Security and privacy issues in cloud computing

Architectures and Protocols for Secure Information Technology Infrastructures

Volumn , Issue , 2013, Pages 1-45

  Sen, Jaydip ^a,b  

^a TATA CONSULTANCY SERVICES   (India)

^b NATIONAL INSTITUTE OF SCIENCE AND TECHNOLOGY   (India)

Author keywords

[No Author keywords available]

Indexed keywords

INTEROPERABILITY;

COST EFFICIENCY; CRITICAL CHALLENGES; DEPLOYMENT MODELS; FUTURE TRENDS; GARTNER HYPE CYCLE; SECURITY AND PRIVACY ISSUES; SERVICE QUALITY; TIME TO MARKET;

CLOUD COMPUTING;

EID: 84902383043     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.4018/978-1-4666-4514-1.ch001     Document Type: Chapter

References (112)

1. Alliance for Telecommunications Industry Solutions. (n.d.). Homepage. Retrieved from http://www.atis.org
2. Amazon S3 Availability Event. (2008). Retrieved from http://status.aws.amazon.com/s3-20080720.html
3. AOL Apologizes for Release of User Search Data. (2006). Retrieved from news.cnet.com/2010-1030_3-6102793.html
4. Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R. H., &Konwinsky, A.,Zaharia, M. (2009). Above the clouds: A Berkeley view of cloud computing (Technical Report No. UCB/ EECS-2009-28). Berkeley, CA: University of California at Berkeley. Retrieved from http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf
5. Association for Retail Technology Standards (ARTS). (n.d.). Homepage. Retrieved from http://www.nrf-arts.org
6. Badger, L., Grance, T., Patt-Corner, R., &Voas, J. (2011). Draft cloud computing synopsis and recommendations (Special Publication 800-146). National Institute of Standards and Technology (NIST). US Department of Commerce. Retrieved from http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
7. Bertion, E., Paci, F., &Ferrini, R. (2009, March). Privacy-preserving digital identity management for cloud computing. IEEE Computer Society Data Engineering Bulletin, 1-4.
8. Biggs &Vidalis. (2009). Cloud computing: The impact on digital forensic investigations. In Proceedings of the 7th International Conference for Internet Technology and Secured Transactions (ICITST'09). London, UK: ICITST.
9. Blaze, M., Kannan, S., Lee, I., Sokolsky, O., Smith, J. M., Keromytis, A. D., &Lee, W. (2009). Dynamic trust management. IEEE Computer, 42(2), 44-52. doi:10.1109/MC.2009.51.
10. Bruening, P. J., &Treacy, B. C. (2009). Cloud computing: Privacy, security challenges. Washington, DC: Bureau of National Affairs.
11. Center for the Protection of Natural Infrastructure (CPNI). (2010). Information security briefing on cloud computing, 01/2010. Retrieved from http://www.cpni.gov.uk/Documents/Publications/2010/2010007-ISB_cloud_computing.pdf
12. Chen, Y., Paxson, V., &Katz, R. H. (2010). What's new about cloud computing security? (Technical Report UCB/EECS-2010-5). Berkeley, CA: EECS Department, University of California, Berkeley. Retrieved from http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html
13. Chor, B., Kushilevitz, E., Goldreich, O., &Sudan, M. (1998). Private information retrieval. Journal of the ACM, 45(9), 965-981. doi:10.1145/293347.293350.
14. Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., &Molina, J. (2009). Controlling data in the cloud: Outsourcing computation without outsourcing control. In Proceedings of the ACM Workshop on Cloud Computing Security (CCSW'09), (pp. 85-90). Chicago, IL: ACM Press. Cloud Security Alliance. (n.d.). Homepage. Retrieved from https://cloudsecurityalliance.org
15. Cloud Security Alliance (CSA). (2009). Security guidance for critical areas of focus in cloud computing. CSA. Retrieved from https://cloudsecurityalliance.org/csaguide.pdf
16. CNet. (2009). FTC questions cloud computing security. Retrieved from http://news.cnet.com/8301-13578_3-10198577-38.html?part=rss&subj=news&tag=2547-1_3-0-20
17. Cryptographic Key Management Project. (n.d.). Website. Retrieved from http://csrc.nist.gov/ groups/ST/key_mgmt/
18. Distributed Management Task Force. (n.d.). Homepage. Retrieved from http://www.dmtf.org
19. Don't Cloud Your Vision. (n.d.). Retrieved from http://www.ft.com/cms/s/0/303680a6-bf51-11ddae63-0000779fd18c.html?nclick_check=1
20. European Network and Information Security Agency (ENISA). (2009). Cloud computing: Benefits, risks and recommendations for information security. Geneva, Switzerland: ENISA.
21. European Telecommunication Standards Institute. (n.d.). Homepage. Retrieved from http://www.etsi.org
22. Flexiscale Suffers 18-Hour Outage. (2008). Retrieved from http://www.thewhir.com/webhosting-news/flexiscale-suffers-18-hour-outage
23. Forum, T. M. (n.d.). Homepage. Retrieved from http://www.tmforum.org
24. Gajek, S., Jensen, M., Liao, L., &Schwenk, J. (2009). Analysis of signature wrapping attacks and countermeasures. In Proceedings of the IEEE International Conference on Web Services, (pp. 575-582). Los Angeles, CA: IEEE.
25. Garfinkel, S., &Shelat, A. (2003). Remembrance of data passed: A study of disk sanitization practices. IEEE Security and Privacy, 1(1), 17-27. doi:10.1109/MSECP.2003.1176992.
26. Gartner Hype-Cycle. (2012). Cloud computing and big data. Retrieved from http://www.gartner.com/technology/research/hype-cycles/
27. Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC'09), (pp. 169-178). Bethesda, MD: ACM.
28. Gruschka, N., &Iacono, L. L. (2009). Vulnerable cloud: SOAP message security validation revisited. In Proceedings of IEEE International Conference on Web Services (ICWS'09), (pp. 625-631). Los Angeles, CA: IEEE.
29. IBM Blue Cloud Initiative Advances Enterprise Cloud Computing. (n.d.). Retrieved from http://www-03.ibm.com/press/us/en/pressrelease/26642.wss
30. Institute of Electrical and Electronics Engineers (IEEE). (n.d.). Homepage. Retrieved from http://www.ieee.org
31. International Telecommunication Union - Telecommunication Standardization Sector (ITU-T). (n.d.). Homepage. Retrieved form http://www.itu.int/ITU-T
32. Internet Engineering Task Force. (n.d.). Homepage. Retrieved from http://www.ietf.org
33. Joshi, J. B. D., Bhatti, R., Bertino, E., &Ghafoor, A. (2004). Access control language for multidomain environments. IEEE Internet Computing, 8(6), 40-50. doi:10.1109/MIC.2004.53.
34. Ko, M., Ahn, G.-J., &Shehab, M. (2009). Privacyenhanced user-centric identity management. In Proceedings of IEEE International Conference on Communications, (pp. 998-1002). Dresden, Germany: IEEE.
35. Latest Cloud Storage Hiccups Prompts Data Security Questions. (n.d.). Retrieved from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130682&source=NLT_PM
36. Leavitt, N. (2009). Is cloud computing really ready for prime time? IEEE Computer, 42(1), 15-20. doi:10.1109/MC.2009.20.
37. Leighon, T. (2009). Akamai and cloud computing: A perspective from the edge of the cloud (White Paper). Akamai Technologies. Retrieved from http://www.essextec.com/assets/cloud/akamai/cloud-computing-perspective-wp.pdf
38. Lowensohn, J., &McCarthy, C. (2009). Lessons from Twitter's security breach. Retrieved from http://news.cnet.com/8301-17939_109-10287558-2.html
39. Molnar, D., &Schechter, S. (2010). Self hosting vs. cloud hosting: Accounting for the security impact of hosting in the cloud. In Proceedings of the Workshop on the Economics of Information Security. Retrieved from http://weis2010.econinfosec.org/papers/session5/weis2010_schechter.pdf
40. Netflix Prize. (n.d.). Retrieved from http://www.netflixprize.com/
41. Network World. (2008). Loss of customer data spurs closure of online storage service the linkup. Retrieved from http://www.networkworld.com/news/2008/081108-linkup-failure.html?page=1
42. News, B. B. C. (2009). Facebook users suffer viral surge. Retrieved from http://news.bbc.co.uk/2/hi/technology/7918839.stm
43. Object Management Group. (n.d.). Homepage. Retrieved from http://www.omg.org
44. Open Cloud Computing Interface. (n.d.). Homepage. Retrieved from http://occi-wg.org
45. Open Cloud Consortium. (n.d.). Homepage. Retrieved from http://opencloudconsortium.org
46. Organization for the Advancement of Structured Information Standards. (n.d.). Homepage. Retrieved from http://www.oasis-open.org
47. Post, W. (2008). Lithuania weathers cyber attack, braces for round 2. Retrieved from http://blog.washingtonpost.com/securityfix/2008/07/lithuania_weathers_cyber_attac_1.html
48. Ristenpart, T., Tromer, E., Shacham, H., &Savage, S. (2009). Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09), (pp. 199-212). Chicago: ACM Press.
49. Security Bulletin, M. MS07-049. (2007). Vulnerability in virtual PC and virtual server could allow elevation of privilege (937986). Retrieved from http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx
50. Security Evaluation of Grid Environments. (n.d.). Retrieved from http://www.slideworld.com/slideshows.aspx/Security-Evaluation-of-Grid-Environments-ppt-217556
51. Sen, J. (2010a). An agent-based intrusion detection system for local area networks. International Journal of Communication Networks and Information Security, 2(2), 128-140.
52. Sen, J. (2010b). An intrusion detection architecture for clustered wireless ad hoc networks. In Proceedings of the 2nd IEEE International Conference on Intelligence in Communication Systems and Networks (CICSyN'10), (pp. 202-207). Liverpool, UK: CICsyN.
53. Sen, J. (2010c). A robust and fault-tolerant distributed intrusion detection system. In Proceedings of the 1st International Conference on Parallel, Distributed and Grid Computing (PDGC'10), (pp. 123-128). Waknaghat, India: PDGC.
54. Sen, J. (2010d). A distributed trust management framework for detecting malicious packet dropping nodes in a mobile ad hoc network. International Journal of Network Security and its Applications, 2(4), 92-104.
55. Sen, J. (2010e). A distributed trust and reputation framework for mobile ad hoc networks. In Proceedings of the 1st International Workshop on Trust Management in Peer-to-Peer Systems (IWTMP2PS), (pp. 538-547). Chennai, India: Springer.
56. Sen, J. (2010f). A trust-based robust and efficient searching scheme for peer-to-peer networks. In Proceedings of the 12th International Conference on Information and Communication Security (ICICS) (LNCS), (vol. 6476, pp. 77-91). Barcelona, Spain: Springer.
57. Sen, J. (2010g). Reputation- and trust-based systems for wireless self-organizing networks. In Security of Self-Organizing Networks: MANET, WSN, WMN, VANET (pp. 91-122). Boca Raton, FL: CRC Press. doi:10.1201/EBK1439819197-7.
58. Sen, J. (2011a). A robust mechanism for defending distributed denial of service attacks on web servers. International Journal of Network Security and its Applications, 3(2), 162-179.
59. Sen, J. (2011b). A novel mechanism for detection of distributed denial of service attacks. In Proceedings of the 1st International Conference on Computer Science and Information Technology (CCSIT'11), (pp. 247-257). Springer.
60. Sen, J. (2011c). A secure and efficient searching for trusted nodes in peer-to-peer network. In Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems (CISIS'11) (LNCS), (vol. 6694, pp. 101-109). Berlin: Springer.
61. Sen, J., Chowdhury, P. R., &Sengupta, I. (2006c). A distributed trust mechanism for mobile ad hoc networks. In Proceedings of the International Symposium on Ad Hoc and Ubiquitous Computing (ISAHUC'06), (pp. 62-67). Surathkal, India: ISAHUC.
62. Sen, J., Chowdhury, P. R., &Sengupta, I. (2007). A distributed trust establishment scheme for mobile ad hoc networks. In Proceedings of the International Conference on Computation: Theory and Applications (ICCTA'07), (pp. 51-57). Kolkata, India: ICCTA.
63. Sen, J., &Sengupta, I. (2005). Autonomous agentbased distributed fault-tolerant intrusion detection system. In Proceedings of the 2nd International Conference on Distributed Computing and Internet Technology (ICDCIT'05) (LNCS), (vol. 3186, pp. 125-131). Bhubaneswar, India: Springer.
64. Sen, J., Sengupta, I., &Chowdhury, P. R. (2006a). A mechanism for detection and prevention of distributed denial of service attacks. In Proceedings of the 8th International Conference on Distributed Computing and Networking (ICDCN'06) (LNCS), (vol. 4308, pp. 139-144). Berlin: Springer.
65. Sen, J., Sengupta, I., &Chowdhury, P. R. (2006b). An architecture of a distributed intrusion detection system using cooperating agents. In Proceedings of the International Conference on Computing and Informatics (ICOCI'06), (pp. 1-6). Kuala Lumpur, Malaysia: ICOCI.
66. Sen, J., Ukil, A., Bera, D., &Pal, A. (2008). A distributed intrusion detection system for wireless ad hoc networks. In Proceedings of the 16th IEEE International Conference on Networking (ICON'08), (pp. 1-5). New Delhi, India: IEEE.
67. Shacham, H., &Waters, B. (2008). Compact proofs of retrievability. In Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: (ASIACRYPT'08) (LNCS), (vol. 5350, pp. 90-107). Melbourne, Australia: Springer.
68. Shin, D., &Ahn, G.-J. (2005). Role-based privilege and trust management. Computer Systems Science and Engineering Journal, 20(6), 401-410.
69. Sinclair, S., &Smith, S. W. (2008). Preventive directions for insider threat mitigation using access control. In Stolfo, S., Bellovin, S. M., Hershkop, S., Keromytis, A. D., Sinclair, S., &Smith, W. (Eds.), Insider Attack and Cyber Security: Beyond the Hacker. London: Springer. doi:10.1007/978- 0-387-77322-3_10.
70. Song, D., Wagner, D., &Perrig, A. (2000). Practical techniques for searches on encrypted data. In Proceedings of the IEEE Symposium on Research in Security and Privacy, (pp. 44-55). Oakland, CA: IEEE.
71. Storage Networking Industry Association. (n.d.). Homepage. Retrieved from http://www.snia.org
72. Takabi, H., Joshi, J. B. D., &Ahn, G.-J. (2010). Security and privacy challenges in cloud computing environments. IEEE Security and Privacy, 8(6), 24-31. doi:10.1109/MSP.2010.186.
73. Tracker, S. (n.d.). VMWare shared folder bug lets local users on the guest OS gain elevated privileges on the host OS. Security Tracker ID: 1019493. Retrieved from http://securitytracker.com/id/1019493
74. Trusted Computing Group (TCG). (2010). Cloud computing and security- A natural match. Retrieved from http://www.trustedcomputinggroup.org
75. World, C. (2008). Extended gmail outage hits apps admins. Retrieved from http://www.computerworld.com/s/article/9117322/Extended_Gmail_outage_hits_Apps_admins
76. World, P. C. (2007). Salesforce.com warns customers of phishing scam. Retrieved from http://www.pcworld.com/businesscenter/article/139353/article.html
77. Xen Vulnerability. (n.d.). Retrieved from http://secunia.com/advisories/26986/
78. Zetter, K. (2010). Google hackers targeted source code of more than 30 companies. Wired Threat Level. Retrieved from http://www.wired.com/threatlevel/2010/01/google-hack-attack/
79. Zhang, Y., &Joshi, J. (2009). Access control and trust management for emerging multidomain environments. In Upadhyay, S., &Rao, R. O. (Eds.), Annals of Emerging Research in Information Assurance, Security and Privacy Services (pp. 421-452). Dublin, Ireland: Emerald Group Publishing.
80. Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., &Ho, A. Warfield, A. (2003). Xen and the art of virtualization (Technical Report). Cambridge, UK: University of Cambridge. Retrieved from www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf
81. Bhattacherjee, B., Abe, N., Goldman, K., Zadrozny, B., Chillakuru, V. R., Del Caprio, M., &Apte, C. (2006). Using secure coprocessors for privacy preserving collaborative data mining and analysis. In Proceedings of the 2nd International Workshop on Data Management on New Hardware (DaMoN'06). Chicago, IL: ACM Press.
82. Boneh, D., &Waters, B. (2007). Conjunctive, subset, and range queries on encrypted data. In Proceedings of the 4th Conference on Theory of Cryptography (TCC'07), (pp. 530-534). TCC.
83. Brandic, I., Music, D., Leitner, P., &Dustdar, S. (2009). VieSLAF framework: Enabling adaptive and versatile SLA-management. In Proceedings of the 6th International Workshop on Grid Economics and Business Models (GECON'09), (pp. 60-73). Delft, The Netherlands: GECON.
84. Cavoukian, A. (2008). Privacy in the clouds: A white paper on privacy and digital identity: Implications for the internet. Retrieved from http://www.ipc.on.ca/images/resources/privacyintheclouds.pdf
85. Chappel, D. (2008). Introducing the azure services platform. Retrieved from http://download.microsoft.com
86. Chong, F., Carraro, G., &Wolter, R. (2006). Multitenant data architecture. Retrieved from http://msdn.microsoft.com/en-us/library/aa479086.aspx
87. Creeger, M. (2009). Cloud computing: An overview. ACM Queue-. Distributed Computing, 7(5), 2.
88. DeCandia, G., Hastorun, D., Jampani, M., Kakulapati, G., Lakshman, A., &Pilchin, A. Vogels, W. (2007). Dynamo: Amazon's highly available key-value store. In Proceedings of the 21st ACM SIGOPS Symposium on Operating Systems Principles (SOSP'07), (pp. 205-220). Stevenson, WA: SOSP.
89. Desisto, R. P., Plummer, D. C., &Smith, D. M. (2008). Tutorial for understanding the relationship between cloud computing and SaaS. Stamford, CT: Gartner.
90. Emig, C., Brandt, F., Kreuzer, S., &Abeck, S. (2007). Identity as a service- Towards a serviceoriented identity management architecture. In Proceedings of the 13th Open European Summer School and IFIP TC6.6 Conference on Dependable and Adaptable Network and Services (EUNICE' 07), (pp. 1-8). Twente, The Netherlands: EUNICE.
91. Everett, C. (2009). Cloud computing- A question of trust. Computer Fraud &Security, (6): 5-7. doi:10.1016/S1361-3723(09)70071-5.
92. Gellman, R. (2009). Privacy in the clouds: Risks to privacy and confidentiality from cloud computing. World Privacy Forum (WPF) Report. Retrieved from http://www.worldprivacyforum.org/cloudprivacy.html
93. Golden, B. (2009). Capex vs. opex: Most people miss the point about cloud economics. Retrieved from http://www.cio.com/article/484429/Capex_vs._Opex_Most_People_Miss_the_point_About_Cloud_Economic
94. Heritage, T. (2009). Hosted informatics: Bringing cloud computing down to earth with bottom-line benefits for pharma. Next Generation Pharmaceutical, (17).
95. Itani, W., Kayssi, A., &Chehab, A. (2009). Privacy as a service: Privacy-aware data storage and processing in cloud computing architectures. In Proceedings of the 8th IEEE International Conference on Dependable, Automatic and Secure Computing (DASC'09), (pp. 711-716). Chengdu, China: DASC.
96. Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security &Privacy, 7(4), 61-64. doi:10.1109/MSP.2009.87.
97. Messmer, E. (2009). Gartner on cloud security: Our nightmare scenario is here now. Network World Retrieved from http://www.networkworld.com/news/2009/102109-gartner-cloud-security.html
98. Open Cloud Manifesto. (n.d.). Retrieved from http://www.opencloudmanifesto.org/Open%20Cloud%20Manifesto.pdf
99. Pearson, S. (2009). Taking account of privacy when designing cloud computing services. In Proceedings of the ICSE Workshop on Software Engineering Challenges of Cloud Computing (CLOUD'09), (pp. 44-52). Vancouver, Canada: ICSE.
100. Pearson, S., &Charlesworth, A. (2009). Accountability as a way forward for privacy protection in the cloud. In Proceedings of the 1st International Conference on Cloud Computing (CloudCom'09), (pp. 131-144). Beijing, China: CloudCom.
101. Petry, A. (2007). Design and implementation of a xen-based execution environment. (Diploma Thesis). Technische Universitat Kaiserslautern, Kaiserslautern, Germany.
102. Price, M. (2008). The paradox of security in virtual environments. IEEE Computer, 41(11), 22-38. doi:10.1109/MC.2008.472.
103. RightScale Inc. (2009). RightScale cloud management features. Retrieved from http://www.rightscale.com/products/cloud-management.php
104. Rochwerger, R., Caceres, J., Montero, R. S., Breitgand, D., Elmroth, E., &Galls, A. et al. (2009, September). The reservoir model and architecture for open federated cloud computing. IBM Systems Journal.
105. Schubert, L., Kipp, A., &Wesner, S. (2009). Above the clouds: From grids to service-oriented operating systems. In Tselentis, G. et al. (Eds.), Towards the Future Internet- A European Research Perspective (pp. 238-249). Amsterdam: IOS Press.
106. Sims, K. (2009). IBM blue cloud initiative advances enterprise cloud computing. Retrieved from http://www-03.ibm.com/press/us/en/pressrelease/26642.wss
107. Sotomayor, B., Montero, R. S., Llorente, I. M., &Foster, I. (2009). Virtual infrastructure management in private and hybrid cloud. IEEE Internet Computing, 13(5), 14-22. doi:10.1109/ MIC.2009.119.
108. Tech Republic. (2013). Cloud computing security: Making virtual machines cloud ready. Retrieved from http://www.techrepublic.com/whitepapers/cloud-computing-security-making-virtual-machines-cloud-ready/1728295
109. Vaquero, L. M., Rodero-Merino, L., Caceres, J., &Linder, M. (2009). A break in the clouds: Towards a cloud definition. ACM SIGCOMM Computer Communication Review, 39(1), 50-55. doi:10.1145/1496091.1496100.
110. Vouk, M. A. (2008). Cloud computing - Issues, research and implementations. In Proceedings of the 30th International Conference on Information Technology Interfaces (ITI'08), (pp. 31-40). Cavtat, Croatia: ITI.
111. Vozmediano, R. M., Montero, R. S., &Llorente, I. M. (2011). Multi-cloud deployment of computing clusters for loosely-coupled MTC applications. IEEE Transactions on Parallel and Distributed Systems, 22(6), 924-930. doi:10.1109/ TPDS.2010.186.
112. Zimory Gmb, H. (2009). Zimory distributed cloud - Whitepaper. Retrieved from http://www.zimory.de/index.php?eID=tx_nawsecuredl&u=0&file=fileadmin/user_upload/pdf/Distributed_Clouds_Whitepaper.pdf&t=1359027268&hash=93c5f42f8c91817a746f7b8cff55fbdc68ae7379