Patel & Alabisi – Volume 17, Issue 2 (2019)

Journal of New Business Ideas & Trends

Vol. 17 Iss.2, September 2019, pp. 11-19.
”http://www.jnbit.org”

Cloud Computing Security Risks: Identification

and Assessment

Kumar Patel
Managing Director
Enovasions Limited, Fiji

Antonina Alabisi
Westmead Hospital, NSW, Australia

Abstract
Purpose – The purpose of this paper is to explore the issues of security risks for the
various types of cloud computing in an endeavour to provide a succinct overview.
Design/methodology/approach – The approach employed in this paper involves an
assessment of the literature relating to cloud computing security risks in order to provide
a synthesis of the issues.
Originality/value – The assessment leads to a concise focus of the security issues for
cloud computing services and guidance for considering the practical application of cloud
computing risk evaluation.

Keywords: Cloud computing; security risks; risk management.

JEL Classifications: O33

PsycINFO Classifications: 4120
FoR Codes: 0803
ERA Journal ID #: 40840

© JNBIT Vol.17, Iss.2 (2019) 11

 Patel & Alabisi – Volume 17, Issue 2 (2019)

Introduction
Cloud computing is arguably both an innovation in technology and an avenue for
new business ventures. However, the revelations made by Snowden that the USA had been
conducting mass surveillance and data collection through the US National Security Agency
(NSA) and various other national intelligence agencies has created additional concerns
about security when it comes to the cloud (Landau, 2013; Bauman, et al, 2014). As early as
2013 the German government adopted a particularly aggressive stance by seeking to
mitigate the dangers of cloud technology by creating secure data centres in Germany
specifically for email traffic. The use of SSL encryption was viewed as a way in which to
restrict foreign jurisdictions from gaining access. It was on August 31, 2014, that a collection
of almost 500 private pictures of various celebrities, mostly women, were hacked from the
online storage offered by Apple's iCloud platform which is the source for automatically
backing up photos from iOS devices, such as iPhones (Satti, 2015; Bai, Xing, Zhang, Wang,
Liao, Li & Hu, 2017).

Cloud computing has been heralded as an innovation in information system

architecture, with efficient usage of computer hardware resources (Zissis & Lekkas, 2010).
However, with the exponential growth in the development and use of web based systems
and computer technology brings with it an increased risk for security breaches from hacking
(Monrose & Rubin, 1999; Choo, 2011; Teh, Teoh & Yue, 2013). The banking industry is a
prime example of a high profile industry sector that has been the focus of the greatest
number of attacks (Choo, 2011). In this regards the security of cloud based systems is also
becoming a high risk prospect for cyber crime (Kaufman, 2009).

Subsequently, there has been a growth in the literature regarding risks and concepts
for dealing with cloud security. For the most part it is important to bring these disparate
concepts of the issues and the various approaches together in an effort to better understand
the recognition of the risks and the various methods for dealing with security. This paper is
therefore concerned with drawing the information from the literature together in an effort
to present a general overview.

Background

The National Institute of Standards and Technology (NIST) proposed a broad

ranging definition of cloud computing and set out what they considered to be five essential
features, three service models and four deployment models (Mell & Grance, 2011). The five
essential features encompass; virtualized computing resource pool, broad network access,
rapid elasticity, on-demand self-service, measured service. The three service models are
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS);
the four deployment models are private cloud, community cloud, public cloud and hybrid
cloud.

With regards to the service models Infrastructure as a Service (IaaS) as the name
implies involves a single tenant cloud layer where the Cloud computing vendor’s dedicated
resources are only shared with contracted clients at a pay-per-use fee. Software as a Service
(SaaS) also operates on the pay-per-use costing model with software applications being

© JNBIT Vol.17, Iss.2 (2019) 12

 Patel & Alabisi – Volume 17, Issue 2 (2019)

leased out to contracted organisations by specialised SaaS vendors. Platform as a Service

(PaaS) works on a similar basis to IaaS however, it provides an additional level of “rented”
functionality. So there are different types of cloud computing services in much the same way
as there are different types of clouds that exist in the sky1.

A public cloud allows users’ access to the cloud via interfaces using mainstream web
browsers. Public clouds are less secure than the other cloud models because of the
additional need to ensure that all applications and data accessed on the public cloud are not
subjected to malicious attacks. A private cloud is established within an organisation and is
therefore easier to align with the security, compliance, and regulatory requirements,
providing greater control over deployment and use. In contrast, a hybrid cloud is a private
cloud which is linked to one or more external cloud services, although it is centrally
managed, acts as a single unit, and has a secure network. It consists of a mix of both public
and private clouds. Hybrid Clouds provide greater secure control over the data and
applications even though it allows various parties to access information over the Internet.

Access to any of the Cloud services is gained from two main technologies. Firstly,
Web Services are commonly used to provide access to IaaS. Secondly, Web browsers are
used in order to access SaaS applications. When it comes to PaaS environments both
approaches are used. The common thread here is the use of the internet to gain access to
any of the cloud models and it is this aspect that raises the risk factor when it comes the
potential for hacking to occur. Thus, the complexity of security risk is further compounded
by the reliance on the internet/web as the over-riding intermediary (see figure 1).

Figure 1:
Cloud Delivery Models and Deployment Models in the Internet / Web

Security Risks
There are various types of security risks and these vary according to the
distinguishing types of cloud computing environment models. To commence this
introspective analysis Chea, Duanb, Zhanga, and Fana, (2011) proposed that security risks

1
This is an interesting metaphor and arguably shares some similarities with actual cloud formations of which notably there are
10 types of cloud formations – 3 high level; 4 mid-level; and 3 low level. The use of metaphors in the computing discipline is
not surprising and is a common occurrence with examples being – the mouse; the memory (RAM); the speed (Chip speed);
and of course, artificial intelligence (AI).
© JNBIT Vol.17, Iss.2 (2019) 13
 Patel & Alabisi – Volume 17, Issue 2 (2019)

could be identified as falling within the requirements for three specific parties that is
customers, service providers and government.

Security risks – customers:

The security risks that customers face in the cloud environment are generally:

1) Potential downtime with an impact on business – this cannot be totally avoided;

2) Exposure of commercial secrets - this cannot be totally avoided;
3) The privilege status of the cloud service provider gives rise to concerns over issues
such as fault elimination, damage compensation and business migration etc.

Security risks - service providers:

The security risks that service providers face in the cloud environment encompass:

1) Assurance of the long-term secure operation of the cloud data center - isolate
potential fault to reduce or minimise their influence;
2) Protection against the numerous and aggressive network hackers is a disturbing
security problem;
3) Need to effectively and securely manage demands of customers - identify and block
any malicious customers (an unavoidable task).

Security risks – government:

The security risks that government departments face in the cloud computing
environment are likely to be:

1) Need to enhance the security protection of a mass-scale data center;

2) A means to securely manage the numerous and various scale cloud service providers;
3) Evaluation and ranking of the security level of cloud service providers which extends
to include the security credit of other cloud customers, and a proactive alarm
mechanism for malicious programs.

Whilst these are intuitively obvious in most respects, they are broad in their application
to those specific groups and as such remain as general concerns to be aware of in the
assessment process.

With regards to the deployment models the security risks have been summarised in a
number of papers in particular Subashini and Kavitha (2010) and Chou (2013). Now whilst
various terminology and issues are involved it is reasonable to assume that the concepts
remain virtually consistent. In essence these can be briefly summarised in regard to the
particular service model to which they apply:

SaaS security issues:

• Data security - which in itself requires attention be paid to:
o Cross-site scripting (XSS);
o Access control weaknesses;
o OS and SQL injection flaws;
o Cross-site request forgery (CSRF);
o Cookie manipulation;
o Hidden field manipulation;
o Insecure storage;
o Insecure confirmation.
© JNBIT Vol.17, Iss.2 (2019) 14
 Patel & Alabisi – Volume 17, Issue 2 (2019)

• Network security – which requires assessment be made of:

o Network penetration and packet analysis;
o Session management weaknesses;
o Insecure SSL trust configuration.
• Data locality – this is of particular concern since the location of the data storage will
be regulated by the legislation within the country in which it resides:
o Compliance and data privacy laws;
o Jurisdiction for legal action.
• Data segregation – given that there are inevitably multi users storing their data at
the same cloud site the issues of concern are:
o SQL injection flaws;
o Data validation;
o Insecure storage.
• Data access – here too the concern arises from the potential risks arising from multi
users being involved:
o Security policies;
o Limitations n levels of users.
• Authentication and authorization – this covers aspects of the methods of data access
security levels:

PaaS security issues:

This is dealt with in a much more succinct manner with the issues specifically
relating to:
• Security features and capabilities – in effect consideration of degree of flexibility to
layer additional security;
• Metrics on vulnerability – including patch coverage and application coding;
• Service Oriented Architecture (SOA) applications - machine to machine
vulnerabilities.

IaaS security issues:

Here too this is dealt with in a succinct manner and the issues in this area are
identified as being:
• Public cloud versus private cloud – there being greater risks associated with the
public cloud;
• Physical security – there needs to be attention to the security of infrastructure and a
disaster management plan;
• Encryption and security measures – cloud systems operate through the internet and
as such transmission of data is vulnerable to the same risks as face the internet.

As an alternative perspective, Zissis and Lekkas (2012) approached the security risks
and requirements for the service cloud models on two basic levels. Which they referred to as
the application level and the virtual level. The application level they proposed encompassed
the software as service model (SaaS) and the virtual level included both the platform as a
service (PaaS) and the infrastructure as a service (IaaS) model. The details of their
assessment of the security issues are therefore:

SaaS (Application level):

• Threats:
o Interception;
o Modification of data at rest and in transit;
o Data interruption (deletion);
o Privacy breach;
o Impersonation;
o Session hijacking;
© JNBIT Vol.17, Iss.2 (2019) 15
 Patel & Alabisi – Volume 17, Issue 2 (2019)

o Traffic flow analysis;

o Exposure in network.
• Security requirements:
o Privacy in multitenant environment;
o Data protection from exposure;
o Access control;
o Communication protection;
o Software security;
o Service availability.

PaaS and IaaS (Virtual level):

• Threats:
o Programming flaws;
o Software modification;
o Software interruption (deletion);
o Impersonation;
o Session hijacking;
o Traffic flow analysis;
o Exposure in network;
o Defacement;
o Connection flooding;
o DDOS;
o Disrupting communications.
• Security requirements:
o Access control;
o Application security;
o Data security (data in transit, at rest and remanence);
o Cloud management control security;
o Secure images;
o Virtual cloud protection;
o Communication security.

In essence there are a number of issues and concepts that although the terminology
may differ remain for all intense and purposes as covering the same or very similar aspects
as raised in the overview of Subashini and Kavitha (2010) and Chou (2013).

Risk Management
Having determined that there are a variety of risks inherent in the use of cloud
computing it then becomes a matter of seeking to evaluate the risks in terms of their impact
upon the business emanating from the most appropriate form of cloud computing. To assist
in this the application of risk management techniques is arguably the best way forward. The
notion of risk management has links to the general insurance field dating back some
considerable time (Laing, 1992a, 1992b). In more recent times the treatment of risk
management has come under the control of the International Standards ISO 31000 which
was originally published in 2009 and then updated in February 2018. Employing the
guidelines of ISO 31000: 2009 in conjunction with the work of Fito and Guitart (2014)
developed a risk management approach for assessing cloud computing risks with attention
focusing on the application for considering a PaaS cloud model.

© JNBIT Vol.17, Iss.2 (2019) 16

 Patel & Alabisi – Volume 17, Issue 2 (2019)

Whilst there is ample guidance in the ISO 31000 it is interesting to draw on the
original concepts and bring these together for the evaluation process. This is done to provide
the development of a more general framework for use in the evaluation of cloud computing
models. A specific risk management framework is presented in Figure 2.

Figure 2:
Risk Management framework for Cloud Risk Evaluation

This framework forms the basis for the risk management evaluation which follows.
For the purpose of this example the four common threats to all three deployment clouds will
be used. Given that they are common threats there is some degree of serendipity in the
evaluation concerns.

Step 1 is the establishment of the context and in this example the context is the
selection of a cloud deployment model.

Step 2 involves the identification of the threats or risks and here the four threats
common to all three are:
o Impersonation;
o Session hijacking;
o Traffic flow analysis;
o Exposure in network.

Step 3 is the analysis phase and to assist in this the process the work done by the
European Network and Information Security Agency (2012) employing the guidelines of
© JNBIT Vol.17, Iss.2 (2019) 17
 Patel & Alabisi – Volume 17, Issue 2 (2019)

ISO 31000: 2009 in conjunction with the work of Fito and Guitart (2014) are used to inform
the development of the risk matrix/grid.

The matrix / grid with an explanatory legend that is employed for this example is
presented in Figure 3.
Figure 3:
Risk Matrix / Grid

Impact
Probability Very Low Low Moderate High Very High
Almost Certain H H E E E
Likely M H H E E
Probable L M H E E
Unlikely L L M H E
Rare L L M H H

Rating Descriptor Action

E = Extreme Risk Never acceptable. Immediate action required.
H = High Risk Not acceptable. Attention required.
M = Medium Risk Acceptable risk. Monitor and review.
L = Low Risk Acceptable risk. Routine monitoring.

The analysis of the four threats / risks with reference to the evaluations provided by
the European Network and Information Security Agency (2012) with additional
consideration from the assessment undertaken by Fito and Guitart (2014) result in the
following assessments.

Impersonation – Probability: Medium; Impact: High; Risk: Medium

Session hijacking - Probability: Medium; Impact: Very High; Risk: High
Traffic flow analysis - Probability: Medium; Impact: High; Risk: Medium
Exposure in network - Probability: Medium; Impact: Very High; Risk: High

Step 4 armed with the above risk assessments two of the threats, impersonation and
traffic flow analysis, have a medium risk and would therefore be considered as acceptable.
However, the remaining two threats, session hijacking and exposure in the network, present
as having high risk and these require further attention. The questions that need to be
asked are firstly can the risks be reduced and this would require determining exactly what
actions need to be undertaken once they are reduced at which stage they would need to be
reassessed. Should reduction not be possible then it would be necessary to consider whether
they can be transferred, either by insurance or some other form of mitigation. Failing to
obtain a satisfactory reduction in the risks the decision lead to rejecting the cloud model and
investigate an alternative (which may be an alternative cloud model).

Step 5 now on the assumption that the means to satisfactorily deal with the threats
and risks were found and implemented then the decision would be to proceed with the cloud
model and establish a policy for the monitoring of the risks on a regular basis.

© JNBIT Vol.17, Iss.2 (2019) 18

 Patel & Alabisi – Volume 17, Issue 2 (2019)

Conclusion

The security and the risks associated with the various cloud computing models may
well be outweighed by other matters. For example, the costs to a business can not be
overlooked and the cloud computing models offer benefits that undoubtedly need to be
given consideration. To that end future research may prove beneficial in incorporating the
benefits into the evaluation process and extending the framework to accommodate the
alternative perspectives.

Further research may also provide the means to reduce the threats and risks by
merging them into categories that share very similar properties. This might be achievable
through the use of statistical evaluation techniques such as factor analysis.

References
Bai, X., Xing, L., Zhang, N., Wang, X., Liao, X., Li, T., & Hu, S. M. (2017). Apple ZeroConf holes: How hackers
can steal iPhone photos. IEEE Security & Privacy, 15(2), 42-49.
Bauman, Z., Bigo, D., Esteves, P., Guild, E., Jabri, V., Lyon, D., & Walker, R. B. (2014). After Snowden:
Rethinking the impact of surveillance. International political sociology, 8(2), 121-144.
Chea, J., Duanb, Y., Zhanga, T. & Fana, J. (2011). Study on the security models and strategies of cloud
computing, Procedia Engineering 23, 586–593.
Choo, K. K. R. (2011). The cyber threat landscape: Challenges and future research directions. Computers &
Security, 30(8), 719-731.
Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of Computer
Science & Information Technology, 5(3), 79-88.
European Network and Information Security Agency (2012). Cloud Computing: Benefits, risks and
recommendations for information security, www.enisa.europa.eu
Fito, J. O. & Guitart, J. (2014). Business-driven management of infrastructure-level risks in Cloud providers,
Future Generation Computer Systems, 32, 41-53.
Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4), 61-64.
Laing, G.K. (1992 a). The Function of Risk Management, Australian Insurance Institute Journal, February, 49-
50.
Laing, G.K. (1992 b). Risk Management and the Role of the Insurance Broker, Australian Insurance Institute
Journal, July, 53-54.
Landau, S. (2013). Making sense from Snowden: What's significant in the NSA surveillance revelations. IEEE
Security & Privacy, 11(4), 54-63.
Mell, P. & Grance, T. (2011). The NIST Definition of Cloud - Special Publication 800-145, National Institute of
Standards and Technology - U.S. Department of Commerce: Gaithersburg, MD.
Computinghttps://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Monrose, F. & Rubin, A. (2000). Keystroke dynamics as a biometric for authentication, Future Generation
Computer Systems, 16, 351-359.
Oestreicher, K. (2014). A forensically robust method for acquisition of iCloud data. Digital Investigation, 11,
S106-S113.
Satti, C. (2015). A Call to (Cyber) Arms: Applicable Statutes and Suggested Courses of Action for the Celebrity
iCloud Hacking Scandal. Quinnipiac Law Review, 34, 561-581.
Subashini, S. & Kavitha, V. (2010). A survey on security issues in service delivery models of cloud computing,
Journal of Network and Computer Applications, 34(1), 1-11.
Teh, P., Teoh, A. & Yue, S. (2013). A Survey of Keystroke Dynamics Biometrics, Scientific World Journal, 1-24.
Zissis, D. & Lekkas, D. (2010). Addressing cloud computing security issues, Future Generation Computer
Systems, 28, 583-592.

© JNBIT Vol.17, Iss.2 (2019) 19

Copyright of Journal of New Business Ideas & Trends is the property of Australian Business
Education Research Association and its content may not be copied or emailed to multiple sites
or posted to a listserv without the copyright holder's express written permission. However,
users may print, download, or email articles for individual use.