A Survey on Cloud Computing Security – Challenges and Trust Issues

A Survey on Cloud Computing Security –
Challenges and Trust Issues
Nabeel Mohammad Abdullah Al-Jaser
College of Computer
Qassim University
Qassim - Saudi Arabia
nabel142436@gmail.com
ABSTRACT
A traditional computing environment requires a costly
infrastructure to offer a better service to users. The introduction
of cloud computing has changed the working environment from
traditional to virtual. A larger number of IT companies are
utilizing the cloud. On the one hand, the cloud attracts more
number of consumers by offering services with minimized
capital cost and virtual infrastructure. On the other hand, there
are a risk and security challenges in cloud computing that
makes the user not to move completely towards it. The cloud
environment is more vulnerable to security breaches and data
theft. Moreover, insider attacks are more frequent in larger
enterprises. An unauthenticated user can cause more damage
to company reputation. The cloud service providers are trying
to provide a secure work environment for users. However,
there is a lack of global standards and policies to invoke
security measures in cloud computing. This study aims to
highlight and classify security challenges and trust issues in the
cloud environment.
The survey was conducted in various institutions and
governmental organizations in Saudi Arabia to study the
opinions of stakeholders on cloud computing security
challenges and risks.
General Terms
Cloud Computing, Security, Trust, Survey.
Keywords
Service Models, Challenges, Risks.
1. INTRODUCTION
The term “Cloud” is used as a metaphor to represent Internet.
It is used to indicate the complex infrastructure of a network
that stores a huge number of data. The concept of CC differs
from the computer network and other old-style computing
concepts. It is scalable and follows the technique of
encapsulation to represent an abstract entity [1]. The client can
access a different level of service that can be configured,
dynamically.
In the present situation, Cloud Computing (CC) has become a
new trend in the field of computing to store data in remote
computers, where they can access this data using Internet
applications. Once an Enterprise has adopted (CC), it should
take into account the benefits it could achieve and the
shortcomings and the changes in the usage-practices that the
CC might do. It is flexible and cost-effective and it is a better
alternative to procure and maintain complex hardware and
software. A study developed by [2], which is based on cloud
services, shown that the cloud services had maintained a strong
growth throughout the recent years. The challenges in CC
should be sorted out before migrating applications to the cloud
for providing an improved service to the stakeholders.
The outcome of a broader search on CC reveals that security is
one of the primary challenges of CC, should be resolved to
provide a better operating environment for organizations.
Even in the secured environment, some threats and security
breaches are discovered and cause a monetary or data loss for
an organization. Therefore, finding the issues in security and
developing a solution to handle these issues are the necessary
steps to implement CC in an organization [3].
This paper aims to select the security and trust issues in CC and
to investigate common solutions used to overcome the potential
security threats. The research questions that are handled in this
study:
1. What are the challenges related to security in cloud
computing?
2. What are the existing solutions to deal with security issues
in CC?
3. How does an organization deal with a specific security
issue, which does not have strategies to mitigate risk?
The structure of this study is organized as follows. The
overview and background of CC are explained in the next
section. Section III provides an overview of the security
challenges and risks in the cloud computing models. Section IV
shows the survey results and discusses the outcomes. Finally,
section V concludes the thesis with the output of this thesis with
its future directions.
2. BACKGROUND
Cloud Computing became one of the most familiar
technologies for distributing and retrieving data. The invention
of CC has provided a new way to connect a set of systems and
share resources. These resources could be managed with
limited efforts or interaction [4]. CC provides many benefits
that can be achieved. These benefits could range from reducing
cost, increasing storage, and increasing flexibility. When
organizations use CC services and resources, the expenses
come down to its minimal levels. On the other hand, CC
increases the data storage since the data is stored in many
remote computers or servers rather than limited storage local
computers. Moreover, it provides high flexibility of storing,
retrieving, and controlling the data in addition to reaching them
whenever and wherever needed, not as the traditional systems
work.
2.1 Cloud Service Models
The concept of CC model is to provide real-time operations to
users to access a network and avail several services through a
protected environment. CC characteristics are real-time on-
demand services where a user can individually utilize
computing capabilities automatically with no need for any
interfaces. On the other hand, the availability of broader
network capabilities leads users to access remote systems and
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 18, No. 5, May 2020
7 https://sites.google.com/site/ijcsis/
ISSN 1947-5500

mobile devices. Some of the features of CC are pooling of
resources, faster elasticity, and controlled services. Figure 1
shows the service models in a cloud environment. The service
models are broadly classified as applications, platforms, and
infrastructure.
Fig. 1: Cloud Service Models
In SaaS, the SP provides for users or customers a set of
resources installed onto cloud infrastructure that supported
with the required applications [5]. A consumer using this
service can control his content as well as the application-
hosting environment, but on the other hand, he will not get any
control over the infrastructure itself. While in PaaS, the SPs
give consumers the ability to deploy a platform onto their cloud
infrastructure with the corresponding applications. In contrast,
they will not be able to accomplish or control the cloud
infrastructure, but they will be able to control and monitor
applications and possibly configure the vital settings for the
application-hosting environment [6]. IaaS enables customers to
avail of some fundamental computing utilities such as storage,
networks, a pool of services, and so on. By accessing this
environment, the user can control the operating system, data
space, applications and limit the services to a limited number
of users for selected components such as Amazon EC2, Rack
space, Nimbus [7].
2.2 Cloud Deployment Models
The cloud services can be deployed on some models includes
private, hybrid, community, and public deployment models for
availing the benefits of cloud computing [8][9]. These models
are illustrated in Figure 2.
Fig. 2: Cloud Deployment Models
Public cloud: This kind of cloud is developed for large
industrial groups, communities, and the public. The
infrastructure is made for the organizations that are providing
services via clouds.
Private cloud: This cloud is used to deploy services for an
organization that designs it as it is the only one who has the
right to access the cloud even if it is managed by third a party
which might be located somewhere else.
Hybrid cloud: In this type of deployment model, two or more
clouds could be integrated, such as private, public, or a
community by standardized technology that enables the
portability of application as well as data.
Community cloud: Sometimes the need can arise to share the
cloud infrastructure by many organizations with the need to
support a precise community with some interesting anxieties.
This model can be created by an outsider or any third party and
not only the organization itself.
The use of these deployments models and services can change
the way that the systems are interlinked in a way the work is
accomplished in the organization by making the resources that
are used by the cloud computing more dynamic and expandable
[10]. In this case, when the consumer uses more resources than
usual, then he has to spend more money, and on the other hand,
he needs to pay less money when he uses fewer resources [11].
In this manner, the cost of the user or organization's usage will
be reduced, and this can increase the opportunity of managing
resources.
2.3 Security in Cloud Computing
The implementation of cloud security in small scale companies
could not be cost-effective for the management. The
management will tend to share common clouds with other
organizations. When multiple organizations share a common
resource then there is a risk of misuse of data. During this kind
of situation, maintaining the privacy of data and secure it from
hackers and malware is the primary challenges for SPs [12].
2.3.1 Data Security
Data protection or security is the primary service to be applied
in the cloud to protect user transactions. The term
confidentiality refers to the process of protecting data stored in
a third-party location or outside the organization boundary.
Some measures should be taken to protect data from any
threats.
The process of archiving data in a remote location or server
raises some issues related to data privacy and confidentiality.
Some of these challenges are discussed below [13]:
1. The primary challenge of CC is data privacy. Users’
personal information, confidential business transactions, and
Government information have to be secured properly in CC.
There is no protocol or any policy in CC to assure the
confidentiality of data to users.
2. The service level agreement should be established
between the organization and Cloud SP to maintain the privacy
of users’ data. It will support organizations to minimize data
loss and risk-oriented to data confidentiality.
3. The rights such as obligations, status, privacy, and
confidentiality can be modified or changed by a user through
cloud SP. The user can make a request to SP based on type and
category of users’ information
4. An unauthenticated usage of remote storage can lead to
access the important files such as the legal status information
of personal and business. It may cause damage to the reputation
of an organization.
Vol. 18, No. 5, May 2020
ISSN 1947-5500

5. Disclosing the information on the storage location of
information about privacy and confidentiality may cause
adverse effects to cloud protection. A false obligation to
process or store data into a remote location can cause damage
to data privacy.
6. Information can be stored in multiple legal locations,
however, the legal consequences will differ for each location.
7. The cloud SP can access the user civil records to verify
their past activities. They can check whether a user is linked
with any criminal activity or not.
8. Sometimes the information cannot be accessed by an
authenticated user due to legal agreement between SP and
organization. It may cause a user not to retrieve important data
in time.
2.3.2 Data Integrity
The constraints and transactions of a database can support an
isolated system to maintain data integrity. However, it is not
easy to maintain it for a distributed database, where data is
stored in multiple locations. Therefore, the CC environment
should apply an effective mechanism to maintain data integrity
for cloud storage [14].
The lack of controls or methods for data integrity can impose
many problems/issues in the cloud environment. Developers
and management staff should handle data integrity carefully
and not compromise for any kind of cloud-based application.
An improper data integrity control can lead to data
manipulation or even loss of data. In some rare cases, the SP
can remove rarely used data and failed to inform users about
the data removal [15]. There is a lack of universal policy for
exchanging data in a cloud environment. It will give restricted
access to users and allow users to access limited resources.
2.3.3 Data Availability
Data availability is one of the prime issues in a cloud
environment. Users can experience downtime errors while
accessing important data or information [16]. Therefore, a
service level agreement should mention the downtime of the
server, so that the client will not face any problems and adjust
their timings for accessing data.
3. SECURITY CHALLENGES
Security is the primary issue for an organization during the
transition from a traditional networking system to a cloud
environment. The transaction of data from one to another place
is too hard in cloud systems due to security threats. The
consumer should be vigilant during the transaction of data and
understand the risk of data threats in CC environment [17]. The
cloud SP cannot carry out any technical countermeasures for
malicious activities without understanding the clients’
infrastructure.
In SaaS, the user must rely on the SP to find appropriate
security restrictions, and the SP must work to create privacy for
each user to prevent their data from being overlapped.
Therefore, it is difficult for the user to confirm that the SP has
implemented all security restrictions and the service is
available at any time and any place [18].
Users are greatly disturbed by the absence of operations over
the data and information to store and secure it in a form of SaaS.
They are also facing trust issues like spying on data, service
breach, and data unavailability that could cause monetary and
legal obligations.
Vulnerabilities in web applications lead to a security
vulnerability in an application, sasin this scenario, all
customers who use the cloud can be affected in the event of any
vulnerability. The challenge with SaaS security does not differ
from a web application, but some issues related to Internet
security like network firewall and protective measures (IDS
and IPS) that could not solve a problem as a whole, the security
problems cannot be defended by applications effectively at the
network level and needs defenses at a level of service.
In a SaaS-based environment, there should be trust between the
user and the SP in terms of data security, and the SP must
provide a mechanism to protect data and applications [19].
When an organization stores sensitive data for it in the cloud,
SPs must provide physical and logical security. Easy access to
data, and upon additional security checks to detect security
gaps in applications and fear of harmful employees in the
organization who can use the less secured modules in the data
security model.
In the cloud environment, data is communicated through the
Internet. Users will not have confidence in network security
when data flows in an information leakage medium, and this
encourages the intruder to use the data package to analyze the
weakness in network security. Moreover, security problems
must be considered and controlled at the lowest levels of
application such as network and host infiltration, and SPs
should pay attention to this element.
Weaknesses in the cloud computing environment are related to
all applications, such as applications that are relevant to the
Internet and engineering applications directed from device to
device. So, we must consider the load balance in the basic
systems in the security problem.
Cloud service such as PaaS aims to provide developers with an
opportunity to develop a useful application on a platform. It
will be more scalable than SaaS at a low cost for the customer
and provide features. It provides safety features and
functionalities, where compact capabilities are not perfect.
With IaaS, a programmer makes a better monitor of security in
the absence of a protection gap in a virtual simulation. As a
concept, virtual systems may be able to solve these problems,
however, in normal practice, there are a lot of problems in
safety.
4. SURVEY RESULTS & DISCUSSION
The Survey is a method of collecting original data in a large
population that is difficult to observe directly. Surveys
typically help researchers to understand generalize results to a
population by preparing questions and distributing them to a
sample from the population.
The survey has been prepared to obtain the users' opinions that
help to define common vulnerabilities, challenges, and major
threats in CC.
The questionnaire was distributed to the participant by a link
that was made online to view it and solve questions. A number
of participants in the questionnaire are 169 participants. 59.2%
of participants work in the public and governmental sectors,
which means 100 people out of 169, while 40.8% of them (69
participants) work in the private sectors.
4.1 Security and Privacy Issues
Data privacy has always been important. An individual entity
may contain the personal data of millions of customers—data
that requires to maintain the privacy and safeguard the
customers' identities safe and secured as possible, and support
the organization to save the company's reputation. Figure 3
shows the importance of privacy and security for participants
in the conducted questionnaire (1: Nothing, 2: Not good, 3:
Good, 4: Best, 5: Enormous).
Vol. 18, No. 5, May 2020
ISSN 1947-5500

Fig. 3: Importance of privacy and security
Some companies have written security policies to be referred
to and to apply security procedures better. The answer to a
question if your institution has formal written cloud security
policies, 38.5% of participants their establishments do not have
written security policies, and 31.4% do not know if the
institution has a written policy or not, while 30.2% only have
written policies.
The services provided by SP must be reliable and safe for
beneficiaries to trust them. The SP must be qualified with
relevant certificates to increase reliability. According to
respondents, 34.9% do not know whether their institutions are
eligible or not. while 27.2% had a third party responsible for
certificates to support trust issues. Figure 4 illustrates these
responses to question whether SPs that provide cloud services
to enterprises are qualified or not.
Fig. 4: The rate of SP qualifications
There are several security techniques used in cloud computing
to build trust among customers and cloud SPs. Companies
differ according to the security levels used in trust. 26.6% of
participants in the questionnaire do not know whether their
institution or organization any security techniques to achieve
trust. While 4.7% only of respondents their establishments do
not use any techniques to support confidence. A service-level
agreement (SLA) is the most popular technique used in scanned
institutions (28.4%). It is a commitment between a cloud SP
and a customer. Relevant service aspects such as quality,
availability, and responsibilities are agreed upon among the SP
and the service user. 17.8% of participants their institutions use
claims-based access control, while 8.9%, use the security
coding service as a way to support confidence between SPs and
their consumers. The security levels vary according to the
nature of the establishment and its security requirements.
Figure 5 shows a set of popular ways used to establish trust.
Fig. 5: Trust techniques that used in institutions
The security levels vary according to the nature of the
establishment and its security requirements, in which a
company has a required safety level according to the nature of
its work.
In the survey, the main security services (authentication, access
control, data confidentiality, data integrity, and non-
repudiation) have been evaluated by participants. In SaaS, most
respondents think that applying security services is very
important for application and software services. The security
categories of the PaaS model were evaluated as follows. Half
of the respondents see that authentication and data integrity
procedures are not important for platform services, while
another half believes that it is very important. Most of the
participants ensure the necessity of using access control
techniques to protect platform-related services against any
potential threats. In terms of data confidentiality and
nonrepudiation, most of the respondents consider that
confidentiality and assurance of services are important for
platform services. The necessity of security requirements for
the infrastructure services was evaluated by the survey
participants. A large percentage of participants (60%) believe
that authentication and access control procedures are not
important for infrastructure services, while the rest see it as
more important. In terms of data confidentiality and
nonrepudiation, 50% of respondents consider that
confidentiality and assurance of services are important for
infrastructure services. While the importance of data integrity
is less than confidentiality.
4.2 Cloud Security Challenges and Risks
In the conducted survey, common vulnerabilities in the cloud
environment were investigated according to the opinions of
participants. 17.8% of participants don’t have information on
vulnerabilities may affect the performance of their cloud
environment. The covered vulnerabilities in the questionnaire
summarized as follows:
• Cloud-based techniques nature such as virtualization
and web services.
• Poor key management and control.
• Weak authentication and authorization services.
• Storage and data recovery risks.
• Network-based security implementations.
Figure 4.16 shows the convergence of the results obtained,
which reflects the effect of vulnerabilities on CC environments
in different areas.
Fig. 6: The effect of common security vulnerabilities
Regarding attacks facing the establishments through CC, the
results were 40.8% considered a denial of service the greatest
threat to cloud computing security. While 30.8% see theft of
service attack threatens CC resources. The results for other
threats were as shown in Figure 7; 29% for Phishing, 19.5%
chose Cloud malware injection, 16% selected Botnets, 15.4%
for VM rollback attack, 14.8% considered Cross VM side
channels an essential threat effect CC, 13% said they had
targeted that share Memory is the problem, and 7.7% for Audio
Vol. 18, No. 5, May 2020
ISSN 1947-5500

Steganography. Only 11.8% of participants in the questionnaire
did not know which threat and attack consider the most
effective attack threatens resources and services on cloud
computing.
Fig. 7: The most effective attack threatens CC
4.3 Security Solutions and Defenses
Several solutions and methods have been proposed researchers
and developers to defend against possible threats in CC
environments. This study focuses on a set of methods that the
organization may adopt to ensure security in CC. 29.6% of
respondents believe that Encryption or Hash calculation
methods are the best way must be used by institutions to ensure
security. While 25.4% considered building Secure frameworks
will be more suite for CC environments. Unfortunately, 20.1%
of participants in the questionnaire do not know which method
used by their institution to provide security. Figure 4.18 shows
all results on approaches might be introduced by institutions to
ensure security in cloud computing.
Fig. 8: Approaches used by institutions to ensure security
5. CONCLUSION
Cloud computing offers several benefits to enterprise and
individual users. Many enterprises are initiating to change their
working environment from traditional to virtual mode.
However, the security issues are making them reluctant to
deploy cloud. A simple error in a security measure can cause
serious problems to the cloud operating environment. The
growth of new technologies is providing more security tools
and techniques to the cloud. Though, in the current situation,
there is no global standard and protocols to provide a protective
environment to cloud users.
This study has focused on security challenges and trust issues
in the cloud. A survey is conducted with a set of 169
participants. A set of questions was prepared to understand the
respondent’s knowledge about cloud security and trust issues.
The participants were requested to respond to the queries in a
controlled environment. The questionnaire was structured as
multiple-choice questions. The responses were collected and
analyzed to generate knowledge or recommendation.
The outcome of this survey has shown that at least 20% of
respondents did not know any information regarding cloud
security. Some participants could not provide any ideas or
suggestions for improving cloud security. It is evident from the
study that the organization must educate the employees to
understand the consequences of data theft and other security
flaws in a cloud environment. The future work of this study is
to investigate the possibilities and strategies to improve the
level of security of the cloud.
6. REFERENCES
[1] S. Kannan, M. Roberts, P. Mayes, D. Brelsford, J. F.
Skovira, Workload Management with LoadLeveler,
Poughkeepsie, NY, USA: IBM Redbooks, 2001.
[2] Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J.
and Ghalsasi, A. Cloud computing - the business
perspective. Decision Support Systems, 2011; 51 (1):
176–189.
[3] Voorsluys, W., Brober, J. and Buyya, R. Introduction
to cloud computing. In: Buyya, R., Broberg, J. and
Goscinski, A. (eds.), Cloud Computing Principles
and Paradigms. New Jersey: John Wiley & Sons Inc;
2011.
[4] Khalil H A Al-Shqeerat, Faiz M A Al-Shrouf,
Mohammad R Hassan and Hassen Fajraoui. Cloud
Computing Security Challenges in Higher
Educational Institutions - A Survey. International
Journal of Computer Applications 161(6):22-29,
March 2017.
[5] Peng, G.C. and Nunes, J.M.B. Surfacing ERP
exploitation risks through a risk ontology. Industrial
Management & Data Systems, 2009; 109 (7): 926–
942.
[6] D. A. Patterson, "The Data Center is the Computer",
Communications of the ACM, vol. 51, no. 1, pp. 105-
105, Jan. 2008.
[7] Hussein NH, Khalid A (2016) A survey of cloud
computing security challenges and solutions. Int J
Comput Sci Inf Secur 14(1):52.
[8] J. Shneidman, C. Ng, D. C. Parkes, A. AuYoung, A.
C. Snoeren, A. Vahdat, B. N. Chun, "Why Markets
Could (But Don't Currently) Solve Resource
Allocation Problems in Systems", Proceedings of the
10th Workshop on Hot Topics in Operating Systems
(HotOS X), June 2005.
[9] C. A. Waldspurger, T. Hogg, B. A. Huberman, J. O.
Kephart, W. S. Stornetta, "Spawn: A Distributed
Computational Economy", IEEE Transactions on
Software Engineering, vol. 18, no. 2, pp. 103-117,
Feb. 1992.
[10] M. Crouhy, D. Galai, R. Mark, The Essentials of Risk
Management, New York, NY, USA:McGraw-Hill,
2006.
[11] Tim Mather, Subra Kumaraswamy, and Shahed
Latif, "Cloud Security and Privacy", s.l.; O'Reilly,
2009.
[12] Mell, P. and Grance, T. The NIST definition of cloud
computing - recommendations of the National
Institute of Standards and Technology,
http://csrc.nist.gov/publications/nistpubs/800-
145/SP800-145.pdf.
[13] Salesforce.com outage hits thousands of businesses,
DOI=http://news.cnet.com/8301-1001_3-10136540-
92.html.
[14] Bernd Grobauer, Tobias Walloschek and Elmar
Stöcker, "Understanding Cloud-Computing
Vulnerabilities", IEEE Security and Privacy, 10 Jun.
Vol. 18, No. 5, May 2020
ISSN 1947-5500

2010, IEEE computer Society Digital Library, IEEE
Computer Society.
[15] Armbrust, M., Fox, A., Griffith, R., Joseph, A.D.,
Katz, R., Konwinski, A., Lee, G., Patterson, D.,
Rabkin, A., Stoica, I. and Zaharia, M. A view of
cloud computing. Communications of the ACM,
2010; 53 (4): 50–58.
[16] Alneyadi S, Sithirasenan E, Muthukkumarasamy V
(2016) A survey on data leakage prevention systems.
J Netw Comput Appl 62:137–152.
[17] Jyothi P, Anuradha R, Vijayalata DY (2013)
Minimizing internal data theft in cloud through
disinformation attacks. Int J Adv Res Comput
Commun Eng 2(9).
[18] Hobson, D. Global Secure Systems: Into the Cloud
we go.....have we thought about security issues?
DOI= http://www.globalsecuritymag.com/David-
Hobson-Global-Secure-Systems,20090122,7110.
1/2009.
[19] Cavoukian A (2010) The 7 foundational principles:
implementation and mapping of fair information
practices.
Vol. 18, No. 5, May 2020
ISSN 1947-5500

A Survey on Cloud Computing Security – Challenges and Trust Issues

More Related Content

What's hot

Similar to A Survey on Cloud Computing Security – Challenges and Trust Issues

Recently uploaded

A Survey on Cloud Computing Security – Challenges and Trust Issues