See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/268445145 Cloud Computing Security & Privacy Challenges Conference Paper · June 2014 DOI: 10.13140/2.1.1779.6809 CITATIONS READS 9 6,622 3 authors: Younis A Younis Kashif Kifayat University of Benghazi Liverpool John Moores University 20 PUBLICATIONS 301 CITATIONS 71 PUBLICATIONS 787 CITATIONS SEE PROFILE Madjid Merabti University of Sharjah 414 PUBLICATIONS 3,666 CITATIONS SEE PROFILE Some of the authors of this publication are also working on these related projects: VIBRANT View project Net Homura View project All content following this page was uploaded by Younis A Younis on 18 November 2014. The user has requested enhancement of the downloaded file. SEE PROFILE Cloud Computing Security & Privacy Challenges Younis A.Younis, Kashif Kifayat and Madjid Merabti School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, L3 3AF, UK [email protected] {k.kifayat, m.merabti}@ljmu.ac.uk Abstract— Cloud computing is considered one of the most dominant paradigms in the Information Technology (IT) industry nowadays. It offers powerful processing and storage resources as on-demand services at reduced cost, and improved efficiency. It enables sharing computing physical resources among cloud computing tents and offers on-demand scaling with cost efficiency. However, with all of these services promising facilities and benefits, there are still a number of challenges associated with utilising cloud computing such as data security, abuse of cloud services, malicious insider and cyber-attacks. The target of this paper is to explore potential security issues related to securing cloud computing, highlight research directions and investigates various security challenges to cloud consumer and service providers. It divides cloud security and privacy threats into three main categories: threats to cloud service provider, attacks and threats to cloud physical infrastructure and threats to cloud customers. Keywords—cloud computing; security challanges; limitations; attacks and threats. I. INTRODUCTION Cloud computing is an open standard model, which is Internet-centric and provides various services either software or hardware. It needs minimal management effort from service providers. A significant interest in both industry and academia has been generated to explore and enhance cloud computing. It has five essential characteristics: on-demand self-service, measured service, rapid elasticity, broad network access and resource pooling. It is aiming at giving capabilities to use powerful computing systems with reducing the cost and increasing the efficiency and performance. Cloud computing gives a new hope for meeting various requirements of service providers and consumers. A new report published April 2014 by the Right Scale, finds that among 1000 IT executives surveyed, almost 94% indicate their companies are running Software as a Service (SaaS) or experimenting infrastructure as a Service (IaaS). Furthermore, 87% of surveyed organizations are utilising public cloud services [1]. In April 2013, the National Grid, the UK’s gas and electricity network, has announced to replace its own internal datacenters with a CSC-hosted cloud [2]. However, with all of these promising facilities and benefits, there are still a number of technical barriers that may prevent cloud computing from becoming a truly ubiquitous service. Security is the greatest inhibitors for adoption and the primary concern in cloud computing. It suffers from ISBN: 978-1-902560-27-4 © 2014 PGNet conventional distributed systems security attacks such as malicious codes. Moreover, cloud computing has new concerns such as moving resources and storing data in the cloud with probability to reside in another country, which has different regulations. A cloud service provider has to ensure its computing resources are fully usable and available at all the time [3]. Computing resources could be inaccessible due to many reasons such as natural disaster or denial of service. Protecting data privacy is another aspect in cloud computing security. Cloud computing is a shared environment, which uses sharing infrastructure. Hence, data may face a risk of disclosure or unauthorized access. Cloud computing services are delivered by a large number of service providers. They use various types of technologies, which cause heterogeneity issues. Extensibility and Shared Responsibilities is another concern as up to now it is not clear, how security duties should be assigned in cloud computing [4]. Furthermore, virtualization is one of many ways used in cloud computing to meet their consumer requirements, but it brings its own threats such as data isolation problems and communication between virtual machines. Cloud computing makes cyber-attacks more likely; many of these attacks are among the most potential and commonly encountered in the wider Internet such as Distributed Denial-Of-Service (DDOS) attack [5], insecure application programming interface, abuse and nefarious use of cloud computing, malicious insiders[6], etc. Cloud computing is shared open environment, which has its own characteristics and features such as on-demand services and mobility. Thus, cloud service providers need a strengthened access control system for controlling access to their resources with the ability to monitor who deal with them. They should have the ability to deal with dynamic and random behaviours of cloud consumers, and heterogeneity and diversity of service. This paper illustrates a list of the security issues faced to adopt the cloud computing and highlights security challenges. The cloud computing security challenges and threats are presented in three different categories, attacks and threats and other security challenges. The rest of this paper is structured as follows. Potential attacks and threats on cloud computing are illustrated in section 2. Section 3 presents other cloud computing security challenges such as access control and virtualization. The conclusion and our future work are presented in section 4. Figure 1: Cloud computing attacks and threats II. SECURITY ATTACKS AND THREATS IN CLOUD COMPUTING In cloud computing, a service provider has a big role to deal with all kinds of threats and attacks, which they or their customers could face. Cloud computing inherits a number of security attacks from conventional distributed systems such as malicious code (viruses, Trojan horses), back door, man-in-the middle attack and so on [7]. Moreover, cloud computing has brought its unique security threats and concerns. This section is divided into three main sections as shown in figure 1. The first section covers security challenges and threats related to cloud clients. The second section explores risks and attacks regarding to cloud service provider. Third section covers the most well-known threats and attack to the databases and physical infrastructure. 1. Clouds’ customers risks, challenges and threats Consumers are not adequately informed about what can be gained by moving to cloud computing, and the risk associated with that moving. Consumers should be engaged in the moving process, and in any further action. Numbers of security issues related to cloud computing consumers are listed below. A. Data security and privacy Due to migration from a single-tenant environment to multi-tenant one, consumers’ data face some threats related to data confidentiality, integrity and availability as shown in figure 2. The data security concerns and challenges were explored and presented in another published paper [8]. B. Customers’ privileges and access control Cloud service provider has the complete responsibility for managing access control to the network service, and customers have to maintain their credentials and sensitive data in a proper way as well. The cloud service provider has to determine how credentials will be managed, who will be in command of keeping data safe and giving information about people who manage customers’ data either people working in the same organization or third parties. C. Availability and recovery In any agreement between customers and a cloud service provider should be a part stated what will happen to customers’ data and service when the cloud service provider face outages problem caused by either natural disaster or attack such as DOS attack. In some cases, a backup of customers’ data will be kept in another place, so it should receive the same attention of security. D. Policies and Service of Level Agreement (SLA) In cloud computing, service providers and customers should have a well-written policy and SLA. A good cloud computing security policy should state important areas related to cloud computing security such as confidentiality and integrity, access control, communication security, identification and authentication, accountability and data protection[7]. In most cases, policies should be read carefully as it could be complicated, too long and full of jargons. So it should be easy to be understood and explained very well with using of diagrams when possible. cloud service provider system even when it is difficult to maintain [7]. D. Privilege escalation Attacks could be happened by escalating privileges on a system with using a lower level of access rights, then attack a VM with a higher level of access rights through the hypervisor [7]. There are other types of attacks should be mentioned such as social engineering, TCP Hijacking, password guessing and so on. Cloud computing has unique security and privacy threats and concerns such as: Figure 2: Data security challenges and threats in the cloud E. Long-term viability Cloud computing customers should be fully confident that the cloud service provider will not be taken over by other service providers, which could cause problems to customers’ data viability. Customers should ask in advance for this situation and add it in any policy of SLA. F. Investigation support Cloud service providers should have the ability to trace any illegal activity and giving investigation support to their customers. 2. Risks and attacks to cloud service providers Cloud service provider has to cope with two kinds of threats either inside threats or outside threats and attacks. In both kinds of threats, there are different kinds of security concerns must be considered. Most of the attacks which organizations have faced are come as a result of vulnerability that organizations have in their systems. Numbers of these threats are listed below: A. Weak access controls It is a big concern which it could cause serious security problems as having a poor access control system can lead to reveal customers’ data and give the attackers ability to infiltrate organizations and their assets. So, the service provider should design a strengthen access control system with the ability to monitor who deal with it. B. Complexity of configuration Due to cloud computing designing system necessities, number of layers has been added due to utilizing virtual machines. These layers have increased the level of complexity, which might cause improper configuration and unseen vulnerabilities. C. Segregation of duties In cloud computing, a large number of components might be used together to build a cloud service provider services. Therefore, segregation of duties should be involved in the A. Data Breaches and loss They are on the top list of cloud computing threats [9]. Utilizing cloud computing bring significant new avenues of attack such as data loss and leakage, which are both serious threats to cloud computing. A flaw in one client’s application hosted in a multi-tenant cloud service database that is not properly designed could allow an attacker access not only to that client’s data, but every other client’s data as well. B. Shared Technology Vulnerabilities Cloud computing will use the same infrastructure used in the Internet, and it will be shared amongst clouds' consumers. Furthermore, in order to meet clouds’ consumers’ necessities, cloud service providers have used a virtualization hypervisor to mediate access between guest operating systems and the physical compute resources. However, using hypervisors have a countable number of flaws, which might give the guest operating system ability to influence on the underlying platform or gain inappropriate level of access controls. So, strong compartmentalization is required to ensure proper isolation between consumers in the cloud, and the individual customer do not impact operations of other tents running on the same cloud providers [6]. C. Account and Service Hijacking This threat could happen when an attacker hacks into a web site that is hosted in a cloud service provider and then secretly installing its software and control the cloud provider infrastructure. However, moving the data to the cloud might make the situation more complicated as an attacker can steal credentials that will be used to gain access to cloud computing services. According to Cloud Security Alliance (CSA), a number of remedies can be used to mitigate this threat such as understanding SLAs and cloud service providers security policies’, and prohibit the sharing of account credentials between users and services[9]. D. Cloud Malware Injection Attack It aims at Injecting a malwares service, application or virtual machine into a cloud service provider’s system. It could be used for serving any particular purpose the attacker is interesting in starting from full functionality changes or blocking to eavesdropping and data modification. To cope with this threat, there is a promising countermeasure approach which is performing a service instance integrity check for incoming requests. For instance, strong a hash value on the original service instance’s image file and comparing the hash value with hash values of all new service instance images. E. Metadata Spoofing Attack A web service server provides the metadata documents, which store all information about the web service invocation such as message format, security requirements, network location, etc. to the service clients. Thus, this attack aims at reengineering a web service’s metadata descriptions in order modify the network endpoints and the references to security policies. For dealing with this attack, all metadata documents have to be carefully examined for authenticity, for example, a hash based integrity verification of the metadata description files prior to usage can be used. However, mechanisms for security metadata documents are not standardized[10]. F. Insecure Application Programming Interface In order to give cloud computing customers’ ability to manage and interact with cloud computing services and deliver resources or data, cloud service providers use software interfaces or APIs. As a result of creating and using APIs every day, security has been poorly implemented or left out in many applications. Organizations try offering value-added services, which add more complexity to the design of APIs. A proper analyzes to security models of cloud service providers interfaces’ are required with strong authentication and access control [9]. A. Unknown Risk Profile It can come as a result of caring about what features and functionalities can be gained from adopting cloud services without considering how security producers and technologies will be developed, who has access to the data and what happen when the data disclose for any reason. A number of concerns should be considered such as storing data in removable memory sticks and accessing it using smart phones. That can lead to serious problems as these handy devices might be lost with gigabytes of sensitive information. The CSA has suggested a number of remedies, for instance, monitoring and alerting on necessary information [6]. G. Malicious Insiders There is no a clear definition what the insider term means in the borderless Internet. In the cloud, insider should not just describe employees and stuff, yet it should consider third parties, consultants and anyone who take a part of delivering services in the cloud. In addition, lack of transparency into providers’ processes and how the access to virtual assets will be granted to employees make the matters more complicated. Furthermore, there is a huge demand of understanding what the normal behaviors are and how to detect abnormal behaviors of an employee who accesses the organizations’ resources[9]. H. Abuse and Nefarious use of Cloud Computing Cloud computing can provide an attacker with huge computing power of cloud infrastructure to attack any target by spreading malware and spam such as botnet. In the cloud, anyone with a valid credit card can register even stolen credit cards can be accepted and used by attackers. For coping with these concerns, an enhanced credit card fraud monitoring, stricter initial registration and validation process should be deployed in the cloud [9]. 3. Threats and attack to databases and physical infrastructures In this subsection, we are going to cover the most wellknown threats and attack to the databases and physical infrastructures. B. Databases threats Cloud service providers should prevent any access or modify to databases by unauthorized users and maintain appropriate privileges for authorized users in order to prevent any illegitimate modification of information by them. C. Physical infrastructure threats There are a number of threats to the Cloud computing infrastructure. They are theft, eavesdropping, Distributed Denial-of-Service (DDoS), fraud, network intrusion, fragmentation attacks and session hijacking attacks [7]. Figure 3: Other cloud computing security challenges III. OTHER SECURITY CHALLANGES In order to depict the whole pictures, we have to consider other challenges, which each one of them needs another survey as illustrated in figure 3. 1. Access controls and Identity Management (IdM) An access control system is a collection of components and methods that determine the correct admission to activities by legitimate users based upon preconfigured access permissions and privileges outlined in the access security policy [11]. Identity management (IdM) aims at performing the authentication among heterogeneous clouds to establish a federation, but it suffers from some problems related to interoperability between various security technologies [4]. Moreover, moving any organization to the cloud needs thinking critically about using multiple sources of identity with different attributes and ability to identify all the entities involved in a transaction [12]. Information in cloud computing is likely to be shared among different entities, which could have various degrees of sensitivity. Therefore, it would require robust isolation and controlling access mechanisms. In order to draw the whole picture, we have done an in-depth investigation on cloud security and identified different security requirements for different cloud users (e.g. critical infrastructure service providers and small businesses). We have found access control is one of the common and fundamental requirements for all types of cloud users. However, conventional access control models cannot be applied in the cloud environment due to the following reasons: A. Entities which are cloud based are likely to reside in varied trusted domains and may be located in different countries that have various regulations. Thus, they may not trust each other [13]. B. Cloud computing can be very complex and sophisticated due to the dynamic nature of the cloud’s resources [14]. C. Conventional access control models in cloud computing would suffer from the lack of flexibility in attribute management and scalability. D. Heterogeneity and variety of services [15]. E. Diversity of access control policies and various access control interfaces can cause improper interoperability [16]. F. Dealing with a large number of users, different classification, high dynamic performance, mobility features and changes in high frequency [17]. G. Different access permissions to a same cloud user, and giving him/her ability to use multiple services with regard to authentication and login time [17] [18]. H. Sharing of resources among potential untrusted tenants, multi-tenancy and virtualization, mechanisms to support transfer customers’ credentials across layers to access services and resources are crucial aspects in any access control model going to be deployed in cloud computing [18]. There may be possibilities to extend existing access control models and use them in the cloud environment. However, this could be a potential risk and may not solve the problem as conventional access models may focus on a specific problem in a specific platform or environment and miss the remaining interconnected issues. This could happen due to inexistence of a complete list of access control requirements for cloud computing. In other words, the success on any access control solution for cloud computing will depend on analysing and accurately identifying a complete list of requirements. 2. Monitoring In the cloud, there is a huge demand of using monitoring activities either for insiders or outsiders. 3. Risk analysis and management It is about reducing the load in cloud computing by checking any risk in the data before delivering it consumers. Risk analysis and management consist of: business risk analysis, technical risk analysis and infrastructure risk analysis [19]. It is used to deal with dynamic and random behaviors of consumers and mitigate risks involved when consumers utilizing cloud. Security’s incidents management has to be stated in any agreement between consumers and the cloud. 4. Service Level Agreement(SLA) Cloud computing consumers require SLA definitions and automatic enforcement mechanisms that guarantee their data security and privacy with sustained and verifiable end-to-end performance. The SLA must state how isolation, bandwidth on-demand and quality of service will be insured as well. 5. Heterogeneity Cloud computing services are delivered by a big number of service providers and using different types of technologies, which might cause heterogeneous problems. Heterogeneity can come as a result from differences at various levels either software or hardware level. 6. Virtualization Virtualization is a key element in cloud computing, which brings well known benefits to the cloud, yet it has a number of security concerns such as Hypervisor security and performance concerns [20]. Supporting scalable multi-tenant billing and very robust isolation are major requirements of any tempted to deploy a system in the cloud. 7. Compliance Cloud computing has a lack of proper mechanisms for the compliance management. These mechanisms have to deal with concerns related to compliance and prevent any serious problem can be caused to data security and privacy. In addition, security-breach audit and forensics are used to insure no one violates or attacks the security within the system [12]. 8. Trust Management In cloud computing environment, establishing a reasonable and practical model for managing a trust relationship among cloud computing entities is hugely needed [21]. 9. Cross-Organizational Security Management Achieving and maintaining security requirements and compliance with SLAs are big challenges to service providers in cloud computing. Moreover, ensuring and maintaining security requirements need the involvement of several organizations to achieve proper security settings that meet security necessities in cloud computing environments. 10. Policies In cloud computing, a well-written policy is needed to state security guidelines and security procedures, which are used to implement technical security solutions [21]. 11. Security in the web browser Web applications which used in the Internet have their own vulnerabilities that have not been solved yet, and these applications are being used again in the cloud to deliver services without a clear clue how their weakness will be sorted out and their impact on cloud computing users[22]. 12. Extensibility and Shared Responsibilities Either end users or cloud computing service providers should care about securing cloud computing. Up to now, there is no a clear clue about how security duties should be assigned in cloud computing and who is responsible for what [23]. [14] IV. CONCLUSION AND FUTURE WORK Cloud computing is considered one of the most dominant paradigms in the Information Technology (IT) industry these days. It offers new cost effective services on-demand. It supports multi-tenancy to fulfil future IT increasing demands for accessing and using resources provisioned over the Internet. However, without appropriate solutions for security and privacy challenges, the cloud computing adoption will not happen soon. In this paper, we have covered the essential concepts and reviewed significant challenges to cloud computing security. It is also analysed cloud computing security challenges and various cloud consumers’ concerns, which might prevent utilizing the cloud. Our future work will be focusing on proposing and implementing a cloud based access control model, which can secure access to cloud computing and fulfil various security requirements for different consumers. REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] K. Weins, “2014 State of the Cloud Survey,” 2014. [Online]. Available: http://www.rightscale.com/blog/cloud-industryinsights/cloud-computing-trends-2014-state-cloud-survey. P. Danny, “Green light for National Grid’s cloud move,” Computing.Co.UK, 2013. [Online]. Available: http://www.computing.co.uk/ctg/analysis/2257295/green-light-fornational-grid-s-cloud-move. [Accessed: 22-Apr-2013]. C. Wang, Q. Wang, K. Ren, and W. Lou, “Ensuring data storage security in Cloud Computing,” in 2009 17th International Workshop on Quality of Service, 2009, pp. 1–9. S. Lar, X. Liao, and S. Abbas, “Cloud computing privacy & security global issues, challenges, & mechanisms,” in Communications and Networking in …, 2011, pp. 1240–1245. Z. Wang, “Security and Privacy Issues within the Cloud Computing,” in 2011 International Conference on Computational and Information Sciences, 2011, pp. 175–178. W. Dan Hubbard and Z. Michael Sutton, “Top Threats to Cloud Computing V1.0,” Cloud Security Alliance, 2010. [Online]. Available: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf. [Accessed: 20-Jun-2012]. R. Krutz and R. Vines, Cloud security: A comprehensive guide to secure cloud computing. John Wiley & Sons, 2010, p. 384. Y. A. Younis, M. Merabti, and K. Kifayat, “Secure Cloud Computing for Critical Infrastructure: A Survey,” in The 14th annual post graduate symposium on the convergence of telecommunications, networking and broadcasting, 2013, p. 6. Top Threats Working Group, “The Notorious Nine: Cloud Computing Top Threats in 2013,” 2013. M. Jensen, N. Gruschka, and R. Herkenhöner, “A survey of attacks on web services,” Comput. Sci. …, vol. 24, no. 4, 2009. R. Anderson, Security Engineering: A guide to building dependable distributed systems. John Wiley & Sons, 2010, p. 640. W. Group, “Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements,” National Institute of Standards and Technology, 2010. [Online]. Available: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf. Z. Wan, J. Liu, and R. Deng, “HASBE: A Hierarchical AttributeBased Solution for Flexible and Scalable Access Control in Cloud View publication stats [15] [16] [17] [18] [19] [20] [21] [22] [23] Computing,” IEEE Trans. Inf. Forensics Secur., vol. 7, no. 2, pp. 743–754, 2012. R. Masood and M. A. Shibli, “Comparative Analysis of Access Control Systems on Cloud,” in 2012 13th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2012, pp. 41–46. H. Takabi, J. Joshi, and G. Ahn, “Security and privacy challenges in cloud computing environments,” Secur. Privacy, IEEE, vol. 8, no. 6, pp. 24–31, 2010. Z. Tianyi, L. Weidong, and S. Jiaxing, “An Efficient Role Based Access Control System for Cloud Computing,” in 2011 IEEE 11th International Conference on Computer and Information Technology, 2011, pp. 97–102. W. Wang, J. Han, M. Song, and X. Wang, “The design of a trust and role based access control model in cloud computing,” in 2011 6th International Conference on Pervasive Computing and Applications, 2011, pp. 330–334. A. Almutairi, M. Sarfraz, and S. Basalamah, “A Distributed Access Control Architecture for Cloud Computing,” Software, IEEE, vol. 29, no. 2, pp. 36–44, 2012. E. Bezerra, “Critical telecommunications infrastructure protection in Brazil,” in Critical Infrastructure Protection, First IEEE International Workshop on, 2005. S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” J. Netw. Comput. Appl., vol. 34, no. 1, pp. 1–11, Jan. 2011. Q. Zhang, L. Cheng, and R. Boutaba, “Cloud computing: state-ofthe-art and research challenges,” J. Internet Serv. Appl., vol. 1, no. 1, pp. 7–18, Apr. 2010. M. Mujinga and B. Chipangura, “Cloud computing concerns in developing economies,” in Australian Information Security Management Conference, 2011. the 9th Australian Information Security Management Conference, 2011. C. Aete, “7 areas of shared responsibility for public cloud security,” hp Cloud Source Blog, 2012. [Online]. Available: http://h30507.www3.hp.com/t5/Cloud-Source-Blog/7-areas-ofshared-responsibility-for-public-cloud-security/ba-p/117425. [Accessed: 12-Aug-2012].