SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING

A REVIEW PAPER TO INVESTIGATE AND PROVIDE SOLUTIONS

FOR SOLVING PROBLEMS RELATED TO CLOUD SECURITY

Submitted by

Rushabh Kankariya (20BIT0362)

Manvi Aggarwal (20BIT0194)

Under the guidance of

Dr. Siva Rama Krishnan Somayaji

Abstract

Amazon was one of the first companies to start its cloud-based services in 2002, with the goal of
"enabling developers to build innovative and entrepreneurial applications on their own." In 2006,
Amazon went on to introduce S3, following which it released its mega-successful concept of
EC2 (Elastic Cloud Computing). Following this, Google came up with the Google App Engine in
2008 with a PaaS model (the first of its kind). Along with this came the problems of preserving
data and preventing data leakage. One of the most important aspects of this industry is the
reliability of the cloud provider and their techniques for data protection. Therefore, it becomes
absolutely essential to continuously improve and update these platforms with the latest security
measures. In this paper we wish to understand the security concerns of security in cloud
computing and what are some of the ways that can be taken to prevent the theft or loss of data.
We have reviewed multiple research papers and written a summary on those and thee solutions
proposed by them in a simpler manner. Based on all that we have read we have created a
summary of what are some of the major challenges in the field of security and what are some
popular ways to overcome these issues.

Keywords:

Introduction

Cloud computing has become increasingly popular in recent years among both businesses and
consumers. While there are many advantages to cloud computing, such as cost savings,
scalability, and increased flexibility, there are also numerous security concerns related to cloud
environments. With the increasing frequency of cyberattacks and data breaches, it is becoming
more and more difficult for businesses of different sizes to guarantee the security of cloud-based
systems. Some of the major breaches you might have heard of in recent times are the the3
Accenture breach in August 2021 where almost 60TB of data was stolen for a ransom of up to
$50 million, wherein they had access to private credentials of Accenture’s clients. These kinds of
cloud leaks where even the major companies are not spared tells us that cloud is not yet fully
secured and ready to use especially not for those who are on a tighter budget and growing
companies who want to make a name for themselves. Major cloud users like Amazon and
Google have also suffered some losses at the hands these malicious hackers but they have tried to
resolve the issue as soon as possible and taken immediate action to prevent this kind of breach
from happening ever again. We can take the learnings from these companies and implement
them if we want to build our own private cloud architecture or else be aware of the possible
threats faced by the companies using a shared cloud architecture.
Challenges with Cloud Security

As more and more organizations move to cloud-based services, the use of third-party providers
and APIs has become increasingly prevalent. While these services can offer many benefits, they
can also introduce significant security risks if not properly managed.
Third-party providers may have access to sensitive data, and if their security practices are not up
to par, this data could be compromised. APIs, which allow different software applications to
communicate with each other, can also create security risks if not properly managed. Attackers
can exploit vulnerabilities in APIs to gain access to sensitive data or launch attacks on other
systems.

Another common issue is the lack of user education around cloud security. Many users may not
fully understand the risks associated with using cloud-based services and may not take the
necessary precautions to protect their data. This can include using weak passwords, failing to
implement multi-factor authentication, and sharing sensitive information with unauthorized third
parties.

Data privacy is a major problem in cloud computing since cloud providers may have access to
sensitive data stored in the cloud. Researchers must investigate alternative encryption algorithms
and key management procedures to ensure data security and privacy.

Identity and access management is essential for cloud computing security to manage user
identities and access limitations. Secure authentication and authorization methods must be
designed to prevent unauthorized access to cloud resources.

Cloud computing system security architecture is an area of research that requires attention.
Researchers must create robust and scalable security frameworks to protect cloud computing
systems from a variety of threats, such as malware, cyberattacks, and data breaches.
Since security concerns begin with the cloud service provider, researchers must assess the cloud
service provider's security practices and policies. Such challenges include data governance,
data placement, and service level agreements. Another issue in cloud computing security is
ensuring compliance with regulatory regulations like HIPAA, PCI DSS, and GDPR.
Researchers must develop auditing and monitoring systems to ensure regulatory compliance for
cloud providers and clients. We need severe measures to tackle all of these problems, and
although current techniques are being developed, they are still not enough. As we have seen,
attacks are not uncommon on these cloud platforms. By launching an attack on different XML
signature packages, we have succeeded in getting customers from all the cloud management
authorities. This allows creating a new section in the individual cloud by deleting and adding the
picture [13].

Literature Survey

A study done in the year 2020 proposes a blockchain-based cloud integrity protection
mechanism that involves setting up a virtual private network to secure the data in transit, using a
data encryption-based authentication method to protect the identity of the user and the data, and
checking the integrity of data distributed over various clouds of the system[3].

Abroshan, H., in his paper, presents a cryptography solution to improve security in cloud
computing systems that is proven to be effective with a very low impact on performance. The
solution uses an advanced Blowfish algorithm for data encryption and an elliptic-curve-based
algorithm to encrypt its key. In addition, a digital signature technique is implemented to ensure
data integrity. [4]

Another study proposes a multi-level cryptography-based security model for cloud computing
based on a hybrid approach of symmetric and asymmetric key cryptography algorithms (DES
and RSA, respectively) implemented in Java and CloudSim. [6]

The authors, Kumar, Y. K., & Shafi, R. M., in their paper published in 2020, propose an
effective mechanism with a distinctive feature of data integrity and privacy to secure user data in
cloud systems using a public key cryptosystem that uses the concept of the modified RSA
algorithm. [8]

Through all the research papers we have studied, one of the most common techniques we found
was the use of encryption techniques and setting up administrative policies. However, most of
the encryption algorithms are outdated and can be cracked to extract the data. We found a
technique that used MapReduce to separate public and private data to make it easier and provide
better security for data with higher sensitivity while keeping costs at bay. They even brought on
the integration of ML algorithms in resolving several cloud computing security challenges,
resulting in increased data privacy, improved accuracy and consistency, stronger trust, flexibility,
cloud workload protection, and so on. The researchers even went as far as changing the base
architecture to provide certain features like enabling anonymity while performing permission
control depending on user identities and other 3rd party applications like Cerebus for
verification. This makes the client feel more secure about their data, as they know exactly how
and what is working in what manner. Zero-trust security, a security model, is finally catching
up, and it verifies each access request before giving access to resources because it is based on the
premise that all network traffic is potentially hostile. Multi-factor authentication (MFA),
encryption, and identity and access management (IAM) solutions can all be used to establish
zero trust in the cloud. Development of more effective intrusion detection and prevention
systems that can detect and respond to threats in real-time and reduce any chances of human
error in the system.

Case Studies

1. A major AWS data breach occurred in 2019, when Capital One suffered a data breach
that affected 106 million customers. A misconfigured firewall on an AWS server led to
the breach, which made it possible for the hacker, a former AWS engineer, to access
customer data.

2. RCR Technology Corporation, hired by Indiana Family and Social Services

Administration, was responsible for exposing 187,000 patients’ information because of a
 programming error. Because of the mistake, they emailed many clients with
information about other clients’ demographic data, types of benefits received, monthly
benefit amount, employer information, financial data, bank balances, and other assets,
medical information such as providers, disability benefits, and medical condition, and
specific information about the client’s household members like name, gender, and date of
birth (McCann, 2013).

Research gap

Although the amount of research on cloud security has increased dramatically in recent years,
there are still a number of research gaps that need to be filled. Some of the major gaps are in
serverless computing security. With serverless computing gaining popularity, it is necessary to
provide security procedures specifically for this kind of architecture.
Research on data privacy and protection in the cloud has been conducted, but more substantial
solutions are still required to guarantee data security even while processed and stored in the
cloud. Thirdly, cloud IoT device security As the Internet of Things (IoT) quickly grows, a large
number of devices are now linked to it. However, there is still a lot of concern about the security
of these devices, and more study is required to provide efficient security solutions.
Mechanisms for ensuring responsibility and trust in cloud environments are needed, especially in
multi-tenant settings where different users use the same resources. Risk assessment and
management: Given the complexity of cloud systems, it is important to improve risk assessment
and management methods in order to detect and reduce security threats.
In general, there is still a lot of study to be done on cloud security. Even with theoretical
knowledge, the lack of exceptional resources required to make the hardware is lacking, and
therefore these ideas cannot be verified through experimentation. Threat modeling: For cloud
systems, more thorough and precise threat modeling methodologies are required. Current
methodologies occasionally overlook the distinctive risks and vulnerabilities present in cloud
settings. Security issues with multi-tenancy: Although multi-tenancy is an important aspect of
cloud computing, it also poses certain security difficulties. On how to secure the security of
information and resources shared across different tenants, more study is required. It will be more
crucial than ever to close these research gaps and create efficient security solutions as the use of
cloud computing expands.

Security suggestions and solutions

Encryption is the most common solution to guarantee data security, uprightness, and secrecy.
The study recommends the use of cloud tracking (CTB) and cloud protection systems to protect
the cloud environment and prevent service attacks. CTB is used to use data marketing algorithms
to specify and identify attack sources, while cloud protection systems are applied to the edge of
the router and identify system vulnerabilities. If it is determined that an attack is occurring, a
warning will be sent to the administrator to prevent the computer from accessing cloud services.
Cloud computing vendors can verify their data structures and information using biometric
highlights and double matrix entities.
This allows authorized customers to access certain information at limited times, which is more
productive than personal code. Additionally, cloud clients must ensure that virtual machines are
utilized to accomplish cloud tasks. End customers can use disruptive environment frameworks to
monitor overall traffic through a cloud network, log records, and customer practices to determine
if clients are neglecting customer routes. Any client found to be abusing security arrangements or
authorized use is classified as spam and prevented from accessing cloud management. The third-
party APIs should be very well verified, and proper terms and conditions must be implied in the
deal to protect the user’s data. Vulnerabilities or flaws in third-party code can compromise the
security of your cloud environment. Since they regularly handle your data and will be the first to
notice any anomalies, training the staff is a crucial part of protecting your data in the cloud. So if
they are well versed in the ways of working of the cloud, they can easily detect these problems
and tackle them at the base level. Also, this helps prevent attacks like phishing and DOS. Proper
SLA’s must be signed with third-party service providers to ensure the safety and quality of the
data and services provided. More than often, it is an insider attack that causes the loss of
confidentiality of data, which makes the cloud service provider lose clients. Maximum efforts
must be made while hiring key personnel, and proper rules must be set up to prevent the losses.
Along with cloud security controls, organizations also need to perform regular audits to
measure their security policies and maintain compliance.

Future Directions

The development of OSINT tools like Maltego, Spyse, and SpiderFoot can allow integration
into the cloud to enhance security, and if a breach still occurs, then these tools should be used to
find out why the breach occurred, who was responsible for it, and what can be done to prevent
this in the future. There is a rising demand for security solutions that can manage and safeguard
data across many cloud platforms; hence, multi-cloud environments should be deployed. Future
studies in cloud security are anticipated to concentrate on creating tools that offer seamless
protection across various clouds. Edge computing is gaining popularity as a means of processing
data closer to its source, at the network's edge. We should never stop believing that AI and ML
are the future and that they will have a significant impact on the creation and administration of
the cloud. ML models may be developed to safeguard the data as well as be used to stop these
assaults on the cloud. The development of quantum computing poses a serious threat to
traditional encryption techniques used in cloud environments. The development of post-quantum
encryption methods that can fend off quantum assaults will likely be the main focus of future
research in cloud security. It is necessary to keep the 3rd party API’s up to date and patch them
whenever necessary, to mitigate potential security risks.

Conclusion

In conclusion, we must accept the fact that while the biggest cloud providers like Google Cloud,
Azure, and AWS have intensive security controls such as encryption, access controls,
monitoring, and compliance in place, no system can ever be 100% secure. Security incidents can
still take place due to human error, misconfigurations, external attacks, and other factors
outside of the cloud provider's control. It is important to note that sometimes security breaches
occur due to vulnerabilities in third-party software or services that are used in conjunction with
cloud platforms. Therefore, it is essential for both the cloud provider and the customer to do their
part to ensure their applications and data are secure. Cloud providers need to constantly improve
and update their controls, while the user needs to avoid falling into the trap of cyberattacks.

References

[1] Lourens, M., Kaushik, M., Goyal, J., Singh, R., Kuchhal, S., & Tiwari, M. (2022,
April). The role of implementing cloud computing technology in addressing critical
security issues and overcoming the challenges effectively. In 2022 2nd International
Conference on Advance Computing and Innovative Technologies in Engineering
(ICACITE) (pp. 2303-2306). IEEE.

[2] Butt, U. A., Mehmood, M., Shah, S. B. H., Amin, R., Shaukat, M. W., Raza, S. M., ...
& Piran, M. J. (2020). A review of machine learning algorithms for cloud computing
security. Electronics, 9(9), 1379.

[3] Wei, P., Wang, D., Zhao, Y., Tyagi, S. K. S., & Kumar, N. (2020). Blockchain data-
based cloud data integrity protection mechanism. Future Generation Computer Systems,
102, 902-911.

[4] Abroshan, H. (2021). A hybrid encryption solution to improve cloud computing

security using symmetric and asymmetric cryptography algorithms. International Journal
of Advanced Computer Science and Applications, 12(6), 31-37.

[5] Kaur, A., & Singh, G. (2020). Cloud Computing Security Issues and Challenges.
International Journal of Scientific Research in Computer Science, Engineering and
Information Technology, 265-270.

[6] Kumar, S., Karnani, G., Gaur, M. S., & Mishra, A. (2021, April). Cloud security
using hybrid cryptography algorithms. In 2021 2nd international conference on intelligent
engineering and management (ICIEM) (pp. 599-604). IEEE.
[7] Aburuotu, E. C., & Ojekudo, N. A. (2022). An Improved Security Solution for Cloud
Computing Management Infrastructures: The Insider Perspective. Central Asian Journal
of Theoretical and Applied Science, 3(10),

[8] Kumar, Y. K., & Shafi, R. M. (2020). An efficient and secure data storage in cloud
computing using modified RSA public key cryptosystem. International Journal of
Electrical and Computer Engineering, 10(1), 530.

[9] Khan, M. A., Quasim, M. T., Alghamdi, N. S., & Khan, M. Y. (2020). A secure
framework for authentication and encryption using improved ECC for IoT-based medical
sensor data. IEEE Access, 8, 52018-52027.

[10] Checking For Identity-Based Remote Data Integrity Cloud Storage with Perfect Data
Privacy
Mahesh Akarapu1, Sheshikala Martha2, Koteshwar Rao Donthamala1, B Prashanth1, G.
Sunil2 and K. Mahender1
Published under license by IOP Publishing Ltd

[11] The HybrEx Model for Confidentiality and Privacy in Cloud

Computing Steven Y. Ko† , Kyungho Jeon† , Ramses Morales ´ ∗
†University at Buffalo, The State University of New York and ∗Xerox
Research Center Webster

[12] Jung, Taeho & Li, Xiang-Yang & Wan, Zhiguo. (2012). MoneyControl: Control
Cloud Data Anonymously with Multi-Authority

[13] Shitharth, S., Alotaibi, F.S., Manoharan, H. et al. Reconnoitering the significance of
security using multiple cloud environments for conveyance applications with blowfish
algorithm. J Cloud Comp 11, 76 (2022). https://doi.org/10.1186/s13677-022-00351-0

[14] M. Kang and H. -Y. Kwon, "A Study on the Needs for Enhancement of Personal
Information Protection in Cloud Computing Security Certification System," 2019
International Conference on Platform Technology and Service (PlatCon), Jeju, Korea
(South), 2019, pp. 1-5, doi: 10.1109/PlatCon.2019.8669413.

[15] S. Mishra, M. Kumar, N. Singh and S. Dwivedi, "A Survey on Cloud Computing
Security Challenges & Solutions," 2022 6th International Conference on Intelligent
Computing and Control Systems (ICICCS), Madurai, India, 2022, pp. 614-617, doi:
10.1109/ICICCS53718.2022.9788254.

[16] A. B. Nassif, M. A. Talib, Q. Nasir, H. Albadani and F. M. Dakalbab, "Machine

Learning for Cloud Security: A Systematic Review," in IEEE Access, vol. 9, pp. 20717-
20735, 2021, doi: 10.1109/ACCESS.2021.3054129.

[17] .A new lightweight cryptographic algorithm for enhancing data security in cloud
computing Author links open overlay panel Fursan Thabit, Associate Prof Sharaf
Alhomdy, Abdulrazzaq H.A. Al-Ahdal, Prof Dr Sudhir Jagtap

[18] Enhancing Blockchain security in cloud computing with IoT environment using
ECIES and cryptography hash algorithm P. Velmurugadass, S. Dhanasekaran, S.
Shasi Anand ⇑ , V. Vasudevan Tw

[19] An analytical review and analysis for the data control and security in cloud
computing Makrand Samvatsar1* and Priyesh Kanungo2

[20] Lee, B. H., Dewi, E. K., & Wajdi, M. F. (2018, April). Data security in cloud
computing using AES under HEROKU cloud. In 2018 27th wireless and optical
communication conference (WOCC) (pp. 1-5). IEEE

[21] Sailakshmi, V. (2021). Analysis of Cloud Security Controls in AWS, Azure, and
Google Cloud.