Professional Documents
Culture Documents
Survey On Security Issues in Cloud Compu
Survey On Security Issues in Cloud Compu
ABSTRACT environment users need not own the infrastructure for various
Cloud Computing holds the potential to eliminate the computing services. In fact, they can be accessed from any
requirements for setting up of high-cost computing computer in any part of the world. This integrates features
infrastructure for IT-based solutions and services that the supporting high scalability and multi-tenancy, offering
industry uses. It promises to provide a flexible IT architecture, enhanced flexibility in comparison to the earlier existing
accessible through internet from lightweight portable devices. computing methodologies. It can deploy, allocate or reallocate
This would allow multi-fold increase in the capacity and resources dynamically with an ability to continuously monitor
capabilities of the existing and new software. In a cloud their performance [4].
computing environment, the entire data resides over a set of
networked resources, enabling the data to be accessed through
2. CLOUD TAXONOMY,
virtual machines. Since these data-centres may be located in CHARACTERISTICS AND BENEFITS
any part of the world beyond the reach and control of users, Cloud computing can be classified based on the services
there are multifarious security and privacy challenges that offered and deployment models. According to the different
need to be understood and addressed. Also, one can never types of services offered, cloud computing can be considered
deny the possibility of a server breakdown that has been to consist of three layers. Infrastructure as a Service (IaaS) is
witnessed, rather quite often in the recent times. There are the lowest layer that provides basic infrastructure support
various issues that need to be addressed with respect to service. Platform as a Service (PaaS) layer is the middle layer,
security and privacy in a cloud computing environment. This which offers platform oriented services, besides providing the
extensive survey paper aims to elaborate and analyze the environment for hosting user’s applications. Software as a
numerous unresolved issues threatening the cloud computing Service (SaaS) is the topmost layer which features a complete
adoption and diffusion affecting the various stake-holders application offered as service on demand [5, 6].
associated with it.
SaaS ensures that complete applications are hosted on the
Keywords internet and users use them. The payment is made on a pay-
Software as a Service (SaaS), Platform as a Service (PaaS), per-use model. It eliminates the need to install and run the
Infrastructure as a Service (IaaS), Interoperability, Denial of application on the customer’s local computer, thus alleviating
Service (DoS), Distributed Denial of Service (DDoS), Mobile the customer’s burden for software maintenance. In SaaS,
Cloud Computing (MCC), Optical Character Recognition there is the Divided Cloud and Convergence coherence
(OCR), Community of Interest (COI). mechanism whereby every data item has either the “Read
Lock” or “Write Lock” [7]. Two types of servers are used by
1. INTRODUCTION SaaS: the Main Consistence Server (MCS) and Domain
Internet has been a driving force towards the various Consistence Server (DCS). Cache coherence is achieved by
technologies that have been developed since its inception. the cooperation between MCS and DCS [8]. In SaaS, if the
Arguably, one of the most discussed among all of them is MCS is damaged, or compromised, the control over the cloud
Cloud Computing. Over the last few years, cloud computing environment is lost. Hence securing the MCS is of great
paradigm has witnessed an enormous shift towards its importance.
adoption and it has become a trend in the information In the Platform as a Service approach (PaaS), the offering
technology space as it promises significant cost reductions and also includes a software execution environment. For example,
new business potential to its users and providers [1]. The there could be a PaaS application server that enables the lone
advantages of using cloud computing include: i) reduced developer to deploy web-based applications without buying
hardware and maintenance cost, ii) accessibility around the actual servers and setting them up. PaaS model aims to protect
globe, and iii) flexibility and highly automated processes data, which is especially important in case of storage as a
wherein the customer need not worry about mundane concerns service. In case of congestion, there is the problem of outage
like software up-gradation [2, 3]. from a cloud environment. Thus the need for security against
A plethora of definitions have been given explaining the cloud outage is important to ensure load balanced service. The data
computing. Cloud computing is defined as a model for needs to be encrypted when hosted on a platform for security
enabling ubiquitous, convenient, on-demand network access reasons. Cloud computing architectures making use of
to a shared pool of configurable computing resources (e.g. multiple cryptographic techniques towards providing
networks, servers, storage devices and services) that can be cryptographic cloud storage have been proposed in [9].
rapidly provisioned and released with minimal management Infrastructure as a Service (IaaS) refers to the sharing of
effort or service provider interaction [4]. In such an hardware resources for executing services, typically using
*Corresponding Author
virtualization technology. Potentially, with IaaS approach,
multiple users use available resources. The resources can • Virtualization: It has been the underlying concept
easily be scaled up depending on the demand from user and towards such a huge rise of cloud computing in the
they are typically charged on a pay-per-use basis [10]. They modern era. The term refers to providing an
are all virtual machines, which need to be managed. Thus a environment that is able to render all the services,
governance framework is required to control the creation and supported by a hardware that can be observed on a
usage of virtual machines. This also helps to avoid personal computer, to the end users [15]. The three
uncontrolled access to user’s sensitive information. existing forms of virtualization categorized as:
Server virtualization, Storage virtualization and
Irrespective of the above mentioned service models, cloud Network virtualization, have inexorably led to the
services can be deployed in four ways depending upon the evolution of Cloud computing. For example, a
customers’ requirements: number of underutilized physical servers may be
consolidated within a smaller number of better
• Public Cloud: A cloud infrastructure is provided to utilized severs [16].
many customers and is managed by a third party
[11]. Multiple enterprises can work on the • Web Service and SOA: Web services provided
infrastructure provided, at the same time. Users can services over the web using technologies like XML,
dynamically provision resources through the internet Web Services Description Language (WSDL),
from an off-site service provider. Wastage of Simple Object Access Protocol (SOAP), and
resources is checked as the users pay for whatever Universal Description, Discovery, and Integration
they use. (UDDI). The service organisation inside a cloud is
managed in the form of Service Oriented
• Private Cloud: Cloud infrastructure, made available Architecture (SOA) and hence we can define SOA
only to a specific customer and managed either by as something that makes use of multiple services to
the organization itself or third party service provider perform a specific task [17].
[11]. This uses the concept of virtualization of
machines, and is a proprietary network. • Application Programming Interface (API): Without
APIs it is hard to imagine the existence of cloud
• Community cloud: Infrastructure shared by several computing. The whole bunch of cloud services
organizations for a shared cause and may be depend on APIs and allow deployment and
managed by them or a third party service provider. configuration through them. Based on the API
• Hybrid Cloud: A composition of two or more cloud category used viz. control, data and application,
deployment models, linked in a way that data different functions of APIs are invoked and services
transfer takes place between them without affecting are rendered to the users accordingly.
each other. • Web 2.0 /Mash-up: Web 2.0 has been defined as a
Moreover, with the technological advancements, we can see technology that enables us to create web pages and
derivative cloud deployment models emerging out of the allows the users to interact and collaborate as
various demands and the requirements of users. A virtual- creators of user generated content in a virtual
private cloud is one such case wherein a public cloud is used community [18, 19]. It enables the usage of World
in a private manner, connected to the internal resources of the Wide Web technology towards a more creative and
customer’s data-centre [12]. With the emergence of high-end a collaborative platform [20]. Mash-up is a web
network access technologies like 2G, 3G, Wi-Fi, Wi-Max etc. application that combines data from more than one
and feature phones, a new derivative of cloud computing has source into a single integrated storage tool [21].
emerged. This is popularly referred to as “Mobile Cloud
Computing (MCC)”. It can be defined as a composition of These were the few technological advances that led to the
mobile technology and cloud computing infrastructure where emergence of Cloud Computing and enabled a lot of service
data and the related processing will happen in the cloud only providers to provide the customers a hassle free world of
with an exception that they can be accessed through a mobile virtualization fulfilling all their demands. The prominent ones
device and hence termed as mobile cloud computing [13] as are: Amazon-EC2 [22, 23] (Elastic Compute Cloud), S3 [22]
shown in Fig. 1. It is becoming a trend now-a-days and many (Simple Storage Service), SQS (Simple Queue Service), CF
organizations are keen to provide accessibility to their (Cloud Front), SimpleDB, Google, Microsoft Windows-Azure
employees to access office network through a mobile device [23], ProofPoint, RightScale, Salesforce.com, Workday, Sun
from anywhere. Microsystems etc. and each of them are categorised either as
one of the three main classifications based on the cloud
Recent technical advancements including the emergence of structure they provide: private, public and hybrid cloud. Each
HTML5 and various other browser development tools have of the above mentioned cloud structure has its own limitations
only increased the market for mobile cloud-computing. An and benefits.
increasing trend towards the feature-phone adoption [13] has
also ramped up the MCC market.
Cloud Computing distinguishes itself from other computing
paradigms like grid computing, global computing, and internet
computing in various aspects of on demand service provision,
user centric interfaces, guaranteed QoS (Quality of Service),
and autonomous system [14] etc. A few state of the art
techniques that contribute to cloud computing are:
Fig 1: A Mobile Cloud Computing Scenario
Data Storage Uses homomorphic token with 1. Supports dynamic operations on The security in case of dynamic
security [48] distributed verification of erasure-coded data blocks such as: update, delete data storage has been considered.
data towards ensuring data storage and append without data corruption However, the issues with fine-
security and locating the server being and loss. grained data error location remain to
attacked. 2. Efficient against data modification be addressed.
and server colluding attacks as well as
against byzantine failures.
User identity Uses active bundles scheme, whereby Does not need trusted third party Active bundle may not be executed
safety in cloud predicates are compared over encrypted (TTP) for the verification or approval at all at the host of the requested
computing data and multiparty computing. of user identity. Thus the user’s service. It would leave the system
identity is not disclosed. The TTP vulnerable. The identity remains a
remains free and could be used for secret and the user is not granted
other purposes such as decryption. permission to his requests.
Trust model 1. Separate domains for providers and 1. Helps the customers to avoid Security in a very large scale cross
for users, each with a special trust agent. malicious suppliers. cloud environment is an active
interoperability 2. Different trust strategies for service 2. Helps the providers to avoid issue. This present scheme is able to
and security in providers and customers. cooperating/serving malicious users. handle only a limited number of
cross cloud 3. Time and transaction factors are security threats in a fairly small
[81] taken into account for trust assignment. environment.
Virtualized 1. Uses a hierarchy of DHT-based Extensive use of virtualization for The proposed model is in its early
defence and overlay networks, with specific tasks to securing clouds. developmental stage and needs
reputation be performed by each layer. further simulations to verify the
based trust 2. Lowest layer deals with reputation performance.
management aggregation and probing colluders. The
highest layer deals with various attacks.
Secure 1. Idea of an Advanced Cloud A virtualized network is prone to System performance gets
virtualization Protection system (ACPS) to ensure the different types of security attacks that marginally degraded and a small
[83] security of guest virtual machines and can be launched by a guest VM. An performance penalty is encountered.
of distributed computing middleware is ACPS system monitors the guest VM This acts as a limitation towards the
proposed. without being noticed and hence any acceptance of an ACPS system.
2. Behaviour of cloud components can suspicious activity can be blocked and
be monitored by logging and periodic system’s security system notified.
checking of executable system files.
Safe, virtual Cloud Providers have been suggested to Ensures the identification of If the adversary gets to know the
network in obscure the internal structure of their adversary or the attacking party and location of the other VMs, it may
cloud services and placement policy in the helping us find a far off place for an try to attack them. This may harm
environment cloud and also to focus on side-channel attacking party from its target and the other VMs in between.
[81] risks in order to reduce the chances of hence ensuring a more secure
information leakage. environment for the other VMs.
Every cloud service provider has installed various security Hence, there is a need to ensure that security against the
measures depending on its cloud offering and the architecture. virtual threats should also be maintained by adopting the
Their security model largely depends upon the customer methodologies such as: checking the virtual machines
section being served, type of cloud offering they provide and connected to the host system and constantly monitoring their
the deployment models they basically implement as discussed activity, securing the host computers to avoid tampering or
in [107]. file modification when the virtual machines are offline,
preventing attacks directed towards taking control of the host
One of the security measures implemented by SalesForce.com system or other virtual machines on the network etc.
to avoid unauthorized access to its platform is sending a Detecting unauthorized access in a cloud using tenant profiles
security code to the registered customer every-time the same can be performed as per the techniques mentioned in [111]. It
account is accessed from same or different IP-address and the has been assumed that the usage patterns in virtual machines
user needs to provide the security code at the time of logging in a cloud computing environment can be used to detect
in, in order to prove his/her identity [108]. intrusions through abnormal usage. The recorded usage
It is equally important to secure the data-in-transit and patterns over a period of time can be compared with the
security of transmitted data can be achieved through various expected usage patterns which have already been provided by
encryption and decryption schemes. Steganography is another the tenants and deviations in case of unauthorized access can
such technique which can be used to hide confidential be detected.
information within a plain text, image, audio/video files or A security model wherein a dedicated monitoring system
even IP datagrams in a TCP/IP network. A detailed analysis of tracking data coming in and out of a virtual machine/machines
various steganographic techniques and their application using in a virtualized environment on a hypervisor can be presented
different cover media has been done in [109]. as shown below:
Security issues in a virtualized environment wherein a
malicious virtual machine tries to take control of the
hypervisor and access the data belonging to other VMs have
been observed and since traffic passing between VMs does
not travel out into the rest of the data-centre network it cannot
be seen by regular network based security platforms [110].
[17] Youseff, L; Butrico, M; Da Silva, D., “Toward a [29] George V. Hulme, “NIST formalizes cloud computing
Unified Ontology of Cloud Computing”, Grid definition, issues security and privacy guidance”, Feb.
Computing Environments Workshop, pp. 1-10, Nov, 3, 2011 [A common platform enabling security
2008, Austin, Texas. executives to share best security practices and strategic
DOI: 10.1109/GCE.2008.4738443 insights].
http://www.csoonline.com/article/661620/nist-
[18] James Governor, “Web 2.0 Architectures: What formalizes-cloud-computing-definition-issues-
Entrepreneurs and Information Architects Need to security-and-privacy-guidance.
Know by James Governor”, May 15, 2009; O’Reilly;
ISBN-13: 978-0596514433. [30] Julisch, K., & Hall, M., “Security and control in the
cloud”, Information Security Journal: A Global
[19] Amy Shuen, “Web 2.0: A Strategy Guide: Business Perspective, vol. 19, no. 6, pp. 299-309, 2010.
thinking and strategies behind successful Web 2.0
implementations”, O'Reilly Media; 1st edition; Apr 30, [31] Chi-Chun Lo, Chun-Chieh Huang, Joy Ku, “A
2008; ISBN-13: 978-0596529963. Cooperative Intrusion Detection System Framework
for Cloud Computing Networks”, ICPPW ’10
[20] Sam Murugesan, “Understanding Web 2.0”, IEEE Proceedings of the 2010 39th International
Computer Society, pp. 34-41. July-Aug, 2007. Conference on Parallel Processing Workshops, IEEE
http://91-592- Computer Society, pp. 280-284, Washington DC,
722.wiki.uml.edu/file/view/understanding_web_20.pdf USA, 2010. ISBN: 978-0-7695-4157-0.
[21] Antero Taivalsaari, “Mashware: The Future of Web [32] Hamid R. Motahari-Nezhad, Claudio Bartolini, Sven
Applications”, Technical Report, Feb 2009. Graupner, Sharad Singhal, Susan Spence, “IT Support
http://labs.oracle.com/techrep/2009/smli_tr-2009- Conversation Manager: A Conversation-Centered
181.pdf Approach and Tool for Managing Best Practice IT
DOI: 10.1145/1878537.1878703 Processes”, Proceedings of the 2010 14th IEEE
International Enterprise Distributed Object Computing
[22] David Chappel, “A Short Introduction to Cloud Conference, pp. 247-256, October 25-29, 2010, ISBN:
Platforms: An Enterprise Oriented View”, David 978-1-4244-7966-5.
Chappel and Associates, August, 2008. [Sponsored by
Microsoft Corporation]
[33] L.J. Zhang and Qun Zhou, “CCOA: Cloud Computing [43] B. R. Kandukuri, R. V. Paturi and A. Rakshit, “Cloud
Open Architecture”, ICWS 2009: IEEE International Security Issues”, 2009 IEEE International Conference
Conference on Web Services, pp. 607-616. July 2009. on Services Computing, Bangalore, India, September
DOI: 10.1109/ICWS.2009.144. 21-25, 2009. In Proceedings of IEEE SCC'2009. pp.
517-520, 2009. ISBN: 978-0-7695-3811-2.
[34] Wayne Jansen, Timothy Grance, “NIST Guidelines on
Security and Privacy in Public Cloud Computing”, [44] Jessica T., “Connecting Data Centres over Public
Draft Special Publication 800-144, 2011. Networks”, IPEXPO.ONLINE, April 20, 2011.
http://csrc.nist.gov/publications/drafts/800-144/Draft- http://online.ipexpo.co.uk/2011/04/20/connecting-
SP-800-144_cloud-computing.pdf. data-centres-over-public-networks/
[35] Jon Marler, “Securing the Cloud: Addressing Cloud [45] Cong Wang, Kui Ren, Wenjing Lou, Jin Li, “Towards
Computing Security Concerns with Private Cloud”, Publicly Auditable Secure Cloud Storage Services”,
Rackspace Knowledge Centre, March 27, 2011, IEEE Networks, pp. 19-24, vol. 24, issue. 4, July,
Article Id: 1638. 2010.
http://www.rackspace.com/knowledge_center/private- DOI: 10.1109/MNET.2010.5510914
cloud/securing-the-cloud-addressing-cloud-computing- [46] H. Liang, D. Huang, L. X. Cai, X. Shen and D. Peng,
security-concerns-with-private-cloud “Resource allocation for security services in mobile
[36] Frederik De Keukelaere, Sumeer Bhola, Michael cloud computing”, in Proc. IEEE INFOCOM’11,
Steiner, Suresh Chari, Sachiko Yoshihama, “Smash: Machine-to-Machine Communications and
secure component model for cross-domain mashups on Networking (M2MCN), pp. 191-195, April 10-15,
unmodified browsers”, Proc. of the 17th International 2011, Shanghai, China.
Conference on World Wide Web, ACM, NY, USA, [47] Martin Mulazzani, Sebastian Schrittwieser, Manuel
2008, ISBN: 978-1-60558-085-2, DOI: Leithner, Markus Huber, Edgar Weippl, “Dark Clouds
10.1145/1367497.1367570. on the Horizon: Using Cloud Storage as Attack Vector
[37] Michael Armbrust, Armando Fox, Rean Griffith, and Online Slack Space”, Proceedings of the 20th
Anthony D. Joseph, Randy Katz, Andy Konwinski, USENIX conference on Security, Berkley, USA, 2011.
Gunho Lee, David Petterson, Ariel Rabkin, Ion Stoica, [48] Cong Wang, Qian Wang, Kui Ren, and Wenjing Lou,
Matei Zaharica, “A View of Cloud Computing”, “Ensuring Data Storage Security in Cloud
Communications of the ACM, vol. 53, issue. 4, April Computing”, 17th International workshop on Quality
2010, USA. of Service,2009, IWQoS, Charleston, SC, USA, pp.1-
DOI: 10.1145/1721654.1721672 9, July 13-15, 2009, ISBN: 978-1-4244-3875-4.
[38] Neal Leavitt, “Is Cloud Computing Really Ready for [49] W. Li, L. Ping, X. Pan, “Use trust management
Prime Time?” Computer, vol. 42, issue. 1, pp. 15-20, module to achieve effective security mechanisms in
IEEE Computer Society, CA, USA, January 2009. cloud environment”, 2010 International Conference
ISSN: 0018-9162. on Electronics and Information Engineering (ICEIE),
Volume: 1, pp. V1-14 - V1-19, 2010.
[39] Robert Minnear, “Latency: The Achilles Heel of
DOI: 10.1109/ICEIE.2010.5559829.
Cloud Computing”, March 9, 2011, Cloud Expo:
Article, Cloud Computing Journal. [50] R. A. Vasudevan, A. Abraham, S.Sanyal, D.P.
http://cloudcomputing.sys- con.com/node/1745523. Agarwal, “Jigsaw-based secure data transfer over
computer networks”, Int. Conference on Information
[40] Daniele Catteddu, Giles Hogben, “Cloud Computing:
Technology: Coding and Computing, pp. 2-6, vol.1,
Benefits, Risks and Recommendations for Information
April, 2004.
Security”, European Network and Information
Security Agency (ENISA), Nov, 2009. [51] R. A. Vasudevan, S. Sanyal, “A Novel Multipath
http://www.enisa.europa.eu/act/application- Approach to Security in Mobile Ad Hoc Networks
security/test/act/rm/files/deliverables/cloud- (MANETs)”, Int. Conference on Computers and
computing-risk-assessment Devices for Communication, CODEC’04, Kolkata,
India.
[41] Marios D. Dikaiakos, Dimitrios Katsaros, Pankaj
Mehra, George Pallis, Athena Vakali, “Cloud [52] Jeff Sedayao, Steven Su, Xiaohao Ma, Minghao Jiang
Computing: Distributed Internet Computing for IT and and Kai Miao, “A Simple Technique for Securing Data
Scientific Research”, IEEE Internet Computing at Rest”, Lecture Notes in Computer Science, pp. 553-
Journal, vol. 13, issue. 5, pp. 10-13, September 2009. 558, 2009.
DOI: 10.1109/MIC.2009.103. DOI: 10.1007/978-3-642-10665-1_51
[42] Michael Kretzschmar, S Hanigk, “Security [53] Yogesh L. Simmhan, Beth Plale, Dennis Gannon, “A
management interoperability challenges for Survey of Data Provenance Techniques”, ACM
collaborative clouds”, Systems and Virtualization SIGMOD, vol. 34, issue. 3, Sep, 2005, NY, USA.
Management (SVM), 2010, Proceedings of the 4th DOI: 10.1145/1084805.1084812
International DMTF Academic Alliance Workshop on
Systems and Virtualization Management: Standards [54] P. R. Gallagher, “Guide to Understanding Data
and the Cloud, pp. 43-49, October 25-29, 2010. ISBN: Remanence in Automated Information Systems”, The
978-1-4244-9181-0, Rainbow Books, ch3 and ch.4, 1991.
DOI: 10.1109/SVM.2010.5674744.
[55] Larry Dignan (Editor in Chief- ZDNet), “Epsilon Data Framework for Cloud-Oriented Service Mashup”, Int.
Breach: What’s the value of an email address”, IT Conf on Trust, Security and Privacy in Computing and
Security Blogs, Tech Republic, April 5, 2011. Communications (TrustCom), pp. 304-311, Nov,
http://www.techrepublic.com/blog/security/epsilon- 2011.
data-breach-whats-the-value-of-an-email-address/5307 DOI: 10.1109/TrustCom.2011.41
[56] Farzad Sabahi, “Secure Virtualization for Cloud [67] Adam A Noureddine, Meledath Damodaran, “Security
Environment Using Hypervisor-based Technology”, in Web 2.0 Application Development”, iiWAS '08,
Int. Journal of Machine Learning and Computing, pp. Proc. of the 10th International Conference on
39-45, vol. 2, no. 1, February, 2012. Information Integration and Web-based Applications
& Services, pp. 681-685, 2008, ISBN: 978-1-60558-
[57] David Goldman, “Why Amazon’s Cloud Titanic Went 349-5, DOI: 10.1145/1497308.1497443.
Down”, CNNMoney, April, 2011.
http://money.cnn.com/2011/04/22/technology/amazon [68] Justin Clarke; SQL Injection Attacks and Defense;
_ec2_cloud_outage/index.htm Syngress 2009; ISBN-13: 978-159749424.
[58] Rory Smith (SOC Analyst), “The Use of Legitimate [69] A. Liu, Y. Yuan, A Stavrou, “SQLProb: A Proxy-
Channels to distribute malicious software to Users”, based Architecture towards Preventing SQL Injection
Security Samurai, Aug. 2, 2011. Attacks”, SAC March 8-12, 2009, Honolulu, Hawaii,
http://www.thesecuritysamurai.com/2011/08/02/the- U.S.A.
use-of-legitimate-channels-to-distribute-malicious-
software-to-users-by-rory-smith-soc-analyst/ [70] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C.
Kruegel, and G. Vigna, “Cross-Site Scripting
[59] Thomas Ristenpart, Eran Tromer, Hovav Shacham, Prevention with Dynamic Data Tainting and Static
Stefan Savage, “Hey, you get off my cloud: Exploring Analysis”, Proceedings of the Network and Distributed
information leakage in third party compute clouds”, System Security Symposium (NDSS’07), February,
CCS’09, Proceedings of the 16th ACM conference. On 2007.
Computer and Communications Security, pp. 199-212,
ACM New York, NY, USA, 2009. ISBN: 978-1- [71] D. Gollmann, “Securing Web Applications”,
60558-894-0. Information Security Technical Report, vol. 13, issue.
[60] Michael Krigsman, “MediaMax/The Linkup: When 1, 2008, Elsevier Advanced Technology Publications
the Cloud fails”, IT Project Failures, News and Blogs, Oxford, UK, DOI: 10.1016/j.istr.2008.02.002.
ZDNet, August, 2008. [72] Ter Louw, M; Venkatakrishnan, V. N.; “BluePrint:
http://www.zdnet.com/blog/projectfailures/mediamax- Robust Prevention of Cross-Site scripting attacks for
the-linkup-when-the-cloud-fails/999 existing browsers”, 30th IEEE Symposium on Security
[61] K. Hwang, S Kulkarni and Y. Hu, “Cloud security and Privacy, pp. 331-346, May, 2009.
with virtualized defence and Reputation-based Trust DOI: 10.1109/SP.2009.33
management”, Proceedings of 2009 Eighth IEEE [73] Jonathan Katz, “Efficient Cryptographic Protocols
International Conference on Dependable, Autonomic Preventing Man in the Middle Attacks”, Doctoral
and Secure Computing (security in cloud computing), Dissertation submitted at Columbia University, 2002,
pp. 621-628, Chengdu, China, December, 2009. ISBN: ISBN: 0-493-50927-5.
978-0-7695-3929-4. http://www.cs.ucla.edu/~rafail/STUDENTS/katz-
[62] Ryan K.L.Ko, Bu Sung Lee and Siani Pearson, thesis.pdf /
“Towards Achieving Accountability, Auditability and [74] Eric Ogren, “Whitelists SaaS modify traditional
Trust in Cloud Computing”, Communications in security, tackle flaws”, Sep. 17, 2009. [Eric Ogren is
Computer and Information Science, Vol. 193(4), pp. the founder and principal security analyst at Ogren
432-444, 2011. Group]
DOI: 10.1007/978-3-642-22726-4_45 http://searchsecurity.techtarget.com/news/column/0,29
[63] S. Subashini, V. Kavitha, “A survey on security issues 4698,sid14_gci1368647,00.html/
in service delivery models of cloud computing”, [75] Gurdev Singh, Amit Sharma, Manpreet Singh Lehal,
Journal of Network and Computer Applications, Vol. “Security Apprehensions in Different Regions of
34(1), pp 1–11, Academic Press Ltd., UK, 2011, ISSN: Cloud Captious Grounds”, International Journal of
1084-8045. Network Security & Its Applications (IJNSA), Vol.3,
[64] “Amazon Web Services: Overview of Security No.4, July 2011.
Processes”, Whitepaper, May, 2011. [76] Char Sample, Senior Scientist, BBN Technologies,
http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Securi Diana Kelley, Partner, Security Curve, “Cloud
ty_Whitepaper.pdf computing security: Routing and DNS security
[65] Pradnyesh Rane, “Securing SaaS Applications: A threats”.
Cloud Security Perspective for Application Providers”, http://searchsecurity.techtarget.com/tip/0,289483,sid14
Information Security Management Handbook, Vol. 5, _gci1359155_mem1, 00.html/
2010. [77] Zouheir Trabelsi, Hamza Rahmani, Kamel Kaouech,
http://www.infosectoday.com/Articles/Securing_SaaS Mounir Frikha, “Malicious Sniffing System Detection
_Applications.htm Platform”, Proceedings of the 2004 International
[66] Ruixuan Li, Li Nie, Xiaopu Ma, Meng Dong, Wei Symposium on Applications and the Internet
Wang, “SMEF: An Entropy Based Security (SAINT'04), pp. 201-207, 2004, ISBN: 0-7695-2068-
5.
[78] Josh Karlin, Stephanie Forrest, Jennifer Rexford, [89] Claudio Mazzariello, Roberto Bifulco and Roberto
“Autonomous Security for Autonomous Systems”, Canonico, “Integrating a Network IDS into an Open
Proc. of Complex Computer and Communication Source Cloud Computing Environment”, Sixth
Networks; vol. 52, issue. 15, pp. 2908- 2923, Oct. International Conference on Information Assurance
2008, Elsevier North-Holland, Inc. New York, NY, and Security, USA, pp. 265-270, Aug. 23-25, 2010.
USA. DOI: 10.1109/ISIAS.2010.5604069.
[79] Scalable Security Solutions, Check Point Open [90] D. Nurmi, R. Wolski, C. Grzegorczyk, G. Obertelli, S.
Performance Architecture, Quad-Core Intel Xeon Soman, L. Youseff, and D. Zagorodnov, “The
Processors, “Delivering Application-Level Security at Eucalyptus open-source cloud-computing system”, in
Data Centre Performance Levels”, Intel Corporation, Proceedings of the 9th IEEE/ACM International
Whitepaper, 2008. Symposium on Cluster Computing and the Grid
http://download.intel.com/netcomms/technologies/secu (CCGRID ’09), pp. 124–131, 2009.
rity/320923.pdf
[91] John E. Dunn, “Spammers break Hotmail’s
[80] Shengmei Luo, Zhaoji Lin, Xiaohua Chen, Zhuolin CAPTCHA yet again”, Tech-world, Feb. 16, 2009.
Yang, Jianyong Chen, “Virtualization security for http://news.techworld.com/security/110908/spammers-
cloud computing services”, Int. Conf on Cloud and break-hotmails-captcha-yet-again/
Service Computing, pp. 174-179, Dec, 2011. [92] Albert B Jeng, Chien Chen Tseng, Der-Feng Tseng,
DOI: 10.1109/CSC.2011.6138516 Jiunn-Chin Wang, “A Study of CAPTCHA and its
Application to User Authentication”, Proc. Of 2nd Intl.
[81] Shantanu Pal, Sunirmal Khatua, Nabendu Chaki, Conference on Computational Collective Intelligence:
Sugata Sanyal, “A New Trusted and Collaborative Technologies and Applications, 2010.
Agent Based Approach for Ensuring Cloud ISBN: 3-642-16731-4 978-3-642-16731-7
Security”, Annals of Faculty Engineering Hunedoara
International Journal of Engineering (Archived copy), [93] Cui, JingSong; Wang, LiJing; Mei,
scheduled for publication in vol. 10, issue 1, January JingTing; Zhang, Da; Wang, Xia; Peng,
2012. ISSN: 1584-2665. Yang; Zhang, WuZhou; “CAPTCHA design based
on moving object recognition problem”, Intl.
[82] Jenni Susan Reuben, “A Survey on Virtual Machine Conference on Information Sciences and Interaction
Security”, Seminar of Network Security, Helsinki Sciences, pp. 158-162, June, 2010, China.
University of Technology, 2007. DOI: 10.1109/ICICIS.2010.5534730
http://www.tml.tkk.fi/Publications/C/25/papers/Reube
n_final.pdf?q=attacks-on-virtual-machine-emulators [94] V. Kumar, M. Singh, A. Abraham, S. Sanyal,
“CompChall: addressing password guessing attacks”,
[83] Flavio Lombardi, Roberto Di Pietro, “Secure Int. Conference on Information Technology: Coding
Virtualization for Cloud Computing”, Journal of and Computing, pp. 739-744, vol. 1, April, 2005.
Network and Computer Applications, vol. 34, issue 4,
pp. 1113- 1122, July 2011, Academic Press Ltd. [95] Kellep Charles, “Google’s Gmail Hacked by China
London, UK. Again”, SecurityOrb, The Information Security
knowledge-Base Website, June 2, 2011.
[84] Hanqian Wu, Yi Ding, Winer, C., Li Yao, “Network http://securityorb.com/2011/06/googles-gmail-hacked-
Security for Virtual Machines in Cloud Computing”, by-china-again/
5th Int’l Conference on Computer Sciences and
Convergence Information Technology, pp. 18-21, [96] Ningning Zhu, Tzi-cker Chiueh, “Portable and
Seoul, Nov. 30-Dec. 2, 2010. ISBN: 978-1-4244-8567- Efficient Continuous Data Protection for Network File
3. Servers”, Intl. Conference on Dependable Systems and
Networks, pp. 687-697, Edinburg, June, 2007.
[85] K. Vieira, A. Schulter, C. B. Westphall, and C. M. DOI: 10.1109/DSN.2007.74
Westphall, “Intrusion detection techniques for Grid
and Cloud Computing Environment”, IT Professional, [97] A. Verma and S. Kaushal, “Cloud Computing Security
IEEE Computer Society, vol. 12, issue 4, pp. 38-43, Issues and Challenges: A Survey”, Proceedings of
2010. DOI: 10.1109/MITP.2009.89. Advances in Computing and Communications, Vol.
193, pp. 445-454, 2011.
[86] Ian Rathie, “An Approach to Application Security”, DOI: 10.1007/978-3-642-22726-4_46
SANS Security Essentials White Paper, SANS
Institute. [98] P. Sharma, S. K. Sood, and S. Kaur, “Security Issues
http://www.sans.org/reading_room/whitepapers/applic in Cloud Computing”, Proceedings of High
ation/approach-application-security_16 Performance Architecture and Grid Computing, Vol.
169, pp. 36-45, 2011.
[87] Ruiping Lua and Kin Choong Yow, “Mitigating DDoS DOI: 10.1007/978-3-642-22577-2_5
Attacks with Transparent and Intelligent Fast-Flux
Swarm Network”, IEEE Network, vol. 25, no. 4, pp. [99] Sudharsan Sundararajan, Hari Narayanan, Vipin
28-33, July-August, 2011. Pavithran, Kaladhar Vorungati, Krishnashree
Achuthan, “Preventing Insider attacks in the Cloud”,
[88] Nathan Mcfeters, “Recent CNN Distributed Denial of Communications in Computer and Information
Service (DDoS) Attack Explained”, ZDNet, April, Science, vol. 190, issue. 5, pp. 488-500, 2011.
2008. DOI: 10.1007/978-3-642-22709-7_48
http://www.zdnet.com/blog/security/recent-cnn-
distributed-denial-of-service-ddos-attack-
explained/1054
[100] Thomas W. Shinder, “Security Issues in Cloud pp. 85-90, USA, November, 2009. ISBN: 978-1-
Deployment models”, TechNet Articles, Wiki, 60558-784-4.
Microsoft, Aug, 2011.
http://social.technet.microsoft.com/wiki/contents/articl [111] Jason Nikolai, “Detecting Unauthorized Usage in a
es/security-issues-in-cloud-deployment-models.aspx Cloud using Tenant Profiles”.
http://www.homepages.dsu.edu/malladis/teach/717/Pa
[101] E. Mathisen, “Security Challenges and Solutions in pers/nikolai.pdf
Cloud Computing”, Proceedings of the 5th IEEE
International Conference on Digital Ecosystems and [112] Craig Balding, “GoGrid Security Breach”,
Technologies (DEST), pp. 208-212, June, 2011, ISBN: cloudsecurity.org, March 30, 2011.
978-1-4577-0871-8, DOI: http://cloudsecurity.org/blog/2011/03/30/gogrid-
10.1109/DEST.2011.5936627. security-breach.html
[102] Alessandro Perilli, Claudio Criscione, “Securing the [113] Czaroma Roman, “Sony Data Breach Highlights
Private Cloud”, Article on Secure Networks, Importance of Cloud Security”, Cloud Times, May 9,
Virtualization.info. 2011.
http://virtualization.info/en/security/privatecloud.pdf http://cloudtimes.org/sony-data-breach-highlights-
importance-of-cloud-security/
[103] Sato, H; Kanai, A; Tanimoto, S; “A Cloud Trust
Model in a Security Aware Cloud”, Intl. Symposium [114] Hiroshi Wada, Alan Fekete, Liang Zhao, Kevin Lee,
on Applications and the Internet (SAINT), pp. 121-124, Anna Liu, “Data Consistency Properties and the
July, 2010, Seoul. Trade-offs in Commercial Cloud Storages : The
Consumers’ Perspective”, Proc. of the 5th Biennial
[104] Ayu Tiwari, Sudip Sanyal, Ajith Abraham, Svein Conference on Innovative Data Systems Research
Johan Knapskog, Sugata Sanyal, “A Multi-Factor (CIDR '2011), Asilomar, CA, January 2011.
Security Protocol for Wireless Payment – Secure Web
Authentication Using Mobile Devices”, IADIS, [115] J. Weinman, “The Future of Cloud Computing”, IEEE
International Conference Applied Computing, pp. 160- Technology Time Machine Symposium on
167, 2007. Technologies Beyond 2020 (TTM), pp. 1-2, June,
2011.
[105] Tao Peng, Christopher Leckie, Kotagiri DOI: 10.1109/TTM.2011.6005157
RamMohanRao, “Survey of Network Based Defense
Mechanisms Countering the DoS and DDoS
Problems”, ACM Computing Surveys, vol. 39, no. 1,
April, 2007.
DOI: 10.1145/1216370.1216373
[106] Qishi Wu, Sajjan Shiva, Sankardas Roy, Charles Ellis,
Vivek Datla, “On Modelling and Simulation of game-
theory based defense mechanisms against DoS and
DDoS attacks”, Proceedings of 2010 Spring
Simulation Multiconference, NY, USA, 0032010.
DOI: 10.1145/1878537.1878703
[107] Amitav Chakravartty, Serena Software, “Serena
Service Manager Security in the Cloud”.
http://www.serena.com/docs/repository/products/servi
ce-manager/Serena-Service-Manager-Security-in-the-
Cloud.pdf
[108] Security and Privacy policies of sales-force.com,
“Secure, Private and Trustworthy: Enterprise Cloud
Computing with Force.com”.
http://www.salesforce.com/assets/pdf/misc/WP_Force
dotcom-Security.pdf
http://trust.salesforce.com/trust/security/best_practices
/
http://trust.salesforce.com/trust/privacy/tools/
[109] Soumyendu Das, Subhendu Das, Bijoy
Bandopadhyay, Sugata Sanyal, “Steganography and
Staganalysis: Different Approaches”, Int. Journal of
Computers, Information Technology and Engineering
(IJCITAE), vol.2, no.1, June, 2008.
[110] Richard Chow, Philippe Golle, Markus Jakobsson,
Elaine Shi, Jessicca Staddon, Ryusuke Masuoka, Jesus
Molina, “Controlling Data in the Cloud: Outsourcing
Computation without Outsourcing Control”, Proc. of
the ACM Workshop on Cloud Computing Security,