
International Journal of Information Security, Volume 13, Issue 2, pp 113–170

Security issues in cloud environments: a survey

  • Diogo A. B. Fernandes
  • Liliana F. B. Soares
  • João V. Gomes
  • Mário M. Freire
  • Pedro R. M. Inácio
SPECIAL ISSUE PAPER

Abstract

In the last few years, the appealing features of cloud computing have been fueling the integration of cloud environments in industry, which has consequently been motivating research on related technologies by both industry and academia. The possibility of paying as you go, combined with on-demand elastic operation, is changing the enterprise computing model, shifting on-premises infrastructures to off-premises data centers, accessed over the Internet and managed by cloud hosting providers. Regardless of its advantages, the transition to this computing paradigm raises security concerns, which are the subject of several studies. Besides the issues derived from Web technologies and the Internet, clouds introduce new issues that should be resolved first so that the number of cloud deployments can continue to increase. This paper surveys the works on cloud security issues, making a comprehensive review of the literature on the subject. It addresses several key topics, namely vulnerabilities, threats, and attacks, proposing a taxonomy for their classification. It also contains a thorough review of the main concepts concerning the security state of cloud environments and discusses several open research topics.

Keywords

Clouds, Cloud computing, Issues, Security, Survey

Notes

Acknowledgments

We would like to thank all the anonymous reviewers for constructively criticizing this work.

  160. 160.
    Marlinspike, M.: sslstrip. http://www.thoughtcrime.org/software/sslstrip/ (2009). Accessed Apr. 2013
  161. 161.
    Martin, D.: Implementing effective controls in a mobile, agile, cloud-enabled enterprise. IEEE Secur. Priv. 11(1), 13–14 (2013). doi: 10.1109/MSP.2013.1 Google Scholar
  162. 162.
    Mathisen, E.: Security challenges and solutions in cloud computing. In: Proceedings of the 5th IEEE International Conference on Digital Ecosystems and Technologies, pp. 208–212. IEEE (2011). doi: 10.1109/DEST.2011.5936627
  163. 163.
    McAfee: McAfee Threats Report—Fourth Quarter 2012. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf (2013). Accessed Apr. 2013
  164. 164.
    McCune, J., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: efficient TCB reduction and attestation. In: IEEE Symposium on Security and Privacy (SP), pp. 143–158. Oakland, CA, USA (2010). doi: 10.1109/SP.2010.17
  165. 165.
    McGraw, G.: Software security. IEEE Secur. Priv. 2(2), 80–83 (2004). doi: 10.1109/MSECP.2004.1281254 CrossRefGoogle Scholar
  166. 166.
    McIntosh, M., Austel, P.: XML signature element wrapping attacks and countermeasures. In: Proceedings of the Workshop on Secure Web Services, pp. 20–27. ACM, New York, NY, USA (2005). doi: 10.1145/1103022.1103026
  167. 167.
    McKendrick, J.: 7 Predictions for Cloud Computing in 2013 That Make Perfect Sense. Forbes (2012)Google Scholar
  168. 168.
    MEGA: The MEGA API. https://mega.co.nz/#developers (2013). Accessed Apr. 2013
  169. 169.
    Microsoft: Microsoft Hyper-V Server 2012 Website. https://www.microsoft.com/en-us/server-cloud/hyper-v-server/ (2013). Accessed Jun. 2013
  170. 170.
    Microsoft: Microsoft Security Intelligence Report: Volume 14. http://www.microsoft.com/security/sir/default.aspx (2013). Accessed Apr. 2013
  171. 171.
    Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appli. (2012). doi: 10.1016/j.jnca.2012.05.003. Available online 2 June 2012
  172. 172.
    Mohamed, E., Abdelkader, H., El-Etriby, S.: Enhanced data security model for cloud computing. In: 8th International Conference on Informatics and Systems, pp. CC-12–CC-17. IEEE (2012)Google Scholar
  173. 173.
    Mohan, V., Hamlen, K.W.: Frankenstein: stitching malware from benign binaries. In: Proceedings of the 6th USENIX Conference on Offensive Technologies, pp. 8–8. USENIX Association, Bellevue, WA, USA (2012)Google Scholar
  174. 174.
    Monfared, A., Jaatun, M.: Monitoring intrusions and security breaches in highly distributed cloud environments. In: IEEE 3rd International Conference on Cloud Computing Technology and Science, pp. 772–777. IEEE Computer Society, Washington, DC, USA (2011). doi: 10.1109/CloudCom.2011.119
  175. 175.
    Morsy, M.A., Grundy, J., Müller, I.: An analysis of the cloud computing security problem. In: Proceedings of Asia Pacific Software Engineering Conference Cloud Workshop, pp. 1–6. IEEE Computer Society, Washington, DC, USA (2010)Google Scholar
  176. 176.
    Moser, S.: Change I7d8c1f9b: add ’random _seed’ entry to instance metadata. https://review.openstack.org/#c/14550/ (2012). Accessed May 2013
  177. 177.
    MPICH: MPICH Website. http://www.mpich.org/ (2013). Accessed Apr. 2013
  178. 178.
    Musthaler, L.: DDoS-as-a-Service? You Betcha! It’s Cheap, It’s Easy, and It’s Available to Anyone. Security Bistro (2012)Google Scholar
  179. 179.
    Narayanan, A., Shmatikov, V.: De-anonymizing social networks. In: 30th IEEE Symposium on Security and Privacy, pp. 173–187. IEEE Computer Society, Washington, DC, USA (2009). doi: 10.1109/SP.2009.22
  180. 180.
    Nathoo, N.: Cloud Wars—The Fall of Cloud Storage. CloudTimes (2013). Accessed Apr. 2013Google Scholar
  181. 181.
    Nebula: Introducing Nebula One. https://www.nebula.com/nebula-one (2013). Accessed Apr. 2013
  182. 182.
    Network-Tools: Network-Tools Website. http://network-tools.com/ (2013). Accessed Apr. 2013
  183. 183.
    Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: IEEE Symposium on Security and Privacy, pp. 226–241. Athens, Greece (2005). doi: 10.1109/SP.2005.15
  184. 184.
    NIST: NIST Cloud Computing Reference Architecture. http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505 (2011). Accessed Jul. 2013
  185. 185.
    NIST: The NIST Definition of Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (2011). Accessed Sept. 2012
  186. 186.
    NIST: NIST Cloud Computing Program. http://www.nist.gov/itl/cloud/ (2012). Accessed Sept. 2012
  187. 187.
  188. 188.
    Oberheide, J., Cooke, E., Jahanian, F.: Empirical exploitation of live virtual machine migration. In: Proceedings of the Black Hat Convention (2008). doi: 10.1109/ICCIAutom.2011.6183990
  189. 189.
    OCCI: OCCI Website. http://occi-wg.org/ (2013). Accessed Apr. 2013
  190. 190.
    Okamura, K., Oyama, Y.: Load-based covert channels between Xen virtual machines. In: Proceedings of the ACM Symposium on Applied Computing, pp. 173–180. ACM, New York, NY, USA (2010). doi: 10.1145/1774088.1774125
  191. 191.
    O’Kane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Priv. 9(5), 41–47 (2011). doi: 10.1109/MSP.2011.98 CrossRefGoogle Scholar
  192. 192.
    O’Neill, M.: Cloud APIs—the Next Battleground for Denial-of-Service Attacks. CSA Blog (2013)Google Scholar
  193. 193.
    Open Cloud Initiative (OCI): OCI Website. http://www.opencloudinitiative.org/ (2013). Accessed May 2013
  194. 194.
    OpenNebula: OpenNebula Website. http://opennebula.org/ (2013). Accessed Apr. 2013
  195. 195.
    OpenStack: OpenStack Website. http://www.openstack.org/ (2013). Accessed Apr. 2013
  196. 196.
    Oracle: Oracle Java SE Critical Patch Update Advisory—April 2013. http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html (2013). Accessed Apr. 2013
  197. 197.
    Oracle: VirtualBox Website. https://www.virtualbox.org/ (2013). Accessed Jun. 2013
  198. 198.
    Ortega, A.: Your Malware Shall Not Fool Us With Those Anti Analysis Tricks. AlienVault Labs (2012)Google Scholar
  199. 199.
    OSVDB: The Open Source Vulnerability Database Website. http://www.osvdb.org/ (2013). Accessed Apr. 2013
  200. 200.
    OWASP: The Then Most Critical Web Application Security Risks. http://owasptop10.googlecode.com/files/OWASP (2010). Accessed Oct. 2012
  201. 201.
    OWASP: The Then Most Critical Web Application Security Risks. https://www.owasp.org/index.php/Top_10_2013 (2013). Accessed Apr. 2013
  202. 202.
    Oyama, Y., Giang, T.T.D., Chubachi, Y., Shinagawa, T., Kato, K.: Detecting malware signatures in a thin hypervisor. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC), pp. 1807–1814. ACM, Trento, Italy (2012). doi: 10.1145/2231936.2232070
  203. 203.
    Panah, A., Panah, A., Panah, O., Fallahpour, S.: Challenges of security issues in cloud computing layers. Rep. Opin. 4(10), 25–29 (2012)Google Scholar
  204. 204.
    Parallels: Oracle VM Server Website. http://www.oracle.com/us/technologies/virtualization/oraclevm/ (2013). Accessed Jun. 2013
  205. 205.
    Parallels: Parallels Website. http://www.parallels.com/eu/products/ (2013). Accessed Jun. 2013
  206. 206.
    Patel, A., Taghavi, M., Bakhtiyari, K., Júnior, J.C.: An intrusion detection and prevention system in cloud computing: a systematic review. J. Netw. Comput. Appli. (2012). doi: 10.1016/j.jnca.2012.08.007. Available online 31 Aug. 2012
  207. 207.
    Patel, P.: Solution: FUTEX \_WAIT hangs Java on Linux / Ubuntu in vmware or virtual box. http://www.springone2gx.com/blog/pratik_patel/2010/01/solution_futex_wait_hangs_java_on_linux_ubuntu_in_vmware_or_virtual_box(2010). Accessed May 2013
  208. 208.
    Patidar, S., Rane, D., Jain, P.: A survey paper on cloud computing. In: 2nd International Conference on Advanced Computing Communication Technologies, pp. 394–398. IEEE (2012). doi: 10.1109/ACCT.2012.15
  209. 209.
    PCI Security Standards: PCI SSC Data Security Standards Overview. https://www.pcisecuritystandards.org/security_standards/index.php (2012). Accessed Oct. 2012
  210. 210.
    Pearce, M., Zeadally, S., Hunt, R.: Virtualization: issues, security threats, and solutions. ACM Comput. Surv. 45(2), 1:71–1:739 (2013). doi: 10.1145/2431211.2431216 CrossRefGoogle Scholar
  211. 211.
    Pearson, S.: Privacy, security and trust in cloud computing. In: Pearson, S., Yee, G. (eds.) Privacy and Security for Cloud Computing, pp. 3–42. Springer London (2013). doi: 10.1007/978-1-4471-4189-1_1
  212. 212.
    Perez-Botero, D., Szefer, J., Lee, R.B.: Characterizing hypervisor vulnerabilities in cloud computing servers. In: Proceedings of the 2013 International Workshop on Security in Cloud Computing (SCC), pp. 3–10. ACM, New York, NY, USA (2013). doi: 10.1145/2484402.2484406
  213. 213.
    Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., Shenker, S.: Extending networking into the virtualization layer. In: Proceedings of the 8th ACM Workshop on Hot Topics in Networks. ACM SIGCOMM (2009)Google Scholar
  214. 214.
    Prandini, M., Ramilli, M., Cerroni, W., Callegati, F.: Splitting the HTTPS stream to attack secure web connections. IEEE Secur. Priv. 8(6), 80–84 (2010). doi: 10.1109/MSP.2010.190 CrossRefGoogle Scholar
  215. 215.
    Prince, M.: The DDoS That Almost Broke the Internet. CloudFlare (2013)Google Scholar
  216. 216.
    Prince, M.: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It). CloudFlare (2013)Google Scholar
  217. 217.
    Prolexic: Prolexic Quarterly Global DDoS Attack Report Q1 2013. https://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html (2013). Accessed Apr. 2013
  218. 218.
    Rahaman, M.A., Schaad, A., Rits, M.: Towards secure SOAP message exchange in a SOA. In: Proceedings of the 3rd ACM Workshop on Secure Web Services, pp. 77–84. ACM, New York, NY, USA (2006). doi: 10.1145/1180367.1180382
  219. 219.
    Ramgovind, S., Eloff, M., Smith, E.: The management of security in cloud computing. In: Information Security for South Africa, pp. 1–7. IEEE (2010). doi: 10.1109/ISSA.2010.5588290
  220. 220.
    Rasmusson, L., Aslam, M.: Protecting private data in the cloud. In: Proceedings of the 2nd International Conference on Cloud Computing and Services Science (CLOSER), pp. 5–12. Porto, Portugal (2012)Google Scholar
  221. 221.
    Rauti, S., Leppänen, V.: Browser extension-based man-in-the-browser attacks against Ajax applications with countermeasures. In: Proceedings of the 13th International Conference on Computer Systems and Technologies (CompSysTech), pp. 251–258. ACM, Ruse, Bulgaria (2012) doi: 10.1145/2383276.2383314
  222. 222.
    RedHat: KVM Website. http://www.linux-kvm.org/ (2013). Accessed Jun. 2013
  223. 223.
    RepoCERT: Botnet Using Plesk Vulnerability and Takedown. Seclists Website (2013)Google Scholar
  224. 224.
    Rimal, B.P., Jukan, A., Katsaros, D., Goeleven, Y.: Architectural requirements for cloud computing systems: an enterprise cloud approach. J. Grid Comput. 9(1), 3–26 (2011). doi: 10.1007/s10723-010-9171-y CrossRefGoogle Scholar
  225. 225.
    Ripe, NCC: Database Query. http://apps.db.ripe.net/search/query.html (2013). Accessed Apr. 2013
  226. 226.
    Riquet, D., Grimaud, G., Hauspie, M.: Large-scale coordinated attacks: impact on the cloud security. In: 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, pp. 558–563. IEEE (2012). doi: 10.1109/IMIS.2012.76
  227. 227.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199–212. ACM, New York, NY, USA (2009)Google Scholar
  228. 228.
    Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: Proceedings of Network and Distributed Security Symposium (NDSS), pp. 1–18. The Internet Society, San Diego, CA, USA (2010)Google Scholar
  229. 229.
    Roberts II, J.C., Al-Hamdani, W.: Who can you trust in the cloud?: a review of security issues within cloud computing. In: Proceedings of the Information Security Curriculum Development Conference, pp. 15–19. ACM, New York, NY, USA (2011). doi: 10.1145/2047456.2047458
  230. 230.
    Rocha, F., Abreu, S., Correia, M.: The final Frontier: confidentiality and privacy in the cloud. Computer 44(9), 44–50 (2011). doi: 10.1109/MC.2011.223 CrossRefGoogle Scholar
  231. 231.
    Rocha, F., Correia, M.: Lucy in the sky without diamonds: stealing confidential data in the cloud. In: IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops, pp. 129–134. IEEE (2011). doi: 10.1109/DSNW.2011.5958798
  232. 232.
    Rodero-Merino, L., Vaquero, L.M., Caron, E., Desprez, F., Muresan, A.: Building safe PaaS clouds: a survey on security in multitenant software platforms. Comput. Secur. 31(1), 96–108 (2012). doi: 10.1016/j.cose.2011.10.006 CrossRefGoogle Scholar
  233. 233.
    Rong, C., Nguyen, S.T., Jaatun, M.G.: Beyond lightning: a survey on security challenges in cloud computing. Comput. Electr. Eng. (2012). doi: 10.1016/j.compeleceng.2012.04.015 Available online 19 May 2012
  234. 234.
    Roy, I., Setty, S.T.V., Kilzer, A., Shmatikov, V., Witchel, E.: Airavat: security and privacy for MapReduce. In: Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation, pp. 20–20. USENIX Association, Berkeley, CA, USA (2010)Google Scholar
  235. 235.
    RSA: RSA SecurID Website. http://sweden.emc.com/security/rsa-securid.htm (2013). Accessed Jun. 2013
  236. 236.
    RSA FirstWatch: Tales from the Darkside: Another Mule Recruitment Site. RSA Blog (2013)Google Scholar
  237. 237.
    Rutkowska, J.: Subverting VistaTM Kernel for fun and profit. Black Hat Conv. (2008)Google Scholar
  238. 238.
    Sabahi, F.: Cloud computing security threats and responses. In: IEEE 3rd International Conference on Communication Software and Networks, pp. 245–249. IEEE (2011). doi: 10.1109/ICCSN.2011.6014715
  239. 239.
    Sadashiv, N., Kumar, S.: Cluster, grid and cloud computing: a detailed comparison. In: 6th International Conference on Computer Science Education, pp. 477–482. IEEE (2011). doi: 10.1109/ICCSE.2011.6028683
  240. 240.
    Salah, K., Alcaraz, Calero J.: Using cloud computing to implement a security overlay network. IEEE Secur. Priv. 11(1), 44–53 (2013). doi: 10.1109/MSP.2012.88 Google Scholar
  241. 241.
    SAML v2.0: OASIS Website. https://www.oasis-open.org/standards#samlv2.0 (2005). Accessed Apr. 2013
  242. 242.
    Santos, N., Gummadi, K.P., Rodrigues, R.: Towards trusted cloud computing. In: Proceedings of the Conference on Hot Topics in Cloud Computing. USENIX Association, Berkeley, CA, USA (2009)Google Scholar
  243. 243.
    Schloesser, M., Guarnieri, C.: Vaccinating Systems Against VM-aware Malware. Rapid7 Labs (2013)Google Scholar
  244. 244.
    Schloesser, M., Guarnieri, C.: Vaccinating Systems Against VM-aware Malware. https://github.com/rapid7/vaccination (2013). Accessed May 2013
  245. 245.
    Schneier, B.: Homomorphic Encryption Breakthrough. https://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html (2009). Accessed May 2013
  246. 246.
    SecurityFocus: Xen CVE-2013-1920 Local Memory Corruption Vulnerability. SecurityFocus (2013)Google Scholar
  247. 247.
    Sekar, V., Maniatis, P.: Verifiable resource accounting for cloud computing services. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 21–26. ACM, New York, NY, USA (2011). doi: 10.1145/2046660.2046666
  248. 248.
    Sengupta, S., Kaulgud, V., Sharma, V.: Cloud computing security—trends and research directions. In: IEEE World Congress on Services, pp. 524–531. IEEE Computer Society, Washington, DC, USA (2011). doi: 10.1109/SERVICES.2011.20
  249. 249.
    Shin, S., Gu, G.: CloudWatcher: network security monitoring using OpenFlow in dynamic cloud networks (or: how to provide security monitoring as a service in clouds?). In: 20th IEEE International Conference on Network Protocols (ICNP), pp. 1–6. Austin, TX, USA (2012).doi: 10.1109/ICNP.2012.6459946
  250. 250.
    Shinotsuka, H.: Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems. Symantec Blog (2012)Google Scholar
  251. 251.
    Singh, A.: Don’t Click the Left Mouse Button: Introducing Trojan UpClicker. FireEye Blog (2012)Google Scholar
  252. 252.
    Sloan, K.: Security in a virtualised world. Netw. Secur. 2009(8), 15–18 (2009). doi: 10.1016/S1353-4858(09)70077-7 CrossRefGoogle Scholar
  253. 253.
    SNIA: Cloud Data Management Interface (CDMI). http://www.snia.org/cdmi (2013). Accessed Apr. 2013
  254. 254.
    Somorovsky, J., Mayer, A., Schwenk, J., Kampmann, M., Jensen, M.: On breaking SAML: be whoever you want to be. In: Proceedings of the 21st USENIX Security Symposium, pp. 21–21. USENIX Association, Bellevue, WA, USA (2012)Google Scholar
  255. 255.
    Songjie, Yao, J., Wu, C.: Cloud computing and its key techniques. In: International Conference on Electronic and Mechanical Engineering and Information Technology, vol. 1, pp. 320–324. IEEE (2011). doi: 10.1109/EMEIT.2011.6022935
  256. 256.
    Sood, A., Enbody, R.: Targeted cyberattacks: a superset of advanced persistent threats. IEEE Secur. Priv. 11(1), 54–61 (2013). doi: 10.1109/MSP.2012.90 Google Scholar
  257. 257.
    Sood, S.K.: A combined approach to ensure data security in cloud computing. J. Netw. Comput. Appli. 35(6), 1831–1838 (2012). doi: 10.1016/j.jnca.2012.07.007 CrossRefGoogle Scholar
  258. 258.
    Spoon Website: Browser Sandbox. http://spoon.net/browsers (2013). Accessed Apr. 2013
  259. 259.
    Stamos, A., Becherer, A., Wilcox, N.: Cloud Computing Security: Raining on the Trendy New Parade. https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html (2009)
  260. 260.
    Staten, J.: 2013 Cloud Predictions: We’ll Finally Get Real About Cloud. Forrester Blog (2012)Google Scholar
  261. 261.
    Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appli. 34(1), 1–11 (2011). doi: 10.1016/j.jnca.2010.07.006 CrossRefGoogle Scholar
  262. 262.
    Sun, D., Chang, G., Sun, L., Wang, X.: Surveying and analyzing security, privacy and trust issues in cloud computing environments. Procedia Eng. 15, 2852–2856 (2011). doi: 10.1016/j.proeng.2011.08.537 CrossRefGoogle Scholar
  263. 263.
    Sun, K., Li, Y., Hogstrom, M., Chen, Y.: Sizing multi-space in heap for application isolation. In: Companion to the 21st ACM SIGPLAN Symposium on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), pp. 647–648. ACM, Portland, OR, USA (2006). doi: 10.1145/1176617.1176654
  264. 264.
    Sun, M.K., Lin, M.J., Chang, M., Laih, C.S., Lin, H.T.: Malware virtualization-resistant behavior detection. In: IEEE 17th International Conference on Parallel and Distributed Systems (ICPADS), pp. 912–917. Tainan, Taiwan (2011). doi: 10.1109/ICPADS.2011.78
  265. 265.
    Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory deduplication as a threat to the guest OS. In: Proceedings of the 4th European Workshop on System Security, pp. 1:1–1:6. ACM, Salzburg, Austria (2011). doi: 10.1145/1972551.1972552
  266. 266.
    Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Software side channel attack on memory deduplication. In: 23rd ACM Symposium on Operating Systems Principles. ACM, Cascais, Portugal (2011). PosterGoogle Scholar
  267. 267.
    Symantec: Internet Security Threat Report 2013. https://www.symantec.com/security_response/publications/threatreport.jsp (2013). Accessed Apr. 2013
  268. 268.
    Symantec Security Response: Internet Explorer Zero-Day Used in Watering Hole Attack: Q &A. Symantec Blog (2012)Google Scholar
  269. 269.
    Szefer, J., Keller, E., Lee, R.B., Rexford, J.: Eliminating the hypervisor attack surface for a more secure cloud. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), pp. 401–412. ACM, Chicago, IL, USA (2011). doi: 10.1145/2046707.2046754
  270. 270.
    Takabi, H., Joshi, J., Ahn, G.: Security and privacy challenges in cloud computing environments. IEEE Secur. Priv. 8(6), 24–31 (2010)CrossRefGoogle Scholar
  271. 271.
    Tang, M., Lv, Q., Lu, Z., Zhao, Q., Song, Y.: Dynamic virtual switch protocol using Openflow. In: 13th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel Distributed Computing (SNPD), pp. 603–608. Kyoto, Japan (2012). doi: 10.1109/SNPD.2012.129
  272. 272.
    Tanvi: Mixed Content Blocking Enabled in Firefox 23! Firefox Blog (2013)Google Scholar
  273. 273.
    Taylor, G., Cox, G.: Digital randomness. IEEE Spectr. 48(9), 32–58 (2011). doi: 10.1109/MSPEC.2011.5995897 CrossRefGoogle Scholar
  274. 274.
    Taylor, M., Haggerty, J., Gresty, D., Lamb, D.: Forensic investigation of cloud computing systems. Netw. Secur. 2011(3), 4–10 (2011). doi: 10.1016/S1353-4858(11)70024-1 CrossRefGoogle Scholar
  275. 275.
    The Linux Foundation: Xen Website. http://http://www.xenproject.org/ (2013). Accessed Jun. 2013
  276. 276.
    Thompson, H.: The human element of information security. IEEE Secur. Priv. 11(1), 32–35 (2013). doi: 10.1109/MSP.2012.161 Google Scholar
  277. 277.
    Thorsheim, P.: The Final Word on the LinkedIn Leak. http://securitynirvana.blogspot.pt/2012/06/final-word-on-linkedin-leak.html (2012). Accessed May 2013
  278. 278.
    Toubiana, V., Nissenbaum, H.: Analysis of Google logs retention policies. J. Priv. Confid. 3(1), 3–26 (2011)Google Scholar
  279. 279.
    Townsend, M.: Managing a security program in a cloud computing environment. In: Information Security Curriculum Development Conference, pp. 128–133. ACM, New York, NY, USA (2009). doi: 10.1145/1940976.1941001
  280. 280.
    Trader, T.: GPU Monster Shreds Password Hashes. HPCwire (2012)Google Scholar
  281. 281.
    Tripathi, A., Mishra, A.: Cloud computing security considerations. In: IEEE International Conference on Signal Processing, Communications and Computing, pp. 1–5. IEEE (2011). doi: 10.1109/ICSPCC.2011.6061557
  282. 282.
    Tsai, H.Y., Siebenhaar, M., Miede, A., Huang, Y., Steinmetz, R.: Threat as a service?: virtualization’s impact on cloud security. IT Prof. 14(1), 32–37 (2012). doi: 10.1109/MITP.2011.117 CrossRefGoogle Scholar
  283. 283.
    Tseng, H.M., Lee, H.L., Hu, J.W., Liu, T.L., Chang, J.G., Huang, W.C.: Network virtualization with cloud virtual switch. In: IEEE 17th International Conference on Parallel and Distributed Systems (ICPADS), pp. 998–1003. Tainan, Taiwan (2011). doi: 10.1109/ICPADS.2011.159
  284. 284.
    Vaquero, L.M., Rodero-Merino, L., Morán, D.: Locking the sky: a survey on IaaS cloud security. Computing 91(1), 93–118 (2011). doi: 10.1007/s00607-010-0140-x CrossRefzbMATHGoogle Scholar
  285. 285.
    Viega, J.: Cloud computing and the common man. Computer 42(8), 106–108 (2009). doi: 10.1109/MC.2009.252 CrossRefGoogle Scholar
  286. 286.
    VMware: VMware vSphere. https://www.vmware.com/support/product-support/vsphere/ (2013). Accessed Apr. 2013
  287. 287.
    VMware: VMware Website. https://www.vmware.com/products/ (2013). Accessed Jun. 2013
  288. 288.
  289. 289.
    VMware Community Forums: Low/proc/sys/kernel/random/entr opy_avail causes exim to stop sending mail. http://communities.vmware.com/message/530909 (2006). Accessed May 2013
  290. 290.
    Vu, Q.H., Pham, T.V., Truong, H.L., Dustdar, S., Asal, R.: DEMODS: a description model for data-as-a-service. In: IEEE 26th International Conference on Advanced Information Networking and Applications (AINA), pp. 605–612. Fukuoka, Japan (2012). doi: 10.1109/AINA.2012.91
  291. 291.
    Wang, C., Ren, K., Lou, W., Li, J.: Toward publicly auditable secure cloud data storage services. IEEE Netw. 24(4), 19–24 (2010). doi: 10.1109/MNET.2010.5510914 CrossRefGoogle Scholar
  292. 292.
    Wang, C., Wang, Q., Ren, K., Lou, W.: Ensuring data storage security in cloud computing. In: 17th International Workshop on Quality of Service, pp. 1–9. IEEE (2009). doi: 10.1109/IWQoS.2009.5201385
  293. 293.
    Wang, G., Ng, T.: The impact of virtualization on network performance of Amazon EC2 data center. In: Proceedings of the IEEE INFOCOM, pp. 1–9. Sand Diego, CA, USA (2010). doi: 10.1109/INFCOM.2010.5461931
  294. 294.
    Ward, M.: Facebook Users Suffer Viral Surge. BBC News (2009)Google Scholar
  295. 295.
    Websense: 2013 Threat Report. https://www.websense.com/content/websense-2013-threat-report.aspx (2013). Accessed Apr. 2013
  296. 296.
    Wei, J., Zhang, X., Ammons, G., Bala, V., Ning, P.: Managing security of virtual machine images in a cloud environment. In: Proceedings of the ACM Workshop on Cloud Computing Security, pp. 91–96. ACM, New York, NY, USA (2009). doi: 10.1145/1655008.1655021
  297. 297.
    Wu, H., Ding, Y., Winer, C., Yao, L.: Network security for virtual machine in cloud computing. In: 5th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), pp. 18–21. Seoul, South Korea (2010). doi: 10.1109/ICCIT.2010.5711022
  298. 298.
    Wu, H., Ding, Y., Winer, C., Yao, L.: Network security for virtual machine in cloud computing. In: 5th International Conference on Computer Sciences and Convergence Information Technology, pp. 18–21. IEEE (2010). doi: 10.1109/ICCIT.2010.5711022
  299. 299.
    Wueest, C.: Mobile Scam: Winning Without Playing. Symantec Blog (2013)Google Scholar
  300. 300.
    Xiao, Z., Xiao, Y.: Security and privacy in cloud computing. IEEE Commun. Surv. Tuts. 15(2), 843–859 (2013). doi: 10.1109/SURV.2012.060912.00182 Google Scholar
  301. 301.
    Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 29–40. ACM, New York, NY, USA (2011). doi: 10.1145/2046660.2046670
  302. 302.
    Yang, J., Chen, Z.: Cloud computing research and security issues. In: International Conference on Computational Intelligence and Software Engineering, pp. 1–3. IEEE (2010). doi: 10.1109/CISE.2010.5677076
  303. 303.
    Yasinsac, A., Irvine, C.: Help! Is There a Trustworthy-Systems Doctor in the House? IEEE Secur. Priv. 11(1), 73–77 (2013). doi: 10.1109/MSP.2013.10 Google Scholar
  304. 304.
    Yilek, S.: Resettable public-key encryption: how to encrypt on a virtual machine. In: Proceedings of the International Conference on Topics in Cryptology, CT-RSA’10, pp. 41–56. Springer-Verlag, San Francisco, CA, USA (2010). doi: 10.1007/978-3-642-11925-5_4
  305. 305.
    Yu, A., Sathanur, A., Jandhyala, V.: A partial homomorphic encryption scheme for secure design automation on public clouds. In: IEEE 21st Conference on Electrical Performance of Electronic Packaging and Systems (EPEPS), pp. 177–180. Tempe, AZ, USA (2012). doi: 10.1109/EPEPS.2012.6457871
  306. 306.
    Yu, H., Powell, N., Stembridge, D., Yuan, X.: Cloud computing and security challenges. In: Proceedings of the 50th Annual Southeast Regional Conference, pp. 298–302. ACM, New York, NY, USA (2012). doi: 10.1145/2184512.2184581
  307. 307.
    Zabidi, M., Maarof, M., Zainal, A.: Malware analysis with multiple features. In: UKSim 14th International Conference on Computer Modelling and Simulation, pp. 231–235. Cambridge, London (2012). doi: 10.1109/UKSim.2012.40
  308. 308.
    Zhang, F., Huang, Y., Wang, H., Chen, H., Zang, B.: PALM: security preserving VM live migration for systems with VMM-enforced protection. In: 3rd Asia-Pacific Trusted Infrastructure Technologies Conference, pp. 9–18. IEEE Computer Society, Washington, DC, USA (2008). doi: 10.1109/APTC.2008.15
  309. 309.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), pp. 305–316. ACM, Raleigh, NC, USA (2012). doi: 10.1145/2382196.2382230
  310. 310.
    Zhou, M., Zhang, R., Xie, W., Qian, W., Zhou, A.: Security and privacy in cloud computing: a survey. In: 6th International Conference on Semantics Knowledge and Grid, pp. 105–112. IEEE Computer Society, Washington, DC, USA (2010)Google Scholar
  311. 311.
    Zieg, M.: Separating fact from fiction in cloud computing. Data Center J. (2012)Google Scholar
  312. 312.
    Zissis, D., Lekkas, D.: Addressing cloud computing security issues. Future Gener. Comput. Syst. 28(3), 583–592 (2010). doi: 10.1016/j.future.2010.12.006 CrossRefGoogle Scholar
  313. 313.
    Zou, B., Zhang, H.: Toward enhancing trust in cloud computing environment. In: 2nd International Conference on Control, Instrumentation and Automation, pp. 364–366 (2011). doi: 10.1109/ICCIAutom.2011.6183990

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Diogo A. B. Fernandes (1), Email author
  • Liliana F. B. Soares (1)
  • João V. Gomes (1)
  • Mário M. Freire (1)
  • Pedro R. M. Inácio (1)
  1. Department of Computer Science, Instituto de Telecomunicações, University of Beira Interior, Covilhã, Portugal
