During this phase, the search in the defined sources must be executed and the obtained studies must be evaluated according to the established criteria. Tebaa M, El Hajji S, El Ghazi A: Homomorphic encryption method applied to Cloud Computing. Online. Security Issues, Data Security, Private Protection. It provides the following security management features: access control framework, image filters, provenance tracking system, and repository maintenance services. Ormandy T: An empirical study into the Security exposure to hosts of hostile virtualized environments. With IaaS, cloud users have better control over the security compared to the other models as long as there is no security hole in the virtual machine monitor [21]. Besides secure development techniques, developers need to be educated about data legal issues as well, so that data is not stored in inappropriate locations. The capability provided to the consumer is to deploy onto the cloud infrastructure their own applications without installing any platform or tools on their local machines. Platform as a Service (PaaS). In conclusion, there is less material in the literature about security issues in PaaS. Infrastructure as a Service (IaaS). Owens D: Securing elasticity in the Cloud. Proceedings of Black Hat Security Conference, Washington, DC 2008. http://www.eecs.umich.edu/fjgroup/pubs/blackhat08-migration.pdf. An attacker can compromise the migration module in the VMM and transfer a victim virtual machine to a malicious server. The Register, 08-Jun-2009. Zhang S, Zhang S, Chen X, Huo X: Cloud Computing Research and Development Trend. The security issues are a little different, depending on whether you use a public cloud or private cloud implementation of IaaS. Security Issues in Cloud Deployment Models. This question had to be related to the aim of this work, that is, to identify and relate vulnerabilities and threats with possible solutions. 
Also, running these filters may raise privacy concerns because they have access to the content of the images, which can contain customers’ confidential data. Same as SaaS, PaaS also brings data security issues and other challenges that are described as follows: Moreover, PaaS does not only provide traditional programming languages, but it also offers third-party web services components such as mashups [10, 38]. Washington, DC, USA: IEEE Computer Society; 2009:1–4. Washington, DC, USA: IEEE Computer Society; 2011:1–10. Thus, these images are fundamental for the overall security of the cloud [46, 49]. Then, fragments are scattered in a redundant fashion across different sites of the distributed system. For example, an attacker with a valid account can create an image containing malicious code such as a Trojan horse. In Proceedings of the 2012 ACM conference on Computer and communications security, New York, NY, USA. Security challenges in SaaS applications are not different from any web application technology, but traditional security solutions do not effectively protect them from attacks, so new approaches are necessary [21]. Computer 2009, 42(8):106–108. Accessed: 02-Aug-2011, Berger S, Cáceres R, Pendarakis D, Sailer R, Valdez E, Perez R, Schildhauer W, Srinivasan D: TVDc: managing Security in the trusted virtual datacenter. 
Journal of Internet Services and Applications. These malicious images can be the starting point of the proliferation of malware by injecting malicious code within other virtual machines in the creation process. In Security engineering for Cloud Computing: approaches and Tools. SaaS provides application services on demand such as email, conferencing software, and business applications such as ERP, CRM, and SCM [30]. Virtualized environments are vulnerable to all types of attacks for normal infrastructures; however, security is a greater challenge as virtualization adds more points of entry and more interconnection complexity [45]. 
SaaS cloud security issues are naturally centered around data and access because most shared security responsibility models leave those two as the sole responsibility of SaaS customers. For instance, most virtualization platforms such as Xen provide two ways to configure virtual networks: bridged and routed, but these techniques increase the possibility of performing some attacks such as sniffing and spoofing of the virtual network [45, 52]. In SaaS, organizational data is often processed in plaintext and stored in the cloud. SaaS, PaaS, and IaaS: A security checklist for cloud models. Key security issues can vary depending on the cloud model you're using. Security of PaaS clouds is considered from multiple perspectives including access control, privacy and service continuity while protecting both the service provider and the user. TCCP [63] enables providers to offer closed box execution environments, and allows users to determine if the environment is secure before launching their VMs. IBM J Res Dev 2009, 53(4):560–571. Owens K: Securing virtual compute infrastructure in the Cloud. We now systematically analyze existing security vulnerabilities and threats of Cloud Computing. Waltham, MA: Elsevier Inc; 2011. In Proceedings of the 40th annual Hawaii International conference on system sciences. The current focus of the hacking community on breaking SSL will become a major exploit vector in the near future. This presentation will help you architecturally understand each of the service models -- Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) -- and the security risks you can expect with each, as well as how IaaS, PaaS and SaaS security issues and risks affect not only data security but also organizational compliance efforts. Shared responsibility in the cloud. We have expressed three of the items in Table 4 as misuse patterns [46]. Heidelberg: Springer-Verlag Berlin; 2009. 
Therefore, any vulnerability associated with these technologies also affects the cloud, and it can even have a significant impact. Other Data Related Security Issues. Other minor data related security issues can occur through Data location, Multi-tenancy and Backup in cloud computing. TVDc [73, 74] ensures isolation and integrity in cloud environments. Current homomorphic encryption schemes support a limited number of homomorphic operations such as addition and multiplication. A malicious virtual machine can be migrated to another host (with another VMM) compromising it. The authors declare that they have no competing interests. VMs located on the same server can share CPU, memory, I/O, and others. There are some well-known encryption schemes such as AES (Advanced Encryption Standard). 2009. PaaS (Platform as a Service) is a complete development and deployment environment in the cloud that gives you access to the resources you need to deliver a wide range of solutions, from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. Keeping the VMM as simple and small as possible reduces the risk of security vulnerabilities, since it will be easier to find and fix any vulnerability. HyperSafe’s goal is to protect type I hypervisors using two techniques: non-bypassable memory lockdown, which protects write-protected memory pages from being modified, and restricted pointer indexing, which converts control data into pointer indexes. Venkatesha S, Sadhu S, Kintali S: Survey of virtual machine migration techniques. The remainder of the paper is organized as follows: Section 2 presents the results obtained from our systematic review. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. Zhang Y, Liu S, Meng X: Towards high level SaaS maturity model: methods and case study. 
Security of PaaS clouds is considered from multiple perspectives including access control, service continuity and privacy while protecting both the service provider and the user. Also, some current solutions were listed in order to mitigate these threats. Las Vegas, US: CSREA Press; 2010:36–42. Furthermore, we describe the relationship between these vulnerabilities and threats; how these vulnerabilities can be exploited in order to perform an attack, and also present some countermeasures related to these threats which try to solve or improve the identified problems. Some of these vulnerabilities are the following: Lack of employee screening and poor hiring practices [16] – some cloud providers may not perform background screening of their employees or providers. In Second International Conference on Future Networks (ICFN’10), Sanya, Hainan, China. This work was supported in part by the NSF (grants OISE-0730065). Lack of security education – people continue to be a weak point in information security [53]. Attack vect… This useful feature can also raise security problems [42, 43, 47]. Jensen M, Schwenk J, Gruschka N, Iacono LL: On technical Security issues in Cloud Computing. In Proceedings of the 2009 conference on Hot topics in cloud computing, San Diego, California. Traditional security mechanisms such as identity, authentication, and authorization are no longer enough for clouds in their current form [11]. In Proceedings of the IEEE symposium on Security and privacy. PaaS application security comprises two software layers: Security of the PaaS platform itself (i.e., runtime engine), and Security of customer applications deployed on a PaaS platform [10]. of Computer Science, University of California, Santa Barbara: ; 2009. 
http://www.academia.edu/760613/Survey_of_Virtual_Machine_Migration_Techniques, Ranjith P, Chandran P, Kaleeswaran S: On covert channels between virtual machines. This information can be expressed in a more detailed way using misuse patterns [62]. For each vulnerability and threat, we identify which cloud service model or models are affected by these security problems. In Services Computing conference. Its very nature however makes it open to a variety of security issues that can affect both the providers and consumers of these cloud services. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). Jansen W, Grance T: Guidelines on Security and privacy in public Cloud Computing. UK: Department of Computer Science; 2007. IaaS providers must undertake a substantial effort to secure their systems in order to minimize these threats that result from creation, communication, monitoring, modification, and mobility [42]. CSA has issued an Identity and Access Management Guidance [65] which provides a list of recommended best practices to assure identities and secure access management. Cloud Computing appears as a computational paradigm as well as a distribution architecture and its main objective is to provide secure, quick, convenient data storage and net computing service, with all computing resources visualized as services and delivered over the Internet [2, 3]. Available: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment. Dahbur K, Mohammad B, Tarakji AB: A survey of risks, threats and vulnerabilities in Cloud Computing. Accessed: 05-Jun-2011. KPMG: From hype to future: KPMG’s 2010 Cloud Computing survey. 2010. Garfinkel T, Rosenblum M: When virtual is harder than real: Security challenges in virtual machine based computing environments. 
Understanding what vulnerabilities exist in Cloud Computing will help organizations to make the shift towards the Cloud. Security web services standards describe how to secure communication between applications through integrity, confidentiality, authentication and authorization. If the image is not “cleaned”, this sensitive information can be exposed to other users. Data may be stored in different places with different legal regimes that can compromise its privacy and security. volume 10. In some cases, this switch has required major changes in software and caused project delays and even productivity losses. The VMM is low-level software that controls and monitors its virtual machines, so, like any traditional software, it entails security flaws [45]. Cloud computing security issues and challenges. The Open Web Application Security Project (OWASP) has identified the ten most critical web application security threats [32]. Security controls in Cloud Computing are, for the most part, no different than security controls in any IT environment. The security of this data while it is being processed, transferred, and stored depends on the provider. Pittsburgh, PA: CMU-CS-01–120; 2001. Gaithersburg, MD: NIST, Special Publication 800–144; 2011. The adoption of SaaS applications may raise some security concerns. However, most hypervisors use virtual networks to link VMs to communicate more directly and efficiently. It’s important to understand the division of responsibility between you and Microsoft. Using covert channels, two VMs can communicate bypassing all the rules defined by the security module of the VMM [48]. As a result, security is sometimes inconsistent, and can be seen as a barrier to moving applications to the cloud. Traditional web applications, data hosting, and virtualization have been looked over, but some of the solutions offered are immature or nonexistent. Washington, DC, USA: IEEE Computer Society; 2007. 
Unfortunately, integrating security into these solutions is often perceived as making them more rigid [4]. In National Days of Network Security and Systems (JNS2). Also, PaaS users have to depend on both the security of web-hosted development tools and third-party services. Virtual networks are also a target for some attacks, especially when communicating with remote virtual machines. NY, USA: ACM New York; 2009:128–133. Cloud Computing leverages many technologies (SOA, virtualization, Web 2.0); it also inherits their security issues, which we discuss here, identifying the main vulnerabilities in this kind of system and the most important threats found in the literature related to Cloud Computing and its environment as well as to identify and relate vulnerabilities and threats with possible solutions. Cloud Computing is a flexible, cost-effective, and proven delivery platform for providing business or consumer IT services over the Internet. PaaS security practices. An analysis of security issues for cloud computing. SaaS provides software delivered over the web while PaaS offers development tools to create SaaS applications. Malicious users can store images containing malicious code in public repositories, compromising other users or even the cloud system [20, 24, 25]. For example, a malicious VM can infer some information about other VMs through shared memory or other shared resources without needing to compromise the hypervisor [46].