ISSN - 2348-2397 S SHODH SARITA

ODH ARITA
UGC Approved, Journal No. 48836 SH Vol. 3, Issue 11, July-September, 2017
Page Nos. 153-155
COMPUTER SCIENCE
AN INTERNATIONAL BILINGUAL PEER REVIEWED REFEREED RESEARCH JOURNAL

A COMPREHENSIVE STUDY OF CLOUD

Pragya Shukla*
COMPUTING AND SECURITY
Shashank Dahiya**
Vipul Dhariwal***
ABSTRACT
Now almost everyone use or take a service that usesstorage that can be accessed anytime anywhere without
actually carrying it, Cloud computing proved to be a revolution it was predicted to be. It's elastic nature and on-
demand and pay per use access to a pool of shared resources namely networks, storage, servers, services and
applications, without physically acquiring them worked wonders for cloud service providers. A report from
Forrester[1]predicted that the total global public cloud market will be $178B in 2018, up from $146B in 2017, and will
continue to grow at a 22% compound annual growth rate (CAGR). With such huge market, comes possibilities of
threats, attacks and possible compromise on regulations. Even though it is ever growing but still many IT firms are
reluctant to invest in Cloud due to security concerns.This researchpaperdefines the modern-day definition of Cloud
computing, outlines various models of Cloud and its architecture. This paper alsoincludes research on major security
threats and possible attacks and categorized based on security architecture. Relevant solutions and their efficiency
areone of the most important factors in recent scenario and the paper consolidates the ideas and techniques
mentioned in various other researches.
Keywords : Cloud computing, Secuity in cloud, Threats to cloud, Solutions to threats and attacks.

Introduction their organizations are not thoroughly vetted for

Cloud computing is growing inall fields, from
Commercial entities to Governments to consumers.A
[2]
survey by Right Scale found that an average user runs
applications in 3.1 clouds and experimenting with 1.7
more for a total of 4.8 clouds at least four cloud-based
applications and at any point in time is evaluating
another four. The survey also found that commercial
entities run32 percent of workloads in public cloud and
45 percent in private cloud. With so much workload
shifting towards clouds, its security and guideline
compliance has come under deeper scrutiny. These
results are supported by the findings of another study
[3]
in which 66 percent of respondents said their
organization's use of a cloud resource diminishes its
ability to protect confidential sensitive information and
62 percent said they believed the cloud services in use by
*Guide - Computer Science Department IET DAVV, Indore
**Computer Science Department IET DAVV, Indore
***Information Technology Department, IET DAVV, Indore, India
Vol. 3 Issue 11 July to Sept. 2017 'kks/k lfjrk
153
security before beingused while 71 percent said they
would not receive immediate notifications involving the
loss or theft of customer data. All these point in
onedirection: Need of increased reliability and tighter
security.
Hence, we have to look at issues and threats that the
modern cloud infrastructurefaces, some modern issues
are: Data protection, User Authentication,
Authorization, Availability, Confidentiality, Integrity,
Audit, Security monitoring, incident response. Lock-in
and multi tenancy are threats which are new to the cloud
computing world but are growing more and more as the
user base and number of cloud providers are increasing.
There are three categories of cloud computing based on
[4]
delivery as defined by ENISA :
1. Software as a service (SaaS): is software offered
53
QUARTERLY BI-LINGUAL RESEARCH JOURNAL
by a third-party provider, available on demand, usually
via the Internet configurable remotely. Examples
include online word processing and spreadsheet tools,
CRM services and web content delivery services
(Salesforce CRM, Google Docs, etc.).
2. Platform as a service (PaaS): allows customers
to develop new applications using APIs deployed and
configurable remotely. The platforms offered include
development tools, configuration management, and
deployment platforms. Examples are Microsoft Azure,
Force and Google App engine.
3. Infrastructure as service (IaaS): provides virtual
machines and other abstracted hardware and operating
systems which may be controlled through a service API.
Examples include Amazon EC2 and S3, Terremark
Enterprise Cloud, Windows Live SkyDrive and Rackspace
Cloud.
Also, it can be categorized by type of deployment:
• Private cloud. The cloud infrastructure is
operated for a private organization. It may be managed
by the organization or a third party and may exist on
premise or off premise.
• Community cloud. The cloud infrastructure is
shared by several organizations and supports a specific
community that has communal concerns (e.g., mission,
security requirements, policy, and compliance
considerations). It may be managed by the organizations
or a third party and may exist on premise or off premise.
• Public cloud. The cloud infrastructure is made
available to the general public or a large industry group
and is owned by an organization selling cloud services.
• Hybrid cloud. The cloud infrastructure is a
composition of two or more clouds (private, community,
or public) that remain unique entities, but are bound
together by standardized or proprietary technology,
that enables data and application portability (e.g., cloud
[5]
bursting for load-balancing between clouds) .
This article summarizes the definition of cloud
and its architecture and while defining possible threats
and attacks it also provides with relevant solutions.
The remainder of the paper is organized as
follows: Section 2 describes the architecture of Cloud
while Section 3 laying out the architecture for security
Vol. 3 Issue 11 July to Sept. 2017 'kks/k lfjrk
154
and its need. Possible threats are summarized in section
4 and relevant solutions to them are classified by section
5. Section 6 is for Conclusion.
Architecture
Before examining the threats and security
architecture, we need to understand the definition and
architecture of cloud computing. Thereare many
definitions for cloud computing in the literature [6]. The
definition provided by the National Institute of
Standards and Technology (NIST) [5]appears to include
key common elements widely used in the cloud
[7]
computing community : “Cloud computing is a model
for enabling convenient, on demand network access to a
shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with
minimal management effort or service provider
interaction”.
While a comparatively recent definition
[8]
bySharma and Trivedi , cloud computing is a set of
resources that can scale up and down on-demand. It is
available over the Internet in a self-service model with
little to no interaction required with the service
provider. Cloud enables new ways of offering products
and services with innovative, technical, and pricing
opportunities.
Characteristics of cloud computing as defined
by Dr. U Ravi Babu[9]are -
1. On-demand self service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
As per NIST's Cloud Computing Reference
[5]
Architecture , major activities are identified and their
activities and functionalities are depicted in a generic
high-level architecture intended to facilitate the
understanding of the requirements, uses,
characteristics and standards of cloud computing.
As shown in the figure, there are 5 major actors
involved in the process, they can be an organization or a
user that takes part in process or transaction or manages
functionalities in cloud computing. It follows the Open
53
QUARTERLY BI-LINGUAL RESEARCH JOURNAL
System Interconnection (OSI) model and all the seven
layers are depicted in the reference model. The model
according to their roles in cloud computing as -
Need for security and its architecture
The average cost to an organization for a breach
of all compliance-related data is $2.8M per year as
[10]
reported by Symantec . The report also finds that an
averageenterprise uses 1516 cloud apps, 40 time they
Vol. 3 Issue 11 July to Sept. 2017 'kks/k lfjrk
154
also depicts the interactions of actors according to the
delivery model described in the previous section.
The major actors can further be defined
typically think. As the technology progresses, so does
the techniques of data breaches become advanced, with
huge money and infrastructure in cloud the incidents of
data breaches and attacks are ever growing. In a recent
blow torideshare application Uber hackers gained
53
QUARTERLY BI-LINGUAL RESEARCH JOURNAL
access topersonal information of 57 million customers
[11]
and driversin October 2016 . The list of data breaches
in cloud includes one of the most popular names like
Dropbox, LinkedIn, Yahoo, Pro wrestling giant WWE and
many others. While Dropboxhackers tapped into more
than 68 million user accounts – email addresses and
passwords included – representingnearly 5 gigabytes of
data[12], LinkedIn's cloud data was breached two times –
2012 & 2016, with 167 million users' personal
information including email and passwords was
compromised in 2016[13]. With all these attacks and
breaches increasing, a robust and unified architecture
for security needs to be followed by all cloud providers
and cloud users both.
[14]
V.KRISHNA REDDY, Dr. L.S.S.REDDY have
designed a detailed architecture for addressing the
Figure 2 –Security Architecture for Cloud Computing
Vol. 3 Issue 11 July to Sept. 2017 'kks/k lfjrk
154
security issues in cloud computing from a customer's
perspective. The architecture is based on delivery model
of cloud computing as discussed in section 1 of this
paper:Software-as-a-Service (SaaS), Platform-as-a-
Service (PaaS), and Infrastructure-as-a-Service (IaaS).
Some of the important components of User
layer are Cloud Applications, Programming, Tools and
Environments. Some of the popular examples for these
applications are B2B, Facebook, Myspace, Enterprise,
ISV, Scientific, CDNs, Web 2.0 Interfaces, Aneka,
Mashups, Map Reduce, Hadoop, Dryad, Workflows,
Libraries, Scripting.
Some of the important components of Service
Provider Layer are SLA Monitor, Metering, Accounting,
Resource Provisioning, Scheduler& Dispatcher, Load
53
QUARTERLY BI-LINGUAL RESEARCH JOURNAL
Balancer, Advance Resource Reservation Monitor, and
Policy Management.
Some of the security issues related to Service
Provider Layer are Identity, Infrastructure, Privacy, Data
transmission, People and Identity, Audit and
Compliance, Cloud integrity and Binding Issues. Some of
the important components of Virtual Machine Layer
creates number of virtual machines and number of
operating systems and its monitoring. Some of the
security issues related to Virtual Machine Layer are VM
Sprawl, VM Escape, Infrastructure, Separation between
Customers, Cloud legal and Regularity issues, Identity
and Access management. Some of the important
components of Data Center (Infrastructure) Layer
contains the Servers, CPU's, memory, and storage, and is
henceforth typically denoted as Infrastructure-as-a-
Service (IaaS). Some of the security issues related to
Data Center Layer are secure data at rest, Physical
Security: Network and Server.
Security Issues and challenges
Security concerns and issues can be divided
among three categories: Threats, Vulnerabilities and
Attacks.
Threats
1. Insecure interfaces and API – Customers usually
interact with the cloud services through Application
Programming Interfaces (APIs). These APIs are extra
layer added to the top of cloud framework and hence
adds to the complexity of infrastructure. Improper use
of such interfaces would often pose threats such as
clear-text authentication, transmission of content,
improper authorizations, etc.
2. Malicious insiders – Wicked insiders are most
troublesome factor for security as the customers
generally are not fully aware of the provider policies and
procedures. Insiders gain unauthorized access to the
customer's database and might go undetected. This
[10]
threat is identified in study by Symantec as it shows
68% of organizations have some employees who exhibit
high-risk behavior in their cloud accounts. Up to 71% of
employees in some cases. High-risk behaviorincludes
activities that can indicate data destruction, data
exfiltration, and account takeovers.
Vol. 3 Issue 11 July to Sept. 2017 'kks/k lfjrk
154
3. Multi tenancy - Multitenancy refers to the cloud
characteristic of resource sharing. Several aspects of the
IS are shared including, memory, programs, networks
and data among multiple unrelated customers.
Multitenancy presents a number of privacy and
confidentiality threats by breaching data confidentiality
as the separation of storage is only virtual so sometimes
data residuals are left in the hardware and space is
allocated to other users.
4. Data crash – Data can be compromised through
various ways; deleted or altered data without formation
of backup, loss of encoding key, weak encryption
algorithm, lack of disaster recovery systems and illegal
access of sensitive data.
5. Identity and access management - Identity theft
is a form of fraud in which someone pretends to be
someone else, to access resources or obtain credit and
o t h e r b e n e f i t s . T h i s a f f e c t s
SaaS, PaaS and IaaS.
6. Account, Server Hi-jacking – Such threats are
caused when the credentials are stolen. Cause of stolen
credentials are many such as Phishing, Hacking of
database and leak of information.
Vulnerabilities
1. Session riding and Hi-jacking – session hi-jacking
refers to accessing of the current session by
unauthorized user by use of valid session-key. This is also
known as cookie-stealing and is more of a vulnerability
of web technology. Hi-jacker can delete user's data,
[15]
make bids or orders, send spam or even open firewall .
2. Reliability and Availability of service – As the
cloud is growing to be one of the most depending
technology for storage of data, continuousavailability of
data is vital. For example, in February 2008, Amazon's
Web Service (Amazons-S3) cloud storage infrastructure
went down for several hours, causing data loss and
[16]
access issues with multiple Web 2.0 services and a
[17]
similar outage occurred in 2017 .
3. Insecure Cryptography – As methods to hack the
encryption algorithms are in public domain, all an
attacker has to do is to find the encryption algorithm
used which is fairly easy.
4. Diminished Customer Trust - Data breaches
53
QUARTERLY BI-LINGUAL RESEARCH JOURNAL
inevitably result in diminished trust by customers. In one
of the larges breaches of payment card data ever, cyber
criminals stole over 40 million customer credit and debit
card numbers from Target. The breach led customers to
stay away from Target stores and led to a loss of business
for the company, which ultimately impacted the
company's revenue[18].
Attacks
1. Zombie Attack – Also known as flooding attack.
In this, the attackers send the cloud with numerous
requests from different users requesting for Virtual
Machines(VMs). This might lead to slowing of server or
even can cause load to be increased so much as to occur
Denial of Service (DoS).
2. Server Injection - It's an attack whereby a hostile
user submits code to one of your web forms, instead of
whatever data you were trying to collect. The hostile
code either queries your database in a way you don't
expect or breaks out of your web application and
performs operations directly on your cloud server.
3. Man-in-the middle Attack - If secure socket layer
(SSL) is not properly configured, then any attacker is able
to access the data exchange between two parties. This
cryptographic attack is carried out when an attacker can
place themselves in the communication's path between
the users. Here, there is the possibility that they can
interrupt and change communications.
4. Phishing Attack – Phishing attack is a well-
known attack where attacker directs user to a link which
is a fake version of some service to get the sensitive data.
This link can be hosted on cloud platform without being
detected as an independent link.
Solutions
Solutions for threats, vulnerabilities and attacks
on cloud computing can be solved mostly by following a
security architecture like one described in section 2.
Also, cloud computing security challenges can be
handled practically by performing security assessment
[19]
. The architecture of cloud includes various
securitycomponents like Access Management, Security
API, Network Security and Storage Security. These
components areembedded in the cloud architecture to
provide secure cloud computing. However, following
Vol. 3 Issue 11 July to Sept. 2017 'kks/k lfjrk
154
are the most popular solutions to the problems:
1. Network Protection - Network infrastructure
security levels can be enhanced by DNSSEC- Domain
Name System Security implementation, developing
Denial of Service prevention and router security tactics.
[20]
.
2. End to End Encryption – This type of encryption
is based on asymmetric keys, here through the data is
encrypted by using same encryption algorithm for all
users but the set of keys for every encryption is different
for different set of users.
3. Secure Interfaces and APIs - the interfaces and
APIs are important to implement automation,
orchestration, and management. The cloud provider has
to ensure that any vulnerability is mitigated.
4. Insider Attack – Tighter screening and deeper
background check for employees is very useful in
decreasing inside unauthorized access.
5. Validation of cloud consumers - the cloud
provider has to take adequate precautions to screen the
cloud consumer to prevent important features of cloud
being used for malicious attack purposes. The provider
should ensure that virtual boundaries are enforced
strictly.
Conclusion
Security issues are one of the most burning
concern in cloud computing technology. Though major
threats remain mostly same over the years but the
techniques of threats are advancing like never before.
Most risks and faults are identified too late to prevent
causing harm to revenue and trust of users. Though
much research is done in identifying the threats,
formation of uniform global protocols for cloud is yet to
see the light of day. Also, much work is to be done in the
field of training and educating employees on security of
cloud. This paper deals with the complexity of cloud
infrastructure and its security while explaining the
threats caused by it. However, future works can be done
on filling the gaps in security and linking of SaaS, PaaS
and IaaS.
References
1. Cloud Computing Predictions 2018. (2017).
https://www.forrester.com/report/Predictions+2018+
53
QUARTERLY BI-LINGUAL RESEARCH JOURNAL
Cloud+Computing+Accelerates+Enterprise+Transforma 11. U b e r D a t a b r e a c h . 2 0 1 6 .
tion+Everywhere/-/E-RES139611 https://www.telegraph.co.uk/technology/2017/11/21/
2. State of the Cloud Report. (2017). uber-cyber-breach-sees-57-million-users-data-
https://www.rightscale.com/lp/state-of-the-cloud exposed/
3. Data Breach: The Cloud Multiplier Effect. (2014). 12. Dro p b o x Data L eak.2017.
http://www.netskope.com/reports/ponemon-2014- https://www.forbes.com/sites/leemathews/2017/12/
data-breach-cloud-multiplier-effect/ 11/billion-hacked-passwords-dark-
4. Cloud Computing Benefits, risks and web/#6dae866521f2
recommendations for information security by ENISA. 13. LinkedIn Data Leak. 2016.
(2012). https://resilience.enisa.europa.eu/cloud- https://www.forbes.com/sites/thomasbrewster/2016/
security-and-resilience/publications/cloud-computing- 05/18/linkedin-2012-password-hack-gets-much-
benefits-risks-and-recommendations-for-information- worse/#5e2117334f3c
security/ 14. V.KRISHNA REDDY, Dr. L.S.S.REDDY.
5. National Institute of Standards and Technology, 2011.https://www.researchgate.net/profile/Vuyyuru_
The NIST Definition of Cloud Computing, Information Reddy/publication/299572565_Security_Architecture_
Technology Laboratory, 2009. of_Cloud_Computing/links/56ffe79508aee995dde81a
6. L. Vaquero, L. Rodero-Merino, J. Caceres, and 6f/Security-Architecture-of-Cloud-
M. Lindner, “A Break in the Clouds: Towards a Cloud Computing.pdf?origin=publication_detail
Definition,” ACM SIGCOMM Computer Communication 15. T. Schreiber, “Session Riding a Widespread
Review, Volume 39 Issue 1, pages 50-55, January 2009. Vulnerability in Today'sWeb Applications” [Online],
7. P. Mell and T. Grance, “The NIST Definition of A v a i l a b l e :
Cloud Computing” Recommendation of NIST, Special http://www.securenet.de/papers/Session_Riding.pdf,
P u b l i c a t i o n 8 0 0 - 1 4 5 , 2 0 1 1 . white paper, 2004. [Accessed: 20-Jul-2011].
http://csrc.nist.gov/publications/nistpubs/800- 16. AWS S3 Availability Report.
145/SP800-145.pdf 2008.https://status.aws.amazon.com/s3-
8. Sharma, R. & Trivedi, R. K. (2014). Literature 20080720.html
review: Cloud Computing –Security Issues, Solution and 17. AWS S3 Availability Report. 2017.
Technologies. International Journal of Engineering https://aws.amazon.com/message/41926/
Research, Vol. 3, Issue 4, pp. 221-225. 18. https://www.reuters.com/article/us-target-
9. Dr. U Ravi Babu. INTERNATIONAL JOURNAL breach/target-cyber-breach-hits-40-million-payment-
FOR RESEARCH IN EMERGING SCIENCE AND cards-at-holiday-peak-idUSBRE9BH1GX20131219
TECHNOLOGY, VOLUME-4, ISSUE - 1, JAN – 19. Carl Almond, “A Practical Guide to Cloud
2017 C o m p u t i n g S e c u r i t y ” ,
10. Symantec Report. 2018. http://www.avanade.com/Documents/Research%20a
https://resource.elq.symantec.com/LP=4717?cid=7013 nad%20Insights/practicalguidetocloudcomputingsecuri
8000001QNHyAAO&inid=symc_cloud-application- ty574834.pdf, August 2009.
security-cloudsoc_fam_to_leadgen_form_LP- 20. Diana Kelley,” Cloud computing security model
4717_1H-2017-shadow-data-report overview: Network Infrastructure issues”,
http://searchcloudsecurity.techtarget.com/tip/ , 2009.

Vol. 3 Issue 11 July to Sept. 2017 'kks/k lfjrk 53

154 QUARTERLY BI-LINGUAL RESEARCH JOURNAL