See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/267697749

Security Challenges in Cloud Computing

Article · January 2010

CITATIONS

60
READS

7,730

3 authors, including:

Levent Ertaul
California State University, East Bay
31 PUBLICATIONS 272 CITATIONS

All content following this page was uploaded by Levent Ertaul on 22 December 2014.

The user has requested enhancement of the downloaded file.

 Security Challenges in Cloud Computing
L. Ertaul1, S. Singhal2, and G. Saldamli3
1
Mathematics and Computer Science, CSU East Bay, Hayward, CA, USA
2
Mathematics and Computer Science, CSU East Bay, Hayward, CA, USA
3
MIS, Bogazici University, Istanbul, TURKEY

Abstract - Cloud Computing is one of the biggest buzzwords in the computer world these days. It allows resource sharing that
includes software, platform and infrastructure by means of virtualization. Virtualization is the core technology behind cloud resource
sharing. This environment strives to be dynamic, reliable, and customizable with a guaranteed quality of service. Security is as much
of an issue in the cloud as it is anywhere else. Different people share different point of view on cloud computing. Some believe it is
unsafe to use cloud. Cloud vendors go out of their way to ensure security. This paper investigates few major security issues with
cloud computing and the existing counter measures to those security challenges in the world of cloud computing..

Keywords: Cloud Computing Security, Distributed Networks Security, Network Security

1 Introduction
Cloud computing is a pay-per-use model for enabling convenient, on-demand network access to a shared pool of configurable
computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]
[4][5]. Typically there are three types of resources that can be provisioned and consumed using cloud: software-as-a-service,
platform-as-a- service, and infrastructure-as-a-service [1][2][3][5].

Cloud computing services themselves fall into three major categories. The first type of cloud computing service is known as
Software-as-a-service (SAAS). This service provides capability to the service subscribers to access provider’s software applications
running on a cloud infrastructure. The service providers manage and control the application. Customer does not have to own the
software but instead only pay to use it through a web API [1] [2]. For example, Google Docs relies on JAVA Script, which runs in the
Web browser [3].

The second type of cloud service is called Platform-as- a-service (PaaS). It is another application delivery model. PaaS lets the
consumer to deploy their applications on the providers cloud infrastructure using programming languages and tools supported by the
provider. The consumer does not have to manage the underlying cloud infrastructure but has control over the deployed application [1]
[2]. A recent
example is the Google App Engine, a service that lets developer to write programs to run them on Google’s infrastructure [3].

The third and final type of cloud computing is known as Infrastructure-as-a-service (IaaS). This service basically delivers
virtual machine images as a service and the machine can contain whatever the developers want [3]. Instead of purchasing
servers, software, data center resources, network equipment, and the expertise to operate them, customers can buy these
resources as an outsourced service delivered through the network cloud [2]. The consumer can automatically grow or shrink the
number of virtual machines running at any given time to accommodate the changes in their requirement. For example, host
firewalls [1] [2] [3].

There are different kinds of cloud deployment models available. We will discuss three major types of cloud. The first one
is Private cloud. This is also known as internal cloud.

This paper is organized as follows. In section 2, we briefly describe the cloud computing architecture. In section 3, we
briefly describe the applications of cloud computing. In section 4, we discuss the major security challenges in cloud computing
environment and their existing counter measures. In section 5, we briefly discuss the cloud related working groups. In section 6,
we discuss the security standards in cloud computing. Finally, in section 7, we conclude.

2 Cloud Computing Architecture

Cloud computing system is divided into two sections: the front end and the back end. Theses two ends connect to each
other usually through Internet. The front end is the user side and back end is the “cloud” section of the system. The front end
includes the client’s computer and the application required to access the cloud computing system. As shown in figure 1, on the
back end of the system are the various computers, servers and data storage systems that create the “cloud” of computing
services [2][5][6]. A central server administers the system, monitoring traffic and client demands to ensure everything runs
smoothly. It follows a set of rules called protocols and uses a special kind of software called middleware [2][5].
 Figure 1. High-Level Cloud Middleware Architecture Example

Cloud middleware also referred to as cloud OS, is the major system that manages and controls services. Middleware allows
networked computers to communicate with each other [6]. Google App Engine and Amazon EC2/S3 are examples of cloud
middleware [20]. An Application Programming Interface (APIs) for applications, acquisition of resources such as computing power
and storage, and machine image management must be available to make applications suitable for network clouds [2][5][13].

In a simplified vision of the cloud computing architecture, as shown in figure 2, first of all, Client sends service requests. Then
system management finds correct resources. After that, system provisioning finds correct resources. After the computing resources are
found then the client request is executed. Finally, results of the service requests are sent to the clients [2][6][13].

Figure 2. Cloud computing Workflow

In the next section we discuss different applications of cloud computing environment and how using cloud can be so beneficial
for organizations of all the sizes.

3 Cloud Computing Applications

The applications of cloud computing are practically limitless. With the right middleware, a cloud computing system can
practically run all the applications a personal computer can run.
- Clients will be able to access their applications and data at any time from anywhere using any computer linked to Internet [6].
- Traditionally, Organizations that rely on computers for their operations have to buy all the required software or software
licenses for every employee. Cloud computing system gives an option to these organizations to get access to all the required
computer applications without even buying those applications. Instead, company can pay a pay-per-use fee to a cloud service
provider [4] [6].
- Cloud computing system will reduce the hardware costs on client side. User will not have to buy the computer with most
memory, nor has he to buy the large hard drive to store his data. Cloud system will take care of this client’s need. Client just
have to buy a computer terminal with a monitor, input devices with just enough processing power to run the middleware
necessary to connect to the cloud system [4][6][[18].
- In most of the companies servers and digital storage devices take up a huge space. Some companies do not have a large
physical apace available on-site so they rent space to store their servers and databases. Cloud computing system gives these
companies an option to store their data on someone else’s (cloud service providers) hardware thus freeing these companies of
requirement to have their own physical space on the client side [6] [17].
- Client can make use of cloud system’s huge processing power. Like in grid computing, client can send huge complex
calculations on cloud for processing. Sometimes complex calculations can take years for individual computer to compute. The
cloud system in this case will use the processing power of required number of available computers on the back end to speed up
the calculation [1][6][8].
Cloud computing offers significant advantage over the traditional computing system but it has its own issues.

In the next section we discuss about the major security challenges in cloud computing environment and their existing
counter measures.

4 Cloud Computing Challenges

Security and privacy are the two major concerns about cloud computing. In the cloud computing world, the virtual
environment lets user access computing power that exceeds that contained within their physical world. To enter this virtual
environment a user is required to transfer data throughout the cloud. Consequently several security concerns arises [4] [7] [8]
[16].

4.1 Information Security

It is concerned with protecting the confidentiality, integrity and availability of data regardless of the form the data may
take [9].
 - Losing control over data: Outsourcing means losing significant control over data. Large banks don’t want to run a program
delivered in the cloud that risk compromising their data through interaction with some other program [3][10]. Amazon Simple
Storage Service (S3) APIs provide both bucket- and object level access controls, with defaults that only permit authenticated
access by the bucket and/or object creator. Unless a customer grants anonymous access to their data, the first step before a user
can access data is to be authenticated using HMAC-SHA1 signature of the request using the user’s private key [9][15][16].
Therefore, the customer maintains full control over who has access to their data. [13].
- Data Integrity: Data integrity is assurance that data changes only in response to authorized transactions. For example, if the client
is responsible for constructing and validating database queries and the server executes them blindly, the intruder will always be able to
modify the client- side code to do whatever he has permission to do with the backend database. Usually, that means the intruder can
read, change, or delete data at will [3]. The common standard to ensure data integrity does not yet exists [8]. In this new world of
computing users are universally required to accept the underlying premise of trust. In fact, some have conjectured that trust is the
biggest concern facing cloud computing [7].
- Risk of Seizure: In a public cloud, you are sharing computing resources with other companies.. Exposing your data in an
environment shared with other companies could give the government “reasonable cause” to seize your assets because another
company has violated the law. Simply because you share the environment in the cloud, may put data at risk of seizure [4][8]. The only
protection against the risk of seizure for user is to encrypt their data. The subpoena will compel the cloud provider to turn over user’s
data and any access it might have to that data, but cloud provider won’t have user’s access or decryption keys. To get at the data, the
court will have to come to user and subpoena user. As a result, user will end up with the same level of control user have in his private
data center [4][16].
- Incompatibility Issue: Storage services provided by one cloud vendor may be incompatible with another vendor’s services should
you decide to move from one to the other. Vendors are known for creating what the hosting world calls “sticky services” – services
that an end user may have difficulty transporting from one cloud vendor to another. For example, Amazon’s “Simple Storage Service”
[S3] is incompatible with IBM’s Blue Cloud, or Google, or Dell [4][8][13]. Amazon and Microsoft both declined to sign the newly
published Open Cloud Manifesto. Amazon and Microsoft pursue interoperability on their own terms [11][12][14].
- Constant Feature Additions: Cloud applications undergo constant feature additions, and users must keep up to date with
application improvements to be sure they are protected. The speed at which applications will change in the cloud will
affect both the SDLC (Software development life cycle) and security [4][8]. Updates to AWS infrastructure are done in such a
manner that in the vast majority of cases they do not impact the customer and their Service use [9][13] . AWS communicates
with customers, either via email, or through the AWS Service Health Dashboard when there is a chance that their Service use
may be affected [9].
- Failure in Provider’s Security: Failure of cloud provider to properly secure portions of its infrastructure – especially in the
maintenance of physical access control – results in the compromise of subscriber systems. Cloud can comprise multiple entities,
and in such a configuration, no cloud can be more secure than its weakest link [3][7]. It is expected that customer must trust
provider’s security. For small and medium size businesses provider security may exceed customer security. It is generally
difficult for the details that help ensure that the right things are being done [3][7].
- Cloud Provider Goes Down: This scenario has a number of variants: bankruptcy, deciding to take the business in another
direction, or a widespread and extended outage. Whatever is going on, subscriber risk losing access to their production system
due to the actions of another company. Subscriber also risk that the organization controlling subscriber data might not protect it
in accordance with the service levels to which they may have been previously committed [4]. The only option user have is to
chose a second provider and use automated, regular backups, for which many open source and commercial solutions exist, to
make sure any current and historical data can be recovered even if user cloud provider were to disappear from the face of the
earth [4].

4.2 Network Security

Network security measures are needed to protect data during their transmission, between terminal user and computer and
between computer and computer [21][22].

- Distributed Denial of Service (DDOS) Attack: In DDOS attack servers and networks are brought down by a huge amount of
network traffic and users are denied the access to a certain Internet based Service. In a commonly recognized worst-case
scenario, attackers use botnets to perform DDOS. In order to stop hackers to stop attacking the network, subscriber or provider
face blackmail [21][14]. Amazon Web Service (AWS) Application Programming Interface (API) endpoints are hosted on large,
Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the
world’s largest online retailer. Proprietary DDOS mitigation techniques are used. Additionally, Amazon’s networks are multi-
homed across a number of providers to achieve Internet access diversity [9].
- Man in the Middle Attack: This attack is a form of active eavesdropping in which the attacker makes independent
connections with the victims and relays messages between
them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is
controlled by the attacker [21]. All of the AWS APIs are available via SSL-protected endpoints which provide server authentication.
Amazon EC2 AMIs automatically generate new SSH host certificates on first boot and log them to the instance’s console. Customers
can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time.
Customers are encouraged to use SSL for all of their interactions with AWS [9].
- IP Spoofing: Spoofing is the creation of TCP/IP packets using somebody else’s IP address. Intruder gain unauthorized access to
computer, whereby he sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
[21][22]. Amazon EC2 instances cannot send spoofed network traffic. The Amazon-controlled, host-based firewall infrastructure
will not permit an instance to send traffic with a source IP or MAC address other than its own [9].
- Port Scanning: If the Subscriber configures the security group to allow traffic from any source to a specific port, then that
specific port will be vulnerable to a port scan. Since a port is a place where information goes into and out of the computer, port
scanning identifies open doors to a computer [21]. There is no way to stop someone from port scanning your computer while you
are on the Internet because accessing an Internet server opens a port which opens a door to your computer [8]. Port scans by
Amazon Elastic Compute Cloud (EC2) customers are a violation of the Amazon EC2 Acceptable use Policy (AUP). Violations of
the AUP are taken seriously, and every reported violation is investigated. Customers can report suspected abuse. When port
scanning is detected it is topped and blocked. Post scans of Amazon EC2 instances are generally ineffective because, by default,
all inbound ports on Amazon EC2 instances are closed and are only opened by the customer [9].
- Packet Sniffing: Packet sniffing by Other Tenants: Packet sniffing is listening (with software) to the raw network device for
packets that interest you. When that software sees a packet that fits certain criteria, it logs it to a file. The most common criteria
for an interesting packet is one that contains words like “login” or “password” [21][22]. It is not possible for a virtual instance
running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can
place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them [9].
Even two virtual instances that are owned by the same customer, located on the same physical host, cannot listen to each other’s
traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2. While Amazon EC2 does provide ample
protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers
should encrypt sensitive traffic [9]
4.3 Security Issues
They are more complex in a virtualized environment because you now have to keep track of security on two tiers: the
physical host security and the virtual machine security. If the physical host server’s security becomes compromised, all of the
virtual machines residing on that particular host server are impacted. And a compromised virtual machine might also wreak
havoc on the physical host server, which may then have an ill effect on all of the other virtual machines running on that same
host [23].

Instance Isolation: Isolation ensuring that different instances running on the same physical machine are isolated from
each other. Virtualization efficiencies in the cloud require virtual machines from multiple organizations to be co- located on the
same physical resources. Although traditional data center security still applies in the cloud environment, physical segregation
and hardware-based security cannot protect against attacks between virtual machines on the same server [18]. Administrative
access is through the Internet rather than the controlled and restricted direct or on-premises connection that is adhered to in the
traditional data center model. This increase risk of exposure will require stringent monitoring for changes in system control and
access control restriction [8]. Different instances running on the same physical machine are isolated from each other via Xen
hypervisor. Amazon is active in the Xen community, which ensures awareness of the latest developments. In addition, the AWS
firewalls reside within the hypervisor layer, between the physical network interface and the instance’s virtual interface. All
packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host in the
Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms
[9].

Host Operating System: Administrators with a business need to access the management plans are required to us multi-
factor authentication to gain access to purpose-built administration hosts. These administrative hosts are systems that are
specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged
and audited. When an employee no longer has a business need to access the management plane, the privileges and access to
those hosts and relevant systems are revoked [18].

Guest Operating System: Virtual instances are completely controlled by the customer. Customers have full root access or
administrative control over accounts, services, and applications. AWS does not have any access rights to customer instances and
cannot log into the guest OS. AWS recommends a base set of security best practices including: customer should disable
password-based access to their hosts, and utilize some form of multi-factor authentication to gain access to their instances, or at
a minimum certificate-based
SSH Version 2 access [9][13][15]. Additionally, customers should employ a privilege escalation mechanism with logging on a per-
user basis. For example, if the guest OS is Linux, After hardening their instance, they should utilize certificate- based SSHv2 to access
the virtual instance, disable remote root login, use command-line logging, and use ‘sodu’ for privilege escalation. Customers should
generate their own key pairs in order to guarantee that hey are unique, and not shared with other customers or with AWS [9]. AWS
Multi- Factor Authentication (AWS MFA) is an additional layer of security that offers enhanced control over AWS account settings.
It requires a valid six-digit, single-use code from an authentication device in your physical possession in addition to your standard
AWS account credentials before access is granted to an AWS account settings. This is called Multi- Factor Authentication because
two factors are checked before access is granted to your account: customer need to provide both their Amazon email-id and password
(the first “factor”: something you know) AND the precise code from customer authentication device (the second “factor”: something
you have).

4.4 General Security Issues

In addition to the above mentioned issues there are few other general security issues that are delaying cloud computing adoption
and needs to be taken care of.

Data Location: When user uses the cloud, user probably won’t know exactly where his data is hosted, what country it will be
stored in [3][4][8]? Amazon does not even disclose where their data centers are located. They simply clam that ach data center is
hosted in a nondescript building with a military-grade perimeter. Even if customer know that their database server is in the us-east-1a
availability zone, customer do not know where that data center9s0 behind that availability zone is located, or even which of he three
East Coast availability zones us-east-1a represents [4].

Data Sanitization: Sanitization is the process of removing sensitive information from a storage device. In cloud computing
users are always concerned about, what happens to data stored in a cloud computing environment once it has passed its user’s “use by
date” [18]. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that
ensures customer data are not exposed to unauthorized individuals. AWS uses the technique DoD 5220.22-M as per National
Industrial Security Program Operating manual to destroy data, as part of the decommissioning process [9][13]. When item and
attribute data are deleted within a domain, removal of the mapping within the domain starts immediately, and is also generally
complete within seconds. Once the mapping is removed, there is no remote access to the deleted data. The storage area is then made
available only for write operations and the data are overwritten by newly stored data [9].
 Job Starvation due to some virus or worm: It is where one job takes up a huge amount of resource resulting in a
resource starvation for the other jobs. Customer can reserve the resources in advance. Customer can also reduce the priority of
the affected tasks/job [16] [18].

In the next section of our paper we discuss about the various cloud related working groups and their contribution in the
cloud computing environment.

5 Cloud Related Working Groups

A working group is an assembled, cooperative collaboration of researchers working on new research activities that would
be difficult for any one member to develop alone. Working groups generally strive to create an informational document a
standard, or find some resolution for problems related to a system or network. Most often, the working group attempts to
assemble experts on a topic. Working groups are sometimes also referred to as task groups or technical advisory groups.

The Open Cloud Consortium (OCC) is organized into several different working groups [8]. For example, the working
group on Standards and Interoperability for Clouds. The purpose of the OCC is to support the development of standards for
cloud computing and to develop framework for interoperability among various clouds [19]. There is also a working group on
wide area clouds and the impact of network protocols on clouds. The focus of this working group is on developing technology
for wide area clouds, including creation of methodologies and benchmarks to be used for evaluating wide area clouds. This
working group is tasked to study the applicability of variants of TCP and the use of other network protocols for clouds.

The working group on information sharing, security and clouds has a primary focus on standards and standard-based
architectures for sharing information between clouds. This is especially true for clouds belonging to different organizations and
subject to possibly different authorities and policies. This group is also concerned with security architectures for clouds. Finally,
there is an Open Cloud Test-bed working group that manages and operates the open cloud test-bed [19].

Another very active group in the field of cloud computing is Distributed management Task Force (DMTF) [8]. According
to their web site, the distributed management task force enables more effective management of millions of IT systems
worldwide by bringing the IT industry together to collaborate on the development, validation and promotion of systems
management standards [24][25].

This group spans the industry with 160 member companies and organizations, and more than 4,000 active participants
crossing 43 countries. The DMTF board of
directors id led by 16 innovative, industry- leading technology companies.

The DMTF started the Virtualization Management Initiative (VMAN). The VMAN unleashes the power of virtualization by
delivering broadly supported interoperability and portability standards to virtual computing environments. VMAN enables IT
managers to deploy preinstalled, pre configured solutions across heterogeneous computing networks and to manage those applications
through their entire life cycle [20][25].

In the next section we discuss about the major security standards for cloud computing and their application in cloud computing
environment.

6 Standards for Security in Cloud Computing

Security standards define the processes, procedures, and practices necessary for implementing a security program. These
standards also apply to cloud related IT activities and include specific steps that should be taken to ensure a secure environment is
maintained that provides privacy and security of confidential information in a cloud environment. Security standards are based on a
set of key principles intended to protect this type of trusted environment. A basic philosophy of security is to have layers of defense, a
concept known as defense in depth. This means having overlapping systems designed to provide security even if one system fails. An
example is s firewall working in conjunction with intrusion- detection system (IDS). Defense in depth provides security because there
is no single point of failure and no single entry vector at which an attack can occur. For this reason, a choice between implementing
network security in the middle part of a network (i.e., in the cloud) or at the endpoints is a false dichotomy [8]. No single security
system is a solution by itself, so it is far better to secure all systems. This type of layered security is precisely what we are seeing
develop in cloud computing. Traditionally, security was implemented at the endpoints, where the user controlled access. An
organization had no choice except to put firewalls, IDSs, and antivirus software inside its own network. Today, with the advent of
managed security services offered by cloud providers, additional security can be provided inside the cloud [8][9].

Security Assertion Markup Language (SAML): SAML is an XML-based standard for communicating authentication,
authorization, and attribute information among online partners. It allows businesses to securely send assertions between partner
organizations regarding the identity and entitlements of a principal. SAML standardizes queries for, and responses that contain, user
authentication, entitlements, and attribute information in an XML format. This format can then be used to request security information
about a principal from a SAML authority. A SMAL authority,
sometimes called the asserting party, is a platform or application that can relay security information. The relying party or
assertion consumer or requesting party is a partner site that receives the security information. The exchanged information deals
with a subject’s authentication status, access authorization, and attribute information. A subject is an entity in a particular
domain by an email address is a subject, as might be a printer [8]. SAML is built on a number of existing standards, namely,
SOAP, HTTP and XML. SAML relies on HTTP as its communications protocol and specifies the use of SOAP.

Open Authentication (OAuth): OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure
API authorization in a simple, standardized method for various types of web applications. OAuth is a method for publishing and
interacting with protected data. For developers, OAuth provides users access to their data while protecting account credentials.
It also allows users to grant access to their information, which is shared by the service provider and consumers without sharing
all of their identity. OAuth is the baseline, and other extensions and protocols can be built on it. By design, OAuth Core 1.0 does
not provide many desired features, like automated discovery of endpoints, language support, support for XML-RPC and SOAP,
standard definition of resource access, OpenID integration, signing algorithms, etc [8]. The core deals with fundamental aspects
of the protocol, namely, to establish a mechanism for exchanging a user name and password for a token with defined rights and
to provide tools to protect the token. It is important to understand that security and privacy are not guaranteed by the protocol. In
fact, OAuth by itself provides no privacy at all and depends on other protocols such as SSL to accomplish that.

OpenID: It is an open, decentralized standard for user authentication and access control. It allows users to log onto many
services using the same digital identity. It is a single- sign-on (SSO) method of access control. OpenID replaces the common
log-in process, i.e. a log-in name and a password, by allowing users to log in once and gain access to resources across
participating systems. An OpenID is in the form of a unique URL and is authenticated by the entity hosting the OpenID URL
[9]. The OpenID protocol does not rely on a central authority to authenticate a user’s identity. Neither the OpenID protocol nor
any websites requiring identification can mandate that a specific type of authentication be used; nonstandard forms of
authentication such as smart cards, biometrics, or ordinary password are allowed [8].

SSL/TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographically secure
protocols designed to provide security and data integrity for communications over TCP/IP. TLS and SSL encrypt the segments
of network connections at the transport layer. The TLS protocol allows client/server applications to communicate across a
network in a way
specifically designed to prevent eavesdropping, tampering, and message forgery [21]. TLS provides endpoint authentication and data
confidentiality by using cryptography. TLS authentication is one way- the server is authenticated, because the client already knows
the server’s identity. In this case, the client remains unauthenticated [12] . TLS also supports a more secure bilateral connection mode
whereby both ends of the connection can be assured that they are communicating with whom they believe they are connected. This is
known as mutual (assured) authentication. TLS involves three basic steps. The first step deals with peer negotiation for algorithm
support. During this phase, the client and server negotiate cipher suites, which determines which ciphers are used. In the next step,
key exchange and authentication is decided. During this phase, a decision is made about the key exchange and authentication
algorithm to be used, and determine the message authentication codes. The key exchange and authentication algorithms are typically
public key algorithms. The finals step is about the symmetric cipher encryption and message encryption. The message authentication
codes are made up from cryptographic hash functions. Once these decisions are made, data transfer may begin [9][12].

7 Conclusions
The cloud computing phenomenon is generating a lot of interest worldwide because of its lower total cost of ownership,
scalability, competitive differentiation, reduced complexity for customers, and faster and easier acquisition of services. While cloud
offers several advantages, people come to the cloud computing topic from different points of view. Some believe that cloud to be an
unsafe place. But few people find it safer then their own security provisioning, especially small businesses that do not have resources
to ensure the necessary security themselves. Several large financial organizations and some government agencies are still holding
back. They indicate that they will not consider moving to cloud anytime soon because they have no good way to quantify their risks.
To gain total acceptance from all potential users, including individuals, small businesses to Fortune 500 firms and government, cloud
computing require some standardization in the security environment and third- party certification to ensure that standards are met.

8 References
[1] http://csrc.nist.gov/groups/SNS/cloud-computing/index.html.
[2] Cisco White Paper, http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/n
s537/white_paper_c11-532553.html, published 2009, pp. 1-6.
[3] John Viega, McAffee, Cloud Computing and the Common Man,” published on the IEEE Journal ON Cloud Computing Security, pp. 106-108,
August 2009.
[4] George Reese, “Cloud Application Architectures”, First edition, O’Reilly Media, April 2009, ISBN 9780596156367, pp. 2-4, 99-118.
[5] http://en.wikipedia.org/wiki/Cloud_computing.
[6]
http://communication.howstuffworks.com/cloud computing1.htm.
[7] John Harauz, Lori M. Kaufman, Bruce Potter, “Data Security in the World of Cloud Computing,” published on the IEEE Journal on
Cloud Computing Security, July/August 2009, Vol. 7, No.4, pp. 61-64.
[8] John W. Rittinghouse, James F. Ransome, “Cloud Computing Implementation, Management, and Security”, CRC Press, August 17, 2009,
ISBN 9781439806807, pp. 147-158, 183-212.
[9] Amazon White Paper, http://aws.amazon.com/about-aws/whats- new/2009/06/08/new-aws-security-center-and-security- whitepaper/ ,
published June 2009.
[10] Marco Descher, Philip Masser, Thomas Feilhauer, A Min Tjoa, David Huemer, “ Retaining Data Control to the Client Infrastructure
Clouds”, published on the IEEE, 2009 International Conference on Availability, Reliability and Security, pp. 9-15.
[11] David Bernstein, Erik Ludvigson, Krishna Sankar, Steve Diamond, Monique Morrow, “Blueprint for the Intercloud – Protocols and
Formats for Cloud Computing Interoperability, submitted to IEEE, 2009 Fourth International Conference on Internet and Web
Applications and Services, pp. 328-335.
[12] Liang-Jie Zhang, Qun Zhou, “CCOA: Cloud Computing Open Architecture”, published on IEEE, 2009 IEEE International Conference on
Web Services, pp. 607-615.
[13] Amazon White Paper, “Introduction to Amazon Virtual Private Cloud”, Available: http://aws.amazon.com/about-aws/whats-
new/2009/08/26/introducing-amazon-virtual-private-cloud/ , published Aug 26, 2009, pp. 6-8.
[14] Rajkumar Buyya, Chee Shin Yeo, Srikumar Venugopal, “Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT
Services as Computing Utilities”, grid Computing and Distributed Systems and Software Engineering, The University of Melbourne,
Australia.
[15] Jinesh Varia, Amazon Web Services, “Building GrepTheWeb in the Cloud, Part 1: Cloud Architectures”, Available:
http://developer.amazonwebservices.com/connect, July 2008, pp. 1-7.
[16] Jon Brodkin, “ Gartner: Seven Cloud-Computing Security Risks”, Available: http://www.infoworld.com, published July 2008, pp. 1-3.
[17] IBM CIO White Paper, “ Staying aloft in tough times”, April 2009, pp. 3-19.
[18] Steve Hanna, Juniper Networks, “Cloud Computing: Finding the Silver Lining”, published 2009, pp. 2-30.
[19] Manifesto, “Open Cloud Manifesto, Dedicated to the belief that the cloud should be open”, Available: www.opencloudmanifesto.org,
published Spring 2009, pp-1-7.
[20] Peter Fingar, “ Dot.Cloud: the 21st century business platform built on cloud computing”, First edition, Meghan-Kiffer Press, February 18,
2009, ISBN 9780929652498, pp. 81-99.
[21] William Stallings, “Network Security essentials”, Third edition, Prentice Hall, July 29,2006, ISBN 9780132380331, pp-2.
[22] http://en.wikipedia.org/wiki/Network_security
[23] http://searchservervirtualization.techtarget.com/news/column/0, 294698,sid94_gci1217705,00.html
[24] http://www.service- architecture.com/xml/articles/distributed_management_task_for ce_dmtf.html.
[25] http://www.dmtf.org/about/cloud- incubator/CloudIncubatorCharter2009-04-16.pdf

View publication stats