IT Systems Integerity - Cloud Computing

profileChitla234
TraditionalResearchPaper.docx

IT SYSTEMS INTEGRITY 21

IT Systems Integrity – Cloud Computing

Legal Name

IST 8101

Master of Science in Information Systems Technology

University

Running head: IT SYSTEMS INTEGRITY 1

January 2018

Table of Contents IT Systems Integrity – Cloud Computing 3 Abstract 3 Introduction 4 Problem Statement 4 The Purpose........................................................................................................................ 5 Research Questions .............................................................................................................5 Hypothesis ...........................................................................................................................5 Background of the Study.....................................................................................................6 Literature Review.................................................................................................................8 Methodology......................................................................................................................16 References 8

Abstract

Cloud computing is revolutionizing how information technology (IT) architecture and systems are provisioned, implemented and deployed. Computer software engineers have reduced computer hardware infrastructure into a software program that can be stored and manipulated like an ordinary data file and called a virtual machine. With cloud computing, virtual machines, application software, and databases are moved to a large data center known as "the cloud' in the form of files and managed from there. Remote managing of this data comes with serious security risks because users are no longer in full control of their systems. The common assumption is the cloud is correctly configured to protect their sensitive data. This paper explores the problem of ensuring the integrity of virtual machine files, application software, and data stored in the cloud. It covers processes involving the collection of data from cloud computing vendors and experiences of cloud service consumers. As the world continue adopting cloud computing, then great emphasis must be placed on building verifiable systems that customers and any cloud user can inspect with ease.

IT System Integrity – Cloud Computing

Introduction

Cloud computing can be defined as a virtualized environment for remotely offering modern computing services to clients via the high-speed internet. This technology reduces administrative costs by enabling companies to shift their physical infrastructure, software applications, and data to the cloud (Rittinghouse, & Ransome, 2016). Many companies are moving from hosting their data and applications in-house to the cloud (off-site), and are becoming vulnerable to both human threats and system issues. For example, a malicious administrator may write a script to consume all of a company's cloud resource denying that service to the customer. Data can leak from the cloud while in transit when stored or being processed by other users. Attackers may gain access control of a cloud account for own malicious activities. Unsecured communication interfaces between cloud users could lead to unauthorized access to data. Cloud administrators could fail to disclose where and how the data is stored in the cloud. In some cases, negligence of IT security officers compromises the data or information available or transmitted via the cloud (Khorshed, Ali, & Wasimi, 2012). This paper seeks to explore the uncertainty or exposure the users of cloud computing are exposed. Consequently, the findings should ensure the integrity of the data stored in cloud computing and dictate how cloud computing services can be designed transparently.

Problem Statement

Exposure of the cloud system to an unlimited number of users multiplies the risk of intrusion or cyber-attack by malicious users or anyone with access to the information/data. As a result, companies and organizations risk losing their competitive advantage and appeal of their clients.

The purpose

This research’s main aim is to explore the limitations of current cloud integrity verification techniques in the market and help to develop a simple framework and tool that can assist cloud administrators, customers, and external clients verify the integrity standards of data on the cloud without having to inspect every configuration of the entire platform directly.

Research Question

The research seeks to know the limitations of current cloud verification techniques in the market with a view of developing a simple framework or a tool for verifying data on the cloud without administrators and users having to directly inspect every configuration of the entire platform.

Rationale/Significance of the study

This study aims at gaining insights to current limitations to cloud verification tools and framework. Its findings will help cloud administrators, customers, clients, and any consumer of cloud computing services identify tools that attest if the cloud computing infrastructure they are using is integral in their decision making.

Hypothesis

Establishing a secure data/information storage system full with backup capabilities upon sensing anomalies and eliminate the risk associated with compromised system integrity.

Background of the study

The need to reduce organizational management costs has led to a vigorous transformation in the IT industry. First was the creation of a robust computer called "server computer" to be a central machine for managing and controlling the many client desktops and software application users of an organization. These made international companies install server computers architecture in all their branch network and the net result being many server computers distributed in different regions – a distributed server computer deployment. The invention of a central data center ‘the cloud' was to help manage the growing network of distributed server computers.

Cloud computing provides many advantages to the customer like scalability, better economics of scaling, disaster recovery mechanism, ability to outsource non-core business activities and flexibility. The unique advantages of cloud computing are that it enables a fundamental paradigm shift in how we deploy and deliver computing services. Users and organizations can avoid spending money and resources creating capital outlays when buying and managing software and hardware, and dealing with the operational overheads. Overall security and privacy have been the primary concern in comparison to the benefits offered by cloud computing (Rittinghouse, & Ransome, 2016).

Cloud computing is a better option for organizations to take up as their best option without any initial investment and day by day, the frequency and heavy use of cloud computing has been increasing. Despite all the benefits a cloud offers to an organization there are certain doubts and threats regarding the security issues associated with a cloud computing platform. The security issues primarily involve the external control over organizational structure since management of an organization’s private data can be compromised (Fernandes et al., 2014). Personal and private data in cloud computing environment has a very high risk of breach of confidentiality, integrity, and availability. The growth of cloud computing is mainly hampered due to these security concerns and challenges (Fernandes et al., 2014).

It is more challenging to control or manage a cloud environment since all the resources of the cloud are from outside the organization. Moreover, cloud computing still faces problems related to security threats from internal and external sources. There are many examples of a security breach in the recent times like Apple's iPad subscriber privacy leak, Amazon S3's recent downtime, and Gmail's mass email deletions (Marston et al., 2011). Cloud service provider organizations usually don't examine data sent or received by users to the cloud and users don't have any access to the internal procedures of a cloud, hence leading to a possibility of a data breach. Additionally, owing to hardware virtualization, multiple users can now share the same physical infrastructure, which runs their distinct application instances simultaneously.

From the user point of view cloud computing seems to be very insecure due to privacy and security vulnerabilities that are likely to arise from its multi-tenancy feature. It is not possible for the user to get control of his data and computing applications until a reliable security measure and privacy guarantee is put in place. The user will not give priority to scalability, flexibility and commercial availability over its privacy and security of his data (Ali, Khan, & Vasilakos, 2015). More motivation is required towards addressing security issues and providing more trustworthy solutions for making cloud computing more helpful and accessible to the public at large.

Literature Review

Clouding computing has been used widely by organizations in the storage, administration and retrieval of data in an efficient and cost-effective manner. As information technology develops, cloud technology has become widely accepted for storing and processing volumes of data. This has exposed organizations to system vulnerabilities that necessitate appropriate strategies to overcome them and prevent data losses and related interference with the information systems.

Data auditing helps the system user to discover issues related to data quality that originate from source systems, their specific applications as well as their operational processes. (Tu, 2017) argues that remote data auditing makes it possible for the cloud users to confirm the integrity of the outsourced file through the auditing against cloud storage before downloading any files from it. Hence, in the view of the computational costs caused by the auditing process, the auditing model should be adopted by the organizations to make the users to outsource the heavy auditing task to the third party auditor. Tu et al.  further argues that despite the fact that the outsourced auditing scheme plays a key role in protecting the system against the malicious Third party auditors (TPA), it makes sure that the TPA has read access right over the data outsourced (Tu et al, 2017). This is the potential risk that establishes to be significantly malicious when it comes to user’s data privacy. In other words, Wei (2017) states the organization should introduce the user focus element for the outsourced auditing that emphasizes the idea that the user should navigate through and dominate their own data. This does not only prevent personalized data from leaking to unwarranted system users but also regulates the third party auditor from gaining unnecessary access to private information. Depending on the manner in which the data is encrypted, data signal processing can be deployed on the cloud storage environment to create more information wealth and security. This is primarily for the purposes of checking the possibility of reproducibility and data verification as well as the effectiveness of the audit trials.

Instead of typing a given code, technology advancement has moved providers and users alike beyond the single-factor passwords to the more safer, secure and private easy to use FIDO (Fast Identity Online).   Yi (2017) stresses that one of the ways to ensure efficient integrity verification of the replicated data in the cloud system is the use of a single security key. Yi states that the cloud serve can never cheat the data owner. It is for this reason that he proposed adoption of the FHE algorithm model that is used to generate multiple replicas. It is important to understand that the scheme reinforces third party public validation such that it is only the authorized users who are able to access the copies of the data in the system using a uniform security key. This makes it possible for the users to outsource their information and data to remote cloud servers and as well enjoy on-demand high quality services. According to Trovati (2016), the use of this scheme ensures that the computer users have absolute control of their data. The scheme also enables the users to store unlimited data and more importantly to ensure that the most sensitive one is not encroached.

FIDO enables an interoperable ecosystem of hardware, biometrics-based authenticators and mobile- and that can be used with many apps and websites. Trovati (2016) further argues that the data owners further have a chance to reap great benefits ranging from those related to durability, availability and scalability requirements. The research study proposed an efficient and more secure multi-copy provable data processing scheme that exhibit five characteristics. To start with, the data owner is able to use the fully homographic encryption to generate data block replicas. The second characteristic is that this scheme enables the user to perform dynamic update operations when it comes to the access to the stored data blocks. As mentioned earlier, the security scheme is founded on the principle that the cloud service provider cannot cheat the owner of the data (Yi, 2017). Fourth, the computer system security scheme supports third party public verification and finally, there is a single key that makes it possible for the users to have seamlessly access data copies from the fact that the data owners have increased interest when it comes to the confidentiality aspects of the system.

Cloud computing has made it possible for the people to outsource their data by storing it remotely on the cloud and enjoying on-demand high quality internet services obtained from a remotely shared pool of configurable computing resources. Hwang (2017) depicts cloud computing as an emerging model whereby the computing infrastructure system resources are conveniently provided over the internet as a service. Hence, the use of these data storage services makes it possible for the system user using these data services to be relived of the burden of local maintenance and storage. However, Hwang (2017) emphasizes that from the fact that cloud servers and data owners do not share the same trusted domain, the computer users must have in mind that their data is subject to the risk of loss or interference as the cloud server cannot be fully trusted. Hwang hence proposes that the system be configured in such a manner that the trusted third party or the individual users can check data integrity devoid of the need to demand for a localized copy of the data. Service level contracts become a critical requirement for the user to check adherence of the cloud to the terms spelled in the contract and as well deter cheating such as maintenance of fewer companies than agreed and tampering with the stored data.

There are several approaches to system security concerns such as prevalence of third party auditors, check summing for data and mirroring proofs that have been proposed by computer security experts. Contrary to Tu et al. (2017), Shi (2017) argues that data integrity proofs in the cloud computing services have not been widely investigated to deter security threats. However, it is important to understand that against the findings of the researchers discussed above, Shi makes an important observation that the aforementioned methods lack the tracking of integrity violations as well as the time in which the hack or infringement of data occurred. Hence, he reiterates the significance of tracking integrity violations through experiments conducted in clouds to check the configuration of the system and related security vulnerabilities.

Service level agreements are contracts between service providers and end users that depict the level of service that the user expects from the provider. Whereas Hwang (2017) focuses on the need to introduce service level contracts, Shi (2017) supposes that we need a comprehensive remedy to the existing system attacks that combines diverse techniques that rely on the local resources when it comes to the cloud environment. Hence, Shi (2017) addresses this issue of data integrity using data provenance, a powerful local resource of cloud computing. This is used to answer many questions in different domains of information and communication with regard to the state and history of the data such as where the data was obtained from , when the data product was generated, the computations and transformations that it has undergone since its creation and inputs of the output data item. These are critically important questions that should be addressed in every stage of data product cycle in the cloud. In other words, Shi (2017) unlike other researchers who have conducted extensive research in this field, proposes security consideration in every stage of the cloud life cycle. This, according to Shi (2017), makes it possible to detect data integrity breaches at every stage which is not determined in the security models and schemes proposed by the earlier researchers.

Discussions regarding cloud computing security often fail to differentiate between the general computer issues from the cloud-specific issues. Allen (2016) highlights several cloud computing vulnerabilities and the current solutions. He states that since data and computation are usually outsourced to a remote serve, it is important for organizations to make sure that data integrity is checked constantly to prove that this computation and related data is safe, secure and protected. In other words, Allen (2017) argues that data integrity is achieved when data is free from unauthorized modification. Hence, the system should be set in such a manner that any modification on the data is detected to prevent damages from malware or malicious users who could otherwise change program execution. He elucidates on two instances when data integrity should be violated which include data loss or manipulation and in the event of untrusted remote server.

While encryption is critical to secure adoption and use of the cloud services, analysts recommend that companies develop a well detailed security plan that address several issues related to access controls and key management. Unlike Hwang (2017), Allan (2017) offers specific solutions to each of the system vulnerabilities. The tenants of the cloud systems tend to commonly assume that if data is encrypted before it is outsourced to the cloud, it is sufficiently secure enough. Hence, Allan offers great emphasis on some of the common mistakes that are made by cloud users. Thus, despite the fact that encryption is aimed at providing confidentiality against attacks by the cloud users, there is no guarantee that the data is protected from corruption that arises from software bugs and configuration errors. Kannan (2016) on the other hand, stresses that checking data integrity can be achieved through the client or the third party. The former requires the user to download the file to check its hash value. This is the reason as to why the message authentication code is used by the client. The latter utilizes the computed hash value using a hash tree. Hence, the hash tree is used to generate the data from the bottom to the top where the client is only allowed to store the root.

A key-based technique allows any verifier to key queries to the server to obtain an interactive proof of the data procession. Wei (2015) proposes the probable data possessions scheme that ensures that data is investigated statistically to ascertain its correctness without it being retrieved. This proposed model is aimed at ensuring that the data that is stored in the remote server is in its original possession and that the server houses the original data before it is retrieved. Kannan (2016) proposes the existence of the proof of retrievability. This model differs from probable data possessions scheme as it is only effective when malware attacks huge amounts of data. Hence, it is not appropriate for small data vendors.

It is important to understand that the probable data possessions scheme protocols may be verified either privately or publicly. That which is verified privately means that it is only the owner who has the key that can be used to verify the encoded data. However, the proof of retrievability utilizes a cryptographic approach based on the challenge response protocol such that the price of data can be deemed retrievable without the need to retrieve it from the cloud. The owner of the data must possess the hash values so that the cloud investigation can be done using the hash computation function.

As mentioned earlier, one of the remarkable features of cloud computing is its associated virtually infinite storage. Kannan (2016) further emphasizes the need for a proof of ownership. In such a manner, the client proves ownership of that file that is outsourced by the client from the server. Such a notion differs from probable data possessions scheme and proof of retrievability in the sense that these two need to be embedded in some secret key in the file before it is outsourced. The client can hence check with the cloud server for accuracy by asking for the secret and comparing with the one they have. It is important to underscore the fact that the proof of ownership scheme is more effective when there is a need to save the storage by duplication.

The basic idea behind the proof of ownership is the collision resistance hash functions as well as merkle hash tree. It is for this reason that it is able to send the file called verifier to the cloud which is further divided into bits by the user of pairwise independent hash. Kannan (2016) developed a cloud storage infrastructure that covers the issues of availability, reliability and security. The underlying technique for this storage method is the identifiers that are configured during the encryption process. Also, the owner of the data has a master security key that they can use to create other security keys for different classes of data as well as for all the classes of the cipher text.

It is important to underscore the fact that the proof of ownership approach utilizes deduplication techniques. They play a key role in reducing the size of the data to be stored and eventually cut on the storage expenses. Nevertheless, despite this benefit, it has its own security weaknesses. Hence, the adversary in possession of an unauthorized downloaded file via the hash may undermine cloud server efficiency and more importantly mobile device efficiency. A security infrastructure that enables the users to collaboratively edit the latest version of the documents and as well synchronize them in the smart mobile devices is necessary.

Methodology

The main objective of this research will be to conduct a study in various organizations that use cloud computing to find out how secure their data is when using the system. Conducting this study will help to create a very strong basis for a wider full scale study on the security and integrity of organizations using cloud computing in their operations. Employees and managers from these organizations will be the ones who will be involved in the study to facilitate an in-depth exploration about the application of cloud computing. The other people that will also be involved in this study are the vendors who provide the cloud computing services to various organizations.

Research design Approach method

Quantitative Research

The paper is going to use quantitative approach methodology to collect the relevant required data. This means that we are going to use mathematical or scientific data to help us in understanding the various limitations of cloud computing (Creswell & Creswell, 2017). The researcher will for example carry out surveys concerning the limitations of cloud computing with an aim of predicting the consumer demand. This approach will provide the research with hard numbers which will be useful in making decision about the project at hand (Punch, 2013). Most of the time, the quantitative research usually uses deductive logic meaning researchers usually start with the hypotheses after which they start collecting data that will help in determining whether empirical can produce evidence to support the existing hypothesis.

Reason for choosing Quantitative Approach

The quantitative approach will help the researcher to focus on the results from a large number of people, instead of just focusing on individuals. This method will also help the researcher to tackle the various research questions in the project and also help to prove the research hypothesis (Frels & Onwuegbuzie, 2013).

Research Design

The research study is going to use the case study design method. It is an empirical inquiry that usually investigates a contemporary phenomenon that is within its real-life context especially when the boundaries between the context and phenomenon seem unclear; and also where there is the usage of multiple sources of evidence to be used (Creswell & Creswell, 2017). This type of method usually emphasizes on detailed contextual analysis of very limited number of conditions or events together with their relationships. The research object when using case study research design is usually a group of people, a program, a person, or an entity.

The object of this case study which is cloud computing will be investigated in depth through the use of different data gathering methods that will help in the production of enough evidence. The evidence produced will help in the understanding of the case and consequently also help to answer the main research questions. The use of multiple techniques and sources when gathering data is usually the key strength of using the case study method. Use of case study method to build upon theories is now being applied by many researchers. The case study method is often used for challenging, producing or disputing a theory (Kumar & Phrommathed, 2005). Apart from being applied in theories, the case study method can also be used in exploring or describing phenomenon or an object, providing a basis to solutions to certain situations.

The main advantages of the case study design method are that it can be applied to human, real-life and contemporary situations. It can also be easily accessed by the public through written reports. Finally, the last advantage about using the case study design method is that the results usually relate directly to the common readers everyday experiences. The case study also helps in facilitating an understanding of real-life situations that are complex.

Participants

The research will mainly target organizations and institutions that host their servers on the cloud. The people that will be targeted in these organizations will be the employees and managers. The research will especially target the ICT department in each of the organizations that will be investigated. The other groups that will be targeted are the vendors who offer the cloud computing services. The research will seek to know the various vulnerabilities that exist in the current cloud computing infrastructure with an aim of suggesting changes.

Instrumentation

The research will use questionnaires, observation and interviews when it comes to collecting data from the relevant participants in the research. The research will also use the relevant accessible online resources concerning cloud computing. The other method that will be used in gathering or collecting data is through conducting intrusion and testing experiments on the cloud computing system to see establish how secure it is.

Sampling Strategy

The study will focus on a number of managers and employees in different organizations and institutions. Taking data from different employees and managers in different institutions will greatly help in collection of data that will be representative and comprehensive. This research is going to target about three organizations that use the cloud computing services and also target two cloud computing vendors that provide such services. The target of different vendors and organizations will help in the collection of data that is detailed and also has enough information concerning cloud computing.

Data Collection Procedure

The study will first of all start by conducting interviews from both the organizations and the employees. Questionnaires will also be distributed to the relevant participants in the research. Open questionnaires will be used in the study to help in the collection of data from the managers and employees. Open questionnaires will help in collecting what exactly is in the minds of the participants concerning cloud computing systems (Kothari, 2004). The study will also use observation whereby we will visit the various websites hosted on the cloud to see how easy it is to access the information. We will also seek permission from organizations to carry out an intrusion test on their website. Laboratory experiments will also be tried through setting up an imaginary organization in order to host it on the cloud platform.

Methods

Interviews

Interviews are usually the primary method that researchers use when it comes to data collection. Interviews are normally very descriptive because of their ability to identify the in-depth issues through a holistic perspective. Interview will be a very important part in this research project as it will provide the researcher a great opportunity in doing some further investigation about cloud computing. This research will use semi structured interview approach as it will help in delving deep into the background of the participant something that will provide flexibility to explore and probe more about any themes (Kothari, 2004).

Focus Groups

This combination of multiple methods will help in adding something unique to the researchers understanding in a particular phenomenon. This kind of approach probably relates to the ethnography that is usually a blend of observation and interviewing. The approach is very useful when it comes to the addition of various perspectives in the collected data because of the cascading effect of discussions (Kumar & Phrommathed, 2005).

Sampling

The research will use purposive sampling in the study as it is the best to apply when conducting qualitative investigation. Using this method means that the number of people interviewed is not that important rather it is the criteria being used that matters. The three methods of sampling include; theoretical, convenience and judgment.

Data Analysis

The study will use microanalysis to analyze the data collected. The data will be analyzed by the researcher immediately gathered and also coded into the probable emergent themes on the judgment of the researcher. The researcher will also back up the collected data with some literature review. The research study will also use QSR NVIVO to analyze and transcribe the interviews. The node feature in the software will also be utilized to develop central themes and perform coding.

Summary

The method used in this research study will be very helpful in answering the various research answers. The methodology will also help us to prove the hypothesis of the research study.

References

Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information sciences305, 357-383.

Allen, W. (2016). Data Security, Privacy, Availability and Integrity in Cloud Computing: Issues and Current Solutions. Florida Institute of Technology.

Creswell, J. W., & Creswell, J. D. (2017). Research design: Qualitative, quantitative, and mixed methods approaches. Sage publications.

Fernandes, D. A., Soares, L. F., Gomes, J. V., Freire, M. M., & Inácio, P. R. (2014). Security issues in cloud environments: a survey. International Journal of Information Security13(2), 113-170.

Frels, R. K., & Onwuegbuzie, A. J. (2013). Administering quantitative instruments with qualitative interviews: A mixed research approach. Journal of Counseling & Development91(2), 184-194.

Hwang, K., & Chen, M. (2017). Big-Data Analytics for Cloud, IoT and Cognitive Computing. Hoboken, NJ; Chichester, UK: John Wiley et Sons.

Kannan, R. (2016). Managing and processing big data in cloud computing. Hershey, PA: Information Science Reference.

Khorshed, M. T., Ali, A. S., & Wasimi, S. A. (2012). A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing. Future Generation computer systems28(6), 833-851.

Kothari, C. R. (2004). Research methodology: Methods and techniques. New Age International.

Kumar, S., & Phrommathed, P. (2005). Research methodology(pp. 43-50). Springer US.

Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud computing—The business perspective. Decision support systems51(1), 176-189.

Punch, K. F. (2013). Introduction to social research: Quantitative and qualitative approaches. sage.

Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.

Shi, Y. (2017). Provenance based data integrity checking and verification in cloud environments. PLOS. PMC5435237.

Trovati, M. (2016). Big-Data Analytics and Cloud Computing: Theory, Algorithms and Applications. Cham: Springer International Publishing.

Tu, T., Rao, L., Zhang, H., Wen, Q., Xiao, J. (2017). Privacy-Preserving Outsourced Auditing Scheme for Dynamic Data Storage in Cloud. Security and Communication Networks.

Wei, C. (2015). Modern Library Technologies for Data Storage, Retrieval, and Use. Hershey, PA: Information Science Reference.

Yi, M. (2017). Efficient integrity verification of replicated data in cloud computing system, ACM Digital Library.