See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/327100442

Survey on Security Issues in Cloud Computing

Conference Paper · November 2014

CITATIONS READS

0 12

2 authors, including:

Cherif Ghazel
Université de la Manouba
33 PUBLICATIONS   53 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

NGN - QoS View project

All content following this page was uploaded by Cherif Ghazel on 19 October 2020.

The user has requested enhancement of the downloaded file.


Survey on Security Issues in Cloud Computing
H. Guesmi, C. Ghazel and L. A. Saidane
Cristal Lab, National School of Computer Sciences.
University of Manouba – Tunisia
Abstract—Cloud computing presents an emerging technology
paradigm that provides current technological and computing
concepts into utility-like solutions similar to water and
electricity systems. A wide range of benefits is supplied by
clouds including service flexibility, configurable computing
resources and economic savings. However, the primary
obstacles to a wide adoption of clouds are security and privacy
concerns. The clouds introduce new concepts, such as
outsourcing, resource sharing and multi-tenancy, which
generate new challenges to the security community. These
challenges require, in addition to the ability to tune the security
measures of traditional computing systems, providing new
security models, policies and protocols to address the unique
cloud computing security challenges. We provide in this work,
an entire study of cloud computing privacy concerns and
security. We present cloud vulnerabilities and classification of
known security threats, and present the state-of-the-art
measures to control the vulnerabilities and neutralize the
menaces. Finally, we analyze and identify the limitations of the
current cloud security solutions.
Keywords—Cloud computing; cloud security; security
vulnerabilities; threats; attacks; data protection.
I. INTRODUCTION
Cloud computing, as defined by NIST, is a new computing
model that provides a centralized pool of configurable
computing resources (e.g., storage, applications, services, etc.)
that can be rapidly provisioned and released with service
provider interaction or minimal management effort [1].
Five key characteristics of cloud computing was defined
by the National Institute of Standards and Technology (NIST)
[2], namely: broad network access, rapid elasticity or
expansion, measured service, on-demand self-service, and
resource pooling [2]. Cloud computing is also described as a
dynamic and often easily extended platform to provide
transparent virtualized resources to users through the Internet
[3].
According to the different types of services offered, cloud
computing architecture can be considered to consist of three
layers: Infrastructure as a Service (IaaS) is the lowest layer
that provides basic infrastructure support service; Platform as
a Service (PaaS) is the middle layer, which offers platform
oriented services, besides providing the environment for
hosting user’s applications; Software as a Service (SaaS) is the
topmost layer which features a complete application offered as
service on demand [4]. Cloud services can be deployed in one
www.ijert.org
International Journal Of Engineering Research and Technology (IJERT)
PEMWN-2014 Conference Proceedings
of four deployment models depending upon the customers’
requirements [5]: private cloud in which the infrastructure is
owned and managed by a specific organization; public cloud
in which the physical infrastructure is owned and managed by
the service provider; community cloud in which the physical
infrastructure is owned and managed by a consortium of
organizations; and hybrid cloud witch includes combinations
of the previous three models.
This paper is organized as follows: Section 2 describes
cloud security categories and issues. Section 3 presents an
evaluation of main general cloud security mechanisms. An
analysis of security issues is presented in section 4. In section
5 we conclude the paper.
II. CLOUD SECURITY CATEGORIES AND ISSUES
In this part of this work we identify the five categories of
cloud computing security issues cited in [6]. Then, we
describe the different cloud security issues and their
classifications.
A. Cloud security categories
 Security Standards category: regroups the standards
required to take precaution measures in order to
prevent attacks in cloud computing. It includes
auditing and other agreements among users, service
level agreements, service provider and other
stakeholders. It governs cloud security policies without
compromising performance and reliability.
 Network category: it’s the medium through which
users connect to cloud infrastructure to accomplish the
required computations. It includes network
connections, information exchange through
registration, and browsers. This type of security covers
network attacks like Connection Availability, Internet
Protocol Vulnerabilities, Flooding Attack, Denial of
Service (DoS), Distributed Denial of Service (DDoS),
etc.
 The Access Control category: allows capturing issues
that affect privacy of user information and data storage.
It covers access control, identification and
authentication. This category allows capturing issues
that affect privacy of data storage and user information.
 The Cloud Infrastructure category: Involves the attacks
specific to the cloud infrastructure within IaaS, PaaS
and SaaS such as privileged insiders and tampered
39

binaries and is related particularly with virtualization
environment.
 The Data category involves related security issues. It
includes data confidentiality, migration, integrity and
data warehousing.
B. Cloud Security Issues and Classification
1) Cloud security standards issues
Currently, there is lack of appropriate security standards in
cloud computing [1]. Special attention is required towards
mutual security standards such as Secure Sockets Layer
(SSL)/Transport Layer Security (TLS), XML Encryption
Syntax and Processing, XML signature, and Key Management
Interoperability Protocols. The lack of governess for audits
and assessment of corporate standards causes many security
issues which are associated with compliance risks [1].
Customers of cloud do not have enough knowledge of
processes and procedures of the provider, particularly in
segregation of duties and areas of identity management.
Auditability is an important aspect of cloud computing
security; even so, there is not an audit net for service providers
[7, 8]. Governing bodies and security standards are part of
legal aspects and service level agreements (SLA), which have
not been practiced for cloud computing [9,10]. SLA
determines the relationship among provider and recipient and
is important for both parties [11]. It identifies the customer’s
needs, encourages dialog in the event of disputes, simplify
complex issues, provides a framework for understanding,
reduces areas of conflict and eliminates unrealistic
expectations. If there is a loss of data and some factors are not
taken into consideration as users may not be able to put claims
on providers. The Trust relationship between users and the
different cloud stakeholders is required when users transfer
data on cloud infrastructure [12].
2) Cloud network security issues
Network security issues are considered the biggest security
challenges in clouds [13]. The overlooked security
configurations on networks and the lack of proper installation
of network firewalls facilitate to hackers to access the cloud
Fig. 1. Cloud components that are prone to security attacks.
III. COMPARATIVE EVALUATION OF GENERAL
CLOUD SECURITY MECHANISMS
To addressing many security issues related to the cloud,
the European Union Agency for Network and Information
Security (ENISA) has done a significant work: provides
www.ijert.org
International Journal Of Engineering Research and Technology (IJERT)
PEMWN-2014 Conference Proceedings
on behalf of legitimate users [14]. Hackers can run
malicious code on the hijacked resources or they can generate
bogus data and occupy resources. Denial of service can be
launched by appearance of vulnerabilities in Internet protocols
such as Session Initiation Protocol (SIP) which could cause an
un-trusted internet [15].
3) Access control issues
Service and account hijacking causes phishing and
software vulnerabilities where hackers gain unauthorized
access to servers. This unauthorized access results a threat to
integrity and confidentiality of data and services [1].
Malicious insiders present another access control issue such as
impacting organizations’ security by dishonest administrators.
The current mechanisms of authentication may not be
applicable in cloud environments [4]. A customer can access
data and compose services from multiple cloud providers
using a browser or mobile application. This access brings in a
risk called privileged user access [16].
4) Cloud Infrastructure issues
The important cloud infrastructure issues in different case
studies are: insecure interface of Application Programming
Interface (API) it covers the vulnerabilities in the set of APIs
in the cloud portal (customers use APIs to connect to a cloud)
[1], Quality of Service (QoS), sharing technical flaws,
reliability of suppliers, security misconfiguration and multi-
tenancy.
5) Data security issues
Data loss and leakage, data redundancy, data recovery,
data location, data protection, data availability and data
privacy have been the important issues in different case
studies which require data to be properly protected, encrypted,
controlled, and transmitted.
Fig. 1 shows cloud components where security issues are
raised. Each component, such as policies, cloud infrastructure,
clients, and network, is prone to certain security attacks and
requires attack detection, prevention and response strategies.
information to stakeholders that helps them to manage the
risks when migrating into the clouds, covers advisory services
on setting SLAs and to identify the critical cloud services and
analyze the impact of the cloud service failure in such
circumstances, ENISA provides cooperative studies with
various stakeholders.
40
 International Journal Of Engineering Research and Technology (IJERT)

PEMWN-2014 Conference Proceedings

Depending on its cloud offering and the architecture, every
cloud service provider has installed diverse security measures.
Their security model mainly depends upon the type of cloud
offering they provide, customer section being served and the
deployment models they basically implement.
In table 1, we present a comparative evaluation of some
well-known general tools that are used to countermeasure
cloud security attacks.

TABLE 1. COMPARATIVE ANALYSIS FOR STRENGTHS AND LIMITATIONS OF SOME EXISTING SECURITY MECHANISMS

Countermeasures Limitations

Intrusion Detection Systems (IDS) :

1. The main limitation in GCCIDS is the
1. Implementing IDS offers additional security measures by
high communication overhead and
investigating network traffic, log files and user behaviour.
redundancy.
2. IDS have two types (1) host based IDS (HIDS) which monitors the
behaviour on a single host and (2) network based IDS (NIDS) which
2. GCCIDS does not provide any
analyses traffic flowing through a network [17].
information as to whether a node should
3. An IDS system named Grid and Cloud Computing Intrusion
immediately alert other nodes as intrusion
Detection System (GCCIDS) was proposed in [18]. It consists of an
occurs or at certain predefined periodic time
audit system that detects and covers attacks that have not been covered,
interval.
previously, by other NIDS and HIDS systems. In GCCIDS each node
identifies the local event and alerts all other connected nodes.

Autonomous Systems :

1. An autonomous system is an IDS that works with pre-specified

1. Security audit as a Service (SaaS)
basic rules. These rules configure, heal, optimize and protect involves the use of large number of agents
themselves automatically, thereby reducing human efforts and
and functions such as initiating agent,
involvement [19]. moving agent, killing agent, etc., which
2. It is impossible, without autonomic computing, to manage next creates high communication among agents
generation distributed-systems such as clouds and grids effectively.
and increases the processing and
3. An intelligent autonomous agent for incident detection named computational overhead.
Security audit as a Service (SaaS) as presented in [20]. SaaS addresses
three main problems of cloud computing namely: abusing cloud
2. There is no flexible management system
resources; missing security monitoring in cloud infrastructure and by number of user access, at a given time or
defective isolation of shared resources. by load averages.
4. A pure concept of autonomic manager in grid and cloud
computing as defined in [21]. It provides a feature of self-
configuration, self-healing, self-optimization and self-protection.

Federated Identity Management System

1. Management of identities (IDM) is about maintaining the integrity
of identities, throughout their life cycle, to make it and its related data
(e.g., authentication and authorization results) available to different
services in secure and privacy-protected manner [22].
2. The process to repeat authentication of user (Single Sign-On) can be
an example of federated identity [23].
1. The main issue with single Sign-On lies
in the wider damage that it causes in case of
compromise. If a user identity is
compromised, the illegitimate user will not
be verified again, which could create higher
level of information leakage.
2. Another issue is lacking dynamic
federation and agile mechanism in FIM
systems. It is an architectural concern and
requires further investigation.

attacks across all cloud components, to achieve

IV. ANALYSIS
Cloud computing is an emerging paradigm that involves
all the basic components of computing such as communication
networks, end-user machines (PCs), access management
systems and cloud infrastructures. The data and cloud
infrastructure must be protected against known and unknown
comprehensive cloud security. In 2011 the number of browser
based attacks increased from 580,371,937 to 946,393,693
[24]. This important increase is mainly due to the growing
value of the data assets and resources available on the clouds,
which makes the platform very attractive for attackers.
Unfortunately, we cannot protect the cloud-computing

www.ijert.org 41

infrastructure from all the known and unknown attacks
because it requires additional computational overhead and [1]
resources. Current security solutions such as IDS, DIDS,
outsourcing the identity management systems, firewalling and
installing antivirus, are expensive and degrade performance. [2]
Thus, the important cloud security research challenge is not
only in providing high level measures but also in doing so
[3]
with minimum resources and reduced performance
degradation.
Using this current study, we found that to achieve better
[4]
security, data and system security should be embedded in the
design of cloud computing architecture. Furthermore, security
measures should be autonomous and dynamic. Cloud [5]
infrastructure is changing fast requiring security policies and
measures to be regularly updated at the same pace. Moreover,
licensing is essential to the security of clouds. Standard [6]
security policies should be implemented strictly in clouds and
organizational bodies should control clouds’ infrastructure on
[7]
regular bases to evaluate the adeptness of the security
precautions used by the vendors. In addition, it is very
important to holistically explore the various cloud security
related parameters including challenges, risks, threats, attacks, [8]
and vulnerabilities.
[9]
V. CONCLUSION
Currently the adoption of cloud paradigm is growing.
Analysts suppose that the factor of cost reduction in cloud [10]
computing will increase the adoption of cloud computing in
the public sector. With the greet evolution in cloud adoption
the sector of security attracted the attention of practitioners [11]
and researchers. We conduct, in this work, a survey on the
current issues of cloud security and the state-of-the-art
security solutions. The main issues were tampered binaries, [12]
firewall misconfigurations, side channels, multi-tenancy,
mobility, and weak browser security. These issues are
classified into five security categories includes: security
standards, network, cloud infrastructure, access, and data. [13]
There are variable incidents of attacks that target the clouds
such fate sharing, phishing, botnet, and malware injection. In a
comparative analysis we present the state-of-the-art well- [14]
known countermeasures for cloud security attacks including
intrusion detection systems, autonomous systems, and
federated identity management systems. Finally, we highlight
limitations of these systems including the high communication
and computation overhead and the detection efficiency and [15]
coverage.
At this moment, a big concerns are related with data. Data
migration from one cloud to another is not realizable because
of the heterogeneous nature of clouds. Furthermore, if a [16]
contract has expired, clouds lack the tools that confirm that
user data has been deleted from the cloud. These data threats
require researchers’ attention to cover some standards for
continuous data deletion. We plan in the future to investigate [17]
the possibility of presenting appropriate frameworks for DIDS
for clouds with scheduling algorithms for Green IT.
[18]
[19]
www.ijert.org
International Journal Of Engineering Research and Technology (IJERT)
PEMWN-2014 Conference Proceedings
REFERENCES
Tripathi, A., Mishra, A. “Cloud computing security considerations”. In
Proceedings of the 2011 IEEE International Conference on Signal
Processing, Communications and Computing (ICSPCC), Xi’an, China,
14–16 September 2011; pp. 1–5.
“Final Version of NIST Cloud Computing Definition Published”.
Available online: http://www.nist.gov/itl/csd/cloud-102511.cfm
(accessed on 25 August 2013).
Lv, H., Hu, Y. “Analysis and research about cloud computing security
protect policy”. In Proceedings of the 2011 International Conference on
Intelligence Science and Information Engineering (ISIE), Wuhan,
China, 20–21 August 2011; pp. 214–216.
Mell, P., Grance, T. “The NIST Definition of Cloud Computing”, NIST,
USA. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-
145.pdf, USA, 2009.
Gowrigolla, B., Sivaji, S., Masillamani, M.R. “Design and auditing of
cloud computing security”. In Proceedings of the 2010 5th International
Conference on Information and Automation for Sustainability
(ICIAFs), Colombo, Sri Lanka, 17–19 December 2010; pp. 292–297.
Issa M. Khalil, Abdallah Khreishah, Muhammad Azeem. “Cloud
Computing Security: A Survey”, Computers 2014, 3, 1-35;
doi:10.3390/computers3010001.
Morin, J., Aubert, J., Gateau, B. “Towards cloud computing SLA risk
management: Issues and challenges”. In Proceedings of the 2012 45th
Hawaii International Conference on System Science (HICSS), Maui,
HI, USA, 4–7 January 2012; pp. 5509–5514.
Braun, V., Clarke, V. “Using thematic analysis in psychology”. Qual.
Res. Psychol. 2006, 3, 77–101.
“A Survey on Cloud Computing Security, Challenges and
Threats|Whitepapers| TechRepublic”. Available online:
http://www.techrepublic.com/whitepapers/a-survey-on-cloud-
computingsecurity challenges and-threats/3483757 (accessed on 18
March 2012).
Thalmann, S., Bachlechner, D., Demetz, L., Maier, R. “Challenges in
cross-organizational security management”. In Proceedings of the 2012
45th Hawaii International Conference on System Science (HICSS),
Maui, HI, USA, 4–7 January 2012; pp. 5480–5489.
M. Taifi, J. Y. Shi, A. Khreishah, “SpotMPI: A Framework for
Auction-based HPC Computing Using Amazon Spot Instances”, in
Proc. of the International Symposium on Advances of Distributed
Computing and Networking (ADCN), 2011.
Riquet, D., Grimaud, G., Hauspie, M. “Large-scale coordinated attacks:
Impact on the cloud security”. In Proceedings of the 2012 Sixth
International Conference on Innovative Mobile and Internet Services in
Ubiquitous Computing (IMIS), Palermo, Italy, 4–6 July 2012; pp. 558–
563.
Wang, J.-J., Mu, S. “Security issues and countermeasures in cloud
computing”. In Proceedings of the 2011 IEEE International Conference
on Grey Systems and Intelligent Services (GSIS)”, Nanjing, China, 15–
18 September 2011; pp. 843–846.
Gonzalez, N., Miers, C., Redigolo, F., Carvalho, T., Simplicio, M.,
Naslund, M., Pourzandi, M. “A quantitative analysis of current security
concerns and solutions for cloud computing”. In Proceedings of the
2011 IEEE Third International Conference on Cloud Computing
Technology and Science (CloudCom), Athens, Greece, 29 November–1
December 2011; pp. 231–238.
Rachel Suresh, N. Mathew, S.V. “Security concerns for cloud
computing in aircraft data networks”. In Proceedings of the 2011
International Conference for Internet Technology and Secured
Transactions (ICITST), Abu Dhabi, United Arab Emirates, 11–14
December 2011; pp. 132–136.
Jain, P., Rane, D., Patidar, S. “A survey and analysis of cloud model-
based security for computing secure cloud bursting and aggregation in
renal environment”. In Proceedings of the 2011 World Congress on
Information and Communication Technologies (WICT), Mumbai,
India, 11– 14 December 2011; pp. 456–461.
Van athi, R., Gunasekaran, S. “Comparison of network intrusion
detection systems in cloud computing environment”. In Proceedings of
the 2012 International Conference on Computer Communication and
Informatics (ICCCI), Coimbatore, India, 10–12 January 2012; pp. 1–6.
Vieira, K., Schulter, A., Westphall, C.B., Westphall, C.M. “Intrusion
detection for grid and cloud computing”. IT Prof. 2010, 12, 38–43.
Erdil, D.C. “Dependable autonomic cloud computing with information
proxies”. In Proceedings of the 2011 IEEE International Symposium on
42
 International Journal Of Engineering Research and Technology (IJERT)

PEMWN-2014 Conference Proceedings

Parallel and Distributed Processing Workshops and Phd Forum

(IPDPSW), Shanghai, China, 16–20 May 2011; pp. 1518–1524.
[20] Doelitzscher, F., Reich, C., Knahl, M., Clarke, N. “An autonomous
agent based incident detection system for cloud environments”. In
Proceedings of the 2011 IEEE Third International Conference on Cloud
Computing Technology and Science (CloudCom), Athens, Greece, 29
November–1 December 2011; pp. 197–204.
[21] Balen, D., Westphall, C., Westphall, C. “Experimental assessment of
routing for grid and cloud”. In Proceedings of the Tenth International
Conference on Networks (ICN 2011); St. Maarten, The Netherlands
Antilles, January 23-28, 2011, pp. 341–346.
[22] Bishop, M. “Computer Security: Art and Science”. Addison-Wesley
Professional: Reading, MA, USA, 2002.
[23] Leandro, M.A.P., Nascimento, T.J., dos Santos, D.R., Westphall, C.M.,
Westphall, C.B. “Multitenancy authorization system with federated
identity for cloud-based environments using shibboleth”. In
Proceedings of the Eleventh International Conference on Networks,
2012; pp. 88–93.
[24] Kaspersky Security Bulletin. Statistics 2011. Available online:
http://www.securelist.com/en/analysis/204792216/Kaspersky_Security
_Bulletin_Statistics_2011 (accessed on 13 January 2013).

www.ijert.org 43

View publication stats