Cloud Computing has emerged as the premier infrastructure for creating affordable, scalable and reliable IT solutions for companies of all sizes. However, as with all new technologies, Cloud Computing poses many demanding security considerations, and each must be addressed to ensure the confidentiality, integrity, availability, authenticity, and privacy of a developer’s product.
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Cloud Computing Security Challenges and Best Practices
1. 1 | P a g e
Cloud Computing: Infrastructure As A Service -
The Dual-Edged Sword of New Technology
By Mekhi D., Tyler L., William M.
Abstract:
Cloud Computing has emerged as the premier
infrastructure for creating affordable, scalable and
reliable IT solutions for companies of all sizes.
However, as with all new technologies, Cloud
Computing poses many demanding security
considerations, and each must be addressed to
ensure the confidentiality, integrity, availability,
authenticity, and privacy of a developer’s product.
This paper will focus on Infrastructure as a
service (IaaS), a subset of cloud computing that
provides virtualized computing resources over the
internet. An IaaS provider is responsible for
hosting infrastructure components such as servers,
storage space, and networking hardware to
alleviate the cost burden from their consumers of
having to maintain such facilities on-site.
Companies such as Amazon, Google, Microsoft and
Digital Ocean have created an industry worth
billions of dollars to provide this very service to
businesses of all sizes. For example, Lyft, the
second biggest ridesharing company in the world,
relies on Amazon’s IaaS, complemented by
Amazon’s SaaS, to run much of their external
consumer network. Lyft has credited much of the
success of their product to the demand-based
elastic server and resource allocation features
provided by Amazon Web Services.[13]
This paper will breakdown the security
challenges of IaaS usage and implementation into
physical infrastructure security considerations, the
necessary secure programming principles, and
cryptographic techniques for securing data, and
make recommendations for best practices when
moving to an IaaS solution.
Keywords— Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), Amazon Web Services
(AWS), Virtual Personal Network (VPN),
Cryptography, Digital Certificate, Hardware Security
Module, PKI, Encryption,
I. INTRODUCTION
Infrastructure as a Service (IaaS) as a concept came
into fruition in the 1990’s alongside the usage of VPNs
by telecommunication companies. These companies
realized that they were able to switch from physical
point-to-point connections to VPN-enabled connections
with comparable quality of services, with a lowered
cost for both the consumer and the organization. VPNs
also gave organizations better control over sever
processing usage by allowing them to dynamically
allocate network traffic in response to demand. Over
time, as the technology matured, businesses extended
the boundaries of cloud computing to cover all servers
and most network infrastructure functions, and thus
IaaS was born[6].
“In terms of business, cloud computing is
becoming more and more important” [7]. In the last ten
years, with the creation of companies such as Amazon
Web Services, the IT industry has become dominated
by the usage of IaaS to provide the services
traditionally accomplished by hosting costly on-site
hardware installations. As Anand states, “the
advantages of cloud services for the customers include
lowering the costs for managing huge resources, as
now the companies need not manage the resources
which are managed by the CSPs such as Google,
Amazon, Microsoft etc. Moreover, the computer
resources may be used on demand basis such as on
pay-per-use basis by the customers”[4].
Though IaaS products are cost-effective and low
maintenance when provisioned correctly, consumers
are realizing that this freedom from a rigid cost
structure comes with a loss of security in three ways:
Users will lose their physical control over the
data once they outsource their data to cloud
servers, and the integrity of data may be
violated without user awareness [5].
Cloud server providers may behave unfaithfully
toward the data owners [5].
Even if the cloud server is honest, there still
exists the possibilities of cloud server failure
and management errors or adversary attacks,
which can lead to the corruption of stored data
[5].
2. 2 | P a g e
The next section will address the secure
programming principles and techniques necessary, and
commonly used, to address the common vulnerabilities
found within an organization’s usage and
implementation of an IaaS-modeled system.
II. SECURING THE PHYSICAL INFRASTRUCTURE
A. Availability and Natural Diasasters
One of the defining characteristics of an IaaS
model is guaranteeing high availably, in that if the
services are configured properly, the end users will not
have downtime because of hardware or service
limitations from the IaaS provider. Part of the allure of
using an IaaS provider is that provisioning a facility
with the necessary infrastructure to support high
availably is extremely costly, given that “to ensure the
facilities maintain uptime should they come under
attack from natural sources or otherwise, physical
security is not only limited to the outside of the
building. Data centres need utilities to be resilient and
redundant so if one system fails, there is a backup.
These include water, power, telephone lines and air
filtration systems to ensure security systems, heating,
ventilation and air conditioning continue to operate in
case of an area-wide power outage” [1].
Natural disasters and terrorist threats are of chief
concern when planning the design of data center
facilities, and to allay these concerns cloud data
centers must be built to withstand hurricanes,
earthquakes, terrorist attacks, loss of power and other
disasters. Certifications and compliance exist to certify
preparedness for these types of threats, such as Uptime
Institute Tier III and ISO27001, which both use
independent auditors to determine if a facility can
withstand extreme weather/threats and still offer high
availability, as well as have full redundancy in the
physical implementation of the hardware systems.
B. Controlling and Monitoring Access
Part of data security in an IaaS cloud data center
relies on controlling how the facility is accessed.
Keeping people out who are not supposed to have
access to hardware containing private data is a
fundamental component of defending against social
engineering and terrorist attacks. There are seven
broad categories that are implemented [1]:
Fencing or a physical barrier a minimum of
three meters in height.
Trembler wire on top of the fencing with a
zoned alarm system for identifying breaches
Surveillance cameras on all entrances, exits and
possible access points
Security team with on-site personal 24/7
Strict control of where vehicles can park for
building access
Photo authentication and access control with
different levels for appropriate areas of the
facility.
Biometrics for monitoring the amount of
people in a given area of the facility.
Physical security is just the starting point for
security in the cloud, secure programming techniques
also play an equal part in keeping information safe in a
cloud computing facility.
III. SECURE PROGRAMMING PRINCIPLES AND
TECHNIQUES
A. Choosing the Right IaaS Provider
True security starts from the foundation up,
the security of an organization’s program will only
be as secure as the infrastructure in which the
program will be run/executed. As such, one of the
most important and time-consuming parts of the
implementation of an IaaS service is choosing the
right provider who best meets your business needs,
currently and in the future. When organizations are
considering the outsourcing of internal technologies
through IaaS, they must understand the different
features that each IasS provider has to offer, and
how each tooling set will interact with the current
system the organization has in place. Only then can
an informed decision be made to determine which
service provider can provide the most applicable
categorized gains to all organizational stakeholders.
The following is an overview of some of the
considerations that must be taken when developing
a secure IaaS pipeline:
Type of Cloud Service Required: There are
various types of cloud services.. The chart
below will provide more detail on the types and
how they can be used. The various types are
designed to be specific to an organization’s
needs.
3. 3 | P a g e
Table 1 [14]: Comparison of Cloud
Computing Service Models
Model Scope Managed By Security
Level
Public
Model
General
Public and
Industries
Cloud
Service
Providers
Low
Private
Model
Single
Organization
Single
Organization
High
Community
Mode
Organizations
having
similar
policies and
same security
concerns
Many
organizations
and IaaS
providers
High
Hybrid
Model
Public and
organization
Public and
organization
Medium
Security Redundancy: An IaaS must have
multi layers of security, such as Input Data
Validation tools. Without these layers of
security, an organization not only risk the
security of their application, but will not be
able to effectively protect the sensitive
information that must be transmitted through
the third-party IaaS network.
Providers who cater to business size/ Flexible
capacity: Many of the industry leaders in IaaS
chose to specialize their service to a desired
client business size. When considering IaaS
providers, one must look at providers that are
able to provide a level of service a given
business requires and determine if the IaaS
provider will be able to grow as the business
needs increase. [13]
Integration/ Interoperability: An IaaS provider
should be assessed on the ability of the IaaS to
smoothly integrate with existing software.
When systems are not compatible, it can lead to
security flaws due to missing features in the
new host system. Fixing this issue requires
expensive refactoring of the existing products,
but refactoring has its own set of problems and
bugs that can crop up even after the products
are in production in the new environment.[12]
Usability: Usability is defined as the ease of
use and learnability of a platform which is very
important for modern-day companies. One
must determine if a company’s existing staff
will be able to smoothly operate the new
network infrastructure with limited business
disruption before switching to an IaaS based
solution.
Provider’s offering of Cloud Management
Tools: In addition to the IaaS product suite,
some IaaS providers will provision their
consumers with cloud management tools.
These tools allow organizations optimize their
service and gain insight on their own processes
through analytical tooling and services
provided by the IaaS providers.[12]
Providers with Disaster Recovery Solutions:
Companies will never know when they’re
about to be the target of malicious breach,
especially when most network traffic may run
through the third-party’s IaaS product. Even
though cyber-attacks cannot be fully prevented,
Disaster Recovery Solutions are a valuable
resource in the effort to minimize the business
disruption of such an attack.[12]
The bullet points above illustrate a process that
is unique to every organization and must be
adapted around the business needs of a given
industry. IaaS providers can also be evaluated on
the Security-by-Design principles to gain a firm
understanding on what are the necessary
foundational security features that must be
exhibited in any potential IaaS provider. [13]
B. Security-By-Design
Security-by-Design is defined as an approach to
security that has been molded as a foundational
platform for any developer/organization to formalize
infrastructure design and automate security controls so
that one can build security into every part of an
infrastructure. Because of this formalization of
principles, there are common rules that can be applied
to emerging technologies, in this case adapted for IaaS
technology[14]:
Principle of Least Privilege: IaaS Providers and
consumers must focus on having solid tooling and
procedures for monitoring and controlling access
control. The most effective method of
accomplishing this goal is to follow the principle
of least privilege. The principle requires that only
the necessary permissions are granted to users, to
prevent privilege creep. The principle also
addresses credential sharing, as in order to quickly
isolate a security incident you must ensure that
4. 4 | P a g e
each member/group has their own credentials on
the system.
Layered Security: Security must be a concern
addressed throughout the infrastructure on both the
provider and consumer side of the service.
“…distributed architectures, massive resource
sharing and virtual machine (VM) instances
synchronization imply more data in transit in the
cloud, thus requiring VPN mechanisms for
protecting the system against sniffing, spoofing,
man-in-the-middle and side-channel attacks” [6].
For example, if utilizing AWS there must be well
defined and proper security control in the
following areas:
o Edge Network
o Virtual Private Cloud
o Subnet
o Load Balancer
o Every Instance
o Operating system
o Application Logic
o IAM
Each component is necessary for the creation
of a secure infrastructure.
Procedures of Incident Response &
Management: Even with the best security
measures in place, a security developer must
understand that failure is always a possibility. The
only way to plan for an inevitable moment of
failure is to have an established Incident Response
Plan in place to effectively respond to a breach.
An incident plan must be in place on both sides of
the consumer-provider relationship, and these
plans should be shared in order to ensure
efficiency when responding to a security incident.
The rule of thumb is to approach a development
project from a pessimistic view, so all the potential
flaws can be addressed before they become a
vulnerability in the product once in production.
Data Prioritization: At the end of the day, data
security is not an option when considering cloud
security principles. Data is the main target of
attack by malicious actors, and as such should be
protected at all cost, within reason. When
considering data as applied to cloud technologies,
it can be categorized as follows:
o Data in Transit: Data in transit is
classified as data transmitted between
servers within the organizational
infrastructure or between the servers and
the internet. Some of the common
methods of securing the above stated data
is the usage of proper transmission
protocols such as Transport Layer Security
(TLS) or HTTPS. Unfortunately, using
secure protocols is often not enough to
secure data in transit, as the virtual
machines that are used in cloud computing
communicate with each other over an
internal software backplane that cannot be
monitored/controlled with standard
network security controls [8].
o Data at Rest: Data at rest is classified as
data stored in storage mediums, including
block storage, databases, and object
storage. The most prevalent security best
practice is the usage of encryption to
protect this data.[8]
Security by Design was created to act as a guideline
for the development of any given security system. The
principles can be followed to ensure that security is
placed at all necessary layers of a given system, in
both the physical and virtual components.
C. Data Validation (Input/ Output)
Data Validation is defined as the process of
ensuring data has undergone “cleansing”, which
ensures that the data is correctly formatted and
relevant to the application. For IaaS providers to
ensure that data is correctly protected within the cloud
infrastructure, developers need to classify the data
accurately and monitor how and when it is accessed.
The most important and common data validation
process occurs when verifying the username and
password of a potential user on a platform. The new
wave in technology is interconnectivity, which is the
ability to access multiple databases in one application
to expediate the process of a task completion for the
end user. With the two following aspects combined,
the need for proper data validation principles has never
been so intense. To properly perform this task, data
validation processes/procedures must be maintained on
all sides of the data transaction, meaning that as the
consumer, one must have correct data validation
procedures in place as well. This ensures that if
inaccurate data manages to surpass the provider’s data
validation processes, it won’t allow the inaccurate data
to be inputted for authorization into an organization’s
system. When developing data validation procedures,
experts like to categorize the processes into input and
output related data validation. These two types will be
explained in more detail below:
5. 5 | P a g e
Input Validation: is defined as the proper testing
of an input supplied by a user or an application.
The purpose is to prevent improperly formatted
data from entering the input system (IS), which
deters malicious actors from attempting to breach
the system. Failure to perform this process can
lead to injection attacks, memory leakage, and
eventually compromised systems. The common
techniques used to accomplish input validation
include:
o Whitelisting: The process of dictating to the
IS to only pass along data if it is included in
the “whitelist” of expected data. This is the
preferred method as it is easier to predict the
allowable data input types than it is to predict
every possible unallowable data field [5].
o Blacklisting: The process of dictating to the
IS to not pass along a data item if it is
specified on the “blacklist”. This method is
generally less used due to the time-consuming
nature and inability to fully predict every
unallowable data field input.
Output Encoding: The process of transforming all
characters of an untrusted output into an
alternative representation for comparison purposes
to validate the output before continuing along the
data stream process. The purpose of which is to
convert the data into a safe format where the input
can be displayed as data to the user without the
actual execution of code within the browser.
Failure to follow output encoding procedures can
lead to cross-site scripting vulnerabilities by
allowing for the injection of client-side script
code.
Data Validation is a process that must be included
into every application, to act as a preventive measure
against a variety of malicious attacks. Preventive
measures will eventually fail, so in order to prepare for
this inevitability procedures must be in place that can
alert the appropriate staff and provide the necessary
information for the isolation and remediation of a
potential attack. This is where the principles of
security monitoring come into play.
D. Real-Time Security Monitoring
Due to the interconnectivity of modern information
systems, the approach to monitoring data has been
completely reshaped in the past two decades. Before
the age of Big Data, monitoring principles were slow-
acting reactive measures that would only alert the user
after an attack had occurred with very minimal
information being provided, providing the user with
limited courses of remediation. Now monitoring
principles have been re-tooled as fast reactive
measures that issue alerts against an ongoing attack,
accompanied with hefty amounts of information that
provide the user with multiple methods of remediation
in real-time to minimize the business disruption cause
by a breach.
IaaS provides bundle security services in their
subscription services. Typically, these services are
automated solutions responsible for the constant
supervision of virtual and physical servers to identify
any potential security threats. The correct utilization
of these procedures will create various benefits for any
organization, including the following:
Prevents loss of business due to customer
frustration by ensuring that their Personally
Identifiable Information (PII) is safe.
Used effectively, IaaS security services can
minimize the risk/ease of using the cloud for
the transferring and storage of data.
Security features allow businesses to fully
utilize the cloud without the improper
hindering of the business procedures
Establishment of a network baseline, which can
used for comparison purposes to identify any
inconsistent activity. Allowing for faster
response times to security incidents.
Collection of incident-related data to be stored
in case the type of attack wagered was
encountered again, and to provide
organizations with the necessary evidence to
proceed with legal actions, if necessary, in the
event of an attack.
Monitoring acts as the last line of defense in most
systems, and in a world where attackers don’t work on
the 9-5 time frame this system must continuous be
running to be fully effective.
IV. CRYPTOGRAPHY
Cryptography has a variety of definitions depending
on the person you ask. According to Pathan,
“Cryptography is a science that employs mathematical
logic to keep information secure and includes
techniques such as hiding information in images
(steganography), hiding information in storage, or in
transit.” [10] We can store sensitive information and
transmit information securely over insecure networks
to reduce the risk of an attacker altering or viewing
that information.
There are many different types of algorithms that
have been used for cryptographic purposes, going back
to the German Enigma machine in WWII to present
6. 6 | P a g e
day methods like AES and RSA. These algorithms
take plaintext and logically scramble the data via
encryption, which then becomes the ciphertext.
Cryptographic keys are truly random after the
algorithm is performed on the data, which is essential
to keeping this information out of the wrong hands.
Truly random keys make it nearly impossible for
attackers to access data if the algorithm is up to
today’s standards, which are decided by Cryptanalysis
professionals in concert with research and community
consensus. This standard is an evolving benchmark, as
computing power continues to increase and become
less of a factor in the time it takes for cryptographic
keys to be cracked.
Cryptography uses ciphers to encrypt and decrypt
the data. There are two major ciphers, stream cipher
and block cipher. Stream ciphers encrypt the data one
bit at a time. Block ciphers chunk the data into 64-bit
blocks and encrypt each block separately [10].
There are many functions that cryptography serves
for an organization. The main areas of security are
confidentiality, integrity, and availability.
Cryptography covers confidentiality, integrity,
authentication, and non-repudiation [10].
Confidentiality is insuring that only authorized
individuals can access confidential information
when they need to.
Integrity is the accuracy of information from the
time the message is sent to the time it is read.
Creating a hash for a message is one way to
ensure message integrity. If the hash at the
beginning is the same as the hash that the
receiver sees, then the message has not been
altered.
Authentication is the validation of identities
between all parties in communication with each
other and ensuring that they are who they say
they are.
Nonrepudiation exists so that someone cannot
deny actions in communications in effort to
make sure that everyone is liable for a message
that they send.
Cryptography has many sub-departments such as
Public Key Infrastructure (PKI), Key Management,
Secure Shell Keys (SSH), symmetric cryptography,
and asymmetric cryptography. Cryptographic
professionals working in an organization would be
responsible for making sure web servers have valid
certificates, Linux systems have valid SSH Keys, data
is encrypted in all three formats (rest, transit, use),
digital signatures are attached to messages, encryption
keys are rotated based on a validity period, and
essentially all confidential data in the organization is
safe from unauthorized access.
V. DIGITAL CERTIFICATES
Digital certificates are used to authenticate a user in
electronic transactions [10]. Certificates can be
compared to a driver’s license. They can be placed on
a web server in order to encrypt the data and function
over port 443 (Https). The other resides on the user’s
machine. This works as a handshake. The user and
server make a mutual hello to establish connection, the
server provides the certificate, the server and user
exchange cryptographic keys, user sends their
certificate, messages are sent/receives over an
encrypted channel.
The virtualized nature of IaaS solutions leads to
most organizations utilizing a Public Key
Infrastructure (PKI) setup which requires a dedicated
group to manage digital certificates and hardware
security modules to store the encryption keys [10].
PKI uses asymmetric cryptography which uses two
keys, public and private but both are mathematically
generated. The sender encrypts the data with the
receiver’s public key so that the message can only be
decrypted by the receiver with their private key. This
is compared to symmetric cryptography where only
one key is used to encrypt and decrypt data by the
sender and receiver.
Web transactions are encrypted using Secure
Sockets Layer (SSL) or Transport Layer Security
(TLS) which is more prevalent today as TLS is
considered more secure than SSL. Of course, both TLS
and SSL have many versions with the intention to
improve the current state. The most current and
approved standard for TLS in 1.2. TLS 1.3 is released
but still requires some tune ups which is why most
organizations haven’t adopted the new protocol.
Nonrepudiation and digital signatures use digital
certificates as their proof of identity. This makes sure
that the sender is who they say they are and so that they
cannot deny any messages that were sent with their
digital signature in the future.
VI. HARDWARE SECURITY MODULES (HSM)
Hardware Security Modules (HSM) are pieces of
equipment that are usually one unit in a server rack
that store items such as encryption keys. HSMs require
a pin entry device and several members of the
cryptography team to log in to the HSM for separation
of duties. Not one person should be able to login and
perform all the functions as that person would be a
superuser. Usually, one person would enter half of the
administrator password, someone else would enter the
7. 7 | P a g e
other half, one person would perform the functions and
configuration required on the HSM, and another
person would enter the pin into the device. Each action
is supervised by someone else in case of mistakes.
There are several types of HSMs depending on the
industry. There is equipment for the payment card
industry, key management, and federal requirements
and highly confidential data. Now, they can be
virtualized for easier access and less capital costs for
the organization. Basically, the end goal with an HSM
is storing sensitive data in a way that no third party can
tamper with the data housed on it. An HSM will be
virtualized with remote access capabilities or the
hardware will be on premise with physical access [11].
They have firewall controls within each device as well
as multi-tenancy options [11]. The HSM has several
partitions where each is usually assigned to a specific
application and their corresponding encryption keys.
Each key has a life cycle and needs to be replaced after
a certain amount of time that is determined by NIST or
any governing body that your organization falls under.
Hardware Security Module
VII. CRYPTO IN THE CLOUD
Cloud security has been one of the more popular
topics ever since the beginning of cloud computing.
How can an organization utilize cloud computing
while remaining secure? We can do this with a
Hardware Security Module (HSM). End-to-end
communication between the organization and cloud
application will go through the HSM for encryption
[11]. This way, if the cloud provider suffers a data
breach, the organization’s data resides the HSM,
which is encrypted separately with the organization
having complete control over the security of their data
in the cloud.
This strategy also ensures that the cloud provider
isn’t tampering with the organization’s data. Placing
data in the cloud is essentially taking your personal
data and letting it sit on someone else’s computer
where you can still access it if you need to. At any
time, that person can remove your access but still have
your data. They could also be accessing your data
without your knowledge. As an organization who is
responsible for that data, we need to make sure we
have the control over security so that security isn’t
based on trust. This route should be taken by
organizations to make sure their data is secure in the
cloud.
Cloud computing isn’t going away, but rather
becoming more prevalent in the world today. Security
professionals need to understand the cryptography
aspects and apply them in their organization to
optimize data security in the cloud. We need to
remember that security depends on the appropriate
protection mechanism of the weakest link in the entire
security organization [10]. If that weakest link is the
cloud, but the rest of the organization has minimal
vulnerabilities, they are not secure because all of that
data in the cloud can be compromised at any given
time. That data may be highly confidential and could
possibly cost the organization a significant amount of
money or even running the business into the ground.
Oil is no longer the world’s most valuable resource,
data is. We need to spend the money, time, effort, and
invest into professionals and can keep the
organization’s data secure and keep the name of the
organization out of media headlines.
VIII. CONCLUSION
IaaS services have significant benefits in
comparison to the on-site, departmentally managed IT
infrastructure that was the prevailing norm for many
years. The level of access, ease of management, and
dynamic provision capabilities that IaaS services offer
bring the complexity and cost of managing
sophisticated hardware and software to a new level of
approachability and affordability. Successful
utilization of IaaS cloud services requires careful
consideration of data security in IaaS products.
However, ss long as careful research is done into an
IaaS provider’s facility, and the right application of
cryptographic protocols and secure programming
techniques is used on the client side, a reasonable
amount of security can be achieved for most IT
solutions. Additionally, the flexibility of IaaS products
make it possible to scale services and applications with
low security priority in the cloud alongside in-house
servers to create hybrid systems that are both secure
and cost-effective.
8. 8 | P a g e
IX. REFERENCES
[1] Watkins, Darren. “Protecting Your Data Infrastructure.” Credit
Control, vol. 38, no. 3/4, Mar. 2017,pp.57–59. EBSCOhost.
[2] Anand, A. (2017). “Cloud computing and cloud related
security issues.” International Journal of Advanced Research
in Computer Science, 8(5) Retrieved from
https://reddog.rmu.edu/login?url=https://reddog.rmu.edu:3479/
docview/1912631341?accountid=2836
[3] D. Gonzales, J. M. Kaplan, E. Saltzman, Z. Winkelman and D.
Woods, "Cloud-Trust—a Security Assessment Model for
Infrastructure as a Service (IaaS) Clouds," in IEEE
Transactions on Cloud Computing, vol. 5, no. 3, pp. 523-536,
1 July-Sept. 2017.
[4] Kratzke, Nane. (2018). “A Brief History of Cloud Application
Architectures.” Applied Sciences. no. 8, pp. 1368. EBSCOhost.
[5] Xu, Zhiyan, et al. “Security Analysis of a Publicly Verifiable
Data Possession Scheme for Remote Storage.” Journal of
Supercomputing, vol. 73, no. 11, Nov. 2017, pp. 4923–4930.
EBSCOhost.
[6] Gonzalez, N., Miers, C., Redígolo, F., Simplício, M.,
Carvalho, T., Näslund, M., & Pourzandi, M. (2012). “A
quantitative analysis of current security concerns and solutions
for cloud computing.” Journal of Cloud Computing, 1(1), 1-
18.
[7] Müller, A., Ludwig, A., & Franczyk, B. (2017). “Data security
in decentralized cloud systems – system comparison,
requirements analysis and organizational levels.” Journal of
Cloud Computing, 6(1), 1-9.
[8] X. Yin, X. Chen, L. Chen, G. Shao, H. Li and S. Tao,
"Research of Security as a Service for VMs in IaaS Platform,"
in IEEE Access, vol. 6, pp. 29158-29172, 2018.
[9] Bhadauria, R., Chaki, R., Chaki, N., & Sanyal, S. (2014).
“SECURITY ISSUES IN CLOUD COMPUTING.” Acta
Technica Corviniensis - Bulletin of Engineering, 7(4), 159-
177. Retrieved from
https://reddog.rmu.edu/login?url=https://reddog.rmu.edu:3479/
docview/1618069466?accountid=28365
[10] Al-Sakib Khan Pathan. “Basics of Security and Cryptography”.
Vol 1. Pp 1-10, 2017.
[11] Ultimaco. “Ultimaco Brings the Power of Hardware Security
Module Technology to the Cloud”. Vol 1, pp 1-2, 2015.
[12] Bhardwaj S., Jain L., Sandeep J.(2015). “Cloud Computing: A
Study Of Infrastructure As A Service (Iaas).” International
Journal Of Engineering And Information Technology,2(1), 1-
10.
[13] Chong N.(2019). “Cloud Computing Challenges in a General
Perspective.” Journal of Computing and Management Studies,
1(3), 1-5.
[14] Rashid A., Amit C.(2019) “Cloud Computing Characteristics
and Services: A Brief Review.” International Journal of
Computer Sciences and Engineering, 7(2),1-6.