a bibliometric analysis of cloud security research...deploy the service [5]. examples include amazon...

http://www.iaeme.com/IJCET/index.asp 14 [email protected]

International Journal of Computer Engineering and Technology (IJCET)

Volume 11, Issue 4, July-August 2020, pp. 14-30, Article ID: IJCET_11_04_003

Available online at http://www.iaeme.com/ijcet/issues.asp?JType=IJCET&VType=11&IType=4

Journal Impact Factor (2020): 10.8630 (Calculated by GISI) www.jifactor.com

ISSN Print: 0976-6367 and ISSN Online: 0976–6375

© IAEME Publication

A BIBLIOMETRIC ANALYSIS OF CLOUD

SECURITY RESEARCH

Umar Yusuf Dayyabu, Chandrashekhar Uppin and Jo Greenwood

Department of Computer Science, Baze University, Abuja and School of Computing,

Science and Engineering, University of Salford, Salford, Greater Manchester,

M5 4WT, United Kingdom

ABSTRACT

In current era, cloud services are playing a major role in data processing and

data transmission services across the globe. As result, there has been a surge in data

security risks which have repeatedly threatened organisations and national data grids.

Through this paper we provide our research study on current articles using

bibliometric analysis on cloud computing services. Bibliometrics involves the

measurement of data that is not central to the text. The text does not necessarily need

to be read as part of the analytical process. Instead, extrinsic measures such as

keyword frequency, author affiliation, research areas and citations are measured. Our

study used several strategies to source relevant publications. Firstly, we performed an

automated database search using “cloud AND computing AND security” as the main

search terms. We searched for inclusion of all 3 words in either the title, abstract or

keywords of all documents. The analysis was conducted on the following criteria:

impact journals, highly cited articles, research areas, productivity, keyword

frequency, institutions and authors.

Key words: Cloud Computing, Cloud Security, Bibliometric

Cite this Article: Umar Yusuf Dayyabu, Chandrashekhar Uppin and Jo Greenwood,

A Bibliometric Analysis of Cloud Security Research, International Journal of

Computer Engineering and Technology 11(4), 2020, pp. 14-30.

http://www.iaeme.com/IJCET/issues.asp?JType=IJCET&VType=11&IType=4

1. INTRODUCTION

Cloud computing is a computing model where a large number of systems are connected over

networks, to distribute computer resources [1]. The idea of cloud computing is based on a

fundamental principle of users being able to retrieve and process their data anywhere and at

any time. Before the advent of cloud computing, most organizations stored their data locally.

This could be frustrating when users wanted to access their data remotely. After the

emergence of cloud computing, organisations began moving their data to the cloud, but by

doing so, they put themselves at risk as their data was now accessible anywhere. Attackers are

using the cloud as a way of gaining access to, and manipulating the data of organizations. The

cloud can be grouped into three categories, namely: software, platform and infrastructure [2].

A Bibliometric Analysis of Cloud Security Research


Software as a Service (SaaS): In this model, generally, cloud providers allow users to

access application software in the cloud on demand [1]. SaaS allows organisations to create a

single instance of a web service and feed multiple users with it. An example of this model is

Yahoo Mail. SaaS has increased the number of security challenges whereby multiple users all

over the world use this service. However, data integrity and confidentiality are at stake, as one

instance of a service is shared among multiple users [3].

Platform as a Service (PaaS): In the PaaS model, cloud providers encapsulate part of the

software and offer it as a service to the users. The end users have the freedom to integrate the

service with their software. PaaS providers may include additional facilities (application

development and design, testing, deployment, and hosting) for their customers [4]. Examples

of PaaS include Microsoft Azure and Google App Engine.

Infrastructure as a Service (IaaS): The IaaS model provides virtualized storage and

computing capabilities over the internet. The capabilities provided to the users of this model

are storage, network and other necessary resources where the user is able to implement and

deploy the service [5]. Examples include Amazon Cloud Formation, Right Scale, and Rack

Space Cloud.

In all three categories above, security is the most important issue, making it a clear

expectation that cloud security is key to all aspects of cloud computing.

Organisations are moving their data to cloud. This is because the cloud offers some

fundamental advantages in terms of cost-saving, efficiency, disaster recovery, and

deployment. The benefits that the cloud provides are numerous. Nevertheless, like any other

emerging technology, the limitations and issues are also many. There are issues of security

related to the multi-tenant and virtualisation nature of cloud computing; concerns with respect

to the loss of confidential data to cloud vendors. Data confidentiality and integrity are the

most crucial aspect of cloud computing security, most organisations continue to move their

data to the cloud due to the numerous advantages stated above, but the danger it poses is also

significant.

This paper focuses more on the Infrastructure as a Service (model). This is due to the

highest number of publications on the topic (when compared to SaaS and PaaS) as shown in

s.no 4 of this paper. Also, IaaS is one of the most widespread cloud computing models [1]

simply because the IaaS vendors grant the customers access to the underlying IT

infrastructure. During our research, several issues concerning IaaS security were identified as

discussed in s.no. 4, as were processes that would mitigate those issues. One of the critical

main issues that we identified was poor access control management which in some situations

allowed anyone to access sensitive information stored in the cloud.

Bibliometrics is the statistical analysis of scientific and technical data such as

publications, citations, and research outputs [6]. It allows researchers to explore their impact

in their respective field. The approach implements mathematical and statistical tools to

quantify the data that determines a researcher's input or contribution to science and

technology [7]. The analysis process involves a literature review of scientific activity such as

authors, publications, citations, institutions, countries, publication year, subject areas and

languages [6]. There are many advantages to bibliometric analysis. These include, (a)

researchers are in a position to critically evaluate the importance of their research and

publications, (b) authors are able to critically forecast the future trend of their research and its

impact on a society, (c) institutions are able to look at how their publications influence

succeeding researchers [8].



In order to evaluate the impact of cloud security, this paper aims to critically evaluate the

cloud security publications published in the Scopus database between 2010 and 2016. The

approach involves the evaluation of cloud security research, research topics, publication

patterns, and the assessment of cloud security. This paper was prepared using the following

research questions: (a) what is the trend of publications in cloud security, and (b) how does

this trend help in recognizing the future direction of cloud security study?

Using “cloud AND computing AND security” as the main keywords in the Scopus Core

Collection, we identified over 11,000 journals, conference proceedings, book series, books,

and trade publications dated from 1958 to 2017. After filtering the results to include only

English Language articles from 2010 to 2016, we identified 9,992 main related articles. With

the selected 9,992 articles, we carried out the analysis by creating the relationship between the

abstract, title, citation, publication, research area, location and the keywords used. Finally, we

categorised the research articles into six continents of World: Africa, Asia, Australia, Europe,

North America, and South America. Table 1 shows the distribution of the articles based on

their respective continents where Asia leads with 51.5% followed by Europe with 23.2%

respectively.

Table 1 Distribution of cloud security research based on 7 continents.

Geographic Area Publications (%)

Asia 58.5

Europe 26.7

North America 20.4

Australia 3.9

Africa 3.6

South America 1.0

This report is organized as follows: Section 2 describes the different methodologies and

the chosen method. Section 3 of the paper describes the literature review of cloud security

(findings). Section 4 presents the different types of cloud security. Section 5 describes the

trends and challenges of cloud security study. Finally, section 6 contains the conclusion and

recommendations of the study.

2. METHODOLOGY

Bibliometrics is the science of analysing research publications by methodical measurement of

written communication [9]. Pritchard described it as “The application of mathematics and

statistical methods to books and other media of communication” [10]. Bibliometrics involves

the measurement of data that is not central to the text. The text does not necessarily need to be

read as part of the analytical process. Instead, extrinsic measures such as keyword frequency ,

author affiliation, research areas and citations are measured [11].

Traditionally, bibliometrics has done 2 things: counting publications and counting

citations of individual papers [9]. The number of publications serves as an indicator of

productivity whilst the number of citations shows us how visible a particular piece of research

is, which in turn, reflects its importance. The number of citations is a good indicator of the

quality of a research publication and the relevance of its findings. Braun et al. stated that “if a

paper receives 5 or 10 citations a year throughout several years after its publication, it is very

likely that its content will become integrated into the body of knowledge of the respective

subject field; if, on the other hand, no reference is made at all on the paper during 5 to 10

years after publication, it is likely that the results involved do not contribute essentially to the

contemporary scientific paradigm system of the subject field in question” [12].



In this paper, we used several strategies to source relevant publications. Firstly, we

performed an automated database search using “cloud AND computing AND security” as the

main search terms. We searched for inclusion of all 3 words in either the title, abstract or

keywords of all documents. This returned 11,035 documents. Then we filtered the search

results to include only those documents published between 2010 and 2016 inclusive. A total

of 10,253 documents were returned. We then went on to limit our search results to include

only documents written in English. This gave us a final result of 9,992 documents on which to

perform our analysis. The analysis will be conducted on the following criteria: impact

journals, highly cited articles, research areas, productivity, keyword frequency, institutions

and authors. To illustrate the results, we will make use of Scopus‟ excellent visualisation

tools. Figure. 1 is provided to illustrate the process.

2.1. Scopus

There are several online databases used to index journal articles, such as Web of Science,

Elsevier‟s Scopus, Google Scholar, iEEE Xplore, ScienceDirect, DOAJ and Springer. There

are also many more subject specific databases such as Nature Index, APA PsycNET,

PubMed/Medline, INSPEC and DBLP. Traditionally, Web of Science and Scopus are

generally considered to be the 2 main data sources for the application of bibliometrics on

research literature [13]–[15] but more recently Google Scholar has become a popular

alternative.

Figure 1 The schematic of the data collection process.



Google Scholar works in a different way to WoS and Scopus as it collects its citation data

by crawling the web for documents that contain references to papers and books rather than

inputting its own bibliographical data. This was the subject of Jacsó‟s 2010 paper “Metadata

mega mess in Google Scholar” where he found Google Scholar to be “especially

inappropriate for bibliometric searches, for evaluating the publishing performance and impact

of researchers and journals” [16]

WoS and Scopus are commercial, subscription based databases whereas Google Scholar is

open access. Whilst Google Scholar has been recognised as having a unique coverage when

compared to other sources of publication and citation data and is able to identify highly-cited

papers effectively, its effectiveness as a bibliometric research tool is somewhat hampered by a

lack of search and sorting criteria and a limitation on search results [17]. Furthermore, “the

low data quality found in Google Scholar raises questions about its suitability for research

evaluation” [14]. This leads us to exclude Google Scholar as an option for our bibliometric

research.

When going on to compare Web of Science and Elsevier‟s Scopus we need to consider 3

main factors: coverage; search options and citation analysis.

Database provenance does not concern us, due to our research only involving studies

carried out in the past 6 years, but data coverage within our specific field of computer science

is of great importance. Zhang found that Scopus identified more journal articles than WoS in

the computer science field [18]. Wainer et al. found that Scopus was better than WoS in

representing computer science researchers and noted that “on average, 66% of a computer

scientist‟s published work is not accounted for in WoS” [19]. When investigating the

difference in coverage of bibliographical records in the computer science field across 4

databases (Scopus WoS, INSPEC and DBLP), Cavacini found that Scopus indexed the

highest number of unique articles and WoS the lowest [20].

Figure 2 Publications by year.

The search options in both databases are very similar. Both offer the same search fields

and the same filtering parameters for search results. However, when compared to that of its

competitors we have found the Scopus web interface to be the easiest and most intuitive to

navigate in terms of its usability. Whilst WoS has the capability to analyse search results, the

analytical functionality offered by Scopus and the presentation thereof, is far superior.

Aesthetically clear graphs and charts can be generated to illustrate trends and compare



citations by year, source, author, affiliation, country/territory, document type and subject area.

Elsevier‟s Scopus database will act as the search engine for this paper. It is the largest

database of peer-reviewed publications and includes scientific journals, books and conference

proceedings. It has over 66 million records consisting of over 22 thousand journals, 320 trade

journals and 7.7 million conference papers. Scopus is now a well-established alternative to the

Web of Science and is used in many international rankings of universities such as the Times

Higher Education ranking [21].

3. FINDINGS

In this section we discuss our findings in relation to the subject of cloud computing security.

This section comprises 7 topics: productivity, research areas, institutions, authors, impact

journals, highly-cited articles and keyword frequency. These findings show the publishing

rates with additional bibliometric data. This is important because it helps to expose the high-

quality research which in turn generates knowledge and an increased depth of understanding.

It also paves the way for future research of greater quality and substance.

Figure. 2 shows the number of publications between 2010 and 2016. These publications

include conference papers, articles, conference reviews, book chapters, reviews, press articles,

books, editorials, surveys and notes. A steady rise in the number of publications can be seen

throughout this period although a reduced rate of increase is noticeable during 2014 where

publication almost reach a plateau. The amount of publications then go on to pick up in 2015

at a rate of increase that exceeds the rate prior 2014.

Figure 3 Publications by type.

In Figure. 3 we can see how the number of publications in our selected time-period are

distributed by type. Almost 90% of publications are made up of conference papers (63.7%)

and articles (25.2%).

3.1. Productivity

In this section we look at the productivity of individual countries. Productivity can be

described as the number or frequency of documents published. In this way, we are able to

assess which countries have been the most productive in terms of publishing. Fig. 4 shows the



number of publications according to country during the time period of 2010 – 2016. Only the

10 countries with the highest publication rates are shown.

Figure. 4 shows that China makes the largest contribution to publications in the area of

cloud computing security with 2208 documents, closely followed by the United States (1774

documents) and India (1681 documents).

Figure 4 Publications by country.

3.2. Research Areas

In this section we discuss our findings in relation to specific research areas. Research areas

are often used to measure performance based on publication and citation rates. The Scopus

database indexes documents under 4 main subject areas: health sciences, life sciences,

physical sciences and social sciences & humanities. These subject areas are further

categorized into 232 fields such as computer science, engineering, mathematics, social

sciences, decisions sciences etc.

Figure 5 Publications by Subject Area



Figure. 5 shows that the majority of our articles come under the areas of computer science

and engineering (81% and 27.2% respectively). Some examples of sub-areas that come under

the main area of computer science and engineering are algorithms, artificial intelligence,

computer architecture, software architecture, software engineering, machine learning, big

data, data processing and security analysis. 13.6% of our articles come under the area of

mathematics.

Of the articles returned in our search, the article with the highest number of citations in the

area of computer science was “A survey on security issues in service delivery models of cloud

computing” with 859 citations.

3.3. Institutions

In this section we look at publications in relation to their affiliations with institutions. Our

objective is to find out which institutions, are most prolific in their academic output. Both the

frequency and impact of an institution's publications are important factors when calculating a

university‟s ranking [22].

In Figure. 6 we can see that the majority of publications are affiliated with Chinese

institutions. The top 10 institutions also include 2 from India.

Figure 6 Publications by affiliation.

3.4. Authors

This section looks at publications according to authors. Our objective is to find out which

authors are most active.

Of the top 10 most active authors, 6 are affiliated with Chinese universities, 2 with United

States universities and 2 with Italian universities. In Figure. 7 we can see that Xiaofeng Chen

has contributed to the most publications within the field of cloud computing security. He has

authored or co-authored 42 articles which between them have been cited 408 times. His most

highly cited articles are “New algorithms for secure outsourcing of modular exponentiations”

with 91 citations and “Fine-grained access control system based on outsourced attribute-based

encryption” with 42 citations. It is of interest that Cheng has collaborated with Jin Li on many

of these publications. Jin Li has contributed to a total of 34 cloud computing security articles

during the 2010 to 2016 period, 23 of which were co-authored with Cheng and others.



Figure 7 Publications by author.

3.5. Impact journals

In this section we discuss impact journals within the area of computer science. Our aim is to

reveal the leading journals in this area and also, those with the highest citations.

Figure. 8 shows 10 journal titles with the greatest number of publications in the area of

cloud computing security. The largest number publications comes from the Lecture Notes In

Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture

Notes in Bioinformatics), followed, in 2016, by the ACM International Conference

Proceeding Series. Whilst the output of the journals in 2nd

to 10th

position in terms of number

of publication, has fluctuated over the years, the Lecture Notes In Computer Science journal

has always remained on top (with the exception of being briefly superseded by the Applied

Mechanic and Materials journal in 2014). This may be because it publishes articles in what

are considered to be new development areas such as computer science and information

technology research[6].

Figure 8 Publications by source.



3.6. Highly-Cited Articles

This section looks at the number of citations received by the top journals. Table 2 shows 20 of

the most highly-cited articles in the field of cloud computing security between 2010 and 2016.

It lists the article title, the number of times the article has been cited, the journal in which the

article was published and the year of publishing. These 20 articles make up 13.45% of the

total publications in our search results. From studying this table we can see that the trend for

the number of citations is that they are fewer in more recent years. This would support the

assumption that the longer an article has been available in the Scopus, and other, databases,

the more citations it will receive.

Of all the articles published during this period, the most cited was “A survey on security

issues in service delivery models of cloud computing.” The paper presents a survey of the

different security risks that pose a threat to the cloud [23] and discusses the security issues

unique to SaaS, PaaS and IaaS.

3.7. Keywords Frequency

In this section we look at the keywords that are most used by researchers. Keywords are a

useful tool for identifying an article‟s relevance without solely relying on title searches.

Keywords can directly convey the content of a paper and the subject areas with which it is

concerned.

Table 2 Top 20 highly-cited articles.

Title Citations Journal Year

A survey on security issues in service delivery models of cloud

computing

859 Journal of Network and Computer Applications

2011

Achieving secure, scalable, and fine-grained data access control

in cloud computing

671 Proceedings - IEEE INFOCOM

2010

Addressing cloud computing security issues 542 Future Generation Computer Systems

2012

Privacy-preserving public auditing for data storage security in

cloud computing

530 Proceedings - IEEE INFOCOM

2010

Security and privacy challenges in cloud computing

environments

439 IEEE Security and Privacy

2010

A survey of mobile cloud computing: Architecture,

applications, and approaches

412 Wireless Communications and Mobile

Computing

2013

Enabling public auditability and data dynamics for storage

security in cloud computing

380 IEEE Transactions on Parallel and Distributed

Systems

2011

Privacy-preserving public auditing for secure cloud storage 344 IEEE Transactions on Computers 2013

Fuzzy keyword search over encrypted data in cloud computing 334 Proceedings - IEEE INFOCOM 2010

Data-intensive applications, challenges, techniques and

technologies: A survey on Big Data

305 Information Sciences 2014

Secure ranked keyword search over encrypted cloud data 284 Proceedings - International Conference on

Distributed Computing Systems

2010

Scalable and secure sharing of personal health records in cloud

computing using attribute-based encryption

273 IEEE Transactions on Parallel and Distributed

Systems

2013

Can homomorphic encryption be practical? 257 Proceedings of the ACM Conference on

Computer and Communications Security

2011

Achieving efficient cloud search services: Multi-keyword

ranked search over encrypted cloud data supporting parallel

computing

242 IEICE Transactions on Communications 2015

Understanding cloud computing vulnerabilities 226 IEEE Security and Privacy 2011

Data center network virtualization: A survey 206 IEEE Communications Surveys and Tutorials 2013

Security challenges for the public cloud 206 IEEE Internet Computing 2012

Toward secure and dependable storage services in cloud

computing

199 IEEE Transactions on Services Computing 2012

Cloud monitoring: A survey 192 Computer Networks 2013



Table 3 Frequency of keywords

Keyword Freq. Keywords Freq. Keywords Freq.

Cloud Computing 6,797 Information Science 213 Homomorphic Encryption 132

Security Of Data 1,620 Service Provider 210 Security Mechanism 131

Cryptography 1,562 Internet Of Things 209 Virtual Machine 130

Security 1,532 Public Key Cryptography 206 Data Storage Equipment 129

Network Security 1,328 Artificial Intelligence 202 Java Programming Language 128

Distributed Computer Systems 1,326 Infrastructure As A Service (IaaS) 201 Malware 126

Digital Storage 1,254 Cloud Computing Securities 199 Software Engineering 125

Data Privacy 1,052 Computation Theory 199 Cyber Security 123

Access Control 804 Health Care 198 Management 123

Computer Systems 761 Computing Resource 195 Intrusion Detection Systems 120

Authentication 658 Encryption 193 Cloud Computing Platforms 119

Internet 637 Computing Environments 192 Computing Paradigm 118

Web Services 538 Computer Architecture 190 Human 118

Privacy 530 Attribute-based Encryptions 184 Websites 118

Distributed Database Systems 529 Industry 183 Architecture 117

Mobile Security 521 Risk Assessment 183 Encrypted Data 117

Cloud Services 504 Search Engines 183 Smart Power Grids 117

Information Management 487 Cloud Computing Services 178 Cost Effectiveness 115

Cloud Security 485 Computer Simulation 177 Scheduling 115

Security Systems 474 Data Storage 172 Systems Engineering 115

Information Technology 468 Trust 171 Privacy And Security 114

Cloud Securities 460 Cloud Infrastructures 170 Query Processing 113

Virtualizations 449 Mobile Telecommunication Systems

170 SaaS 111

Cloud Service Providers 429 Data Integrity 164 Costs 110

Big Data 423 Application Programs 163 Cloud Data 108

Cloud 418 Cloud Computing Technologies 163 Mobile Computing 108

Clouds 412 Embedded Systems 160 Optimization 108

Cloud Computing Environments 403 Sensitive Information 156 Searchable Encryptions 108

Virtual Reality 388 Software As A Service (SaaS) 155 Middleware 107

Cloud Environments 386 Complex Networks 154 Privacy Protection 107

Virtual Machines 378 Data Confidentiality 152 Data Processing 105

Security And Privacy 375 Computer Security 146 Security Risks 105

Trusted Computing 372 Information Services 145 Third Parties 105

Mobile Devices 365 Monitoring 145 Internet Protocols 104

Security Issues 357 Data Centers 143 Sales 104

Computer Crime 342 Denial-of-service Attack 143 Service Oriented Architecture 104

Algorithms 314 Homomorphic Encryptions 143 Data Protection 103

Data Security 313 Semantics 143 Platform As A Service (PaaS) 103

Virtualization 312 Security Analysis 142 Distributed Systems 102

Privacy Preserving 287 Social Networking (online) 141 Hypervisor 102

Network Architecture 285 Sensitive Data 140 IaaS 100

Cloud Storage 282 Surveys 139 Security Policy 99

Cloud Storages 276 Computer Science 138 Risk Management 98

Mobile Cloud Computing 275 Security Threats 138 Decision Making 97

Quality Of Service 275 Hardware 137 Energy Utilization 96

Data Handling 269 Personal Computing 137 Network Management 96

Ubiquitous Computing 266 Security Problems 137 Research 96

Cloud Providers 260 Service Level Agreements 137 Smartphones 96

Intrusion Detection 254 Information Security 136 Efficiency 94

Security Challenges 234 Cloud Computing Security 135 Information Retrieval 94

Outsourcing 230 Data Mining 135 Interoperability 94

Information Systems 226 Communication 133 Searchable Encryption 92

Grid Computing 219 Confidentiality 133 Homomorphic Encryption 132

Security Requirements 217 Database Systems 132 Security Mechanism 131

Table 3 presents a list of keywords and the frequency with which they occur in our

articles.

As expected, the topics of SaaS, PaaS and IaaS are included in our keywords. Software as

a Service (SaaS) occurs 155 times. Platform as a Service (PaaS) occurs 103 times,

Infrastructure as a Service (IaaS) occurs 201 times and IaaS occurs 100 times. As the subject

of IaaS is researched with the most frequency (a total of 301 times) we have chosen to explore

this topic in more depth in the following section.



4. CLOUD COMPUTING IAAS SECURITY

This section discusses the different types of cloud computing. The section focuses more on

IaaS due to the greater number of publications on the topic (when compared with SaaS and

PaaS) as shown in Figure 9 below. In an Infrastructure as a Service environment, the cloud

providers grant the customers access to the underlying IT infrastructure[24]. In this model, the

customer does not have to bother about buying and managing data centres and hardware; the

cloud provider handles this instead. Also, IaaS providers provide infrastructure services or

resources, such as storage and communication services, in a flexible manner [25]. Most

enterprise servers today are hosted in cloud environments. This is because, cloud computing

offers some fundamental advantages in terms of cost-saving, efficiency, disaster recovery, and

deployment. Hosting servers resulted in significant technical security issues because the cloud

made them vulnerable to attacks. Among these issues are resource sharing, operational trust

modes, digital forensics, and new attack strategies [26]. Security focus has moved from

physical security and securing the data centres to securing the end-user system or end-points

themselves [26]. This was accomplished through numerous techniques including confining

the end-point services, firewalls, changing configurations to prevent unauthorised access, and

other related measures.

The evolution towards cloud computing on both IaaS and SaaS demands a re-evaluation

of approaches used to provide security [26]. The concern is how to protect data in an

unsecured channel and in the storage unit, and also how to ensure that data is protected from

the service providers.

Classification of this section is categorised in two parts. These are security issues, and

solution approach.

Figure 9 A comparison of SaaS, PaaS and IaaS keyword frequency.

4.1. Security Issues

As discussed above, security issues in IaaS fall in the hands of both the service provider and

the consumer (client) which greatly varies between cloud service models [23]. For instance, in

Amazon Elastic Compute Cloud (EC2), they (Amazon) are responsible for security up to the

40%

15%

45%

Software as a Service Platform as a Service Infrastrature as a Service



hypervisor [29], this means that they can only address security issues such as environmental

security, physical security, and virtualisation security. The client is responsible for the

managing the security controls to the system which includes Operating System, applications

and data [28].

IaaS environments often share resources across multiple clients. RAM, Hard disks, GPUs,

CPU cache, and other components were not typically designed with privacy requirements in

mind [24]. Consequently, the sharing of these resources may lead to leaked information.

The security concerns of Infrastructure as a Service are mostly to do with the issues of the

customer‟s (client) own data centre [30]. In IaaS model, the concern is how to protect data in

an unsecured channel and in the storage unit, and also how to ensure that data is protected

from the service providers. With IaaS frameworks, data control is the major issue that a

customer needs to tackle [30]. This is because you are using a virtualised environment and

services that belong to a third party. Failure in the vendor‟s security defence can affect your

organisation as well. Also, in the past, there have been successful side-channel timing attacks,

which exposed cryptographic keys across virtual systems [24]. Furthermore, vulnerabilities in

IaaS cloud core components, such as the hypervisor, can result in the compromise of the

entire IaaS infrastructure itself.

4.2. Solution Approach

The following approaches can be adopted to reduce the security concerns of IaaS mentioned

above.

Encrypted Communication Medium to Cloud Server: Making sure that data is encrypted

before storing on the cloud server using a symmetric cypher algorithm [27] [26], and

decrypting it after retrieval at the end user system for consumption [28]. It should be noted

that the general purpose of cryptography is ineffective if the data is purposely intended for use

within the cloud server [23]. This is because the server would require access to the key for

decryption whenever a user makes a request to the resources, which would make the key

available on the cloud server to the service provider. From our findings, different objectives

proposed by different authors on encrypted communication medium to cloud server are listed

in table 4.

Table 4 Encrypted communication medium to cloud server.

Reference Objectives

[27] End-to-end encryption of data. This can be achieved by disk encryption to encrypt all the data including

user files on the disk.

[28] Protecting data through encryption on a communication channel requires more than just ensuring that a

secure transfer channel is used, but strong algorithm as well

[23] [26] Encrypt data wherever possible to ensure that proper key management is implemented

Table 5 Computation on encrypted data.

Reference Objectives

[26] Data should be encrypted before storing to the database, and when retrieval, the decryption should be done

on the end-user system.

[31] To avoid eavesdrops attacks, data decryption should be carried out on the customer‟s system, and not the on

the network.

Computation on Encrypted Data: This is the process whereby a virtual machine in a cloud

environment can perform operations entirely on encrypted data, and produce results without

displaying the result in plaintext format [26] as shown in table 5. Such a strategy is called

homomorphic encryption [31]. Moreover, even in this type of operation, the service provider

may be able to intercept some classified data by following the pattern of operations used.



End to End Report and Logging: The effective deployment of Infrastructure as a Service

demands in-depth reporting and logging in places [27]. Robust reporting and logging

solutions helps to track where the data is, which server is handling the request, who is

accessing it, and which storage is responsible for it.

Authentication and Authorisation: A strong authentication and authorization algorithm such

as SHA1_512 would be helpful in providing an effective Data Loss Prevention solution [27].

5. CHALLENGES AND FUTURE TRENDS

Cloud Security researchers and hackers have started to pay closer attention to the cloud

infrastructures as data begins to move to cloud environments from traditional ICT setups.

Most enterprise servers today are hosted in cloud environments. This is because the cloud

offers more fundamental advantages in terms of cost-saving, efficiency, disaster recovery, and

deployment.

This section elaborates on the research challenges and the future trends of IaaS cloud

security based on existing research. Also, ideas on how to resolve the issues and challenges of

IaaS are proposed. Numerous research documents have dealt with important issues of IaaS

and the threats it poses. In spite of many studies conducted on IaaS, the security threats

continue to increase [24]. Even though the threats towards IaaS can include those related to

PaaS and SaaS [32], there are also extra threats. Nevertheless, With IaaS, most of the control

and security responsibilities rests with the customer. The following sub-sections outline the

most significant threats poses by IaaS model.

5.1. Compromising Accounts

Data leaks in IaaS cloud model often result due to the lack of understanding of users‟

privilege controls [33]. This is because IaaS providers let customer handle their own security

responsibilities and privilege controls. At some point, the customer creates a weak password

together with poor management of certificates and encryption keys. Additionally, when users

are assigned greater privileges than they actually need, some have abused them by planting

malicious files in the system and then invoking those files once they have been sacked or have

left the company. This technique can be used in order to manipulate data. In addition to data

manipulation, the results of such actions can even take the form of partial or full infrastructure

destruction.

To tackle this challenge, attention should be given to access controls (e.g. by using

federated cloud services). With the help of these cloud services, it is easy to manage and

maintain users' authentications and authorisations. Furthermore, using multi-factor

authentication technique [33], which include tokens, One True Pairing (OTP), smart cards,

etc., make it is easy to organise a flexible and convenient authentication system of internal

and external users. The use of multi-factor authentication reduces the risk of unauthorised

access to the infrastructure significantly.

5.2. Vulnerabilities

A typical mistake when using IaaS model is paying less attention to the security of

applications in the security and integration layer as shown in Figure 10 below [24] [33]. And

the vulnerability of applications results in a serious security threat to enterprise infrastructure

security of IaaS model.

Frequent use of vulnerability control, alongside constant software updates, can reduce the

risks associated with IaaS security significantly. This is recommended to both the IaaS

providers and their respective clients.



Figure 10 IaaS stack division [24].

5.3. Insecure APIs

The IaaS providers provide a set of APIs to access their cloud services. Recently, there have

been some security challenges with defective APIs [24], even though vendors are now

constantly improving their API development practices. Simultaneously, any update might

change an API‟s settings, which may result in malfunction of some customers‟ existing

functions.

The IaaS cloud providers are responsible for resolving these kinds of vulnerabilities.

Therefore, the APIs that need an upgrade should be fixed in a timely manner without the

customers worrying about them.

5.4. Denial of Service (DoS)

In IaaS, if a customer has exhausted all of their resources, they may degrade the service

quality of other customers in the same cloud section [24]. Hackers usually take advantage of

this issue and try to use it to exploit or exhaust all shared resources, or at some point, they try

to slow down other client‟s system performance. If hackers incorporate this issues with

network based DoS attacks, they could deny clients access to their important resources [24]

[27]. This attack may even result in an increased cost for the victim, this is because some

cloud vendors bill their customers based on their use of resources [24].

Frequent system maintenance should be carried out in order to track the infrastructure

performance and identify abnormalities on to system [34] and service security [35]. Also,

using intrusion detection and prevention solutions would help to detect network anomalies

and threats.

6. CONCLUSION

Cloud computing offers significant advantages in terms of cost-saving, efficiency, disaster

recovery, and deployment. The main concern, however, is the protection of data both in

transit and in storage.

IaaS security issues are the responsibility of both the service provider and the client [23].

Server side security concerns can be tackled using a variety of methods including encryption



of data, enabling computation on encrypted data and in depth reporting and logging. Client

side security concerns can be tackled by employing multi-factor authentication techniques,

thus significantly reducing the risk of unauthorised access.

In this study we have used bibliometric methods to analyse trends in cloud computing

security research between 2010 and 2016. In the process, we have discussed 7 different topics,

namely: productivity, research areas, institutions, authors, impact journals, highly-cited

articles and keyword frequency. These topics have helped to illustrate the global trends in

relation to the research of cloud computing security.

Our study shows that China is, by far, the most prolific producer of publications relating

to cloud computing security. China contributed a total of 2208 publications in this area

between 2010 and 2016. Of the top 10 most active authors, 6 were affiliated with Chinese

universities.

The majority of articles fell under the research areas of Computer Science and

Engineering. Lecture Notes In Computer Science was the leading journal in terms of the

number of publications in the area of cloud computing security.

A table of keyword frequencies was used to illustrate the trends and research directions

for future study in cloud computing and security related research. The most frequently

occurring keywords were “cloud computing”, “security of data”, “cryptography”, “security”,

“network security”, “distributed computer systems”, “digital storage”, “data privacy” and

“access control”.

These findings indicate that the issue of data confidentiality and integrity is currently

considered to be the most crucial aspect of cloud computing security.

REFERENCES

[1] A. Huth and J. Cebula, “The Basics of Cloud Computing,” 2011.

[2] A. M. Gamaleldin, “An Introduction to Cloud Computing Concepts Practical Steps for Using

Amazon EC2 IaaS Technology,” 2013.

[3] L. S. Gould, “Software as a Service for ERP,” Automot. Des. Prod., no. September, p. 56,

2008.

[4] S. Gritzalis, C. Mitchell, B. Thuraisingham, and J. Y. Zhou, “Security in cloud computing,”

Int. J. Inf. Secur., vol. 13, no. 2, pp. 95–96, 2014.

[5] J. Siddharth, “Platform as a service,” A White Pap. Ser., 2013.

[6] M. F. A. Razak, N. B. Anuar, R. Salleh, and A. Firdaus, “The rise of „malware‟: Bibliometric

analysis of malware study,” J. Netw. Comput. Appl., vol. 75, pp. 58–76, 2016.

[7] R. Herre, “Biblimetrics Chapter 1,” pp. 1–28, 2007.

[8] M. K. McBurney and P. L. Novak, “What is bibliometrics and why should you care?,”

Proceedings. IEEE Int. Prof. Commun. Conf., pp. 108–114, 2002.

[9] J. Koskinen et al., “How to use bibliometric methods in evaluation of scientific research? An

example from Finnish schizophrenia research.,” Nord. J. Psychiatry, vol. 62, no. 2, pp. 136–

43, 2008.

[10] A. Pritchard, “Statistical bibliography or bibliometrics?,” J. Doc., vol. 25, no. 4, pp. 348–349,

1969.

[11] V. Wilson, “Evidence Based Library and Information Practice,” vol. 1, pp. 50–52, 2016.

[12] T. Braun, W. Glanzel, and A. Schubert, Scientometric Indicators A 32-Century Comparative

Evaluation of Publishing Performance and Citation Impact. World Scientific, 1985.

[13] J. Mingers and L. Leydesdorff, “A review of theory and practice in scientometrics,” European

Journal of Operational Research. 2015.



[14] P. Mongeon and A. Paul-Hus, “The journal coverage of Web of Science and Scopus: a

comparative analysis,” Scientometrics, 2016.

[15] A. Abrizah, A. N. Zainab, K. Kiran, and R. G. Raj, “LIS journals scientific impact and subject

categorization: A comparison between Web of Science and Scopus,” Scientometrics, 2013.

[16] P. Jacsó, “Metadata mega mess in Google Scholar,” Online Inf. Rev., vol. 34, no. 1, pp. 175–

191, 2010.

[17] A. Martin-martin and E. Orduna-malea, “Can we use Google Scholar to identify highly - cited

documents ?,” vol. 11, pp. 1–20, 2016.

[18] L. Zhang, “The Impact of Data Source on the Ranking of Computer Scientists Based on

Citation Indicators: a comparison of Web of Science and Scopus,” Issues Sci. Technol.

Librariansh., 2014.

[19] J. Wainer, C. Billa, and S. Goldenstein, “Invisible work in standard bibliometric evaluation of

computer science,” Commun. ACM, vol. 54, no. 5, p. 141, 2011.

[20] A. Cavacini, “What is the best database for computer science journal articles?,”

Scientometrics, vol. 102, no. 3, pp. 2059–2071, 2015.

[21] A. W. Harzing and S. Alakangas, “Google Scholar, Scopus and the Web of Science: a

longitudinal and cross-disciplinary comparison,” Scientometrics, 2016.

[22] G. Buela-Casal, O. Gutiérrez-Martínez, M. P. Bermúdez-Sánchez, and O. Vadillo-Muñoz,

“Comparative study of international academic rankings of universities,” Scientometrics, vol.

71, no. 3, pp. 349–365, 2007.

[23] S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud

computing,” J. Netw. Comput. Appl., vol. 34, no. 1, pp. 1–11, 2011.

[24] C. Wueest, M. B. Barcena, and L. O. Brien, “Mistakes in the IaaS cloud could put your data at

risk,” 2015.

[25] M. I. Syed A. Ahson, Cloud Computing and Software Services. CRC Press, 2010.

[26] B. Hay, K. Nance, and M. Bishop, “Storm clouds rising: Security challenges for IaaS cloud

computing,” Proc. Annu. Hawaii Int. Conf. Syst. Sci., pp. 1–7, 2011.

[27] P. Arora, “Cloud Computing Security Issues in Infrastructure as a Service,” Int. J. Adv. Res.

Comput. Sci. Softw. Eng., vol. 2, no. 1, pp. 707–711, 2012.

[28] Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing

V3.0,” Cloud Secur. Alliance, pp. 0–176, 2011.

[29] Amazon, “Elastic Compute Cloud (EC2) – Cloud Server & Hosting – AWS,” Amazon,

2017. [Online]. Available: https://aws.amazon.com/ec2/. [Accessed: 10-May-2017].

[30] P. Davitt, “SaaS, PaaS and IaaS: What are all the risks?,” Arrow ESC E-Magazine, 2016.

[Online]. Available: http://ecsnamagazine.arrow.com/saas-paas-and-iaas-what-you-and-your-

customers-need-to-know-about-the-risks/. [Accessed: 11-May-2017].

[31] C. Gentry, “a Fully Homomorphic Encryption Scheme,” PhD Thesis, no. September, pp. 1–

209, 2009.

[32] P. Cox, “IaaS Threats In The Cloud – Part 3,” pp. 8–10, 2010.

[33] S. Maxim, “IaaS Security: Threats and Protection Methodologies,” eSecurity Planet, 2017.

[Online]. Available: http://www.esecurityplanet.com/network-security/iaas-security-threats-

and-protection-methodologies.html. [Accessed: 15-May-2017].

[34] É. Archambault, D. Campbell, Y. Gingras, and V. Larivière, “Comparing Bibliometric

Statistics Obtained from the Web of Science and Scopus.”

[35] Z. Mahmood, Cloud Computing: Challenges, Limitations and R&D Salutions. 2014.

a bibliometric analysis of cloud security research...deploy the service [5]. examples include amazon...

Documents