Security Patterns for Scheduling Applications in Cloud: Case Study in Eucalyptus
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
Security Patterns for Scheduling Applications in Cloud: Case Study in Eucalyptus
Bharath Kumar Madakatte1, Dr Nagesh H R2*
1
Research Scholar, Mangalore Institute of Technology and Engineering, Moodabidri, India
2
Professor &HoD, ISE, A J Institute of Engineering and Technology, Mangaluru, India
*Corresponding Author: nageshhrcse@gmail.com
Abstract
Cloud Computing empowers its consumers because of its high scalability nature to make use of computing
resources and accessing huge information utilizing various interfaces. Cloud stakeholders such as consumers,
service suppliers and partners in business share resources at multiple stages of technical functionalities. Because
of the advantages of cloud compared to conventional infrastructures, cloud has become favourite platform for
web-based applications. However there exist multiple concerns around security issues for data and systems,
availability, and privacy. Moreover, while planning and building cloud applications, those issues of security
must be taken into consideration to guarantee security, administrative compliances and trusted framework for
cloud consumers. In our work, security designs for the application in cloud are investigated. Worked on design
patterns considering three security viewpoints such as information security, privacy and system security. We
have discussed and produced best resolutions for the security problems and documentations of information
which a designer can follow while developing cloud applications. At the end of the paper, we have presented a
case study on eucalyptus cloud environment by simulating few potential attacks to consumer’s data stored in
database files.
Keywords: cloud applications, security patterns, data security,system security, privacy, eucalyptus.
1. INTRODUCTION
The advantages of cloud computing are adaptable, for example, infrastructure can be powerfully provisioned in
practically no time and with insignificant efforts of management. This increments adaptability and diminishes
costs, as the organization just pays for what it really utilizes. However, designers of cloud applications need to
manage virtualized, dynamic, dispersed and multi-occupant nature of a cloud framework, that can result in
challenges [1]. Growing huge programming frameworks in a heterogeneous environment is complicated and
needs cautious preparation of framework.
The software design is fundamental to oversee complicated and huge programming frameworks. Be that as it
may, it is hard to make a reasonable and adaptable programming design on the initial try. A decent plan is for
the most part the consequence of iterative attempt to execute[2]. Utilization ofdesign patterns associated to
software architecture can support in such manner, as patterns presents proven and verified answers for
appropriately building a software framework. Which implies, designs patterns are appropriate for a specific or
comparative class of issues which leads to viable, reusable and better-structured programming frameworks [3].
Cloud computing design patterns are depicted in a clear format and composed in naturally understandable
language by writers in [4]. Such documentation facilitates understanding and empowers simple conversation
among software designers. Because patterns are frequently executed as a feature of software design, it is critical
to check automatically pattern adherenceat the time of execution, that verifiably needs a conventional
description of patterns. While there are different methodologies that permit consistency validation of patterns of
object-oriented designs, particularly in programming frameworks of monolithic type, as of now there is just little
innovations in validating patterns of cloud computing.
There Exists reasonable number of research work that have been done on security patterns[5][6][7].
Nonetheless, these research works concentrated on broad topics and not especially for the Cloud. Besides, they
restrict themselves to exceptionally limited topics, like authorization and authentication security or attacks and
neglect few other issues of security which they believe are not important, that includes managing resources. The
authors in [6] tried identifying security patterns for topics such as authentication and access control, manage and
assess the risks, ownership, and authenticity of data, and also attacks and vulnerabilities. Researchers in [8]
published a catalogue of security patterns by differentiating between procedural and structural patterns,
describing design and architectural aspects belongs to secure framework elements, with recipes for security
technique implementations. The document published [9] on security patterns projects the consolidation of
research accomplished on date and synthesis of efforts put by individuals as community of security design
patterns. Authors in [10] also built few design patterns for cloud security considering general situations belong
1697
International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
to storage of data, securing privacy of consumers, and authentication of information processed and stored in
cloud.
The technical report by Oracle [11] describes some of the challenges faced in cloud SaaS(Software as a Service)
security, taking in to consideration managing and monitoring of clients, data regulatory, compliance and
securities. The report does not provide any solutions to discussed challenges. Researchers in [12][13][14]
explored security patterns for SaaS covering patterns related to numerous aspects of data security. In this paper,
we are targeting to obtain a comparatively better list of security patterns for web applications in cloud
environment. The design patterns cover significant areas such as data security, privacy and system security for
various classifications such as Authentication and Authorisation, Confidentiality and Privacy, Regulatory and
Compliances, Secure Application Development and Services, and Secure Designs. In last section of the paper,
we conduct case study on security patterns in eucalyptus cloud environment.
The design patterns are employed to different domains in computer engineering, such as patterns for cloud
computing [15], patterns for integration of enterprises [16][17], patterns for Internet of Things [18] and many
more. Among all these, during last few years patterns for cloud computing acquired much popularity because of
its frequent usages in industries, thereby publishing numerous sets of patterns for cloud computing.The pattern
documentations are made utilizing particular formats, by making use of text messages along with graphical
symbols. A pattern fundamentally contains name of the pattern for identifying design patterns, description of
problem as a issue, the context of problem occurrence that describes forces or environment and a solution part
defines how pattern is able to solve the issue. There can also be a graphical symbol or icon which may be used
to represent pattern graphically.
2. METHODOLOGY
The mechanism for defining and classification of patterns for security in cloud is discussed in this section. The
block diagram given in Figure 1 demonstrates the step-by-stepprocedure, by making use of regulations
[19][20][21].
Requirements of Security in Cloud: This component concentrates on requirements of security in cloud, by
investigating required securities which covers various aspects, such as, privacy, communication, system and
data securities. All the requirements for security for constructing trusted, secured and legally compliance
applications for cloud. The general checklist for cloud security for cloud applications, as outcome of this
component, is provided in next section. Various requirements for processing of data are analysed with respect to
legal needs [22].
Figure 1. Definition Process for Cloud security patterns.
Investigation of Security and Risk: This component isresponsible for identifying any security breaches and
risks in cloud.Major focus is to investigate security in need, inspection for any advancements needed for
1698
International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
securing the system and making sure theintegration of suitable security controls to design and development of
projects in cloud environment.This component will produce as output, the document containing security
investigation report along with security risks, that can be used to analyse and extract security characteristics in
cloud.
Recognition of Security Parameters:This component is referring to particular protection of security against the
different types of attacks developed for target users, resources and systems. Some sort of security parameters is
needed for coping up with such attacks. Cloud computing face numerous types of externally influenced security
risks including distributed denial-of-service attacks.The output of second component will be used as input for
recognizing security parameters.
Defining Security Patterns: Depending on security parameters of previous step, security patterns for cloud are
defined. The security patterns of traditionally existing systems are also investigated. We consider two areas such
as data and system securities for defining patterns. Every pattern for security defined, will contain structure as
follows.
Security issue, definition of relevant issues and their effects by not addressing it with implementation of
security.
Use case and Contexts: Recognizing the use case and contexts in which there’s a chance of getting security
issues.
Resolution: Obtaining solutions for mentioned issues in security. The solutions we proposed are of the
following. Firstly, the solution must give resistance to any kind of expected attack in cloud applications.
Secondly, the solution must permit identification of attacks in the system and reduce serious effects because of
the attack. Thirdly, the solution must have recovery technique for reducing disruptions in application service
when system is not capable of preventing the attacks.
Classifying Patterns for Security: The classification of patterns defined in the previous stage is done based on
domains of the issues, such as patterns for data security and patterns for system security. Suppose, the issues and
contexts are related, then the patterns are consolidated, by defining the association between crossed type issues.
3. DESIGN PATTERNS FOR CLOUD
In this section, defining the design patterns for security is utilized for describing the security patterns in cloud
apps.The Table 1 provides the description of higher-level requirements of security in cloud applications.
Depending on the investigations [23][24][25]of security done on the cloud applications, the design patterns for
securing cloud applications are categorised in to five classifications as depicted in Figure 2, that are detailed
below.
Table 1: Higher-level requirements of security
Req. No. Security Checklists Description
RD1 Capability to protect components of system Focus on protecting hardwares and software
component of system
RD2 Capability to protect Resources of System Focus on protecting cloud resources from
extended and unnecessary usage to support
durability and availability of applications
executing on Cloud.
RD3 Capability to prevent unauthorised access to system Focus on providing system access to only
authorized users.
RD4 Capability to prevent intrusion to resources Focus on preventing illegal intrusions to
resources of system in use.
RD5 Capability to audit and recovering from breaches Focus on resource auditing to detect the
anomalies.
RD6 Capability to monitor requests from networks Focus on network monitoring forpreventing
attacks to systems and resources.
RD7 Capability to support protection of data at rest Focus on supporting protection of data at rest
while they are belong to public cloud.
RD8 Capability to support protection of data at transit Focus on supporting protection of data at transit
when they are in public cloud.
RD9 Capability to support protection of privacy Focus on supporting protection of privacy of
processed data in cloud.
RD10 Capability to support regulatory compliance Focus on supporting protection of regulatory
compliance of processed data in cloud.
1699
International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
A. Authentication and Authorisation: In this we concentrate on resource and user service-related security
design patterns, covering patterns in authorisation and authenticationfor managing user access controls and
resources of systems. This category covers Many-factor Authenticationpattern with improved
computational power and cryptographic techniques, Single Sign-On pattern for authenticatingusers by not
having overloading of maintaining database securely,Identities and Management of Access pattern which
manages cloud application related access controls and identities of users, andAccess Tokens pattern for
controlling person-based or machine-based user accesses in cloud.
B. Confidentiality and Privacy: This classification is concentrated on integrity, confidentiality and privacy of
data. This covers Data Anonymisation pattern for processing data safely and securely in cloud by
maintaining compliance of regulatory,Data Encryption computation patternfor assuring integrity and
confidentiality of cloud data, and Data Purpose Controlpattern for supporting processing of data as per the
owner’s consent and purposes.
Figure 2. Security patterns for Cloud Applications
C. Regulatory and Compliances: This category concentrates on various legal aspects required for utilization
and processing of data. The classification covers Data Transfer Compliance pattern utilized for supporting
regulation compliance and safety of data during processing and transfer, Data Locality pattern for obtaining
compliance for storing data locally, Manage Lifecycle of data pattern which is utilized for effectively
managing private data in the applications of cloud environment, Reliable Data Erase pattern ensuressecure
and reliable erasing of data stored in cloud and so on.
D. Secure Application Development and Services: Thisclassification generallyconcentratesonsecurity for
building and managing cloud applications in secured ways. The classification covers Automatic Detection
of attacks patternutilized for ensuring detection of attacks automatically for better functioning of cloud
applications,Service Availability pattern for ensuring better services for users by maintaining cloud services
availability against the attacks such as Denial of service, Server bastion pattern to permit accessing of data
without having direct exposure to the internet, Vulnerability service pattern for detecting early
vulnerabilities and responding to reduce risk of severely damaging the systems.
E. Secure Design: This classification concentrates on secured design and architecture of cloud computing.
The classification covers secure device pattern for securing connected devices to cloud
1700International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
environment,Internet application firewall pattern for protecting access of web applications from
unauthorized users, Privacy Auditing pattern for establishing protective environment for helping audit and
preparing report of privacy related activities in cloud systems, Privacy storagepattern concerning to obtain
huge data accessibility in effective ways with respect to the cost, Cryptographic Key Manager pattern for
protecting data at rest and as well during transit by managing keys related to cryptography.
4. DESIGN PATTERNS FOR APPLICATION SECURITY ANDSOLUTIONS
There are various formats or templates used by many researchers [26][27] to express design patterns for
securing applications in cloud computing environment that contain different features [28][29]. In this work, we
make use of three featuring fields such issue, contexts and resolutions. The issue represents the description of
security problem of a pattern given, contextsrepresent the contexts the security related problems happen,
resolutions describe the respective solutions for addressing the security design pattern defined. The Table2 to
Table 6gives detailed Design patterns in a specific format along with the resolutions for different categories
such as Authentication and Authorisation, Confidentiality and Privacy, Regulatory and Compliances, Secure
Application Development and Services,and Secure Design respectively.
Table 2: Design patterns for Authentication and Authorisation category
Patterns Issues Contexts Resolutions
Many-factor Secured authentication of Person authentication by machines is Making use of all three factors of
Authentication users of applications in an issue for making security and authentication at a time to avail
cloud. usability balanced. The secret highest security while accessing
password, possession physically and sensitive applications.
biometrics obtains higher levelled
security.
Single Sign-On User authentication with Maintaining identities of users in Outsourcing tasks of authentication to
no burdensome for time consuming cloud applications is third parties for reutilization of
managing database of tedious task. existing users sign-on and sign-in
users securely. characteristics.
Identities and Managing database of To secure system resources from Suitable tools must be utilized to
Management of user effectively and obtain malicious users, it is significant to describe and maintain privileges of
Access authorization and establishing identity of users and access and roles of entire application
authentication in access control to resources of users and situations where granting of
applications of cloud. systems. privileges happens for the users.
Access Tokens Controlling machine or Providing access to cloud application Tokens of access are secret keys
individual access to requires to be granted on per- granted to application users permitting
applications in cloud. utilization basis to acquire specific cryptographic-based automatic access.
levels of security. Tokens enables accessing to particular
modules at particular time unit.
Table 3: Design patterns for Confidentiality and Privacy category
Patterns Issues Contexts Resolutions
Data Protecting privacy by The services of Cloud often utilized Data owner’s identities requires to be
Anonymisation eliminating from datasets, for processing larger datasets stripped off from records so that
the individual identifiers possessing private data, that could be owner of data not to be recognized
and still retain inferred by making correlation of from data which is anonymised.
datasets processing. numerous datasets.
1701International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
Data Encryption Outsourcing of data to a The elastic model of computations is Making use of completely
computation Cloud service for the provided as cloud service, but to homomorphic approach which permits
purpose of computations make use of encoded data, the codes difficult processing while data was
by not disclosing in the are to be obtained for decryption encoded and not seen by users.
process. prior to computations.
Data Purpose Guaranteeing that data is Multiple challenges in security and A solid information utilization control
Control processed as per its actual legal aspects occur while constructing devices are expected to control the use
purposes intended. applications for cloud that make use of information. Use of control device
of sensitive information for permits client to not just control and
processing. Major issue to guarantee implement the utilization of
the information shared in network information, yet additionally follow
among multiple people is as per its and review its use.
purposes described. Legally liable for
misusing sensitive data and has law
to guarantee data processing happens
in the systems legally and as per the
purposes declared.
Table 4: Design patterns for Regulatory and Compliances category
Patterns Issues Contexts Resolutions
Data Transfer Information to be moved Recent Cloud applications are Various regulations and guidelines
Compliance for handling to different frequently made out of multiple APIs. have consolidated the idea of
people in possibly unique Considering case of, an internet- consistent information
jurisdictions while based store might concentrate in its move in their body. The specific tool
remaining in consistence own application rationale on gives chance for consistent exchange
with legitimate and particular item list, however will of
administrative necessities. possibly outsource standard information to third-person
capacities, for example, client sign- information processors utilizing the
in, sign-on, email warnings, pricing authoritative provisions.
and so on to third-party suppliers.
Data Locality The solution based on Different lawful and administrative Cloud suppliers offer their
Cloud accomplishes necessities and norms in various administrations with location labels.
administrative compliance geographical While starting up a
concerning regions could call for explicit types of administration, the Cloud client can
locality of information information to be stored physically in pick the geographical area, which is
storage. an assigned lawful jurisdiction. determined by a territorial assignment.
While Cloud suppliers ordinarily don't
promote the specific physical location
belong to their data servers, they
ensure that a geographical area
assignment falls under a specific
legitimate purview. Geographic
assignments, however, do not stretch
out to cover entire services of Cloud.
Manage Lifecycle Managing cloud data life In the context of cloud, sharing Entire information traded between
of data cycle in secured and information across applications is various elements across applications
effective manner. occurring in the present connected should be connected to (a) access and
world. However, with false utilization control strategy utilized to
information all over the place, oversee usage of information and (b)
without appropriate track and trace Utilization history that stores all usage
the origin of information and how the data anytime in the information
information was handled after some lifecycle.
time, information dependability is
decreased.
1702International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
Reliable Data The way dataset be Incorporating those with endpoint Encoding information when its still,
Erase dependably and safely gadgets largely deployed in cloud, diminishes the issue of overseeing
deleted after storing in in information is regularly reproduced whole information set erasure to issue
cloud. and shared along an enormous count of monitoring cryptographic based
of physical gadgets, scattered keys lifelong. Since cryptographic
geographically. These ensures secure keys utilized for encoding at still are
information removal. little, those are definitely highly
reasonable compared to possibly
larger datasets, also could be placed in
controlled store. Cryptographic
erasure then, at that point, sums to safe
removal of key information. Given
that keys are not compromised all
through lifetime, and forward-secure
based cryptographic techniques are
utilized, cryptographic erasure ensures
messiness of encoded information
collection, up to security ensures given
by encryption technique.
Table 5: Design patterns for Secure Application Development and Services category
Patterns Issues Contexts Resolutions
Automatic Detection of network- In the present complicated Cloud Utilize the modern specialized
Detection of based attacks on endpoints frameworks, with various edge nodes instrument or programming packages
attacks of Cloud internet. and endpoints, perform daily based for automatic detection of various
manual frameworks service and types of attacks.
checking of security and investigation
troublesome if not inconceivable.
Service Establishing and In DoS attack server is overpowered Economic DoS-Shield is utilized to
Availability maintaining accessibility by traffic and therefore its disabled or relieveEconomic Denial of
of services of Cloud made inaccessible to its clients. DoS Sustainabilityattacks in cloud
applications despite attacks on payment cloud frameworks. Strategy used to alleviate
of Denial-of-Services applicationswill increase Cloud of such attacks making from spoofed
attacks. service bill, suppose Cloud-based IP addresses is separating of hop-
assistance is intended to increase in count. Time to Live (TTL) boundary is
automatic manner. utilized for ascertaining preeminent
life time of packet within networking
applications. Value of TTL was
decremented every time when packet
permittedvia any switch. At the point
when value of TTL become zero,
packet was dismissed.
Server bastion Cloud resources access by Dealing with a protected virtual Utilizing a unique Computer module
not directly exposing them Cloud network needs restricted on network explicitly planned and
to Internet. access to such networks. Without designed to endure attacks. Computer
appropriate separation, restricted usually has an application and any
access presents weaknesses. pending services are taken out or
limited to decrease threats to
Computers.
It's solidified fundamentally because
of its purposes and locations, that is on
external firewall or in a neutral region
and normally includes access belong
to networks which are untrusted.
1703International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
Vulnerability Identification of When a network transfers data and A tool such as "Nessus" could be
service vulnerabilities and applications to Cloud, that will utilized for scanning the
responding to the same. transfersome obligation related to vulnerabilities, that scans flaws of
security to cloud suppliers. Many of applications. Updating software
the such suppliers are liable for packages will be significant if there's a
getting their infrastructures, while chance of flaw detection.
users of cloud are liable for data and
applications executing in Cloud
environment. Subsequently, while
creating and sending application in
Cloud, a critical obligation regarding
a security proficient is to maintain
that environment is without
vulnerabilities that intruders can
utilize to get at applications.
Table 6: Design patterns for Secure Design category
Patterns Issues Contexts Resolutions
secure device Strong and secured Safeguarding cryptographic Making use of identity in unique way,
protection of IoT gadget’s privileged insights on IoT PKI must be underpinning of any IoT
identity. toolsutilized to make gadget related security methodology.
identification to backbone of Cloud is With an unique solid gadget identity,
difficult utilizing off-the-rack things could be verified when those
implanted scenarios which come on web, make sure secured and
storessecrets making use oforganized encoded interactions amongvarious
document systems on drives. There gadgets, clients and services.
exist numerous side channels which
could be taken advantage of
removing secret keys and sensible
data.
Internet Safeguarding endpoints of Cloud applications uncover API Web accessing firewall must be
application web APIs from abuse and endpoints. Those endpoints often utilized to control approaching and
firewall unauthorised access. presented to Internet and are inclined active admittance toand from
to various attacks. endpoints.
Privacy Auditing Ways for recording and Audits are significant for associations Guidelines for Security Audit
reporting behaviours in Cloud frameworks provided described important stages or
related to security in Cloud business model such as pay-per- operations to be accomplished for
frameworks. usage. A completely directed audit methodically looking into and
program can guarantee monetary and observing resources of Cloud for best
functional practices related to security.
prosperity of an organization.
Privacy storage Ways for securing Cloud service users regularly have The vast majority of the Cloud
availability of huge lawful or administrative commitment services stages give a choice to cold
quantity of information in to keep certain, in any case no more store where the information could be
cost-effective manner. or only sometimes utilized, stored for a brief time or forever.
information for a predetermined Nonetheless, information put away on
measure of time prior to cancellation Cloud store must be encoded to
is permitted. Such information, when guarantee information confidentiality
left in web, promptly accessible and honesty.
application store presents unwanted
burden on financial plan, yet
additionally builds the weakness
impression.
1704International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
Cryptographic Ways for effective and In appropriately overseen Cloud Re-establishing certificate and
Key Manager safe creation, provisioning frameworks, cryptographic items, cryptographic key is significant to
and revoking of like public or private key sets and limit
certificates and keys for secret symmetric keys possess a clear gamble which might happen as
protecting information at lifetime. Nonetheless, currently in consequence of repeated use of former
transit as well in rest. basic frameworks, there may be many one. There must be restoration strategy
keys and certificates that need for key and certificates automatically
management lifelong. or manual ways. In the majority of
Cloud frameworks, they give a tool to
oversee key and certificates, client can
take on either manual or programmed
key reestablishment.
5. CASE STUDY: EUCALYPTUS WITH WALRUS
In this section, the cloud Eucalyptus patterns are discussed.A Eucalyptus controlled private cloud can be
functionally compelling just when cloud data set, being the archive for sensitive cloud clients' information, is
safeguarded from all planned external/internal sources of attack.WALRUS is service for data storage in
Eucalyptus that permits clients to store diligent information as objects and buckets. WALRUS is point of
interaction viable with Amazon's S3 for getting access to client objects and buckets [30]. The Eucalyptus web
interface support accounts of two sorts, "admin" and "user" accounts. An effective client registration operation
with a Eucalyptus upheld cloud supplier provides enrolled clients with X509 certificates along with secret key
and Query Id. As the decompression occurs, compressed file of credentials furnishes the clients with RSA
private and public keys, certificates X509 of cloud supplier, authority of certification, and a file with name
"eucarc" containing all fundamental credentials of client required by clients to utilize the services of cloud [31].
The WALRUS architecture is depicted in Figure 3 demonstrating the different tools such as s3cmd, s3curl, s3fs,
cloud berry s3 and more tools, utilizing which the client can get access to WALRUS storage through SOAP or
REST protocols making use of HTTP while controller of cloud gives control of access to WALRUS objects
utilizing ACLs and credentials of clients [32].
Figure 3. Architectural demonstration of Eucalyptus-WALRUS
Clients utilize such interfaces command-based tools for streaming of information all through WALRUS and
getting to S3 buckets. The s3curl is utilized for interactions with WALRUS, that adds curl headers as parameters
for security. WALRUS executes Access Control Lists (ACLs) for restricting client's admittance to objects and
buckets. User of Eucalyptus needs to give his access key and secret key during mentioning admittance to objects
and buckets. When the client is confirmed, read and compose authorizations are allowed over standard HTTP.
WALRUS involves MD5 hashing method to give consistency to information that are stored.
1705International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
In order to store data of consumers of cloud, the file system locations of Eucalyptus such as Walrus buckets and
database files are utilized, where in, personal data of consumers and that of metadataare stored in Database files,
and cloud consumers data and consumer’s customized image files are stored in Walrus buckets. Few of the
sensitive attacks related to cloud database in private cloud system supported by eucalyptus are discussed here.
Attacks related to Buckets: The credentials used in query interfaces names and users, such as
EC2_SECRET_KEY and EC2_ACCESS_KEY aremade available in AUTH_USERS tablewith the attributes
AUTH_USER_SECRETKEY, AUTH_USER_QUERY_ID and AUTH_USER_NAME accordingly as per the
screenshot illustration produced in Figure 4.Suchspecific attacks, keeping along above given attributes,
includesusages of file “eucarc” derived from eucalyptus_auth.script’s catalog.
Person who wishes attack required to introduce new file “eucarc” along S3_URL set representing IP_Address of
controller of Cloud and EC2_SECRET_KEY and EC2_ACCCESS_KEY values represented as
AUTH_USER_SECRETKEY and AUTH_USER_QUERY_ID extracted out of eucalyptus_auth.script catalog,
as illustrated in Figure 5.
Figure 4. Eucalyptus_auth. script’s table illustrations
Figure 5. The “eucarc”: Credentials Compressed File Constituent
The other components in 'eucarc' document might be overlooked as those are not required during attacks
associated with buckets. Once eucarc document is prepared, intruder basically in need to source that newer
eucarc document and execute command s3curl to make another bucket mimicking client whose login details are
utilized or to get a collection of relative multitudes of buckets claimed by client whose login details are utilized.
Attacks related to Objects: Prior to launch of attacks related to object, the intruder has to realize the specific
name of bucket in which objective item is found. There exists two different ways of figuring out the specific
name of bucket. One includes utilizing the eucalyptus-walrus.scriptcatalog. This specific catalog stores name of
parent bucket, names of constituent objects and name of bucket owner in table OBJECTS under attributes
OBJECT_KEY ,BUCKET_NAME and OWNER_ID accordingly as demonstrated in Figure 6.
1706International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
Figure 6. Eucalyptus-walrus.script Table illustrations
In the wake of getting hold of this data, the attacker essentially requires to make a newer eucarc document with
interface certifications of his victim, source this record and execute command s3curl to place an object into the
buckets of victim, obtain size, MD5 checksum, and time for updating of a victim's object, read victim's object
into a document or erase it.
The attacks associated with buckets must need 'administrator' to have the ownership of consumers login details
yet tragically, activities like placing an object into a consumers bucket, obtaining size, MD5 checksum, and last
alteration time for a consumer possessed object, obtaining object from a consumer's bucket, erasing a consumer
claimed object, erasing a client possessed bucket, gaining access control strategy for a consumer's bucket and
obtaining contents of a consumer possessed buckets can be done by the 'administrator' utilizing its own
arrangement of login details with no dependence on getting the consumer's login details.
Attacks related to ACLs:Every WALRUS object and bucket has an ACL associated to it in the form of
subresource. For launching attacks related to ACL on objects or buckets, initially attacker required to hold
specific subresources belong to ACL. One approach to obtaining hold of ACL is by utilizing command s3curl to
peruse ACL of an object or a bucket into a *.acl document. When ACL has been added something extra to a
*.acl record, attacker will be able to make any changes to document. On the other hand, attacker will also be
able to make a new *.acl record consisting of favoured control privileges allowed to chosen grantees. At this
time, attacker basically requires to set updated record or newly made document as ACL of targeting object or
buckets utilizing command s3curl. There could be one more sort of attacking chance for attackers where in he
could make assignment of particular privileges of access control to complete collection of consumers registered
in cloud. Based on preferences of attacker, he will be able to set attributes such as GLOBAL_WRITE_ACP,
GLOBAL_READ_ACP, GLOBAL_WRITE, and GLOBAL_READ in OBJECTS and BUCKETS tables
available in eucalyptus_walrus.script catalog as demonstrated in Figure 6, that would alter *.acl document of
targeted bucket or object automatically to permit by granting accesses to all the consumers.
Attacks related to Log File:Eucalyptus empowers clients to produce access log records for buckets that they
possess. These records could be conveyed to any of client claimed buckets relying upon the preferences of
owner. Once access logs have been conveyed to targeting bucket, they can be managed as normal objects that
owner can list, erase, and read at their flexibility.Logging data of client's bucket is stored in the form of
attributes TARGET_PREFIX, TARGET_BUCKET and LOGGING_ENABLED in BUCKETS table of
eucalyptus_walrus.script catalog. Suppose the TRUE value is set to attribute LOGGING_ENABLED, the
1707International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
TARGET_BUCKET will have name of client determined bucket where files related to access log would be
stored and TARGET_PREFIX would possess client indicated prefix to be attached to framework produced log
file names. While dealing with WALRUS, when the intruder has removed all essential data from the list
eucalyptus_walrus and accessed bucket storing log records, he can generously utilize these log records in any
favoured manner.
6. CONCLUSION
In the research work accomplished, we have identified security patterns for cloud applications taking into
consideration various aspects of security, including information security, privacy and system security. Initially
we have investigated by studying the existing works done on designing security patterns considering various
issues and solutions to be followed wile developing applications for cloud. We provided design patterns
covering significant areas such as data security, privacy and system security for various classifications like
Authentication and Authorisation, Confidentiality and Privacy, Regulatory and Compliances, Secure
Application Development and Services, and Secure Designs. We made our work unique by documenting in the
form of tables, the better practices that cloud application designer may follow as guidelines. At the end, we have
simulated some potential attacks the consumer’s data and system faces in eucalyptus cloud environment, which
identifies sources of attacks, its context and possible resolutions for the prevention of attacks. We attempted to
explore the attacks utilizing Walrus services for storage, and demonstrated that comparatively many areas
require security in substantial stages, to guarantee protection of consumer’s information, privacy and hence
ensuring sustainability of a private cloud framework.
REFERENCES
[1] Doddavula, Shyam& Agrawal, Ira & Saxena, Vikas. (2013). Cloud Computing Solution Patterns:
Application and Platform Solutions. 10.1007/978-1-4471-5107-4_11.
[2] A. Saboor, A. K. Mahmood, M. F. Hassan, S. N. M. Shah, F. Hassan and M. A. Siddiqui, "Design Pattern
Based Distribution of Microservices in Cloud Computing Environment," 2021 International Conference on
Computer & Information Sciences (ICCOINS), 2021, pp. 396-400, doi:
10.1109/ICCOINS49721.2021.9497188.
[3] Martino, Beniamino Di and Antonio Esposito. “A rule‐based procedure for automatic recognition of design
patterns in UML diagrams.” Software: Practice and Experience 46 (2016): 1007 - 983.
[4] C. Fehling, F. Leymann, R. Retter, W. Schupeck, P. Arbitter. Cloud computing patterns: fundamentals to
design, build, and manage cloud applications. Springer Science & Business Media, 2014.
[5]. Fernandez, E.B.; Monge, R. A security reference architecture for Cloud systems. In Proceedings of the
WICSA 2014 Companion Volume, Sydney, Australia, 7–11 April 2014; p. 3.
[6].RomanoskySecurity design pattern’s part 1, https://www.cgisecurity.com/lib/securityDesignPatterns.pdf
(accessed on 15Jan2022).
[7]. Yskout, K.; Heyman, T.; Scandariato, R.; Joosen, W. Security Patterns: Interim Report. Available online:
http://www.cs.kuleuven.be/publicaties/rapporten/cw/CW514.abs.html (accessed on 15 Jan 2022).
[8]. Kienzle, D.M.; Elder, M.C.; Tyree, D.; Edwards- Hewitt, J. Security Patterns Repository, Available online:
http://www.cse.msu.edu/~cse870/Homework/SS2005/HW5/Kienzle.pdf (accessed on 15 Jan 2022).
[9] Schumacher, M.; Fernandez-Buglioni, E.; Hybertson, D.; Buschmann, F.; Sommerlad, P. Security Patterns:
Integrating Security and Systems Engineering; Wiley: Hoboken, NJ, USA, 2013.
[10] Langer, T.; Pohls, H.C.; Ghernaouti, S. Selected Cloud Security Patterns to Improve End User Security
and Privacy
in Public Clouds. Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science; Springer:
Cham,Switzerland, 2016; Volume 9857.
[11]. Oracle Technical Report in 2018, “Securing SaaS at Scale”. Available online:
http://www.oracle.com/us/solutions/Cloud/Cloudessentials-securingsaas-5101707.pdf (accessed on 15 Jan
2022).
[12] Annanda Rath *, Bojan Spasic, Nick Boucart and Philippe Thiran, “Security Pattern for Cloud SaaS: From
System and Data Security to Privacy Case Study in AWS and Azure”, Computers, 2019, 8, 34;
doi:10.3390/computers8020034.
[13] Christoph Fehling, “Cloud Computing Patterns Identification, Design, and Application”, 2015.
[14] Nirmala Holagundi, Mustafa Basthikodi, “Algorithm Fuzzy Scheduling (AFS) for Realtime Jobs on
Multiprocessor Systems”, Indonesian Journal of Electrical Engineering and Computer Science, 2022,
Volume 25, No. 3, pp. 1308-1319.
[15] AWS Cloud Design Patterns. URL: http://en.clouddesignpattern.org/ (accessed on 5 Feb 2022).
[16] Cloud Patterns. URL: http://cloudpatterns.org (accessed on 5 Feb 2022).
1708International Journal of Early Childhood Special Education (INT-JECS)
ISSN: 1308-5581 Vol 14, Issue 03 2022
[17] Mustafa Basthikodi, Ananth Prabhu, Anush Bekal, "Performance Analysis of Network Attack Detection
Framework using Machine Learning", Sparkinglight Transactions on Artificial Intelligence and Quantum
Computing (STAIQC),2021, Vol. 1, No. 1, pp. 11-22, doi: 10.55011/staiqc.2021.1102.
[18] Google Cloud Design Patterns. URL: https://cloud.google.com/apis/design/design_
patterns (accessed on 10 Feb 2022).
[19]. Web Application Security Guidance. Available online:
https://www.owasp.org/index.php/Web_Application_Security_Guidance (accessed on 15 Feb 2022).
[20]. Langer, T.; Pohls, H.C.; Ghernaouti, S. Selected Cloud Security Patterns to Improve End User Security
and Privacy in Public Clouds. Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer
Science; Springer: Cham, Switzerland, 2016; Volume 9857.
[21]. OWASP Cloud Security Project. Available online: https://www.owasp.org/index.php/OWASP_Cloud_
Security_Project (accessed on 15 Feb 2022).
[22]. General Data Protection Regulation (GDPR). Available online: https://ec.europa.eu/info/law/law-
topic/data-protection_en (accessed on 20 Feb 2022).
[23]. Achbarou, O.; Kiram, M.A.E.; Bouanani, S.E. Securing Cloud Computing from Different Attacks Using
Intrusion Detection Systems. Int. J. Interact. Multimed. Artif. Intell. 2017, 4, 61–64.
[24]. Subramaniam, T.K.; Deepa, B. Security attack issues and mitigation techniques in Cloud computing
environments. Int. J. UbiComp (IJU) 2016, 7, doi:10.5121/iju.2016.7101.
[25] SGX. Available online: https://software.intel.com/en-us/blogs/2018/11/08/microsoft-azure-
confidentialcomputing-with-intel-sgx (accessed on 20 Feb 2022).
[26] 12. Langer, T.; Pohls, H.C.; Ghernaouti, S. Selected Cloud Security Patterns to Improve End User Security
and Privacy in Public Clouds. Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer
Science; Springer: Cham, Switzerland, 2016; Volume 9857.
[27]. Taherizadeh, S.; Stankovski, V.; Grobelnik, M. A Capillary Computing Architecture for Dynamic Internet
of Things: Orchestration of Microservices from Edge Devices to Fog and Cloud Providers. Sensors 2018,
18, 2938.
[28] Ondiege, B.; Clarke, M.; Mapp, G. Exploring a new security framework for remote patient monitoring
devices. Computers 2017, 6, 11.
[29] Detailed Pattern Structure. Available online: http://www.sirris.be.s3-website-eu-west-
1.amazonaws.com/(accessed on 20 Feb 2022).
[30] A. Waqar, A. Raza and H. Abbas, "User Privacy Issues in Eucalyptus: A Private Cloud Computing
Environment," 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and
Communications, 2011, pp. 927-932, doi: 10.1109/TrustCom.2011.128.
[31]EucalyptusBeginner’s Guide UEC
Edition,http://cssoss.files.wordpress.com/2010/06/book_eucalyptus_beginners_guide_uec_edition1.pdf
[32] S3-Compatible Tools- s3curl, http://open.eucalyptus.com/wiki/s3curl
1709You can also read
