Professional Documents
Culture Documents
net/publication/324562008
CITATIONS READS
2 5,723
1 author:
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Innovative machine learning algorithm for network intrusion detection View project
All content following this page was uploaded by Pericherla Satya Suryateja on 17 April 2018.
P.S. Suryateja
Software-as-a-Service (SaaS): In this model the consumers is to minimize the threats by providing countermeasures to
can use the application services provided by the cloud various vulnerabilities that affect the security of the
providers. The consumers can access the service through thin organization or enterprise. This paper provides a baseline for
clients (Ex: web browsers) or through APIs. Consumers have various threats and vulnerabilities in cloud computing.
no control over the application or the underlying operating
system and infrastructure. The only control provided to the The novel addition in this research is the inclusion of latest
consumer is changing the user configuration settings. threats like Ransomware and Spectre and Meltdown which
Examples of SaaS providers include Google Apps, are unfound in the literature. In the past few years, the most
Facebook, YouTube, Salesforce, etc. troublesome malware infecting the cloud was Ransomware,
which almost encrypts everything and makes the assets
Platform-as-a-Service (PaaS): In this model consumers can inaccessible. Spectre and Meltdown are the most recent
develop or deploy their own applications on the platform threats which arise because of vulnerabilities in cloud
(languages, libraries, and tools) provided by the cloud hardware and are common across all the hardware
provider. Consumers have no control over the underlying manufacturers. Although patches for these vulnerabilities are
operating system and infrastructure (servers, storage, being released, it is not easy to utilize them. These are
network, etc.). Consumers will have limited control to significant threats that need to addressed by every cloud
modify the environment (platform) settings. Examples of service provider and customer.
PaaS providers include Microsoft Azure, Google AppEngine,
IBM Bluemix, Amazon Simple DB/S3, etc. Entire information in this paper is organized as follows:
Section I provides an introduction to cloud computing and
Infrastructure-as-a-Service (IaaS): In this model consumer is the need for giving importance to the security in cloud
able to provision processing, storage, network and other computing. Section II provides an overview of threats and
resources on which the consumer can develop or deploy an vulnerabilities of cloud computing and finally Section III
application. The consumer can’t manage the underlying concludes with the future scope of the research.
cloud infrastructure but has control over the operating
system, firewall, storage and deployed applications.
II. THREATS AND VULNERABILITIES
Examples of IaaS providers include Amazon EC2, GoGrid,
Flexiscale, etc. A threat is a potential cause of an incident that may result in
harm to a system or an organization. A vulnerability is a
Apart from the features and services provided by cloud
weakness in the asset or system which is exploited by a
computing, there are several issues that act as a hindrance to
threat. A threat agent carries out threats by exploiting one or
its adoption [8,10]. Based on the survey conducted by a
more vulnerabilities. By conducting an exhaustive literature
leading SaaS provider, RightScale, one of the major
survey, various threats and vulnerabilities for cloud
challenge in the adoption of cloud computing is security as
computing are identified. They are discussed in detail below:
shown in Figure 2.
Data Breaches (T01): A data breach is a security incident in
which sensitive, private, or confidential data related to a
person or organization has been accessed, copied, or
transmitted by an unauthorized party. Data breach is a threat
with severe risk and is ranked as number one [4,9] among the
threats in cloud computing. Over 1.4 billion records were lost
to data breaches in 2017 alone, many of which involved
cloud servers. Equifax breach [3] affected at least 143
million people. OneLogin, which provides identity
management and single sign-on capabilities for cloud
services was hacked in May 2017. Data breaches can be
caused due to targeted attacks, simple human error,
application vulnerabilities, or poor security practices.
Figure 2: Cloud challenges 2017 vs. 2016 Data Loss (T02): It is corruption or unavailability of data
which results due to natural disasters [3] like floods,
An exhaustive search for various threats and the earthquakes; and simple human errors like when a cloud
vulnerabilities related to those threats was performed and an administrator accidentally deletes files, hard drive failure,
overview of those is presented in this paper. The goal of a power failure, or due to malware infection. To avoid data
Chief Information Security Officer (CISO) and his/her team loss, the most efficient strategy is to backup data to multiple
locations so that even when data gets corrupted or lost at one Internet DNS (Domain Name Service) company, Dyn,
location, it can be replaced with a copy available at another brought down many major websites throughout the U.S. and
location. Europe. A variation of DoS or DDoS, particularly related to
cloud is Economic Denial of Sustainability (EDoS) attack
Malicious Insiders (T03): Perhaps the most devastating [11], where an attacker sends fake requests to a victim cloud
threat with highest risk is a malicious insider. An insider service to have an economic affect.
threat can take different forms [5] like a former employee,
system administrator, third-party contractor, or a business Vulnerable Systems and APIs (T05): Cloud APIs
partner. An insider threat can be disastrous. As an example, a (Application Programming Interfaces) represent an open
recent insider breach in Sage, resulted in the company's stock door for public to your cloud application. Exploiting a cloud
price dropping by 4.3%, causing millions of dollars in losses. API can grant an attacker considerable access to cloud
Systems that depend solely on cloud service providers for resources. Cloud Service Providers (CSP) exposes a set of
security are at a more excessive risk. A malicious insider software user interfaces or APIs that customers use to
such as a system administrator can access potentially interact with cloud services. Those APIs should be designed
confidential information and can acquire increasing levels of to protect against accidental and malicious attempts.
access to more critical systems and eventually may cause a
data breach.
records of personal and medical information. This attack was monitoring, and rigid process management are key to
the result of stolen user credentials. Attackers masquerading defending against this threat to cloud infrastructure.
as legitimate users, operators or developers can access and
modify data, issue control plane and management functions, Abuse of Cloud Services (T11): Poorly secured cloud service
sniff data in transit, or inject malicious software that appears deployments, free cloud service trials, and fraudulent account
to originate from a legitimate source [4]. sign-ups via payment interfaces expose cloud computing
models to malicious attacks. Examples of abuse of cloud-
Account Hijacking (T07): Cloud services add a new threat to based resources include launching DDoS or EDoS attacks,
the landscape of account or service hijacking. Account email spam, and phishing campaigns.
hijacking is compromising the account credentials of a
legitimate user and utilizing them for nefarious purposes. A Lack of Responsibility (T12): Often cloud service
With stolen credentials, attackers might compromise the customers think that the security is sole responsibility of the
confidentiality, integrity, or availability of the cloud services. CSP and often neglect safeguarding their applications in the
Techniques like phishing and fraud allow attackers to hijack cloud. Cloud providers have no obligation to protect
account credentials. Enterprises should mitigate the sharing customer workloads or data beyond the services agreed upon
of account credentials between users and cloud services and in the Service Level Agreement (SLA) [7].
enable multifactor authentication where ever possible.
Insufficient Security Tools (T13): Public providers have an
Shared Technology Vulnerabilities (T08): Cloud computing array of tools, and services designed to improve cloud
provides multi-tenancy where multiple users share different security, verify the state of cloud resources and mitigate
cloud resources. Underlying components that comprise the attacks. It can be almost inadmissible for cloud users to deal
infrastructure supporting cloud services deployment may not with certain attacks, such as DDoS in progress.
have been designed to offer strong isolation properties for a
multi-tenant architecture or multi-customer applications. This Human Error (T14): Even in this age of computing, the
can lead to shared technology vulnerabilities related to human element is still one of the weakest links in IT security.
Virtual Machines (VMs), operating systems, hypervisor, etc. In the cloud, the risk of human error multiplies because
A vulnerability or misconfiguration in a shared platform compromised credentials can wreak havoc across
component can allow an attacker to compromise the cloud applications and data. Phishing, fraud and other forms of
data security of many or all customers, resulting in a data social engineering allows hackers to steal credentials and
breach. Best practices around client implementation and data thereby hijack cloud accounts. Administrators should offer
management help protect against shared technology security education, and certifications to users, write, clear,
vulnerabilities. acceptable use policies and apply other security best
practices.
Lacking Due Diligence (T09): Due diligence is the process of
evaluating CSPs to ensure that best practices are in place. A Ransomware (T15): A type of malware using which an
part of this process includes verifying whether the cloud attacker locks files or other resources in the victim's system
provider can offer necessary security controls and meet the generally through encryption is called ransomware. To
level of service expected by the customer. Enterprises should decrypt the files, the attacker requires a ransom. There is no
review accreditations and standards gained by CSPs guarantee that the attacker will send the key to decrypt files
including ISO 9001, DCS, PCI, and HIPAA. Lack of due even when the ransom is paid. In 2017, WannaCry
diligence massively affects application security resulting in ransomware crippled data at companies and government
breach. agencies worldwide [6]. According to the FBI, there were
4000 ransomware attacks per day in 2016, a 300% increase
Advanced Persistent Threats (T10): An Advanced Persistent over the previous year. Ransomware can come from multiple
Threat (APT) is a type of attack in which the attacker sources like email, video, PDF file or a website link, a
infiltrates systems to establish a foothold in the infrastructure connected device, or even by a password hack. Ransomware
of an organization in the cloud, from which they steal data. encrypts everything that is attached to a system. In order to
APTs purse their targets stealthily over extended periods of be safe, backups should be always saved in different cloud
time, often adapting to the security measures intended to location.
defend against them. These types of attacks are very hard to
detect as they evolve their defenses. APTs get into cloud Spectre and Meltdown (T16): These are the names given to
services through techniques like spear phishing, direct latest (2018) set of vulnerabilities in the underlying hardware
hacking, attack code on USB devices, penetration through that affects nearly every computer chip manufactured by all
the network and the use of unsecured third-party APIs. the vendors in the last 20 years. They allow attackers to
Advanced security controls, frequent infrastructure access data that was previously deemed to be safe. Both
Spectre and Meltdown allow side-channel attacks because
T03 Malicious Insiders Former Employee T16 Spectre and Meltdown Hardware Design