
Special Issue based on Proceedings of 4th International Conference on Cyber Security (ICCS 2018)

A Critical Review of Data Security in Cloud Computing Infrastructure

Rajesh Yadav a,*, Anand Sharma b

a Research Scholar, MUST, Lakshmangarh, Sikar-332311, India
b Asst. Prof., CSE Deptt., MUST, Lakshmangarh, Sikar-332311, India

Abstract: Cloud computing is a newly evolved technology for complex systems that allows on-demand, flexible, scalable, and low-cost services, with massive-scale service sharing among many users. The wide adoption of the cloud computing idea has had significant effects on both fixed and mobile communication systems, prompting frontline research into suitable system protocols and network architectures, alongside resource management components. In cloud computing, access control and security are two major problems. Therefore, the security of both services and users is a substantial issue for the use of, and trust in, cloud computing. This paper reviews recent works concentrating on security issues, solutions, and difficulties in cloud computing infrastructure.

Keywords: Cloud Computing, Cloud Security, Cloud Computing Infrastructure, User Authentication.

1. Introduction

Cloud computing is a relatively new computing model that provides on-demand business and IT services over the Internet. Cloud computing research has been examining the interplay between the infrastructure and communication aspects in order to offer good inter-networking and interoperability between frameworks and systems. Security is the fundamental concern in adopting cloud computing. When data and business applications are entrusted to a third-party cloud, the safety and security issues are serious. Cloud service clients need to understand the risk of data breaches in the cloud system. In this paper, an overview of the different cloud computing models and the distinctive security risks that affect the cloud environment in the areas of integrity, classification, confidentiality and computation on data is explored. This paper also gives solutions for the distinctive security issues arising from the cloud service delivery models.

Types of service models provided by the cloud are described below:

• Software as a service (SaaS):

It delivers whole business applications over the web. Developments in web technology, such as Ajax, alongside ubiquitous network access, have made it possible to deliver the rich features and functionality of desktop applications in a web browser. Examples include spreadsheet tools, word processing, Gmail, WhatsApp, and SAP.

• Platform as a service (PaaS):

Platform as a Service provides clients with a secure online environment where they can rapidly create, test, deploy and deliver web applications and services using browser-based software development tools. It enables developers to build new applications without the burden of purchasing expensive tools and managing local servers. Less work is involved in building an application with PaaS than with the conventional approach, which includes acquiring and managing at least one server for development, testing and production, and installing and configuring server software. Examples include Hadoop, Force.com, Microsoft Azure, and Google App Engine.

• Infrastructure as a service (IaaS):

Infrastructure as a Service provides clients with administrative, web-based access to essential computing resources such as storage, networks, and processing power. IaaS offers infrastructure such as memory, network, processor and storage to users on request.

This raises the question: if cloud computing is so great, why isn't everybody adopting it?

• In the cloud, clients do not know what is going on inside.
• Moreover, even if the cloud provider is honest, there may be eavesdroppers or third-party intruders who can tamper with the VMs and degrade integrity and confidentiality.
• Clouds are still vulnerable to data confidentiality, integrity, and availability issues, in addition to some internal and external attacks.

As organizations move their IT systems to cloud-hosted environments, they face new security challenges. Moreover, as ever, human nature itself is a risk, with poorly managed security leading to shadow IT systems. It can sometimes be easy for a group of employees to turn to external products to satisfy an immediate requirement. IT decision makers should understand what is driving their employees to turn to these solutions, and when the IT department should be involved to help shape those choices.

INTERNATIONAL JOURNAL OF ADVANCED STUDIES OF SCIENTIFIC RESEARCH (IJASSR) ISSN 2460 4010
ABSTRACTED & INDEXED IN ELSEVIER-SSRN

Having the right processes is vital to protecting data and information, even when it is not held inside the enterprise.

2. Cloud Data Security

We have examined the structure and substance of the system. We attempt to highlight the essential developments and look to future trends. This examination goes beyond simply looking at computer systems, cell phones, and other products, and extends into broad concepts like the economy, national security, information assurance, data protection and privacy.

Updates that protect against those vulnerabilities are released routinely, including for SSL/TLS protocol libraries such as OpenSSL; however, site owners still need to install them. We have found that this is still not happening quickly enough. The number of vulnerable websites continues to persist year after year, with almost no improvement to show. While the move from SHA-1 certificates to the significantly stronger SHA-2 is gaining momentum, organizations must deploy the new certificates properly in order for the changes to be effective.

• Immune system for Cloud Computing

This study takes a high-level view of Internet threats and cyber security, highlighting the notable changes and advances. However, we should not overlook that cyber-crime is not harmless. For instance, ransomware locks people out of their computers, holding treasured family photographs to ransom, hijacking unfinished manuscripts for books, and blocking access to government forms, banking records, and other important documents. In addition, there are no guarantees that paying the ransom will release those locks. Organizations, as well as home users, have become victims, and relying on backups is often the last line of defense when cybersecurity should be the first. Targeted attacks steal valuable intellectual property from organizations, and a data breach can shred an organization's reputation, even threatening its survival. Cyber insurance claims are rising in number and cost. In the widest sense, cyber security issues threaten national security and economic growth, by which every one of us is affected.

• Nothing Is Automatically Immune

No system is immune to cybersecurity threats, and in this study the consequences of ignoring the risks from complacency, negligence, and incompetence are clear. Around three years ago a remarkable number of vulnerabilities were identified, and web attack exploit kits are adapting and evolving them more quickly than ever. As more devices are connected, vulnerabilities will be exploited. Protecting Internet-connected devices will become critical to ensuring the security of industrial control systems and medical devices in the network. Alongside the growing number of software vulnerabilities and the parade of attacks on various systems, the future will bring a greater range of diversity as threats against Windows systems extend to other operating systems, mobile, and additional IoT devices. The following tables list various issues, threats and possible solutions for each security threat.

Table 1- Threats and solution for cloud computing security w.r.t. Data Integrity

Issue: Data integrity

Threats: When a data service is outsourced to the cloud, the problem of ensuring storage correctness and integrity emerges. Outsourcing data to the cloud is financially appealing for long-term, large-scale storage. There is no guarantee of data integrity. Since clients no longer hold their data locally, they cannot use traditional cryptographic primitives to protect its correctness. In cloud storage, applications deliver storage as a service. Servers keep a lot of data, and some of it may be accessed only on rare occasions. There is a possible threat that data might be lost or modified, maliciously or accidentally. This can happen because of errors during routine data backup and restore, or data migration.

1st Solution: Provable Data Possession [PDP]: Provable Data Possession is a lightweight remote data integrity checking model. The idea consists of the client computing a hash value for file F with a key k (i.e., h(k, F)) and then sending F to the server. Once the client needs to check the file, it releases k and sends k to the server, which is then asked to recompute the hash value based on F and k; after this, the server replies to the client with the hash result for comparison. The client can initiate multiple checks by keeping different keys and hash values. This approach gives strong proof that the server still holds F.

2nd solution: Proof of Retrievability [POR]: It is also a lightweight protocol, and it tries to minimize the storage on the client and server side. The client stores just a key, which is used to encode the file F in order to get the encoded F'. The idea is that a set of sentinel values is embedded into F', and the server just stores F' without knowing where the sentinels might be. The sentinels are indistinguishable from ordinary data blocks. In the challenge and response protocol, the server is asked to return a specific subset of the sentinels in F'.

Remark: Scalable PDP: It uses symmetric (private) key encryption rather than asymmetric (public) key encryption to reduce computation overhead. Scalable PDP has added various operations on remote data.
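The keyed-hash check from the 1st solution and the sentinel check from the 2nd solution of Table 1, as an added Python sketch that is not code from the paper. HMAC-SHA256 as h(k, F), the 16-byte block size, the function names and the random bytes standing in for the encrypted file are assumptions made for the example.

```python
import hashlib
import hmac
import random
import secrets

BLOCK = 16  # block size in bytes (assumption for this sketch)


def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256, used as the keyed hash h(k, F) and to derive sentinels."""
    return hmac.new(key, msg, hashlib.sha256).digest()


# --- 1st solution: keyed-hash possession check ---
def precompute_audits(f: bytes, count: int) -> list:
    """Before upload the client keeps `count` one-time pairs (k, h(k, F))."""
    keys = [secrets.token_bytes(32) for _ in range(count)]
    return [(k, prf(k, f)) for k in keys]


def server_answer(stored: bytes, k: bytes) -> bytes:
    """The server has to read everything it holds to recompute h(k, F)."""
    return prf(k, stored)


def audit(audits: list, stored: bytes) -> bool:
    """Spend one pair: once k is revealed it cannot prove anything again."""
    if not audits:
        raise RuntimeError("no unused keys left")
    k, expected = audits.pop()
    return hmac.compare_digest(expected, server_answer(stored, k))


# --- 2nd solution: sentinels hidden in the encoded file F' ---
def sentinel_positions(key: bytes, total: int, n: int) -> list:
    """Derived from the key, so the client stores nothing but the key."""
    rng = random.Random(prf(key, b"positions"))  # stand-in for a keyed permutation
    return rng.sample(range(total), n)


def sentinel_value(key: bytes, j: int) -> bytes:
    return prf(key, b"sentinel-%d" % j)[:BLOCK]


def embed_sentinels(key: bytes, enc_blocks: list, n: int) -> list:
    """Build F' by placing n sentinels among the already encrypted blocks."""
    total = len(enc_blocks) + n
    where = {p: j for j, p in enumerate(sentinel_positions(key, total, n))}
    data = iter(enc_blocks)
    return [sentinel_value(key, where[i]) if i in where else next(data)
            for i in range(total)]


def por_check(key: bytes, server_blocks: list, n: int, first: int, q: int) -> bool:
    """Challenge sentinels first..first+q-1; the server only sees positions."""
    positions = sentinel_positions(key, len(server_blocks), n)[first:first + q]
    answer = [server_blocks[p] for p in positions]        # server side
    return all(hmac.compare_digest(sentinel_value(key, first + i), blk)
               for i, blk in enumerate(answer))           # client side


if __name__ == "__main__":
    # Constructed sample: random bytes stand in for the encrypted file.
    blocks = [secrets.token_bytes(BLOCK) for _ in range(200)]
    f = b"".join(blocks)
    audits = precompute_audits(f, count=2)
    print("PDP, intact file:  ", audit(audits, f))
    print("PDP, one bit flip: ", audit(audits, bytes([f[0] ^ 1]) + f[1:]))
    key = secrets.token_bytes(32)
    f_prime = embed_sentinels(key, blocks, n=40)
    print("POR, intact F':    ", por_check(key, f_prime, 40, first=0, q=10))
    wiped = [bytes(BLOCK)] * len(f_prime)
    print("POR, wiped F':     ", por_check(key, wiped, 40, first=10, q=10))
```

The keyed-hash check covers every byte but makes the server read the whole file and uses up one stored key per audit. The sentinel check only samples F', so it catches large-scale loss while a single altered data block can still pass.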

Table 2- Threats and solution for cloud computing security w.r.t. Confidentiality

Issue: Confidentiality

Row 1

Threats: Data is moved to the cloud owing to its flexibility and cost efficiency. Since the client no longer physically holds the data, its privacy, confidentiality, integrity and authenticity are at risk.

1st Solution: Cryptography is the most widely used practice to secure sensitive data, so encryption is applied to the data well before outsourcing. It ensures data privacy and also prevents unsolicited access.

Row 2

Threats: Cryptography makes it difficult to deliver traditional data utilization services, for example, plaintext search over documented / non-documented data.

1st Solution: The trivial solution is to download all of the data and decrypt it locally. It is clearly impractical, because of the enormous bandwidth cost.

2nd solution: Searchable encryption, which has gained attention recently, permits search on encrypted data. At a high level, a searchable encryption scheme uses a prebuilt encrypted search index that lets clients with the proper tokens securely search over the encrypted data through keywords without first decrypting it.

Row 3

Threats: Cross-VM attacks through side channels: side-channel attacks have played a notable part in the history of cryptography. In general, those attacks occur when a system leaks details of its internal operation through some unexpected vector, for instance, computation. The cloud environment offers a wealth of potential side channels because different VMs share physical resources on a single machine, for instance, the processor, disk or instruction cache.

1st Solution: Placement prevention aims to reduce the success rate of placement.

2nd solution: Physical isolation enforcement, which can be incorporated into Service Level Agreements. Likewise, the infrastructure is shared only with "friendly" VMs, which are owned by the same client or other trusted clients.

Remark: New cache designs, which can defeat the attack that works by measuring the behaviour of the interactive instruction cache.
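The encrypted search index described in the second row of Table 2, as an added Python sketch that is not code from the paper. The HMAC-based keyword tokens, the toy stream cipher standing in for a real authenticated cipher, the function names and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for an AEAD."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def token(index_key: bytes, keyword: str) -> str:
    """Search token: keyed hash of the normalised keyword."""
    return hmac.new(index_key, keyword.lower().encode(), hashlib.sha256).hexdigest()


def build_upload(enc_key: bytes, index_key: bytes, docs: dict):
    """Client side: encrypt every document and build the encrypted index."""
    store, index = {}, {}
    for doc_id, text in docs.items():
        nonce = secrets.token_bytes(16)
        store[doc_id] = (nonce, keystream_xor(enc_key, nonce, text.encode()))
        for word in set(text.lower().split()):
            index.setdefault(token(index_key, word), []).append(doc_id)
    return store, index


def server_search(store: dict, index: dict, tok: str) -> dict:
    """Server side: match the token against the index; no key is needed."""
    return {doc_id: store[doc_id] for doc_id in index.get(tok, [])}


def client_decrypt(enc_key: bytes, hits: dict) -> dict:
    """Client side: decrypt only the records the server returned."""
    return {d: keystream_xor(enc_key, n, c).decode() for d, (n, c) in hits.items()}


# Constructed sample records.
SAMPLE_DOCS = {
    "r1": "patient alice diabetes insulin",
    "r2": "patient bob asthma",
    "r3": "invoice alice",
}

if __name__ == "__main__":
    enc_key, index_key = secrets.token_bytes(32), secrets.token_bytes(32)
    store, index = build_upload(enc_key, index_key, SAMPLE_DOCS)
    hits = server_search(store, index, token(index_key, "alice"))
    print(client_decrypt(enc_key, hits))
    # A token made with the wrong index key matches nothing.
    print(server_search(store, index, token(secrets.token_bytes(32), "alice")))
```

The server still learns which records share a keyword and how often the same token is queried, so an index of this kind trades some access-pattern leakage for the saved bandwidth.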

Table 3- Threats and solution for cloud computing security w.r.t. Computational Security

Issue: Computational security

Threats: Computation outsourcing security: current outsourcing practice works in plaintext; that is, it reveals both the data and the computation results to the commercial public cloud. This can raise serious security concerns, particularly when the outsourced computation workloads contain sensitive information, for example, personal health data. Besides, the cloud's operational details are not sufficiently transparent to clients, and furthermore, the cloud can behave unfaithfully and return wrong results.

1st Solution: A recent breakthrough in fully homomorphic encryption (FHE) has shown that general secure computation outsourcing is feasible, at least in principle. Homomorphic encryption is a kind of encryption that allows computations to be performed on ciphertext to produce a ciphertext whose result is identical to that of the same computations performed on the plaintext. Typically the homomorphic function supports either addition or multiplication.
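The "either addition or multiplication" property from Table 3, as an added Python sketch that is not code from the paper. It uses Paillier for addition and unpadded textbook RSA for multiplication, two schemes the paper does not name; the toy primes, function names and sample readings are assumptions made for the example.

```python
import math
import secrets

# Constructed toy primes: far too small for real use, kept small for readability.
P, Q = 1009, 1013
N = P * Q
N2 = N * N

# --- additive homomorphism: Paillier with g = n + 1 ---
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lcm(p - 1, q - 1)
MU = pow(LAM, -1, N)  # with g = n + 1, L(g^lam mod n^2) = lam mod n


def paillier_encrypt(m: int) -> int:
    """Randomised encryption: c = (n + 1)^m * r^n mod n^2."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2


def paillier_decrypt(c: int) -> int:
    return ((pow(c, LAM, N2) - 1) // N) * MU % N


def paillier_add(c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts (mod n)."""
    return (c1 * c2) % N2


def cloud_total(ciphertexts: list) -> int:
    """What an untrusted server can do: sum readings it cannot read."""
    total = paillier_encrypt(0)
    for c in ciphertexts:
        total = paillier_add(total, c)
    return total


# --- multiplicative homomorphism: unpadded textbook RSA ---
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def rsa_multiply(c1: int, c2: int) -> int:
    """Multiplying ciphertexts multiplies the plaintexts (mod n)."""
    return (c1 * c2) % N


if __name__ == "__main__":
    readings = [120, 135, 128, 142]  # constructed sample values
    encrypted = [paillier_encrypt(m) for m in readings]
    print("sum computed on ciphertext:", paillier_decrypt(cloud_total(encrypted)))
    product = rsa_multiply(rsa_encrypt(12), rsa_encrypt(34))
    print("product computed on ciphertext:", rsa_decrypt(product))
```

Results are only correct while the true sum or product stays below n. Each scheme here supports one operation only, which is the limitation that fully homomorphic encryption removes.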

Table 4- Threats and solution for cloud computing security w.r.t. Secure Virtualization

Issue: Secure virtualization

Threats: System performance is slightly degraded, and a small performance penalty is incurred. This acts as an obstacle to the acceptance of an ACPS system.

1st Solution: An Advanced Cloud Protection System (ACPS) is proposed to guarantee the security of guest virtual machines and of distributed computing middleware.

2nd solution: The behaviour of cloud components can be monitored by logging and periodic checking of executable system files.


Table 5- Threats and solution for cloud computing security w.r.t. Crosscloud and interoperability

Issue: Trust model for security in crosscloud and interoperability

Threats: Security in the crosscloud situation is a current issue. Crosscloud is only able to handle a limited number of security threats in a fairly small environment.

1st Solution: Different domains for users and service providers, including a special trust agent.

2nd solution: Different trust strategies for customers and service providers.

Remark: For trust assignment, the transaction factors and time are considered.

Table 6- Threats and solution for cloud computing security w.r.t. service delivery models

Issue: Security threats in service delivery models

Row 1

Threats: Security threats in SaaS

1st Solution: In SaaS, the client depends on the provider for security measures. The service provider must prevent multiple users from seeing each other's data, since it employs multitenancy. So it is difficult for the user to ensure those security measures.

2nd solution: Data locality can be reliably assured to the SaaS customer by a service level agreement (SLA) that guarantees where the data is safely stored. Because of multitenancy, various clients' data is stored in the same location. Intrusion should be prevented, which can be accomplished by proper VM placement and by identifying the occupant VM. Data access risk can be addressed by incorporating appropriate access policies in the SaaS application itself. Web application security addresses the programming interface design through which virtualized system with assets.

Row 2

Threats: Security threats in PaaS

1st Solution: Security of the PaaS by the cloud service provider.

2nd solution: Security of customer applications installed on a PaaS platform.

Row 3

Threats: Security threats in IaaS

1st Solution: With IaaS, cloud clients have better control over security compared to the alternative models. The cloud service provider ought to guarantee there is no security loophole in the virtual machine.

2nd solution: Virtualization: It enables clients to create, copy, share, migrate, and roll back virtual machines, which may allow them to run a variety of applications. Virtual machine security becomes as important as physical machine security, and a flaw in either one may affect the other. The Virtual Machine Monitor (VMM) is responsible for virtual machine isolation; therefore, if the VMM is compromised, its virtual machines may potentially be compromised as well.

3. Cloud Infrastructure Security

As IT security researchers, we ought to emphasize prevention, mitigation and detection, as well as complete fixes. Concepts borrowed from epidemiology, incident response planning and security tools are becoming more important and useful. We all need to stay digitally clean and healthy, and security habits should be relearned, again and again. Information security cannot wait for help tickets to be opened or for a favoured security tool to identify an issue conclusively. Security needs to start digging through the data proactively during non-breach response time.

Infrastructure security can be viewed, assessed and implemented according to its building levels: the network, host and application levels.

3.1. Infrastructure Security - The Network Level

When looking at the network level of infrastructure security, it is important to distinguish between private clouds and public clouds. With private clouds, there are no new attacks, vulnerabilities, or changes in risk specific to this topology that information security personnel need to consider. There are four distinct risk factors in this case:
• Ensuring the confidentiality and integrity of the organization's data in transit to and from a public cloud;
• Ensuring proper access control (validation, authentication, auditing and authorization) to whatever resources are used at the public cloud provider;
• Ensuring the availability of the Internet-facing resources in a public cloud that are being used by an organization, or have been assigned to an organization by public cloud providers;
• Replacing the established model of network zones and tiers with domains.

3.2. Infrastructure Security - The Host Level

When reviewing host security and assessing risks, the context of cloud service delivery models (PaaS, SaaS, and IaaS) and deployment models (private, public, and hybrid) ought to be considered. The host security responsibilities in PaaS and SaaS services are transferred to the provider of cloud services. IaaS customers are primarily responsible for securing the hosts provisioned in the cloud.

3.3. Infrastructure Security - The Application Level

Application or software security should be a basic component of a security program. Most enterprises with information security programs have yet to establish application security methods to address this domain. Planning, designing and implementing applications intended for deployment on a cloud platform will require existing application security programs to rethink current practices and standards. The application security spectrum ranges from standalone single-user applications to sophisticated multiuser online e-commerce applications used by numerous clients. The level is responsible for managing:
• Application-level security;
• End user security;
• Application security at PaaS;
• Application security at SaaS;
• Application security at IaaS;
• Application security deployed by a customer;
• Public cloud security restrictions.

In summary, infrastructure security and cloud computing issues lie in the area of defining and providing the security-specified aspects each party delivers.

4. Protecting the IT infrastructure

In the face of these threats, and many others like them, the old advice holds good for any infrastructure services, including file servers, web servers, and other Internet-connected devices:
• Stay informed about emerging threats.
• Apply patches and updates.
• Use integrated security software, including anti-malware methods and technology.
• Use a firewall that only allows known traffic, and review all the access logs regularly to detect any potentially suspicious activity.
• Make use of multi-layer protection, so that if any one layer is compromised, there are other layers to secure different areas of the system.
• Train staff and implement the right policies.
• Control access on a least-privilege basis.
• Install network intrusion prevention and detection, and monitor email services running on the server.
• Always keep backups offsite.

Apart from these, one should be concerned about cloud systems too. Here are some additional considerations:
• Safeguard all credentials used to access the cloud-based administration functions and ensure access is controlled on a need-to-know basis.
• Understand the settings of the cloud resources/nodes and configure them accordingly.
• Enable event logging to keep track of who is accessing data in the cloud.
• Understand the cloud providers' service-level agreements, which set out how data in the cloud is secured.
• Cloud IP addresses should be included in vulnerability management processes that perform audits on any services provided through the cloud.

5. Conclusion

The cloud computing model can scale up services and virtual resources on demand. Over the traditional cluster system, cloud service gives clients a considerable number of advantages. Cloud computing builds on periods of research in virtualization, distributed computing, utility computing, service computing and, more recently, networking, and web and software services. The cloud is a significant challenge in how computing resources will be used, since the aim of cloud computing is to change the economics of the data center; however, before sensitive and regulated data move into the public cloud, issues of security standards and compatibility must be addressed, including strong verification, secure authentication, delegated authorization, key management for encrypted data, data loss protections and regulatory reporting. Clients ought to be aware of the risks and weaknesses present in the current cloud computing environment before becoming a part of it.

All are elements of a secure identity, data and infrastructure model, and can be applied to public and private clouds as well as to IAAS, SAAS and IAAS services. No large investment is required for infrastructure upgrades, labour or ongoing costs.

This paper presented the latest work concentrating on security issues, solutions, and difficulties in cloud computing infrastructure. In the development of private and public clouds, service providers should use the guiding principles to adopt and extend security methods/tools and secure products to build and offer end-to-end trustworthy cloud computing and services.