
A Survey Paper on Cloud Security Issues and Challenges

Tunisha Saxena¹, Vaishali Chourey²
¹,² Computer Science dept. Medi-Caps Institute of Technology and Management, Indore, India
¹tunisha.I3saxena@gmail.com, ²vaishalichourey@yahoo.com

Abstract: Cloud Computing has transformed the software support for large systems from a server-oriented to a service-oriented paradigm. This shift has created new challenges for the design and delivery of services over heterogeneous requirements and environments. This brings about risks and challenges for systems. Systems on the internet are vulnerable to performance and security risks. Performance is a composite evaluation, but risks that are related to privacy can be handled at different levels of abstraction in the cloud model. This paper addresses the security risks and challenges and analyzes the available measures to handle

Keywords: Cloud Computing, Cloud security, Security challenges, Network level security, Application level security.

I. INTRODUCTION

Cloud Computing is a computing model which has evolved from distributed computing, virtualization technology, utility computing and other computer technologies [1]. It is synonymous with providing services on virtual machines allocated over a large physical pool of resources. It is also characterized by addressing scalability and availability for large enterprise-level applications.

Cloud computing applications are generally priced on a subscription model. The cloud-based services are not restricted to software applications (Software as a Service - SaaS), but could also be the platform for the development and deployment of cloud applications (Platform as a Service - PaaS) and the hardware infrastructure (Infrastructure as a Service - IaaS). According to NIST [2] - "Cloud computing is a model which enables convenient, ubiquitous, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal service provider interaction or management effort".

Fig 1: Convergence of cloud computing (Distributed Computing: Utility and Grid Computing; Hardware: Hardware Virtualization, Multi-core chips; Internet Technologies: SOA, Web 2.0, Web Services and Mashups; Systems Management: Autonomic Computing, Data Center Automation)

Fig. 2: Cloud computing model (Deployment Models; Essential Characteristics: On demand Self Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service; Service Models)

1.1 Essential Characteristics:

i) On-demand self-service: On-demand self-service allows the users to obtain and configure cloud resources automatically, without involving any human intervention. A consumer can provision computing capabilities with each service provider.

ii) Broad network access: Cloud resources and capabilities are available over the network. They are accessed through standard mechanisms that are used by thick and thin client platforms, which include tablets, laptops, mobiles, workstations etc.

iii) Resource pooling: The cloud providers allow the users to enter data in the cloud and use it from any location, at any time. Thus, computing resources are pooled in the cloud so as to serve multiple consumers.

iv) Rapid elasticity: The capabilities provided by the cloud can be elastically and rapidly released or provisioned. Cloud computing gives an illusion of multiple computing resources. These resources can be scaled up and down.

978-1-4799-3064-7/14/$31.00 ©2014 IEEE


v) Measured service: Cloud systems provide transparency to both consumers and providers by measuring and reporting the resources used. Cloud providers enable the users to pay only for the resources that they use and release the resources when they are not needed.

1.2 Cloud Service models:

i) Infrastructure as a Service: IaaS offers virtualized resources on demand. These virtualized resources include storage, communication and computation. It is the bottom layer of the cloud stack. Examples of IaaS include Amazon EC2, Flexiscale, Joyent, GoGrid and Rackspace cloud servers.

ii) Platform as a Service: It offers a higher level of abstraction which makes the cloud easily programmable. This is known as Platform as a Service (PaaS). A cloud platform offers an environment on which developers create and deploy applications and do not necessarily need to know how many processors or how much memory their applications will use. Examples of PaaS include Aneka, Google App Engine and Microsoft Azure.

iii) Software as a Service: Applications reside on the top of the cloud stack. End users access the services provided by SaaS through Web portals. Examples of SaaS include Salesforce.com, Google app, Facebook and YouTube.

1.3 Cloud Deployment Models:

i) Private cloud: The cloud infrastructure is an internal data center of an organization which is not meant for the general public. It is used by a single organization consisting of multiple consumers (e.g., business units). Private clouds may be owned and managed by an organization or a third party. It may exist on or off premises.

ii) Public cloud: The cloud infrastructure is made available to the general public on a pay-as-you-go basis. It may be owned, managed and operated by government organizations, business organizations and academic organizations. It exists on the premises of the cloud provider.

iii) Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that shares common goals. It may be owned, managed, and operated by any organization in the community or a third party. It may exist on or off premises.

iv) Hybrid cloud: The cloud infrastructure is a combination of two or more clouds (private, community, or public). This is specifically used to handle spikes in load, which is known as 'cloud bursting'.

Fig. 3: Graph showing tradeoff between Risk and Control when migrated from public to enterprise cloud (axes: Risk, Low to High; Control, Low to High; labels: Private, Enterprise)

Risk decreases and control increases when moving from a public to an enterprise cloud. Private clouds give greater control over security, privacy of data, compliance and Quality of Service (QoS). The reason is that private clouds can manage network bandwidth better and implement optimizations.

II. SECURITY CHALLENGES AND THREATS IN CLOUD COMPUTING

Clouds have been used for a variety of applications including business implementation, collaboration services, online presence, R&D projects, social networking, business tools etc. With these areas of system development and usage, risk analysis, estimation, control and treatment become essential. The cloud service provider makes sure that the customer does not face any problem such as loss of data or data theft. Table 1 gives the security challenges and their associated threats [3,4]. These challenges and threats are also distributed according to the Cloud Security Alliance (CSA) [5].

III. CLOUD SECURITY

This section deals with various aspects of security in Cloud Computing. It includes information security principles, security requirements, security controls and security architecture.
TABLE 1: CHALLENGES AND THREATS ON DIFFERENT MODELS IN CLOUD

Model: Deployment
  Challenges: Cloning and Resource pooling; Motility of data and data residuals; Elastic perimeter; Shared multi-tenant environment; Unencrypted data; Authentication and Identity Management
  Threats: Trusting data to people and processes; Viability of cloud vendor
  CSA Levels: Malicious insiders; Insufficient due diligence

Model: Service
  Challenges: Data leakage problem; Malicious attacks; Backup and storage; Shared technological issues; Service hijacking; Virtual machine hopping; Man in the middle attack
  Threats: Legal and Regulatory Compliance; Cloud security violation
  CSA Levels: Denial of service; Abuse of cloud services

Model: Network
  Challenges: Browser security; SQL injection attacks; Flooding attacks; XML signature element wrapping; Incomplete data deletion; Locks in; DNS attacks; Sniffer attacks; Issue in reused IP addresses; BGP prefix hijacking; Cross Site Scripting (XSS)
  Threats: Failure in provider security; Attacks by other customers
  CSA Levels: Data loss; Shared technology vulnerabilities

Model: Application
  Challenges: Security concerns with Hypervisor; Denial of service attacks; Cookie poisoning; Hidden field manipulation; Backdoor and debug options; Distributed denial of service attacks; CAPTCHA breaking; Dictionary attacks; Google hacking
  Threats: Availability and Reliability issues; Protection and Confidentiality of data
  CSA Levels: Data breaches; Account or service traffic hijacking; Insecure interfaces and APIs

3.1 Information Security Principles:

There are certain principles which we need to abide by so as to have secure cloud communication. These principles are referred to as Information Security Principles. The CIA Triad is a well-known security model which deals with important aspects of IT security. It is used to identify security problems and provide the necessary solutions [6,7]. In the CIA Triad, C stands for Confidentiality, I for Integrity and A for Availability. These security principles are also discussed in [8].

i) Confidentiality - Confidentiality refers to protecting the information from unauthorized users. Its aim is to ensure that information is hidden from unauthorized users. With the increase in the number of applications and equipment in the cloud, threats also increase, which leads to an increased number of access points.

ii) Integrity - Integrity refers to the consistency and accuracy of data. The data should not be modified by any unauthorized user or in an unauthorized manner. It says that data should not be altered in transit.

iii) Availability - The principle of availability says that the information must be available whenever it is needed. It refers to the property that the system must be usable and accessible when requested by the authorized users.

3.2 Cloud Security Requirements:

Before migrating the data to the cloud, security cannot be the only requirement. Organizations not only need security, but robust security that can be trusted and monitored. This brings about three basic requirements of cloud security [9] -

i) Robust Security - Robust security refers to moving beyond the traditional modes of security. Even in a shared multitenant environment, robust security ensures isolation of data. It ensures the protection of data at different layers in the cloud. It includes mechanisms to provide access control and confidentiality. This involves robust log management, encryption, key management etc.

ii) Trust and Assurance - In Trust and Assurance, the organization maintains confidence in the integrity of the entire cloud infrastructure. This includes integrity of software, hardware, data centers, processes etc. The cloud provider needs to establish an evidence-based trust architecture of the cloud environment, which involves monitoring and reporting capabilities that assure the customer of transparency related to security vulnerabilities. It involves audit trails to deal with the customer's existing problems.

iii) Monitoring and Governance - It involves utilities that allow customers to monitor the security environment, performance and reliability. With these utilities, customers can monitor these activities as they could in their own data center. These utilities allow customers to take necessary actions on account of the security information received from the cloud provider. These actions may include shutting down the application itself. Governance includes risk management.

3.3 Cloud Security Controls:

Cloud Security Controls can be visualized as a three-tiered model [9]. These three layers include Front End Security, Middle layer and Back End Security.

i) Front End Security deals with authorization and authentication.

ii) Middle layer deals with OS security and virtual machine security.

iii) Back End Security deals with data and database security, network security and storage security.

3.4 Security Architecture:

The security architecture includes isolation, confidentiality and access control, which are the necessary requirements to protect the data and applications of a company [9].

i) Isolation - It ensures isolation within a multitenant environment. Its countermeasure is the use of 'Hypervisors', which enable multiple data centers.

ii) Confidentiality - Confidentiality is an important component of security architecture which protects information from unauthorized access. The countermeasure for confidentiality is 'Encryption'.

iii) Access Control and Identity Management - Identity management ensures that only authorized users can access the applications. This involves audit and log management. Identity management and access control are provided by 'federated identity management'. Along with authorization and authentication, validation processes also ensure identity and access control.

IV. CONCLUSION

With the advent of technology, cloud computing has become an important computing paradigm and has been dominating the IT market. More drift towards cloud computing can be seen in the future because of its features and benefits. With this revolutionization of the computing world by the cloud, it is prone to a number of security challenges as well, which may vary from application to network level. These security risks must be controlled. Even the data residing inside the cloud is vulnerable to attacks. In this paper, we presented various aspects of security in the cloud and the challenges associated with different parts of the cloud infrastructure.

REFERENCES

[1] Wentao Liu, Research on Cloud Computing Security Problem and Strategy, 978-1-4577-1415-31121 ©2012 IEEE
[2] NIST definition of Cloud. NIST 500-292 "NIST Cloud Computing Reference Architecture"
[3] Ms. Disha H. Parekh, Dr. R. Sridaran, "An Analysis of Security Challenges in Cloud Computing", International Journal of Advanced Computer Science and Applications (IJACSA), Vol. 4, No.1, 2013
[4] Rohit Bhadauria, Rituparna Chaki, Nabendu Chaki, Sugata Sanyal, "A Survey on Security Issues in Cloud Computing and Associated Mitigation", International Journal of Computer Applications (IJCA), June 2012, pp: 47 - 66.
[5] http://www.cloudsecurityalliance.org/topthreats
[6] http://www.techrepublic.com/blog/it-security/the-cia-triad/
[7] http://www.slideshare.net/bharathraob/the-cia-triad-28739772
[8] Mircea Georgescu, Natalia Suicimezov, "Issues Regarding Security Principles In Cloud Computing", The USV Annals of Economics and Public Administration Volume 12, Issue 2(16), 2012.
[9] http://www.cloudsecuritysoftware.com/cloud-security.html
