Abstract
Following the revival of virtualization technology described by Rosenblum and Garfinkel [2005], NIST defined cloud computing as a new paradigm for service computing infrastructures. In cloud environments, the basic security mechanism is inherited from virtualization: the execution of instructions at different privilege levels, with the hypervisor below the guest operating system and the guest kernel below user code. Despite its obvious benefits, the caveat is that a crashed virtual machine (VM) is much harder to recover than a crashed workstation. A crashed VM is essentially one giant corrupt binary file, and standard disk-based forensics can do little with it, so VM crashes should be avoided at all costs. Security incidents are one of the major causes of such crashes: compromise of the hypervisor, of cloud storage, of infrequently used VM images, and of the remote cloud client used by the customer, as well as threats from malicious insiders. Although more tightly controlled infrastructures such as private clouds alleviate several of these problems, most cloud users end up using cheaper options such as third-party infrastructures (i.e., public clouds), so a thorough discussion of all known security issues is pertinent. Hence, in this article, we discuss ongoing research in cloud security, ordered by the attack scenarios most often exploited in cloud environments: securing the hypervisor, exploiting co-residency of VMs, VM image management, mitigating insider threats, securing storage in clouds, abusing lightweight software-as-a-service clients, and protecting data propagation to and within clouds. From a practitioner's perspective, we explore the relevance of each attack scenario to a service company like Infosys. At the same time, we draw parallels between cloud security research and the implementation of security solutions in the form of enterprise security suites for the cloud.
We also discuss the state of practice in the form of enterprise security suites that include cryptographic solutions, access control policies for the cloud, new techniques for attack detection, and security quality assurance in clouds.
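The privilege-level mechanism the abstract calls the basic security mechanism of the cloud can be observed directly from inside a guest. The following program is an added example, not code from the paper or any of its references. It assumes an x86 Linux guest and returns -1 ("not applicable") elsewhere: the first probe executes a ring-0-only instruction from ring 3 and confirms that the CPU refuses it (the resulting #GP fault is delivered to the process as SIGSEGV), and the second probe reads CPUID to show that a still more privileged layer, the hypervisor, sits beneath the guest kernel and advertises itself. Neither probe is an exploit; both only demonstrate the boundaries the paper's attack scenarios try to cross.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Added example, not from the paper. Assumes an x86 Linux guest; on other
 * architectures both probes return -1 (not applicable). */

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_fault(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting instruction */
}

/* Ring-3 code attempts a ring-0-only instruction ("cli" requires IOPL >= CPL,
 * and user mode runs with IOPL 0). The CPU raises #GP, which Linux delivers as
 * SIGSEGV. Returns 1 if the instruction was trapped, 0 if it executed, -1 if
 * not applicable on this architecture. */
int privileged_instruction_trapped(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -1;
    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        __asm__ volatile ("cli" ::: "memory");   /* privileged: expect #GP */
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted ? 1 : 0;
#else
    return -1;
#endif
}

/* CPUID leaf 1, ECX bit 31 is set by hypervisors to advertise their presence;
 * leaf 0x40000000 returns a 12-byte vendor string (e.g. "KVMKVMKVM\0\0\0").
 * Returns 1 if a hypervisor is present, 0 if not, -1 if not applicable. When
 * vendor is non-NULL it receives the NUL-terminated vendor string. */
int hypervisor_present(char vendor[13]) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (vendor) vendor[0] = '\0';
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    if (!(ecx & (1u << 31))) return 0;
    if (vendor) {
        __cpuid(0x40000000, eax, ebx, ecx, edx);
        memcpy(vendor + 0, &ebx, 4);
        memcpy(vendor + 4, &ecx, 4);
        memcpy(vendor + 8, &edx, 4);
        vendor[12] = '\0';
    }
    return 1;
#else
    (void)vendor;
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int t = privileged_instruction_trapped();
    int h = hypervisor_present(vendor);
    printf("privileged instruction from ring 3: %s\n",
           t == 1 ? "trapped (#GP delivered as SIGSEGV)"
         : t == 0 ? "EXECUTED (privilege check missing)" : "n/a");
    if (h == 1)       printf("hypervisor advertised via CPUID: yes (%s)\n", vendor);
    else if (h == 0)  printf("hypervisor advertised via CPUID: no\n");
    else              printf("hypervisor advertised via CPUID: n/a\n");
    return 0;
}
```

Build with `cc -O2 probe.c -o probe` and run it inside a VM and on bare metal. The first line is the same in both places, because the guest kernel and the hypervisor each enforce their own privilege boundary; only the second line changes. A hypervisor may legitimately hide the CPUID bit, so a 0 there means "not advertised", not "not virtualized".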
References
- Mohamed Almorsy, John Grundy, and Amani Ibrahim. 2011. Collaboration-based cloud computing security management framework. In Proceedings of CLOUD. IEEE, Los Alamitos, CA, 364--371.
- Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang, Xiaolan Zhang, and Nathan C. Skalsky. 2010. HyperSentry: Enabling stealthy in-context measurement of hypervisor integrity. In Proceedings of CCS. ACM, New York, NY, 38--49.
- Andrew Baumann, Marcus Peinado, and Galen Hunt. 2014. Shielding applications from an untrusted cloud with Haven. In Proceedings of OSDI. 267--283.
- Sebastian Biedermann, Martin Mink, and Stefan Katzenbeisser. 2012. Fast dynamic extracted honeypots in cloud computing. In Proceedings of CCSW. ACM, New York, NY, 13--18.
- Kevin D. Bowers, Ari Juels, and Alina Oprea. 2009. HAIL: A high-availability and integrity layer for cloud storage. In Proceedings of CCS. ACM, New York, NY, 187--198.
- Shakeel Butt, H. Andrés Lagar-Cavilla, Abhinav Srivastava, and Vinod Ganapathy. 2012. Self-service cloud computing. In Proceedings of CCS. ACM, New York, NY, 253--264.
- Jose M. Alcaraz Calero, Nigel Edwards, Johannes Kirschnick, Lawrence Wilcock, and Mike Wray. 2010. Toward a multi-tenancy authorization system for cloud services. IEEE Security and Privacy 8, 6, 48--55.
- Andrew T. Campbell, Hermann G. De Meer, Michael E. Kounavis, Kazuho Miki, John Vicente, and Daniel A. Villela. 1999. The Genesis Kernel: A virtual network operating system for spawning network architectures. In Proceedings of OPENARCH. IEEE, Los Alamitos, CA, 115--127.
- Martim Carbone, Matthew Conover, Bruce Montague, and Wenke Lee. 2012. Secure and robust monitoring of virtual machines through guest-assisted introspection. In Research in Attacks, Intrusions, and Defenses. Lecture Notes in Computer Science, Vol. 7462. Springer, 22--41.
- Yanpei Chen, Vern Paxson, and Randy H. Katz. 2010. What's New about Cloud Computing Security. Technical Report No. UCB/EECS-2010-5. University of California, Berkeley.
- Mihai Christodorescu, Reiner Sailer, Douglas Schales, Daniele Sgandurra, and Diego Zamboni. 2009. Cloud security is not (just) virtualization security. In Proceedings of CCSW. ACM, New York, NY, 97--102.
- William R. Claycomb and Alex Nicoll. 2012. Insider threats to cloud computing: Directions for new research challenges. In Proceedings of COMPSAC. IEEE, Los Alamitos, CA, 387--394.
- EMC Corporation. 2014. EMC2 Home Page. Retrieved December 26, 2014, from http://www.emc.com/security/rsa-envision.htm.
- Loek Essers. 2012. Cloud Failures Cost More Than $71 Million since 2007. Retrieved December 26, 2014, from http://www.infoworld.com/d/cloud-computing/cloud-failures-cost-more-71-million-2007-195895.
- Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward W. Felten. 2010. SPORC: Group collaboration using untrusted cloud resources. In Proceedings of OSDI. 337--350.
- Deng-Guo Feng, Min Zhang, Yan Zhang, and Zhen Xu. 2011. Study on cloud computing security. Journal of Software 22, 1, 71--83.
- Bryan Ford. 2012. Icebergs in the clouds: The other risks of cloud computing. In Proceedings of HotCloud. 2--7.
- Armando Fox, Rean Griffith, Anthony Joseph, Randy Katz, Andrew Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, and Ion Stoica. 2009. Above the Clouds: A Berkeley View of Cloud Computing. Technical Report No. UCB/EECS-2009-28. Department of EECS, University of California, Berkeley.
- Rajeshwari Ganesan, Santonu Sarkar, and Naveen Tewari. 2012. An independent verification of errors and vulnerabilities in SaaS cloud. In Proceedings of the DSN Workshops. IEEE, Los Alamitos, CA, 1--6.
- Tal Garfinkel and Mendel Rosenblum. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of NDSS. 191--206.
- Joseph Idziorek, Mark Tannian, and Doug Jacobson. 2012. Attribution of fraudulent resource consumption in the cloud. In Proceedings of CLOUD. IEEE, Los Alamitos, CA, 99--106.
- Infosys Limited. 2014. Infosys WalletEdge. Retrieved December 26, 2014, from http://www.infosys.com/products-and-platforms/.
- Seny Kamara and Kristin Lauter. 2010. Cryptographic cloud storage. In Financial Cryptography and Data Security. Lecture Notes in Computer Science, Vol. 6054. Springer, 136--149.
- Seny Kamara, Charalampos Papamanthou, and Tom Roeder. 2011. CS2: A Searchable Cryptographic Cloud Storage System. Technical Report MSR-TR-2011-58. Microsoft Research.
- Sepandar D. Kamvar, Mario T. Schlosser, and Hector Garcia-Molina. 2003. The EigenTrust algorithm for reputation management in P2P networks. In Proceedings of WWW. ACM, New York, NY, 640--651.
- Lori M. Kaufman. 2010. Can public-cloud security meet its unique challenges? IEEE Security and Privacy 8, 4, 55--57.
- Safwan Mahmud Khan and Kevin W. Hamlen. 2012. Hatman: Intra-cloud trust management for Hadoop. In Proceedings of CLOUD. IEEE, Los Alamitos, CA, 494--501.
- Taesoo Kim, Marcus Peinado, and Gloria Mainar-Ruiz. 2012. STEALTHMEM: System-level protection against cache-based side channel attacks in the cloud. In Proceedings of the USENIX Security Symposium. 11--27.
- Ryan Ko, Stephen Lee, and Veerappa Rajan. 2013. Cloud computing vulnerability incidents: A statistical overview.
- Ronald L. Krutz and Russell Dean Vines. 2010. Cloud Security: A Comprehensive Guide to Secure Cloud Computing. John Wiley & Sons.
- Lorenzo Martignoni, Pongsin Poosankam, Matei Zaharia, Jun Han, Stephen McCamant, Dawn Song, Vern Paxson, Adrian Perrig, Scott Shenker, and Ion Stoica. 2012. Cloud Terminal: Secure access to sensitive applications from untrusted systems. In Proceedings of USENIX ATC. 14--25.
- Tim Mather, Subra Kumaraswamy, and Shahed Latif. 2009. Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media Inc.
- Peter Mell and Timothy Grance. 2011. The NIST Definition of Cloud Computing (draft). NIST Special Publication 800-145.
- Microsoft. 2014. Security Development Lifecycle. Retrieved December 26, 2014, from http://www.microsoft.com/security/sdl/.
- Jeffrey Naruchitparames and Mehmet H. Gunes. 2011. Enhancing data privacy and integrity in the cloud. In Proceedings of HPCS. IEEE, Los Alamitos, CA, 427--434.
- Ricardo Neisse, Dominik Holling, and Alexander Pretschner. 2011. Implementing trust in cloud infrastructures. In Proceedings of CCGrid. IEEE, Los Alamitos, CA, 524--533.
- Anh Nguyen, Himanshu Raj, Shravan Rayanchu, Stefan Saroiu, and Alec Wolman. 2012. Delusional boot: Securing hypervisors without massive re-engineering. In Proceedings of EuroSys. ACM, New York, NY, 141--154.
- Masayuki Okuhara, Tetsuo Shiozaki, and Takuya Suzuki. 2010. Security architecture for cloud computing. Fujitsu Sci. Tech. J. 46, 4, 397--402.
- Ioannis Papagiannis and Peter Pietzuch. 2012. CloudFilter: Practical control of sensitive data propagation to the cloud. In Proceedings of CCSW. ACM, New York, NY, 97--102.
- David A. Patterson, Garth Gibson, and Randy H. Katz. 1988. A case for redundant arrays of inexpensive disks (RAID). In Proceedings of SIGMOD. ACM, New York, NY, 109--116.
- Diego Perez-Botero, Jakub Szefer, and Ruby B. Lee. 2013. Characterizing hypervisor vulnerabilities in cloud computing servers. In Proceedings of SCCW. ACM, New York, NY, 3--10.
- Raluca Ada Popa, Jacob R. Lorch, David Molnar, Helen J. Wang, and Li Zhuang. 2011. Enabling security in cloud storage SLAs with CloudProof. In Proceedings of USENIX ATC. 31--44.
- Brian Prince. n.d. Trojan Blocks Cloud Antivirus Security Technology. Retrieved December 26, 2014, from http://usa.kaspersky.com/about-us/press-center/in-the-news/trojan-blocks-cloud-antivirus-security-technology.
- Costin Raiciu, Mihail Ionescu, and Drago Niculescu. 2012. Opening up black box networks with CloudTalk. In Proceedings of HotCloud. 8--13.
- Sumant Ramgovind, Mariki Eloff, and Elme Smith. 2010. The management of security in cloud computing. In Proceedings of ISSA. IEEE, Los Alamitos, CA, 1--7.
- Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of CCS. ACM, New York, NY, 199--212.
- Mendel Rosenblum and Tal Garfinkel. 2005. Virtual machine monitors: Current technology and future trends. Computer 38, 5, 39--47.
- Mark D. Ryan. 2013. Cloud computing security: The scientific challenge, and a survey of solutions. Journal of Systems and Software 86, 9, 2263--2268.
- P. Saripalli and B. Walters. 2010. QUIRC: A quantitative impact and risk assessment framework for cloud security. In Proceedings of CLOUD. IEEE, Los Alamitos, CA, 280--288.
- Farzad Sabahi. 2011. Cloud computing security threats and responses. In Proceedings of ICCSN. IEEE, Los Alamitos, CA, 245--249.
- Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues. 2009. Towards trusted cloud computing. In Proceedings of HotCloud. 3.
- Nuno Santos, Rodrigo Rodrigues, Krishna P. Gummadi, and Stefan Saroiu. 2012. Policy-sealed data: A new abstraction for building trusted cloud services. In Proceedings of the USENIX Security Symposium. 10--23.
- Joshua Schiffman, Thomas Moyer, Christopher Shal, Trent Jaeger, and Patrick McDaniel. 2009. Justifying integrity using a virtual machine verifier. In Proceedings of ACSAC. IEEE, Los Alamitos, CA, 83--92.
- Aashish Sharma, Zbigniew Kalbarczyk, James Barlow, and Ravishankar Iyer. 2011. Analysis of security data from a large computing organization. In Proceedings of DSN. IEEE, Los Alamitos, CA, 506--517.
- Abhinav Srivastava, Himanshu Raj, Jonathon Giffin, and Paul England. 2012. Trusted VM snapshots in untrusted cloud infrastructures. In Research in Attacks, Intrusions, and Defenses. Lecture Notes in Computer Science, Vol. 7462. Springer, 1--21.
- Emil Stefanov, Marten van Dijk, Ari Juels, and Alina Oprea. 2012. Iris: A scalable cloud file system with efficient integrity checks. In Proceedings of ACSAC. ACM, New York, NY, 229--238.
- Marianthi Theoharidou, Nikolaos Tsalis, and Dimitris Gritzalis. 2013. In cloud we trust: Risk-assessment-as-a-service. In Trust Management VII. IFIP Advances in Information and Communication Technology, Vol. 401. 100--110.
- Donghai Tian, Qiang Zeng, Dinghao Wu, Peng Liu, and Changzhen Hu. 2012. Kruiser: Semi-synchronized non-blocking concurrent kernel heap buffer overflow monitoring. In Proceedings of NDSS.
- Marten van Dijk and Ari Juels. 2010. On the impossibility of cryptography alone for privacy-preserving cloud computing. In Proceedings of HotSec. 1--8.
- Marten van Dijk, Ari Juels, Alina Oprea, Ronald L. Rivest, Emil Stefanov, and Nikos Triandopoulos. 2012. Hourglass schemes: How to prove that cloud files are encrypted. In Proceedings of CCS. ACM, New York, NY, 265--280.
- Luis M. Vaquero, Luis Rodero-Merino, and Daniel Morán. 2011. Locking the sky: A survey on IaaS cloud security. Computing 91, 1, 93--118.
- Venkatanathan Varadarajan, Thawan Kooburat, Benjamin Farley, Thomas Ristenpart, and Michael M. Swift. 2012. Resource-freeing attacks: Improve your cloud performance (at your neighbor's expense). In Proceedings of CCS. ACM, New York, NY, 281--292.
- Yao Wang and G. Edward Suh. 2012. Efficient timing channel protection for on-chip networks. In Proceedings of NoCS. IEEE, Los Alamitos, CA, 142--151.
- Jinpeng Wei, Xiaolan Zhang, Glenn Ammons, Vasanth Bala, and Peng Ning. 2009. Managing security of virtual machine images in a cloud environment. In Proceedings of CCSW. ACM, New York, NY, 91--96.
- Lifei Wei, Haojin Zhu, Zhenfu Cao, Xiaolei Dong, Weiwei Jia, Yunlu Chen, and Athanasios Vasilakos. 2014. Security and privacy for storage and computation in cloud computing. Information Sciences 258, 371--386.
- Zhenyu Wu, Zhang Xu, and Haining Wang. 2012. Whispers in the hyper-space: High-speed covert channel attacks in the cloud. In Proceedings of the USENIX Security Symposium. 9--25.
- Chiachih Wu, Zhi Wang, and Xuxian Jiang. 2013. Taming hosted hypervisors with (mostly) deprivileged execution. In Proceedings of NDSS. 141--154.
- Yunjing Xu, Michael Bailey, Farnam Jahanian, Kaustubh Joshi, Matti Hiltunen, and Richard Schlichting. 2011. An exploration of L2 cache covert channels in virtualized environments. In Proceedings of CCSW. ACM, New York, NY, 29--40.
- Sara Yin. 2011. Google Wallet aims to take mobile payments mainstream. PCMag.com, 1--2.
- Younis A. Younis, Madjid Merabti, and Kashif Kifayat. 2013. Secure Cloud Computing for Critical Infrastructure: A Survey. Technical Report. Liverpool John Moores University, Liverpool, England.
- Fengzhe Zhang, Jin Chen, Haibo Chen, and Binyu Zang. 2011. CloudVisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In Proceedings of SOSP. ACM, New York, NY, 203--216.
- Xinwen Zhang, Joshua Schiffman, Simon Gibbs, Anugeetha Kunjithapatham, and Sangoh Jeong. 2009. Securing elastic applications on mobile devices for cloud computing. In Proceedings of CCSW. ACM, New York, NY, 127--134.
- Wu Zhou, Peng Ning, Xiaolan Zhang, Glenn Ammons, Ruowen Wang, and Vasanth Bala. 2010a. Always up-to-date: Scalable offline patching of VM images in a compute cloud. In Proceedings of ACSAC. ACM, New York, NY, 377--386.
- Wenchao Zhou, Micah Sherr, William R. Marczak, Zhuoyao Zhang, Tao Tao, Boon Thau Loo, and Insup Lee. 2010b. Towards a data-centric view of cloud security. In Proceedings of CDMW. ACM, New York, NY, 25--32.
- Wenchao Zhou, Yun Mao, Boon Thau Loo, and Martín Abadi. 2009. Unified declarative platform for secure networked information systems. In Proceedings of ICDE. IEEE, Los Alamitos, CA, 150--161.
Index Terms
- Secure the Cloud: From the Perspective of a Service-Oriented Organization