
ijcrb.webs.com

INTERDISCIPLINARY JOURNAL OF CONTEMPORARY RESEARCH IN BUSINESS

JANUARY 2012
VOL 3, NO 9

CLOUD COMPUTING: NETWORK/SECURITY THREATS AND COUNTERMEASURES
Sara Qaisar
Department of Technology Management, Faculty of Management Sciences, International Islamic University, H-10,
Islamabad, Pakistan,

Kausar Fiaz Khawaja (Corresponding Author)


Department of Technology Management, Faculty of Management Sciences, International Islamic University, H-10,
Islamabad, Pakistan,

Abstract:
Nowadays not just large organizations, but even small and medium-sized businesses are looking to adopt an economical computing resource for their business applications by introducing the new concept of cloud computing in their environment. Cloud computing improves an organization's performance by utilizing minimum resources and management support, with a shared network, valuable resources (The NIST Definition of Cloud Computing, 2009), bandwidth, software and hardware in a cost-effective manner and with limited service provider dealings. Basically it is a new concept of providing virtualized resources to consumers. Consumers can request a cloud for services, applications and solutions, and can store large amounts of data from different locations. But due to the constant increase in the popularity of cloud computing, there is an ever-growing risk of security becoming a main and top issue. The current paper proposes a backup plan required for overcoming the security issues in cloud computing.
Keywords: Cloud computing, Network issues, Security issues, Countermeasures
1- Introduction:
In October 2007, cloud computing became popular in the presence of other computing techniques used before (Wikipedia, 2012a; Foster & Kesselman, 1998; Raleigh & Armonk, 2007; Naone, 2007; Reimer, 2007). The popularity was due to the partnership of IBM and Google to work under a domain (Lohr, 2007; View, Calif & Armonk, 2007) followed by the entry of (Wikipedia, 2012b; Vouk, 2008). Cloud computing was a new idea that uses the internet and remote servers for maintaining data and applications. Through the internet it offers dynamic virtualized resources, bandwidth and on-demand software to consumers, and promises the distribution of many economic benefits among its adopters. It helps consumers reduce the usage of hardware, software licenses and system maintenance. Hence, by using the internet, consumers are able to use service applications on clouds (Ren & Lou, 2009). Moreover, by using cloud computing consumers can benefit in the form of cost and on-demand self-services that respond rapidly, and can access a broad network.
The current paper discusses in detail cloud computing, its types and the network/security issues related to it. The network structure faces attacks such as denial of service, man in the middle, network sniffing, port scanning, SQL injection and cross site scripting. Security issues that occur in cloud computing are XML signature element wrapping, browser security, cloud malware injection attack, flooding attacks, data protection, insecure or incomplete data deletion, and locks in.
2- Cloud Computing
Many organizations deal with the storing and retrieving of huge amounts of data, and cloud computing helps in performing this efficiently with minimum cost and time and maximum flexibility. Besides the benefits associated with cloud computing, there are different security issues an organization has to deal with in order to separate one cloud user's data from another's and so maintain confidentiality/privacy, reliability and integrity (Bugiel, Nurnberger, Sadeghi, & Schneider, 2011). Moreover, as the cloud service provider has complete control over the infrastructure, security risks such as manipulation or theft of code by the service provider exist (Cloud Security Alliance, 2010).

COPY RIGHT 2012 Institute of Interdisciplinary Business Research


Graphically, the network of networks, i.e. the Internet, is shown globally as a cloud, and cloud computing refers to applications and services rendered to consumers through the internet cloud. It is a paradigm shift that happened rapidly, transferring older computing techniques to a newer one. Hence nowadays the internet provides different services to its consumers, and no special device or software is required to use those services. After studying 20 definitions, Vaquero et al. (2009) came up with a minimum definition containing the essential characteristics:
"Clouds are a large pool of easily and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically re-configured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the infrastructure provider by means of customized service-level Agreements"
Cloud computing provides different services rather than a unit of product. These services are put forward in 3 models: software as a service (SAAS), platform as a service (PAAS), and infrastructure as a service (IAAS) (Iyer and Henderson, 2010; Han, 2010; Mell and Grance, 2010).
1. SAAS: It is run by the cloud service provider and mostly used by organizations. It is available to users through the internet.
2. PAAS: It is a tool (Windows, LINUX) used by developers for developing websites without installing any software on the system, and can be executed without any administrative expertise.
3. IAAS: It is operated, maintained and controlled by cloud service providers, and supports various operations like storage, hardware, servers and networking.
There are four types of cloud computing models listed by NIST (2009): private cloud, public cloud, hybrid cloud and community cloud.
1. Public Cloud: It is for the general public, where resources, web applications and web services are provided over the internet and any user can get the services from the cloud. Public organizations help in providing the infrastructure to execute the public cloud.
2. Private Cloud: It is used by organizations internally and is for a single organization; anyone within the organization can access the data, services and web applications, but users outside the organization cannot access the cloud. The infrastructure of a private cloud is completely managed, and corporate data is fully maintained, by the organization itself.
3. Hybrid Cloud: The cloud is a combination of two or more clouds (public, private and community). Basically it is an environment in which multiple internal or external suppliers of cloud services are used. It is being used by most organizations (IBM and Junipers Network, 2009).
4. Community Cloud: The cloud is basically a mixture of one or more public, private or hybrid clouds, which is shared by many organizations for a single cause (mostly security). The infrastructure is shared by several organizations within a specific community with common security and compliance objectives. It is managed by a third party or managed internally. Its cost is less than a public cloud but more than a private cloud.
Figure 1: Types of Cloud Computing


3- Network Issues in Cloud Computing:
Different network issues occur in cloud computing, some of which are discussed below:
3-1 Denial of Service:
When hackers overflow a network server or web server with frequent requests for services in order to damage the network, the server cannot keep up with them and cannot serve the regular requests of legitimate clients; this is a denial of service. For example, a hacker hijacks the web server, which could stop the web server from providing its services. In cloud computing, a hacker attacks the server by sending thousands of requests to it, so that the server is unable to respond to regular clients and does not work properly. The countermeasure for this attack is to reduce the privileges of the users connected to a server. This will help to reduce DoS attacks (Scarfone K, 2007).
3-2 Man in the Middle Attack:
This is another network security issue, which happens if secure socket layer (SSL) is not properly configured. For example, if two parties are communicating with each other and SSL is not properly installed, then all the data communicated between the two parties could be hacked by a party in the middle. The countermeasure for this attack is that SSL should be properly installed and should be checked before communicating with other authorized parties.
3-3 Network Sniffing:
Another type of attack is network sniffing. It is a more critical network security issue, in which unencrypted data is hacked through the network; for example, an attacker can hack passwords that are not properly encrypted during communication. If the communicating parties do not use encryption techniques for data security, then an attacker can capture the data during transmission as a third party. The countermeasure for this attack is that the parties should use encryption methods for securing their data.
3-4 Port Scanning:
There may be some issues regarding port scanning, which could be used by an attacker, as port 80 (HTTP) is always open because it is used for providing web services to the user. Other ports such as 21 (FTP) are not open all the time; they are opened when needed. Therefore ports should be secured by encryption until and unless the server software is configured properly. The countermeasure for this attack is to use a firewall to secure the data from port attacks (Services, 2009).
3-5 SQL Injection Attack:
SQL injection attacks are attacks in which a hacker uses special characters to make a query return data. For example, in SQL scripting a query ends with a where clause, which may be modified by adding more information to it. For example, an argument value of variable y or 1==1 may cause the return of the full table, because 1==1 is always true.
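The where-clause behaviour described above, shown beside two hardened forms of the same lookup. This is an added example, not code from the paper; the `customers` table, its rows and the function names are constructed for illustration, and SQLite is assumed because it accepts the `1==1` spelling used in the text.

```python
import re
import sqlite3


def make_db():
    """In-memory table filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_concatenated(conn, y):
    """Weak form: y becomes part of the SQL text, so it can extend the WHERE clause."""
    query = "SELECT name FROM customers WHERE id = " + y + " ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_bound(conn, y):
    """Hardened form: y is bound as one value and is never parsed as SQL."""
    query = "SELECT name FROM customers WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (y,))]


def lookup_checked(conn, y):
    """Hardened form plus an allow-list check: an id is 1 to 9 ASCII digits."""
    if not re.fullmatch(r"[0-9]{1,9}", y):
        raise ValueError("id must be a short decimal number")
    return lookup_bound(conn, int(y))


if __name__ == "__main__":
    db = make_db()
    argument = "2 or 1==1"  # the argument value the paragraph describes
    print("concatenated:", lookup_concatenated(db, argument))
    print("bound:       ", lookup_bound(db, argument))
    try:
        lookup_checked(db, argument)
    except ValueError as exc:
        print("checked:      rejected,", exc)
```

With the concatenated query the condition `1==1` is evaluated for every row, so the whole table comes back; with a bound parameter the same string is compared to the `id` column as a single value and matches nothing.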
3-6 Cross Site Scripting:
It is a type of attack in which a user enters the right URL of a website and a hacker on the other side redirects the user to his own website and hacks the user's credentials. For example, the user enters the URL in the address bar and the attacker redirects the user to the hacker site, where he obtains the sensitive data of the user. Cross site scripting attacks can provide a way to buffer overflows, DoS attacks and the insertion of malicious software into web browsers for violation of the user's credentials (Yang, 2003).

Figure 2: Cross Site Scripting (diagram labels: Enter Real URL; Hacker on Server; Redirect the user; Hacker site)


4- Security Issues in Cloud Computing:
Security issues of cloud computing are discussed below:
4-1 XML Signature Element Wrapping:
XML signature element wrapping is a well-known attack on web services. XML signature is used to protect an element's name, attributes and value from unauthorized parties, but it is unable to protect the element's position in the document (Jamil & Zaki, 2011b). The attacker targets the element by manipulating the SOAP messages and inserting anything the attacker likes. The countermeasure for this attack is to use a digital certificate, e.g. X.509, issued by a third party such as a certificate authority, and also to use a combination of WS-Security with XML signature on a particular element. The XML should carry a list of components so that messages which contain a malicious file, as well as unexpected messages from the client, can be rejected.
4-2 Browser Security:
The second issue is browser security. When a client sends a request to the server through a web browser, the browser has to make use of SSL to encrypt the credentials used to authenticate the user. SSL supports point-to-point communication, which means that if there is a third party, an intermediary host can decrypt the data. If a hacker installs sniffing packages on the intermediary host, the attacker may get the credentials of the user and use these credentials in the cloud system as a valid user (Jensen, 2009). The countermeasure for this attack is that vendors should use the WS-Security concept in web browsers, because WS-Security works at the message level and uses XML encryption for continuous encryption of SOAP messages, which do not have to be decrypted at intermediary hosts.
4-3 Cloud Malware Injection Attack:
The third issue is the cloud malware injection attack, which tries to do damage through a malicious service, application or virtual machine. An intruder has to create his own malicious application, service or virtual machine instance and put it into the cloud structure (Booth, 2004). Once the malicious software has entered the cloud structure, the attacker passes it off as a legitimate request. If this succeeds and a user asks for the malicious service, the malicious code is executed. The attacker may also upload a virus program into the cloud structure. Once the cloud structure treats it as a legitimate service, the virus is executed, which damages the cloud structure. In this case hardware is damaged, and the attacker's aim is to harm the user. Once a user requests the malicious program, the cloud sends the virus to the client over the internet, and the client machine is infected by the virus. The countermeasure for this attack is an authenticity check for received messages: store a hash of the original image file of the request, computed with a hash function, and compare it with the hash value of all upcoming service requests. In this way, the attacker has to create a legitimate hash value to deal with the cloud system or to enter it.
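One way to implement the hash comparison described above, as an added example that is not code from the paper. The `ImageRegistry` class, the service names and the image bytes are hypothetical, and SHA-256 is assumed as the hash function; the registry is sealed after provisioning because the check is only as strong as the protection of the stored reference hashes.

```python
import hashlib
import hmac


class ImageRegistry:
    """Reference SHA-256 digests of approved service images (hypothetical helper)."""

    def __init__(self):
        self._digests = {}
        self._sealed = False

    def register(self, service, image):
        # Reference hashes are recorded only while provisioning; if uploaders
        # could write here, they could register a hash of their own image.
        if self._sealed:
            raise PermissionError("registry is sealed")
        self._digests[service] = hashlib.sha256(image).digest()

    def seal(self):
        self._sealed = True

    def is_authentic(self, service, image):
        expected = self._digests.get(service)
        if expected is None:
            return False  # unknown service: there is no original to compare with
        actual = hashlib.sha256(image).digest()
        return hmac.compare_digest(expected, actual)  # constant-time comparison


def screen_requests(registry, requests):
    """Split (request_id, service, image) tuples into admitted and rejected ids."""
    admitted, rejected = [], []
    for request_id, service, image in requests:
        if registry.is_authentic(service, image):
            admitted.append(request_id)
        else:
            rejected.append(request_id)
    return admitted, rejected


def build_demo():
    """Constructed sample data: two approved images and four incoming requests."""
    registry = ImageRegistry()
    registry.register("billing", b"billing-image-v1")
    registry.register("reports", b"reports-image-v3")
    registry.seal()
    requests = [
        ("req-1", "billing", b"billing-image-v1"),           # matches the original
        ("req-2", "billing", b"billing-image-v1+appended"),  # modified image
        ("req-3", "mailer", b"mailer-image-v1"),             # never registered
        ("req-4", "reports", b"reports-image-v3"),           # matches the original
    ]
    return registry, requests


if __name__ == "__main__":
    demo_registry, demo_requests = build_demo()
    print(screen_requests(demo_registry, demo_requests))
```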
4-4 Flooding Attacks:
The fourth issue is the flooding attack, in which the attacker attacks the cloud system openly. The most significant feature of a cloud system is that it makes dynamically scalable resources available. The cloud system repeatedly increases its size when there are further requests from clients, initializing new service requests in order to meet client requirements. A flooding attack basically consists of sending a great number of nonsense requests to a certain service. Once the attacker sends a great number of requests, the cloud system attempts to work against the requests by providing more resources; ultimately the system consumes all resources and is not capable of serving normal requests from users. Then the attacker attacks the service server. DoS attacks cost the consumer extra fees for the usage of resources. In an unexpected situation the owner of the service has to pay additional money. As for countermeasures, it is not easy to stop DoS attacks. To stop attacks on the server, an intrusion detection system will filter the malicious requests, and a firewall is installed. Occasionally an intrusion detection system raises false alerts and could mislead the administrator.
4-5 Data Protection:
Data protection is a very important factor in cloud computing. It can be complicated for the cloud customer to efficiently check the behavior of the cloud supplier; as a result he may be confident that data is handled in a legal way when it is not, and this problem is intensified in the case of various transformations of data. The countermeasure is that a consumer of cloud computing should check whether data is handled lawfully or not.


4-6 Incomplete Data Deletion:
Incomplete data deletion is very risky in cloud computing. Data is not removed completely, because replicas of the data are placed on other servers; for example, when a client requests the removal of a cloud resource, with most operating systems it will not be removed accurately. Accurate data deletion is not possible because copies of the data are stored in the nearest replica but are not available (Jamil & Zaki, 2011a). The countermeasure is that virtualized private networks should be used for securing the data, together with a query that removes the complete data from the main servers along with its replicas.
4-7 Locks in:
Another issue is locks in; at this time there is little on offer in the way of tools, standard data formats or procedures, or service interfaces that could guarantee data, application and service portability. This prevents the customer from shifting from one cloud provider to another or shifting the services back to an in-house IT location (Catteddu, 2010).

5- Conclusion:
Cloud computing is a new term introduced in the business environment, where users can interact directly with virtualized resources and which saves cost for consumers. Some security issues and their countermeasures are discussed in this paper. It has several models to protect its data for business users. An organization uses private clouds internally to prevent loss of data. Cloud computing has several deployment models that help in retrieving information. SAAS, PAAS and IAAS are the three models of cloud computing. Security in cloud computing consists of the security abilities of web browsers and web service structure.


References
Booth, D. (2004). Web service architecture. Retrieved from http://www.w3.org: http://www.w3.org/TR/ws
arch/wsa.pdf
Bugiel, S., Nurnberger, S., Sadeghi, A.-R., & Schneider, T. (2011). Twin Clouds: An Architecture for Secure
Cloud Computing. Workshop on Cryptography and Security in Clouds . Zurich.
Catteddu, D. (2010). Cloud Computing. Retrieved from http://www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputingriskassessment
Cloud Security Alliance (2010). Top threats to cloud computing, version 1.0. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf.
Cloud Security Alliance. (2010). Top Threats to Cloud Computing V1.0. Cloud Security Alliance (CSA).
Foster, I., & Kesselman, C. (1998). The Grid: Blueprint for a New Computing Infrastructure (The Elsevier
Series in Grid Computing). Morgan Kaufmann.
Han Y (2010). On the clouds: a new way of computing. Inf Technol Libr, Vol. 29 No. 2, pp: 87-92.
Iyer B, Henderson JC (2010). Preparing for the future: understanding the seven capabilities of cloud computing.
MIS Q Exec; Vol. 9 No. 2, pp:117-131.
Jamil, D., & Zaki, H. (2011a). cloud computing security. International Journal of Engineering Science and
Technology (IJEST) , Vol.3 No.4, 3478-3483.
Jamil, D., & Zaki, H. (2011b). SECURITY ISSUES IN CLOUD COMPUTING AND COUNTER
MEASURES. International Journal of Engineering Science and Technology (IJEST) , Vol. 3 No. 4, 2672-2676.
Jensen, M. (2009, September). On Technical Security Issues in Cloud Computing. IEEE International
Conference in Cloud Computing, 109-116.
Lohr, S. (2007, October 8). Google and I.B.M. Join in Cloud Computing Research. Retrieved 1 28, 2012, from
The New York Times: http://www.nytimes.com/2007/10/08/technology/08cloud.html
Mell P, Grance T (2010). The NIST definition of cloud computing. Commun ACM; Vol. 53 No. 6, pp:50.
NAONE, E (2007, September 18). Computer in the Cloud. Retrieved 1 24, 2012, from Technology Review,
MIT: http://www.technologyreview.com/printerfriendlyarticle.aspx?id=19397
Peter Mell and Tim Grance (2009). The NIST Definition of Cloud Computing, version 15, National Institute of
Standards and Technology (NIST), Information Technology Laboratory (www.csrc.nist.gov).
RALEIGH, NC & ARMONK, NY (2007, May 7). North Carolina State University and IBM help bridge digital
divide in North Carolina and beyond. Retrieved 1 27, 2012, from IBM: http://www
03.ibm.com/press/us/en/pressrelease/21506.wss
REIMER, J (2007, April 8). Dreaming in the Cloud with the XIOS web operating system. Retrieved 1 24,
2012, from Ars Technica: http://arstechnica.com/news.ars/post/20070408dreaminginthecloudwiththe
xiosweboperatingsystem.html
Ren, K., & Lou, W. (2009). Ensuring Data Storage Security in Cloud Computing. Retrieved from
http://www.ece.iit.edu/~ubisec/IWQoS09.pdf
Scarfone K, S. A. (2007). Guide to Secure Web Services. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf
Services, A. W. (2009, April). Amazon Virtual private Cloud. Retrieved from http://aws.amazon.com/vpc/
Vaquero LM, Rodero-Merino L, Caceres J, Lindner M (2009). A break in the clouds: towards a cloud
definition. ACM SIGCOMM Comput Commun, Vol. 39 No. 1, pp:50-55.
View, M. Calif & Armonk. (2007, October 8). Google and IBM Announced University Initiative to Address
Internet-Scale Computing Challenges. Retrieved 1 28, 2012, from IBM: http://www03.ibm.com/press/us/en/pressrelease/22414.wss


Vouk, M. (2008). Cloud Computing-Issues, Research and Implication. "Journal of Computing and Information
Technology - CIT" , Vol. 16 No.4, pp. 235246.
Wikipedia (2012a, January 26). Amazon Elastic Compute Cloud. Retrieved 1 27, 2012, from Wikimedia
Foundation Inc. http://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud.
Wikipedia (2012b, January 27). Cloud Computing Retrieved 1 28, 2012, from Wikimedia Foundation Inc.
http://en.wikipedia.org/wiki/Cloud_computing
Yang, A. (2003). Guide to XML Web Services Security. Retrieved from http://www.cgisecurity.com/ws/WestbridgeGuideToWebServicesSecurity.pdf
