
A Survey on Security issues and challenges in Public Cloud Computing

1GnanaPrakasam T, 2Rajiv Kannan A

1Assistant Professor in Computer Science and Engineering, The Kavery Engineering College, Mecheri,
Tamil Nadu, India
2Professor in Computer Science and Engineering, K.S.R College of Engineering, Tiruchengode,
Tamil Nadu, India
1trainergnanam@gmail.com, 2rajiv5757@yahoo.co.in

Abstract: Cloud computing refers to the data, processing
power and software held on remote servers that are reached
over the Internet, as opposed to one's own terminals. For
consumers, cloud computing services can bring about major
cost savings and efficiencies. It opens the world of computing
to a wider range of uses and improves ease of use by providing
access through any network link. Much sensitive information
and data that is secured and kept on local computers is at
present being relocated to the cloud. Along with these
advantages there are also some drawbacks. Consumers end up
with less control over unauthorized access to the data and
have minimal awareness of where it is located. There are
several security hazards to data located in the cloud. The
cloud can be attacked by malicious people who can access the
data through insecure Internet links. Numerous issues of
security and confidentiality need to be addressed in a cloud
computing set-up. This wide-ranging review paper aims to
briefly examine the open questions that threaten cloud
computing.
Keywords: Cloud Computing, security, longevity, recovery, data
segregation

I. INTRODUCTION
The Internet has been a driving force behind the various
technologies that have been developed. Cloud computing is seen
as a trend in the present-day scenario, with almost all
organizations trying to make an entry into it [1]. The
advantages of using cloud computing are reduced hardware and
maintenance cost, accessibility around the globe, and
flexibility. Fig. 1 shows the basic cloud platform and the
various applications that cloud providers offer to consumers.

A few existing techniques that contribute to cloud computing
are:
1. Virtualization
Virtualization is a remarkable technology used in cloud
computing settings. The idea of cloud computing has captured
the attention of organizations of all sizes, since its
delivery model converts the power of virtualization into
measurable business value. Cloud computing includes
virtualization and the way to implement it [2]. Together,
cloud and virtualization support the delivery of enhanced
resources, on-demand applications, elasticity and scalability.
2. Web Service, SOA and Mash-up
The objective of a Service Oriented Architecture (SOA) is
increased IT adaptability, reduced cost of application
development and maintenance, and better alignment between IT
specialists and business users [3]. Cloud Computing and SOA
Services provide:

• Cloud Computing & Virtualization Referring / Executions
• SOA Accessing / Applications
• Complex Event Processing (CEP) Checking / Operations
• XML / SOAP / REST Web Services constructed Compound
  Requests and SOA Resolutions
• Software Development, comprising Mobile Applications.

Mash-ups allow developers to combine interesting data and
then visualize that data through a web application. In
practice, a mash-up requires a data source and a web
visualization platform. Mash-up is a technique by which a
website or Web application uses data, presentation or
functionality from two or more sources to create a new
service [4].

3. Application Programming Interface (API)
The application programming interface is another significant
technique of cloud computing. Without an API, there is no
cloud computing. APIs enable cloud services such as Amazon
Simple Storage Service (S3), Amazon Elastic Compute Cloud
(EC2) and Twitter; these organizations use this technique to
access the service [5]. Cloud APIs fall into three overall
groupings:

• Control APIs, which allow cloud infrastructure to be added,
  reconfigured, or removed in real time.
• Data APIs, through which data flows into and out of the
  cloud.
• Application Functionality APIs, which enable the
  functionality with which end users interact.

The remainder of this paper is organized into different
sections in which the background is presented in section II.
In section III, threats to security in public cloud computing
are discussed in terms of basic, network level and
application level security. In section IV, recommendations
and suggestions are provided to overcome the security
challenges, and the paper is concluded in section V.
II. BACKGROUND
The Cloud Computing exploration group discussed various
usage scenarios and associated requirements that may occur
in the cloud model. These models reflect use cases from
various viewpoints including those of customers, designers
and security engineers [6]. ENISA examined the different
security risks connected to the impacts and weaknesses of
cloud computing [7]. Discussions were held with respect
to the security specifications and objectives related to data
location, segregation and data recovery [8]. Related work
has addressed high-level security concerns in the cloud
computing models such as data integrity, payment and
privacy of sensitive information [9].
Different authors have studied the possible vulnerabilities
and risks related to technology, to cloud characteristics and
to security concerns [10]. Work has been carried out on the
management of security in cloud computing, focusing on cloud
security issues with the help of observations made by the
International Data Corporation enterprise [11]. A survey by
the Cloud Security Alliance (CSA) & IEEE indicates that
enterprises in almost all sectors are keen to implement cloud
computing. However, security measures are needed both to
accelerate cloud adoption on a wider scale and to respond to
the regulatory advice from different governing bodies [12, 32].
Several studies have been carried out concerning the security
matters in cloud computing, and these efforts have carried
out a thorough investigation of the cloud computing security
issues and challenges.
Several security issues have to be considered before an
enterprise switches to the cloud computing model [13]. They
are:

• Restricted consumer admission: A hazard which deals with
  who accesses the data of a business in the cloud.
• Governing Agreement: A threat concerning warranties and
  guidelines in relation to a cloud service.
• Data Position: A danger about who stores the data in a
  specific site.
• Data Separation: A feature which deals with the concern
  that one's data must not mix with somebody else's data.
• Data Retrieval: A subject which suggests that clients might
  not be able to get their data back.
• Long-Term Feasibility: A characteristic which means that
  the cloud provider can be relied on to remain in service
  indefinitely [14].

III. THREATS TO SECURITY IN PUBLIC CLOUD COMPUTING
Because cloud computing involves many technologies, such as
networks, databases, operating systems, resource scheduling,
transaction management, concurrency control and memory
management, several security issues arise in cloud
computing [15]. Security requires a holistic approach.
Security at different levels, such as basic level, network
level and application level, is necessary to keep the cloud up
and running continuously.
1. Basic Security
A. Cloning and rapid resource pooling
The demands on IT lead to a proliferation of virtual
machines (VMs), causing VM sprawl. With cloud self-service
portals, VMs can be rapidly provisioned and easily cloned
and moved between physical servers. However, vulnerabilities
or configuration flaws may be unintentionally propagated. It
is difficult to maintain an auditable record of the security
state of a VM at a given point in time [16]. A question also
arises about the possible security risks in the use of shared
pre-built images, which are vital.

B. Data Remnants
In a cloud infrastructure, data is frequently moved to make
the best use of resources, which means that enterprises might
not always know where their data is located [17]. This may be
true of any cloud model, but it is especially true of the
public cloud. To obtain the greatest cost savings, businesses
want service providers to optimize resource usage.
Also, if data is relocated, residual data may be left behind
which can be accessed by unauthorized users [18]. This
unauthorized access is considered unpreventable in the public
cloud to date. However, new security practices must be
introduced to relocate data without leaving any remnants in
the old location.
C. Adaptable Limits
A cloud infrastructure produces an adaptable limit. Additional
departments and users throughout the organization can
provision computing resources, and a cloud portal can also be
extended to outside parties such as partners [19]. However,
with this increased access comes an increased risk of data
leakage. In addition, businesses are faced with managing
and protecting a diverse set of mobile devices, often
owned by the employee. With this trend towards
consumerization, the cloud is often used for consistent
access to applications and data on roaming endpoints. Security
must provide a balance of flexible access and data protection
[20].
D. Unencrypted data
Unencrypted data is clearly a weakness where sensitive data
is concerned. Data encryption helps to address external
threats, threats from malicious insiders, and the need for
regulatory compliance [21]. With data encryption, issues such
as data remnants and an adaptable limit become less severe,
because even if the data is accessed by an unauthorized
consumer, it cannot be interpreted. However, many outdated
encryption solutions can leave customers in a vulnerable
situation in the cloud. If there is no solution providing
policy-based management methods with identity- and
integrity-based server authentication, unauthorized servers
may obtain the encrypted data [22].
E. Shared multi-tenant environments of the public cloud
The multi-tenant architecture of the public cloud raises
concerns about the mixing of an enterprise's cloud data with
that of others, or the sharing of storage volumes. With these
concerns comes a desire for visibility [23]. One customer in
this environment should not be allowed to access the data of
another tenant.
F. Control and availability
The most common belief about using a common data center or
public cloud is that it gives organizations a better feeling
that they have good control over the data with regard to
security and accessibility [24]. Service providers can design
their cloud set-up to offer high availability and
performance, maintained by their cloud computing
specialists [25]. Often this infrastructure and staff exceed
what an enterprise could deliver in-house. However, all data
centers, whether in-house or run by a service provider, may
undergo outages.
G. Attackers' use of the cloud
Attackers make a practice of using cloud computing
techniques to support their attacks. Computing resources of
the public cloud can be used to mount attacks. In the
multi-tenant environment, attackers can carry out inter-VM
attacks by attaching their own VM and then infecting the
guests of other tenants on the same host machine [26]. This
type of attack can result in stolen computing resources being
used as trusted data access. Attackers also create their own
clouds to distribute resources.
2. Network Level Security
Different network issues occur in cloud computing, some of
which are discussed below:
A. Denial of Service
A denial of service occurs when a hacker floods a network
server or web server with repeated service requests in order
to disrupt the network, and the server cannot keep up with
them. The server can no longer serve the clients' regular
requests. In cloud computing, when the hacker attacks a
server by sending numerous requests to it, the server is
unable to respond properly and, moreover, the server hangs
[27]. This can be avoided by reducing the privileges of the
users connected to a server.
B. Man in the Middle Attack
This kind of problem arises if the secure socket layer (SSL)
is not configured properly. In this situation, the network
link can easily be hacked by an unknown person while the two
parties establish communication [28]. One of the remedies
for this type of attack is to install and configure the
secure socket layer properly before the parties establish
communication between themselves.

C. Port Scanning
A port scan is one of the most popular reconnaissance
techniques attackers use to discover services they can break
into. All machines connected to a network run many services
that use TCP or UDP ports, and there are more than six
thousand defined ports available [29]. Normally, a port scan
does not cause any direct damage just by scanning.
Potentially, a port scan helps the attacker find which ports
are available to launch various attacks. Port scanning tools
can also be used legitimately by administrators and users to
learn about network vulnerabilities [30].
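From the defender's side, the reconnaissance described above shows up in connection logs as one source touching many different ports on the same host in a short time. The following is an added example, not part of the paper: a small sliding-window detector run over constructed log lines. The log format, addresses, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_log():
    """Constructed sample lines (documentation address ranges), not real traffic."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(12):    # one source touching 12 different ports in 12 seconds
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=198.51.100.7 dst=10.0.0.5 proto=TCP dport={20 + i}")
    for i in range(30):    # an ordinary client reusing a single service port
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=203.0.113.9 dst=10.0.0.5 proto=TCP dport=443")
    return sorted(lines)   # ISO timestamps sort chronologically

def parse(line):
    """Split 'timestamp key=value ...' into (time, flow, destination port)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    flow = (kv["src"], kv["dst"], kv["proto"])
    return datetime.fromisoformat(ts), flow, int(kv["dport"])

def detect_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Flag a (src, dst, proto) flow once it has touched at least `min_ports`
    distinct destination ports inside one sliding `window`."""
    recent = defaultdict(deque)          # flow -> deque of (timestamp, port)
    alerts = {}
    for line in lines:
        ts, flow, port = parse(line)
        seen = recent[flow]
        seen.append((ts, port))
        while ts - seen[0][0] > window:  # drop events older than the window
            seen.popleft()
        ports = sorted({p for _, p in seen})
        if len(ports) >= min_ports and flow not in alerts:
            alerts[flow] = (ts, ports)   # first time the threshold was crossed
    return alerts

if __name__ == "__main__":
    for flow, (when, ports) in detect_scans(constructed_log()).items():
        print(flow, when.isoformat(), ports)
```

The window and port threshold are tuning parameters; a busy client that reuses one service port never crosses the threshold, however many connections it makes.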
D. SQL Injection Attack
SQL injection is an attack in which malicious code is
inserted into strings that are later passed to an instance
of SQL Server for parsing and execution. Therefore, any
procedure that constructs SQL statements should be reviewed
for injection vulnerabilities, because SQL Server executes
all syntactically valid queries that it receives. Even
parameterized data can be manipulated by a skilled and
determined attacker [31].
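The review the paragraph asks for can be made concrete with Python's built-in sqlite3 module. This is an added example, not code from the paper: it sets a concatenated statement beside its parameterized form, and then shows a procedure that must still build SQL text (a caller-chosen sort column, which cannot be bound as a parameter) and how an allow-list keeps it safe. The table, data and function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample data: two tenants sharing one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER, tenant TEXT, amount INTEGER)")
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "acme", 100), (2, "acme", 250), (3, "globex", 900)],
    )
    return db

def invoices_concat(db, tenant):
    """Before: the statement text is assembled from caller input."""
    sql = "SELECT id FROM invoices WHERE tenant = '" + tenant + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def invoices_bound(db, tenant):
    """After: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id FROM invoices WHERE tenant = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (tenant,))]

# Column names and sort direction cannot be bound as parameters, so a
# procedure that accepts them still constructs SQL text and still needs
# review. Caller input only selects from fixed, known-good fragments.
SORT_COLUMNS = {"id": "id", "amount": "amount"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}

def invoices_sorted(db, tenant, sort_by="id", order="asc"):
    if sort_by not in SORT_COLUMNS or order not in SORT_ORDERS:
        raise ValueError("unsupported sort option")
    sql = ("SELECT id FROM invoices WHERE tenant = ? "
           f"ORDER BY {SORT_COLUMNS[sort_by]} {SORT_ORDERS[order]}")
    return [row[0] for row in db.execute(sql, (tenant,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"   # constructed input containing a quote
    print("concatenated:", invoices_concat(db, crafted))   # every tenant's rows
    print("bound:       ", invoices_bound(db, crafted))    # no rows
    print("sorted:      ", invoices_sorted(db, "acme", "amount", "desc"))
```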
E. Cross Site Scripting
Cross-site scripting, which is also known as XSS or CSS, is
commonly believed to be one of the most common application
layer hacking techniques.
Cross-site scripting denotes a hacking technique that
leverages vulnerabilities in the code of a web application to
allow an attacker to send malicious content from an end-user
and collect some types of data from the victim [17].
Cross-site scripting attacks can open the way to buffer
overflows, DoS attacks and the insertion of malicious
software into web browsers in order to compromise users'
credentials [32]. Hackers are constantly experimenting with a
wide repertoire of hacking techniques to compromise websites
and web applications and make off with a treasure trove of
sensitive data including credit card numbers, social security
numbers and even medical records.
3. Application Level Security
A. XML Signature Element Wrapping
Naive use of XML Signature may result in signed
documents remaining vulnerable to undetected modification
by an adversary. In the typical usage of XML Signature to
protect SOAP messages, an adversary may be capable of
modifying valid messages in order to gain unauthorized
access to protected resources [23].
The content of a SOAP message protected by an XML
Signature as specified in WS-Security can be altered without
invalidating the signature. This so-called wrapping attack or
XML rewriting attack [7] is possible because the referencing
schemes used to locate parts of a SOAP message document
differ between the signature verification function and the
application logic.
To avoid this type of attack, it is better to use a digital
signature authorized by a third party and a combination of
WS-Security with an XML signature applied to a particular
component. The XML should carry the list of components so
that the receiver can reject messages that contain malicious
files and also reject unexpected messages from the client
[10].
B. Browser Security
When a client sends a request to the server through a web
browser, the browser has to make use of SSL to encrypt the
credentials that authenticate the user. If there is a third
party, an intermediary host can decrypt the data. The hacker
may use sniffing tools on the intermediary host to retrieve
valuable data and thereby enter the cloud as a valid user
[28]. To avoid this, the vendor can use WS-Security
techniques on web browsers. WS-Security works at the message
level and uses XML encryption for continuous encryption of
SOAP messages, which do not have to be decrypted at
intermediary hosts.
C. Cloud Malware Injection Attack
Malware injection attack has spread like wildfire these days,
and countless websites have been affected. The attack is
done via a compromised FTP, and many believe that the
virus can actually sniff out FTP passwords and send them back
to the hacker. The hacker then uses your FTP password to
access your website and add malicious frame coding to
infect other visitors who browse your website [18]. Most
web browsers will put up a notice when they've detected
malware in your website. This prevents other people from
unknowingly downloading the malware.
D. Data Protection
Data protection in cloud computing is a very significant
feature. It is very difficult to check the conduct of the
cloud provider and the confidentiality and handling of
sensitive data by them, particularly when the data undergoes
several transformations [30]. One of the measures to prevent
such an attack is that a consumer of cloud computing should
check whether the data is handled legally or not.
E. Incomplete Data Deletion
Incomplete data deletion is more dangerous in a cloud
computing environment. Data is not removed completely
because copies of the data are placed on other servers. For
example, when a client requests to remove a cloud resource,
it will not be removed completely in some operating systems.
Precise data erasure is often not possible because copies of
the data are stored in replicas that are not available at
the time [27]. Necessary steps should be taken so that
virtual private networks are used for securing the data and
an appropriate query is used to remove the data completely
from all the servers.
F. Inter-VM Attacks
Each physical host has a soft switch that enables VMs to
communicate with one another. Because inter-VM
communications do not always leave the physical host, they
are unprotected by firewalls and other hardware-based
protection. In the event a VM is compromised, it can attack
other VMs on the same host without detection by existing
tools [19]. Moreover, once an attacker compromises one
element of a virtual environment, other elements may also
be compromised if virtualization-aware security is not
implemented.
G. Instant-On Gaps
Virtualized environments are not necessarily less secure than
their physical counterparts, but in some cases the real-world
usage of virtualization can bring vulnerabilities, and
managers are conscious of these vulnerabilities and take
necessary measures to eradicate them [12]. Instant-on gaps
are an instance of such a vulnerability. When VMs are
activated and deactivated in quick cycles, providing security
to those VMs and keeping them up to date can be challenging.
H. Resource Contention
Another concern in the public cloud is resource contention.
A security issue can arise when the resource contention is
the result of a Denial of Service (DoS) attack on another
tenant of the shared infrastructure. The public cloud is a
shared resource that can potentially expose all tenants in the
cloud to security risks when one tenant becomes the target of
a DoS attack. However, a private cloud provides businesses
with inherent protection from DoS attacks directed at other
businesses by avoiding shared infrastructure [21].
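For the XML Signature element wrapping issue described under Application Level Security, where the signature check and the application logic locate message parts differently, the following added example (not from the paper) shows the two lookups side by side and a receiver-side check that only passes on the element the signature actually covers. The messages are constructed and simplified; the `GetFile` and `Wrapper` elements and all function names are hypothetical, and cryptographic verification of the signature value is assumed to be done by an XML-DSig library.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

class WrappingSuspected(ValueError):
    pass

def referenced_ids(envelope):
    """Ids named by ds:Reference URI="#..." (the parts the signature covers)."""
    uris = (ref.get("URI", "") for ref in envelope.iter(f"{{{DS}}}Reference"))
    return [uri[1:] for uri in uris if uri.startswith("#")]

def resolve_by_id(envelope, wanted):
    """Signature verification locates the signed part by Id, anywhere in the tree."""
    return [el for el in envelope.iter() if el.get(f"{{{WSU}}}Id") == wanted]

def body_by_path(envelope):
    """Application logic locates the part it acts on by position: Envelope/Body."""
    return envelope.find(f"{{{SOAP}}}Body")

def naive_body(xml_text):
    """Before: two independent lookups that are never compared."""
    envelope = ET.fromstring(xml_text)
    if not all(resolve_by_id(envelope, i) for i in referenced_ids(envelope)):
        raise ValueError("signed element missing")
    return body_by_path(envelope)

def checked_body(xml_text):
    """After: hand the application only the element the signature covers."""
    # Assumption: the signature value over each referenced element has already
    # been verified by an XML-DSig library. For untrusted input, parse with a
    # hardened parser (for example the defusedxml package) instead.
    envelope = ET.fromstring(xml_text)
    body = body_by_path(envelope)
    ids = referenced_ids(envelope)
    if body is None or not ids:
        raise WrappingSuspected("missing soap:Body or signed reference")
    signed = []
    for wanted in ids:
        matches = resolve_by_id(envelope, wanted)
        if len(matches) != 1:            # absent or duplicated Id
            raise WrappingSuspected(f"Id {wanted!r} matches {len(matches)} elements")
        signed.append(matches[0])
    if not any(el is body for el in signed):
        raise WrappingSuspected("soap:Body is not the signed element")
    return body

def sample(header_extra="", body_id="body-1", filename="report.txt"):
    """Constructed, simplified messages; GetFile and Wrapper are hypothetical."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
        '<soap:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
        f'</ds:SignedInfo></ds:Signature>{header_extra}</soap:Header>'
        f'<soap:Body wsu:Id="{body_id}"><GetFile name="{filename}"/></soap:Body>'
        '</soap:Envelope>'
    )

SIGNED = '<soap:Body wsu:Id="body-1"><GetFile name="report.txt"/></soap:Body>'
LEGIT = sample()
RELOCATED = sample(f"<Wrapper>{SIGNED}</Wrapper>", "body-2", "other.txt")
DUPLICATE_ID = sample(f"<Wrapper>{SIGNED}</Wrapper>", "body-1", "other.txt")
```

With `RELOCATED`, `naive_body` returns the unsigned `other.txt` request even though the referenced Id still resolves, while `checked_body` raises `WrappingSuspected`; the same happens for `DUPLICATE_ID`.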
IV. FINDINGS AND RECOMMENDATIONS
Cloud computing has won many adopters by gaining credit for
its virtues. Its security shortcomings and advantages need to
be carefully considered before making a choice to use it.
Both the cloud client and the cloud supplier must be
conscious of their individual security assurances.

Encryption is simply a solution for protection in a
multi-tenant environment, ensuring that one's data cannot be
observed by others. In addition, self-defending VMs can
protect against inter-VM attacks and other vulnerabilities in
a public cloud.
Cloud computing is an extension of virtualization, adding
automation to a virtual environment. Advances in
virtualization tools enable enterprises to obtain more
computing power from their physical servers. The traditional
data center footprint is shrinking to permit cost savings and
promote IT solutions through consolidation of servers.
Service providers have discovered that they can use
virtualization to enable multi-tenant use instead of
single-tenant or single-purpose physical servers. A thorough
and well-configured public cloud can have different levels of
controls and ensure security. A smart response to the risk of
data location is to select several cloud services and store
different data in different clouds, thereby reducing the risk
of data location.
V. CONCLUSION
Cloud computing moves the application software and
databases to servers in large data centers on the Internet,
where the management of the data and services is not fully
trustworthy. This unique attribute raises many new security
challenges in areas such as software and data security,
recovery, and privacy, as well as legal issues in areas such as
regulatory compliance and auditing, all of which have not
been well understood.
There are many new technologies emerging at a rapid rate,
each with technological advancements and with the potential
of making human lives easier. However, one must be very
careful to understand the security risks and challenges posed
in utilizing these technologies. Cloud computing is no
exception.
In this paper, key security considerations and challenges
which are currently faced in cloud computing are
highlighted.
Cloud computing is a new phenomenon which is set to
revolutionize the way we use the Internet, though there is
much to be cautious about. Cloud computing has the
potential to become a front runner in promoting a secure,
virtual and economically viable IT solution in the upcoming
periods, provided the challenges and issues are eradicated by
formulating better security mechanisms.
Cloud computing is a typical evolution of traditional
computing. It is difficult to relate one feature of the system
to another. While traditional computing allows a designer
to be more lax about security, the cloud computing
environment requires a good developer to face these
difficulties directly. When the provider finds solutions to
these difficulties, the structure becomes more secure.
Subsequently, the cloud client can reach the system quicker
without any data loss.
Therefore, it is the duty of the provider to deliver security
from the top down, bottom up and also laterally, to defend
the system and to safeguard the interests of the cloud
client. This study has taken care to acquaint providers with
the information that is to be considered when designing a
cloud. The several issues which have been discussed help a
developer to strengthen the security system while
constructing a cloud application.
REFERENCES
[1] Lewis, Grace. "Cloud Computing: Finding the Silver Lining,
Not the Silver Bullet." Internet:
http://www.sei.cmu.edu/newsitems/cloudcomputing.cfm, Oct. 25,
2009.
[2] Dormann, Will, Rafail, Jason. "Securing Your Web Browser."
Internet: http://www.cert.org/tech_tips/securing_browser, Sep.
28, 2006.
[3] Jansen, Wayne, Grance Timothy. "Guidelines on Security and
Privacy in Public Cloud Computing." in National Institute of
Standards and Technology, Vol. 12, Jan 2011.
[4] Strowd, Harrison & Lewis, Grace. "T-Check in
System-of-Systems Technologies: Cloud Computing,"
(CMU/SEI-2010-TN-009), Software Engineering Institute, Carnegie
Mellon University, Mar 1, 2010.
[5] Lewis, Grace. "Basics about Cloud Computing." Internet:
http://www.sei.cmu.edu/library/abstracts/whitepapers/cloudcomputingbasics.cfm,
Dec 13, 2010.
[6] J. Brodkin. "Gartner: Seven cloud-computing security risks."
Infoworld, Available:
http://www.infoworld.com/d/securitycentral/gartner-seven-loudcomputingsecurity-risks-853?,
Mar. 13, 2010.
[7] ENISA. "Cloud computing: benefits, risks and
recommendations for information security." Available:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computingrisk-assessment,
Jul. 10, 2010.
[8] R. K. Balachandra, P. V. Ramakrishna and A. Rakshit. "Cloud
Security Issues." In Proc. '09 IEEE International Conference on
Services Computing, 2009, pp. 517-520.
[9] P. Kresimir and H. Zeljko. "Cloud computing security issues
and challenges." In Proc. Third International Conference on
Advances in Human-oriented and Personalized Mechanisms,
Technologies, and Services, 2010, pp. 344-349.
[10] B. Grobauer, T. Walloschek and E. Stöcker, "Understanding
Cloud Computing Vulnerabilities," IEEE Security and Privacy,
vol. 99, 2010.
[11] S. Subashini and V. Kavitha. "A survey on security issues
in service delivery models of cloud computing." J Network
Computing, Jul. 2010.
[12] S. Ramgovind, M. M. Eloff, E. Smith. "The Management of
Security in Cloud Computing," in Proc. 2010 IEEE International
Conference on Cloud Computing, 2010.
[13] M. A. Morsy, J. Grundy and Müller I. "An Analysis of the
Cloud Computing Security Problem," in Proc. APSEC 2010 Cloud
Workshop, 2010.
[14] S. Arnold. "Cloud computing and the issue of privacy." KM
World, pp. 14-22. Available: www.kmworld.com, Aug. 19, 2009.
[15] A. Paul. "Demystifying the cloud. Important opportunities,
crucial choices." Global Net-optex Incorporated, pp. 4-14.
Available: http://www.gni.com, Dec. 13, 2009.
[16] M. Klems, A. Lenk, J. Nimis, T. Sandholm and S. Tai.
"What's Inside the Cloud? An Architectural Map of the Cloud
Landscape." IEEE Xplore, pp. 23-31, Jun. 2009.
[17] C. Weinhardt, A. Anandasivam, B. Blau, and J. Stosser.
"Business Models in the Service World." IT Professional, vol.
11, pp. 28-33, 2009.
[18] N. Gruschka, L. L. Iacono, M. Jensen and J. Schwenk. "On
Technical Security Issues in Cloud Computing," in Proc. '09
IEEE International Conference on Cloud Computing, Jul. 2009,
pp. 110-112.
[19] N. Leavitt. "Is Cloud Computing Really Ready for Prime
Time?" Computer, vol. 42, pp. 15-20, May 2009.
[20] M. Jensen, J. Schwenk, N. Gruschka and L. L. Iacono, "On
Technical Security Issues in Cloud Computing." in Proc. IEEE
ICCC, 2009, pp. 109-116.
[21] Peter Mell and Tim Grance. "The NIST Definition of Cloud
Computing," National Institute of Standards and Technology
(NIST), Information Technology Laboratory, version 15, Oct.
2009.
[22] Wang, Lizhe von Laszewski. "Cloud computing: A Perspective
study," Proc. Grid Computing Environments workshop, Nov. 16,
2008.
[23] Michael Armbrust, Armando Fox, Rean Griffith, Anthony D.
"A view of cloud computing." Communications of the ACM, Volume
53 Issue 4, pages 50-58. Apr. 2010.
[24] Tim Mather, Subra Kumaraswamy, Shahed Latif. "Cloud
Security and Privacy: An Enterprise perspective of Risks and
Compliance," O'Reilly Media, Inc., Feb. 2009.
[25] Siani Pearson. "Taking Account of Privacy when Designing
Cloud Computing Services." in Proc. ICSE Workshop on
Software Engineering Challenges of Cloud Computing, pages
44-52. May 2009.
[26] Jinpeng Wei, Glenn Ammons, Vasanth Bala, Peng Ning.
"Managing security of virtual machine images in a cloud
environment." In Proc. CCSW '09: ACM workshop on Cloud
computing security, pages 91-96. Nov. 2009.
[27] Miranda Mowbray, Siani Pearson. "A Client-Based Privacy
Manager for Cloud Computing." in Proc. COMSWARE '09
Fourth International ICST Conference on Communication
System Software and Middleware, Jun. 2009.
[28] Flavio Lombardi, Roberto Di Pietro. "Transparent Security
for Cloud," in Proc. SAC '10, ACM Symposium on Applied
Computing, pages 414-415, Mar. 2010.
[29] Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava.
"Secure and Efficient Access to Outsourced Data," in
Proc. CCSW '09, ACM workshop on Cloud computing security,
pages 55-65. Nov. 2009.
[30] Richard Chow, Philippe Golle, Markus Jakobsson, Elaine Shi.
"Controlling Data in the Cloud: Outsourcing Computation
without Outsourcing Control," in Proc. ACM workshop on Cloud
computing security, pages 85-90. Nov. 2009.
[31] Xinwen Zhang, Joshua Schiffman, Simon Gibbs. "Securing
Elastic Applications on Mobile Devices for Cloud Computing,"
in Proc. CCSW '0, ACM workshop on Cloud computing security,
pages 127-134. Nov. 2009.
[32] Shilpashree, Srinivasamurthy, David Q. Liu, "Survey on
Cloud Computing Security," Technical Report, Department of
Computer Science, Indiana University Purdue University Fort
Wayne, Jul. 2010.
