See discussions, stats, and author profiles for this publication at: [Link]

net/publication/228319527

Securing Cloud Computing

Thesis in SSRN Electronic Journal · April 2011

DOI: 10.2139/ssrn.1989519

CITATIONS READS

0 957

1 author:

Aiman Athambawa
Sri Lanka Institute of Advanced Technological Education
9 PUBLICATIONS 15 CITATIONS

SEE PROFILE

All content following this page was uploaded by Aiman Athambawa on 27 November 2018.

The user has requested enhancement of the downloaded file.

 A dissertation submitted in partial fulfilment of the requirements for the University of Greenwich
Masters Degree in Computer forensic and system security

SECURING CLOUD COMPUTING

Name: Aiman Athambawa

Student ID: XXXXXXXXX

Programme of Study: MSc Computer forensic and system Security

Date Proposal Submitted: 06/06/2010

Project Hand In Date: 30/04/2011

Supervisor: Dr. Xiangdong Xue

STUDENT PLAGIARISM DECLARATION

I hereby declare that the work submitted for assessment is original and my own work, except where
acknowledged in the submission.
Signed: Aiman Athambawa Date: 30/04/2011

1
Abstract
Cloud computing is the latest buzz words in computing. There is significant excitement about
Cloud computing and this has been building up over the past few years. Cloud computing
offers several great benefits which include cost savings and easy access to state of the art
resources, however when considering deploying critical applications and sensitive
information to a public cloud environment, security concerns are a big challenge. Recent
study has shown that security, privacy and legal issues are the main obstacles to the adoption
of cloud services. This thesis looks at how a cloud service user can constantly place a check
on the cloud service provider with respect to data security and in cases where there has been a
breach of security agreement, how these breach can be traced using forensic tools by the
provider. We implement a virtual environment to showcase our proposed solution and
configure security and test out deployment using a forensic tool (Forensic Tool Kit)

2
Acknowledgement

I consider it an honour to present this dissertation as a student of MSc in Computer forensic

and system security of the School of Computing and mathematical Science, University of
Greenwich. I convey my deepest thanks to the school for giving me this wonderful
opportunity.

I express my special thanks to:

 Dr. Xiangdong Xue, who has been my supervisor for this project. He was guiding me
to complete it in a correct way. He was always there to help me out from the
beginning to end.
 Dr. Mona Ghassimian, the senior lecturer, who involve more on cloud based system
when i was reading second semester and encourage me to focus on different
virtualization techniques. She was arranged guest lecturers who work in cloud based
companies.
 Dr. Dimitrios Frangiskatos, the senior lecturer, who taught me many aspects of
System security and computer forensic techniques. He serves me as the programme
leader of my course.
 My father, Mr. Shahul Hameed Athambawa, Encourage me to study further from my
Bachelor’s degree to Master’s Degree. He makes me up with wishes when i succeed
and giving hope when i fail on something.
 My mother, Mrs. Ummul Varitha, She is like my father. She always makes me a star.
 My Friend, Mr. Ummar Sheriff, He is helping and supporting me a lot on my studies
like a mentor.
 My Brothers and sisters, they always keeping me busy with my studies and helping
out my personnel day to day stuff.
 My other friends, who have encouraged me when I lacked confidence.
 Above all to GOD, who works through me as he does through all of us!

3
Table of Contents
1 Introduction ........................................................................................................................ 7

1.1 Introduction ................................................................................................................. 7

1.2 Motivation ................................................................................................................... 8

1.3 Research Objectives .................................................................................................... 8

1.4 Report Organisation .................................................................................................... 9

2 Background ....................................................................................................................... 11

2.1 Introduction ............................................................................................................... 11

2.2 The Emergence of Cloud Computing........................................................................ 11

2.3 What is a Cloud? ....................................................................................................... 13

2.4 Basic Concepts .......................................................................................................... 13

2.5 Deployment Models .................................................................................................. 15

2.5.1 Private Clouds .................................................................................................... 15

2.5.2 Community Cloud .............................................................................................. 15

2.5.3 Public Cloud....................................................................................................... 16

2.5.4 Hybrid Cloud ..................................................................................................... 16

2.6 Cloud Services Delivery Model ................................................................................ 18

2.6.1 Infrastructure as a Service (IAAS) ..................................................................... 18

2.6.2 Platform as a Service (PaaS) .............................................................................. 18

2.6.3 Software as a Service (SaaS) ............................................................................. 19

2.7 Benefits...................................................................................................................... 21

3 Literature Review ............................................................................................................. 23

3.1 Cloud Computing Marketplace ................................................................................. 25

3.1.1 Amazon Web Services (AWS) .......................................................................... 25

3.1.2 Microsoft Azure Services Platform ................................................................... 26

3.1.3 Google ................................................................................................................ 26

3.1.4 [Link]/ [Link] ................................................................................ 27

4
4 Design Analysis ................................................................................................................ 28

4.1 Introduction ............................................................................................................... 28

4.2 Cloud Computing Risks ............................................................................................ 28

4.3 Top Threats to Cloud Computing.............................................................................. 29

4.4 Forensic Analysis of Cloud Services ........................................................................ 30

4.5 Digital Forensic Challenges within the Cloud Ecosystem ........................................ 31

4.6 Proposed Solution/ Design ........................................................................................ 32

4.7 Software Components ............................................................................................... 33

5 Implementation ............................................................................................. 34
5.1 Introduction ............................................................................................................... 34

5.2 Solution Design ......................................................................................................... 34

5.3 Setup & Configuration .............................................................................................. 35

6 Conclusion .................................................................................................... 43
6.1 Future Work .............................................................................................................. 44

5
Table of Figures
Figure 2.1: Cloud Computing Market Landscape.................................................................... 17

Figure 2.2: Architecture for relevant technologies .................................................................. 22

Figure 4.1: Proposed Solution Architecture............................................................................. 32

Figure 5.1: Design overview .................................................................................................... 34

Figure 5.2: VMware server configuration overview................................................................ 36

Figure 5.3: Booting up Astaro virtual machine ....................................................................... 38

Figure 5.4: Astaro web interface .............................................................................................. 38

Figure 5.5: Astaro security configuration overview ................................................................ 39

Figure 5.6:Astaro Network Security Statistics......................................................................... 40

Figure 5.7: Astaro Network Security Statistics 2..................................................................... 40

Figure 5.8: Astaro Logging system .......................................................................................... 41

Figure 5.9: FTK running forensic analysis on the server logs ................................................. 42

6
CHAPTER 1

1 Introduction
1.1 Introduction
As we blaze on in this jet age where speed and time are key concern to everyone especially in
the IT industry, technological advancement has come to help us make work and living easy
by affording tangible products and also services that helps us undertake various task in more
organised and easy way. These products and services help us keep pace with major logical
and technical challenges we face daily; and as a result makes work easier, faster, cheaper, and
better. Amongst these services is cloud computing.

The idea of cloud computing is more of a combination of many technologies rather than a
single technology. Its element mirrors the earlier computing eras, but differs in that it
incorporates advances in virtualization, storage, connectivity, and processing power to
synthesize modern technical ecosystem for cloud computing. Many organizations including
private sector, public sector, and the governmental organization are moving their data to the
cloud via cloud service providers amongst which are: Microsoft, VMware, Google, Amazon
etc due to the huge benefits it offers ranging from flexibility, scalability, centralized data
management, cheap in terms of cost, no down time or infinitesimal down time, and most
importantly the architecture stresses on the benefits of shared services over isolated products;
thus increasing the adoption of cloud computing services. This project focuses on the private
cloud infrastructure deployment, and how the service renders security of data because
moving data to the cloud, to a large extent exposes users of this cloud service to privacy
attack by hackers. However, one of the branches of this project focuses on ways in which
these data stored in the cloud is kept secured. Cloud computing as a matter of fact has come
to make productivity quite easier by offering users of these services the ability to stay
connected and at the same time maintain essential security and control required. This gives
everyone a better platform and endless ways to work and collaborate from anywhere,
anytime, and on variety of devices.

7
1.2 Motivation
Owing to the fact that cloud services could either be a public cloud service or a private cloud
service; whichever the case maybe, we adopt this service base on the many benefits it
promises but not really putting into consideration the fact that as we adopt cloud services,
confidential data is outsourced in a sense, this therefore raises the question of data protection,
as data protection policies varies in different countries. Many cloud service providing
organisations may not even have proper controls in place in terms of security, hence we only
hope that our data is kept secured based on trust and also when in transit as we call for them.
This piece of work looks at how a cloud service user can constantly place a check on the
cloud service provider with respect to data security through auditing, and in cases where there
has been a breach of security agreement, how these breach can be traced using forensic tools
by the provider.

Similarly, there has been a slow adoption of cloud service as a result of issues arising base on
security of data in the cloud; hence this piece of work in a sense has come to present the
concept of cloud computing not just as migration, but as transformation. It’s just like saying
the aim of marriage is not just to change your surname but more so for companionship.

It is important to draw to mind the fact that we are still in the early stage of cloud adoption
owing to the fact that transferring one’s organisation’s sensitive data to a third-party cloud-
based vendor raises serious security concerns we can’t really overlook; amongst which is
untraceable data breaches. Unto this end, we shall deploy the cloud infrastructure in a
virtualized environment for the sake of this project.

1.3 Research Objectives

The basic aim of this project is to unfold technical ways that will inevitably ensure adequate
security of cloud service user’s data by implementing auditing against the SLA the cloud
service providers offer during the inception of the contract, amongst others; and also using
some forensic tools to trace data security breach at the cloud service provider’s end when
such incident(s) present themselves.

Due to the fact that Cloud computing is a service, the infrastructure upon which this piece of
work shall be demonstrated will be a virtual environment for the sake of cost and also saves
space. The project went through the following stages:

8
  Create cloud environment and providing security on it. The platform for the scenario
will be virtual PCs for creating small server- client architecture or alternatively, cloud
server and use the web browser as the client.
 Monitoring security threats channelled to the cloud architecture
 Performing audit on cloud environment from client site.
 Using forensic tool(s) to perform forensics on cloud environment from client site.
This project is concerned on how to provide a secure cloud service by unveiling some
technical ways to keep the cloud service and architecture safe from being compromised and
the data that resides in the cloud service providers domain safe as well from hackers. In
addition, to be able to trace breaches with forensic tool in cases where data is being
compromised.

1.4 Report Organisation

This report is organized as follows:

Chapter 1 – The general introduction to Cloud and the overview of the project work.

Chapter 2 – This chapter presented a general overview of the concept of cloud computing,
providing insight into the emergence of cloud computing, the basic characteristics that are
required for cloud services, the different deployment models and service models of cloud
computing and then concludes with the benefits of adopting cloud services.

Chapter 3 – Literature review of the existing services and technology, background study of
the subject matter and the functionality of Cloud Computing. The literature review affords
insight into what the project entails and its relevance with respect to previous works on the
project. A review of previous literatures on the topic is treated here with emphasis on the
problems encountered, how to solve them and the best option among alternatives. This
chapter also covers the cloud computing marketplace, presenting the early developers of
cloud services such as Amazon, Google etc.

Chapter 4 –This chapter first looks at the security challenges in adopting cloud services and
proceeds to present the proposed architecture that provides for securing cloud services and
carry out forensic analysis on the cloud. In simple term(s), a design overview is afforded
here, detailing the initial design of the system

9
Chapter 5 – Implementation and testing of design, functionality and interoperability of
functional parts. This chapter affords details regarding the implementation of the system. The
final architecture design is unveiled in detail, with justification for certain decisions. The
details of system testing are found here, including the methodology that was used in the
testing. The results obtained from the above testing will also be discussed and finally

Chapter 6 – Conclusion, recommendation and limitations of the project. This chapter sums up
all aims set out in the introduction, it indicates if the overall aims of the project have been
met, and if the system was as it was expected. Considerations for future research are also
included in this chapter.

10
CHAPTER 2

2 Background
2.1 Introduction
With the excitement about Cloud computing that has been building up over the past few years
and the general hype surrounding the idea. One cannot help but be curious about what this is.
However, to any curious persons understanding, there is a general consensus to agree to
disagree on what cloud computing is. If one goes on to ask ten different professionals, you
tend to end up with ten different answers. You are left wondering what all the hype is about
this new fad.

In 2008, Oracle CEO Larry Ellison had to comment on this hype but indicating that the term
was overused and poorly applied. He said to a group of Oracle analysts that “The computer
industry is the only industry that is more fashion-driven than women’s fashion,” [1]

I believe that this general excitement around cloud computing is due to the obvious
emergence of a new model of computing in the IT world which is a very big deal.

2.2 The Emergence of Cloud Computing

Cloud computing evolved via a number of phases such as grid and utility computing,
application service provision and software as a service. However, the concept of cloud
computing is rooted in the sixties. [2]

In 1961, a professor at MIT called John McCarthy presented the concept of computing as a
utility which is similar to that of electricity. Then in 1969, J. C. R Licklider who later went
ahead to develop the basis for the ARPANET, presented the idea of an “Intergalactic
computer network” at ARPA and Bolt, Beranek and Newman (BBN). He stated that, “If such
a network as I envisage nebulously could be brought into operation, we could have at least
four large computers, perhaps six or eight small computers, and a great assortment of disc
files and magnetic tape units—not to mention remote consoles and teletype stations—all
churning away.” The combination of the utility computing concept by McCarthy and a large
scale network by Licklider provided the foundation for the future development of cloud
computing. [3]

11
The arrival of [Link] in 1999, heralded one of the first milestones for cloud
computing. [Link] brought to reality the concept of enterprise applications being
delivered via a simple website. This then led software firms to deliver applications over the
internet. Then in 2002, Amazon web services was developed and provided a suite of a variety
of cloud-based service which ranged from computation to storage. In 2006, they then
launched the Elastic compute cloud (EC2) which was a commercial web service that allows
for renting of computers on a pay by the hour basis. According to Jeremy Allaire, CEO
of Brightcove, "Amazon EC2/S3 was the first widely accessible cloud computing
infrastructure service".

In 2009, a major mile stone in cloud computing was reached when Google and other began to
offer browser-based enterprise application, for example Google Apps. One key contributor to
the evolution of cloud computing has been the maturing of virtualization technology. Another
being high speed bandwidth. [2]

According to Irving Wladawsky-Berger of IBM over the hype around cloud computing in his
blog titled Cloud- the Emergence of a New Model of Computing, he said “In my opinion, the
key piece of the puzzle that has brought it all together and is giving us unmistakable signals
that a new computing model is indeed emerging, is the explosive rise of intelligent mobile
devices, such as BlackBerrys, iPhones, Web-capable cell phones of all kinds, e-book
devices and netbooks. Beyond them, is the even larger number of sensors and other digital
technologies that are being embedded into myriads of things in the physical world, like cars,
appliances, medical equipment, cameras, roadways, pipelines, pharmaceuticals or livestock.
These are bringing together the world’s digital and physical infrastructures and giving rise
to all kinds of new, smart applications.” [4]

12
2.3 What is a Cloud?
With all the hype around cloud computing and the general consensus on the lack of unifying
definition of a cloud, I will attempt to draw from the knowledge of several experts in this
field in order to provide a general overview of what a cloud is.

Peter Mell and Tim Grance of the National Institute of Standards and Technology (NIST)
Information Technology Laboratory, presented a paper titled “Effectively and Securely Using
the Cloud Computing Paradigm,”[3] In an October, 2009 . They defined cloud computing as:

“…a model for enabling convenient, on-demand network access to a shared pool of
configurable and reliable computing resources (e.g., networks, servers, storage, applications,
services) that can be rapidly provisioned and released with minimal consumer management
effort or service provider interaction.” [3]

Marks & Lozano in Executive’s guide to cloud computing defined it as “… a type of

computing that provides simple, on-demand access to pools of highly elastic computing
resources. These resources are provided as a service over a network (often the Internet), and
are now possible due to a series of innovations across computing technologies, operations,
and business models. Cloud enables the consumers of the technology to think of computing as
effectively limitless, of minimal cost, and reliable, as well as not be concerned about how it is
constructed, how it works, who operates it, or where it is located.” [5]

2.4 Basic Concepts

There are various definitions of Cloud Computing in the industry, with the different sources
opting for definitions that suit their agenda. However, at the core, the concept of Cloud
Computing is based on these five essential characteristics according to National Institute of
Standards and Technology (NIST) Information Technology Laboratory.

Scalable (Aggregate): Scalability refers to the property of a system or service whereby an

increase in resources leads to a proportion increase in performance. Scalability can be
implemented vertically and horizontally in centralised and distributed systems. Vertical
scaling involves increasing the size and capacity of resources while horizontal scaling
involves adding a particular resource. Replicating a database across several servers to
improve performance is an example of horizontal scaling in cloud computing. [3]

13
Elasticity: This refers to the capability of cloud services to expand and reduce in order to
handle fluctuations in demand for resources. This is an essential feature required in IT
systems as the traditional infrastructure are setup to scale up or down in order to deal with
changes in demand. Hence the typical solution is to over-allocate resources leading
underutilization of the total resources. Therefore elasticity is vital capability required in
cloud services in order to allow for scaling up or down automatically without extra effort. [5]

On-Demand Self-Service: This is a characteristic of cloud computing whereby a user can

setup and use a cloud service with human interaction with the cloud service provider and can
gain access to the computation power and storage they require. This eliminates the use hassle
experienced in the traditional IT model where any need for increased capacity requires going
through the usual bureaucracy such as budgeting, acquiring the equipment, deploying,
training etc. However, with self-service, acquiring this infrastructure is as simple as ordering
a gift online. [5]

Ubiquitous Access (Services and More):

Ubiquitous access is another trait the cloud inherited from its web ancestry. Ubiquitous
access refers to the concept whereby all of an entity’s capabilities are open and accessible
from anywhere using any supported device or service (application). Cloud computing is an
enabling force in service ubiquity both within and without the enterprise. [5]

Complete Virtualization:
The lack of mature tools and skilled personnel saw the early era of widespread adoption of IT
resource virtualization end up complicating IT operations which lead to the ‘VM sprawl’ [5].
The missing component in this era was the lack of a seeming transparency of the
infrastructure components – to act as one from the view of software developers and
operational groups. That is to say, irrespective of the degree of scaling of a particular cloud,
the simplicity of working with it does not change i.e. it stays easy to operate and easy to
develop applications for as if it was a single server. This is what complete virtualization is.
[24]

14
Other Common (though Nonessential) Characteristics

The previous characteristics are essential to any cloud deployment project; however the
following characteristics are optional though quite important.

 Measured Service (By the Drink)

 Multiple Tenants:
 Multiple Applications
 Scalable (Individual Applications)
 Reliable [5]

2.5 Deployment Models

2.5.1 Private Clouds

Private clouds or sometimes known as Internal clouds refers to IT resources and services
which are owned/leased, operated, and presumably restricted to a particular organization. [5]
NIST describes a private cloud “as a cloud infrastructure operated solely for an
organization, managed by the organization or a third party and existing either on premise or
off-premise. The private cloud is typically hosted within the boundaries of the owner
organization”. [3] One might perceive the concept of private cloud to be an oxymoron, in the
sense that clouds are meant to be shared but it can be seen that certain situations arise where
an organisation may choose to build and manage their own cloud. [5] As a result the
organisations have to buy, build and maintain these clouds and do not benefit from the cost
savings and less hands-on approach offered by public clouds. On the other hand, the private
cloud is dedicated to a single organisation hence the security management and day-to-day
operation of hosts are handled by the organisation and established security standards, policies
and regulatory compliance can be enforced. [6]

2.5.2 Community Cloud

A community cloud refers to a deployment model that conceptually lies between a private
cloud and a public cloud. It refers to a cloud deployment that is built and managed by several
organisations. [3]

15
2.5.3 Public Cloud
A public cloud is a cloud computing deployment scheme that is hosted, operated and
managed by a third party cloud services vendor and is open for use by the general public. The
general public refers to either individual users or corporations. [3] With public clouds, day to
day operations and management is handled by the third party cloud services vendor, which
leaves the customer with little to no control over the physical and logical security of the
cloud. [6] Public clouds are an economically viable option for organisations as it provides
immediate cost savings. This is due to the fact that cloud implementations remove the burden
of maintaining IT infrastructure from the organisation and provides access to state of art
resources without the crippling capital investment cost. [3] The type of clouds available were
mostly public clouds such as Amazon, Google and Salesforce and they tend to focus on
providing services on particular layers. For example, Amazon focuses on providing
Infrastructure based services, while Google and Salesforce focus on application based
services. [5]

2.5.4 Hybrid Cloud

A Hybrid cloud as the name implies, is a combination of any/all of the other types of clouds
i.e. internal or external. It is defined by NIST as “a composition of two or more clouds
(private, community, or public) that remain unique entities but are bound together by
standardized or proprietary technology that enables data and application portability (e.g.,
cloud bursting for load-balancing between clouds). [25] Hybrid cloud differs from other
cloud deployments due its use of cloudburst. Cloudburst refers to an application running
predominantly in a private cloud but can also run in the public cloud and can be used to adapt
to capacity expansion when needed. A typical example of a hybrid cloud deployment is
found when an organisation runs its non-critical applications on the public cloud and its
sensitive applications on the private cloud. [3]

This deployment approach provides an organization with the flexibility to utilize the best
tools when required, while adapting to deal with the increasing complexity. [5], [3]

16
Figure ‎2.1: Cloud Computing Market Landscape

17
2.6 Cloud Services Delivery Model
The cloud services delivery model commonly referred to as SPI is made up of three major
layers–the cloud infrastructure (commonly known as Infrastructure as a Service, or IaaS),
cloud application platform (commonly known as Platform as a Service, or PaaS), and cloud
application (commonly known as Software as a Service, or SaaS) layers. The following
section presents an overview of the different layers. [6]

2.6.1 Infrastructure as a Service (IAAS)

The National Institute of Standards and Technology (NIST) defines IaaS as: “The capability
provided to the consumer is to provision processing, storage, networks, and other
fundamental computing resources where the consumer is able to deploy and run arbitrary
software, which can include operating systems and applications. The consumer does not
manage or control the underlying cloud infrastructure but has control over operating systems,
storage, deployed applications, and possibly limited control of select networking components
(e.g., host firewalls).” The benefits of adopting IaaS are just like that of SaaS and PaaS, in
that they provide smaller organizations access to enormous computing power without the
capital expenditure and risk involved with it. [26]

The adoption of the IaaS model is mostly done in conjunction with both the PaaS and SaaS
models and together, they offer a very good level of scalability that can swiftly respond to
change in any dimension of a business practice in a way that conventional IT infrastructure
cannot.
There exist a broad variety of IaaS service providers ranging from data centre centric cloud
infrastructure service providers (such as Sun, Oracle, IBM etc), data storage centric service
providers (such as Dropbox and Amazon Simple Storage Service) and full-fledged IaaS
service provicedrs such as Amazon Web Services and Rackspace. [5], [3]

2.6.2 Platform as a Service (PaaS)

The National Institute of Standards and Technology (NIST) describes PaaS as follows: “The
capability provided to the consumer is to deploy onto the cloud infrastructure consumer-
created or acquired applications created using programming languages and tools supported by
the provider. The consumer does not manage or control the underlying cloud infrastructure
including network, servers, operating systems, or storage, but has control over the deployed
applications and possibly application hosting environment configurations.” [27]

18
In other words, the PaaS model can be said to be a kind of SaaS model but where the service
provided is a software development and deployment environment. In most cases, this
provided service includes a software development kit which interfaces with the service
provider’s deployment environment, pre-configured domain names, dynamic and scalable
application hosting environment, etc. Hence, the PaaS proposition offers software application
developers a more reliable and scalable service with a lower total cost of ownership (TCO)
with attendant lower cost of entry. Examples of PaaS service providers include the Google
App Engine and Windows Azure. [30]

There are a variety of PaaS service offerings ranging from a full suite consisting of
application development tools with provision for testing and deployment. However, the
service can also be smaller and more targeted to a specific area for instance – content
management. Moreover, the key element that qualifies a platform to be a PaaS includes the
presence of:
1. A Monitoring system for applications resource management.
2. An integration mechanism for the customer’s application software with other cloud-
based services e.g. databases, firewalls, etc.
3. A multi-tenancy system which can accommodate a good number of customers
(software developers) simultaneously.
4. A scheme to allow for collaboration between the stakeholders (service providers,
developers, and users) via the cloud.
5. A basic provision of security, reliability and privacy for all applications
6. A browser based interface for developers to access their accounts and software
deployments. [5] [3]

2.6.3 Software as a Service (SaaS)

The National Institute of Standards and Technology (NIST) (an agency of the U.S.
Department of Commerce) defines the cloud’s Software as a Service (SaaS) model as “The
capability provided to the consumer is to use the provider’s applications running on a cloud
infrastructure. The applications are accessible from various client devices through a thin
client interface such as a web browser (e.g., web-based e-mail). The consumer does not
manage or control the underlying cloud infrastructure, including network, servers, operating
systems, storage, or even individual application capabilities, with the possible exception of
limited user-specific application configuration settings.” [7] Moreover, [8] describes the SaaS

19
delivery model as “well-defined applications offering users online resources and storage. This
differentiates SaaS from traditional websites or web applications which do not interface with
user information (e.g., documents) or do so in a limited manner.”[9]
From these definitions, the SaaS cloud delivery model can simply be said to be a solution
whereby a service provider delivers software services to consumers on demand via a
licensing model. Usually, the service provider caters for the hosting of the service while the
consumer accesses the service using an authorized predefined interface – usually a web
browser. The SaaS model is a big departure from conventional methods of acquiring software
which often involved purchasing, shipping and then installation when the product arrives at
the customer’s destination. In the SaaS model, the customer is billed for access to the service
in a ‘pay-as-you-go’ model or through a subscription model unlike the inflexible payment
model for conventional delivery. [28]

Furthermore, with the SaaS model the consumer no longer has to deal with compatibility
issues with hardware, software or operating systems. Also, getting updates is now
instantaneous with little or no need for client premise support or maintenance. Other benefits
of the SaaS model include minimal installation requirements and software rollout
simplification. To the service provider, the SaaS model provides increased control of the use
of its products (in terms of licensing) and also patch and upgrade management control. A
good example of SaaS is the Google App suite which provides customers with word
processing and email services. [5], [3]

20
2.7 Benefits
The rapid adoption of cloud computing is as a result of the benefits it offers. Some of these
benefits include:

Reduction/ Maximization of IT Cost

The adoption of cloud computing can provide an organization with means for reducing IT
infrastructure costs and offering ways to maximize the available IT capacity through a variety
of schemes. For instance, cloud computing can avail an organisation with ‘pay-as-you-go’
capacity such that they only pay for what they need and when they need it. This also
eliminates unnecessary capital expenditure with the associated cost of maintaining an
extensive IT infrastructure. Cloud computing affords organisation a reduced cost of operation
since operations can easily be centralized when virtualized thereby requiring less IT resources
in terms of software, hardware and peopleware. [29]

More Efficient IT Asset Utilization

Cloud computing provides leverage for storage and infrastructure virtualization which can
significantly improve server and storage utilization to the tune of 50-65% [5]. Such asset
utilization reduces the associated fixed overhead cost, maintenance cost and the total number
of staff required to manage the assets. Furthermore, cloud computing can allow an
organization easily decouple its IT infrastructure and assets in such a way that makes
outsourcing seamless so that IT staff can focus on more strategic aspects of the organization
which leads to a better return on people assets.

Business Agility

To a large extent, the adoption of cloud computing in a business can shed some weight of the
business to leave room for flexibility in the business model. When cloud models such as
infrastructure as a service (IaaS), platforms as a service (PaaS) or software as a service (SaaS)
are adopted by a business, the business is given the freedom to easily react to market changes
without its infrastructure holding it back. In addition, the business can easily experiment with
infrastructure or service architectures without costing it so much money or time. [5]

21
Figure ‎2.2: Architecture for relevant technologies

22
CHAPTER 3

3 Literature Review

The focus of this chapter is to explore existing literature of previous works on the subject
matter with regards to this thesis. It examines previously related technology schemes and
methods involved in keeping data secured, thereby stating areas of variation as opposed to
that of the project.

In a world where loss of confidential or sensitive data could expose one to the risk of fraud or
copyright breaches and also the reputation of an organisation could be directly affected.
Judith Hurwitz et al[13], presents a better storage in terms of capacity and security to an
extent, compare to the old scheme of storing data using magnetic tapes (e.g. as in floppy
drives), Hard disk, and mainframe. The piece of material gives an in depth knowledge of the
concept of cloud computing, and also explores the benefits of cloud services such as
scalability via dynamic i.e. "on-demand" purveying of resources on a fine-grained,
establishment where customers serve themselves near real-time, without the users having to
mastermind for peak loads; Performance, maintenance, scalability amongst others. It looks at
cloud computing beyond just being a service sitting in some remote data centre; but as a set
of approaches that can help organisations quickly do some mathematically additions and
subtractions of resources in almost real time. It also channelled it’s write-up on the business
impact, the economics of the cloud, and how to develop cloud services strategy.

Zaharia et al. [10] presented LATE, a kind of scheduling algorithm which is used to handle
heterogeneity in a data center environment. This algorithm LATE attempt to schedule tasks
according to the longest approximate time to completion. The approximation relies on the
heterogeneity of the nodes and the gradual improvement of the task. The work presented in
[10] could potentially be extended to schedule tasks in an edge based cloud where it involves
latency and node bandwidth in the required approximate time for completing calculations. In
a nutshell, projects demanding cloud computing concepts, such as the ones that drive the
MapReduce programming model, directly to edge networks is sparse and this sphere of
research is still modern and so in a stage of early development.

23
Eric A. Marks et al, looks at the best place to begin with cloud computing by considering
some of the developments that are not only enabling the practical adoption of cloud
computing, but in turn will be themselves driven by that same adoption. The author(s) admit
to the fact that over the next 5 to 10 to 15 years, some changes are more or less inevitable
such as: ‘The decline and fall of the near-monopoly of the relational database—it will no
longer dominate and simply be assumed; rather it will be relegated to relatively modest to
mid-sized and legacy use cases’[12];’The nature of archiving, disaster recovery, and
geographic distribution will fundamentally change—archiving and disaster recovery will be
accomplished by multiple, optionally live, geographically dispersed copies of the same data;
this will be true for the most crucial, mission- critical, high-volume data’[12]; and thirdly,
‘Computing and storage infrastructures will merge—first for the highest volume applications,
then eventually for most applications’[12]. An explanation for the cause of this phenomenon
according to the write up lies in the fact that the developments are epidemic to cloud
computing.

Daniel [14] critically looked at securing cloud service in terms of e-mail and the growing
opportunities cloud services provides. Though he considered security but was just considered
only in the light of e-mail services by looking at the fact that about 80 to 95% of the mails
sent within a day are spam, not just that they are spam but also that they can carry security
threat to business and so has suggested that internal anti-spam and firewall solutions on
laptops, PCs and also mail servers are good approach to combating this threat, but can be
even better by constantly managing and upgrading internal defenses or alternatively is to
adopt a cloud-based email security application, because of its ability to filter and blocks
unwanted content in the cloud to prevent it from getting to its destination.

Owing to the above facts, other project work(s) as regards cloud computing looks at how to
secure cloud services, and from the user’s side we adopt this service base on trust; but this
project takes it a step further by looking at how to ensure that from the user’s side we don’t
just adopt this services base on just trust hoping that our data is kept secured in the cloud and
that this data is not being compromised in terms of security, but also ensuring that we can
audit, and also carry out forensic investigations in places that matter and when it is required
especially in cases where there is a breach of security measure(s) in the cloud. [28]

24
3.1 Cloud Computing Marketplace
Having discussed what Cloud Computing is, we are now going to look at the different
vendors who offer cloud computing services and what they have to offer.

3.1.1 Amazon Web Services (AWS)

Amazon was one of the first companies to offer cloud computing services to the public and
they have the most extensive cloud service. Amazon has invested heavily in data centres
which were initially only used for its own businesses and decided to resell these computing
resources to the public. Hence allowing the public to take advantage of [Link]’s
computing infrastructure. [15]

Amazon offers different cloud services including the following:

 Elastic Compute Cloud (EC2): A web service that offers scalable deployment of
applications by providing an interface through which a user can create virtual
machines and extra CPU cycles to load any software required an in turn the customer
pays by the hour for active servers. [27]
 Simple Storage Service (S3): This a web services interface that allows you to store
and retrieve items up to 5GB in size in Amazon’s virtual storage service.
 Simple Queue Service (SQS): This is a distributed queue messaging service which
allows different machines to communicate over the internet using this message-
passing API. [1]
 SimpleDB: This is a web service for indexing and running queries on structured data
in real time. This service works in close conjunction with Amazon Simple Storage
Service (Amazon S3) and Amazon Elastic Compute Cloud (Amazon EC2),
collectively providing the ability to store, process, and query data sets in the cloud
making web-scale computing easier and more cost effective.
 Cloud Front: This is a content delivery network that delivers content using a global
network of edge locations. [6]

25
3.1.2 Microsoft Azure Services Platform
The Windows Azure Platform is Microsoft’s Cloud offering, this is a public cloud
implementation managed on Microsoft’s data centres around the world. Windows Azure is an
operating system that provides an overlay for IT infrastructure and runs the applications and
services which are used by end users for development, management and hosting purposes.
The end user makes use of the provided libraries to develop the desired Azure based
applications while making use of tools such as Visual studio. [15]

Azure Services Platform includes the following tools:

 Microsoft .Net Services: This provides service-based implementations of .NET

Framework concepts such as workflow, access control service bus etc.
 Microsoft SQL Services: This provides a set of services which extends database
services and reporting into the cloud. [29]
 Live Services: This is used to share, store, and synchronize documents, photos, and
files across PCs, phones, PC applications, and web sites. It provides developers the
ability to connect their applications’ and share them with Windows live users.
 Microsoft SharePoint Services and Microsoft Dynamics CRM Services: This
provides a set of services used for business content, collaboration, and solution
development in the cloud. [6]

3.1.3 Google
Google App Engine is Google’s cloud services offering that enables developers to build their
web apps on Google’s infrastructure. The currently supported programming languages are
Python and Java. Google App Engine allows for easy deploying of web applications by
providing computing resources dynamically when required. Google App Engine allows one
to take advantage of Bigtable and other components of Google’s scalable infrastructure
thereby making it easier to adapt to changes. Google’s Services allow for several uses cases,
such as:

 Messaging: Google’s Apps can be leveraged by organisations for internal emails and
calendar services.
 Securing Existing Email Systems: Google Apps can be used by organisations for
securing their existing mal systems in filtering out spam and viruses.
 Collaboration: Google Apps can be used for office productivity and collaboration
etc. [6]

26
3.1.4 [Link]/ [Link]
[Link] is a cloud service provider offering CRM products or hosted sales force
automation applications for a number of years. Pricing is done on a per user / per month
basis, depending on the different [Link] modules needed. [Link] is a SaaS
model deployed in a public cloud also providing a PaaS offering with the [Link] platform.
[15]

[Link] has a number of use cases, which include the following:

 CRM On-demand: [Link] CRM applications can be used to centralize,

manage and efficiently share client information as well as develop applications that
can extend functionality of the CRM infrastructure.
 Application Development: The [Link] platform can be used to develop custom
applications. [6]

27
CHAPTER 4

4 Design Analysis

4.1 Introduction
As we have seen from the previous chapter, Cloud computing offers several great benefits
which include cost savings and easy access to state of the art resources, however when
considering deploying critical applications and sensitive information to a public cloud
environment, security concerns are a big challenge. As a result, the cloud service provider
now has to address this security concerns by developing security controls that are of the same
level or greater than what the organization would have in their own private establishment. In
this chapter we discuss these security concerns and propose a solution that enables the cloud
service user to ensure that this service level is adhered to by the service provider.

4.2 Cloud Computing Risks

According to Gartner in the article “Seven Cloud computing risks”, there are specific issues
that should be raised with cloud services vendors regarding the security of the service being
provided. The risks to cloud computing are as follows:

User access: Access control is a big concern when referring to cloud computing services due
to insider attacks. The user of the cloud service has no control over the physical and logical
access controls at the end of the service provider as well as the hiring policies. Hence the user
is at risk of compromise from the same individuals who provide the service [26]

Regulatory compliance: The responsibility of ensuring security and integrity of their data is
still placed on the cloud user even though it is held by the service provider. Hence customers
have to ensure these providers are able to meet the regulatory requirements or run the risk of
being prosecuted.

Data location: When using cloud services, a customer is at risk of their data being stored in a
different country. And different countries have different requirements and controls which are
to be placed on data access. For instance the EEA has the Data protection act while other
countries may not even have any controls. The cloud user is then at risk of not having the
same compliance level needed by law. [25]

28
Data segregation: When using a cloud service, the user runs the risk of having their data
stored in a shared environment along with data from other customers. Encryption may or may
not be provided and during transit and at rest is data encrypted. Although encryption is
effective, availability is compromised. [30]

Recovery: Disaster recovery is a key factor when using cloud services. Users may not know
where their data is located, but where ever that is, it is physically located somewhere which is
subject to threats such as fire, floods, natural disasters etc. Hence not knowing what could
happen to your data is a big concern for customers.

Investigative support: In event of a security breach, accessing logs and data is usually
difficult as multiple customers are usually co-located and the customer’s information may be
spread across different servers and data centres, thus, making it difficult to carry out an
investigation.

Long-term viability: The viability of a cloud service provider is a risk a customer has to face
as they could go out of business and the customer would be left stranded. [16], [17]

4.3 Top Threats to Cloud Computing

According to cloud security alliance, the following are the top threats to cloud computing

Threat 1: Abuse and Nefarious Use of Cloud Computing:

Service providers do not have control over who signs up for their services; hence criminals
can take advantage of the extensive resources to conduct nefarious activities such as hosting
botnets, Trojans etc. [30]

Threat 2: Insecure Interfaces and API

Use of the software interface and APIs provided by service providers can expose a customer
to security issues that may compromise the confidentiality, integrity and availability of their
information.

Threat 3: Malicious Insiders

The providers may not have a strict hiring policy or structure access control thereby exposing
the customers to possible malicious insider which may have access to their sensitive data.

29
Threat 4: Shared Technology Issues
Cloud providers make use of virtualization technology to make their services scalable,
therefore exposing the customer to flaws from the hypervisor and insufficient isolation.

Threat 5: Data Loss or Leakage

Due to the issues of data centre reliability, access controls, auditing etc., the threat of data
compromise is a serious concern [24]

Threat 6: Account or Service Hijacking

If attackers are able to gain access to clients security credentials, they are able to compromise
the integrity of data and redirect clients from the legitimate site to an illegitimate one.

Threat 7: Unknown Risk Profile

Relinquishing control of managing their infrastructure to a cloud provider exposes an
organisation the possible lapse of security controls. [18]

4.4 Forensic Analysis of Cloud Services

Prosecution of computer crime perpetrators is possible with provision of computer forensic
evidence. Computer forensics refers to the use of scientific methods on computing resources
in order to validate the occurrence or not of a suspected event. The process of gathering
forensic evidence involves analysing storage devices such as hard drives or CDs.

Forensic analysis involves the following steps:

1. Verifying that an incident has indeed taken place

2. Gathering evidence and ensuring that the chain of custody of the evidence is
maintained using tools developed specifically to maintain evidence integrity
3. Investigating and analysing the evidence
4. Reporting results

Computer forensics has to be carried out in a manner that ensures that it maintains the
standards of evidence which can be admissible in a court of law. [19]

30
4.5 Digital Forensic Challenges within the Cloud Ecosystem
Although advocates for cloud computing tout its scalability and cost effectiveness as the
advantages for which to adopt cloud services, however, due to the scope and diversity,
forensic scientists view this as a forensic challenge. The challenges to carrying out forensic
analysis within the cloud environment are as follows:

1. Establishing the computational and storage resources that fall within the scope of the
investigation
2. Separation of customer's data sources during evidence collection
3. Adapting forensic analysis methods to the cloud
4. Improving live analysis techniques
5. Improving log generation & analysis techniques
6. Establishing a complete understanding of processes, their dependencies and
distribution across different systems within the cloud ecosystem. [20]

31
4.6 Proposed Solution/ Design
In order to achieve the aims of this project, we propose a solution provides for security of the
cloud service user’s data by implementing Intrusion prevention and detection using Astaro
Security gateway virtual and also using Forensic tool kit to trace data security breach at the
cloud service provider’s end when such incident(s) present themselves.

Figure ‎4.1: Proposed Solution Architecture

This solution is to be implemented on VMware server 2.0 running three (3) virtual machines.
Two of the virtual machines are running Windows XP operating systems and have been set
up to run in a Client-Server manner. The third virtual machine is the Astaro security gateway
virtual appliance which is set up to ensure security of the cloud deployment. The forensic tool
kit was installed on the client –side to analyse digital evidence from the server.

32
4.7 Software Components

VMware Server 2.0

VMware server is a free virtualization offering that allows for quick deployment of several
virtual machines on a physical server.
VMware Server supports the following hardware and software:

 Any standard x86‐compatible or x86‐64‐compatible personal computer

 Windows, Linux, Solaris, and other guest operating systems (both 32-bit and 64-bit)
 Two‐way Virtual SMP
 Intel Virtualization Technology (Intel VT)
 AMD‐Virtualization (AMT‐V) [21]

Astaro Security Gateway

Astaro Security Gateway is a virtual appliance designed to run in VMware environments. It
was the first unified threat management product designed as VMware ready. It provides for
easy deployment of an all-encompassing security solution. ANS includes a configurable
firewall, Intrusion detection and prevention system, web security etc. [22]

Forensic Tool Kit

Forensic Toolkit (FTK) is a computer forensics software that delivers excellent computer
forensic analysis, decryption and password cracking. It is a court-validated digital
investigations platform built for speed, analytics and enterprise-class scalability. [23]

33
CHAPTER 5

5 Implementation

5.1 Introduction
In this chapter we present the steps used in achieving the aims of this project. This includes
setting up the virtual environment, configuring the security components and deploying
Forensics Tool Kit to enable Forensic analysis of the Cloud deployment.

5.2 Solution Design

The idea of this solution is to provide a secure cloud infrastructure which allows for Forensic
analysis of the server from the client side. This project is setup in a client –server fashion
which is representative of the cloud infrastructure. We then deploy the different components
of the design which are the VMware Server 2.0, the two (2) Windows XP Virtual machines,
Astaro Security Gateway 8 and Forensic Tool Kit.

The design of the solution is described in Figure 5.1.

VM VM VM
FTK Applications Applications Applications Applications Applications

Windows XP Windows XP
(Client) Astaro
(Server)

VMware Server

Windows 7

Hardware

Figure ‎5.1: Design overview

34
5.3 Setup & Configuration

DEPLOYING VMWARE SERVER 2.0

1. The first step taken was to log in to the Microsoft Windows 7 host as the
Administrator. Then from the Start menu, the directory containing the downloaded
installer file was selected. Then permission to run the installer was granted through
the User Account Control dialog box.
2. When the installation wizard opens and finished computing space requirements, the
license agreement was accepted and destination folder specified.
3. On the Server configuration page, the FQDN, Server HTTP Port, and Server HTTPS
Port were specified and on that same page “Allow virtual machines to start and stop
automatically with the system” was selected.
4. On the Configure shortcuts page, the shortcuts we wanted were specified and on the
ready to install page, install was clicked to begin installation.
5. The final wizard prompts were followed to complete the installation and the computer
rebooted.

LOGGING IN TO VMWARE SERVER USING VI WEB ACCESS

In order to manage our deployment, we setup the VMware server to allow access via the VI
Web Access management interface. To do this we did the following:

1. Launched the Web browser and entered the URL of the VMware Server installation in
the format of [Link] or [Link]
2. The VI Web Access login page appears and then the user name and password used to
log in to the host was entered to Log In.
3. After the user name and password are authorized, the main application page appears.

35
Figure ‎5.2: VMware server configuration overview

DEPLOYING THE VIRTUAL MACHINES

To deploy the virtual machines on VMware Server, the virtual machine had to be first created
using the virtual machine wizard and the operating system was then installed.

TO CREATE A NEW VIRTUAL MACHINE

1. After logging on to the VI Web Access management interface, on the commands

section of the host workspace, create virtual machine was clicked.
2. On the Name and Location page, the name of the virtual machine was entered and a
datastore from the list of existing datastores was selected.
3. On the Guest Operating System page, the type of operating system that is to be
installed on the new virtual machine and the version was selected.
4. Under the Product Compatibility heading, hardware version 7 (the default) was
selected as this allows the virtual machine to use new VMware server 2.
5. On the Memory and Processors page, the default memory setting was kept and the
number of processors for the virtual machine was selected.
6. On the Hard Disk page, to configure the virtual disk create a New Virtual Disk was
selected to add a new blank hard disk to the virtual machine.

36
 7. On the Network Adapter page a network adapter was added. „
8. On the Ready to complete page, finish was clicked to create the virtual machine.

DEPLOYING THE TWO WINDOWS XP VIRTUAL MACHINES ON VMWARE SERVER 2

1. After logging into the VI web access interface, the virtual machine that was created
was selected.
2. In the Hardware section of the Summary tab, the CD/DVD drive’s icon was edited to
Connect at power on.
3. The ISO Image was selected from the existing datastore.
4. The SCSI or IDE device node in the Virtual Device Node section was also selected.
5. The changes were saved and the virtual machine powered
6. To complete the guest operating system installation using VMware Remote Console
the Console tab was clicked.
7. The instructions specific to Windows XP O.S. was followed to complete installation.

DEPLOYING ASTARO ON VMWARE SERVER 2.0

1. After unzipping the downloaded package in the VMachines directory, the

Infrastructure Client was opened to log in to the management interface of the
VMware Server 2.0.
2. Under the datastore section where the virtual ASG is located and the VMX file of the
ASG was selected and added to the Inventory from the context menu
3. The VMware Add to Inventory Wizard then opened and a name for the ASG entered.
4. Then the VMware server was specified to run the virtual machine and the Add to
Inventory Wizard was completed.
5. The necessary IP address configurations were then carried out
6. The URL of [Link] was entered into the web browser and the SSL
certificate was accepted
7. As this was the first time ASG’s web frontend (called WebAdmin) was started, a
strong password and valid e-mail address for the administrator account was entered.
8. The Perform Basic System Setup button was clicked to continue logging in and the
admin Username and password specified was entered.
9. After logging in, the Dashboard of WebAdmin appeared, providing us with all system
status information of the Astaro Security Gateway unit.

37
Network configuration information

WinXP-VM1 - [Link]
WinXP-VM2 - [Link]
Astaro - [Link]:4444

Figure ‎5.3: Booting up Astaro virtual machine

Figure ‎5.4: Astaro web interface

38
CONFIGURING ASTARO FOR SECURITY

Figure ‎5.5: Astaro security configuration overview

WEB SECURITY

HTTP/S
The tab of the HTTP/S was used to configure Astaro Security Gateway Software as an
HTTP/S caching proxy. The HTTP/S of Astaro Security Gateway provides simple caching
services, web filtering etc. It also prevents viruses and spyware infections using its virus
scanning engines.

FIREWALL
The Packet Filter was used to define and manage packet filter rules of the firewall.

39
 Figure ‎5.6:Astaro Network Security Statistics

INTRUSION PREVENTION

On the Intrusion Prevention tab, the IPS rules of the firewall were defined. The Intrusion
Prevention system (IPS) is a signature-based IPS that analyses the complete traffic and then
automatically blocks attacks before they can reach the network to compromise it.

Figure ‎5.7: Astaro Network Security Statistics 2

40
LOGGING

Logging was enabled in Astaro through the logging tab. The machine was enabled to log all
interactions on the system including FTP Data connections, Admin notifications, Intrusion
prevention system alerts etc.

Figure ‎5.8: Astaro Logging system

ENABLING AUDITING ON WINDOWS XP:

To allow for forensic analysis local auditing/logging has to be enabled in windows XP and
was done as follows:

1. After Logging on as administrator and opening the control panel, the local security
policy was expanded to display the individual policy settings.
2. The type of auditing required was then enabled

41
DEPLOYING FTK

In order to install and run FTK, the following steps were taken:

INSTALL CODEMETER

The installation wizard was launched to Install CodeMeter Software and the directions were
followed and all defaults were accepted to complete the installation

INSTALL FTK

Following the installation of CodeMeter Software, FTK was then installed by clicking on
Autorun. 1.

The Access Data License Agreement was read and accepted before selecting the location for
the FTK components.

The screen prompts were followed to successfully install the application.

RUN FTK: FTK was run next, to add the schema to the database.

Figure ‎5.9: FTK running forensic analysis on the server logs

42
CHAPTER 6

6 Conclusion
In this thesis, we were able to conduct an in-depth research into cloud computing and this
report presents the results of this research. We found out that cloud computing is a rapidly
developing area in the IT services industry. Despite the excitement around cloud computing,
most specialists have a different definition of the term. We were also able to present a report
on the emergence of cloud computing by looking into the history and stages of development
of cloud computing. This report also presents the different cloud deployment models and
service models.

The challenges of ensuring security by cloud adopters is the main focus of this thesis and we
presented a prototype solution which attempts to solve this issue for cloud adopters. This
thesis was concerned with how to provide a secure cloud service by presenting a client-
server virtual deployment which is representative of the cloud infrastructure and the cloud
adopters. We then went on to deploy a virtual security gateway which provides intrusion
detection and prevention, firewall and web security. In addition, to be able to trace breaches
we adapted the Forensic tool kit to carry out forensic analysis on the cloud.

In the process of carrying out this project, we faced a lot of challenges, ranging from the
software to be used to achieve the aims of the project to acquiring the technical know-how in
order to successfully carry it out.

43
6.1 Future Work
This project is not without its limitations due to the available resources. However, this project
is step towards solving the challenges cloud adopters have in ensuring compliance with the
security policies they require in their computing services.

This project can be further extended by deploying this proposed solution on a public cloud
such as Amazon EC2. This would allow for real world testing and evaluation based on real
data.

This project can be focused to explore forensic analysis in cloud environment, by

implementing a solution that carry out multi-location forensic analysis.

Further work can be done on auditing the cloud computing infrastructure. This would require
developing a means of auditing the cloud infrastructure without intervention from the cloud
provider. Thus by-passing the providers and still being able to ensure compliance with
required standards.

44
References

[1] Velte, A. T., Velte, T. J., & Elsen Peter, R. C. (2010). Cloud computing a practical approach.
New York, McGraw-Hill. [Link]
[2] Arif Mohamed; A History of Cloud Computing Available at:
[Link]
[Link] [Accessed 30 April 2011]
[3] Krutz, R. L., & Vines, R. D. (2010). Cloud security: a comprehensive guide to secure cloud
computing. Indianapolis, IN, Wiley
[4] Cloud the emergence of a new model of computing; Available at:
[Link]
[Link] [Accessed 30 April 2011]
[5] Marks, E. A., & Lozano, B. (2010). Executive's guide to cloud computing. Hoboken, N.J.,
Wiley
[6] Mather, T., Kumaraswamy, S., & Latif, S. (2009).Cloud security and privacy. Beijing,
O'Reilly.
[7] Cloud Computing; Available at: [Link] [Accessed
30 April 2011]
[8] Open Cloud Manifesto; Available at:
[Link] [Accessed 30 April 2011]
[9] Cloud computing use cases white paper; Available at:
[Link] [Accessed
30 April 2011]
[10] M. Zaharia, A. Konwinski, A. J. R. K.,and Stoica, I. Improving mapreduce
performance in heterogeneous environments. In 8th USENIX Symposium on Operating
Systems Design and Implementation (Dec 2008).
[11] Rajkumar Buyya, R. R., and Calheiros, R. N. Modeling and simulation of scalable
cloud computing environments and the cloudsim toolkit: Challenges and opportunities. In
Proceedings of the 7th High Performance Computing and Simulation Conference (Jun 2009).
Ropella GEP, Hunt CA. Cloud computing and validation of expandable in silico livers. BMC
systems biology. 2010;4:168.
[12] What's the Forecast for Cloud Computing in Healthcare; Available at:
[Link] [Accessed 30 April 2011]
[13] Judith Hurwitz, Robin Bloor,Marcia Kaufman, and Dr. Fern Halper. Cloud
Computing for Dummies. (2010).
[14] Daniel Power. Enemy at the gates: Email security and the growing opportunity from
the cloud. Available at:
[Link]
[Accessed 30 April 2011]
[15] Cloud Computing without the hype; an executive guide; Available at:
[Link]
DetectCookieSupport=1 [Accessed 30 April 2011]
[16] 10 Security Concerns Cloud Computing
Gartner: Seven cloud-computing security risks Available at:
[Link]
853?page=0,1 [Accessed 30 April 2011]

45
 [17] CSA: Cloud Security Alliance; Top threats to cloud computing V1.0; Available at:
[Link] [Accessed 30 April 2011]
[18] Incidence Response; Available at:
[Link]
[Accessed 30 April 2011]
[19] Digital Forensic Challenges within Cloud Computing; Available at:
[Link] [Accessed 30 April 2011]
[20] VMware Servers Users Guide; Available at:
[Link] [Accessed 30 April
2011]
[21] Astaro home page; Available at: [Link] [Accessed 30 April 2011]
[22] Douglas Schweitzer; Incident Response; Available at:
[Link]
[Link] [Accessed 30 April 2011]
[23] CSA: Cloud Security Alliance; Security Guidance for Critical Areas of Focus in
Cloud Computing V2.1; Available at: [Link]
[Accessed 30 April 2011]
[24] Rittinghouse, J. W., & Ransome, J. F. (2010). Cloud computing: implementation,
management, and security. Boca Raton, CRC Press. Data protection and data sec issues on
cloud computing
[25] Rangan, (2008). K. The Cloud Wars: $100+ billion at stake. Tech. rep., Merrill
Lynch,
[26] May [Link], R. F. (2011). Evaluating & deploying cloud computing for
electronic records management: technology, security & implementation issues : a
management primer. [New Orleans, La.], E-Records Institute at IMERGE Consulting
[27] Qamar, S., Lal, N., Singh, M., (2010). Internet Ware Cloud Computing: Challenges.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3,
March 2010.
[28] Rosenthal, A., Mork, P., Li, M., Stanford, J., Koester, D., Reynolds, P., (2009). Cloud
computing: A new business paradigm for biomedical information sharing. Journal of
Biomedical Informatics. Journal homepage: [Link]/locate/yjbin.
[29] Kourpas E (2006) Grid Computing: Past, Present and Future – An Innovation
Perspective. IBM white paper.
[30] Youseff, L., Butrico, M. and Da Silva, D. (2008). Toward a Unified Ontology of
Cloud Computing. In Grid Computing Environments Workshop (GCE '08), Austin, Texas,
USA, November 2008, 1-10.

46

View publication stats