International Journal of Computer Science and Information Security (IJCSIS),

Vol. 17, No. 4, April 2019

SECURITY IN CLOUD COMPUTING: A SURVEY
Lubna Alhenaki, Alaa Alwatban, Bashaer Alahmri and Noof Alarifi
College of Computer Science and Information, King Saud University, Riyadh, Saudi Arabia.
437204268@student.ksu.edu.sa, 437203516@student.ksu.edu.sa,
438202924@student.ksu.edu.sa, 437202861@student.ksu.edu.sa

Abstract- Within the recent decade, major innovations in technology have emerged that potentially add
more convenience to daily life practices, not only on an enterprise level but on an individual level as well. Cloud
Computing technology has witnessed significant advances in its implementation and has become widely adopted by
both the private and public sectors. It has recently become evident that many organizations and enterprises are
transferring their workloads to the cloud. However, security is a major concern for cloud computing services,
which are based on an Internet connection that makes them vulnerable to multiple types of attacks. Even though the
security measures implemented for cloud computing are developing with every passing year, security is still a
challenge. In this paper, we conducted a survey study on cloud computing and addressed different types of
attacks and possible threats to this emerging technology, as well as protection methods and existing solutions to
such attacks.

I. INTRODUCTION
Cloud computing (CC) technology has been broadly utilized in many areas, including file sharing, real-
time applications, and communication. Major CC innovations have emerged within recent decades,
including significant advances. CC has become widely adopted in both the private and public sectors due to
the practicality of its services, which can potentially add convenience at several levels. On the other hand,
the security of the provided services is a primary concern for both cloud users and cloud service providers.
Cloud Computing security is an essential subdomain of computer security, and it poses a major challenge
to cloud technologies’ widespread adoption [1]. Because CC services are essentially based on an Internet
connection, they are vulnerable to a variety of attacks and other security threats, which can result in
potentially severe impacts such as data breaches, malware injections, denial-of-service (DoS) attacks, data
losses, and insecure application programming interfaces (APIs) [2]. According to [3], security incidents in
the cloud environment have grown notably over the past few years, probably due to the remarkable growth
in cloud services.
It has recently become evident that many organizations and enterprises have begun transferring their workloads
to the cloud. According to a survey conducted by LogicMonitor [4], which is a leading SaaS-based
performance-monitoring platform for enterprise IT, the number of enterprise workloads moving to the
cloud will increase to 83% by 2020.
Despite the evolution of cloud adoption, many significant challenges could hinder the deployment of this
ubiquitous technology. According to “the state of the cloud” report conducted by a leading Cloud
Computing company, RightScale [5], CC security is still a major concern, along with increased spending,
lack of resources and expertise, and performance issues (among others).

For this paper, we conducted a survey on Cloud Computing to address various types of attacks and other
threats to this progressing technology, as well as potential protection methods and the existing solutions to
such problems.
The remainder of this paper is structured as follows. Section II presents an overview of CC, including its
characteristics, architecture, deployment models, and advantages and disadvantages. In Section III, we
discuss the CC security models, requirements, and policies, followed by an intensive study of CC security
threats and the possible solutions to the existing problems in CC. Section IV comprises the conclusion.
II. OVERVIEW OF CLOUD COMPUTING
Cloud Computing is defined by National Institute of Standards and Technology (NIST) as “A model for
enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction” [1].
This section provides a brief overview of CC technology, including its characteristics, architecture,
service models, deployment models, and advantages and disadvantages. The essential CC characteristics
are illustrated in the following subsection.
A. Cloud Computing Characteristics
Cloud Computing has the following unique characteristics.
a) On-demand self-service
In on-demand self-service, any user can comfortably obtain computing capabilities such as network
storage, software usage, and server time. These services are flexible and do not actually require users to
contact service providers for assistance, as the users can easily access the required services through the
Internet and perform the desired actions on their own and at any time [6].
b) Broad network access
Broad network access refers to the various cloud capabilities and resources that are broadly accessible
over the network through multiple platforms (e.g., laptops, mobile phones, and tablets) [7]. Those cloud
capabilities and resources are usually hosted in a firm’s private cloud and operate behind a firewall to
provide more options for the firm’s employees to conveniently access the resources over the Internet from
multiple devices.
c) Resource pooling
In resource pooling, computing resources are shared using a multi-tenant model [1], thus serving many
consumers. This method allows users to modify their levels of service at any time without being restricted by
physical limitations or even virtual resources. The administration of these resources is completely
transparent to users, and all the services seem to be available at all times from the user’s perspective; the user
might not even know about the resources’ physical location [8].
d) Rapid elasticity
Rapid elasticity is a fundamental aspect of CC in which capabilities are efficiently provided in any
quantity and at any time to support rapid scaling (both inward and outward) according to consumer requests
such as those for additional space in the cloud; in rapid elasticity, many types of services can be provided
seamlessly to users at various scales [1].
e) Measured service
In measured service, cloud systems continuously monitor and control resources; the measurements
(billing, resource use, etc.) are communicated transparently to the users. This process is highly beneficial to
both users and providers because it allows the services to be optimized at various levels [1].
B. Architecture of Cloud Computing
The cloud architecture is generally classified into three cloud-service models: infrastructure-as-a-service
(IaaS), the lowest layer, which provides fundamental infrastructure for the other layers; platform-as-a-
service (PaaS), the middle layer, which provides an environment for developing and hosting users’
applications; and software-as-a-service (SaaS), the upper layer, which provides an application layer that
works as a service on demand. This architecture follows a bottom-up approach [9],[10] as shown in Fig. 1.

Figure 1. Service Model in Cloud Architecture.


a) Software-as-a-service (SaaS)
SaaS is also known as an on-demand service that allows customers to utilize applications that are hosted on a
cloud server and delivered over the Internet; this can include online office suites and e-mail applications.
Users can subscribe to web-based software services to handle their business’s needs at a small cost instead of
purchasing new software. The consumers depend on the providers for security. SaaS does not require the
users to have special hardware or software; however, it does require a permanent Internet connection.
Consumers who use SaaS do not have to pay for hardware or maintenance, and they can easily scale their
services according to their needs [11], [12].

b) Platform-as-a-service (PaaS)
PaaS, the layer beneath SaaS, allows developers to efficiently write and develop SaaS applications and
deploy them on the PaaS layer. PaaS completely supports the software life cycle, and it is an economical
option for developers, as it allows them to concentrate on building and running applications rather than on
monitoring the underlying infrastructure. The service providers are responsible for constructing and
maintaining the infrastructure for the developers [11].
c) Infrastructure-as-a-service (IaaS)
IaaS, the lowest layer, provides the fundamental infrastructure for the above layers. IaaS includes
networking hardware, servers, operating systems (OS), and storage. It allows consumers to utilize complete
resources without purchasing physical equipment. IaaS is also a cost-effective and faster choice for operating
the workload without the need to purchase or manage the underlying infrastructure; however, as it is based
on Internet connectivity, availability is a primary concern [12],[13].
C. Deployment Model of Cloud Computing
The National Institute of Standards and Technology (NIST) proposes four main CC deployment models
[1]: public, private, hybrid, and community clouds.
a) Public clouds
In a public cloud environment, hardware and software resources are publicly shared among different users.
A third-party public-cloud service provider manages and monitors this environment, so such clouds are
suitable for information that is not sensitive [14]. The main distinction between public clouds and private
clouds lies in the fact that public-cloud users aren’t responsible for managing or maintaining the
infrastructure (which is the provider’s responsibility); in addition, although increasing scalability should not
be an issue for the public-cloud users, security remains a concern [7], [15].
b) Private clouds
A private cloud is operated by a single organization; all of a given cloud’s systems and services are only
accessible within the boundaries of that organization. Private clouds are also known as internal clouds or
enterprise clouds. The data center that runs the cloud belongs to the company, and the data is protected
behind that company’s firewall. The company handles all the management and maintenance related to the
infrastructure; a private cloud is thus very expensive, but it is more secure than a public cloud [11], [15].
c) Hybrid clouds
A hybrid cloud is a combination of two or more types of clouds (e.g., a public–private cloud). Because it
exhibits the features of the involved clouds, this type of deployment model provides high scalability and
flexibility, as well as many options for data deployment. A hybrid cloud is managed centrally. The workload
can move from private to public according to the organization’s needs and the available resources [11], [15].
d) Community clouds
Community clouds are similar to public clouds in many aspects; however, this cloud-service model is
usually intended for specific individuals, businesses, or organizations that share the same cloud
requirements. In a community cloud, either participating community members or a third-party service
provider can manage the shared resources [6],[11].
D. Advantages and Disadvantages of Cloud Computing
It goes without saying that every existing technology has positive and negative points that need to be
considered and that the balance between those points is highly important for those who seek to ensure that
the results always match the requirements. In this subsection, we describe some of the most common
advantages and disadvantages of CC.
a) Advantages
· Cost efficiency: Enterprises and organizations need not worry about expenses related to software,
hardware, or maintenance [16].
· High speed: Acquiring the desired services (whether they are hardware- or software-based) can be
done in a few clicks, thus eliminating long waits for service deployment [8].
· Automatic backups and data restoration: Cloud backups of data can be a life-saver when a local
machine is damaged [8].
· Accessibility: Storing data in the cloud makes it accessible anywhere, at all times, and from multiple
devices [17].
b) Disadvantages
· Security flaws: The confidentiality of information stored on the cloud can be violated when
unauthorized access occurs due to various causes (e.g., hacking) [18].
· Limited control: Cloud services sometimes do not match an organization’s requirements; it is often
not possible for cloud users to control the services’ hardware or software [18].
· Low bandwidth: A company that has low bandwidth may have limited accessibility to cloud
resources [19].
III. CLOUD COMPUTING SECURITY REQUIREMENTS
There are four main CC security requirements that help to ensure the privacy and security of cloud
services: confidentiality, integrity, availability, and accountability.
A. Confidentiality
Confidentiality requires blocking unauthorized exposure of CC service users’ information. Cloud
providers charge users to guarantee confidentiality; in CC, the focus is on authentication of cloud resources
(e.g., requiring a username and password for each user). Moreover, access control is an important part of
confidentiality in CC. Neither access control nor authentication works with a compromised CC system, as it
is much harder to block unauthorized information disclosure on such a system. Many approaches to
protecting users’ sensitive cloud data are based on encryption and data segmentation. If a provider’s server
is compromised, data segmentation reduces the amount of sensitive data that is disclosed. Data
segmentation also has other advantages; for instance, if the entire server is compromised, only a small
amount of user data is leaked, and downtime is reduced. A covert channel is another potential
confidentiality issue in a CC system; covert channels can cause information leaks through unauthorized
transmission paths.
CC providers use service-level agreements (SLAs) to resolve security issues for customers. Thus,
providers of CC services should join to create standards for SLAs [20]. As in [21], combining a CC system
with a trustworthy computing platform can improve availability, confidentiality, and integrity in a security
service. In addition, secure objects can be restricted using encryption, which gives permission for only
particular users to access those objects. Virtualization is the main aspect of the CC system; therefore many
researchers have proposed techniques for using virtualized systems to implement security goals. One of the
proposed techniques for ensuring a secure environment for CC services is called 3D [22]; in it, before using
CC services, the user must choose levels of availability, confidentiality, and integrity. The availability
value restricts the data access to certain verified clients. The confidentiality value describes the security
level. Finally, the integrity value represents the accuracy of the users’ data and the amount of modification
needed.
Confidentiality is a part of CC service that the provider must guarantee, along with control of the CC
infrastructure. The provider should guarantee confidential access to the data by ensuring trusted data
sharing or through the use of authorized data access. Therefore, there are huge barriers with the growth of
the CC system between the privacy of the user and security of the data.
B. Integrity
One goal of using CC systems is to utilize a variety of resources. That is why CC supports all data and
why many users stick to the same clouds. Users also desire the ability to change or update existing data or
to add new data to the cloud. Therefore, data access should be controlled to ensure data integrity. As with
confidentiality, integrity requires access control and authentication. Thus, if the CC system is compromised
by a weak password, the cloud data’s integrity will not be protected.
To overcome this huge challenge, providers use virtualization-based dynamic integrity [23] to help
clients use cloud services without interrupting the providers’ work with other clients. Such a method is
useful for ensuring integrity and security with satisfactory performance and cost. Another method, value-at-
risk [24], helps to ensure suitable security and integrity. In [25], the cloud-based governance design
guarantees integrity and security by controlling the path between the provider and the enterprise client.
Another method [26] provides a test of information integrity based on an SLA between the provider and the
client. The consumer can use this SLA to verify the accuracy of the cloud information. In a blind execution
of services, the client transfers each type of information through the CC system using a separate process. In
the trusted computing method [27], blind processing is used to ensure the integrity of the clients’ data. This
method separates the execution environment from the system, so that the system’s hardware and computing
base can be secured and the credentials’ accuracy can be verified.
C. Availability
Availability is the ability for the consumer to utilize the system as expected. One of the significant
advantages of a CC system is its data availability. CC enhances availability through authorized entry. In
addition, availability requires timely support and robust equipment. A client’s availability may be ensured
as one of the terms of a contract; to guarantee availability, a provider may secure huge capacity and
excellent architecture. Because availability is a main part of the CC system, increased use of the
environment will increase the possibility of a lack of availability and thus could reduce the CC system’s
performance.
CC affords clients two ways of paying for cloud services: on-demand resources and (the cheaper option)
resource reservation. The optimal virtual-machine (VM) placement [28] mechanism helps to reduce the
cost of both payment methods. By reducing the cost of running VMs for many CC providers, it supports
expected changes in demand and price. This method involves the client making a declaration to pay for
certain resources owned by the CC providers (using the SIP optimal solution). As discussed above, CC
systems can achieve high service availability and high scalability through the use of partitioned computing.
The client can take advantage of CC resource pooling through the provider’s huge computers, which
provide the applications with computational power and software based on the service demand. Because
they use separated and distributed servers, clouds have high availability [29]. CC providers offer services to
huge companies through big data centers, and other companies can also use the services on those clouds. In
the architecture described in [30], a collection of small clouds is used to produce a massive joint cloud that
users view as a single entity. This architecture requires the managing of individuals’ behavior to satisfy the
complex matching of clients and ensure that the service provides the computing benefits offered by small
clouds.
D. Accountability
Accountability involves verifying the clients’ various activities in the data clouds. Accountability is
achieved by verifying the information that each client supplies (and that is logged in various places in
information clouds). Directly connecting all activities to a client’s account is not always satisfactory.
Neither the client nor the provider takes all the responsibility for a system breakdown. Thus, both the client
and the provider must maintain accountability in case disputes occur. Thus, one of them will need to log
any incidents for future auditing, clearly identify each incident, and provide the necessary equipment for
logging such transactions [31],[32]. As an example, when a client’s account is compromised in an attack,
the client can no longer perform certain activities. Thus, the cloud service providers need to have saved
sufficient information to restore the compromised account and identify the exceptional behavior. Tracing
even the smallest actions that happen in the clouds could ensure accountability; such tracking will identify
the client or entity that is responsible for any given disaster. Evidence should be logged for each activity
once it starts processing. The transaction log can then be used during the examination to determine the
aptness of the evaluation.
Accountability is a challenge in a CC system in part because misconfigured devices can produce
unreliable calculation results. In addition, when clients rent insufficient resources for their tasks, this could
reduce the performance of the provided services. A virus can also destroy clients’ data, and a provider can
fail to deliver data on time or even lose data.
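One way to make the activity log described above usable as evidence in a client/provider dispute is a hash-chained log whose latest hash is handed to the other party as a receipt. This is an added example, not a method from the paper or its references; the hash chain, `AuditLog`, `verify`, `build`, `with_edit` and the sample events are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64

# Constructed sample activity for one tenant (hypothetical names and values).
SAMPLE_EVENTS = [
    ("2019-04-01T09:00:02Z", "tenant-42", "login", "console"),
    ("2019-04-01T09:01:10Z", "tenant-42", "read", "bucket/reports/q1.csv"),
    ("2019-04-01T23:47:31Z", "tenant-42", "delete", "bucket/reports/q1.csv"),
    ("2019-04-01T23:48:05Z", "tenant-42", "logout", "console"),
]


def _link(prev, record):
    """Hash of the previous link plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    """Append-only activity log in which each entry commits to all earlier ones."""

    def __init__(self):
        self.entries = []

    def append(self, ts, client, action, resource):
        record = {"seq": len(self.entries), "ts": ts, "client": client,
                  "action": action, "resource": resource}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev": prev, "hash": _link(prev, record)}
        self.entries.append(entry)
        return entry["hash"]  # head value, handed to the other party as a receipt


def verify(entries, head):
    """Return -1 if the log is intact, else the index where verification fails."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["record"].get("seq") != i or entry["prev"] != prev:
            return i
        if entry["hash"] != _link(prev, entry["record"]):
            return i
        prev = entry["hash"]
    # An internally consistent chain that ends elsewhere was truncated or rebuilt.
    return -1 if prev == head else len(entries)


def build(events):
    """Log the given events in order and return the log with its final head."""
    log = AuditLog()
    head = GENESIS
    for event in events:
        head = log.append(*event)
    return log, head


def with_edit(entries, index, **changes):
    """Copy of the log with one record altered and the stored hashes untouched."""
    edited = copy.deepcopy(entries)
    edited[index]["record"].update(changes)
    return edited
```

Because the chain is unkeyed, either party can run `verify`; what stops a silent rewrite is that the counterparty already holds the head it was given.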

IV. CLASSIFICATION OF CLOUD SECURITY ISSUES


CC contains many categories, each of which has many security concerns. The security issues occur
throughout CC hardware, software, and communication. Data defects in cryptographic methods can cause
security issues in data centers or in communication. These issues can also come from the customer if the
authentication policy is weak.
A. Embedded Security
Embedded systems have the advantages of high-quality tools and require the user to connect to a local
network to unlock the debug ability. The main CC security issues in the embedded system are due to the
use of VMs [33]. Such systems have the advantages of strength and isolation. However, a VM can have a
real security threat when a problem with deployment occurs. Data leakage can arise through the
implementation of separate VM workloads. Thus, CC providers should be careful when uploading isolated
VMs into the infrastructure. In addition, in VM monitoring, the host computer works as a controlling point,
as the host machine can update and change any resources in the VM [34].
B. Applications
The most sensitive and vulnerable areas of any system are software applications. Software includes both
a front end and a back end on many platforms and frameworks. The huge amount of software code [35] is
the primary cause of security concerns. When an application has many programmers and/or coding
languages, many vulnerabilities can arise.
A software front end can allow for a high potential for unauthorized access and insufficient
configuration. Part of a programmer’s job is to learn and apply the security features used in web coding. A
special isolated front end uses injection-masked code to limit the errors that an intruder can generate.
Injection attacks [36] are used to gain access to the software’s back end through weaknesses that can arise
from development through testing. Platform-security issues include authentication, permissions, and
access-control challenges. This framework has some of the biggest security problems in the CC
environment: identity management, user-access control, and flow control. In the cloud, licensing can
become a problem as well, as vendors have not yet been able to prevent the illegal distribution of licensed
software.
C. Client Management
Client management is a security matter in the CC environment. Client management simply involves
protecting the public information in the client’s system. The client’s experience plays an important role in a
cloud, as cloud services are growing so fast that the industry is experiencing an overall service increase.
That’s why some providers are struggling due to the deployment of weak solutions to the user. Some users
with experience in the cloud security field will struggle when choosing a cloud provider. User
authentication plays a great role in protecting the cloud from strictly illegal access.
A lot of previous work [37] has been done on various cloud-authentication attacks. Part of a cloud
service is the ability to access that service from many locations and through many devices; therefore,
providers must ensure that legitimate users have access. Producing a benchmark to manage the service
level is helpful in evaluating a cloud’s performance for a particular client. Such a measurement helps
ensure that the cloud services meet the users’ expectations. Some security problems [38], such as
unintentionally stopping a provider’s auditing of security events, can cause a response alert from an
important vendor to be ignored.
D. Cloud Data Storage
The most significant component of CC is cloud data storage. Given the current growth in online
applications and the connected devices, the security issues related to cloud data storage are becoming more
important. Data warehouse deployment requires high security, which reflects the quality of the cloud
service.
As discussed earlier, availability is one of the main goals of CC; availability means that the client can get
services from any location at any time. Multitier architecture carries the balance by running on many
servers, thus helping to prevent DDoS attacks [39]. Cryptography generally works properly, but failures
can occur when the cryptography is employed to overcome the weaknesses of a cloud. Attackers can inject
malware into a cloud to take control over the cloud storage. In a technique called inference, the attacker
extracts high-level sensitive data from complicated databases. In other words, inference is similar to data
mining in that huge databases are used to extract information. Much more information is endangered as
the complexity of databases increases [40].
V. THREATS AND COUNTERMEASURES IN A CLOUD COMPUTING ENVIRONMENT
A threat is a possible cause of an incident; it may result in harm to a system or an organization [41],[42].
This section provides specifications on the most dangerous threats in CC. Each threat is described in detail,
and some examples are provided. The impact of these threats and some suggested solutions are also given.
The chosen threats are data losses; data breaches; insecure interfaces and APIs; malicious insiders; account,
service, and traffic hijacking; shared technology vulnerabilities; and abuse of cloud services [43],[44].
A. Data Loss
Data losses can occur for various reasons, both intentional and unintentional; actions with both good and
harmful intentions can lead to data losses. Data can be lost due to accidental deletion or alteration.
Additionally, for encrypted data, the loss of the encryption key can cause data loss. Natural causes (e.g.,
earthquakes or fires) are also possible. In CC, the threat of data loss affects IaaS, PaaS, and SaaS cloud
services. CC providers should cover the data-loss aspect to ensure reliability, usability, and extensibility.
Even though the cloud provides cost-saving methods, these methods should not compromise the users’ data
[45].
Therefore, it is important to be aware of all the situations that can cause this type of threat. Clearly, data
protection is a critical priority in all of network security (not just in cloud security), but the challenges are
greater in CC due to the high number of interactions and users. Both cloud employees and cloud providers
can cause data losses. An employee’s lack of knowledge of cloud-related methods and actions, for instance,
can lead to data loss. In addition, trust in cloud providers is an issue, as they could rely on the cloud for
significant profits, which they could achieve by trying to preserve the customers’ data using lower-priced
methods that could be easily overcome [46]. Additionally, unverified procedures, inadequate data-retention
practices, and poor policies can cause data losses [47].
Institutions use CC to store data, and they expect to receive the promised levels of data integrity and
safety. However, as the cloud is a multi-tenant environment with various authorities and access methods,
unauthorized users need to be detected and prevented from accessing data and services. Although this is not
an easy task, it needs to be correctly addressed and managed. Data loss can cause financial losses for
customers and reputation losses for institutions. Specifically, incomplete authentication, authorization, or
accounting controls; undependable encryption algorithms or keys; operational failures; political matters;
and data-center reliability are the main causes of direct and indirect data loss [48].
Many users have suffered from data loss. One such data-loss incident occurred with the smartphone
known as the Sidekick; the personal data from 800,000 users’ smartphones went missing for almost two
weeks, and some of the losses were permanent. At the time of the incident, the data was stored on
Microsoft’s servers and accessed via a cloud service. As a result of another incident, Rackspace was
required to pay out between $2.5 million and $3.5 million to customers in the wake of a power outage that
hit its Dallas data center in late June of 2009 [49].
Organizations should apply the following mitigation techniques to protect against this type of threat:
· Provide data-storage and backup mechanisms.
· Use proper encryption techniques.
· Protect in-transit data.
· Generate strong keys and implement advanced storage and management.
· Legally require suppliers to use reinforcement and maintenance techniques [50].
B. Insecure Interfaces and Application Programming Interfaces
Cloud users utilize APIs to communicate properly with cloud services. Cloud providers usually publish a
number of APIs that permit users to develop their own interfaces for communication. The types of
communication that APIs offer include supply, management, concurrency, and monitoring of the cloud
processes [51]. The security and availability of the cloud services are reliant on the security of these APIs.
From the early stages of authentication and access control to the encryption and monitoring processes,
these interfaces need to be designed to defend against both unintentional and malicious attempts to attack
[52].
Additionally, cloud institutions that use these interfaces will often provide more services to their
customers. However, these interfaces increase the complexity of a cloud by adding a layer on top of the
framework. This allows the API’s weaknesses to spread in the cloud environment. Moreover, institutions
may be required to give their credentials to third parties in order to enable their services specified by the
developed APIs. In CC, the insecure interface and API threat affects the IaaS, PaaS, and SaaS cloud
services [51].
Because the security of cloud services depends on these APIs, these interfaces should have protected
certification standards, suitable access controls, and proper monitoring methods. This will lead to avoiding
threats such as unidentified access, clear-text authentication, reusable tokens or passwords, improper
authorization, and inadequate monitoring and logging capabilities [53]. Thus, if the APIs are not sufficiently
secured, unintentional or malicious attacks to interrupt them may expose the cloud data to many security
threats related to inflexible access control, scalability, inadequate monitoring, and many other issues [54].
An example of an attack scenario that could arise due to the design of these interfaces is the password-
reset message. The reset message could expose information to attackers that facilitates an attack, even
though the message was essentially created for good reasons. For example, a reset message indicating that
the account does not exist or that the username is not valid could give the attacker information about
existing accounts or some knowledge of the username creation policy.
Organizations should apply the following mitigation techniques to protect against this type of threat:
· Robust authentication and access control methods.
· Encryption of the transmitted data.
· Analysis of the cloud provider interfaces and a proper security model for these interfaces.
· Detailed understanding of the dependency chain related to APIs [50].
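The password-reset scenario described above, as an added example that is not part of the original paper: a reset handler whose replies reveal whether an account exists, beside one that answers every request identically. The account store, function names, reply texts, and token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store (placeholder address, not real data).
ACCOUNTS = {"alice@example.com": {"reset_hash": None, "reset_expiry": 0.0}}

GENERIC_REPLY = {
    "status": 200,
    "body": "If an account exists for that address, a reset link has been sent.",
}
TOKEN_LIFETIME = 900  # seconds; assumed value


def reset_leaky(email):
    """Interface design from the text: the reply depends on the account state."""
    if "@" not in email:
        return {"status": 400, "body": "The username is not valid."}
    if email not in ACCOUNTS:
        return {"status": 404, "body": "The account does not exist."}
    return {"status": 200, "body": "A reset link has been sent."}


def reset_uniform(email, outbox, now=None):
    """Hardened form: identical status and body for every input."""
    now = time.time() if now is None else now
    key = email.strip().lower()
    # Do the token work on every request so both paths cost about the same.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    account = ACCOUNTS.get(key)
    if account is not None:
        account["reset_hash"] = digest            # store only the hash
        account["reset_expiry"] = now + TOKEN_LIFETIME
        outbox.append((key, token))               # stands in for a mail queue
    return dict(GENERIC_REPLY)


def redeem(email, token, now=None):
    """Accept a token once, before expiry, using a constant-time comparison."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(email.strip().lower())
    if account is None or account["reset_hash"] is None:
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    valid = hmac.compare_digest(supplied, account["reset_hash"])
    valid = valid and now < account["reset_expiry"]
    if valid:
        account["reset_hash"] = None              # single use
    return valid


def distinguishable(handler, probes):
    """True if replies differ between probes, i.e. the endpoint is an oracle."""
    replies = {tuple(sorted(handler(p).items())) for p in probes}
    return len(replies) > 1


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com", "not-an-address"]
    outbox = []
    print("leaky endpoint distinguishable:",
          distinguishable(reset_leaky, probes))
    print("uniform endpoint distinguishable:",
          distinguishable(lambda e: reset_uniform(e, outbox), probes))
```

The `distinguishable` check can be reused as a regression test for any endpoint that takes a username, such as login or registration.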
C. Malicious Insiders
The malicious-insider threat arises from trusted people within the cloud organization who have
authorized access to the organization’s assets and items of value. These people can apply unprivileged
operations to cause harm to the organization’s assets. The harm can be financial loss, technical failure, or
resource loss and can occur due to what seem to be legal activities (e.g., developing malicious firewalls)
[55]. This threat is critical to address because insiders are harder to detect than outsiders. Giving authority
to employees is the main concern here because they are the gateway to this threat. In CC, the malicious-
insider threat affects IaaS, PaaS, and SaaS cloud services [56].
Insider attacks are launched by malicious employees at the provider’s or user’s site. It is a well-known
fact that most security threats arise from the inside of an organization. A malicious insider can easily gain
passwords, encryption keys, and data. This threat can affect the cloud users’ trust in the cloud provider
[57]. The threat of insider attacks has increased due to lack of transparency in cloud providers’ processes
and procedures regarding employees, data locations, and relationships with vendors. This threat poses a
challenge in terms of how to control the internal employees, contractors, vendors, and other trusted people
who have access to critical resources [58].
There are many types of insider attackers with different motives for attacking the cloud. These motives
could be to steal valuable data, cause controversy, get revenge, prove intelligence, gain respect, or profit
financially. Insider threats are the costliest threats and are hard to detect and deal with for the
following reasons:
· Malicious-insider threats can be hidden for a long time.
· It is tough to distinguish harmful actions from normal work.
· It is easy for employees to cover up their actions.
· It is hard to prove guilt.
Organizations should apply the following mitigation techniques to protect against this type of threat:
· Apply human resource management as part of a legal agreement.
· Institute a compliance reporting system to help determine the security breach notification so that
appropriate action may be taken against a person who has committed a fraud.
· Non-disclosure of the employees’ privileges and how they are monitored.
· Conduct a comprehensive supplier assessment.
· Transparency of the information security and management practices [48],[59].
D. Account, Service, and Traffic Hijacking
Account or service hijacking happens if an attacker gains the login information of an account, which
makes the hacked account a launching base for the attacker. By acquiring the account credentials, the
attacker can snoop on customer businesses, return false information, manipulate data, and redirect the
customer to other places to perform additional attacks. In cloud-account hijacking, a malicious intruder can
use the stolen credentials to hijack the cloud services and then enter into others’ transactions, add incorrect
information, and divert users to illegal websites, causing legal issues for cloud service providers. This
threat is widespread and critical nowadays; many attackers obtain the account credentials of various cloud
consumers [53].
These kinds of attacks involve the ability to obtain stolen credentials. There are different attack
approaches for stealing credentials, such as phishing, fraud, DoS, and finding vulnerabilities. In CC, the
account, service, and traffic hijacking threat affects the IaaS, PaaS and SaaS cloud services. Account and
service hijacking remains a top threat. With stolen credentials, attackers can often access critical areas of
deployed cloud services, leading to compromising the confidentiality, integrity and availability of those
services. Organizations need to be aware of these malicious techniques as well as common defense
methods and protection plans to cover the harm resulting from this threat [46].
This threat is not new. The mentioned attack methods, such as phishing and fraud, still achieve good
results for attackers. Credentials and passwords are often reused, which increases the effect of these threats.
With cloud technology, this threat has a bigger impact, including on other cloud users. The stolen account
or service becomes the new base for the attackers, resulting in the attackers using the stolen account’s
reputation to gain trust for their malicious purposes. Many users have suffered from this threat and its
consequences. Examples of such incidents are two hijacking occurrences on Amazon. In April 2010,
Amazon experienced a cross-site scripting (XSS) bug that permitted attackers to steal credentials from the
site. In 2009, numerous Amazon systems were hijacked to run Zeus botnet nodes [54].
Organizations should apply the following mitigation techniques to protect against this type of threat:
· Appropriate understanding of security policies and SLAs.
· A strong multifactor authentication to provide an extra security check for the identification of
genuine customers and make the cloud environment more secure and reliable.
· Strict and continuous monitoring to detect unauthorized activities.
· Prevention of credentials being shared among customers and services [50].
E. Shared-Technology Vulnerabilities
The threat of shared-technology vulnerabilities arises from the shared environment of the cloud. Cloud
services are provided by sharing the cloud infrastructure, applications, and platforms. Underlying
components (IaaS), rearranged platforms (PaaS), or applications of several customers (SaaS) are all
exposed to vulnerabilities that will spread the threat of shared-technology vulnerabilities in all delivery
models. As a result, compromising any piece of shared technology exposes not just the customer involved
but the whole environment to possible harm. Thus, in CC, the shared-technology vulnerabilities threat
affects the IaaS, PaaS, and SaaS cloud services. This threat is critical because it could affect the entire
cloud. A strong defensive mechanism is needed that includes devices, storage, network, applications, users,
and all the cloud components [51].
Organizations should apply the following mitigation techniques to protect against this type of threat:
· Apply good authentication and access control methods.
· Monitor the cloud environment for unauthorized activities.
· Use SLAs for patching, weakness remediation, vulnerability scanning, and configuration
reviews [46].
F. Abuse of Cloud Services
The cloud has the great benefit of allowing even small organizations or individuals to use large services.
Sectors that cannot afford to purchase expensive components can instead rent these services from the
cloud as needed. However, this benefit can be used for malicious purposes. Cracking an encryption key can
take a long time with local resources; with the array of cloud services and components, however, it can
be easier. Moreover, the attacker can use this array to spread malware or attacks. In CC, the abuse of
cloud services affects IaaS and PaaS cloud services [52]. The previously mentioned data breach of the
Sony PlayStation Network can also be considered an example of this threat.
Organizations should apply the following mitigation techniques to protect against this type of threat:
· Strong authorization and authentication mechanisms.
· Continuous examination of the network traffic [53].
In this section, we sought to mention and summarize the most effective threats in CC. Mitigating these
threats is essential to cloud providers and users. However, the priority given to some of these threats over
others depends on the cloud application and usage. Concluding our discussion of this matter, the challenges
of developing solutions to each threat will be listed. These challenges have to be studied and addressed in
order to overcome the cloud threats. Table I lists the threats and the challenges associated with their
remediation development. These challenges can arise from the cloud providers, users, environment, and
many other sources [60].
TABLE I
CHALLENGES TO THREAT REMEDIATION
Threat: Data Losses
Challenges:
· Trust issue with the cloud providers.
· Untested procedures, standards, and insufficient data preservation methods.
· Absence of knowledge.
Threat: Insecure Interfaces and APIs
Challenges:
· Incapability of reviewing events associated with API use.
· The APIs’ complexity.
Threat: Malicious Insiders
Challenges:
· Providers hide their company strategies from employees.
· Lateness of solutions, developed after the incident occurs.
· Incapability of cloud providers to monitor employees.
Threat: Account, Service, and Traffic Hijacking
Challenges:
· Fast growth of CC opens new gaps.
· Current method of digital identity management is not good enough for hybrid clouds.
Threat: Shared-Technology Vulnerabilities
Challenges:
· Development of shared components is not guaranteed.
· The use of VM technology.
· Mapping between the manufacturing process and allotment process of shared components.
Threat: Abuse of Cloud Services
Challenges:
· Cloud providers’ limited ability to monitor due to privacy laws.
· Stakeholders’ varied interests.

VI. ATTACKS AND COUNTERMEASURES IN A CLOUD COMPUTING ENVIRONMENT


The key motivation of this research is to determine the potential attacks in the CC environment and their
possible solutions. CC offers services using IaaS, PaaS, and SaaS, as shown in Fig. 3 [61]. In this paper, we
classified the attacks based on the service delivery model of CC [62]. By exploiting vulnerabilities in the
cloud, as explained in Section V, an adversary can launch various attacks. The following subsections
outline the key attacks under each category.
A. Security Attacks on the SaaS Cloud Layer
In SaaS, the provider is responsible for the security measures. According to [63], SaaS is the “software
that’s owned, delivered and managed remotely by one or more providers.” However, most users are still
uncomfortable with the SaaS model due to data-related security issues such as who owns the data, data
backup, data access, data locality, data availability, identity management, and authentication [64]. We
consider well-known types of security attacks on the SaaS cloud layer, as elaborated below.
a) Denial-of-service attacks
DoS attacks are the most prominent attacks in the CC environment. The main aim of the attacker is to
exhaust all the resources of the victim by sending thousands of request packets to the victim over the Internet
[65]. In fact, the rate of DoS attacks is increasing due to some characteristics of CC, such as on-demand
services, self-service, and broad network access. DoS attacks target the availability of the services provided
by the cloud in order to flood a network. Thus, they reduce the user’s bandwidth, disrupt service to a specific
system, and prevent the user from accessing or using the cloud service. There are many types of DoS
attacks, such as Distributed DoS (DDoS) attacks, which are extended from DoS attacks and involve the
attacker using numerous network hosts to inflict more devastating effects on the victim [66],[67].
As mentioned above, SaaS provides services to its customers; if DDoS attackers strike, then the services
become unavailable. Therefore, SaaS customers will not get their money’s worth. Indeed, SaaS is an
attractive target for DDoS attackers. In addition, a DDoS attack is much more complex and harder to detect
than a DoS attack. Other common DoS attacks on the CC environment involve the attacker
sending many types of packets, including Transmission Control Protocol (TCP) packets, User Datagram
Protocol (UDP) packets, and Internet Control Message Protocol (ICMP) echo request packets, which
overwhelm the cloud resources with heavy traffic and load [68],[69]. Overall, many users share CC
infrastructures; consequently, these attacks are difficult to resolve. Indeed, this will have a much greater
impact than in single-tenant architectures. For example, in Jan 2013, the European Network and Information
Security Agency (ENISA) reported that Dropbox (a large cloud-storage service) was attacked by DDoS
attacks and suffered a substantial loss of service for more than 15 hours, affecting all users across the globe
[70]. Generally, SaaS, PaaS, and IaaS services are affected by this type of attack.
Nowadays, various techniques are used to eliminate this attack. Overall, this attack affects service
availability. The attacker may create an account for false service usage. In general, using better
authentication and authorization mechanisms can protect against this attack. However, various approaches,
such as strong authentication and authorization, a filter-based approach, a signature-based approach, and
firewalls, can be used. The main aim of a signature-based approach is to monitor the traffic on the network.
The traffic pattern is compared against a signature database, and the traffic is blocked if it
matches an attack signature in the database. In addition, a filter-based approach can be used to detect and block
low-rate DoS attacks, which are meant to just increase traffic [66],[71].
An Intrusion Detection System (IDS) is one of the most popular methods of defense against this type of
attack. Firewalls are one method of Intrusion Prevention System (IPS) [72]. The research in [73] targets this
attack. In general, this research is based on the information exchange between clouds. Every cloud is equipped
with its own IDS, so if one is under attack, then the cooperative IDS alerts the whole system. Voting and
performance are the basis for decisions regarding the trustworthiness of a cloud.
b) Authentication attacks
The identity is used to identify users to achieve secure access to cloud applications. In essence, the identity
is the core part of any virtualized CC system. Indeed, authentication attacks can easily occur in cloud
environments due to the weak username-and-password mechanism that users still employ. As a result,
authentication cloud attacks such as brute-force and dictionary attacks are the most common [64]. However,
the main goal of authentication is to allow only authorized users to access cloud services according to the
cloud provider’s policy. In this attack, the attackers target the mechanisms used by the user to authenticate
to the system. Moreover, using different encryption and decryption mechanisms to transfer the data in a more
confidential manner is required [67],[68].
As discussed, this attack occurs when a weak authentication mechanism is used, such as a simple username
and password. However, these attacks can be reduced using security countermeasures; for example, the
Service Provisioning Markup Language (SPML), Secure Assertion Markup Language (SAML), and
Extensible Access Control Markup Language (XACML) standards are applied to secure federated identities
as well as cloud platforms and domains.
Moreover, an advanced authentication mechanism can be used, such as one-time password, which can
only be used once. In addition, communication channels can be encrypted to secure authentication tokens
[64],[67]. The study described in [74] proposes an Extensible Markup Language (XML) digital signature
based on authentication to detect this type of attack. On the other hand, the research in [15] involves single
sign-on, which is a Secure Socket Layer (SSL) authentication mechanism that authorized parties can use to
protect users over insecure networks. Consequently, man-in-the-middle attacks are reduced by using a set of
cipher suites and server certificates that are verified and trusted.
c) Structured Query Language–Injection attacks
Database and web servers make up a significant percentage of the systems within the cloud environment.
Structured Query Language (SQL) is used to program and manage data in relational databases. SQL-
injection and Cross Site Scripting (XSS) attacks are the most common hacking techniques in the cloud
environment, according to the Open Web Application Security Project (OWASP), which lists SQL-injection
attacks as among the 10 most critical web application security risks [76]. However, the main goal of this
type of attack is to steal user information from the web application, such as usernames and passwords or
even credit cards, by injecting malicious code into the web application as a user input. If SQL-injection
attacks are successful, then the attackers gain unauthorized access to the data and become able to remotely
execute system commands as well as alter and delete the standard database design [77],[78].
To protect against SQL-injection attacks, cloud providers such as Microsoft offer Azure SQL Database
Threat Detection, which provides an additional layer of security built into the Azure SQL Database service
[79]. Microsoft is not the only cloud provider to play a role in protection against SQL-injection attacks;
Amazon offers a virtual cloud version of its Web Application Firewall to detect SQL injections [80].
Overall, this attack affects service integrity. In general, the best options for protecting the system against
this attack are to avoid using dynamically generated SQL in the code, sanitize the user input by using
appropriate filtration, and detect and extract users’ input using a proxy-based architecture [81]. The study
described in [78] proposed an SQL injection intrusion detection framework as a service for SaaS providers.
The main aim of this framework is to allow SaaS providers to detect SQL-injection attacks that target any of
several SaaS applications without having to read, analyze, or modify source code.
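The first two protections named above, avoiding dynamically generated SQL and filtering user input, shown as an added example that is not part of the original paper. It uses Python's built-in sqlite3 module; the multi-tenant table, its rows, and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table holding users of two SaaS tenants."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, tenant TEXT, "
        "username TEXT, email TEXT)"
    )
    db.executemany(
        "INSERT INTO users (tenant, username, email) VALUES (?, ?, ?)",
        [
            ("acme", "alice", "alice@acme.example"),
            ("acme", "bob", "bob@acme.example"),
            ("globex", "carol", "carol@globex.example"),
        ],
    )
    return db


def find_user_dynamic(db, tenant, username):
    """Dynamically generated SQL: user input becomes part of the statement."""
    sql = (
        "SELECT username, email FROM users "
        f"WHERE tenant = '{tenant}' AND username = '{username}'"
    )
    return db.execute(sql).fetchall()


def find_user_parameterized(db, tenant, username):
    """Bound parameters: input is passed as data and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE tenant = ? AND username = ?"
    return db.execute(sql, (tenant, username)).fetchall()


# Column names cannot be bound as parameters, so they are filtered against
# an allow-list instead of being escaped.
SORTABLE_COLUMNS = {"username", "email"}


def list_users_sorted(db, tenant, sort_by):
    """Filter the one input that has to appear in the statement text."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT username FROM users WHERE tenant = ? ORDER BY {sort_by}"
    return [row[0] for row in db.execute(sql, (tenant,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    # The dynamic query returns every tenant's rows, including globex's.
    print("dynamic:      ", find_user_dynamic(db, "acme", crafted))
    # The parameterized query treats the same input as a literal username.
    print("parameterized:", find_user_parameterized(db, "acme", crafted))
```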
d) Cross-Site Scripting attacks
Many web applications provide dynamic web pages to enable users to access applications via a web
browser. JavaScript is the major scripting language used to implement these dynamic web pages. Because the
cloud provides a shared environment, the architectural components that are shared on the cloud system may
be affected by different attacks. As previously explained, XSS is one of the most common application layer
attacks. In this attack, the attackers exploit the authorization, authentication, and accounting of cloud
systems. The attackers attempt to inject malicious script such as JavaScript, Hypertext Markup Language
(HTML), and Visual Basic Script code into a website in order to gather important information such as user
IDs, passwords, and credit card information. If this attack is successful, an attacker is able to perform buffer
overflows, DoS attacks, and malicious software injection into the web browsers [82],[83].
Defenses against XSS aim to prevent unauthorized script execution by enforcing a no-script policy on
untrusted HTML. Various techniques can be used to protect against this attack, such as proper Secure Socket
Layer configuration, anti-malware software, browser collaboration, and content-based data leakage
prevention technology [82],[83]. In the next section, we will explain the security attacks on the PaaS cloud
layer.
B. Security Attacks on the PaaS Cloud Layer
As discussed, in PaaS, the user controls the applications that run in a cloud environment, but the cloud
provider controls the hardware, network substructure, and operating systems. However, lack of validation,
anonymous signs, and service fraud are major issues in PaaS [62]. We discuss well-known types of security
attacks on the PaaS cloud layer below.
a) Phishing attacks
Phishing attacks affect both providers and users in the PaaS cloud model. This type of attack aims to
retrieve personal information from a legitimate user by manipulating a web link and redirecting the user to a
spoofed link. In CC, phishing attacks can be classified into two categories. The first is an abusive behavior,
in which an attacker hosts a phishing attack site on the cloud by using one of the cloud services; the second
involves hijacking the accounts using traditional social-engineering techniques. In addition, spam e-mails
and pop-up messages are phishing attack methods [84]. For example, 200 million Facebook users are
targeted by phishing attacks [85].
Moreover, SaaS, PaaS, and IaaS services are affected by this type of attack. In general, a phishing attack
affects the privacy of a user’s sensitive information that should not be revealed. Techniques to protect
against this attack include identifying spam e-mails and using the secure version of the Hypertext Transfer
Protocol (HTTP). Moreover, users should not click on short Uniform Resource Locators (URLs) or click when
someone tries to force them to [68].
b) Port-Scanning attacks
The main aim of port-scanning attacks is to access the resources in a cloud network. In this type of attack,
the attacker uses open ports, such as those on which services run on the system, and details that can include
the Internet Protocol (IP) and Medium Access Control (MAC) addresses that belong to a connection to gain exact
information about the working environment and the application processes that are running. After scanning the ports, the
attacker can use this information to find vulnerabilities and conduct exploits as part of an actual attack.
There are various port-scanning techniques, including TCP/IP scanning, User Datagram Protocol scanning,
and window scanning [81],[86].
SaaS, PaaS, and IaaS services are all affected by this type of attack. Strong port security is required to
protect against it. Various methods have been proposed to detect port-scanning attacks: using a time-
independent feature set, adding a firewall, counting packets, applying a neural network, capturing packets,
and using evolving TCP/IP packets [87].
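One of the detection methods listed above, counting packets, as an added example that is not part of the original paper: it counts the distinct destination ports each source tries to open on a host within a sliding time window. The log format, addresses, window length, and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample records: "epoch_seconds src_ip dst_ip dst_port tcp_flags".
# Addresses come from the documentation ranges; none refers to a real host.
SAMPLE_LOG = """\
100.0 198.51.100.20 10.0.0.5 443 S
100.1 198.51.100.20 10.0.0.5 443 A
100.2 203.0.113.7 10.0.0.5 21 S
100.3 203.0.113.7 10.0.0.5 22 S
100.4 203.0.113.7 10.0.0.5 23 S
100.6 203.0.113.7 10.0.0.5 25 S
100.7 203.0.113.7 10.0.0.5 80 S
100.8 203.0.113.7 10.0.0.5 443 S
100.9 203.0.113.7 10.0.0.5 3389 S
105.0 192.0.2.44 10.0.0.5 80 S
125.0 192.0.2.44 10.0.0.5 443 S
145.0 192.0.2.44 10.0.0.5 8080 S
165.0 192.0.2.44 10.0.0.5 22 S
185.0 192.0.2.44 10.0.0.5 25 S
205.0 192.0.2.44 10.0.0.5 53 S
""".splitlines()


def parse_line(line):
    """Split one record into (timestamp, src, dst, port, flags)."""
    ts, src, dst, port, flags = line.split()
    return float(ts), src, dst, int(port), flags


def detect_port_scans(lines, window=10.0, max_ports=5):
    """Map (src, dst) to the highest number of distinct ports opened within
    `window` seconds, for every pair that exceeded `max_ports`."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    recent = defaultdict(deque)  # (src, dst) -> (timestamp, port) in window
    alerts = {}
    for ts, src, dst, port, flags in events:
        if flags != "S":  # count connection attempts only (SYN without ACK)
            continue
        attempts = recent[(src, dst)]
        attempts.append((ts, port))
        # Drop attempts that have fallen out of the sliding window.
        while ts - attempts[0][0] > window:
            attempts.popleft()
        distinct = len({p for _, p in attempts})
        if distinct > max_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), distinct)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {ports} ports in 10 s")
```

The window length is a tuning parameter: with `window=300.0` the same data also reports 192.0.2.44, which touches six ports spread over 100 seconds.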
c) Man-in-the-Middle attacks
A Man-in-the-Middle attack is a major security issue that occurs when an attacker is placed between two
parties in a cloud environment. This type of attack aims to access sensitive information being shared.
However, if the communication channel is not secure between two parties (including providers), the attack
can take place in an ongoing communication. A common example of this attack involves a client and a server. The
attacker accesses data communication between client and server when they communicate with each other in
a Hypertext Transfer Protocol transaction. Then, the attacker splits this connection into two parts; the first
part is between client and attacker, and the other part is between attacker and server [88],[89].
SaaS, PaaS, and IaaS services are affected by this type of attack. Man-in-the-Middle attacks affect data
security and privacy. A common method to protect against this attack is to use an encryption and decryption
algorithm such as the Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple
Data Encryption Standard. Also, proper configuration of Secure Socket Layer is required. Moreover, an
intrusion detection system should be used [88],[89].
d) Metadata spoofing attacks
Metadata is “data about data.” In other words, it contains confidential and sensitive information. The
descriptions of service functionality and details, for example, are stored in a Web Services Description
Language (WSDL) file; an attacker may seek to access this file and apply modifications or delete operations.
However, this type of attack is possible if the attacker succeeds, at delivery time, in interrupting the service
invocation code in the Web Services Description Language file [90]. A metadata spoofing attack affects
service confidentiality. Generally, SaaS and PaaS services are affected by this type of attack. The solution to
this type of attack is to encrypt the information about service functionality and other details. Also, strong
authentication should be required to access this type of file [68]. In the next section, we will explain the
security attacks on the IaaS cloud layer.
C. Security Attacks on the IaaS Cloud Layer
The security concerns at the virtualized level are major security threats to the IaaS computing
environment. As previously discussed, in CC, available infrastructures include a collection of several
computers, VMs, and storage resources to store important information such as confidential information and
data documents. On this layer, the developer has better control over the security because there is no security
hole in the virtualization manager [62]. Moreover, sharing physical resources of a host among virtual
machines through a hypervisor abstraction layer is enabled by the virtualization.
The VMs can be considered software containers that contain a set of virtual hardware resources,
operating systems, and applications. A hypervisor is a software layer that runs between the operating system
and system hardware; it is responsible for controlling each VM’s access to the CPU, memory, persistent
storage, I/O devices, and the network [62],[64]. We describe some major security attacks on the IaaS cloud
layer, as elaborated below.
a) Cross-virtual-machine (side-channel) attacks
In the cloud environment, VMs are easily accessible by the tenant users. Accordingly, they are the most
vulnerable part of the virtualized system. Side-channel attacks are likely one of the most challenging types of
attack in a cloud environment. These attacks are meant to extract confidential information from a victim’s
VM by exploiting side-channel information such as time, cache, heat, and power. This information, which is
retrieved from the cryptographic software, is neither the plaintext to be encrypted nor the ciphertext
resulting from the encryption process [91]. In addition, using the side channel, the attackers can bypass
logical isolation between VMs.
Placement and extraction are the main steps in side-channel attacks. The first step is the placement, which
involves the attacker placing malicious VMs on the same physical machine. The second step is the extraction
of confidential information after successful placement of malicious code to target a VM [92]. Virtual firewall
and encryption and decryption are common countermeasures against side-channel attacks. The virtual
firewalls prevent side-channel attacks on environments, whereas encryption and decryption prevent side-
channel attacks against users’ confidential information [67].

b) VM rollback attacks
Basically, in a VM rollback attack, the attacker takes advantage of a VM from an old snapshot and runs it
without the user’s awareness. The attacker can get the password for the VM by launching a brute-force
attack, even if the guest operating system has a restriction on the number of failed attempts. Moreover, the
attacker can change users’ permissions using rollback, a permission control module [93],[94]. This attack
can be prevented by using suspend and resume functions. However, this solution is complex due to the fact
that it cannot distinguish between an attack and normal suspend and resume functions. Moreover, the
researchers in [94] proposed a new solution to balance security and functionality. This balance is achieved
by securely logging all the suspend and resume functions and migration operations inside a small trusted
computing base; a user can audit the log to check malicious rollback and constrain the operations on the VM.
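The logging-and-audit idea described above, as an added example that is not part of the original paper and is not the design from [94]: a simplified model in which each suspend, resume, and rollback entry is chained to the previous one, and an audit flags a VM whose state moves backwards without an authorized rollback. The class, field names, and per-VM state counter are hypothetical, and an HMAC stands in for whatever protection a real trusted computing base would apply.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
FIELDS = ("seq", "op", "vm", "state", "by", "prev")


def _mac(key, body):
    """Authenticate one entry; 'prev' inside the body links it to the chain."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class LifecycleLog:
    """Append-only log kept by the (hypothetical) trusted logging component."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, op, vm, state, by=None):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "op": op, "vm": vm,
                "state": state, "by": by, "prev": prev}
        self.entries.append({**body, "mac": _mac(self._key, body)})


def audit(entries, key):
    """Return (index, finding) pairs for broken links and unauthorized
    backward moves of a VM's state counter."""
    findings = []
    prev = GENESIS
    last_state = {}
    for i, entry in enumerate(entries):
        body = {name: entry[name] for name in FIELDS}
        intact = (entry["seq"] == i and entry["prev"] == prev
                  and hmac.compare_digest(_mac(key, body), entry["mac"]))
        if not intact:
            findings.append((i, "log entry altered, missing or out of order"))
            break  # entries after a broken link cannot be trusted
        prev = entry["mac"]
        seen = last_state.get(entry["vm"])
        went_back = seen is not None and entry["state"] < seen
        authorized = entry["op"] == "rollback" and entry["by"] is not None
        if went_back and not authorized:
            findings.append(
                (i, "state went backwards without an authorized rollback"))
        last_state[entry["vm"]] = entry["state"]
    return findings


def build_sample_log(key):
    """Constructed history for one VM; the last entry resumes an old state."""
    log = LifecycleLog(key)
    log.append("suspend", "vm1", 1)
    log.append("resume", "vm1", 1)
    log.append("suspend", "vm1", 2)
    log.append("rollback", "vm1", 1, by="tenant-user")  # requested by the user
    log.append("resume", "vm1", 1)
    log.append("suspend", "vm1", 2)
    log.append("resume", "vm1", 1)  # old snapshot resumed, nobody asked
    return log


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    for index, finding in audit(build_sample_log(demo_key).entries, demo_key):
        print(f"entry {index}: {finding}")
```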
c) VM escape attacks
The attacker interacts directly with the hypervisor to break the isolation layer. Another major issue at the
VM level is a VM escape attack, which is malicious code that can interfere with the hypervisor or other
guest VMs. In this type of attack, the attackers attempt to break down guest operating systems or gain access
to the memory in order to access the hypervisor or penetrate the functionalities [68]. In essence, this
breaking of the guest operating system is called an escape. In addition, the attacker gains access to the
memory that is beyond the access of the compromised tenant VM and can read, write, or execute its
contents. Furthermore, if successful, the attacker can control the entire guest operating system because the
hypervisor is compromised [93]. Nevertheless, this problem can be solved by use of a secure hypervisor,
proper configuration of the host–guest interactions, VM isolation, and monitoring activities at the hypervisor
[68].
Table II presents several security attacks over various cloud-service delivery models and their effects on
the cloud (including some solutions). Its columns are attacks, affected cloud services, effects, and
finally, the solutions. Table II shows that several attacks have been applied to different cloud services and the
most common attack in the CC environment is a DoS attack.
TABLE II
TYPES OF SECURITY ATTACKS
Attack: DoS
Affected cloud services: SaaS, PaaS, and IaaS
Effects: Service availability is affected; a fake service may be created
Solutions:
· Using strong authentication and authorization.
· Using a filter-based approach.
· Using signature-based approach.
· Using an intrusion-detection or intrusion-prevention system.
Attack: Authentication
Affected cloud services: SaaS
Effects: Affects privacy and integrity
Solutions:
· Using strong passwords and a better authentication mechanism.
· Applying Service Provisioning Markup Language, Secure Assertion Markup Language, OAuth, and Extensible
Access Control Markup Language standards to secure federated identities.
· Encrypting communication channels to secure authentication tokens.
Attack: SQL Injection
Affected cloud services: SaaS
Effects: Malicious service is provided to users instead of valid service. Service integrity is affected.
Solutions:
· Avoiding use of dynamically generated SQL in the code.
· Using appropriate filtration to sanitize the user input.
· Using a proxy-based architecture to dynamically detect and extract user input.
Attack: XSS
Affected cloud services: SaaS
Effects: The integrity is affected.
Solutions:
· Using Active Content Filtering.
· Using Browser Collaboration.
· Using content-based data-leakage prevention technology.
· Proper Secure Socket Layer configuration.
· Using anti-malware software.
Attack: Phishing
Affected cloud services: SaaS, PaaS, and IaaS
Effects: Affects the privacy of the user credentials that should not be revealed
Solutions:
· Using secure web links.
· Identifying spam e-mails.
· Not clicking on short URLs.
· Not clicking when someone forces you to click.
Attack: Port Scanning
Affected cloud services: SaaS, PaaS, and IaaS
Effects: Abnormal behavior of the service; affects service availability
Solutions:
· Using a time-independent feature set.
· Using packet counts and neural networks.
· Evolving TCP/IP packets.
· Capturing packets.
· Using firewalls.
Attack: Man in the Middle
Affected cloud services: SaaS, PaaS, and IaaS
Effects: Affects the data privacy and security.
Solutions:
· Requiring a proper Secure Socket Layer architecture.
· Using an encryption and decryption algorithm.
· Using an Intrusion Detection System.
Attack: Metadata Spoofing
Affected cloud services: SaaS and PaaS
Effects: Abnormal behavior of the service; affects the privacy of the service.
Solutions:
· Encrypting information about service functionality and other details.
· Requiring strong authentication to access files.
Attack: Cross-VM
Affected cloud services: IaaS
Effects: Allows an attacker to gain control over another user’s VM.
Solutions:
· Using a virtual firewall.
· Using encryption and decryption.
Allows an
attacker to gain
VM
IaaS control over · Using suspend and resume.
Rollback
another user’s
VM.
Enables access · Monitoring hypervisor activities.
to the credentials · Requiring VM isolation.
VM Escape IaaS
and control of · Using a secure hypervisor.
another user. · Configuring the host/guest interactions.

VII. CONCLUSION
Major innovations in CC have emerged within the past decade; significant advances have been made, and CC
has become widely adopted in various areas due to the practical services that potentially add more convenience
at several levels. Cloud Computing provides several benefits to organizations and enterprises. On the other
hand, Cloud Computing security is an essential aspect of computer security, and it poses a major challenge
to its widespread adoption because CC services are essentially based on an Internet connection, which
makes them vulnerable to a variety of attacks and security threats that may result in either light or severe
impacts.
In this paper, we reviewed the significant attacks threatening the security of Cloud Computing;
moreover, we provided solutions and possible countermeasures to serve as a reference for comparative
analysis. Understanding the various cloud security issues and the means possible to overcome them is a
major key that helps to mitigate the risk associated with the adoption of Cloud Computing technology.

REFERENCES
[1] Mell, P. and Grance, T. (2018). The NIST Definition of Cloud Computing. [online] National Institute of Standards and
Technology | NIST. Available at: https://www.nist.gov/ [Accessed 15 Nov. 2018].
[2] Khalil, I., Khreishah, A. and Azeem, M. (2014). “Cloud Computing Security: A Survey”. Computers, 3(1), pp.1-35
[3] Gupta, B. and Badve, O. (2016). “Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing
environment.” Neural Computing and Applications, 28(12), pp.3655-3682.
[4] Suse.com. (2018). [online] [Accessed 25 Nov. 2018]. Available at:
https://www.suse.com/media/report/rightscale_2018_state_of_the_cloud_report.pdf
[5] LogicMonitor. (2018). LogicMonitor: SaaS-based Performance Monitoring Platform. [online] Available at:
https://www.logicmonitor.com/ [Accessed 25 Nov. 2018].
[6] Jing, X. and Jian-jun, Z. (2010). “A Brief Survey on the Security Model of Cloud Computing.” International Symposium on
Distributed Computing and Applications to Business, Engineering and Science. IEEE, 2010, p. 475-478.
[7] Chowdhury, R. (2014). “Security in Cloud Computing.” International Journal of Computer Applications (0975 – 8887), vol.96,
June 2014.
[8] D. Q. L. Shilpashree Srinivasamurthy, "Survey on Cloud Computing Security," Indiana University, US.
[9] Munir, K. and Palaniappan, S. (2013). “Framework for Secure Cloud Computing.” International Journal on Cloud Computing:
Services and Architecture, 3(2), pp.21-35.
[10] Kumar, S. and Goudar, R. (2012). Cloud Computing – Research Issues, Challenges, Architecture, Platforms and Applications: A
Survey. International Journal of Future Computer and Communication, pp.356-360.
[11] Nazir, M. (2012). “Cloud Computing: Overview & Current Research Challenges.” IOSR Journal of Computer Engineering,
8(1), pp.14-22.
[12] Zissis, D. and Lekkas, D. (2012). "Addressing cloud computing security issues." Future Generation Computer Systems, 28(3),
pp.583-592.
[13] HUANG, W., GANJALI, A., KIM, B., OH, S. and LIE, D. (2015). "The State of Public Infrastructure-as-a-Service Cloud
Security." ACM Comput. Surv. 47, 4, Article 68 (June 2015), 31 pages.
[14] Salih, A. (2016). A survey of Cloud Computing Security challenges and solutions. Najran University.
[15] Cdr Nimit Kaura, W. and Col Abhishek Lal, L. (2017). "Survey Paper On Cloud Computing Security." International Conference
on Innovations in Information, Embedded and Communication Systems (ICIIECS).
[16] Li, W. and Lu, D. (2012). "Study on Cloud Computing." Applied Mechanics and Materials, 263-266, pp.2020-2023.
[17] Ravi, V. (2012). "Cloud Computing Paradigm for Indian Education Sector." International Journal of Cloud Applications and
Computing, 2(2), pp.41-47.
[18] Winans, T. and Brown, J. (2018). Cloud computing A collection of working papers. Deloitte.
[19] J. Sen, Cloud Computing Architecture and Application, Croatia: Janeza Trdine 9, 51000 Rijeka, 2017.
[20] Kandukuri, B.R, Paturi, V.R., Rakshit, A. “Cloud Security Issues” Services Computing, 2009. SCC '09. IEEE International
Conference, 2009.
[21] Zhidong Shen, Qiang Tong, "The security of cloud computing system enabled by trusted computing technology.” Signal
Processing Systems (ICSPS), 2012 2nd International Conference, 2012.
[22] Prasad, P. ; Ojha, B. ; Shahi, R.R. ; Lal, R. ; Vaish, A. ; Goel, U. "3 dimensional security in cloud computing” Computer
Research and Development (ICCRD), 2012 3rd International Conference,2012.
[23] Ge Cheng ; Hai Jin ; Deqing Zou ; Xinwen Zhang ; Min Li ; Chen Yu ; Guofu Xiang "Building dynamic integrity protection for
multiple independent authorities in virtualization-based infrastructure” Grid Computing, 2009 10th IEEE/ACM International
Conference, 2009.
[24] Min Luo, Liang-Jie Zhang, Fengyun Lei, “An Insurance Model for Guaranteeing Service Assurance, Integrity and QoS in
Cloud Computing”, International Conference on Web Services (ICWS), July 2014
[25] Zhiyun Guo, Meina Song, Junde Song, “A Governance Model for Cloud Computing,” Proceedings of International
Conference on Management and Service Science (MASS), August, 2014.
[26] Sravan Kumar, R. Saxena, A., "Data integrity proofs in cloud storage,” Third International Conference on Communication
Systems and Networks (COMSNETS 2011), January,2011
[27] Naruchitparames, J. , Gunes, M.H. ,"Enhancing data privacy and integrity in the cloud”, International Conference on High
Performance Computing and Simulation (HPCS 2011), July, 2011
[28] Chaisiri, S., Bu-Sung Lee ; Niyato, D.,”Optimal virtual machine placement across multiple cloud providers”, Services
Computing Conference, 2009. APSCC 2009. IEEE Asia-Pacific, December, 2009
[29] Pervez, Z. , Sungyoung Lee ; Young-Koo Lee ,"Multi-Tenant, Secure, Load Disseminated SaaS Architecture” , The 12th
International Conference on Advanced Communication Technology (ICACT 2015),Vol-1, February, 2015
[30] Mejías, B Roy, P.V. , “From Mini-clouds to Cloud Computing”, 2015 Fourth IEEE International Conference on Self-Adaptive
and Self- Organizing Systems Workshop (SASOW), September, 2015
[31] Pearson, S. , “Toward Accountability in the Cloud” Internet Computing, IEEE, 2014.
[32] Nakahara, S. ; Ishimoto, H. “A study on the requirements of accountable cloud services and log management” Information and
Telecommunication Technologies (APSITT), 2010 8th Asia-Pacific Symposium, 2010.
[33] Flavio, Lombardi, Pietro, Roberto Di, 2011. Secure virtualization for cloud computing. J. Network Computer. Appl. 34 (4),
1113–1122.
[34] Jiang, Yexi, Perng, Chang-shing, Li, Tao, Chang, Rong, 2012. "Self-adaptive cloud capacity planning." In: Proceedings of the
2012 IEEE Ninth International Conference on Services Computing (SCC). IEEE, pp. 73–80.
[35] Ouedraogo, Moussa, Mignon, Severine, Cholez, Herve, Furnell, Steven, Dubois, Eric, 2015. Security transparency: the next
frontier for security research in the cloud. J. Cloud Computing. 4 (1), 1–14.
[36] Fernandes, Diogo A.B., Soares, Liliana F.B., Gomes, João V., Freire, Mário M., Inácio, Pedro R.M., 2014. "Security issues in
cloud environments: a survey." Int. J. Information Security. 13 (2), 113–170.

[37] Sumitra, B., Pethuru, C.R., Misbahuddin, M., 2014. "A survey of cloud authentication attacks and solution approaches." Int. J.
Innov. Res. Comput. Commun. Eng. 2 (10).
[38] Fotiou, Nikos, Machas, Apostolis, Polyzos, George C., Xylomenos, George, 2015. Access control as a service for the Cloud. J.
Internet Serv. Appl., ISSN 1869-0238
[39] Choi, Junho, Choi, Chang, Ko, Byeongkyu, Choi, Dongjin, Kim, Pankoo, 2013. "Detecting web-based DDoS attack using
MapReduce operations in cloud computing environment." J. Internet Serv. Inf. Security, vol.3, pp.28–37, 2013.
[40] Kim, Jin-Mook, Moon, Jeong-Kyung, Hong, Bong-Hwa, 2013. An Effective Resource Management for Cloud Services using
Clustering Schemes.
[41] P. Deshpande, S. C. Sharma, and P. S. Kumar, “Security threats in cloud computing,” International Conference on Computing,
Communication & Automation, 2015.
[42] H. Lv and Y. Hu, “Analysis and Research about Cloud Computing Security Protect Policy,” 2011 International Conference on
Intelligence Science and Information Engineering, 2011.
[43] N. Gonzalez, C. Miers, F. Redigolo, T. Carvalho, M. Simplicio, M. Naslund, and M. Pourzandi, “A Quantitative Analysis of
Current Security Concerns and Solutions for Cloud Computing,” 2011 IEEE Third International Conference on Cloud
Computing Technology and Science, 2011.
[44] A. T. Monfared and M. G. Jaatun, “Monitoring Intrusions and Security Breaches in Highly Distributed Cloud Environments,”
2011 IEEE Third International Conference on Cloud Computing Technology and Science, 2011.
[45] N. Kajal, N. Ikram, and Prachi, “Security threats in cloud computing,” International Conference on Computing, Communication
& Automation, 2015.
[46] M. T. Khorshed, A. S. Ali, and S. A. Wasimi, “A survey on gaps, threat remediation challenges and some thoughts for proactive
attack detection in cloud computing,” Future Generation Computer Systems, vol. 28, no. 6, pp. 833–851, 2012.
[47] M. T. Khorshed, A. S. Ali, and S. A. Wasimi, “Trust Issues that Create Threats for Cyber Attacks in Cloud Computing,” 2011
IEEE 17th International Conference on Parallel and Distributed Systems, 2011.
[48] A. Behl, “Emerging security challenges in cloud computing: An insight to cloud security challenges and their mitigation,” 2011
World Congress on Information and Communication Technologies, 2011.
[49] Dahbur, K. Mohammad, B. Tarakji, “A survey of risks, threats and vulnerabilities in cloud computing,” In: Proceedings of the
International Conference on Intelligent Semantic Web-Services and Applications, pp. 12:1–12:6. ACM, New York, NY, USA,
2011.
[50] C. Modi, D. Patel, B. Borisaniya, A. Patel, and M. Rajarajan, “A survey on security issues and solutions at different layers of
Cloud computing,” The Journal of Supercomputing, vol. 63, no. 2, pp. 561–592, 2012.
[51] CSA: "The notorious nine: Cloud computing top threats in 2013." Top Threats Working Group, 2013.
[52] C. Prakash and S. Dasgupta, “Cloud computing security analysis: Challenges and possible solutions,” 2016 International
Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT), 2016.
[53] N. Amara, H. Zhiqui, and A. Ali, “Cloud Computing Security Threats and Attacks with Their Mitigation Techniques,” 2017
International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2017.
[54] A. Tripathi and A. Mishra, “Cloud computing security considerations,” 2011 IEEE International Conference on Signal
Processing, Communications and Computing (ICSPCC), 2011.
[55] N. Aawadallah, “Security Threats of Cloud Computing,” International Journal on Recent and Innovation Trends in Computing
and Communication, vol. 3, no. 4, pp. 2393–2397, 2015.
[56] Duncan, A. Creese, S. Goldsmith, “Insider attacks in cloud computing,” In: IEEE 11th International Conference on Trust,
Security and Privacy in Computing and Communications, pp. 857–862. IEEE Computer Society,Washington, DC,USA, 2012.
[57] W. R. Claycomb and A. Nicoll, “Insider Threats to Cloud Computing: Directions for New Research Challenges,” 2012 IEEE
36th Annual Computer Software and Applications Conference, 2012.
[58] Panah, A. Panah, A. Panah, O. Fallahpour, “Challenges of security issues in cloud computing layers” Rep. Opin. 4(10), 25–29,
2012.
[59] D. A. B. Fernandes, L. F. B. Soares, J. V. Gomes, M. M. Freire, and P. R. M. Inácio, “Security issues in cloud environments: a
survey,” International Journal of Information Security, vol. 13, no. 2, pp. 113–170, 2013.
[60] Boampong, P.A. Wahsheh, “Different facets of security in the cloud,” In: Proceedings of the 15th Communications and
Networking Simulation Symposium, pp. 5:1–5:7. Society for Computer Simulation International, San Diego, CA, USA, 2012.
[61] S. Ramgovind, M. M. Eloff, and E. Smith, “The management of security in Cloud computing,” in 2010 Information Security for
South Africa, Johannesburg, South Africa, 2010, pp. 1–7.
[62] S. Iqbal et al., “On cloud security attacks: A taxonomy and intrusion detection and prevention as a service,” J. Netw. Comput.
Appl., vol. 74, pp. 98–120, Oct. 2016.
[63] the Software-as-a-Service Executive Council, “Software-as-a-Service; A Comprehensive Look at the Total Cost of Ownership
of Software Applications,” 2006.
[64] S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” J. Netw. Comput.
Appl., vol. 34, no. 1, pp. 1–11, Jan. 2011.
[65] M. Masdari and M. Jalali, “A survey and taxonomy of DoS attacks in cloud computing: DoS attacks in cloud computing,” Secur.
Commun. Netw., vol. 9, no. 16, pp. 3724–3751, Nov. 2016.
[66] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, and R. Buyya, “DDoS attacks in cloud computing: Issues, taxonomy, and future
directions,” Comput. Commun., vol. 107, pp. 30–48, Jul. 2017.
[67] S. T.K and D. B, “Security Attack Issues and Mitigation Techniques in Cloud Computing Environments,” Int. J. UbiComp, vol.
7, no. 1, pp. 1–11, Jan. 2016.
[68] A. Singh and K. Chatterjee, “Cloud security issues and challenges: A survey,” J. Netw. Comput. Appl., vol. 79, pp. 88–115, Feb.
2017.
[69] R. Mehta, “Distributed Denial of service Attacks on Cloud Environment,” Int. J. Adv. Res. Comput. Sci., p. 3, 2017.
[70] M. Dekker, D. Liveri, M. Lakka, and European Network and Information Security Agency, “Cloud security incident reporting
framework for reporting about major cloud security incidents.” 2013.
[71] R. Bhadauria, R. Chaki, and S. Sanyal, “A Survey on Security Issues in Cloud Computing,” pp. 1-15, 2011.

[72] K. Vieira, A. Schulter, C. Westphall, and C. Westphall, “Intrusion Detection for Grid and Cloud Computing,” IT Prof., vol. 12,
no. 4, pp. 38–43, Jul. 2010.
[73] C. Lo, C. Huang, and J. Ku, “A Cooperative Intrusion Detection System Framework for Cloud Computing Networks,” in 2010
39th International Conference on Parallel Processing Workshops, 2010, pp. 280–284.
[74] K. G. A. Sawesi, M. M. Saudi, and M. Z. Jali, “Designing a new E-Commerce authentication framework for a cloud-based
environment,” in 2013 IEEE 4th Control and System Graduate Research Colloquium, 2013, pp. 53–58.
[75] A. G. Revar and M. D. Bhavsar, “Securing user authentication using single sign-on in Cloud Computing,” in 2011 Nirma
University International Conference on Engineering, 2011, pp. 1–4.
[76] “Category:OWASP Top Ten Project - OWASP.” [Online]. Available:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. [Accessed: 12-Nov-2018].
[77] T.-Y. Wu, C.-M. Chen, X. Sun, S. Liu, and J. C.-W. Lin, “A Countermeasure to SQL Injection Attack for Cloud Environment,”
Wirel. Pers. Commun., vol. 96, no. 4, pp. 5279–5293, Oct. 2017.
[78] M. Yassin, H. Ould-Slimane, C. Talhi, and H. Boucheneb, “SQLIIDaaS: A SQL Injection Intrusion Detection Framework as a
Service for SaaS Providers,” in 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud),
New York, NY, USA, 2017, pp. 163–170.
[79] “At general availability, SQL Database Threat Detection will cost $15 / server / month.” [Online]. Available:
https://azure.microsoft.com/en-us/blog/azure-sql-database-threat-detection-general-availability-in-spring-2017/. [Accessed: 12-
Nov-2018].
[80] “AWS WAF - Web Application Firewall - Amazon Web Services (AWS),” Amazon Web Services, Inc. [Online]. Available:
https://aws.amazon.com/waf/. [Accessed: 12-Nov-2018].
[81] P. Deshpande, S. C. Sharma, S. K. Peddoju, and A. Abraham, “Security and service assurance issues in Cloud environment,” Int.
J. Syst. Assur. Eng. Manag., vol. 9, no. 1, pp. 194–207, Feb. 2018.
[82] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna, “Cross-Site Scripting Prevention with Dynamic Data
Tainting and Static Analysis,” p. 12.
[83] M. T. Louw and V. N. Venkatakrishnan, “Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers,”
in 2009 30th IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2009, pp. 331–346.
[84] “Survey on Security Attacks and Solutions in Cloud Infrastructure,” IJARCCE, vol. 3, no. 8, p. 5, Aug. 2014.
[85] “Facebook users targeted by hackers in successful phishing attack - Telegraph.” [Online]. Available:
https://www.telegraph.co.uk/technology/facebook/5326971/Facebook-users-targeted-by-hackers-in-successful-phishing-
attack.html. [Accessed: 13-Nov-2018].
[86] O. Achbarou, M. A. E. kiram, and S. E. Bouanani, “Securing Cloud Computing from Different Attacks Using Intrusion
Detection Systems,” Int. J. Interact. Multimed. Artif. Intell., vol. 4, no. 3, p. 61, 2017.
[87] A. Akbarabadi, M. Zamani, S. Farahmandian, J. M. Zadeh, and S. M. Mirhosseini, “An Overview on Methods to Detect Port
Scanning Attacks in Cloud Computing,” p. 6.
[88] A. Singh and D. M. Shrivastava, “Overview of Attacks on Cloud Computing,” vol. 1, no. 4, p. 3, 2012.
[89] M. A. Khan, “A survey of security issues for cloud computing,” J. Netw. Comput. Appl., vol. 71, pp. 11–29, Aug. 2016.
[90] R. Anitha, P. Pradeepan, and P. Yogesh, “Data Storage Security in Cloud using Metadata,” p. 5, 2013.
[91] S. Anwar et al., “Cross-VM cache-based side channel attacks and proposed prevention mechanisms: A survey,” J. Netw.
Comput. Appl., vol. 93, pp. 259–279, Sep. 2017.
[92] M.-M. Bazm, M. Lacoste, M. Südholt, and J.-M. Menaud, “Side Channels in the Cloud: Isolation Challenges, Attacks, and
Countermeasures,” p. 14.
[93] P. Mishra, E. S. Pilli, V. Varadharajan, and U. Tupakula, “Intrusion detection techniques in cloud environment: A survey,” J.
Netw. Comput. Appl., vol. 77, pp. 18–47, Jan. 2017.
[94] Yubin Xia, Yutao Liu, H. Chen, and B. Zang, “Defending against VM rollback attack,” in IEEE/IFIP International Conference
on Dependable Systems and Networks Workshops (DSN 2012), Boston, MA, USA, 2012, pp. 1–5.
