International Journal on Advanced Computer Theory and Engineering (IJACTE)

ISSN (Print): 2319-2526, Volume-3, Issue-6, 2014

A Survey on SaaS Related Security Issues In Cloud Computing

Santhrupth.B.C, Mohan.H.S, Vinod.H.C

Department of ISE, SJBIT, Bangalore, India

Email: [email protected], [email protected], [email protected]

Abstract—The Internet has been a driving force behind the various technologies that have been developed since its inception. The cloud computing paradigm has witnessed an enormous shift towards its adoption, and it has become a trend in the information technology space as it promises significant cost reductions and new business potential to its users and providers. With the rise of cloud computing, many predicted a paradigmatic change of IT-based business processes. However, extant research focuses primarily on technical aspects, such as security and scalability; hence the assumed paradigm shift has not yet been explored in more detail. Therefore, this paper brings out new security issues. It also attempts to describe the security challenges in the Software as a Service (SaaS) model of cloud computing.

Keywords: Cloud Computing, Software as a Service (SaaS), Platform as a Service (PaaS), Security Challenges.

I. INTRODUCTION

Cloud computing is a class of next-generation, highly scalable distributed computing platform in which computing resources are offered 'as a service' via the Internet. Cloud-based services include software as a service (SaaS) and platform as a service (PaaS).

Amazon's Elastic Compute Cloud (EC2) and IBM's Blue Cloud are examples of cloud computing services.

Users use software via the Internet and pay only for what they use, so they do not have to worry about the management of software and hardware, which is quite complicated [3] [4].

Characteristics of cloud computing:

Cloud computing exhibits five essential characteristics as defined by NIST (National Institute of Standards and Technology) [7].

• On-demand self-service. A consumer can unilaterally provision computing capabilities.

• Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.

• Resource pooling. The provider's computing resources are pooled to serve multiple consumers, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

• Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in.

• Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service.

Traditionally, software solutions were purchased, installed and maintained in an organization's network; this is sometimes referred to as an 'in-house' solution.

This would involve overhead costs to establish infrastructure (servers, for example), and then ongoing maintenance and support (backups and database maintenance), all of which would have to be organized and dealt with internally. The alternative solution is Software as a Service (also often referred to as 'On Demand' software), whose workflow is shown in Figure 1. The software is provided to a customer as a subscription-based service that is delivered over the Internet, and is usually accessed via a web browser.

Figure 1. SaaS Workflow


II. LITERATURE SURVEY

Cloud Computing and SaaS came into existence in 2007 when companies such as Google, Amazon, and IBM started to provide their under-utilized computing power and storage capacities via the Internet to potential customers [12]. SaaS-based applications are still at an early stage, with some independent solutions and office offerings emerging; however, the SaaS market is growing fast, driven by reduced investment in IT and the demand for rapid business implementation.

In the SaaS model, user data is stored at the SaaS provider's data center, along with the data of other users.

If the SaaS provider is dealing with a public cloud computing service, the enterprise data might be stored along with the data of other unrelated SaaS applications.

The cloud provider might, additionally, replicate the data at multiple locations across countries for the purposes of maintaining high availability. There is a great deal of anxiety about the lack of control over, and awareness of, how users' data is stored and secured in the SaaS model. The key security elements that should be carefully considered as a fundamental part of the SaaS application development and deployment process include: Data security, Network security, Data locality, Data integrity, Data segregation, Data access, Authentication and authorization, Data confidentiality, Web application security, Data breaches, Virtualization, Availability, Backup and Identity management [2].

Security Access Control Service includes Access Authorization for the CSUs who want cloud services, a Security API that provides safety for users to use the services after verifying the cloud, and Cloud Communication Security. Alternatively, a composition of symmetric and asymmetric cryptography, as well as capability-based access control, can also be used [13][3].

For instance, in [13], the platform services can be accessed upon the permission that is encoded in cryptographic capability tokens. At the same time, these platform services also provide solutions to security risks and specifications required for personal cloud computing by means of special cloud services, such as Amazon EC2 and Azure [3].

The model proposed in the literature [6] verifies user authenticity using two-step verification, which is based on password, smartcard and out-of-band (i.e. strong two-factor) authentication. In addition, the scheme also provides mutual authentication, identity management, session key establishment, user privacy and security against many popular attacks; however, a formal security proof has not yet been given.

III. SECURITY ISSUES AND MEASURES TO BE CONSIDERED IN SAAS

In the Software as a Service (SaaS) model, the client has to depend on the service provider for proper security measures. The provider must ensure that multiple users do not get to see each other's data. It therefore becomes important for the user to ensure that the right security measures are in place, and it is also difficult to get an assurance that the application will be available when needed [10]. Some of the traditional security issues which also affect the SaaS model are described below. Figure 2 indicates some important security issues in the SaaS delivery model.

Figure 2. Security issues in SaaS

A. Authentication and authorization

The authentication and authorization applications for enterprise environments may need to be changed to work with a safe cloud environment. Forensics tasks may become much more difficult since the investigators may not be able to access system hardware physically.

The typical authentication process allows the system to identify the user (via a username), and then validate their identity through user-provided evidence such as a password. Certificate-based authentication techniques ask the user to provide his/her digital ID.

This digital ID, known as a digital certificate, is validated against the trusted authority that issued the digital ID.

There are various other parameters that are checked to ensure the identification of the user [11].

B. Availability

Availability ensures reliable and timely access to cloud data or cloud computing resources by the appropriate personnel. The availability of cloud service providers is also a big concern, since if the cloud service is disrupted, it affects more customers than in the traditional model [1]. SaaS platform instrumentation for user experience, availability and capacity is important to ensure that any potentially service-affecting trends are proactively monitored and reliably acted on before becoming a real issue. At the end of the day, high availability services are a 24x7x365 commitment. A combination of excellence in people, process and technology with vigilance is the only way to ensure that the SaaS platform is indeed providing the service as committed to end users and clients [6].

C. Data confidentiality

Confidentiality refers to the prevention of intentional or unintentional unauthorized disclosure of information.

Confidentiality in a cloud system is related to the areas of intellectual property rights, covert channels, traffic analysis, encryption, and inference [11]. Cloud computing involves the sharing or storage of information on remote servers owned or operated by others, while accessing it through the Internet or any other connections [1]. Cloud-based services also offer the advantages of "anywhere accessibility," intuitive ease-of-use, and compatibility with both Windows and Mac operating environments [7].

Though all software, both desktop and Web-based, is subject to certain risks, issues relating to security, privacy, confidentiality, and data availability gain special relevance with cloud-based services, especially in the context of law practices. Many cloud-specific issues need to be addressed during a SaaS implementation in the cloud [9].

D. Risks with Multi-tenant SaaS Solutions

The multi-tenant nature of SaaS applications makes security an essential concern. One of the first things to consider when looking at a SaaS option is whether your deployed solution will be residing in a multi-tenant environment. A multi-tenant implementation leads to a lower annual cost than other deployment options, but it also leads to a greater risk of having your employee data breached. This additional risk exists because in a multi-tenant environment many customers reside in one application environment simultaneously. While vendors can provide security within their applications and databases to prevent customer data from being breached or accidentally leaked, these security measures are sometimes not robust enough. As a result, sensitive employee data may end up being visible to unauthorized individuals.
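The multi-tenant risk described above, shown as an added example that is not part of the original paper: a shared-schema lookup that ignores the tenant beside a store that applies the tenant to every statement, plus a regression check for cross-tenant reads. The table, tenant names and function names are constructed for illustration, and the tenant id is assumed to come from the authenticated session.

```python
import sqlite3

def build_db():
    """Constructed sample: two tenants share one table (shared-schema multi-tenancy)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        (1, "acme", "Alice", 5000),
        (2, "acme", "Bob", 4200),
        (3, "globex", "Carol", 6100),
    ])
    return db

def get_employee_unscoped(db, employee_id):
    """Weak form: lookup by row id alone, so any tenant's user can read any row."""
    return db.execute("SELECT name, salary FROM employees WHERE id = ?",
                      (employee_id,)).fetchone()

class TenantScopedStore:
    """Hardened form: the tenant id is bound once (from the authenticated
    session, an assumption here) and added to every statement by the store."""
    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._db, self._tenant = db, tenant_id

    def get_employee(self, employee_id):
        return self._db.execute(
            "SELECT name, salary FROM employees WHERE id = ? AND tenant_id = ?",
            (employee_id, self._tenant)).fetchone()

    def list_employees(self):
        rows = self._db.execute(
            "SELECT name FROM employees WHERE tenant_id = ? ORDER BY id",
            (self._tenant,))
        return [name for (name,) in rows]

    def update_salary(self, employee_id, salary):
        cur = self._db.execute(
            "UPDATE employees SET salary = ? WHERE id = ? AND tenant_id = ?",
            (salary, employee_id, self._tenant))
        return cur.rowcount  # 0 when the row belongs to another tenant

def leaked_rows(db, tenant_ids):
    """Regression check: list (tenant, row id) pairs readable across tenants."""
    owners = dict(db.execute("SELECT id, tenant_id FROM employees"))
    leaks = []
    for tenant in tenant_ids:
        store = TenantScopedStore(db, tenant)
        for row_id, owner in owners.items():
            if owner != tenant and store.get_employee(row_id) is not None:
                leaks.append((tenant, row_id))
    return leaks
```

Running a check like `leaked_rows` in the test suite turns the segregation requirement into something that fails the build when a new query forgets the tenant filter.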

E. SaaS application upgrade to the next version

One of the most controversial policies with a SaaS-only model is the forced upgrade policy. This policy of some SaaS vendors requires that customers upgrade to the next version of the application on the vendor's time frame, generally monthly or quarterly. This can have many bad downstream effects on the customer's organization. Issues related to it include the following. If the vendor does not manage the testing and QA process well, new releases can be unstable and existing features can stop working correctly. Often new releases change how an important part of the application works, or in some cases can even update the entire user interface. As a result, users often require re-training on how to use the new version of the application. In large organizations especially, constant training and re-training can be very expensive.

F. Application Architecture

In a SaaS deployment model, sensitive data is obtained from the enterprises, processed by the SaaS application and stored at the SaaS vendor end. All data flow over the network needs to be secured in order to prevent leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). In the case of Amazon Web Services (AWS), the network layer provides significant protection against traditional network security issues, such as MITM (Man-In-The-Middle) attacks, IP spoofing, port scanning, packet sniffing, etc. For maximum security, Amazon S3 is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, ensuring that data is transferred securely both within AWS and to and from sources outside of AWS [14]. However, malicious users can exploit weaknesses in network security configuration to sniff network packets.

G. SaaS Datacenter Security Issues

For any enterprise application, datacenter security is also important; but for SaaS vendors this is especially so, as not just one, but many copies of customer data are stored in the datacenter. However, not all vendors provide adequate security when it comes to their datacenters. It is very important to evaluate the datacenter services the vendor provides as a part of the offering. One good approach to this is to ask for a technical overview document that outlines the datacenter services provided as part of the SaaS offering. As discussed previously, multi-tenant SaaS can offer risks which organizations may find unacceptable. Dedicated hosting for SaaS can provide a truly secure deployment, while still offering the benefits of a SaaS deployment.

IV. CONCLUSION

Though there are numerous advantages in using a cloud-based system, there are still many practical issues which have to be sorted out. A SaaS hosted solution can provide many benefits to an organization of any size, from small to enterprise. It is both time and cost efficient, and there are many reasons why such solutions have clear advantages over traditional installations. Some surveys have discussed security issues about clouds without making any difference between vulnerabilities and threats. We have focused on this distinction, which we consider important for understanding these issues. However, new security techniques are needed, as well as redesigned traditional solutions that can work with cloud architectures.

Traditional security mechanisms may not work well in cloud environments because it is a complex architecture that is composed of a combination of different technologies.


REFERENCES

[1] Rashmi, Dr. G. Sahoo, Dr. S. Mehfuz, "Securing Software as a Service Model of Cloud Computing: Issues and Solutions," International Journal on Cloud Computing: Services and Architecture (IJCCSA), Vol. 3, No. 4, August 2013.

[2] S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, vol. 34, pp. 1-11, 2011.

[3] Feng Liu, Weiping Guo, ZhiQiang Zhao, Wu Chou, Avaya Labs Research, Avaya Inc, "SaaS Integration for Software Cloud," 2010 IEEE 3rd International Conference on Cloud Computing.

[4] http://www.intralinks.com/us/blog/2009/07/22/high-availability-service-management-saas-environments

[5] http://www.americanbar.org/newsletter/publications/technology_e_report_home/2009_vol8_num4_feature2.html

[6] M. Peter and G. T, The NIST definition of Cloud Computing. 2009.

[7] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Version 2.1 (2009).

[8] Celine Mancas-Thillou, Bernard Gosselin, "Color Text Extraction from Camera-based Images - the Impact of the Choice of the Clustering Distance," ICDAR, 2007.

[9] Y. Karabulut and I. Nassi, "Secure enterprise services consumption for SaaS technology platforms," presented at the ICDE 2009.

[10] Choudhary V. (2007). Software as a service: implications for investment in software development. In: International conference on system sciences, 2007, p. 209.

[11] http://en.wikipedia.org/wiki/Software_as_a_service

[12] http://puleng.co.za/the-4-as-of-cloud-identity-authentication-authorization-account-management-audit-logging/

[13] Vahid Khatibi, Elham Khatibi, Issues on Cloud Computing: A Systematic Review, International Conference on Computational Techniques and Mobile Computing (ICCTMC'2012), December 14-15, 2012, Singapore.

[14] www.softscape.com

[15] http://www.linksoft.co.kr


