Trend of IT is
cloud computing and it is the modern computing for business and enterprises. It
helps the enterprises to start their service without initial investment. It has
many advantages for provides as well as users with respect to service delivery.
Users are increased to adopt the cloud for their computing services. But, the
hardest part of the cloud is security. Are the data are kept safe? It is
necessary to know the security challenges on the data outsourced to cloud. This
paper presents different challenges with respect to security and also describes
the security solution to control it. Cloud users must know the security threats
and challenges before migrate their data or business to cloud environment.
Cloud; Security; Cryptography; Encryption; Data Outsourcing;
Cloud computing is a new evolving paradigm
to a wide range of users like individuals, businesses and governments to
provide virtual resources such as CPUs, memory, hard drives, bandwidth,
platforms, and applications in an on-demand environment. Cloud storage has
become a boon to the enterprises, to have an infinite space for their data storage
Every day, the data is growing at a rapid
rate in enterprises. To store data, a large number of processing units, hard
drives, network infrastructure and other resources are required. Clusters and
grids 2 distributed systems are used to store huge amount of data by
enterprises. However, these distributed systems have increased the resources
requirements in data management and task scheduling. Additionally, investment in maintaining data
centers and data management increases the financial overhead. As a result,
enterprises store their incredible abundance of data on cloud to reduce data
management cost. In addition, an emerging class of entrepreneurs is taking
advantage of clouds as they might not have enough finance to purchase resources
or ensure the necessary security for data storage and maintenance.
The current cloud computing system mainly consists of
three service models, Software as a Service (SaaS), which provides online
software to users and it is controlled by CSPs. Platform as a Service (PaaS),
which enables the web application developers to easily host their online web
application on the cloud platforms and user only control the application
whatever they are hosted in the cloud. Infrastructure as a Service (IaaS),
provides computing infrastructure in virtualized manner based on the users
The cloud system is deployed in four models, Public
cloud, which is operated and controlled by third party service providers and it
is accessed by any internet users. It is more cost effective and adaptable to
all levels of IT users but it has some security related issues. Private cloud,
which is maintained by individual organization or institution, is lunched for
their computing needs. It is more expensive and secured cloud model. Community
cloud is used for specific community of users such as Government, Medical and
Education. Hybrid cloud is the
integration of any two or three clouds for maintaining sensitive and
has five essential characteristics which provide unique features to the cloud
than other computing 4. On-Demand Self-Service, It enables users to use cloud computing resources without human intervention between the users
and the Cloud Service Providers
(CSP). Broad Network Access, High-bandwidth
communication links must be available to connect to the cloud services.
High-bandwidth network communication provides access to a large pool of
computing resources. Location-Independent and
Resource Pooling, Computing resources are pooled
to serve multiple users using a multi-tenant model, with different physical and
virtual resources dynamically assigned and reassigned according to users’
demand. Applications require resources. However,
these resources can be located anywhere
in the geographic locations physically and assigned as virtual components
whenever they are needed. Scalability, it enables new nodes to be added or dropped from the network like physical
servers, with limited modifications to infrastructure set up and software.
Cloud architecture can scale horizontally or vertically, according to users’demand.
Measured Service, Users are billed
automatically based on the usage of cloud resources. Cloud systems automatically control and optimize resource usageby
leveraging a metering capability at some level of abstraction appropriate to
the type of service (e.g., storage, processing, bandwidth, and active user
accounts). The cloud computing
architecture with these layers and four of its deployment models are shown in Figure 1 5.
Fig. 1 Services and Deployment Models
As the data is stored on Cloud Service
Providers’ (CSP) servers, confidentiality, integrity, availability,
authentication and access control are the most challenging factors in data
security. The three pillars of cloud data security are confidentiality, integrity
and availability (CIA) 6. If these requirements are achieved by any cloud community then it is
a highly secured system. But in reality,
achieving the CIA is difficult. To achieve a significant role of cloud
computing security, it is
necessary to have a security model that supports CIA with the
adoption of universal standards. Cloud enables users to outsource their data in an
efficient and also cost effective. But, outsourcing data may open different
security related challenges.
II. DATA OURSOUCING
the Data Owners (DOs) archive their data on their own data centers. But the
investment on data management is very expensive as their data volume is huge.
Data outsourcing offers resources for storing the data and sensitive
information online wherein the users can take the benefit of privilege to
access it remotely, avoiding the burden of the data storage 7. Data
outsourcing has become an essential arrangement for enterprises for data
management which includes planning, analysis and servicing of the network. Enterprises use data outsourcing
paradigm to store, monitor and maintain their data. The enterprises which use the data
outsourcing, hire the computing resources with the capabilities of scalability
of expanding the resources with a little up-front IT infrastructure investment
costs 8. Enterprises exploit external servers or third party service
providers’ services for data management. Data outsourcing gives benefits to
enterprises by reducing or averting the cost involved in investing expensive
resources like hardware, software, upgrading software and hardware, hiring
proficient administrators and other experts.
In this modern era, cloud computing has emerged as a
feasible and readily available platform to a wide range of users like
individuals, businesses and governments to store their sensitive and
confidential data which reduces the investment on new software, hardware and
storage medium. There are various types of cloud storage systems. Some of them
store email messages, some for storing pictures, while others store all types
of data in their data pool. Most of the enterprises use the cloud for archiving
their data. When, talk about a cloud service provider, hundreds of servers is
involved. When a data owner stores data in cloud, it is stored in more than one
server. The CSP maintains the data with their dedicated structure in order to
offer higher availability. With this attribute of CSP, users can access their
data at any time from any location.
DOs of enterprises or startups use the advantage of pay-per-use feature of
cloud. Cloud storage is a key for backup outsourcing of any enterprises or
government agencies. Since the backup is on cloud, universal access of data is
possible. This reduces the capital expenditure on resources. It nullifies the storage
management problem of DOs as well as ensuring that users can access data from
any location. Hence cloud storage is more versatile and suitable for
well-established businesses as well as startups.
A. Issues Arising In Adoption Of Data Outsourcing
National Institute of Standards and Technology 9 pinpoints security, interoperability and
portability are the major concerns in adoption of cloud. Furthermore, 10, a survey was
conducted by International Data Corporation (IDC) IT group, to rate the cloud
services and its issues in 2009. From the respondents’ rating, it is clearly
stated that the security is the major concern in cloud computing paradigm with
87.5% of the votes. In 11,
have reviewed attribute based security issues in cloud. They addressed
confidentiality, integrity, availability, privacy and accountability attributes
and the threats against these attributes in their review.
As promising as it is, data outsourcing in cloud
computing is also facing many security issues 12 including data access, data segregation,
authentication, authorization, identity management, policy integration, bug
exploitation, recovery, accountability, visibility under virtualization,
malicious insiders, management console security, account control, and multi-tenancy
issues 1314. Analyzing the current security state of cloud storage, it is essential
to identify countermeasures against threats and vulnerabilities 151617. Researches on solutions to various data security issues include
cryptography, public key infrastructure, standardization of APIs, and improving
virtual machine support and legal support 18. Public
clouds clutch the highest risk of data exposure and so it must be managed with
proper caution. Hence understanding the challenges and security risks in cloud
environment and developing solutions are essential to the success of this
evolving paradigm 19. Security
of data in cloud is a challenge and is of supreme importance as many flaws and
concerns are yet to be identified.
factors in data security include confidentiality, integrity, availability, data
access, data separation, identity management, backup authentication and access
control 20. The people involved in service providers can
get access to the data stored in their servers. In this scenario, if the
service providers misuse the data for their gain, then it would be a great loss
to the data owners. Moreover the multi-tenancy feature of cloud may lead a data
leakage to the other users of the cloud who use the same cloud to store their
data. Hence, data confidentiality is the most vital factor to be considered to
secure the data in cloud 21. To ensure data
confidentiality, cloud providers, data owners and users should take proactive
measures. The entities of cloud can be public sources or businesses which
process sensitive information. The degree of security varies from user to user.
The data from public sources may not require a high degree of security. On the other hand, businesses handling
sensitive data viz banks, other financial establishments or governments require
a high level of security for their sensitive data on cloud. In this scenario,
data owners should maintain adequate security measures on their data and
applications. At the same time, attackers can target weaker entity/entities of
a cloud provider which have lack of security in them. Other entities which
reside in the provider may also be compromised. The multi-tenancy nature of
cloud architecture provides chance for malicious attacks on hundreds of sites
When the data is
stored and maintained by the data owners at their premises, authentication and
authorization mechanisms are enough to protect the data from unauthorized
access 22. Since data in
cloud computing is placed in the hands of third parties, ensuring the data
confidentiality both at rest and in transit is of greater importance. As data
is stored in the cloud, the user does not know where it is stored and who all
can access the data. Once data is stored on cloud, data owners are disconnected
from their data is the most alarming factor 23. Moreover, the cloud data can be
tampered by inside attackers and outside attackers 24. Inside attackers are the cloud administrators and
other personnel related to cloud service provider. The multi-tenancy 25 feature of cloud allows more than one user to share the resources to
store their data. Henceforth, other users who have access to the same platform
of cloud can be the outside attackers. Naturally, the data owners worry about the
confidentiality of the data, since the cloud data can be tampered by inside
attackers or outside attackers. This phenomenon prevents the cloud adoption by
enterprises to store their data. To ensure data confidentiality, the data
owners must provide security for their data before they store data on cloud. Hence, a technique should be incorporated to
have the data stored securely on cloud. The technique used for maintaining data
confidentiality is cryptography 26. Cryptography
provides security for data storage and data transmission 27. Various
cryptographic algorithms are proposed to encrypt data before the data is
outsourced, which can make the world of cloud storage more secure, reliable and
admirable in such a diminutive time.
III. CRYPTOGRAPHY AND CLOUD SECURITY
Cryptography is the science that is used for information security,
where cryptographers jumble the information in order to hide confidential
information from any unauthorized users. The process is known as cipher or
cryptographic system 28. Cryptanalysis is “breaking the code”
29, a technique to obtain the original message
from the encrypted message without having any facts and ideas of encryption
particulars. Cryptology is the study of cryptography and cryptanalysis fields.
Cryptography transforms the original message into an unreadable format so that
any malicious users can not access the information 30. The original, meaningful and readable message
is known as plaintext and the scrambled message which gives no meaning is known
as cipher text in the cryptography field. The process of converting plaintext
into cipher text is called encryption that occurs at data owner’s side. The
cipher text which cannot be understood by any unauthorized people is stored on
cloud. When authorized users attempt to access the data, it would be in an
encrypted format in cloud 31. After they receive
data with their credentials, they will decrypt the data to see the contents of
information which happens at the user’s side. The reverse process of converting
ciphertext into plaintext is called decryption 32.
Cryptographic algorithms are categorized into three forms namely:
1) Symmetric algorithm 2) Asymmetric algorithm 3) Data Integrity algorithm –
Hash function 26. Symmetric encryption algorithm also known as
conventional cryptography uses a single key known as a secret key for
encryption and decryption. Asymmetric encryption algorithm, also known as
public key cryptography, uses two keys: public key is used for encryption
process whereas the private key is used in decryption process. Data integrity
algorithm is used to find out if there are any changes in the data. Hash
function accepts any message as an input and produces fixed size of
output. It breaks the original message
into a chunk of data and creates a unique fixed length signature called hash
value by one-way compression function.
Since asymmetric encryption
algorithms are computationally complex algorithms, they take comparatively
longer time for encryption and decryption processes than symmetric encryption
algorithm. Due to this reason, symmetric algorithm is suitable for cloud
There are two types of symmetric key algorithms viz. stream cipher and block
Stream cipher encrypts one bit at a time whereas block cipher encrypts a fixed
length of data referred as a block of data at a time. Generally, block cipher
algorithms are used for dealing with huge amounts of data whereas stream cipher
algorithms are meant for less computational applications but it can handle only
small size of data. Additionally, block ciphers are hardware and software
optimized algorithms 35.
Since encryption occurs on a group of data at a time with feedback modes, block
ciphers are not prone to attacks 36. Due to all the
aforementioned factors block cipher symmetric encryption algorithms are well
suitable to secure cloud data in terms of achieving confidentiality.
IV. SECURITY CHALLENGES ON OUTSOURCED DATA IN CLOUD
Data in the cloud is in transit or at rest, attacks on data are
possible. The attacks can be in the form
of active attack and passive attack 37. Passive attacks are in the
nature of interception attacks which compromises the confidentiality of data.
Active attacks can be in three natures:
attack on availability of data
attack on integrity of data
attack on authenticity of data.
ensures only the authorized users can gain access to the data. Confidentiality
guards the data from unauthorized users gaining knowledge of transmitted
information contents. The
following are some of the vulnerabilities in a cloud 38.
Some of the open issues and threats that needs urgent attention are as
Shared Technology vulnerabilities – increased
leverage of resources gives the attackers a single point of attack, which can
cause damage disproportional to its importance. An example of share technology
is a hypervisor or cloud orchestration.
Data Breach – with data protection moving
from cloud consumer to cloud service provider, the risk of accidental,
malicious, and intentional data breach is high.
Account of Service traffic hijacking – one of the
biggest advantages of cloud is access through Internet, but the same is a risk
of account compromise. Loosing access to privileged account might mean loss of
Denial of Service (DoS) – any denial of
service attack on the cloud provider can affect all tenets
Malicious Insider – a determined
insider can find more ways to attack and cover the track in a cloud scenario.
Internet Protocol – many
vulnerabilities inherent in IP such as IP spoofing, ARP spoofing, DNS Poisoning
are real threats.
Injection Vulnerabilities –
vulnerabilities such as SQL injection flaw, OS injection, and LDAP injection at
the management layer can cause major issues across multiple cloud consumers.
API & Browser Vulnerabilities – Any
vulnerability in cloud provider’s API or Interface poses a significant risk,
when coupled with social engineering or browser based attacks; the damage can
Changes to Business Model – cloud
computing can be a significant change to a cloud consumer’s business model. IT
department, and business needs to adapt or face exposure to risk.
Abusive use – certain features of cloud
computing can be used for malicious attack purposes such as the use of trail
period of use to launch zombie or DDoS attacks.
Malicious Insider – a malicious
insider is always a major risk, however, a malicious insider at the cloud
provider can cause significant damage to multiple consumers.
Availability –the probability that a system
will work as required and when required.
V. SECURITY MEASURES AND SOLUTION
The vulnerabilities and threats in the
cloud are well documented. Each cloud service provider and cloud consumer has
to devise security measures and controls to mitigate the risks based on their
assessment. However, the following are some of the best practices in
countermeasures and controls that can be considered:
the data in a cloud delivery model might traverse through many geographical
locations; it is imperative to encrypt the data end-to-end.
Ø Scanning for
malicious activities – end-to-end encryption while highly recommended,
induces new risks, as encrypted data cannot be read by the Firewall or IDS.
Therefore, it is important to have appropriate controls and countermeasures to
mitigate risks from malicious software passing through encryption.
Ø Validation of
– the cloud provider has to take adequate precautions to screen the cloud
consumer to prevent important features of cloud being used for malicious attack
Interfaces and APIs – the interfaces and APIs are important to
implement automation, orchestration, and management. The cloud provider has to
ensure that any vulnerability is mitigated.
Ø Insider attacks – cloud
providers should take precaution to screening employee and contractors, along
with strengthening internal security systems to prevent any insider attacks.
Ø Secure leveraged
– in a shared/multi-tenancy model, the cloud provider has secure shared
resources such as hypervisor, orchestration, and monitoring tools.
Continuity plans –
Business continuity plan is a process of documenting the response of the organization
to any incidents that cause unavailability of whole or part of a
Cloud provides huge amount of computing
resources. But, it has some security related hurdles to adopt its services.
Cloud users must know these security challenges in cloud before start use the
services. This paper presented a detailed view of cloud computing basis and the
security challenges. The paper has also described security threats and
solutions to control security attacks. If all issues related to security are
addressed, then cloud users can use safe cloud environment.