Cloud Service Security & Application Vulnerability: April 2015
All content following this page was uploaded by Ebelechukwu Nwafor on 10 April 2015.
Abstract— Cloud computing is one of today's most appealing technology areas due to its cost-efficiency and flexibility. However, despite significant interest, deploying cloud computing in an enterprise infrastructure raises significant security concerns. Successful implementation of cloud computing in an enterprise requires proper planning and understanding of emerging risks, threats, vulnerabilities, and possible countermeasures. This paper discusses security concerns of the three cloud computing models, namely "Software as a Service" (SaaS), "Platform as a Service" (PaaS) and "Infrastructure as a Service" (IaaS). It also discusses cloud-based security tools currently available. Under the U.S. Federal Security Requirements for Cloud Security, the paper presents the Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP). The paper also discusses Cloud Data Encryption, Homomorphic Encryption and Access Control (Identity Access Management). Finally, this paper discusses select cloud applications. It also looks at some of the known vulnerability issues associated with those applications and at the future of cloud applications.

Keywords— cloud computing; IaaS; SaaS; PaaS; cybersecurity; Application Vulnerability; cryptography; access control; FISMA; Data Encryption

I. INTRODUCTION: CLOUD MODELS

Cloud computing is defined as "a collection of IT resources (servers, databases, and applications) which are available on an on-demand basis, provided by a service company, available through the internet, and provide resource pooling among multiple users." [1].

According to the National Institute of Standards and Technology (NIST), one of the most accepted definitions of cloud computing is "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

The cloud model is composed of five essential characteristics, three service models, and four deployment models [5]. The five essential characteristics of cloud models are:

On-demand self-service: a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access: capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity: capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

There are three models of cloud services, commonly known as SPI, an acronym for the most common cloud computing service models: Software as a Service, Platform as a Service and Infrastructure as a Service. Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. Platform as a Service (PaaS) is a paradigm for delivering operating systems and associated services over the Internet without downloads or installation. Infrastructure as a Service (IaaS) involves outsourcing the equipment used to support operations, including storage, hardware, servers and networking components; an example is Amazon's Elastic Compute Cloud (EC2) [5].

There are four cloud deployment models. These are Private cloud, in which cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units), Community cloud, in which the infrastructure is provisioned for exclusive use by a specific
community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations), Public cloud, in which the cloud infrastructure is provisioned for open use by the general public, and Hybrid cloud, which is a composition of two or more distinct cloud infrastructures (private, community, or public). Despite significant interest, deploying cloud computing in an enterprise infrastructure brings significant security concerns [5].

II. CLOUD SERVICES & VENDORS

Security Concerns of Cloud Computing

1. Services

Security remains a major concern for moving data to the cloud. Although data encryption provides protection, decisions need to be made regarding when, where, and how to encrypt data heading to the cloud [4].

2. Model Security

To understand more about security concerns, we discuss the security concerns of the three cloud computing models, describing the common security issues that are posed by the cloud service delivery models, namely "Software as a Service" (SaaS), "Platform as a Service" (PaaS) and "Infrastructure as a Service" (IaaS).

2.1. Security Issues in SaaS

In SaaS, the client has to depend on the provider for proper security measures. The provider must do the work to keep multiple users from seeing each other's data. So it becomes difficult for the user to ensure that the right security measures are in place, and also difficult to get assurance that the application will be available when needed.

According to [2], the following key security elements should be carefully considered as an integral part of the SaaS application development and deployment process:

Data security: in the SaaS model, the enterprise data is stored outside the enterprise boundary.
Network security: in a SaaS deployment model, sensitive data is obtained from the enterprises, processed by the SaaS application and stored at the SaaS vendor end.
Data locality: in a SaaS model of a cloud environment, the consumer does not know where the data is getting stored.
Data integrity: data integrity is one of the most critical elements in any system.
Data segregation: multi-tenancy is one of the major characteristics of cloud computing. In such a situation, data of various users will reside at the same location.
Data access: the data access issue is mainly related to security policies provided to the users while accessing the data.
Authentication and authorization: the software is hosted outside of the corporate firewall.
Data confidentiality issue: cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the internet or other connections.
Web application security, data breaches, vulnerability, availability, backup, and the identity management and sign-on process (identity management, IdM, or ID management) are other concerns of SaaS.

2.2. Security issues in PaaS

In PaaS, the provider may offer functional control to the client to build applications on top of the platform. But any security below the application level, such as host and network intrusion prevention, will still be in the scope of the provider, and the provider has to offer strong assurances that the data remains inaccessible between applications. PaaS is intended to enable developers to build their own applications on top of the platform. As a result it tends to be more extensible than SaaS, at the expense of customer-ready features. This tradeoff extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security [2].

2.3. Security issues in IaaS

IaaS is prone to various degrees of security issues based on the cloud deployment model through which it is being delivered. Public cloud poses the major risk, whereas private cloud seems to have lesser impact. Physical security of infrastructure and disaster management is of utmost importance if any damage is incurred to the infrastructure (either naturally or intentionally). Infrastructure not only pertains to the hardware where data is processed and stored, but also the path over which it is transmitted. In a typical cloud environment, data will be transmitted from source to destination through numerous third-party infrastructure devices [11].

3. Cloud-based Security Tools

Protecting your network is becoming more important than ever. Whatever the size of your network, hackers want access to it. Now, with modern technologies like software-as-a-service or security-as-a-service, it's easier than ever to implement security strategies for your company. According to [14, 15], here are some of the top security products that are available today:

SilverSky is a cloud-based security provider. It offers email, monitoring and protection, network protection, and helps your company become HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry) compliant.

Vaultive encrypts any data leaving the network using AES encryption. It sits between your network and the Internet without needing any on-premise hardware. The company helps people protect cloud-based services like Office 365 and Exchange.

DocTrackr is a security layer that works with file-sharing services such as Box and Microsoft SharePoint. Once you send a document out of your system, you typically have no control of it anymore. DocTrackr, however, reinstates your control and lets you set user privileges for each person you share a document with. It also tracks the views on your document, and allows you to "unshare" the document if you
want.

Proofpoint focuses on the security of email with cloud-only services. It protects any incoming and outgoing data. While Proofpoint admits to storing your data, it promises that it does so only for the purpose of protecting against data loss, and that they do not have the keys to decrypt any of the information.

Centrify focuses on identity management across many different devices and applications. It puts all of your employees and/or customers into one centrally controlled, secure, and monitored area. Centrify will protect your network through on-premise software or cloud applications.

There are also other security tools available today: Qualys secures your devices and web apps; WhiteHat Security focuses on protecting websites from the ground up, including in the coding process; and Okta focuses purely on identity management, knowing who is where and why.

4. U.S. Federal Security Requirements for Cloud Security

NIST marks top security requirements for U.S. Government Cloud Computing Technology to ensure that cloud service providers meet a baseline set of federal security requirements. The cloud system has to meet not only U.S. government security needs, but also those of other customers sharing the environment.

4.1. FISMA

The Federal Information Security Management Act (FISMA) requires U.S. government agencies to implement and document programs to protect the confidentiality, integrity, and availability of IT systems. All U.S. agencies must budget allocated funding to be in compliance. As the controlling Federal law, enacted in 2002 as the E-Government Act, 116 Stat. 2899, under 44 U.S.C. §3541 [12], the scope and purpose of the initiative is described as the National Institute of Standards and Technology (NIST) interpretation of "important aspects of cloud computing and is intended to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing. The service and deployment models defined form a simple taxonomy that is not intended to prescribe or constrain any particular method of deployment, service delivery, or business operation" [5]. The requested trusted service models under the Act invoke SaaS, PaaS and IaaS with provisions. Deployment models may vary based on independent agency requirements. Such "deviations" are limited in coordination with independent agency stipulations.

4.2. FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, has been a unified, Federal government program focused on vendor and multiple agency systems. FedRAMP has been established to provide a standard approach to cloud computing by assessing and authorizing particular vetted services and products. FedRAMP allows joint authorizations and continuous monitoring services for government and commercial cloud systems intended for multiple agency use. FedRAMP was structured to reduce duplication efforts, inconsistencies, and cost inefficiencies associated with the current modern noted security processes.

The Federal Risk and Authorization Management Program (FedRAMP) supports the U.S. government's objective to enable U.S. federal agencies to use managed service providers that enable cloud computing capabilities.

FedRAMP allows U.S. federal agencies to make use of CPs' platforms and offerings. The FedRAMP program provides an avenue for CPs to obtain a provisional authorization after undergoing a third-party independent security assessment. By assessing security controls on candidate platforms and providing provisional authorizations on platforms that have acceptable FedRAMP Governance. FedRAMP is governed by a Joint Authorization Board (JAB) that consists of representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD). FedRAMP provides a standardized approach to security assessments and ongoing assessments and authorizations (continuous monitoring) designed to save cost, time, and staff required to assess and authorize cloud services.

5. Cloud Security Vendors

The following cloud security vendors have Federal ties under the FedRAMP program. FedRAMP mandates secure transference to cloud technologies in an allotted schedule. FedRAMP certifies both commercial and government cloud service providers.

5.1 EnCase

A current vendor with much promise comes from the realm of digital forensics. EnCase is the shared technology, within a suite of digital investigations products, by Guidance Software. Software is packaged separately for forensic, cyber security, security analytics, and e-discovery use. The focus would be on cyber security, specifically under the function of cloud security, which is validated for Federal integration under the NIST Cybersecurity Framework for cybersecurity risk mitigation.

As an immediate rapid response countermeasure, EnCase Cybersecurity products collaborate with other vendors' software to ascertain threats and secure data under the Security Information and Event Management (SIEM) platform. When leveraging these integrations, EnCase Cybersecurity provides security operation centers the validation and details required from affected hosts in close to real time to completely understand the nature and scope of any incident with a valid remediation. Known partner vendors are HP ArcSight, IBM Q1 Labs, FireEye, SourceFire and others [20].

5.2 Splunk

Splunk is software tailored to capture data and then index it, with noted correlations, in a searchable repository for post-incident event alerts and reports. The products featured apply to application management, security and compliance by identifying data patterns, providing metrics, diagnosis of
problems and provides predictive intelligence specifically for cloud security.

Splunk offers both Splunk Storm and Hunk: Splunk Analytics for Hadoop, which supports accessing, searching, and reporting on external data sets located specifically in Splunk's proprietary cloud product or Hadoop from a Splunk interface. Splunk is currently under review for full Federal agency use [21].

III. SECURITY VULNERABILITIES

B. CLOUD APPLICATIONS & VULNERABILITIES

1. Netflix

Netflix is an online video streaming application that allows for ubiquitous access to video content. Users have the option of choosing from a wide array of videos which can be paused or resumed on any client device. Netflix is run entirely on public cloud, on Amazon Web Services. In August 2008, Netflix experienced database corruption. This served as a motivation for migrating to the cloud. Netflix is regarded as one of the largest cloud services.

Netflix moved all of its corporate IT applications to SaaS cloud applications such as Evernote, OneLogin, Workday, and Box. They also built their own Platform as a Service cloud tools that help test the efficiency of the cloud service, which makes developers more productive. In September 2006, as part of its effort to improve consumer movie recommendations, Netflix organized a competition in which it allowed contestants to develop a movie recommendation algorithm that improves on Netflix's current movie recommendations by 10%. Anonymized data of about 480,000 consumers containing movie ratings was released. This data was believed to be anonymized, but according to two researchers at the University of Texas, information from the dataset can be used to reveal information about the consumers. A lawsuit was filed against Netflix based on its release of the dataset of consumer rating recommendations. It was discovered that attackers tried to exploit Netflix based on a vulnerability found in Silverlight [55], a plug-in similar to Adobe Flash developed by Microsoft. These cybercriminals use fake website advertisements to install malicious software on the host systems. Once a user clicks on the ad, the user is redirected to a website containing malicious content. This site infects the browser with malicious content.

2. LinkedIn

LinkedIn is a social networking site in which users connect with people whom they know and trust professionally [48]. Each user creates a profile page with their employment history and education and is able to form connections with other users who they have worked with, know professionally or have gone to school with. In 2012, LinkedIn faced a $5 million class-action lawsuit after a hacker posted over 6.5 million of its hashed passwords on a password cracking forum [49]. The lawsuit was filed because of an appalling lack of security measures, which was revealed by reports of the site being infiltrated by a SQL injection attack. In response to this attack the company had the passwords of all accounts that were affected by the attack rendered invalid [50]. Next, they emailed the users of these accounts with instructions on how to reset their passwords as well as a debriefing of the situation.

LinkedIn's current security measures now include the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), email verification, and two-step verification [51]. CAPTCHA is used to keep users' accounts safe from unauthorized access by making sure that a person and not a computer is accessing the account. CAPTCHA operates by creating an image containing random, slightly distorted numbers and letters that computers are not able to read but humans are able to read. Proper completion of the test verifies that a human user is attempting to access the account.

Through email verification, LinkedIn monitors anomalous activity, such as signing in from a country not associated with the user's profile, and sends a verification email to the email address associated with the account to make sure that it is the real user performing the activity. Finally, two-step verification is a security method in which more than one form of verification is required in order to gain access to an account. This usually consists of requiring a password for the account and sending an SMS with a numeric code any time there is a sign-in from an unfamiliar device. By requiring both "something you know" and "something you have", this process provides an extra layer to keep the account secure if the user's password is compromised due to using the same password for multiple sites, downloading software from the internet or clicking on links with malicious content in email messages [52].

3. iCloud

iCloud is a cloud storage application developed by Apple Inc. It allows Apple client systems (iPhone, iPad, iPod etc.) to store and retrieve information on the cloud. It was launched on October 12, 2011. It allows users to seamlessly access information on any client system by using their Apple ID. iCloud contains an auto-sync feature whereby once a user saves information on the cloud, the content is automatically synced on all of their devices connected to the cloud system. For data to be saved on the cloud, the application places the data in a location called the cloud container. This serves as the local representation of the data on the client system. iCloud is a private cloud managed solely by Apple Inc.

According to Forbes.com, a group known as Hackappcom posted a proof-of-concept script with information on how to effectively guess username and password information using the find my app API. This API allows for unlimited amounts of username and password queries. The script was made public at a talk given by Andrey Belenko and Alexey Troshichev titled iCloud Keychain and iOS 7 Data Protection at the Russian DEFCON group. It is also believed that iCloud was the medium of attack for the cyber-attack in which hundreds of personal celebrity photos were leaked. Due to the data breach, iCloud now uses 2-factor authentication whereby its users are required to enter a password and another security
feature such as SMS verification to further authenticate their identity.

4. Dropbox

Dropbox is a cloud-based storage application that allows seamless synchronization of files on multiple clients. It was developed in 2007 [26]. It offers a secure way of storing information using 256-bit AES data encryption. The client application is available for Microsoft Windows, Apple OS X and Linux operating system platforms. When a user makes a request to upload or download a file, files that are larger than 4MB are split into different chunks when sent from the client system to the server. Each chunk is identified by a SHA-256 hash value which is contained in the meta-data description of the file. Dropbox uses three major servers: the control and the data storage servers. The control server is managed directly by Dropbox Inc. This server is responsible for the exchange of authentication and metadata information, while the storage server, which is responsible for file upload/download, is an Amazon Elastic Compute Cloud (EC2) and Simple Storage Service (S3). Dropbox architecture also contains a notification server which keeps a constant TCP connection with the client and notifies it of any change to the file performed at another client. Metadata information is stored in a database which runs on MySQL. All servers except the notification server use HTTPS to establish connections with the client. The application reduces the amount of information sent by using delta encoding while the data chunks are being transmitted. Each data chunk is compressed before it is sent to the data storage server. The client application also keeps a local database which contains meta-data information of files sent. The Dropbox application offers users the ability to control the maximum upload and download speed. File synchronization starts with a message exchange through the meta-data servers. This is succeeded by a send or retrieve operation which is sent to the data-storage servers. Once data has been successfully exchanged, the client system sends messages to the meta-data server to terminate the connection [26].

In 2011, the Dropbox system was compromised. About a hundred usernames and passwords of Dropbox consumers were stolen. According to Dropbox, this was due to a compromised administrator account which contained email addresses of several users. Dropbox has since also required users to use two-factor authentication, which ensures more stringent data security. Also, in 2011, it was confirmed by Dropbox that a programming flaw was detected which allowed access to an account without requiring a password. Access was possible between 1:54 PM PT and 5:46 PM. This was detected and immediately updated.

IV. NOTED VULNERABILITY EXAMPLES

1.1 GOOGLE-DOCS

Google Docs is a cloud-based application that allows the use of a web processor over the internet. Documents are created, formatted and saved on Google's cloud server, which is accessed through the internet [31]. Documents created on Google Cloud can be exported in various formats (ODF, HTML, PDF, RTF, Text, and Open Office XML). It allows multiple users to work on the same document concurrently. Each user can see changes made character by character. It is available as a web application, as a Chrome browser extension, as a Chrome app and also as mobile applications (iPhone, Android). Google Docs is a typical example of a Software as a Service office suite which allows for the creation, modification, editing, and deletion of documents, spreadsheets and presentations. Documents created can be saved locally and are automatically saved on Google's servers.

Some of the previously known vulnerabilities that existed in Google Docs are as follows:

In 2009, a previously authorized party of a Google Doc could still maintain access to a document even when access had been revoked by the owner of the document. Images embedded in a Google Doc are identified with an ID which is accessible by a URL [53]. Google Docs did not provide protection to images embedded in a document (e.g. a user might restrict access to a given document but the images contained in the document can still be visible to unauthorized parties).

1.2 DocuSign

DocuSign is an application that allows users to send and sign legally binding documents electronically [33]. To begin the process, the sender uploads a document to DocuSign and adds the names and email addresses of signers and other recipients. Afterwards, the recipient clicks on a link from any internet-enabled device and is given access and instructions to sign the document using an electronic signature. Once signed, both the sender and recipients have access to the signed document and are able to download and print it as necessary.

DocuSign operates using a cloud service known as digital transaction management (DTM), which is able to perform transactions on documents digitally [34]. DocuSign uses DTM as an end-to-end solution for its document signing and management process, providing all components and resources needed to meet its requirements. First, users define the order in which steps are completed as well as the associated actions in order to prepare for transactions [35]. Next, each transaction is carried out using enterprise-level security and authentication methods as a validation method for signer identity. Finally, each transaction is recorded digitally in the cloud for use in reporting and proof of compliance.

DocuSign boasts of its bank-grade security features [36]. It operates in compliance with the xDTM standard, a list of requirements for platforms and companies to uphold in order to ensure consumer data is protected in an online environment [37]. DocuSign utilizes this standard to provide protection for digital transactions, full document encryption for the confidentiality of data, robust anti-tamper controls for the integrity of documents, redundant, geo-diverse data centers to back up critical documents and numerous authentication
options to validate the identity of users. However, on December 5, 2012 users reported a breach in DocuSign's customer-information database resulting in an email pretending to be from DocuSign containing Trojan malware [38]. The user claims that the only way a spammer could have received knowledge of their email address used for DocuSign is through a DocuSign security leak. A DocuSign representative argues that more than 85% of messages it receives with similar issues are from individuals who do not even have DocuSign accounts, asserting that the DocuSign eSignature network has undergone investigation and appears to be secure. The representative goes further to say that the attacker most likely received the email address through some sort of phishing method and gives suggestions to protect against spam. The user remains skeptical, contending that the unique single-use address created links the leak to DocuSign, and challenges DocuSign to focus their investigation on the time period between the date he or she created the single-use address and the date of the malicious email.

1.3 EverNote

EverNote is a note-taking application that allows users to create, store, search for and share documents, synchronizing them to be accessed by any computer, web browser or mobile device [39]. The user may create a note that starts off as a blank document that serves as a notepad, and files can be attached to it via drag and drop [40]. Once this is complete, text, attached documents and legible handwriting in photos can be searched for using keywords, and users may click on an icon to open documents embedded in the notes. Additionally, these notes can be shared with an unlimited number of other users. Users can be given viewing and editing permissions. All information EverNote records is placed in cloud storage, and EverNote allows for a monthly upload of 60 MB for the free version and 1 GB for the premium version.

On March 2, 2013 EverNote reported that it was able to identify and block a malicious attempt to break into secure data [41]. The attacker was able to gain access to usernames, email addresses and encrypted passwords, but EverNote has since reset all user passwords and claims there is no evidence of leaked user data or payment information. On June 11, 2014 EverNote was subject to an immense distributed denial of service (DDoS) attack that interrupted the company's normal operations and prevented users from accessing and synchronizing their notes [42]. Perhaps in response to the latest attack, EverNote now uses an on-demand DDoS mitigation service [43]. To secure passwords it uses Password authentication for all of its accounts based on a time-based one-time password algorithm (TOTP). TOTP is a password that can only be used once and changes continuously based on time passed since a set point of time [46]. Furthermore, its web service uses OAuth in order to authenticate third-party applications so they do not need to store the user's username or password on their device. Instead, OAuth directly connects the third-party application to the user's account without giving the application the user's login credentials, by returning an authentication token to the client. Finally, EverNote operates two data centers in the United States and transmits encrypted data between them with a dedicated network link not connected to the Internet.

1.4 Joukuu

Joukuu is a cloud service that allows users to manage their files from other cloud storage applications in one location [47]. Rather than having to keep track of the locations of their files from Box.net, Dropbox and Google Docs, Joukuu gives the user the ability to search, manage and edit files from the other three applications. While the free web app can run from any browser, the desktop app is for Windows users only. The paid Joukuu Plus version, which is also a Windows-only desktop app, adds a drag-and-drop capability and has a document sync service that synchronizes files based on how frequently they are used in order to save the amount of bandwidth used. Joukuu does not store any passwords or files on its servers, so the security of the users' data is dependent on the security of Box.net, Dropbox and Google Docs and the encrypted connections they utilize [48]. So far, there have not been any known security issues associated with Joukuu.

V. FURTHER CLOUD SECURITY

1. Cloud Data Encryption and Access Control

Recent research results show that cloud services can be secured via data encryption and access control. Under this topic, we discuss the types of encryption system that are convenient for the cloud and the types of access control. Encryption is required for sensitive and sensitive-enhanced data, both at rest and in transit, to meet security requirements. Sensitive and sensitive-enhanced data must be encrypted using FIPS 140-2–validated encryption modules. Keys must be managed separately from data and require higher privileges. Encryption keys must be changed every two years for sensitive data and annually for sensitive-enhanced data, decrypting data with the old key and re-encrypting the data with the new key. Encryption requirements are as follows:
Based Key Derivation Function 2 (PBKDF2) rather than I. Encryption of data at rest-Encryption must be used for
plaintext in storage. PBKDF2 is a method for creating sensitive and sensitive-enhanced information stored or
encryption keys from a password. It operates by performing a archived on fixed and removable devices and media.
pseudorandom function to generate a derived key which could II. Encryption of data in transit-Encryption of data in transit
be any length [45]. While it does not require for users to protects data, including usernames and passwords, from
create strong passwords, it encourages them to do so using a interception. This is especially important when using
password strength meter and limits failed login attempts based untrusted network environments
on accounts and IP-addresses to inhibit password guessing 1.1 Homomorphic Encryption
attacks. In addition to this EverNote uses two-factor Homomorphic Encryption systems are used to perform
operations on encrypted data without knowing the private key (without decryption). The client is the only holder of the secret key. When we decrypt the result of any operation, it is the same as if we had carried out the calculation on the raw data. These are schemes in which mathematical operations on the ciphertext have regular effects on the plaintext. Homomorphic encryption schemes differ in the operations they allow on the raw data: additive homomorphic encryption adds the raw data, and multiplicative homomorphic encryption multiplies the raw data.

A very simple demonstration of the mathematical consistency required: a user sends a request to add the numbers 1 and 2, which are encrypted to become the numbers 44 and 55, respectively. The server in the cloud processes the sum as 99, which is downloaded from the cloud and decrypted to the final answer.

Definition: An encryption is homomorphic if, from Enc(a) and Enc(b), it is possible to compute Enc(f(a, b)), where f can be +, ×, ⊕, without using the private key.

Fully Homomorphic Encryption is a good basis to enhance the security measures of untrusted cloud systems or applications that store and manipulate sensitive data [18]. At a high level, the essence of fully homomorphic encryption is simple: given ciphertexts that encrypt π1, …, πt, fully homomorphic encryption should allow anyone (not just the key-holder) to output a ciphertext that encrypts f(π1, …, πt) for any desired function f, as long as that function can be efficiently computed. No information about π1, …, πt or f(π1, …, πt), or any intermediate plaintext values, should leak; the inputs, output and intermediate values are always encrypted [19].

This type of encryption method accepts encrypted inputs and then performs blind processing to satisfy the user query without being aware of its content, whereby the retrieved encrypted data can only be decrypted by the user who initiates the request. This allows clients to rely on the services offered by remote applications without risking their privacy.

In Fully homomorphic encryption, two operations are required to be considered it + and

1.2 Access Control (Identity Access Management)

Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT professionals today. While an enterprise may be able to leverage several cloud computing services without a good identity and access management strategy, in the long run extending an organization's identity services into the cloud is a necessary prerequisite for strategic use of on-demand computing services [13]. The major IAM functions that are essential for successful and effective management of identities in the cloud are Identity provisioning/deprovisioning, Authentication & federation, Authorization & user profile management and Support for compliance.

Identity Provisioning: One of the major challenges for organizations adopting cloud computing services is the secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud. Further, enterprises that have invested in user management processes within an enterprise will seek to extend those processes to cloud services.

Authentication: When organizations utilize cloud services, authenticating users in a trustworthy and manageable manner is a vital requirement. Organizations must address authentication-related challenges such as credential management, strong authentication, delegated authentication, and managing trust across all types of cloud services.

Federation: In the cloud computing environment, Federated Identity Management plays a vital role in enabling organizations to authenticate their users of cloud services using the organization's chosen identity provider (IdP).

Authorization and User Profile Management: The requirements for user profiles and access control policy vary, depending on whether the user is acting on their own behalf (such as a consumer) or as a member of an organization (such as an employer, university, hospital, or other enterprise). The access control requirements in SPI environments include establishing trusted user profile and policy information, using it to control access within the cloud service, and doing this in an auditable way.

Compliance: For customers who rely on cloud services, it is important to understand how Identity Management can enable compliance with internal or regulatory requirements. Well-designed identity management can ensure that information about accounts, access grants, and segregation of duty enforcement at cloud providers can all be pulled together to satisfy an enterprise's audit and compliance reporting requirements.

VI. CONCLUSION

The cloud computing model offers many benefits, yet it faces issues and criticism due to its non-stringent security enforcement. There should be stricter security policies put in place when dealing with cloud applications. Also, applications should enforce more layers of security, such as 2 factor authentication, to ensure that data is properly secured. Data at rest or in transit should be encrypted and signed to ensure confidentiality and integrity. Also, most business organizations should employ a hybrid cloud model, since this ensures that personal information is managed internally on private clouds and not stored on public clouds. This helps to alleviate the risk of personal information being compromised.

REFERENCES

[1]. S. Subashini, V. Kavitha (2011) A survey on security issues in service delivery models of cloud computing
[2]. The Next Wave Vol.20 No. 3 | 2014 https://www.nsa.gov/research/tnw/tnw203/articles/pdfs/tnw203_article5.pdf
[3]. Cloud Computing http://searchcloudcomputing.techtarget.com/tip/Breaking-down-the-three-stages-of-cloud-data-encryption
[4]. Mell, Peter, Grance, Timothy [2011] The NIST Definition of Cloud computing http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[5]. The 20 Coolest Cloud Security Vendors of the 2014 Cloud 100 http://www.crn.com/slide-shows/cloud/240165645/the-20-coolest-cloud-security-vendors-of-the-2014-cloud-100.htm/pgno/0/10
[6]. Top-Ten-SaaS-security-tools http://venturebeat.com/2014/01/30/top-ten-saas-security-tools/
[7]. How Secure Is Your Cloud Service Provider? http://www.forbes.com/sites/cdw/2014/09/17/how-secure-is-your-cloud-service-provider/
[8]. NIST http://csrc.nist.gov/groups/SMA/fisma/
[9]. Fed ramp http://cloud.cio.gov/fedramp
[10]. Ristenpart T, Tromer E, Shacham H, Savage S. Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology, Cambridge, US (2009). Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the CCS 2009, ACM Press, 2009
[11]. 116 Statute 2899 under 44 U.S.C. §3541: "FISMA" http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf
[12]. Cloud Security Alliance (2010) Guidance for Identity & Access Management V2.1 https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
[13]. Meghan Kelly (January 30, 2014 10:11 AM) - The top 10 cloud-based security tools to protect your network in a hurry. http://venturebeat.com/2014/01/30/top-ten-saas-security-tools/
[14]. TrustIT http://www.trustitllc.com/five-cloud-based-security-tools-that-will-protect-your-business-effortlessly/
[15]. Fujitsu Laboratories Ltd. “Fujitsu develops world’s 1st homomorphic encryption technology that enables statistical Calculations and biometric authentication” [press release]. Aug 2013. Available at http://www.fujitsu.com/global/about/resources/news/press-releases/2013/0828-01.html
[16]. InformationWeek (February 2014) FedRAMP Cloud Security http://dc.ubm-us.com/i/244186
[17]. Bajpai, Shashank, Srivastava, Padmija (2009) A Fully Homomorphic Encryption Implementation on Cloud computing http://www.ripublication.com/irph/ijict_spl/ijictv4n8spl_05.pdf
[18]. Craig Gentry (2009), A Fully Homomorphic Encryption Scheme http://crypto.stanford.edu/craig/craig-thesis.pdf
[19]. EnCase https://www.guidancesoftware.com/products/Pages/EnCase-Cybersecurity/nist-cybersecurity-framework.aspx accessed on 01/10/2015
[20]. Splunk (http://www.splunk.com/product) accessed on 01/10/2015
[21]. Scheier, Robert [2003] Web services security vendors focus on access control, XML firewalls http://searchsecurity.techtarget.com/tip/Web-services-security-vendors-focus-on-access-control-XML-firewalls
[22]. Macmillan, Douglas. Yadron, Danny. “DropBox blames Security breach on Password Reuse” Wall Street Journal. Oct 14, 2014. Date accessed: Jan 01, 2015.
[23]. McCullagh, Declan “Dropbox confirms security glitch—no password required” CNET. Jun, 20, 2011. Date Accessed: Jan 01, 2015
[24]. Mell, Peter. Grance, Timothy. “The NIST Definition of Cloud computing” NIST. NIST special publication 800-145. Sep 2011
[25]. Idilio Drago, Marco Mellia, Maurizio Munafo, “Inside Dropbox: Understanding Personal Cloud Storage Services” Proceedings of the 2012 ACM conference on Internet measurement conference. Pages 481-494. 2012.
[26]. “How we’ve Scaled Dropbox” YouTube. YouTube. 10 Sept. 2010 Web. 04 Jan. 2015.
[27]. Adrian Cockcroft “NetflixOSS-A Cloud Native Architecture”. Sept 2013. Date accessed: 01 Jan, 2013 http://laser.inf.ethz.ch/2013/material/cockcroft/LASER2.pdf
[28]. Jaspn, Chan. “Netflix’s Journey to the Cloud: Lessons learned from Netflix migration to the public cloud” http://www.sfisaca.org/images/FC12Presentations/D1_2.pdf
[29]. “iCloud Design Guide.” Apple Inc. 2014
[30]. “Google-Docs” Wikipedia. Wikipedia. Date accessed: 5 Jan, 2015 http://en.wikipedia.org/wiki/Google_Docs
[31]. Norton, Steven. Boulton, Steven. “Why Big companies Delay using the cloud for some applications”. Wall Street Journal. 16 July, 2014. Date accessed: 1 Jan, 2015.
[32]. How docusign works. (2015, January). Retrieved from https://www.docusign.com/how-it-works
[33]. End-to-end solution in technology. (2006, March 30). Retrieved from http://dictionary.reference.com/browse/end-to-end solution
[34]. The global standard for digital transaction management. (2015, January). Retrieved from https://www.docusign.com/how-it-works/digital-transaction-management
[35]. Bank-grade security & operations. (2015, January). Retrieved from https://www.docusign.com/how-it-works/security
[36]. Industry leaders align on digital transaction management standard. (2014, March 5). Retrieved from https://www.docusign.com/press-releases/industry-leaders-align-on-digital-transaction-management-standard
[37]. Docusign customer information security breach. (2012, December 5). Retrieved from http://community.docusign.com/t5/Miscellaneous/DocuSign-customer-information-security-breach/m-p/14161
[38]. Understanding evernote sync. (2015). Retrieved from https://evernote.com/getting_started/
[39]. Walsh, E., & Cho, I. (2013). Using evernote as an electronic lab notebook in a translational science laboratory. Journal of Laboratory Automation, 18(3), 229-234. Retrieved from http://jla.sagepub.com/content/early/2012/12/26/2211068212471834.full
[40]. Ovide, S. (2013, March 2). Evernote discloses security breach. Wall Street Journal. Retrieved from http://www.wsj.com/articles/SB10001424127887323478304578336373531236296
[41]. King, L. (2014, June 11). Evernote pounded by aggressive cyber attack. Forbes. Retrieved from http://www.forbes.com/sites/leoking/2014/06/11/evernote-pounded-by-aggressive-cyber-attack/
[42]. Security overview. (2015). Retrieved from https://evernote.com/security/
[43]. Kaliski, B. (2000, September). Password-based cryptography specification. Retrieved from http://www.ietf.org/rfc/rfc2898.txt
[44]. One-time passwords - hotp and totp. (2015, February 28). Retrieved from http://blogs.forgerock.org/petermajor/2014/02/one-time-passwords-hotp-and-totp/
[45]. Fulton, S. (2011, November 02). Joukuu floats a web-based "cloud cloud" for online storage. Retrieved from http://readwrite.com/2011/11/02/joukuu-floats-a-web-based-clou
[46]. Smollinger, M. (2011, March 22). Joukuu reviewed. Retrieved from http://www.smallnetbuilder.com/other/cloud/cloud-services-apps/301-joukuu-reviewed
[47]. Rouse, M. (2014, July). Linkedin. Retrieved from http://whatis.techtarget.com/definition/LinkedIn
[48]. Schwartz, M. (2012, June 20). Linkedin security breach triggers $5 million lawsuit. Retrieved from http://www.darkreading.com/risk-management/linkedin-security-breach-triggers-$5-million-lawsuit/d/d-id/1104943?
[49]. Silveira, M. (2012, June 06). An update on linkedin member passwords compromised. Retrieved from http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
[50]. Linkedin security features. (2015). Retrieved from https://help.linkedin.com/app/safety/answers/detail/a_id/3702
[51]. Google 2-step verification. (2015). Retrieved from https://www.google.com/landing/2step/
[52]. Bisong, Anthony and Rahman, Syed [2011] An Overview of the Security Concerns In Enterprise Cloud Computing.
[53]. N Nayab, Jean Scheid “Is Google Docs Secure Enough for Your Company's Data?”. 8 Aug, 2011. BrightHub. Retrieved from http://www.brighthub.com/computing/enterprise-security/articles/122102.aspx
[54]. Ryan Singel “NetFlix Cancels Recommendation Contest After Privacy Lawsuit”. WIRED. 3 May, 2010. Retrieved from http://www.wired.com/2010/03/netflix-cancels-contest/
[55]. Jill Scharr “Criminals Target Netflix Users via Microsoft Flaws” toms Guide US. 20 March, 2014. Retrieved from http://www.tomsguide.com/us/cybercriminals-netflix-microsoft-silverlight,news-18807.html
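The additive and multiplicative properties defined in section 1.1 (Homomorphic Encryption), shown with two classic schemes as an added example that is not code from the paper: a toy Paillier cryptosystem for Enc(a), Enc(b) → Enc(a + b) and unpadded textbook RSA for Enc(a), Enc(b) → Enc(a × b). The primes, the RSA exponent and all function names are constructed demo values and assumptions; they are far too small for real use.

```python
import math
import secrets

# Constructed demo primes; real deployments use primes of 1024+ bits each.
P, Q = 1009, 1013

def keygen(p=P, q=Q):
    """Return (public, private) Paillier keys using the generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)          # modular inverse; valid because g = n + 1
    return (n, n + 1), (lam, mu)

def encrypt(pub, m):
    """Client side: probabilistic encryption c = g^m * r^n mod n^2."""
    n, g = pub
    n2 = n * n
    while True:                   # pick a random r that is coprime to n
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c):
    """Client side: m = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n

def add_encrypted(pub, c1, c2):
    """Server side: multiplying ciphertexts adds the plaintexts. No private key."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def cloud_sum_demo(a=1, b=2):
    """The page's 'add 1 and 2 in the cloud' exchange, end to end."""
    pub, priv = keygen()
    c1, c2 = encrypt(pub, a), encrypt(pub, b)    # client encrypts and uploads
    c_sum = add_encrypted(pub, c1, c2)           # server sees ciphertexts only
    return decrypt(pub, priv, c_sum)             # client decrypts the result

def rsa_multiply_demo(a=6, b=7, e=17):
    """Multiplicative case with unpadded RSA: Enc(a) * Enc(b) = Enc(a * b)."""
    n = P * Q
    d = pow(e, -1, (P - 1) * (Q - 1))            # private exponent
    c = (pow(a, e, n) * pow(b, e, n)) % n        # server multiplies ciphertexts
    return pow(c, d, n)                          # key holder decrypts
```

Each scheme supports only one of the two operations, which is why they are called partially homomorphic; results are correct only while the true sum or product stays below n.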
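The password controls described in section 1.3 (PBKDF2 storage instead of plaintext, plus failed-login limits per account and per IP address), sketched as an added example that is not EverNote's code. The hash function, iteration count, thresholds and all names are assumptions, since the paper gives none of them.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000     # assumed work factor; the paper does not state one
MAX_PER_ACCOUNT = 5      # assumed failed-attempt limit per account
MAX_PER_IP = 20          # assumed failed-attempt limit per source IP

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256 and a random per-user salt."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify_password(record, candidate):
    """Re-derive with the stored salt and iterations; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

class LoginGuard:
    """Counts failures by account and by IP to slow password guessing.
    Simplified: counters never expire; a real service would use time windows."""

    def __init__(self, users):
        self.users = users                      # username -> stored record
        self.fail_by_account = defaultdict(int)
        self.fail_by_ip = defaultdict(int)

    def login(self, username, password, ip):
        # Refuse before doing any password work once either limit is reached.
        if (self.fail_by_account[username] >= MAX_PER_ACCOUNT
                or self.fail_by_ip[ip] >= MAX_PER_IP):
            return "locked"
        record = self.users.get(username)
        if record is not None and verify_password(record, password):
            self.fail_by_account[username] = 0  # success resets the account count
            return "ok"
        self.fail_by_account[username] += 1
        self.fail_by_ip[ip] += 1
        return "denied"
```

Because the server stores only the salt, the iteration count and the derived key, a database leak like the one reported in March 2013 exposes values that must be brute-forced per user rather than the passwords themselves.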