A Classification and Characterization of Security Threats in Cloud Computing
All content following this page was uploaded by Tariqul Islam on 16 September 2016.
Tariqul Islam and D. Manivannan
Department of Computer Science
University of Kentucky
Lexington, KY 40506
email: {pavel.tariq@, mani@cs.}uky.edu
Sherali Zeadally
College of Communication and Information
University of Kentucky
Lexington, KY 40506
email: {[email protected]}
Abstract
Security and privacy are the most critical issues that need to be addressed in designing a
computing environment that is reliable and trustworthy. Like all other computing paradigms, Cloud
Computing is no different. Since data and storage are outsourced to third party service providers,
users lose direct control of data management and have to depend solely on the providers who may
not always be dependable. This distinctive feature of Cloud Computing makes it susceptible to
several security threats and vulnerabilities. Although some of the security issues such as network and
virtualization security, authentication, access control, confidentiality, and integrity are not new to
computing, the effect of such issues is exacerbated in cloud environment because of the unique
features (e.g., multi-tenancy, data and resource sharing, virtualization, etc.) it possesses. In this paper,
we classify and characterize the various security and privacy challenges associated with cloud
computing.
Key words: Cloud Computing, Multi-tenancy, Privacy, Security, Threat, Virtualization, Vulnerability
1 Introduction
Due to the advantages such as flexibility and availability in obtaining computing resources at lower cost, interest
in cloud computing has gained tremendous momentum in the last few years [6]. Cloud Computing is an
abstraction based on the idea of pooling physical resources and presenting them as virtual resources. It is indeed a
novel model for provisioning resources, staging applications, and platform-independent consumer access to
services [63]. One of the widely used definitions of Cloud Computing is by NIST: “Cloud computing is a model
for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction” [46].
Cloud Computing has become one of the fastest growing paradigms of the modern computing world. Since users
pay only for the services they use, organizations’ initial investment in adopting the cloud is very low [2].
Organizations now have the flexibility to acquire resources or services on demand. As a result, development
initiatives are now at lower risk of missing the business targets [45]. In the last few years, researchers have
extensively studied various aspects of Cloud Computing including Resource Management [54, 25, 47, 81, 44, 51,
48, 75], Access Control [23, 10], Security and Auditing [68, 77, 19, 69, 64, 71, 38], and issues related to Cloud
Federation [18, 32, 11]. There are also several general surveys, one survey on scientometric analysis of cloud
literature [24] and one on cloud migration [29]. The demand for cloud services is increasing at a rapid pace,
causing cloud service providers to overcome their limitations by creating a robust architecture to guarantee
sustainable service [12]. Quality of Service (QoS) is another important factor that needs to be met by a service
provider under a service level agreement [4]. Moreover, highly scalable networks, load balancing capabilities,
and the ability to provide failover make Cloud Computing services highly reliable. By outsourcing IT services to
third party providers, companies can focus more on their core business [63]. Despite the ever-growing interest
in the cloud and the plethora of services offered at a reasonable cost, Cloud Computing is susceptible to numerous
threats and vulnerabilities. Several surveys [2, 30, 4] and technical journal articles [66, 84] published by industry
experts indicate that security and privacy are the most prevailing barriers that are delaying its large-scale
adoption. In the Berkeley view of Cloud
Computing [6], the following ten obstacles have been identified to be hindering the widespread deployment of
Cloud Computing: 1) availability of service, 2) data lock-in, 3) data confidentiality and auditability, 4) data
transfer bottlenecks, 5) performance unpredictability, 6) scalable storage, 7) bugs in large distributed systems, 8)
scaling quickly, 9) reputation fate sharing, and 10) software licensing. Besides these, the use of virtualization
technology also introduces potential threats like hypervisor vulnerabilities, virtual machine sprawl, virtual
machine side channel attacks, etc. [52, 57, 83]. Therefore, it is crucial to have a clear understanding of the security
threats associated with Cloud Computing.
Researchers are constantly identifying security and privacy loopholes in Cloud Computing. Morsi et al. [49]
have analyzed the existing challenges and grouped them according to architecture, service delivery model, cloud
characteristic, and cloud stakeholder related issues. Jensen et al. [34] have focused only on the technical security
issues that arise from the usage of cloud services, especially issues related to the underlying cloud infrastructure.
Subashini et al. [65] have presented a survey on security issues based on the service delivery models, emphasizing
mainly SaaS issues. Similar work has been done by Bhadauria et al. [9], who discussed security challenges
relating to the public cloud. They have also analyzed security at different levels (i.e., Network, Host, and
Application level). Security and privacy challenges in Cloud Computing have also been extensively surveyed by
other researchers [21, 20, 53, 31]. Although these surveys are valuable, they lack a comprehensive approach.
Most of the classifications have focused on specific issues such as service delivery models, deployment models,
or cloud infrastructures. Some of them did not discuss the threats associated with other distributed computing systems
that can become more threatening in Cloud Computing environments. Identity management, access control,
governance, legal, and compliance issues are not covered in some of the surveys. Gonzalez et al. [20] have
presented the most extensive classification on cloud security issues in recent times. They have used a quantitative
approach to identify the number of references related to each category of challenges and their solutions. Thus,
they provided some insight on the issues that have received attention from the researchers and the issues which
have not received much attention. Although they have succeeded in presenting a taxonomy of cloud security,
they did not delve into technical details. Therefore, a complete characterization and classification of security and
privacy issues in cloud computing is needed. From a consumer’s perspective, it is vital to identify and analyze the
critical issues before deciding to outsource their sensitive data to cloud.
In this paper, we identify a variety of security and privacy threats and vulnerabilities along with some related
governance and legal concerns that are considered to hinder the growth of Cloud Computing. Following are the
major contributions of this work:
• We have summarized the important issues related to security in Cloud Computing, as identified by ENISA,
CSA, and NIST.
• We identified, characterized and classified the major security threats and vulnerabilities in Cloud Computing
systems. Unlike existing surveys, our classification and characterization gives a clear picture of the security
threats in Cloud Computing systems which are barriers for the widespread adoption of Cloud Computing.
• We want to emphasize that we do not present a survey of existing solutions proposed for various security
threats in the Cloud environment. This is beyond the scope of this work.
The paper is organized as follows. In Section 2, we present an overview of Cloud Computing that
includes its key characteristics, and its service and deployment models. In Section 3, we highlight three existing
frameworks that focus on the critical threats and vulnerabilities in this field. In Section 4, we identify and
classify the main security and privacy issues in Cloud Computing, and Section 5 concludes the paper by
summarizing the issues presented in the paper.
Broad Network Access: Services are available over the network and can be accessed from heterogeneous platforms
(e.g., laptops, cell phones, and PDAs) through standard interfaces.
Resource Pooling: Service providers’ physical and virtual resources are dynamically allocated and de-allocated to
the clients according to their changing needs in a location-independent manner.
Rapid Elasticity: Computing capabilities can be rapidly provisioned to quickly scale out and rapidly released
to quickly scale in.
Measured Service: Resource usage is monitored and measured; therefore, users pay only for the services they use.
• Data Breaches: An organization’s sensitive internal data can fall into the hands of its counterparts due to
side channel timing attacks on the virtual machines. This type of attack can be designed to extract private
cryptographic keys that are used in other virtual machines residing on the same physical server.
• Data Loss: Stored data can be lost due to accidental deletion, loss of encryption key, or worse, a physical
catastrophe such as flood, earthquake, fire, etc.
• Account or Service Traffic Hijacking: Phishing, fraud, and exploitation of software vulnerabilities help
attackers gain access to customer credentials, which in turn aids subsequent attacks.
• Insecure Interfaces and APIs: Cloud service providers and third parties use application programming
interfaces to offer different services to customers. Lack of a robust identity and access management policy can
lead to additional complexities and may increase the risk as well.
• Denial of Service: Attackers generate a huge number of fake requests to a certain cloud server so that the
server is forced to consume processor power, memory, disk space, and network bandwidth. This eventually
causes an intolerable system slowdown and keeps other customers off the service.
• Malicious Insiders: System administrators, current or former employees, contractors, or other third party
service providers who have or had the access privilege may misuse it and may cause intentional damage,
affecting the confidentiality, integrity, and availability of an organization’s sensitive data.
• Insufficient Due Diligence: Lack of proper understanding of the service provider environment and improper
assessment of the operational ins-and-outs may put an organization into a critical situation if it rushes to
adopt the technology.
• Shared Technology Vulnerabilities: Hypervisor vulnerabilities, cross-VM side channel attacks, VM sprawl,
and many other possible threats due to the shared multi-tenant architecture can expose the entire
environment to a potential compromise.
• Loss of Governance: Transferring data to the cloud means transferring the control to the service provider.
On a number of issues this may have security implications.
• Lock-in: Since there is no well-established standard for data and service portability, dependency on a
particular cloud service provider often makes it tough for the client to migrate from one provider to
another.
• Insecure or Incomplete Data Deletion: Deleting data from the Cloud storage does not guarantee that it will
be inaccessible in the future. In fact, if data is not securely erased by the provider or the disk is not encrypted
by the client, data could be reconstructed later.
• Availability Chain: A Cloud service provider can delegate some of its work to a third party or can even use
the service of another service provider. Thus, a potential for cascading failures is created that may affect
service availability.
Next, we classify and characterize the key security threats and vulnerabilities in Cloud Computing.
4.2.2 VM Escape
Virtual machines are designed to support strong isolation between the host and the VMs. However, vulnerabilities
in the operating system running inside a VM can help attackers insert a malicious program into it. When that
program is run, the VM breaks the isolation boundary and starts communicating with the operating system directly,
bypassing the Virtual Machine Monitor (VMM) layer. Such an exploit opens the door for attackers to gain access
to the host machine and launch further attacks [42].
4.2.3 VM Sprawl
VM sprawling occurs when a large number of virtual machines exist in the environment without proper
management or control. Since they retain the system resources (i.e., memory, disks, network channels etc.) during
this period, these resources cannot be assigned to other VMs, and they are effectively lost [42]. Dabrowski et al.
[14] demonstrate two circumstances that can cause VM sprawling and contribute to the creation of orphan VMs.
VMs are usually allocated and terminated upon request from the users, and the system generates the
acknowledgement messages in response. The problem arises when VM creation or termination is completed but
the messages are lost in transit. Users retry by generating new requests until they become successful, and this
causes orphan VMs to grow in number. Eventually system resources get exhausted and that leads to a collapse in
the overall performance of the system. Migrating the orphan VMs to another lightly-loaded physical server may
solve the issue to a certain extent. But, ensuring the same level of security configurations, Quality of Service
(QoS), and enforcing privacy policies is always a challenge [59].
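The lost-acknowledgement scenario above can be reproduced in a small model. The following Python code is an added example, not code from this paper or from [14]; the `Provider` class, the request tokens, the fixed loss pattern and the reconciliation sweep in `find_orphans` are all assumptions made for illustration, and reusing one token per logical VM is a mitigation introduced here for contrast rather than one the paper proposes.

```python
# Added illustration (constructed model, not code from the paper or from Dabrowski et al.).
from itertools import count, cycle


class Provider:
    """Toy control plane: each VM it creates holds resources until terminated."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.vms = {}        # vm_id -> token of the request that created it
        self.by_token = {}   # token -> vm_id, so a repeated token is not re-executed
        self._next = count(1)

    def create_vm(self, token):
        if token in self.by_token:          # same request seen before: replay the answer
            return self.by_token[token]
        if len(self.vms) >= self.capacity:
            raise RuntimeError("resource pool exhausted")
        vm_id = f"vm-{next(self._next)}"
        self.vms[vm_id] = token
        self.by_token[token] = vm_id
        return vm_id


def provision(provider, wanted, ack_lost, reuse_token, max_attempts=10):
    """Ask for `wanted` VMs over a channel that loses acknowledgements.

    Returns (known, exhausted): the VM ids the user received an ack for, and
    whether the provider ran out of resources before all requests were served.
    """
    known = set()
    for n in range(wanted):
        for attempt in range(max_attempts):
            # Failure case from the text: every retry is a brand-new request.
            # Assumed mitigation: one token per logical VM, reused on retry.
            token = f"req-{n}" if reuse_token else f"req-{n}-try-{attempt}"
            try:
                vm_id = provider.create_vm(token)
            except RuntimeError:
                return known, True
            if not next(ack_lost):          # acknowledgement reached the user
                known.add(vm_id)
                break
    return known, False


def find_orphans(provider, known):
    """Reconciliation sweep: VMs holding resources that no user has a handle to."""
    return set(provider.vms) - known


def run(reuse_token, capacity=12, wanted=5):
    """Run one scenario and summarize what the provider holds versus what users know."""
    ack_lost = cycle([True, True, False])   # constructed pattern: 2 of every 3 acks lost
    provider = Provider(capacity)
    known, exhausted = provision(provider, wanted, ack_lost, reuse_token)
    return {
        "created": len(provider.vms),
        "known": len(known),
        "orphans": len(find_orphans(provider, known)),
        "exhausted": exhausted,
    }


if __name__ == "__main__":
    print("fresh request per retry:", run(reuse_token=False))
    print("token reused on retry:  ", run(reuse_token=True))
```

With a fresh request per retry, the pool of 12 is exhausted after only four usable VMs; with a reused token the same five requests consume five VMs and the sweep finds nothing to reclaim.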
Identity Management: Secure and efficient management of provisioning and deprovisioning of users to systems
and applications is one of the major challenges in Cloud Computing [1]. Frequent changes in users’ roles
and responsibilities inside the organization, turnover of users, and changes in the business (e.g., mergers and
acquisitions, process outsourcing) are the factors that affect establishing a sustainable IAM process [45].
Authentication: Authenticating the identity of a user or a system in a secure and dependable way is another key
issue. Other challenges include proper credential management, ensuring robust authentication, compliance
with the password standard, encryption management, and managing trust across all types of cloud services
[45, 1].
Authorization and Access Control: Establishing fine-grained authorization and access control policies for users to
access the system’s resources (i.e., applications, databases, etc.) is another vital requirement [1]. In addition
to providing cloud-based identity and access management services, adapting to the continuous changes in
users’ roles or privileges and maintaining control over access to resources are also challenging [30].
Federation Management: Federated identity management lets organizations authenticate their users (providing
a single sign-on facility) by exchanging identity information between the Service Provider (SP) and the
Identity Provider (IdP) [78]. Since identity information is dynamically distributed across security
domains, it poses significant security and privacy challenges. An insecure communication network and a weak
user authentication scheme in the Web identity chain can lead to replay attacks, session hijacking, and
phishing attacks [43]. Furthermore, reliance on the IdP for identity management may cause identity theft and
data breaches if the IdP behaves maliciously [22].
4.4.1 Data Confidentiality
Confidentiality refers to limiting information access and disclosure only to authorized users or systems. One of
the fundamental principles of confidentiality is “need-to-know” or “least privilege” [84]. In effect, access to vital
and sensitive information should be restricted only to those individuals or systems that have a specific need to
get or use that information. In a cloud computing environment, due to the large number of parties, devices and
applications involved, the number of access points also increases. Therefore, the risk of data breaches increases
as well. The potential concerns that might affect confidentiality of the data stored in a public Cloud are: 1) access
control (authentication and authorization) mechanisms, 2) data protection scheme, 3) encryption algorithm used,
and 4) encryption key management.
request. As the only protection is at the application level, a single vulnerability at this level threatens the data
of all tenants which could also lead to cross-tenant data leakage, making the cloud much less secure than
dedicated physical resources [16].
4.5 Governance
In a Cloud environment, the consumer relinquishes control to the Cloud service provider on a number of critical
issues (e.g., policies, procedures, and security mechanisms of deployed services) that have security implications
[2, 20]. Following are the issues that stem from this loss of governance:
Improper Data Sanitization: If data is not securely erased by the service provider, data could be reconstructed
later from the disk (considering disks are not encrypted by the client).
Data and Information Leakage: From consumers’ perspective, transferring data to the Cloud means giving up
control over the data backup procedures, file systems, redundancy, security policies, and other relevant
configurations.
Vendor Lock-in: No firmly-established standard exists yet for data and service portability in the Cloud Computing
environment. Therefore, if a consumer becomes dependent on a particular service provider then it would be
difficult to migrate to another service provider.
Data Location: Data can be stored redundantly in multiple geographical locations and detailed information about
the data location may not be disclosed to the client. That means, when data crosses borders, the governing,
legal, compliance, and regulatory administrations can be ambiguous and raise a variety of other security
concerns.
Contracts and Electronic Discovery: Legal issues may arise when dealing with electronic discovery that involves
the identification, collection, and analysis of stored data in the discovery phase of a litigation.
Laws and Regulations: Different countries have different types of security and privacy laws and regulations at
various levels (i.e., local, national, state, etc.), which makes legal and compliance issues more complicated.
A summary of the security threats and vulnerabilities discussed in Section 4 is presented in Table 1.
5 Conclusion
In this paper, we discussed the essential characteristics of the cloud, its service delivery and deployment models,
compelling reasons for adopting it, and the barriers that hinder its wide adoption. We also surveyed three
well-known cloud security frameworks, namely ENISA, CSA, and NIST, that aim to provide a compilation of risks,
vulnerabilities and also the best practices to resolve them. These three entities provide a comprehensive overview
of the current security, privacy, and trust issues, and thus help in understanding the current status of Cloud
security. Then, we presented a variety of security and privacy concerns associated with Cloud Computing,
identified major threats and vulnerabilities, and classified them into six categories: Network Security,
Virtualization and Hypervisor Security, Identity and Access Management, Data and Storage Security, Governance,
and Legal and Compliance issues. Each of these categories identified several threats and vulnerabilities, resulting
in further classification. It is evident from our discussion that for the widespread adoption of the cloud, these
issues must be addressed thoroughly. Therefore, enrichment of the existing solution techniques as well as more
innovative approaches to mitigate these problems are needed. Though Cloud Computing is a hot area, it is
still in its infancy, and its widespread adoption will depend mostly on how the ever-increasing security concerns
will be addressed in the upcoming days.
References
[1] CSA DOMAIN 12. https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf.
[2] ENISA, Cloud Computing: Benefits, Risks and Recommendations for Information Security.
https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment.
[3] Security Guidance for Critical Areas of Focus in Cloud Security Computing V3.0.
http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf.
[4] CLOUD SECURITY ALLIANCE. The Notorious Nine: Cloud Computing Top Threats in 2013.
[5] G. I. Apecechea, M. S. Inci, T. Eisenbarth, and B. Sunar. Fine Grain Cross-VM Attacks on Xen and
VMware. In Proc. BDCloud, pages 737–744, 2014.
[6] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R.H. Katz, A. Konwinski, G. Lee, D.A. Peterson, A. Rabkin,
I. Stoica, and M. Zaharia. Above the Clouds: A Berkeley View of Cloud Computing. Technical Report
UCB/EECS-2009-28, University of California at Berkeley,
eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.html, 2009.
[7] M. R. Asghar, M. Ion, G. Russello, and B. Crispo. Securing Data Provenance in the Cloud. In Proc. iNetSeC,
pages 145–160, 2011.
[8] G. Ateniese, R. D. Pietro, L.V. Mancini, and G. Tsudik. Scalable and Efficient Provable Data Possession. In
Proceedings of SecureComm, 2008.
[9] R. Bhadauria and S. Sanyal. Survey on Security Issues in Cloud Computing and Associated Mitigation
Techniques. CoRR abs/1204.0764, April 2012.
[10] J.M. Alcaraz Calero, N. Edwards, J. Kirschnick, L. Wilcock, and M. Wray. Toward a Multi-Tenancy
Authorization System for Cloud Services. IEEE Security & Privacy, 8(6):48–55, Nov.-Dec. 2010.
[11] H.C.H. Chen and P.P.C. Lee. Enabling Data Integrity Protection in Regenerating-Coding-Based Cloud
Storage: Theory and Implementation. IEEE Transactions on Parallel and Distributed Systems, 25(2):407–
416, 2014.
[12] R. Chow, P. Golle, M. Jakobsson, E. Shi, J. Staddon, R. Masuoka, and J. Molina. Controlling Data in the
Cloud: Outsourcing Computation without Outsourcing Control. In Proc. of the 2009 ACM Workshop on
Cloud Computing Security, pages 85–90, 2009.
[13] C. Chu, S.S.M. Chow, W. Tzeng, J. Zhou, and R.H. Deng. Key-Aggregate Cryptosystem for Scalable Data
Sharing in Cloud Storage. IEEE Transactions on Parallel and Distributed Systems, 25(2):468–477, 2014.
[14] C. Dabrowski and K. Mills. VM Leakage and Orphan Control in Open-Source Clouds. In Proc. 3rd IEEE
International Conference on Cloud Computing Technology and Science (CloudCom), pages 554–559, 2011.
[15] C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia. Dynamic Provable Data Possession. In Proceedings
of the 16th ACM Conference on Computer and Communications Security, 2009.
[16] M. Factor, D. Hadas, A. Hamama, N. Har’El, E.K. Kolodner, A. Kurmus, and A. Shulman-Peleg. Secure
Logical Isolation for Multi-tenancy in Cloud Storage. In Proc. MSST, pages 1–5, 2013.
[17] A.J. Feldman, W.P. Zeller, M.J. Freedman, and E.W. Felten. SPORC: Group Collaboration using Untrusted
Cloud Resources. In Proc. OSDI, pages 337–350, 2010.
[18] Yuan Feng, Baochun Li, and Bo Li. Price Competition in an Oligopoly Market with Multiple IaaS Cloud
Providers. IEEE Transactions on Computers, 63(1):59–73, January 2014.
[19] M. Godfrey and M. Zulkernine. Preventing Cache-Based Side-Channel Attacks in a Cloud Environment.
IEEE Transactions on Cloud Computing, 2(4):395–408, Oct.-Dec. 2014.
[20] N. Gonzalez, C. Miers, F. Redígolo, T. Carvalho, M. Simplício, M. Naslund, and M. Pourzandi. A
Quantitative Analysis of Current Security Concerns and Solutions for Cloud Computing. In Proc. of 3rd
IEEE CloudCom, 2011.
[21] B. Grobauer, T. Walloschek, and E. Stocker. Understanding Cloud Computing Vulnerabilities. IEEE Security
& Privacy, 9(2):50–57, March-April 2011.
[22] M. Hackett and K. Hawkey. Security, Privacy and Usability Requirements for Federated Identity. In
Proceedings of the Workshop on Web 2.0 Security & Privacy, 2012.
[23] Heng He, Ruixuan Li, Xinhua Dong, and Zhao Zhang. Secure, Efficient and Fine-Grained Data Access
Control Mechanism for P2P Storage Cloud. IEEE Transactions on Cloud Computing, 2(4):471–484,
Oct.-Dec. 2014.
[24] L. Heilig and S. Voss. A Scientometric Analysis of Cloud Computing Literature. IEEE Transactions on
Cloud Computing, 2(3):266–278, July-Sept. 2014.
[25] Hua-Jun Hong, De-Yu Chen, Chun-Ying Huang, and Kuan-Ta. Placing Virtual Machines to Optimize Cloud
Gaming Experience. IEEE Transactions on Cloud Computing, 3(1):42–53, Jan.- March 2015.
[26] I. Hydara, A. Bakar, M. Sultan, H. Zulzalil, and Novia Admodisastro. Current State of Research on Cross-
site Scripting (XSS) - A Systematic Literature Review. Information & Software Technology, 58:170–186,
Feb. 2015.
[27] A.S. Ibrahim, J. Hamlyn-Harris, and J. Grundy. Emerging Security Challenges of Cloud Virtual
Infrastructure. In Proc. of APSEC Cloud Workshop, 2010.
[28] J.C. Roberts II and W. Al-Hamdani. Who Can You Trust in the Cloud? A Review of Security Issues Within
Cloud Computing. In Proc. of the Information Security Curriculum Development Conference, pages 15–19,
2011.
[29] P. Jamshidi, A. Ahmad, and C. Pahl. Cloud Migration Research: A Systematic Review. IEEE Transactions
on Cloud Computing, 1(2):142–157, July-December 2013.
[30] W. Jansen and T. Grance. Guidelines on Security and Privacy in Public Cloud Computing Special
Publication. http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf.
[31] W.A. Jansen. Cloud Hooks: Security and Privacy Issues in Cloud Computing. In Proc. 44th Hawaii
International Conference on Systems Science, January 2011.
[32] C. Jayalath, J. Stephen, and P. Eugster. Universal Cross-Cloud Communication. IEEE Transactions on Cloud
Computing, 2(2):103–116, April-June 2014.
[33] M. Jensen, N. Gruschka, and Ralph Herkenhöner. A Survey of Attacks on Web Services. Computer
Science - R&D, 24(4):185–197, Nov. 2009.
[34] M. Jensen, J. Schwenk, N. Gruschka, and L.L. Iacon. On Technical Security Issues in Cloud Computing. In
Proc. of IEEE International Conference on Cloud Computing, pages 109–116, 2009.
[35] I. M. Khalil, A. Khreishah, and M. Azeem. Cloud Computing Security: A Survey. Computers, 3(1):1–35,
Mar. 2014.
[36] H. R. Kouchaksaraei and A. G. Chefranov. Countering Wrapping Attack on XML Signature in SOAP
Message for Cloud Computing. CoRR, abs/1310.0441, 2013.
[37] M. Le and Y. Tamir. ReHype: Enabling VM Survival Across Hypervisor Failures. In Proc. VEE, pages 63–
74, 2011.
[38] Jin Li, Jingwei Li, Xiaofeng Chen, Chunfu Jia, and Wenjing Lou. Identity-Based Encryption with
Outsourced Revocation in Cloud Computing. IEEE Transactions on Computers, 64(2):425–437, Feb. 2015.
[39] A. Liu, Y. Yuan, and A. Stavrou. QLProb: A Proxybased Architecture towards Preventing SQL Injection
Attacks. In Proc. SAC, March 2009.
[40] X. Liu, Y. Zhang, B. Wang, and J. Yan. Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the
Cloud. IEEE Transactions on Parallel and Distributed Systems, 24(6):1182–1191, 2013.
[41] F. Lombardi and R. D. Pietro. Secure Virtualization for Cloud Computing. Journal of Network and
Computer Applications, 34(4):1113–1122, July 2011.
[42] S. Luo, Z. Lin, X. Chen, Z. Yang, and J. Chen. Virtualization Security for Cloud Computing Services. In
Proc. Int. Conf on Cloud and Service Computing, pages 174–179, December 2011.
[43] E. Maler and D. Reed. The Venn of Identity: Options and Issues in Federated Identity Management. IEEE
Security & Privacy, 6(2):16–23, Apr. 2008.
[44] C. Mastroianni, M. Meo, and G. Papuzzo. Probabilistic Consolidation of Virtual Machines in Self-
Organizing Cloud Data Centers. IEEE Transactions on Cloud Computing, 1(2):215–228, July-December
2013.
[45] T. Mather, S. Kumaraswamy, and S. Latif. Cloud Security and Privacy: An Enterprise Perspective on Risks
and Compliance - 1st edition. O’Reilly Media, 2009.
[46] P. Mell and T. Grance. The NIST Definition of Cloud Computing - Special Publication 800-145. National
Institute of Standards and Technology, August 2011.
[47] I. S. Moreno, P. Garraghan, P. Townend, and Jie Xu. Analysis, Modeling and Simulation of Workload
Patterns in a Large-Scale Utility Cloud. IEEE Transactions on Cloud Computing, 2(2):208–221, April-June
2014.
[48] H. Morshedlou and M. R. Meybodi. Decreasing Impact of SLA Violations: A Proactive Resource Allocation
Approach for Cloud Computing Environments. IEEE Transactions on Cloud Computing, 2(2):156–167,
April-June 2014.
[49] M.A. Morsy, J. Grundy, and I. Müller. An Analysis of the Cloud Computing Security Problem. In Proc.
of APSEC Cloud Workshop, November 2010.
[50] Y. Mundada, A. Ramachandran, and N. Feamster. SilverLine: Data and Network Isolation for Cloud
Services. In Proc. HotCloud, 2011.
[51] C. Papagianni, A. Leivadeas, S. Papavassiliou, V. Maglaris, and C. Cervello-Pastor A. Monje. On the
Optimal Allocation of Virtual Resources in Cloud Computing Networks. IEEE Transactions on Computers,
62(6):1060–1071, June 2013.
[52] M. Pearce, S. Zeadally, and R. Hunt. Virtualization: Issues, security threats, and solutions. ACM Comput.
Surv., 45(2):17, Apr. 2013.
[53] S. Pearson and A. Benameur. Privacy, Security and Trust Issues Arising from Cloud Computing. In Proc. of
IEEE 2nd International Conference on Cloud Computing Technology and Science (CloudCom), 2010.
[54] A. S. Prasad and S. Rao. A Mechanism Design Approach to Resource Procurement in Cloud Computing.
IEEE Transactions on Computers, 63(1):17–30, January 2014.
[55] A. Rahumed, H.C.H. Chen, Y. Tang, P.P.C. Lee, and J.C.S. Lui. A Secure Cloud Backup System with
Assured Deletion and Version Control. In Proc. 3rd Int’l Workshop Security in Cloud Computing, 2011.
[56] D. Reimer, A. Thomas, G. Ammons, T. W. Mummert, B. Alpern, and Vasanth Bala. Opening Black Boxes:
Using Semantic Information to Combat Virtual Machine Image Sprawl. In Proc. VEE, pages 111–120, 2008.
[57] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get Off of My Cloud: Exploring
Information Leakage in Third-Party Compute Clouds. In Proc. ACM Conference on Computer and
Communications Security, pages 199–212, 2009.
[58] S. Ruj, M. Stojmenovic, and A. Nayak. Decentralized Access Control with Anonymous Authentication of
Data Stored in Clouds. IEEE Transactions on Parallel and Distributed Systems, 25(2), Feb. 2014.
[59] F. Sabahi. Secure Virtualization for Cloud Environment Using Hypervisor-based Technology. In Proc. Int.
Journal of Machine Learning and Computing, pages Vol.2, No.2, 39–45, February 2012.
[60] R. Schwarzkopf, M. Schmidt, N. Fallenbeck, and B. Freisleben. Multi-layered Virtual Machines for Security
Updates in Grid Environments. In Proc. EUROMICRO-SEAA, pages 563–570, 2009.
[61] R. Schwarzkopf, M. Schmidt, N. Fallenbeck, and B. Freisleben. Checking Running and Dormant Virtual
Machines for the Necessity of Security Updates in Cloud Environments. In Proc. CloudCom, pages 239–
246, 2011.
[62] R. Schwarzkopf, M. Schmidt, C. Strack, S. Martin, and B. Freisleben. Increasing Virtual Machine Security
in Cloud Environments. Journal of Cloud Computing, July 2012.
[64] J. Spring. Monitoring Cloud Computing by Layer, Part 1. IEEE Security & Privacy, 9(2):66–68, March-
April 2011.
[65] S. Subashini and V. Kavitha. A Survey on Security Issues in Service Delivery Models of Cloud Computing.
Journal of Network and Computer Applications, 34(1):1–11, January 2011.
[66] H. Takabi, J.B.D. Joshi, and G. Ahn. Security and Privacy Challenges in Cloud Computing Environments.
IEEE Security & Privacy, 8(6):24–31, 2010.
[67] Y. Tang, P.P.C. Lee, J.C.S. Lui, and R. Perlman. FADE: Secure Overlay Cloud Storage with File Assured
Deletion. In Proc. 6th Int’l ICST Conf. Security and Privacy in Comm. Networks (SecureComm), 2010.
[68] P. K. Tysowski and M. A. Hasan. Hybrid Attribute- and Re-Encryption-Based Key Management for Secure
and Scalable Mobile Applications in Clouds. IEEE Transactions on Cloud Computing, 1(2):172–186, July-
December 2013.
[69] Boyang Wang, Baochun Li, and Hui Li. Oruta: Privacy-preserving Public Auditing for Shared Data in the
Cloud. IEEE Transactions on Cloud Computing, 2(1):43–56, Jan. - March 2014.
[70] C. Wang, Q. Wang, K. Ren, and W. Lou. Ensuring Data Storage Security in Cloud Computing. In
Proceedings of the 17th International Workshop on Quality of Service, pages 1–9, 2009.
[71] Cong Wang, S.S.M. Chow, Qian Wang, Kui Ren, and Wenjing Lou. Privacy-Preserving Public Auditing for
Secure Cloud Storage. IEEE Transactions on Computers, 62(2):362–375, Feb. 2011.
[72] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou. Enabling Public Verifiability and Data Dynamics for Storage
Security. In Proceedings of the 14th European Conference on Research in Computer Security, 2009.
[73] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li. Enabling Public Auditability and Data Dynamics for Storage
Security in Cloud Computing. IEEE Transactions on Parallel and Distributed Systems, 22(5), May 2011.
[74] W. Wang, Z. Li, R. Owens, and B. Bhargava. Secure and Efficient Access to Outsourced Data. In Proc. ACM
Workshop Cloud Computing Security (CCSW), Nov. 2009.
[75] Yang Wang and Wei Shi. Budget-Driven Scheduling Algorithms for Batches of MapReduce Jobs in
Heterogeneous Clouds. IEEE Transactions on Cloud Computing, 2(3):306–319, July-Sept. 2014.
[76] J. Wei, X. Zhang, G. Ammons, V. Bala, and P. Ning. Managing Security of Virtual Machine Images in a
Cloud Environment. In Proc. CCSW, pages 91–96, 2009.
[77] Kaiping Xue and Peilin Hong. A Dynamic Secure Group Sharing Framework in Public Cloud Computing.
IEEE Transactions on Cloud Computing, 2(4):459–470, Oct.-Dec 2014.
[78] L. Yan, C. Rong, and G. Zhao. Strengthen Cloud Computing Security with Federal Identity Management
Using Hierarchical Identity-Based Cryptography. In Proceedings of the 1st International Conference on
Cloud Computing, pages 167–177, 2009.
[79] K. Yang and X. Jia. An Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud
Computing. IEEE Transactions on Parallel and Distributed Systems, 24(9):1717–1726, 2013.
[80] S. Yu, C. Wang, K. Ren, and W. Lou. Achieving Secure, Scalable, and Fine-grained Data Access Control in
Cloud Computing. In Proceedings of IEEE INFOCOM, 2010.
[81] S. Zaman and D. Grosu. A Combinatorial Auction-Based Mechanism for Dynamic VM Provisioning and
Allocation in Clouds. IEEE Transactions on Cloud Computing, 1(2):129–141, July-December 2013.
[82] K. Zeng. Publicly Verifiable Remote Data Integrity. In Proceedings of the 10th International Conference on
Information and Communications Security, pages 419–434, Oct. 2008.
[83] Y. Zhang, M. Ion, G. Russello, and B. Crispo. Cross-VM Side Channels and their Use to Extract Private
Keys. In Proc. ACM CCCS, pages 305–316, 2012.
[84] D. Zissis and D. Lekkas. Addressing Cloud Computing Security Issues. Future Generation Comp. Syst.,
28(3):583–592, 2012.
[85] K. Zunnurhain and S. Vrbsky. Security Attacks and Solutions in Clouds. In Proc. 1st International
Conference on Cloud Computing, pages 145–156, 2010.
[86] K. Zunnurhain, S. V. Vrbsky, and R. Hasan. FAPA: Flooding Attack Protection Architecture in a Cloud
System. International Journal of Cloud Computing, 3(4):379–401, Nov. 2014.