LOVELY

PROFESSIONAL
UNIVERSITY

Term Paper on
Security Issues In Cloud

Submitted to- Submitted by-

Ankita Sharma Aman Chaudhary
(Assistant Professor) K17UG(11714187)
Roll no.47
 A term paper on Security Issues in Cloud
Ankita Sharma,
Assistant Professor, Department of Computer Science
and Engineering, Lovely Professional University
Phagwara Punjab India
Abstract
Cloud services comes as an option of relief in time of age
where data is our gold and data storage is becoming more
and more expensive for organizations and companies.
Although these organizations are easily adapting to the
cloud services but they still fear to store their sensitive
data over the cloud, there are many reasons for that and
Cloud Security is one of them. What type of security
issues companies are worried about? This paper will
discuss different security issues and their possible
mitigation. The study is carried out to on a variety of
research paper based on cloud security risks and
challenges to list some major threats to cloud security. So
this paper can be helpful for those who want to acquire
knowledge about various cloud security challenges and
issue.
The Cloud
Cloud computing has five key attributes which grant
it some advantages over similar technologies and
these attributes include:
• Multitenancy (shared resources): Unlike
previous computing models, which assumed
dedicated resources dedicated to a single user or
owner, cloud computing is based on a business
model in which resources are shared at the network,
host and application level.
• Massive scalability: Cloud computing provides
the ability to scale to tens of thousands of systems,
as well as the ability to massively scale bandwidth
and storage space.
• Elasticity: Users can rapidly increase and de-crease
their computing resources as needed, as well as
Aman Chaudhary(K17UG,11714187)
UG Student, Department of Computer Science and
Engineering, Lovely Professional University Phagwara
Punjab India, ac91986@gmail.com.
release resources for other uses when they are no
longer required.
• Pay as you go: Users pay for only the re-
sources they actually use and for only the time
they require them.
• Self-provisioning of resources: Users self-
provision resources, such as additional systems
(processing capability, software & storage) and
network resources (Mather et al., 2009).
There is a buzz around cloud computing, as users
of the cloud services only have to pay for what they
use and the resources that they need to cope with
demanding situations can be adjusted depending on
the demand (Hamilton, 2008; Hosangar et al., 2008).
This is recognized as the cloud delivery model (SPI)
which consists of three services known as Software-
as-a-service (SaaS), Platform-as-a-service (PaaS) and
Infrastructure-as-a-service (IaaS).
Software-as-a-service allows the users to utilize
various applications from the cloud rather than using
applications on their own computer (Krebs, 2008).
The cloud service provider would usually provide
some sort of software development environment to
allow applications to be developed for use within the
cloud. The application programming interface (API)
which the users use to access and interact with the
software allows the user to use the software without
having to worry about how or where the data is being
stored or how much disk space is available as the
cloud service provider will manage this for them.
Platform-as-a-service operates at a lower level than
the SaaS. It is responsible for the management of the
storage space, bandwidth allocation and computing
resources available for the ap-plications. It retrieves
the resources needed to run the software and
dynamically scales up these resources when more is
needed. This service holds a key attribute of the cloud
mentioned above as self-provisioning of resources.
Infrastructure-as-a-service dynamically scales
bandwidth allocation and server resources for the
cloud. This service allows the cloud to operate during
high traffic/ demanding situations as resources are
dynamically increased as they are needed. The pay as
you go attribute plays a large role in this service as the
user is charged for how much bandwidth or server
resources are needed.
There are three main types of cloud deployment
models - public, private and hybrid clouds.
• Public Clouds: These are the most common
type of cloud. This is where multiple customers
can access web applications and services over
the internet. Each individual customer has their
own resources which are dynamically
provisioned by a third-party vendor. This third-
party vendor hosts the cloud for multiple
customers from multiple data centers, manages
all the security, and provides the hardware and
infrastructure for the cloud to operate. The
customer has no control or insight into how the
cloud is man-aged or what infrastructure is
available.
• Private Clouds: Emulate the concept of cloud
computing on a private network. They allow
users to have the benefits of cloud computing
without some of the pit-falls. Private clouds
grant complete control over how data is
managed and what security measures are in
place. This can lead to users having more
confidence and control. The major issue with
this deployment model is that the users have
large expenditures as they have to buy the
infrastructure to run the cloud and also have to
manage the cloud themselves.
• Hybrid Clouds: It is the combination of both
public and private cloud as it provides the
services of both private and public to the
customer or organization. Depending upon the
data the customer can store it in private cloud if
the data is sensitive and can store it on the
public cloud if the organization wants that all
the members can access the data.
Security Issues in Cloud
Arun Krishna Chitturi and Purushotham Swarnalatha [8]
did a good work of identifying and categorizing security
issues into three major levels, that are Communication
Level, Computational Level and SLA Level Challenges.
They have Sub-Categorizes Network, Application, Host,
Virtualization, Data level risks in these three parent
categories covering almost every type of security issue.
Walker [5] has provided with 12 major risks which
concern cloud security, some of them are data breaches,
broken authentication, Hacked interface and Application
Program Interfaces, exploited system vulnerabilities,
account hijacking, malicious insiders.
Network Level Security Challenges
Network Level security Challenges and issues are those
which pose risk to the secretiveness and integrity of the
data. Following are some the issues which come in this
category:
1. Domain Name Server Attacks- Domain hijacking,
Domain phishing, Typo-squatting are some of the type of
DNS attacks. These attacks are meant to steal data and
bring down websites.
2. Prefix Hijacking in Border Gateway Protocol- In
BGP hijacking the attackers take control of IP prefix and
reroute the traffic.
3. Sniffer Attacks- In sniffer attacks, attackers try to
steal or intercept the data packets by hijacking the
network using some sniffing applications.
4. Issue of Reused IP Addressing- In this type of
attacks, attackers spoof the IP address of source and
make impossible for the process of 3-way handshaking to
happen.
Application Level Security Challenges
Applications need security to minimize the possibility
attacks because attackers try to take control over them to
manipulate their formats, following are some of the
issues in Application layer:
1. Cookie Poisoning- In this type of attacks cookies are
manipulated or forged to bypass the security.
2. DDOS Attack- In this attack, attacker attempt to
utilize the resources of target by flooding it with internet
traffic.
3. Dictionary Attack- This attack targets passphrase or
passwords by brute force technique.
4. Hidden Field Manipulation Attack- Attackers target
the hidden field values of the forms to change post
requests to server.
5. CAPTCHA breaking- Attackers try to bypass the
captcha.
Security Issues in Host Level
Host level Issues are related to operating system on
which applications runs. Following are some of the
issues-
1. Viruses, Trojan horses, and worms- These are
computer programs that harm, modify or steal the target's
data.
2. Foot-printing- In these attackers gather as much
information about the target that it become easy to hack.
3. Password Cracking- It is the process of discovering
the password of a system.
4. Profiling- It is the technique to create profiles of target
to analyze its behavior and pattern for malicious
practices.
5. Unauthorized Access- It is the practice of gaining
access to the system after bypassing the security
measures.
Computational Level Security
Challenges
The computational level security concerns are securely
and suitably implementing the virtualization.
Concerns in virtualization
The main type of virtualization are server, desktop,
network, application and machine. Laniepce [9] has
provided the layers of virtualization as three layers, first
one physical layer having all the hardware infrastructure,
second virtualization layer having hypervisor/ V.M.M,
and lastly virtual layer having all the guest OS and
privileged applications.
1. Virtual-layer security risks- VM undergo their own
life cycles of different conditions such as creation,
power-off, prolong, destroyed, resumed, pending,
running, suspended, shut-down, etc [1].
following are some of the VM security risks:
• VM Cloning- Creating a copy of existing
(parent) VM by copying parent's ID, MAC
address, Computer name, Internet Protocol (IP)
address is known as cloning. Now, if both the
parent and the child Vm’s uses the same
network and there occurs a duplication of
Internet Protocol address then it causes security
concerns.
• VM Migration- For better load balancing and
energy saving VM's resources can be migrated
for one server to another server. The migration
process may lead to security risks for migrated
VM as well as new hosting machine.
• VM Isolation- The VM's are isolated from one
another for ensuring safety and security. But
whenever there comes a case of multiple use of
same IP address then the isolation among VM's
break, and this can lead in to serious security
risks.
• VM rollback- In the scenario where a VM is
rolled back when it was affected by viruses or
malware, it can re-surface the security
vulnerabilities. Sabahi[5] told a secure way to
protect memory snapshots by using hashing and
per-page encryption technique. If the VM
rollback is not done in secure manner then it can
lead to harmful viruses.
• VM Escape- Since VM runs in an isolated
environment so that no direct interaction with
the hypervisor is done. But the attackers run
some code on the VM and make it interact
directly with the host operating system. This
type of attack can give access to the all other
VMs as well as the host operating system.
• VM Sprawl- It is the situation where VMs are
created and deployed without any control, which
lead to VM's multiplication over time and most
of them are inactive, wasting only host's
resources [10]. Therefore, to maintain the
 effective and efficient management of host's
resources, VM sprawl need to be controlled.
• VM Poaching- When VM started to take more
resources than it is allocated to then it can starve
other VM running on the same hypervisor. This
can lead to abnormal behavior of the entire
system.
• VM Hyper jumps/VM hopping- It is an type
of attack where attackers access from one VM to
another by exploiting vulnerabilities of
hypervisor. This type attack can give access to
other VM’s and host system also.
Virtualization (Hypervisor)
Layer Security Challenges
Hypervisors provide virtual-layer environment to run
multiple VMs (operating systems) along each other. The
most common virtualization s are full-virtualization,
para-virtualization and hardware assisted virtualization.
Qin [6] stated that hypervisors are used to monitor the
different stages of life processes of the VMs. Sabahi [5]
has indicated that hypervisor generally suffer from
single-reason-of-failure. Nalini [1] has provided a list of
the Security concerns of hypervisor layer:
• Basic Information Security (authentication,
authorization and integrity).
• Virtual Machine to Virtual Machine attack.
• Risks in Virtual networking.
• Virtualized trusted computing.
• Hyper-jacking.
• Issues due to resource sharing.
• VM Introspection.
• Hypervisor Integrity protection and isolation of
VM's.
Hardware Level Security
challenges
The physical layer consists of components like Central
Processing Unit (CPU), storage, memory and
networking, etc., which are distributed among VMs by
the virtualization layer over the cloud. Since, the VMs
are isolated to work in a protected manner but if attackers
exploit the vulnerabilities of Virtual-layer and try to take
control of mandatory access control and discretionary
access control.
Data Level Security Risks
Data is the main entity of the cloud and as per the Cloud
Security Alliance breaches are done mostly for data.
Subramanian [1] have classified the data security as data-
in-transit and data-in-rest. Data-in-rest pose additional
security risk than data-in-transit because for attackers it is
more attractive, also data is transferred in secured way
using SSL and TLS. Another issue arises about security
and privacy of data is because now organizations hire
third party to manage and secure their data which store
data in remote places [5]. Chen [11] stated that there
seven stages in the life cycle of data, Generation, transfer,
Use, Share, Storage, Archival, Destruction and all of
these life stages need security.
Following are some of the Data level security challenges:
• Data Leakage- Sabahi [5] has stated that when
data is moving from single-tenant to multi-
tenant then data leakage occurs. Ashish Singh
[7] has stated that deletion, alteration and theft
of data, encryption key are some reasons of data
loss and leakage.
• Data Integrity- Data Integrity can be defined as
the access and modification of data by
authorized persons only. Some of the breach of
data integrity are lack of authentication,
authorization and access control, weak
encryption keys [ 7]. Ashish has told to use
Service Oriented Architecture (SOA) approach
to solve the data Integrity issues.
• Data Recovery- Data recovery can be defined
as the process of accessing the corrupted or
deleted data form the storage. Subramanian [1]
has stated four phases of the data recovery
which are repairing the hard drive disc, imaging
the drive to new drive, logical recovery of files,
partition and then repairing the retrieved
damaged files.
• Data Isolation- Isolation is very important
criteria and factor for the security of cloud
architecture, therefore there should be isolation
between sensitive data and non-sensitive data so
that in case of breach important data can be
saved. Isolation is also important among the
VMs so that virtual machine to virtual machine
attacks can be prevented. Data can be isolated
using access control and encryption technique
[ Subramanian]. According to Ashish [7], multi-
tenant technology can be used for data isolation
because each tenant manages their features
individually.
• Data Location- When organizations use cloud
for storage services, they want to ensure the
location of the data because unknown location
of data storage leads to security issues. That is
why now organizations now hesitate to put their
data in untrusted cloud service providers. Sabahi
 [5] raises a point that unknown location of data
can cause lack of control for the customers who
just have moved to cloud.
• Data Segregation- Data in cloud stored in
shared environment, with the data of different
users and systems, therefore it is very important
to keep data segregated. Data segregation can be
achieved using highly secure protocols and
encryptions. According to Subramanian [1],
SQL injection imperfection, data validation and
insecure storage are some of the reasons of data
segregation vulnerabilities.
• DATA Lock-in- Data lock-in can be explained
as the inability to move the data from one cloud
vendor to another. If the data is breached and
customer is in lock-in period with the cloud
provider, then he cannot move his data to
another provider. Lock-in also a great obstacle
in cloud interoperability and portability.
Service Level Agreement (SLA)
Many organizations are moving from traditional servers
to the cloud to store their data. And it is very good for
them because there many advantages of this such as
lower cost of entry, lower maintenance, better availability
and access from all over the globe [4]. Also, there are
high standard and SLA present in cloud availability that
service providers offer. But when it comes to security,
confidentiality and integrity the same amount of SLA
goodness (Sec-SLA) [3] and standard cannot be found.
SLAs are used to provide Quality of service to an
acceptable level, also it is important for service provider
to include security in its services for effective transfer of
responsibility. As per Subramanian [1], some standard are
there who provide security though Sec-SLAs, which are
SPECS (Secure Provisioning of Cloud Services) and
ENISA (European Network and Information Security
Agency).
Conclusion
This paper has discussed many security challenges faced
within communication, computation and Service Level
Agreement. Also, the issues which concern virtualization
layer, hardware, data is explored. Today, there are various
security challenges which provide several chances for
hackers to exploit, that is why cloud computing is seems
incomplete in case of cloud security. This paper tried to
explore some root risks for the cloud security, but as a
new day brings a new technology to this field, therefore
there is a need of constant search of vulnerabilities and
the ways to mitigate them. This paper can be used as
mean of further research of unexplored paths to
strengthen cloud security.
References
1. Subramanian, N., Jeyaraj, A.: Recent security
challenges in cloud computing. Comput. Electr.
Eng. 71, 28–42 (2018).
2. Walker, K.: Cloud security alliance announces
software defined perimeter (sdp) initiative
(online) (2013).
https://cloudsecurityalliance.org/media/news/csa-
announcessoftwaredefined-
perimeter-sdp-initiative/. Accessed October, 2014.
3. Shirlei Aparecida de Chaves, Carlos Becker Westphall
and Flavio Rodrigo Lamin,:SLA Perspective in Security
Management for Cloud Computing (2010).
4. Hoehl M. Security SLA for cloud proposal for
standard cloud computing security SLAs – key metrics
for safeguarding confidential data in the cloud. SANS
institute 2015https://www.sans.org/reading-
room/whitepapers/cloud/proposal-standard-cloud-
computing-security-slas-key-metrics-safeguarding-
confidentialdat-
35872.
5. Sabahi F. Secure virtualization for cloud environment
using hypervisor-based technology. Int J Mach
6. Qin Z, Zhang Q, Wan C, Di Y. State-of-the-art
virtualization security in cloud computing. J Inf Comput
Sci 2012;9(6):1487–97http://www.joics.com.
7. Ashish Singh and Kakali Chatterjee, Cloud security
issues and challenges: a survey, Journal of
8. Chitturi A.K., Swarnalatha P. (2020) Exploration of
Various Cloud Security Challenges and Threats. In: Das
K., Bansal J., Deep K., Nagar A., Pathipooranam P.,
Naidu R. (eds) Soft Computing for Problem Solving.
Advances in Intelligent Systems and Computing, vol
1057. Springer, Singapore.
9. Laniepce S, Lacoste M, Kassi-Lahlou M, Bignon F,
Lazri K, Wailly A. Engineering intrusion prevention
services for iaas clouds: the way of the hypervisor, 2013
IEEE seventh international symposium on service-
oriented system engineering.
10. Bose,R., Sarddar, D.:Asecure hypervisor-based
technology create a secure cloud environment.
Int. J. Emerg. Res. Manage. Technol. ISSN (2014): 2278-
9359.
11. Chen D, Zhao H. Data security and privacy protection
issues in cloud computing, International conference on
computer science and electronics engineering 2012.