
2017 IEEE 3rd International Conference on Collaboration and Internet Computing

Security failure trends of cloud computing

Zachariah Pabi Gariba
School of Computing, University of South Africa, Florida Park, Johannesburg, South Africa

John Andrew Van Der Poll
Graduate School of Business Leadership, University of South Africa, Midrand, South Africa

Abstract. Cloud computing technology is causing a shift in Information and Communication Technology (ICT) usage by transforming the way businesses employ information technology services. It benefits computing usage by allowing users to share hardware resources via multiplexing of virtual machines, which are the basic units of cloud computing. Small and new businesses, which often lack strong financial standing but desire to use the cloud, need not own these resources but only pay for their use at a reduced price. This alleviates the cost of technological maintenance and operation. However, the services provided by third-party cloud service providers involve inherent security threats. The relocation of corporate resources to an external administrative jurisdiction escalates security concerns such as trust, assurance and transparency. There may be devastating effects for clients should their financial transactions and corporate information be compromised as a result of a service provider's security challenges. This research employs a quantitative case study to analyse the security challenges of popular cloud computing services within the past four years. An overview of security vulnerabilities in cloud computing is presented, a preliminary cloud security framework is developed and the role of computing formalisms is investigated.

Keywords: cloud computing, formal methods, information security, trust, security failure, privacy, cloud security modelling

I. INTRODUCTION

Arguably the accepted definition of cloud computing is that given by the National Institute of Standards and Technology (NIST) [1], which defines cloud computing as an "ICT sourcing and delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction". The basic unit of cloud computing is the virtual machine (VM) [2], which is installed on a host to provide various internet applications. The VM's primary function is to improve resource sharing among multiple users and to improve computer performance in terms of resource utilisation and application flexibility. Given a virtualised platform, different user applications are managed by their own operating systems, which run on the same hardware independently of the host operating system. Virtualisation is employed for both hardware and software in a functional and layered manner [3].

For small and newly created business organisations that lack the financial strength to establish in-house data centres [4], cloud computing could be a cost-effective technological solution. They may decide to transfer part of their services, data and infrastructure to a cloud computing service provider for the aforementioned benefits, namely performance, flexibility and opportunities. This computing paradigm is causing a shift [5] in technology which may well transform the way businesses employ information technology services. Clients deploying the cloud need only rent and pay for its usage at reduced cost. This alleviates the burden of software maintenance, operation and support on the part of the client.

NIST considers cloud computing as a threefold model comprising service models, deployment models and essential characteristics. There are four cloud deployment models outlined by NIST, namely private, public, hybrid and community [6], as indicated in Fig. 1. In addition, there are three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In the public model, the physical infrastructure is generally managed by a service provider and is located off-site under the control of the service provider [7]. In the private model, the physical infrastructure is controlled by a service provider, extended by management and security control policies controlled by the organisation. In the community deployment model, the physical infrastructure is controlled by numerous organisations that have mutual interests, for example mission, policy, security requirements and

0-7695-6303-1/17/$31.00 ©2017 IEEE
DOI 10.1109/CIC.2017.00041
compliance considerations. The hybrid model combines two or more of these [8]. The essential characteristics are On-demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity and Measured Service.

The main benefit of IaaS is that it provides granular control over the choice of the core components of the infrastructure. In PaaS the provider supplies the hosting operating systems and optional building-block services for running the client's applications; the benefit is that the client need not be concerned with running updates and hardware upgrades. With SaaS, clients use only the applications their business needs; the key benefit is little or no upfront investment in software licensing.

Fig. 1: Utilising cloud computing models [figure not reproduced]

Security is a critical issue for a cloud system [5], [7], [9], [10], [11] and [12] because the various models are mostly located off-site whilst providing services to the clients. A company which depends on cloud computing for its transactions thereby entrusts its vital documents and data to a third-party service provider at an unknown location. Should the service provider experience security challenges and as a result be unable to deliver, the business may suffer a significant setback.

The objective of this research is to investigate and synthesise security failures of some popular cloud computing services and their negative impact on business. The available literature indicates little scholarly work on annual analyses of the security failure rates of present cloud computing services.

II. RESEARCH QUESTIONS

The research questions (RQs) for our work are:

• RQ1: What are the cloud security aspects underlying the failure of cloud services?
• RQ2: How may the said cloud security challenges be addressed?

The layout of the paper is as follows: Section III presents a brief overview of the literature on cloud computing and the information security issues applicable to the cloud. Section IV illustrates our modelling of available security solutions for cloud usage. Section V presents the research method employed in our study, whilst Section VI gives the security incidents obtained from popular cloud services. Section VII discusses the results obtained, Section VIII formalises aspects of our security framework and Section IX presents the conclusions and future work in this area.

III. LITERATURE REVIEW

The ISO [13] defines information security as the safeguarding of the confidentiality, integrity and availability (CIA) of information. Also, [14] indicates that ensuring confidentiality, integrity and availability has been the industry standard for information security. The US National Infrastructure Protection Center supplemented CIA with authentication and non-repudiation as additional requirements. Cloud computing security frameworks available in the literature [5], [10], [15], [18] focus on preventing unauthorised users from accessing cloud resources. It should be noted, however, that CSPs (Cloud Service Providers) are themselves also a source of attacks and failures.

The security elements elicited above, namely confidentiality, integrity, authentication, non-repudiation and service reliability [14], [19] and [20], have been

employed to form the information security elements and ought to be adhered to consistently in IS (Information Security). These five (5) aspects may be categorised into cryptographic and non-cryptographic approaches to security. The cryptographic group consists of the first four elements, whilst the non-cryptographic category is made up of the last element, namely service reliability. The various approaches for addressing each of these security aspects are given in TABLE I.

Cloud computing, being a relatively recent computing paradigm, introduces new security vulnerabilities and risks into a computing system. Conventional security vulnerabilities are also inherited by cloud computing; however, their impact is arguably less than that of the new security issues introduced by cloud computing. Some of these security aspects with respect to the implementation of cloud security have been researched in [15] and [21] – [26]. Furthermore, numerous studies, e.g. [12], [16] and [27] – [29], have been conducted on the security variability of cloud computing with respect to conventional information security issues.

A survey by the authors of [30] of 244 IT directors on cloud services indicates that security is a contentious challenge, as indicated by 74.6% of the respondents. Also, a study on Amazon Web Services security [17] indicated that security ought to be the major component of the cloud rather than an auxiliary operation. Extensive surveys on cloud security aspects like risks, threats and vulnerabilities are given in [12], [15], [26] and [30]. Absence of security constraints in cloud Service Level Agreements (SLAs) [31] may well cause loss of trust. The NIST Reference Architecture (RA), a framework for understanding and communicating the components of a cloud, is presented in [1]. The principal actors in this framework are the Service Consumer, Service Provider, Broker, Auditor and Cloud Carrier.

The study in [10] proposes a security as a service (SECaaS) model aimed at giving users control over their cloud computing security. The principal element of its architecture is the security manager, which allows subscribers to select the security measures they need. A limitation of such frameworks is the potential communication overhead between the cloud hosting the subscribers' data and the cloud presenting the security services.

A cloud adoption assessment model, as in [32], assists organisations in accepting and incorporating the cloud into their information technology, defines new capabilities, improves organisational readiness and provides strategies for successful implementation. The research reported on in this paper uses systematic literature reviews [33] and case studies to evaluate model effectiveness.

The importance of cloud computing to business is vast and has been motivated in Section I. However, cloud security elements, combined with conventional computing security aspects, pose major risks. Our literature survey indicated that there are numerous works available on cloud-unique security features and solutions, which we have synthesised in TABLE I. However, we found little information on how effective these unique features have been for cloud computing security in recent times.

TABLE I
COMPARING DIFFERENT CLOUD-RELATED SECURITY SOLUTIONS

Security challenge model
   Authors: Ajigini, van der Poll and Kroeze [35]
   Components: Developed a model for security challenges during the migration of sensitive information from a proprietary system to an open source system.

Service Level Agreement (SLA)
   Authors: Hale and Gamble [36]
   Components: Illustrates an extensible procedure for constructing compliance relating to SLA security controls.
   Authors: Hale and Gamble [37]
   Components: Built a framework known as SecAgreement which allows security metrics to be expressed in terms of service descriptions and objectives. SecAgreement also allows CSPs to embed security in their SLAs.

Privacy and integrity
   Authors: Salah et al. [38]
   Components: Developed a cloud security overlay network which provides integrated security services. They considered popular security software, intrusion detection systems, distributed denial-of-service prevention and security management.

Access control
   Authors: Wan, June, and Deng [39]
   Components: Suggested a scheme which inherits flexibility and fine-grained access control in supporting compound attributes of attribute-set-based encryption.

VM migration
   Authors: Xia, Liu, Chen and Zang [40]
   Components: Suggested an approach for striking a balance between security and functionality in cloud computing. This allows users to audit their logs to check for malicious rollbacks in the VM.

Hypervisor
   Authors: Wang, Wu, Grace and Jiang [41]
   Components: Presented HyperLock, a methodical approach to strictly segregate privileged, but potentially vulnerable, hosted hypervisors from compromising the hosting operating system.

Security policy
   Authors: Höne and Eloff [43]
   Components: Indicated the constituents and sources of an information security policy for organisations, a vital document. These are drawn mostly from various international security standards, which served as a guide.

International standards
   Authors: ISO/IEC [19]
   Components: Presented a framework for establishing, implementing, monitoring, operating, reviewing, improving and maintaining an Information Security Management System.
   Authors: Da Veiga and Eloff [44]
   Components: Developed an information security governance framework which can be used by organisations to ensure they govern information security in a holistic manner, thereby mitigating risk.

Availability
   Authors: Hassam, Kamboh and Azum [45]
   Components: Highlighted availability issues and how cloud computing could be made more secure and available. The factors which affect availability include migration, software failure, hardware error and human error.

The above discussion, together with the information in TABLE I, presents an answer to our RQ1 above.

In the following section we suggest a preliminary framework to facilitate security for cloud computing.

IV. TOWARDS A CLOUD SECURITY FRAMEWORK

Our framework is illustrated in Fig. 2 and follows a rudimentary structure proposed in [35]. The content is synthesised from the information in TABLE I as well as the CIA grouping, augmented by authentication and non-repudiation (refer to Section III). During the security policy phase, the policies and procedures on the security to be adopted for the cloud are developed by the top hierarchy. The data and information stage involves the categorisation of corporate data using well-established data classification frameworks. The privacy phase involves trust on how this classified data would be managed. Naturally, this will include the Cloud Service Provider (CSP), who is a third party authorised to have access to the data.

In the SLA stage, aspects relating to the drawing up of compliance with the security controls are determined. Also, security metrics and agreements on managing corporate data are signed between the CSP and the organisation. The risk management stage involves the identification of the risks in cloud usage, the categorising of risks and mitigation processes for each identified risk. Sub-frameworks to be used for the risk analyses are determined.

Data confidentiality addresses the encryption mechanism to be employed for the data by the CSP, whilst the availability phase aims to ensure that cloud users always have access to their service; the cloud service should be available, especially for corporates. The authentication phase involves the systems that are used to identify the users; such authentication may be based on biometric systems and audio identification. Access control regulates authorised users based on the privileges granted to certain data categories (refer to the use of Formal Methods in Section VIII below).

Fig. 2: Modelling security aspects for cloud usage [figure not reproduced]

At this point Fig. 2 above gives a partial answer to our RQ2.

Following the security aspects mentioned before and the development of a framework from these, we next elicit actual cloud security challenges during the past couple of years and quantify their frequency and occurrence.

V. METHODS

In this study we employed an inductive approach with respect to our research questions. Quantitative data collection was done through case studies, collecting information from scholarly literature and websites. A cross-sectional time horizon was adopted to compare security failures, financial implications and recommended countermeasures among various service providers. The sample size was 12 CSPs from the population of cloud service providers. Our survey covers a four-year period from 2013 to 2016. This is viewed as sufficient to make valid conclusions and inductive comparisons.

We enumerated the 12 CSPs against the respective dates of their security incidents, with the impact on both clients and business, in TABLE II, together with the possible threats identified and the recommended countermeasures. The date consists of the months and the respective years of occurrence. A tick (√) indicates that a CSP had an incident within a specific year; multiple ticks within a year correspond to the number of incidents noted. The months listed under the date are in sequential order of occurrence of the attack incidents for the corresponding CSP.

In the following section we discuss the challenges experienced by the 12 CSPs during the period 2013 – 2016.

VI. RESULTS

In 2013, four major cloud computing brands were identified whose systems experienced security attacks: Amazon AWS, Microsoft Windows Azure, Adobe (twice) and Target, which were attacked in January, February, October and November respectively. Adobe had two attacks in that year, with a disclosure of customers' records and privacy issues affecting 152 million clients and 38 million accounts [46]. Amazon Web Services had a Denial of Service (DoS) attack which resulted in interruption and destruction of service. For Microsoft Windows Azure there was a threat of removal of service and disclosure of information; we postulate that strong authentication and data confidentiality could have prevented this attack. For Target, there was disclosure and an identity and privacy theft threat which affected 70 million credit cards [47]. Strong privacy, strong authentication and good data confidentiality might well have resolved these.

In 2014 the CSPs identified were Dropbox, Home Depot, Amazon AWS, Apple iCloud and Microsoft. The security breaches were noted in January, April, June, September and November respectively. Dropbox had a web server error which resulted in a global outage. Home Depot had a malware attack which affected 56 million credit cards [48], possibly caused by threats of destruction, corruption and disclosure. In addition, Amazon AWS had a challenge with Code Spaces which compromised that business; the study suggested destruction, corruption and disclosure of information as the threats which affected it. For Apple iCloud, hackers accessed customer photos, which breached privacy and data confidentiality and led to a disclosure of clients' pictures. For Microsoft Azure, the website crashed, possibly caused by worms and viruses, compromising availability and resulting in destruction and interruption. A strong authentication mechanism might well have prevented this attack.

In 2015, Google IaaS, Apple's iCloud and Verizon Cloud were identified. Specifically, the security breaches took place in February and March for Google, March and May for Apple's iCloud, and only in May for Verizon. It should be noted that Google IaaS and Apple's iCloud each recorded two security breaches during that year. For Google, most zones were disabled because outbound data was lost; the entire Google incident could have been addressed by improved availability. The iCloud incident was due to a DNS error causing an outage of 12 hours [49]. Verizon's challenges were caused by system maintenance issues, causing outages and interruption to clients; arguably, a good risk assessment could have prevented this.

In 2016, Verizon, Twitter, Microsoft Office 365, Symantec Cloud and Apple iCloud were identified. The security failures occurred in January, April and June. Verizon had a network connection error which made the system unavailable, possibly caused by threats of destruction and interruption. For Twitter, faulty code was uploaded, causing 8 hours of outage, compromising access control and limiting availability. For Microsoft Office 365, damage to cloud resources resulted in European users being unable to access their email through their phones, due to the threat of destruction and interruption; this would have been avoided by good availability and risk management. Furthermore, Apple had general outages which made it hard for customers to access various services. This might have involved threats of destruction and interruption which could have been avoided by improved availability and risk management. For Symantec Cloud, management of clients' security was disrupted for 24 hours, making it difficult to send email and administer web security services [50]. A good availability mechanism could possibly have prevented these threats of destruction and interruption.

The above discussions are synthesised in TABLE II.

TABLE II
CLOUD COMPUTING SECURITY FAILURE RATE ISSUES

(Each entry gives the month(s) of the incidents, the year columns in which ticks appear, one tick (√) per incident, and the effects, threats and countermeasures recorded.)

1. Adobe
   Month(s): Oct.
   Incidents: 2013 √√
   Effects: 38 million accounts affected
   Threats: Identity theft; Removal; Disclosure
   Countermeasures: Data confidentiality; Privacy; Authentication

2. Amazon AWS
   Month(s): Jan., Feb.
   Incidents: 2013 √; 2014 √
   Effects: $5 million revenue loss; 4 hours global outage
   Threats: Worms & viruses; Removal; Corruption; Interruption
   Countermeasures: Availability; Authentication; Data confidentiality

3. Apple iCloud
   Month(s): Sept., Mar., May, Jun.
   Incidents: 2014 √; 2015 √√; 2016 √
   Effects: Nude photos surfaced; Global outages
   Threats: Identity theft; Disclosure; Interruption
   Countermeasures: Availability; Data confidentiality; Privacy

4. Dropbox
   Month(s): Jan.
   Incidents: 2014 √
   Effects: Global outages
   Threats: Interruption; Destruction
   Countermeasures: Risk management; Availability

5. Google-IaaS
   Month(s): Feb., Mar.
   Incidents: 2015 √√
   Effects: 45 min outages
   Threats: Worms & viruses; Corruption; Interruption
   Countermeasures: Availability; Risk management

6. Home Depot
   Month(s): Apr.
   Incidents: 2014 √
   Effects: 56 million emails compromised
   Threats: Destruction; Removal
   Countermeasures: Access control; Data confidentiality

7. Microsoft Azure
   Month(s): Feb., Nov.
   Incidents: 2013 √; 2014 √
   Effects: Global denial of access
   Threats: Destruction; Worms & viruses
   Countermeasures: Data confidentiality; Risk management

8. Microsoft Office 365
   Month(s): Jan.
   Incidents: 2016 √
   Effects: Mobile email access was denied
   Threats: Destruction; Interruption
   Countermeasures: Availability; Risk management

9. Symantec Cloud
   Month(s): Apr.
   Incidents: 2016 √
   Effects: Web security and email affected
   Threats: Destruction; Interruption
   Countermeasures: Availability

10. Target
   Month(s): Nov.
   Incidents: 2013 √
   Effects: 70 million credit cards compromised
   Threats: Identity theft; Disclosure
   Countermeasures: Privacy; Data confidentiality

11. Twitter
   Month(s): Jan.
   Incidents: 2016 √
   Effects: 8 hours global outage
   Threats: Corruption; Destruction
   Countermeasures: Availability; Access control

12. Verizon Cloud
   Month(s): May, Jan.
   Incidents: 2015 √; 2016 √
   Effects: Service provider cut service
   Threats: Interruption
   Countermeasures: Availability; Risk management

VII. DISCUSSION

We produce TABLE III as a summary of the security incidents categorised into 4 groups, occurrences 1 to 4. This gives a general overview of the security incidents for the whole period and a cross tabulation of service providers against attacks. Category 1 represents one security incident, category 2 two security incidents, category 3 three security incidents and category 4 four security incidents. The columns within the occurrence depict the grouping of cloud services according to how often these occurred within the four-year period. The count row indicates the number of service providers in a category, and the percentage (%) of total row indicates the percentage of each category in comparison to the total. A graphical view is given in Fig. 3, which is a bar chart of the count of occurrences of the security attacks.

As per TABLE III, six cloud computing service providers each had one attack within the four years of the study. This is the largest number of service providers in a category, representing 54.6%. The service providers which fall within this category are Symantec Cloud, Target, Twitter, Dropbox, Home Depot and Microsoft Office 365. Also, four service providers had attacks twice within the period of consideration; this is the second largest group, representing 36.4% of the entire sample. TABLE II above indicates that these companies are Adobe, Verizon, Amazon and Google-IaaS. None experienced three attacks, representing 0.0%. However, Apple iCloud, representing 9.1%, had four attacks; it is the only cloud service provider with the largest number of security attacks within the period of consideration for this research. The total count is 11, which indicates that in reality 11 cloud computing service providers experienced attacks.

Further quantifying the above by multiplying the count against the occurrences and summing up gives a total of twenty (20) cloud computing security attacks for the period of study. That is, the total number of cloud computing attacks is obtained by:

$\text{Total attacks} = \sum_{r=1}^{4} \left( \text{count}_r \times r \right)$

TABLE III
A CROSS TABULATION OF FAILURE RATE VS COUNT

Failure rate      1      2      3      4    Total
Count             6      4      0      1       11
% of Total     54.6   36.4    0.0    9.1    100.0
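The cross tabulation and the total described above can be reproduced mechanically from the tick marks in TABLE II. The following Python script is an added example and is not part of the paper: it encodes TABLE II as printed (the per-year tick counts are transcribed from the table; the dictionary and function names are ours) and derives each provider's failure rate, the TABLE III layout and the sum of count × occurrence. Run on the ticks as printed, it gives 20 incidents, as the text reports, but 12 providers with five in the two-incident group, because TABLE II also shows two ticks for Microsoft Azure, whereas TABLE III reports 11 providers and four in that group. A scripted tally of this kind is the quickest way to reconcile such tables.

```python
"""Tally the TABLE II tick marks and rebuild the TABLE III cross tabulation.

Added example: the data below is transcribed from TABLE II as printed
(number of tick marks per provider per year); all names are ours.
"""
from collections import Counter

YEARS = (2013, 2014, 2015, 2016)

# provider -> {year: number of ticks in that year's column}
TABLE_II = {
    "Adobe":                {2013: 2},
    "Amazon AWS":           {2013: 1, 2014: 1},
    "Apple iCloud":         {2014: 1, 2015: 2, 2016: 1},
    "Dropbox":              {2014: 1},
    "Google-IaaS":          {2015: 2},
    "Home Depot":           {2014: 1},
    "Microsoft Azure":      {2013: 1, 2014: 1},
    "Microsoft Office 365": {2016: 1},
    "Symantec Cloud":       {2016: 1},
    "Target":               {2013: 1},
    "Twitter":              {2016: 1},
    "Verizon Cloud":        {2015: 1, 2016: 1},
}


def incidents_per_provider(table=TABLE_II):
    """Failure rate of each provider: total ticks across the four years."""
    return {provider: sum(ticks.values()) for provider, ticks in table.items()}


def incidents_per_year(table=TABLE_II):
    """Ticks per year column, a breakdown the paper's tables do not print."""
    return {year: sum(ticks.get(year, 0) for ticks in table.values()) for year in YEARS}


def cross_tabulate(per_provider, max_rate=4):
    """TABLE III layout: failure rate -> (count of providers, % of all providers)."""
    by_rate = Counter(per_provider.values())
    total_providers = len(per_provider)
    rows = {}
    for rate in range(1, max_rate + 1):
        count = by_rate.get(rate, 0)
        rows[rate] = (count, round(100.0 * count / total_providers, 1))
    return rows, total_providers


def total_incidents(rows):
    """The paper's total: sum over failure rates of count x rate."""
    return sum(rate * count for rate, (count, _pct) in rows.items())


def providers_with_rate(per_provider, rate):
    """Providers in one failure-rate category, for cross-checking the text."""
    return sorted(p for p, r in per_provider.items() if r == rate)


if __name__ == "__main__":
    per_provider = incidents_per_provider()
    rows, n = cross_tabulate(per_provider)
    print("Failure rate  Count  % of total")
    for rate, (count, pct) in rows.items():
        print(f"{rate:>12}  {count:>5}  {pct:>10}")
    print(f"Providers: {n}, total incidents: {total_incidents(rows)}")
    print("Per year:", incidents_per_year())
    print("Two-incident providers:", providers_with_rate(per_provider, 2))
```

Changing a single tick in TABLE_II is enough to see every derived figure move, which is why the derived rows should be generated rather than typed.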

Fig. 3: Failure rate against count [bar chart not reproduced; x-axis: failure rate 1 to 4, y-axis: count 0 to 7]

In addition to putting in place a framework like Fig. 2 above to facilitate cloud security, one may as a next step tidy up some of the security policies, access control, data privacy, etc. This is addressed in the following section.

VIII. FORMALISING CLOUD SECURITY ASPECTS

The use of Formal Methods (FMs), involving discrete mathematics and logic, has often been proposed as a software methodology to construct provably correct or at least highly dependable software. To this end, numerous formal specification languages have been developed over time to facilitate the construction of correct software; examples are Z [51] and CafeOBJ [52], to name but a few.

An example of how FMs may assist information security is in order.

Example 1

Consider a security policy document containing the following requirement:

• Users shall not use proprietary information for personal purposes.

To avoid ambiguity, a policy writer may opt to formalise the above, potentially ambiguous, natural-language statement. At least two (2) formulations come to the fore:

[1] $\forall x\, \forall y\, \big( \mathit{User}(x) \land \mathit{Proprietary\_Info}(y) \rightarrow \lnot \mathit{Use}(x, y) \big)$

[2] $\forall x\, \big( \mathit{User}(x) \land \forall y\, ( \mathit{Proprietary\_Info}(y) \rightarrow \lnot \mathit{Use}(x, y) ) \big)$

where:

Proprietary_Info(y): y is proprietary information.
User(x): x is a user.
Use(x, y): x uses y for personal purposes.

Naturally, formulae [1] and [2] above are not equivalent, and the question arises which of these is to be preferred by a policy developer. Checking them with a theorem prover such as OTTER [53], or by exhaustive evaluation over small finite domains, shows that [2] → [1], but not the other way round: a one-element domain whose single individual is not a user satisfies [1] vacuously yet falsifies [2]. In [1] any and all users are prohibited from using any and all proprietary information for personal purposes, and nothing is asserted about individuals who are not users. In [2] the conjunct User(x) lies outside the inner quantifier over y, so [2] additionally asserts that every individual in the domain is a user, which is considerably stronger than what the natural-language statement says. Neither formula provides for exemptions; should certain users, say a top-level executive, be allowed to use company information for personal purposes, that has to be written into the formula explicitly. Such scenarios may or may not be allowed, depending on company security policies, and formalisation forces the policy writer to decide.

This example illustrates important aspects around data privacy, confidentiality and access control as prescribed by the relevant security policies of a company. These attributes are embedded in Fig. 2, developed for cloud security, and policy developers may decide to formalise critical aspects of a cloud security policy to remove (at least some) ambiguity in the said policies.

The above presentation, together with Fig. 2, gives a more comprehensive answer to our RQ2.

IX. CONCLUSION

In this work, we surveyed a number of cloud security aspects and constructed a framework for addressing some of the cloud security concerns. Our framework is illustrated in Fig. 2 and its content was synthesised from the information in TABLE I as well as the CIA grouping, augmented by authentication and non-repudiation.

We also surveyed the available literature to identify the major cloud security attack incidents during 2013 – 2016. The rationale for considering these years is to enable us to draw appropriate conclusions on the utilisation of the cloud and its security drawbacks. Furthermore, we have been able to categorise attacks per year as in TABLE II. Service availability was identified as the primary security mechanism affecting cloud computing security. Furthermore, twenty (20) security attacks on cloud computing within a four-year period ought to be a concern for the industry, with Apple's iCloud having been attacked most frequently.

It must be mentioned that the authors of [54] did earlier cloud vulnerability related work covering January 2008 to February 2012, with 172 incidents. Their findings indicate that 56% of the vulnerability incidents were identified in the top three providers, which are Amazon, Google and Microsoft. Our study also identified these top three providers within the last four years. This indicates the significance of our work, namely that vulnerability still manifests in the top three cloud providers, which is a challenging security issue in cloud computing presently.

A number of possibilities for addressing cloud security concerns exist, and we postulated the use of Formal Methods (FMs) to assist cloud developers in designing provably correct solutions. To this end we constructed an example on adhering to data privacy and confidentiality with respect to access control underwritten by an underlying security policy (cf. a component in Fig. 2). Following this approach a developer may choose to formalise any number of components in Fig. 2. We anticipate this to be a rich source for future work in this area, whereby specifiers and designers can specify, develop and verify the correctness and efficiency of a cloud security system.

REFERENCES

[1] R. B. Bohn and J. Messina, “NIST Cloud Computing Reference Architecture,” pp. 594–596, 2011.
[2] X. Zhang, Y. Zhang, X. Zhao, G. Huang, and Q. Lin, “SmartRelationship: a VM relationship detection framework for cloud
[16] … inside and outside the eucalyptus cloud,” ACM Int. Conf. Proceeding Ser., pp. 95–101, 2013.
[17] S. Narula, A. Jain, and Prachi, “Cloud Computing Security: Amazon Web Service,” 2015 Fifth Int. Conf. Adv. Comput. Commun. Technol., pp. 501–505, 2015.
[18] J. Che, Y. Duan, T. Zhang, and J. Fan, “Study on the security models and strategies of cloud computing,” Procedia Eng., vol. 23, pp. 586–593, 2011.
[19] ISO/IEC, “International Standard ISO/IEC 27001,” ISO/IEC, vol. 2005, p. 34, 2005.
[20] R. Saint-Germain, “Information Security Management Best Practice Based on ISO/IEC 17799,” Inf. Manag. J., vol. 39, no. 4, pp. 60–66, 2005.
[21] J. Wei, X. Zhang, G. Ammons, V. Bala, and P. Ning, “Managing security of virtual machine images in a cloud environment,” Proc. 2009 ACM Work. Cloud Comput. Secur. - CCSW ’09, p. 91, 2009.
[22] W. Jansen and T. Grance, “Guidelines on Security and Privacy in Public Cloud Computing,” 2011.
[23] M. Anisetti, C. A. Ardagna, F. Gaudenzi, and E. Damiani, “A certification framework for cloud-based services,” Proc. 31st Annu. ACM Symp. Appl. Comput., pp. 440–447, 2016.
[24] A. Youssef and M. Alageel, “A Framework for Secure Cloud Computing,” Int. J. Comput. Sci., vol. 9, no. 4, pp. 487–500, 2012.
[25] R. K. Chakrawarti and K. Singhai, “The Architechtural Framework for Public Cloud Security,” 2014.
[26] M. Ali, S. U. Khan, and A. V. Vasilakos, “Security in cloud computing: Opportunities and challenges,” Inf. Sci. (Ny)., vol. 305, pp. 357–383, 2015.
[27] B. Hay, K. Nance, and M. Bishop, “Storm clouds rising: Security challenges for IaaS cloud computing,” Proc. Annu. Hawaii Int. Conf. Syst. Sci., pp. 1–7, 2011.
[28] D. A. B. Fernandes, L. F. B. Soares, J. V. Gomes, M. M. Freire, and P. R. M. Inácio, “Security issues in cloud environments: A survey,” Int. J. Inf. Secur., vol. 13, no. 2, pp. 113–170, 2014.
management,” Proc. 6th Asia-Pacific Symp. Internetware Internetware [29] S. Pearson, Privacy , Security and Trust in Cloud Computing. Springer-
- INTERNETWARE 2014, pp. 72–75, 2014. Verlag, 2013.
[3] K. Bilal, S. U. R. Malik, O. Khalid, A. Hameed, E. Alvarez, V. [30] M. Jouini and L. B. A. Rabai, “Surveying and analyzing security
Wijaysekara, R. Irfan, S. Shrestha, D. Dwivedy, M. Ali, U. Shahid problems in cloud computing environments,” Proc. - 2014 10th Int.
Khan, A. Abbas, N. Jalil, and S. U. Khan, “A taxonomy and survey on Conf. Comput. Intell. Secur. CIS 2014, pp. 689–693, 2015.
Green Data Center Networks,” Futur. Gener. Comput. Syst., vol. 36, [31] M. Almorsy, J. Grundy, and A. S. Ibrahim, “Supporting automated
no. c, pp. 189–208, 2014. vulnerability analysis using formalized vulnerability signatures,” Proc.
[4] C. Shruti and V. S. Dexit, “Cloud Computing,” vol. 40, no. 2, pp. 145– 27th IEEE/ACM Int. Conf. Autom. Softw. Eng. - ASE 2012, p. 100,
162, 2010. 2012.
[5] H. Yu, N. Powell, D. Stembridge, and X. Yuan, “Cloud computing and [32] U. Nasir and M. Niazi, “Cloud computing adoption assessment model
security challenges,” Proceeding ACM-SE ’12 Proc. 50th Annu. (CAAM),” Profes ’11, vol. 44, no. 0, pp. 34–37, 2011.
Southeast Reg. Conf., p. 298, 2012. [33] B. Kitchenham, O. Pearl Brereton, D. Budgen, M. Turner, J. Bailey,
[6] P. A. Boampong and L. A. Wahsheh, “Different facets of security in and S. Linkman, “Systematic literature reviews in software engineering
the cloud,” Proc. 15th Commun. Netw. Simul. Symp., p. 5, 2012. – A systematic literature review,” Inf. Softw. Technol., vol. 51, no. 1,
[7] M. Carroll, A. van der Merwe, and P. Kotzé, “Secure cloud computing: pp. 7–15, Jan. 2009.
Benefits, risks and controls,” in 2011 Information Security for South [34] A. Vorster and L. Labuschagne, “A framework for comparing different
Africa, 2011, pp. 1–9. information security risk analysis methodologies,” SAICSIT ’05 Proc.
[8] I. Gul, a ur Rehman, and M. H. Islam, “Cloud computing security 2005 Annu. Res. Conf. South African Inst. Comput. Sci. Inf. Technol. IT
auditing,” Next Gener. Inf. Technol. (ICNIT), 2011 2nd Int. Conf., pp. Res. Dev. Ctries., no. July 2005, pp. 95–103, 2005.
143–148, 2011. [35] O. A. Ajigini, J. A. Van Der Poll, and J. H. Kroeze, “Towards a model
[9] P. Samarati, “Data Security and Privacy in the Cloud,” 2015. on security challenges during closed source software to OSS
[10] M. Hussain and H. Abdulsalam, “SECaaS: security as a service for migrations,” 2014 9th Int. Conf. Internet Technol. Secur. Trans. ICITST
cloud-based applications,” Proc. Second Kuwait Conf. e-Services e- 2014, pp. 274–283, 2012.
Systems - KCESS ’11, pp. 1–4, 2011. [36] M. L. Hale and R. Gamble, “Risk propagation of security SLAs in the
[11] A. Bouti and J. Keller, “Securing cloud-based computations against cloud,” 2012 IEEE Globecom Work. GC Wkshps 2012, pp. 730–735,
malicious providers,” ACM SIGOPS Oper. Syst. Rev., vol. 46, no. 2, p. 2012.
38, 2012. [37] M. L. Hale and R. Gamble, “Building a compliance vocabulary to
[12] K. Dahbur, B. Mohammad, and A. B. Tarakji, “A Survey of Risks, embed security controls in cloud SLAs,” Proc. - 2013 IEEE 9th World
Threats and Vulnerabilities in Cloud Computing,” Computing, pp. 1–6, Congr. Serv. Serv. 2013, pp. 118–125, 2013.
2011. [38] K. Salah, J. M. Alcaraz Calero, S. Zeadally, S. Al-Mulla, and M.
[13] ISO, “ISO/IEC Std. ISO 27002:2005, Information Technology - Alzaabi, “Using cloud computing to implement a security overlay
Security Techniques - Code of Practice for Information Security network,” IEEE Secur. Priv., vol. 11, no. 1, pp. 44–53, 2013.
Management,” 2005. [39] Z. Wan, L. June, and R. Deng, “HASBE: A Hierarchical Attribute-
[14] M. Whitman and H. Mattord, “Principles of information security,” Based Solution for Flexible and Scalable Access Control in Cloud
Thompson Course Technology, no. 3, 2009. Computing,” IEEE Trans. Inf. FORENSICS Secur., vol. 217, no. 2, pp.
[15] M. Lauer, “Data Security in the Cloud Why Cloud Computing ?,” 1946–1951, 2013.
Seminar, pp. 61–64, 2011. [40] Y. Xia, Y. Liu, H. Chen, and B. Zang, “Defending against VM rollback
[16] M. Gusev, S. Ristov, and a Donevski, “Security vulnerabilities from attack,” Proc. Int. Conf. Dependable Syst. Networks, 2012.

255
[41] Z. Wang, C. Wu, M. Grace, and X. Jiang, “Isolating commodity hosted [48] R. Sidel, “Home Depot’s 56 Million Card Breach Bigger Than
hypervisors with HyperLock,” Proc. 7th ACM Eur. Conf. Comput. Syst. Target’s,” The Wall Street Journal, 2014. [Online]. Available:
- EuroSys ’12, p. 127, 2012. https://www.wsj.com/articles/home-depot-breach-bigger-than-targets-
[42] P. Siani, “Privacy and Security for Cloud Computing,” in Computer 1411073571.
Communications and Networks, 2013, pp. 1–42. [49] P. Olson, “Apple’s iCloud Services Slow To A Crawl,” Forbes, 2015.
[43] K. Höne and J. H. P. Eloff, “Information security policy — what do [Online]. Available:
international information security standards say?,” Comput. Secur., vol. https://www.forbes.com/sites/parmyolson/2015/05/21/apples-icloud-
21, no. 5, pp. 402–409, 2002. services-slow-to-a-crawl/#183834a95d85.
[44] A. Da Veiga and J. H. P. Eloff, “An Information security governance [50] Symantec, “Internet Security Threat Report,” no. April, pp. 1–77, 2017.
framework,” Inf. Syst. Manag., vol. 24, no. 4, pp. 361–372, 2007. [51] J.M. Spivey, “The Z notation: A reference manual”, 2nd ed. Oxford,
[45] S. Hassan, A. A. Kamboh, and F. Azam, “Analysis of Cloud 2001. [Online]. Available:
Computing Performance, Scalability, Availability, & Security,” 2014. http://spivey.oriel.ox.ac.uk/mike/zrm/zrm.pdf.
[46] A. Levin, “Why the Adobe Hack Scares Me — And Why It Should [52] R. Diaconescu and K. Futatsugi, “CafeOBJ Report: The Language,
Scare You,” Huffpost, 2014. [Online]. Available: Proof Techniques, and Methodologies for Object-Oriented Algebraic
http://www.huffingtonpost.com/adam-levin/why-the-adobe-hack- Specification”, (Amast Series in Computing) Hardcover, July 1998.
scares_b_4277064.html. [53] W. McCune, W., 1994. “Otter 3.0 reference manual and guide (Vol.
[47] CBCNews, “Target data hack affected 70 million people,” 2014. 9700) ”, Argonne, IL: Argonne National Laboratory, 1994.
[Online]. Available: http://www.cbc.ca/news/business/target-data-hack- [54] R. Ko, S. Lee, and V. Rajan, “Cloud Computing Vulnerability
affected-70-million-people-1.2491431. Incidents: A Statistical Overview,” Cloud Secur. Alliance, p. 21, 2013.

256

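Returning to the two formalisations [1] and [2] of the access-control policy given earlier: they are not logically equivalent, and the added example below (not code from the paper) evaluates both over a small finite model, the way a policy checker or model finder would, to make the difference visible. The predicate vocabulary (User, Proprietary_Info, Use) is the paper's; the entities and the Use relation are constructed.

```python
"""Finite-model check of formulations [1] and [2] of the proprietary-information policy.
Added example; the vocabulary is the paper's, the models below are constructed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Model:
    domain: frozenset              # every entity the quantifiers range over
    users: frozenset               # extension of User(x)
    proprietary: frozenset         # extension of Proprietary_Info(y)
    use: frozenset = frozenset()   # pairs (x, y) for which Use(x, y) holds


def formulation_1(m: Model) -> bool:
    """[1]  forall x forall y ( User(x) and Proprietary_Info(y) -> not Use(x, y) )."""
    return all(x not in m.users or y not in m.proprietary or (x, y) not in m.use
               for x, y in product(m.domain, repeat=2))


def formulation_2(m: Model) -> bool:
    """[2]  forall x ( User(x) and forall y ( Proprietary_Info(y) -> not Use(x, y) ) )."""
    return all(x in m.users
               and all(y not in m.proprietary or (x, y) not in m.use for y in m.domain)
               for x in m.domain)


def all_users(m: Model) -> bool:
    """forall x User(x): the extra commitment [2] makes and [1] does not."""
    return m.domain <= m.users


def violations(m: Model) -> list:
    """Counterexamples to [1], i.e. a User using Proprietary_Info (what an audit reports)."""
    return sorted((x, y) for x, y in m.use if x in m.users and y in m.proprietary)


# Constructed models: two staff accounts, one proprietary document, one public document.
DOMAIN = frozenset({"alice", "bob", "design_doc", "press_kit"})
CLEAN = Model(DOMAIN, frozenset({"alice", "bob"}), frozenset({"design_doc"}),
              frozenset({("alice", "press_kit")}))
LEAK = Model(DOMAIN, CLEAN.users, CLEAN.proprietary,
             frozenset({("alice", "press_kit"), ("bob", "design_doc")}))

if __name__ == "__main__":
    for name, m in (("clean", CLEAN), ("leak", LEAK)):
        print(f"{name}: [1]={formulation_1(m)} [2]={formulation_2(m)} "
              f"all_users={all_users(m)} violations={violations(m)}")
```

On CLEAN, [1] holds while [2] fails, because the documents in the domain do not satisfy User(x); in general [2] is equivalent to [1] conjoined with ∀x User(x), so a specifier who picks [2] commits to more than the access-control reading of the sentence.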