Skip to main content

Advertisement

SpringerLink
Log in

Security issues in cloud environments: a survey

  • SPECIAL ISSUE PAPER
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

In the last few years, the appealing features of cloud computing have been fueling the integration of cloud environments in the industry, which has been consequently motivating the research on related technologies by both the industry and the academia. The possibility of paying-as-you-go mixed with an on-demand elastic operation is changing the enterprise computing model, shifting on-premises infrastructures to off-premises data centers, accessed over the Internet and managed by cloud hosting providers. Regardless of its advantages, the transition to this computing paradigm raises security concerns, which are the subject of several studies. Besides of the issues derived from Web technologies and the Internet, clouds introduce new issues that should be cleared out first in order to further allow the number of cloud deployments to increase. This paper surveys the works on cloud security issues, making a comprehensive review of the literature on the subject. It addresses several key topics, namely vulnerabilities, threats, and attacks, proposing a taxonomy for their classification. It also contains a thorough review of the main concepts concerning the security state of cloud environments and discusses several open research topics.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

Similar content being viewed by others

Notes

  1. General studies comprise studies not related with cloud security, such as mobile, scientific and green cloud computing, eGovernment, and optimization on cloud networks.

  2. OpenFlow is an innovative routing technology that separates the data plane from the forwarding plane and is an enabler toward Software-Defined Networking (SDN).

  3. Anti-* stands for anti-spam, anti-virus, anti-spyware and anti-phishing.

References

  1. 57un Blog: A BIG Password Cracking Wordlist. https://57un.wordpress.com/2013/03/09/a-big-password-cracking-wordlist/. Accessed May 2013 (2013)

  2. Aguiar, E., Zhang, Y., Blanton, M.: An Overview of Issues and Recent Developments in Cloud Computing and Storage Security, pp. 1–31. Springer, Berlin (2013)

    Google Scholar 

  3. Ahuja, S.P., Komathukattil, D.: A survey of the state of cloud security. Netw. Commun. Technol. 1(2), 66–75 (2012). doi:10.5539/nct.v1n2p66

    Google Scholar 

  4. Aihkisalo, T., Paaso, T.: Latencies of service invocation and processing of the REST and SOAP web service interfaces. In: IEEE 8th World Congress on Services (SERVICES), pp. 100–107. Honolulu, HI, USA (2012). doi:10.1109/SERVICES.2012.55

  5. Al-Aqrabi, H., Liu, L., Xu, J., Hill, R., Antonopoulos, N., Zhan, Y.: Investigation of IT security and compliance challenges in security-as-a-service for cloud computing. In: 15th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops (ISORCW), pp. 124–129. Shenzhen, Guangdong, China (2012). doi:10.1109/ISORCW.2012.31

  6. Alert Logic: State of Cloud Security Report: Targeted Attacks and Opportunistic Hacks. http://www.alertlogic.com/resources/security-intelligence-newsletter/download-cloud-security-report-spring2013/ (2013). Accessed Apr. 2013

  7. AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., Schuldt, J.: On the Security of RC4 in TLS. http://www.isg.rhul.ac.uk/tls/index.html (2013). Accessed Apr. 2013

  8. AlienVault: OSSIM Website. https://aws.amazon.com/marketplace/pp/B00BIUQRGC/ (2013). Accessed May 2013

  9. Amazon: Amazon Web Services: Overview of Security Processes. http://s3.amazonaws.com/aws_blog/AWS_Security_Whitepaper_2008_09.pdf (2011). White Paper. Accessed Sept. 2012

  10. Amazon: Amazon Elastic Compute Cloud (Amazon EC2). https://aws.amazon.com/ec2/ (2012). Accessed Apr. 2013

  11. Amazon: Amazon Virtual Private Cloud (Amazon VPC). http://aws.amazon.com/vpc/ (2012). Accessed Sept. 2012

  12. Amazon Web Services Discussion Forums: Low Entropy on EC2 Instances— Problem for Anything Related to Security. https://forums.aws.amazon.com/thread.jspa?messageID=249079 (2011). Accessed Apr. 2013

  13. Amoroso, E.: From the enterprise perimeter to a mobility-enabled secure cloud. IEEE Secur. Priv. 11(1), 23–31 (2013). doi:10.1109/MSP.2013.8

    Google Scholar 

  14. Anstee, D.: Q1 Key Findings from ATLAS. http://www.arbornetworks.com/corporate/blog/4855-q1-key-findings-from-atlas (2013). Accessed Apr. 2013

  15. Apache: CloudStack Website. https://cloudstack.apache.org/ (2013). Accessed May 2013

  16. Apprenda: Apprenda Website. http://apprenda.com (2013). Accessed Apr. 2013

  17. Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M.: A view of cloud computing. Commun. ACM 53(4), 50–58 (2010). doi:10.1145/1721654.1721672

    Article  Google Scholar 

  18. Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R.H., Konwinski, A., Lee, G., Patterson, D.A., Rabkin, A., Zaharia, M.: Above the Clouds: A Berkeley View of Cloud Computing. Technical Report UCB/EECS-2009-28. Electrical Engineering and Computer Sciences University of California (2009)

  19. Ateniese, G., Di Pietro, R., Mancini, L.V., Tsudik, G.: Scalable and efficient provable data possession. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, pp. 9:1–9:10. ACM, New York, NY, USA (2008)

  20. Aviram, A., Hu, S., Ford, B., Gummadi, R.: Determinating timing channels in compute clouds. In: Proceedings of the ACM Workshop on Cloud computing, Security, pp. 103–108 (2010). doi:10.1145/1866835.1866854

  21. Azmandian, F., Moffie, M., Alshawabkeh, M., Dy, J., Aslam, J., Kaeli, D.: Virtual machine monitor-based lightweight intrusion detection. SIGOPS Oper. Syst. Rev. 45(2), 38–53 (2011). doi:10.1145/2007183.2007189

    Article  Google Scholar 

  22. Back, G., Hsieh, W.C.: The KaffeOS Java runtime system. ACM Trans. Program. Lang. Syst. 27(4), 583–630 (2005). doi:10.1145/1075382.1075383

    Article  Google Scholar 

  23. Backstrom, L., Dwork, C., Kleinberg, J.: Wherefore art thou R3579X?: anonymized social networks, hidden patterns, and structural steganography. In: Proceedings of the 16th International Conference on World Wide Web, pp. 181–190. ACM, New York, NY, USA (2007). doi:10.1145/1242572.1242598

  24. Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., Xu, D.: DKSM: subverting virtual machine introspection for fun and profit. In: 29th IEEE Symposium on Reliable Distributed Systems, pp. 82–91. IEEE Computer Society, Washington, DC, USA (2010). doi:10.1109/SRDS.2010.39

  25. Banerjee, P., Friedrich, R., Bash, C., Goldsack, P., Huberman, B., Manley, J., Patel, C., Ranganathan, P., Veitch, A.: Everything as a service: powering the new information economy. Computer 44(3), 36–43 (2011). doi:10.1109/MC.2011.67

    Article  Google Scholar 

  26. Basak, D., Toshniwal, R., Maskalik, S., Sequeira, A.: Virtualizing networking and security in the cloud. SIGOPS Oper. Syst. Rev. 44(4), 86–94 (2010). doi:10.1145/1899928.1899939

    Article  Google Scholar 

  27. Begum, S., Khan, M.: Potential of cloud computing architecture. In: International Conference on Information and Communication Technologies, pp. 1–5. IEEE (2011). doi:10.1109/ICICT.2011.5983572

  28. Behl, A.: Emerging security challenges in cloud computing: an insight to cloud security challenges and their mitigation. In: World Congress on Information and Communication Technologies, pp. 217–222. IEEE (2011). doi:10.1109/WICT.2011.6141247

  29. Behl, A., Behl, K.: Security paradigms for cloud computing. In: 4th International Conference on Computational Intelligence, Communication Systems and Networks, pp. 200–205. IEEE (2012). doi:10.1109/CICSyN.2012.45

  30. Belqasmi, F., Singh, J., Glitho, R.: SOAP-based vs. RESTful web services: a case study for multimedia. IEEE Internet Comput. 16(4), 54–63 (2012). doi:10.1109/MIC.2012.62

    Article  Google Scholar 

  31. Bentounsi, M., Benbernou, S., Atallah, M.: Privacy-preserving business process outsourcing. In: IEEE 19th International Conference on Web Services, pp. 662–663. IEEE (2012). doi:10.1109/ICWS.2012.34

  32. Bernstein, D., Vij, D.: Intercloud security considerations. In: IEEE 2nd International Conference on Cloud Computing Technology and Science, pp. 537–544. IEEE Computer Society, Washington, DC, USA (2010)

  33. Bin Mat Nor, F., Jalil, K., Manan, J.L.: An enhanced remote authentication scheme to mitigate man-in-the-browser attacks. In: International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), pp. 271–276. Kuala Lumpur, Malaysia (2012). doi:10.1109/CyberSec.2012.6246086

  34. Boampong, P.A., Wahsheh, L.A.: Different facets of security in the cloud. In: Proceedings of the 15th Communications and Networking Simulation Symposium, pp. 5:1–5:7. Society for Computer Simulation International, San Diego, CA, USA (2012)

  35. Bowers, K.D., Juels, A., Oprea, A.: HAIL: a high-availability and integrity layer for cloud storage. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 187–198. ACM, New York, NY, USA (2009). doi:10.1145/1653662.1653686

  36. Box: Box Website. https://www.box.com/ (2013). Accessed Apr. 2013

  37. Bradbury, D.: Shadows in the cloud: Chinese involvement in advanced persistent threats. Netw. Secur. 2010(5), 16–19 (2010). doi:10.1016/S1353-4858(10)70058-1

    Article  Google Scholar 

  38. Brito, H.: Pentagon Creating “Rules of Engagement” for Responding to Advanced Attackers. Mandiant M-Unition (2013)

  39. Bugiel, S., Nürnberger, S., Pöppelmann, T., Sadeghi, A.R., Schneider, T.: AmazonIA: when elasticity snaps back. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 389–400. ACM, New York, NY, USA (2011). doi:10.1145/2046707.2046753

  40. Carriço, P.: Low entropy on VMs\(\ldots \) http://blog.pedrocarrico.net/post/17026199379/low-entropy-on-vms (2012). Accessed May 2013

  41. Carroll, M., Kotzé, P., Van der Merwe, A. (2011). Secure virtualization—benefits, risks and controls. In: Leymann, F., Ivanov, I., van Sinderen, M., Shishkov, B. (eds.) CLOSER, pp. 15–23. SciTePress

  42. Casale, A.: The Dangers of Recycling in the Cloud. TheMakegood (2013)

  43. Chen, C.C., Yuan, L., Greenberg, A., Chuah, C.N., Mohapatra, P.: Routing-as-a-Service (RaaS): a framework for tenant-directed route control in data center. In: Proceedings of the 30th IEEE International Conference on Computer Communications (INFOCOM), pp. 1386–1394 (2011) doi:10.1109/INFCOM.2011.5934924

  44. Chen, D., Zhao, H.: Data security and privacy protection issues in cloud computing. In: International Conference on Computer Science and Electronics Engineering, vol. 1, pp. 647–651. IEEE (2012). doi:10.1109/ICCSEE.2012.193

  45. Chen, T.H., lien Yeh, H., Shih, W.K.: An advanced ECC dynamic ID-based remote mutual authentication scheme for cloud computing. In: 5th FTRA International Conference on Multimedia and Ubiquitous Engineering (MUE), pp. 155–159. Crete, Greece (2011). doi:10.1109/MUE.2011.69

  46. Chen, X., Andersen, J., Mao, Z., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: IEEE International Conference on Dependable Systems and Networks (DNS) With FCTS and DCC, pp. 177–186. Anchorage, AK, USA (2008). doi:10.1109/DSN.2008.4630086

  47. Chen, Y., Paxson, V., Katz, R.H.: What’s New About Cloud Computing Security? Technical Report UCB/EECS-2010-5. EECS Department, University of California, Berkeley (2010). http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html

  48. Chonka, A., Xiang, Y., Zhou, W., Bonti, A.: Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks. J. Netw. Comput. Appli. 34(4), 1097–1107 (2011). doi:10.1016/j.jnca.2010.06.004

    Article  Google Scholar 

  49. Choudhary, V.: Software as a service: implications for investment in software development. In: 40th Annual Hawaii International Conference on System Sciences, p. 209a. IEEE Computer Society, Washington, DC, USA (2007). doi:10.1109/HICSS.2007.493

  50. Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., Molina, J.: Controlling data in the cloud: outsourcing computation without outsourcing control. In: Proceedings of the ACM Workshop on Cloud Computing Security, pp. 85–90. ACM, New York, NY, USA (2009). doi:10.1145/1655008.1655020

  51. Christodorescu, M., Sailer, R., Schales, D.L., Sgandurra, D., Zamboni, D.: Cloud security is not (just) virtualization security: a short paper. In: Proceedings of the ACM Workshop on Cloud Computing Security (CCSW), pp. 97–102. ACM, Chicago, IL, USA (2009). doi:10.1145/1655008.1655022

  52. Chung, H., Park, J., Lee, S., Kang, C.: Digital forensic investigation of cloud storage services. Digit. Investig. (2012). doi:10.1016/j.diin.2012.05.015. Available online on 23 Jun. 2012

  53. Cisco: Cisco Data Center Infrastructure 2.5 Design Guide. http://www.cisco.com/univercd/cc/td/doc/solution/dcidg21.pdf (2007). Accessed Oct. 2012

  54. Cisco: Data Center Power and Cooling. http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns944/white_paper_c11-680202.pdf (2011). White Paper. Accessed Sept. 2012

  55. Cisco: Cisco Global Cloud Index: Forecast and Methodology, 2011–2016. http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns1175/Cloud_Index_White_Paper.pdf (2012). White Paper. Accessed Apr. 2013

  56. Cisco: 2013 Cisco Annual Security Report. http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html (2013). Accessed Apr. 2013

  57. Cisco: Cisco Cloud Services Router 1000V Series. http://www.cisco.com/en/US/products/ps12559/index.html (2013). Accessed Jul. 2013

  58. Citrix: Citrix Website. https://www.citrix.com/products.html?ntref=hp_nav_us (2013). Accessed Jun. 2013

  59. CloudBees: CloudBees Website. http://www.cloudbees.com/ (2013). Accessed Apr. 2013

  60. Corbató, F.J., Vyssotsky, V.A.: Introduction and overview of the Multics system. In: Proceedings of the Fall Joint Computer Conference, pp. 185–196. ACM, New York, NY, USA (1965)

  61. Coronado, C.: Blackhole Exploit Kit Leverages Margaret Thatcher’s Death. Trend Micro (2013)

  62. CSA: Top Threats to Cloud Computing. https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf (2010). Accessed Sept. 2012

  63. CSA: Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (2011). Accessed Sept. 2012

  64. CSA: The Notorious Nine Cloud Computing Top Threats in 2013. https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf (2013). Accessed Jul. 2013

  65. Cuckoo Website: Cuckoo. http://www.cuckoosandbox.org/ (2013). Accessed Apr. 2013

  66. Curran, K., Dougan, T.: Man in the browser attacks. Int. J. Ambient Comput. Intell. 4(1), 29–39 (2012). doi:10.4018/jaci.2012010103

    Article  Google Scholar 

  67. Czajkowski, G., Daynàs, L.: Multitasking without compromise: a virtual machine evolution. ACM SIGPLAN Not. 47(4a), 60–73 (2012). doi:10.1145/2442776.2442785

    Article  Google Scholar 

  68. Dacosta, I., Chakradeo, S., Ahamad, M., Traynor, P.: One-time cookies: preventing session hijacking attacks with stateless authentication tokens. ACM Trans. Internet Technol. 12(1), 1:1–1:24 (2012). doi:10.1145/2220352.2220353

    Article  Google Scholar 

  69. Dahbur, K., Mohammad, B., Tarakji, A.B.: A survey of risks, threats and vulnerabilities in cloud computing. In: Proceedings of the International Conference on Intelligent Semantic Web-Services and Applications, pp. 12:1–12:6. ACM, New York, NY, USA (2011)

  70. Darrow, B., Higginbothamm, S.: What We’ll See in 2013 in Cloud Computing. GigaOM (2012)

  71. de Borja, F.: Nebula One Seeks To Reinvent Cloud Computing. CloudTimes (2013)

  72. Dhage, S.N., Meshram, B.B., Rawat, R., Padawe, S., Paingaokar, M., Misra, A.: Intrusion detection system in cloud computing environment. In: Proceedings of the International Conference & Workshop on Emerging Trends in Technology, pp. 235–239. ACM, New York, NY, USA (2011). doi:10.1145/1980022.1980076

  73. Dinesha, H., Agrawal, V.: Multi-level authentication technique for accessing cloud services. In: International Conference on Computing, Communication and Applications, pp. 1–4. IEEE (2012). doi:10.1109/ICCCA.2012.6179130

  74. Ding, X., Zhang, L., Wan, Z., Gu, M.: De-anonymizing dynamic social networks. In: IEEE Global Telecommunications Conference, pp. 1–6. IEEE (2011). doi:10.1109/GLOCOM.2011.6133607

  75. Doel, K.: Scary Logins: Worst Passwords of 2012 and How to Fix Them. SplashData (2012)

  76. Dong, T.: Android. Dropdialer. https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909--0726-99 (2012). Accessed Apr. 2013

  77. Doroodchi, M., Iranmehr, A., Pouriyeh, S.: An investigation on integrating XML-based security into Web services. In: 5th IEEE GCC Conference Exhibition, pp. 1–5. IEEE (2009)

  78. Ducklin, P.: HElib. SOPHOS Nakedsecurity (2013)

  79. Duncan, A., Creese, S., Goldsmith, M.: Insider attacks in cloud computing. In: IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 857–862. IEEE Computer Society, Washington, DC, USA (2012). doi:10.1109/TrustCom.2012.188

  80. Dykstra, J., Sherman, A.T.: Acquiring forensic evidence from infrastructure-as-a-service cloud computing: exploring and evaluating tools, trust, and techniques. Digit. Investig. 9, Supplement(0), S90–S98 (2012). doi:10.1016/j.diin.2012.05.001

  81. Electronic Frontier Foundation: HTTPS Everywhere Website. https://www.eff.org/https-everywhere (2013). Accessed Apr. 2013

  82. ENISA: Cloud Computing: Benefits, Risks and Recommendations for Infomarion Security. http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment (2009). Accessed Sept. 2012

  83. Firdhous, M., Ghazali, O., Hassan, S.: A trust computing mechanism for cloud computing with multilevel thresholding. In: 6th IEEE International Conference on Industrial and Information Systems, pp. 457–461. IEEE (2011). doi:10.1109/ICIINFS.2011.6038113

  84. FireEye: FireEye Advanced Threat Report—2H 2012. http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2h2012.pdf (2013). Accessed Apr. 2013

  85. Foster, I., Zhao, Y., Raicu, I., Lu, S.: Cloud computing and grid computing 360-degree compared. In: Grid Computing Environments Workshop, pp. 1–10. IEEE (2008). doi:10.1109/GCE.2008.4738445

  86. Garfinkel, T., Rosenblum, M.: When virtual is harder than real: security challenges in virtual machine based computing environments. In: Proceedings of the 10th Conference on Hot Topics in Operating Systems, vol. 10, pp. 20–20. USENIX Association, Berkeley, CA, USA (2005)

  87. Gartner: Assessing the Security Risks of Cloud Computing. http://cloud.ctrls.in/files/assessing-the-security-risks.pdf (2008). White Paper. Accessed Sept. 2012

  88. Gens, F.: IT Cloud Services User Survey, pt.2: Top Benefits & Challenges. IDC (2008)

  89. Gens, F.: New IDC IT Cloud Services Survey: Top Benefits and Challenges. IDC (2009)

  90. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC), STOC ’09, pp. 169–178. ACM, Bethesda, MD, USA (2009). doi:10.1145/1536414.1536440

  91. Geoffray, N., Thomas, G., Muller, G., Parrend, P., Frenot, S., Folliot, B.: I-JVM: a Java virtual machine for component isolation in OSGi. In: IEEE/IFIP Int. Conf. on Dependable Systems Networks (DSN), pp. 544–553. Estoril, Lisbon, Portugal (2009). doi:10.1109/DSN.2009.5270296

  92. Gomathisankaran, M., Tyagi, A., Namuduri, K.: HORNS: a homomorphic encryption scheme for cloud computing using Residue number system. In: 45th Annual Conference on Information Sciences and Systems (CISS), pp. 1–5. Baltimore, MD, USA (2011). doi:10.1109/CISS.2011.5766176

  93. Gong, C., Liu, J., Zhang, Q., Chen, H., Gong, Z.: The characteristics of cloud computing. In: 39th International Conference on Parallel Processing Workshop, pp. 275–279. IEEE Computer Society, Washington, DC, USA (2010). doi:10.1109/ICPPW.2010.45

  94. Gonzalez, N., Miers, C., Redigolo, F., Carvalho, T., Simplicio, M., Naslund, M., Pourzandi, M.: A quantitative analysis of current security concerns and solutions for cloud computing. In: IEEE 3rd International Conference on Cloud Computing Technology and Science, pp. 231–238. IEEE Computer Society, Washington, DC, USA (2011).

  95. Goodin, D.: Why Passwords have Never been Weaker—and Crackers have Never been Stronger. Ars Technica (2012)

  96. Goodrich, R.: What Is Doxing? TechNewsDaily (2013)

  97. Google: Google App Engine. https://developers.google.com/appengine/ (2013). Accessed Apr. 2013

  98. Green, M.: The threat in the cloud. IEEE Secur. Priv. 11(1), 86–89 (2013). doi:10.1109/MSP.2013.20

    Google Scholar 

  99. Grispos, G., Glisson, W.B., Storer, T.: Using smartphones as a proxy for forensic evidence contained in cloud storage services. In: 46th Hawaii International Conference on System Sciences (HICSS), pp. 4910–4919. Maui, HI, USA (2013). doi:10.1109/HICSS.2013.592

  100. Grobauer, B., Walloschek, T., Stocker, E.: Understanding cloud computing vulnerabilities. IEEE Secur. Priv. 9(2), 50–57 (2011). doi:10.1109/MSP.2010.115

    Article  Google Scholar 

  101. Grosse, E., Upadhyay, M.: Authentication at scale. IEEE Secur. Priv. 11(1), 15–22 (2013). doi:10.1109/MSP.2012.162

    Google Scholar 

  102. Gruschka, N., Iacono, L.: Vulnerable cloud: SOAP message security validation revisited. In: IEEE International Conference on Web Services, pp. 625–631. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/ICWS.2009.70

  103. Gul, I., Rehman, A., Islam, M.: Cloud computing security auditing. In: The 2nd International Conference on Next Generation Information Technology, pp. 143–148. IEEE (2011)

  104. Habib, S., Ries, S., Muhlhauser, M.: Towards a trust management system for cloud computing. In: IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 933–939. IEEE Computer Society, Washington, DC, USA (2011). doi:10.1109/TrustCom.2011.129

  105. Hale, C.: bcrypt. http://codahale.com/how-to-safely-store-a-password/ (2010). Accessed May 2013

  106. Hamada, J.: Japanese One-Click Fraud Campaign Comes to Google Play. Symantec Blog (2013)

  107. Hart, J.: Remote working: managing the balancing act between network access and data security. Comput. Fraud Secur. 2009(11), 14–17 (2009). doi:10.1016/S1361-3723(09)70141-1

    Article  Google Scholar 

  108. Hayes, B.: Cloud computing. Commun. ACM 51(7), 9–11 (2008). doi:10.1145/1364782.1364786

    Article  Google Scholar 

  109. Helland, P.: Condos and clouds. Commun. ACM 56(1), 50–59 (2013). doi:10.1145/2398356.2398374

    Article  Google Scholar 

  110. Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Minding your Ps and Qs: detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium, pp. 205–220. USENIX, Bellevue, WA, USA (2012). doi:10.1109/ICCIAutom.2011.6183990

  111. Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). RFC 6797 (Proposed Standard) (2012). https://www.ietf.org/rfc/rfc6797.txt

  112. Honan, M.: How Apple and Amazon Security Flaws Led to My Epic Hacking. Wired (2012)

  113. HP: HP 2012 Cyber Risk Report. http://www.hpenterprisesecurity.com/collateral/whitepaper/HP2012CyberRiskReport_0213.pdf (2013). Accessed Apr. 2013

  114. HP: HP ArcSight. http://www8.hp.com/us/en/software-solutions/software.html?compURI=1340477 (2013). Accessed Apr. 2013

  115. Hua, J., Sakurai, K.: Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC), pp. 1470–1477. ACM, Trento, Italy (2012). doi:10.1145/2231936.2232011

  116. Hunt, T.: 5 Ways to Implement HTTPS in an Insufficient Manner (and leak sensitive data). http://www.troyhunt.com/2013/04/5-ways-to-implement-https-in.html (2013). Accessed Apr. 2013

  117. Idziorek, J., Tannian, M.: Exploiting cloud utility models for profit and ruin. In: IEEE International Conference on Cloud Computing, pp. 33–40. IEEE Computer Society, Washington, DC, USA (2011)

  118. Idziorek, J., Tannian, M., Jacobson, D.: Detecting fraudulent use of cloud resources. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 61–72. ACM, New York, NY, USA (2011). doi:10.1145/2046660.2046676

  119. Infosecurity: Recycled phones retain their previous owners’ data. Infosecurity Magazine (2013)

  120. Intel: Intel Digital Random Number Generator (DRNG): Software Implementation Guide. http://software.intel.com/sites/default/files/m/d/4/1/d/8/441_Intel_R_DRNG_Software_Implementation_Guide_final_Aug7.pdf (2012). Accessed May 2013

  121. Jackson, C.: 8 Cloud Security Concepts You Should Know. Network World (2010)

  122. Jackson, C., Barth, A.: ForceHTTPS: protecting high-security web sites from network attacks. In: Proceedings of the 17th International Conference on World Wide Web (WWW), pp. 525–534. ACM, Beijing, China (2008). doi:10.1145/1367497.1367569

  123. Jasti, A., Shah, P., Nagaraj, R., Pendse, R.: Security in multi-tenancy cloud. In: IEEE International Carnahan Conference on Security Technology, pp. 35–41. IEEE (2010). doi:10.1109/CCST.2010.5678682

  124. Jenkins, Q.: Spamhaus: DDoS Update—March 2013. Spamhaus (2013)

  125. Jensen, M., Gruschka, N., Herkenhöner, R.: A survey of attacks on web services. Comput. Sci. Res. Dev. 24, 185–197 (2009). doi:10.1007/s00450-009-0092-6

    Article  Google Scholar 

  126. Jensen, M., Gruschka, N., Luttenberger, N.: The impact of flooding attacks on network-based services. In: 3rd International Conference on Availability, Reliability and Security, pp. 509–513. IEEE Computer Society, Washington, DC, USA (2008)

  127. Jensen, M., Meyer, C.: Expressiveness considerations of XML signatures. In: IEEE 35th Annual Computer Software and Applications Conf. Workshop, pp. 392–397. IEEE Computer Society, Washington, DC, USA (2011)

  128. Jensen, M., Schäge, S., Schwenk, J.: Towards an anonymous access control and accountability scheme for cloud computing. In: IEEE 3rd International Conference on Cloud Computing, pp. 540–541. IEEE Computer Society, Washington, DC, USA (2010). doi:10.1109/CLOUD.2010.61

  129. Jensen, M., Schwenk, J.: The accountability problem of flooding attacks in service-oriented architectures. In: International Conference on Availability, Reliability and Security, pp. 25–32. IEEE (2009)

  130. Jensen, M., Schwenk, J., Gruschka, N., Iacono, L.: On Technical security issues in cloud computing. In: IEEE International Conference on Cloud Computing, pp. 109–116. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/CLOUD.2009.60

  131. Jin, B., Wang, Y., Liu, Z., Xue, J.: A trust model based on cloud model and Bayesian networks. Procedia Environ. Sci. 11, Part A, 452–459 (2011). doi:10.1016/j.proenv.2011.12.072

    Article  Google Scholar 

  132. Kandukuri, B., Paturi, V., Rakshit, A.: Cloud security issues. In: IEEE International Conference on Services Computing, pp. 517–520. IEEE (2009). doi:10.1109/SCC.2009.84

  133. Kant, K.: Data center evolution: a tutorial on state of the art, issues, and challenges. Comput. Netw. 53(17), 2939–2965 (2009). doi:10.1016/j.comnet.2009.10.004

    Article  Google Scholar 

  134. Katsuki, T.: Crisis for Windows Sneaks onto Virtual Machines. Symantec Blog (2012)

  135. Kaufman, L.: Data security in the world of cloud computing. IEEE Secur. Priv. 7(4), 61–64 (2009)

    Article  Google Scholar 

  136. Kerrigan, B., Chen, Y.: A study of entropy sources in cloud computers: random number generation on cloud hosts. In: Proceedings of the 6th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS), pp. 286–298. Springer, St. Petersburg, Russia (2012). doi:10.1007/978-3-642-33704-8_24

  137. Khan, K., Malluhi, Q.: Establishing trust in cloud computing. IT Prof. 12(5), 20–27 (2010). doi:10.1109/MITP.2010.128

    Article  Google Scholar 

  138. Khorshed, M.T., Ali, A.S., Wasimi, S.A.: A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing. Future Gener. Comput. Syst. 28(6), 833–851 (2012). doi:10.1016/j.future.2012.01.006

    Article  Google Scholar 

  139. King, C.I.: Intel Rdrand Instruction Revisited. http://smackerelofopinion.blogspot.co.uk/2012/10/intel-rdrand-instruction-revisited.html (2012). Accessed May 2013

  140. King, S., Chen, P.: SubVirt: implementing malware with virtual machines. In: IEEE Symposium on Security and Privacy, pp. 14 pp.-327. IEEE Computer Society, Washington, DC, USA (2006). doi:10.1109/SP.2006.38

  141. Kirkland, D.: Entropy (or rather the lack thereof) in OpenStack instances... and how to improve that. http://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/presentation/entropy-or-lack-thereof-in-openstack-instances (2012). Accessed May 2013

  142. Kufel, L.: Security event monitoring in a distributed systems environment. IEEE Secur. Priv. 11(1), 36–43 (2013). doi:10.1109/MSP.2012.61

    Google Scholar 

  143. Leder, F., Werner, T.: Know Your Enemy: Containing Conficker. http://www.honeynet.org/files/KYE-Conficker.pdf (2010). White Paper. Accessed May 2013

  144. Leder, F., Werner, T.: Containing Conficker. http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ (2011). Accessed May 2013

  145. Lee, J.H., Park, M.W., Eom, J.H., Chung, T.M.: Multi-level intrusion detection system and log management in cloud computing. In: 13th International Conference on Advanced Communication Technology, pp. 552–555. IEEE (2011)

  146. Lemos, R.: Blue Security Folds Under Spammer’s Wrath. SecurityFocus (2013)

  147. Lenk, A., Klems, M., Nimis, J., Tai, S., Sandholm, T.: What’s inside the cloud? An architectural map of the cloud landscape. In: Proceedings of the ICSE Workshop on Software Engineering Challenges of Cloud Computing, pp. 23–31. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/CLOUD.2009.5071529

  148. Leopando, J.: World Backup Day: The 3–2–1 Rule. Trend Micro TrendLabs (2013)

  149. Li, F., Lai, A., Ddl, D.: Evidence of advanced persistent threat: a case study of malware for political espionage. In: 6th International Conference on Malicious and Unwanted Software (MALWARE), pp. 102–109. Fajardo, PR, USA (2011). doi:10.1109/MALWARE.2011.6112333

  150. Li, H.C., Liang, P.H., Yang, J.M., Chen, S.J.: Analysis on cloud-based security vulnerability assessment. In: IEEE 7th International Conference on e-Business Engineering, pp. 490–494. IEEE (2010). doi:10.1109/ICEBE.2010.77

  151. Li, Q., Clark, G.: Mobile security: a look ahead. IEEE Secur. Priv. 11(1), 78–81 (2013). doi:10.1109/MSP.2013.15

    Google Scholar 

  152. Li, X., Loh, P., Tan, F.: Mechanisms of polymorphic and metamorphic viruses. In: European Intelligence and Security Informatics Conference (EISIC), pp. 149–154. Berkeley/Oakland, CA, USA (2011). doi:10.1109/EISIC.2011.77

  153. Liu, F., Su, X., Liu, W., Shi, M.: The design and application of Xen-based host system firewall and its extension. In: International Conference on Electronic Computer Technology, pp. 392–395. Macau, China (2009). doi:10.1109/ICECT.2009.83

  154. Liu, H.: A new form of DoS attack in a cloud and its avoidance mechanism. In: Proceedings of the ACM Workshop on Cloud Computing Security, pp. 65–76. ACM, New York, NY, USA (2010). doi:10.1145/1866835.1866849

  155. LivingSocial: LivingSocial Security Notice. https://livingsocial.com/createpassword (2013). Accessed May 2013

  156. Luo, S., Lin, Z., Chen, X., Yang, Z., Chen, J.: Virtualization security for cloud computing service. In: International Conference on Cloud and Service Computing, pp. 174–179. IEEE Computer Society, Washington, DC, USA (2011)

  157. Mandiant: APT1: Exposing One of China’s Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf (2013). Accessed Apr. 2013

  158. Mansfield-Devine, S.: Danger in the clouds. Netw. Secur. 2008(12), 9–11 (2008). doi:10.1016/S1353-4858(08)70140-5

    Article  Google Scholar 

  159. Marlinspike, M.: New tricks for defeating SSL in practice. https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf (2009). Accessed Apr. 2013

  160. Marlinspike, M.: sslstrip. http://www.thoughtcrime.org/software/sslstrip/ (2009). Accessed Apr. 2013

  161. Martin, D.: Implementing effective controls in a mobile, agile, cloud-enabled enterprise. IEEE Secur. Priv. 11(1), 13–14 (2013). doi:10.1109/MSP.2013.1

    Google Scholar 

  162. Mathisen, E.: Security challenges and solutions in cloud computing. In: Proceedings of the 5th IEEE International Conference on Digital Ecosystems and Technologies, pp. 208–212. IEEE (2011). doi:10.1109/DEST.2011.5936627

  163. McAfee: McAfee Threats Report—Fourth Quarter 2012. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf (2013). Accessed Apr. 2013

  164. McCune, J., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: efficient TCB reduction and attestation. In: IEEE Symposium on Security and Privacy (SP), pp. 143–158. Oakland, CA, USA (2010). doi:10.1109/SP.2010.17

  165. McGraw, G.: Software security. IEEE Secur. Priv. 2(2), 80–83 (2004). doi:10.1109/MSECP.2004.1281254

    Article  Google Scholar 

  166. McIntosh, M., Austel, P.: XML signature element wrapping attacks and countermeasures. In: Proceedings of the Workshop on Secure Web Services, pp. 20–27. ACM, New York, NY, USA (2005). doi:10.1145/1103022.1103026

  167. McKendrick, J.: 7 Predictions for Cloud Computing in 2013 That Make Perfect Sense. Forbes (2012)

  168. MEGA: The MEGA API. https://mega.co.nz/#developers (2013). Accessed Apr. 2013

  169. Microsoft: Microsoft Hyper-V Server 2012 Website. https://www.microsoft.com/en-us/server-cloud/hyper-v-server/ (2013). Accessed Jun. 2013

  170. Microsoft: Microsoft Security Intelligence Report: Volume 14. http://www.microsoft.com/security/sir/default.aspx (2013). Accessed Apr. 2013

  171. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appli. (2012). doi:10.1016/j.jnca.2012.05.003. Available online 2 June 2012

  172. Mohamed, E., Abdelkader, H., El-Etriby, S.: Enhanced data security model for cloud computing. In: 8th International Conference on Informatics and Systems, pp. CC-12–CC-17. IEEE (2012)

  173. Mohan, V., Hamlen, K.W.: Frankenstein: stitching malware from benign binaries. In: Proceedings of the 6th USENIX Conference on Offensive Technologies, pp. 8–8. USENIX Association, Bellevue, WA, USA (2012)

  174. Monfared, A., Jaatun, M.: Monitoring intrusions and security breaches in highly distributed cloud environments. In: IEEE 3rd International Conference on Cloud Computing Technology and Science, pp. 772–777. IEEE Computer Society, Washington, DC, USA (2011). doi:10.1109/CloudCom.2011.119

  175. Morsy, M.A., Grundy, J., Müller, I.: An analysis of the cloud computing security problem. In: Proceedings of Asia Pacific Software Engineering Conference Cloud Workshop, pp. 1–6. IEEE Computer Society, Washington, DC, USA (2010)

  176. Moser, S.: Change I7d8c1f9b: add ’random _seed’ entry to instance metadata. https://review.openstack.org/#c/14550/ (2012). Accessed May 2013

  177. MPICH: MPICH Website. http://www.mpich.org/ (2013). Accessed Apr. 2013

  178. Musthaler, L.: DDoS-as-a-Service? You Betcha! It’s Cheap, It’s Easy, and It’s Available to Anyone. Security Bistro (2012)

  179. Narayanan, A., Shmatikov, V.: De-anonymizing social networks. In: 30th IEEE Symposium on Security and Privacy, pp. 173–187. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/SP.2009.22

  180. Nathoo, N.: Cloud Wars—The Fall of Cloud Storage. CloudTimes (2013). Accessed Apr. 2013

  181. Nebula: Introducing Nebula One. https://www.nebula.com/nebula-one (2013). Accessed Apr. 2013

  182. Network-Tools: Network-Tools Website. http://network-tools.com/ (2013). Accessed Apr. 2013

  183. Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: IEEE Symposium on Security and Privacy, pp. 226–241. Athens, Greece (2005). doi:10.1109/SP.2005.15

  184. NIST: NIST Cloud Computing Reference Architecture. http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505 (2011). Accessed Jul. 2013

  185. NIST: The NIST Definition of Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (2011). Accessed Sept. 2012

  186. NIST: NIST Cloud Computing Program. http://www.nist.gov/itl/cloud/ (2012). Accessed Sept. 2012

  187. NIST: NIST Cloud Computing Security Reference Architecture. http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf (2013). Accessed Jul. 2013

  188. Oberheide, J., Cooke, E., Jahanian, F.: Empirical exploitation of live virtual machine migration. In: Proceedings of the Black Hat Convention (2008). doi:10.1109/ICCIAutom.2011.6183990

  189. OCCI: OCCI Website. http://occi-wg.org/ (2013). Accessed Apr. 2013

  190. Okamura, K., Oyama, Y.: Load-based covert channels between Xen virtual machines. In: Proceedings of the ACM Symposium on Applied Computing, pp. 173–180. ACM, New York, NY, USA (2010). doi:10.1145/1774088.1774125

  191. O’Kane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Priv. 9(5), 41–47 (2011). doi:10.1109/MSP.2011.98

    Article  Google Scholar 

  192. O’Neill, M.: Cloud APIs—the Next Battleground for Denial-of-Service Attacks. CSA Blog (2013)

  193. Open Cloud Initiative (OCI): OCI Website. http://www.opencloudinitiative.org/ (2013). Accessed May 2013

  194. OpenNebula: OpenNebula Website. http://opennebula.org/ (2013). Accessed Apr. 2013

  195. OpenStack: OpenStack Website. http://www.openstack.org/ (2013). Accessed Apr. 2013

  196. Oracle: Oracle Java SE Critical Patch Update Advisory—April 2013. http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html (2013). Accessed Apr. 2013

  197. Oracle: VirtualBox Website. https://www.virtualbox.org/ (2013). Accessed Jun. 2013

  198. Ortega, A.: Your Malware Shall Not Fool Us With Those Anti Analysis Tricks. AlienVault Labs (2012)

  199. OSVDB: The Open Source Vulnerability Database Website. http://www.osvdb.org/ (2013). Accessed Apr. 2013

  200. OWASP: The Then Most Critical Web Application Security Risks. http://owasptop10.googlecode.com/files/OWASP (2010). Accessed Oct. 2012

  201. OWASP: The Then Most Critical Web Application Security Risks. https://www.owasp.org/index.php/Top_10_2013 (2013). Accessed Apr. 2013

  202. Oyama, Y., Giang, T.T.D., Chubachi, Y., Shinagawa, T., Kato, K.: Detecting malware signatures in a thin hypervisor. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC), pp. 1807–1814. ACM, Trento, Italy (2012). doi:10.1145/2231936.2232070

  203. Panah, A., Panah, A., Panah, O., Fallahpour, S.: Challenges of security issues in cloud computing layers. Rep. Opin. 4(10), 25–29 (2012)

    Google Scholar 

  204. Parallels: Oracle VM Server Website. http://www.oracle.com/us/technologies/virtualization/oraclevm/ (2013). Accessed Jun. 2013

  205. Parallels: Parallels Website. http://www.parallels.com/eu/products/ (2013). Accessed Jun. 2013

  206. Patel, A., Taghavi, M., Bakhtiyari, K., Júnior, J.C.: An intrusion detection and prevention system in cloud computing: a systematic review. J. Netw. Comput. Appli. (2012). doi:10.1016/j.jnca.2012.08.007. Available online 31 Aug. 2012

  207. Patel, P.: Solution: FUTEX \_WAIT hangs Java on Linux / Ubuntu in vmware or virtual box. http://www.springone2gx.com/blog/pratik_patel/2010/01/solution_futex_wait_hangs_java_on_linux_ubuntu_in_vmware_or_virtual_box(2010). Accessed May 2013

  208. Patidar, S., Rane, D., Jain, P.: A survey paper on cloud computing. In: 2nd International Conference on Advanced Computing Communication Technologies, pp. 394–398. IEEE (2012). doi:10.1109/ACCT.2012.15

  209. PCI Security Standards: PCI SSC Data Security Standards Overview. https://www.pcisecuritystandards.org/security_standards/index.php (2012). Accessed Oct. 2012

  210. Pearce, M., Zeadally, S., Hunt, R.: Virtualization: issues, security threats, and solutions. ACM Comput. Surv. 45(2), 1:71–1:739 (2013). doi:10.1145/2431211.2431216

    Article  Google Scholar 

  211. Pearson, S.: Privacy, security and trust in cloud computing. In: Pearson, S., Yee, G. (eds.) Privacy and Security for Cloud Computing, pp. 3–42. Springer London (2013). doi:10.1007/978-1-4471-4189-1_1

  212. Perez-Botero, D., Szefer, J., Lee, R.B.: Characterizing hypervisor vulnerabilities in cloud computing servers. In: Proceedings of the 2013 International Workshop on Security in Cloud Computing (SCC), pp. 3–10. ACM, New York, NY, USA (2013). doi:10.1145/2484402.2484406

  213. Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., Shenker, S.: Extending networking into the virtualization layer. In: Proceedings of the 8th ACM Workshop on Hot Topics in Networks. ACM SIGCOMM (2009)

  214. Prandini, M., Ramilli, M., Cerroni, W., Callegati, F.: Splitting the HTTPS stream to attack secure web connections. IEEE Secur. Priv. 8(6), 80–84 (2010). doi:10.1109/MSP.2010.190

    Article  Google Scholar 

  215. Prince, M.: The DDoS That Almost Broke the Internet. CloudFlare (2013)

  216. Prince, M.: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It). CloudFlare (2013)

  217. Prolexic: Prolexic Quarterly Global DDoS Attack Report Q1 2013. https://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html (2013). Accessed Apr. 2013

  218. Rahaman, M.A., Schaad, A., Rits, M.: Towards secure SOAP message exchange in a SOA. In: Proceedings of the 3rd ACM Workshop on Secure Web Services, pp. 77–84. ACM, New York, NY, USA (2006). doi:10.1145/1180367.1180382

  219. Ramgovind, S., Eloff, M., Smith, E.: The management of security in cloud computing. In: Information Security for South Africa, pp. 1–7. IEEE (2010). doi:10.1109/ISSA.2010.5588290

  220. Rasmusson, L., Aslam, M.: Protecting private data in the cloud. In: Proceedings of the 2nd International Conference on Cloud Computing and Services Science (CLOSER), pp. 5–12. Porto, Portugal (2012)

  221. Rauti, S., Leppänen, V.: Browser extension-based man-in-the-browser attacks against Ajax applications with countermeasures. In: Proceedings of the 13th International Conference on Computer Systems and Technologies (CompSysTech), pp. 251–258. ACM, Ruse, Bulgaria (2012) doi:10.1145/2383276.2383314

  222. RedHat: KVM Website. http://www.linux-kvm.org/ (2013). Accessed Jun. 2013

  223. RepoCERT: Botnet Using Plesk Vulnerability and Takedown. Seclists Website (2013)

  224. Rimal, B.P., Jukan, A., Katsaros, D., Goeleven, Y.: Architectural requirements for cloud computing systems: an enterprise cloud approach. J. Grid Comput. 9(1), 3–26 (2011). doi:10.1007/s10723-010-9171-y

    Article  Google Scholar 

  225. Ripe, NCC: Database Query. http://apps.db.ripe.net/search/query.html (2013). Accessed Apr. 2013

  226. Riquet, D., Grimaud, G., Hauspie, M.: Large-scale coordinated attacks: impact on the cloud security. In: 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, pp. 558–563. IEEE (2012). doi:10.1109/IMIS.2012.76

  227. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199–212. ACM, New York, NY, USA (2009)

  228. Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: Proceedings of Network and Distributed Security Symposium (NDSS), pp. 1–18. The Internet Society, San Diego, CA, USA (2010)

  229. Roberts II, J.C., Al-Hamdani, W.: Who can you trust in the cloud?: a review of security issues within cloud computing. In: Proceedings of the Information Security Curriculum Development Conference, pp. 15–19. ACM, New York, NY, USA (2011). doi:10.1145/2047456.2047458

  230. Rocha, F., Abreu, S., Correia, M.: The final Frontier: confidentiality and privacy in the cloud. Computer 44(9), 44–50 (2011). doi:10.1109/MC.2011.223

    Article  Google Scholar 

  231. Rocha, F., Correia, M.: Lucy in the sky without diamonds: stealing confidential data in the cloud. In: IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops, pp. 129–134. IEEE (2011). doi:10.1109/DSNW.2011.5958798

  232. Rodero-Merino, L., Vaquero, L.M., Caron, E., Desprez, F., Muresan, A.: Building safe PaaS clouds: a survey on security in multitenant software platforms. Comput. Secur. 31(1), 96–108 (2012). doi:10.1016/j.cose.2011.10.006

    Article  Google Scholar 

  233. Rong, C., Nguyen, S.T., Jaatun, M.G.: Beyond lightning: a survey on security challenges in cloud computing. Comput. Electr. Eng. (2012). doi:10.1016/j.compeleceng.2012.04.015 Available online 19 May 2012

  234. Roy, I., Setty, S.T.V., Kilzer, A., Shmatikov, V., Witchel, E.: Airavat: security and privacy for MapReduce. In: Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation, pp. 20–20. USENIX Association, Berkeley, CA, USA (2010)

  235. RSA: RSA SecurID Website. http://sweden.emc.com/security/rsa-securid.htm (2013). Accessed Jun. 2013

  236. RSA FirstWatch: Tales from the Darkside: Another Mule Recruitment Site. RSA Blog (2013)

  237. Rutkowska, J.: Subverting VistaTM Kernel for fun and profit. Black Hat Conv. (2008)

  238. Sabahi, F.: Cloud computing security threats and responses. In: IEEE 3rd International Conference on Communication Software and Networks, pp. 245–249. IEEE (2011). doi:10.1109/ICCSN.2011.6014715

  239. Sadashiv, N., Kumar, S.: Cluster, grid and cloud computing: a detailed comparison. In: 6th International Conference on Computer Science Education, pp. 477–482. IEEE (2011). doi:10.1109/ICCSE.2011.6028683

  240. Salah, K., Alcaraz, Calero J.: Using cloud computing to implement a security overlay network. IEEE Secur. Priv. 11(1), 44–53 (2013). doi:10.1109/MSP.2012.88

    Google Scholar 

  241. SAML v2.0: OASIS Website. https://www.oasis-open.org/standards#samlv2.0 (2005). Accessed Apr. 2013

  242. Santos, N., Gummadi, K.P., Rodrigues, R.: Towards trusted cloud computing. In: Proceedings of the Conference on Hot Topics in Cloud Computing. USENIX Association, Berkeley, CA, USA (2009)

  243. Schloesser, M., Guarnieri, C.: Vaccinating Systems Against VM-aware Malware. Rapid7 Labs (2013)

  244. Schloesser, M., Guarnieri, C.: Vaccinating Systems Against VM-aware Malware. https://github.com/rapid7/vaccination (2013). Accessed May 2013

  245. Schneier, B.: Homomorphic Encryption Breakthrough. https://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html (2009). Accessed May 2013

  246. SecurityFocus: Xen CVE-2013-1920 Local Memory Corruption Vulnerability. SecurityFocus (2013)

  247. Sekar, V., Maniatis, P.: Verifiable resource accounting for cloud computing services. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 21–26. ACM, New York, NY, USA (2011). doi:10.1145/2046660.2046666

  248. Sengupta, S., Kaulgud, V., Sharma, V.: Cloud computing security—trends and research directions. In: IEEE World Congress on Services, pp. 524–531. IEEE Computer Society, Washington, DC, USA (2011). doi:10.1109/SERVICES.2011.20

  249. Shin, S., Gu, G.: CloudWatcher: network security monitoring using OpenFlow in dynamic cloud networks (or: how to provide security monitoring as a service in clouds?). In: 20th IEEE International Conference on Network Protocols (ICNP), pp. 1–6. Austin, TX, USA (2012).doi:10.1109/ICNP.2012.6459946

  250. Shinotsuka, H.: Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems. Symantec Blog (2012)

  251. Singh, A.: Don’t Click the Left Mouse Button: Introducing Trojan UpClicker. FireEye Blog (2012)

  252. Sloan, K.: Security in a virtualised world. Netw. Secur. 2009(8), 15–18 (2009). doi:10.1016/S1353-4858(09)70077-7

    Article  Google Scholar 

  253. SNIA: Cloud Data Management Interface (CDMI). http://www.snia.org/cdmi (2013). Accessed Apr. 2013

  254. Somorovsky, J., Mayer, A., Schwenk, J., Kampmann, M., Jensen, M.: On breaking SAML: be whoever you want to be. In: Proceedings of the 21st USENIX Security Symposium, pp. 21–21. USENIX Association, Bellevue, WA, USA (2012)

  255. Songjie, Yao, J., Wu, C.: Cloud computing and its key techniques. In: International Conference on Electronic and Mechanical Engineering and Information Technology, vol. 1, pp. 320–324. IEEE (2011). doi:10.1109/EMEIT.2011.6022935

  256. Sood, A., Enbody, R.: Targeted cyberattacks: a superset of advanced persistent threats. IEEE Secur. Priv. 11(1), 54–61 (2013). doi:10.1109/MSP.2012.90

    Google Scholar 

  257. Sood, S.K.: A combined approach to ensure data security in cloud computing. J. Netw. Comput. Appli. 35(6), 1831–1838 (2012). doi:10.1016/j.jnca.2012.07.007

    Article  Google Scholar 

  258. Spoon Website: Browser Sandbox. http://spoon.net/browsers (2013). Accessed Apr. 2013

  259. Stamos, A., Becherer, A., Wilcox, N.: Cloud Computing Security: Raining on the Trendy New Parade. https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html (2009)

  260. Staten, J.: 2013 Cloud Predictions: We’ll Finally Get Real About Cloud. Forrester Blog (2012)

  261. Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appli. 34(1), 1–11 (2011). doi:10.1016/j.jnca.2010.07.006

    Article  Google Scholar 

  262. Sun, D., Chang, G., Sun, L., Wang, X.: Surveying and analyzing security, privacy and trust issues in cloud computing environments. Procedia Eng. 15, 2852–2856 (2011). doi:10.1016/j.proeng.2011.08.537

    Article  Google Scholar 

  263. Sun, K., Li, Y., Hogstrom, M., Chen, Y.: Sizing multi-space in heap for application isolation. In: Companion to the 21st ACM SIGPLAN Symposium on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), pp. 647–648. ACM, Portland, OR, USA (2006). doi:10.1145/1176617.1176654

  264. Sun, M.K., Lin, M.J., Chang, M., Laih, C.S., Lin, H.T.: Malware virtualization-resistant behavior detection. In: IEEE 17th International Conference on Parallel and Distributed Systems (ICPADS), pp. 912–917. Tainan, Taiwan (2011). doi:10.1109/ICPADS.2011.78

  265. Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory deduplication as a threat to the guest OS. In: Proceedings of the 4th European Workshop on System Security, pp. 1:1–1:6. ACM, Salzburg, Austria (2011). doi:10.1145/1972551.1972552

  266. Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Software side channel attack on memory deduplication. In: 23rd ACM Symposium on Operating Systems Principles. ACM, Cascais, Portugal (2011). Poster

  267. Symantec: Internet Security Threat Report 2013. https://www.symantec.com/security_response/publications/threatreport.jsp (2013). Accessed Apr. 2013

  268. Symantec Security Response: Internet Explorer Zero-Day Used in Watering Hole Attack: Q &A. Symantec Blog (2012)

  269. Szefer, J., Keller, E., Lee, R.B., Rexford, J.: Eliminating the hypervisor attack surface for a more secure cloud. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), pp. 401–412. ACM, Chicago, IL, USA (2011). doi:10.1145/2046707.2046754

  270. Takabi, H., Joshi, J., Ahn, G.: Security and privacy challenges in cloud computing environments. IEEE Secur. Priv. 8(6), 24–31 (2010)

    Article  Google Scholar 

  271. Tang, M., Lv, Q., Lu, Z., Zhao, Q., Song, Y.: Dynamic virtual switch protocol using Openflow. In: 13th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel Distributed Computing (SNPD), pp. 603–608. Kyoto, Japan (2012). doi:10.1109/SNPD.2012.129

  272. Tanvi: Mixed Content Blocking Enabled in Firefox 23! Firefox Blog (2013)

  273. Taylor, G., Cox, G.: Digital randomness. IEEE Spectr. 48(9), 32–58 (2011). doi:10.1109/MSPEC.2011.5995897

    Article  Google Scholar 

  274. Taylor, M., Haggerty, J., Gresty, D., Lamb, D.: Forensic investigation of cloud computing systems. Netw. Secur. 2011(3), 4–10 (2011). doi:10.1016/S1353-4858(11)70024-1

    Article  Google Scholar 

  275. The Linux Foundation: Xen Website. http://http://www.xenproject.org/ (2013). Accessed Jun. 2013

  276. Thompson, H.: The human element of information security. IEEE Secur. Priv. 11(1), 32–35 (2013). doi:10.1109/MSP.2012.161

    Google Scholar 

  277. Thorsheim, P.: The Final Word on the LinkedIn Leak. http://securitynirvana.blogspot.pt/2012/06/final-word-on-linkedin-leak.html (2012). Accessed May 2013

  278. Toubiana, V., Nissenbaum, H.: Analysis of Google logs retention policies. J. Priv. Confid. 3(1), 3–26 (2011)

    Google Scholar 

  279. Townsend, M.: Managing a security program in a cloud computing environment. In: Information Security Curriculum Development Conference, pp. 128–133. ACM, New York, NY, USA (2009). doi:10.1145/1940976.1941001

  280. Trader, T.: GPU Monster Shreds Password Hashes. HPCwire (2012)

  281. Tripathi, A., Mishra, A.: Cloud computing security considerations. In: IEEE International Conference on Signal Processing, Communications and Computing, pp. 1–5. IEEE (2011). doi:10.1109/ICSPCC.2011.6061557

  282. Tsai, H.Y., Siebenhaar, M., Miede, A., Huang, Y., Steinmetz, R.: Threat as a service?: virtualization’s impact on cloud security. IT Prof. 14(1), 32–37 (2012). doi:10.1109/MITP.2011.117

    Article  Google Scholar 

  283. Tseng, H.M., Lee, H.L., Hu, J.W., Liu, T.L., Chang, J.G., Huang, W.C.: Network virtualization with cloud virtual switch. In: IEEE 17th International Conference on Parallel and Distributed Systems (ICPADS), pp. 998–1003. Tainan, Taiwan (2011). doi:10.1109/ICPADS.2011.159

  284. Vaquero, L.M., Rodero-Merino, L., Morán, D.: Locking the sky: a survey on IaaS cloud security. Computing 91(1), 93–118 (2011). doi:10.1007/s00607-010-0140-x

    Article  MATH  Google Scholar 

  285. Viega, J.: Cloud computing and the common man. Computer 42(8), 106–108 (2009). doi:10.1109/MC.2009.252

    Article  Google Scholar 

  286. VMware: VMware vSphere. https://www.vmware.com/support/product-support/vsphere/ (2013). Accessed Apr. 2013

  287. VMware: VMware Website. https://www.vmware.com/products/ (2013). Accessed Jun. 2013

  288. VMware: What is OVF? https://www.vmware.com/technical-resources/virtualization-topics/virtual-appliances/ovf.html (2013). Accessed Apr. 2013

  289. VMware Community Forums: Low/proc/sys/kernel/random/entr opy_avail causes exim to stop sending mail. http://communities.vmware.com/message/530909 (2006). Accessed May 2013

  290. Vu, Q.H., Pham, T.V., Truong, H.L., Dustdar, S., Asal, R.: DEMODS: a description model for data-as-a-service. In: IEEE 26th International Conference on Advanced Information Networking and Applications (AINA), pp. 605–612. Fukuoka, Japan (2012). doi:10.1109/AINA.2012.91

  291. Wang, C., Ren, K., Lou, W., Li, J.: Toward publicly auditable secure cloud data storage services. IEEE Netw. 24(4), 19–24 (2010). doi:10.1109/MNET.2010.5510914

    Article  Google Scholar 

  292. Wang, C., Wang, Q., Ren, K., Lou, W.: Ensuring data storage security in cloud computing. In: 17th International Workshop on Quality of Service, pp. 1–9. IEEE (2009). doi:10.1109/IWQoS.2009.5201385

  293. Wang, G., Ng, T.: The impact of virtualization on network performance of Amazon EC2 data center. In: Proceedings of the IEEE INFOCOM, pp. 1–9. Sand Diego, CA, USA (2010). doi:10.1109/INFCOM.2010.5461931

  294. Ward, M.: Facebook Users Suffer Viral Surge. BBC News (2009)

  295. Websense: 2013 Threat Report. https://www.websense.com/content/websense-2013-threat-report.aspx (2013). Accessed Apr. 2013

  296. Wei, J., Zhang, X., Ammons, G., Bala, V., Ning, P.: Managing security of virtual machine images in a cloud environment. In: Proceedings of the ACM Workshop on Cloud Computing Security, pp. 91–96. ACM, New York, NY, USA (2009). doi:10.1145/1655008.1655021

  297. Wu, H., Ding, Y., Winer, C., Yao, L.: Network security for virtual machine in cloud computing. In: 5th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), pp. 18–21. Seoul, South Korea (2010). doi:10.1109/ICCIT.2010.5711022

  298. Wu, H., Ding, Y., Winer, C., Yao, L.: Network security for virtual machine in cloud computing. In: 5th International Conference on Computer Sciences and Convergence Information Technology, pp. 18–21. IEEE (2010). doi:10.1109/ICCIT.2010.5711022

  299. Wueest, C.: Mobile Scam: Winning Without Playing. Symantec Blog (2013)

  300. Xiao, Z., Xiao, Y.: Security and privacy in cloud computing. IEEE Commun. Surv. Tuts. 15(2), 843–859 (2013). doi:10.1109/SURV.2012.060912.00182

    Google Scholar 

  301. Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 29–40. ACM, New York, NY, USA (2011). doi:10.1145/2046660.2046670

  302. Yang, J., Chen, Z.: Cloud computing research and security issues. In: International Conference on Computational Intelligence and Software Engineering, pp. 1–3. IEEE (2010). doi:10.1109/CISE.2010.5677076

  303. Yasinsac, A., Irvine, C.: Help! Is There a Trustworthy-Systems Doctor in the House? IEEE Secur. Priv. 11(1), 73–77 (2013). doi:10.1109/MSP.2013.10

    Google Scholar 

  304. Yilek, S.: Resettable public-key encryption: how to encrypt on a virtual machine. In: Proceedings of the International Conference on Topics in Cryptology, CT-RSA’10, pp. 41–56. Springer-Verlag, San Francisco, CA, USA (2010). doi:10.1007/978-3-642-11925-5_4

  305. Yu, A., Sathanur, A., Jandhyala, V.: A partial homomorphic encryption scheme for secure design automation on public clouds. In: IEEE 21st Conference on Electrical Performance of Electronic Packaging and Systems (EPEPS), pp. 177–180. Tempe, AZ, USA (2012). doi:10.1109/EPEPS.2012.6457871

  306. Yu, H., Powell, N., Stembridge, D., Yuan, X.: Cloud computing and security challenges. In: Proceedings of the 50th Annual Southeast Regional Conference, pp. 298–302. ACM, New York, NY, USA (2012). doi:10.1145/2184512.2184581

  307. Zabidi, M., Maarof, M., Zainal, A.: Malware analysis with multiple features. In: UKSim 14th International Conference on Computer Modelling and Simulation, pp. 231–235. Cambridge, London (2012). doi:10.1109/UKSim.2012.40

  308. Zhang, F., Huang, Y., Wang, H., Chen, H., Zang, B.: PALM: security preserving VM live migration for systems with VMM-enforced protection. In: 3rd Asia-Pacific Trusted Infrastructure Technologies Conference, pp. 9–18. IEEE Computer Society, Washington, DC, USA (2008). doi:10.1109/APTC.2008.15

  309. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), pp. 305–316. ACM, Raleigh, NC, USA (2012). doi:10.1145/2382196.2382230

  310. Zhou, M., Zhang, R., Xie, W., Qian, W., Zhou, A.: Security and privacy in cloud computing: a survey. In: 6th International Conference on Semantics Knowledge and Grid, pp. 105–112. IEEE Computer Society, Washington, DC, USA (2010)

  311. Zieg, M.: Separating fact from fiction in cloud computing. Data Center J. (2012)

  312. Zissis, D., Lekkas, D.: Addressing cloud computing security issues. Future Gener. Comput. Syst. 28(3), 583–592 (2010). doi:10.1016/j.future.2010.12.006

    Article  Google Scholar 

  313. Zou, B., Zhang, H.: Toward enhancing trust in cloud computing environment. In: 2nd International Conference on Control, Instrumentation and Automation, pp. 364–366 (2011). doi:10.1109/ICCIAutom.2011.6183990

Download references

Acknowledgments

We would like to thank all the anonymous reviewers for constructively criticizing this work.

Author information

Authors and Affiliations

  1. Department of Computer Science, Instituto de Telecomunicações, University of Beira Interior, Rua Marquês d’Ávila e Bolama, 6201-001 , Covilhã, Portugal

    Diogo A. B. Fernandes, Liliana F. B. Soares, João V. Gomes, Mário M. Freire & Pedro R. M. Inácio

Authors
  1. Diogo A. B. Fernandes
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Liliana F. B. Soares
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. João V. Gomes
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mário M. Freire
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Pedro R. M. Inácio
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Diogo A. B. Fernandes.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Fernandes, D.A.B., Soares, L.F.B., Gomes, J.V. et al. Security issues in cloud environments: a survey. Int. J. Inf. Secur. 13, 113–170 (2014). https://doi.org/10.1007/s10207-013-0208-7

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-013-0208-7

Keywords

Search

Navigation