See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/327100442

Survey on Security Issues in Cloud Computing

Conference Paper · November 2014

CITATIONS
READS
0
12

2 authors, including:

Cherif Ghazel
Université de la Manouba
33 PUBLICATIONS 53 CITATIONS

Some of the authors of this publication are also working on these related projects:

NGN - QoS View project

All content following this page was uploaded by Cherif Ghazel on 19 October 2020.

The user has requested enhancement of the downloaded file.


Survey on Security Issues in Cloud Computing
H. Guesmi, C. Ghazel and L. A. Saidane
Cristal Lab, National School of Computer Sciences.
University of Manouba – Tunisia
Abstract—Cloud computing presents an emerging technology
paradigm that provides current technological and computing
concepts into utility-like solutions similar to water and
electricity systems. A wide range of benefits is supplied by
clouds including service flexibility, configurable computing
resources and economic savings. However, the primary
obstacles to a wide adoption of clouds are security and privacy
concerns. The clouds introduce new concepts, such as
outsourcing, resource sharing and multi-tenancy, which
generate new challenges to the security community. These
challenges require, in addition to the ability to tune the security
measures of traditional computing systems, providing new
security models, policies and protocols to address the unique
cloud computing security challenges. We provide in this work,
an entire study of cloud computing privacy concerns and
security. We present cloud vulnerabilities and classification of
known security threats, and present the state-of-the-art
measures to control the vulnerabilities and neutralize the
menaces. Finally, we analyze and identify the limitations of the
current cloud security solutions.
Keywords—Cloud computing; cloud security; security
vulnerabilities; threats; attacks; data protection.
I. INTRODUCTION
Cloud computing, as defined by NIST, is a new computing
model that provides a centralized pool of configurable
computing resources (e.g., storage, applications, services,
etc.) that can be rapidly provisioned and released with service
provider interaction or minimal management effort [1].
Five key characteristics of cloud computing was defined
by the National Institute of Standards and Technology (NIST)
[2], namely: broad network access, rapid elasticity or
expansion, measured service, on-demand self-service, and
resource pooling [2]. Cloud computing is also described as a
dynamic and often easily extended platform to provide
transparent virtualized resources to users through the Internet
[3].
According to the different types of services offered, cloud
computing architecture can be considered to consist of three
layers: Infrastructure as a Service (IaaS) is the lowest layer
that provides basic infrastructure support service; Platform as
a Service (PaaS) is the middle layer, which offers platform
oriented services, besides providing the environment for
hosting user’s applications; Software as a Service (SaaS) is
the topmost layer which features a complete application
offered as service on demand [4]. Cloud services can be
deployed in one
www.ijert.org
International Journal Of Engineering Research and Technology (IJERT)
PEMWN-2014 Conference Proceedings
of four deployment models depending upon the customers’
requirements [5]: private cloud in which the infrastructure is
owned and managed by a specific organization; public cloud
in which the physical infrastructure is owned and managed by
the service provider; community cloud in which the physical
infrastructure is owned and managed by a consortium of
organizations; and hybrid cloud witch includes combinations
of the previous three models.
This paper is organized as follows: Section 2 describes
cloud security categories and issues. Section 3 presents an
evaluation of main general cloud security mechanisms. An
analysis of security issues is presented in section 4. In section
5 we conclude the paper.
II. CLOUD SECURITY CATEGORIES AND ISSUES
In this part of this work we identify the five categories of
cloud computing security issues cited in [6]. Then, we
describe the different cloud security issues and their
classifications.
A. Cloud security categories
 Security Standards category: regroups the standards
required to take precaution measures in order to
prevent attacks in cloud computing. It includes
auditing and other agreements among users, service
level agreements, service provider and other
stakeholders. It governs cloud security policies
without compromising performance and reliability.
 Network category: it’s the medium through which
users connect to cloud infrastructure to accomplish the
required computations. It includes network
connections, information exchange through
registration, and browsers. This type of security covers
network attacks like Connection Availability, Internet
Protocol Vulnerabilities, Flooding Attack, Denial of
Service (DoS), Distributed Denial of Service (DDoS),
etc.
 The Access Control category: allows capturing issues
that affect privacy of user information and data
storage. It covers access control, identification and
authentication. This category allows capturing issues
that affect privacy of data storage and user
information.
 The Cloud Infrastructure category: Involves the
attacks specific to the cloud infrastructure within IaaS,
PaaS and SaaS such as privileged insiders and
tampered
39

binaries and is related particularly with virtualization
environment.
 The Data category involves related security issues. It
includes data confidentiality, migration, integrity and
data warehousing.
B. Cloud Security Issues and Classification
1) Cloud security standards issues
Currently, there is lack of appropriate security standards
in cloud computing [1]. Special attention is required towards
mutual security standards such as Secure Sockets Layer
(SSL)/Transport Layer Security (TLS), XML Encryption
Syntax and Processing, XML signature, and Key
Management Interoperability Protocols. The lack of
governess for audits and assessment of corporate standards
causes many security issues which are associated with
compliance risks [1]. Customers of cloud do not have enough
knowledge of processes and procedures of the provider,
particularly in segregation of duties and areas of identity
management. Auditability is an important aspect of cloud
computing security; even so, there is not an audit net for
service providers [7, 8]. Governing bodies and security
standards are part of legal aspects and service level
agreements (SLA), which have not been practiced for cloud
computing [9,10]. SLA determines the relationship among
provider and recipient and is important for both parties [11].
It identifies the customer’s needs, encourages dialog in the
event of disputes, simplify complex issues, provides a
framework for understanding, reduces areas of conflict and
eliminates unrealistic expectations. If there is a loss of data
and some factors are not taken into consideration as users
may not be able to put claims on providers. The Trust
relationship between users and the different cloud
stakeholders is required when users transfer data on cloud
infrastructure [12].
2) Cloud network security issues
Network security issues are considered the biggest
security challenges in clouds [13]. The overlooked security
configurations on networks and the lack of proper installation
of network firewalls facilitate to hackers to access the cloud
Fig. 1. Cloud components that are prone to security attacks.
III. COMPARATIVE EVALUATION OF
GENERAL CLOUD SECURITY
MECHANISMS
To addressing many security issues related to the cloud,
the European Union Agency for Network and Information
Security (ENISA) has done a significant work: provides
www.ijert.org
International Journal Of Engineering Research and Technology (IJERT)
PEMWN-2014 Conference Proceedings
on behalf of legitimate users [14]. Hackers can run
malicious code on the hijacked resources or they can generate
bogus data and occupy resources. Denial of service can be
launched by appearance of vulnerabilities in Internet
protocols such as Session Initiation Protocol (SIP) which
could cause an un-trusted internet [15].
3) Access control issues
Service and account hijacking causes phishing and
software vulnerabilities where hackers gain unauthorized
access to servers. This unauthorized access results a threat to
integrity and confidentiality of data and services [1].
Malicious insiders present another access control issue such
as impacting organizations’ security by dishonest
administrators. The current mechanisms of authentication
may not be applicable in cloud environments [4]. A customer
can access data and compose services from multiple cloud
providers using a browser or mobile application. This access
brings in a risk called privileged user access [16].
4) Cloud Infrastructure issues
The important cloud infrastructure issues in different case
studies are: insecure interface of Application Programming
Interface (API) it covers the vulnerabilities in the set of APIs
in the cloud portal (customers use APIs to connect to a cloud)
[1], Quality of Service (QoS), sharing technical flaws,
reliability of suppliers, security misconfiguration and multi-
tenancy.
5) Data security issues
Data loss and leakage, data redundancy, data recovery,
data location, data protection, data availability and data
privacy have been the important issues in different case
studies which require data to be properly protected,
encrypted, controlled, and transmitted.
Fig. 1 shows cloud components where security issues are
raised. Each component, such as policies, cloud
infrastructure, clients, and network, is prone to certain
security attacks and requires attack detection, prevention and
response strategies.
information to stakeholders that helps them to manage the
risks when migrating into the clouds, covers advisory services
on setting SLAs and to identify the critical cloud services and
analyze the impact of the cloud service failure in such
circumstances, ENISA provides cooperative studies with
various stakeholders.
40
 International Journal Of Engineering Research and Technology (IJERT)

PEMWN-2014 Conference Proceedings

Depending on its cloud offering and the architecture,
every cloud service provider has installed diverse security
measures. Their security model mainly depends upon the type
of cloud offering they provide, customer section being served
and the deployment models they basically implement.
In table 1, we present a comparative evaluation of some
well-known general tools that are used to countermeasure
cloud security attacks.

TABLE 1. COMPARATIVE ANALYSIS FOR STRENGTHS AND LIMITATIONS OF SOME EXISTING SECURITY MECHANISMS

Countermeasures Limitations

Intrusion Detection Systems (IDS) :

1. The main limitation in GCCIDS is the
1. Implementing IDS offers additional security measures by
high communication overhead and
investigating network traffic, log files and user behaviour.
redundancy.
2. IDS have two types (1) host based IDS (HIDS) which monitors the
behaviour on a single host and (2) network based IDS (NIDS) which
2. GCCIDS does not provide any
analyses traffic flowing through a network [17].
information as to whether a node should
3. An IDS system named Grid and Cloud Computing Intrusion
immediately alert other nodes as intrusion
Detection System (GCCIDS) was proposed in [18]. It consists of an
occurs or at certain predefined periodic time
audit system that detects and covers attacks that have not been covered,
interval.
previously, by other NIDS and HIDS systems. In GCCIDS each node
identifies the local event and alerts all other connected nodes.

Autonomous Systems :

1. An autonomous system is an IDS that works with pre-specified
basic rules. These rules configure, heal, optimize and protect
themselves automatically, thereby reducing human efforts and
involvement [19].
2. It is impossible, without autonomic computing, to manage next
generation distributed-systems such as clouds and grids effectively.
3. An intelligent autonomous agent for incident detection named
Security audit as a Service (SaaS) as presented in [20]. SaaS addresses
three main problems of cloud computing namely: abusing cloud
resources; missing security monitoring in cloud infrastructure and
defective isolation of shared resources.
4. A pure concept of autonomic manager in grid and cloud
computing as defined in [21]. It provides a feature of self-
configuration, self-healing, self-optimization and self-protection.
1. Security audit as a Service (SaaS)
involves the use of large number of agents
and functions such as initiating agent,
moving agent, killing agent, etc., which
creates high communication among agents
and increases the processing and
computational overhead.
2. There is no flexible management system
by number of user access, at a given time or
by load averages.

Federated Identity Management System

1. Management of identities (IDM) is about maintaining the integrity
of identities, throughout their life cycle, to make it and its related data
(e.g., authentication and authorization results) available to different
services in secure and privacy-protected manner [22].
2. The process to repeat authentication of user (Single Sign-On) can be
an example of federated identity [23].
1. The main issue with single Sign-On lies
in the wider damage that it causes in case of
compromise. If a user identity is
compromised, the illegitimate user will not
be verified again, which could create higher
level of information leakage.
2. Another issue is lacking dynamic
federation and agile mechanism in FIM
systems. It is an architectural concern and
requires further investigation.

attacks across all cloud components, to achieve

IV. ANALYSIS comprehensive cloud security. In 2011 the number of browser
Cloud computing is an emerging paradigm that involves based attacks increased from 580,371,937 to 946,393,693
all the basic components of computing such as [24]. This important increase is mainly due to the growing
communication networks, end-user machines (PCs), access value of the data assets and resources available on the clouds,
management systems and cloud infrastructures. The data and which makes the platform very attractive for attackers.
cloud infrastructure must be protected against known and Unfortunately, we cannot protect the cloud-computing
unknown
infrastructure from all the known and unknown attacks because it requires additional computational overhead and
www.ijert.org 41

resources. Current security solutions such as IDS, DIDS,
outsourcing the identity management systems, firewalling and [1]
installing antivirus, are expensive and degrade performance.
Thus, the important cloud security research challenge is not
only in providing high level measures but also in doing so [2]
with minimum resources and reduced performance
degradation.
Using this current study, we found that to achieve better [3]
security, data and system security should be embedded in the
design of cloud computing architecture. Furthermore, security
measures should be autonomous and dynamic. Cloud [4]
infrastructure is changing fast requiring security policies and
measures to be regularly updated at the same pace. Moreover, [5]
licensing is essential to the security of clouds. Standard
security policies should be implemented strictly in clouds and
organizational bodies should control clouds’ infrastructure on
[6]
regular bases to evaluate the adeptness of the security
precautions used by the vendors. In addition, it is very
important to holistically explore the various cloud security [7]
related parameters including challenges, risks, threats,
attacks, and vulnerabilities.
[8]
V. CONCLUSION
[9]
Currently the adoption of cloud paradigm is growing.
Analysts suppose that the factor of cost reduction in cloud
computing will increase the adoption of cloud computing in
the public sector. With the greet evolution in cloud adoption [10]
the sector of security attracted the attention of practitioners
and researchers. We conduct, in this work, a survey on the
current issues of cloud security and the state-of-the-art [11]
security solutions. The main issues were tampered binaries,
firewall misconfigurations, side channels, multi-tenancy,
mobility, and weak browser security. These issues are [12]
classified into five security categories includes: security
standards, network, cloud infrastructure, access, and data.
There are variable incidents of attacks that target the clouds
such fate sharing, phishing, botnet, and malware injection. In [13]
a comparative analysis we present the state-of-the-art well-
known countermeasures for cloud security attacks including
intrusion detection systems, autonomous systems, and
[14]
federated identity management systems. Finally, we highlight
limitations of these systems including the high
communication and computation overhead and the detection
efficiency and coverage.
At this moment, a big concerns are related with data. Data [15]
migration from one cloud to another is not realizable because
of the heterogeneous nature of clouds. Furthermore, if a
contract has expired, clouds lack the tools that confirm that
user data has been deleted from the cloud. These data threats [16]
require researchers’ attention to cover some standards for
continuous data deletion. We plan in the future to investigate
the possibility of presenting appropriate frameworks for
DIDS for clouds with scheduling algorithms for Green IT. [17]
[18]
[19]
www.ijert.org
International Journal Of Engineering Research and Technology (IJERT)
PEMWN-2014 Conference Proceedings
REFERENCES
Tripathi, A., Mishra, A. “Cloud computing security considerations”. In
Proceedings of the 2011 IEEE International Conference on Signal
Processing, Communications and Computing (ICSPCC), Xi’an, China,
14–16 September 2011; pp. 1–5.
“Final Version of NIST Cloud Computing Definition Published”.
Available online: http://www.nist.gov/itl/csd/cloud-102511.cfm
(accessed on 25 August 2013).
Lv, H., Hu, Y. “Analysis and research about cloud computing security
protect policy”. In Proceedings of the 2011 International Conference on
Intelligence Science and Information Engineering (ISIE), Wuhan,
China, 20–21 August 2011; pp. 214–216.
Mell, P., Grance, T. “The NIST Definition of Cloud Computing”, NIST,
USA. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-
145.pdf, USA, 2009.
Gowrigolla, B., Sivaji, S., Masillamani, M.R. “Design and auditing of
cloud computing security”. In Proceedings of the 2010 5th International
Conference on Information and Automation for Sustainability
(ICIAFs), Colombo, Sri Lanka, 17–19 December 2010; pp. 292–297.
Issa M. Khalil, Abdallah Khreishah, Muhammad Azeem. “Cloud
Computing Security: A Survey”, Computers 2014, 3, 1-35;
doi:10.3390/computers3010001.
Morin, J., Aubert, J., Gateau, B. “Towards cloud computing SLA risk
management: Issues and challenges”. In Proceedings of the 2012 45th
Hawaii International Conference on System Science (HICSS), Maui,
HI, USA, 4–7 January 2012; pp. 5509–5514.
Braun, V., Clarke, V. “Using thematic analysis in psychology”. Qual.
Res. Psychol. 2006, 3, 77–101.
“A Survey on Cloud Computing Security, Challenges and Threats|
Whitepapers| TechRepublic”. Available online:
http://www.techrepublic.com/whitepapers/a-survey-on-cloud-
computingsecurity challenges and-threats/3483757 (accessed on 18
March 2012).
Thalmann, S., Bachlechner, D., Demetz, L., Maier, R. “Challenges in
cross-organizational security management”. In Proceedings of the 2012
45th Hawaii International Conference on System Science (HICSS),
Maui, HI, USA, 4–7 January 2012; pp. 5480–5489.
M. Taifi, J. Y. Shi, A. Khreishah, “SpotMPI: A Framework for
Auction-based HPC Computing Using Amazon Spot Instances”, in
Proc. of the International Symposium on Advances of Distributed
Computing and Networking (ADCN), 2011.
Riquet, D., Grimaud, G., Hauspie, M. “Large-scale coordinated attacks:
Impact on the cloud security”. In Proceedings of the 2012 Sixth
International Conference on Innovative Mobile and Internet Services in
Ubiquitous Computing (IMIS), Palermo, Italy, 4–6 July 2012; pp. 558–
563.
Wang, J.-J., Mu, S. “Security issues and countermeasures in cloud
computing”. In Proceedings of the 2011 IEEE International Conference
on Grey Systems and Intelligent Services (GSIS)”, Nanjing, China, 15–
18 September 2011; pp. 843–846.
Gonzalez, N., Miers, C., Redigolo, F., Carvalho, T., Simplicio, M.,
Naslund, M., Pourzandi, M. “A quantitative analysis of current security
concerns and solutions for cloud computing”. In Proceedings of the
2011 IEEE Third International Conference on Cloud Computing
Technology and Science (CloudCom), Athens, Greece, 29 November–1
December 2011; pp. 231–238.
Rachel Suresh, N. Mathew, S.V. “Security concerns for cloud
computing in aircraft data networks”. In Proceedings of the 2011
International Conference for Internet Technology and Secured
Transactions (ICITST), Abu Dhabi, United Arab Emirates, 11–14
December 2011; pp. 132–136.
Jain, P., Rane, D., Patidar, S. “A survey and analysis of cloud model-
based security for computing secure cloud bursting and aggregation in
renal environment”. In Proceedings of the 2011 World Congress on
Information and Communication Technologies (WICT), Mumbai,
India, 11– 14 December 2011; pp. 456–461.
Van athi, R., Gunasekaran, S. “Comparison of network intrusion
detection systems in cloud computing environment”. In Proceedings of
the 2012 International Conference on Computer Communication and
Informatics (ICCCI), Coimbatore, India, 10–12 January 2012; pp. 1–6.
Vieira, K., Schulter, A., Westphall, C.B., Westphall, C.M. “Intrusion
detection for grid and cloud computing”. IT Prof. 2010, 12, 38–43.
Erdil, D.C. “Dependable autonomic cloud computing with information
proxies”. In Proceedings of the 2011 IEEE International Symposium on
42
 International Journal Of Engineering Research and Technology (IJERT)

PEMWN-2014 Conference Proceedings

Parallel and Distributed Processing Workshops and Phd Forum

(IPDPSW), Shanghai, China, 16–20 May 2011; pp. 1518–1524.
[20] Doelitzscher, F., Reich, C., Knahl, M., Clarke, N. “An autonomous
agent based incident detection system for cloud environments”. In
Proceedings of the 2011 IEEE Third International Conference on Cloud
Computing Technology and Science (CloudCom), Athens, Greece, 29
November–1 December 2011; pp. 197–204.
[21] Balen, D., Westphall, C., Westphall, C. “Experimental assessment of
routing for grid and cloud”. In Proceedings of the Tenth International
Conference on Networks (ICN 2011); St. Maarten, The Netherlands
Antilles, January 23-28, 2011, pp. 341–346.
[22] Bishop, M. “Computer Security: Art and Science”. Addison-Wesley
Professional: Reading, MA, USA, 2002.
[23] Leandro, M.A.P., Nascimento, T.J., dos Santos, D.R., Westphall, C.M.,
Westphall, C.B. “Multitenancy authorization system with federated
identity for cloud-based environments using shibboleth”. In
Proceedings of the Eleventh International Conference on Networks,
2012; pp. 88–93.
[24] Kaspersky Security Bulletin. Statistics 2011. Available online:
http://www.securelist.com/en/analysis/204792216/Kaspersky_Security
_Bulletin_Statistics_2011 (accessed on 13 January 2013).

www.ijert.org 43
 International Journal Of Engineering Research and Technology (IJERT)

PEMWN-2014 Conference Proceedings

View publication stats