See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/252022768

Cloud computing security auditing

Article · January 2011

CITATIONS READS

53 4,564

3 authors, including:

Irfan Gul Muhammad Hasan Islam

National University of Sciences and Technology 20 PUBLICATIONS 208 CITATIONS
3 PUBLICATIONS 166 CITATIONS
SEE PROFILE
SEE PROFILE

All content following this page was uploaded by Irfan Gul on 23 July 2016.

The user has requested enhancement of the downloaded file.

 Cloud Computing Security Auditing
Irfan Gul, Atiq ur Rehman M Hasan Islam
Department of Computer Sciences Department of Computer Sciences
SZABIST CASE
Islamabad, Pakistan Islamabad, Pakistan
email: irfan24br@gmail.com, hafizatiq@gmail.com email: mhasanislam@gmail.com

Abstract: In the recent era, cloud computing has evolved as a measures to achieve overall security objectives in a system.
net centric, service oriented computing model. Consumers Since advantages of cloud computing are obvious, but the
purchase computing resources as on-demand basis and get security risks associated with each cloud service model
worry free with the underlying technologies used. Cloud hinder its widespread adoption [1]. The externalized aspect
computing model is composed of three service models Software
of outsourcing makes it difficult to maintain data integrity,
as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS) and four deployment models privacy, availability and above all compliance check of
Public, Private, Community and Hybrid. A third party service security measures taken by the service provider. According
provider, stores & maintains data, application or to a survey in 2009, cloud security was revealed as the top
infrastructure of Cloud user. Relinquishing the control over most challenge/ issue of cloud computing among others like
data and application poses challenges of security, performance, availability of services, performance, lack of interoperability
availability and privacy. Security issues in Cloud computing standards and so on.
are most significant among all others. Information Technology
(IT) auditing mechanisms and framework in cloud can play an
important role in compliance of Cloud IT security policies. In
this paper, we focus on cloud security audit mechanisms and
models.

Keywords: IaaS, PaaS, SaaS, TPA, SOA. Cloud security

I. INTRODUCTION

Cloud computing has been envisioned as a next

generation information technology (IT) paradigm for
provisioning of computing services with a reduced cost and
fast accessibility. Big IT giants like Google, Amazon,
salesforce.com are providing computing facility like
storage, computation and application by pay as per usage
through Infrastructure as a Service (IaaS), Platform as a
Service (PaaS) and Software as a Service (SaaS) cloud
service models. Since cloud computing supports distributed
service oriented architecture, multi-users and multi-domain
administrative infrastructure, it is more prone to security
threats and vulnerabilities. At present, a major concern in
cloud adoption is its security. Intrusion prospects within Figure.1- Cloud users’ Survey–Security at the top [1]
cloud environment are many and with high gains. Security
issues are of more concern to cloud service providers who Over time, organizations tend to relax their security posture
are actually hosting the services. In most cases, the provider and so there is always a need to perform regular security
must guarantee that their infrastructure is secure and clients’ check for compliance of policies through security auditing
data and applications are safe by implementing security regularly. Presently, security auditing standards like
policies and mechanisms. While the cloud customer must Statement on Auditing Standards (SAS)-70, ISO/IEC
ensure that provider has taken proper security measures to 27001, Health Insurance Portability and Accountability Act
protect their information. In order to ensure, compliance of (HIPPA) etc. for information security management are
security policies / mechanisms and to verify whether these available but cloud-specific standard or mechanism is yet to
policies and procedures are implemented in true letter and be delivered. In the next section, we‘ll analyze the related
spirit, auditing can be employed as a verification tool. research work in the field of security audit mechanisms and
Auditing is the process of tracing and logging significant frameworks specifically for cloud environment.
events that could take place during a system run-time. It can In this paper we have focused on cloud computing
be used for analysis, verification and validation of security security issues and auditing mechanisms. In section I, we‘ve

- 143 -
highlighted security concerns and ranking of challenges/ customers who claim loss to get paid. Privacy preservation
issues in cloud computing. In Section II, we have carried out is achieved through zero-knowledge, concealing data
the literature review pertaining to cloud security audit. contents from the auditor. The suggested protocol has
Section III gives a conclusion and section IV gives the idea mainly three stages: initialization, audit and extraction.
of future work. During initialization, user and the service provider enter into
an agreement on the stored data object. The auditor
II. LITERATURE REVIEW confirms both customer & service agree on contents of
encrypted data or encryption key, else it would be difficult
A. Data outsourcing in Cloud Computing is fast to resolve future conflicts. In audit stage, auditor can
becoming economically viable for large enterprises. In fact, effectively verify the proof of data possession by the service
this data outsourcing is ultimately retrieving user’s control provider through a challenge-response protocol. During
over its own data and does not provide any assurance on extraction phase, the auditor verifies data integrity of data
data integrity and availability. On behalf of cloud user, a returned to the customer through the auditor. The encrypted
third party auditor (TPA) who has resources and experience data and a “blinded” version of encryption key are
that a user does not have can be emplaced to audit the forwarded to the auditor. The auditor checks its
integrity of large data storage. But user data privacy is still completeness and passes it to the customer who then
exposed to a TPA, which is required to be secured against recovers the actual data.
unauthorized leakage. Wang and Sherman et al. [2] have The proposed protocols in this paper provide
proposed a public auditing system of data storage security completeness & soundness of data with zero knowledge of
by developing a privacy preserving auditing protocol. By data contents to auditor. The protocols divide the data in two
which auditor can audit without having knowledge of user’s parts, an encryption key and encrypted data. The encrypted
data contents. Wang and Sherman also proposed a batch data rely on a cryptographic hash function and symmetric
auditing protocol where multiple auditing tasks from key encryption. The protocols rely on external
different users can be performed simultaneously by a TPA. authentication methods for communication and do not guard
A public auditing scheme consisting four algorithms ( against denial of service attacks. The suggested protocols
KeyGen, SigGen, GenProof, VerifyProof ) has been used. mostly send small hashes which cause a major overhead for
KeyGen is run by the user to set up the scheme. SigGen is computing HMACs over large data contents.
used to generate verification metadata. GenProof is C. Cloud computing is a new evolving distributed
executed by Cloud Server to provide a proof of data storage and service oriented computing paradigm. Cloud computing
correctness. VerifyProof is run by TPA to audit the proof provides services to consumers through Software as a
from Cloud Server. Service (SaaS), Platform as a Service (PaaS) and
The proposed scheme is among the pioneer work to Infrastructure as a Service (IaaS) models. In a cloud
support scalable and efficient public auditing for secure environment, customer’s data and applications are placed
cloud storage. Wang and Sherman et al. have presented a over remote machines that cause a lot of security hazards. In
privacy preserving auditing protocol by public key based this scenario, the cloud service providers must adhere to
homomorphic linear authenticator (HLA) using random security measures/ policies to mitigate security risks. A
masking technique. A high performance batch auditing strict check on policy compliance must be implemented
protocol is also proposed for TPA to perform auditing tasks through IT security auditing. In this paper [4], Chen and
for a number of users concurrently and efficiently. Yoon have proposed a framework with master check list for
However, the authors did not discuss the audit internal and external auditors for reference during auditing.
authentication of TPA for a cloud server to respond. Also no Chen and Yoon have enlisted check lists for Public, Private
details are discussed for authentication handshake between and Community Cloud deployment models with a focus on
User, Cloud Server or Cloud Service Provider (CSP) and the IaaS and SaaS service models. IT auditing check list of IaaS
TPA. model includes: Data location awareness and its legal
B. Big IT giants such as Google, Yahoo and Microsoft documentation, data ownership awareness and its
are earning a lot of money by providing storage services like verification & destruction process, data protection plan and
online backups, video hosting and photo sharing to their best practices, data isolation routines checks, User data
customers. A customer has to rely on storage service lock-in and its exit strategy/options, Cloud disaster recovery
providers to maintain their data integrity. Unluckily, no data plan and its frequent tests/updates. SaaS model audit check
storage service is fully reliable as large scale storage list comprises of: Data surrender activity and its
systems are complicated and prone to multiple threats that documented policy, Data format check & availability of
cause data corruption. At present there are no proper readers and monitoring policy for Cloud service availability
mechanisms for policy compliance that leads to protect data and performance. Community Cloud check list items are:
by the service providers. In this paper, Shah and Baker et Community Cloud management and Member exit strategy.
al.[3] have proposed some efficient challenge-response Private Cloud check list focuses on reporting control & its
auditing protocols by a third party auditor, not only to check compliance, IT architecture & its technical description
data integrity from service provider but also fraudulent documentation and disaster recovery & continuity plan.

- 144 -
 Chen and Yoon have discussed Cloud IT auditing TPA must be able to fulfill concurrent auditing requests
check lists for IaaS and SaaS to assure a secure cloud from multiple customers efficiently.
computing model. But they have not given any security The authors have discussed the pros and cons of
auditing check list for PaaS service model. basic building blocks of publicly auditable secure and
D. Cloud customers can reduce huge investment by hiring dependable cloud data storage. They have focused on the
expensive IT infrastructure to place their application and auditing of un-trusted cloud server through a trusted TPA.
data over the cloud. The customer does not have a direct But they have not discussed the accountability of cloud
control over its computation and data, similarly the through auditing, if other cloud entities including owner,
customer does not know the details of the ‘service’ provided user, TPA and service provider as well are malicious and
by the service provider. The problem arises when some fault fraudulent.
occurs which is not owned by any of the two parties. In this F. Cloud computing is gaining popularity due to its
scenario, an accountable cloud is needed to address the cost effectiveness in service provisioning. But certain
issues like data loss, application or infrastructure security, security requirements such as confidentiality, integrity and
performance and availability. In this paper [5], Andreas has availability of data are the major security concerns in cloud
proposed that clouds be made accountable to both customer adoption. Access to cloud by unauthorized users targeting
and provider by using ‘audit’ as a basic parameter through a data availability through Distributed Denial of Service
third party auditor. To implement audit, a set of basic (DDOS) attacks is one of the biggest causes of cloud
techniques were discussed which includes tamper-evident outages. In this paper [7] Sameera and Chan have proposed
logs, that maintain record of past actions performed by an identity and access management as a service (IDaaS)
cloud customer, provider and user in such a way that a third model for enterprises using cloud. An organization can
party auditor can identify the modifications and deletion of completely automate user account provisioning and its
entries in the log. The auditor can verify the evidences of auditing by adopting IDaaS model. The main stages of the
faults by obtaining correct records through the logs. model consist of: Provisioning and de-provisioning, in that
Virtualization-based replay can execute virtualized replay of users are provided or deprived of access according to their
the software over a virtual machine and then record the role in the organization. Authentication and authorization, it
events for auditing. Trusted time stamping, detects involves verification of identity of users or systems and then
performance faults by adding time information to the determining the privileges to be given to legitimate users.
tamper-evident logs. Sampling, allows customers to audit Self service, users can change their password, maintain and
checkpoints randomly as various serious problems could update their own information. Password management
have affected most of the segments, though the probability consists of single sign on to access cloud base services and
of detection would be high. how passwords will be stored in the cloud. Auditing, helps
The author has described a set of auditing auditors to verify the compliance of different access control
techniques that could be used to make a cloud accountable policies, periodic auditing and reporting.
for correctness and performance. The presented work is Sameera and Chan have discussed two popular
among the first to propose cloud accountability for the entire identity management protocols Security Assertion Markup
platform. However, they have not proposed a technical Language (SAML) & Open authentication (OAuth) and
solution to address the challenge of data storage security recommended them to be part of IDaaS model. The
auditing in cloud environment. proposed model uses multi protocol environment where it
E. Data outsourcing in cloud computing is has to interface with different cloud service providers’
advantageous in terms of worry-free storage management, systems. The main drawback of the model is that the
relief from huge investment and maintenance. It also brings enterprise will not be able to know the structure,
along certain security threats like integrity and availability implementation and services of service provider, also the
of outsourced data. Considering the owner’s large data and generated reports of its users may not match the
restricted resources capability the responsibility for organization’s requirement.
verification of completeness and availability of data must be G. Cloud computing provides development, delivery
delegated to a reliable Third Party Auditor (TPA) without and consumption of IT services over a distributed network
compromising the privacy of data. Cong and Kui et al. [6] environment. These services are interdependent on each
have suggested a set of properties for public auditing other and failure of one service can cause unavailability of
services focusing cloud data storage security. They have other service resulting loss of revenue, damaging repute of
carried out an in depth analysis of publicly auditable data the enterprise providing services and unreliability over the
storage security building blocks that constitute: Minimize cloud. To minimize the risks of cloud outages there is a dire
auditing overhead i.e. the I/O cost for data access and need for ‘cloud governance’ model that could control and
bandwidth cost for data transfer must be reduced. Protect manage cloud-based services and storage. In this paper
data privacy, in that auditing protocol should not allow TPA [8], Zhiyun and Meina et al. have proposed a cloud based
to know the data contents when auditing. Support data governance model that securely manages and controls the
dynamics, the auditing protocol must be able to support implementation of cloud services according to recognized
dynamic data updating. Support batch auditing, in which policies, service management policies and their audit

- 145 -
procedures. Elements of operational governance model protected from intruders through a firewall-like feature
includes: Authentication, i.e. enforcement of identity and known as ‘security group’. The authors have carried out
access management system. Authorization, it enables validation of security assessment of these security groups by
implementation of a role-based authorization model. Audit, two properties. First, reachability i.e. information flow from
the collection of information related to the compliance of source to destination allowed by cofiguration and services.
cloud security and service management policies. Second, vulnerability i.e. attack vulnerability to a service
Monitoring, the preparation of individual and aggregate data with the help of reachability and attack graphs respectively.
transaction reports, summaries and graphs. Metadata The algorithm for auditing the configuration for a
repository, a master repository for service, security and risk reachability policy carries out analysis with respect to
management policies of an enterprise. reachability graph/set of policies and verifies compliance of
The proposed governance framework is among the its policies. Service vulnerability analysis has been carried
pioneer work that focuses on managing and improving the out by Dijkstra’s shortest path algorithm basing on
visibility and trust of cloud services. Though, the authors vulnerability rating i.e. high, medium, low having shortest
have not discussed the procedures to implement cloud path with lowest weight. Service vulnerability audit has
security and service management policies. Also they have been carried out by analysis of attack graph against
not suggested the need for a third party mediator for specified policies.
compliance and audit of cloud policies. The authors have presented an interesting approach
H. Cloud and Grid computing are the most vulnerable which uses manually obtained reachability and attack graphs
targets for intruders’ attacks due to their distributed for the verification and auditing of network security
environment. For such environments, Intrusion Detection configurations in public cloud infrastructure. However an
System (IDS) can be used to enhance the security measures automated approach for construction and analysis of these
by a systematic examination of logs, configurations and graphs is needed for auditing of such scalable cloud
network traffic. Traditional IDSs are not suitable for cloud infrastructure.
environment as network based IDSs (NIDS) cannot detect J. In cloud and grid computing data outsourcing and
encrypted node communication, also host base IDSs (HIDS) sharing creates not only security issues like data
are not able to find the covert attack traces. Kleber, schulter confidentiality, integrity and privacy but also its access
et al. [9] have proposed an IDS service at cloud middleware authorization / authentication is of utmost importance. For
layer, which has an audit system designed to cover attacks such distributed environments, a mechanism to protect
that NIDS and HIDS cannot detect. The architecture of IDS against unauthorized data access is essentially needed,
service includes the node, service, event auditor and storage. where even the administrators may not be able to access
The node contains resources that are accessed through records without being noticed. Authentication and
middleware which defines access-control policies. The authorization techniques must be employed to ensure data
service facilitates communication through middleware. The access attempts and alteration by legitimate users,
event auditor monitors and captures the network data, also implementing an effective security policy. To comply with
analyzes which rule / policy is broken. The storage holds the security policies in distributed environments, data access
behavior-based (comparison of recent user actions to usual and modification must be recorded and reconstructed
behavior) and knowledge-based (known trails of previous through audit trails. These audit logs can then be evaluated
attacks) databases. The audited data is sent to IDS service to compile and produce audit reports for violations. In [11],
core, which analyzes the data and alarm to be an intrusion. Marco, Feilhauer, Huemer et.al have introduced a new
The authors have tested their IDS prototype with concept of a secure data access architecture, which
the help of simulation and found its performance guarantees data access and modification through a single
satisfactory for real-time implementation in a cloud point of access (SPOA). A secure virtual machine has been
environment. Although they have not discussed the security modeled to host sensitive data that can be accessed through
policies for cloud computing environment and their audit a portal provided as users interface. All the administrative
procedures. tasks and users’ queries are accomplished through the
I. Public infrastructure cloud provides services to SPOA, where strict logging is enforced by creating log files
end-users through a multi-tier virtual infrastructure (web, to have full control over data access. Auditing of data
application and database) which is implemented on different integrity and access can then be possible by reconstructing
abstraction levels i.e. IaaS, PaaS and SaaS. Security risks and evaluating the audit logs in order to achieve non-
are the main obstacle in cloud adoption on all levels of repudiation.
abstraction. Faulty network security configurations in public Although, this paper covers implementation of a
cloud infrastructure can lead to exposure of services to secure data storage access in cloud and grid computing by
attackers. In this paper [10], Bleikertz and Schunter et al. logging using audit trails through a SPOA. But it does not
have proposed algorithms to audit correct network security give out any solution for logs transportation, their
configurations/policies of a complex multi-tier cloud interoperability, use of semantics with the log data and their
infrastructure using Amazon’s Elastic Compute Cloud automated evaluation / auditing for complex distributed
(EC2) public infrastructure. In EC2, virtual machines are environments like cloud computing.

- 146 -
K. Cloud and Grid computing support multitenancy L. Multi-tenancy, data outsourcing and distributed
and multitasking i.e. multiple customers can perform service oriented nature of cloud computing has introduced
different tasks through accessing a shared pool of resources the issues of security, privacy and data leakage. Risk
over the internet. Distributed nature of these service assessment is considered as an effective approach for
environments having multiple administrative domains with evaluating a system for potential risks and maintaining trust
different security policies and large number of users, creates among stakeholders. It enables organizations to protect their
new security risks. In this case, ‘logging’ i.e. event valuable data / assets through security / privacy assessments
recording for examination and reconstruction of sequence of and external audits for compliance of policies. Presently, no
events is one of the solution available for provisioning of set standard of risk assessment for evaluating potential
audit trails, which can subsequently be used for security security risks and policies compliance mechanism is
audits and forensic analysis. At present, different logging available for a dynamic cloud environment. In [13], Kaliski
formats are being used that poses the problem of logs and Wayne have presented risk assessment as a service
correlation and interoperability for creating audit logs and (RaaS) paradigm for measuring and evaluating security risks
hinders effective security evaluation in complex in cloud computing. The authors have envisioned an
environment like cloud computing. In this paper [12], automated real-time risk assessment system through which a
Huemer and Tjoa have introduced a secure logging cloud provider could perform self-assessment or a trusted
infrastructure based on Extensible Markup Language third party could assess the provider through privileged
(XML) technology. The proposed solution aims at access and consumers could assess the provider through non
automated evaluation and reporting by XML enriched log privileged access. Also the providers who are consumers of
files using semantics to detect malicious events in a system. services of other providers could assess them. Automated
For this purpose logging life cycle includes logging measurement and analysis is the key for delivering RaaS.
configuration (to avoid unwanted information), creation of Risk assessment service would employ sensors that collect
log files and its protection against modification or relevant data in real-time environment and an autonomic
unauthorized access, parsing, aggregation, correlation and manager to analyze risks and implement relevant changes.
automatic evaluation to generate automated audit reports. Assessment service would provide an automated service
Although this paper tackles problem of level agreement (SLA) directory or namespace where risk
interoperability and incompatibility of log files and their assessment rules and important assets valuation data
automated evaluation / auditing for distributed and complex provided by the users would be entered for continuous
systems like cloud & grid computing. But it does not assessment in a cloud environment.
provide a solution to map current log file formats to XML Authors have proposed a new concept of ‘RaaS’ for
conforming structure that leads to a great effort needed to automated cloud security audit and assessment with its
write parsers for each log file format. Since log files would research directions. But they have neither discussed the
be maintained by cloud providers in cloud environment, the technical details of the service nor have they practically
authors have not addressed the issue of log files tampering implemented such a service in a real-time cloud
and its auditing from user’s perspective. environment.

III. CONCLUSION

In this paper, we have focused on cloud security auditing interface / mechanism to improve trust in cloud
issues in general and cloud security auditing in particular. In computing paradigm. Data confidentiality, integrity,
the literature review section, we have analyzed different cloud authentication and availability are the major security concerns
security auditing protocols for data integrity and privacy in cloud adoption. In future we intend to develop a tool or
through a trusted TPA. We have also studied data access service for data integrity auditing that allows auditors to
management architecture using audit trails, a set of auditing discover and verify true integrity and authenticity without
techniques to make cloud accountable, an IDS service with a compromising the data privacy. Audit the records available in
core audit system and auditing frameworks/ models for cloud cloud storage and generate audit reports.
environments. At the end we have carried out a critical
analysis of strengths and weaknesses of these auditing models REFERENCES
and techniques. Since cloud computing is in its stage of [1] Xuan Zhang, Nattapong Wuwong, Hao Li, Xuejie Zhang,“
infancy, a common, interoperable and cloud-specific auditing Information Security Risk Management Framework for the Cloud
mechanism need to be designed to maintain trust and Computing Environments", 10th IEEE International Conference on
Computer and Information Technology, 29 June, 2010.
transparency within the cloud environment. [2] Wang, Sherman, Kui, Lou, “Privacy-Preserving Public Auditing for
Secure Cloud Storage", INFOCOM, 2010 Proceedings IEEE, 14-19
IV. FUTURE WORK March, 2010.
[3] Mehul, Ram, Baker, “Privacy-Preserving Audit and Extraction of
Digital Contents”, HP Lab Technical Report No. HPL-2008-32, 25
In cloud computing, security auditing can be April, 2008.
enforced through a trusted third party auditor or an automated

- 147 -
[4] Zhixiong, John Yoon, “IT Auditing to Assure a Secure Cloud
Computing”, IEEE 6th World Congress on Services, 5-10 July, 2010.
[5] Andreas Haeberlen,“A Case for the Accountable Cloud”, ACM
SIGOPS Operating Systems Review, 02, April 2010.
[6] Cong and Kui, “Toward Publicly Auditable Secure Cloud Data
Storage Services”, IEEE Network Magzine, 19 July, 2010.
[7] Sameera and Chan, “Cloud Computing Security Management”,
Second International Conference on Engineering Systems
Management and Its Applications (ICESMA), 30 March, 2010.
[8] Zhiyun and Meina, “A Governance Model for Cloud Computing”,
International Conference on Management and Service Science
(MASS), 24-26 Aug. 2010.
[9] Kleber, schulter, “Intrusion Detection for Grid and Cloud
Computing”, IEEE Journal: IT Professional, 19 July 2010.
[10] Bleikertz and Schunter, “Security Audits of Multi-tier Virtual
Infrastructures in Public Infrastructure Clouds”, 17th ACM
Conference on Computer and Communications Security, 08 Oct,
2010.
[11] David Huemer, A Min Tjoa,Marco Descher, Thomas Feilhauer,
Philip Masser, “Towards a Side Access Free Data Grid Resource
by Means of Infrastructure Clouds”, International Conference on
Parallel Processing Workshops, 2009. ICPPW '09, 22-25
September, 2009.
[12] David Huemer, A Min Tjoa, “A Stepwise Approach Towards an
Interoperable and Flexible Logging Principle for Audit Trails”,
Seventh International Conference on Information Technology: New
Generations (ITNG), 12-14 April, 2010.
[13] Kaliski and Wayne, “Toward Risk Assessment as a Service in
Cloud Environments”, HotCloud'10 Proceedings of the 2nd
USENIX conference on Hot topics in cloud computing, 22-25 June,
2010.

- 148 -

View publication stats