Data Security Issues in Cloud Computing

MANAGEMENT INFORMATION SYSTEMS
DATA SECURITY ISSUES IN CLOUD COMPUTING
TO
SIR AFZAAL AHMED
SUBMITTED BY
ASAD ALI
BBA 8-D
1611224
MID-TERM ASSIGNMENT

Data security issues in cloud computing | Asad Ali
Abstract
Cloud computing has proven to be essential source of full filling computing needs by giving
solutions like networking, storage and developing web applications. However, it still has concerns
over security. In the past we have seen a lot of breaches which lead to leaking (which will be
discussed in this paper), manipulating and stealing of account credentials and data. In this paper,
we discuss about the data security issues with cloud computing, the reasons of breaches and
possible countermeasures in order to tackle them. In the end, I would be giving some personal
insight of what I think is the future of cloud computing and how this generation and the future one
can take full advantage of this technology.
Literature Review
Cloud computing is a program that allows user to store the data, manage it. It is considered by
many as to be one of the most important technologies in the current era (Gartner Inc., 2011). Cloud
computing is being done worldwide and has immense amount of potential. It works with minimal
human interaction by giving access to a shared pool (e.g. network, storage) which is convenient,
prevalent and accessible. Cloud computing acts like a language as well as a distributor which main
goal is to provide fast, reliable, and authentic storage of the data. It also allows several users to
share their operating system simultaneously (Zhao G, 2009). It helps in saving time, fastening the
work of development and enables the user to work according to the environment and adapt to the
changes if ever happens. Through effective and efficient computing, it helps in cost reduction too.
Cloud computing is a mixture of different services and acts as a technological hub. It provides
solution to the users and fulfill their computing needs while the servers acts as storage of data and
information. Cloud computing is a mature product while basically represents all the other
technological services (Marinos A, 2009). Out of many models, the one that is widely used is
prepared by NIST. The cloud computing model defined by NIST consist of three service and four
deployment models. If we compared the NIST model to the traditional IT model, the cloud
computing model stands out in many ways. Many IT experts say that the one main reason that they
don’t use cloud computing model is due to its security reasons (Sun Cloud Architecture
Introduction White Paper).

Cloud Computing Model
There are five players in the process of cloud computing. A cloud consumer (CS) is the one that
receives the service form the cloud provider by paying them. Cloud service provider (CSP) is the
one that gives the service to CS. Cloud auditor job is to look after the functions and performance.
Cloud broker is the connection between CS and CSP. Cloud carrier provides the connectivity so
that CSP can give service to CS.
Barriers to adoption
Although there are a lot of benefits provided by cloud computing, still there are some things that
concern the user. The risk at the security level is the main reason why so many people still don’t
opt for cloud computing (From hype to future: KPMG’s 2010 Cloud Computing survey). The data,
network and information can be either leaked or hacked. Since it is a newly developed concept, it
has a lot uncertainty in it (Rosado DG, 2012). For example, if I have an application of my own but
instead of using local server, I am using a server based in United States of America. Now due to
huge gap between the server and the application, the uncertainty of the encryption code whether it
is solid or not and the server not being local may result to low speed, there are chances that the
packets of data might get leaked of changed. Many business executive still have their doubts on
cloud service that is why they have come to the conclusion that security is the biggest issue in
cloud computing (Mather T, 2009).
Cloud Consumer
Cloud Auditor
Cloud Carrier
CloudProvider
Cloudbroker

SPI Model
SPI model is used to define the process of information technology at three levels, software,
infrastructure and platform.
The SPI model consists of 3 types of services:
Software as a service: It gives consumer the capability to use the software given by the cloud
provider to fulfill the computing needs. It can be accessed through an intermediate like web
browser. Some examples of SaaS are, Dropbox, Mail Chimp, Hub spot, YouTube etc.
Platform as a service: A service provided to the consumer where they can run their own
applications without installing any platform. For example, if I run a business and have an
application of it. It needs to be accessible 24/7 so that my customers don’t face any problem. In
order to that, I would need note.js (a runtime library that is used as service or backend for the
software) to run my application. For that I have to be online 24/7 because if I go offline, my
application would stop. So the solution to this is provided by Amazon web services, which is an
example of PaaS. It gives you a platform where you can upload your application and they will run
it for you. For starters it would be free but then they would start charging a minimal fee.
Infrastructure as a service: It is service that allows consumer to deploy any kind of application
and operating system of their own choice. An example of IaaS can be Google compute engine
(GCE). For example, if you are a big organization and want a server with specific attributes so that
you can run your application and serve it to your customers. Due to the competition being so
SaaS
PaaS
IaaS
Valuevisibilitytoendusers
End Users
Application
Developers
Network
Architects

extensive, all your load is being handled by the server. Your applications and data are very large
in size, so you would need a very high end server in order to store and run your soft wares. Since
the servers requires maintenance and it’s very costly, you can hire a third party i.e. IaaS which
does it for you in less money.
Out of all three, SaaS give the least customer control but gives the most security. PaaS gives more
control to customers compared to SaaS due to a little lower degree of conceptualization. IaaS
prefers giving control of security to the users.
SaaS Security Issues
It provides on demand services to the users like email, CRM etc. Since out of all three models,
SaaS gives the least control to the users, it do raises security concerns.
1. Application Security: The web application are deployed in SaaS application thrugh web
browsers. So any problems in the web application make SaaS applications vulnerable.
Hackers use web in order to attack the users’ data in order to change, manipulate and steal
it. OWASP has identified many threats that can be faced by SaaS.
2. Multi Tenancy: There are many people who use SaaS applications. Many of their data is
kept in the same servers. This may lead to leakage of the data. There should be a separate
more powerful server in order to keep the customers data separate from other customers.
3. Data Security: In SaaS, the security is in the hands of the provider. It’s the providers’ job
to look after the data while it’s being stored and processed. So this is a major issue since it
will concern many customers. Secondly, there are data backups in case of any mishaps.
The SaaS providers make the backup themselves but sometimes they offer this job to a
third party. Here comes the reliability issue. The third party contractor can either leak or
manipulate the data. The data is stored in SaaS servers, so they need to protect, secure and
segregate the data.
4. Accessibility: Since all the process is mobile and is done through internet, some major
issue that may concern user and the providers are stealing of information through malware,
insecure Wi-Fi, complications in operating system and proxy based hacking.

PaaS Security Issues
PaaS allows user to deploy their web based application in to their platform. To work, it needs
secure network and web browser. There are two security layers that PaaS looks after, one is its
own platform and the other is customers’ application. Just like SaaS, PaaS also faces security
issues.
1. Third Party Relationships: One more service that PaaS offers is third party web
components. So the customer now have to be reliable on not one, but two different security
measures on platforms.
2. Development Life Cycle: PaaS platforms gets updated very frequently in order to mitigate
the security concerns. Applications that are being developed in the cloud should be also up
to date. PaaS developers, for their security of data has to keep up with the system
development life cycle (SDLC) i.e. requirements, design, coding, testing and then
evaluation.
3. Infrastructure: In SaaS, software is provide to the users while in PaaS, development tools
are provided which doesn’t have any security assurance. In Paas, developers’ doesn’t have
the security in their hands, it’s completely up to the provider.
Iaas Security Issues
IaaS provides a lot of services. From networking to storage, all the services are accessed via
internet. In IaaS, users are given full control that means most of the security are in users’ hand.
Data is much more secured in IaaS as long as there are no loop holes. Some control is with IaaS
too. Like looking after storage and network. IaaS providers has to secure their servers in order to
minimize the risk of data theft.
1. Virtualization: Usage of multiple operating systems, running multiple application and
gathering a lot of information of different servers from one virtual depository is called
virtualization. Virtualization adds an extra layer to the security concern because they have
multiple boundaries, physical and virtual.

2. Virtual Machine Monitor: VMM is a low level monitor that isolates virtual machines into
a container to make them work independently, this of course reduces the security risks and
issues with the VM itself but the monitor is in itself is vulnerable if it gets compromised.
Other than that VMM monitor helps with migration between virtual machines, helps with
load balancing, fault tolerance and with maintenance by virtualizing the containers.
3. Shared Resource: In an IaaS with multiple virtual machines, the data sharing is an
essential feature, it helps to overcome the redundancy and increases the data storage for
other important things but on the dark side, VMs are vulnerable to attacks which might
result in an unauthorized data sharing of a VM with a network. Security leaks can also
cause unintentional sharing of sophisticated data between VMs without reporting through
a VMM.
4. Virtual Machine Rollback: Backups is one of the crucial features an IaaS is dependent
on. Data loss, compromise or security leaks can be minimized by rolling back the VM to
its previous state. This is possible by making frequent snapshots of the current state settings
of the machine. Roll backs is the best escape plan but with it comes a compromise with
security vulnerabilities and configuration errors. It can include a rolling back to a previous
patch which would be vulnerable to hacks. Rolling back will also re-enable the disabled
accounts which can result in data loss or security breach.
5. Virtual Networks: In a VM network, a secure approach for a VMs interconnectivity is to
assign itself to a host through a physical channel however most of the hypervisors use
virtual networks for it but this results in security breaches by hackers using sniffing and
spoofing packets between the VM sharing the data.
Countermeasures
1. Digital Signatures: In order to secure the data, digital signatures with RSA algorithm
should be used as it is said to be the most reliable one. The decryption can only be done by
the person who has encrypted it. Other personnel would be needing a lot of information in
order to crack it.
2. Web application scanners: Web applications are a very easy target. They are open to
masses and can be attacked by anyone. Web application scanner is used to scan the

application and look for the possible vulnerabilities regarding security. By scanning, we
can stop the manipulation of the customers’ data.
3. Virtual Network Security: In a paper by Wu et al. (2010), a frame work is presented that
can be used to secure the communication between virtual machines. In order to prevent
sniffing and spoofing, a virtual network model is used that can route the firewalls and
networks.
Infamous cloud security breaches
Microsoft:
In 2010, there was breach at Microsoft due to which all the business contact information was made
available to the public. It was traced back to its own Business Productivity Online Suite (BPOS).
The problem was solved within two hours but how long ago was the breach made, that is yet to be
known. However, Microsoft used its technology to erase the data from the users servers who might
have accidently downloaded it. People started to have second thoughts regarding Microsoft cloud
services i.e. Office 365.
Dropbox:
The consequences that Dropbox faced after the breach was opened to the public after four years.
In 2012, hackers attacked their cloud service and tapped more than 68 million accounts including
their credentials and information. Later it was being sold at black market for more than $1000
apiece. More than 5 gigabytes of data was stolen. They countered it by requesting their user base
to change their passwords and giving hopes to its customer about data security in future.
LinkedIn:
LinkedIn faced bad luck when within the span of 4 years, their system was breached twice. In
2012, around 6 million accounts were stolen and were later posted on a Russian forum. In 2016,
around 167 million passwords were hacked and were being sold at black market. They requested
their users to change their passwords and also came up with a solution. They introduced two way
authentication. When a person logs in in to LinkedIn, they would require to enter the password as
well as the security code which they will receive on their mobile phones.

Apple iCloud:
The breach that Apple faced is still the most high profile theft. The pictures of famous celebrities
like Jennifer Lawrence, Kate Upton etc. were leaked and posted at online platforms. First it was
thought that there individual cell phones were hacked, but later it was notified that iCloud faced a
breach. They urged their customers to imply stronger passwords. The solution that they came up
with is that the users will receive a notification if any suspicious activity were to be found.
Conclusion
Cloud Computing is the new breed of technology which is proving to be a life changer for the
users. It will help organizations to organize and secure their data. Although it has a lot benefits as
discussed above, the security issues are very alarming. We have discussed issues regarding SPI
model separately. As mentioned in the paper, the security of virtualization and storage are the
biggest concerns. In Pakistan, cloud computing is still unknown to the human kind. The biggest
reason is due to lack of technological education. Government should expose the citizen to the cloud
world. Big companies can invest their money in introducing cloud computing to Pakistan. Since it
is an untapped market, the businesses as well as the people will gain a lot from it
Future Research
Data security and privacy protection issues are very concerning. The objective should be to
develop a framework across all cloud services. Since there are a lot of employees in a work place,
a proper management should be done so that any breach from an employee or an ex-employee
could not take place. There should be a strict policy against unauthorized access. Responsibility
based security assurance systems will accomplish real-time inform, approval and evaluating for
the information proprietors when their private information being gotten to.
Personal Reflection
Nowadays, having a cloud service is very important for people. Not only accessing their services
related to web applications but also storage. Many people use iCloud, Google drive etc. in order
to save their work or pictures in order to keep their memories save with them. I personally have
seen people around me facing issues regarding iCloud security. Although with this many concerns,
it should be deemed unreliable, but the fact that it is cost and time saving cannot be ignored.

References
1. Gartner Inc. (2011): Gartner identifies the Top 10 strategic technologies.
2. Zhao G, Liu J, Tang Y, Sun W, Zhang F, Ye X, Tang N (2009): Cloud Computing: A
Statistics Aspect of Users. In First International Conference on Cloud Computing
(CloudCom), Beijing, China. Heidelberg: Springer Berlin; 347–358.
3. Marinos A, Briscoe G (2009): Community Cloud Computing. In 1st International
Conference on Cloud Computing (CloudCom), Beijing, China. Heidelberg: Springer-
Verlag Berlin.
4. KPMG: From hype to future: KPMG’s 2010 Cloud Computing survey.
5. Rosado DG, Gómez R, Mellado D, Fernández-Medina E (2012): Security analysis in the
migration to cloud environments. Future Internet, 4(2):469–487.
6. Mather T, Kumaraswamy S, Latif S (2009): Cloud Security and Privacy. Sebastopol, CA:
O’Reilly Media, Inc.
7. Jasti A, Shah P, Nagaraj R, Pendse R (2010): Security in multi-tenancy cloud. In IEEE
International Carnahan Conference on Security Technology (ICCST), KS, USA.
Washington, DC, USA: IEEE Computer Society; 35–41.
(“Data security and privacy protection issues in cloud computing,”). Retrieved from:
8. http://tarjomefa.com/wp-content/uploads/2017/07/7186-English-TarjomeFa.pdf
(“An Analysis of security issues for cloud computing,”). Retrieved from:
9. https://link.springer.com/article/10.1186/1869-0238-4-5
(“7 Most infamous cloud security breaches,”). Retrieved from:
10. https://blog.storagecraft.com/7-infamous-cloud-security-breaches/

Data Security Issues in Cloud Computing

More Related Content

Data Security Issues in Cloud Computing