
International Journal of Engineering, Management & Sciences (IJEMS)

ISSN-2348 3733, Volume-1, Issue-7, July 2014


Challenges in Cloud Computing Security
Priyanka Singh, Dr. Vijay Singh Rathore


Abstract: Cloud computing services are developing at a much faster
rate, as all big organizations are outsourcing their computational
services or selling their idle computing resources. From a financial
perspective, migrating to the cloud remains a crucial factor, as there
are several aspects that administrators must take into account before
migrating to the cloud. One of the most important aspects of the cloud
is security, as cloud security issues are mainly inherited from the
solutions and techniques adopted to create cloud services, including
what the services are running and which kind of service or data the
cloud user will place on the cloud.
There are a number of security issues associated with cloud computing
that have not been much addressed until now. These security issues can
be faced by cloud providers or by their customers. The cloud provider
should make sure that the services they offer to their customers are
secure and that their customers' data is safe, while the customer
should check that the cloud provider is using security measures to
keep their data safe.
Web services are an essential feature of cloud computing. Because web
services help in providing services easily to end users and in
managing cloud services, nowadays all cloud providers support a large
number of web services. The problem is that, in the hurry to implement
web services on cloud platforms, some developers make mistakes in
their web service modules, which attackers have found and exploited in
the past [5].

Index Terms: Security, cloud, challenges, Attacks, Risks,
Computing, Availability, Platforms, Internet.

I. INTRODUCTION
Cloud computing security (sometimes referred to simply
as "cloud security") is an evolving sub-domain of computer
security, network security, and, more broadly, information
security. It refers to a broad set of policies, technologies, and
controls deployed to protect data, applications, and the
associated infrastructure of cloud computing.
Cloud computing is regarded as the important growth point of IT after
the Internet. According to IDC forecasts, the cloud computing market
will reach $42 billion in 2012. In addition, because the development
concepts of cloud computing accord with the low-carbon economy and
green computing, it is likely to be the soul of the future network, so
countries pay great attention to it now [5].
On the other hand, there are many key problems in cloud computing. As
the report made by IDC in 2009 shows, service security, stability and
performance are the first three market challenges. Based on the
investigation released by Forrester Research in November 2009, about
51% of SEMs regarded security and privacy as the most important
reasons for abandoning cloud services [7]. In 2009 Google, Microsoft,
Amazon and other cloud computing service companies suffered a major
failure, resulting in thousands of customers' information services
being affected, further exacerbating the industry's cloud computing
security concerns. The security issue is an important factor in the
healthy development of cloud computing.

Manuscript received July 23, 2014.
Priyanka Singh, Department of Information Technology, Rajasthan
Technical University, Jaipur, India.
Dr. Vijay Singh Rathore, Department of Computer Science, Rajasthan
Institute of Engg & Tech, Jaipur, India.

II. CHALLENGES IN CLOUD COMPUTING SECURITY
Security issues occur mainly due to three elements: a flaw in software
development, an attacker learning about the flaw, and finally the
attacker using that flaw to exploit the target service or system [3].
To exploit a flaw, an attacker must have some technique or tool to
connect to the target service, so that the attacker can access the
service and exploit the flaw.
When it comes to web services, a security issue is a vulnerability in
any running web service that can be used to gain access to the server,
or that may give access to information carried over that web service
[10]. To find vulnerabilities in a web service, we can use a web
application security scanner, which automates vulnerability detection
for our web application. Generally, web application vulnerability
scanners can look for a huge variety of vulnerabilities, such as:
• Server configuration errors
• Input and output validation
• Specific problems related to that particular web service
So, depending on how a security issue in a web service can provide
access to information or server data, we can categorise security
issues in web services as follows.
A. Bypassing Authentication
Authentication is the method by which users verify their identity to
the server in order to get access to its services. Authentication can
be done using a set of credentials that verify the user's identity
[12]. For example, an identity can be a username, a fingerprint, etc.,
while a credential can be a password, a fingerprint scan, etc.
An attacker may bypass authentication in web services by gaining
users' credentials in several ways, such as:
• Dictionary attacks: The attacker can perform a dictionary attack on
  the server to find the credentials of users.
• Network eavesdropping: In this method the attacker tries to steal
  the user's identity and credentials by reading network traffic on
  the user's network.
• Brute force attacks: A brute force attack may also be performed on
  the server to find the credentials of a user when a dictionary
  attack fails, but it takes much more time than a dictionary attack.
• Credential theft: The attacker can steal the credentials of users by
  stealing data from the server, phishing users and social engineering
  of users.
• Cookie replay attacks: This attack happens when the attacker somehow
  gains access to a user's cookie and uses that cookie to gain access
  to the user's account.
To stop these attacks, users may use the following countermeasures:
• Always use a strong password.
• Do not share credentials with anybody.
• Whenever possible, use HTTPS only.
• Web service providers should use random session ID generators.
B. Session replay Attacks
In a session replay attack, the attacker somehow gains access to the
session cookie of a user and then uses that cookie to gain access to
the user's account. The attacker captures messages sent over the
network and analyses these packets to find the cookie of the user
[13]. This attack is possible when messages are not encrypted, or are
so poorly encrypted that they can be easily decoded.
To avoid session replay attacks, users may use the following
countermeasures:
• If possible, use only encrypted connections in web services.
• Do not use persistent cookies when accessing web services over
  public systems.
C. Session Hijacking
Sessions are used by the application to maintain stateful
communication with the user over a period of time while that web
service is in use. To maintain a session, applications generally make
use of a session cookie or session ID. Because a session allows a user
to make as many service requests as needed until the session expires,
without being asked again for credentials, an attacker who somehow
gains access to the session ID or session cookie can also gain access
to the user's session on the original user's behalf [6].
Session hijacking may be possible if the attacker is able to perform
attacks such as:
• Session replay: If the attacker can access messages from the user's
  network while the channel over the network is unencrypted and can
  find the session key in a message, the attacker can use that session
  key for session hijacking.
• User leaves the account without signing out successfully: If, due to
  some error or by mistake, the user was not able to log out of his
  account and the attacker then uses that system, the attacker may use
  the user's session, and the server will never know whether it is the
  attacker or the real user.
• If an application places session identifiers in query strings, the
  attacker may find the session identifier by looking at the sent URL.
To prevent session hijacking, users may follow these countermeasures:
• Don't use persistent session cookies unless they are required.
• Always log out before leaving the system.
• Use HTTPS whenever possible.
• Server administrators should use a minimal expiry time for session
  keys, which may minimize prolonged use of session keys.
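
The server-side countermeasures listed in subsections A to C (random session IDs, non-persistent cookies, short expiry, logout) can be sketched as follows. This is an added example, not code from the paper; the class, the function names and the timeout values are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before expiry
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: maximum lifetime of any session


class SessionStore:
    """In-memory server-side session table (illustrative, hypothetical API)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}
        self._clock = clock

    def login(self, user):
        # 256 bits from the OS CSPRNG: the ID cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def cookie_header(self, sid):
        # No Expires/Max-Age, so the cookie is not persistent. Secure keeps it
        # off plain HTTP; the ID travels in a cookie, never in a query string.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def validate(self, sid):
        """Return the user of a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if (now - entry["last_seen"] > IDLE_TIMEOUT
                or now - entry["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[sid]   # a replayed copy of the cookie is now useless
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        # Invalidate on the server, so a captured ID stops working immediately.
        self._sessions.pop(sid, None)


def demo():
    """Run the store against a constructed clock so expiry needs no waiting."""
    clock = {"now": 1_000_000.0}
    store = SessionStore(lambda: clock["now"])
    sid = store.login("alice")
    results = {"fresh": store.validate(sid)}
    clock["now"] += IDLE_TIMEOUT + 1
    results["after_idle"] = store.validate(sid)
    sid2 = store.login("alice")
    store.logout(sid2)
    results["after_logout"] = store.validate(sid2)
    results["cookie"] = store.cookie_header(sid2)
    return results


if __name__ == "__main__":
    print(demo())
```
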

D. Man-in-the-middle attack
In a man-in-the-middle attack, an attacker tries to steal messages
from the communication channel between the client and the service. If
the attacker gains access to the communication channel, he may read
messages directly and can modify them if the channel is unencrypted
[7]. If the channel is encrypted, the attacker can only read and
modify messages if he can decrypt the messages sent over the channel.
To decrypt messages sent over an encrypted channel, the attacker needs
to know the encryption key, which is possible if the attacker starts
monitoring the channel before the server and client start
communicating. In that scenario, when the user wants to connect to the
server, the user asks the server for its public key. If the attacker
can stop this message, the attacker asks the server for the public key
on the user's behalf but keeps the original public key sent by the
server, generates two pairs of public and private keys of his own, and
sends one public key to the client on behalf of the server and the
other public key to the server on behalf of the client.
So now, whenever the server sends a message, the attacker captures it,
decrypts it using his private key and, after looking into the message,
forwards it to the client after encrypting it with the client's public
key. The same is done when the user sends a message to the server. The
server and client think that they are using an encrypted channel, but
in reality the session is being watched even though the connection is
encrypted.
To prevent man-in-the-middle attacks we need to secure the
communication channel between client and server, but this is not
completely possible, as different network segments are generally
controlled by different agencies, and they rarely use all the security
measures and protocols needed to stop access to the communication
channel.
E. Cross-site request forgery attack
In a cross-site request forgery (CSRF) attack, an attacker tricks a
user into visiting a site where the user actually has an account and
is currently logged in to that account. This attack is also known as a
one-click attack, because the user is tricked into clicking on a link
carrying a malicious exploit that performs an action on behalf of the
user on the logged-in website. Whereas cross-site scripting (XSS)
takes advantage of the user's trust in a website to perform the
attack, cross-site request forgery (CSRF) takes advantage of a
website's trust in the web browser.
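
A common way for the website to stop trusting the browser alone is to require a per-session token that only its own pages can supply. The sketch below is an added example, not code from the paper; the function names, the form field name `csrf_token` and the session IDs are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed secret, known only to the server
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id):
    """Token the site embeds in its own forms; HMAC binds it to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method, session_id, form):
    """Accept a state-changing request only if it carries this session's token."""
    if method.upper() in SAFE_METHODS:
        return True   # read-only methods must never change state
    supplied = str(form.get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo():
    """Constructed requests: the session cookie is valid in every case."""
    alice_sid = "constructed-session-id-alice"
    other_sid = "constructed-session-id-other"
    own_form = {"amount": "10", "csrf_token": issue_csrf_token(alice_sid)}
    # A request triggered from another site: the browser attaches the cookie,
    # but the foreign page cannot read or compute the token.
    cross_site_form = {"amount": "10"}
    wrong_session_form = {"amount": "10",
                          "csrf_token": issue_csrf_token(other_sid)}
    return {
        "own_form": is_request_allowed("POST", alice_sid, own_form),
        "cross_site": is_request_allowed("POST", alice_sid, cross_site_form),
        "wrong_session": is_request_allowed("POST", alice_sid, wrong_session_form),
        "read_only": is_request_allowed("GET", alice_sid, {}),
    }


if __name__ == "__main__":
    print(demo())
```
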
III. GENERAL REQUIREMENTS ON CLOUD SECURITY
Security is in general related to the important aspects of
confidentiality, integrity, availability and privacy.
A. Confidentiality
Confidentiality means that only authorized users or systems have the
permission and ability to access protected data. Its purpose is to
ensure that user data which resides in the cloud cannot be accessed by
an unauthorized party. In cloud computing, confidentiality plays a
major part, especially in maintaining control over organizations' data
situated across multiple distributed databases [2].

Asserting the confidentiality of users' profiles and protecting their
data, which is virtually accessed, allows information security
protocols to be enforced at various different layers of cloud
applications.
Confidentiality can be achieved through proper encryption techniques,
taking the type of encryption into consideration: symmetric or
asymmetric encryption algorithms, and also key length and key
management in the case of the symmetric cipher [11]. Actually, it is
all based on the cloud provider. It also depends on the customers'
awareness that they can encrypt their information prior to uploading
it. Also, the cloud provider should ensure proper deployment of
encryption standards using the NIST standards in [5].
Data confidentiality in the cloud is correlated to user
authentication. Protecting a user's account from theft is an instance
of a larger problem of controlling access to objects, including
memory, devices, software, etc. Authentication is the process of
establishing confidence in user identities when they are presented to
an information system. Lack of strong authentication can lead to
unauthorized access to users' accounts on a cloud, leading to a breach
in privacy.

Fig. 1 Cloud Computing Security-A Biggest Concern
B. Integrity
Integrity means that assets can be modified only by authorized parties
or in authorized ways. Integrity may be associated with data, software
and hardware. Data integrity refers to protecting data from
unauthorized deletion, modification or fabrication. Managing an
entity's admittance and rights to specific enterprise resources
ensures that valuable data and services are not abused or
misappropriated [1]. Moreover, integrity-preserving mechanisms offer
greater visibility into determining who or what may have altered data
or system information, potentially affecting their integrity
(accountability). Cloud users should worry not only about the
confidentiality of data stored in the cloud but also about its
integrity.
Data could be encrypted to provide confidentiality; there is, however,
no guarantee that the data has not been altered while it resides in
the cloud. A cloud computing provider is trusted to maintain data
integrity and accuracy [15].
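
A customer who does not want to rely on that trust alone can keep keyed checksums of what was uploaded and recheck them on download. The sketch below is an added example, not code from the paper; the chunk size, the function names and the sample data are assumptions, and the manifest and key are assumed to stay with the customer rather than in the cloud.

```python
import hashlib
import hmac
import secrets

CHUNK_SIZE = 4096   # assumed chunk size in bytes


def _chunks(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def _tag(key, index, chunk):
    # The chunk index is part of the MAC input, so swapping two valid chunks
    # is detected as well as changing their content.
    return hmac.new(key, index.to_bytes(8, "big") + chunk, hashlib.sha256).digest()


def build_manifest(key, data, size=CHUNK_SIZE):
    """Computed before upload; one HMAC-SHA256 tag per chunk of the object."""
    return [_tag(key, i, c) for i, c in enumerate(_chunks(data, size))]


def find_altered_chunks(key, data, manifest, size=CHUNK_SIZE):
    """Return indices of chunks that were changed, removed or appended."""
    chunks = _chunks(data, size)
    bad = [i for i, (c, t) in enumerate(zip(chunks, manifest))
           if not hmac.compare_digest(_tag(key, i, c), t)]
    # A length mismatch means truncation or appended data.
    low, high = sorted((len(chunks), len(manifest)))
    bad.extend(range(low, high))
    return bad


def demo():
    key = secrets.token_bytes(32)
    stored = bytes(range(256)) * 40            # constructed 10,240-byte object
    manifest = build_manifest(key, stored)
    flipped = bytearray(stored)
    flipped[5000] ^= 0x01                      # one bit changed in chunk 1
    return {
        "unchanged": find_altered_chunks(key, stored, manifest),
        "bit_flip": find_altered_chunks(key, bytes(flipped), manifest),
        "truncated": find_altered_chunks(key, stored[:8192], manifest),
    }


if __name__ == "__main__":
    print(demo())
```

The same check applies whether the stored object is plaintext or ciphertext, since the tags are computed over the bytes that are actually uploaded.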
C. Availability
Availability is one of the most critical information
security requirements in cloud computing. Availability
refers to the property of a system being accessible and
usable upon demand by an authorized entity. In simple
terms, availability means that an organization has its full
set of computing resources accessible and usable at all
times. Availability can be affected temporarily or
permanently, and a loss can be partial or complete.
Denial of service attacks, equipment outages, and natural
disasters are all threats to availability [14].
The goal of availability for cloud systems (including applications and
infrastructures) is to ensure that users can use them at any time, at
any place. This is one of the prime concerns of mission- and
safety-critical organizations.
D. Privacy
Privacy is the desire of a person to control the disclosure of
personal information. Privacy is an important issue for cloud
computing, both in terms of legal compliance and user trust [9].
Privacy is a core issue in all the challenges, including the need to
protect identity information, policy components during integration,
and transaction histories. By migrating workloads to a shared
multi-tenant infrastructure, customers' private information faces an
increased risk of potential unauthorized access and exposure [4].
Cloud providers must assure their customers and provide a high degree
of transparency into their operations and privacy assurance. Privacy
protection mechanisms must be embedded in all security solutions.

IV. CONCLUSION
This paper emphasizes the concept of cloud computing security. Cloud
computing is regarded as the important growth point of IT after the
Internet. Security is the biggest concern for cloud computing.
Security is in general related to the important aspects of
confidentiality, integrity, availability and privacy. Various security
risks were pointed out. A cloud computing scenario can be modelled
using three different classes of participants: service users, service
instances and the cloud. The classification of security attack surface
areas was described in brief.
Web services in cloud computing are challenged by several security
issues. The attacks described earlier illustrate how easily an
insufficiently secured web service server can be affected by a single
or a few web vulnerabilities. While some of the vulnerabilities are
caused by implementation weaknesses, most of them exploit fundamental
protocols by abusing the given WS-related standards. Thus, in order to
cope with these threats, web service developers and adopters must be
aware of the vulnerabilities and their potential impact.
Web servers can also be affected by some web vulnerabilities. Thus, to
cope with these security issues, web service developers have to be
aware of them. As nearly all services in the cloud run over the web,
these security issues may also appear in the cloud. So, web services
in the cloud must also be secured.

REFERENCES
[1] Ajey Singh, Dr. Maneesh Shrivastava, "Overview of Attacks on Cloud
Computing", IJEIT, Volume 1, Issue 4, April 2012.
[2] Dikaiakos et al., "Cloud Computing: Distributed Internet Computing
for IT and Scientific Research", IEEE, Volume 13, Issue 5, Sept.-Oct.
2009, pp. 10-13.
[3] Wang Laifu, Shen Jun, Jin Huamin, "Research on Cloud Computing
Security", Telecommunications Science, 2010, 26(6): 67-70.
[4] Huaglory Tianfield, "Security Issues in Cloud Computing", 2012 IEEE
International Conference on Systems, Man, and Cybernetics, October
14-17, 2012, COEX, Seoul, Korea.
[5] Rosenblum M., Garfinkel T., "Virtual Machine Monitor: Current
Technology and Future Trends", Published by the IEEE Computer
Society, 2005.
[6] L. M. Kaufman, "Data security in the world of cloud computing", IEEE
Security & Privacy, vol. 7, no. 4, 2009, pp. 61-64.
[7] Ajay Jangra, Renu Bala, "A Survey On Various Possible Vulnerabilities
And Attacks In Cloud Computing Environment", ISSN 2229-6166,
Volume 3, Issue 1, January 2012.
[8] W. Jansen and T. Grance, "Guidelines on Security and Privacy in
Public Cloud Computing", National Institute of Standards and
Technology (NIST), January 2011,
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.
[9] European Network and Information Security Agency, "Cloud
Computing: Benefits, risks and recommendations for information
security", November 2009,
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.
[10] Gartner, "From Secure Virtualization to Secure Private Clouds",
October 2010,
http://www.vmware.com/files/pdf/analysts/Gartner-From-Secure-Virtualization-to-Secure-Private-Clouds.pdf.
[11] Jericho Forum, "Cloud Cube Model: Selecting Cloud Formations for
Secure Collaboration", April 2009,
http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf.
[12] K. Scarfone, M. Souppaya and P. Hoffman, "Guide to Security for Full
Virtualization Technologies", National Institute of Standards and
Technology (NIST), January 2011,
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf.
[13] Jyotiprakash Sahoo, Subasish Mohapatra, Radha Lath, "Virtualization:
A Survey On Concepts, Taxonomy And Associated Security Issues",
2010 IEEE.
[14] Anas BOUAYAD, Asmae BLILAT, Nour el houda MEJHED,
Mohammed EL GHAZI, "Cloud computing: security challenges", 2012
IEEE.
[15] Gurudatt Kulkarni, Nikita Chavan, Ruchira Chandorkar, Rajnikant
Palwe, "Cloud Security Challenges", 2012 7th International Conference
on Telecommunication Systems, Services, and Applications (TSSA).
[16] Akhil Behl, "Emerging Security Challenges in Cloud Computing", 2011
IEEE.
