As such, there are several security and privacy issues that need to be addressed. Randomization is also used to hide the attri-. Convergence Information Technology, 2010, pp. 1427–1434. The methodology is centered on, an algorithm that performs risk-aware renegotiation. Security and Privacy in Computing and Communications (TrustCom), 2012, pp. Not only the malicious entity collocated with the victim, . Moreover, the study in, defense strategies for the existing vulnerabilities. Methods to Ensure Security in the Cloud 4.1 Countermeasures for Security Risks 4.2 Methods to ensure Data security 5. Many companies, both large and small, are contemplating a migration to cloud computing (CC) to leverage the significant potential of this new paradigm [1][2][3]. Adewale, O.S. The users build or extend the services using the APIs, APIs to market the features of their cloud. Some parts of this approach such The SPICE extends the Waters signature, group signature authenticates the user by ensuring that the signature is from a valid user of the group with the need of the, identity. However, Cloud computing requires that The CR3 and IDTR registers are, focused primarily as they play a central role in rootkit detection. Moreover. However, whatever the case may be, private cloud is for. The. The reason being the private cloud is meant for the use of a single organization. There are numerous works that look upon the cloud security challenges from a service model perspective. One of the important features of the ACPS is, ent to the VMs and remains undetectable. Four requirement engineering process models are selected for this study: the Linear approach, the Macaulay Linear approach, and the Iterative and Spiral models. Moreover, the pricing of the service usage is also totally dependent, More focus is required to ensure the privacy during computations. The dynamism of the resources and heterogeneity of the services makes the access control system more complex. 
2, 2013, pp. that facing cloud computing, where entities belonging to different domains continually Moreover, all the memory, accesses from Dom0 to DomU are continuously monitored by the hypervisor. The best practices regarding the key management and encryption products from reliable sources should be used. to provide network security for the overall host platform. The VM sprawl causes the resources of the host machine to be wasted, . It is exceptionally important to keep track of the user’s identity and controlling unauthorized access to, due to the fact that the owner and resources are in different administrative domains and organization’s authentication and, authorization may not be exported to the cloud in the existing form, may deal with users of different organization with different authentication and authorization frameworks, at the same time, nization and cloud may give rise to complex situations over time, addresses are frequently reassigned, the services are started or re-started over shorter periods of time, pay-as-you-use, feature allows the users to join and leave cloud frequently. Instead, more than one model becomes affected, such, and PaaS. As cloud computing utilizes many traditional along, with novel technologies, it possesses conventional as well as unique security issues. Property-based remote, attestation is used to verify the integrity and security conditions of the remote host before migration. Lee, J.C.S. However, it does not focus on the data integrity. The customers’ processes are executed in virtualized environment that in turn utilize the physical, . Accountability of a sub-contractor is often inadequate, an issue because the users cannot totally rely on statistics provided by the CSP. The overarching aim of this paper, therefore, is to present a detailed analysis of the cloud computing security problem, from the perspective of cloud architectures and the cloud service delivery models. et al. 
There are many issues that can arise in cloud due to weak identity management and, . Syst. During the enforcement phase, the SPEC recommends the enforcement either by activating parameters at system startup time or by monitoring. Cloud Comput. However, there are still challenges that must be addressed in order to enable the ubiquitous deployment and adoption of mobile cloud computing. Security for the cloud premises is essential as the cloud has a lot of outsourced, unprotected sensitive data for the public access. The following diagram explains the evolution of cloud computing: Benefits In the following discussion we present the security challenges being faced, by the cloud computing. Detailed simulation experiments take place for demonstrating the security and effectiveness of the presented model. This build has stronger security which needs an efficient selection property by eliminating the worst fit in each iteration. To mitigate the vulnerabilities in VMs by patching fixes, Schwarzkopf et al. The shift from IT-as-a-product to IT-as-a-service puts clients in a continued dependency on cloud service providers (CSPs), making provider management a critical factor for companies' success. The vTPM, is also migrated along with the VM to ensure the integrity of the VM during the migration process. the terms of SLA. The cloud computing paradigm emerged shortly after the introduction of the 'invisible' grid concepts but it has taken only a few years for cloud computing to gain enormous momentum within industry and academia alike. 587–594. The use of separate authentication and authorization systems for internal orga-, . Eng. It is noteworthy that the security solutions that are to be, end will remain the same. Mazhar An. C. Wang, Q. Wang, K. Ren, N. Cao, W. Lou, Toward secure and dependable storage services in cloud computing, IEEE Trans. An expiration time is added to the access key structure, for user revocation purposes. 
However, data security is still a major concern and is the main obstacle preventing cloud computing from being more widely adopted. This has resulted in repeated data violations, and thus there is a need for advanced legal data protection constraints. Surveys Tutorials. The community cloud is shared by a number of organizations and/or customers forming a community. A regular data backup is, , services and applications to the cloud users are provided through the Internet, . A. tracking mechanism is utilized to keep track of an image both in terms of auditability of actions and derivation. A per-VM firewall (IP-table rules) is also implemented to control the communication of VM, with other components. Generally, the. The difference between the two techniques, however, is that ImageElves automatically updates the, VMs. The process reduces the time consumption of each VM for proper functioning after. During the migration phase, the contents of the VM are exposed to the network that might lead to data, Virtualization allows the rollback of a VM to some previous state whenever it is needed. We make conclusions about the security situations on two typical cloud computing products: Amazon Web Services and Windows Azure and elaborate two attack mechanisms against cloud computing: Denial of service attack and Side channel attack. Comparison of strategies proposed for security of cloud applications and APIs. A successful attack on a single entity will, result in unauthorized access to the data of all the users. Appl. 
The proposed framework can manage the identity management and access control across multiple CSPs where the AMs coordinate with each other to provide identity management, and access control services. • To understand the security issues associated with cloud computing, virtual trusted platform modules, virtualization, live virtual machine migration, and hypervisors; revenue maximization as another additional metric for cloud computing model. The software ports are designed to monitor the network traffic. The highlights of presented techniques are tabulated in, 4.2.5. The National Institute of Standards and Technology’s (NIST) definition, of: (a) essential characteristics, (b) service models, and (c) deployment models. The cloud applications inherit the same vulnerabilities as traditional Web applications and, technology. Huh, A broker-based cooperative security-SLA, [75] Open Web Application Security Project Top 10-2013, The ten most critical Web application security risks, <, and Privacy XXVI, Springer, Berlin, Heidelberg, 2012, pp. With, regards to traffic on virtual network, the privacy and monitoring become contradicting requirements. The ImageElves works both on the running and dormant VM images. Kiah, M. Ali, S.A. Madani, S. Shamshirband, BSS: block-based sharing scheme for secure data. In this context identification of, attacks in the cloud environment is an open area of research. The proposed scheme secures the cloud storage against integrity attacks, Byzantine failures, and server colluding attacks. The users might be trusted by the CSP but they may not be of trust to each other. The virtualized. ESORICS, Springer, Berlin, Heidelberg, 2009, pp. Although there are many such indicators for conventional systems and they are still applicable to the cloud environment, the identification of cloud based indicators of insider threats will, increase the potential of securing the cloud systems. 
Although nothing can be done by the user or the CSP about the laws of the land, the user can be given the option, during SLA negotiation, to mark places to which he/she does not want his/her assets migrated. 5th International Conference on Network and System Security (NSS), 2011, pp. The data is encrypted with 128-bit SSL encryption and a MAC is appended afterwards. Comput. The consumer calls the API by using the token signed with its private key. Tutorials 16 (1) (2014). Res. A VM migration is only allowed if the TAL of the hosting platform, is in the range of user specified requirement. The conventional IT infrastructure keeps the digital assets in the administrative domain of the, . Not all the operations can be performed over the data, in encrypted form. Security in cloud computing: Opportunities and challenges, COMSATS Institute of Information Technology, Abbottabad, Pakistan, The cloud computing exhibits, remarkable potential to provide cost effective, easy to man-. For instance, it is difficult to measure that logical, segregation of different organizational data is provided to the level as promised in the SLA. To verify data correctness, a, data blocks indices is transmitted to the cloud. However, the virtual network needs more attention. Security Symposium (NDSS), San Diego, CA, 2013. The MAC is also calculated with, package is stored at the cloud along with the, KM for decryption through blinded RSA. Fan, Study on the security models and strategies of cloud computing, Proc. In case of successful update, other VMs of that particular class. Zomaya, Trends and challenges in cloud data centers, IEEE Cloud Comput. The SECaaS works at all levels (SaaS, PaaS, IaaS) and secures the services. The detected, suspicious activities are recorded by the warning recorder module and are stored in the warning pool. 
on Computer and Communications Security, 2011, pp. 23 (2011), S.M.S. The aforesaid technologies generate. The NIST definition considers the cloud computing as a threefold model of service provisioning (, . The, transfer of VM and vTPM is carried on the established trusted channel. However, the discussion of the security issues in, confidentiality, integrity, availability, accountability, and privacy-preservability with little discussion on the technologies, causing the vulnerability origination. Recent advancements in the domain of cloud computing (CC) and big data technologies lead to an exponential increase in cloud data, huge replica data utilized the available memory space and maximum computation brought a major issue to the restricted cloud storage space. The HyperCoffer involves both the hardware and software to protect VMs in execution. work interfaces. The out of control cost of power in terms of electricity generation, personnel hardware and limited spaces in data centers have encouraged a significant number of enterprises to move more infrastructures into a third party provided Cloud. on Security of Info and Networks, 2013, pp. criteria of judging a normal and malicious behavior. The migration of a VM is coordinated by the migration manager module that ensures the migration of all of the relevant information (VM state and security context state) to, the destination. The scheme compares the first attribute of, the packet header at the root nodes of the tree and on a match the search proceeds to the next level of the tree. and ensure optimal fulfillment of customer’s security needs. The bridge in turn connects to the physical network. 66 (3) (2013) 1687–1706, Gener. 
in utilization and energy consumption in a static setting as workloads run with lower frequencies and energy Broad network access, is sometimes referred to as ubiquitous network access in the literature, The cloud’s resources are shared among multiple customers by pooling in a multi-tenant environment. Conference on Cloud Computing, 2013, pp. The implementers should secure each virtualized OS in each of the guest VMs. The, scheme to ample the trust level in the key. networks are able to generate the following security challenges in the cloud environment. Rahimi, J. Ren, C.H. The proposed scheme allows the user to rate the requirement of confidentiality, availability. The attributes should be validated at master source or as close as. Some of the available directions for future work are also discussed. organizations trust that a service provider’s platforms are secured and provide a sufficient level of integrity for the client’s data. The community cloud may be managed by any of the organizations in the community or a third party. The authors in, presented reviews on the security issues of the cloud computing. Based on the security requirements and attacks against cloud computing, we systematically summarize the current security protection mechanisms and further make a comparison among them. The CSP is treated as a host, while the services owner acts as an authorizing user. for cloud computing, J. W. Liu, S. Peng, W. Du, W. Wang, G.S. The discussed approaches are proposed to counter either one or multiple security issues. Despite intensive research efforts by the research community, there still are open issues that need to be addressed for, providing a secure cloud environment. Besides data, the code of VM also becomes vulnerable to attackers during migration, The migration module can be compromised by an attacker to relocate the VM to a compromised server or under the control, of compromised VMM. 273–279. 
The group signatures are used over the certificates, for authentication. If security is not correctly enforced at the destination locations, and not properly updated in the source locations, security of the migrating virtual machine as well as the co-located machines can be compromised. The security solutions at the client end (mobile device) need lighter versions that mobile devices. The keys are generated using bilinear multiplicative groups. The, integrity of the platform is ensured before moving any application to it. Moreover, the frequent updates of APIs may introduce, 3.2.4. 5 (2). The SR value above eight, value three to public partition. The openflow device reconfigures the network, according to the developed rules. Dependable Secure Comput. Therefore, we look at the challenges at an abstract level irrespective of the service model. The migration of VMs, data, and applications across multiple physical nodes, . The attestation and integrity verification ensure that the VM is not migrated to a com-, hopping and useless migrations. The rules generator develops the, rules for the suspect traffic and forwards them to the openflow device. butes that are not required by any particular CSP. Much has changed in the realm of cloud security since the Security for Cloud Computing: Ten Steps to Ensure Success, Version 2.0 whitepaper was published in March, 2015. The taxonomy of the security challenges in the cloud computing is depicted in, The cloud services are normally available to the customers through the Internet, mechanisms are used for communication between the customers and the cloud, in transmission of either data/information or applications between the customer and the cloud. The public, community, and hybrid clouds, possess more cloud specific vulnerabilities and risks due to presence of users from different origins and administrative con-, resources introduces many security concerns. 18–21. Sharing of VM images in the image repositories, . 
A third party audit may put, the data of other organizations (that do not agree upon the audit conducting third party) to risk, regulatory laws, such as Health and Human Services Health Insurance Portability and Accountability Act, Besides the technical issues presented in the preceding discussion, legal issues pertaining to the cloud computing also, arise due to the presence of CSP resources in geographically different and sometimes conflicting legal jurisdictions, data of the user is migrated to a location having different laws, it becomes difficult for the user to configure the security, policies to comply with the new legal jurisdictions. Countermeasures for communication issues, To secure the communication and network, the CSA guidelines, IDS, IPS, and firewalls to protect the data in transit. The presented technique also prevents the cross VM denial of service (DoS), SnortFlow utilizes the features of Snort and OpenFlow systems. On the other hand, cloud providers can, . Vasilakos, K. Li, A.Y. The proposed architecture provides. The shared network layer. During, retrieval, the image decrypt module interacts with the key management server to retrieve the decryption key and decrypts, the image for loading into a VM. Use of virtual devices and conventional physical devices with close-fitting assimilation with. The authors in. Any request to the services is mediated by the, can grant or deny resource according to the access control policies. ... API (Application Programming Interface): a set of functions that give access to an application's services through a programming language. Moreover, virtual network isolation is introduced by utilizing a layer-two tunnel, Virtual Private Network (VPN) between virtual bridges. The user application is then registered with the security providing clouds that provide security services. The, vocabulary allows the organizations to compare the security services of different CSPs at a glance. 
An analysis of the common state of practice of the cryptographic operations that provide those security capabilities reveals that the management of cryptographic keys takes on an additional complexity in cloud environments compared to enterprise IT environments due to: (a) difference in ownership (between cloud Consumers and cloud Providers) and (b) control of infrastructures on which both the Key Management System (KMS) and protected resources are located. In this paper, we intend to tackle this problem, specifically for intrusion detection/prevention and VPN/IPsec as main security mechanisms. inspection utility is used in the SVM to introspect the code of GVM. The guest OS is marginally modified to check for available system configuration and resources. Web application and application programming interface (API) security, one of the essential requirements for a cloud application to be utilized and managed over the Web, provided by the CSP is always located at the cloud with users accessing it ubiquitously. Mag. The scheme requires the users to register with the cloud and obtain a unique, ID. Such a trust model is unsuitable for cloud computing, where interactions are carried out between prior unknown entities. The work in, cube model, multi-tenancy model, and risk assessment model. Jaatun, Beyond lightning: a survey on security challenges in cloud computing, Comput. Moreover, the proposed sanitization process depends on the optimal key generation, which is performed by the hybrid meta-heuristic algorithm. 
29 (5) (2013) 1278–, A.R. Khan, M. Othman, S.A. Madani, S.U. indicates that none of the presented techniques fulfills all the tabulated security requirements. 4. The encryption and decryption on disk and network I/O is also performed by the VM-shim. Ryan, Cloud computing security: the scientific challenge, and a survey of solutions, J. Syst. Research endeavors in this respect to find the solutions for multi. 
Federated Identity Management is considered the most useful solution that simplifies the user experience, by providing secure access to services belonging to different domains, while reducing the complexity and cost of managing a large number of user accounts. keeps track of execution and analyzes system behavior through meditation. i.e. This scan is only, allowed at the boot up time with a temporary hypervisor so as to avoid any attack from user, After the scan the temporary hypervisor is disabled. , the source IP can be at root with the destination IP at leaf nodes. Currently, there exists little work in solving multi tenancy issues. Moreover, the MAC addresses are replaced by the. The diameter-AAA employs network based access control to filter the illegitimate access request to the cloud, applications. In the following, we detail some of the solutions in the lit-. Summary 6. Hypervisor or VMM is software that essentially manages and controls the virtualization in a cloud computing system. Design of tree-rule firewall using IP address and port ranges [69]. To create a sustainable basis in terms of security in Cloud Computing, in September 2010 the German Federal Office for Information Security Therefore, a broad framework that, ensures privacy while performing computations is the need for security. Customers outsource their applications and data to the cloud with the trust that their assets are secure within. confidentiality, integrity, and availability services for VMs during execution phase. COMSATS Institute of Information Technology, Abbottabad, Pakistan, . The prototype was imple-, ing the hypervisor and running VMs. 4.2.3. Network Comput. upsurges the capabilities of the hardware resources by optimal and shared utilization. 
These were the research objectives: For decryption all the data is downloaded from the cloud and, proposed a time based proxy re-encryption combined, presents the comparison of the methodologies pre-, recommends that the security to the cloud applications and APIs, Security and privacy requirements (both functional and regulatory) should be defined in accordance with the needs of the, The risks and attack vectors specific to the cloud computing must be explored and assimilated into the security require-. The exterior redirects and updates the memory state at VMM from, SVM to GVM. Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”. The cloud computing, upsurges the capabilities of the hardware resources by optimal and shared utilization. The periodic, checksum verification also keeps the cloud entry points under constant monitoring. In particular, wherever it is Therefore, insecure APIs can be troublesome for both the cloud and the users. 29 (5) (2013) 1254–1264. 28 (2) (2012) 379–390, Aerospace Electron. The top ten risks in the web applications have been identified by Open Web Application Security Project in 2013 to be the, The development, management, and use of Web applications must take into consideration the above given risks to safeguard the web applications and users resources. 115–124. This document, the Cloud Computing Security Requirements Guide (SRG), documents cloud security requirements in a construct similar to other SRGs published by DISA for the DoD. 19 (2), R. Schwarzkopf, M. Schmidt, C. Strack, S. Martin, B. Freisleben, Increasing virtual machine security in cloud environments, J. For other frameworks, there is no specified model to manage trust between cloud service providers and identity providers, as cloud service providers must decide by themselves which identity providers are trustworthy. 
Secure and efficient management of identities remains one of the greatest challenges Conference on Innovations in Information Technology (IIT), 2013, pp. as cluster and grid, and The pre-allocation of resources eliminates the need of hypervisor to dynamically manage them. The, cryptographic keys become vulnerable to leakage, in case of malicious sniffing and spoofing of virtual network, transit belonging to users can suffer from costly breaches due to risks presented in Section, Security configurations of the cloud network infrastructure are of significant importance in providing secure cloud ser-, the cloud environment. Inform. The public/private key pair generated by KMs is represented by (, postulates the policies under which access to the file is valid. APIs. A.N. The (web services agreement) ws-agreement, and semantics of publicizing the competences of the service providers and to create the template based agreements, and to, monitor the agreement acquiescence. The traditional security software like antivirus and IDS cannot run continuously on the mobile, concept of offloading computation can also be used to run heavy security programs on the cloud that provide malicious code, and intrusion detection on the mobile device, The mobile device can be the source of user location leakage especially due to location based services, said is the serious privacy issue and leads to even worse situation if a foe knows the user whereabouts, location cloaking can be used to preserve user location privacy by concealing the user exact geographic position, Authentication is another issue on resource constrained mobile devices. Intell. The authors used a Virtual TPM (vTPM) bound with a VM that certifies the integrity of the VM. ments. 243–248. Besides, BF is applied for the implementation of data updating and enhances the retrieval of ownership verifying efficiently. 
The memory contents and the results, of CPU registers verification are sent to a separate machine called monitor machine (that acts as a trusted third party). Security vulnerability assessment tools should cover the virtualized environment. On the other hand, a malicious user can upload an image that contains a malware. The alert is pushed into, alert interpreter that analyzes the generated alert and invokes the rules generator. tication, respectively. A pre-shared master key between, the data owner and the CSP allows the CSP to generate the re-encryption keys. Nevertheless, virtualization also introduces security challenges to. their status of a unique entity, but share standardized or proprietary technology. The VMs management and isolation is the, . Chow, Y. In the cloud computing environment, with the complex network environment, the virtualization platform faces many security problems. The Mirage provides a four-, , the authors proposed encrypted virtual disk images in cloud (EVDIC) that exploits encryption to secure the VM, targeted at providing updated software installs, and patches for the, to identify and rectify images with outdated software and, presents the comparative summary of the presented schemes, proposed an architecture that provides a secure runtime virtualization environment to a VM. maintenance of repository is also provided by the Mirage. The user registers with a trusted party called, the registrar and obtains a single credential for all the services provided by the CSP. Likewise. The generated OS view is used by the defense modules of the CloudSec. Cloud computing solutions must be supported by facilities that meet Uptime Institute Tier-3 or higher rating. The software-based network components, such as bridges, routers, and software-based network configurations, support the networking of VMs over the same host. sniffing and spoofing over the real network. 
Then, we derive a set of formulas that compare security configurations before and after migration. Version 3.0 includes the following updates: New worldwide privacy regulations taken into account. The trusted authority, administers the domain level authorities that in turn manage subordinate domain authorities at the next level or the users, in domain. Deployment and configuration of large number of security solutions itself may be risky. The firewall layer is responsible for safeguarding against the spoofing attacks from the shared network. Randomization is applied to the signatures for providing unlinkability. A similar mechanism of logging and auditing to protect against the VM roll-, integrity of the snapshots. The DCPortalsNg, then builds its own data of mapping networks to tenant and tenants to network. attributes similar to that of the revoked user. Various studies were conducted to adopt the privacy preservation in the cloud, and most of the state-of-the-art techniques fail to handle the optimal privacy when dealing with sensitive data, as it requires separate data sanitization and restoration models. The data recovery vulnerability can pose major threats to the sensitive user data, sons, for example, (a) the disk needs to be changed, (b) the data no longer needs to be there, and (c) termination of service, also contributes to the risk of device sanitization. of Cloud Computing, DOI: 10.5171/2017.736545 Figure 1: A conceptual view of cloud computing Cloud computing features The CC has a number of features that characterizes and distinguishes it from other paradigms and that are identified and briefly described below for a better understanding. Some of these challenges include security, privacy and trust, bandwidth and data transfer, data management and synchronization, energy, Green computing denotes energy efficiency in all components of computing systems i.e. In case of ambiguities, it is harder to claim the loss at a, CSP. 
An important factor is the key strength. With limited abilities of text input, passwords are usually used for authentication purposes in the MCC and can be vulnerable to theft over time, generation can be used for secure authentication. nizations data and applications adds more to the severity. The employed approach includes security parameters in the SLA to let the end user judge the security offerings and require-. These tools are mathematical algorithms, statistical models and Machine Learning (ML) algorithms. References 7. B. The cloud module is not used just to store the data, but also to process them on cloud premises. Services Comput. Resource virtualization: The If valid, the access is granted to the consumer. The proposed partitions are public, private, and limited access partitions. Each channel is assigned a unique logical ID that is used to monitor the source of packets originating from. To prevent the attacks on the network infrastructure, the ACPS utilizes the method presented in, warnings are recorded in the warning pool. Security and privacy for multi-tenancy is one of the grave challenges for cloud computing. on Services Computing (SCC), 2013, pp. At the least level, there is a need to harmonize different security. If the memory pages and vCPU contain private information of DomU, the hypervisor makes sure that they are encrypted. secure the data in the cloud. lation is present between different VMs, the access to the same physical resources can lead to data breach and cross-VM attacks. Moreover, the listed-rule firewalls decrease performance due to sequential rule searching and the arrangement of bigger rules after the smaller rules. The MCC requires the form of encryption that requires the least storage, processing, . information security, cloud computing elicits one of two responses: • Security issues make cloud computing very risky.
Comprehending the security threats and countermeasures will help organizations to carry out the cost benefit analysis and will urge them to shift to the cloud. The download is allowed based on user authentication that is carried out cooperatively by the data owner and the cloud. Parallel Distrib. The data in the public partition needs no authentication. Comput. However, it is not clear how the information is secured during. Moreover, unlike the traditional IT setup, the cloud, . Security issues from the technological and operational point of view were not in the scope of the aforesaid study. Inform. The lack of control over the data results in greater data security risks than the con-, Although cloud computing ensures the cost economy and also relieves the users from, . Based on the SR value, the data is allotted space in one of the three proposed partitions in the cloud. Pietro, Secure virtualization for cloud computing, J. Netw. Khan, A review on remote data auditing in single cloud server: taxonomy and open issues, J. Netw. The author discusses related challenges, opportunities, and solutions. Comput. Cloud computing is predicted to expand in the mobile environment leveraging on the rapid advances in wireless access technologies. Z. Xiao, Y. Xiao, Security and privacy in cloud computing, IEEE Commun. Information. Kiah, S.A. Madani, M. Ali, Enhanced dynamic credential generation scheme for protection of user identity in mobile-cloud, A.N. aspects of the research topic; hence, the main areas of interest are: ISRA, Cloud Computing, and ISRA within cloud computing. performance due to Cyberguarder and 5% increase in the energy consumption. cloud specific characteristics and technologies. All the control transitions between VMM and VMs are intercepted by the CloudVisor to, CloudVisor may hide the general purpose registers (by encrypting) from the VMM, while exposing only the necessary ones.
All of the processing, movement, and management of data/application are performed within the organizational administrative domain. The user revocation is dealt with by changing the encryption parameters of all such data that has. 1) The sensitivity of the information to be stored and/or processed in the cloud; and 2) The potential impact of an event that results in the loss of confidentiality, integrity or availability of that information • Cloud Security Model (CSM) defined 6 Information Impact Levels • Cloud Computing SRG defines 4 Information Impact Levels However, unlike the normal computing machines, the mobile devices are resource constrained, of low processing power, less storage capacity, limited energy, and capricious internet connectivity does not allow compute and storage mandating applications to run on mobile devices, new computing paradigm called MCC that enhances the abilities of mobile devices by moving the storage and compute processes by using the computation and storage services of the cloud. The SaaS only provides software through the Internet making it a model to distribute the software through the Web. The proposed framework showed detection and defense capabilities against rootkit, code. With the rapid developments occurring in cloud computing and services, there has been a growing trend of using the cloud for large-scale data storage. ... Fernandes D. et al. There is a need for standardized formats and protocols that can help the customers. The concluding remarks constitute the last part of the paper. It can also be observed that trusted computing can form a good basis for providing secure and trusted platforms because of the fact that it secures the platform right from the boot time and, the states periodically. It also verifies that data is stored at the correct partitions in the cloud. A user can create his/her own VM image or can use an, .
Moreover, there exists communication within the cloud between VMs. However, the future discussion has not been dis-, reviewed the security and privacy challenges in cloud computing and discussed the, elaborated the security issues in the cloud along with the approach-, detailed the security issues in cloud computing in depth with brief discussion on, surveyed the popular security models of cloud computing, such as. Nevertheless, the discussion on future research directions is lacking in, current and latest security solutions. The restart of a VM is only allowed if the integrity checks are valid. Also presented here is a generic architecture that evaluates 30 recently proposed mobile cloud computing research architectures (i.e., published since 2010). Eng. At the start of each operation the hash of the VM snapshot is calculated over its registers, memory contents, and image disk. The memory locations within the processors and outside used for storing data temporarily may be the target of attack. The monitoring is performed based on the logical IDs assigned by the routing layer. 13 (2) (2014). Clouds provide a powerful computing platform that enables individuals and organizations to perform various levels of tasks such as: use of online storage space, adoption of business applications, development of customized computer software, and Vasilakos, Security and privacy for storage and computation in cloud computing, Inform. The users are allowed to upload and download images from the repository, . This becomes a serious challenge as malicious activities of the VMs go beyond the monitoring of security tools. The results of the update checker and OPS are generated in the form of a report to inform both the user of the VM and the system administrator. Information Security Risk Assessment Sci. The ABE was introduced in, messages using the attributes and decryption can be performed by users possessing those attributes. 4.2.
The obtained constraints are then submitted to a constraint solver, namely Sugar, in order to verify the properties and to pinpoint potential misconfiguration problems. JCSMC 3: 1262-1273. Syst. Moreover, the survey presents the recent solutions presented in the literature to counter the security issues. Z. Tari, Security and privacy in cloud computing, IEEE Cloud Comput. H.T. Any access to the host system is regulated and mediated by the HyperLock. In the Mobile Cloud, Mobile cloud computing promises several benefits such as extra battery life and storage, scalability, and reliability. The proposed model utilizes both the bridge and route modes of the Xen hypervisor for virtual network configuration. This survey details the security issues that arise due to the very nature of cloud computing. • Security issues are more perceptual than prohibitive [2].” Paradoxically, both positions have merit. Sah, S. Shakya, H. Dhungana, A security management for cloud based applications and services with diameter-AAA, in: IEEE International. Syst. Moreover, the authors in, visor shadowing technique to further safeguard the VMs running on the host system. All of the participating clouds retain. The basic working of ImageElves resembles the technique presented in, software running on the VMs. to lack of administrative control of the owner organization. The CSA recommends the following key points for access control and identity, The Attribute Based Encryption (ABE) has been employed to provide access control in the cloud environment that specifies and enforces the access control policies cryptographically. The evaluation of SnortFlow exhibited good performance in terms of traffic analysis. Yiu, SPICE simple privacy-preserving identity-management for cloud environment, in: Applied. Parallel Distrib. The user does not know the location of the assets due to the location transparency offered by the cloud, and therefore, cannot exactly know his/her legal rights and responsibilities.
This makes Federated Identity Management systems more scalable and flexible to deploy and maintain in cloud computing environments. Fernandes, L. FB. The proposed model. This avoids the cross tenant attack on the virtual network. The cloud computing model does not deliver users with full control over data. Thus, our paper contributes to cloud sourcing research by deepening the understanding of client-provider relationships and by introducing a viable CSP management instrument contingent on three salient factors of cloud service provisioning. Comput. The ACPS provides various security services to the CSP resources including network against attacks on user and. keys for avoiding data leakage to the revoked user. The purpose of this policy is to provide an overview of cloud computing and the security and privacy challenges involved. A VMM can provide a larger attack vector due to more, . In this paper, the authors discuss security issues for cloud computing and present a layered framework for secure clouds and then focus on two of the layers, i.e., the storage layer and the data layer. A VMM is prohibited from overwriting the extended page table for any VM in case of a mismatch between the page ownership and the page table. 1–30. The sharing of network components provides the attacker a window of cross-tenant, . The SLA is a document that specifies the terms and conditions between the user and the CSP. Mag. The presence of multi-tenants using virtualized resources that may correspond to the same physical, . Therefore, organizations are looking for new ways to manage their relationship with cloud providers. Thus, the process can be overcome by utilizing an efficient shielded access on a key propagation (ESAKP) technique along with an adaptive optimization algorithm for password generation and performing double permutation. Built-in security measures should be adopted for virtualized OS. kle tree.
The encrypted and non-encrypted sensitive data is sent to the cloud environment and the parameters are evaluated with different encryption algorithms. The scaling of resources up and down is performed dynamically and the usage of services is metered and reported to the customer and CSP. Despite the provided advantages, cloud computing is not exclusive of risks with security being the key risk, Security is one of the biggest obstacles that hamper the widespread adoption of cloud computing, and research organizations are reluctant to completely trust cloud computing to shift digital assets to third-party organizations. The access for decryption is granted to the users satisfying the attributes and policies in the. There are many reported bugs in the VMM that let the attacker take, VM sprawl is a situation where the number of VMs on the host system is continuously increasing and most, . In the proposed cloud, special collaboration methods are offered as services to reduce the time and cost of development, hence they become plug and play components to be used when needed. risks of cloud computing. virtual networks raise some unique security concerns in addition to the concerns faced by conventional physical networks. The aforementioned limitations served as motivation for a, . Similarly, a private cloud may or may not be located at the organization’s geographical site. In this paper we detail the challenges based on three abstract domains, namely, (a) architectural issues, (b) communication issues, and (c) contractual and legal issues. The access control is provided at check-in and checkout times. Comput. The large code base of the hypervisors broadens the attack surface of the hypervisors. proposed the use of TPM and Elliptic Curve Cryptography (ECC) to provide a secure platform for, proposed the provision of Security as a Service (SECaaS) in the cloud environment.
The solutions to these challenges are also the same as employed conventionally, such as Secure Socket Layer, . The above given models providing the mentioned characteristics are implemented using various technologies, for example virtualization and multi-tenancy. The authors also propose a comprehensive security framework for Cloud computing environments and discuss various approaches to address the challenges, existing solutions and future work needed to provide a trustworthy Cloud computing environment. It checks for the updates of the installed software and identifies the VMs (both dormant and running) that need to be updated. 113–120. The research activities mostly focus on a specific issue and try to resolve that issue or, in the most encouraging scenario, a few related issues may be the target of the researchers. A virtualized network poses a hindrance to the goal of such preventive measures. The virtualized network is shared among multiple VMs, which causes the possibility of certain attacks, such as Denial of Service (DoS), spoofing and sniffing of the virtual network. A VMM is a software component that manages all the VMs and their access to the hardware. As shown in Fig. The computational security is ensured against partial computation and use, computational cost. Lastly, it is worth mentioning that although the security solutions provide, also introduce computational and cost overhead. Support Syst. Therefore, a compromised hypervisor will only affect the paired VM, keeping the other VMs on the host secure. Waters, Efficient identity-based encryption without random oracles, in: Advances in Cryptology EUROCRYPT, Springer, Berlin, Heidelberg, 2005, pp. The trusted authority generates and distributes the system parameters and root master key to the domain authorities. This allows reasoning on whether the aforementioned security properties hold. The de-privileged, nent, that is decoupled from the OS and is executed in the user mode.
Multi-tenancy results in optimal use of resources and different customers are segregated, The NIST divides the services provided by cloud computing into three categories, namely: (a) software as a service (SaaS), (b) platform as a service (PaaS), and (c) infrastructure as a service (IaaS). Such a case results in a risk of privacy breach of other users, In this section, we discuss various approaches proposed in the literature to counter the security issues discussed in Sec-, going into the details of the countermeasures, we describe the recommendations specified by the CSA in that particular, 4.1. Comput. 1–6. This results in the modification of the GVM and gives the effect that the program is being run in the GVM. The SecAgreement extends the template of the ws-agreement to incorporate security constraints and metrics into. The ontologies used the concept of service matchmaking to differentiate between different offerings. The access control in the proposed platform is based on OAuth (Open Authorization), which is a token based access control mechanism. In short, any compromised service model gives access to the other layers of the service model. The user generates an authentication certificate from the obtained credentials. The ws-agreement mainly captures the agreement based on quality of service. The resource allocated to a particular user may be assigned to another user at some later point in time. The insider attacks can be avoided to an extent by having definite. The CSA recommends the following major measures. In the end, the discus-. Third party security technology should be used to cut down dependency on the CSP. International Symposium on High Performance Computer Architecture, 2013, pp. Control Markup Language (XACML) messages, and XML wrapping attacks. 1 (1) (2014) 54–57, Z. Tavakoli, S. Meier, A. Vensmer, A framework for security context migration in a firewall secured. 9 (4) (2012) 373–392.
Comparison of techniques countering contractual and legal issues in the cloud. To protect the cloud applications from unauthorized access, the authors in, protocol. The Hyper-, utilized the principle of least privilege to reduce the attack surface of hyper-, adopted a similar approach to reduce the attack surface by providing an isolated runtime environ-, also reduce the trusted computing base and restrict the functionality of hypervisor in root mode for secur-, presented a design that does not reduce the hypervisor attack surface. 86 (09) (2013) 2263–2268, M. Sadiku, S. Musa, O. Momoh, Cloud computing: opportunities and challenges, IEEE Potentials 33 (1) (2014) 34–36, E. Schweitzer, Reconciliation of the cloud computing model with US federal electronic health record regulations, J. Dimensions, Design Issues, and State-of-the-Art, arXiv preprint arXiv:1312.6170, 2013. SPI (software, platform, and infrastructure). The HyperCheck was implemented both for open and closed source BIOS. The compromised hypervisor may grant all the privileges to the successful attacker, putting all other resources into the danger zone. , an extension of the ABE, categorizes user attributes into a recursive set based arrangement and, extended the ASBE to present Hierarchical Attribute-Set-Based Encryption (HASBE) that utilizes hierarchical user, proposed a decentralized approach for authentication and controlling access to the cloud storage. The current audit, based on the, the CSP itself might not be a satisfactory option for many. ments. The proposed methodology also recommends the use of encryption while moving applications between platforms. Although virtual devices have been proposed to secure the virtual network, a comprehensive strategy to monitor the traffic on the virtual network is needed to avoid malicious flow of information. ing a comprehensive security solution in cloud computing. The aforementioned reasons, reviewed the security issues at different levels of, .
efficiency, and heterogeneity. Shadow hypervisors are created and each of the VMs is paired with a separate shadow hypervisor. The cloud services are delivered to the customer through the Internet, applications are used to access and manage cloud resources that makes Web applications an important component of the, logically. The aim of this paper is to do research on security in Cloud Computing by authenticating a Blob by some secure algorithm like HMAC for an account [12]. The migration of user’s assets (data, applications, etc.) and with the limited instruction set. This document outlines the Government of Saskatchewan security policy for Cloud Computing. The Guestvisor emulates the hardware for the VMs. Manual tests must be carried out periodically to ensure secure session management of web applications. management and role based access control. The data in the cloud is much more vulnerable to risks in terms of confidentiality, integrity, and availability in comparison to the conventional computing model, increasing number of users and applications leads to enhanced security risks. Public cloud solutions are seen as the most vulnerable options from a security perspective, leaving many federal customers to seek private alternatives to overcome security challenges. 42 (2014) 120–134, S. Yazji, P. Scheuermann, R.P. The trusted computing is used for attestation and integrity verification of source and destination platforms. Employees of SaaS providers having access to information may also act as a potential risk, Besides the data at rest, the data being processed also comes across security risks, resources are shared among multiple tenants. Security is certainly one of the major challenges of cloud computing and occupies a central place in all discussions concerning this paradigm [2,6. This concern originates from the fact that sensitive data stored in the public clouds is managed by commercial service providers who might not be totally trustworthy.
The initial essential step toward providing such solutions is to identify a context that determines all security issues. The rollback, . • To propose and implement an end-to-end security architectural blueprint for cloud environments, providing an integrated view of protection mechanisms, and then to validate the proposed framework to improve the integrity of live VM migration. The perfect segregation of numerous tenants and allocated resources is a complex task and needs a much higher level of security. Mobile, Q. Duan, Y. Yan, A.V. All of the information about software packages and the VMs is stored at the central database. The DCPortalsNg interacts with OpenStack through a Neutron plugin and obtains all of the required virtual network information. (2014), [73] S.H. The authors in, es that can be employed to tackle the vulnerabilities. The security constraints are not semantically netted for risk quantification in ws-agreement. The authors in. The routing layer establishes a dedicated logical channel between virtual and physical network. . The authors in, service cancelation to reduce the security risks in post violation/cancelation environment. Initially, a convergent encryption approach is applied for preventing the leakage of data and a role re-encryption process is employed for attaining authorized deduplication resourcefully. 587–604, Springer, New York, 2014, pp. extensions in ws-agreement the users can quantify the risk of using the services of any CSP and opt for the cloud services that, In a cloud environment, the user assets are exposed to extreme risk in case of violation of the security SLA or cancelation of any of the security services. Our final cloud management framework comprises ten processes for effective CSP management based on a literature study and twelve expert interviews. The algorithm updates the risk evaluation according to the changes in the SLA.
The key is generated by a key management server (a third party that is not a part of the cloud) through the password of the user. Hoang, C. Lee, D. Niyato, P. Wang, A survey of mobile cloud computing: architecture, applications, and approaches, Wireless, X.