Sasubilli 2021

The document discusses security challenges, threats, and vulnerabilities in cloud computing. It outlines how cloud computing has become integral to information technologies but also introduces disadvantages like isolated data and communication issues between virtual machines. This enables cyber attacks, which the paper categorizes into threats, attacks, and other challenges to cloud security. It stresses the importance of security and access control for cloud service providers.


Proceedings of the Sixth International Conference on Inventive Computation Technologies [ICICT 2021]

IEEE Xplore Part Number: CFP21F70-ART; ISBN: 978-1-7281-8501-9

Cloud Computing Security Challenges, Threats and Vulnerabilities

Manoj Kumar Sasubilli, GITAM Institute of Management, GITAM (Deemed to be University), Gandhi Nagar, Rushikonda, Visakhapatnam, India.
Venkateswarlu R, GITAM Institute of Management, GITAM (Deemed to be University), Gandhi Nagar, Rushikonda, Visakhapatnam, India.

2021 6th International Conference on Inventive Computation Technologies (ICICT) | 978-1-7281-8501-9/21/$31.00 ©2021 IEEE | DOI: 10.1109/ICICT50816.2021.9358709

Authorized licensed use limited to: Western Sydney University. Downloaded on June 14, 2021 at 14:40:28 UTC from IEEE Xplore. Restrictions apply.

Abstract—Cloud computing has grown to become an integral part of present as well as future information technologies. This technology has been designed to be used with the internet by providing features such as information storage, remote access, etc. Cloud computing has proved to be an effective tool for all the services it provides, but it also comes with various types of threats. Over the years of its development, different attacks and data thefts have been reported as a crucial factor, since the data stored in the cloud by an organization or an individual user is basically confidential and sensitive. These data are illegally accessed by many hackers and are further used to attack the user. This paper mainly aims to highlight such attacks and provide suggestions for resolving data breach issues.

Keywords—Cloud computing, security challenges, vulnerabilities in cloud computing, cyber attacks.

I. INTRODUCTION

Data storage for useful information has always been in short supply. Even with large scale data storage devices, the space will not be adequate to store the existing huge amount of information. Cloud computing is basically considered an internet-centric open standard model. This model is full of different types of services, which include both hardware and software. The service providers do not require any high management effort for the provision and maintenance of these services. The term “cloud computing” aims to enhance the capabilities of high power computing systems. It also aims to reduce the price by raising efficiency as well as performance. Though the benefits and facilities provided are very effective, the existing technical barriers might stop cloud computing from being a ubiquitous service. One of the main constituents of cloud computing is security, and it also remains the most significant concern of the system. It usually suffers from various types of security concerns and attacks like malicious code. In addition, new concerns such as the storage and movement of data through the cloud are a big problem for the user. The possibility of the data being located in a different place with different regulations adds a lot to this problem. It is also very important for a cloud service provider to confirm the usability and availability of its services. There are various reasons that could affect the availability and accessibility of the computing resources, like denial of service or natural/unnatural disasters. Data privacy is one of the prime concerns associated with the security of cloud computing, as the data must be protected from any third party, which is frequently reported by the users. Since cloud computing is used for sharing data, data theft remains a very common and big risk for both users and service providers.

Cloud computing uses different ways to meet the requirements of the consumer, and one of these ways is virtualization. Though virtualization is brought into application to benefit the consumer, it has its own disadvantages, like issues related to the isolation of data and communication among the virtual machines. Through cloud computing, cyber-attacks are more likely to happen. Many of these cyber-crimes belong to the most common as well as potential encounters that have taken place in the wider internet, like malicious insiders, DDoS attacks, nefarious use and abuse of cloud computing, insecure application programming interfaces, etc. It is important for service providers in the field of cloud computing to enhance their cyber security and the access control system for their resources in order to keep a record of who dealt with them. This paper presents the list of problems related to the challenges that fall over the security of information. This paper also presents three different categories, which are threats, attacks and other challenges to security.

Currently, the data shows the involvement of cloud computing in approximately everyone’s life. This is because of the low-cost or no-cost delivery of services for storage space and applications. Most users use these services on a regular basis. This can be easily explained with the example of the email system, which is used for exchanging information in the form of text, images, videos, etc.; on-demand subscription services; various social networking sites; and collaboration tools for working along with other people in real time on the same document. The involvement of cloud computing services does not end here, as they are also brought into application within various types of businesses and are provided on rent to save companies a one-time investment. Undoubtedly, these services have changed our lives to a great extent, but the security issues that come along with them make the user vulnerable to many types of cyber-crime that can be heard of and seen on a daily basis. There are many techniques and methods used by hackers for accessing the cloud without being legally authorized, and these criminals also disrupt the services associated with the cloud to attain their targeted objectives. There is a possibility that cloud computing services get tricked by hackers who make their unauthorized entry to the data look like a valid entry and thus gain control over access to the data stored in the cloud.

After gaining illegal access to the data, the hackers locate the place where the data is stored and then steal data that might be very sensitive. As per the data provided by the Data Loss DB, 1047 data thefts were reported in just the first 9 months of the year 2012. This number was 1041 in the year 2011. The 2 victims who suffered from this criminal activity were Stratfor and Epsilon. In this data theft, Epsilon accidentally exposed millions of customer names with their emails from its database. A similar case happened with Stratfor, which was cyber-robbed of 860000 user names with passwords and 75000 credit card numbers. It is also possible that after
hacking the data, the data could be misused for attacks against the same or a different network user. In a recent incident, a server was rented via the EC2 service of Amazon and was used to attack the network of Sony PlayStation. This is evidence of the need for a proper understanding of the threats linked with the use of cloud security, in order to provide additional security services to the user.

There are various advantages of the cloud, such as cloud as well as online storage, remote access to documents, etc. There are various models through which cloud computing provides services. These models are mentioned below:

1. Software-As-Service: This model enables the user to access the application software and the database remotely or directly.
2. Platform-As-Service: In this computing model, the user is provided with different features in order to access the OS, web servers and the execution environment of the programming language.
3. Infrastructure-As-Service: This model provides the user with a virtual or physical machine.

It is evident from many incidents that almost all technologies have their loopholes, which must be sorted out to ensure error-free communication with high efficiency. There are various types of security loopholes associated with cloud computing in relation to cyber-attacks and storage of data. This paper presents a few of the major problems which might hamper the cloud’s services. Section III explains security issues based on their categories. In the last section, the conclusion is presented. As businesses are moving on to the cloud, an enormous amount of critical data is being stored in cloud data centers; as a result, many queries on security, privacy and reliability are coming up from cloud users and business organizations.

II. SECURITY ISSUES IN CLOUD COMPUTING

1. Software-as-a-service (SaaS)

Through this model, the cloud service provider provides access to the database and application software. SaaS is software with high demand. The problems faced with this application concern its security, which naturally centers around access and the stored information, as almost all the models responsible for data sharing security issues leave these 2 issues to the customers of the SaaS. It is very important, and also the responsibility of every user, to know the type of information they share with the cloud and who else is authorized to use that information. The users must know the level of protection they are provided with by the service provider.

Considering the role of the SaaS provider is very significant in relation to access to the information and the processes of the organization. Developments like the rise of the GoldenEye ransomware and XcodeGhost highlight that attackers know the value of cloud and software providers and consider them a vector through which they can attack larger assets. This is resulting in an increase in attackers' focus on this type of potential vulnerability. To protect the information, the user must be alert and scrutinize the security programs of the cloud computing provider.

Top 10 security issues of cloud applications which are faced with SaaS are mentioned below:

i. Cloud applications do not provide a clear, visible picture of what data is within them.
ii. Data theft from a cloud application by a malicious actor.
iii. Control over access to sensitive data is incomplete.
iv. Inability to monitor data in transit to/from cloud applications.
v. Cloud applications being provisioned outside of IT visibility (e.g., shadow IT).
vi. The available staff are not sufficient or skilled for managing the issues and development of security of cloud applications.
vii. Inability to prevent malicious insider misuse of data or data theft.
viii. High-tech attacks and threats against providers.
ix. Inability to assess the security of the cloud application's operations.
x. Inability to maintain regulatory compliance.

2. Infrastructure-as-a-service (IaaS)

IaaS is a way of providing the user with virtual or physical machines, such as Hyper-V or VirtualBox, which operate virtual machines. Protection of data is not an easy task in IaaS. As the responsibilities of the user extend to the OS, network traffic and applications, more and more threats add up. Organizations should not delay in considering the evolution of attacks that have extended beyond the data, which is the center of the risk associated with IaaS. Lately, many malicious actors have conducted hostile takeovers of computing resources for mining cryptocurrency. These resources are then further used as a virtual weapon and attack vector against other elements of the enterprise's infrastructure and also against third parties.

When an infrastructure is built in the cloud, assessing your abilities to prevent data theft and to control access is important. Hardening and securing orchestration tools, tracking the modification of resources to identify abnormal behaviors, adding network analysis of both east-west and north-south traffic as a potential signal, and determining who is permitted to enter data into it are ways that are becoming standard measures to protect the infrastructure of cloud deployments at scale.

“Below are the Top 10 cloud security issues experienced with infrastructure-as-a-service (IaaS)

i. Cloud workloads and accounts being created outside of IT visibility (e.g., shadow IT)
ii. Incomplete control over who can access sensitive data

iii. Data theft hosted in cloud infrastructure by malicious actor
iv. Lack of staff with the skills to secure cloud infrastructure
v. Lack of visibility into what data is in the cloud
vi. Inability to prevent malicious insider theft or misuse of information
vii. Lack of consistent security controls over multi-cloud and on-premises environments
viii. Advanced threats and attacks against cloud infrastructure
ix. Inability to monitor cloud workload systems and applications for vulnerabilities
x. Lateral spread of an attack from one cloud workload to another”

3. Platform-as-a-service (PaaS)

The provider of this model gives the user features for accessing the OS, web servers and the execution environment of the programming language. This model acts as a bridge between IaaS and SaaS.

As per NIST, the cloud model comprises 4 core deployment models: hybrid cloud, private cloud, community cloud and public cloud.

The fine-tuned control available in the private cloud environment is considered an important factor in the decision-making process for allocating resources to private vs public cloud. The additional level of control and supplemental protection available in private clouds can compensate for other foundation, and it might contribute to a practical transition.

With all these factors, organizations should keep in consideration that maintaining fine-tuned control creates difficulty. Presently, much of the effort is taken on by the service providers themselves. Users can simplify the management of security, which can decrease the difficulty by abstracting the controls. This amalgamates private and public cloud platforms across and above hybrid, virtual as well as physical environments.

Below are the Top 5 cloud security issues experienced with private cloud:

i. Consistent control of security is lacking across the virtualized and traditional server private cloud infrastructure.
ii. A rise in the infrastructure’s complexity results in more effort/time for maintenance and implementation.
iii. Skilled staff is available as per the requirement for managing the software-defined data centre’s security.
iv. Visibility over the software-defined data centre’s security is not complete.
v. Newly developed advanced attacks and threats.

III. SECURITY THREATS IN CLOUD COMPUTING

A force acting from outside, through which nodes that existed in one state get transferred to another, is termed a threat. The data is stored in the node, and this node provides the user with a platform for using the application in the form of services. A significant number of intrusions or attacks occur within cloud applications.

The 3 service models of the cloud provide various services to the user and also disclose data security issues as well as risks that exist within cloud systems.

1. SQL Injection Attack

This is a virtual attack made on a computer, and it mostly damages SaaS. This attack damages SaaS the most because of poor application design. It executes unauthorized SQL commands by taking advantage of an insecure interface. These types of attacks are programmed to gain unauthorized access to data which is under protection and not allowed to be accessed publicly.

2. Abuse and Nefarious Use of Cloud Computing

Hackers take advantage of shortcomings in the process of authentic registration for the cloud. Further, they are provided with SaaS, PaaS and IaaS services. It is possible for hackers to carry out suspicious activities like phishing and/or spamming. These threats are present in all the 3 layers.

3. Net Sniffers

This is also a threat associated with SaaS. Through this type of threat, the hacker gains access via applications. This enables them to capture packets that flow within a network, and also the data if it is transmitted through the captured packets unencrypted. If this happens, the data becomes available to everyone.

4. Session Hijacking

It is an attack on the security of a user session over a protected network. When a user logs in to a website, a new session starts on that server. The new session comprises all the data and information of the user, which the server uses so that the password won’t be needed every time the user enters a new page. With all the needed knowledge, hackers can enter a running session and succeed in gaining access to that session's identifier via HTTP. The session identifier is used by the server to identify the user for that particular session. Session hijacking is used by the hacker to gain control over the session identifier, which further enables them to gain unauthorized control over the user’s information. Cross-site scripting, session fixation, session side-jacking and session prediction are the most commonly known session hijacking attacks.

5. Man In The Middle Attack

A MITM attack is another kind of session hijacking in which hackers use a sniffer to hack the communication among the devices through which data collection is done, and the hacker further transmits the data. The hackers establish an independent connection with the user’s device, and the user is convinced that the connection is direct and private. But in reality, the hackers control the session completely. It is a big threat to the SaaS model.
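The SQL injection threat described in Section III, shown as a weak query beside its corrected form in a multi-tenant SaaS setting. This is an added example, not code from the paper; the invoices table, tenant names, sample rows and function names are assumptions constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory multi-tenant table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant TEXT, customer TEXT, amount REAL)"
    )
    db.executemany(
        "INSERT INTO invoices (tenant, customer, amount) VALUES (?, ?, ?)",
        [
            ("acme", "Alice", 120.0),
            ("acme", "O'Brien", 75.5),
            ("globex", "Carol", 990.0),
        ],
    )
    return db


def search_vulnerable(db, tenant, customer):
    """Weak form: request input is concatenated into the SQL text, so a
    quote in the input ends the string literal and the rest runs as SQL."""
    sql = (
        "SELECT tenant, customer, amount FROM invoices "
        "WHERE tenant = '" + tenant + "' AND customer = '" + customer + "'"
    )
    return db.execute(sql).fetchall()


def search_hardened(db, tenant, customer):
    """Corrected form: placeholders bind input as data, never as SQL."""
    sql = (
        "SELECT tenant, customer, amount FROM invoices "
        "WHERE tenant = ? AND customer = ?"
    )
    return db.execute(sql, (tenant, customer)).fetchall()


def foreign_rows(rows, tenant):
    """Defence in depth: rows in a result that belong to another tenant.
    A non-empty list should fail the request and raise an alert."""
    return [row for row in rows if row[0] != tenant]


def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing a quote
    results = {
        "vulnerable_crafted": search_vulnerable(db, "acme", crafted),
        "hardened_crafted": search_hardened(db, "acme", crafted),
        "hardened_apostrophe": search_hardened(db, "acme", "O'Brien"),
    }
    try:
        search_vulnerable(db, "acme", "O'Brien")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # Even a legitimate name breaks the concatenated statement.
        results["vulnerable_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The concatenated query returns another tenant's invoice for the crafted input, while the parameterized query returns nothing for it and still finds the customer whose name contains an apostrophe.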
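Server-side controls matched to the four session hijacking variants named under Session Hijacking in Section III (prediction, fixation, side-jacking, cross-site scripting). This is an added example, not code from the paper; the SessionStore class, the cookie name sid and the timeout values are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side session table keyed by a digest of the session identifier."""

    def __init__(self, idle_timeout=900, max_lifetime=8 * 3600):
        self._sessions = {}
        self.idle_timeout = idle_timeout      # seconds without activity
        self.max_lifetime = max_lifetime      # hard cap on session age

    @staticmethod
    def _key(sid):
        # Only a digest is stored, so a leaked table yields no usable identifiers.
        return hashlib.sha256(sid.encode("utf-8")).hexdigest()

    def create(self, user=None, now=None):
        now = time.time() if now is None else now
        # Prediction: 256 bits from the OS CSPRNG, not a counter or timestamp.
        sid = secrets.token_urlsafe(32)
        self._sessions[self._key(sid)] = {"user": user, "created": now, "seen": now}
        return sid

    def login(self, old_sid, user, now=None):
        # Fixation: the pre-login identifier is destroyed and a fresh one is
        # issued, so an identifier planted before login is worthless after it.
        self._sessions.pop(self._key(old_sid), None)
        return self.create(user=user, now=now)

    def lookup(self, sid, now=None):
        now = time.time() if now is None else now
        key = self._key(sid)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        idle = now - rec["seen"] > self.idle_timeout
        too_old = now - rec["created"] > self.max_lifetime
        if idle or too_old:
            # Expiry bounds how long a captured identifier stays useful.
            del self._sessions[key]
            return None
        rec["seen"] = now
        return dict(rec)

    def logout(self, sid):
        self._sessions.pop(self._key(sid), None)


def session_cookie(sid):
    """Set-Cookie value for the session identifier."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True        # side-jacking: never sent over plain HTTP
    cookie["sid"]["httponly"] = True      # cross-site scripting: hidden from scripts
    cookie["sid"]["samesite"] = "Strict"  # not attached to cross-site requests
    return cookie["sid"].OutputString()


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print(session_cookie(authenticated))
    print("pre-login id still valid:", store.lookup(anonymous) is not None)
```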

6. Denial of Services

This is an attack in the SaaS layer through which hackers make the services and network resources virtually unavailable to the user. This interruption may be either temporary or permanent.

7. Flooding Attacks

This is a type of “denial of service attack” which is used for increasing the congestion of the network by flooding it with a large amount of various types of traffic. This type of attack happens when hackers overload the services or the network with packets containing data. The server is attacked with connections that will remain incomplete, and as a result the buffer memory of the host ends up filled with redundant and unused data. In the end, when the buffer is left with no space, the server won’t be able to make any type of connection. This results in “denial of service”. This attack occurs in the IaaS and PaaS layers of the cloud model.

8. Privacy Breach

Organizations as well as users store their data and information in the cloud. Therefore, any type of breach in the cloud will compromise the available information of those users who are authorized. This will enable unauthorized users to access the private information of the users, which might further lead to unauthorized and unethical activities with the stored information. This will mostly affect the users of the SaaS model.

IV. COUNTER MEASURES

The infrastructure of cloud computing comprises a service provider that is responsible for providing computing resources to the end user. To assure the best possible services, it is important for service providers to assure users of the security of the cloud. This may be done by applying advanced security methods as well as defining stringent security policies.

1. DevSecOps processes: DevSecOps and DevOps have continuously been observed to decrease the options for vulnerabilities and exploitation, enhance the quality of the code, improve the deployment of features and raise the application’s speed. Including security procedures, advancement and QA in the units of the business/applications team, rather than depending upon a single security verification team, is important for operations as per the demands of today’s businesses.

2. Automated application deployment and management tools: The rise in the speed and amount of security threats, in combination with insufficient security skills, leads to the fact that even the most experienced security professional cannot keep up. With the help of automation, ordinary tasks can be removed, and it also supplements the benefits of human work with those of machines, which is a basic element of advanced IT operations.

3. Unified security with centralized management across all services and providers: It is not possible for a single vendor, service or product to deliver everything, but this can be delivered through multiple management tools, which makes it easier for something to slip by. In combination with an open integration fabric, a system of unified management decreases the difficulty to a great extent by combining the parts and restructuring the flow of the work.

V. CONCLUSION AND FUTURE WORK

This paper aims to exhibit the challenges faced by users of cloud computing over security issues, and it also shows the most threatening factors, which are a real matter of concern. There are various issues and challenges in relation to the security of cloud computing. These issues have been recognized as having a high impact on the confidentiality and trust of users. All the security risks as well as privacy risks, along with advancing efficiency and impactful solutions, are difficult tasks to understand. Availability, reliability, integrity and confidentiality are the factors extensively brought into application for security-related issues. As cloud computing continues to grow, the future will be full of risks and threats to its security. Providers as well as users must be aware of the potential security risks and must prepare themselves with solutions to face these issues in order to protect their information from any type of attack. Valuable suggestions and the main open research issues are also provided through this paper in order to understand the issues of the cloud. This paper also aims to provide a new direction to this field of study and to help researchers find possible solutions for such threats and risks.
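Detection logic for the build-up of incomplete connections described under Flooding Attacks in Section III, run over a handshake log. This is an added example, not code from the paper; the log format, the listener address, the addresses (documentation ranges), the backlog size and the thresholds are all constructed assumptions.

```python
from collections import Counter

SERVER = "192.0.2.10:443"  # constructed listener address


def build_sample_log():
    """Constructed handshake log, one event per line:
    '<time> <src ip:port> > <dst ip:port> <flag>'."""
    lines = [
        # A client that completes the three-way handshake.
        "0.00 198.51.100.7:40001 > 192.0.2.10:443 SYN",
        "0.01 192.0.2.10:443 > 198.51.100.7:40001 SYN-ACK",
        "0.02 198.51.100.7:40001 > 192.0.2.10:443 ACK",
        # A slow client whose final ACK has not arrived yet.
        "0.90 198.51.100.8:41000 > 192.0.2.10:443 SYN",
        "0.91 192.0.2.10:443 > 198.51.100.8:41000 SYN-ACK",
    ]
    # One source opening 40 connections it never completes.
    for i in range(40):
        t = 0.10 + i * 0.01
        lines.append(f"{t:.2f} 203.0.113.9:{50000 + i} > 192.0.2.10:443 SYN")
    return sorted(lines, key=lambda line: float(line.split()[0]))


def half_open_by_source(lines, server, now, syn_timeout=3.0):
    """Count handshakes per client IP that reached SYN but not the final ACK.
    Entries older than syn_timeout are treated as already dropped by the server."""
    pending = {}  # client "ip:port" -> time the SYN was seen
    for line in lines:
        ts, src, _arrow, dst, flag = line.split()
        if dst != server:
            continue  # server-to-client packets carry no state we track
        if flag == "SYN":
            pending[src] = float(ts)
        elif flag == "ACK":
            pending.pop(src, None)  # handshake completed, slot released
    counts = Counter()
    for src, seen in pending.items():
        if now - seen <= syn_timeout:
            counts[src.rsplit(":", 1)[0]] += 1
    return counts


def assess(counts, backlog, per_source_share=0.25):
    """Compare half-open connections with the listener's backlog size.
    The total matters on its own: spoofed source addresses spread a flood
    over many IPs, so per-source counts alone would miss it."""
    total = sum(counts.values())
    limit = backlog * per_source_share
    return {
        "half_open": total,
        "backlog_used": total / backlog,
        "exhausted": total >= backlog,
        "suspects": sorted(ip for ip, n in counts.items() if n > limit),
    }


if __name__ == "__main__":
    counts = half_open_by_source(build_sample_log(), SERVER, now=1.0)
    print(assess(counts, backlog=64))
```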