You are on page 1of 9

Security threats in Infrastructure as a

Service layer in Cloud Computing

Sahil Arora
Thapar University
Abstract Cloud Computing is often conceived as the next-gen technology of the IT
industry to facilitate development of large scale, on-demand, flexible computing
infrastructures. It is an archetype in which resources can be lent on pay-per-use basis thus
reducing the cost and complexity of the service providers. But as it is said, with technology
comes responsibility, the need to develop proper security through cloud implementations is
quite clear. Authenticity, Availability, Confidentiality, Integrity and Privacy are essential
concerns for both cloud providers and users as well. Infrastructure as a Service (IaaS)
serves as a foundation layer for other delivery models and overlooking security in this layer
will have negative impact on the other layers i.e., PaaS and SaaS. This paper presents a
detailed study of IaaS components security and several challenging security issues and their

Keywords Cloud Computing, Cloud Security, Infrastructure as a Service (IaaS), Service

Level Agreements (SLAs)



Cloud computing is now-a-days one the

most emerging IT innovations. Most IT
companies announce to plan or already have
IT products according to the cloud
computing paradigm. Its a pay-per-use
model in which the Infrastructure Provider,
by means of customized Service Level
Agreements (SLAs), offers guarantees,
typically exploiting a pool of resources.
Regarding definition of cloud computing
model, the most widely used one is made by
NIST as Cloud computing is a model for
enabling convenient, on-demand network
access to a shared pool of configurable

computing resources (e.g., networks,

servers, storage, applications, and services)
that can be rapidly provisioned and released
with minimal management effort or service
provider interaction. This cloud model
promotes availability and is composed of
five essential characteristics, three service
models, and four deployment models.[1]
Though cloud computing itself is still not
yet mature enough, it is already evident that
security is its most critical flaw. [2] [3].


Software as a Service (SaaS): This

includes end user applications
delivered on pay per use basis. The

application developers use PaaS and the end

users use SaaS.

Development tools, execution

runtime, databases, web
servers etc
Individual servers, disk drives,
network, domain name
servers etc


E-mail, virtual desktop,

applications, CRM etc

software requires only a browser and

network connectivity. An example of SaaS is
Microsoft Office365. Before it was
launched, if a user required an office
application say MS Word, they would have
to purchase it, install it, backup files etc.
With Office365, Microsoft Word can be
acquired for a small monthly fee, with no
client installation, the files are automatically
backed up, software upgrades are
automatically received and the software can
be accessed from anywhere.

Figure 1: Services in Cloud Computing

Platform as a Service (PaaS): Provides a

companies to run their software products.
Software products need physical servers to
run on, with database software, and often
Web servers too. These are all the platform
that the application runs on. Building this
yourself is a time consuming task and needs
to be continually monitored and updated.
PaaS provides all of the platform out of the
box enabling software applications to be
given to the platform which will execute
them with no requirement for administration
of the lower level components.
Infrastructure as a Service (IaaS): Provides
hardware facilities which include a range of
features, from individual servers, to private
networks, disk drives, various long term
storage devices, email servers, domain name
servers as well as messaging systems. They
can be provisioned on demand and often
include software license fees for operating
systems and associated software installed on
the servers.
Thus, the services which the cloud provides
fit into one of these models as described
above. IT developers whose responsibility is
infrastructure use IaaS, software and



With the increasing advancement in the

Cloud technology, there comes many
security threats present for the Cloud. Now a
days, a large number of users are boarding
the cloud ship. But at the back of their
minds, they have an unreasonable fear of
facing security issues with this technology.
The shift from server to service-based
thinking is transforming the way technology
computing technology and applications. Yet
these advances have created new security
vulnerabilities, including security issues
whose full impact is still emerging.
Cybercriminals and the needless disturbance
they can cause have become the leading
concern of cloud security experts. That's the
takeaway from the non-profit Cloud
Security Alliance's (CSA) latest poll on the
top nine threats the industry faces held in
February, 2013.

A. Data Breaches
Data breaches are every CTOs worst
nightmare. This implies leakage of an
organizations sensitive private data into the
hand of the competitors and unwanted
people. While data loss and data leakage are
both severe threats to cloud computing, the
measures you put in place to reduce one of
these threats can enhance the other. You can
have data encryption to reduce the impact of
a data breach, but if encryption key is lost,
all your data is lost as well. Conversely, one
may decide to keep offline backups of his
data to reduce the impact of a catastrophic
data loss, but it increases exposure to data
B. Data Loss
The thought of losing ones data
permanently is terrifying for both consumers
and businesses. Malicious attackers are one
of the key reasons for the loss of data. Any
accidental deletion by the cloud service
provider, or worse, a physical calamity such
as a fire or earthquake, can lead to the
permanent loss of customers data unless the
provider takes adequate measures to backup
C. Account Hijacking
In 2009, many Amazon systems were
hijacked to run Zeus botnet nodes. In April
2010, Amazon experienced a Cross-Site
Scripting (XSS) bug that allowed attackers
to hijack credentials from the site.
Account or service hijacking is not new.
Phishing, fraud, and exploitation of software
vulnerabilities still achieve results. Cloud
solutions add more elements to the top of the
stack. If an attacker gains access to your
credentials, they can intercept your activities
and transactions, manipulate data, return

falsified information, and redirect your

clients to illegitimate sites. Your account or
service instances may become a new base
for the attacker. From here, they may
leverage the power of your reputation to
launch subsequent attacks.
D. Insecure APIs
Cloud providers expose a set of APIs and
software interfaces that customers use to
manage and interact with cloud services.
These interfaces perform the major
functions of provisioning, management, and
monitoring. Reliance on a weak set of
interfaces and APIs exposes firms to many
security issues related to availability,
accountability, confidentiality, and integrity.
E. Malicious Insiders
The European Organization for Nuclear
Research, known as CERN defines
malicious insiders as:
A malicious insider threat to an
organization is a current or former
employee, contractor, or other business
partner who has or had authorized access to
an organization's network, system, or data
and intentionally exceeded or misused that
access in a manner that negatively affected
the confidentiality, integrity, or availability
of the organization's information or
information systems.
From IaaS to PaaS and SaaS, The malicious
insider has increasing levels of access to
more critical systems and data.
F. Denial of Service
Denial-of-service attacks are attacks meant
to prevent users from accessing their data or
their applications. Experiencing a denial-ofservice attack is like being caught in rushhour traffic gridlock: theres no way to get to

your destination, and nothing you can do

about it except sit and wait. By forcing the
victim cloud service to consume of finite
system resources such as processor power,
disk space, network bandwidth, and
memory. The attacker causes an intolerable
system slowdown and leaves all of the
legitimate service users confused and angry
as to why the service isnt responding.
G. Insufficient Due Diligence
Cloud Computing has brought the promise
of improved efficiencies, improved security
and cost reductions and thats the reason
why many organizations are jumping into
the cloud world. But too many enterprises
jump into the cloud without understanding
the full scope of the undertaking. An
organization that rushes to adopt cloud
technologies subjects itself to a number of
issues. Contractual issues arise over
obligations on liability, response, or
transparency by creating mismatched
expectations between the CSP and the
customer. Pushing applications that are
dependent on internal network-level
security controls to the cloud is dangerous
when those controls disappear or do not
match the customers expectation.

service? How will you define abuse? How

will you prevent them from doing it again?
I. Shared Technology Vulnerabilities
A compromise of an integral component of
shared technology architecture such as the
hypervisor, or an application in a SaaS
environment exposes the compromised
customer. It also exposes the entire
environment to a potential of compromise
and breach. This vulnerability is catastrophic
because it potentially can affect an entire
cloud at once.



Infrastructure layer (IaaS) consists of several

components that have been developed in the
past and still are in the development stage.
The most common security challenges of the
cloud world have been discussed earlier.
However, breaching the security of one
component adversely affects the security of
other components which in turn, affects the
overall security of the system. In this
section, we will cover on IaaS components,
their security issues
and propose
recommendations and solutions.

H. Abuse of Cloud Services

A. Service Level Agreement (SLAs)

With cloud, even small organizations have

access to vast amounts of computing power.
However, not everyone wants to use this
power for good. It might take an attacker
years to crack an encryption key using his
own limited hardware, but using an array of
cloud servers, he might be able to crack it in
minutes. This threat is more of an issue for
cloud service provider and raises a number
of serious implications for those providers.
How will you detect people abusing your

SLAs contains the complete list of services

delivered by the provider with their
complete definition. It also contains the
parameters which determine whether the
provider is delivering the service as
promised and an auditing mechanism to
monitor the service. SLAs deliver important
information regarding the responsibilities of
the provider and the consumer and remedies
available to both if the terms of the SLA are
not met.

For a cloud provider, one of the major uses

of SLAs is to make decisions about its
infrastructure. Lets take an example, a
provider might observe that throughput for a
particular service is hardly meeting the
consumer's requirements. To resolve that
situation, the provider might reallocate
bandwidth or bring more physical hardware
online. However, if giving one consumer
more resources would make it impossible to
meet the terms of another consumer's SLA,
the provider might decide to keep one
customer happy at the expense of another.
The purpose of SLAs is to help providers
make intelligent decisions based on its
business objectives and technical realities.
B. Utility Computing
Utility Computing is plays a significant role
in Cloud Computing deployment. It
encapsulates the resources into packages as
metered services and delivers them to the
client. Utility computing serves 2 functions
mainly. First, it reduces the total cost, i.e.,
instead of owning the resources, client can
only pay per use. Second, it has been
developed to support the scalable systems.
Utility Computing shapes two of the main
features of the Cloud Computing (e.g.,
scalability, and pay as- you-go). The first
challenge to the Utility Computing is the
complexity of the Cloud Computing, for
example, the higher provider as Amazon
must offer its services as metered services.
Those services can be used by second level
providers who also provide metered
services. In such multiple layers of utility,
the systems become more complex and
require more management effort from both
the higher and the second level providers.
Amazon DevPay5, an example for such
systems, allows the second level provider to
meter the usage of AWS services and bill the

users according to the prices determined by

the user. The second challenge is that Utility
Computing systems can be attractive targets
for attackers, so an attacker may aim to
access services without paying, or can go
further to drive specific company bill to
unmanageable levels. The provider is the
main responsible to keep the system healthy
and well-functioning, but the clients
practice also affects the system.
C. Virtualization
Virtualization is highly critical to cloud
world because it simplifies the delivery of
services by providing a platform for
optimizing complex IT resources in a
scalable manner, which is what makes cloud
computing so cost effective. Virtualization
can be applied very broadly to memory,
networks, storage, hardware, and even
operating systems, and applications.
Virtualization has three characteristics that
make it ideal for cloud computing:
Encapsulation, Partitioning and Isolation.
Hypervisors manage the various aspects of
virtualization. As in cloud computing you
need to support many different operating
environments, the hypervisor becomes an
ideal delivery mechanism by allowing you
to show the same application on lots of
different systems. Because hypervisors can
load multiple operating systems, they are a
very practical way of getting things
virtualized quickly and efficiently.



authentication, consider two factor or multifactor authentication for all information that
needs to be restricted. In addition, consider
tiering your access policies based on the
tion and
level of trust you have for each identity
provider for your IaaS cloud solutions. The
level of authorization you enable from an
identity provide such as Google Mail is
going be a lot lower than if the identity
provider is your corporate Active Directory
environment. Integrate this authorization
Figure 2 Deploying IaaS Security Model
tiering into your DLP solution.

End to End

End to End

A. Data leakage protection and usage

Data stored in an IaaS infrastructure needs
to be closely monitored. When youre
deploying IaaS in a public cloud, it is of
critical importance. You need to know who
is accessing the information, from what type
of device the information was accessed, the
location from which it was accessed, and
what happened to that information after it
was accessed.
These problems can be solved by using
modern Rights Management services and
applying restrictions to all information that
is considered business critical. Create legal
policies for this information and then deploy
those policies in a way that doesnt require
user intervention. In addition, you should
create a transparent process that controls
who can see that information and then create
a self-destruct policy for sensitive
information that does not need to live
indefinitely outside of the confines of the
corporate datacenter.
B. Authentication and Authorization
Vigorous authentication and authorization
methods are required in order to have a data
loss prevention (DLP) solution. In case of

C. Infrastructure hardening
Virtual machines and VM templates should
be hardened and clean. You can do this with
initial system hardening when you create the
images, and you can also take advantage of
technologies that enable you to update the
images offline with the latest service and
security updates. Make sure that you have a
process in place to test the security of these
master images on a regular basis to confirm
that there has been no drift from your
desired configuration, due to malicious or
non-malicious changes from the original
D. End to end encryption
In end to end encryption, you should use
whole disk encryption, which ensures that
all data on the disk are encrypted so that it
can be prevented from online as well as
offline attacks. Also make sure that all
communications to host OSs and VMs in
the IaaS infrastructure are encrypted. This
can be done over SSL/TLS or IPsec. This
includes not only communications from
communications between the virtual
machines themselves. One should also
deploy mechanisms such as homomorphic
encryption to keep end-user communications

safe and secure. This is a form of encryption

that allows complex calculations to be
performed on the data even though it is
E. End to end logging
The logging and reporting solutions become
highly important in the event of a security
breach. Logging is critical for incident
response and forensics and the reports and
findings after the incident are going to
infrastructure. Make sure that all compute,
network, memory and storage activity is
logged and that the logs are stored in
multiple, secure locations with extremely
limited access.



Cloud Computing is an evolving computer

paradigm. The NIST document has defined
several requirements for a cloud computing
solution. There are three service models for
cloud computing: SaaS, PaaS and IaaS.
When deploying an IaaS solution, there are a
number of security issues that need to be
considered for both private cloud IaaS and
public cloud IaaS, which are highlighted in
this research paper. The security issues
presented here concern the security of each
IaaS component in addition to recent
proposed solutions.

I am very grateful to Mr. Gaurav Sharma,
for his support to write this paper.

Appication Denial of Service. (n.d.). Retrieved from The open web application security project:
Cloud Security Issues - A fading worry. (n.d.). Retrieved from Ramco blog:
Czarnecki, C. (2011, November 9). Cloud Service Models: Comparing SaaS, PaaS and IaaS.
Retrieved from Learning Tree International:
Gill, P. J. (2013, April). Utility Computing in the cloud. Oracle Magazine, pp. 1-5.
Goodin, D. (2010, April 4). Amazon purges account hijacking threat from site. Retrieved from
The Register:
Grance, T., & Mell, P. (2009, July 10). The NIST definition of Cloud Computing. Retrieved from
Honan, M. (2012, November 11). Kill the password : Why a string of characters cant protect us
anymore? Retrieved from Wired:
Howell, D. (2013, January 16). Cloud Computing Users are losing data, Symantec finds SYMC.
Retrieved from
Kassner, M. (2011, June 29). Homomorphic Encryption: Can it save cloud computing? Retrieved
from TechRepublic:
Lemos, R. (2012, April 23). Insecure API implementations threaten Cloud. Retrieved from Dark
Miller, M. (2009). Cloud Computing - Web Based Application that change the way you
collaborate online. QUE, 2nd print.
Schwartz, M. J. (2012, June 13). New Virtualization Vulnerability Allows Escape To Hypervisor
Attacks. Retrieved from Information Week:
Shinder, D. (2013, January 23). Security Considerations for Infrastructure as a Service Cloud
Computing. Retrieved from Windows Security:

The Notorious Nine : loud COmputing threats in 2013. (2013, February). Retrieved from Cloud
Security alliance:
Vilaca, R., & Oliveira, R. (2009). A flexible large scale decentralized object store. WDDDM.
Architecture Overview.