Volume 2, Issue 9, September 2012 ISSN: 2277 128X

International Journal of Advanced Research in

Computer Science and Software Engineering
Research Paper
Available online at: www.ijarcsse.com
An Overview and Study of Security Issues & Challenges in
Cloud Computing
Rajesh Piplode* Umesh Kumar Singh
Department of Computer Science Institute Of Computer Science
Govt. Holkar Science College Indore-India Vikram University Ujjain-India

Abstract—Cloud computing is a promising technology to facilitate development of large-scale, on-demand, flexible

computing infrastructures. But without security embedded into innovative technology that supports cloud computing,
businesses are setting themselves up for a fall. The trend of frequently adopting this technology by the organizations
automatically introduced new risk on top of existing risk. Obviously putting everything into a single box i.e. into the
cloud will only make it easier for hacker. This paper presents an overview and the study of the cloud computing. Also
include the several security and challenging issues, emerging application and the future trends of cloud computing.

Keywords— Cloud Computing, Security, SMM.

I. INTRODUCTION
Cloud computing is currently one the most hyped IT innovations. Most IT companies announce to plan or (suddenly)
already have IT products according to the cloud computing paradigm. Though cloud computing itself is still not yet
mature enough, it is already evident that its most critical flaw in security [1][2].
In the nearest future, we can expect to see a lot of new security exploitation events around cloud computing providers
and users, which will shape the cloud computing security research directions for the next decade. Hence, we have seen a
rapid evolution of a cloud computing security discipline, with ongoing efforts to cope with the idiosyncratic requirements
and capabilities regarding privacy and security issues that this new paradigm rises.
In this development, we closely watch cloud computing security on a very technical level, focussing primarily on attacks
and hacking attempts related to cloud computing providers and systems. We pointed out lately, the specific security
threats and vulnerabilities of services and service-oriented architectures require new security criteria, so do attacks on
cloud computing scenarios. In this work-in-progress paper, we try to anticipate the classes of security issues that will
arise from the cloud computing paradigm, and we give preliminary some solution for these, based on the notion of attack
surfaces.

II. CLOUD COMPUTING

The National Institute of Standards and Technology (NIST) Information Technology Laboratory, cloud computing is
defined as follows:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential characteristics, three service models, and four
deployment models [3,4,5].
Essential Characteristics
 On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and
network storage, as needed automatically without requiring human interaction with each service’s provider.

 Broad network access. Capabilities are available over the network and accessed through standard mechanisms that
promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

 Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant
model, with different physical and virtual resources dynamically assigned and reassigned according to consumer
demand. There is a sense of location independence in that the customer generally has no control or knowledge over
the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g.,
country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and
virtual machines.

© 2012, IJARCSSE All Rights Reserved Page | 115

 Rajesh et al , International Journal of Advanced Research in Computer Science and Software Engineering 2 (9),
September- 2012, pp. 115-120
 Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly
scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often
appear to be unlimited and can be purchased in any quantity at any time.

 Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering
capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and
active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the
provider and consumer of the utilized service.

Fig. 1 Cloud Computing Framework

Service Models:
 Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications
running on a cloud infrastructure. The applications are accessible from various client devices through a thin client
interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying
cloud infrastructure including network, servers, operating systems, storage, or even individual application
capabilities, with the possible exception of limited user-specific application configuration settings.

 Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud
infrastructure consumer-created or acquired applications created using programming languages and tools supported
by the provider. The consumer does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, or storage, but has control over the deployed applications and possibly application
hosting environment configurations.

 Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage,
networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary
software, which can include operating systems and applications. The consumer does not manage or control the
underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly
limited control of select networking components (e.g., host firewalls).

Deployment Models:
 Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization
or a third party and may exist on premise or off premise.

 Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community
that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be
managed by the organizations or a third party and may exist on premise or off premise.

 Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned
by an organization selling cloud services.

 Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that
remain unique entities but are bound together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load-balancing between clouds).

III. ISSUES IN CLOUD

Security is the most important issue in cloud computing. We are residing everything in providers premises which makes
the information highly unsecured [6]. It’s a main obstacle in adoption of cloud computing. According to the IDC’s survey
© 2012, IJARCSSE All Rights Reserved Page | 116
 Rajesh et al , International Journal of Advanced Research in Computer Science and Software Engineering 2 (9),
September- 2012, pp. 115-120
on the cloud services, security concerns are number one issue facing cloud computing [7][8]. IDC’s findings in the
survey of 224 IT executives are shown in fig.2.

Figure 2. Analysis of major issues of cloud computing

Difficulties or overheads in front of cloud computing are the danger of-Disrupts Services, Theft of Information, Loss
of Privacy, Damage of information. These problems prevent the organizations to adopt the cloud computing services.
These can be removed by applying highly trusted security protocols.IEEEtran.bst files, whereas the Microsoft Word
templates are self-contained. Causal Productions has used its best efforts to ensure that the templates have the same
appearance.

IV. SECURITY CONCERN

Heightened security threats must be overcome in order to benefit fully from this new computing paradigm. Some security
concerns are listed and discussed below:
1) Security concern #1: Company has violated the law (risk of data seizure by (foreign) government).
2) Security concern #2: Storage services provided by one cloud vendor may be incompatible with another vendor’s
services if user decides to move from one to the other (e.g. Microsoft cloud is incompatible with Google cloud). [9]
3) Security concern #3: Who controls the encryption/decryption keys? Logically it should be the customer.
4) Security concern #4: Ensuring the integrity of the data (transfer, storage, and retrieval) really means that it changes
only in response to authorized transactions. A common standard to ensure data integrity does not yet exist.
5) Security concern #5: Some government regulations have strict limits on what data about its citizens can be stored and
for how long, and some banking regulators require that customer’s financial data remain in their home country.
6) Security concern #6: Customers may be able to sue cloud service providers if their privacy rights are violated, and in
any case the cloud service providers may face damage to their reputation. Concerns arise when it is not clear to
individuals why their personal information is requested or how it will be used or passed on to other parties.
7) Security concern #7: With the cloud model control physical security is lost because of sharing computing resources
with other companies. No knowledge or control of where the resources run.
8) Security concern #8: The dynamic and fluid nature of virtual machines will make it difficult to maintain the
consistency of security and ensure the audit ability of records.
9) Security concern #9: In case of Payment Card Industry Data Security Standard (PCI DSS) data logs must be provided
to security managers and regulators. [10][11[12]
10) Security concern #10: Users must keep up to date with application improvements to be sure they are protected.

V. SOME SOLUTION FOR SECURITY ISSUES IN CLOUD COMPUTING

Following approaches can be helpful for secure cloud computing-
 Investigation Support: Audit tools provided to the users to determine how their data is stored, protected, used, and
verify policy enforcement. But investigation of illegal activity is quite difficult because data for multiple customers
may be collocated and may also be geographically spread across set of hosts and datacenters. To solve this audit
tools must be contractually committed along with the evidence.
 Network Security: A user can deny the access of any Internet based service by using IP Spoofing which can be a
cause of security harm [6]. To solve this we can use Digital Signature technique. SSL (Secure Socket Layer)
Protocol is used for managing security of message transmission on The Internet. Which also avoid resource hacking.
 Encryption Algorithm: Obviously cloud service providers encrypt the user’s information using strong encryption
algorithm. But problem is that encryption accident can make data totally unusable and encryption also complicates
the availability [6]. To solve this problem the cloud provider must provide evidence that encryption scheme were
designed and tested by experienced specialists.
 Backup: Natural disaster may damage the physical devices that may cause of data loss. To avoid this problem
backup of information is the key of assurance of service provided by vendor
 Customer satisfaction: Very hard for the customer to actually verify the currently implemented security practices
and initiatives of a cloud computing provided by the service provider because the customer generally has no access

© 2012, IJARCSSE All Rights Reserved Page | 117

 Rajesh et al , International Journal of Advanced Research in Computer Science and Software Engineering 2 (9),
September- 2012, pp. 115-120
to the provider’s facility which can be comprised of multiple facilities spread around the globe [8]. Solution for this
Provider should get some standard certificate from some governing or standardized institution that ensures users that
provider has established adequate internal control and these control are operating efficiently.

VI. SECURITY MANAGEMENT MODEL(CMM)

This section describes twenty recommended security management models and their requirements for cloud computing
that cloud service providers should definitely consider as they develop or refine their compliance programs [13].
1) Security management (People): One of the most important actions for a security team is to develop a formal charter
for the security organization and program. The charter should be aligned with the strategic plan of the organization or
company the security team works for. Lack of clearly defined roles and responsibilities, and agreement on expectations,
can result in a general feeling of loss and confusion among the security team about what is expected of them, how their
skills and experienced can be leveraged, and meeting their performance goals.
2) Security governance: A security steering committee should be developed whose objective is to focus on providing
guidance about security initiatives and alignment with business and IT strategies. This committee must clearly define the
roles and responsibilities of the security team and other groups involved in performing information security functions.
3) Software-as-a-Service (SaaS) security: SaaS is the dominant cloud service model for the foreseeable future and the
area where the most critical need for security practices and oversight will reside. Just as with a managed service provider,
corporations or end users will need to research vendors’ policies on data security before using vendor services to avoid
losing or not being able to access their data. The technology analyst and consulting firm Gartner lists [14] seven security
risks which one should discuss with a cloud-computing vendor:
Privileged user access: Get as much information as you can about the people who manage your data. Ask providers to
supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.
Regulatory compliance: Make sure that the vendor is willing to undergo external audits and/or security certifications.
Data location: When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might
not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in
specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on
behalf of their customers.
Data segregation: Make sure that encryption is available at all stages, and that these encryption schemes were designed
and tested by experienced professionals.
Recovery: Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and
service in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple
sites is vulnerable to a total failure. Ask your provider if it has "the ability to do a complete restoration, and how long it
will take."
Investigative support: Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud
services are especially difficult to investigate, because logging and data for multiple customers may be co-located and
may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to
support specific forms of investigation, along with evidence that the vendor has already successfully supported such
activities, then only safe assumption is that investigation and discovery requests will be impossible.
Long-term viability: Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a
larger company. But you must be sure your data will remain available even after such an event. Ask potential providers
how you would get your data back and if it would be in a format that you could import into a replacement application. To
address the security issues listed above, SaaS providers will need to incorporate and enhance security practices used by
the managed service providers and develop new ones as the cloud computing environment evolves.
4) Risk management: Risk management entails identification of technology assets [15]; identification of data and its links
to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. Actions
should also include maintaining a repository of information assets. Owners have authority and accountability for
information assets including protection requirements, and custodians implement confidentiality, integrity, availability,
and privacy controls.
5) Risk assessment: Security risk assessment is critical to helping the information security organization make informed
decisions when balancing the dueling priorities of business utility and protection of assets [16][17]. A formal information
security risk management process should proactively assess information security risks as well as plan and manage them
on a periodic or as -needed basis. More detailed and technical security risk assessments in the form of threat modeling
should also be applied to applications and infrastructure.
6) Data governance: This framework should describe who can take what actions with what information, and when, under
what circumstances, and using what methods.
7) Virtual machine security: In the cloud environment, physical servers are consolidated to multiple virtual machine
instances on virtualized servers. Not only can data center security teams replicate typical security controls for the data
center at large to secure the virtual machines, they can also advise their customers on how to prepare these machines for
migration to a cloud environment when appropriate.
8) Disaster recovery: In the SaaS environment, customers rely heavily on 24/7/365 access to their services and any
interruption in access can be catastrophic. Using the virtualization software virtual server can be copied, backed up, and
moved just like a file (live migration). Benefits are:
© 2012, IJARCSSE All Rights Reserved Page | 118
 Rajesh et al , International Journal of Advanced Research in Computer Science and Software Engineering 2 (9),
September- 2012, pp. 115-120
 Quickly reallocating computing resources without any downtime
 Ability to deliver on service-level agreements and provide high-quality service
9) Third party risk management: Lack of a third-party risk management program may result in damage to the provider’s
reputation, revenue losses, and legal actions should the provider be found not to have performed due diligence on its
third-party vendors.
10) Vulnerability assessment: Classifies network assets to more efficiently prioritize vulnerability-mitigation programs,
such as patching and system upgrading.
11) Security image testing: Virtualization-based cloud computing provides the ability to create “Test image” VM secure
builds and to clone multiple copies. Gold image VMs also provide the ability to keep security up to date and reduce
exposure by patching offline. Offline VMs can be patched off-network, providing an easier, more cost-effective, and less
production-threatening way to test the impact of security changes.
12) Security awareness: People are the weakest link for security. Knowledge and culture are among the few effective
tools to manage risks related to people. Not providing proper awareness and training to the people who may need them
can expose the company to a variety of security risks for which people, rather than system or application vulnerabilities,
are the threats and points of entry. Social engineering attacks, lower reporting of and slower responses to potential
security incidents, and inadvertent customer data leaks are all possible and probable risks that may be triggered by lack of
an effective security awareness program.
13) Change management: The security team can create security guidelines for standards and minor changes, to provide
self-service capabilities for these changes and to prioritize the security team’s time and resources on more complex and
important changes to production.
14) Data security: Security will need to move to the data level so that enterprises can be sure their data is protected
wherever it goes. For example, with data-level security, the enterprise can specify that this data is not allowed to go
outside of the European Union. It can also force encryption of certain types of data, and permit only specified users to
access the data. It can provide compliance with the Payment Card Industry Data Security Standard (PCI DSS).
15) Data privacy: A privacy steering committee should also be created to help make decisions related to data privacy.
The security compliance team, if one even exists, will not have formalized training on data privacy. The answer is to hire
a consultant in this area, hire a privacy expert, or have one of your existing team members trained properly. This will
ensure that your organization is prepared to meet the data privacy demands of its customers and regulators.
16) Application security: This is where the security features and requirements are defined and application security test
results are reviewed. Application security processes, secure coding guidelines, training, and testing scripts and tools are
typically a collaborative effort between the security and the development teams. Although product engineering will likely
focus on the application layer, the security design of the application itself, and the infrastructure layers interacting with
the application, the security team should provide the security requirements for the product development engineers to
implement.
17) Identity Access Management (IAM): identity and access management is a critical function for every organization, and
a fundamental expectation of SaaS customers is that the “principle of least privilege” is granted to their data. The
principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and
that access should be granted only for the minimum amount of time necessary.
18) Education and training: Programs should be developed that provide a baseline for providing fundamental security
team and their internal partners. This entails a formal process to assess and align skill sets to the needs of the security
team and to provide adequate training and mentorship-providing a broad base of fundamental security, inclusive of data
privacy, and risk management knowledge.
19) Physical security: Since customers lose control over physical assets, security model may need to be reevaluated. The
concept of the cloud can be misleading at times, and people forget that everything is somewhere actually tied to a
physical location. The massive investment required to build the level of security required for physical data centers is the
prime reason that companies don’t build their own data centers, and one of several reasons why they are moving to cloud
services in the first place. Some samples of controls mechanisms:
- 24/7/365 onsite security.
 Biometric hand geometry readers.
 Security cameras should monitor activity throughout the facility.
 Heat, temperature, air flow, and humidity should all be kept within optimum ranges for the computer equipment.
 Policies, processes, and procedures are critical elements of successful physical security that can protect the
equipment and data housed in the hosting center.
20) Policies and standards: Many resources and templates are available to aid in the development of information security
policies and standards. A cloud computing security team should first identify the information security and business
requirements unique to cloud computing, SaaS, and collaborative software application security. Policies should be
developed, documented, and implemented, along with documentation for supporting standards and guidelines. To
maintain relevancy, these policies, standards, and guidelines should be reviewed at regular intervals or when significant
changes occur in the business or IT environment.

VII. CONCLUSION AND FUTURE WORK

© 2012, IJARCSSE All Rights Reserved Page | 119

 Rajesh et al , International Journal of Advanced Research in Computer Science and Software Engineering 2 (9),
September- 2012, pp. 115-120
Cloud computing is the future of IT industries It helps the industries to get efficient use of their IT Hardware and
Software resources at low cost. This paper totally discuss about the cloud computing security issues and Challenges. This
paper also analyze cloud computing vulnerabilities, security threats cloud computing faces and presented the security
objective that need to be achieved. On one hand, the security-sensitive applications of a Cloud computing require high
degree of security on the other hand, cloud computing are inherently vulnerable to security attacks. Therefore, there is a
need to make them more secure and robust to adapt to the demanding requirements of these networks. The future of
cloud computing is really appealing, giving the vision of cheap communications. At present, the general trend in cloud
computing is toward mesh architecture and large scale. Improvement in bandwidth and capacity is required, which
implies the need for a higher frequency and better spatial spectral reuse. Large scale cloud computing is another
challenging issue in the near future which can be already foreseen.

REFERENCES
[1] Ricardo vilaca, Rui oliveira 2009. Clouder: A Flexible Large Scale Decentralized Object Store. Architecture
Overview. Proceeding of WDDDM ’09
[2] Michael Miller. 2009. Cloud Computing-Web Based Application that change the way you collaborate online.
Publishing of QUE, 2nd print.
[3] National Institute Of Standard and technology. csrc.nist.gov/groups/ SNS/cloud-computing/cloud-def-v15.doc,
2009
[4] Open Security Architecture http://www.opensecurityarchitecture.org/
[5] Tim Mather, Subra Kumaraswamy, Shahed Latif Cloud Security and Privacy : An Enterprise perspective of Risks
[6] GregBoss, Padma Malladi, Dennis Quan, Linda Legregni and Harold hall 2007. Cloud Computing. Available from
www.ibm.com/developerworks/websphere/zones/hipods/.
[7] Anthony T.Velte, Toby J.Velte and Robert Elsenpeter 2010. Cloud Computing- A Practical Approach. Publishing
of Tata McGRAW Hil.
[8] Nils Gruschka and Meiko Jensen, “Attack Surfaces: A Taxonomy for Attacks on Cloud Services”. IEEE rd
International Confrence on Cloud Computing,2010.
[9] M. Casassa-Mont, S. Pearson and P. Bramhall, “Towards Accountable Management of Identity and Privacy: Sticky
olicies and Enforceable Tracing Services”, Proc. DEXA 2003, IEEE Computer Society, 2003, pp. 377-382
[10] https://www.pcisecuritystandards.org/index.shtml
[11] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_ Security_Standard, 24 January 2010
[12] J. Salmon, “Clouded in uncertainty – the legal pitfalls of cloud computing”, Computing, 24 Sept 2008,
http://www.computing.co.uk/computing/features/2226701/clouded-uncertainty-4229153
[13] Krešimir Popović, Željko Hocenski,” Cloud computing security issues and challenges”, MIPRO 2010, May 24-28,
2010, Opatija, Croatia
[14] Gartner: Seven cloud-computing security risks, 02 July 2008,http://www.infoworld.com/d/security-
central/gartnerseven-cloud-computing-security-risks-853?page=0,0
[15] Wikipedia, 6 February 2010, http://en.wikipedia.org/wiki/Risk_management
[16] Wikipedia, 27 January 2010, http://en.wikipedia.org/wiki/Risk_assessment
[17] D.Catteddu, Giles Hogben : European Network and Information Security Agency, November 2009,
http://www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputing-risk-assessmen

AUTHORS PROFILE
Rajesh Piplode has received his Master of Philosophy in Computer Science (M.Phil.-CS) from Institute of Computer
Science, Vikram University. He is presently working as Guest lecturer in Department of Computer Science, Govt.
Holkar(Autonomous) Science Collage, Indore - India. His research interest includes Security in-Coloud computing,
Wireless Mesh Network and Information Technology based education.

Dr. Umesh Kumar Singh obtained his Ph.D. in Computer Science from Devi Ahilya University, Indore-INDIA. He is
currently Reader (Director) in Institute of Computer Science, Vikram University, Ujjain-INDIA. He served as professor
in Computer Science and Principal in Mahakal Institute of Computer Sciences (MICS-MIT), Ujjain. He is formally
Director I/C of Institute of Computer Science, Vikram University Ujjain. He has served as Engineer (E&T) in education
and training division of CMC Ltd., New Delhi in initial years of his career. He has authored a book on “Internet and Web
technology “and his various research papers are published in national and international journals of repute. Dr. Singh is
reviewer of International Journal of Network Security (IJNS), IJCSIS, ECKM Conferences and various Journals of
Computer Science. His research interest includes network security, secure electronic commerce, client-server computing
and IT based education.

© 2012, IJARCSSE All Rights Reserved Page | 120