The question focus was to identify the most relevant issues in Cloud Computing which consider vulnerabilities, threats, risks, requirements and solutions of security for Cloud Computing. TCCP enables providers to offer closed box execution environments, and allows users to determine if the environment is secure before launching their VMs. Washington DC, USA: IEEE Computer Society; 2010:395–398. Wylie J, Bakkaloglu M, Pandurangan V, Bigrigg M, Oguz S, Tew K, Williams C, Ganger G, Khosla P: Selecting the right data distribution scheme for a survivable Storage system. The inclusion and exclusion criteria of this study were based on the research question. J Internet Serv Appl 4, 5 (2013). International Journal of Network Security & Its Applications (IJNSA) 2011, 3(1):30–45. Han-zhang W, Liu-sheng H: An improved trusted cloud computing platform model based on DAA and privacy CA scheme. We have focused on this distinction, as we consider it important for understanding these issues. The authors declare that they have no competing interests. However, web services also lead to several challenges that need to be addressed. The virtual network model is composed of three layers: routing layers, firewall, and shared networks, which can prevent VMs from sniffing and spoofing. Washington, DC, USA: IEEE Computer Society; 2009:1–4. 10.1016/j.future.2010.12.006. TVDc [73, 74] ensures isolation and integrity in cloud environments. Moreover, most compliance standards do not envision compliance with regulations in a world of Cloud Computing. For instance, in threat T10, an attacker can read or tamper with the contents of the VM state files during live migration. SaaS applications can be grouped into maturity models that are determined by the following characteristics: scalability, configurability via metadata, and multi-tenancy [30, 33]. Available: http://www.theregister.co.uk/2009/06/08/webhost_attack/.
Even at this early stage in cloud adoption, users of PaaS services are raising the question of the portability of their applications, not to a given PaaS provider, but from that first provider to a different one, or even back to the data center. The security issues are a little different, depending on whether you use a public cloud or private cloud implementation of IaaS. As described in this paper, storage, virtualization, and networks are the biggest security concerns in Cloud Computing. Ormandy T: An empirical study into the Security exposure to hosts of hostile virtualized environments. For each vulnerability and threat, we identify what cloud service model or models are affected by these security problems. Accessed: 16-Jul-2011 http://www.keeneview.com/2009/03/what-is-platform-as-service-paas.html Online. From the perspective of the application development, developers face the complexity of building secure applications that may be hosted in the cloud. Compared to traditional technologies, the cloud has many specific features, such as its large scale and the fact that resources belonging to cloud providers are completely distributed, heterogeneous and totally virtualized. As mentioned before, sharing resources allows attackers to launch cross-tenant attacks. In both SaaS and PaaS, data is associated with an application running in the cloud. In Information Security Curriculum Development Conference, Kennesaw, Georgia. Countermeasures are proposed and discussed. Hashizume K, Yoshioka N, Fernandez EB: Three misuse patterns for Cloud Computing. OWASP: The Ten most critical Web application Security risks. Network components are shared by different tenants due to resource pooling.
Journal of Internet Services and Applications. In Proceedings of the 2011 International conference on intelligent semantic Web-services and applications. Also, running these filters may raise privacy concerns because they have access to the content of the images which can contain customer’s confidential data.
Introduction Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically Moving critical applications and sensitive data to public cloud environments is of great concern for those corporations that are moving beyond their data center’s network under their control. Washington, DC, USA: IEEE Computer Society; 2010:380–395. Available: http://www.theregister.co.uk/2009/06/08/webhost_attack/. 13, V13–39. Available: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment Dahbur K, Mohammad B, Tarakji AB: A survey of risks, threats and vulnerabilities in Cloud Computing. Washington, DC, USA: IEEE Computer Society; 2010:V13–33. But rolling back virtual machines can re-expose them to security vulnerabilities that were patched or re-enable previously disabled accounts or passwords. These issues are primarily related to the safety of the data flowing through and being stored in the cloud, with sample issues including data availability, data access and data privacy. It provides the following security management features: access control framework, image filters, provenance tracking system, and repository maintenance services. Table 3 presents an overview of threats in Cloud Computing. Cloud Security Alliance: Top Threats to Cloud Computing V1.0. Accessed: 02-Aug-2011 The Register, 08-Jun-2009. In International Conference on Management and Service Science. In the first maturity model, each customer has his own customized instance of the software. It's a logical next step for organizations that want to move specific processes and applications into the cloud, but that still want t… This analysis offers a brief description of the vulnerabilities, and indicates what cloud service models (SPI) can be affected by them.
In cloud computing, data is stored in diverse geographic locations with different legal jurisdictions. In 5th International conference on computer sciences and convergence information technology (ICCIT). Implementation, Management, and Security, CRC Press; 2009. Cloud Security Alliance: Security guidance for critical areas of focus in Cloud Computing V3.0. 2011. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Zhang Y, Liu S, Meng X: Towards high level SaaS maturity model: methods and case study. Washington, DC, USA: IEEE Computer Society; 2010:18–21. The speed at which applications will change in the cloud will affect both the System Development Life Cycle (SDLC) and security [12, 24]. Virtual machine security becomes as important as physical machine security, and any flaw in either one may affect the other. Privacy J Netw Comput Appl 2011, 34(1):1–11. This useful feature can also raise security problems [42, 43, 47]. Mather T, Kumaraswamy S, Latif S: Cloud Security and Privacy. PaaS as well as SaaS are hosted on top of IaaS; thus, any breach in IaaS will impact the security of both PaaS and SaaS services, but the reverse may also be true. Although there are many benefits to adopting Cloud Computing, there are also some significant barriers to adoption. Centre for the Protection of National Infrastructure: Information Security Briefing 01/2010 Cloud Computing. As shown in Table 1, most of the approaches discussed identify, classify, analyze, and list a number of vulnerabilities and threats focused on Cloud Computing.
In this section, we provide a brief description of each countermeasure mentioned before, except for threats T02 and T07. The Register, 08-Jun-2009. This question had to be related to the aim of this work, that is, to identify and relate vulnerabilities and threats with possible solutions. This approach includes the following security features: access control framework, image filters, provenance tracking, and repository maintenance services. Washington, DC, USA: IEEE Computer Society; 2008:9–18. IaaS essentially refers to purchasing the basic storage, processing power and networking to support the delivery of cloud computing applications. Pittsburgh, PA: CMU-CS-01–120; 2001. Naehrig M, Lauter K, Vaikuntanathan V: Can homomorphic encryption be practical? In addition, we can see that in our search, many of the approaches, in addition to speaking about threats and vulnerabilities, also discuss other issues related to security in the Cloud such as the data security, trust, or security recommendations and mechanisms for any of the problems encountered in these environments. There are very few limitations on what applications can be run on the infrastructure or what tools can be used to run the applications. In IEEE International Carnahan Conference on Security Technology (ICCST), KS, USA. In International Conference on Computer Application and System Modeling (ICCASM), vol. VM images are dormant artifacts that are hard to patch while they are offline. TVDc provides integrity by employing a load-time attestation mechanism to verify the integrity of the system. Thus, a malicious Virtual Machine can monitor shared resources without being noticed by its VMM, so the attacker can infer some information about other virtual machines. Syst. The results of the systematic review are summarized in Table 1 which shows a summary of the topics and concepts considered for each approach. 10.1016/j.jss.2006.07.009.
Thus, these images are fundamental for the overall security of the cloud [46, 49]. A SaaS provider may rent a development environment from a PaaS provider, which might also rent an infrastructure from an IaaS provider. Journal of Internet Services Applications 2010, 1(1):7–18. For the final model, applications can be scaled up by moving the application to a more powerful server if needed. Seminar on Network Security; 2007. Santos N, Gummadi KP, Rodrigues R: Towards Trusted Cloud Computing. this technique aims to provide intrusion tolerance and, in consequence, secure storage. IEEE Security Privacy 2010, 8(6):40–47. Jansen W, Grance T: Guidelines on Security and privacy in public Cloud Computing. However, one limitation of this approach is that filters may not be able to scan all malware or remove all the sensitive data from the images. 10.1016/j.jnca.2010.07.006. Fernandez EB, Yoshioka N, Washizaki H: Modeling Misuse Patterns. Owens D: Securing elasticity in the Cloud. In some cases, this switch has required major changes in software and caused project delays and even productivity losses. Venkatesha S, Sadhu S, Kintali S: Survey of virtual machine migration techniques. As with SaaS, PaaS also brings data security issues and other challenges that are described as follows: Moreover, PaaS not only provides traditional programming languages, but also offers third-party web services components such as mashups [10, 38]. The PaaS provider secures the operating system and physical infrastructure. In IaaS environments, a VM image is a prepackaged software template containing the configuration files that are used to create VMs. Beijing, China: Springer Berlin Heidelberg; 2009:69–79. Berkeley, CA, USA: USENIX Association; 2005:227–229. Its very nature, however, makes it open to a variety of security issues that can affect both the providers and consumers of these cloud services. Viega J: Cloud Computing and the common Man.
Vordel CTO Mark O'Neill looks at 5 challenges. The PaaS customer is responsible for securing its applications, data, and user access. Wu et al. They control the software running in their virtual machines, and they are responsible for configuring security policies correctly. With SaaS, the burden of security lies with the cloud provider. We put more emphasis on threats that are associated with data being stored and processed remotely, sharing resources and the usage of virtualization. IaaS provides a pool of resources such as servers, storage, networks, and other computing resources in the form of virtualized systems, which are accessed through the Internet. They all approved the final version to be published. Jasti A, Shah P, Nagaraj R, Pendse R: Security in multi-tenancy cloud. We now systematically analyze existing security vulnerabilities and threats of Cloud Computing. In the cloud, security is a shared responsibility between the cloud provider and the customer. Security problems of PaaS clouds are explored and classified. Other Data Related Security Issues Other minor data related security issues can occur through Data location, Multi-tenancy and Backup in cloud computing. The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. Virtualization allows users to create, copy, share, migrate, and roll back virtual machines, which may allow them to run a variety of applications [43, 44]. Rev. One can either create her own VM image from scratch, or one can use any image stored in the provider’s repository.