Furthermore, we describe the relationship between these vulnerabilities and threats; how these vulnerabilities can be exploited in order to perform an attack, and also present some countermeasures related to these threats which try to solve or improve the identified problems. SSL is the underpinning of most of the "security" utilized in the cloud and, for that matter, the Internet in general. Seminar on Network Security; 2007. Using covert channels, two VMs can communicate bypassing all the rules defined by the security module of the VMM [48]. Furthermore, virtual machines are able to be rolled back to their previous states if an error happens. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the NSF. From Table 2, we can conclude that data storage and virtualization are the most critical and an attack on them can do the most harm. The remainder of the paper is organized as follows: Section 2 presents the results obtained from our systematic review. In Proceedings of the 33rd International convention MIPRO. However, it requires a huge processing power which may impact user response time and power consumption. A SaaS provider may rent a development environment from a PaaS provider, which might also rent an infrastructure from an IaaS provider. The SaaS provider is the one responsible for the security of the data while it is being processed and stored [30]. Largely because of the relatively lower degree of abstraction, IaaS offers greater tenant or customer control over security than do PaaS or SaaS [10]. Additionally, security controls and self-service entitlements offered by the PaaS platform could pose a problem if not properly configured. The three basic operations for cloud data are transfer, store, and process.
In part, this is because of the degree of abstraction, the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. 10.1007/s13174-010-0007-6. They all approved the final version to be published. Implementation, Management, and Security, CRC Press; 2009. These issues are primarily related to the safety of the data flowing through and being stored in the cloud, with sample issues including data availability, data access and data privacy. The speed at which applications will change in the cloud will affect both the System Development Life Cycle (SDLC) and security [12, 24]. Tebaa M, El Hajji S, El Ghazi A: Homomorphic encryption method applied to Cloud Computing. With SaaS, the burden of security lies with the cloud provider. We have carried out a systematic review [13–15] of the existing literature regarding security in Cloud Computing, not only in order to summarize the existing vulnerabilities and threats concerning this topic but also to identify and analyze the current state and the most important security issues for Cloud Computing. Security Issues in Cloud Deployment Models. Security of PaaS clouds is considered from multiple perspectives including access control, privacy and service continuity while protecting both the service provider and the user. Cloud Computing Security Issues and Challenges Dheeraj Singh Negi 2. Traditional web applications, data hosting, and virtualization have been looked over, but some of the solutions offered are immature or inexistent. Table 2 presents an analysis of vulnerabilities in Cloud Computing. Beijing, China: Springer Berlin Heidelberg; 2009:69–79.
Malicious users can store images containing malicious code into public repositories compromising other users or even the cloud system [20, 24, 25]. Zhang Y, Juels A, Reiter MK, Ristenpart T: Cross-VM side channels and their use to extract private keys. 10.1016/j.future.2010.12.006. Jordan: Amman; 2011:1–6. Accessed: 16-Jul-2011 http://www.keeneview.com/2009/03/what-is-platform-as-service-paas.html Online. 2009. 10.1016/j.jss.2006.07.009. Sending or storing encrypted data in the cloud will ensure that data is secure. Li W, Ping L: Trust model to enhance Security and interoperability of Cloud environment. In IaaS environments, a VM image is a prepackaged software template containing the configuration files that are used to create VMs. The public cloud refers to software, infrastructure, or platforms offered as a service by 3rd parties over the Internet, referred to as Cloud Service Providers or CSPs. CA, USA: USENIX Association Berkeley; 2009. Virtual networks are also a target for some attacks, especially when communicating with remote virtual machines. Cloud Computing is a relatively new concept that presents a good number of benefits for its users; however, it also raises some security problems which may slow down its use. - Provides ability to pool computing resources (e.g., Linux clustering). In Services Computing conference. Ertaul L, Singhal S, Gökay S: Security challenges in Cloud Computing. Next, in Section 3 we define in depth the most important security aspects for each layer of the Cloud model.
International Journal of Ambient Computing and Intelligence 2011, 3(1):38–46. Some confidential information such as passwords or cryptographic keys can be recorded while an image is being created. With a private cloud, your organization will have total control over the solution from top to bottom. Heidelberg: Springer Berlin; 2009:347–358. Most developers still deal with application security issues in isolation, without understanding the security of the "full stack". The adoption of SaaS applications may raise some security concerns. We have presented security issues for cloud models: IaaS, PaaS, and SaaS, which vary depending on the model. Hashizume, K., Rosado, D.G., Fernández-Medina, E. et al. Wang C, Wang Q, Ren K, Lou W: Ensuring data Storage Security in Cloud Computing. Security policies are needed to ensure that customer’s data are kept separate from other customers [35]. We therefore established that the studies must contain issues and topics which consider security on Cloud Computing, and that these studies must describe threats, vulnerabilities, countermeasures, and risks. Unfortunately, integrating security into these solutions is often perceived as making them more rigid [4]. However, it also exposes the service to additional security risks. 116: 116; 2009:109–116. An evaluation of this approach was not performed when this publication was published. Also, even when virtual machines are offline, they can be vulnerable [24]; that is, a virtual machine can be instantiated using an image that may contain malicious code. Since Cloud Computing leverages many technologies, it also inherits their security issues. [52] proposes a security framework that customizes security policies for each virtual machine, and it provides continuous protection through virtual machine live migration.
Like Table 2, it also describes the threats that are related to the technology used in cloud environments, and it indicates what cloud service models are exposed to these threats. Besides secure development techniques, developers need to be educated about data legal issues as well, so that data is not stored in inappropriate locations. The goal of this analysis is also to identify some existing defenses that can defeat these threats. The session will examine the security of a typical Java Web application in an enterprise deployment. Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. PaaS as well as SaaS are hosted on top of IaaS; thus, any breach in IaaS will impact the security of both PaaS and SaaS services, but the reverse may also be true. Edited by: Rosado DG, Mellado D, Fernandez-Medina E, Piattini M. Pennsylvania, United States: IGI Global; 2013:36–53. VM images are dormant artifacts that are hard to patch while they are offline [50]. International Conference on Signal Acquisition and Processing (ICSAP’10) 2010, 278–281. For this analysis, we focus mainly on technology-based vulnerabilities; however, there are other vulnerabilities that are common to any organization, but they have to be taken into consideration since they can negatively impact the security of the cloud and its underlying platform. Berger S, Cáceres R, Goldman K, Pendarakis D, Perez R, Rao JR, Rom E, Sailer R, Schildhauer W, Srinivasan D, Tal S, Valdez E: Security for the Cloud infrastructure: trusted virtual data center implementation. Carlin S, Curran K: Cloud Computing Security. Heidelberg: Springer-Verlag Berlin; 2009. on Availability, Reliability, and Security (ARES 2009), Fukuoka, Japan.
Winkler V: Securing the Cloud: Cloud computer Security techniques and tactics. Gaithersburg, MD: NIST, Special Publication 800–145; 2011. By contrast, the PaaS model offers greater extensibility and greater customer control. Understanding what vulnerabilities exist in Cloud Computing will help organizations to make the shift towards the Cloud. Jaeger T, Schiffman J: Outlook: cloudy with a chance of Security challenges and improvements. However, new security techniques are needed as well as redesigned traditional solutions that can work with cloud architectures. The importance of Cloud Computing is increasing and it is receiving growing attention in the scientific and industrial communities. For example, a malicious VM can infer some information about other VMs through shared memory or other shared resources without need of compromising the hypervisor [46]. PaaS providers are responsible for securing the platform software stack that includes the runtime engine that runs the customer applications. International Journal of Network Security & Its Applications (IJNSA) 2011, 3(1):30–45. There are some well-known encryption schemes such as AES (Advanced Encryption Standard). However, Cloud Computing presents an added level of risk because essential services are often outsourced to a third party, which makes it harder to maintain data security and privacy, support data and service availability, and demonstrate compliance. In International Conference on Management and Service Science. It provides the following security management features: access control framework, image filters, provenance tracking system, and repository maintenance services. In Proceedings of the 2009 ACM workshop on Cloud Computing Security.