Security Issues In SaaS Of Cloud Computing - IJSER


International Journal of Scientific & Engineering Research, Volume 8, Issue 5, May 2017, ISSN 2229-5518

Security Issues in SaaS of Cloud Computing

C. Lakshmi Devi, D. Kanyakumari, Dr K. Venkataramana

Abstract: Cloud computing is becoming increasingly popular in the distributed computing environment. Looking at the impact it has on numerous business applications, and at how it makes IT resources available, cloud computing opens opportunities to small, medium-sized and large companies. Data storage and processing using cloud environments is becoming a trend worldwide. Software as a Service (SaaS) is one of the major models of cloud, which may be offered in a public, private or hybrid network. If we look at the impact SaaS has on numerous business applications as well as on our day to day life, we can easily say that this established technology is here to stay. Cloud computing can be seen as Internet-based computing. Using a cloud computing model can have positive as well as negative effects on the security of a service consumer's data. Many of the important features that make cloud computing very attractive have not just challenged the existing security system, but have also exposed new security risks. In this paper we are going to showcase some major security issues of current cloud computing environments.

KEYWORDS: Cloud Computing, Software as a Service, Security Challenges

1 INTRODUCTION

A lot has been written and spoken about Cloud Computing technology by IT experts, industry and business leaders and independent experts. At a high level, we believe that the security of SaaS based systems can be broken down into six levels: cloud, network, server, user access, application, and data. That said, there should be coordination between these levels, as well as a system that can collect all of this data in order to make sense of it.
There also needs to be process and training put in place. We are believers in a layered model for security, because each layer today can be a target. By systematically securing each layer, your software as a service solution will be better secured. According to Gartner [1], cloud computing can be defined as "a style of computing, where massively scalable IT-enabled capabilities are delivered 'as a service' to external customers using Internet technologies". According to Seccombe et al. [2] and the National Institute of Standards & Technology [3] guidelines for cloud computing, it has four different deployment models, namely private, community, public and hybrid, as well as three different delivery models that are utilized within a particular deployment model. These delivery models are SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). These models form the core of the cloud and they exhibit certain key characteristics like on-demand self-service, broad network access, resource pooling, measured service and rapid elasticity. Our main area of concern in this paper is Software as a Service (SaaS).

2 SECURITY ISSUES IN SAAS

In the Software as a Service (SaaS) model, the client has to depend on the service provider for proper security measures. The provider must ensure that multiple users don't get to see each other's data. So, it becomes important for the user to ensure that the right security measures are in place, and it is also difficult to get an assurance that the application will be available when needed [4]. While using the SaaS model, the cloud customer will, by definition, be substituting new software applications for old ones.
Therefore, the focus is not upon portability of applications, but on preserving or enhancing the security functionality provided by the legacy application and achieving a successful data migration [2]. The SaaS software vendor may host the application on his own private server or deploy it on a cloud computing infrastructure service provided by a third-party provider (e.g. Amazon, Google, etc.). The use of cloud computing coupled with the 'pay-as-you-go' approach helps the application service provider reduce the investment in infrastructure services and enables it to concentrate on providing better services to the customers. The cloud provider might, additionally, replicate the data at multiple locations across countries for the purposes of maintaining high availability. Most enterprises are familiar with the traditional on-premise model, where the data continues to reside within the enterprise boundary, subject to their policies. Cloud computing
providers need to solve the common [...]tion systems. At the same time, they also have to deal with other issues inherently introduced by the cloud computing paradigm itself. In the following section, the SaaS security issues have been categorized as traditional and new cloud-specific security challenges, for the sake of convenience. Figure 1 shows the various security issues in the SaaS model which are discussed in the paper.

[Figure 1: Security Issues in SaaS]

Author affiliations: D. Kanyakumari, 2nd year MCA, KMMIPS, Tirupati, mailId: kanyaakhila@gmail.com; C. Lakshmi Devi, 2nd year MCA, [...]; Dr. K. Venkataramana, Dept. of MCA, KMMIPS, Tirupati, mailId: ramanakv4@gmail.com

2.1 Traditional Security Challenges

2.1.1 Authentication and authorization

The authentication and authorization applications for enterprise environments may need to be changed to work with a safe cloud environment. Forensics tasks may become much more difficult since the investigators may not be able to access system hardware physically. The design proposed by Pratap Murukutla [5] allows a user to use a single set of credentials. They have proposed a solution with de-facto standards of open authorization in which there is a trusted third-party auditor which maintains all the credentials, and the cloud provider can uniquely distinguish one user from another. The model proposed in the literature [6] verifies user authenticity using two-step verification, which is based on password, smartcard and out-of-band (i.e. strong two-factor) authentication. In addition, the scheme also provides mutual authentication, identity management, session key establishment, user privacy and security against many popular attacks; however, the formal security proof hasn't yet been formalized.

2.1.2 Availability

Availability ensures reliable and timely access to cloud data or cloud computing resources by the appropriate personnel.
The availability of cloud service providers is also a big concern, since if the cloud service is disrupted, it affects more customers than in the traditional model. For instance, the recent disruption of the Amazon cloud service in the year 2011 took down a number of websites including Reddit, Foursquare, and Quora. The SaaS application providers are required to ensure that the systems are running properly when needed and that enterprises are provided with services around the clock. This involves making architectural changes at the application and infrastructure levels to add scalability and high availability. Resiliency to hardware/software failures, as well as to denial of service attacks, needs to be built from the ground up within the application. At the same time, an appropriate action plan for business continuity and Disaster Recovery (DR) needs to be considered for any exigencies as per the guidance provided by [2]. This is essential to ensure the safety of the
enterprise data while maintaining minimal downtime for the enterprises. With Amazon [7], for instance, the Amazon Web Services (AWS) API endpoints are hosted on the same Internet-scale, world-class infrastructure that supports the Amazon retail site. Standard Distributed Denial of Service (DDoS) mitigation techniques such as SYN cookies and connection limiting are used. To further mitigate the effect of potential DDoS attacks, Amazon maintains internal bandwidth that exceeds its provider-supplied Internet bandwidth.

2.1.3 Data confidentiality

Confidentiality refers to the prevention of intentional or unintentional unauthorized disclosure of information. Confidentiality in a cloud system is related to the areas of intellectual property rights, covert channels, traffic analysis, encryption, and inference. Cloud computing involves the sharing or storage of information on remote servers owned or operated by others, while accessing it through the Internet or any other connections. Cloud computing services exist in many variations, including data storage sites, video sites, tax preparation sites, personal health record websites and many more. The entire contents of a user's storage device may be stored with a single cloud provider or with multiple cloud providers. Whenever an individual, a business, a government agency, or any other entity shares information in the cloud, privacy or confidentiality questions arise.

2.1.4 Virtual Machine Security

Virtual machine security is about the control an administrator has over the host and guest operating systems. Current Virtual Machine Monitors (VMMs) do not offer perfect isolation. Many bugs have been found in [...] although the global adoption of virtualization is a relatively [...] are evolving just as quickly [8]. The hypervisor and virtual machines used by cloud providers may also have vulnerabilities, as exemplified by [11]. Such vulnerabilities represent an even more serious problem in multi-tenant environments, where compromise of even a single virtual machine can affect all users on the same physical server. Virtualization is one of the main components of a cloud, but it poses major security risks. Ensuring that different instances running on the same physical machine are isolated from each other is a major task of virtualization which is not met completely in today's scenario. Another issue is the existence of flaws in all popular VMMs that allow escaping from the VM. A virtual machine monitor should be 'root secure', meaning that no privilege within the virtualized guest environment permits interference with the host system. Vulnerabilities have been found in all virtualization software which can be exploited by malicious local users to bypass certain security restrictions or gain privileges. For example, a vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or on another guest operating system; a vulnerability in Virtual PC and Virtual Server could allow elevation of privilege. Cloud providers, therefore, might need to reconsider traditional security concerns from different angles.

2.2 Cloud Specific Security Challenges

2.2.1 Information Security

In the traditional on-premise deployment model, the sensitive data of each enterprise continues to reside within the enterprise boundary and is subject to its physical, logical and personnel security and access control policies. However, in the SaaS model, the enterprise data is stored outside the enterprise boundary, at the SaaS vendor end. Consequently, the SaaS vendor must adopt additional security checks to ensure data security and prevent breaches due to security vulnerabilities in the application or through malicious employees.
This involves the use of strong encryption techniques for data security and fine-grained authorization to control access to data.

2.2.2 Network Security

In a SaaS deployment model, sensitive data is obtained from the enterprises, processed by the SaaS application and stored at the SaaS vendor
end. All data flow over the network needs to be secured in order to prevent leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as Secure Socket Layer (SSL) and Transport Layer Security (TLS). In the case of Amazon Web Services (AWS), the network layer provides significant protection against traditional network security issues, such as MITM (Man-In-The-Middle) attacks, IP spoofing, port scanning, packet sniffing, etc. For maximum security, Amazon S3 is accessible via SSL encrypted endpoints.

2.2.3 Resource Locality

In a SaaS model of a cloud environment, the end users use the services provided by the cloud providers without knowing exactly where the resources for such services are located, possibly in other legislative domains. This poses a potential problem when disputes happen, which is sometimes beyond the control of cloud providers. Due to compliance and data privacy laws in various countries, locality of data is of utmost importance in many enterprise architectures [12]. The European Union has issued Directive 95/46/EC to protect user privacy at all costs [13].

2.2.4 Cloud standards

To achieve interoperability among clouds and to increase their stability and security, cloud standards are needed across different standards developing organizations. For example, the current storage services by a cloud provider may be incompatible with those of another provider. In order to keep their customers, cloud providers may introduce so-called "sticky services" which create difficulty for the users if they want to migrate from one provider to the other, e.g., Amazon's S3 is incompatible with IBM's Blue Cloud or [...]. [...] Distributed Management Task Force [14], Storage Networking Industry Association [15], Open Grid Forum [16], Open Cloud Consortium [17] and Organization for the Advancement of Structured Information Standards [18], and so forth. To promote the wide use of cloud computing, these standards bodies need to sit down and work together to establish common standards. Possible "Inter-cloud" standards in the following domains are needed to increase cloud interoperability and free data movement among clouds:
– Network architecture,
– Data format,
– Metering and billing,
– Quality of Service,
– Resource provisioning,
– Security, identity management and privacy.
As stated, there are many general computing standards that may be reused in the cloud, but for the moment, there [...]

2.2.5 Data Segregation

Multi-tenancy is one of the major characteristics of cloud computing. As a result of multi-tenancy, multiple users can store their data using the applications provided by SaaS.
In such a situation, data of various users will reside at the same location. Intrusion into the data of one user by another becomes possible in this environment. This intrusion can be done either by hacking through the loopholes in the application or by injecting client code into the SaaS system. A client can write masked code and inject it into the application. If the application executes this code without verification, then there is a high potential of intrusion into others' data. A SaaS model should therefore ensure a clear boundary for each user's data. The boundary must be ensured not only at the physical level but also at the application level. The service should be intelligent enough to segregate the data from different users. A malicious user can use application vulnerabilities to hand-craft parameters that bypass security checks and access sensitive data of other tenants.

2.2.6 Data Access

Data access issues are mainly related to the security policies provided to the users while accessing the data. In a typical scenario, a small business organization can use a cloud provided by some other provider for carrying out its business processes.
This organization will have its own security policies based on which each employee can have access to a particular set of data. The
security policies may entail some considerations wherein some of the employees are not given access to a certain amount of data [19]. These security policies must be adhered to by the cloud to avoid intrusion of data by unauthorized users [20]. The SaaS model must be flexible enough to incorporate the specific policies put forward by the organization. The model must also be able to provide organizational boundaries within the cloud, because multiple organizations will be deploying their business processes within a single cloud environment.

2.2.7 Web application security

SaaS is software deployed over the internet and/or deployed to run behind a firewall in a local area network or on a personal computer. The key characteristics include network-based access to, and management of, commercially available software, and managing activities from central locations rather than at each customer's site, enabling customers to access applications remotely via the Web. SaaS application development may use various types of software components and frameworks. These tools can reduce time-to-market and the cost of converting a traditional on-premise software product or building and deploying a new SaaS solution. Examples include components for subscription management, grid computing software, web application frameworks and complete SaaS platform products. One of the "must-have" requirements for a SaaS application is that it has to be used and managed over the web. The software which is provided as a service resides in the cloud without being tied to the actual users. This allows improving the software without inconveniencing the user. Security holes in the web applications thus create a vulnerability to the SaaS application. In this scenario, the vulnerability can potentially have a detrimental impact on all of the customers using the cloud.
The challenge with SaaS security is not any different from that of any other web application technology. However, one of the problems is that traditional network security solutions such as network firewalls and network intrusion detection and prevention systems (IDS & IPS) do not adequately address this problem. Web applications introduce new security risks that cannot effectively be defended against at the network level, and do require application-level defenses. The Open Web Application Security Project has provided the ten most critical web application security threats.

2.2.8 Data breaches

Since data from various users and business organizations lie together in a cloud environment, breaching into the cloud environment will potentially attack the data of all the users. In the Verizon Business breach report blog it has been stated that external criminals pose the greatest threat (73 percent), but achieve the least impact (30,000 compromised records), resulting in a virtualization vulnerability [21].

3 CURRENT SECURITY SOLUTIONS

The Open Web Application Security Project (OWASP) maintains a list of top vulnerabilities to cloud-based or SaaS models which is updated as the threat landscape changes. There are several research works happening in the area of cloud security. Several groups and organizations are interested in developing security solutions and standards for the cloud. The Cloud Security Alliance (CSA) is gathering solution providers, non-profits and individuals to enter into discussion about the current and future best practices for information assurance in the cloud [11]. The Cloud Standards website collects and coordinates information about cloud-related standards under development by these groups [10]. The Open Grid Forum publishes documents containing security and infrastructural specifications and information for grid computing developers and researchers [13]. The best security solution for SaaS applications is to develop a development framework that has a tough security architecture.
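One concrete piece of such an architecture is the application-level tenant boundary that sections 2.2.5 and 2.2.6 call for. The following is an added example, not code from the paper: a record lookup that trusts a client-supplied record id (the hand-crafted-parameter problem of 2.2.5) beside one that scopes every lookup to the authenticated caller's tenant and then applies that tenant's own access policy (the per-organization policies of 2.2.6). The store, tenants, roles and records are all constructed for the example.

```python
"""Tenant-scoped data access in a multi-tenant SaaS store (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant: str     # owning organisation
    dataset: str    # label the tenant's own policy refers to, e.g. "hr"
    body: str


@dataclass(frozen=True)
class Principal:
    """Who is asking: derived from the authenticated session, never from the request."""
    user: str
    tenant: str
    role: str


class Forbidden(Exception):
    pass


# Constructed sample data: two tenants sharing one physical store (multi-tenancy).
STORE = {
    1: Record(1, "acme", "hr", "acme salary sheet"),
    2: Record(2, "acme", "public", "acme press kit"),
    3: Record(3, "globex", "finance", "globex Q3 ledger"),
}

# Constructed per-organisation policies (section 2.2.6): datasets each role may read.
POLICIES = {
    "acme": {"hr-admin": {"hr", "public"}, "staff": {"public"}},
    "globex": {"cfo": {"finance"}, "staff": set()},
}


def fetch_record_unscoped(record_id: int) -> Record:
    """Vulnerable pattern: the id comes straight from the request parameter and
    nothing ties it to the caller's tenant, so any id reaches any tenant's data."""
    return STORE[record_id]


def fetch_record(principal: Principal, record_id: int) -> Record:
    """Hardened pattern: enforce the tenant boundary first, then the tenant's policy."""
    rec = STORE.get(record_id)
    # Same answer for "does not exist" and "belongs to another tenant", so a caller
    # cannot learn which ids exist in other tenants by probing.
    if rec is None or rec.tenant != principal.tenant:
        raise Forbidden("record not found")
    allowed = POLICIES.get(principal.tenant, {}).get(principal.role, set())
    if rec.dataset not in allowed:
        raise Forbidden("policy of tenant %s denies dataset %s to role %s"
                        % (principal.tenant, rec.dataset, principal.role))
    return rec


def can_read(principal: Principal, record_id: int) -> bool:
    """Policy decision only, for callers that just need allow/deny."""
    try:
        fetch_record(principal, record_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    outsider = Principal("mallory", "globex", "cfo")
    # Unscoped lookup hands globex's user an acme record.
    print("unscoped:", fetch_record_unscoped(1).body)
    # Scoped lookup refuses it, and refuses acme staff the hr dataset too.
    print("scoped cross-tenant:", can_read(outsider, 1))
    print("scoped wrong role:", can_read(Principal("bob", "acme", "staff"), 1))
    print("scoped allowed:", can_read(Principal("alice", "acme", "hr-admin"), 1))
```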
One simple solution for UK businesses is to simply use in-house "private clouds". Pearson highlighted that the current lack of transparency is preventing many users from reaping the true benefits of the cloud. For identity and access management in SaaS, the Cloud Security Alliance has issued an Identity and Access Management
Guidance which provides a list of recommended best practices to assure identities and secure access management. Resource Locality and Data Segregation are the two key security challenges on which not much information is available in the existing literature, which necessitates that they be taken up for further research.

4 CONCLUSION

Though there are numerous advantages in using a cloud-based system, there are yet many practical issues which have to be sorted out. Cloud computing is a disruptive technology with profound implications not only for Internet services but also for the IT sector as a whole. Still, several outstanding issues exist, particularly related to service-level agreements (SLA), security and privacy, and power efficiency. As described in the paper, security currently has a lot of loose ends, which scares away several potential users. Until a proper security module is in place, potential users will not be able to leverage the true benefits of this technology. This security module should cater to all the issues arising from all directions of the cloud. Every element in the cloud should be analyzed at both the macro and micro level, and subsequently an integrated solution must be designed and deployed in the cloud to attract and retain potential consumers. Until then, the cloud environment will remain cloudy. In a cloud where there are heterogeneous systems having a variation in their asset value, a single security system would be too costly for certain applications, and if there is less security then the vulnerability factor of some applications like financial and military applications will shoot up. On the other side, if the cloud has a common security methodology in place, it will be a high value asset target for hackers, because hacking the security system will make the entire cloud vulnerable to attack.
In this paper an overview of the cloud computing service delivery model SaaS, along with the security challenges associated with the model, including both the traditional and cloud-specific security challenges, has been presented. A number of new challenges that are inherently connected to the new cloud paradigm have also been deliberated in the paper. As secure data storage in a cloud environment is a significant concern which prevents many users from using the cloud, a practical solution to provide security and privacy for user data, when it is located in a public cloud, was also discussed in this paper. The need for further work on various security mechanisms has also been highlighted, in order to provide transparent services that can be trusted by all users.

References

[1] Heiser J. (2009). What you need to know about cloud computing security and compliance. Gartner Research, ID Number G00168345.
[2] Seccombe A., Hutton A., Meisel A., Windel A., Mohammed A., Licciardi A. (2009). Security guidance for critical areas of focus in cloud computing, v2.1. Cloud Security Alliance, 25 p.
[3] Mell P., Grance T. (2011). The NIST definition of Cloud Computing. NIST Special Publication 800-145, Gaithersburg, MD.
[4] Choudhary V. (2007). Software as a service: implications for investment in software development. In: International Conference on System Sciences, 2007, p. 209.
[5] Pratap Murukutla, K.C. Shet (2012). Single Sign On for Cloud. In: International Conference on Computing Sciences, 2012, IEEE. DOI 10.1109/ICCS.2012.66
[6] Amlan Jyoti Choudhury, Pardeep Kumar, Mangal Sain, Hyotaek Lim, Hoon Jae-Lee (2011). A Strong User Authentication Framework for Cloud Computing. In: IEEE Asia-Pacific Services Computing Conference, 2011, IEEE. DOI 10.1109/APSCC.2011.14
[7] Amazon Web [...]zon.com/security. Accessed: January 2013.
[8] Amazon. Amazon Elastic Compute Cloud (EC2). http://aws.amazon.com/ec2/. Accessed: December 2012.
[9] Cloud Security Alliance. Security best practices for cloud computing, 2010b. http://www.cloudsecurityalliance.org. Accessed: July 2012.
[10] Cloud Security Alliance (2012). SecaaS implementation guidance, category 1: identity and Access [...]tyalliance.org/initiatives/secaas/SecaaS Cat 1 IAM Implementation Guidance.pdf
[11] Secunia. Xen multiple vulnerabilities; 2011. http://secunia.com/advisories/26986/. Accessed on 22 November 2012.
[12] SoftLayer. Service Level Agreement and Master Service Agreement, 2009. http://www.softlayer.com/sla.html. Accessed: October 2012.
[13] European Union. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; 1995.
[14] DMTF (2013). Distributed Management Task Force. http://www.dmtf.org/. Accessed: January 2013.
[15] SNIA (2013). Storage Networking Industry Association. http://www.snia.org/. Accessed: January 2013.
[16] OGF (2010). Open Grid Forum. http://www.ogf.org/. Accessed: August 2012.
[17] OCC (2013). Open Cloud Consortium. http://www.opencloudconsortium.org/. Accessed: January 2013.
[18] OASIS (2013). Organization for the Advancement of Structured Information Standards. http://www.oasis-open.org/. Accessed: January 2013.
Cloud Computing Standards Too Many Doing Too Little
[19] Kormann D., Rubin A. (2000). Risks of the Passport single signon protocol. Computer Networks 2000; 33(16): 51-8.
[20] Blaze M., Feigenbaum J., Ioannidis J., Keromytis A.D. The role of trust management in distributed systems security. In: Secure Internet Programming: Security Issues for Mobile and Distributed Objects. Berlin: Springer-Verlag; 1999. p. 185-210.
[21] Cooper R. Verizon Business Data Breach security [...]
