Survey On Security Issues in Cloud Computing: November 2014
2 authors, including:
Cherif Ghazel
Université de la Manouba
All content following this page was uploaded by Cherif Ghazel on 19 October 2020.
International Journal Of Engineering Research and Technology (IJERT)
www.ijert.org

Abstract—Cloud computing presents an emerging technology paradigm that turns current technological and computing concepts into utility-like solutions similar to water and electricity systems. A wide range of benefits is supplied by clouds, including service flexibility, configurable computing resources and economic savings. However, the primary obstacles to a wide adoption of clouds are security and privacy concerns. The clouds introduce new concepts, such as outsourcing, resource sharing and multi-tenancy, which generate new challenges to the security community. These challenges require, in addition to the ability to tune the security measures of traditional computing systems, providing new security models, policies and protocols to address the unique cloud computing security challenges. We provide in this work a comprehensive study of cloud computing privacy concerns and security. We present cloud vulnerabilities and a classification of known security threats, and present the state-of-the-art measures to control the vulnerabilities and neutralize the threats. Finally, we analyze and identify the limitations of the current cloud security solutions.

Keywords—Cloud computing; cloud security; security vulnerabilities; threats; attacks; data protection.

I. INTRODUCTION

Cloud computing, as defined by NIST, is a new computing model that provides a centralized pool of configurable computing resources (e.g., storage, applications, services, etc.) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1].

Five key characteristics of cloud computing were defined by the National Institute of Standards and Technology (NIST) [2], namely: broad network access, rapid elasticity or expansion, measured service, on-demand self-service, and resource pooling [2]. Cloud computing is also described as a dynamic and often easily extended platform to provide transparent virtualized resources to users through the Internet [3].

According to the different types of services offered, cloud computing architecture can be considered to consist of three layers: Infrastructure as a Service (IaaS) is the lowest layer that provides basic infrastructure support service; Platform as a Service (PaaS) is the middle layer, which offers platform-oriented services, besides providing the environment for hosting users' applications; Software as a Service (SaaS) is the topmost layer, which features a complete application offered as a service on demand [4]. Cloud services can be deployed in one of four deployment models depending upon the customers' requirements [5]: private cloud, in which the infrastructure is owned and managed by a specific organization; public cloud, in which the physical infrastructure is owned and managed by the service provider; community cloud, in which the physical infrastructure is owned and managed by a consortium of organizations; and hybrid cloud, which includes combinations of the previous three models.

This paper is organized as follows: Section 2 describes cloud security categories and issues. Section 3 presents an evaluation of the main general cloud security mechanisms. An analysis of security issues is presented in Section 4. In Section 5 we conclude the paper.

II. CLOUD SECURITY CATEGORIES AND ISSUES

In this part of the work we identify the five categories of cloud computing security issues cited in [6]. Then, we describe the different cloud security issues and their classifications.

A. Cloud security categories

Security Standards category: regroups the standards required to take precautionary measures in order to prevent attacks in cloud computing. It includes auditing and other agreements among users, service level agreements, service provider and other stakeholders. It governs cloud security policies without compromising performance and reliability.

Network category: the medium through which users connect to cloud infrastructure to accomplish the required computations. It includes network connections, information exchange through registration, and browsers. This type of security covers network attacks like Connection Availability, Internet Protocol Vulnerabilities, Flooding Attack, Denial of Service (DoS), Distributed Denial of Service (DDoS), etc.

Access Control category: captures issues that affect the privacy of user information and data storage. It covers access control, identification and authentication.

Cloud Infrastructure category: involves the attacks specific to the cloud infrastructure within IaaS, PaaS and SaaS, such as privileged insiders and tampered binaries, and is related particularly to the virtualization environment.

Data category: involves data-related security issues. It includes data confidentiality, migration, integrity and data warehousing.

B. Cloud Security Issues and Classification

1) Cloud security standards issues

Currently, there is a lack of appropriate security standards in cloud computing [1]. Special attention is required towards mutual security standards such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS), XML Encryption Syntax and Processing, XML Signature, and Key Management Interoperability Protocols. The lack of governance for audits and assessment of corporate standards causes many security issues which are associated with compliance risks [1]. Cloud customers do not have enough knowledge of the processes and procedures of the provider, particularly in segregation of duties and areas of identity management.

Auditability is an important aspect of cloud computing security; even so, there is not an audit net for service providers [7, 8]. Governing bodies and security standards are part of legal aspects and service level agreements (SLA), which have not been practiced for cloud computing [9, 10]. An SLA determines the relationship between provider and recipient and is important for both parties [11]. It identifies the customer's needs, encourages dialog in the event of disputes, simplifies complex issues, provides a framework for understanding, reduces areas of conflict and eliminates unrealistic expectations. If there is a loss of data and some factors have not been taken into consideration, users may not be able to put claims on providers. A trust relationship between users and the different cloud stakeholders is required when users transfer data onto cloud infrastructure [12].

2) Cloud network security issues

Network security issues are considered the biggest security challenges in clouds [13]. Overlooked security configurations on networks and the lack of proper installation of network firewalls make it easier for hackers to access the cloud on behalf of legitimate users [14]. Hackers can run malicious code on the hijacked resources, or they can generate bogus data and occupy resources. Denial of service can be launched through vulnerabilities in Internet protocols such as the Session Initiation Protocol (SIP), which could cause an untrusted Internet [15].

3) Access control issues

Service and account hijacking causes phishing and software vulnerabilities where hackers gain unauthorized access to servers. This unauthorized access results in a threat to the integrity and confidentiality of data and services [1]. Malicious insiders present another access control issue, such as dishonest administrators impacting organizations' security. The current mechanisms of authentication may not be applicable in cloud environments [4]. A customer can access data and compose services from multiple cloud providers using a browser or mobile application. This access brings in a risk called privileged user access [16].

4) Cloud Infrastructure issues

The important cloud infrastructure issues in different case studies are: insecure Application Programming Interfaces (APIs), which covers the vulnerabilities in the set of APIs in the cloud portal (customers use APIs to connect to a cloud) [1]; Quality of Service (QoS); sharing technical flaws; reliability of suppliers; security misconfiguration; and multi-tenancy.

5) Data security issues

Data loss and leakage, data redundancy, data recovery, data location, data protection, data availability and data privacy have been the important issues in different case studies, which require data to be properly protected, encrypted, controlled, and transmitted.

Fig. 1 shows cloud components where security issues are raised. Each component, such as policies, cloud infrastructure, clients, and network, is prone to certain security attacks and requires attack detection, prevention and response strategies.
Depending on its cloud offering and architecture, every cloud service provider has installed diverse security measures. Their security model mainly depends upon the type of cloud offering they provide, the customer section being served and the deployment models they basically implement.

In Table 1, we present a comparative evaluation of some well-known general tools that are used to counter cloud security attacks.
TABLE 1. COMPARATIVE ANALYSIS FOR STRENGTHS AND LIMITATIONS OF SOME EXISTING SECURITY MECHANISMS
Countermeasures Limitations
Autonomous Systems :