16marchfinalimran 1401

This thesis analyzes the latest threats and challenges in cloud computing, highlighting issues such as data breaches, account hijacking, and performance challenges. It emphasizes the need for effective security measures and solutions to mitigate risks associated with cloud services. The research is based on secondary data gathered from literature, internet sources, and books, aiming to provide a comprehensive understanding of cloud computing and its vulnerabilities.

Uploaded by

Shah Zazai

Ministry of Higher Education

Jahan University
Directorate of Academic Affairs
Faculty of Computer Science
Department of Networking

Analyze Latest Cloud Computing Threats and Challenges

Submitted by: Imran khan “Zazai”

Supervisor: Muhammad Faheem “Naseri”

Judge:

Year: 1401
Dedication
This thesis is dedicated to my parents, who have supported me all the way since the beginning
of my studies and who taught me that the best kind of knowledge is that which is learned for its
own sake. This thesis is also dedicated to my beloved brothers, who stand with me when things
look bleak and who encourage and support me. Finally, this thesis is dedicated to all those who
believe in the richness of learning. No word of thanks can be enough for them, for their
encouragement, support and belief in me.
Acknowledgement
None of this work would have been possible without the blessing of Allah Almighty. This thesis
would not have been possible without the support of many people. I would like to express my
gratitude to my supervisor Muhammad Fahim “Naseri”, who was abundantly helpful and offered
invaluable assistance, support and guidance. Thanks to him, and I thank all my friends
who helped me to complete the thesis.
Abstract
Cloud computing is one of the emerging technologies in the world. It is a computing technology
that provides sharable computing resources such as software, platforms, storage and applications
as a service to customers on demand over the internet. Cloud computing is a pay-per-use,
on-demand model that gives convenient access to shared IT resources through the internet. Its
advantages include cost savings, scalability, high availability, resilience, flexibility, efficiency
and outsourcing of non-core activities. Cloud computing offers an innovative business model for
organizations to adopt IT services without upfront investment. The main objective of this thesis
is to analyze the latest cloud threats and challenges, to understand cloud computing, to
understand the latest cloud threats and challenges, and to understand the solutions to the
challenges. My main research questions are: what is cloud computing, what are the latest cloud
computing threats and challenges, and what are the solutions for cloud challenges. To answer
these questions I assume that cloud computing is the delivery of various software services over
the internet through remote servers. I assume the data breach threat, data loss threat, account
hijacking threat, insecure API threats, virtual threat, multi-cloud challenges, performance
challenges, downtime challenges and lack-of-knowledge challenges. I assume that users can use
traditional IT processes, Cloud solution certificate, GDPR and multi-cloud management to prevent
cloud challenges. This thesis is based on secondary data. The data is gathered by literature
analysis, the internet and books. Regarding the Insufficient Due Diligence threat, users must be
ready to work on the cloud architecture and must be aware of its threats and risks. There is no
complete solution that can prevent the cloud challenges and give customers full security. These
solutions can reduce the level of impact of these challenges and give customers some kind of
protection. Cloud is a double-edged sword, and clearly there are both threats and challenges with
the cloud.

Keywords: Cloud computing, Threats and Challenges, Deployment model, Services model
Table of contents

A. Introduction
B. Literature Review
C. Problem Statement
D. Research Objectives
E. Research Need
F. Research Questions
G. Hypothesis
H. Research Methodology
I. Research Innovation
J. Research Design
K. Research Limitation
Chapter One
Fundamental and Generalities
Topic One: Introduction to Cloud Computing
  Section One: History of Cloud Computing
    Sub-Section One: Advantages of Cloud Computing
    Sub-Section Two: Disadvantages of Cloud Computing
  Section Two: Deployment Model
    Sub-Section One: Benefits of Public, Private, Hybrid Clouds
    Sub-Section Two: Risks of Public, Private, Hybrid Clouds
Topic Two: Cloud Services Delivery Models
  Section One: Infrastructure as a Services (IaaS)
    Sub-Section One: Platform as a Services (PaaS)
    Sub-Section Two: Software as a Services (SaaS)
  Section Two: Advantages of IaaS, PaaS, SaaS
    Sub-Section One: Disadvantages of IaaS, PaaS, SaaS
    Sub-Section Two: Services Providers
Chapter Two
Data Analysis and Finding
Topic One: Cloud Computing Security
  Section One: Cloud Computing Security Method
    Sub-Section One: Physical Security
    Sub-Section Two: Cloud Security Services
  Section Two: Security and Privacy of Cloud Computing
    Sub-Section One: The Key Concern in Cloud Computing
    Sub-Section Two: Responsible for Protecting Privacy
Topic Two: Cloud Computing Threats
  Section One: Most Cloud Computing Threats
    Sub-Section One: Other Threats
    Sub-Section Two: Virtual Threats
  Section Two: Cloud Computing Challenges
    Sub-Section One: Other Cloud Challenges
    Sub-Section Two: Solution Cloud Computing Challenge
Finding
Conclusion
Recommendation
References
List of Tables
Table 1: Services providers
List of Figures
Figure 1: Cloud Computing
Figure 2: Benefits
Figure 3: Hybrid
Figure 4: Benefits of private cloud
Figure 5: Benefits of public cloud
Figure 6: Cloud services
Figure 7: PaaS Issues
List of Abbreviations
AICPA American Institute of Certified Public Accountants
APIs Application Programming Interfaces
APTs Advanced Persistent Threats
ARPANET Advanced Research Projects Agency Network
ASP Applications Service Provision
CC Cloud Computing
CERN CERN
CIA Confidentiality Integrity Availability
CICA Canadian Institute of Chartered Accountants
CPAs Certified Public Accountants
CPU Central Processing Unit
CRM Customer Relationship Management
CSA Cloud Security Alliance
CSAC Cloud Solution Certification
CSP Cloud Services Provider
DARPA Defense Advanced Research Projects Agency
DDoS Distributed Denial of Service
DOS Denial-of-Service
EC2 Elastic Compute Cloud
GAPP Generally Accepted Privacy Principles
GDPR The General Data Protection Regulation
HIPAA Health Insurance Portability and Accountability Act of 1996
HTML Hyper Text Markup Language
IaaS Infrastructure as a Service
IBM International Business Machines
ID Identity
IDM Identity Management
IDS Intrusion Detection Systems
IP Intellectual Property
IT Information Technology
ITC Information and Technology Community
JVM Java Virtual Machine
MFA Multifactor Authentication
NIST National Institute of Standards and Technology
OECD Organization for Economic Cooperation and Development
OS Operating System
OTPs One-Time Passwords
PaaS Platform as a Service
PII Personally Identifiable Information
SaaS Software as a Service
SLAs Service Level Agreements
SP Special Publication
SQL Structured Query Language
SSL Secure Sockets Layer
TLS Transport Layer Security
UPS Uninterruptible Power Supply
VMs Virtual Machines
XSS Cross-Site Scripting attacks
Research Methodology
A. Introduction
Cloud computing is becoming an increasingly popular term and technology in the computing world.
It is a modern technology that makes data access easy and offers a new way to build an online
computing infrastructure. Ordinary users generally store and process information on their own
limited storage systems. To perform a task such as data processing, they have to install an
application or program, which takes up space on a traditional hard disk. Customers often find it
difficult to carry their storage devices with them at all times. They look for alternatives that
let them carry their files or large quantities of data and access their information wherever they
go. Cloud computing provides the solution for these clients. Along with individual users, many
organizations want to outsource their data to make it available to business processes at other
locations. Cloud computing provides flexibility that personal storage devices do not offer, such
as paying only for what is used. Users can access many applications and services, along with
storage, using just an internet-enabled device (Hosting Tag, 2012). Major companies such as
Google, Microsoft, Amazon and many more contribute to developing and advancing cloud technology
and provide services to a huge number of customers. Many types of services are being added to
cloud computing, such as SaaS, PaaS and IaaS, and besides these specialized services there are
also packages such as pay-as-you-go and on-demand to attract millions of consumers. From the
consumer's point of view, because of the benefits that cloud services provide, many consider
adoption important and are starting to set up applications or use services in the cloud. Many
researchers have therefore predicted that the cloud will extend further, be adopted by millions
of clients and be expanded by multiple providers, as it brings profit to both users and
providers. Hence cloud computing is a slogan not only among computing professionals but also
among ordinary computer users (Zhou, 2010).

When sensitive information and applications started moving into the cloud, processing those
resources in the form of virtual resources opened many new challenges, including security,
privacy, interoperability, cloud migration, cloud cost and many more. Cloud computing is a
long-dreamed vision of computing and is still in the development stage. As is usual for any
ongoing development, including cloud computing, it may involve and be exposed to new flaws or
risks. Similarly, along with attractive benefits, cloud computing also brings critical problems,
especially regarding threats and challenges. As it is in its early stages, many challenges will
continue to occur. It is clear that there is a demand for extensive discussion of security
challenges in the cloud. This thesis primarily aims to discuss the major threats and challenges.
It further describes the security and privacy of cloud computing, the key privacy concerns, and
how providers address the requirement of protecting privacy. The remainder of this thesis is
organized into two chapters as follows: Chapter 1 presents the background of cloud computing, and
Chapter 2 analyzes the latest cloud threats and challenges.

B. Literature Review
Online journals, e-books, internet databases, Google Scholar, white papers published by cloud
vendors and security bulletin reports helped a great deal in getting a better understanding
of the relevant literature sources. Many books written on the relevant research areas were
consulted for the literature review. According to John W. Ritting and James F Ransome (2010), the
book “Cloud computing: implementation, management and security” revealed significant
concepts of cloud security, common standards in cloud computing and the evolution of cloud
services. The authors have highlighted remarkably well the areas from cloud implementation
to cloud architecture and cloud security. According to Velte Anthony (2014), the book “Cloud
computing: a practical approach” described basic principles of cloud computing such as the cloud
storage mechanism, cloud development and the procedures for migrating to a cloud. The in-depth
analysis of these important facts helped a great deal in understanding the cloud structure.
According to George Yee (2017), the book “Privacy and Security for Cloud Computing” provided
comprehensive knowledge about the privacy issues that a cloud user is facing today. The security
threats to a cloud and the solutions developed by various organizations are documented in a very
reader-friendly way. According to Dawson and Raghavan (2019), the book “An Investigation into the
Detection and Mitigation of Denial of Service (DoS) Attacks” described the future threat of DOS
attacks and the current security measures to tackle DOS attacks. They highlighted the possibility
of cyber wars and proposed mitigation strategies to address the severity of DOS attacks. Notable
articles that helped in getting in-depth knowledge of the relevant literature include
“Addressing cloud computing security issues” by Dimitrios and Lekkas (2020), “Steps to Defend
Against DOS Attacks” by Ahsan Habib, Debashish Royt, and “Cloud security defense to protect cloud
computing against HTTP-DoS and XML-DoS attacks” by Ashley Chonka, Yang Xiang, Wanlei Zhou,
Alessio Bonti. The article “Security Attacks and Solutions in Cloud” by Kazi Zunnurhain and
Susan V. Vrbsky helped in knowing the security attacks on a cloud and the solution strategies
adopted by cloud vendors today. These literature sources provided a solid foundation not only
for understanding the problem but also for setting the desired research roadmap, as they revealed
the latest research work being done in the cloud security field. The literature about information
security, grid computing and internet communication protocols assisted in knowing these areas in
detail, because in-depth analysis of these areas is a precondition for conducting research in
clouds. The published interviews of various cloud security analysts, such as the interview of
Pat Gelsinger, President of “EMC Information Infrastructure Products”, helped in knowing the
structure and threats related to cloud security.
C. Problem Statement
Several security management standards and measures have been intended to safeguard the cloud,
but cloud security is nevertheless at high risk due to innovative hacking techniques. Many
other measures are also being undertaken by different cloud vendors, but these are themselves not
flawless (Zissis, 212). This research addresses the security threats and challenges to cloud
computing and its self-doubting. These threats can result in temporary suspension of cloud
services and, in the worst-case scenario, in a total cloud breakdown. This research will
analyze the latest cloud threats and challenges, how they affect the cloud, and outline some
solutions to minimize the challenges.
D. Research Objectives
The main objective of this research is to analyze the threats and challenges in cloud
computing. The main objectives are:
• To analyze cloud computing.
• To analyze the latest cloud threats and challenges.
• To analyze the solutions to the challenges.
E. Research need
The main purpose of doing this research is to analyze the latest cloud threats and
challenges of cloud computing. Also, this is my bachelor thesis, therefore it is necessary to do
research in the final semester. Without this I am not able to seek the Bachelor’s degree from
the university.
F. Research Questions
• What is cloud computing?
• What are the latest cloud computing threats and challenges?
• What are the solutions for cloud challenges?
G. Hypothesis
• I assume that cloud computing is the delivery of various software services over the internet
through remote servers.
• I assume the data breach threat, data loss threat, account hijacking threat, insecure API
threats, virtual threat, multi-cloud challenges, performance challenges, downtime
challenges and lack-of-knowledge challenges.
• I assume that users can use traditional IT processes, Cloud solution certificate, GDPR and
multi-cloud management to prevent cloud challenges.

H. Research Methodology
This thesis is based on secondary data. The data is gathered by literature analysis, the internet
and books.

I. Research Innovation
This research includes understanding how different types of threats might affect various
elements such as availability, integrity, confidentiality or privacy. It can also help
identify any existing vulnerabilities within the system which could be exploited by attackers or
malicious actors. Once these are identified, organizations can begin developing strategies to
mitigate these risks effectively while also making sure their data remains secure from
unauthorized access or manipulation.

J. Research Design
This thesis is organized into two chapters. In Chapter One I describe the cloud computing
overview, advantages, disadvantages, base services and deployment models. In Chapter Two I
describe and analyze the threats and challenges in cloud computing and the solutions to the
challenges. To complete this thesis I used secondary data. The data is gathered by
literature analysis, the internet and books.
K. Research limitation
In collecting data I faced some issues, which I have listed below:
• In Afghanistan very few books are written about my topic.
• Limited access to data.
Chapter one
Fundamental and Generalities
Topic One: Introduction of cloud computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared
pool of configurable resources (e.g., networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort or service provider
interaction.
Enterprises can use these resources to develop, host and run services and applications on
demand in a flexible manner on any device, anytime, and anywhere. According to the U.S.
National Institute of Standards and Technology’s (NIST) definition published in the NIST
Special Publication SP 800-145, “cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable computing resources
(e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction.” 1
This definition is widely accepted as a valuable contribution toward providing a clear
understanding of cloud computing technologies and cloud services, and it has been submitted
as the U.S. contribution for an international standardization. The NIST definition also provides
a unifying view of five essential characteristics that all cloud services exhibit: on-demand
self-service, broad network access, resource pooling, rapid elasticity, and measured service.
Furthermore, NIST identifies a simple and unambiguous taxonomy of three “service models”
available to cloud consumers (Infrastructure-as-a-Service (IaaS), Platform-as-a-Service
(PaaS), Software-as-a-Service (SaaS)) and four “cloud deployment modes” (Public, Private,
Community and Hybrid) that together categorize ways to deliver cloud services. The cloud
service model is an important architectural factor when discussing key management aspects in
a cloud environment.
Cloud computing is a new term given to a technological evolution of distributed
computing and grid computing. Cloud computing has been evolving over a period of time
and many companies are finding it interesting to use. Without the development of
ARPANET (Advanced Research Projects Agency Network) by J.C.R. Licklider in the 1960s
and many other researchers who dreamt of improving the interconnection of systems,
cloud computing would never have come into existence. The advent of ARPANET,
which helped to connect (for sharing, transferring, etc.) a group of computers, led
to the invention of the Internet (where bridging the gap between systems became easy). 2
Cloud computing is a technology paradigm that is offering useful services to consumers.
Cloud computing has the long-term potential to change the way information technology is
provided and used. The entire cloud ecosystem consists mainly of four different entities,
which play a vital role in fulfilling the requirements of all the stakeholders. The role played by
each individual depends on their position in the market and their business strategy. It changes
the way of providing and managing computing resources, such as CPU, database and storage
systems. Today leading players such as Amazon, Google, IBM, Microsoft and Salesforce.com
offer their cloud infrastructure for services. Wikipedia defines it as “an Internet-based
computing, whereby shared resources, software and information are provided to computers
and other devices on-demand, like a public utility.”

1 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm
2 https://www.ibm.com/cloud/learn/hybrid-cloud

Section One: History of cloud computing


The concept of cloud computing came into existence in the year 1950 with the implementation
of mainframe computers, accessible via thin/static clients. Since then, cloud computing has
evolved from static clients to dynamic ones and from software to services. The
following diagram explains the evolution of cloud computing: 3

Figure 1: Cloud computing history

In 1963, DARPA (the Defense Advanced Research Projects Agency) presented MIT with $2
million for Project MAC. The funding included a requirement for MIT to develop technology
allowing for a “computer to be used by two or more people, simultaneously.” In this case, one
of those gigantic, archaic computers using reels of magnetic tape for memory became the
precursor to what has now become collectively known as cloud computing. It acted as a
primitive cloud with two or three people accessing it.
The word “virtualization” was used to describe this situation, though the word’s meaning later
expanded. In 1969, J. C. R. Licklider helped develop the ARPANET (Advanced Research
Projects Agency Network), a “very” primitive version of the Internet. JCR, or “Lick,” was both
a psychologist and a computer scientist, and promoted a vision called the “Intergalactic
Computer Network,” in which everyone on the planet would be interconnected by way of
computers, and able to access information from anywhere.
(What could such an unrealistic, impossible-to-pay-for, fantasy of the future look like?) The
Intergalactic Computer Network, otherwise known as the internet, is necessary for access to the
cloud. The meaning of virtualization began shifting in the 1970s, and now describes the creation
of a virtual machine that acts like a real computer, with a fully functional operating system.
The concept of virtualization has evolved with the internet, as businesses began offering
“virtual” private networks as a rentable service. The use of virtual computers became popular
in the 1990s, leading to the development of the modern cloud computing infrastructure.

3 https://en.wikipedia.org/wiki/Cloud_computing
A. Cloud Computing in the Late 1990s
In its early stages, the cloud was used to express the empty space between the end user and the
provider. In 1997, Professor Ramnath Chellapa of Emory University defined cloud computing
as the new “computing paradigm, where the boundaries of computing will be determined by
economic rationale, rather than technical limits alone.” This somewhat ponderous description
rings true in describing the cloud’s evolution. The cloud gained popularity as companies gained
a better understanding of its services and usefulness. In 1999, Salesforce became a popular
example of using cloud computing successfully.
They used it to pioneer the idea of using the Internet to deliver software programs to the end
users. The program (or application) could be accessed and downloaded by anyone with Internet
access. Businesses could purchase the software in an on-demand, cost-effective manner,
without leaving the office. 4

B. Cloud Computing in the Early 2000s


In 2002, Amazon introduced its web-based retail services. It was the first major business to
think of using only 10% of its capacity (which was commonplace at the time) as a problem to
be solved. The cloud computing infrastructure model allowed them to use their computer’s
capacity much more efficiently. Soon after, other large organizations followed their example.
In 2006, Amazon launched Amazon Web Services, which offers online services to other
websites, or clients. One of Amazon Web Services’ sites, called Amazon Mechanical Turk,
provides a variety of cloud-based services including storage, computation, and “human
intelligence.” Another of Amazon Web Services’ sites is the Elastic Compute Cloud (EC2),
allowing individuals to rent virtual computers and use their own programs and applications. In
the same year, Google launched Google Docs services.

Google Docs was originally based on two separate products, Google Spreadsheets and Writely.
Google purchased Writely, which offers renters the ability to save documents, edit documents,
and transfer them into blogging systems. (These documents are compatible with Microsoft
Word.) Google Spreadsheets (acquired from 2Web Technologies, in 2005) is an Internet-based
program allowing users to develop, update, and edit spreadsheets, and to share the data online.
An Ajax-based program is used, which is compatible with Microsoft Excel.
The spreadsheets can be saved in an HTML format. In 2007, IBM, Google, and several
universities joined forces to develop a server farm for research projects needing both fast
processors and huge data sets. The University of Washington was the first to sign up and use
resources provided by IBM and Google. Carnegie Mellon University, MIT, Stanford
University, the University of Maryland, and the University of California at Berkeley, quickly
followed suit. The universities immediately realized that computer experiments could be done faster
and for less money if IBM and Google were supporting their research. 5

4 https://en.wikipedia.org/wiki/Cloud_computing
5 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm

C. 2010 and Beyond
Although private clouds were initiated in 2008, they were still undeveloped, and not very
popular. Concerns about poor security in public clouds were a strong driving force promoting
the use of private clouds. In 2010, companies like AWS, Microsoft, and OpenStack had
developed private clouds that were fairly functional. (2010 was also when OpenStack made an
open-sourced, free, do-it-yourself cloud, which became very popular, available to the general
public.) The concept of hybrid clouds was introduced in 2011. A fair amount of interoperability
is needed between a private and public cloud, and the ability to shift workloads back and forth
between the two clouds. At this time, very few businesses had systems capable of doing this,
though many wanted to, because of the tools and storage public clouds could offer. In 2011,
IBM introduced the IBM Smart Cloud framework, in support of Smarter Planet (a cultural
thinking project).
Then, Apple launched the iCloud, which focuses on storing more personal information (photos,
music, videos, etc.). Also, during this year, Microsoft began advertising the cloud on television,
making the general public aware of its ability to store photos, or video, with easy access. Oracle
introduced the Oracle Cloud in 2012, offering the three basics for business: IaaS
(Infrastructure-as-a-Service), PaaS (Platform-as-a-Service), and SaaS (Software-as-a-Service). These
“basics” quickly became the norm, with some public clouds offering all of these services, while
others focused on offering only one. 6
Software-as-a-service became quite popular. Cloud Bolt was founded in 2012. This company
gets credit for developing a hybrid cloud management platform that helped organizations build,
deploy and manage both private and public clouds. They resolved the interoperability problems
between public and private clouds. Multi-clouds began when organizations started using SaaS
providers for certain services, such as human resources, customer relations management, and
supply chain management. This started becoming popular in roughly 2013-2014. While this
use of SaaS providers is still quite popular, a philosophy of using multiple clouds for their
specific services and advantages has developed.
This philosophy includes not becoming trapped into using a specific cloud because of
“interoperability problems.” By 2014, cloud computing had developed its basic features, and
security had become a major concern.
Cloud security has become a fast-growing service, because of its importance to customers.
Cloud security has advanced significantly in the last few years, and now provides protection
comparable to traditional IT security systems. This includes the protection of critical
information from accidental deletion, theft, and data leakage. Having said that, security is, and
may always be, the primary concern of most cloud users. Currently, application developers are
among the primary users of cloud services. In 2016 the cloud began to shift from
developer-friendly to developer-driven. 7
Application developers began taking full advantage of the cloud for the tools it had available.
A large number of services strive to be developer-friendly to draw more customers. Realizing
the need, and the potential for profit, cloud vendors developed (and continue to develop) the
tools app developers want and need. Financial services, etc.). Further advancement in this
area of Internet resulted in development of Applications Service Provision (ASP), grid and
utility computing and cloud computing.
Cloud computing introduced a new paradigm which changed the traditional
interconnection of systems to a pool of shared resources that can be accessed through
the internet. Wikipedia defines it as “An Internet-based computing, whereby shared resources,
software and information are provided to computers and other devices on-demand, like a public
utility.” A technical definition is “A computing capability that provides an abstraction between
the computing resource and its underlying technical architecture (e.g., servers, storage, and
networks), enabling convenient, on-demand network access to a shared pool of configurable
computing resources that can be rapidly provisioned and released with minimal management
effort or service provider interaction.” 8

6 https://www.ibm.com/cloud/learn/hybrid-cloud
7 https://en.wikipedia.org/wiki/Cloud_computing

Sub-Section One: Advantages of cloud computing


Cloud Computing has numerous advantages. Some of them are listed below.
A. Reduced Cost: Since cloud technology is implemented incrementally (step-by-step), it reduces
organizations' total expenditure, saving them money.
B. Increased Storage: Organizations can store more data than on private computer systems.
C. Highly Automated: No longer do IT personnel need to worry about keeping software up to
date.
D. Flexibility: Cloud computing offers much more flexibility than past computing methods.
E. More Mobility: Employees can access information wherever they are, rather than having to
remain at their desks, unlike traditional systems (storing data in personal computers
and accessing it only when near them).
F. Allows IT to Shift Focus: No longer having to worry about constant server updates and
other computing issues, government organizations will be free to concentrate on innovation.
These benefits of cloud computing draw a lot of attention from the Information and
Technology Community (ITC). A survey by ITC in the years 2008 and 2009 shows that
many companies and individuals are noticing that CC is proving to be helpful when
compared to traditional computing methods. 9

Figure 2: Benefits of cloud computing

8 https://www.ibm.com/cloud/learn/hybrid-cloud
9 https://www.ibm.com/cloud/learn/hybrid-cloud

Sub-Section Two: Disadvantages of cloud computing
There are also several disadvantages of cloud computing. Some of these drawbacks are given
below.
A. Expenses can be quickly reduced: During times of recession or business cutbacks (like the
energy industry is currently experiencing), cloud computing offers a flexible cost structure,
thereby limiting exposure.
B. Flexible capacity: Cloud is the flexible facility that can be turned up, down or off depending
upon circumstances. For example, a sales promotion might be wildly popular, and capacity
can be added quickly to avoid crashing servers and losing sales. When the sale is over,
capacity can shrink to reduce costs.
C. Facilitate M&A activity: Cloud computing accommodates faster changes so that two
companies can become one much faster and more efficiently. Traditional computing might
require years of migrating applications and decommissioning data centers before two
companies are running on the same IT stack.
D. Less environmental impact: With fewer data centers worldwide and more efficient
operations, we are collectively having less of an impact on the environment. Companies
who use shared resources improve their ‘green’ credentials.
E. Downtime: Businesses receive cloud computing services only through the Internet. When
there is an internet outage or weak connectivity, services get interrupted and this increases
downtime. Therefore, one of the major criticisms of cloud computing is its high dependency
on the Internet.
F. Vendor lock-in: Vendor lock-in is the biggest disadvantage of cloud computing.
Organizations may face problems when transferring their services from one vendor to
another. As different vendors provide different platforms, that can cause difficulty moving
from one cloud to another. 10

Section Two: Cloud computing deployment model


Deployment models define the type of access to the cloud, i.e., how the cloud is located. A cloud
can have any of the 3 types of access: Public, Private, and Hybrid. 11

Figure 3: Deployment model

10 https://www.infoworld.com/article/3226386/what-is-saas-software-as-a-service-defined.html
11 https://en.wikipedia.org/wiki/Cloud_computing

A. Private Cloud
Private cloud is a new term that some vendors have recently used to describe offerings that
emulate cloud computing on private networks. It is set up within an organization’s internal
enterprise data center. In the private cloud, scalable resources and virtual applications provided
by the cloud vendor are pooled together and available for cloud users to share and use. It differs
from the public cloud in that all the cloud resources and applications are managed by the
organization itself, similar to Intranet functionality.
Utilization on the private cloud can be much more secure than that of the public cloud because
of its specified internal exposure. Only the organization and designated stakeholders may have
access to operate on a specific Private cloud. Private Cloud allows systems and services to be
accessible within an organization. The Private Cloud is operated only within a single
organization.
However, it may be managed internally by the organization itself or by a third party. The
organization premise using virtualization layer. It also facilitates flexibility, scalability,
provisioning, automation and monitoring and thus offers the greatest level of control,
configurability support, high availability or fault tolerant solutions and advanced
security which is missing in public cloud. Basically, the very concept of private clouds is
driven by concerns around security and keeping assets within the firewall, which makes
it significantly more expensive, with typically modest economies of scale.
B. Public cloud
Public cloud describes cloud computing in the traditional mainstream sense, whereby resources
are dynamically provisioned on a fine-grained, self-service basis over the Internet, via web
applications/web services, from an off-site third-party provider who shares resources and bills
on a fine-grained utility computing basis. 12 It is typically based on a pay-per-use model, similar
to a prepaid electricity metering system which is flexible enough to cater for spikes in demand
for cloud optimization. Public clouds are less secure than the other cloud models because they
place an additional burden of ensuring that all applications and data accessed on the public cloud
are not subjected to malicious attacks. All the physical infrastructure is owned by the
provider of the services, which are provided off-site over the Internet and hosted at the cloud
vendor’s premises. Here the customer has no control and limited visibility over where the
service is hosted, as all these massive hardware installations are distributed throughout
the country or across the globe seamlessly. 13

This massive size enables economies of scale that permit maximum scalability to meet
the varying requirements of different customers and thus provides the greatest level of
efficiency and maximum reliability through shared resources, but at the cost of added
vulnerability. Public Cloud allows systems and services to be easily accessible to the general
public. IT giants such as Google, Amazon and Microsoft offer cloud services via the Internet.

12 https://www.investopedia.com/terms/c/cloud-computing.asp
13 https://www.infoworld.com/article/3226386/what-is-saas-software-as-a-service-defined.html

C. Hybrid cloud

Hybrid Cloud is a mixture of public and private cloud. Non-critical activities are performed
using public cloud while the critical activities are performed using private cloud. The hybrid
cloud model is dependent on internal IT infrastructure; therefore, it is necessary to ensure
redundancy across data centers.
Sub-Section One: Benefits of Private, Public, Hybrid clouds models

A. Benefits of Private cloud


There are many benefits of deploying cloud as private cloud model. The following diagram
shows some of those benefits:

Figure 4: benefits of private cloud

• High Security and Privacy: Private cloud operations are not available to the general public and
resources are shared from a distinct pool of resources. Therefore, it ensures
high security and privacy.
• More Control: The private cloud has more control over its resources and hardware than the public
cloud because it is accessed only within an organization.
• Cost and Energy Efficiency: The private cloud resources are not as cost effective as resources
in public clouds but they offer more efficiency than public cloud resources. 14
B. Benefits of public model
There are many benefits of deploying cloud as public cloud model. The following diagram
shows some of those benefits:
• Cost Effective: Since the public cloud shares the same resources with a large number of customers, it
turns out inexpensive.
• Reliability: The public cloud employs a large number of resources from different locations. If
any of the resources fails, the public cloud can employ another one.
• Flexibility: The public cloud can smoothly integrate with private cloud, which gives customers
a flexible approach.
• Location Independence: Public cloud services are delivered through the Internet, ensuring
location independence.
• Utility Style Costing: Public cloud is also based on a pay-per-use model and resources are
accessible whenever the customer needs them.
• High Scalability: Cloud resources are made available on demand from a pool of resources, i.e.,
they can be scaled up or down according to the requirement. 15

14 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm

Figure 5: Benefits of public cloud

C. Benefits of hybrid cloud


There are many benefits of deploying cloud as hybrid cloud model. The following shows some
of those benefits:
• Scalability: It offers features of both, the public cloud scalability and the private cloud scalability.
• Flexibility: It offers secure resources and scalable public resources.
• Cost Efficiency: Public clouds are more cost effective than private ones. Therefore, hybrid clouds can be
cost saving.
• Security: The private cloud in hybrid cloud ensures higher degree of security.
Sub-Section Two: Disadvantages of Private, Public, Hybrid clouds models
The disadvantages of the private, public and hybrid cloud models are given below:
A. Disadvantages of private cloud model
Here are the disadvantages of using private cloud model:
• Restricted Area of Operation: The private cloud is only accessible locally and is very
difficult to deploy globally.
• High Priced: Purchasing new hardware in order to fulfill the demand is a costly transaction.
• Limited Scalability: The private cloud can be scaled only within the capacity of internal hosted
resources.
• Additional Skills: In order to maintain cloud deployment, the organization requires skilled
expertise.
• Low Security: In public cloud model, data is hosted off-site and resources are shared
publicly, therefore it does not ensure a higher level of security.
• Less Customizable: It is comparatively less customizable than private cloud.

15 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm
B. Disadvantages of hybrid cloud model.
Here are some disadvantages of hybrid cloud model:
• Networking Issues: Networking becomes complex due to presence of private and public
cloud.
• Security Compliance: It is necessary to ensure that cloud services are compliant with
security policies of the organization.
• Infrastructure Dependency: The hybrid cloud model is dependent on internal IT. Therefore
it is necessary to ensure redundancy across data centers.
C. Disadvantages of public cloud
Here are some disadvantages of public cloud model:
• Security Compliance: It is necessary to ensure that cloud services are compliant with security
policies of the organization.
• Low Security: In public cloud model, data is hosted off-site and resources are shared
publicly, therefore does not ensure higher level of security.
• Less Customizable: It is comparatively less customizable than private cloud.

Topic Two: Cloud Services Delivery Models


Cloud computing is based on service models. Combining the three types of clouds with the
delivery models we get a holistic cloud illustration as seen in Figure, surrounded by
connectivity devices coupled with information security themes. Virtualized physical resources,
virtualized infrastructure, as well as virtualized middleware platforms and business applications
are being provided and consumed as services in the Cloud. Cloud vendors and clients need to
maintain Cloud computing.

These are categorized into three basic service models, which are:
• Infrastructure-as-a-Service (IaaS)
• Platform-as-a-Service (PaaS)
• Software-as-a-Service (SaaS)
Infrastructure-as-a-Service (IaaS) is the most basic level of service. Each of the service
models inherits the security and management mechanisms from the underlying model, as shown
in the following diagram: 16

16 https://www.ibm.com/cloud/learn/hybrid-cloud

Figure 6: Cloud services

• Infrastructure-as-a-Service (IaaS): IaaS provides access to fundamental resources such as
physical machines, virtual machines, virtual storage, etc.
• Platform-as-a-Service (PaaS): PaaS provides the runtime environment for applications,
development and deployment tools, etc.
• Software-as-a-Service (SaaS): The SaaS model allows software applications to be used as a
service by end-users. 17

Section One: Infrastructure as a Service (IaaS)


IaaS facilitates availability of IT resources such as servers, processing power, data
storage and networks as an on-demand service. Here the user of this service can dynamically
choose a CPU, memory and storage configuration according to needs. A cloud user buys these
virtualized and standardized services as and when required. 18

For example, a cloud customer can rent server time, working memory and data storage
and have an operating system run on top with applications of their own choice. IaaS is a model in
which an organization outsources the equipment used to support operations, including storage,
hardware, virtual servers, databases, and networking components. The service provider owns
the equipment and is responsible for housing, running, and maintaining it.

Sub-Section One: Platform as a Service (PaaS)


A PaaS is typically a programming platform for developers. This platform provides
the ecosystem for programmers/developers to create, test, run and manage
applications. It thus provides access to the runtime environment for application
development and to deployment tools. Here the developer does not have any access to the
underlying layers of OS and hardware, but can simply run and deploy their own
applications.
Microsoft Azure, Salesforce and Google App Engine are some of the typical examples
of PaaS. The two components of PaaS are the place on which software can be launched
(platform), and the services being provided (solution stack). Resources being delivered via PaaS
typically include infrastructure and applications. In many cases the data being used is also
stored in the cloud and the end user’s terminal may contain only an operating system and Web
browser. In addition, end users can write their own code and the PaaS provider then uploads
that code and presents it on the Web. 19

17 https://www.ibm.com/cloud/learn/hybrid-cloud
18 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm

Sub-Section Two: Software as a Service (SaaS)
In this model, various applications are hosted by a cloud service provider and
made available to customers over the internet, where the end user can access the software using
a thin client through web browsers. Here all the software and relevant data are hosted
centrally on the cloud server.

CRM, Office Suite, Email, Games, Contact Data Management, Financial Accounting,
Text Processing, etc. typically fall under this category. The capability offered to the
consumer is to use the provider’s commercially available applications running on a cloud
infrastructure. The applications are accessible from various client devices through a thin client
interface such as a Web browser. One of the most common uses for SaaS is for Web-based
email services. SaaS enables enterprises to obtain the use of such commercially available
software on demand without the need to invest in IT resources knowledgeable in its support. 20

Section Two: Advantages of IaaS, PaaS, SaaS


A. Benefits of IaaS
IaaS allows the cloud provider to freely locate the infrastructure over the Internet in a
cost-effective manner. Some of the key benefits of IaaS are listed below:
• Full control of the computing resources through administrative access to VMs.
• Flexible and efficient renting of computer hardware.
• Portability, interoperability with legacy applications.

Full control over computing resources through administrative access to VMs: IaaS allows the
customer to access computing resources through administrative access to virtual machines in the
following manner:
• Customer issues administrative command to cloud provider to run the virtual machine
or to save data on cloud server.
• Customer issues administrative command to virtual machines they owned to start web server
or to install new applications.

Flexible and efficient renting of computer hardware: IaaS resources such as virtual machines,
storage devices, bandwidth, IP addresses, monitoring services, firewalls, etc. are made available
to the customers on rent. The payment is based upon the amount of time the customer retains a
resource. Also with administrative access to virtual machines, the customer can run any
software, even a custom operating system. 21

B. Benefits of SaaS
Modest software tools: The SaaS application deployment requires little or no client-side
software installation, which results in the following benefits:
• No requirement for complex software packages at client side.
• Little or no risk of configuration at client side.
• Low distribution cost.
• Efficient use of software licenses: The customer can have a single license for multiple
computers running at different locations, which reduces the licensing cost. Also, there is no
requirement for license servers because the software runs in the provider's infrastructure.
• Centralized management and data: The cloud provider stores data centrally. However, the
cloud providers may store data in a decentralized manner for the sake of redundancy and
reliability.
• Platform responsibilities managed by providers: All platform responsibilities such as
backups, system maintenance, security, hardware refresh, power management, etc. are
performed by the cloud provider. The customer does not need to bother about them. 22

19 https://www.ibm.com/cloud/learn/hybrid-cloud
20 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm
21 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm

Sub-Section One: Disadvantages of IaaS, PaaS, SaaS


A. Disadvantages of IaaS.
IaaS shares issues with PaaS and SaaS, such as Network dependence and browser-based risks.
It also has some specific issues, which are mentioned in the following diagram:
• Lack of portability between PaaS clouds: Although standard languages are used, yet the
implementations of platform services may vary. For example, file, queue, or hash table
interfaces of one platform may differ from another, making it difficult to transfer the
workloads from one platform to another.
• Event based processor scheduling: The PaaS applications are event-oriented which poses
resource constraints on applications, i.e., they have to answer a request in a given interval
of time.
B. Disadvantages of SaaS
There are several issues associated with SaaS, some of them are listed below:
Browser based risks, Network dependence, Lack of portability between SaaS clouds.
• Browser based risks: If the customer visits a malicious website and the browser becomes
infected, the subsequent access to the SaaS application might compromise the customer's data.
To avoid such risks, the customer can use multiple browsers and dedicate a specific browser
to access SaaS applications or can use a virtual desktop while accessing the SaaS
applications. 23
• Network dependence: The SaaS application can be delivered only when the network is
continuously available. Also, the network should be reliable, but network reliability cannot
be guaranteed either by the cloud provider or by the customer.
• Lack of portability between SaaS clouds: Transferring workloads from one SaaS cloud to
another is not so easy because work flow, business logic, user interfaces and support scripts
can be provider specific. 24

Figure 7: PaaS Issues

22 Ronald L. Krutz, Russell Dean Vines, “A Comprehensive Guide to Secure Cloud Computing”.
23 https://www.bigcommerce.com/blog/saas-vs-paas-vs-iaas/

Sub-Section Two: Services providers


Various Cloud Computing platforms are available today that provide services to cloud
computing users. The following table contains the popular Cloud Computing platform
services:

Table 1: Services providers

SN | Platform | Description
1 | Salesforce.com | This is a Force.com development platform. This provides a simple user interface and lets users log in, build an app, and push it in the cloud.
2 | Appistry | The Appistry's Cloud IQ platform is efficient in delivering a runtime application. This platform is very useful to create scalable and service oriented applications.
3 | AppScale | The AppScale is an open source platform for App Engine of Google applications.
4 | AT&T | The AT&T allows access to virtual servers and manages the virtualization infrastructure. This virtualization infrastructure includes network, server and storage.
5 | Engine Yard | The Engine Yard is a Rails application on cloud computing platform.
6 | Enomaly | Enomaly provides the Infrastructure-as-a-Service platform. 25
7 | FlexiScale | The FlexiScale offers a cloud computing platform that allows flexible, scalable and automated cloud infrastructure.
8 | GCloud3 | The GCloud3 offers private cloud solution in its platform.
9 | Gizmox | The Gizmox Visual WebGUI platform is best suited for developing new web apps and modernizing legacy apps based on ASP.net, DHTML, etc.
10 | GoGrid | The GoGrid platform allows the users to deploy web and database cloud services.
11 | Google | The Google's App Engine lets the users build, run and maintain their applications on Google infrastructure.
12 | LongJump | The LongJump offers a business application platform, a Platform-as-a-Service (PaaS).
13 | Microsoft | The Microsoft Windows Azure is a cloud computing platform offering an environment to create cloud apps and services.

24 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm
25 https://www.tutorialspoint.com/cloud_computing/cloud_computing_platform_as_a_service.htm

Chapter Two
Data Analysis and Finding
Topic One: Cloud Computing Security
The protective goals are often the basis of the security requirements that must be met by IT
systems in general and cloud computing systems in particular. These security goals
generally arise from what users need from service providers. There are 3 basic goals:
protection or confidentiality, integrity, and data accuracy. These are the components
of security. In cloud-based computing, user data is almost out of the user's reach,
and these 3 components must provide relative security for the final user. Some believe that data
inside the organization is more secure than data outside, but others believe that external
companies are more motivated to keep and attract clients. However, whether the data is
external or internal, these 3 components are still of vital importance. They are described
as follows.
A. Confidentiality
Confidentiality means that a system ensures confidential data stays protected; the data security
system must define confidentiality characteristics, such as reviews that make sure
data cannot become available through inconsistencies. There is, of course, a
difference between data that the user is allowed to access and data that is communicated
through the network, which means that confidential data must be kept secure not only in storage
but also while it is exchanged over the network. In any case, it must be possible to recognize and
obtain data that is completely accurate for data processing and for running the review process (the
purpose is to send information over the network despite security issues; exchanging real and
accurate data is unavoidable). 26
Generally, to protect the confidentiality of data, encryption and control techniques
based on strong authentication are used. Data often moves through dynamic systems (such as
ad hoc networks) and systems that are essentially open (such as systems built on the platform
of the Internet). A cloud service provider or server must be able to store data on its servers. It must
also be allowed to rewrite and copy data to optimize infrastructure capacity and ensure
the necessary efficiency. These processes are usually out of reach of clients, and this can
result in confidentiality issues and problems. For example, if information is available in
different places or stored in domains with a security rating, suitable security
overhead must be applied to reach it, which improves confidentiality. 27

B. Integrity
When a system guarantees the integrity of data, the data is not manipulated without permission or by
unauthorized methods. In other words, an integrated system is defined by trusted data and
messages that are not revealed by a potential interferer. A cloud computing system should be
protected from alteration by a third party, which poses a risk to integrity. If integrity is
determined as a good for cloud services, not only the outward face of the cloud system that is
accessible to final users but also the internal part must follow it. In a complicated system such
as a cloud computing system, integrity can be a heavy burden for the servers that are
responsible for meeting the needs of users.

26 https://www.compuquip.com/blog/cloud-security-challenges-and-risks
27 R. K. Balachandra, P. V. Ramakrishna and A. Rakshit. “Cloud Security Issues.” In PROC ‘09 IEEE International Conference on Services Computing, 2009, pp 517-520.

C. Accuracy
The accuracy of a subject is established by tools that provide assurance and validation.
Assurance and validation can be based on a single identification characteristic.
Information is valid if its sender can be securely identified and if it can be shown that
no changes were possible after the information was created and distributed. Security
techniques that determine the communication patterns, and mechanisms that assure accuracy, are
among the basic components of a cloud computing system.
These mechanisms must be able to accept or reject the accuracy of the protected information.
None of these shared systems can create or distribute messages or data beyond the objects. As
an economic agency begins to use cloud services, it must be assured of the final users'
credibility, which is one of the basic and important needs. The issues related to different
identification management are a public issue that must be considered. 28
Section One: cloud computing security methods
There are many methods for developing code. Any of them can be used to develop a secure
cloud application. Every development model must have both requirements and testing. In some
models, the requirements may emerge over time. It is very important that security requirements
are established early in the development process. Security in a cloud application tends to be
subtle and invisible.
Security is prominent at only two times in the development life cycle: requirements definition
and testing. At other times, deadlines, capabilities, performance, the look and feel, and dozens
of other issues tend to push security to the back. This is why it is important to ensure that
security requirements are prominent at the beginning of the software development life cycle. In
many respects, the tools and techniques used to design and develop clean, efficient cloud
applications will support the development of secure code as well. Special attention, however, should be shown in the following areas: 29
• Handling data: Some data is more sensitive and requires special handling.
• Code practices: Care must be taken not to expose too much information to a would-be attacker.
• Language options: Consider the strengths and weaknesses of the language used.
• Input validation and content injection: Data (content) entered by a user should never have direct access to a command or a query.
A. Handling Data
As the Internet continues to be a driving force in most of our everyday lives, more and more
personal and sensitive information will be put on cloud servers. Requirements for handling this
private information did not exist years ago, while other data, such as passwords, has always
required special handling. Following are some special cases for the handling of sensitive or
critical data:
• Passwords should never be transmitted in the clear. They should always be encrypted.

28
https://www.datapine.com/blog/cloud-computing-risks-and-challenges/
29
R. K. Balachandra, P. V. Ramakrishna and A. Rakshit. “Cloud Security Issues.” In PROC ‘09 IEEE International
Conference on Services Computing, 2009, pp 517-520.

• Passwords should never be viewable on the user’s screen as they are entered into the
computer. Even though asterisks (*) are being displayed, care must be taken to ensure that
it is not just because the font is all asterisks. If that is the case, someone could steal the
password by copying and pasting the password from the screen.
• If possible, passwords should always be encrypted with one-way hashes. This will ensure
that no one (not even a system administrator) can extract the password from the server. The
only way to break the password would be through brute-force cracking. With one-way
hashing, the actual passwords are not compared to authenticate the user; rather, the hashed
value is stored on the server and is compared with the hashed value sent by the user. If the
passwords cannot be decrypted, users cannot be provided their passwords when they forget
them. In such cases, the system administrator must enter a new password for the user, which
the user can change upon re-entering the application. 30
• Credit card and other financial information should never be sent in the clear.
• Cloud servers should minimize the transmissions and printing of credit card information.
This includes all reports that may be used for internal use, such as troubleshooting, status,
and progress reports.
Sensitive data should not be passed to the cloud server as part of the query string, as the query
string may be recorded in logs and accessed by persons not authorized to see the credit card
information. For example, the following query string includes a credit card number.
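The Python code below is an added example, not part of the original thesis: it stores passwords as salted one-way hashes and, as a second line of defense for the logging problem described above, masks sensitive query-string parameters before a URL is written to a log. The PBKDF2 settings, the parameter names and the sample URL are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed settings for this example (not taken from the thesis).
PBKDF2_ITERATIONS = 600_000
SENSITIVE_PARAMS = {"card", "cardnumber", "cvv", "password"}


def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex'; the clear password is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
        )
        expected = bytes.fromhex(hash_hex)
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def redact_url_for_log(url: str) -> str:
    """Mask sensitive query parameters before the URL reaches a log file."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [
        (key, "REDACTED" if key.lower() in SENSITIVE_PARAMS else value)
        for key, value in pairs
    ]
    return urlunsplit(parts._replace(query=urlencode(masked)))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    # Constructed URL with a well-known test card number.
    print(redact_url_for_log(
        "https://shop.example/pay?item=42&card=4111111111111111"
    ))
```

Redaction only limits what ends up in the application's own logs; proxies and browser history still see the original URL, so the card number belongs in an encrypted request body, as the text says.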
B. Language Options
One of the most frequently discovered vulnerabilities in cloud server applications is a direct
result of the use of C and C++. The C language is unable to detect and prevent improper memory
allocation, which can result in buffer overflows. Because the C language cannot prevent buffer
overflows, it is left to the programmer to implement safe programming techniques. Good coding
practices will check for boundary limits and ensure that functions are properly called. This
requires a great deal of discipline from the programmer;
and in practice even the most experienced developers can overlook these checks occasionally.
One of the reasons Java is so popular is because of its intrinsic security mechanisms. Malicious
language constructs should not be possible in Java. The Java Virtual Machine (JVM) is
responsible for stopping buffer overflows, the use of uninitialized variables, and the use of
invalid opcodes.
C. Input Validation and Content Injection
All user input that cannot be trusted must be verified and validated. Content injection occurs
when the cloud server takes input from the user and applies the content of that input into
commands or SQL statements. Essentially, the user’s input is injected into a command that is
executed by the server. Content injection can occur when the server does not have a clear
distinction and separation between the data input and the commands executed. 31
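An added example (not from the original thesis) of the missing separation between data and command, using Python's built-in sqlite3 module: the first lookup builds the SQL statement by string concatenation, the second validates the input and binds it as a parameter. The table, the function names and the sample inputs are constructed for illustration.

```python
import re
import sqlite3

# Allow-list for account owner names (an assumption of this example).
OWNER_PATTERN = re.compile(r"[a-z][a-z0-9_]{0,31}")


def make_db() -> sqlite3.Connection:
    """Create a small in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)", [("alice", 120), ("bob", 75)]
    )
    return conn


def lookup_vulnerable(conn, owner):
    # VULNERABLE: the input becomes part of the statement text, so the
    # server cannot tell user data from SQL.
    query = (
        "SELECT owner, balance FROM accounts WHERE owner = '"
        + owner
        + "' ORDER BY owner"
    )
    return conn.execute(query).fetchall()


def is_valid_owner(owner: str) -> bool:
    """Validate the input against the allow-list before it is used."""
    return OWNER_PATTERN.fullmatch(owner) is not None


def lookup_parameterized(conn, owner):
    # HARDENED: the statement text is fixed; the input is bound as data.
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ? ORDER BY owner",
        (owner,),
    ).fetchall()


def lookup_safe(conn, owner):
    """Validate first, then query with a bound parameter."""
    if not is_valid_owner(owner):
        raise ValueError("owner name rejected by input validation")
    return lookup_parameterized(conn, owner)


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    print(lookup_vulnerable(db, crafted))     # every row is returned
    print(lookup_parameterized(db, crafted))  # no row has that owner name
```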

30
https://en.wikipedia.org/wiki/Cloud_computing_issues
31
Grobauer, T. Walloschek and E. Stöcker, "Understanding Cloud Computing Vulnerabilities," IEEE Security and
Privacy, vol. 99, 2010.

Sub-Section One: Physical security method
The physical security of the system of any cloud server is vulnerable to an attacker with
unlimited time and physical access to the server. Additionally, physical problems could cause
the server to have down time. This would be a loss of availability, which you may recall is one
of the key principles of the security triad confidentiality, integrity, and availability (CIA). The
following items should be provided to ensure server availability:
• Provide an uninterruptible power supply (UPS) unit with surge protection.
• Provide fire protection to minimize the loss of personnel and equipment.
• Provide adequate cooling and ventilation.
• Provide adequate lighting and workspace for maintaining and upgrading the system.
Restrict physical access to the server. Unauthorized persons should not get near the server. Even
casual contact can lead to outages. The server space should be locked and alarmed. Any access
to the space should be recorded for later evaluation should a problem occur. Inventory should
be tightly controlled and monitored.
The physical protections listed here should extend to the network cables and other devices (such
as routers) that are critical to the cloud server’s operation.32
Sub-Section Two: cloud security services
Additional factors that directly affect cloud software assurance include authentication,
authorization, auditing, and accountability, as summarized in the following sections.
A. Authentication
Authentication is the testing or reconciliation of evidence of a user’s identity. It establishes the
user’s identity and ensures that users are who they claim to be. For example, a user presents an
identity (user ID) to a computer login screen and then has to provide a password. The computer
system authenticates the user by verifying that the password corresponds to the individual
presenting the ID.
B. Authorization
Authorization refers to rights and privileges granted to an individual or process that enable
access to computer resources and information assets. Once a user’s identity and authentication
are established, authorization levels determine the extent of system rights a user can hold.
C. Auditing
To maintain operational assurance, organizations use two basic methods: system audits and
monitoring. These methods can be employed by the cloud customer, the cloud provider, or both,
depending on asset architecture and deployment. A system audit is a one-time or periodic event
to evaluate security. 33
D. Monitoring
Monitoring refers to an ongoing activity that examines either the system or the users, such as intrusion detection. Information technology (IT) auditors are often divided into two types: internal and external. Internal auditors typically work for a given organization, whereas external auditors do not. External auditors are often certified public accountants (CPAs) or other audit professionals who are hired to perform an independent audit of an organization’s financial statements. Internal auditors usually have a much broader mandate than external auditors, such as checking for compliance and standards of due care, auditing operational cost efficiencies, and recommending the appropriate controls. IT auditors typically audit the following functions:
• System and transaction controls.
• Systems development standards.
• Backup controls.
• Data library procedures.
• Data center security.
• Contingency plans.

32
Grobauer, T. Walloschek and E. Stöcker, "Understanding Cloud Computing Vulnerabilities," IEEE Security and Privacy, vol. 99, 2010.
33
https://en.wikipedia.org/wiki/Cloud_computing_issues

In addition, IT auditors might recommend improvements to controls, and they often participate
in a system’s development process to help an organization avoid costly reengineering after the
system’s implementation. An audit trail or log is a set of records that collectively provide
documentary evidence of processing, used to aid in tracing from original transactions forward
to related records and reports, and/or backward from records and reports to their component
source transactions. Audit trails may be limited to specific events or they may encompass all of
the activities on a system. Audit logs should record the following.
• The transaction’s date and time.
• Who processed the transaction.
• At which terminal the transaction was processed.
• Various security events relating to the transaction.
In addition, an auditor should examine the audit logs for the following:
• Amendments to production jobs.
• Production job reruns.
• Computer operator practices.
• All commands directly initiated by the user.
• All identification and authentication attempts.
• Files and resources accessed.
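The two lists above can be turned into an automated first pass over an audit log. The following Python code is an added example, not part of the original thesis: it checks that every record carries the date and time, the user and the terminal, and it counts the event types an auditor should examine. The JSON record layout, the event names, the failure threshold and the sample log lines are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Fields every audit record should carry (from the list in the text).
REQUIRED_FIELDS = ("timestamp", "user", "terminal", "event")
# Event names are assumed; they map to the items the auditor should examine.
REVIEW_EVENTS = {
    "job_amendment", "job_rerun", "user_command", "auth_attempt", "file_access",
}
FAILED_AUTH_THRESHOLD = 3  # assumed threshold for flagging a user

# Constructed sample log, one JSON record per line.
SAMPLE_LOG = """\
{"timestamp": "2024-01-15T09:00:01Z", "user": "opr1", "terminal": "tty3", "event": "auth_attempt", "outcome": "failure"}
{"timestamp": "2024-01-15T09:00:05Z", "user": "opr1", "terminal": "tty3", "event": "auth_attempt", "outcome": "failure"}
{"timestamp": "2024-01-15T09:00:09Z", "user": "opr1", "terminal": "tty3", "event": "auth_attempt", "outcome": "failure"}
{"timestamp": "2024-01-15T09:00:15Z", "user": "opr1", "terminal": "tty3", "event": "auth_attempt", "outcome": "success"}
{"timestamp": "2024-01-15T09:10:00Z", "user": "batch", "terminal": "console", "event": "job_rerun", "job": "payroll"}
{"timestamp": "2024-01-15T09:12:00Z", "user": "opr2", "event": "file_access", "path": "/data/ledger"}
{"timestamp": "2024-01-15T09:13:00Z", "user": "opr2", "terminal": "tty1", "event": "user_command", "command": "ls"}
"""


def review_audit_log(text: str) -> dict:
    """Summarise an audit log for review.

    Returns the line numbers of unusable records, a count of each event type
    the auditor should examine, and users with repeated failed logins.
    """
    incomplete = []
    review_counts = Counter()
    failed_auth = Counter()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            incomplete.append(lineno)  # unreadable record
            continue
        if not isinstance(record, dict) or any(
            not record.get(field) for field in REQUIRED_FIELDS
        ):
            incomplete.append(lineno)  # a required field is missing or empty
            continue
        if record["event"] in REVIEW_EVENTS:
            review_counts[record["event"]] += 1
        if record["event"] == "auth_attempt" and record.get("outcome") == "failure":
            failed_auth[record["user"]] += 1
    flagged = sorted(
        user for user, count in failed_auth.items()
        if count >= FAILED_AUTH_THRESHOLD
    )
    return {
        "incomplete_lines": incomplete,
        "review_counts": dict(review_counts),
        "repeated_auth_failures": flagged,
    }


if __name__ == "__main__":
    print(review_audit_log(SAMPLE_LOG))
```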
E. Accountability
Accountability is the ability to determine the actions and behaviors of a single individual within
a cloud system and to identify that particular individual. Audit trails and logs support
accountability and can be used to conduct postmortem studies in order to analyze historical
events and the individuals or processes associated with those events. Accountability is related
to the concept of nonrepudiation, wherein an individual cannot successfully deny the
performance of an action. 34
Section Two: Security and Privacy of cloud computing
“You can have security and not have privacy, but you cannot have privacy without security.” (Tim Mather) A common misconception is that data privacy is a subset of information security. The two are indeed interrelated, but privacy brings a host of concerns all its own. The concept of privacy varies widely among (and sometimes within) countries, cultures, and jurisdictions. It is shaped by public expectations and legal interpretations; as such, a concise definition is elusive if not impossible. Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data (or personally identifiable information, PII). At the end of the day, privacy is about the accountability of organizations to data subjects, as well as the transparency of an organization’s practice around personal information. Likewise, there is no universal consensus about what constitutes personal data.

34
https://securityboulevard.com/2020/12/6-significant-cloud-security-threats/

For the purposes of this discussion, we will use the definition adopted by the Organization for Economic Cooperation and Development (OECD): any information relating to an identified or identifiable individual (data subject). Another definition gaining popularity is the one provided by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) in the Generally Accepted Privacy Principles (GAPP) standard: “The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.” 35

Sub-Section One: The key privacy concerns in the cloud


Privacy advocates have raised many concerns about cloud computing. These concerns typically
mix security and privacy. Here are some additional considerations to be aware of:
A. Access
Data subjects have a right to know what personal information is held and, in some cases, can make
a request to stop processing it. This is especially important with regard to marketing activities;
in some jurisdictions, marketing activities are subject to additional regulations and are almost
always addressed in the end user privacy policy for applicable organizations. In the cloud, the
main concern is the organization’s ability to provide the individual with access to all personal
information, and to comply with stated requests. If a data subject exercises this right to ask the
organization to delete his data, will it be possible to ensure that all of his information has been
deleted in the cloud?
B. Compliance
What are the privacy compliance requirements in the cloud? What are the applicable laws,
regulations, standards, and contractual commitments that govern this information, and who is
responsible for maintaining the compliance? How are existing privacy compliance
requirements impacted by the move to the cloud? Clouds can cross multiple jurisdictions; for
example, data may be stored in multiple countries, or in multiple states within the United States.
What is the relevant jurisdiction that governs an entity’s data in the cloud and how is it
determined? 36
Where is the data in the cloud stored? Was it transferred to another data center in another
country? Is it commingled with information from other organizations that use the same CSP?
Privacy laws in various countries place limitations on the ability of organizations to transfer
some types of personal information to other countries. When the data is stored in the cloud,
such a transfer may occur without the knowledge of the organization, resulting in a potential
violation of the local law.

35
Grobauer, T. Walloschek and E. Stöcker, "Understanding Cloud Computing Vulnerabilities," IEEE Security and
Privacy, vol. 99, 2010.
36
https://www.salesforce.com/in/products/platform/best-practices/benefits-of-cloud-computing/

C. Retention
How long is personal information (that is transferred to the cloud) retained? Which retention
policy governs the data? Does the organization own the data, or the CSP? Who enforces the
retention policy in the cloud, and how are exceptions to this policy (such as litigation holds)
managed?
D. Destruction
How does the cloud provider destroy PII at the end of the retention period? How do
organizations ensure that their PII is destroyed by the CSP at the right point and is not available
to other cloud users? How do they know that the CSP didn’t retain additional copies? Cloud
storage providers usually replicate the data across multiple systems and sites—increased
availability is one of the benefits they provide. This benefit turns into a challenge when the
organization tries to destroy the data—can you truly destroy information once it is in the cloud?
Did the CSP really destroy the data, or just make it inaccessible to the organization? Is the CSP
keeping the information longer than necessary so that it can mine the data for its own use?
E. Audit and monitoring
How can organizations monitor their CSP and provide assurance to relevant stakeholders that
privacy requirements are met when their PII is in the cloud?
F. Privacy breaches
How do you know that a breach has occurred, how do you ensure that the CSP notifies you
when a breach occurs, and who is responsible for managing the breach notification process (and
costs associated with the process)? If contracts include liability for breaches resulting from
negligence of the CSP, how is the contract enforced and how is it determined who is at fault?
Sub-Section Two: Responsible for Protecting Privacy
There are conflicting opinions regarding who is responsible for security and privacy. Some
publications assign it to providers; but although it may be possible to transfer liability via
contractual agreements, it is never possible to transfer accountability.37 Ultimately, in the eyes
of the public and the law, the onus for data security and privacy falls on the organization that
collected the information in the first place—the user organization. This is true even if the user
organization has no technical capability to ensure that the contractual requirements with the
CSP are met. History and experience have proven that data breaches have a cascading effect.
When an organization loses control of users’ personal information, the users are responsible
(directly or indirectly) for subsequent damages resulting from the loss.

Identity theft is only one of the possible effects; others may include invasion of privacy or unwelcome solicitation. When an affected individual is dealing with the fallout, he will likely blame the one who made the decision to use the service, as opposed to the provider of the service. Full reliance on a third party to protect personal data is irresponsible and will inevitably lead to negative consequences. Responsible data stewardship requires an in-depth understanding of the technology underlying cloud computing and the legal requirements and implications. As such, a cross-functional team is critical to adequately maintain security and privacy. The accountability model (discussed earlier in this chapter) is similar to discussions around privacy in outsourcing or subcontracting relationships, and the conclusion is similar: 38

37
Parkhill, D.F. (1966) The Challenge of the Computer Utility, Addison-Wesley.

• Organizations can transfer liability, but not accountability.
• Risk assessment and mitigation throughout the data life cycle is critical.
• Knowledge about legal obligations and contractual agreements or commitments is
imperative.
There are, however, many new risks and unknowns; thus, the overall complexity of privacy
protection in the cloud represents a bigger challenge.

Topic Two: cloud computing threats


A threat can cause damage to a system and create a loss of confidentiality, availability or integrity. Threats can be malicious, such as the intentional modification of sensitive information. Cloud computing faces the same security threats that are currently found in existing computing platforms, networks, intranets and internets in enterprises. These threats, risks and vulnerabilities come in various forms. Cloud computing provides cost savings and operational efficiencies to users and organizations, but it also leads to new security risks and uncertainties. The increased attack surface in a cloud environment allows other vulnerabilities to be exploited, thereby increasing the organization’s risk.

Risk is defined as a given threat that exploits vulnerabilities of an asset or group of assets and thereby causes harm to the organization. The increased attack surface in a cloud environment includes virtual switches and the hypervisor, which are not present in the traditional data center, and it allows other vulnerabilities to be exploited, thereby increasing the organization’s risk. The CSA (Cloud Security Alliance) conducted a survey in 2013 and reported nine major security threats of cloud computing. According to industry experts, these are ranked as the greatest vulnerabilities within cloud computing. Below are the nine critical threats to cloud security. 39

• Data Breaches: If consumers lose the encryption key, the data will be lost as well.
• Data Loss: Data loss occurs due to weak security or an accidental or physical crisis.
• Account or Service Hijacking: It includes attacks like phishing, fraud and exploitation of software.
• Insecure Interfaces: The interfaces or APIs used to interact with the service providers are prone to risks from attackers.
• Denial of Service: The attackers prevent consumers from accessing their data and services.
• Malicious Insider: The attackers get through the security wall and access all the sensitive data.
• Abuse of Cloud Services: Services provisioned by cloud providers are misused by attackers.
• Insufficient Due Diligence: Many organizations adopt the cloud without complete knowledge of the CSP, which brings an unknown level of risk.
• Shared Technology Vulnerabilities: In a multi-tenant model, individual customers do not impact other tenants.

38
https://www.compuquip.com/blog/cloud-security-challenges-and-risks
39
https://www.compuquip.com/blog/cloud-security-challenges-and-risks

Section One: most cloud computing threats


The CSA (Cloud Security Alliance) conducted a survey in 2013 and reported the nine top threats to cloud computing. According to industry experts, these are ranked as the greatest vulnerabilities within cloud computing. Below are the nine critical threats to cloud security.
A. Data Breaches
The CIO of every organization fears losing sensitive internal data to competitors. In November 2012, researchers from the University of North Carolina, the University of Wisconsin and RSA Corporation released a paper describing how, if multiple virtual machines are running on a single physical server, it may be possible to extract the private cryptographic keys used on one virtual machine from another virtual machine by using side-channel timing information.
In a multitenant environment, a flaw in a single tenant’s application could allow an intruder to access the applications of all the clients present in the environment. The impact of data breaches can be reduced by encrypting the data, but if you lose your encryption key, your data will be lost automatically. Multiple copies of data are kept to reduce the impact of data loss, but this increases your exposure to data breaches.
B. Data Loss
For cloud consumers, data loss is one of the most concerning issues. A person lost all his personal files due to lack of data security by the service provider. Of course, data stored in the cloud can be lost for other reasons as well. An accidental or physical crisis such as a fire or an earthquake can also be responsible for the loss of data. Furthermore, if a customer encrypts its data before uploading it to the cloud and then loses the encryption key for any reason, the data will be lost as well.
C. Account or Service Traffic Hijacking
Account or service hijacking includes attacks like phishing, fraud, and exploitation of software. This security threat arises from the loss of credentials. If attackers gain access to your credentials and passwords, they can easily get access to your confidential data and accounting information. They can also manipulate or delete your data, return falsified information, and redirect your clients to an illegitimate site. To avoid this, organizations and individuals should protect their passwords and credentials from being shared between users and services. Proper authentication techniques should also be used.
D. Insecure Interfaces and APIs
Sometimes customers have to interact with the service providers. For this, the providers expose a set of software interfaces or APIs. Management and control are done using these interfaces, so the security of these APIs is very important. Authentication and encryption are used to make them secure. They must also be designed to protect against both accidental misuse and malicious attackers. 40

40
https://www.compuquip.com/blog/cloud-security-challenges-and-risks

E. Denial of Service
A DoS attack prevents the users of cloud services from accessing their data or applications. The attacker (or attackers, as is the case in a Distributed Denial of Service (DDoS) attack) creates a system slowdown by consuming system resources such as processor power, memory, disk space and bandwidth. This creates confusion among the users, who become annoyed by the late responses to their requests. A DoS attack leaves the users in an unending loop in which they are not able to do anything except sit and wait.
Sub-Section One: Other Threats
The scope of cloud computing is growing, and with it the fears about threats that could affect the cloud. An updated list of other important threats that could affect cloud users and providers is explained below.
A. Weak Identity and Access Management
This threat arises when the identity system or the access management system of the cloud is weak or inefficient. Malicious attackers can then easily steal users' identities and use them illegally. Since users depend on their identities to get cloud services and access their resources, the main impact of this threat is that users' identities may be stolen and used by unauthorized users. This can lead to other threats such as account or service hijacking, which in turn can lead to further threats such as data breaches, spoofing, etc. The identity system of the cloud must be able to handle the identities of millions of users and to prevent access to cloud resources immediately when personnel changes such as job termination occur. 41
B. System and Application Vulnerabilities
Attackers can take advantage of any hole that exists in the applications and systems of the cloud. These holes can be used as a path to attack cloud stakeholders in order to access their sensitive data, steal it, or control cloud operations. Vulnerabilities in the internal system of the cloud and its applications may put the cloud services and the customers' data in a critical situation. These vulnerabilities and holes are called bugs; they are not new and have existed as long as computers have. An example of a bug that attackers can exploit arises when several organizations and users access the same memory and the cloud service provider has not put an appropriate mechanism in place to isolate them.
C. Advanced Persistent Threats (APTs)
This threat refers to a group of people or organizations that target business organizations and companies through the network. The attackers attack the infrastructure of the companies and install their own code to monitor their targets for a long period of time. These attackers have specific goals: they may want to steal secret files, fabricate files, etc. A good example of this threat is an attack on companies that are responsible for intellectual property, carried out in order to produce fake patents. Some of the means that APT attackers can use to get access to the network of target companies are unsecured links or files, spear phishing (an email-spoofing attack), USB devices that carry the attacker's code, or any other means that helps to distribute and transfer the attack code. Staff should therefore be careful when opening files or links that exist on the network. The usual defenses, such as antivirus software and firewalls, cannot detect or counter this kind of threat. 42

41
of the 44th Hawaii International Conference on System Sciences, Koloa, HI, 4-7 January 2011

D. Backdoor Channel attacks
This kind of attack happens in IaaS when it gives an effective user a high degree of permeation at the VM or hypervisor level. This may affect service availability and data privacy.
E. Cross-site scripting attacks
Also called XSS, this is one of the most powerful attacks on security weaknesses found in web applications. JavaScript, one of the most widely used scripting languages, is commonly used in such attacks.
F. Cloud malware injection attack
This is one of the top attacks on cloud computing security lists; its purpose is to inject malware, a malicious application or a malicious virtual machine into the cloud infrastructure.
G. Man-in-the-middle attacks
In this type of attack, the hacker makes an autonomous connection between the customer and the service provider in order to observe the data and information of the service without their knowledge.
H. Metadata spoofing attack
In this type, the web service provider sends the service metadata document to the client system. The document has all the information about the service invocation, such as security requirements, message format and network location. The attacker’s objective is to reengineer the web service metadata descriptions, aiming to modify the network references and endpoints to the security policies.
I. Phishing attack
This attack affects user privacy and exposes users' data and information by leading users to access a fake web link installed on their PCs; malicious code then exposes that data.
J. Sniffer attacks
In this type of attack, the attacker intends to read the content of network packets when no encryption has been applied to the data being sent. A sniffer can be a script, an application or a device.
K. Security concerns with the virtual machine manager
The concern here is that service providers have to be very careful with the services that VM technology provides to users, because this technology suffers from security issues in some cases.
L. Unknown risk profile
This kind of security threat results from paying attention to the functionality and features gained from implementing cloud services without giving any consideration to the security technologies and procedures that are going to be developed. The concern is which features may give third parties access to the data, and that this data may be disclosed for any reason.

42
https://www.datapine.com/blog/cloud-computing-risks-and-challenges/

M. Zombie attack (DoS/DDoS)
It occurs through direct or indirect flooding of a host at the hypervisor, network or VM level. It may affect service availability and create a user account for false service usage. 43
Sub-Section Two: Virtual threats.
Some threats to virtualized systems are general in nature, as they are inherent threats to all computerized systems (such as denial-of-service, or DoS, attacks). Other threats and vulnerabilities, however, are unique to virtual machines. Many VM vulnerabilities stem from the fact that a vulnerability in one VM system can be exploited to attack other VM systems or the host systems, as multiple virtual machines share the same physical hardware. Virtualization is another important technology for the realization of cloud computing (CC), but the services offered by virtualization may also introduce some forms of risk to its applications, as explained below. 44
A. Isolation Failure
One of the primary benefits of virtualization is isolation. This benefit, if not deployed
properly, will generate a threat to the environment. Poor isolation or an inappropriate access
control policy allows attacks between two VMs or between VMs and their associated VMM.
For instance, VM escape is one of the worst cases that can happen if the isolation between the
host and the VMs is compromised. In a VM escape, a program running in a VM is able to
bypass the VMM layer and get access to the host machine. Since the host machine is the root
of security of a virtual system, a program that gains access to the host machine can also
gain root privileges.
B. Service Disruption
This threat may occur when an attacker gains access to an organization's login credentials,
which may lead to further malicious activities such as Denial-of-Service (DoS) or Distributed
Denial-of-Service (DDoS) attacks. A DoS attack is an attempt to make a computer resource
unavailable to its intended users. One common method of this type of attack involves saturating
the target machine with bogus requests such that it cannot respond to the legitimate requests in
a timely manner. An attacker typically uses multiple computers to launch an assault.
Eradication of DoS attacks using IDS (Intrusion Detection Systems) over the cloud will
solve most of these problems. Another excellent approach is to limit the resource allocation
using proper configurations. On the other hand, a DDoS attack aims to make services or
resources unavailable for an indefinite amount of time by flooding them with useless traffic.
These attacks have two main objectives. The first is to exhaust computer resources (CPU time
and network bandwidth) so that services become unavailable to legitimate users. The second is
to imitate genuine web service traffic in order to create a large group of agents to launch an
attack. Thus, a DDoS attack is a major threat to availability. The solution for this event is to
increase the number of such critical resources. 45
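One way to apply the resource-limiting approach described above, as an added example that is not part of the original thesis: a per-client token bucket caps how many requests any single source can consume, so a flooding client is throttled while a normal client is still served. The rate, burst size, client addresses and traffic are constructed for illustration.

```python
class TokenBucket:
    """Per-client request budget: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = burst      # a new client starts with a full bucket
        self.last = now

    def allow(self, now):
        # Refill for the time elapsed since the previous request, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0   # each admitted request costs one token
            return True
        return False


class RateLimiter:
    """Keeps one bucket per client so one noisy source cannot starve the others."""

    def __init__(self, rate=5.0, burst=10.0):
        self.rate = rate
        self.burst = burst
        self.buckets = {}

    def allow(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = TokenBucket(self.rate, self.burst, now)
            self.buckets[client] = bucket
        return bucket.allow(now)


def simulate(requests, rate=5.0, burst=10.0):
    """requests: iterable of (timestamp_seconds, client).
    Returns {client: [served, rejected]}."""
    limiter = RateLimiter(rate, burst)
    stats = {}
    for ts, client in sorted(requests):
        counts = stats.setdefault(client, [0, 0])
        counts[0 if limiter.allow(client, ts) else 1] += 1
    return stats


def constructed_traffic():
    # Constructed sample (documentation-range addresses): one client sends
    # 200 requests/s for 2 s, another sends 2 requests/s over the same 2 s.
    flood = [(i / 200.0, "198.51.100.7") for i in range(400)]
    normal = [(i / 2.0, "203.0.113.20") for i in range(4)]
    return flood + normal


if __name__ == "__main__":
    for client, (served, rejected) in simulate(constructed_traffic()).items():
        print(f"{client}: served={served} rejected={rejected}")
```

A per-client cap of this kind contains a single noisy source; traffic spread over many sources still needs upstream filtering and spare capacity.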
C. Multi-tenancy
During execution of multiple VMs on the same host, different users can share both the
application and physical hardware. This may lead to information leakage and other
exploitations. For instance, in a virtual system, an inappropriate VM management policy will
cause VM sprawl, a case where the number of VMs grows rapidly while most of them are idle
or never come back from sleep, which may cause the resources of the host machine to be largely
wasted.

43
https://www.datapine.com/blog/cloud-computing-risks-and-challenges/
44
of the 44th Hawaii International Conference on System Sciences, Koloa, HI, 4-7 January 2011
45
https://www.datapine.com/blog/cloud-computing-risks-and-challenges/

Section Two: Cloud Computing Common Challenges
The following are some of the latest notable challenges associated with cloud computing, and
although some of these may cause a slowdown when delivering more services in the cloud,
most also can provide opportunities, if resolved with due care and attention in the planning
stages.
A. Data Security and Privacy
Data security is a major concern when working with Cloud environments. It is one of the
major challenges in cloud computing as users have to take accountability for their data, and
not all Cloud providers can assure 100% data privacy. According to Statista, 64% of
respondents in a survey conducted in 2021 said data loss or leakage is their biggest challenge
with cloud computing. Similarly, 62% said data privacy was their second biggest challenge. The
problem with cloud computing is that the user cannot view where their data is being processed
or stored. If it is not handled correctly during cloud management or implementation, risks
such as data theft, leaks, breaches, compromised credentials, hacked APIs,
authentication breaches, and account hijacking can arise.
B. Multi Cloud Environments
Common cloud computing issues and challenges with multi-cloud environments are
configuration errors, lack of security patches, data governance, and no granularity. It is
difficult to track the security requirements of multi-clouds and apply data management
policies across the board.
C. Performance Challenges
The performance of Cloud computing solutions depends on the vendors who offer these
services to clients, and if a Cloud vendor goes down, the business gets affected too. It is one
of the major challenges associated with cloud computing.46
D. Interoperability and Flexibility
Interoperability is a challenge when you try to move applications between two or multiple
Cloud ecosystems. It is one of the challenges faced in cloud computing. Some common
issues faced are:
• Rebuilding application stacks to match the target cloud environment's specifications.
• Handling data encryption during migration.
• Setting up networks in the target cloud for operations.
• Managing apps and services in the target cloud ecosystem.
E. High Dependence on Network
Lack of sufficient internet bandwidth is a common problem when transferring large volumes
of information to and from Cloud data servers. It is one of the various challenges in cloud
computing. Data is highly vulnerable, and there is a risk of sudden outages. Enterprises that
want to lower hardware costs without sacrificing performance need to ensure there is high
bandwidth, which will help prevent business losses from sudden outages.

46
https://www.datapine.com/blog/cloud-computing-risks-and-challenges/

F. Lack of Knowledge and Expertise
Cloud technologies are rapidly advancing, and more and more services and applications are
being released to cater to different needs. However, it’s also becoming difficult for
organizations to find skilled professionals to maintain the cloud systems. It’s also costly for
small and medium-sized businesses to hire expert cloud professionals. The reason is the cloud
is a new concept for many, and it’s still not mainstream. Not everyone in your team will be
familiar with cloud technologies. And hence, your IT staff must also be trained how to use the
cloud technologies efficiently by themselves. It again incurs a high cost, which is a burden for
organizations with a limited budget.
They will have to pay for the instructor and invest in recruiting and onboarding cloud
professionals. Organizations are finding it tough to find and hire the right Cloud talent, which
is another common challenge in cloud computing. There is a shortage of professionals with
the required qualifications in the industry. Workloads are increasing, and the number of tools
launched in the market is increasing. Enterprises need good expertise in order to use these
tools and find out which ones are ideal for them.
G. Reliability and Availability
High unavailability of Cloud services and a lack of reliability are two major concerns in
these ecosystems. Organizations are forced to seek additional computing resources in order
to keep up with changing business requirements. If a Cloud vendor gets hacked or affected,
the data of organizations using their services gets compromised. It is another one of the many
cloud security risks and challenges faced by the industry.
H. Password Security
Account managers use the same passwords to manage all their Cloud accounts. Password
management is a critical problem, and it is often found that users resort to using reused and
weak passwords.
I. Cost Management
Even though Cloud Service Providers (CSPs) offer a pay-as-you-go subscription for services,
the costs can add up. Hidden costs appear in the form of underutilized resources in
enterprises.
J. Reduced Visibility and Control
Cloud computing offers the benefit of not having to manage the infrastructure and resources
like servers to keep the systems working. Although it saves time, expenses, and effort, the users
end up having reduced control and visibility into their software, systems, applications, and
computing assets. As a result, organizations find it challenging to verify how efficient the
security systems are due to no access to the data and security tools on the cloud platform. They
also can’t implement incident response because they don’t have complete control over their
cloud-based assets. In addition, organizations can’t have complete insight into their services,
data, and users to identify abnormal patterns that can lead to a breach.47

47
https://www.salesforce.com/in/products/platform/best-practices/benefits-of-cloud-computing/

Sub-Section One: Other Challenges
There are also many challenges involved in cloud computing, and if you’re not prepared to deal
with them, you won’t realize the benefits. Here are some other challenges you must consider
before implementing cloud computing technology.
A. Vendor lock-in
Entering a cloud computing agreement is easier than leaving it. “Vendor lock-in” happens when
altering providers is either excessively expensive or just not possible. It could be that the service
is nonstandard or that there is no viable vendor substitute.
It comes down to buyer diligence. Make sure the services you use are standard and
portable to other providers, and above all, understand the requirements.
B. Data privacy
Sensitive and personal information that is kept in the cloud should be defined as being for
internal use only, not to be shared with third parties. Businesses must have a plan to securely
and efficiently manage the data they gather. 48
C. Building a private cloud
Although building a private ecosystem isn’t a top priority for many organizations, for those
who are likely to implement such a solution, it quickly becomes one of the main challenges
facing cloud computing – private solutions should be carefully addressed. Creating an internal
or private cloud will bring a significant benefit: having all the data in-house. But IT managers
and departments will need to face building and gluing it all together by themselves, which can
make one of the challenges of moving to cloud computing extremely difficult.
D. Segmented usage and adoption
Most organizations did not have a robust cloud adoption strategy in place when they started to
move to the cloud. Instead, ad-hoc strategies sprouted, fueled by several components. One of
them was the speed of adoption. Another one was the staggered expiration of data center
contracts/equipment, which led to intermittent cloud migration. Finally, there also were
individual development teams using the public cloud for specific applications or projects. These
bootstrap environments have fostered full integration and maturation issues including:
• Isolated projects lacking shared standards.
• Ad hoc security configurations.
• Lack of cross-team shared resources and learnings.
E. Improper Access Controls and Management
Improper or inadequate cloud access controls and management can lead to various risks for an
organization. Cybercriminals leverage web apps, steal credentials, perform data breaches, and
more. Organizations may face access management issues if they have a large or distributed
workforce. In addition, organizations can also face password fatigue and other issues such as
inactive users signed in for long periods, poorly protected credentials, weak passwords,
multiple admin accounts, mismanagement of passwords, certificates, and keys, and more. As a
result of poor access controls and management, organizations can be vulnerable to attacks, and
their business information and user data can be exposed. Ultimately, it can cause reputation
damage and increase unnecessary expenses.
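An added example (not part of the original thesis) of an audit for the access-control problems listed above and for the password reuse described under Password Security: it scans an account inventory for inactive users, stale keys, admins without multi-factor authentication, too many admin accounts and shared passwords. The inventory, field names and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory, not an export from any real provider. Field names are
# hypothetical; password_fp stands for a keyed fingerprint supplied by a
# password manager, never the password itself.
ACCOUNTS = [
    {"user": "alice", "cloud": "cloud-a", "role": "admin", "enabled": True,
     "last_login": date(2024, 5, 28), "mfa": True,
     "key_created": date(2024, 4, 2), "password_fp": "fp-01"},
    {"user": "alice", "cloud": "cloud-b", "role": "admin", "enabled": True,
     "last_login": date(2024, 5, 30), "mfa": False,
     "key_created": date(2023, 1, 15), "password_fp": "fp-01"},
    {"user": "bob", "cloud": "cloud-a", "role": "admin", "enabled": True,
     "last_login": date(2023, 11, 3), "mfa": True,
     "key_created": None, "password_fp": "fp-02"},
    {"user": "carol", "cloud": "cloud-a", "role": "reader", "enabled": True,
     "last_login": date(2024, 5, 20), "mfa": True,
     "key_created": date(2024, 3, 10), "password_fp": "fp-03"},
    {"user": "dave", "cloud": "cloud-a", "role": "admin", "enabled": False,
     "last_login": date(2022, 6, 1), "mfa": False,
     "key_created": None, "password_fp": "fp-04"},
]
TODAY = date(2024, 6, 1)  # constructed audit date


def audit(accounts, today, max_idle_days=90, max_key_days=90, max_admins=1):
    """Return a sorted list of (finding, subject) tuples for enabled accounts."""
    findings = []
    admins = defaultdict(list)   # cloud -> admin accounts
    by_fp = defaultdict(list)    # password fingerprint -> accounts using it
    for acct in accounts:
        if not acct["enabled"]:
            continue             # disabled accounts cannot sign in
        name = f'{acct["user"]}@{acct["cloud"]}'
        if (today - acct["last_login"]).days > max_idle_days:
            findings.append(("inactive", name))
        key = acct["key_created"]
        if key is not None and (today - key).days > max_key_days:
            findings.append(("stale_key", name))
        if acct["role"] == "admin":
            admins[acct["cloud"]].append(name)
            if not acct["mfa"]:
                findings.append(("admin_without_mfa", name))
        by_fp[acct["password_fp"]].append(name)
    for cloud, names in admins.items():
        if len(names) > max_admins:
            findings.append(("too_many_admins", cloud))
    for names in by_fp.values():
        if len(names) > 1:       # same password on more than one account
            findings.append(("password_reuse", ",".join(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit(ACCOUNTS, TODAY):
        print(f"{finding}: {subject}")
```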

48
Carpenter, M., Liston, T. and Skoudis, E. (2007) ‘Hiding virtualization from attackers and malware’, Security & Privacy,
IEEE, Vol. 5, No. 3, pp.62–65

F. Service Quality
It is an important factor when considering cloud-based solutions. It has to provide availability
and scalability to sustain the demands of the user for a longer time. Cloud service providers
should allow parallel processing as a single service could be demanded by multiple users at the
same time. Ensuring concurrency is a must.
G. Computing Performance
In cloud computing, low bandwidth does not meet the desired computing performance.
However, high network bandwidth is needed for data-intensive applications on the cloud, and
this results in high costs. 49
H. Identity management (IDM)
It is a key aspect of cloud computing security whose goal is to perform verification and
validation processes among heterogeneous cloud services. However, it still has some issues
associated with interoperability among the latest security technologies.
I. Integration
When customers or organizations need to use multiple service providers for several
reasons, they have to implement and integrate software and data in several clouds. In some
cases, this issue can be solved by using hybrid clouds.
J. Policies
Cloud computing needs a well-written policy for the security procedures and guidelines that
will be implemented in the solutions.
K. Security in the web browser
The security requirements in the web browser are not enough to handle the user’s needs in terms
of complex and sophisticated banking and critical environments for a shared solution, such as
cloud solutions.

Sub-Section Two: Solution of Challenges


A. Data Security and Privacy challenges solution
To ensure your data remains safe, find out if your cloud service provider has safe and secure
identity authentication, management, and access controls. Ask them what sort of security they
provide and against what factors. Do they have enough resources and expertise to handle the
issues if something goes wrong? If you have a satisfactory answer to these questions, choose
the cloud service provider. Then configure network hardware and install the latest software
updates to prevent security vulnerabilities. Using firewalls and antivirus, and increasing
bandwidth for Cloud data availability are some ways to prevent data security risks.
B. Multi-Cloud Environments solution
Using a multi-cloud data management solution is a good start for enterprises. Not all tools
will offer specific security functionalities, and multi-cloud environments grow highly
sophisticated and complex. Open-source products like Terraform provide a great deal of
control over multi-cloud architectures.

49
https://www.salesforce.com/in/products/platform/best-practices/benefits-of-cloud-computing/

C. Performance Challenges solution
Sign up with Cloud Service Providers who have real-time SaaS monitoring policies.
The Cloud Solution Certification (CSAC) training addresses all Cloud performance issues
and teaches learners how to mitigate them. Do necessary homework on your cloud service
provider’s infrastructure and ask detailed questions to make sure that your apps’ performance
does not suffer in the long run. Determine which applications can be safely moved to the cloud,
and monitor them regularly to ensure optimal performance. Test early and often – when your
enterprise applications begin communicating with other applications in the cloud, you are
embarking on a new integration scenario and therefore ensuring end-to-end performance testing
is critical. Do your research! Find ways in which you can improve application development to
ensure the best performance.50
D. Interoperability and Flexibility solution
Setting Cloud interoperability and portability standards in organizations
before getting to work on projects can help solve this problem. The use of multi-layer
authentication and authorization tools is also encouraged for account verifications in public,
private, and hybrid cloud ecosystems.
E. High Dependence on Network solution
The solution is to pay more for higher bandwidth and focus on improving operational
efficiency to address network dependencies.
F. Lack of Knowledge and Expertise solution
The solution to the lack of knowledge and expertise is to hire Cloud professionals with
specializations in DevOps and automation.
G. Reliability and Availability solution
Implementing the NIST Framework standards in Cloud environments can greatly improve
both aspects. Supervise usage, SLAs, performance, robustness, and the business dependency
of these services, and ensure around-the-clock availability of your apps in the cloud. Verify the
level of protection you’re receiving from your cloud storage provider and make sure it adheres
to your business requirements.
H. Cost Management
Auditing systems regularly and implementing resource utilization monitoring tools are some
ways organizations can fix this. It's one of the most effective ways to manage budgets and
deal with major challenges in cloud computing.
I. Lack of expertise:
Organizations adopting new cloud technologies must ensure they are using technologies that
are easy to use, implement, and deploy, with not so steep learning curves. You must also run
in-house training where your senior cloud professionals can train the new or other staff for
cloud technologies. Companies should retrain their existing IT staff and help them in
upskilling their careers by investing in Cloud training programs.
J. Control or Governance
Traditional IT processes should be adopted in ways to accommodate Cloud migrations.

50
https://www.salesforce.com/in/products/platform/best-practices/benefits-of-cloud-computing/

K. Compliance challenge solution
Choose the vendors that are compliant with the standards applicable in your state or country.
Many cloud service providers can offer certified compliance, while for others, you may have to
dig deeper and understand how and what regulations they are compliant with. This will ensure
that whatever cloud service you choose, you will be compliant with the laws applicable in your
area. It not only saves you during audits and from penalties but also maintains customer trust.
The General Data Protection Regulation (GDPR) Act is expected to expedite compliance
issues in the future for CSPs.

Findings
1. I found that cloud computing is used for on-demand services. Cloud computing is one of the
emerging technologies in the world. It is a computing technology that provides sharable
computing resources like software, platform, storage, applications etc. as a service to the
customers on demand over the internet. Its advantages include cost savings, scalability, high
availability, resilience, flexibility, efficiency and outsourcing non-core activities. There are
also several disadvantages of cloud like Expenses can be quickly reduced, Flexible capacity,
Downtime.
2. I found the latest threats and challenges in cloud computing. Cloud computing, being a
modern technology, offers numerous advantages. In order to harness all these benefits, one
has to scrupulously investigate as many cloud security measures as possible. These concerns
may vary from vulnerability to malicious code penetration to hijacked accounts to full-scale
data breaches. Some of the major cloud threats and challenges were identified, which one
must consider before making the decision to migrate to the cloud and opt for its services.
Common threats and challenges associated with cloud computing are Data breaches threat,
Data loss threat, Account hijacking threat, Insecure API threats, Virtual threat, multi cloud
challenges, Performance challenges, Downtime challenges, Lack of knowledge challenges.
3. I found some solutions for cloud challenges: adopt necessary standards in cloud computing
to ensure interoperability. Do necessary homework on your cloud service provider’s
infrastructure and ask detailed questions to make sure that your apps’ performance does not
suffer in the long run. Supervise usage, SLAs, performance, robustness, and the business
dependency of these services, and ensure around-the-clock availability. Configure network
hardware and install the latest software updates to prevent security vulnerabilities. Using
firewalls, antivirus, and increasing bandwidth for Cloud data availability are some ways
to prevent data security risks. Use multi-cloud data management. Traditional IT processes
should be adopted in ways to accommodate Cloud migrations.

Conclusion
To summarize, cloud is a new buzzword that is evolving at a phenomenal speed, even in the
context of the fast-moving IT sector, and is becoming increasingly in demand around the world.
The cloud provides many options for the everyday computer user as well as large and small
businesses. It opens up the world of computing to a broader range of uses and increases the
ease of use by giving access through any internet connection. However, with this increased ease
also come drawbacks. You have less control over who has access to your information and little
to no knowledge of where it is stored. You also must be aware of the security risks of having
data stored on the cloud. The cloud is a big target for malicious individuals and may have
disadvantages because it can be accessed through an unsecured internet connection. In this
thesis, the most critical threats and challenges that exist in cloud computing, with their side
effects and suggested solutions, have been presented. The level of the impact of these threats
depends on the power of the attackers and their purposes. Some of these threats may be a cause
of other threats; for example, insecure APIs may increase the probability of the account or
service hijacking threat. Another example is that the account hijacking threat may increase the
probability of the data loss and breach threats. Confronting these threats does not depend only
on the cloud service provider and the brokers, but also on the cloud customers. For example, in
the Insufficient Due Diligence threat, the users must be ready to work on the cloud architecture
and they must be aware of its threats and risks. There is no complete solution that can prevent
the cloud challenges and give its customers full security. These solutions can reduce the level
of the impact of these challenges and give its customers some kind of protection. Cloud is a
double-edged sword and clearly there are both threats and challenges with the cloud.

Recommendation
It is evident from the results that concentrating only on speed and cost rather than protection
of cloud resources may open the door to security breaches.
1. I recommend to organizations that, before migrating to any cloud service, it is
important to confirm the service provider's capabilities, including present consumer feedback
and reputation. Details of audits and incident reports can make the best provider stand out
from the others.
2. I recommend that organization users verify their cloud provider's qualities before going
for their service, as follows. All-round coverage and protection: coverage and protection
deal with data, infrastructure, and application, inside and outside security. The provider must
put into practice strong industry-level security standards, implement security measures,
meet compliance regulatory requirements, and satisfy customer requirements to build
confidence.
3. I recommend to organizations 24/7 customer service: just as their services and
applications are available all the time, the provider should also provide 24/7 customer support,
and further operate incident response teams for any emergency incident. Multilayer security
protection: an expert provider can understand the value of multilayer protection and how it
protects client private information and resources. A sagacious provider must follow a complete
life cycle procedure to implement security from the start to the end stage of the service.
4. I recommend to all organizations that the better solution is that cloud users and providers
should come to an understanding, discuss the significance of security and work together to
make a strong, secure cloud computing environment.
