State-of-the-art Cloud Computing Security Taxonomies ±

A classification of security challenges in the present cloud

computing environment
Madhan Kumar Srinivasan K Sarukesi Paul Rodrigues
Infosys Limited Hindustan University Hindustan University
Mysore, India Chennai, India Chennai, India
madhankrs@gmail.com vc@hindustanuniv.ac.in drpaulprof@gmail.com

Sai Manoj M Revathy P

IIITMK Infosys Limited
Trivandrum, India Mysore, India
saimanoj30@gmail.com revamadhankr@gmail.com

ABSTRACT
Cloud computing has taken center stage in the present business
scenario due to its pay-as-you-use nature, where users need not
bother about buying resources like hardware, software,
infrastructure, etc. permanently. As much as the technological
benefits, cloud computing also has risks involved. By looking at
its financial benefits, customers who cannot afford initial
investments, choose cloud by compromising on the security
concerns. At the same time due to its risks, customers ± relatively
majority in number, avoid migration towards cloud. This paper
analyzes the current security challenges in cloud computing
environment based on state-of-the-art cloud computing security
taxonomies under technological and process-related aspects.
Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection ± access
controls, authentication, cryptographic controls, information flow
controls, security kernels, verification.
K.6.5 [Management of Computing and Information Systems]:
Security and Protection ± authentication, physical security,
unauthorized access.
1. INTRODUCTION
Cloud computing is rapidly transforming the way organizations
view their IT resources. From a scenario of a single system
consisting of single operating system and single application,
organizations are moving into cloud computing where resources
are available in abundance and the user has a wide range to
choose from. In cloud computing, the end-users need not know
the details of a specific technology while hosting their application,
as the service is completely managed by the cloud service
provider (CSP). Users can consume services at a rate that is set by
their particular needs. This on-demand service can be provided
any time. CSP takes care of all the necessary complex operations
on behalf of the user. It provides the complete system which
allocates the required resources for execution of user applications
and management of the entire system flow. Figure 1, depict the
visual representation of the architecture of cloud computing.

General Terms
Security, Standardization, Verification, Management.

Keywords
Cloud computing, cloud security, state-of-the-art cloud computing
security taxonomies, logical storage segregation, multi-tenancy,
malicious insider, identity management, virtualization, hypervisor
vulnerabilities, cloud API, cloud migration, SLA.

Permission to make digital or hard copies of part or all of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. Copyrights
for components of this work owned by others than ACM must be
honored. Abstracting with credit is permitted. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior Figure 1. Cloud Computing Architecture.
specific permission and/or a fee.

ICACCI '12, August 03 - 05 2012, CHENNAI, India There are many benefits of cloud computing. Cost optimization
Copyright 2012 ACM 978-1-4503-1196-«. among them is the frontrunner, since you pay as you go. The

470
other benefits are increased mobility, ease of use, portability of
application, etc. This means users can access information
anywhere easily.
As per International Data Corporation (IDC) reports [1] ³7KH
proliferation of devices, compliance, improved systems
performance, online commerce and increased replication to
secondary or backup sites is contributing to an annual doubling of
the amount of information transmitted over the InterQHW´7KHFRVt
of handling the huge amount of data is something that every
organization must address. Considering the present rising
economy, organizations are looking at cost saving measures.
Among all, the best part of cloud computing is that it provides
more flexibility than its previous counterparts.
Having recognized two major benefits of cloud computing are
lower cost service and ease of use, it also has significant security
issues and challenges in many aspects. It is important to
understand and address these security gaps by taking into account
the user privacy, sensitivity of data in critical enterprise
applications when it gets deployed in cloud, especially in public
2.2.2 Broad Network Access
The deployed customer application must be available to the end-
users in heterogeneous environment i.e. thin or thick client
platforms (e.g., mobile phones, tablets, laptops, and workstations).
2.2.3 Resource Pooling
&63¶V DUH UHVSRQVLEOH for serving multiple customers by
sharing/pooling their resources in a multi-tenant model while
keeping customers away from location transparency concerns
(through appropriate mapping mechanisms between physical or
virtual machines).
2.2.4 Rapid Elasticity
As promised E\ µSD\-as-you-use¶ model computing, customers
should be able to scale-up and scale-down the available features
on an on-demand basis automatically.
2.2.5 Measured Service
Based on the dynamic decisions taken by the customers while
accessing/using the cloud services (example, switching between
GLIIHUHQW VFKHPHV RI &63¶V RIIHULQJV WKH V\VWHP VKRXOG WDNH
and hybrid cloud environments.
automatic control in providing appropriate services (to facilitate
In this paper, we have investigated the security challenges µcharge-per-use¶) as demanded by the customer without the
involved in cloud computing with respect to its architectural & involvement of CSP.
technological aspects, and process & regulatory related aspects.
2.3 Service Models
2. CLOUD COMPUTING Figure 3 elucidates the cloud reference model given by Cloud
PHYSIOGNOMIES AND MODELS Security Alliance (CSA) [3]. In general, there are three basic
designs of cloud computing models as described below:
2.1 Definition
Cloud computing [2] is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned
and released with minimal management effort or service provider
interaction with the following five essential characteristics. Figure
2 illustrates the holistic view of cloud computing environments
with its mandatory characteristics and different models.

Figure 2. Characteristics and Models.

2.2 Characteristics
2.2.1 On-demand Self-service Figure 3. Cloud Reference Model.
Customers should be capable of accessing/controlling
/provisioning their deployed application independently whenever
UHTXLUHGZLWKRXW&63¶VLQWHUYHQWLRQ Source: Security Guidance for Critical Areas of Focus in Cloud
Computing V2.1, Cloud Security Alliance

International Conference on Advances in Computing, Communications and Informatics (ICACCI-2012) 471

2.3.1 Infrastructure-as-a-Service (IaaS)
Required computational infrastructure resources like storage,
network, load balancers, virtual machines, etc. are provided to the
cloud user over Internet on-demand & rent (pay-as-you-use) basis.
In this model, customers need not maintain huge servers; they just
need to choose their required infrastructure using a web browser
and they will be provided with all sorts of hardware infrastructure
by CSP. Citrix, 3tera, vmware, HP, Dell, IBM etc. are example
IaaS vendors.
2.3.2 Platform-as-a-Service (PaaS)
This model provides a complete development environment to the
customers, which includes all phases of SDLC with an appropriate
support of APIs. PaaS facilitating a customer organization in
developing software applications without investing huge on
infrastructure which will be delivered to the users over Internet
on-demand & rent (pay-as-you-use) basis. Web servers,
application servers, development environment, runtime
environment, etc. are the example components with respect to
PaaS. In this model customers need not maintain underlying
infrastructure including maintaining server machines, cooling,
operating systems, storage, etc. Google AppEngine, force.com,
Microsoft Windows Azure, RedHat, etc. are example of PaaS
vendors.
2.3.3 Software-as-a-Service (SaaS)
Licensed application software(s) runs at CSP and customers can
access that software through thin clients (web browser, mobile,
etc.) on-demand & rent (pay-as-you-use) basis. Example
components with respect to SaaS are office suites (docs), online
games, email applications, online readers, online movie players,
etc. In this model, customers need not maintain heavy investment
on system configuration to run all these applications; they just
require Internet connection and a web browser. Salesforce.com,
Amazon, Zoho, Microsoft Dynamics CRM, Google, etc. are
example SaaS vendors.
Figure 4. CSP Vendors.
Figure 4 displays the some of the business vendors who provide
services in different cloud domains.
2.4 Deployment Models
Figure 5 demonstrates the different cloud deployment models and
the connections among them [3]. Irrespective of the service model
being used, based on the way end-users publish their application
in cloud, deployment models are categorized as follows:
2.4.1 Private Cloud
This kind of cloud setup is for the sole use of a single
company/organization and its customers. This setup may reside
472 International Conference on Advances in Computing, Communications and Informatics (ICACCI-2012)
inside or outside the customer premises. This cloud setup could be
controlled, maintained or maneuvered by a third party or the
organization itself or the combination of them.
Figure 5. Deployment Model ± Outline.
Source: Security Guidance for Critical Areas of Focus in Cloud
Computing V2.1, Cloud Security Alliance
2.4.2 Community Cloud
This kind of cloud setup is for sole use by a particular community
of consumers from organizations that have common views. This
setup may reside inside or outside the CSP premises. This cloud
setup could be controlled, maintained or maneuvered by a third
party or combination of the organizations itself.
2.4.3 Public Cloud
This kind of cloud setup is for open use by the general public i.e.
individuals or organizations. It resides on the premises of the CSP.
This cloud setup could be controlled, maintained or maneuvered
by different government organizations or corporate organizations
or academic institutions or combination of them to the extent
permitted by the CSP.
2.4.4 Hybrid Cloud
This cloud setup is a composition of two or more distinct and
unique cloud setup (private, community, or public) and is tied
together by standardized or registered technology that ensures and
allows data and application portability.
3. SECURITY CHALLENGES
Cloud computing attracts users with its great elasticity and
scalability of resources with an attractive tag line µpay-as-you-use¶
at relatively low prices. Compared to the construction of their own
infrastructures, customers are able to cut down on expenditure
significantly by migrating computation, storage and hosting onto
the cloud. Although this provides savings in terms of finance and
manpower, it brings with new security risks. Considering the
influence of cloud computing with respect to its business benefits
and technological transformations, the future enterprise
applications are going to be completely dependent on it. It has its
benefits; nevertheless it has numerous issues and challenges with
respect to the security aspects. There are many research
organizations, cloud vendors, product development enterprises
and academic research institutes working on various security
classifications of cloud computing and its solutions. This paper
analyses the current security challenges in cloud computing
environment based on state-of-the-art Cloud Computing Security
Taxonomies (T1 to T9) under the following two categories.
Category 1: Architectural & Technological aspects
T1. Logical storage segregation & multi-tenancy
security issues
T2. Identity management issues
T3. Insider attacks
T4. Virtualization issues
T5. Cryptography and key management
Category 2: Process & regulatory-related aspects
T6. Governance and regulatory compliance gaps
T7. Insecure APIs
T8. Cloud & CSP migration issues
T9. SLA & trust management gaps
3.1 Logical storage segregation & multi-
tenancy security issues
Using cloud computing, customers can store and deliver their data
(data, application, and database) across the globe through Internet.
The user (owner of the data) does not control, and typically
doesQ¶WHYHQNQRZWKHORFDWLRQZKHUHWKHGDWDLVVWRUHG'XHWR
the nature of cloud computing, there is a strong possibility that
customers¶ DQG WKHLU FRPSHWLWRUs' data can reside on the same
physical storage device with logical segregation [4]. Due to this
reason there is a high probability of one users¶ private data to be
viewed by the other users. If the data and the information are not
protected from other users then it is a major risk for the user to
keep their private information, bank account numbers, secret
codes, passwords, and so on in the cloud. In addition, the data is
GHSOR\HG RQ FORXG VHUYLFH SURYLGHU¶V LQIUDVWUXFWXUH on a multi-
tenant model basis. This situation brings the following security
concerns to be appropriately addressed by CSP.
Question 1: Who owns the data ownership and control
ownership?
Question 2: Who maintains the audit records of the data?
Question 3: What is the mechanism in the delivery of this
audit record to the customer?
Question 4: As a real owner of the data, does the CSP allow
the customers to secure and manage access from end-users
more [5]. As the traditional identity and access management is
still facing so many challenges [6] [7] from various aspects such
as security, privacy, provisioning of service as well as VMs, etc.,
when considering it for cloud computing, it needs to be more
secure and sophisticated. Claiming µSD\-as-you-XVH¶DVRQHRILWV
attractions, cloud computing really requires strong identity
management capabilities, to charge appropriately and accurately
the correct customer through a granular sensitive provisioning. As
stated by [5] an IDM in cloud has to manage control points,
dynamic composite/decommissioned machines, virtual device or
service identities, etc. Cloud deployments are dynamic with
servers being launched or terminated; IP addresses dynamically
reassigned; and services started or decommissioned or re-started.
So, unlike traditional IDM, simply managing users and services is
not sufficient. When a deployment or service or machine (VM) is
decommissioned, the IDM has to be informed so that future
access to it is revoked. IDM, in cloud, should ideally store its
details till it becomes active. Meanwhile access to its relevant
stored data has to be monitored and granted by the defined access
level for that mode as mentioned in SLA. Traditional IDM is not
directly amenable for cloud computing due to these features of
FORXG 7RGD\¶V FORXG UHTXLUHV G\QDPLF JRYHUQDQFH RI W\SLFDO
IDM issues like, provisioning/de-provisioning, synchronization,
entitlement, lifecycle management, etc.
3.3 Insider attacks
One of the primary security concerns in cloud computing is that
the customer loses direct control over potentially business
sensitive and confidential data. This needs more attention because
the CSP is outside the trusted domain of customer. The risk of a
malicious insider is one or the most dangerous security threats.
The cloud security alliance report [8] lists malicious insiders as
the number three top threat in cloud computing. This threat is
intensified for customers of cloud services by the union of
infrastructure, services and customers under a single controlling
domain, with a huge lack of transparency in the way the CSP
services through its processes and procedures. For example, a
provider may not reveal how it grants employees access to
physical and virtual assets, how it monitors these employees, or
how it analyzes and reports on policy compliance [8]. To add to
the threat, there is often little or no visibility into the hiring
standards and practices for cloud employees. Cloud Security
Alliance [8] summarize that this kind of situation clearly creates
an attractive opportunity for an enemy ² ranging from the
hobbyist hacker, to organized crime, to corporate espionage, or
even nation-state sponsored intrusion. The level of access granted
FXVWRPHU¶VFOLHQW"
To handle such sensitive situations, CSP should ensure proper
data isolation. This isolation is not just in concern to protecting
data (& applications) from threats or external penetrations, but
also preventing unwanted changes by the CSP. Hence, providing
security to the user data, which is logically segregated, from any
other user (and/or CSP) in terms of unauthorized access/attacks,
isolation of data, and maintaining proper compliance & SLAs
becomes the order-of-the-day of all cloud computing security
concerns.
3.2 Identity management issues
Today, the advancement of cloud computing based on numerous
technical and business models such as SaaS/PaaS/IaaS,
grid/cluster computing, high performance computing, etc.,
signifies that cloud computing with an appropriate identity
management (IDM), Cloud IDM, can be considered as a superset
of all the corresponding issues from these paradigms and many
International Conference on Advances in Computing, Communications and Informatics (ICACCI-2012)
could enable such an enemy to gather confidential data or gain
complete control over the cloud services with little or no risk of
detection. It can lead to situations like financial impact, brand
GDPDJHDQGKXJHSURGXFWLYLW\ORVVHVHWF%%&¶VUHVHDUFKUHSRUW
[9] sensitizes that insider attacks are on the rise. Also Verizon
2010 data breach report [10] indicates that there is a 26% increase
in the data breaches by malicious insiders accounting to a total of
48% of data breaches being carried out by insiders. So even
though the cloud provider may be trusted, a cloud administrator
could potentially be a rogue.
3.4 Virtualization issues
Virtualization is a key element for cloud computing to achieve its
REMHFWLYH ,QWHO¶V 1RYHPEHU  UHVHDUFK UHSRUW ³2YHUFRPLQJ
Security Challenges to Virtualize Internet-IDFLQJ $SSOLFDWLRQV´
[11] states that, due to the security concerns, they initially (when
Intel entered into the cloud market) did not virtualize applications
with significant security requirements which include Internet-
473
facing applications for customers. Prior to including virtualization
LQWR,QWHO¶VFORXGHQYLURQPHQWHDFKRIWKHLUFXVWRPHUDSSOLFDWLRQ
tiers typically ran on a dedicated physical server, which was
connected to the enterprise network through a dedicated virtual
LAN (VLAN). Though this was highly secure, considering the
utilization of hardware resources, this approach (without
virtualization) was not effective in the long run. Virtualization can
be achieved through a hypervisor (also called VMM, Virtual
Machine Monitor). Hypervisor (example, Citrix XenServer 6.0) is
a platform that allows multiple OS and related applications (called
VMs, virtual machines) to run on a cloud machine concurrently to
facilitate sharing of cloud resources. Virtualization of enterprise
servers introduces noteworthy security concerns due to
aggregation of risks. Associating multiple servers with one host
removes the physical separation between servers, increasing the
risk of undesirable cooperation of one application (of one VM)
with others on the same host. At the same time [13], if an attacker
gets the root to access the hypervisor, then it brings significant
threats to the holistic view of cloud computing. If the attacker
hacks the virtualization host machine i.e. computer which runs the
hypervisor and manages the VMs (for example, Virtualization
Host VH, of CloudStack v3.0.0), then the attacker can gain access
WRDOOJXHVW26¶VFUHDWHGRQWKDWYLUWXDOL]DWLRQVHUYHU+DFNHUVFDQ
target numerous areas of a virtualization host such as the
hypervisor, the hardware and the guest operating systems and the
applications within individual VMs. The most commonly used
techniques are [3]:
x Modify the hypervisor on the VH to get its direct access
x Install a rootkit on VH
They can also target the virtualization management system. To
avoid the security risks associated with virtualization, each of
these components must be protected and isolated from each other.
3.5 Cryptography and key management
Cryptography and key management issues are not something
unique to cloud computing. Like any other traditional system, this
becomes the most critical requirement also in cloud computing.
This, in turn, reflects in the high security risk possibilities [14].
In fact, the need for appropriate, up-to-date cryptography systems
with efficient key management will be the order-of-day for any
CSP with highly sensitive customer information. As compared to
traditional systems, the huge amount of business data in the cloud
attracts the attention of attackers who constantly eye private
information. As the current generation hacking techniques
advance to an entirely new level, many of the traditional
cryptographic algorithms and mechanisms do not suit the cloud
FRPSXWLQJ WUHQGV RI WRGD\¶V EXVLQHVVes. The following are the
possible vulnerable components in the cloud environment with
respect to the improper cryptographic mechanisms.
x Communication channels between customer-to-CSP (during
cloud migration and other business communications) and
CSP-to-CSP or CSP-to-end-users (while consuming cloud
services)
x Storage areas of customer data aW&63¶VLQIUDVWUXFWXUHZKHUH
security and privacy are predominant issues to be addressed
x Hypervisor host need to be securely protected and isolated
x Cloud mapping services to be safeguarded to avoid direct
physical access to the VMs
474 International Conference on Advances in Computing, Communications and Informatics (ICACCI-2012)
x Individual VM isolation to provide higher level of production
between two customer VMs
x Updating all the existing cryptographic systems with respect
to new security patterns
Further, unless the CSP comes forward to understand the current
trends and sophistication of hacking mechanisms and update their
security systems with latest cryptographic algorithms like
Homomorphic Encryption, AES, DES, SHA-2, MD5, Blum Blum
Shub, Fortuna, RC4, etc, they will be prone to constant security
threats.
3.6 Governance and regulatory compliance
Cloud SHFXULW\ $OOLDQFH¶V [3] Security Guidance for Critical
Areas of Focus in Cloud Computing report states that an effective
governance in Cloud Computing environments follows from well-
developed information security governance processes, as part of
the organizDWLRQ¶V RYHUDOO FRUSRUDWH JRYHUQDQFH REOLJDWLRQV with
due care. Such well-developed information security governance
processes should exhibit the following properties:
x Scalable (with the business)
x Repeatable (across the organization)
x Measurable
x Sustainable
x Defensible
x Continually improving
x Cost-effective (on an ongoing basis)
In addition to the application deployment and support&63¶VDUH
responsible for incorporating the corresponding regulatory
compliance with government & legal (country-specific) policies
such as SOX, HIPAA, FISMA, FIPS 140-2, GLBA, ITAR, ISAE
3402, ISO/IEC 27001, SAS 70, SSAE 16, etc. When a CSP fails
to identify and implement any of the above mentioned feature(s)
appropriately, it incurs substantial loss to both the parties involved
in the business i.e. CSP and customer. Currently it is very difficult
to find any CSP who guarantees complete accountability and
liabilities of such information security governance process. This is
primarily because of the evolving state of cloud computing, but
which needs to be given high priority at this point-of-time
considering its importance.
Table 1. Important Governance & regulatory policies
Name Policies
SOX Sarbanes±Oxley Act
The Health Insurance Portability
HIPAA and Accountability Act (HIPAA)
of 1996
The Federal Information Security
FISMA
Management Act of 2002
The Federal Information
FIPS 140-2 Processing Standard (FIPS)
Publication 140-2
GLBA The Gramm±Leach±Bliley Act
International Traffic in Arms
ITAR
Regulations
ISAE 3402
The International Standards for
Assurance Engagements No. 3402
International Organization for
Standardization and the
ISO/IEC 27001
International Electrotechnical
Commission
Statement on Auditing Standards
SAS 70
No. 70
The Statement on Standards for
SSAE 16
Attestation Engagements No. 16
3.7 ,QVHFXUH$3,¶V
Applications programming interface (also called software
interface) API is the detailed structural documentation that
provides details required to use software product/service, mostly
written by developers, that customers use to manage and interact
with services. API can be defined as a user manual of the product
from the perspective of developers who build upon or extend the
product. 7RGD\ DOPRVW HYHU\ &63 SXEOLVKHV WKHLU $3,¶V WR
general public for two reasons.
1. To expose the available features of cloud components to
their customers
2. To facilitate customer(s) to formulate their deployment
re-architected, if needed, for better mutual benefits
'XH WR WKLV QDWXUH &63¶V $3,¶V DUH YHU\ PXFK XVHIXO ZKHQ
considering it fURP WKH FXVWRPHU¶V SRLQW-of-view in terms of
XQGHUVWDQGLQJ &63¶V FRPSRQHQWV DQG IXQFWLRQV $W WKH VDPH
time, the same nature can also invite attackers¶ attention to know
the architecture of the CSP and internal design details, if not
completely but to an (greater) extent. Hence, insecure APIs may
lead to major security concerns for CSP as well as customers like
cyber-attacks and illegitimate control over user accounts, etc. At
any point-of-WLPH &63 FDQQRW HOLPLQDWH WKHLU $3,¶V
announcement due to the strong influence of web services and
XML-blend with respect to cloud computing. Instead, CSP must
FRQFHQWUDWH RQ µZKDW WR VKRZ DQG what QRW¶ RI LWV FRUH
functionalities through encryption, abstraction and encapsulation
mechanisms.
3.8 Cloud & CSP migration issues
When an enterprise (or cloud customer) is making either of the
following decisions, migration (i.e. data and cloud) will be the
single solution,
R1. Entering into cloud (to a specific CSP)
R2. Shifting from one CSP to another
The above requirements R1 and R2 will be addressed by the
following migration levels respectively,
Level 1: Data (and application) migration
Level 2: Cloud migration
Considering the physical separation of organizations (may be
customer-to-CSP or CSP-to-CSP), migration brings a challenging
situation(s) to both the parties involving in business such as secure
transmission of digital content (data & network security issues),
maintenance of customer & their end-XVHU¶VSHUVRQDOLQIRUPDWLRQ
(privacy issues) along with the governance compliance
(regulatory issues), etc.
International Conference on Advances in Computing, Communications and Informatics (ICACCI-2012)
When a customer wants to move their services to cloud then they
need to migrate the data and application together from on-the-
premise to off-the-premise i.e. Level 1 migration, then there is a
possibility of the following security risks.
Risk 1: Is CSP migrating data in a systematically in a staged
fashion with appropriate processes and policies?
Risk 2: What level of technology is been used in the
migration workflow?
Risk 3: Can CSP able to handle infrastructure replication and
platform interoperability accordingly?
Risk 4: Whether the CSP is addressing problems related to
the new security patterns with respect to the secure channel?
Risk 5: Can the data stored with a service provider be
exported (Data portability) by customer request?
Assuming the situation of migrating from one CSP to another i.e.
Level 2 cloud migration, addresses few more security issues in
addition to the level 1 migration security risks.
Risk 6: Customer can never be sure of whether their data is
securely transferred to another cloud
Risk 7: What is the surety of the CSP (old) erasing/removing
the original data (and application) of customer permanently
after cloud migration?
3.9 SLA & trust management gaps
Service Level Agreement is a document that describes the
minimum performance criteria a CSP promises to meet while
delivering service(s) to their customer(s). It typically also sets out
the remedial action and any consequences that will take effect if
performance falls below the promised standard. This is clearly an
extremely important legal contract between a cloud service
provider and the consumer that should have the following
qualities [15].
1. ,GHQWLI\DQGGHILQHWKHFXVWRPHU¶VQHHGV
2. Provide a framework for customer to better understand
the available facilities
3. Simplify complex issues
4. Reduce areas of conflict
5. Facilitate solutions in the event of disputes
6. Eliminate unrealistic expectations
In this process customer must understand their security
requirements and what control & federation patterns are necessary
to meet those requirements. CSP must understand what they must
deliver to the customer to enable the appropriate control &
federation patterns [16].
Knowing the significance of SLA and its legal aspects, it is highly
recommended that the customer must know and be clear on the
complete requirements, specifically with respect to the security
aspects of their business. We identified the following as SLA
security qualities (SSQ), which are mandatory for any customers
who enter into cloud business model with CSP.
SSQ1. Promises on logical segregation of customer data
SSQ2. Accessibility & auditability of both customer and CSP
475
 SSQ3. Assurance on complete removal (disk format) of data
when customer no longer with CSP
SSQ4. Availability (7x24 uptime) of the services
SSQ5. Security and privacy of customer data with respect to
unauthorized user as well as CSP
SSQ6. Technology & standards enrichment of CSP to up-to-
date
SSQ7. Governance and regulatory compliance maintenance
with respect to the country(s) bound of the deployed
application
7KRVH FXVWRPHUV ZKR IDLOHGWR LQFOXGHWKHVH 664¶V PD\ OHDG WR
critical business security threats and cannot claim at CSP.
4. CONCLUSION
It is certain that cloud computing is predominantly dominating the
present enterprise business computing with its tempting financial
benefits. At the same time, due to the open & public nature of
cloud, it equally attracts the attention of attackers on par with
customers (sometimes in leading count), which append more
severe security challenges & risks to it. At the same time, the
amounts of investment made by these cloud vendors are also
significantly high. In WKLVVFHQDULRXQOHVV&63¶VWDNHVRPHVWHSV
towards attaining more customers (at least the needy) in near
future to come forward in using cloud services without the fear of
present security vulnerabilities, they will be in the verge of
another serious crisis. On the similar lines, this paper addresses
the cutting-edge state-of-the-art cloud computing taxonomies for
present cloud computing systems. This paper can be a better
basement for any CSP to build (new CSP) and/or enhance
(existing CSP) their current cloud system to more secure and
sophisticated which in turns provide mutual benefits to both the
CSP and the customer. Also, this paper gives a clear roadmap for
the customers WR HYDOXDWH WKH &63¶V FDSDELOLWLHV LQ WHUPV RI
security aspects.
5. REFERENCES
[1] Michael Gregg. 2010. 10 Security Concerns for Cloud
Computing. Technical Report. Global Knowledge.
[2] Peter Mell, Timothy Grance. September 2011. The NIST
Definition of Cloud Computing. NIST Special Publication
800-145. National Institute of Science and Technology.
[3] Security Guidance for Critical Areas of Focus in Cloud
Computing V2.1. December 2009. Cloud Security Alliance.
[4] Hong Li, Jeff Sedayao, Jay Hahn-Steichen, Ed Jimison,
Catherine Spence, and Sudip Chahal. January 2009.
Developing an Enterprise Cloud Computing Strategy.
Technical Report. Intel Corporation.
476 International Conference on Advances in Computing, Communications and Informatics (ICACCI-2012)
[5] Anu Gopalakrishnan. 2009. Cloud Computing Identity
Management. SETLabs Briefings. Vol. 7, No. 7. Page no. 45
± 55.
[6] Madhan Kumar Srinivasan, Paul Rodrigues. 2010. A
roadmap for the comparison of identity management
solutions based on state-of-the-art IdM taxonomies. Springer
Communications in Computer and Information Science. Page
no. 349 ± 358. Springer-Verlag Berlin Heidelberg, New
York, USA.
[7] Madhan Kumar Srinivasan, Paul Rodrigues. 2010. Analysis
on identity management systems with extended state-of-the-
art IdM taxonomy factors, International Journal of Ad hoc,
Sensor & Ubiquitous Computing. (December 2010), Vol.1,
No.4. Page no. 62 ± 70. DOI=10.5121/ijasuc.2010.1406.
[8] Top Threats to Cloud Computing V1.0. March 2010. Cloud
Security Alliance.
[9] Maggie Shiels 2009. Malicious insider attacks to rise.
Technical Report. BBC News, Silicon Valley.
[10] Wade Baker, Alexander Hutton. 2010. 2010 Data Breach
Investigations Report, A study conducted by the Verizon
RISK Team with cooperation from the U.S. Secret Service
and the Dutch High Tech Crime Unit. Technical Report.
Verizon, New Jersey.
[11] Bill Sunderland, Ajay Chandramouly. November 2011.
Overcoming Security Challenges to Virtualize Internet-
facing Applications. Technical Report. Intel Corporation.
[12] Sabahi, F. 2011. Virtualization-level security in cloud
computing. Proceedings of IEEE International Conference
on Communication Software and Networks. Page no. 250 ±
254. DOI: 10.1109/ICCSN.2011.6014716.
[13] Vaquero,L.M., Rodero-Merino, L., Caceres, J., Lindner, M.
2009. A Break in the Clouds: Towards a Cloud Definition.
ACM SIGCOMM Computer Communication Review. 39(1).
[14] Jansen, W.A. 2011. Cloud Hooks: Security and Privacy
Issues in Cloud Computing. Proceedings of 44th Hawaii
International Conference on System Sciences. Page No. 1-
10.DOI: 10.1109/HICSS.2011.103
[15] Balachandra Reddy Kandukuri, Ramakrishna Paturi V,
Atanu Rakshit. 2009. Cloud Security Issues. IEEE Computer
Society. Page no. 517 ± 520. DOI 10.1109/SCC.2009.84.
[16] Rabi Prasad Padhy, Manas Ranjan Patra, Suresh Chandra
Satapathy. March 2012. SLAs in Cloud Systems: The
Business Perspective. International Journal of Computer
Science and Technology. Vol. 3, Issue 1. Page no. 481 ± 488.