BISEC 2022 Paper 1441-2
The 13th International Conference on Business Information Security (BISEC'2022), December 2nd 2022, Belgrade, Serbia
Abstract
The most popular ways of initializing containerized workloads, such as Kubernetes, GKE, Fargate and OpenShift, promise a transition towards cloud container solutions by offering commercial, open-source or academic-based applications. In the introduction, we analyze cloud architecture and determine the relation between the cloud and security in the cloud, mentioning conventional architectures.
By analyzing work related to cloud security assessment and references in the field of container security in the cloud and safety assessment criteria, we make a synthesis of the methodological tools available and compare their applicability, focusing on pros and cons. We present the questionnaire and discuss the results among experts from IT practice.
The results indicate that, despite commercially-driven advancements in this relatively novel scientific field, there is no overall consensus on using tools even for delicate questions such as security in cloud architectures, which should involve the binding application of a unique methodology at least for the most common cloud frameworks, such as the ones analyzed in the paper. The criterion of previous inspection of cloud container images before utilization is of utmost importance for creating prospective methodologies. An in-depth survey and a real cloud threat incident analysis are necessary to get more specific results for creating a methodology for assessing cloud container security.
Keywords
containers, security, tools, assessment, cloud, methodology
The authors determined issues such as contemporary threats and methods for addressing them, but did no survey among experts to check the relevance of the findings. Some work emphasized, as pointed out by Nithiasree et al. [3], that security is the big issue in containers and that future research needs to be conducted in detail to solve these challenging issues. Despite these papers' findings [4, 5, 6], no unique methodology or market-based method has been issued, other than the recommendations made available by CIS [7].

Furthermore, companies have so far shown interest in creating methodologies, as mentioned by [8], and some involved surveys, such as the research done by Tabrizchi and Rafsanjani [9]. An annual report on cloud detection security issues by Sysdig [10], other reports made by the private sector, and the cloud and other security-approach reports made available by global IT societies and organizations for security [7] also contribute to the overall consensus on cloud-related issues. The scientific value of this research is questionable, though, as it focuses on addressing common threats and on commercial uses of the respective companies' software for dealing with threats. That is why this research was suggested and the following methodology applied.

3. Aims and methods

The aim of the paper is to progress towards creating an assessment of the ongoing cloud security problems. According to the analysis of scientific studies related to cloud security assessment, available literature on cloud container security guidelines and safety assessment criteria, we make a synthesis of the tools available and the opinions of experts, make an overview of container utilization issues, and compare them to the results of our questionnaire among experts in software development.

4. Methodology

The analysis was performed using a questionnaire, which involved 29 members of the IT sector (see Table 1) who have been using cloud technologies and who pointed towards different issues and aspects of creating a methodology for security assessment of containers. The questionnaire has multiple-choice answers, and for some questions the answers were given in the form of professional opinions and statements regarding suggestions and views on certain IT-based problems. The questionnaire was conducted over a three-month period. The sample was heterogeneous in terms of the background of software the interviewees have been applying in their daily work, with the criterion that all of them should have been doing software development for at least one year and be familiar with cloud-related problems.

Most of the sample included individuals with more than ten years of experience with software development, both in private companies and in academic departments of the University. Of the sample, 90% were individuals residing in Serbia, engaged either at Serbian companies or at international software companies there.

5. Results and discussion

According to the analysis we have performed, there is a low level of attention paid to security in the cloud environment, as depicted in Figure 1. On the scale from 1 (little to none) to 5 (highly experienced), we can notice that respondents in our survey do not have adequate experience in working with cloud security issues, which can lead to improper usage and configuration of cloud services. Thus, security issues will not be properly resolved (see Figure 1).

Figure 1: Overall IT security.

In accordance with the previous statements, those who have some level of awareness about the importance of security in the cloud environment stressed that the confidentiality and availability aspects of cloud security are among the highest, as depicted in Figure 2. Keeping in mind the diversity of services that are available through cloud services, it becomes clear why these aspects are a major factor motivating the proliferation of security issues.

Figure 2: Importance of different aspects of cloud security.

Security vulnerabilities in the cloud environment can lead to the leak of information about hosted services, which is especially pronounced if the background containers are executed on one host that shares the same OS kernel, because an imperiled kernel invalidates the isolation provided by the container mechanism. In line with this statement, the results of our analysis presented in Figure 3 confirm these findings. Moreover, the results shown in Figure 4 indicate that previous inspection of cloud container images before usage is highly important.
Table 1
Number and percentage of interviewees broken down by the criterion of experience with software development in general, as used in the questionnaire performed.

| Experience | Number of interviewees (29) | Percentage in the overall sample (%) |
|---|---|---|
| 0 - 10 years experience, none with CLOUD technologies | 5 (29) | 17% |
| More than 10 years of experience, none with CLOUD technologies | 6 (29) | 21% |
| 0 - 10 years experience, 0 - 5 years with CLOUD technologies | 5 (29) | 17% |
| More than 10 years of experience, more than 5 years with CLOUD technologies | 13 (29) | 45% |

Figure 4: Importance of cloud container images scanning before usage.

Therefore, security issues become the major barrier to further adoption of containers as well as cloud computing in general. Outsourced data and services in the cloud environment are subject to risks, among which security is a key risk, for which a careful implementation plan must be followed. Usage of security patterns for building secure systems, by describing ways to control specific threats, fixes vulnerabilities and provides a safe environment for proper utilization of cloud services (see Figure 3).

5.1. Recommendations and future work

As the next step, an analysis of an international sample has to be performed. For this purpose, one should obtain interviewees based in other countries, so as to see whether there is a significant difference between the sample analyzed in this paper and the internationally based one. If so, the aim would be to determine the differences and to focus on creating overall recommendations for a methodology for cloud container security assessment that would be globally applicable.

5.2. Conclusion

This paper indicated that, despite commercially-driven advancements in a novel scientific field such as cloud security, there is no overall consensus on creating a unique methodology for using tools, which would involve the binding application or at least common frameworks, in terms of security in the cloud. The survey results analyzed in the paper indicated security patterns for building secure systems and that previous inspection of cloud container images before utilization is significant for creating prospective methodologies.

The comparison of the results with the literature indicates that a real cloud threat incident analysis is necessary to get more specific results on particular cloud environments in the future and to advance towards creating a methodological framework.

References

[1] S. An, A. Leung, J. B. Hong, T. Eom, J. S. Park, Toward automated security analysis and enforcement for cloud computing using graphical models for security, IEEE Access 10 (2022) 75117–75134.
[2] G. S. Prasad, V. S. Gaikwad, A survey on user awareness of cloud security, International Journal of Engineering & Technology 7 (2018) 131–135.
[3] B. Nithiasree, R. Prakash, R. Shenbaga Sundar, A survey on cloud security threats and solution for secure data in data stages, 2021 International Journal of Computer Techniques (IJCT) 8 (2021).