See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/261024371

Security of cloud computing, storage, and networking

Conference Paper · May 2012

DOI: 10.1109/CTS.2012.6261019

CITATIONS
READS
27
234

1 author:

Mohamed Hamdi
École Supérieure des Communications de Tunis
183 PUBLICATIONS 1,729 CITATIONS

Some of the authors of this publication are also working on these related projects:

ASSET (Adaptive Security for Smart Internet of Things in eHealth)- asset.nr.no View project

All content following this page was uploaded by Mohamed Hamdi on 10 October 2015.

The user has requested enhancement of the downloaded file.

 Security of Cloud Computing, Storage, and
Networking
Mohamed Hamdi
School of Communication Engineering, Technopark El Ghazala, 2083 Tunisia
Email: mmh@supcom.rnu.tn

Abstract—Convergence and ubiquity are the key character-

istics of tomorrows service provision infrastructures. Cloud became fashionable. In a cloud computing environment, the
architectures will constitute cost-efficient backbones that will entire data reside over a set of networked resources, enabling
support the transmission, storage, and computing of the appli- the data to be accessed through virtual machines. Since these
cations contents. These architectures can be used for business, datacenters may lie in any corner of the world beyond the
scientific, and pervasive computing purposes. The diversity of
reach and control of users, there are multifarious security
the services delivered through cloud infrastructures increases
their vulnerability to security incidents and attacks. The cost and privacy challenges that need to be understood and taken
and complexity reduction requirements render the design and care of. Also, one can never deny the possibility of a server
development of protection mechanisms even more challenging. breakdown that has been witnessed, rather quite often in the
In addition, key design features such as confidentiality, privacy, recent times. There are various issues that need to be dealt
authentication, anonymity, survivability, dependability, and
with respect to security and privacy in a cloud computing
fault- tolerance are, in some extent, conflicting. The objective of
this tutorial is to present the state-of-the-art of security and scenario. In this chapter, the fundamental concepts of cloud
explore research directions and technology trends to address the computer security will be explored, including cloud security
protec- tion of cloud communications and networking services, cloud security principles, cloud security
infrastructures. An emphasis will be made on the collaboration requirements, and testing techniques. The purpose of the
of mobile devices in cloud based infrastructures. The
chapter is to convey to the reader the ability to: ” Understand
fundamental concepts of cloud computing security will be
explored, including cloud security services, cloud security security management challenges and opportunities in cloud
principles, cloud security requirements, and testing techniques. environments ” Examine cloud computing risk, threats, and
vulnerabilities ” Specify, validate, and implement preventive
Keywords – Cloud computing security; risk analysis; dis- and reactive security poli- cies for in a virtual environment ”
tributed attacks and threats; software and data isolation. Develop business continuity and disaster recovery plans for
cloud computing ” Conduct security investigation missions to
analyze attacks against cloud computing This chapter
I. INTRODUCTION addresses various aspects related to the security of cloud
computing. The following items give an overview of the most
Cloud computing is clearly one of today’s most enticing
important issues that will be discussed in the following
technology areas due, at least in part, to its cost-efficiency
sections:
and flexibility. This technology holds the potential to
eliminate the requirements for setting up of excessively
• Overview on cloud infrastructures: Cloud infrastructures
expensive com- puting infrastructure for the IT-based
allow the delivery of computing, storage, and networking
solutions and services that the industry uses. It promises to
as services rather than products. This section provides an
provide a flexible IT architecture, accessible through
overview on the cloud delivery and deployment models.
internet for lightweight portable devices. This would allow
The terminology introduced by the US National Institute
many-fold increase in the capacity or capabilities of the
for Standards and Technology (NIST) will be used.
existing and new software. However, despite the surge in
Three models will be covered in this context: (a)
activity and interest, there are significant, persistent concerns
Software as a Service (SaaS), (b) Platform as a Service
about cloud computing that are impeding momentum and
(PaaS), and
will eventually compromise the vision of cloud computing as
(c) Infrastructure as a Service (IaaS). The major benefits
a new IT procurement model. When thinking about solutions
brought by cloud computing, including flexibility and
to cloud computing adoption problem, it is important to
resiliency, cost-effectiveness, data-centric storage, and
realize that many of the issues are essentially old problems in
scalability, will be highlighted.
a new setting, although they may be more acute. For example,
• Risk and threat analysis in cloud computing: This section
corporate partnerships and off- shore outsourcing involve
gives a detailed technical analysis of some attacks that
similar trust and regulatory issues. Similarly, open source
have been recently conducted against cloud infrastruc-
software enables IT departments to quickly build and deploy
tures. To imbue a practical flavor to the attendee, a study
applications, but at the cost of control and governance.
of the attacks that have targeted cloud infrastructures
Moreover, virtual machine attacks and Web service
(study of recent cases: Yahoo, SONY, ) will be
vulnerabilities existed long before cloud computing
presented. These attacks have been selected from
concrete cases cited by the CSI/FBI crime and security
survey and the
 U.S. Computer Emergency Response Team. Key • Amazon Web Services (Public Cloud, IaaS): Arguably
findings of a recent survey of cloud-computing providers one of the most mature clouds, launched in July 2002
per- formed by the Ponemon Institute [1] will also be not really with an IaaS offering, more just pieces of it.
studied. A special emphasis will be placed on the Its EC2, or Elastic Compute Cloud, which is classified as
analysis of the vulnerabilities making the number of an IaaS offering launched officially (non-beta) in
attacks against cloud computing dramatically increase. October 2008.
• Software and data isolation: A continual threat to a • Rackspace Cloud Hosting : Launched publicly in Febru-
cloud computing environment is that malicious code can ary 2008.
interfere with the hypervisor or other virtual machines. • GoGrid (Public Cloud, IaaS): Launched in April 2008.
This section gives an overview of the cloud computing • Salesforce.com (Public Cloud, SaaS, and PaaS):
weaknesses such as buffer or out of memory exploits Although the company was launched March 1999,
can compromise the VM, underlying hypervisor and ul- Salesforces PaaS, Force. com was launched in January
timately the host operating system. Sophisticated attacks 2008.
such as mapping a cloud infrastructure to target a specific • Google Apps Engine (Public Cloud, PaaS): Its first
service or organization will be given a special interest. public beta was launched in April 2008. GovCloud,
The mathematical techniques used in the literature to Googles form of Google Apps that addresses and meets
model the propagation of malicious code, mainly worms, govern- ment security mandates was only launched in
will be covered. The countermeasures that should be im- September 2009.
plemented to thwart such propagation will be discussed.
More recent applications have used the cloud infrastructure
for the provision of advanced services such as multimedia
II. CLOUD COMPUTING BASICS streaming [6], virtual reality [7], and robotics [8]. The richness
Before delving into the details related to the security of the cloud components and the complexity of the underlying
of cloud computing infrastructure, this section provides an architecture has considerably witnessed the proliferation of
overview on the fundamentals aspects related to the area topic. the services based on cloud computing but it has also been at
the origin of many malicious actions that will be described in
The cloud computing paradigm refers to the development the following section.
and implementation of models for enabling ubiquitous, con-
venient, on-demand access to a shared set of configurable
III. THREATS AND RISKS OF CLOUD INFRASTRUCTURES
computing resources (e.g. networks, servers, storage, appli-
cations, and services). This encompasses the consideration of The rapid growing of the cloud computing market has
network access techniques that guarantee fluid service motivated malicious users to revise attacks techniques in
provider interaction with the cloud users [3]. In the associated order to cope with the features of cloud infrastructures. This
business model, users only pay only for the services they section highlights the security requirements that stem from
actually exploit, without prior commitment, enabling cost the characteristics of cloud computing architectures and gives
reductions in IT deployment and a scalability of far greater a technical description of the most relevant attack scenarios.
resources, which are abstracted to users in order to appear
unlimited, and presented through a simple interface that hides
the back-office processes [4]. A. Security requirements for cloud computing

In the literature, three cloud-based service models have In [2], a set of security requirements for cloud computing
been proposed [5]. have been enumerated:
1) Software as a Service (SaaS): providing applications • Service and data availability: Network reliability is a
running in the cloud, where the customer has virtually key cornerstone for cloud computing and cloud ser-
no access control or management of the internal infras- vices. Since a cloud is accessed over public networks
tructure (typically the Internet), the cloud provider must address
2) Platform as a Service (PaaS): providing a set of tools the potential for catastrophic loss of Internet backbone
that support certain technologies of development and connectivity. The same concern should be a primary
all the necessary environment for deploying applications consideration for cloud service consumers who entrust
created by the customer, who is able to control and critical infrastructure to the cloud. Availability is also a
manage them within the limits of its application primary concern for private cloud infrastructures.
3) Infrastructure as a Service (IaaS): providing basic com- • Confidentiality and privacy:
puting resources such as processing, storage and • Disaster recovery and business continuity: Users and
network bandwidth where the client can run any application providers should get insurance that the cloud
operating services persist in case of the occurrence of security
incidents and disasters. The minimal core services that
The proliferation of cloud computing services is illustrated are mandatorily available should be specified in the
by the number of applications that are being proposed in this continuity plan as well as the policy to use redundant
context. Below is a list of cloud-based services that have been systems. The recovery procedures should also be clearly
often cited by researchers and scientists addressed in order to minimize the downtime duration.
 • Cloud provider viability: Concerns about provider via- background being involved in DoS attacks since they just
bility are raised when proprietary interfaces are used to have to download easy-to-use tools and scripts. All what is
administrate the services accessible to the users. required is time coordination so that the attack campaign puts
• Risk tolerance: When the user choose to put information down the victim resources. Perfect illustrations of such attacks
assets into the cloud, awareness of the amount of risk scenarios are the operations conducted by the Anonymous
corresponding to the global situation should be groups against multiple governmental infrastructures. Other,
estimated. The impact and the frequency of the identified and more technical, issues regarding these DDoS attacks are
threats should be used to provide an accurate prediction polymorphism and evasion. Multiple attacks vectors are sent
of the risk events. The amount of uncertainty should also to the victim infrastructures to enhance the efficiency of the
be quantified to estimate the residual risk. The risk DoS in terms of delay and probability of success. The most
analysis process turns out to be more challenging in common vectors are
the context of cloud computing since many processes
cannot be conducted as in traditional networks. For • HTTP Get flood attack: targeting the web application
instance, infor- mation classification models should be resources and further modifying the target URL during
adapted to cope with the context where multiple data the attack
having different security levels uploaded by users having • TCP connection flood on port 80: targeting the web
different access grants should be managed in a single application resources
infrastructure. • SYN flood attack: targeting the server TCP/IP stack
• Cost-effectiveness: One of the key factors used by cloud • UDP flood attack: targeting network bandwidth resources
providers to promote their solutions is that they cost less
than acquiring a whole hardware/software architecture. Evasion techniques are used by the attackers to bypass
This assumption should not be affected by the security preven- tive and reactive security mechanisms. They break
functionalities that should be provided to protect the into four categories [13]
cloud-based services. Strong arguments should be given 1) Packet splitting: Consists in splitting IP datagrams or
to the users to make them accept outsourcing the security TCP streams into non-overlapping fragments or seg-
of their data and application. ments. If the security system does not completely re-
• Regulation and legislation compliance: When the data assemble the IP fragments or TCP segments to restore
stored or transmitted through the cloud architecture falls the original application content, it may neglect an attack
under regulatory compliance restrictions, the appropriate embedded in the content targeted at the victim host.
deployment (private, public or hybrid) should first be 2) Duplicate insertion: Consists in inserting duplicate or
determined. Privacy is a crucial issue in cloud overlapping segments (or IP fragments) to confuse the
computing, especially with the proliferation of social security system [13]. The efficiency of this technique
web. Preventive countermeasures should be implemented depends on whether the victim handles the dupli-
to enforce the prohibition of any form of privacy cate/overlapping fragments as anomalies because it
violation. In addition, reactive mechanisms should be lacks related information such as network topology and
used to investigate the cases of privacy violation and the victims operating system.
take the necessary actions. 3) Payload mutation: Consists in transforming malicious
packet payloads into semantically equivalent ones. The
transformed payloads will look different from the sig-
B. Attacks against cloud architectures natures known and expected by the security system, so
The diversity of services that can be implemented based the attack can evade the detection.
on cloud computing is probably the major factor motivating 4) Shellcode mutation: Consists in encoding a shellcode
the proliferation of attack techniques and methodologies. In into polymorphic forms to evade a protection system
addition to financial gain, multiple aspects may be at the that prevents/detects a shellcode according to the
origin of malicious actions including organizational signatures extracted from one or a few variants of that
concurrence, political hacktivism, and privacy violation. In shellcode.
the following, a list of the most important attacks that can be One key fact that have been noticed based on the security
conducted against cloud infrastructures is given. Due to space surveys is that application-level attacks are, by far, more
limitations, a brief description is provided for each of these bandwidth-efficient than network-level attacks. This is mainly
attacks. The interested reader would refer to [9] for a complete because, at the application level, attackers often use script
survey of cloud computing attacks. injection tools rather flooding tools. This is corroborated by
According to multiple security survey reports [10], [11], Figure 1.
[12], most of the attacks that are being conducted against The most important attacks that can be performed at the ap-
information systems and communication networks belong to plication layer include SQL injection and Cross Site Scripting
the Denial of Service (DoS) category. The major novelties (XSS) attacks, and direct node injection. It is easier to target
regarding these attacks is that coordination is hybrid (i.e., the application logic or framework of an application than the
manual and automated) in the sense that public messages actual server behind the hardened network perimeter. Applica-
are broadcasted to Internet users to participate in the attack tions are mostly developed by the businesses themselves and
process. This allows users that do not have a technical
 B. Identity management
Identity management schemes in cloud computing use
active bundle schemes, where predicates are evaluated over
encrypted data and multiparty computing. This presumes that
the used encryption schemes allow the execution of predicates
without violating confidentiality and privacy, which is often
hard to fulfill. These techniques do not need trusted third party
(TTP) for the verification or approval of user identity. As a
result, the user anonymity is guaranteed and the identity is not
disclosed. As an alternative to existing public key
infrastructures, ID- based encryption schemes [15] may also
be used in the cloud computing context. A shortcut of such
identity management schemes is that active bundle may not
be executed at all at the host of the requested service. It
would leave the system vulnerable. The identity remains a
Figure 1. Bandwidth-efficiency of network and application attacks [12]. secret and the user is not granted permission to his requests.

developer’s do not have a common, standard set of secure C. Software isolation

development policies. This creates a target rich environment To address the security of the hypervisors, different
of vulnerabilities to be exploited. domains are used for providers and users, each with a special
In [11], some vulnerabilities that are specific to cloud com- trust agent [16]. This encompasses the use of different
puting have been pointed out. Specifically, security trust strategies for service providers and customers so as to
weaknesses at the Application Programming Interfaces (APIs) take time and transaction factors into account for trust
available to cloud users are crucial since cloud provisioning, assignment. Despite the efficiency of this approach, its
management, orchestration, and monitoring are all performed scalability is question- able. Software isolation in a very
using these interfaces. Moreover, the improper user of cloud large scale cross cloud environment is hard to guarantee. This
components may lead to the use of these components to scheme is able to handle only a limited number of security
conduct malicious actions against third victims. Other security threats in a fairly small environment. In addition, they often
aspects relate to the hypervisor, which is the controller that have a negative impact on the system performance because of
allows multiple operating systems to be run on a system they important computational load.
at a time. Since multiple operating systems can be running
on the same hard- ware platform, it turns out to be hard to
D. Border Gateway Protocol security
keep track of all and hence maintaining all the operating
systems secure is difficult. Effectively, a guest system may In [17], a Border Gateway Protocol (BGP) architecture
run a malicious code on the host system and bring the system has been suggested to detect the cases where an autonomous
down or take full control of the system and block access to system may announce itself wrongly as the destination for
other guest operating systems. all the data that is being transferred over that network. This
allows the implementation of anomaly detection and incident
IV. PROTECTION OF CLOUD INFRASTRUCTURES response mechanisms in cloud computing environments. It
also gives us the flexibility to run the secure BGP protocol on
This section reviews the most important security schemes some of the autonomous systems in order to protect the whole
that have been proposed in the literature to protect cloud network. The use of this approach should be accompanied by
computing systems. additional protection techniques since it is itself vulnerable to
DoS attacks.
A. SaaS protection
V. CONCLUSION
An approach proposed in [14] uses a homomorphic token
with distributed verification of erasure-coded data towards en- This paper provides a tutorial of cloud security techniques,
suring data storage security. This approach supports dynamic tools, and countermeasures. The security challenges faced by
operations on data blocks such as: update, delete and append cloud used and providers have been first highlighted. Then,
without data corruption and loss. Moreover, it is efficient the paper has covered the attacks that can be conducted
against data modification and server colluding attacks as well against cloud-based services. Finally, the countermeasures
as Byzantine failures. Malicious server location is possible that are typically used to thwart the aforementioned attacks
using the tokens generated through homomorphic cryptosys- have been discussed. In spite of the abundance of standards
tems. However, granularity is the most important weakness of and products dealing with the protection of cloud computing
data isolation systems since the existing approaches are not systems, many aspects are still being investigated.
efficient when the size of the data subject to attacks is small.
 1) Homomorphic encryption for cloud architectures: Be- [2] V. Winkler, “Securing the Cloud Cloud Computer: Security Techniques
cause the execution of programs is distributed by nature and Tactics,” Elsevier Inc., ISBN: 978-1-59749-592-9, 2011.
in cloud computing, users cannot be certain where [3] P. Mell, T. Grance, “The NIST Definition of Cloud Computing,”
NIST Special Publication 800-145, September 2011 (available at
their input and output data is managed. This raises http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf).
confidentiality and privacy issues that are not fully [4] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz et al., “A View
solved by existing security solutions. An alternative that of Cloud Computing,” Communications of the ACM. Association for
Computing Machinery, vol. 53, no. 4, 2010. p. 5058.
has been introduced in [18] consists in operating on [5] B. Sosinky, “Cloud Computing Bible,” Wiley, ISBN: 0470903562, 2011.
encrypted functions and encrypted data. This allows [6] Zixia Huang, Chao Mei, Li Erran Li, Thomas Woo, “CloudStream:
addressing the crucial problem of delivering a program delivering high-quality streaming videos through a cloud-based SVC
proxy,” IEEE Infocom, USA, April, 2011.
that can be executed by a third-party without revealing [7] Cindy M. Robertson, Blair MacIntyre, Bruce Walker. “An Evaluation
confidential data. The use of homomorphic encryption of Graphical Context as a Means for Ameliorating the Effects of
have also been assessed in other contexts where the Registration Error,” IEEE Transactions on Visualization and Computer
Graphics, 2009, 15(2), pp.179-192.
confidential information is split into multiple pieces that [8] Y. Chen, Z. Du, M. Garcia-Acosta, “Robot as a Service in Cloud Com-
are processed independently by multiple entities [19]. puting,” Proceedings of the 2010 Fifth IEEE International Symposium
Due to its promising performances and usage scenarios, on Service Oriented System Engineering, USA, 2010.
[9] S. Subashini, V. Kavitha, “A survey on security issues in service
homomorphic encryption has been cited in the MIT delivery models of cloud computing,” Journal of Network and
technology review [20]. Computer Applications, Vol. 34(1), pp 111, Academic Press Ltd., UK,
2) Protection of cloud-based multimedia streaming: Users 2011, ISSN: 1084-8045.
[10] Computer Security Institute, “Computer Crime and Security Survey,”
are eager to enjoy the convenience and advantages that 2010/2011.
networks have provided. Meanwhile, a wide proportion [11] Cloud Security Alliance, ”Top Threats to Cloud Computing,” 2010.
of the terminals that are being used to download and [12] Radware, ”Global Application and Network Security Report,” 2011.
[13] T-H. Cheng, Y-D. Lin, Y-C. Lai, P-C. Lin, “Evasion Techniques:
pro- cess multimedia streams are short on both the Sneaking through Your Intrusion Detection/Prevention Systems,” IEEE
energy and computing resources necessary for the Communications Surveys and Tutorials, Issue 99, pp. 1-10, 2011.
implementation of complex multimedia [14] C. Wang, Q. Wang, K. Ren, W. Lou, “Ensuring Data Storage Security
in Cloud Computing,” 17th International workshop on Quality of
coding/decoding schemes. Cloud providers may deploy Service, USA, 2009.
multimedia streaming services to support the provision [15] Q. Liu, G. Wang, J. Wu, “Efficient Sharing of Secure Cloud Storage
of monitoring, surveillance, virtual reality, and gaming Services,” International Conference on Computer and Information Tech-
nology, GB, 2010.
applications on mobile platforms. New compression [16] S Pal, S. Khatua, N. Chaki, S. Sanyal, “A New Trusted and
techniques have been recently pro- posed to exploit the Collaborative Agent Based Approach for Ensuring Cloud Security,”
abundant resources available in cloud environments in Annals of Faculty Engineering Hunedoara International Journal of
Engineering, Vol. 10, Issue 1, January 2012.
order to allow the implementa- tion of advanced [17] J. Karlin, S. Forrest, J. Rexford, “Autonomous Security for Autonomous
multimedia processing functionalities on resource- Systems,” Proc. of Complex Computer and Communication Networks,
impoverished mobile and hand-held termi- nals (e.g., Vol. 52, Issue. 15, pp. 2908- 2923, Elsevier, NY, USA, 2008.
[18] M. Brenner, J. Wiebelitz, G. von Voigt, M. Smith, “Secret program
iPads, smartphones) [21]. Cloud-based secure execution in the cloud applying homomorphic encryption ,” Digital
multimedia coding/decoding algorithms and protocols Ecosystems and Technologies Conference, Korea, 2011.
should focus on the study of: (a) the ability of mobile [19] M. Gomathisankaran, A. Tyag, K. Namuduri, “HORNS: A
homomorphic encryption scheme for Cloud Computing using Residue
terminals to delegate the execution of computing inten- Number System
sive decoding algorithms to the cloud infrastructure, (b) ,” 45th Annual Conference on Information Sciences and Systems, USA,
the quality of service versus security balance, (c) the 2011.
[20] Technology review, Top 10 Emerging Technologies,
impact analysis of terminal mobility on cloud streaming, Massachusetts Institute of Technology. (Available at
and (d) the cost-effectiveness of the proposed http://www.technologyreview.com/tr10/).
algorithms and protocols. Progressive multimedia [21] http://desktop.onlive.com/
[22] M. Hamdi, N. Boudriga, “Chaotic progressive access control for
cryptography [22] will be a solid alternative to achieve JPEG2000 images repositories”, IEEE Globecom 2008, Computer and
these objectives. Information Network Security Symposium, New Orleans, LA, USA,
3) Digital investigation in cloud computing: Cloud com- Nov. 30-Dec. 4, 2008.
[23] S. Zimmerman, D. Glavach, “Cyber Forensics in the Cloud,” IA
puting systems rely on complex overlaying mechanisms Newsletter, Volume 14 Number 1, 2011.
that allow the implementation of flask [24] K. Ruan, J. Carthy, T. Kechadi, M. Crosbie, “Cloud forensics: An
hardware/software architectures. This elasticity poses a overview,” 7th IFIP International Conference on Digital Forensics,
USA, 2011.
challenge to the forensics investigator due to the high
volatility of re- sources such as disk space and
memory. Moreover, the distribution of the cloud
infrastructure hardens the respect of agreements
between users and providers since multiple legislations
and regulations should be referred to [23], [24]. Cloud
forensics will be among the topics that will be
consistently addressed by researchers in the near future.

REFERENCES
[1] “Security of Cloud Computing Providers Study,” Ponemon Institute,
2011.
View publication stats