
Cloud Computing Security Issues and Challenges: A Survey: July 2011

The document discusses security issues and challenges in cloud computing. It provides definitions and characteristics of cloud computing, as well as different service and deployment models. The paper then outlines some key security concerns for both cloud providers and users, including issues around data confidentiality, integrity, availability and privacy.

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/220790184

Cloud Computing Security Issues and Challenges: A Survey

Conference Paper · July 2011


DOI: 10.1007/978-3-642-22726-4_46 · Source: DBLP


All content following this page was uploaded by Amandeep Verma on 06 May 2014.



Cloud Computing Security Issues and Challenges:
A Survey

Amandeep Verma and Sakshi Kaushal

U.I.E.T, Panjab University, Chandigarh, India


verma_aman81@yahoo.com, sakshi@pu.ac.in

Abstract. Cloud Computing has become another buzzword after Web 2.0. The
phrase cloud computing originated from the diagrams used to symbolize the
internet. Cloud computing is not a completely new concept; it has an intricate
connection to the grid computing paradigm, and other relevant technologies
such as utility computing, cluster computing, and distributed systems in general.
With the development of cloud computing, a set of security problems appears.
Security issues present a strong barrier for users to adopt Cloud Computing
systems. Several surveys of potential cloud adopters indicate that security is the
primary concern hindering its adoption. This paper introduces the background
and service model of cloud computing. Along with this, a few security issues
and challenges are also highlighted.

Keywords: Cloud computing, Grid computing, Security.

1 Introduction
Cloud computing is a new computing model that provides uniform access to
wide area distributed resources on demand. The emergence of cloud computing has
made a tremendous impact on the Information Technology (IT) industry over the past
few years, where large companies such as Google, Amazon and Microsoft strive to
provide more powerful, reliable and cost-efficient cloud platforms, and business
enterprises seek to reshape their business models to gain benefit from this new
paradigm [1]. However, there still exist many problems in cloud computing today. A
recent survey by Cloud Security Alliance (CSA) [2] shows that security has become
the primary concern for people to shift to cloud computing.
In this paper, we investigate the security concerns of current Cloud Computing
systems. As Cloud Computing refers to both the applications delivered as services
over the Internet and the infrastructures (i.e., the hardware and systems software in the
data centers) that provide those services [3], we present the security concerns in terms
of the diverse applications and infrastructures. More concerns on security issues, such
as availability, confidentiality, integrity control, authorization and so on, should be
taken into account.
The rest of the paper is organized as follows: Section 2 highlights the basic cloud
computing definitions and architecture. Sections 3 and 4 present the security issues
and challenges. The paper is concluded in Section 5.

A. Abraham et al. (Eds.): ACC 2011, Part IV, CCIS 193, pp. 445–454, 2011.
© Springer-Verlag Berlin Heidelberg 2011

2 Cloud Computing Definition and Features

2.1 Definition

A number of computing researchers and practitioners have attempted to define Clouds
in various ways. Here are some definitions:
NIST [4] definition of cloud computing: “Cloud computing is a model for
enabling convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort or service
provider interaction”.

Buyya [5] defined Cloud as follows:

“A Cloud is a type of parallel and distributed system consisting of a collection of
inter-connected and virtualized computers that are dynamically provisioned and
presented as one or more unified computing resource(s) based on service-level
agreements established through negotiation between the service provider and
consumers.”

To understand the importance of cloud computing and its adoption, one must
understand its principal characteristics and its delivery and deployment models.

2.2 Characteristics

The five key characteristics of cloud computing defined by NIST are [4]:

• On-demand self-service: A consumer can unilaterally provision computing
capabilities, such as server time and network storage, as needed without
requiring human interaction with each service’s provider.
• Ubiquitous network access: Accessed through standard mechanisms on
heterogeneous thin and thick clients. Both high bandwidth and low latency
are expected.
• Location-independent resource pooling: The provider’s computing resources
are pooled to serve all consumers using a multi-tenant model, with different
physical and virtual resources dynamically assigned and reassigned
according to consumer demand.
• Rapid elasticity: Lets us quickly scale up (or down) resources.
• Measured service: Derived primarily from business model properties, this
indicates that cloud service providers control and optimize the use of
computing resources through automated resource allocation, load balancing,
and metering tools.

2.3 Cloud Computing Service Model

Three cloud computing delivery service models are [5]:



i) Software as a Service (SaaS): In SaaS, business application software
is delivered to the customer/client as an on-demand service. Because clients
acquire and use software components from different providers, the
main issue here is that information handled by these composed services
must be well protected. Examples of SaaS providers are Salesforce,
GoogleApp etc.
ii) Platform as a Service (PaaS): PaaS provides an application or
development platform in which users can create their own applications
that will run on the cloud. Microsoft Azure, Manjrasoft Aneka and
Google AppEngine are examples of PaaS providers.
iii) Infrastructure as a Service (IaaS): IaaS is the delivery of computer
hardware like servers, networking technology, storage, and data center
space etc. as a service. It may also include the delivery of operating
systems and virtualization technology to manage the resources. Examples
are Amazon S3, EC2, and OpenNebula etc.

Fig. 1 shows the general cloud computing architecture.

2.4 Cloud Deployment Models

There are four cloud deployment models:

i) Public cloud: In public cloud, the resources are dynamically provisioned on a
fine-grained, self-service basis over the Internet, via web applications/web services.
The customers can quickly access these resources, and only pay for the operating
resources. As multiple customers share the resources, the major dangers to public
cloud are security, regulatory compliance and Quality of Service (QoS) [6, 7, 8].
ii) Private cloud: In the private cloud, computing resources are used and controlled by
a private enterprise. In private cloud, resource access is limited to the customers that
belong to the organization that owns the cloud. The main advantage of this model is
that the security and privacy of data is increased as compliance and QoS are under the
control of the enterprises [6, 7].
iii) Hybrid cloud: A third type is the hybrid cloud, which is typically a combination of
public and private cloud. Through this environment an organization can provide and
manage certain resources in-house and have others provided through external
resources.
iv) Community cloud: The cloud infrastructure is shared among a number of
organizations with similar interests and requirements. This may help limit the capital
expenditure costs for its establishment as the costs are shared among the
organizations. The cloud infrastructure could be hosted by a third-party vendor or
within one of the organizations in the community.

Although cloud computing is becoming a well-known buzzword nowadays,
security issues present a strong barrier for users to adopt Cloud Computing systems.
According to an IDC survey in August 2008, security is regarded as the top challenge of
nine [9]. Fig. 2 shows the nine challenges in detail.

Fig. 1. Cloud computing architecture

3 Security Issues Associated with the Cloud


There are a number of security issues associated with cloud computing. These issues
are categorized as: security issues faced by cloud providers and security issues faced by
their customers. In most cases, the provider must ensure that their infrastructure is
secure and that their clients’ data and applications are protected while the customer
must ensure that the provider has taken the proper security measures to protect their
information.
The following list contains several security issues highlighted by Gartner [10]:

• Privileged access: Who has specialized/privileged access to data? Who decides
about the hiring and management of such administrators?
• Data location: Does the cloud vendor allow for any control over the location of
data?
• Data segregation: Is encryption available at all stages, and were these encryption
schemes designed and tested by experienced professionals?
• Data availability: Can the cloud vendor move all their clients’ data onto a
different environment should the existing environment become compromised or
unavailable?
• Regulatory compliance: Is the cloud vendor willing to undergo external audits
and/or security certifications?
• Recovery: What happens to data in the case of a disaster, and does the vendor
offer complete restoration, and, if so, how long does that process take?
• Investigative Support: Does the vendor have the ability to investigate any
inappropriate or illegal activity?
• Long-term viability: What happens to data if the cloud vendor goes out of
business? Is the client’s data returned, and in what format?

Fig. 2. Rate the challenges/issues ascribed to cloud on-demand model

3.1 Security Issues Based on the Delivery and Deployment Model of Cloud

In SaaS, providers are more responsible for security. The clients have to depend on
providers for security measures. As public clouds are less secure than private clouds,
stronger security measures are required in public clouds. Also in SaaS, it becomes
difficult for the user to verify whether proper security is maintained. Private clouds
could also demand more extensibility to accommodate customized requirements. The
following key security elements [11] should be carefully considered as an integral part
of the SaaS application development and deployment process:
i) Data security
ii) Data locality
iii) Data integrity
iv) Data segregation
v) Data access
vi) Data confidentiality
vii) Network security
viii) Authentication and authorization
ix) Availability
x) Identity management and sign-on process
In PaaS, customers are able to build their own applications on top of the platforms
provided. Thus it is the responsibility of the customers to protect their applications as
providers are only responsible for isolating the customers’ applications and workspaces
from one another [6]. So, maintaining the integrity of applications and enforcing the
authentication checks are the fundamental security requirements in PaaS.

IaaS is mainly used as a delivery model. The major security concern in IaaS is to
maintain control over the customer’s data that is stored on the provider’s hardware.
The consumers are responsible for securing the operating systems, applications, and
content. The cloud provider must provide low-level data protection capabilities [6].
Based upon the deployment model, public clouds are less secure than the other
cloud models as they allow users to access the data across a wide area network. In
public cloud, additional security measures like trust are required to ensure all
applications and data accessed on the public cloud are not subjected to malicious
attacks [12]. Utilization of the private cloud can be much more secure than that of the
public cloud because it is specified for a particular organization. A hybrid
cloud is a private cloud linked to one or more public clouds. Hybrid clouds provide
more secure control of the data and applications as each and everything is centrally
managed [12].
Fig. 3 illustrates the information security requirements coupled with the Cloud
computing deployment model and delivery models [12, 13]. In Fig. 3 [12], an “X”
denotes mandatory requirements and an asterisk (*) denotes optional requirements.
Each of the security requirements will be highlighted below in the context of cloud
computing:

A. Authorization
Authorization is an important information security requirement in Cloud computing to
ensure referential integrity is maintained. It follows on in exerting control and
privileges over process flows within cloud computing. In the case of public cloud,
multiple customers share the computing resources provided by a single service
provider. So proper authorization is required irrespective of the delivery model used.
In private cloud, authorization is maintained by the system administrator.

B. Identification & authentication


As the major concerns in public and private cloud include internal and external
threats, data collection, privacy and compliance, what matters is the cloud service
provider’s ability to maintain a secure infrastructure that protects customer data and
guards against unauthorized access. We need to have some identification and
authentication process that verifies and validates individual cloud users based upon
their credentials before they access any data over the cloud. That’s why identification
and authentication is a mandatory security requirement in public and private cloud.

C. Integrity
The integrity requirement lies in applying the due diligence within the cloud domain
mainly when accessing data. Therefore ACID (atomicity, consistency, isolation and
durability) properties of the cloud’s data should without a doubt be robustly imposed
across all Cloud computing delivery models.

D. Confidentiality
In Cloud computing, confidentiality plays a major part especially in maintaining
control over organizations’ data situated across multiple distributed databases.
Asserting confidentiality of users’ profiles and protecting their data, that is virtually
accessed, allows for information security protocols to be enforced at various different
layers of cloud applications.

Data confidentiality is one of the most difficult things to guarantee in a public
cloud computing environment. There are several reasons for that: First, as public
clouds grow, the number of people working for the cloud provider who actually have
access to customer data (whether they are entitled to it or not) grows as well, thereby
multiplying the number of potential sources for a confidentiality breach. Second, the
needs for elasticity, performance, and fault-tolerance lead to massive data duplication
and require aggressive data caching, which in turn multiply the number of targets a
data thief can go after. Third, end-to-end data encryption is not yet available. So,
data confidentiality will be maximized by using a large number of private clouds
managed by trusted parties.

E. Availability
Availability is one of the most critical information security requirements in Cloud
computing because it is a key decision factor when deciding among private, public or
hybrid cloud vendors as well as in the delivery models. The service level agreement is
the most important document which highlights the trepidation of availability in cloud
services and resources between the cloud provider and client.
The goal of availability for Cloud Computing systems (including applications and
their infrastructures) is to ensure that users can use them at any time, at any place.
Many Cloud Computing system vendors provide Cloud infrastructures and platforms
based on virtual machines. So availability is a mandatory security requirement for IaaS
and PaaS whether a public or a private cloud is used. As in private cloud all
services are internal to the enterprise, availability is also required when SaaS is to
be used.

F. Non-repudiation
Non-repudiation in cloud computing can be obtained by applying the traditional
e-commerce security protocols and token provisioning, such as digital signatures,
timestamps and confirmation receipt services (digital receipting of messages
confirming data sent/received), to data transmission within cloud applications.
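
The receipt exchange described above, as an added Go example that is not part of the paper: the sender signs the message, and the receiver verifies it and returns an Ed25519-signed receipt over the message digest, both party names and a timestamp. The party names, the `receipt-v1` encoding and the assumption that public keys are already bound to names (for example by a PKI) are illustrative choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Party is one side of the exchange; names and keys are constructed for the demo.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) Party {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return Party{Name: name, Pub: pub, priv: priv}
}

// Receipt is the receiver's signed confirmation that it got exactly these bytes.
type Receipt struct {
	Digest           [32]byte
	Sender, Receiver string
	Unix             int64
	Sig              []byte
}

// payload is the canonical byte string that gets signed. Length prefixes stop
// ("ab","c") and ("a","bc") from encoding to the same bytes.
func (r Receipt) payload() []byte {
	buf := append([]byte("receipt-v1"), r.Digest[:]...)
	var n [8]byte
	for _, s := range []string{r.Sender, r.Receiver} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(s)))
		buf = append(append(buf, n[:4]...), s...)
	}
	binary.BigEndian.PutUint64(n[:], uint64(r.Unix))
	return append(buf, n[:]...)
}

// SignMessage gives proof of origin: only the sender's private key can produce it.
func SignMessage(sender Party, msg []byte) []byte {
	return ed25519.Sign(sender.priv, msg)
}

// IssueReceipt checks the sender's signature first, then signs the digest,
// both party names and the timestamp with the receiver's key.
func IssueReceipt(receiver Party, senderName string, senderPub ed25519.PublicKey,
	msg, sig []byte, unix int64) (Receipt, bool) {
	if !ed25519.Verify(senderPub, msg, sig) {
		return Receipt{}, false // no receipt for a message of unproven origin
	}
	r := Receipt{Digest: sha256.Sum256(msg), Sender: senderName, Receiver: receiver.Name, Unix: unix}
	r.Sig = ed25519.Sign(receiver.priv, r.payload())
	return r, true
}

// VerifyReceipt is what an arbiter runs later with the disputed message bytes.
func VerifyReceipt(r Receipt, receiverPub ed25519.PublicKey, msg []byte) bool {
	return r.Digest == sha256.Sum256(msg) && ed25519.Verify(receiverPub, r.payload(), r.Sig)
}

func main() {
	alice, cloud := NewParty("alice@tenant-a"), NewParty("storage.example")
	msg := []byte("PUT /bucket/report.csv v3") // constructed sample message
	rc, ok := IssueReceipt(cloud, alice.Name, alice.Pub, msg, SignMessage(alice, msg), time.Now().Unix())
	fmt.Println("receipt issued:", ok)
	fmt.Println("receipt verifies:", VerifyReceipt(rc, cloud.Pub, msg))
	fmt.Println("other bytes verify:", VerifyReceipt(rc, cloud.Pub, []byte("PUT /bucket/report.csv v4")))
}
```

Because the timestamp and both names are inside the signed payload, changing any of them after the fact invalidates the receipt.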

Fig. 3. Cloud computing security requirements



4 Security Challenges

Cloud computing environments are multidomain environments in which each domain
can use different security, privacy, and trust requirements and potentially employ
various mechanisms, interfaces, and semantics [6]. The main security challenges in
cloud computing and their solutions are discussed below:

4.1 Service-Level Agreement

A Service level agreement (SLA) [14] is a part of a service contract between the
consumer and provider that formally defines the level of service. It is used to identify
and define the customer’s needs and to reduce areas of conflict like Services to be
delivered, Performance, Tracking and Reporting, Problem Management, Legal
Compliance and Resolution of Disputes, Customer Duties and Responsibilities,
Security, IPR and Confidential Information, and Termination.

4.2 Authentication and Identity Management

By using the cloud services, the user can access the information from various places
over the internet. So we need some Identity Management (IDM) [6] mechanism to
authenticate users and provide services to them based on credentials and
characteristics. An IDM system should be able to protect private and sensitive
information related to users and processes. Every enterprise will have its own identity
management system to control access to information and computing resources.

4.3 Data-Centric Security and Protection

In cloud computing, a number of customers can share, save and access data over the
cloud. So data from one customer must be properly segregated from that of another
and it must be able to move securely from one location to another [6]. Cloud
providers must implement the proper security measures to prevent data leaks or access
by unauthorized third parties. The cloud provider should carefully assign privileges to
the customers and also ensure that assigned duties cannot be defeated, even by
privileged users at the cloud provider. Access control policies should be properly
implemented. When someone wants to access data, the system should check its policy
rules and reveal it only if the policies are satisfied. Existing cryptographic techniques
can be used for data security.

4.4 Trust Management

In cloud computing environments, the customer is dependent on the provider for
various services. In many services, the customer has to store his confidential data on
the provider’s side. Thus, a trust framework should be developed to allow for efficiently
capturing a generic set of parameters required for establishing trust and to manage
evolving trust and interaction/sharing requirements.

4.5 Access Control and Accounting

Due to heterogeneity and diversity in cloud computing services, fine-grained access
control policies should be enforced. Access control services should be flexible enough
to capture dynamic, attribute- or credential-based access requirements. The access
control models should also be able to capture relevant aspects of SLAs. As the cloud
computing model is a pay-per-usage model, proper accounting records for users are
required for billing purposes. In clouds, service providers usually do not know their
users in advance, so it is difficult to assign roles to users directly. Therefore,
credential- or attribute-based policies can be used to enhance this capability. Security
Assertion Markup Language (SAML), Extensible Access Control Markup Language
(XACML), and Web services standards can be used to specify the secure access
control policies. Among the many methods proposed so far, Role-Based Access
Control (RBAC) [6] has been widely accepted because of its simplicity, flexibility in
capturing dynamic requirements, and support for the principle of least privilege and
efficient privilege management.
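
A sketch of the policy check from Sections 4.3 and 4.5, added here as an example and not taken from the paper or any cited system: a deny-by-default decision point that enforces tenant segregation before attribute rules and writes an accounting record for every request. The types, attribute names and sample policy are hypothetical.

```go
package main

import "fmt"

// Subject carries attributes asserted by the tenant's identity provider.
type Subject struct {
	ID, Tenant string
	Attrs      map[string]string
}

type Resource struct{ ID, Tenant, Class string } // owned by exactly one tenant

// Rule permits Action on resources of Class when every Require attribute matches.
type Rule struct {
	Action, Class string
	Require       map[string]string
}

// Record is the accounting entry written for every decision, allowed or not.
type Record struct {
	Subject, Action, Resource, Reason string
	Allowed                           bool
}

// PDP is a policy decision point: the rules plus the audit log.
type PDP struct {
	Rules []Rule
	Log   []Record
}

// Decide denies by default; the tenant check runs first and no attribute,
// not even a provider-side admin role, overrides it.
func (p *PDP) Decide(s Subject, action string, r Resource) bool {
	rec := Record{Subject: s.ID, Action: action, Resource: r.ID, Reason: "no matching rule"}
	if s.Tenant != r.Tenant {
		rec.Reason = "tenant mismatch"
	} else {
		for _, rule := range p.Rules {
			if rule.Action == action && rule.Class == r.Class && hasAll(s.Attrs, rule.Require) {
				rec.Allowed, rec.Reason = true, "rule matched"
				break
			}
		}
	}
	p.Log = append(p.Log, rec)
	return rec.Allowed
}

func hasAll(have, need map[string]string) bool {
	for k, v := range need {
		if got, ok := have[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Usage counts allowed requests per subject, the input to pay-per-use billing.
func (p *PDP) Usage() map[string]int {
	u := map[string]int{}
	for _, rec := range p.Log {
		if rec.Allowed {
			u[rec.Subject]++
		}
	}
	return u
}

// DemoPDP returns a constructed policy (all names and values are made up).
func DemoPDP() *PDP {
	return &PDP{Rules: []Rule{
		{Action: "read", Class: "confidential", Require: map[string]string{"department": "finance"}},
	}}
}

func main() {
	ops := Subject{ID: "ops-1", Tenant: "provider", Attrs: map[string]string{"role": "admin"}}
	fmt.Println(DemoPDP().Decide(ops, "read", Resource{ID: "invoice-17", Tenant: "tenant-a", Class: "confidential"}))
}
```

Denied requests stay in the log with their reason, so the same records serve billing and later investigation.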

5 Conclusion

In this paper, key security considerations and challenges currently faced in
Cloud computing are highlighted. Many enhancements in existing solutions as
well as more mature and newer solutions are urgently needed to ensure that cloud
computing benefits are fully realized as its adoption accelerates. Cloud computing is
still in its infancy, and how the security and privacy landscape changes will impact its
successful, widespread adoption.

References
1. Zhang, Q., Cheng, L., Boutaba, R.: Cloud computing: state-of-the-art and research
challenges. Journal of Internet Services and Application 1(1), 7–18 (2010)
2. Cloud Security Alliance, http://www.cloudsecurityalliance.org
3. Zhou, M., Zhang, R., Xie, W., Qian, W., Zhou, A.: Security and privacy in cloud
computing: a survey. In: The Proceedings of IEEE 6th International Conference on
Semantics, Knowledge and Grids, pp. 105–111 (2010)
4. Mell, P., Grance, T.: The NIST definition of Cloud Computing, version 15. National
Institute of Standards and Technology (NIST), Information Technology Laboratory
(October 7, 2009), http://www.csrc.nist.gov
5. Buyya, R., Yeo, C.S., Venugopal, S., Broberg, J., Brandic, I.: Cloud Computing and
emerging IT platforms: vision, hype, and reality for delivering computing as the 5th
utility. Future Generation Computer System 25(6), 599–616 (2009)
6. Takabi, H., Joshi, J.B.D.: Security and privacy challenges in cloud computing
environment. IEEE Journal on Security and Privacy 8(6) (November 2010)
7. Yang, J., Chen, Z.: Cloud computing research and security issues. In: The Proceeding of
IEEE International Conference on Computational Intelligence and Software Engineering,
pp. 1–3 (2010)
8. Kaur, P., Kaushal, S.: Security concerns in cloud computing. In: Accepted For
International Conference on High Performance Architecture And Grid Computing-2011.
Chitkara University, Rajpura (2011)

9. Gens, F.: New IDC IT Cloud Services Survey: Top Benefits and Challenges. In: IDC
eXchange (2009), http://blogs.idc.com/ie/?p=730
10. Brodkin, J.: Gartner: Seven cloud-computing security risks. In: Infoworld 2008 (2008),
http://www.infoworld.com/d/security-central/gartner-seven-
cloudcomputing-security-risks-53?page=0,1
11. Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud
computing. Journal of Network and Computer Application, 1–11 (2010)
12. Ramgovind, S., Eloff, M.M., Smith, E.: The management of security in cloud computing.
In: The Proceedings of IEEE Conference on Information Security for South Africa-2010
(2010)
13. Dlamini, M.T., Eloff, M.M., Eloff, J.H.P.: Internet of People, Things and Services – The
Convergence of Security, Trust and Privacy. In: The Proceeding of 3rd Annual
CompanionAble Consortium Workshop-IoPTs, Brussel (December 2009)
14. Kandukuri, B.R., Paturi, R., Rakshit, A.: Cloud Security Issues. In: The Proceedings of
IEEE International Conference on Service Computing, pp. 517–520 (2009)
