
BISEC 2022 Paper 1441-2


The 13th International Conference on Business Information Security (BISEC'2022), December 2nd 2022, Belgrade, Serbia

Towards creating Methodology for security assessment of cloud containers - an overview of available tools
Aleksandar Jovanović (1,*), Petar Milić (2) and V Saraswathi (3)
(1) Belgrade Metropolitan University, Faculty of Information Technology, Tadeusa Košćuška 63, Belgrade, Serbia
(2) Faculty of Technical Sciences, Department of Computer Science and Informatics, University of Priština - Kosovska Mitrovica, Knjaza Miloša 7, 38220 Kosovska Mitrovica, Serbia
(3) SRM IST, ECE Department, Kattankulathur, Chennai, India

Abstract
The most popular ways of initializing containerized workloads such as KUBERNETES, GKE, FARGATE and OPENSHIFT,
promise the transition towards cloud solution containers by offering commercial, open source or academic-based applications.
In the introduction part, we analyze cloud architecture and determine the relation of the cloud and security in the cloud,
mentioning conventional architectures.
By the analysis of work related to cloud security assessment and references in the field of container security in the
cloud and safety assessment criteria, we make a synthesis of methodological tools available and make a comparison of their
applicability, focusing on pros and cons. We present the questionnaire and discuss the results among the experts from IT
practice.
The results indicate that, despite commercially driven advancements in this relatively novel scientific field, there is no
overall consensus on using tools, even for delicate questions such as security in cloud architectures, which should involve
the binding application of a unique methodology at least for the most common cloud frameworks, such as the ones analyzed in the
paper. The criterion of prior inspection of cloud container images before their utilization is of utmost importance for creating
prospective methodologies. An in-depth survey and an analysis of a real cloud threat incident are necessary to get more specific
results for creating a methodology for assessing cloud container security.

Keywords
containers, security, tools, assessment, cloud, methodology

BISEC'22: 13th International Conference on Business Information Security, December 03, 2022, Belgrade, Serbia
* Corresponding author.
aleksandar.jovanovic@metropolitan.ac.rs (A. Jovanović); petar.milic@pr.ac.rs (P. Milić); saraswav@srmist.edu.in (V. Saraswathi)

1. Introduction

There are continuous possibilities and issues that arise with the development of fast internet connections, advancements in 5G networks and the transfer to automotive and machine learning technologies and software. One of the most indicative processes reflecting these advancements is the adoption of cloud technologies and the transfer of enterprises to Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS) principles. The problem of its security is somewhat taken for granted, because enterprises are relying on the prominent cloud providers, such as Amazon, Google and Microsoft, to supply methods for accessing cloud security issues in their packages. There are commercial versions made by these companies, such as GKE, Kubernetes, and some that reflect the latest academic-based open source research, such as Fargate or Openshift, that operate within the boundaries of their intended use, but focus on one or several central issues that these packages analyze and process, rather than creating a common methodological framework.

2. Similar studies

Research conducted by Seongmo et al. [1] described the creation of the CloudSafe platform, which gave results on a theoretical model of the cloud. In this study, the authors pointed towards the necessity of testing on an actual cloud system. The study focused on AWS, but had implications for other cloud providers, such as Azure, in the proposed future studies. In the research review study by Gudapati and Gaikwad [2], the authors focused on creating guidelines for cloud security issues, and Nitiashree et al. [3] even proposed a three-stage data security model for cloud computing. All these studies have shown, though, that a unique or coherent direction towards a methodology for cloud containers either does not exist or is less usable for the current attacks that arise, but is needed. However, the latter [3] succeeded in creating an Advanced Encryption Standard (AES) algorithm for data security, with the last layer of the algorithm model involving cryptography techniques. The study indicated a relation between the occurrence of public cloud threats and the security of data which is transmitted from the Cloud Service Customer (CSC) to the Cloud Service Provider (CSP).


The authors determined issues such as contemporary threats and methods for addressing them; however, they did no survey among experts to check the relevance of the findings. Some work was emphasized where it was pointed out by Nitiashree et al. [3] that security is the big issue in containers and that future research needs to be conducted in detail to solve these challenging issues. Despite these papers' findings [4, 5, 6], no unique methodology or market-based method has been issued, other than the recommendations made available by CIS [7]. Furthermore, companies have so far shown interest in creating methodologies, as mentioned by [8], and some involved surveys, such as the research done by Tabrizchi and Rafsanjani [9]. An annual report on cloud detection security issues by Sysdig [10] and other reports made by the private sector, as well as the cloud and other security-approach reports made available by global IT societies and organizations for security [7], also contribute to the overall consensus on cloud-related issues. The scientific value of this research is questionable though, as it focuses on addressing common threats and commercial uses of the respective companies' software for dealing with threats. That is why this research was suggested and the following methodology applied.

3. Aims and methods

The aim of the paper is to progress towards creating an assessment of the ongoing cloud security problems. Based on the analysis of scientific studies related to cloud security assessment and the available literature on cloud container security guidelines and safety assessment criteria, we make a synthesis of the tools available and the opinions of experts, give an overview of container utilization issues, and compare them to the results of our questionnaire among experts in software development.

4. Methodology

The analysis was performed using a questionnaire, which involved 29 members of the IT sector (see Table 1) who have been using cloud technologies and who pointed towards different issues and aspects of creating a methodology for security assessment of containers. The questionnaire had multiple choice answers, and to some questions the answers were given in the form of professional opinions and statements regarding suggestions and views towards certain IT-based problems. The questionnaire was conducted over a three-month period. The sample was heterogeneous in terms of the background of the software the interviewees have been applying in their daily work, with the criteria that all of them should have been doing software development for at least one year and are familiar with cloud-related problems.

Most of the sample included individuals with more than ten years of experience with software development, both in private companies and in academic departments of the University. The sample included 90% of individuals residing in Serbia, involved either at Serbian companies or at international software companies there.

5. Results and discussion

According to the analysis we have performed, there is a low level of attention paid to security in the cloud environment, and this is depicted in Figure 1. On the scale from 1 (little to none) to 5 (highly experienced), we can notice that respondents in our survey do not have adequate experience in working with cloud security issues, which can lead to improper usage and configuration of cloud services. Thus, security issues will not be properly resolved (see Figure 1).

In accordance with the previous statements, those who have some level of awareness about the importance of security in the cloud environment stressed that the confidentiality and availability aspects of cloud security are among the highest, as depicted in Figure 2. Keeping in mind the diversity of services that are available through cloud services, it becomes clear why these aspects are a major factor motivating the proliferation of security issues.

Security vulnerabilities in the cloud environment can lead to the leak of information about hosted services, which is especially pronounced if the background containers are executed on one host that shares the same OS kernel, because an imperiled kernel leads to the invalidation of the isolation provided by the container mechanism. In line with this statement, the results of our analysis presented in Figure 3 confirm these findings. Moreover, the results shown in Figure 4 indicate that prior inspection of cloud container images before usage is highly important.

Figure 1: Overall IT security.

Figure 2: Importance of different aspects of cloud security.


Table 1
Number and percentage of interviewees broken down by the criteria of experience with software development in general, that were used in the questionnaire performed.

| Experience | Number of interviewees (29) | Percentage in the overall sample (%) |
|---|---|---|
| 0 - 10 years experience, none with CLOUD technologies | 5 (29) | 17% |
| More than 10 years of experience, none with CLOUD technologies | 6 (29) | 21% |
| 0 - 10 years experience, 0 - 5 years with CLOUD technologies | 5 (29) | 17% |
| More than 10 years of experience, more than 5 years with CLOUD technologies | 13 (29) | 45% |

Figure 3: Top breaches causes in cloud environments.

Figure 4: Importance of cloud container images scanning before usage.

Therefore, security issues become the major barrier for further adoption of containers as well as cloud computing in general. Outsourced data and services in the cloud environment are subjected to risks, among which security is a key risk, for which a careful implementation plan must be followed. Usage of security patterns for building secure systems, by describing ways to control specific threats, fixes vulnerabilities and provides a safe environment for proper utilization of cloud services (see Figure 3).

5.1. Recommendations and future work

As the next step, an analysis of an international sample has to be performed. For this purpose, one should obtain interviewees who are based in other countries, so as to see if there is a significant difference between the sample analyzed in this paper and the internationally based one. If yes, the aim would be to determine the differences and try to focus on the creation of overall recommendations for creating a methodology for cloud container assessment in terms of security that would be globally applicable.

Regarding differences in cloud providers, there is a lack of standardized approaches for the examination of relevant parts of cloud infrastructures. The variety of realization styles behind cloud services, such as APIs, management tools and cloud strategies, makes them difficult to explore, but at the same time poses a challenge to researchers to make further research to overcome this issue. Either by questionnaire or by automatic assessments, revealing detailed key differences between cloud providers will go toward the creation of a unique approach for their assessment.

5.2. Conclusion

This paper indicated that, despite commercially driven advancements in a novel scientific field such as CLOUD security, there is no overall consensus on creating a unique methodology for using tools which involve the binding application or at least common frameworks, in terms of security in the cloud. The survey results analyzed in the paper indicated security patterns for building secure systems and that prior inspection of cloud container images before their utilization is significant for creating prospective methodologies.

The comparison of the results with the literature indicates that a real cloud threat incident analysis is necessary to get more specific results on particular cloud environments in the future and to advance towards creating a methodological framework.

References

[1] S. An, A. Leung, J. B. Hong, T. Eom, J. S. Park, Toward automated security analysis and enforcement for cloud computing using graphical models for security, IEEE Access 10 (2022) 75117–75134.
[2] G. S. Prasad, V. S. Gaikwad, A survey on user awareness of cloud security, International Journal of Engineering & Technology 7 (2018) 131–135.
[3] B. Nithiasree, R. Prakash, R. Shenbaga Sundar, A survey on cloud security threats and solution for secure data in data stages, 2021 International Journal of Computer Techniques (IJCT) 8 (2021).


[4] K. Hashizume, D. G. Rosado, E. Fernández-Medina, E. B. Fernandez, An analysis of security issues for cloud computing, Journal of internet services and applications 4 (2013) 1–13.
[5] H. Takabi, J. B. Joshi, G.-J. Ahn, Security and privacy challenges in cloud computing environments, IEEE Security & Privacy 8 (2010) 24–31.
[6] M. U. Shankarwar, A. V. Pawar, Security and privacy in cloud computing: A survey, in: Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA) 2014: Volume 2, Springer, 2015, pp. 1–11.
[7] Center for Internet Security (CIS), Cloud Security and the Shared Responsibility Model with CIS, 2022.
[8] N. H. Hussein, A. Khalid, A survey of cloud computing security challenges and solutions, International Journal of Computer Science and Information Security 14 (2016) 52.
[9] H. Tabrizchi, M. Kuchaki Rafsanjani, A survey on security challenges in cloud computing: issues, threats, and solutions, The journal of supercomputing 76 (2020) 9493–9532.
[10] A. Newcomb, Sysdig, container security and usage report, 2021. URL: https://sysdig.com/blog/sysdig-2021-container-security-usage-report/.
