Secure the Cloud: From the Perspective of a Service-Oriented Organization

Published: 17 February 2015

Abstract

In response to the revival of virtualization technology by Rosenblum and Garfinkel [2005], NIST defined cloud computing, a new paradigm in service computing infrastructures. In cloud environments, the basic security mechanism is ingrained in virtualization—that is, the execution of instructions at different privilege levels. Despite its obvious benefits, the caveat is that a crashed virtual machine (VM) is much harder to recover than a crashed workstation. When crashed, a VM is nothing but a giant corrupt binary file and quite unrecoverable by standard disk-based forensics. Therefore, VM crashes should be avoided at all costs. Security is one of the major contributors to such VM crashes. This includes compromising the hypervisor, cloud storage, images of VMs used infrequently, and the remote cloud client used by the customer, as well as threats from malicious insiders. Although using secure infrastructures such as private clouds alleviates several of these security problems, most cloud users end up using cheaper options such as third-party infrastructures (i.e., private clouds), so a thorough discussion of all known security issues is pertinent. Hence, in this article, we discuss ongoing research in cloud security in order of the attack scenarios exploited most often in the cloud environment. We explore attack scenarios that call for securing the hypervisor, exploiting co-residency of VMs, VM image management, mitigating insider threats, securing storage in clouds, abusing lightweight software-as-a-service clients, and protecting data propagation in clouds. Wearing a practitioner's glasses, we explore the relevance of each attack scenario to a service company like Infosys. At the same time, we draw parallels between cloud security research and implementation of security solutions in the form of enterprise security suites for the cloud. We discuss the state of practice in the form of enterprise security suites that include cryptographic solutions, access control policies in the cloud, new techniques for attack detection, and security quality assurance in clouds.

References

  1. Mohamed Almorsy, John Grundy, and Amani Ibrahim. 2011. Collaboration-based cloud computing security management framework. In Proceedings of CLOUD. IEEE, Los Alamitos, CA, 364--371.
  2. Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang, Xiaolan Zhang, and Nathan C. Skalsky. 2010. HyperSentry: Enabling stealthy in-context measurement of hypervisor integrity. In Proceedings of CCS. ACM, New York, NY, 38--49.
  3. Andrew Baumann, Marcus Peinado, and Galen Hunt. 2014. Shielding applications from an untrusted cloud with Haven. In Proceedings of OSDI. 267--283.
  4. Sebastian Biedermann, Martin Mink, and Stefan Katzenbeisser. 2012. Fast dynamic extracted honeypots in cloud computing. In Proceedings of CCSW. ACM, New York, NY, 13--18.
  5. Kevin D. Bowers, Ari Juels, and Alina Oprea. 2009. HAIL: A high-availability and integrity layer for cloud storage. In Proceedings of CCS. ACM, New York, NY, 187--198.
  6. Shakeel Butt, H. Andrés Lagar-Cavilla, Abhinav Srivastava, and Vinod Ganapathy. 2012. Self-service cloud computing. In Proceedings of CCS. ACM, New York, NY, 253--264.
  7. Jose M. Alcaraz Calero, Nigel Edwards, Johannes Kirschnick, Lawrence Wilcock, and Mike Wray. 2010. Toward a multi-tenancy authorization system for cloud services. IEEE Security and Privacy 8, 6, 48--55.
  8. Andrew T. Campbell, Hermann G. De Meer, Michael E. Kounavis, Kazuho Miki, John Vicente, and Daniel A. Villela. 1999. The Genesis Kernel: A virtual network operating system for spawning network architectures. In Proceedings of OPENARCH. IEEE, Los Alamitos, CA, 115--127.
  9. Martim Carbone, Matthew Conover, Bruce Montague, and Wenke Lee. 2012. Secure and robust monitoring of virtual machines through guest-assisted introspection. In Research in Attacks, Intrusions, and Defenses. Lecture Notes in Computer Science, Vol. 7462. Springer, 22--41.
  10. Yanpei Chen, Vern Paxson, and Randy H. Katz. 2010. What's New about Cloud Computing Security. Technical Report No. UCB/EECS-2010-5. University of California, Berkeley.
  11. Mihai Christodorescu, Reiner Sailer, Douglas Schales, Daniele Sgandurra, and Diego Zamboni. 2009. Cloud security is not (just) virtualization security. In Proceedings of CCSW. ACM, New York, NY, 97--102.
  12. William R. Claycomb and Alex Nicoll. 2012. Insider threats to cloud computing: Directions for new research challenges. In Proceedings of COMPSAC. IEEE, Los Alamitos, CA, 387--394.
  13. EMC Corporation. 2014. EMC2 Home Page. Retrieved December 26, 2014, from http://www.emc.com/security/rsa-envision.htm.
  14. Loek Essers. 2012. Cloud Failures Cost More Than $71 Million since 2007. Retrieved December 26, 2014, from http://www.infoworld.com/d/cloud-computing/cloud-failures-cost-more-71-million-2007-195895.
  15. Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward W. Felten. 2010. SPORC: Group collaboration using untrusted cloud resources. In Proceedings of OSDI. 337--350.
  16. Deng-Guo Feng, Min Zhang, Yan Zhang, and Zhen Xu. 2011. Study on cloud computing security. Journal of Software 22, 1, 71--83.
  17. Bryan Ford. 2012. Icebergs in the clouds: The other risks of cloud computing. In Proceedings of HotCloud. 2--7.
  18. Armando Fox, Rean Griffith, Anthony Joseph, Randy Katz, Andrew Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, and Ion Stoica. 2009. Above the Clouds: A Berkeley View of Cloud Computing. Technical Report 28. Department of EECS, University of California, Berkeley.
  19. Rajeshwari Ganesan, Santonu Sarkar, and Naveen Tewari. 2012. An independent verification of errors and vulnerabilities in SaaS cloud. In Proceedings of the DSN Workshops. IEEE, Los Alamitos, CA, 1--6.
  20. Tal Garfinkel and Mendel Rosenblum. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of NDSS. 191--206.
  21. Joseph Idziorek, Mark Tannian, and Doug Jacobson. 2012. Attribution of fraudulent resource consumption in the cloud. In Proceedings of CLOUD. IEEE, Los Alamitos, CA, 99--106.
  22. Infosys Limited. 2014. Infosys WalletEdge. Retrieved December 26, 2014, from http://www.infosys.com/products-and-platforms/.
  23. Seny Kamara and Kristin Lauter. 2010. Cryptographic cloud storage. In Financial Cryptography and Data Security. Lecture Notes in Computer Science, Vol. 6054. Springer, 136--149.
  24. Seny Kamara, Charalampos Papamanthou, and Tom Roeder. 2011. CS2: A Searchable Cryptographic Cloud Storage System. Technical Report MSR-TR-2011-58. Microsoft Research.
  25. Sepandar D. Kamvar, Mario T. Schlosser, and Hector Garcia-Molina. 2003. The EigenTrust algorithm for reputation management in p2p networks. In Proceedings of WWW. ACM, New York, NY, 640--651.
  26. Lori M. Kaufman. 2010. Can public-cloud security meet its unique challenges? IEEE Security and Privacy 8, 4, 55--57.
  27. Safwan Mahmud Khan and Kevin W. Hamlen. 2012. Hatman: Intra-cloud trust management for Hadoop. In Proceedings of CLOUD. IEEE, Los Alamitos, CA, 494--501.
  28. Taesoo Kim, Marcus Peinado, and Gloria Mainar-Ruiz. 2012. STEALTHMEM: System-level protection against cache-based side channel attacks in the cloud. In Proceedings of the USENIX Security Symposium. 11--27.
  29. Ryan Ko, Stephen Lee, and Veerappa Rajan. 2013. Cloud computing vulnerability incidents: A statistical overview.
  30. Ronald L. Krutz and Russell Dean Vines. 2010. Cloud Security: A Comprehensive Guide to Secure Cloud Computing. John Wiley & Sons.
  31. Lorenzo Martignoni, Pongsin Poosankam, Matei Zaharia, Jun Han, Stephen McCamant, Dawn Song, Vern Paxson, Adrian Perrig, Scott Shenker, and Ion Stoica. 2012. Cloud Terminal: Secure access to sensitive applications from untrusted systems. In Proceedings of USENIX ATC. 14--25.
  32. Tim Mather, Subra Kumaraswamy, and Shahed Latif. 2009. Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media Inc.
  33. Peter Mell and Timothy Grance. 2011. The NIST definition of cloud computing (draft). NIST Special Publication 800, 145.
  34. Microsoft. 2014. Security Development Lifecycle. Retrieved December 26, 2014, from http://www.microsoft.com/security/sdl/.
  35. Jeffrey Naruchitparames and Mehmet H. Gunes. 2011. Enhancing data privacy and integrity in the cloud. In Proceedings of HPCS. IEEE, Los Alamitos, CA, 427--434.
  36. Ricardo Neisse, Dominik Holling, and Alexander Pretschner. 2011. Implementing trust in cloud infrastructures. In Proceedings of CCGrid. IEEE, Los Alamitos, CA, 524--533.
  37. Anh Nguyen, Himanshu Raj, Shravan Rayanchu, Stefan Saroiu, and Alec Wolman. 2012. Delusional boot: Securing hypervisors without massive re-engineering. In Proceedings of EuroSys. ACM, New York, NY, 141--154.
  38. Masayuki Okuhara, Tetsuo Shiozaki, and Takuya Suzuki. 2010. Security architecture for cloud computing. Fujitsu Sci. Tech. J. 46, 4, 397--402.
  39. Ioannis Papagiannis and Peter Pietzuch. 2012. CloudFilter: Practical control of sensitive data propagation to the cloud. In Proceedings of CCSW. ACM, New York, NY, 97--102.
  40. David A. Patterson, Garth Gibson, and Randy H. Katz. 1988. A case for redundant arrays of inexpensive disks (RAID). In Proceedings of SIGMOD. ACM, New York, NY, 109--116.
  41. Diego Perez-Botero, Jakub Szefer, and Ruby B. Lee. 2013. Characterizing hypervisor vulnerabilities in cloud computing servers. In Proceedings of SCCW. ACM, New York, NY, 3--10.
  42. Raluca Ada Popa, Jacob R. Lorch, David Molnar, Helen J. Wang, and Li Zhuang. 2011. Enabling security in cloud storage SLAs with CloudProof. In Proceedings of USENIX ATC. 31--44.
  43. Brian Prince. n.d. Trojan Blocks Cloud Antivirus Security Technology. Retrieved December 26, 2014, from http://usa.kaspersky.com/about-us/press-center/in-the-news/trojan-blocks-cloud-antivirus-security-technology.
  44. Costin Raiciu, Mihail Ionescu, and Drago Niculescu. 2012. Opening up black box networks with CloudTalk. In Proceedings of HotCloud. 8--13.
  45. Sumant Ramgovind, Mariki Eloff, and Elme Smith. 2010. The management of security in cloud computing. In Proceedings of ISSA. IEEE, Los Alamitos, CA, 1--7.
  46. Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of CCS. ACM, New York, NY, 199--212.
  47. Mendel Rosenblum and Tal Garfinkel. 2005. Virtual machine monitors: Current technology and future trends. Computer 38, 5, 39--47.
  48. Mark D. Ryan. 2013. Cloud computing security: The scientific challenge, and a survey of solutions. Journal of Systems and Software 86, 9, 2263--2268.
  49. P. Saripalli and B. Walters. 2010. Quirc: A quantitative impact and risk assessment framework for cloud security. In Proceedings of CLOUD. IEEE, 280--288.
  50. Farzad Sabahi. 2011. Cloud computing security threats and responses. In Proceedings of ICCSN. IEEE, Los Alamitos, CA, 245--249.
  51. Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues. 2009. Towards trusted cloud computing. In Proceedings of HotCloud. 3.
  52. Nuno Santos, Rodrigo Rodrigues, Krishna P. Gummadi, and Stefan Saroiu. 2012. Policy-sealed data: A new abstraction for building trusted cloud services. In Proceedings of the USENIX Security Symposium. 10--23.
  53. Joshua Schiffman, Thomas Moyer, Christopher Shal, Trent Jaeger, and Patrick McDaniel. 2009. Justifying integrity using a virtual machine verifier. In Proceedings of ACSAC. IEEE, Los Alamitos, CA, 83--92.
  54. Aashish Sharma, Zbigniew Kalbarczyk, James Barlow, and Ravishankar Iyer. 2011. Analysis of security data from a large computing organization. In Proceedings of DSN. IEEE, Los Alamitos, CA, 506--517.
  55. Abhinav Srivastava, Himanshu Raj, Jonathon Giffin, and Paul England. 2012. Trusted VM snapshots in untrusted cloud infrastructures. In Research in Attacks, Intrusions, and Defenses. Lecture Notes in Computer Science, Vol. 7462. Springer, 1--21.
  56. Emil Stefanov, Marten van Dijk, Ari Juels, and Alina Oprea. 2012. Iris: A scalable cloud file system with efficient integrity checks. In Proceedings of ACSAC. ACM, New York, NY, 229--238.
  57. Marianthi Theoharidou, Nikolaos Tsalis, and Dimitris Gritzalis. 2013. In cloud we trust: Risk-assessment-as-a-service. In Trust Management VII. IFIP Advances in Information and Communication Technology, Vol. 401. 100--110.
  58. Donghai Tian, Qiang Zeng, Dinghao Wu, Peng Liu, and Changzhen Hu. 2012. Kruiser: Semi-synchronized non-blocking concurrent kernel heap buffer overflow monitoring. In Proceedings of NDSS.
  59. Marten Van Dijk and Ari Juels. 2010. On the impossibility of cryptography alone for privacy-preserving cloud computing. In Proceedings of HotSec. 1--8.
  60. Marten Van Dijk, Ari Juels, Alina Oprea, Ronald L. Rivest, Emil Stefanov, and Nikos Triandopoulos. 2012. Hourglass schemes: How to prove that cloud files are encrypted. In Proceedings of CCS. ACM, New York, NY, 265--280.
  61. Luis Vaquero, Luis Rodero-Merino, and Daniel Morán. 2011. Locking the sky: A survey on IaaS cloud security. Computing 91, 1, 93--118.
  62. Venkatanathan Varadarajan, Thawan Kooburat, Benjamin Farley, Thomas Ristenpart, and Michael M. Swift. 2012. Resource-freeing attacks: Improve your cloud performance (at your neighbor's expense). In Proceedings of CCS. ACM, New York, NY, 281--292.
  63. Yao Wang and G. Edward Suh. 2012. Efficient timing channel protection for on-chip networks. In Proceedings of NoCS. IEEE, Los Alamitos, CA, 142--151.
  64. Jinpeng Wei, Xiaolan Zhang, Glenn Ammons, Vasanth Bala, and Peng Ning. 2009. Managing security of virtual machine images in a cloud environment. In Proceedings of CCSW. ACM, New York, NY, 91--96.
  65. Lifei Wei, Haojin Zhu, Zhenfu Cao, Xiaolei Dong, Weiwei Jia, Yunlu Chen, and Athanasios Vasilakos. 2014. Security and privacy for storage and computation in cloud computing. Information Sciences 258, 371--386.
  66. Zhenyu Wu, Zhang Xu, and Haining Wang. 2012. Whispers in the hyper-space: High-speed covert channel attacks in the cloud. In Proceedings of the USENIX Security Symposium. 9--25.
  67. Zhi W. Chiachih Wu and Xuxian Jiang. 2013. Taming hosted hypervisors with (mostly) deprivileged execution. In Proceedings of NDSS. 141--154.
  68. Yunjing Xu, Michael Bailey, Farnam Jahanian, Kaustubh Joshi, Matti Hiltunen, and Richard Schlichting. 2011. An exploration of L2 cache covert channels in virtualized environments. In Proceedings of CCSW. ACM, New York, NY, 29--40.
  69. Sara Yin. 2011. Google wallet aims to take mobile payments mainstream. PCMag.com, 1--2.
  70. Younis A. Younis, Madjid Merabti, and Kashif Kifayat. 2013. Secure Cloud Computing for Critical Infrastructure: A Survey. Technical Report. Liverpool John Moores University, Liverpool, England.
  71. Fengzhe Zhang, Jin Chen, Haibo Chen, and Binyu Zang. 2011. CloudVisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In Proceedings of SOSP. ACM, New York, NY, 203--216.
  72. Xinwen Zhang, Joshua Schiffman, Simon Gibbs, Anugeetha Kunjithapatham, and Sangoh Jeong. 2009. Securing elastic applications on mobile devices for cloud computing. In Proceedings of CCSW. ACM, New York, NY, 127--134.
  73. Wu Zhou, Peng Ning, Xiaolan Zhang, Glenn Ammons, Ruowen Wang, and Vasanth Bala. 2010a. Always up-to-date: Scalable offline patching of VM images in a compute cloud. In Proceedings of ACSAC. ACM, New York, NY, 377--386.
  74. Wenchao Zhou, Micah Sherr, William R. Marczak, Zhuoyao Zhang, Tao Tao, Boon Thau Loo, and Insup Lee. 2010b. Towards a data-centric view of cloud security. In Proceedings of CDMW. ACM, New York, NY, 25--32.
  75. Wenchao Zhou, Yun Mao, Boon Thau Loo, and Martín Abadi. 2009. Unified declarative platform for secure networked information systems. In Proceedings of ICDE. IEEE, Los Alamitos, CA, 150--161.

Published in

ACM Computing Surveys, Volume 47, Issue 3, April 2015, 602 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/2737799
Editor: Sartaj Sahni

          Copyright © 2015 ACM


Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Accepted: 1 November 2014
• Revised: 1 October 2014
• Received: 1 March 2014


          Qualifiers

          • survey
          • Research
          • Refereed
