Cloud Computing. DDoS, Blockchain, Regulation and Compliance

Table of Content

Summary

Cloud

DDoS Attacks in Cloud

Blockchain for Cloud

Organic Networks – merger of ‘viral and social’ networks [20]

Using Private Blockchain with DTMM in Cloud Platform

Compliance in Cloud

Conclusion

References

Summary

Cloud computing is a promising technology where computational power is provided over internet as per users demand just like the supplies daily utilities of tap water, electricity and gas provided as pay per use. The features of easy accessibility anywhere at any time and almost no burden of on-going operational expenses like running of data-centre makes it one of the fastest growing technologies with the overall business of cloud being anticipated to be above $40 billion by 2012. The popularity of cloud computing and its growing reach poses some unanswered questions regarding security and authentication of both the user and the provider. How much a user can rely on the cloud service provider for data security and application related services? In 2009 NIST defined Cloud Computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction [3]. With the growing number of organizations moving towards cloud platform, issues like security, compliance, threats, attacks and intrusion are some of the most challenging and unresolved issues. Due to low cost, scalability, elasticity, sharing of resources, global presence and ease of business, more and more firms are moving towards cloud computing technology. Cloud compliance is a nagging problem with firms or users using cloud backup or storage facility. With more and more research being done, several problem areas in cloud computing were identified that were blocking the widespread adoption of cloud on the enterprise level, are listed below [22]:

- Security and privacy
- Controllability and flexibility
- Visibility and availability
- Auditability and accountability
- Latency, performance/throughput
- Compliance

Here I have attempted to provide solutions to some of the above stated problems. Two emerging cloud deployment models and two emerging cloud service models have also been briefly discussed. DDoS attacks have been listed and effects discussed along with an alternated solution for Blockchain DDoS attacks. Though data protection laws can be different with change in jurisdiction but here emphasis has been given on data policies existing in India based on IT Act (2000). In case of data transfer or storage the data protection laws of both the jurisdiction any intermediate jurisdiction has to be taken into consideration. Compliance with the involved jurisdictions at state or country level becomes mandatory for the organizations or users involved in data transfer/storage/retrieval/deletion/updating/management. Important points of consideration have been listed for organizations to consider while designing SLA’s and their compliance Strategy. IT Act (2000) has been discussed here and Strategies to be designed keeping the omissions in mind. National law regulating the collection and use of personal data is the Information Technology Act 2000 (IT Act) has been stated and suggestions provided to safeguard data in case of data storage, retrieval, deletion or transfer. Dynamic Trust Management Method (DTMM) has been discussed in context to Cloud and Blockchain. Finally a reference model has been suggested for avoiding DDoS and Blockchain DDoS Attacks in Cloud Environment. Finally the discussions has been concluded highlighting the recommendations and necessary actions needed for the same.

Cloud

Cloud platform provides access to applications and software from anywhere as per need to the user. This means storage and power is no more a user’s problem while they are working in a cloud environment. Before cloud computing came into existence a whole team of experts were needed for installing, configuring, testing, managing, updating and securing the hardware and software used for running applications for business enterprises. So this made business applications pretty expensive. But with the introduction of cloud computing’s pay per use model, business applications have been made available at much affordable cost also simultaneously optimizing resources and improving scalability. But the adoption of cloud technology is not very simple and seamless as it appears to be. Let’s began with adoption challenges, virtualization of resources in IT began with the arrival of cloud computing, enterprise business applications, services and data started to be modernized to take on to this journey but this evolution introduced some complexities where the orchestration became more complicated as it started to transform IT structure into virtual systems, interdependency on network performance grew big and business models started to move towards pay as you go licensing as opposed to per instance [22].

NIST identified the following characteristics that every cloud service must have [23]:

1. It must be an on-demand self-service in which a customer can self-provision compute, store, etc., without human interaction.
2. It must contain broad network access with reachability and platform options (including thin and thick clients, phones, and tablets).
3. It must be a multi-tenant environment fostering location-independence.
4. It must support rapid elasticity with the ability to grow and shrink based on policy, with no impact to applications or users.
5. It must be a measured service, metered by performance with a pay-as-you-go pricing model.

There are six deployment models existing in a cloud platform: Public (bills on per hour or per month basis, open for public), Private (more expensive, better security, owned privately), Community (shared among users having common interests in organization) and Hybrid (mix of public, private or community). There are two emerging deployment models [24]: Federated (allows inter-cloud resources sharing and combined provisioning) and Intercloud (provides a basis for provisioning heterogeneous multi-provider cloud based project oriented infrastructures on-demand). Also there are three popular service models in cloud computing: Infrastructure as a service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Also there are two emerging service models in cloud computing: Data Analytics as a Service and HPC/Grid as a Service. The point is to carefully choose service model, deployment model and the service provider keeping your requirement and security needs in mind. Whatever data you store on a cloud platform will always be owned by you but it is stored by cloud service provider. So understanding data retention policy by the service provider is very important. Copying data from previous provider to new provider is needed to be done by you while shifting cloud provider. This makes compliance laws and policy to be clearly stated and understood by both the parties. So policies regarding deletion of any data or data retention will have to be stated and clarified while opting your service provider.

DDoS Attacks in Cloud

Cloud environment covers services right from the core infrastructure to software like email at an individual user level. This also brings enormous opportunities for individuals and organizations to host as well as use the services; there are a number of organizations offering different types of cloud services. By implementing cloud the organizations certainly gets the benefit of reduced capital investment, faster implementation cycle with net reduction in hardware-software procurement and installation and thus many miss out on the fact that responsibility to abide to the regulatory requirements imposed by various federal agencies and regulatory bodies is still with them. Non-conformance to the regulation might attract huge penalties and in cases federal agencies can also revoke the organizations licence to operate. Cloud Environment is vulnerable to attacks. One of the most popular attacks is Distributed Denial of Service (DDoS) attack. Some of the other attacks are Cloud Malware Injection attack, Side Channel attack, Authentication attack and Man in the Middle Cryptographic attack. DDoS attacks have become a common means for cybercriminals to distract a target’s security, said Akamai’s senior security advocate Martin McKeay [12]. Hackers are increasingly turning to distributed denial-of-service (DDoS) attacks to take companies offline or steal their sensitive data, according to a new report from Corero Network Security [14]. In table 1 and table 2 some of the major DDoS Attacks have been stated from year 1998 to 2018. The most surprising part of these DDoS is that the intensity of attacks have been increasing. The more ubiquitous the technology being adopted like Internet of Things (IoT) and Artificial Intelligence, the reach of these DDoS attacks are more widespread.

illustration not visible in this excerpt

Table1: DDoS attacks in past [3] (Source: “Understanding DDoS Attack & Its Effect In Cloud Environment” by Rashmi V. Deshmukha , Kailas K. Devadkarb published in Elsvier Procedia Computer Science 49 ( 2015 ) 202 – 210)

illustration not visible in this excerpt

Table2: DDoS attacks 2014-2018

During this period increase in Ransom Denial of Service (RDoS) is seen on rise where the attackers send a message to victim demanding ransom in bitcoins which if not paid will result in sensitive data loss. RDoS attacks returned in Q3 2017, as this method allows cybercriminals to extort money from their victims [14]. The growing availability in DDoS-for-hire services and the proliferation of unsecured Internet of Things (IoT) devices has led to the increase in DDoS attacks in 2017-Corero Network Security, 2017 [14].

Kaspersky Lab’s did IT security survey in 2017. It polled 5,200 business representatives from 29 countries. The survey pointed at financial implications of reacting to DDoS attacks has resulted in $123,000 for SMBs per incident in 2017, compared to $106,000 in 2016.When asked about the specific consequences experienced as a result of a DDoS attack, most organizations (33%) claim that the cost incurred in fighting the attack and restoring services is the main burden, while a quarter (25%) cited money spent investing in an offline or back-up system while online services are unavailable, 23% stated that a loss of revenue and business opportunities occurred as a direct result of DDoS attacks, whereas 22% listed the loss of reputation among clients and partners as another direct consequence of a DDoS attack [16].

Blockchain for Cloud

Distribution of digital information which cannot be copied is the essence of Blockchain technology. Blockchain has (a) Data: Value of transaction attached to the block which includes From, To and Amount (b) Hash Code: Special code for every transaction (c) Hash of Previous Block. The amazing feature of this technology is that it doesn’t have centralized record keeping as it is hosted by millions of computers at the same time. The data is available to anyone on the internet and beyond the scope of hacking. Due to decentralized nature direct modification of data is not possible. Instead of shared ledger system used by banks, distributed ledger system should be used which gets automatically updated with any change on the current available version and the updated version is made available to all in the network. Two users of the same document cannot mess with the same document/record at the same time. As a peer-to-peer network, combined with a distributed time-stamping server, Blockchain databases can be managed autonomously to exchange information between disparate parties [21]. Here the users are the administrators and data once entered in a block cannot be altered. Public Blockchain allows anyone in the network to see or send transactions as long as they are part of the process of transaction or any other activity. Private Blockchains, in contrast, restrict the ability to write to a distributed ledger to one organization, such as a group of employees within a corporation, or between a set number of organizations, such as a number of banks that agree to a network partnership [21].

[...]