Security, Privacy, Threats and Risks in Cloud Computing ― A Vital Review

Year 2016, Volume: 4 Issue: 1, 31 - 38, 30.03.2016

Sumit Goyal

https://doi.org/10.18100/ijamec.29177

Abstract

Cloud computing is a multi million dollar business. As more and more enterprises are adopting cloud services for their businesses, threat of security has become a big concern for these enterprises and cloud users. This review describes the latest threats and risks associated with cloud computing and suggests techniques for better privacy and security of data in cloud environment. Threats and risks associated with cloud service models (SaaS, PaaS and IaaS) along with cloud deployment models (public and private) are thoroughly discussed with solutions. The security & privacy levels in cloud computing are illustrated and security solutions & standards for cloud computing are proposed. Encryption techniques for securing data in cloud environment are listed and latest security tools for cloud computing are included in this communication.

Keywords

cloud security tools, cloud privacy, cloud threats, cloud risks, cloud deployment models, cloud service models, cloud encryption techniques, cloud security solutions, cloud standards

References

• S. Pal, S. Khatua, N. Chaki, S. Sanyal, “A new trusted and collaborative agent based approach for ensuring cloud security,” arXiv preprint arXiv:1108.4100, 2011.
• Sumit Goyal, “Perils of cloud based enterprise resource planning,” Advances in asian social science, 3(4), 880-881, 2013.
• Sumit Goyal, “Public or Private: Which cloud computing model suits your business?,” International journal of distributed and cloud computing, 1(1), 42-44, 2013.
• C. Onwubiko, “Security issues to cloud computing”, In: Cloud Computing: Principles, Systems and Applications, Computer Communications and Networks, N. Antonopoulos and L. Gillam (Eds.), Springer-Verlag London Limited 2010, DOI 10.1007/978-1-84996-241- 4_16, pp. 271-288, 2010.
• W. Li, L. Ping, "Trust model to enhance security and interoperability of cloud environment", In: Proceedings of cloud computing 2009, Springer-Verlag Berlin Heidelberg 2009, LNCS 5931, pp. 69–79, 2009.
• J. Sedayao, S. Su, X. Ma, M. Jiang, K. Miao, "A simple technique for securing data at rest stored in a computing cloud", In: Proceedings of cloud computing 2009, Springer-Verlag Berlin Heidelberg 2009, LNCS 5931, pp. 553–558, 2009.
• J.S. Xu, R.C. Huang, W.M. Huang, G. Yang, "Secure document service for cloud computing", In: Proceedings of cloud computing 2009, Springer-Verlag Berlin Heidelberg 2009, LNCS 5931, pp. 541–546, 2009.
• M.D. Dikaiakos, D. Katsaros, P. Mehra, G. Pallis, A. Vakali, “Cloud computing: Distributed Internet computing for IT and scientific research,” Internet computing, 13(5), 10-13, 2009.
• C. Almond, “A practical guide to cloud computing security,” A white paper from Accenture and Microsoft, 2009.
• A. Patel, M. Kumar, “A proposed model for data security of cloud storage using trusted platform module,” International journal of advanced research in computer science and software engineering, 3(4), 862-866, 2013.
• N. El-Khameesy, H.A. Rahman, “A proposed model for enhancing data storage security in cloud computing systems,” Journal of emerging trends in computing and information sciences, 3(6), 2012.
• F. Hu, M. Qiu, J. Li, T. Grant, D. Taylor, S. McCaleb, R. Hamner, “A review on cloud computing: Design challenges in architecture and security,” Journal of computing and information technology, 19(1), 25-55, 2011.
• X. Li, Z.F. Liu, W.B. Liu, A. Xu, L. Ma, “A spatial data security model under the cloud environment,” In : Proceedings of the 2nd international conference on systems engineering and modeling, Published by Atlantis Press, Paris, France, 2013.
• R. Choubey, R. Dubey, J. Bhattacharjee, “A survey on cloud computing security, challenges and threats,” International journal on computer science and engineering, 3(3), 1227-1231, 2011.
• R. Buyya, C. S. Yeo, S. Venugopal, “Market oriented Cloud Computing: Vision, hype, and reality for delivering it services as computing utilities”, In: Proceedings of the 10th IEEE international conference on high performance computing and communications, IEEE CS Press, Los Alamitos, CA, USA, 2008.
• Top Threats to Cloud Computing V1.0, Cloud security alliance, March 2010.
• R. Bhadauria, R. Chaki, N. Chaki, S. Sanyal, “A survey on security issues in cloud computing. arXiv preprint arXiv:1109.5388, 2011.
• H. Harney, A. Colgrove, P. D. McDaniel, “Principles of policy in secure groups,” In: Proceedings of NDSS’01, 2001.
• P. D. McDaniel, A. Prakash, “Methods and limitations of security policy reconciliation,” In: Proceedings of SP’02, 2002.
• T. Yu, M. Winslett, “A unified scheme for resource protection in automated trust negotiation,” In: Proceedings of SP’03, 2003.
• J. Li, N. Li, W.H. Winsborough, “Automated trust negotiation using cryptographic credentials,” In: Proceedings of CCS’05, 2005.
• J. Anderson, “Computer security technology planning study,” Air force electronic systems division, Report ESD-TR-73-51, 1972, http: //seclab.cs.ucdavis.edu/projects/history/.
• M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, K. Fu, “Scalable secure file sharing on untrusted storage,” In: Proceedings of FAST’03, 2003.
• E. Goh, H. Shacham, N. Modadugu, D. Boneh, “Sirius: Securing remote untrusted storage,” In: Proceedings of NDSS’03, 2003.
• G. Ateniese, K. Fu, M. Green, S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” In: Proceedings of NDSS’05, 2005.
• S.D.C. di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati, “Over-encryption: Management of access control evolution on outsourced data,” In: Proceedings of VLDB’07, 2007.
• S. Yu, C. Wang, K. Ren, W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” In Proceedings of IEEE INFOCOM, pp. 1-9, March 2010.
• S. Subashini, V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” Journal of network and computer applications, 34(1), 1-11, 2011.
• J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, L.L. Iacono, “All your clouds are belong to us: Security analysis of cloud management interfaces,” In: Proceedings of the 3rd ACM workshop on computing security workshop (pp. 3-14), October 2011.
• T. Surcel, F. Alecu, “Applications of cloud computing,” In: International conference of science and technology in the context of the sustainable development, pp. 177-180, 2008.
• D. Mukhopadhyay, G. Sonawane, P.S. Gupta, S. Bhavsar, V. Mittal, “Enhanced security for cloud storage using file encryption,” arXiv preprint arXiv: 1303.7075, 2013.
• G. Lewis, “Basics about cloud computing,” Software engineering institute carniege mellon university, Pittsburgh, 2010.
• A. Beloglazov, “Energy-efficient management of virtual machines in data centers for cloud computing,” PhD Thesis, 2013.
• I. Foster, Y. Zhao, I. Raicu and S. Lu, “Cloud computing and grid computing 360-degree compared,” In: IEEE grid computing environments workshop, pp.1-10, November, 2008.
• Z. Liu H.S. Lallie, L. Liu “A Hash-based secure interface on plain connection,” In: Proceedings of CHINACOM. ICST.OTG & IEEE Press, Harbin, China, 2011.
• A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, I. Stoica, “ Above the clouds: A Berkeley view of cloud computing,” Department of electrical engineering and computer sciences, university of California, Berkeley, Rep. UCB/EECS, 28, 2009.
• P. Mell, T. Grance, “The NIST definition of cloud computing (draft),” NIST special publication, 800(145), 7, 2011.
• A. Stevens, “When hybrid clouds are a mixed blessing,” The register, June 29, 2011.
• Frank Gens, Robert P Mahowald, Richard L Villars. (2009, IDC cloud computing 2010.
• Y. Simmhan, A.G. Kumbhare, B. Cao, V. Prasanna, “An analysis of security and privacy issues in smart grid software architectures on clouds,” In: Proceedings of the IEEE International Conference on Cloud Computing (CLOUD), pp. 582-589, July, 2011.
• http://aws.amazon.com/ec2/S [Online] [Accessed 12.10.2013].
• http://www.microsoft.com/windowsazure [Online] [Accessed 13.10.2013].
• http://www.silverspringnet.com/products/utilityiq apps.html [Online] [Accessed 12.10.2013].
• http://www.oracle.com/us/industries/utilities/ [Online] [Accessed 11.10.2013].
• http://www.microsoft.com/enterprise/industry/power-utilities/ [Online] [Accessed 11.10.2013].
• T. Espiner, “Cloud providers shrug off liability for security,” http://www.zdnet.co.uk/news/compliance/2010/02/12/cloud-providers-shrug-off-liability-for-security-40037148/,ZDNet UK. [Online] [Accessed 13.10.2013].
• G. Reese, “Cloud Application Architectures,” O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472, 2009.
• P. Mell, T. Grance, “Effectively and securely using the cloud computing paradigm,” NIST, Information Technology Lab., 2009.
• O. Hamrén, “Mobile phones and cloud computing,” M.S. Thesis, 2012.
• T. Mather, S. Kumaraswamy, S. Latif, “Cloud security and privacy: An enterprise perspective on risks and compliance,” Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472, 2009.
• https://drive.google.com/ [Online] [Accessed 13.10.2013].
• B.R Kandukuri, V.R. Paturi A. Rakshit, “Cloud security issues,” In: Proceedings of the IEEE international conference on services computing, pp.517–20, 2009.
• V. Choudhary, “Software as a service: Implications for investment in software development,” In: Proceedings of the international conference on system sciences, pp.209, 2007.
• Cloud Security Alliance, “Security guidance for critical areas of focus in cloud computing V2.1,” pp. 25, 2009.
• P.E. Johnson, “Cloud Computing for Libraries,” Journal of access services, 10(1), 71-73, 2013.
• S. Steinbuss, S. Flake, M. Ley, C. Schmuelling, J. Tacken, “Service design studio for SaaS,” In: Efficiency and logistics, Springer Berlin Heidelberg, pp. 229-236, 2013.
• P. Buxmann, H. Diefenbach, T. Hess, “Software as a Service: The application level of cloud computing,” In: The software industry, Springer Berlin Heidelberg, pp. 169-190, 2013.
• P.U. Chinedu, W. Nwankwo, U.F. Eze, “Enterprise cloud adoption: Leveraging on the business and security benefits,” West African journal of industrial and academic research, 7(1), 70-80, 2013.
• M. Y. Zhao, Z.Y. Lu, G. Wang, W.G. Zhang, “Large-scale electric vehicle operation monitoring platform based on cloud computing,” Applied mechanics and materials, 278, 1878-1882, 2013.
• L. Tingting, Z. Yong, “A decentralized information flow model for SaaS applications security. In: Proceedings of IEEE 3rd international conference on intelligent system design and engineering applications, pp. 40-43, January 2013.
• I.M. Khalil, A. Khreishah, S. Bouktif, A. Ahmad, “Security concerns in cloud computing. In: Proceedings of the 10th IEEE international conference on information technology: new generations, pp. 411-416, April 2013.
• A. Pandya, M. Shah, N. Rajagopal, K.V. Prasad, “Experiences in delivering power system decision support tools over the web using Software-as-a-Service (SaaS) model. In: Proceedings of the IEEE annual SRII global conference, pp. 846-849, July 2012.
• A.N. Hidayanto, Y.Y. Karnida, G. Moerita, “Analysis of software as a service (SaaS) for software service provision alternative: A case study of e–office on demand service of PT. Telkom Indonesia,” International journal of innovation and learning, 12(3), 294-318, 2012.
• I. Foster, V. Vasiliadis, “SaaS for science: the path to reality for research in the cloud,” In: Proceedings of the 1st ACM conference of the extreme science and engineering discovery environment: Bridging from the extreme to the campus and beyond, pp.66, July 2012.
• J. Gracia, E. Bayo, “Integrated 3D web application for structural analysis software as a service,” Journal of computing in civil engineering, 27(2), 159-166, 2012.
• T. Reuwer, S. Jansen, S. Brinkkemper, “Key factors in the internationalisation process of SMEs exporting business software as a service,” International journal of business information systems, 12(2), 140-162, 2013.
• J.S. Han, K.Y. Chung, G.J. Kim, “Policy on literature content based on software as service,” Multimedia tools and applications, 1-10, 2013.
• M. Decat, B. Lagaisse, D. Van Landuyt, B. Crispo, W. Joosen, “Federated authorization for Software-as-a-Service applications,” In: On the move to meaningful internet systems: OTM 2013, Conferences Springer Berlin Heidelberg, pp. 342-359, January 2013.
• A. Sun, J. Zhou, T. Ji, Q. Yue, “CSB: Cloud service bus based public SaaS platform for small and median enterprises,” In: Proceedings of the IEEE international conference on cloud and service computing, pp. 309-314, December 2011.
• M. Grammatikou, C. Marinos, Y. Demchenko, D.R. Lopez, K. Dombek, J. Jofre, “GEMBus as a service oriented platform for cloud-based composable services,” In: Proceedings of the IEEE 3rd international conference on cloud computing technology and science, pp. 666-671, November 2011.
• S. Strauch, V. Andrikopoulos, F. Leymann, D. Muhler, “ESB MT: Enabling multi-tenancy in enterprise service buses,” In: Proceedings of the IEEE 4th International conference on cloud computing technology and science, pp. 456-463, December, 2012.
• L. Chen, “Integrating Cloud Computing Services Using Enterprise Service Bus (ESB),” Business and management research, 1(1), pp. 26, 2012.
• Oracle, “Wiring through an enterprise service bus,” 2009. /http://www.oracle.com/technology/tech/soa/mastering-soa-series/part2.htmlS [Online] [Accessed 13.10.2013].
• C.R. Attanasio, “Virtual machines and data security,” In: Proceedings of the ACM workshop on virtual computer systems. New York, USA, pp. 206–9, 1973.
• S. Gajek, L. Liao, J. Schwenk, “Breaking and fixing the inline approach,” In: Proceedings of the ACM workshop on secure web services. New York, USA, pp.37–43, 2007.
• M. Descher, P. Masser, T. Feilhauer, A.M. Tjoa, D. Huemer, “Retaining data control to the client in infrastructure clouds,” In: Proceedings of the international conference on availability, reliability and security, pp. 9–16, 2009.
• P. Naik, S. Sanyal, “Increasing security in cloud environment,” arXiv preprint arXiv: 1301.0315, 2013.
• A. Bisong, M. Rahman, “An overview of the security concerns in enterprise cloud computing,” International journal of network security & its applications, 3(1), 30-45, 2011.
• W.A. Jansen, “Cloud hooks: Security and privacy issues in cloud computing,” In: Proceedings of the IEEE 44th Hawaii international conference on system sciences, pp. 1-10, January 2011.
• F. B. Shaikh, S. Haider, “Security threats in cloud computing,” In: Proceedings of the IEEE international conference for Internet technology and secured transactions, pp. 214-219, December, 2011.
• M. Almorsy, J. Grundy, I. Müller, “An analysis of the cloud computing security problem,” In: Proceedings of the asia pacific cloud workshop, Australia, 2010.
• K. Dahbur, B. Mohammad, A.B. Tarakji, “A survey of risks, threats and vulnerabilities in cloud computing,” In: Proceedings of the ACM international conference on intelligent semantic web-services and applications, pp. 12, April, 2011.
• Z. Wang, K. Sun, J. Jing, S. Jajodia, “Verification of data redundancy in cloud storage,” In: Proceedings of the ACM international workshop on security in cloud computing, pp. 11-18, May 2013.
• http://www.veruscorp.com/public-cloud-networks.aspx [Online] [Accessed 13.10.2013].
• D. Simmonds, A. Wahab, D. Gomez, “Public cloud computing vs. private cloud computing,” How security matters, 1-14, 2012.
• SAS 70, “Introduction to SAS 70 Type II Audit,” (2012).
• J.W. Schwartz, “6 worst data breaches of 2011,” Information week security, 2011.
• L.S. Pfleeger, C. Irvine, M. Kwon, “Guest editors introduction," IEEE security and privacy, 10(2), pp. 19-23, 2012.
• Microsoft TechNet (2), “Security Issues in the Private Cloud,” 2012.
• M. Stawowski, “Security zones. The principles of network security design,” 2007.
• J. Bloomberg, “Why public clouds are more secure than private clouds,” 2012.
• Thomas, “Security issues in the private cloud,” 2011.
• I.H. Chuang, S.H. Li, K.C. Huang, Y.H. Kuo, “An effective privacy protection scheme for cloud computing,” In: Proceedings of the IEEE 13th international conference on advanced communication technology, pp. 260-265, February, 2011.
• http://www.cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdfS [Online] [Accessed 13.10.2013].
• http://www.cloudsecurityalliance.orgS [Online] [Accessed 13.10.2013].
• http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdfS [Online] [Accessed 13.10.2013].
• http://www.ogf.org/S [Online] [Accessed 13.10.2013].
• W. Tsai Z. Jin, X. Bai, “Internet ware computing: issues and perspective,” In: Proceedings of the ACM first Asia-Pacific symposium on internet ware, Beijing, China, pp.1–10, 2009.
• C. Krugel, T. Toth, E. Kirda, “Service specific anomaly detection for network intrusion detection,” In: Proceedings of the ACM symposium on applied computing, pp.201–208, 2002.
• H. Raj, R. Nathuji, A. Singh, P. England, “Resource management for isolation enhanced cloud services,” In: Proceedings of the ACM work shop on cloud computing security, Chicago, Illinois, USA, pp.77–84, 2009.
• B. Hayes, “Cloud computing,” Communications of the ACM, 51 (7), 9-11, (July, 2008).
• A. Basta, W. Halton, “Computer security and penetration testing,” Delmar Cengage Learning, 2007.
• D. Naor, M. Naor, J.B. Lotspiech, “Revocation and tracing schemes for stateless receivers,” In: Proceedings of CRYPTO’01, 2001.
• M. Atallah, K. Frikken, M. Blanton, “Dynamic and efficient key management for access hierarchies,” In: Proceedings of CCS’05, 2005.
• R. Lu, X. Lin, X. Liang, X.S. Shen, “Secure provenance: the essential of bread and butter of data forensics in cloud computing,” In: Proceedings of the 5th ACM symposium on information, computer and communications security, pp. 282-292, April, 2010.
• R.L.Q. Sumter, “Cloud computing: Security risk classification,” In: ACMSE 2010, Oxford, USA, 2010.
• Wenchaoet, “Towards a data-centric view of cloud security,” In: CloudDB 2010, Toronto, Canada, 2010.
• F. Lombardi, R.D. Pietro, “Transparent security for cloud,” In: SAC’10, Sierre, Switzerland, March 22-26, 2010.
• M. Mowbray, S. Pearson, “A client-based privacy manager for cloud computing,” In: Proceedings of the ACM 4th international ICST conference on communication system software and middleware, pp. 5, June 2009.
• D. Lin, A. Squicciarini, “Data protection models for service provisioning in the cloud,” In: Proceedings of the 15th ACM symposium on access control models and technologies, Pittsburgh, Pennsylvania, USA, pp. 183-192, 2010.