Abstract
The rapid growth of cloud applications and services reflects a positive shift in how business decision makers view cloud adoption. However, ever-evolving security and privacy issues continue to lead decision makers to delay adopting the cloud. In this integrative exposition, previous publications are enriched and extended to holistically analyze the threats to cloud computing and to conceptualize a three-dimensional model of cloud security assurance. The three dimensions, namely Security Solution, Security Operation, and Security Compliance, are interwoven to address the top threats to cloud computing identified and reported by the Cloud Security Alliance (CSA) research group in its latest and previous reports. The model will help practitioners design and implement a security assurance system for a cloud ecosystem, strengthening trust in the cloud and accelerating its adoption so that cloud applications and services can be delivered with agility and velocity in a cost-effective way.
References
Alhamazani K, Ranjan R, Mitra K, Rabhi F, Jayaraman PP, Khan SU, Guabtni A, Bhatnagar V (2015) An overview of the commercial cloud monitoring tools: research dimensions, design issues, and state-of-the-art. Computing 97(4):357–377. https://doi.org/10.1007/s00607-014-0398-5
Ali M, Khan SU, Vasilakos AV (2015) Security in cloud computing: opportunities and challenges. Inf Sci 305:357–383. https://doi.org/10.1016/j.ins.2015.01.025
Ardagna CA, Asal R, Damiani E, Vu QH (2015) From security to assurance in the cloud: a survey. ACM Comput Surv 48(1):1–50. https://doi.org/10.1145/2767005
CISA (2018) Cloud security guidance v0.2. Homeland Security, USA
Coppolino L, D’Antonio S, Mazzeo G, Romano L (2017) Cloud security: emerging threats and current solutions. Comput Electr Eng 59:126–140. https://doi.org/10.1016/j.compeleceng.2016.03.004
CSA (2010) Top threats to cloud computing. Tech. rep. V1.0, Cloud Security Alliance
CSA (2013) The notorious nine: cloud computing top threats in 2013. Tech. rep., Cloud Security Alliance
CSA (2016) The treacherous 12: cloud computing top threats in 2016. Tech. rep., Cloud Security Alliance
CSA (2019) Top threats to cloud computing: the egregious eleven. Tech. rep., Cloud Security Alliance
CSA (2020) Security Trust Assurance and Risk (STAR). https://cloudsecurityalliance.org/star/
Dobran B (2018) 23 cloud monitoring tools: the definitive guide for 2020. https://phoenixnap.com/blog/cloud-monitoring-tools
Fernandes DAB, Soares LFB, Gomes JV, Freire MM, Inácio PRM (2014) Security issues in cloud environments: a survey. Int J Inf Secur 13(2):113–170. https://doi.org/10.1007/s10207-013-0208-7
FISMA: Federal Information Security Modernization Act (2020). https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Gartner (2019) Gartner forecasts worldwide public cloud revenue to grow 17 percent in 2020. https://www.gartner.com/en/newsroom/press-releases/2019-11-13-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-17-percent-in-2020
GDPR (2018) EU data protection rules. https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en
Grobauer B, Walloschek T, Stocker E (2011) Understanding cloud computing vulnerabilities. IEEE Secur Privacy 9(2):50–57. https://doi.org/10.1109/MSP.2010.115
Hashizume K, Rosado DG, Fernández-Medina E, Fernandez EB (2013) An analysis of security issues for cloud computing. J Internet Serv Appl 4(1):1–13. https://doi.org/10.1186/1869-0238-4-5
HIPAA: Health Information Privacy (1996). https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Hong JB, Nhlabatsi A, Kim DS, Hussein A, Fetais N, Khan KM (2019) Systematic identification of threats in the cloud: a survey. Comput Netw 150:46–69. https://doi.org/10.1016/j.comnet.2018.12.009
ISO: ISO/IEC 27001:2013—information security management systems requirements (2013). https://www.iso.org/standard/54534.html
ISO: ISO/IEC 27002:2013—code of practice for information security controls (2013). https://www.iso.org/standard/54533.html
ISO: ISO/IEC 27018:2014—code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (2014). https://www.iso.org/standard/61498.html
ISO: ISO/IEC 27017:2015—code of practice for information security controls based on ISO/IEC 27002 for cloud services (2015). https://www.iso.org/standard/43757.html
Jansen W, Grance T (2011) Guidelines on security and privacy in public cloud computing (SP 800-144). National Institute of Standards & Technology, Gaithersburg, MD, USA. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
Khan S, Gani A, Wahab AWA, Bagiwa MA, Shiraz M, Khan SU, Buyya R, Zomaya AY (2016) Cloud log forensics: foundations, state of the art, and future directions. ACM Comput Surv 49(1):1–42. https://doi.org/10.1145/2906149
Krishnan S (2017) A hybrid approach to threat modelling. https://blogs.sans.org/appsecstreetfighter/files/2017/03/A-Hybrid-Approach-to-Threat-Modelling.pdf
Kumar R, Goyal R (2019) Assurance of data security and privacy in the cloud: a three-dimensional perspective. Softw Qual Prof 21
Kumar R, Goyal R (2019) On cloud security requirements, threats, vulnerabilities and countermeasures: a survey. Comput Sci Rev 33:1–48. https://doi.org/10.1016/j.cosrev.2019.05.002
Liu F, Tong J, Mao J, Bohn R, Messina J, Badger L, Leaf D (2011) NIST cloud computing reference architecture (SP 500-292). National Institute of Standards & Technology, Gaithersburg, USA. http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=909505
Mell PM, Grance T (2011) The NIST definition of cloud computing (SP 800-145). Tech. rep., National Institute of Standards & Technology, Gaithersburg, USA. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Mogull R, Arlen J, Gilbert F, Lane A, Mortman D, Peterson G, Rothman M (2017) Security guidance for critical areas of focus in cloud computing v4.0. CSA
NCSC (2018) Cloud security guidance v1.0. https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles
NIST (2013) Security and privacy controls for federal information systems and organizations (SP 800-53 Rev. 4). National Institute of Standards & Technology, Gaithersburg, USA. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
PCI-DSS (2018) Requirements and security assessment procedures. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
Rahman NHA, Glisson WB, Yang Y, Choo KKR (2016) Forensic-by-design framework for cyber-physical cloud systems. IEEE Cloud Comput 3(1):50–59. https://doi.org/10.1109/MCC.2016.5
Scandariato R, Wuyts K, Joosen W (2015) A descriptive study of Microsoft’s threat modeling technique. Requir Eng 20(2):163–180. https://doi.org/10.1007/s00766-013-0195-2
Sgandurra D, Lupu E (2016) Evolution of attacks, threat models, and solutions for virtualized systems. ACM Comput Surv 48(3). https://doi.org/10.1145/2856126
Sookhak M, Gani A, Talebian H, Akhunzada A, Khan SU, Buyya R, Zomaya AY (2015) Remote data auditing in cloud computing environments: a survey, taxonomy, and open issues. ACM Comput Surv 47(4):1–34. https://doi.org/10.1145/2764465
Stackify (2017) Best log management tools: 51 useful tools for log management, monitoring, analytics, and more. https://stackify.com/best-log-management-tools/
Subramanian N, Jeyaraj A (2018) Recent security challenges in cloud computing. Comput Electr Eng 71:28–42. https://doi.org/10.1016/j.compeleceng.2018.06.006
Tabrizchi H, Kuchaki Rafsanjani M (2020) A survey on security challenges in cloud computing: issues, threats, and solutions. J Supercomput. https://doi.org/10.1007/s11227-020-03213-1
Zhang Q, Cheng L, Boutaba R (2010) Cloud computing: state-of-the-art and research challenges. J Internet Serv Appl 1(1):7–18. https://doi.org/10.1007/s13174-010-0007-6
Zissis D, Lekkas D (2012) Addressing cloud computing security issues. Future Gen Comput Syst 28(3):583–592. https://doi.org/10.1016/j.future.2010.12.006
© 2021 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Kumar, R., Goyal, R. (2021). Top Threats to Cloud: A Three-Dimensional Model of Cloud Security Assurance. In: Smys, S., Palanisamy, R., Rocha, Á., Beligiannis, G.N. (eds) Computer Networks and Inventive Communication Technologies. Lecture Notes on Data Engineering and Communications Technologies, vol 58. Springer, Singapore. https://doi.org/10.1007/978-981-15-9647-6_53
DOI: https://doi.org/10.1007/978-981-15-9647-6_53
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-9646-9
Online ISBN: 978-981-15-9647-6
eBook Packages: Engineering (R0)