ABSTRACT
As organizational needs expand beyond current limits, companies seek flexible, cost-effective, and proven ways of providing their services without compromising security. Cloud computing presents businesses and companies with a massive chance for growth and efficient consumer IT service delivery over the internet. However, the added level of risk that comes from combining various technologies results in security and privacy issues. This paper explores the main vulnerabilities and threats highlighted in the cloud computing literature as the basis for developing counter applications.
Introduction
Cloud computing is considered a game-changer in scientific and industrial communities. It is increasingly infiltrating industrial systems, businesses, government organizations, private entities and learning institutions. According to Gartner (2012), cloud computing technology tops the list of the most essential and innovative technologies in recent times. Its growth and adoption rate is exponential, with better prospects in the coming years.
The technology presents itself as a computational paradigm as well as a distribution architecture founded on providing better, secure, convenient, quick and affordable services over the internet. The cloud enhances scalability, agility, collaboration, better adaptation to fluctuations and demand, cost-effective services and acceleration of project development through optimized computing power.
Literature review
According to the National Institute of Standards and Technology, cloud computing is a model of ubiquitous, convenient, on-demand network access to a shared pool of resources such as computer networks, servers, storage, services and applications. These resources can be provisioned and released with minimal service provider interaction or management effort.
Cloud is defined by five essential features, four deployment models and three service models. Cloud computing provides many benefits.
- Measured service
- Elasticity
- On-demand service
- Broad network access
- Pooling of resources
Given the number of technologies it leverages (SOA, Web 2.0, and virtualization) on the internet platform, Rittinghouse (2009) argued that cloud computing is essentially a converged maturity of the very technologies it depends on and the services they offer. This is because it gives the user common business applications through the web browser to execute their needs, while their software and data are stored on the servers.
Businesses can change or add new products without time or cost constraints. With the available on-demand cloud resources, new configurations are easy to set up and use within hours, and the cost depends on the amount of time used.
Transitions, mergers, and acquisitions can be realized without many resources. If the organization wishes to expand its niche as a result of acquisitions and mergers, cloud-based services provide the required scalability. Other benefits, such as accessibility and cost reduction, are the motivation behind their adoption.
In spite of the numerous benefits it accords the users, its adoption is subject to some significant barriers. Some of the notable barriers are security, compliance, privacy and legal issues in that order.
The new paradigm represented by cloud computing presents great uncertainty in the handling of security at all levels, i.e. network, host, application, and data. According to Morsy (2010), this is exacerbated by the fact that the combined technologies have their own original security issues, all of which are carried forward to the cloud. Traditional security mechanisms such as authentication, authorization and identity are insufficient to handle the heterogeneous, completely distributed and virtualized cloud environment.
Methodology
Question formulation
The question considers the most significant issues in cloud computing including threats, risks and vulnerabilities. The research will be guided by the following questions:
Question 1: What is the security level of the data stored in the cloud?
Question 2: What is the performance of the data in the cloud?
Question 3: How will data be managed in the cloud?
Question 4: How will data compliance and regulatory compliance be achieved for data in the cloud?
Question 5: What security/privacy vulnerabilities and threats are frequently encountered in cloud computing?
Sources
Results obtained reflected a classification of threats and vulnerabilities based on data security, trust, network security, application security, middleware and storage security. The cloud provides three fundamental service models: SaaS, PaaS, and IaaS. The SaaS model is based on a high degree of integrated functionality with minimal customer extensibility and control. IaaS, on the other hand, provides greater customer control over security due to its lower degree of abstraction.
SaaS security issues
Because SaaS provides the application services demanded by the user, such as SCM, ERP, CRM and email, users have less control over security, which results in security concerns.
Multi-tenancy issues arise from the third maturity model, where all customers use a single instance of the application. Resources are utilized efficiently but scalability is limited, making data from multiple tenants, stored in the same database, vulnerable to leakage.
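The leakage risk of the shared-database model, shown as an added example that is not part of the original paper: a lookup keyed only on a record id beside a form that scopes every query to the tenant. The `invoices` table, the tenant names and all function names are hypothetical, and the rows are constructed sample data.

```python
import sqlite3

def make_shared_db():
    """One application instance, one table shared by all tenants (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
               " customer TEXT NOT NULL, amount REAL NOT NULL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        (1, "tenant-a", "Alice Ltd", 120.0),
        (2, "tenant-b", "Bob GmbH", 990.0),
        (3, "tenant-a", "Carol Inc", 45.5),
    ])
    return db

def get_invoice_unscoped(db, invoice_id):
    """Weak form: filters on the row id only, so tenant boundaries are not enforced."""
    return db.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices WHERE id = ?",
        (invoice_id,)).fetchone()

class TenantSession:
    """Hardened form: the tenant is fixed from the authenticated session
    (never taken from request input) and every query filters on it."""
    def __init__(self, db, tenant_id):
        self._db = db
        self._tenant_id = tenant_id

    def get_invoice(self, invoice_id):
        return self._db.execute(
            "SELECT id, tenant_id, customer, amount FROM invoices"
            " WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id)).fetchone()

    def list_invoices(self):
        return self._db.execute(
            "SELECT id, customer, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,)).fetchall()

def audit_cross_tenant_reads(db, tenant_id, candidate_ids):
    """Isolation test: ids for which the unscoped lookup returns another tenant's row."""
    leaks = []
    for invoice_id in candidate_ids:
        row = get_invoice_unscoped(db, invoice_id)
        if row is not None and row[1] != tenant_id:
            leaks.append(invoice_id)
    return leaks
```

Running `audit_cross_tenant_reads` as a regression test against each data-access function is one way to catch a query that forgets the tenant filter.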
Data security in the cloud is not guaranteed. In SaaS, organizational data is processed in plain-text format and stored in the cloud. The SaaS provider is charged with the security of the data during processing and storage. Third-party service providers contracted to provide backup services raise concerns, together with disparate compliance and regulation issues arising from privacy, segregation and data security in their datacenters.
Accessibility of applications and data in the cloud is made easier via public computers and mobile devices, but it comes at an additional security cost arising from mobile malware, insecure Wi-Fi networks and proximity-based hacking.
PaaS
PaaS facilitates cloud-based application deployment without the need for hardware and software layers. Security issues include those associated with the platform itself and those of customer applications on PaaS.
PaaS models inherit security vulnerabilities associated with third-party service components such as mashups in addition to web-hosted development tools and services.
Developers are faced with the challenge of developing secure applications in the shortest SDLC time possible while leaving room for frequent upgrades. Frequent updates give them the flexibility to keep up with the changing environment, while at the same time presenting a security loophole. The underlying infrastructure also presents a dilemma: while developers are in control of the applications running on it, they have no guarantee that the development tools provided by PaaS providers are safe.
IaaS
IaaS provides a pool of resources such as servers, networks, storage, and virtualized systems. Security is improved except in the management of the virtual machine monitor. Noted security issues include:
- The extra layer created by virtualization may introduce a new attack platform.
- Compromise of one virtual machine leads to subsequent compromise of others.
- Shared resources between VMs decrease their security.
- Virtual machine rollbacks reintroduce security vulnerabilities and previously disabled accounts, which is a security risk.
- The offline life cycle of the virtual machine presents vulnerabilities to malicious code and malware.
- Virtual machine network links (routed and bridged) present a window for attacks such as sniffing and virtual network spoofing.
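The rollback and offline-image items above can be checked before a restored VM is reconnected. The following is an added example, not from the original paper: it compares the state captured in a snapshot with the state expected today. The account names and patch identifiers are constructed, and `VmState`, `rollback_findings`, `remediated` and `safe_to_reconnect` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VmState:
    """Accounts enabled and patches installed on an image (constructed values below)."""
    enabled_accounts: frozenset
    installed_patches: frozenset

# State frozen in an old snapshot or a long-offline image (constructed).
SNAPSHOT = VmState(frozenset({"admin", "svc-backup", "contractor7"}),
                   frozenset({"PATCH-A"}))
# State the fleet is expected to have today (constructed): contractor7 has
# since been disabled and two further patches were rolled out.
BASELINE = VmState(frozenset({"admin", "svc-backup"}),
                   frozenset({"PATCH-A", "PATCH-B", "PATCH-C"}))

def rollback_findings(restored, baseline):
    """Report what a rollback brings back relative to the current baseline."""
    return {
        # Accounts enabled in the restored image that are no longer allowed.
        "reenabled_accounts": sorted(restored.enabled_accounts - baseline.enabled_accounts),
        # Patches required today that the restored image predates.
        "missing_patches": sorted(baseline.installed_patches - restored.installed_patches),
    }

def remediated(restored, baseline):
    """State after disabling stale accounts and applying the missing patches."""
    return VmState(restored.enabled_accounts & baseline.enabled_accounts,
                   restored.installed_patches | baseline.installed_patches)

def safe_to_reconnect(restored, baseline):
    """Gate: the image may rejoin the network only with no open findings."""
    findings = rollback_findings(restored, baseline)
    return not findings["reenabled_accounts"] and not findings["missing_patches"]
```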
Analysis
The two most common and detrimental attacks in the cloud are associated with data storage and virtualization. Attacks on lower abstraction layers have a greater impact on the other layers.
Vulnerabilities in cloud computing can be summarized as shown in table 1
Fig. 1 Description of vulnerabilities and threats in cloud computing
Conclusion
Cloud computing is a relatively new paradigm that presents unparalleled benefits to its adopters. However, considerable security issues are raised, potentially slowing down its adoption. Since cloud computing leverages many technologies, it inherits their individual security issues and potentially adds other compliance and legal complications pending the development of a universal framework and security standard. This paper has presented the security issues based on IaaS, PaaS, and SaaS. The topmost challenge encountered has to do with virtualization. Different virtualization technologies present different security challenges, which are difficult to counter. The research exhibited shortcomings in relation to the available material in the literature concerning PaaS security issues. Future researchers may be encouraged to delve further into the issues in the PaaS service model.
This research is essential because it explicitly makes known the difference between vulnerabilities and threats, unlike other surveys.
References
Grobauer B, W. T. (2011). Understanding Cloud Computing vulnerabilities. IEEE Security Privacy, 9(2):50–57.
Inc, G. (2012). Gartner identifies the Top 10 strategic technologies for 2011. Online. Available: http://www.gartner.com/it/page.jsp?id=1454221.
Keiko Hashizume, D. G.-M. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4/1-5.
Lorna Uden, F. H. (2012). 7th International Conference on Knowledge Management in Organizations: Service and Cloud Computing. Springer.
Morsy MA, G. J. (2010). An analysis of the Cloud Computing Security problem. Proceedings of APSEC 2010 Cloud Workshop. Sydney: APSEC.
Rittinghouse JW, R. (2009). Security in the Cloud. In: Cloud Computing. Implementation, Management, and Security. CRS.