Cybersecurity threats in cloud computing


Julian Jang Jaccard

Keywords

Internet; cyberattacks; security

Abstract

Recently we have witnessed the emergence of cloud computing as a new computing model that offers resources (e.g., compute, storage, network) as general utilities to be leased and released on demand by users through the Internet. Given its innovative nature and reliance on the Internet, the cloud inherently comes with a number of vulnerabilities that increase the space for cyber attacks. This paper aims to provide an overview of major potential risks to privacy and security in the cloud. Various emerging threats and attack methods are discussed, and some speculative future research directions are presented.


 

