A Classification and Characterization of Security Threats in Cloud Computing

Tariqul Islam
D. Manivannan
Sherali Zeadally

Abstract

Security and privacy are the most critical issues that need to be addressed in designing a computing environment that is reliable and trustworthy. Cloud Computing is no different from other computing paradigms in this respect. Since data and storage are outsourced to third-party service providers, users lose direct control of data management and have to depend solely on the providers, who may not always be dependable. This distinctive feature of Cloud Computing makes it susceptible to several security threats and vulnerabilities. Although some of the security issues, such as network and virtualization security, authentication, access control, confidentiality, and integrity, are not new to computing, the effect of such issues is exacerbated in the cloud environment because of the unique features (e.g., multi-tenancy, data and resource sharing, virtualization, etc.) it possesses. In this paper, we classify and characterize the various security and privacy challenges associated with Cloud Computing.

How to Cite
Tariqul Islam, D. Manivannan, & Sherali Zeadally. (2016). A Classification and Characterization of Security Threats in Cloud Computing. International Journal of Next-Generation Computing, 7(1), 01–17. https://doi.org/10.47164/ijngc.v7i1.101
