Survey On Security Issues in Cloud Computing: November 2014
2 authors, including:
Cherif Ghazel
Université de la Manouba
All content following this page was uploaded by Cherif Ghazel on 19 October 2020.
International Journal Of Engineering Research and Technology (IJERT)
www.ijert.org

Abstract—Cloud computing presents an emerging technology paradigm that turns current technological and computing concepts into utility-like solutions similar to water and electricity systems. A wide range of benefits is supplied by clouds, including service flexibility, configurable computing resources and economic savings. However, the primary obstacles to a wide adoption of clouds are security and privacy concerns. The clouds introduce new concepts, such as outsourcing, resource sharing and multi-tenancy, which generate new challenges to the security community. These challenges require, in addition to the ability to tune the security measures of traditional computing systems, providing new security models, policies and protocols to address the unique cloud computing security challenges. We provide in this work a complete study of cloud computing privacy concerns and security. We present cloud vulnerabilities and a classification of known security threats, and present the state-of-the-art measures to control the vulnerabilities and neutralize the threats. Finally, we analyze and identify the limitations of the current cloud security solutions.

Keywords—Cloud computing; cloud security; security vulnerabilities; threats; attacks; data protection.

I. INTRODUCTION

Cloud computing, as defined by NIST, is a new computing model that provides a centralized pool of configurable computing resources (e.g., storage, applications, services, etc.) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1].

Five key characteristics of cloud computing were defined by the National Institute of Standards and Technology (NIST) [2], namely: broad network access, rapid elasticity or expansion, measured service, on-demand self-service, and resource pooling [2]. Cloud computing is also described as a dynamic and often easily extended platform to provide transparent virtualized resources to users through the Internet [3].

According to the different types of services offered, cloud computing architecture can be considered to consist of three layers: Infrastructure as a Service (IaaS) is the lowest layer that provides basic infrastructure support service; Platform as a Service (PaaS) is the middle layer, which offers platform oriented services, besides providing the environment for hosting user's applications; Software as a Service (SaaS) is the topmost layer which features a complete application offered as service on demand [4]. Cloud services can be deployed in one of four deployment models depending upon the customers' requirements [5]: private cloud, in which the infrastructure is owned and managed by a specific organization; public cloud, in which the physical infrastructure is owned and managed by the service provider; community cloud, in which the physical infrastructure is owned and managed by a consortium of organizations; and hybrid cloud, which includes combinations of the previous three models.

This paper is organized as follows: Section 2 describes cloud security categories and issues. Section 3 presents an evaluation of main general cloud security mechanisms. An analysis of security issues is presented in section 4. In section 5 we conclude the paper.

II. CLOUD SECURITY CATEGORIES AND ISSUES

In this part of this work we identify the five categories of cloud computing security issues cited in [6]. Then, we describe the different cloud security issues and their classifications.

A. Cloud security categories

Security Standards category: regroups the standards required to take precautionary measures in order to prevent attacks in cloud computing. It includes auditing and other agreements among users, service level agreements, service provider and other stakeholders. It governs cloud security policies without compromising performance and reliability.

Network category: it is the medium through which users connect to cloud infrastructure to accomplish the required computations. It includes network connections, information exchange through registration, and browsers. This type of security covers network attacks like Connection Availability, Internet Protocol Vulnerabilities, Flooding Attack, Denial of Service (DoS), Distributed Denial of Service (DDoS), etc.

The Access Control category: allows capturing issues that affect privacy of user information and data storage. It covers access control, identification and authentication.

The Cloud Infrastructure category: involves the attacks specific to the cloud infrastructure within IaaS, PaaS and SaaS such as privileged insiders and tampered
binaries and is related particularly with virtualization environment.

The Data category: involves related security issues. It includes data confidentiality, migration, integrity and data warehousing.

B. Cloud Security Issues and Classification

1) Cloud security standards issues

Currently, there is a lack of appropriate security standards in cloud computing [1]. Special attention is required towards mutual security standards such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS), XML Encryption Syntax and Processing, XML Signature, and Key Management Interoperability Protocols. The lack of governance for audits and assessment of corporate standards causes many security issues which are associated with compliance risks [1]. Cloud customers do not have enough knowledge of the processes and procedures of the provider, particularly in segregation of duties and areas of identity management. Auditability is an important aspect of cloud computing security; even so, there is not an audit net for service providers [7, 8]. Governing bodies and security standards are part of legal aspects and service level agreements (SLA), which have not been practiced for cloud computing [9,10]. An SLA determines the relationship between provider and recipient and is important for both parties [11]. It identifies the customer's needs, encourages dialog in the event of disputes, simplifies complex issues, provides a framework for understanding, reduces areas of conflict and eliminates unrealistic expectations. If there is a loss of data and some factors are not taken into consideration, users may not be able to put claims on providers. A trust relationship between users and the different cloud stakeholders is required when users transfer data on cloud infrastructure [12].

2) Cloud network security issues

Network security issues are considered the biggest security challenges in clouds [13]. Overlooked security configurations on networks and the lack of properly installed network firewalls make it easier for hackers to access the cloud on behalf of legitimate users [14]. Hackers can run malicious code on the hijacked resources or they can generate bogus data and occupy resources. Denial of service can be launched through vulnerabilities in Internet protocols such as Session Initiation Protocol (SIP), which could cause an un-trusted internet [15].

3) Access control issues

Service and account hijacking involves phishing and software vulnerabilities where hackers gain unauthorized access to servers. This unauthorized access results in a threat to integrity and confidentiality of data and services [1]. Malicious insiders present another access control issue, such as dishonest administrators impacting an organization's security. The current mechanisms of authentication may not be applicable in cloud environments [4]. A customer can access data and compose services from multiple cloud providers using a browser or mobile application. This access brings in a risk called privileged user access [16].

4) Cloud Infrastructure issues

The important cloud infrastructure issues in different case studies are: insecure Application Programming Interfaces (APIs), which covers the vulnerabilities in the set of APIs in the cloud portal (customers use APIs to connect to a cloud) [1]; Quality of Service (QoS); sharing technical flaws; reliability of suppliers; security misconfiguration; and multi-tenancy.

5) Data security issues

Data loss and leakage, data redundancy, data recovery, data location, data protection, data availability and data privacy have been the important issues in different case studies which require data to be properly protected, encrypted, controlled, and transmitted.

Fig. 1 shows cloud components where security issues are raised. Each component, such as policies, cloud infrastructure, clients, and network, is prone to certain security attacks and requires attack detection, prevention and response strategies.
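
The network and infrastructure issues above name overlooked network security configurations, missing firewalls and security misconfiguration. The following is an added example, not taken from the paper, of an audit that checks a firewall inventory for those conditions; the rule schema, the sensitive-port list and the sample inventory are assumptions constructed for illustration and do not correspond to any provider's API.

```python
import ipaddress

# Ports a tenant rarely needs to expose to the whole Internet (assumed list).
SENSITIVE = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

def is_world_open(cidr):
    """True when the source network covers the entire IPv4 or IPv6 space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_group(name, rules):
    """Return findings for one firewall group's ingress rules."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or not is_world_open(r["cidr"]):
            continue
        if r["protocol"] == "all":
            findings.append((name, "all protocols open to " + r["cidr"]))
            continue
        lo, hi = r["ports"]
        for port, svc in sorted(SENSITIVE.items()):
            if lo <= port <= hi:  # a wide range can hide a sensitive port
                findings.append((name, f"{svc}/{port} open to {r['cidr']}"))
    return findings

def audit(groups, attachments):
    """Audit every group, then flag instances with no firewall group at all."""
    findings = []
    for name, rules in sorted(groups.items()):
        findings += audit_group(name, rules)
    for instance, attached in sorted(attachments.items()):
        if not attached:
            findings.append((instance, "no firewall group attached"))
    return findings

# Constructed sample inventory (hypothetical schema, not a provider API).
GROUPS = {
    "web": [
        {"direction": "ingress", "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "tcp", "ports": (22, 22), "cidr": "203.0.113.0/24"},
    ],
    "db": [
        {"direction": "ingress", "protocol": "tcp", "ports": (3000, 6000), "cidr": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "all", "ports": (0, 65535), "cidr": "::/0"},
    ],
}
ATTACHMENTS = {"vm-web-1": ["web"], "vm-db-1": ["db"], "vm-batch-1": []}

if __name__ == "__main__":
    print(*audit(GROUPS, ATTACHMENTS), sep="\n")
```

The "web" group produces no findings because its SSH rule is restricted to one network, while the wide port range in "db" is reported once per sensitive port it covers.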
Depending on its cloud offering and the architecture, every cloud service provider has installed diverse security measures. Their security model mainly depends upon the type of cloud offering they provide, customer section being served and the deployment models they basically implement.

In Table 1, we present a comparative evaluation of some well-known general tools that are used to counter cloud security attacks.
TABLE 1. COMPARATIVE ANALYSIS FOR STRENGTHS AND LIMITATIONS OF SOME EXISTING SECURITY MECHANISMS

Autonomous Systems

Countermeasures:
1. An autonomous system is an IDS that works with pre-specified basic rules. These rules configure, heal, optimize and protect themselves automatically, thereby reducing human efforts and involvement [19].
2. It is impossible, without autonomic computing, to manage next generation distributed-systems such as clouds and grids effectively.
3. An intelligent autonomous agent for incident detection named Security audit as a Service (SaaS) as presented in [20]. SaaS addresses three main problems of cloud computing namely: abusing cloud resources; missing security monitoring in cloud infrastructure and defective isolation of shared resources.
4. A pure concept of autonomic manager in grid and cloud computing as defined in [21]. It provides a feature of self-configuration, self-healing, self-optimization and self-protection.

Limitations:
1. Security audit as a Service (SaaS) involves the use of large number of agents and functions such as initiating agent, moving agent, killing agent, etc., which creates high communication among agents and increases the processing and computational overhead.
2. There is no flexible management system by number of user access, at a given time or by load averages.