Cloud Security Auditing: Major Approaches and Existing Challenges

  • Suryadipta Majumdar
  • Taous Madi
  • Yosr Jarraya
  • Makan Pourzandi
  • Lingyu Wang
  • Mourad Debbabi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11358)


Cloud computing is emerging as a promising IT solution for enabling ubiquitous, convenient, and on-demand access to a shared pool of configurable computing resources. However, the widespread adoption of the cloud is still being hindered by security and privacy concerns. Various cloud security and privacy issues have been addressed in the literature. However, the mere existence of such security mechanisms is usually insufficient to fully relieve cloud tenants of their security and privacy concerns. To increase tenants’ trust in the cloud, it is of paramount importance to provide adequate auditing mechanisms and tools to verify the security postures of their applications. However, there are currently many challenges in the area of cloud auditing and compliance validation. There exists a significant gap between the high-level recommendations provided in most cloud-specific standards and the low-level logging information currently available in existing cloud infrastructures. Furthermore, the unique characteristics of cloud computing may introduce additional complexity to the task, for example, the use of heterogeneous solutions for deploying cloud systems, which may complicate data collection and processing, and the sheer scale of the cloud together with its self-provisioning, elastic, and dynamic nature. In this paper, we conduct a survey of the existing cloud security auditing approaches. Additionally, we propose a taxonomy identifying the classifications based on auditing objectives and auditing techniques. We further devise a systematic process flow for cloud security auditing. Also, we conduct a comparative study of existing works to identify their strengths and weaknesses. Finally, we report existing challenges in cloud security auditing.


Keywords: Security auditing, Cloud security, Auditing challenges, Survey



The authors thank the anonymous reviewers for their valuable comments. This work is partially supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under CRD Grant N01823 and by PROMPT Quebec.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Suryadipta Majumdar (1)
  • Taous Madi (2)
  • Yosr Jarraya (3)
  • Makan Pourzandi (3)
  • Lingyu Wang (2)
  • Mourad Debbabi (2)

  1. Information Security and Digital Forensics, University at Albany, Albany, USA
  2. CIISE, Concordia University, Montreal, Canada
  3. Ericsson Security Research, Ericsson Canada, Montreal, Canada
