Various Security Threats and Their Solutions in Cloud Computing


International Conference on Computing, Communication and Automation (ICCCA2017)

Anil Barnwal, Satyakam Pugla, Rajesh Jangade
Amity University, Noida, UP

ISBN: 978-1-5090-6471-7/17/$31.00 ©2017 IEEE

Abstract: It is well known that cloud computing offers many potential advantages, and many enterprise data and applications are shifting to hybrid or public cloud. But there are some big organizations that may not shift to cloud computing because of their critical business applications. The share of cloud computing in the market is far less than expected. From the user’s point of view, the security concerns of cloud computing, especially the issues of privacy protection and data security, remain the main reasons for not accepting cloud computing services. This paper summarizes and analyzes the various issues related to privacy protection and data security in cloud computing at the various stages of its life cycle. It also describes some currently available solutions to those issues and the future scope of the issues related to privacy protection and security of data.

Keywords: CSA, NIST, ENISA, CPNI, ISACA, TCI

I. INTRODUCTION:

From its initial development to its final deployment, cloud computing [1] has recently grown into a mature stage. In today’s environment many organizations have understood the power of cloud computing and are uploading their data and applications to it. This development decreases their cost of purchasing and maintaining infrastructure and increases the efficiency and usefulness of developing applications. The most widely used definition of cloud computing is given by NIST (National Institute of Standard and Technology) as “cloud computing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g. services, applications, storage, network and servers) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five important characteristics, three service models and four deployment models” [2][3]. The deployment models are the public, hybrid, community and private models, and the service models are Platform as a Service (PaaS), Software as a Service (SaaS) and Infrastructure as a Service (IaaS). When cloud computing is compared with the traditional information technology model, the former is observed to have many potential advantages.

From the user’s point of view, however, the main hurdle to the acceptance of cloud computing is security and safety concerns. A survey conducted by IDCI in 2009 states that most information technology managers and CEOs believe that the main challenge that disrupts the acceptance of cloud computing is security issues [4]. This was substantiated by a survey conducted by Gartner in the same year. Although the providers of cloud services give assurances about security concerns, their claims are not so reliable and safe. In 2009, many organizations faced problems while implementing it. In 2009, Gmail was interrupted for about 4 to 5 hours, and Google Docs leaked users’ private information due to security loopholes. Likewise, Amazon was interrupted in the same year with similar problems. Microsoft’s Azure cloud service also faced similar problems for many hours. Such severe security problems can sometimes lead to the collapse of the services of many cloud computing organizations. Since misuse by an administrator can lead to the loss of about 45% of user’s data, a cloud storage organization had been bound to shut down.

Cloud security services are very similar to the services of traditional IT. So the multi-client feature, deployment models and service delivery models of cloud computing are often compared with the features of a traditional IT system. But cloud computing may present many challenges and risks. The cloud computing environment still faces the issues related to traditional security. Since organizations have expanded their horizon to the cloud, traditional security methods are not very suitable for the different data and applications in the cloud. The multi-client features of the cloud thus have a tremendous effect on its security. Some of those effects are:

A. All data and applications on the cloud platform do not have fixed security restrictions and fixed infrastructure because of the location transparency, abstraction and dynamic scalability of the cloud computing models.
B. Since the cloud services, resources and service delivery models of cloud computing are owned by a number of providers, integrated security measures are difficult to implement.
C. Since the cloud services and virtualized resources are shared among multiple clients, the data of a user can be accessed by some unauthorized users.
D. Since a large amount of information is stored on the cloud platform, a large amount of data and information processing is required to deliver services faster.

This paper defines the different protection issues and security of data.

II. SECURITY IN CLOUD COMPUTING

The definition of cloud computing security, as given in Wikipedia [5], says “Cloud computing security (also known as “cloud security”) is an evolving sub-domain of computer security, network security or more broadly, information security. It refers to a set of policies, technologies, and controls deployed to protect data, applications and the associated infrastructure of cloud computing”. It should be noted that the security of cloud computing discussed here does not mean cloud-based security software products such as anti-spam, anti-DoS, anti-virus etc.

The security issues attached to cloud computing can be grouped into a number of different classes. According to Gartner [6], before selecting a cloud, one should consider the following issues: location of data, segregation of data, recovery, user access privilege, regulatory compliance, long term viability and investigation support. A research organization named Forrester Research Inc. [7] has assessed the security and safety measures of some of the important cloud service providers (like Google, Amazon, Yahoo and Microsoft) on the following aspects: legal and prescribed issues, compliance and security and privacy issues. The Cloud Security Alliance (CSA) [8] is advising cloud solution providers and associated persons to give suggestions on the current and best upcoming practices for information assurance within the cloud. The CSA has identified 13 different domains of serious concern for cloud computing security [9]. V. Kavitha and S. Subashini investigated the security issues of cloud computing, analyzed them and gave a detailed report on each security issue [10]. Ingo Muller, Mohammed Al Morsey and John Grundy analyzed the security issues of cloud computing from different angles, including service delivery models, security issues of cloud computing architectures, stakeholders and characteristics of the cloud [11]. Randy H. Katz, Chen Yanpei and Vern Paxson suggested that two points that are new and important to the cloud are the ensuing need for mutual auditability and the complexities of multi-party trust considerations. They also described some new and upcoming opportunities in cloud computing security [12].

III. SECURITY TAXONOMY IN CLOUD COMPUTING

On examining the security concerns of cloud computing solutions, it is observed that each security issue has different impacts on different resources. To create a security taxonomy for cloud computing, the different risks and vulnerabilities were considered and arranged in a hierarchical manner. The first classification level and structure of the suggested security taxonomy is shown in figure 1.

Figure 1: Security Taxonomy in cloud computing. View of the suggested security taxonomy, indicating its three important factors, i.e. compliance, architecture and privacy

The three groups are related to basic security principles [13]. Figure 2 below is divided into three parts, interfaces, security and virtualization issues, that access the cloud using user and administrative interfaces. Here the proper security methods are followed during transfers of data and virtual machines and for other virtualization issues like isolation and cross virtual machine attacks. The structure here shows the division of responsibilities between consumer and provider. It analyses the security roles based on the services (infrastructure or software platform) that are offered. It also suggests that the different security methods used here must be detached before it is being contacted. The compliance part presents the different responsibilities towards services and provider. The former includes service level agreement, service loss, assessment of security and transparency, and auditing capabilities, whereas the latter indicates data and security policy loss and configuration loss. The privacy part indicates security of data and some legal issues. The issues addressed above have been processed and included in the information life cycle within the perimeter of the provider and in its immediate boundaries to the end user. One of the common points within the different groups is maintaining the connection between service life cycles and data. Security here should be properly maintained between software and infrastructure hardware to guarantee the states of data between compliance and privacy, including application information or assets of the user.


Figure 2: Architecture of security Taxonomy containing host, network, application, security management, data (storage and security), and access controls

IV. CURRENT STATUS OF SECURITY IN CLOUD COMPUTING

The focus in this section is to analyze the important security problems that arise in cloud computing and how they can be organized to simplify decision making. The focus is also on analyzing the viewpoints of academia and industry to develop the strategic study areas. This was done by studying hundreds of references including scientific papers, white papers, technical reports and other publications. These were analyzed by taking into account the different security problems and their solutions and counting the number of citations in each case. A quantitative approach was used to determine the number of references related to each category of concerns and their solutions. Counting the references that discuss each concern provides some insight into which concerns were popular among the research community and which were not analyzed thoroughly.

The references here are taken from different research departments that include academia, companies and organizations. Due to the length constraint of articles, not all the references can be mentioned. However, some of the important references used are:

A. Organization: Interviews, reports and research papers from Open Grid, SANS Institute, ENISA, NIST, CSA, etc.

B. Academia: All the journals and conferences published in Springer, IEEE, webscience, ACM, Scipress etc.

C. Companies: The different interviews, manuals, web contents and white papers from Microsoft, CISCO, IBM, ERIMWARE, EMC, XEN, Ericsson, Salesforce.

The aim of analyzing each reference was to find out all the discussed concerns and their solutions. A reference can produce more than one solution.

Some aspects of security are not discussed in this paper because each security group can be further divided into smaller sub groups like integrity, authentication, network communication etc. The different security concerns and their solutions are presented using pie charts so that each group is represented with respect to the total number of references identified. Radar graphs are used to compare between areas so that the number of solutions addressing each security concern group can be identified.

V. DIFFERENT SECURITY CONCERNS

The outcome obtained from a number of references on the security issue is presented in Figure 3. Three main problems are identified in these references. They are loss of control over data, compliance and legal issues. The concerns related to legal and governance are followed by a technical issue, isolation, with 7% of references. The least referred problems are loss of service, firewalling, configuration concerns and different interfaces. Some security problems are grouped in different categories as shown in figure 4. In this figure all the issues of legal and governance represent a majority of 73% of total citations, with high consideration of some legal issues like e-discovery and data location or some governance ones like loss of control over data and security. In this figure the most highly valued technical issue is virtualization (12%), followed by data security, different interfaces and network security. Virtualization is one of the major innovations used in cloud computing in terms of technology used, by including virtual infrastructure, resource sharing and scalability and other related problems.


Figure 3: Security Problems. Security concerns represented using Pie-Chart

Figure 4: Security Problems with grouped categories. Grouped Categories of security problems represented using pie-chart

VI. SECURITY SOLUTIONS:

To analyze references for solutions, the approach mentioned in the beginning of this section is used. The percentage of solutions that is defined in the section “Security in cloud computing” above is shown in figure 5. Furthermore, the percentage of solutions in each individual category is shown in figure 6. Comparing figures 4 and 6, it can easily be observed that the number of references covering security problems related to governance, compliance and legal issues is high (respectively 17%, 22%, 24%), and the same is seen for the solution references for these security issues (14%, 27% and 29% respectively of the total number of references). Although these concerns are very relevant, a large number of solutions are available to handle them. The circumstances are totally different when technical aspects like data leakage, virtualization and isolation are analyzed. Virtualization amounts to 12% of problem references and 3% of solution references. Isolation is a clear example of such a discrepancy: the number of references for such problems is 7% as shown in figure 3, whereas solutions are only 1% as shown in figure 5. It is to be noted that for this specific issue some special care has been taken while accessing the popular machine solution providers (like VMWARE, XEN, KVM) for verification of their concerns and existing solutions. It is observed from this situation that such concerns are equally important but only a small number of solutions are available for them. A conclusion that can be drawn from this is that some potential areas need to be developed for better security conditions and for shifting processes and data to the cloud.

Figure 5: Security solutions with grouped categories. Pie chart shows lack of Virtualization security mechanisms when compared with concerned references

Figure 6: Security solutions. Pie chart representing solutions references

VII. COMPARISON BETWEEN PROBLEM AND SOLUTION REFERENCES

The dissimilarities between the problem and solution references shown above can be observed in Figure 7. Here the axis values relate to the number of references studied. Red areas show concern references and yellow areas indicate solutions. In other words, yellow areas indicate problems with more references for solutions than for problems. These may be important problems, but many solutions can be found for them. Red areas, however, represent potential subjects which are given little attention, indicating that there is need for further studies.

Figure 7: Comparison between references. Radar chart showing references related to solutions and concerns

It is clearly shown in figure 7 that there is a deficiency of development related to control mechanisms for data, isolation solutions and assessment of hypervisor vulnerabilities for virtual environments. In other words, some areas like audit policies, compliance and SLAs of legal concerns have a little satisfaction. The net result for the grouped categories is shown in figure 8. This figure shows that the problems of virtualization cover an area that needs studies discussing issues like isolation, cross-VM attacks and data leakage. By contrast, areas like compliance and network security cover concerns that have a considerable number of solutions or that are not considered very important. Finally, accepting that virtualization is an important element for future studies, figure 9 shows a clear comparison of five problems related to virtualization. They are data leakage, VM identification, cross-VM attacks, hypervisor vulnerabilities and isolation. The comparison for isolation and cross-VM attacks is more obvious than for the other issues. But the number of solution references for all the issues is comparatively lower than for other security concerns, which further encourages researchers to focus on those areas.

Figure 8: Comparison between references in group categories. Radar chart showing the differences between grouped categories

Figure 9: Radar chart showing comparison of virtualization issues

VIII. FRAMEWORK OF SECURITY

To avoid and diminish vulnerabilities and risks and to follow best practices, security frameworks mainly focus on information security and privacy. There are a number of organizations that regularly publish papers related to cloud computing security, including NIST, CSA, ISACA (Information Systems Audit and Control Association), ENISA (European Network and Information Security Agency) and CPNI (Centre for the Protection of National Infrastructure, from the UK). This paper mainly focuses on three references which by themselves provide a comparative analysis of different issues and solutions and give a good understanding of the present status of cloud security.

A. NIST:

When the taxonomy for security in cloud computing [14] published by NIST is compared with the “Security Taxonomy in Cloud Computing” described above, the following points come up.

i. Cloud service Provider: It is responsible for making the availability of service for itself.


ii. Cloud service Consumer: It is responsible for using the service and maintaining a relationship (business) with the provider.
iii. Cloud Carrier: It maintains a communication interface between consumers and providers.
iv. Cloud Broker: It works as a negotiator between consumers and providers and maintains the performance and delivery of services.
v. Cloud Auditor: It is responsible for assessment of services, security and operations.

Here each role in the taxonomy is linked with its respective activities and classified into respective components and sub components. The main dissimilarity between the two security taxonomies is the hierarchy used. The taxonomy used in this paper mainly gives emphasis to security principles in its higher level perspective, and the roles of the cloud are explored in depth. The idea given here enhances the initial NIST definition of cloud computing [15] by including roles and responsibilities which can be directly used for assessments of security. The security taxonomy defined by NIST, on the other hand, includes concepts like service types, deployment models and activities related to the management of clouds, most of which are mainly used in publications related to cloud computing.

B. CSA

CSA is an organization which consists of corporations, practitioners, associations and stakeholders [16] like eBay, HP and Dell. It has one important goal: to encourage the use of the best available practices for maintaining security in the cloud computing environment. Three concepts are analyzed in this paper. They are threats [17] in cloud computing, security guidance [18] and the trusted cloud initiative.

The current CSA security guidance [19] defines multi-tenancy as the important cloud characteristic where virtualization is avoided when cloud infrastructure is implemented, and multi-tenancy here suggests the use of resources which are shared by a number of consumers, especially from various organizations for various purposes. The guidance further states that subdivision and policies that are isolated for describing proper management and privacy are still required even if virtualization-related issues are avoided.

It is good to see that the selection of cloud specific issues is done for the identification of central points for further growth. However, the compilation of threats is associated with the CSA security guidance, which provides a strong framework for security and risk analysis assessments and uses suggestions and preeminent practices to achieve acceptable security levels.

One more approach accepted by CSA for maintaining cloud security and governance is the reference architecture model of TCI [20]. It defines guidelines for having faith in the cloud and accepting the open standards and features of operations based on the cloud. The architecture used here contains different frameworks such as COBIT, SOX, ISO 2002, PCI and SPI MODEL, and architectures like ITIL, SABSA, Jericho and TOGAF. The characteristics of these architectures are as follows:

i. ITIL is mainly used for support and operation of information technology, managing the different incidents, resources and support, operation of information technology and service delivery.
ii. SABSA describes support services of business operation like data governance, human resource security, monitoring service security, compliance, legal services and internal investigations, operational risk management etc.
iii. Jericho defines risk management and security, including policies and standards, management of threats and vulnerabilities and management of information security.
iv. TOGAF explains the different types of services covered.

The ultimate outcome here is the three dimensional relationship between faith, operation and cloud delivery.

C. ENISA:

ENISA is an organization that maintains an effective and high level of information and network security [21]. It published an article containing the benefits and risks related to cloud computing. In this article the security risk is divided into four parts:

i. Technical risk: issues arising from the various technologies used to implement the cloud infrastructure and its services, like encryption, isolation and disposal, denial of service attacks, and data leakage and interception.
ii. Organization and policy risk: issues related to reputation, governance and compliance.
iii. Legal risk: risks related to summons, jurisdictions and e-Discovery.
iv. Other risk: risks related to privilege escalation, network management and logging.

ENISA here advises that providers should guarantee security practices to clients and also advises how to avoid legal problems. Some important points to be considered are breach reporting, engineering of large scale computer systems and good logging mechanisms that include isolation of resources, information and virtual machines. Their analysis was based not only on current observation but also on the best practices and solutions that were adopted to improve the system. It also transforms these observations into various quantitative approaches for enhancement.

IX. CONSIDERATION AND FUTURE WORK AND SCOPE:

Apart from having many advantages, cloud computing also has some problems that need to be sorted out. According to Gartner, the revenue generated by public and hybrid cloud is around 200 billion dollars with an annual growth rate of 20 to 22%. This study shows that cloud computing is a growing and emerging technology. But another aspect is the increase of threats from hackers. The most important issues that need to be sorted out are privacy protection and security of data. According to a study, privacy protection and data security issues are present at almost all levels of the SPI service delivery models and in different parts of the data life cycle. The main challenges here are the protection of personal data and the sharing of public information. Systems that need this kind of protection are e-commerce and m-commerce systems, which store credit card and health card data. A major concern here is to control which information to share and which to hide on the internet. This concern is about whether personal information can be stored and accessed by third parties without the user's consent, or whether the websites the user has visited can be tracked. The important privacy protection issue in the cloud computing environment is the separation of sensitive data from non-sensitive data. Given the privacy protection and data security issues mentioned above, an integrated and comprehensive security solution is believed to be needed. The important tasks here are data identification and isolation of private data for protection. These facts must be considered while designing cloud based applications.

X. FUTURE PROSPECTS:

The main challenges for data security and privacy protection are the separation of crucial data and access control. Our main goal is to design a framework for identity management and privacy protection across cloud computing services and applications. As the movement of employees in an organization is comparatively high, the identity management system must ensure that employees who have already left the organization are prohibited from unauthorized access to the organization's cloud resources. To achieve fine-grained access authorization in the organization, access control and authorization mechanisms must provide a reusable, unified and scalable access control model. When the private data of data owners is accessed, the privacy protection mechanisms should ensure real-time authorization, auditing and other security breach.

REFERENCES:

1. Barnwal A, Jangade R, Transforming cloud computing system in healthcare, International Journal of Information Technology & Systems, PP 27-30, 2014
2. Barnwal A, Jangade R, Using Cloud Computing Technology to Improve Education System, Asian Journal of Technology and Management Research, PP 23-29, 2014
3. Tim Grance, Peter Mell, The NIST Definition of Cloud computing, Version 15, 10-7-09, http://www.wheresmyserver.co.nz/storage/media/faq-files/cloud-def-v15.pdf
4. Introductory white paper on Sun Cloud Architecture, http://developers.sun.com.cn/blog/functionalca/resource/sun_353cloudcomputing_chinese.pdf
5. Security of Cloud Computing, http://en.wikipedia.org/wiki/cloud_computing_security
6. Gartner, Seven Cloud Computing Security risks, Infoworld, http://www.infoworld.com/d/security-central/gartner-seven-cloudcomputing-secvurity-risks-853, 2008
7. Cloud Security Front and Center, Forrester Research, http://blogs.forrester.com/srm/2009/11/cloud-security-front-andcenter.html, 2009
8. CSA, http://www.cloudsecuritalliance.org
9. CSA, Security Guidance for Critical Areas of Focus in Cloud Computing, v2.1, http://www.cloudsecuritalliance.org/guidance/csaguide.v2.1.pdf
10. S.Subasini, V.Kavitha, A Survey on Security Issue in Service Delivery Models of Cloud Computing, Journal of Network and Computer Applications, 2011
11. Ingo Muller, John Grundy, Mohamed Al Morsy, An Analysis of Cloud Computing Security Problem, in Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 2010
12. Vern Paxson, Yenpei Chen, Randy H Katz, “What new About Cloud Security?”, Technical Report No. UCB/EECS-2010-5, http://www.eecs.berkeley.edu/pubs/Techrpts/EECS-2010-5.htm
13. Kumaraswamy S, Mather T, Cloud Security and Privacy: An Enterprise Perspective On Risks and Compliance, 1st Edition, O’Reilly Media, 2009
14. Reference Architecture on NIST Cloud Computing: http://collaborate.nist.gov/twiki-cloud-computing/pub/cloudcomputing/referencearchitectureTaxonomy/NIST/S500-292-090611.pdf
15. Grance T, Mell P, The NIST definition of Cloud Computing, Technical Report 15, National Institute of Standards and Technology, www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf, 2009
16. CSA About, https://cloudsecurityalliance.org/about/, 2011
17. Jr IJH, Hubbard D, Sutton M, Biggest Threats to Cloud Computing, Tech Republic, Cloud Security Alliance, cloudsecurityalliance.org/research/projects/top-threats-to-cloud-computing, 2010
18. Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Tech Republic, 2009
19. CSA, Security Guidance for critical areas of Focus in Cloud Computing V 3.0, Tech Rep., Cloud Security Alliance, http://www.cloudsecurityalliance.org/guidance/csaguide .v.3.0.pdf, 2011
20. Cloud Security Alliance, A Reference Architecture, https://cloudsecurityalliance.org/wp-content/uploads/2011/11/TC1-Reference-Architecture-1.1.pdf, 2011
21. ENISA, Information on ENISA, http://www.enisa.europa.eu/about-enisa
