
Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 134 (2018) 328–333
www.elsevier.com/locate/procedia

The 2nd International Workshop on Big Data and Networks Technologies (BDNT’2018)

IaaS Cloud Model Security Issues on Behalf Cloud Provider and User Security Behaviors

El Balmany Chawki a,*, Asimi Ahmed a, Tbatou Zakariae a

a LabSiv Laboratory, Faculty of Sciences, Ibn Zohr University, Agadir, Morocco.

Abstract

The IaaS model is arguably the most fundamental service delivery model in cloud computing. It holds a wide variety of virtualized IT resources, furnished as on-demand services. Platform virtualization is the quintessence of this model: it gives users the ability to provision and manage their own environment on remote physical servers (CPU, storage servers) over the Internet. However, users are still reluctant to migrate their private data into cloud servers because of security, which remains the main inhibitor of cloud computing’s growth. In this paper, we thoroughly explore the security issues within the components of the IaaS model from the standpoint of CSP and user security behaviors. Furthermore, we review the CSA Top 12 threats that hamper the flexibility and scalability of the IaaS model.

© 2018 The Authors. Published by Elsevier Ltd.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).
Peer-review under responsibility of the scientific committee of the 13th International Conference on Future Networks and Communications, FNC-2018 and the 15th International Conference on Mobile Systems and Pervasive Computing, MobiSPC 2018.

Keywords: IaaS; Cloud; Security; Issues; Virtualization; User; CSP; Behavior

1. Introduction and notations

Cloud Computing is a new ubiquitous technology in which IT resources are delivered to users as services reachable via the Internet. Moreover, cloud computing has given users the opportunity to migrate their data and applications towards the cloud. Instead of working on a workstation with expensive resources and applications, users take advantage of cloud-delivered, on-demand resources and applications at low cost.
Thus, NIST [1] has highlighted the cloud resource-exposure models as: i) Infrastructure-as-a-Service (IaaS), where IT resources (computation, data storage and networking) are delivered as services, so that users benefit from managing the OS and applications themselves; ii) Platform-as-a-Service (PaaS), a model where the CSP provides a development environment in the hands of users to create and run their own applications; iii) Software-as-a-Service (SaaS), a software licensing and delivery model in which users benefit from remote applications.

* Corresponding author. Tel.: +212-648-727-210; Fax: +212-522-820696
E-mail address: chawki.elbalmany@gmail.com

1877-0509 © 2018 The Authors. Published by Elsevier Ltd.
10.1016/j.procs.2018.07.180
El Balmany Chawki et al. / Procedia Computer Science 134 (2018) 328–333 329

The governance of cloud security [2] is significant in the SaaS and PaaS models, where the CSP is solely responsible for managing and administrating the IT stack from the application or platform down to the physical layer. The IaaS model, by contrast, remains a topic of discussion, because preserving its security requirements is a shared accountability between user and CSP. The main intention of this review is therefore to appraise the security issues and vulnerabilities hampering the well-functioning of several IaaS model components, from the standpoint of the CSP’s and the user’s behaviors and responsibilities, in order to fulfill the expected security requirements.
This paper is structured as follows: Section 2 gives an overview of the IaaS model and its security properties; Section 3 covers the security issues in IaaS components; finally, Section 4 presents the CSA Top 12 threats and risks across the different layers of IaaS (VMs, data storage, network), together with the role each of the user and the CSP plays in dealing with them. Below are the notations used throughout this paper.

Nomenclature

IaaS Infrastructure-as-a-Service
CSP Cloud Service Provider
VM Virtual Machine
VMM Virtual Machine Monitor
QoS Quality of Service
SLA Service Level Agreement
CSA Cloud Security Alliance

2. Literature overview

2.1. Overview of cloud IaaS model components

The Infrastructure-as-a-Service (IaaS) model is the most fundamental cloud service model. It holds a wide variety of resources aggregated and managed under the full control of consumers. Services are delivered with advanced capabilities, the most relevant being storage, network, computation, pay-per-use and on-demand provisioning [3]. In the literature, most research treats the IaaS model as the one whose services sit above the infrastructure layer, with the physical hardware and network implemented in the infrastructure layer itself, as illustrated in Fig. 1.

Fig. 1. IaaS model physical and software layers.
Fig. 2. Hypervisor in IaaS model.

Basically, the cloud IaaS model comprises two main kinds of components [4]. First, physical components: computer hardware, storage servers and network. Second, software components, such as cloud software or APIs (Application Program Interfaces), which act as the front door through which users reach the set of cloud services. Further software technologies embraced in cloud computing include utility computing, in which IT resources are delivered through an on-demand, pay-per-use billing method reachable by web services [5], whose main purpose is to reduce the total cost of the resources users consume. Likewise, the legal contract offered by the CSP as part of its agreement with the end user, which represents a solution to guarantee a suitable level of Quality of Service (QoS) [6] and to determine each party’s benefits and liabilities, is described within the SLA. Finally, platform virtualization remains the quintessence of this paradigm, and the CSP benefits from it as shown in Fig. 2, where several operating systems and applications run on a single physical system and common resources are shared among users.

2.2. IaaS model security requirements

The fundamental perspective of this paper is to pinpoint IaaS model security. Security governance remains a complicated task, since several components and parties are involved. In order to appraise security issues over IaaS model components, it is first necessary to understand that security in the IaaS model, unlike in other cloud services, is a joint task between user and CSP [7]. The CSP has rather limited responsibilities in the IaaS model: it is supposed to have full control over the underlying hypervisor layer, while the end user is responsible for configuring his own environment and securing his virtual guest OS.
As shown in Table 1, IaaS model components are related to qualitative security requirements that should be established according to user and CSP responsibilities, in order to ensure the well-functioning of the whole architecture and guarantee the expected properties in each component through the appropriate behavior of the involved actor.

Table 1. Security properties required in each IaaS model component on behalf user and CSP behaviors.
Security Requirements Authentication Encryption Integrity Availability Access Control
Computing Hardware CSP - - CSP -
Virtualization CSP/USER - CSP/USER CSP CSP/USER
Data Storage - CSP/USER USER CSP CSP/USER
Networking - - - CSP CSP/USER
Cloud Software CSP - - CSP -
Utility Computing - - CSP - CSP
SLA - - - CSP CSP

3. IaaS model security issues

3.1. SLA security issues

Despite the paramount necessity of the SLA to specify availability and user data privacy, unfortunately there exists no standard for establishing an SLA between the involved parties. According to Modi et al. [8], many cloud providers such as Google, Amazon and SalesForce hide many parameters of the full SLA, so that it is not clear to users whether their data is safely preserved. In the literature, several works broach SLA security solutions, such as a Web Service Level Agreement framework [9] for SLA monitoring and enforcement in SOA. Some place the determination of the SLA with a trusted third party between CSP and user. Besides, Carvalho et al. [10] have proposed a state of the art concerning security issues of SLAs for cloud computing.

3.2. Utility Computing security issues

The first obstacle that cripples the usage of this concept is the complexity of the cloud computing architecture: it requires fine-grained provisioning of metered services and permanent control of users’ usage. Furthermore, attackers intrude on resources without paying; some gain access to storage servers or use them for data mining. Likewise, a compromised user can execute a Fraudulent Resource Consumption (FRC) attack [11], consuming the metered bandwidth of a web-based service.
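As an added example (not from the paper or from [11]), the following defender-side monitor illustrates the metered-bandwidth abuse described above: it parses web-server access log lines, aggregates the bytes served per client per minute, and flags clients whose consumption dwarfs the typical client’s. The log lines, addresses, window size and thresholds are constructed assumptions.

```python
"""Metered-bandwidth monitor for Fraudulent Resource Consumption (FRC).

A client engaged in FRC looks like a legitimate user at the request level but
runs up the provider's pay-per-use bandwidth bill. This detector aggregates
bytes served per (client, time window) and flags outliers against the median.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Common Log Format with a response-size field. The lines below are
# constructed for illustration; they are not real traffic.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
198.51.100.7 - - [01/Jun/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jun/2018:10:00:40 +0000] "GET /about.html HTTP/1.1" 200 4096
203.0.113.9 - - [01/Jun/2018:10:00:02 +0000] "GET /big.iso HTTP/1.1" 200 734003200
203.0.113.9 - - [01/Jun/2018:10:00:03 +0000] "GET /big.iso HTTP/1.1" 200 734003200
203.0.113.9 - - [01/Jun/2018:10:00:04 +0000] "GET /big.iso HTTP/1.1" 200 734003200
198.51.100.22 - - [01/Jun/2018:10:00:09 +0000] "GET /img/logo.png HTTP/1.1" 200 20480
198.51.100.22 - - [01/Jun/2018:10:01:09 +0000] "GET /index.html HTTP/1.1" 304 -
"""


def parse_log(text):
    """Yield (client_ip, timestamp, bytes_served) per well-formed line.

    Malformed lines are skipped; a size of '-' (e.g. a 304) counts as 0 bytes.
    """
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        yield m["ip"], datetime.strptime(m["ts"], TS_FORMAT), size


def bytes_per_client_window(records, window_seconds=60):
    """Sum bytes served per (client_ip, window) bucket."""
    usage = defaultdict(int)
    for ip, ts, size in records:
        bucket = int(ts.timestamp()) // window_seconds
        usage[(ip, bucket)] += size
    return usage


def flag_frc(usage, factor=10.0, floor_bytes=100 * 1024 * 1024):
    """Return clients whose usage in any window exceeds `factor` times the
    median bucket AND an absolute floor (so a quiet site does not flag
    everyone). Both parameters are assumed tuning values."""
    totals = list(usage.values())
    median = statistics.median(totals) if totals else 0
    threshold = max(factor * median, floor_bytes)
    return sorted({ip for (ip, _), total in usage.items() if total > threshold})


if __name__ == "__main__":
    usage = bytes_per_client_window(parse_log(SAMPLE_LOG))
    print(flag_frc(usage))  # ['203.0.113.9']
```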

3.3. Platform Virtualization security issues

Virtualization represents the quintessence of cloud computing, particularly in the IaaS model. Consequently, it remains the primary requirement widely discussed in security research. According to Vaquero et al. [12], virtualization should be studied over its whole lifecycle, from VM image definition to undeployment. Some studies divide virtualization security issues into two categories: i) threats sourced from the host OS, ii) threats sourced from the VM. Thus, platform virtualization is prone to attacks across different layers and scenarios.
First, in the VMM [13] (hypervisor), the cloud provider is primarily responsible for maintaining the availability of virtual machines by automating the hypervisor’s scheduling of multi-tenant resources and managing the isolation of each running VM. The VMM is exposed to DoS attacks caused by bandwidth under-provisioning, and to cross-VM side-channel attacks caused by co-location. Further, VM escape, rollback, migration and isolation vulnerabilities [14] may let an attacker gain full control of the hypervisor. The VMM is directly compromised by VM-based rootkit attacks, which imperil trustworthy VMs, and it constitutes a single point of failure exposed to unauthorized parties, according to the authors of [13] and [15].
In a nutshell, several vulnerabilities have been raised that undermine the confidentiality and integrity of tenants’ data because of its dynamicity across VMs. The hypervisor is responsible for providing the system’s flexibility across a large number of available and maintained VMs.
Hence, sharing resources between VMs might expose the security of every VM, since the attacker needs to reach only one compromised virtual machine image. Network virtualization is another security challenge, since most VM monitors use it to interconnect VMs directly and efficiently. Network virtualization is prone to attacks such as sniffing and spoofing of the virtual network. Attaching each VM to its host through dedicated physical channels remains the most secure way to protect network virtualization [16].

3.4. Networking and cloud software security issues

In the IaaS model, network monitoring is the liability of the CSP, in order to sustain a suitable level of QoS. The network is exposed to several attacks, first of all because of the complexity of the cloud computing architecture. Other vulnerabilities are introduced through cloud software and APIs over Internet protocols. Authentication weaknesses, backdoor intrusions and session hijacking are the major security threats affecting the scalability of the network. A survey [17] has thoroughly discussed security risks on the network and intrusion detection and prevention as a service in cloud computing. Other researchers propose Network-based Intrusion Detection Systems (NIDS) as a solution for listening to and provisioning network traffic, combining erasure codes and Intrusion Prevention Systems (IPS) not only to detect vulnerabilities but also to correct them simultaneously. Moreover, loopholes in programming interfaces deployed on guest VMs and in instruction processing are primary targets, exposing vulnerabilities in which malicious code can conflict with the VMM or other VMs [18].

4. Cloud Security Alliance TOP 12 threats

The Cloud Security Alliance (CSA) [19], the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, announced an updated “Treacherous 12: Top 12 Threats to Cloud Computing and Industry Insights”, a refreshed release of the 2016 report that includes new real-world anecdotes and examples of recent incidents relating to each of the 12 cloud computing threat categories identified in the original paper.
In this section, following the latest communication of the Cloud Security Alliance, we determine the impact of the published risks on the security properties by mapping each to the compromised IaaS component mentioned earlier. Furthermore, we briefly propose some required solutions to achieve a certain level of security, as summarized in Table 2.

Table 2. Impact of CSA TOP 12 threats on IaaS model security

Data Breach: an incident in which sensitive, protected or confidential data is released, viewed, stolen or used by an unauthorized individual, or a result of human error or poor security practice. Impact on IaaS model: ‘Confidentiality of Data Storage’. Solution: cryptographic mechanisms [20], ABE [21]; provide data storage and backup mechanisms.

Insufficient Identity, Credential and Access Management: users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. Impact on IaaS model: ‘Authentication and access control - Virtualization level’. Use strong multi-tier passwords and authentication mechanisms.

Insecure Interfaces and APIs: due to the open nature of cloud services, interfaces and APIs often use anonymous access, clear-text authentication of content transmission, and carry cloud software vulnerabilities [22]. Impact on IaaS model: ‘Authentication - Network and API level’. Data transmission in encrypted form, strong access control and authentication mechanisms.

System Vulnerabilities: exploitable bugs in programs that attackers use to infiltrate a computer system for the purpose of stealing data, taking control of the system or disrupting service operations. Impact on IaaS model: ‘Confidentiality’. Afforded services under control and monitoring.

Account or Service Hijacking: infrastructure security, using social engineering, phishing, fraud or vulnerability exploits. Impact on IaaS model: ‘Confidentiality, integrity and availability’. Adoption of strong authentication mechanisms, PDP [23], PoR [24] and a secure communication channel.

Malicious Insiders: a malicious insider threat to an organization is a current or former employee who has authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the security. Impact on IaaS model: ‘Confidentiality, integrity, or availability of data’. Use agreement reporting and breach notifications, and make the management process transparent.

Advanced Persistent Threats (APTs): a parasitical form of cyberattack that infiltrates systems to establish a foothold in the computing infrastructure of target companies, from which they smuggle data and intellectual property. Impact on IaaS model: ‘Intrusion detection’. Intrusion detection, focus on outbound traffic, understand the changing threat, manage the endpoint.

Data Loss: data ownership, encryption, transmission, operational failure, data disposal/data deletion and availability are all challenges in a cloud environment. Impact on IaaS model: ‘Data Privacy & Availability’. Encryption: homomorphic encryption [25], ABE; provide data storage and backup mechanisms.

Insufficient Due Diligence: developing a good roadmap and checklist for due diligence when evaluating technologies and CSPs is essential for the greatest chance of success (administrative). Impact on IaaS model: this risk is different from the others mentioned above; it is an administrative risk that only the cloud administrator and governance have to deal with.

Abuse and Nefarious Use of Cloud Services: due to the often anonymous nature of some cloud services, they attract use by criminal elements. Impact on IaaS model: ‘Authentication’. Observe the network status, provide robust registration and authentication techniques (PaaS & IaaS).

Denial of Service: forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth. Impact on IaaS model: ‘Availability’. Service availability is affected, and a fake service may be created; strong authentication and authorization.

Shared Technology: sharing of resources and services among multiple clients increases dependence on logical segregation and other controls to ensure that one tenant cannot interfere with the security of the other tenants. Impact on IaaS model: virtualization availability. Isolation of data and copies must be ensured; strong authentication and access control are some mechanisms to prevent this issue.
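Table 1 assigns the integrity of Data Storage to the user, and Table 2 names PDP [23] and PoR [24] as remedies for hijacked storage. As an added example (not from the paper or from the cited schemes), the following simplified challenge-response audit shows the idea: the cloud user keeps only a secret key and the block count, outsources blocks with per-block HMAC tags, and later spot-checks a random sample of indices. Returning the challenged blocks themselves is a simplification; real PDP/PoR schemes compress the proof with homomorphic tags. Block size, sample size and the corrupted index are assumptions.

```python
"""Sampling-based storage integrity audit in the spirit of PDP/PoR.

The user does not keep the file. Each block is tagged with HMAC(key, index ||
block) before upload, so the untrusted server can neither forge a tag for a
modified block nor answer a challenge for block i with block j.
"""
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64  # bytes per block; deliberately small for illustration


def split_blocks(data, block_size=BLOCK_SIZE):
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def tag(key, index, block):
    """Tag binds block content to its position in the file."""
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


class CloudUser:
    def __init__(self, data):
        self.key = secrets.token_bytes(32)
        blocks = split_blocks(data)
        self.n_blocks = len(blocks)
        # Material handed to the server; afterwards the user needs only key and n_blocks.
        self.upload = [(b, tag(self.key, i, b)) for i, b in enumerate(blocks)]

    def challenge(self, sample_size):
        """Pick distinct random block indices using the OS CSPRNG."""
        k = min(sample_size, self.n_blocks)
        return sorted(secrets.SystemRandom().sample(range(self.n_blocks), k))

    def verify(self, indices, proof):
        """Recompute each tag from the returned block; constant-time compare."""
        if len(proof) != len(indices):
            return False
        return all(hmac.compare_digest(tag(self.key, i, b), t)
                   for i, (b, t) in zip(indices, proof))


class StorageServer:
    def __init__(self, upload):
        self.store = list(upload)

    def corrupt(self, index):
        """Simulate bit rot or tampering on one block; the stored tag is untouched."""
        b, t = self.store[index]
        self.store[index] = (bytes([b[0] ^ 0x01]) + b[1:], t)

    def prove(self, indices):
        return [self.store[i] for i in indices]


def detection_probability(n_blocks, corrupted, sample_size):
    """Probability that a sample of `sample_size` distinct blocks (without
    replacement) hits at least one of `corrupted` bad blocks out of `n_blocks`."""
    p_miss = 1.0
    for k in range(min(sample_size, n_blocks)):
        p_miss *= (n_blocks - corrupted - k) / (n_blocks - k)
    return 1.0 - p_miss


def run_audit(data, sample_size, corrupt_index=None):
    """One full round: outsource, optionally corrupt, challenge, verify.
    Returns True when the server's proof checks out."""
    user = CloudUser(data)
    server = StorageServer(user.upload)
    if corrupt_index is not None:
        server.corrupt(corrupt_index)
    indices = user.challenge(sample_size)
    return user.verify(indices, server.prove(indices))


if __name__ == "__main__":
    data = bytes(range(256)) * 2  # constructed 512-byte file -> 8 blocks
    print(run_audit(data, 8), run_audit(data, 8, corrupt_index=3))  # True False
    print(round(detection_probability(1000, 10, 100), 3))
```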

Conclusion

The IaaS model faces several security issues across its physical and software layers. As virtualization represents the core of this model, these issues fall into two broad categories: CSP responsibilities and cloud user responsibilities. First, the CSP provisions and manages the entire IT stack and has full control over the hypervisor for monitoring and anticipating network traffic. Moreover, cloud users have to secure their own environment against insider and outsider threats. The IaaS model is an interesting field of research, and several studies have been proposed to achieve IaaS model security. In this paper, we surveyed cryptographic and security techniques addressing the aforementioned security issues in order to thwart threats and attacks on IaaS model components.

References

[1] Peter Mell, Timothy Grance, Recommendations of the National Institute of Standards and Technology. The NIST Definition of Cloud
Computing, NIST Special Publication 800-145.
[2] Moura, J., Hutchison, D., Review and Analysis of Networking Challenges in Cloud Computing.
[3] F. Xhafa and N. Bessis (eds.), Inter-cooperative Collective Intelligence: Techniques and Applications, Studies in Computational Intelligence
495, DOI: 10.1007/978-3-642-35016-0_2, Springer-Verlag Berlin Heidelberg 2014
[4] Dawoud, W., Takouna, I., Meinel, C. Infrastructure as a service security: Challenges and solutions. Informatics and Systems (INFOS), The
7th International Conference on , vol., no., pp.1-8, 28-30 March 2010
[5] Dale D. Reitze, Using Commercial Web Services to Build Automated Test Equipment Cloud Based Applications, IEEE 2014.
[6] Syed Hamid Hussain Madni, Muhammad Shafie Abd Latiff, Yahaya Coulibaly and Shafi’i Muhammad Abdulhamid, Resource Scheduling
for Infrastructure as a Service (IaaS) in Cloud Computing: Challenges and Opportunities, Journal of Network and Computer Applications,
http://dx.doi.org/10.1016/j.jnca.2016.04.016
[7] Ravi Kumar, P., Herbert Raj, P., Jelciana, P., Exploring Data Security Issues and Solutions in Cloud Computing. The 6th International
Conference on Smart Computing and Communications. Volume 125, 2018, Pages 691-697. https://doi.org/10.1016/j.procs.2017.12.089
[8] Modi, C., Patel, D., Borisaniya, B. et al. J Supercomput (2013) 63: 561. https://doi.org/10.1007/s11227-012-0831-5
[9] Halboob W., Abbas H., Haouam K., Yaseen A. (2014) Dynamically Changing Service Level Agreements (SLAs) Management in Cloud
Computing. In: Huang DS., Jo KH., Wang L. (eds) Intelligent Computing Methodologies. ICIC 2014. Lecture Notes in Computer Science,
vol 8589. Springer, Cham
[10] C.Carvalho, R.M. Andrade, M.F De Castro, E. Coutinho, N.Agoulmine, State of the art and challenges of security SLA for cloud computing.
Computers and Electrical Engineering 000 (2017) 1–12. http://dx.doi.org/10.1016/j.compeleceng.2016.12.030
[11] Bhushan, K. & Gupta, B.B. Multimed Tools Appl (2017). https://doi.org/10.1007/s11042-017-5522-z.
[12] Vaquero, L.M., Rodero-Merino, L. & Morán, D. Computing (2011) 91: 93. https://doi.org/10.1007/s00607-010-0140-x
[13] Ashish Singh and Kakali Chatterjee, Cloud security issues and challenges: a survey, Journal of Network and Computer Applications,
http://dx.doi.org/10.1016/j.jnca.2016.11.027
[14] Varun Krishna Veeramachaneni, Security Issues and Countermeasures in Cloud Computing Environment, International Journal of
Engineering Science and Innovative Technology (IJESIT) Volume 4, Issue 5, September 2015
[15] Perez-Botero D, Szefer J, Lee RB. Characterizing hypervisor vulnerabilities in cloud computing servers. InProceedings of the 2013
international workshop on Security in cloud computing 2013 May 8 (pp. 3-10). ACM.
[16] Hashizume, K., Rosado, D.G., Fernández-Medina, E. et al. J Internet Serv Appl (2013) 4: 5. https://doi.org/10.1186/1869-0238-4-5
[17] S. Iqbal, L. Mat Kiah, B. Dhaghighi, M. Hussain, S. khan, M. Khurram Khan and K.K.R Choo, On Cloud Security Attacks: A Taxonomy
and Intrusion Detection and Prevention as a Service, Journal of Network and Computer Applications,
http://dx.doi.org/10.1016/j.jnca.2016.08.016
[18] Syed. H, Mehwish. F, Atif. S, Imran. R, Raja. S, Multilevel classification of security concerns in cloud computing. Applied Computing and
Informatics, Volume 13, Issue 1, January 2017
[19] CLOUD SECURITY ALLIANCE The Treacherous 12 - Cloud Computing Top Threats in 2016.
[20] Nesrine Kaaniche, Maryline Laurent, Data Security and Privacy preservation in Cloud Storage Environments based on Cryptographic
Mechanisms, Computer Communications (2017), doi: 10.1016/j.comcom.2017.07.006.
[21] Saravana Kumar Na,Rajya Lakshmi G.Vb,Balamurugan Ba,*. Enhanced Attribute Based Encryption for Cloud Computing. International
Conference on Information and Communication Technologies (ICICT 2014).
[22] S. Subashini, V. Kavitha. A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer
Applications Volume 34, Issue 1, January 2011.
[23] Selvamani K, Jayanthi.S, A Review on Cloud Data Security and Its mitigation Techniques. International Conference on Computer,
Communication and Convergence (ICCC 2015).
[24] Shubham S, Surmila T. Public integrity auditing for shared dynamic cloud data. 6th International Conference on Smart Computing and
Communications, ICSCC 2017, 7-8 December 2017, Kurukshetra, India
[25] Oppermann A., Yurchenko A., Esche M., Seifert JP. (2017) Secure Cloud Computing: Multithreaded Fully Homomorphic Encryption for
Legal Metrology. In: Traore I., Woungang I., Awad A. (eds) Intelligent, Secure, and Dependable Systems in Distributed and Cloud
Environments. ISDDC 2017. Lecture Notes in Computer Science, vol 10618. Springer, Cham
