International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 3, Issue 2, March-April 2014 ISSN 2278-6856

Abstract: Nowadays, cloud computing has become a significant technology trend. Its benefits include cost savings, high availability of resources and easy scalability. Cloud users can remotely store their data and enjoy on-demand, high-quality applications and services from cloud resources. Data security is one of the major concerns, since users of cloud storage services no longer physically maintain direct control over their data in the cloud. Shifting all data to the cloud therefore has implications for privacy and security. One possible solution is to encrypt data before storing it in the cloud, but encryption alone is insufficient. Cloud computing also inherits the well-known vulnerabilities of the core technologies it is built on. This paper explains the potential risks, vulnerabilities and challenges associated with the various cloud computing services and recommends methods to mitigate them. These security issues should be taken seriously in order to avoid disastrous consequences for an organization's reputation and existence. The cloud service provider should offer Security as a Service and Data Protection as a Service to gain the customer's trust and to assure them that their data will remain secure and protected in the cloud.

Keywords: Cloud computing security, encryption, security as a service, data protection as a service.

1. INTRODUCTION
Cloud computing is a virtual pool of resources such as software, platform and infrastructure that is dynamically scalable and can be reconfigured at very low cost to meet the customer's needs. All cloud services, such as storage, application development and application access, are reached through the Internet. They can be used from any kind of device: laptops, PCs, smartphones and tablets. Cost saving, high availability of resources and dynamic scalability are a few of the advantages of cloud computing. Google, Amazon and Microsoft are the big players providing services to cloud users. Every cloud provider deploys a data centre that includes platforms for developing applications on the cloud, hardware to support the applications developed, and infrastructure such as network and database. The cloud service provider uses service-level agreements (SLA) with the consumer to provide the services.

The National Institute of Standards and Technology (NIST) [1], the US government agency responsible for developing standards and guidelines for technologies, defines cloud computing as "a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction". The most significant benefit of using the cloud is that it works on the pay-per-use model: the consumer pays only for the resources actually used, such as applications, CPU, network and bandwidth.

Basically, cloud computing provides three kinds of service: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Together these are called the SPI model (Figure 1).

SaaS sits at the top of the cloud stack. The SaaS layer is used by the consumer to run applications hosted on the cloud. The main benefit of SaaS is that a user does not need to purchase costly licensed software. All the software on the cloud is licensed and fully supported by the respective vendors, and the consumer pays only for the software use. It replaces the traditional purchase of software with a rental model, thus reducing the user's physical equipment deployment and management costs. All applications are accessed through the Internet using a web browser, and there is no need to install anything extra locally.

PaaS provides the environment for application development. It is used by application developers, testers and administrators to develop and test software. It supports the entire software development life cycle and provides virtual machines, operating systems, applications, services, development frameworks, transactions and control structures.

IaaS provides infrastructure such as storage, network and CPUs on demand, on a rental basis. It is based on the concept of virtualization. IaaS creates a virtual environment that lets users share a resource to run their applications without being aware of the sharing. The virtual environment includes virtual computers, cloud storage, network infrastructure components such as firewalls, and configuration services. Usage fees are calculated per CPU hour, per GB of data stored per hour, per unit of network bandwidth consumed, and per hour of network infrastructure used.

Figure 1 SPI Model

Cloud Computing Security: Risks and Threats

GD Makkar (1), Vivek Panwar (2)

(1, 2) GRDIMT, Department of CSE, Dehradun 248001, India
Clouds can be deployed in three ways: private, public and hybrid. A private cloud is owned by the enterprise itself and used exclusively by that organization. This gives the organization greater control over its data and processes, and all the resources are managed by that organization. A public cloud is managed by an organization that sells cloud services (SaaS, PaaS, IaaS) globally. The cloud is operated and managed at a data centre owned by a service vendor that provides bulk data storage, multiple-CPU processing and similar services; services on a public cloud are provided on a pay-per-use basis. Popular public clouds are Amazon's AWS EC2, Rackspace Cloud Suite, Microsoft's Azure Service Platform and Google. A hybrid cloud combines private and public cloud, allowing an organization to use its private cloud together with the services of a public cloud.

2. CLOUD SECURITY
The biggest problem in cloud computing is the security and privacy of user data storage and management. All user data is stored at the Cloud Service Provider (CSP). Although the CSP takes all measures to provide the best security, it is still hard to have full faith in the CSP because of the well-known risks associated with the cloud. Virtualization, which is the backbone of cloud computing, is also a big threat to security [2]. Virtualization allows several machine images to run on a single server. If two virtual machines are running on one server, it is quite possible that one party can reach both virtual machines and gain unauthorized access to the data and applications of the other user; an attack launched on one virtual machine can also affect the other virtual machine on the same server. A security level agreement (SLA) is negotiated between the CSP and the consumer that defines the risks associated with the cloud services. The major security flaws on the cloud are due to DDoS, malware, IP vulnerabilities, insecure cryptography, Fraudulent Resource Consumption (FRC) and so on.

3. SECURITY CHALLENGES IN THE CLOUD
3.1 Establishing trust between CSP and consumer
In the cloud, user computations are executed remotely at the data centre of the cloud service provider. Cloud computing uses a distributed computing architecture for execution. It is the CSP's responsibility to ensure the security and privacy of the user's stored data and of the execution of the user's applications.

Reputation and degree of control are the two primary components that sustain trust in a CSP. Degree of control plays a significant role in maintaining that trust. The cloud service provider should give the user control over stored data, data during processing, software, regulatory compliance and billing [3].

Control over stored data: The consumer owns the stored data and should be able to monitor and control all operations on it remotely, for valid as well as invalid users. The CSP should give consumers the control to clear the server cache of temporary data once a process is over; the consumer should also be able to permanently remove deleted data from storage, thereby preventing others from retrieving data residue. The consumer should also be able to remotely close all ports to its cloud-based servers when they are not in use.

Control over data during processing: Not only data residing in secondary storage but also data moving during processing needs to be protected. When a consumer is working with an application in the cloud, a lot of data transits between the cloud site and the consumer site, and it can easily be captured by an intruder. When data is being processed it is decrypted, and it should be revealed to the server only.

Control over software: The protection of the applications in use is usually overlooked. On cloud platforms, clients develop and run their own software, which includes important business logic that can be hacked by an intruder and misused. A consumer should have control over the use of his software and be able to hide what computation the software is doing. Similarly, consumers might also want to protect their software usage patterns: if a consumer uses a particular function very frequently, a usage pattern can be drawn that shows which functions are used most often and are therefore most important to the consumer.

Control over regulatory compliance: Although several cloud providers offer third-party certifications indicating that they comply with certain regulations, the client does not have enough control to know how providers achieve that compliance. There are various third-party regulatory compliance bodies, such as the Cloud Security Alliance (CSA), the National Institute of Standards and Technology (NIST) and the European Network and Information Security Agency (ENISA). The consumer should have control over which regulatory compliance regime is used, and should even be able to use a hybrid of them.

Control over billing: In the cloud, the user pays per use. The consumer incurs the full cost of whatever he/she has subscribed to, and should be able to monitor how many resources such as bandwidth, CPU time and memory he/she used in a particular day, week or month. Usually a consumer knows how many resources he/she uses in a month. If an intruder uses a client's bandwidth (Fraudulent Resource Consumption) without his/her knowledge, the client still incurs the cost. If the consumer has control over billing, he/she can set a maximum limit on the bill according to his/her usage pattern.

3.2 Privacy and Data Protection
Privacy is a core security challenge in cloud computing. Many organizations do not feel comfortable storing their private data outside their premises at a third-party site, and cloud computing is also exposed to traditional, well-known vulnerabilities such as IP vulnerabilities and DoS. The CSP must assure its customers of the high security and privacy of their data: that it will be fully protected from unauthorized access and that availability will be high. The identity of the consumer will be fully protected and maintained, and all transaction histories will be kept secure. All database measures will be applied to maintain the consistency of the data. The CSP will record every piece of information about the data, such as who created it and who modified it and when, since this information can be used for auditing. Privacy is a significant challenge for the cloud service provider, which must keep track of whether the information is being used by the valid user or by an intruder. The CSP must provide security and privacy not only for the user's data but also for the applications the user deploys on the cloud.

3.3 Organizational Security Management
One of the core frameworks for implementing cloud computing is virtualization, which works on the concept of multi-tenancy: multiple virtual machines reside on a single server shared by multiple users. In a multi-tenant environment, one tenant could be heavily targeted by intruders, which could substantially affect the other tenants.
It is also possible that the CSP has a malicious employee in its organization who takes advantage of his position and misuses client information for immoral purposes [4]. The CSP must ensure that none of its employees is malicious.

4. VULNERABILITIES ON THE CLOUD
4.1 Core-Technology Vulnerabilities
All cloud services are accessed through a web browser. Web applications, virtualization and cryptography are the core technologies of cloud computing, and each of these core technologies has well-known vulnerabilities. If an attacker is able to enter the virtualized environment of the cloud, he/she gains full unauthorized access to the server, which affects all the users connected to that server. An attack on one tenant of a server may also harm the other tenants.
To secure data on the cloud, cryptography is required not only while data is stored but also while it is in transit. If the user uses weak encryption, the data can easily be captured by an intruder and misused. No one can think about using the cloud without good encryption.

4.2 Insecure Interfaces and Application Programming Interfaces
Data in the cloud is usually stored through an application. Malfunctions and errors in the software interface can let an intruder get inside the software and gain unauthorized access to user data. For example, a flaw in Apache allowed an attacker to gain complete control over the web server [5]. These malfunctions exist because of poorly designed or poorly implemented security measures. Software interfaces must be made fully secure against accidental and malicious disclosure.

4.3 Malicious Insiders
A malicious insider is an employee of the CSP who takes advantage of his/her position to obtain a client's private information and misuse it for immoral purposes. It is always a worrying aspect that a clandestine employee can have access to consumers' data and use private data for their own ends [4].
Sometimes a CSP can also act maliciously without intending to. This insidious form of the malicious insider problem arises through PaaS-based services. If the service provider offers a platform that allows developers to build applications that interact with users' data, e.g. Facebook applications, users may unknowingly allow these developers access to all of their data. For example, it is well known on the Facebook platform that once a user adds an application, the application may have the ability to access all of the user's information if allowed to do so. Similarly, when a developer adds an application to the Google Play store and a user installs it on a mobile device, the user unknowingly gives it access to private information such as phone status and identity, network access, location, contacts and so on. Even if the application developers are not malicious, this does not mean that the application cannot be hacked.

4.4 Virtualization Issues
Virtualization, the core technology of cloud computing, allows the CSP to host several machine images on a single server, with each machine image allocated to a user dynamically. Ristenpart, Tromer et al. [2] practically demonstrated an attack on the virtualization framework, revealing it on Amazon EC2. They drew two conclusions. First, with access to one virtual machine, they could easily map the internal structure of the cloud, gaining unauthorized access to other virtual machines co-resident with the one they controlled. Second, they demonstrated that they were able to intentionally add a virtual machine to the cloud so that it was co-resident with another chosen machine. Finally, they showed that once a machine was co-resident, they could launch several attacks that gave them information about CPU cache use, network traffic rates, keystroke timings and so on.

4.5 Data Availability Issue (DoS)
Availability issues arise when the data exists but is made inaccessible to the consumer. An attacker sends a flood of requests to the server so that it is unable to respond to genuine users. Such an attack is called a Denial of Service (DoS) attack: an attempt to flood the service with requests in order to overwhelm it and stop all the services of the server.
One of the benefits of cloud computing is that consumers are charged on a pay-per-use basis. Increased resource consumption, network usage and hardware maintenance are the consequences of a flooding attack. Ultimately this also increases the amount of money the consumer is charged for resource usage. Moreover, these monetary increases have an adverse effect on the operational expenditure of the service provider.

4.6 Internet protocol vulnerabilities
All cloud services are accessed over the Internet via web browsers using standard Internet protocols, which are untrusted. Cloud computing is therefore prone to all the well-known vulnerabilities of the Internet protocol.

4.7 Resource sharing vulnerability
One of the greatest benefits of cloud computing, and one that helps users decrease their expenditure, is resource sharing. The user does not own the resources but rents them and pays per use. Servers, network, storage and software are all used on a shared basis. This relieves the user of the burden of purchasing resources and licensed software. In spite of all these benefits, resource sharing also leads to a vulnerability. Resources used by one user will later be allocated to another user. It is quite possible, for storage resources, that some temporary data of the previous user remains and that the server cache was not refreshed before the resource was made available to the other user.

4.8 Injection flaws
Injection flaws allow an intruder to send malicious code through the web application into the system or server. Scripts written in Python, Perl or any other programming language can be injected into and executed by an insecure application. When the web application receives an external HTTP request, it must examine it carefully; otherwise an intruder can inject special characters or malicious code into the submitted data, which the application will then pass on to the external system for execution. The most common type of injection is SQL injection. In this type of attack, when an application sends a request to the database, the attacker appends malicious SQL commands to the content of that request and tricks the web application into forwarding fake queries to the database [6]. With a successful SQL injection, an intruder can log in without any authentication and access users' private information.
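The SQL injection case described above, as an added example that is not code from the paper: a login check built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table (the user record, the `BYPASS_ATTEMPT` payload and the `suspicious_input` screen are assumptions for illustration).

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web application's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Plaintext only to keep the injection point visible; real storage keeps a
    # salted hash of the password (see section 4.10).
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The flaw from section 4.8: request content is spliced into the SQL text,
    so quote characters in the password change the meaning of the query."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened form: bound parameters are always treated as data, never as SQL,
    so the same payload is simply a password that does not match."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


def suspicious_input(value: str) -> bool:
    """Coarse screening of an inbound request field for SQL metacharacters.
    Useful for logging and alerting on probes; not a substitute for
    parameterization, which is what actually closes the flaw."""
    return any(token in value for token in ("'", "--", ";", "/*"))


# The classic tautology an intruder appends to a password field (constructed).
BYPASS_ATTEMPT = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login with payload   :", login_vulnerable(db, "alice", BYPASS_ATTEMPT))
    print("parameterized login with payload:", login_parameterized(db, "alice", BYPASS_ATTEMPT))
    print("payload flagged by screening    :", suspicious_input(BYPASS_ATTEMPT))
```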

4.9 Security Misconfiguration
The web server and application server are the backbone of a web application. They provide a number of services such as mail, data storage and running web applications. If these servers are not properly managed and configured, a variety of security breaches follow. Security misconfiguration can happen at the application level, the framework, the web server, the custom code and the platform. Attackers use unpatched flaws and unprotected files and directories to gain illegal access to the system. Default accounts must always be changed, because an attacker can discover the standard admin page and log in with the default passwords [7].

4.10 Insecure cryptographic storage
In the cloud, web applications need to store sensitive information in the database. This information can be credit card numbers, account details, usernames and passwords or any other private information. Therefore the use of encryption is necessary. Amateur users usually make mistakes while using encryption: failure to encrypt critical data, insecure storage of keys, certificates and passwords, and poor selection of encryption algorithms are a few of the major ones. The database is the backbone of every organization. Usually databases are handled through applications, and on the cloud through web applications. Almost every application is connected to a database; the username and password used to make these connections should be encrypted using a powerful encryption algorithm such as RC4_128 with MD5 for message authentication and RSA as the key exchange mechanism [8], so that no unauthorized user can easily access users' private data. The web application must have cryptographic support. When a user is making a payment by credit or debit card, his/her personal account number, the cardholder's name and the expiration date should be encrypted when transmitted across different networks [9].

4.11 Authentication and Identity Management
An identity management (IDM) mechanism authenticates users on the basis of valid credentials before they use the services on the cloud [10]. Existing password-based authentication is not enough to authenticate users: it poses significant risks, and an intruder can easily bypass this authentication process. The following problems arise when weak user authentication mechanisms are used:

Denial of service due to account lockout: when a user fails to access his/her account after several unsuccessful authentication attempts, the account is usually locked and the user has to wait either for some time before trying again or for the service provider to unlock the account. Attackers can exploit this lockout by deliberately making such failed authentication attempts to launch DoS attacks against a user.

Insufficient or faulty authorization check: an insufficient or faulty authorization check allows an unauthorized user to access private data and information. URL-guessing attacks are the result of missing authorization: the user modifies the URL to gain access to another user's account.
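Both problems listed above have a straightforward defensive shape, shown here as an added example (not code from the paper): a failed-login throttle keyed by account and client, so that an attacker's deliberate failures do not lock the legitimate user out, and an object-level authorization check for the URL-guessing case. The account table, IP addresses and window sizes are constructed assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Optional


class LoginThrottle:
    """Sliding-window throttle on failed logins, keyed by (account, client).

    Counting failures per client instead of locking the account outright means
    an attacker who deliberately fails authentication against alice's account
    only throttles their own client, not alice's.
    """

    def __init__(self, max_failures: int = 5, window_s: float = 300.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)  # (account, client) -> timestamps

    def _recent(self, key, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # forget failures that fell out of the window
        return q

    def allowed(self, account: str, client: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent((account, client), now)) < self.max_failures

    def record_failure(self, account: str, client: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._recent((account, client), now).append(now)

    def failing_clients(self, account: str, now: Optional[float] = None) -> int:
        """Distinct clients currently throttled for one account. A large value
        is the detection signal that someone is trying to lock the user out."""
        now = time.time() if now is None else now
        return sum(
            1 for (acct, client) in list(self._failures)
            if acct == account and len(self._recent((acct, client), now)) >= self.max_failures
        )


# Constructed account store: account id -> owner and data.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 50},
    102: {"owner": "bob", "balance": 75},
}


class Forbidden(Exception):
    """Raised for missing and foreign accounts alike, so the response does not
    tell a URL-guessing client which ids exist."""


def authorized(session_user: str, account_id: int) -> bool:
    """Object-level check: the id taken from the URL must belong to the
    authenticated user, not merely to some user."""
    acct = ACCOUNTS.get(account_id)
    return acct is not None and acct["owner"] == session_user


def get_account(session_user: str, account_id: int) -> dict:
    """Handler for GET /account/<id>: authentication has already happened;
    this is the authorization step the page says is often missing."""
    if not authorized(session_user, account_id):
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return ACCOUNTS[account_id]
```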

4.12 Fraudulent Resource Consumption (FRC) Vulnerability
A consumer uses and pays for cloud services and resources such as bandwidth, storage and CPU hours. Cloud consumers pay only for the resources they consume and for the time they use them. Under the agreement between the cloud service provider (CSP) and the consumer, cloud consumers have to incur all computational costs for all leased resources used, regardless of whether the resources were consumed in good faith. An attacker can perform a distributed denial-of-service (DDoS) attack on cloud services and resources. An attacker can also consume the metered bandwidth of cloud services, thus increasing the consumer's financial burden. This is the fraudulent resource consumption (FRC) attack [11].
Whenever the cloud service provider receives a request, it is always serviced with a reply, which places a financial burden on the cloud consumer. The cloud consumer (the victim) incurs a cost every time a cloud application (the attack target) services a reply. Malicious use is more burdensome because the additional bandwidth used has no associated business value. CSPs do not monitor how many times a consumer's applications are used, so it is up to the cloud consumer to prevent, monitor and respond to such fraudulent behaviour [12].
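Since the page leaves FRC monitoring to the consumer (section 4.12) and argues for a consumer-set bill limit (section 3.1, control over billing), one practical check is to run over the application's own access log. The block below is an added example, not the paper's method or the detector of Idziorek et al.; the log lines, the median-ratio threshold and the per-GB price are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Subset of the common log format used by the constructed sample below:
# client, timestamp, request line, status, response bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line: str):
    """Return (client_ip, response_bytes) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    size = m.group("bytes")
    return m.group("ip"), (0 if size == "-" else int(size))


def summarize(lines):
    """Per-client request count and bytes served (the metered quantity billed)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not charged to anyone
        ip, size = parsed
        stats[ip]["requests"] += 1
        stats[ip]["bytes"] += size
    return dict(stats)


def flag_fraudulent(stats, ratio: float = 10.0, min_requests: int = 50):
    """Flag clients whose request count is above an absolute floor and far above
    the median client. A single-threshold heuristic chosen for illustration."""
    if not stats:
        return set()
    median = statistics.median(s["requests"] for s in stats.values())
    return {ip for ip, s in stats.items()
            if s["requests"] >= min_requests and s["requests"] > ratio * median}


def bill(stats, price_per_gb: float, flagged=frozenset()):
    """Split the metered bandwidth bill into (legitimate, suspected-fraudulent)."""
    legit = sum(s["bytes"] for ip, s in stats.items() if ip not in flagged)
    fraud = sum(s["bytes"] for ip, s in stats.items() if ip in flagged)
    return legit / 1e9 * price_per_gb, fraud / 1e9 * price_per_gb


def over_budget(stats, price_per_gb: float, cap: float) -> bool:
    """The consumer-set maximum bill from section 3.1, applied to this log."""
    return sum(bill(stats, price_per_gb)) > cap


def make_sample():
    """Constructed log: six ordinary clients plus one client hammering the site."""
    lines = []
    for i, n in enumerate([3, 4, 5, 6, 7, 8], start=1):
        lines += [f'203.0.113.{i} - - [10/Mar/2014:10:00:00 +0000] '
                  f'"GET /index.html HTTP/1.1" 200 5120'] * n
    lines += ['198.51.100.7 - - [10/Mar/2014:10:00:00 +0000] '
              '"GET /report.pdf HTTP/1.1" 200 51200'] * 300
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    stats = summarize(make_sample())
    flagged = flag_fraudulent(stats)
    legit, fraud = bill(stats, 0.12, flagged)  # assumed price of $0.12 per GB
    print("flagged clients:", flagged)
    print(f"legitimate ${legit:.6f}, suspected fraudulent ${fraud:.6f}")
    print("over $0.001 cap:", over_budget(stats, 0.12, 0.001))
```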

5. CONCLUSIONS
Cloud computing is one of the emerging technologies in use today. It offers numerous advantages to enterprises: it is a much more flexible and scalable solution (fast, flexible, robust and scalable), and it is cost-effective and economical because a user is charged only for what he or she uses. It provides software, platform and infrastructure as a service to the user. The user does not need a big IT infrastructure to run costly business applications and need not purchase licensed software to use them; the user can rent them and pay for all of them on a pay-per-use basis.
Security is a major concern for cloud computing providers. Both the user and the cloud service provider are equally responsible for security, and these responsibilities differ by the kind of cloud service being consumed. Service providers have the responsibility to ensure that proper security and isolation protections are in place against data loss, misuse or privacy violation within the cloud.
One of the main concerns of users in the cloud environment is data security and privacy. The huge amount of data and resources available in the cloud makes it an attractive place for attackers to exploit. The customer has to decide whether to store important files in a single storage location or to replicate them across multiple locations. Indeed, it is a good idea to keep important files and data geographically distributed, to protect against any unavailability caused by natural disasters, power shortages or a DoS attack. Some of today's cloud providers (such as Amazon) allow their customers to choose where to store and replicate their data.
The main theme of this paper is that the cloud consumer should also know about the vulnerabilities associated with the cloud. This does not mean these vulnerabilities cannot be removed. The CSP should provide some degree of control to the consumer, and it is necessary that both consumer and CSP have faith and confidence in each other.

References
[1] P. Mell and T. Grance, "The NIST Definition of Cloud Computing," National Institute of Standards and Technology, Information Technology Laboratory, Technical Report Version September 20122.
[2] T. Ristenpart, E. Tromer et al., "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds," ACM Conference on Computer and Communications Security (CCS'09), Nov. 2009.
[3] K. M. Khan and Q. Malluhi, "Trust in Cloud Services: Providing More Controls to Clients," Qatar University, published by the IEEE Computer Society, 2013, http://ComputingNow.computer.org.
[4] P. Wong, "Conversations About the Internet #5: Anonymous Facebook Employee," The Rumpus, Jan. 2010, http://therumpus.net/2010/01/conversations-about-the-internet-5-anonymous-facebook-employee.
[5] C. Ho, "Apache flaw opens systems up to attack," ZDNet UK, Mar. 2010, http://www.zdnet.co.uk/news/security-threats/2010/03/08/apache-flaw-opens-systems-up-to-attack-40077943/
[6] The Open Web Application Security Project (OWASP), "A6 2004 Injection Flaws," http://www.owasp.org/index.php/A6_2004_Injection_Flaws.
[7] The Open Web Application Security Project (OWASP), "Top 10 2010-A6-Security Misconfiguration," http://www.owasp.org/index.php/Top_10_2010-A6-Security_Misconfiguration.
[8] N. Sharma and V. S. Rathore, "Different Data Encryption Methods Used in Secure Auto Teller Machine Transactions," International Journal of Engineering and Advanced Technology (IJEAT), ISSN 2249-8958, Volume 1, Issue 4, April 2012.
[9] Payment Card Industry Data Security Standard, "Navigating the PCI DSS," PCI Security Standards Council LLC, October 2010, https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf.
[10] E. Bertino, F. Paci and R. Ferrini, "Privacy-Preserving Digital Identity Management for Cloud Computing," IEEE Computer Society Data Engineering Bulletin, Mar. 2009, pp. 14.
[11] J. Idziorek, M. Tannian and D. Jacobson, "Detecting Fraudulent Use of Cloud Resources," Proc. 3rd ACM Workshop on Cloud Computing Security (CCSW '11), ACM, 2011, pp. 61-72.
[12] J. Idziorek, M. F. Tannian and D. Jacobson, "The Insecurity of Cloud Utility Models," IT Professional, vol. 15, no. 2, pp. 22-27, March-April 2013.
