Your SlideShare is downloading. ×
  • Like


Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Cloud computing security issues and challenges


In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly …

In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. This paper discusses security issues, requirements and challenges that cloud service providers (CSP) face during cloud engineering. Recommended security standards and management models to address these are suggested for technical and business community.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Cloud computing security issues and challenges Krešimir Popović, Željko Hocenski Institute of Automation and Process Computing Faculty of Electrical Engineering Osijek Kneza Trpimira 2b, Osijek, 31000, Croatia Phone: (+385) (0)31-234 810 Fax: (+385) (0)31 224 605 E-mail:popovic@etfos.hrAbstract - In the last few years, cloud computing has grown provider must ensure that customers can continue to havefrom being a promising business concept to one of the fastest the same security and privacy controls over theirgrowing segments of the IT industry. Now, recession-hit applications and services, provide evidence to thesecompanies are increasingly realizing that simply by tapping customers that their organization and customers are secureinto the cloud they can gain fast access to best-of-breed and they can meet their service-level agreements, and showbusiness applications or drastically boost their how can they prove compliance to their auditors.infrastructure resources, all at negligible cost. But as moreand more information on individuals and companies isplaced in the cloud, concerns are beginning to grow aboutjust how safe an environment it is. This paper discussessecurity issues, requirements and challenges that cloudservice providers (CS P) face during cloud engineering.Recommended security standards and management modelsto address these are suggested for technical and businesscommunity. I. INTRODUCTION Cloud service providers (CSP) (e.g. Microsoft, Google, Fig. 1. Results of IDC ranking security challenges (3Q2009,Amazon,, GoGrid) are leveraging n=263)virtualization technologies combined with self-servicecapabilities for computing resources via the Internet. In Regardless of how the cloud evolves, it needs some formthese service provider environments, virtual machines from of standardization (e.g. Information Technologymultiple organizations have to be co-located on the same Infrastructure Library -ITIL, ISO/IEC 27001/27002, Openphysical server in order to maximize the efficiencies of Virtualization Format (OVF) [2][3][4]) so that the market canvirtualization. Cloud service providers must learn from the evolve and thrive. Standards should allow clouds tomanaged service provider (MSP) model and ensure that interoperate and communicate with each other no mattertheir customers’ applications and data are secure if they which vendor provides cloud services.hope to retain their customer base and competitiveness. This professional paper discusses security and privacyToday, enterprises are looking toward cloud computing issues as challenges, and recommends control objectiveshorizons to expand their on-premises infrastructure, but to technical and business community. It also highlymost cannot afford the risk of compromising the security of recommends OVF standard as vendor and platformtheir applications and data. independent, open, secure, portable, efficient and International Data Corporation (IDC) conducted a extensible format for the packaging and distribution ofsurvey [1] (see Fig.1.) of 263 IT executives and their line-of- software to be run in virtual machines (software stack thatbusiness colleagues to gauge their opinions and incorporates the target applications, libraries, services,understand their companies’ use of IT cloud services. configuration, relevant data, and operating system).Security ranked first as the greatest challenge or issue ofcloud computing. Corporations and individuals are concerned about how II. SECURITY IN THE CLOUDsecurity and compliance integrity can be maintained in thisnew environment. Even more concerning, though, is the A. Security issues and challengescorporations that are jumping to cloud computing whilebeing oblivious to the implications of putting criticalapplications and data in the cloud. Moving critical Heightened security threats must be overcome in orderapplications and sensitive data to a public and shared to benefit fully from this new computing paradigm. Somecloud environment is a major concern for corporations that security concerns are listed and discussed below:are moving beyond their data center’s network perimeterdefense. To alleviate these concerns, a cloud solution
  • 2. 1) Security concern #1: With the cloud model control can make a request to stop processing it. If a dataphysical security is lost because of sharing computing subject exercises this right to ask the organizationresources with other companies . No knowledge or control to delete his data, will it be possible to ensure thatof where the resources run. all of his information has been deleted in the2) Security concern #2: Company has violated the law cloud?(risk of data seizure by (foreign) government). - Compliance: What are the applicable laws,3) Security concern #3: Storage services provided by one regulations, standards, and contractualcloud vendor may be incompatible with another vendor’s commitments that govern this information, andservices if user decides to move from one to the other (e.g. who is responsible for maintaining theMicrosoft cloud is incompatible with Google cloud). [5] compliance? Clouds can cross multiple4) Security concern #4: Who controls the jurisdictions in multiple states.encryption/decryption keys? Logically it should be the - Storage: Where is the data in the cloud stored?customer. Was it transferred to another data center in5) Security concern #5: Ensuring the integrity of the data another country? Privacy laws in various(transfer, storage, and retrieval) really means that it countries place limitations on the ability ofchanges only in response to authorized transactions. A organizations to transfer some types of personalcommon standard to ensure data integrity does not yet information to other countries.exist. - Retention: How long is personal information (that6) Security concern #6: In case of Payment Card Industry is transferred to the cloud) retained? WhoData Security Standard (PCI DSS) data logs must be enforces the retention policy in the cloud, andprovided to security managers and regulators . [6][7][8] how are exceptions to this policy (such as litigation holds) managed?7) Security concern #7: Users must keep up to date withapplication improvements to be sure they are protected. - Destruction: How can we know that the cloud service provider (CSP) didn’t retain additional8) Security concern #8: Some government regulations copies? Did the CSP really destroy the data, orhave strict limits on what data about its citizens can be just make it inaccessible to the organization? Isstored and for how long, and some banking regulators the CSP keeping the information longer thanrequire that customer’s financial data remain in their home necessary so that it can mine the data for its owncountry. use?9) Security concern #9: The dynamic and fluid nature of - Audit and monitoring: How can organizationsvirtual machines will make it difficult to maintain the monitor their CSP and provide assurance toconsistency of security and ensure the auditability of relevant stakeholders that privacy requirementsrecords. are met when their PII is in the cloud?10) Security concern #10: Customers may be able to sue - Privacy breaches: How can we ensure that thecloud service providers if their privacy rights are violated, cloud service provider (CSP) notifies us when aand in any case the cloud service providers may face breach occurs, and who is responsible fordamage to their reputation. Concerns arise when it is not managing the breach notification process (andclear to individuals why their personal information is costs associated with the process)? If contractsrequested or how it will be used or passed on to other include liability for breaches resulting fromparties. negligence of the CSP, how is the contract enforced and how is it determined who is at fault?Privacy sensitive information: [9] - Personally identifiable information (PII [10]): any B. Security management standards information that could be used to identify or locate an individual (e.g. state, name, address) or Standards that are relevant to security management information that can be correlated with other practices in the cloud are Information Technology information to indentify an individual (e.g. credit Infrastructure Library (ITIL), ISO/IEC 27001/27002 and card number, Internet protocol (IP) address). Open Virtualization Format (OVF). - Information on religion, race, health, union membership, sexual orientation, job performance, financial information, biometric information or any 1) Information Technology Infrastructure Library (ITIL): it other information that may be considered is set of best practices and guidelines that define an sensitive. integrated, process-based approach for managing information technology services. ITIL can be applied - Data collected from computer devices (e.g. across almost every type of IT environment including notebook, smartphone, iPad). cloud operating environment. ITIL seeks to ensure that - Information uniquely traceable to a user device effective information security measures are taken at (e.g. IP address, Radio Frequency Identity (RFID) strategic, tactical, and operational levels. Information MAC address). security is considered an iterative process that must be controlled, planned, implemented, evaluated, andAdditional considerations to be aware of: maintained. - Access: Data subjects have a right to know what personal information is held and, in some cases,
  • 3. ITIL provides a systematic and professional approach to - “How do I ensure that the current security levelsthe management of IT service provision. Adopting its are appropriate for your needs? “guidance offers users a huge range of benefits that include: - “How do I apply a security baseline throughout your operation? “ - Reduced costs Simply to say, they help to respond to the question: - Improved IT services through the use of proven “how do I ensure that my services are secure?” best practice processes - Improved customer satisfaction through a more professional approach to service delivery 3) Open Virtualization Format: OVF enables efficient, - Standards and guidance flexible, and secure distribution of enterprise software, - Improved productivity facilitating the mobility of virtual machines and giving - Improved use of skills and experience customers vendor and platform independence. Customers - Improved delivery of third party services through can deploy an OVF formatted virtual machine on the the specification of ITIL or ISO 20000 as the virtualization platform of their choice. standard for service delivery in services With OVF, customers’ experience with virtualization is procurements greatly enhanced, with more portability, platform - ITIL helps you separate administrative tasks and independence, verification, signing, versioning, and technical tasks so that you assign the most licensing terms. OVF lets you: appropriate resources - better measure technical support performance - Improve your user experience with streamlined The ITIL-process Security Management describes the installationsstructured fitting of information security in the management - Offer customers virtualization platformorganization. It is based on the code of practice for independence and flexibilityinformation security management now known as ISO/IEC - Create complex pre-configured multi-tiered27002. services more easily - Efficiently deliver enterprise software throughITIL breaks information security down into: portable virtual machines - Policies: The overall objectives an organization is - Offer platform-specific enhancements and easier attempting to achieve adoption of advances in virtualization through - Processes: What has to happen to achieve the extensibility objectives The rising investments to virtual appliances (IBM, - Procedures: Who does what and when to achieve Microsoft, Hewlett-Packard, Dell, VMware, and XenSource) the objectives: not only simplify the deployment of applications for - Work instructions: Instructions for taking specific individual users but also power next-generation cloud actions computing architectures. Rather than the considerable time required to build a specialized distribution with A basic goal of security management is to ensure applications, most cloud computing infrastructures provideadequate information security. The primary goal of ready-to-deploy virtual appliances to satisfy any need.information security, in turn, is to protect information And because a virtual appliance is simply a file with aassets against risks, and thus to maintain their value to the wrapper (the XML description), its easy to replicate andorganization. This is commonly expressed in terms of distribute such appliances with all security and privacyensuring their confidentiality, integrity and availability, configurations.along with related properties or goals such as authenticity, In the future, clouds that are enabled by aaccountability, non-repudiation and reliability. virtualization layer will provide new go-to-market opportunities, and software appliances (software productsNote: Organizations and management systems cannot be that integrate operating system and layered software intocertified as “ITIL-compliant.” Only practioners can be an easily managed composite package that can becertified. deployed aboard industry-standard client or server hardware, either on a virtual machine or directly on the2) International Organization for Standardization (ISO) hardware) will help simplify this transition. Cloud27001/27002: ISO/IEC 27001 formally defines the computing, in conjunction with software appliances, willmandatory requirements for an Information Security also create new business models that will allow companiesManagement System (ISMS). It is also a certification to sell a single product on premises, on demand, or in astandard and uses ISO/IEC 27002 to indicate suitable hybrid deployment model. While both of theseinformation security controls within the ISMS. technologies remain relatively immature, it is necessary to start understanding the new dynamics that will start to emerge to sell software and hardware to end users. Essentially, the ITIL, ISO/IEC 20000, and ISO/IEC Note: Software appliances market should exceed27001/27002 frameworks help IT organizations internalize revenue of $360.9 million by the end of 2010, $1,184.4 billionand respond to basic questions such as: by the end of 2012. [11]
  • 4. C. Security management models acquired and swallowed up by a larger company. But you must be sure your data will remain This section describes twenty recommended security available even after such an event. Ask potentialmanagement models and their requirements for cloud providers how you would get your data back andcomputing that cloud service providers should definitely if it would be in a format that you could importconsider as they develop or refine their compliance into a replacement application.programs. To address the security issues listed above, SaaS providers will need to incorporate and enhance security1) Software-as-a-Service (SaaS) security: SaaS is the practices used by the managed service providers anddominant cloud service model for the foreseeable future develop new ones as the cloud computing environmentand the area where the most critical need for security evolves.practices and oversight will reside. Just as with a managedservice provider, corporations or end users will need to 2) Security management (People): One of the mostresearch vendors’ policies on data security before using important actions for a security team is to develop a formalvendor services to avoid losing or not being able to access charter for the security organization and program. Thetheir data. The technology analyst and consulting firm charter should be aligned with the strategic plan of theGartner lists [12] seven security risks which one should organization or company the security team works for. Lackdiscuss with a cloud-computing vendor: of clearly defined roles and responsibilities, and agreement on expectations, can result in a general feeling of loss and confusion among the security team about what is expected - Privileged user access: Get as much information of them, how their skills and experienced can be leveraged, as you can about the people who manage your and meeting their performance goals. data. Ask providers to supply specific information 3) Security governance: A security steering committee on the hiring and oversight of privileged should be developed whose objective is to focus on administrators, and the controls over their access . providing guidance about security initiatives and alignment - Regulatory compliance: Make sure that the with business and IT strategies. This committee must vendor is willing to undergo external audits and/or clearly define the roles and responsibilities of the security security certifications. team and other groups involved in performing information - Data location: When you use the cloud, you security functions. probably wont know exactly where your data is 4) Risk management: Risk management entails hosted. In fact, you might not even know what identification of technology assets [13]; identification of country it will be stored in. Ask providers if they data and its links to business processes, applications, and will commit to storing and processing data in data stores; and assignment of ownership and custodial specific jurisdictions, and whether they will make a responsibilities. Actions should also include maintaining a contractual commitment to obey local privacy repository of information assets. Owners have authority requirements on behalf of their customers. and accountability for information assets including - Data segregation: Make sure that encryption is protection requirements, and custodians implement available at all stages, and that these encryption confidentiality, integrity, availability, and privacy controls. schemes were designed and tested by experienced 5) Risk assessment: Security risk assessment is critical to professionals. helping the information security organization make - Recovery: Even if you dont know where your data informed decisions when balancing the dueling priorities of is, a cloud provider should tell you what will business utility and protection of assets [14][15]. A formal happen to your data and service in case of a information security risk management process should disaster. Any offering that does not replicate the proactively assess information security risks as well as plan data and application infrastructure across multiple and manage them on a periodic or as -needed basis. More sites is vulnerable to a total failure. Ask your detailed and technical security risk assessments in the form provider if it has "the ability to do a complete of threat modeling should also be applied to applications restoration, and how long it will take." and infrastructure. - Investigative support: Investigating inappropriate 6) Security awareness: People are the weakest link for or illegal activity may be impossible in cloud security. Knowledge and culture are among the few computing. Cloud services are especially difficult effective tools to manage risks related to people. Not to investigate, because logging and data for providing proper awareness and training to the people who multiple customers may be co-located and may may need them can expose the company to a variety of also be spread across an ever-changing set of security risks for which people, rather than system or hosts and data centers. If you cannot get a application vulnerabilities, are the threats and points of contractual commitment to support specific forms entry. Social engineering attacks, lower reporting of and of investigation, along with evidence that the slower responses to potential security incidents, and vendor has already successfully supported such inadvertent customer data leaks are all possible and activities, then only safe assumption is that probable risks that may be triggered by lack of an effective investigation and discovery requests will be security awareness program. impossible. 7) Education and training: Programs should be developed - Long-term viability: Ideally, your cloud that provide a baseline for providing fundamental security computing provider will never go broke or get and risk management skills and knowledge to the security
  • 5. team and their internal partners. This entails a formal machines for migration to a cloud environment whenprocess to assess and align skill sets to the needs of the team and to provide adequate training and 16) Identity Access Management (IAM): identity andmentorship-providing a broad base of fundamental access management is a critical function for everysecurity, inclusive of data privacy, and risk management organization, and a fundamental expectation of SaaSknowledge. customers is that the “principle of least privilege” is8) Policies and standards: Many resources and templates granted to their data. The principle of least privilege statesare available to aid in the development of information that only the minimum access necessary to perform ansecurity policies and standards. A cloud computing operation should be granted, and that access should besecurity team should first identify the information security granted only for the minimum amount of time necessary.and business requirements unique to cloud computing, 17) Change management: The security team can createSaaS, and collaborative software application security . security guidelines for standards and minor changes, toPolicies should be developed, documented, and provide self-service capabilities for these changes and toimplemented, along with documentation for supporting prioritize the security team’s time and resources on morestandards and guidelines. To maintain relevancy, these complex and important changes to production.policies, standards, and guidelines should be reviewed at 18) Physical security: Since customers lose control overregular intervals or when significant changes occur in the physical assets, security model may need to bebusiness or IT environment. reevaluated. The concept of the cloud can be misleading at9) Third party risk management: Lack of a third-party risk times, and people forget that everything is somewheremanagement program may result in damage to the actually tied to a physical location. The massive investmentprovider’s reputation, revenue losses, and legal actions required to build the level of security required for physicalshould the provider be found not to have performed due data centers is the prime reason that companies don’t builddiligence on its third-party vendors. their own data centers, and one of several reasons why10) Vulnerability assessment: Classifies network assets to they are moving to cloud services in the first place. Somemore efficiently prioritize vulnerability-mitigation programs, samples of controls mechanisms:such as patching and system upgrading.11) Security image testing: Virtualization-based cloud - 24/7/365 onsite security.computing provides the ability to create “Test image” VM - Biometric hand geometry builds and to clone multiple copies. Gold image VMsalso provide the ability to keep security up to date and - Security cameras should monitor activityreduce exposure by patching offline. Offline VMs can be throughout the facility.patched off-network, providing an easier, more cost- - Heat, temperature, air flow, and humidity shouldeffective, and less production-threatening way to test the all be kept within optimum ranges for the computerimpact of security changes. equipment.12) Data governance: This framework should describe - Policies, processes, and procedures are criticalwho can take what actions with what information, and elements of successful physical security that canwhen, under what circumstances, and using what methods. protect the equipment and data housed in the13) Data security: Security will need to move to the data hosting center.level so that enterprises can be sure their data is protectedwherever it goes. For example, with data-level security, the 19) Disaster recovery: In the SaaS environment, customersenterprise can specify that this data is not allowed to go rely heavily on 24/7/365 access to their services and anyoutside of the European Union. It can also force encryption interruption in access can be catastrophic. Using theof certain types of data, and permit only specified users to virtualization software virtual server can be copied, backedaccess the data. It can provide compliance with the up, and moved just like a file (live migration). Benefits are:Payment Card Industry Data Security Standard (PCI DSS).14) Application security: This is where the security - Quickly reallocating computing resources withoutfeatures and requirements are defined and application any downtimesecurity test results are reviewed. Application security - Ability to deliver on service-level agreements andprocesses, secure coding guidelines, training, and testing provide high-quality servicescripts and tools are typically a collaborative effo rtbetween the security and the development teams.Although product engineering will likely focus on the 20) Data privacy: A privacy steering committee shouldapplication layer, the security design of the application also be created to help make decisions related to dataitself, and the infrastructure layers interacting with the privacy. The security compliance team, if one even exists,application, the security team should provide the security will not have formalized training on data privacy . Therequirements for the product development engineers to answer is to hire a consultant in this area, hire a privacyimplement. expert, or have one of your existing team members trained15) Virtual machine security: In the cloud environment, properly. This will ensure that your organization isphysical servers are consolidated to multiple virtual prepared to meet the data privacy demands of its customersmachine instances on virtualized servers. Not only can data and security teams replicate typical security controls forthe data center at large to secure the virtual machines, theycan also advise their customers on how to prepare these
  • 6. III. CONCLUSION [6] We have argued that it is very important to take security [7] privacy into account when designing and using cloud Security_Standard, 24 January 2010services. In this paper security in cloud computing waselaborated in a way that covers security issues and [8] J. Salmon, “Clouded in uncertainty – the legal pitfalls ofchallenges, security standards and security management cloud computing”, Computing, 24 Sept 2008,models. - Security issues indicate potential problems which ouded-uncertainty-4229153 might arise. - Security standards offer some kind of security [9] S. Pearson, “Taking Account of Privacy when Designing templates which cloud service providers (CSP) Cloud Computing Services”, CLOUD’09, M ay 23, 2009, could obey. The most promising standard for the Vancouver, Canada future would be OVF format which promises creation of new business models that will allow [10] Wikipedia, 20 January 2010, companies to sell a single product on premises, on demand, or in a hybrid deployment model. ion - Security management models offer recommendations based on security standards [11] International Data Corporation, B. Waldman, A. Gillen and best practices. [16] ment.2009-07-28.4081031793/IDC- These are all very important topics which will be The%20M arket%20for%20Software%20Appliances_en.pdfcertainly discussed in the upcoming years of cloud , July 2009computing. Based on IDC survey [17] the security andvulnerability market should exceed revenue of $4.4 billion [12] Gartner: Seven cloud-computing security risks, 02 Julyby the end of 2013, with a climbing annual growth rate 2008, -central/gartner-resulting in a compound annual growth rate (CAGR) of seven-cloud-computing-security-risks-853?page=0,010.8%. This survey shows that products that fall within thesecurity and vulnerability management market will remain in [13] Wikipedia, 6 February 2010,high demand. REFERENCES [14] Wikipedia, 27 January 2010,[1] International Data Corporation, content/uploads/2009/12/idc_cloud_challenges_2009.jpg, [15] D. Catteddu, Giles Hogben: European Network and 2009 Information Security Agency, November 2009,[2] Information Technology Infrastructure Library, computing-risk-assessment [16] Cloud Security Alliance, Security Guidance for Critical[3] International Organization for Standardization, Areas of Focus in Cloud Computing V2.1,, December 2009[4] Distributed Management Task Force, [17] International Data Corporation, Worldwide Security and Vulnerability M anagement 2009–2013 Forecast and 2008 017_1.0.0.pdf, 22.02.2009 Vendor Shares, A_2009.p[5] M . Casassa-M ont, S. Pearson and P. Bramhall, “Towards df Accountable M anagement of Identity and Privacy: Sticky Policies and Enforceable Tracing Services”, Proc. DEXA 2003, IEEE Computer Society, 2003, pp. 377-382