
Cloud Computing Security Issues

Guma Ali
Islamic University of Technology (IUT)
Board Bazaar, Gazipur-1704, Bangladesh
E-mail: guma2000@gmail.com

Abstract: Cloud computing is one of today's most exciting
technologies due to its ability to reduce costs associated with
computing while increasing flexibility and scalability for
computer processes. Despite the potential gains achieved from
cloud computing, organizations are slow in accepting
it due to the security issues associated with it. The purpose of this
paper was to provide an overview of the security issues of cloud
computing, with the aim of highlighting the security concerns that
should be properly addressed and managed to realize the full
potential of cloud computing. This paper met these twin
research aims through an extensive study of relevant literature.
In this paper, the author discusses security issues for cloud
computing, particularly trust, legal issues, confidentiality,
authenticity, encryption, virtual machine attacks, shared
resources, etc. The main conclusion drawn from this paper was
that the security of the cloud infrastructure relies on trusted
computing and cryptography. Organizational data must be
protected in a manner consistent with policies, whether in the
organization's computing center or the cloud. Having a list of
common outsourcing provisions, such as privacy and security
standards, regulatory and compliance issues, service level
requirements and penalties, change management processes,
continuity of service provisions, and termination rights, provides
a useful starting point.

Keywords: Cloud Computing, Models, Security Issues, SaaS,
IaaS, PaaS.

I. INTRODUCTION
Cloud computing has been defined by National Institute of
Standards and Technology (NIST) as a model for enabling
ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or
service provider interaction [1]. Cloud computing can be
considered a new computing paradigm with implications for
greater flexibility and availability at lower cost. Because of
this, cloud computing has been receiving a good deal of
attention lately.
Cloud describes the use of a collection of services,
applications, information, and infrastructure comprised of
pools of compute, network, information and storage resources.
These components can be rapidly orchestrated, provisioned,
implemented and decommissioned, and scaled up or down
providing for an on demand utility-like model of allocations
and consumption. Cloud systems are very economical and
useful for businesses of all sizes. Cloud computing is a
technology that everyone would love to take full advantage of
because it offers so much: limitless flexibility, better reliability and
security, enhanced collaboration, portability, simpler devices,
unlimited storage, access to lightning quick processing power,
virtual, affordable and open (or closed) [2]. There is a critical
need to securely store, manage, share and analyze massive
amounts of complex (e.g., semi-structured and unstructured)
data to determine patterns and trends in order to improve
the quality of healthcare, better safeguard the nation and
explore alternative energy. Because of the critical nature of
the applications, it is important that clouds be secure.
Numerous quantifiable business benefits of adopting the
cloud are compelling enterprises to consider a prominent role
for cloud technologies in their overall IT strategies. However,
when contemplating cloud adoption, the questions of data
privacy and cloud computing security concerns are typically
raised. Corporate policies or the regulations of the governing
jurisdictions impact the way sensitive data is managed (where
it is located, what type of data it is, who has access to it)
and often determine the degree to which organizations can
realize the value of cloud computing. When enterprises are
considering migrating software applications from on-premise
versions to cloud-based versions, they frequently need to
address cloud security concerns such as data residency (data
sovereignty), industry compliance mandates and third party
obligations surrounding the use and processing of sensitive
data.
Cloud computing services benefit from economies of scale
achieved through versatile use of resources, specialization and
other efficiencies. However, it is an emerging form of
distributed computing still in its infancy. The term itself is
often used today with a range of meanings and interpretations
[3].

II. CLOUD COMPUTING MODELS
Service Models:
Three widely referenced service models have evolved [4, 5,
6]:
o Software-as-a-Service (SaaS): also sometimes
referred to as Service or Application Clouds, these
offer implementations of specific business
functions and business processes that are provided
with specific cloud capabilities, i.e. they provide
applications / services using a cloud infrastructure or
platform, rather than providing cloud features
themselves. Often, a kind of standard application
software functionality is offered within a cloud.
SaaS enables a software
deployment model in which one or more applications
and the computing resources to run them are
provided for use on demand as a turnkey service. It
can reduce the total cost of hardware and software
development, maintenance, and operations. E.g.
Google Docs, Salesforce CRM, SAP Business by
Design.

o Platform-as-a-Service (PaaS): enables a software
deployment model in which the computing platform
is provided as an on-demand service that applications
can be developed upon and deployed. It can reduce
the cost and complexity of buying, housing, and
managing hardware and software components of the
platform. PaaS provides
computational resources via a platform upon which
applications and services can be developed and
hosted. PaaS typically makes use of dedicated APIs
to control the behaviour of a server hosting
engine which executes and replicates the
execution according to user requests (e.g. access rate).
As each provider exposes his / her own API
according to the respective key capabilities,
applications developed for one specific cloud
provider cannot be moved to another cloud host;
there are however attempts to extend generic
programming models with cloud capabilities (such as
MS Azure). E.g. Force.com, Google App Engine,
Windows Azure (Platform).

o Infrastructure-as-a-Service (IaaS): also referred to
as Resource Clouds, these provide (managed and scalable)
resources as services to the user; in other
words, they basically provide enhanced
virtualisation capabilities. Accordingly, different
resources may be provided via a service interface:
Data & Storage Clouds deal with reliable access
to data of potentially dynamic size, weighing
resource usage with access requirements and / or
quality definition. E.g. Amazon S3, SQL Azure.
IaaS enables a software
deployment model in which the basic computing
infrastructure of servers, software, and network
equipment is provided as an on-demand service upon
which a platform to develop and execute applications
can be founded. It can be used to avoid buying,
housing, and managing the basic hardware and
software infrastructure components.
The capability provided to the consumer is to
provision processing, storage, networks, and other
fundamental computing resources where the
consumer is able to deploy and run arbitrary software,
which can include operating systems and applications.
The consumer does not manage or control the
underlying cloud infrastructure but has control over
operating systems, storage, and deployed
applications; and possibly limited control of select
networking components (e.g., host firewalls).

[Figure: Cloud computing service models]

Deployment Models:
o Private cloud: The cloud infrastructure is
provisioned for exclusive use by a single
organization comprising multiple consumers (e.g.,
business units). It may be owned, managed, and
operated by the organization, a third party, or some
combination of them, and it may exist on or off
premises.

o Community cloud: The cloud infrastructure is
provisioned for exclusive use by a specific
community of consumers from organizations that
have shared concerns (e.g., mission, security
requirements, policy, and compliance considerations).
It may be owned, managed, and operated by one or
more of the organizations in the community, a third
party, or some combination of them, and it may exist
on or off premises.

o Public cloud: The cloud infrastructure is provisioned
for open use by the general public. It may be owned,
managed, and operated by a business, academic, or
government organization, or some combination of
them. It exists on the premises of the cloud provider.

o Hybrid cloud: The cloud infrastructure is a
composition of two or more distinct cloud
infrastructures (private, community, or public) that
remain unique entities, but are bound together by
standardized or proprietary technology that enables
data and application portability (e.g., cloud bursting
for load balancing between clouds).


Cloud computing can be implemented entirely within an
organizational computing environment as a private cloud.
However, it should be clear from the service models described
that a main thrust of cloud computing is to provide a means to
outsource parts of that environment to an outside party. As
with any outsourcing of information technology services,
concerns exist about the implications for computer security
and privacy, particularly with moving vital applications or
data from the organization's computing center to the
computing center of another organization.
While reducing cost is a primary motivation for moving
towards a cloud provider, reducing responsibility for security
or privacy should not be. Ultimately, the organization is
accountable for the overall state of the outsourced service.
Monitoring and addressing security and privacy issues remain
in the purview of the organization, just as other important
issues, such as performance, availability, and recovery.
This paper looks at the main security issues pertinent to
cloud computing, as they relate to outsourcing portions of the
organizational computing environment. It points out areas of
concern with public clouds that require special attention.

III. KEY SECURITY ISSUES
Security is considered one of the most critical aspects in
everyday computing, and it is no different for cloud
computing due to the sensitivity and importance of data stored
in the cloud [7]. Cloud computing infrastructures use new
technologies and services, most of which haven't been fully
evaluated with respect to security. Cloud computing has
several major issues and concerns, such as data security, trust,
expectations, regulations, and performance issues. The aim of
this research is to examine the major security issues affecting
Cloud computing. Cloud services are very exciting and useful,
but have many open security issues [9]. One issue with cloud
computing is that the management of the data might not be
fully trustworthy; the risk of malicious insiders in the cloud
and the failing of cloud services have received strong
attention from companies [7].
Security is a troubling concern for cloud computing, as
shown in a survey conducted by the IDC enterprise panel,
which confirms that security is the top concern of cloud users
[8]. Cloud systems have lots of potential; however, several
concerns such as those discussed in this article slow the
adoption and, in turn, the growth and usage of cloud systems.
Cloud security is therefore one of the issues that need to be
addressed in order to allow faster growth of cloud computing.
The major security issues in cloud computing include:

A. Trust
Trust between the Service provider and the customer is one
of the main issues cloud computing faces today. There is no
way for the customer to be sure whether the management of
the Service is trustworthy, and whether there is any risk of
insider attacks. This is a major issue and has received strong
attention by companies. The only legal document between the
customer and service provider is the Service Level Agreement
(SLA). This document contains all the agreements between
the customer and the service provider; it contains what the
service provider is doing and is willing to do [9]. However,
there is currently no clear format for the SLA, and as such,
there may be services not documented in the SLA that the
customer is unaware it will need at
some later time.

B. Legal Issues
There are several regulatory requirements, privacy laws and
data security laws that cloud systems need to adhere to. One
of the major problems with adhering to the laws is that laws
vary from country to country, and users have no control over
where their data is physically located.

C. Confidentiality
Confidentiality is preventing the improper disclosure of
information. Preserving confidentiality is one of the major
issues faced by cloud systems since the information is stored
at a remote location that the Service Provider has full access
to. Therefore, there has to be some method of preserving the
confidentiality of data stored in the cloud. The main method
used to preserve data confidentiality is data encryption;
however, encryption brings about its own issues, some of
which are discussed later.

D. Authenticity (Integrity and Completeness)
Integrity is preventing the improper modification of
information. Preserving integrity, like confidentiality, is
another major issue faced by cloud systems that needs to be
handled, and is also mainly done by the use of data encryption.
In a common database setup, there would be many users with
varying amounts of rights. A user with a limited set of rights
might need to access a subset of data, and might also want to
verify that the delivered results are valid and complete (that is,
not poisoned, altered or missing anything) [9].
A common approach to such a problem is to use digital
signatures; however, the problem with digital signatures is
that not all users have access to the data superset, therefore
they cannot verify any subset of the data even if they're
provided with the digital signature of the superset; and too
many possible subsets of data exist to create digital signatures
for each.
Recently, researchers have tried to find solutions to this
problem. The primary proposal is to provide customers with
the superset's signature and some metadata along with the
query results. This metadata (called verification objects) lets
customers fill in the blanks of the data which they don't have
access to and be able to validate the signature. There are two
primary variations of this idea, one based on Merkle trees and
the other based on signature aggregation [9].
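
The Merkle-tree variation of verification objects described above, as an added example (not code from this paper or from [9]): the server answers a key-range query with the matching rows, one boundary row on each side, and the hashes of the subtrees it left out, and the client rebuilds the root from that. All function names and the sample rows are constructed for illustration; the root and row count are assumed to have been authenticated already through the data owner's signature, rows are assumed sorted by key, and the query is assumed to have a <= b.

```python
import hashlib

def leaf_hash(row):
    # 0x00 prefix keeps leaf hashes distinct from interior-node hashes.
    return hashlib.sha256(b"\x00" + repr(row).encode()).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def subtree_root(hashes, s, e):
    """Merkle root over leaf hashes[s:e] (any length >= 1)."""
    if e - s == 1:
        return hashes[s]
    m = (s + e) // 2
    return node_hash(subtree_root(hashes, s, m), subtree_root(hashes, m, e))

def merkle_root(rows):
    """Owner side: the value the owner signs, together with len(rows)."""
    hashes = [leaf_hash(r) for r in rows]
    return subtree_root(hashes, 0, len(hashes))

def make_vo(hashes, lo, hi):
    """Server side: hashes of the maximal subtrees lying outside rows[lo:hi]."""
    vo = []
    def walk(s, e):
        if e <= lo or s >= hi:          # subtree holds no returned row
            vo.append(subtree_root(hashes, s, e))
        elif e - s > 1:
            m = (s + e) // 2
            walk(s, m)
            walk(m, e)
    walk(0, len(hashes))
    return vo

def answer_query(rows, a, b):
    """Server side: answer a <= key <= b, adding one boundary row per side."""
    n = len(rows)
    first = next((i for i, (k, _) in enumerate(rows) if k >= a), n)
    last = next((i for i, (k, _) in enumerate(rows) if k > b), n)
    lo, hi = max(first - 1, 0), min(last + 1, n)
    hashes = [leaf_hash(r) for r in rows]
    return lo, rows[lo:hi], make_vo(hashes, lo, hi)

def verify_result(a, b, lo, returned, vo, n, trusted_root):
    """Client side: return the matching rows, or None if the answer is rejected."""
    hi = lo + len(returned)
    if not returned or lo < 0 or hi > n:
        return None
    it = iter(vo)
    def walk(s, e):
        if e <= lo or s >= hi:
            return next(it)             # filled in from the verification object
        if e - s == 1:
            return leaf_hash(returned[s - lo])
        m = (s + e) // 2
        return node_hash(walk(s, m), walk(m, e))
    try:
        # Integrity: rebuilt root must match, with no unused VO entries.
        if walk(0, n) != trusted_root or next(it, None) is not None:
            return None
    except StopIteration:               # VO too short for the claimed range
        return None
    # Completeness: the run must extend past the query range on both sides,
    # unless it already touches the start or end of the table.
    if lo > 0 and not returned[0][0] < a:
        return None
    if hi < n and not returned[-1][0] > b:
        return None
    return [r for r in returned if a <= r[0] <= b]

# Constructed sample table, sorted by key.
ROWS = [(10, "alice"), (20, "bob"), (30, "carol"), (40, "dave"),
        (50, "erin"), (60, "frank"), (70, "grace")]

if __name__ == "__main__":
    root, n = merkle_root(ROWS), len(ROWS)
    lo, returned, vo = answer_query(ROWS, 25, 55)
    print("accepted:", verify_result(25, 55, lo, returned, vo, n, root))
    forged = list(returned)
    forged[2] = (40, "mallory")
    print("forged row:", verify_result(25, 55, lo, forged, vo, n, root))
```

The client never sees rows outside the returned run, only their subtree hashes, which is the "fill in the blanks" role the verification object plays.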

E. Encryption
The main method used for ensuring data security in the
cloud is by encryption. Encryption seems like the perfect
solution for ensuring data security; however, it is not without
its drawbacks. Encryption takes considerably more
computational power, and this is multiplied by several factors
in the case of databases [9]. Cryptography greatly affects
database performance because each time a query is run, a
large amount of data must be decrypted; and since the main
operation on a database is running queries, the number of
decryption operations quickly becomes excessive.

F. Key Management
Since encryption is the main method used to ensure data
security, naturally we would be faced with the problem of key
management. The encryption keys cannot be stored on the
cloud, therefore the customer must manage and control a key
management system for any cryptographic method used [9].
For simple encryption schemas such as the Early Approaches
described above, there might not be a problem since a single
encryption and decryption key can be used for the entire
system. However, almost any real database requires a more
complex system [9]. This simple system to manage keys
might even have to take the form of a small database which
would have to be a secure local database; which again, may
defeat the purpose of moving the original database to the
cloud. Clearly Key Management is a real problem for cloud
systems using encryption, and recent research has been done
on using two-level encryption which allows the Key
Management system to be stored in the cloud. This scheme is
efficient, and may be the solution to the Key Management
problems cloud systems face; however, it hasn't yet been
applied specifically to database encryption.

G. Multi-Tenancy
Cloud systems share computational resources, storage and
services between multiple customer applications (tenants) in
order to achieve efficient utilization of resources while
decreasing cost; this is referred to as multi-tenancy. However,
this sharing of resources violates the confidentiality of tenants'
IT assets. This implies that unless there's a degree of
isolation between these tenants, it is very difficult to keep an
eye on the data flowing between different realms, which makes
the multi-tenancy model insecure for adoption [8]. Some
multi-tenancy issues are:

H. Virtual Machine Attacks
Typically, in a cloud, business data and applications are
stored and run within virtual machines. These virtual
machines are usually running on a server with other virtual
machines, some of which can be malicious. Research has
shown that attacks against, with and between virtual machines
are possible.
If one of the virtual machines on a server hosts a malicious
application that breaches legal or operational barriers, this
may lead legal authorities, the service provider or other
authorities to shut down and block access to the entire
server. This would greatly affect the users of the other virtual
machines on the server.

I. Shared Resources
Assuming the cloud system isn't running on a virtual
machine, the hardware is now an issue. Research has shown
that it is possible for information to flow between processor
cores, meaning that an application running on one core of a
processor can get access to information of another application
running on another core. Applications can also pass data
between cores.
Multicore processors often have complex and large caches.
With these hardware resources, if data is decrypted in the
cloud, even for a moment for comparison, it would then
exist unencrypted in the memory of one of the cloud
machines. The problem is that we don't know what other
applications are running on these machines. Other malicious
cloud users or the service provider can be monitoring the
machine memory and be able to read our data. However, the
likelihood of these hardware attacks is very small [9].
If one of the applications hosted on a server is malicious, this
may lead to the service provider or some other authority
shutting down and blocking access to the entire server in order to
investigate and determine the malicious application. This
would greatly affect the users of the other applications on the
server.

J. Development Life Cycle
From the perspective of the application development,
developers face the complexity of building secure applications
that may be hosted in the cloud. The speed at which
applications will change in the cloud will affect both the
System Development Life Cycle (SDLC) and security [10, 11].
Developers have to keep in mind that PaaS applications
should be upgraded frequently, so they have to ensure that
their application development processes are flexible enough to
keep up with changes [12]. However, developers also have to
understand that any changes in PaaS components can
compromise the security of their applications. Besides secure
development techniques, developers need to be educated
about data legal issues as well, so that data is not stored in
inappropriate locations. Data may be stored in different
places with different legal regimes that can compromise its
privacy and security.

K. Bugs in Large-Scale Distributed Systems
One of the difficult challenges in Cloud Computing is
removing errors in these very large scale distributed systems.
A common occurrence is that these bugs cannot be reproduced
in smaller configurations, so the debugging must occur at
scale in the production datacenters.
One opportunity may be the reliance on virtual machines in
Cloud Computing. Many traditional SaaS providers developed
their infrastructure without using VMs, either because they
preceded the recent popularity of VMs or because they felt
they could not afford the performance hit of VMs. Since VMs
are de rigueur in Utility Computing, that level of virtualization
may make it possible to capture valuable information in ways
that are implausible without VMs.

L. Data locality
In a SaaS model of a cloud environment, the consumers use
the applications provided by the SaaS and process their
business data. But in this scenario, the customer does not
know where the data is getting stored. In many cases, this
can be an issue. Due to compliance and data privacy laws in
various countries, locality of data is of utmost importance in
many enterprise architectures [13]. For example, in many EU
and South American countries, certain types of data cannot
leave the country because of potentially sensitive information.
In addition to the issue of local laws, there's also the question
of whose jurisdiction the data falls under when an
investigation occurs. A secure SaaS model must be capable of
providing reliability to the customer on the location of the
consumer's data.

M. Data integrity
Data integrity is one of the most critical elements in any
system. Data integrity is easily achieved in a standalone
system with a single database. Data integrity in such a system
is maintained via database constraints and transactions.
Transactions should follow ACID (Atomicity, Consistency,
Isolation and Durability) properties to ensure data integrity.
Most databases support ACID transactions and can preserve
data integrity.
Next in the complexity chain are distributed systems. In a
distributed system, there are multiple databases and multiple
applications. In order to maintain data integrity in a distributed
system, transactions across multiple data sources need to be
handled correctly in a fail-safe manner. This can be done using
a central global transaction manager. Each application in the
distributed system should be able to participate in the global
transaction via a resource manager. This can be achieved
using a 2-phase commit protocol as per the XA standard.
Enter the world of SOA and Cloud computing, and the
problem of data integrity gets magnified even more, as
there is a mix of on-premise and SaaS applications exposed as
services. SaaS applications are multi-tenant applications hosted
by a third party. SaaS applications usually expose their
functionality via XML based APIs (Application Program
Interfaces). Also, in SOA based environments, many on-
premise applications expose their functionality via SOAP and
REST web services as well. One of the biggest challenges
with web services is transaction management. At the protocol
level, HTTP (Hyper Text Transfer Protocol) does not support
transactions or guaranteed delivery, so the only option is to
implement these at the API level. Although there are standards
available for managing data integrity with web services such
as WS-Transaction and WS-Reliability, these standards are
not yet mature and not many vendors have implemented these.
Most SaaS vendors expose their web services APIs without
any support for transactions. Also, each SaaS application may
have different levels of availability and SLA (service-level
agreement), which further complicates management of
transactions and data integrity across multiple SaaS
applications.
The lack of integrity controls at the data level (or, in the
case of existing integrity controls, bypassing the application
logic to access the database directly) could result in profound
problems. Architects and developers need to approach this
danger cautiously, making sure they do not compromise
database integrity in their zeal to move to cloud computing.

N. Web application security
SaaS is software deployed over the internet and/or
deployed to run behind a firewall in a local area network or on a
personal computer. The key characteristics include network-
based access to, and management of, commercially available
software and managing activities from central locations rather
than at each customer's site, enabling customers to access
applications remotely via the Web. SaaS application
development may use various types of software components
and frameworks. These tools can reduce time-to-market and
the cost of converting a traditional on-premise software
product or building and deploying a new SaaS solution.
Examples include components for subscription management,
grid computing software, web application frameworks and
complete SaaS platform products. One of the must-have
requirements for a SaaS application is that it has to be used
and managed over the web (in a browser) [14]. The software
which is provided as a service resides in the cloud without
tying up with the actual users. This allows improving the
software without inconveniencing the user. Security holes in
the web applications thus create a vulnerability to the SaaS
application. In this scenario, the vulnerability can potentially
have detrimental impact on all of the customers using the
cloud. The challenge with SaaS security is not any different
than with any other web application technology; however, one
of the problems is that traditional network security solutions
such as network firewalls, network intrusion detection and
prevention systems (IDS & IPS), do not adequately address
the problem. Web applications introduce new security risks
that cannot effectively be defended against at the network
level, and do require application level defenses.

IV. CONCLUSION
In conclusion, the Security of the cloud infrastructure relies
on trusted computing and cryptography. Organizational data
must be protected in a manner consistent with policies,
whether in the organization's computing center or the cloud.
No standard service contract exists that covers the ranges of
cloud services available and the needs of different
organizations. Having a list of common outsourcing
provisions, such as privacy and security standards, regulatory
and compliance issues, service level requirements and
penalties, change management processes, continuity of service
provisions, and termination rights, provides a useful starting
point [15]. The migration to a cloud computing environment is
in many ways an exercise in risk management. Both
qualitative and quantitative factors apply in an analysis. The
risks must be carefully balanced against the available
safeguards and expected benefits, with the understanding that
accountability for security remains with the organization.




REFERENCES
[1] P. Mell, T. Grance, The NIST Definition of Cloud Computing,
Version 15, National Institute of Standards and Technology, October 7,
2009, http://csrc.nist.gov/groups/SNS/cloud-computing
[2] http://www.rackspace.com/cloud/what_is_cloud_computing/
[3] G. Fowler, B. Worthen, The Internet Industry is on a Cloud -
Whatever That May Mean, The Wall Street Journal, March 26, 2009
[4] N. Leavitt. Is Cloud Computing Really Ready for Prime Time?,
IEEE Computer, January 2009
[5] L. M. Vaquero, L. Rodero-Merino, J. Caceres, M. Lindner, A Break
in the Clouds: Towards a Cloud Definition, Computer Communication
Review, January 2009,
http://ccr.sigcomm.org/online/files/p50-v39n1l-vaqueroA.pdf
[6] L. Youseff, M. Butrico, D. D. Silva, Toward a Unified Ontology of
Cloud Computing, Grid Computing Environments Workshop, held
with SC08, November 2008.
http://www.cs.ucsb.edu/~lyouseff/CCOntology/CloudOntology.pdf
[7] AlZain, M., Soh, B., & Pardede, E. (2012). A New Approach Using
Redundancy Technique to Improve Security in Cloud Computing.
IEEE.
[8] Behl, A., & Behl, K. (2012). An Analysis of Cloud Computing
Security Issues. IEEE, 109-114.
[9] Weis, J., & Alves-Foss, J. (2011). Securing Database as a Service.
IEEE Security and Privacy, 49-55.
[10] Rittinghouse JW, Ransome JF (2009) Security in the Cloud. In: Cloud
Computing. Implementation, Management, and Security, CRC Press
[11] Morsy MA, Grundy J, Müller I (2010) An analysis of the Cloud
Computing Security problem. In: Proceedings of APSEC 2010 Cloud
Workshop. APSEC, Sydney, Australia
[12] Ertaul L, Singhal S, Gökay S (2010) Security challenges in Cloud
Computing. In: Proceedings of the 2010 International conference on
Security and Management SAM'10. CSREA Press, Las Vegas, US, pp
36-42
[13] Softlayer. Service Level Agreement and Master Service Agreement,
2009 http://www.softlayer.com/sla.html, accessed on: 11 December
2009
[14] Zalewski M. Browser security handbook, 2009
http://code.google.com/p/browsersec/, accessed on: 19 February 2010.
[15] S. Overby, How to Negotiate a Better Cloud Computing Contract, CIO,
April 21, 2010,
http://www.cio.com/article/591629/How_to_Negotiate_a_Better_Cloud_Computing_Contract
