BULUT BİLİŞİMDE GÜVENLIK ZAFİYETLERİ, TEHDİTLERI VE BU TEHDİTLERE YÖNELİK GÜVENLİK ÖNERİLERİ

Yıl 2019, Cilt: 5 Sayı: 1, 8 - 34, 15.06.2019

İşıl Karabey Aksakallı

https://doi.org/10.18640/ubgmd.544054

Cited By: 2

Öz

Bulut
bilişim, yeni çağı simgeleyen paralel hesaplama, dağıtık hesaplama ve
sanallaştırma teknolojilerinin gelişimidir. Bu teknoloji, talep üzerine
internet altyapısına inşa edilip bulut üzerinden yazılım, uygulama, iş ve
tüketici bilgi teknolojileri hizmetleri sunan esnek, uygun maliyetli ve
yapılandırılabilir hesaplama kaynaklarına sahip popüler bir teknolojidir. Esnek
altyapısı, ağ merkezli yaklaşımı ve erişim kolaylığı sebebiyle küçük, orta ve
büyük ölçekli bir çok organizasyon tarafından kullanımı giderek yaygınlaşmaktadır.
Fakat bu teknoloji, veri ve hizmet erişimini üçüncü bir partiden temin ettiği
için bazı güvenlik risklerini de beraberinde getirmektedir. Bu çalışmada bulut
bilişimde meydana gelen güvenlik zafiyetleri araştırılmış, bu zafiyetler kullanılarak
bulut sistemlerine yapılan saldırı türleri incelenmiştir. Ayrıca bu saldırıları
ve zafiyetleri kontrol altına almak adına bulut teknolojisi için alınan
güvenlik önlemleri literatür çalışmaları ile desteklenerek açıklanmıştır. 

Anahtar Kelimeler

Bulut bilişim, Bulut güvenliği, Bulut zafiyetleri, Güvenlik tehditleri

Kaynakça

• [1] Srinivasamurthy S., Liu D., Vasilakos A., Xiong N., Security and Privacy in Cloud Computing: A Survey,” Parallel&Cloud Computing (PCC). London, vol. 2, pp126-149, New York, NY: American V-King Scientific Publishing, 2013. http://opus.ipfw.edu/compsci_facpubs/44
• [2] CSA Cloud Security Alliance , Top Threats to Cloud Computing”, Prepared by the Cloud Security Alliance, March 2010, Erişim tarihi: 13.12.2018
• [3] Mell P. Grance T., The NIST Definition of Cloud Computing, 2009, http://www.wheresmyserver.co.nz/storage/media/faq-files/clouddef-v15.pdf, Erişim tarihi: 13.01.2018
• [4] Tari Z., Yi X., U.S. Premarathe, P. Bertok, and I. Khalil, Security and Privacy in Cloud Computing: Vision, Trends, and Challenges, IEEE Cloud Computing published by The IEEE Computer Society, 2015
• [5] Morsy M. Grundy J. Müller I., An Analysis of the Cloud Computing Security Problem, In Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 30th November 2010.
• [6] Hashizume D. Rosado G., Fernandez-Medina E., and Fernandez E. B., An Analysis of security issues for cloud computing, Journal of Internet Services and Applications, 4:5, 2013. http://www.jisajournal.com/content/4/1/5
• [7] Khan M. A., A Survey of security issues for cloud computing, Journal of Network and Computer Applications, Science Direct Elsevier, pp. 1129, 2016
• [8] Khalil I. M., Khreishah A., and Azeem M., Cloud Computing Security: A Survey, Computers, 3, 1-35; doi:10.3390/computers3010001, 2014. www.mdpi.com/journal/computers
• [9] CSA Top Threats Working Group , The Notorious Nine- Cloud Security Top Threats, February 2013, Erişim tarihi: 13.12.2018
• [10] Cloud Security Alliance, Security guidance for critical areas of focus in Cloud Computing V3.0, 2011. Available: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf, Erişim tarihi: 10.01.2018
• [11] Ayyub M. Kaushik P., “An Analysis of Security Attacks on Cloud wrt SaaS”, International Journal of Advancements in Research & Technology, Volume 4, Issue 2, February 2015
• [12] Ju J., Wang Y., Fu, J., Wu J., and Lin Z., Research on Key Technology in SaaS, International Conference on Intelligent Computing and Cognitive Informatics (ICICCI), Hangzhou, China. IEEE Computer Society, Washington, DC, USA, pp 384–387, 2010
• [13] Alimuzzaman A Survey on Cloud Security, Challenges and Mitigation, Scientific Research Journal (SCIRJ), Volume III, Issue VI, pp. 31-36, June 2015[14] Cloud Security Alliance (CSA), Security guidance for critical areas of Mobile Computing, 2012. Available: https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf, Erişim tarihi: 10.01.2018
• [15] Sridhar S., Dr. Smys S., A Survey on Cloud Security Issues and Challenges with Possible Measures, International Conference on Inventive Research in Engineering and Technology, 2016
• [16] Chandramouli R. Mell P., State of Security readiness. Crossroads 16 (3):23–25,2010
• [17] OWASP (2010) The Ten most critical Web application Security risks. Available: https://www.owasp.org/index.php/Category: OWASP_Top_Ten_Project
• [18] Reuben JS., A survey on virtual machine Security. Seminar on Network Security, 2007
• [19] Hashizume K., Yoshioka, N., Fernandez EB., Three misuse patterns for Cloud Computing. Rosado DG, Mellado D, Fernandez-Medina E, Piattini M ed) Security engineering for Cloud Computing: approaches and Tools. IGI Global, Pennsylvania, United States, pp 36–53, 2013
• [20] Xiao S., Gong W., “Mobility Can help: protect user identity with dynamic credential”, 11th International conference on Mobile data Management (MDM). IEEE Computer Society, Washington, DC, USA, pp 378–380, 2010
• [21] Wylie J., Bakkaloglu M., Pandurangan V., Bigrigg M., Oguz S., Tew K., Williams, C., Ganger G. Khosla P., Selecting the right data distribution scheme for a survivable Storage system, CMU-CS-01-120, Pittsburgh, PA, 2001
• [22] Harnik D. Pinkas B., Shulman-Peleg A., Side channels in Cloud services: deduplication in Cloud Storage, IEEE Security Privacy 8(6):40–47, 2010
• [23] Santos N. Gummadi KP., Rodrigues, R., Towards Trusted Cloud Computing, Proceedings of the 2009 conference on Hot topics in cloud computing, San Diego, California. USENIX Association Berkeley, CA, USA, 2009
• [24] Berger, S., Cáceres, R., Pendarakis, D., Sailer, R., Valdez, E., Perez, R., Schildhauer, W., Srinivasan, D., TVDc: managing Security in the trusted virtual datacenter, SIGOPS Oper. Syst. Rev. 42(1):40–47, 2008
• [25] Berger S., Cáceres R. Goldman K. Pendarakis D. Perez R., Rao JR. Rom E. Sailer R. Schildhauer W., Srinivasan D., Tal S. Valdez E., Security for the Cloud infrastructure: trusted virtual data center implementation, IBM J Res Dev 53 (4):560–571, 2009
• [26] Wei J., Zhang X., Ammons G. Bala V. Ning P., Managing Security of virtual machine images in a Cloud environment, Proceedings of the 2009 ACM workshop on Cloud Computing Security. ACM New York, NY, USA, pp. 91–96, 2009
• [27] Zhang F., Huang Y., Wang H., Chen H. Zang B., PALM: Security Preserving VM Live Migration for Systems with VMM-enforced Protection, Trusted Infrastructure Technologies Conference, 2008. APTC’08, Third Asia-Pacific. IEEE Computer Society, Washington, DC, USA, pp 9–18, 2008
• [28] Xiaopeng G., Sumei W., Xianqin C., VNSS: a Network Security sandbox for virtual Computing environment, IEEE youth conference on information Computing and telecommunications (YC-ICT). IEEE Computer Society, Washington DC, USA, pp 395–398, 2010
• [29] Wu Ding Y., Winer C., Yao L., Network Security for virtual machine in Cloud Computing, 5th International conference on computer sciences and convergence information technology (ICCIT). IEEE Computer Society Washington, DC, USA, pp 18–21, 2010
• [30] Tirumala S., Sathu H., and Naidu V., Analysis and Prevention of Account Hijacking based INCIDENTS in Cloud Environment, International Conference on Information Technology, pp. 124-129, 2015
• [31] Thangavel M., Varalakshmi P. Renganayaki S., Subhapriva G.R., Preethi T., and Banu A. Z., SMCSRC-Secure Multimedia Content Storage and Retrival in Cloud, Fifth International Conference on Recent Trends In Information Technology, 2016
• [32] Wang C., Lin C., Liao I., and Kao C., An OpenFlow-based Collaborative Intrusion Prevention System for Cloud Networking, Communication Software and Networks (ICCSN), pp. 85-92, 2015
• [33] Kumar B. Abhishek K. Kumar A. Singh M.P., System and Method for Mitigating Cross VM Attacks in Cloud Computing by Securing the Network Traffic, Computer Applications & Industrial Electronics (ISCAIE), pp. 221-225, 2015
• [34] Singh S. Pandey B.K., Srivastava R. Rawat N. Rawat P., and Awantika, Cloud Computing Attacks: A Discussion With Solutions, Open Journal of Mobile Computing and Cloud Computing, vol. 1, no. 1, 2014
• [35] Nenvani G., and Gupta H., A Survey on Attack Detection on Cloud using Supervised Learning Techniques, Symposium on Colossal Data Analysis and Networking (CDAN), 2016
• [36] Xia Y. Liu, Chen H. Zang, Defending against VM Rollback Attack, Dependable Systems and Networks Workshops (DSN-W), 2012
• [37] Wang Z., and Jiang X., HyperSafe: a Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity, Security and Privacy, IEEE Computer Society, Washington, DC, USA, pp. 380-395, 2010
• [38] Freet D. Agrawal R. John S., Walker J., Cloud Forensics Challenges from a Service Model Standpoint: IaaS, PaaS and SaaS, MEDES '15, October 25-29, pp. 148-155, Caraguatatuba, Brazil, 2015
• [39] Li X., Zhou L. Shi Y., Guo Y., A Trusted Computing Environment Model in Cloud Architecture, Ninth International Conference on Machine Learning and Cybernetics, Qingdao, 11-14, pp. 2843-2848, 2010
• [40] Karame G., Neugschwandtner M. Önen M., Ritzdorf H., Reconciling Security and Functional Requirements in Multi-tenant Clouds, ASIA CCS ’17, April 02-06, Abu Dhabi, United Arab Emirates, 2017
• [41] Puzio P. Molva R. Önen M. Loureiro S., PerfectDedup: Secure Data Deduplication, DPM, QASA: Data Privacy Management, and Security Assurance pp 150-166, 2015
• [42] Yan Z. Deng R. Varadharajan V., Cryptography and Data Security in Cloud Computing, Information Sciences 387, pp. 53–55, 2017
• [43] Ali M., Khan S. Vasilakos A., Security in cloud computing: Opportunities and challenges, Information Sciences 305, pp. 357–383, 2015
• [44] Krutz R., Vines D., Cloud Security: A Comprehensive Guide to Secure Cloud Computing, Wiley Publishing, 2010
• [45] Dawoud W., Takouna I., Meniel C., Infrastructure as a Service Security: Challenges and Solutions, 7th International Conference - Informatics and Systems (INFOS), 2010
• [46] Ahmad A. Nasser N. Anan M., An Identification and Prevention of Theft-of-Service Attack on Cloud Computing, International Conference on Selected Topics in Mobile & Wireless Networking (MoWNeT), 2016
• [47] Deshmukh R. Devadkar K., Understanding DDoS Attack & Its Effect In Cloud Environment, Procedia Computer Science, Volume 49, pp. 202-210, 2015
• [48] Wang Z. Yang R., Fu X. Du X. Luo B., A Shared Memory based Cross-VM Side Channel Attacks in IaaS Cloud, 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS): BigSecurity 16: The Fourth International Workshop on Security and Privacy in Big Data, 2016
• [49] Hashizume K. Yoshioka N. Fernandez E., Misuse Patterns for Cloud Computing, AsianPLoP '11 Proceedings of the 2nd Asian Conference on Pattern Languages of Programs, Article no. 12, Tokyo, Japan, 2011
• [50] Masti R. J., On the security of Virtual Machine migration and related topics, Master Thesis, Master of Science in Computer Science, ETH Zurich, April 2010
• [51] Mahalingam M. S., Nagarajan M.K., Cloud Based Security Center: To Protect Networking Attack by Forensic Scrutiny, International Journal of Scientific Engineering and Technology, Volume no.3, Issue no. 3, pp. 280-284, 2014
• [52] Kebande V. R., Venter H.S., A Cognitive Approach for Botnet Detection Using Artificial Immune System in the Cloud, Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), pp. 52-57, 2014
• [53] Almutairi A., Sarfraz M., Basalamah S., Aref W. Ghafoor A., A Distributed Access Control Architecture for Cloud Computing, IEEE Software, Volume: 29, Issue: 2, pp. 36-44, 2012
• [54] Shao J., Lu R. Lin X., Fine-Grained Data Sharing in Cloud Computing for Mobile Devices, IEEE Conference on Computer Communications (INFOCOM), pp. 2677- 2685, 2015
• [55] Li J. Wang Q., Wang C. Ren K., Enhancing Attribute-Based Encryption with Attribute Hierarchy, Journal of Mobile Networks and Applications, Springer-Verlag New York, Inc. Secaucus, NJ, USA, Volume 16, Issue 5, pp. 553-561, 2011
• [56] Tebaa M. El Hajji S., El Ghazi A., Homomorphic encryption method applied to Cloud Computing, Network Security and Systems (JNS2), pp.86-89, 2012
• [57] Rewagad P. Pawar Y., Use of Digital Signature with Diffie Hellman Key Exchange and AES Encryption Algorithm to Enhance Data Security in Cloud Computing, Communication Systems and Network Technologies (CSNT), pp. 437-439, 2013
• [58] Somani U., Lakhani K. Mundra M., Implementing digital signature with RSA encryption algorithm to enhance the Data Security of cloud in Cloud Computing, Parallel Distributed and Grid Computing (PDGC), pp. 211-216, 2010
• [59] Huang C., Ma S. Chen K., Using one-time passwords to prevent password phishing attacks, Journal of Network and Computer Applications 34, pp. 1292–1301, 2011
• [60] Grobauer B. Walloschek T. Stocker E., Understanding Cloud Computing Vulnerabilities, IEEE Security & Privacy, Volume: 9, Issue: 2, pp. 50-57, 2011
• [61] Wang K., Hou Y., Detection Method of SQL injection Attack in Cloud Computing Environment, Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC), pp. 487-493, 2016
• [62] Zunnurhain K., Vrbsky S., Security Attacks and Solutions in Clouds, 2nd IEEE International Conference on Cloud Computing Technology and Science, Indianapolis, 2010
• [63] Aviram A. Hu S., Ford B., Gummadi R., Determinating timing channels in compute clouds, ACM Workshop on Cloud Computing Security Workshop (CCSW ’10); ACM: New York, NY, USA, pp. 103–108, 2010
• [64] Hlavacs H., Treutner T., Gelas J. Lefevre L. Orgerie A., Energy consumption side-channel attack at virtual machines in a cloud, IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing (DASC), Sydney, NSW, Australia, pp. 605–612, 2011
• [65] Jasti A. Shah P. Nagaraj R., Pendse R., Security in multi-tenancy cloud, IEEE International Carnahan Conference on Security Technology (ICCST), KS, USA. IEEE Computer Society, Washington, DC, USA, pp 35–41, 2010
• [66] Wu H., Ding Y., Winer C. Yao L., Network Security for virtual machine in Cloud Computing, 5th International conference on computer sciences and convergence information technology (ICCIT). IEEE Computer Society Washington, DC, USA, pp 18–21, 2010
• [67] Rocha F., Correia M., Lucy in the sky without diamonds: Stealing confidential data in the cloud, IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSNW ’11), Hong Kong, IEEE Computer Society: Washington, DC, USA, 2011; pp. 129–134, 2011
• [68] Tupakula U., Varadharajan V., Akku N., Intrusion detection techniques for infrastructure as a service cloud, IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing (DASC), Sydney, Australia, pp. 744–751, 2011
• [69] Aborujilah A. Musa S., Cloud-Based DDoS HTTP Attack Detection Using Covariance Matrix Approach, Hindawi Journal of Computer Networks and Communications, Volume 2017, 2017
• [70] VivinSandar S. Shenai S., Economic Denial of Sustainability (EDoS) in Cloud Services using HTTP and XML based DDoS Attacks, International Journal of Computer Applications, Volume 41, No. 20, 2012
• [71] Fan L. Wenhua Z., Yi J. Jianmin L. Qi L., A Group Tracing and Filtering Tree for REST DDos in Cloud Computing, International Journal of Digital Content Technology and its Applications, vol 4, Number 9, Dec. 2010
• [72] Wang L. and Laszewski G., Scientific Cloud Computing: Early Definition and Experience, CiteSeerX, October 2008
• [73] Zissis D. and Lekkas D., Addressing cloud computing security issues, Future Generation Computer Systems 28, pp. 583–592, 2012