An analysis of security issues for cloud computing


Post on 08-Dec-2016






  • RESEARCH Open Access

    An analysis of security issues for cloud computing

    Keiko Hashizume1*, David G Rosado2, Eduardo Fernández-Medina2 and Eduardo B Fernandez1


    Cloud Computing is a flexible, cost-effective, and proven delivery platform for providing business or consumer IT services over the Internet. However, Cloud Computing presents an added level of risk because essential services are often outsourced to a third party, which makes it harder to maintain data security and privacy, support data and service availability, and demonstrate compliance. Cloud Computing leverages many technologies (SOA, virtualization, Web 2.0); it also inherits their security issues, which we discuss here, identifying the main vulnerabilities in this kind of system and the most important threats found in the literature related to Cloud Computing and its environment, as well as identifying and relating vulnerabilities and threats with possible solutions.

    Keywords: Cloud computing, Security, SPI model, Vulnerabilities, Threats, Countermeasures

    * Correspondence: ahashizu@fau.edu
    1 Department of Computer Science and Engineering, Florida Atlantic University, Boca Raton, USA
    Full list of author information is available at the end of the article

    © 2013 Hashizume et al.; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

    Hashizume et al. Journal of Internet Services and Applications 2013, 4:5

    1. Introduction

    The importance of Cloud Computing is increasing and it is receiving growing attention in the scientific and industrial communities. A study by Gartner [1] considered Cloud Computing as the first among the top 10 most important technologies and with a better prospect in successive years by companies and organizations.

    Cloud Computing enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

    Cloud Computing appears as a computational paradigm as well as a distribution architecture and its main objective is to provide secure, quick, convenient data storage and net computing service, with all computing resources visualized as services and delivered over the Internet [2,3]. The cloud enhances collaboration, agility, scalability, availability, and the ability to adapt to fluctuations according to demand, accelerates development work, and provides potential for cost reduction through optimized and efficient computing [4-7].

    Cloud Computing combines a number of computing concepts and technologies such as Service Oriented Architecture (SOA), Web 2.0, virtualization and other technologies with reliance on the Internet, providing common business applications online through web browsers to satisfy the computing needs of users, while their software and data are stored on the servers [5]. In some respects, Cloud Computing represents the maturing of these technologies and is a marketing term to represent that maturity and the services they provide [6].

    Although there are many benefits to adopting Cloud Computing, there are also some significant barriers to adoption. One of the most significant barriers to adoption is security, followed by issues regarding compliance, privacy and legal matters [8]. Because Cloud Computing represents a relatively new computing model, there is a great deal of uncertainty about how security at all levels (e.g., network, host, application, and data levels) can be achieved and how application security is moved to Cloud Computing [9]. That uncertainty has consistently led information executives to state that security is their number one concern with Cloud Computing [10].

    Security concerns relate to risk areas such as external data storage, dependency on the public internet, lack of control, multi-tenancy and integration with internal security. Compared to traditional technologies, the cloud has many specific features, such as its large scale and the fact that resources belonging to cloud providers are completely distributed, heterogeneous and totally virtualized. Traditional security mechanisms such as identity, authentication, and authorization are no longer enough for clouds in their current form [11]. Security controls in Cloud Computing are, for the most part, no different than security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, Cloud Computing may present different risks to an organization than traditional IT solutions. Unfortunately, integrating security into these solutions is often perceived as making them more rigid [4].

    Moving critical applications and sensitive data to public cloud environments is of great concern for those corporations that are moving beyond their data center's network under their control. To alleviate these concerns, a cloud solution provider must ensure that customers will continue to have the same security and privacy controls over their applications and services, provide evidence to customers that their organization is secure and they can meet their service-level agreements, and that they can prove compliance to auditors [12].

    We present here a categorization of security issues for Cloud Computing focused on the so-called SPI model (SaaS, PaaS and IaaS), identifying the main vulnerabilities in this kind of system and the most important threats found in the literature related to Cloud Computing and its environment. A threat is a potential attack that may lead to a misuse of information or resources, and the term vulnerability refers to the flaws in a system that allow an attack to be successful. Some surveys focus on one service model, or on listing cloud security issues in general without distinguishing among vulnerabilities and threats. Here, we present a list of vulnerabilities and threats, and we also indicate what cloud service models can be affected by them. Furthermore, we describe the relationship between these vulnerabilities and threats; how these vulnerabilities can be exploited in order to perform an attack, and also present some countermeasures related to these threats which try to solve or improve the identified problems.

    The remainder of the paper is organized as follows: Section 2 presents the results obtained from our systematic review. Next, in Section 3 we define in depth the most important security aspects for each layer of the Cloud model. Later, we will analyze the security issues in Cloud Computing, identifying the main vulnerabilities for clouds, the most important threats in clouds, and all available countermeasures for these threats and vulnerabilities. Finally, we provide some conclusions.

    1.1 Systematic review of security issues for cloud computing

    We have carried out a systematic review [13-15] of the existing literature regarding security in Cloud Computing, not only in order to summarize the existing vulnerabilities and threats concerning this topic but also to identify and analyze the current state and the most important security issues for Cloud Computing.

    1.2 Question formalization

    The question focus was to identify the most relevant issues in Cloud Computing which consider vulnerabilities, threats, risks, requirements and solutions of security for Cloud Computing. This question had to be related to the aim of this work, that is, to identify and relate vulnerabilities and threats with possible solutions. Therefore, the research question addressed by our research was the following: What security vulnerabilities and threats are the most important in Cloud Computing which have to be studied in depth with the purpose of handling them? The keywords and related concepts that make up this question and that were used during the review execution are: secure Cloud systems, Cloud security, delivery models security, SPI security, SaaS security, PaaS security, IaaS security, Cloud threats, Cloud vulnerabilities, Cloud recommendations, best practices in Cloud.

    1.3 Selection of sources

    The selection criteria through which we evaluated study sources were based on the research experience of the authors of this work, and in order to select these sources we have considered certain constraints: studies included in the selected sources must be written in English and these sources must be web-available. The following list of sources has been considered: ScienceDirect, ACM digital library, IEEE digital library, Scholar Google and DBLP. Later, the experts will refine the results and will include important works that had not been recovered in these sources and will update these works taking into account other constraints such as impact factor, citations received, important journals, renowned authors, etc.

    Once the sources had been defined, it was necessary to describe the process and the criteria for study selection and evaluation. The inclusion and exclusion criteria of this study were based on the research question. We therefore established that the studies must contain issues and topics which consider security on Cloud Computing, and that these studies must describe threats, vulnerabilities, countermeasures, and risks.

    1.4 Review execution

    During this phase, the search in the defined sources must be executed and the obtained studies must be evaluated according to the established criteria. After executing the search chain on the selected sources we obtained a set of about 120 results which were filtered with the inclusion criteria to give a set of about 40 relevant studies. This set of relevant studies was again filtered with the exclusion criteria to give a set of studies which corresponds with 15 primary proposals [4,6,10,16-27].


    2. Results and discussion

    The results of the systematic review are summarized in Table 1, which shows a summary of the topics and concepts considered for each approach.

    As shown in Table 1, most of the approaches discussed identify, classify, analyze, and list a number of vulnerabilities and threats focused on Cloud Computing. The studies analyze the risks and threats and often give recommendations on how they can be avoided or covered, resulting in a direct relationship between vulnerabilities or threats and possible solutions and mechanisms to solve them. In addition, we can see that in our search, many of the approaches, in addition to speaking about threats and vulnerabilities, also discuss other issues related to security in the Cloud such as data security, trust, or security recommendations and mechanisms for any of the problems encountered in these environments.

    2.1 Security in the SPI model

    The cloud model provides three types of services [21,28,29]:

    Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

    Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure his own applications without installing any platform or tools on their local machines. PaaS refers to providing platform layer resources, including operating system support and software development frameworks that can be used to build higher-level services.

    Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

    With SaaS, the burden of security lies with the cloud provider. In part, this is because of the degree of abstraction: the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control. Largely because of the relatively lower degree of abstraction, IaaS offers greater tenant or customer control over security than do PaaS or SaaS [10].

    Before analyzing security challenges in Cloud Computing, we need to understand the relationships and dependencies between these cloud service models [4]. PaaS as well as SaaS are hosted on top of IaaS; thus, any breach in IaaS will impact the security of both PaaS and SaaS services, but the reverse may also be true. However, we have to take into account that PaaS offers a platform to build and deploy SaaS applications, which increases the security dependency between them. As a consequence of these deep dependencies, any attack on any cloud service layer can compromise the upper layers. Each cloud service model comprises its own inherent security flaws; however, they also share some challenges that affect all of them. These relationships and dependencies between cloud models may also be a source of security risks. A SaaS provider may rent a development environment from a PaaS provider, which might also rent an infrastructure from an IaaS provider. Each provider is responsible for securing his own services, which may result in an inconsistent combination of security models. It also creates confusion over which service provider is responsible once an attack happens.

    2.2 Software-as-a-service (SaaS) security issues

    SaaS provides application services on demand such as email, conferencing software, and business applications such as ERP, CRM, and SCM [30]. SaaS users have less control over security among the three fundamental delivery models in the cloud. The adoption of SaaS applications may raise some security concerns.

    Table 1 Summary of the topics considered in each approach

    Topics/References [4] [6] [10] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27]
    Vulnerabilities X X X X X X X X X
    Threats X X X X X X X X X X X X X
    Mechanisms/Recommendations X X X X X X X X
    Security Standards X X
    Data Security X X X X X X X
    Trust X X X X X
    Security Requirements X X X X X X
    SaaS, PaaS, IaaS Security X X X

    2.3 Application security

    These applications are typically delivered via the Internet through a Web browser [12,22]. However, flaws in web applications may create vulnerabilities for the SaaS applications. Attackers have been using the web to compromise users' computers and perform malicious activities such as stealing sensitive data [31]. Security challenges in SaaS applications are not different from any web application technology, but traditional security solutions do not effectively protect it from attacks...