A quantitative analysis of current security concerns and solutions for

Gonzalez et al Journal of Cloud Computing Advances Systems and Applications 2012 111httpwwwjournalofcloudcomputingcomcontent1111

RESEARCH Open Access

A quantitative analysis of current securityconcerns and solutions for cloud computingNelson Gonzalez1 Charles Miers14 Fernando Redıgolo1 Marcos Simplıcio1 Tereza Carvalho1Mats Naslund2 and Makan Pourzandi3

Abstract

The development of cloud computing services is speeding up the rate in which the organizations outsource theircomputational services or sell their idle computational resources Even though migrating to the cloud remains atempting trend from a financial perspective there are several other aspects that must be taken into account bycompanies before they decide to do so One of the most important aspect refers to security while some cloudcomputing security issues are inherited from the solutions adopted to create such services many new securityquestions that are particular to these solutions also arise including those related to how the services are organizedand which kind of servicedata can be placed in the cloud Aiming to give a better understanding of this complexscenario in this article we identify and classify the main security concerns and solutions in cloud computing andpropose a taxonomy of security in cloud computing giving an overview of the current status of security in thisemerging technology

IntroductionSecurity is considered a key requirement for cloud com-puting consolidation as a robust and feasible multi-purpose solution [1] This viewpoint is shared by manydistinct groups including academia researchers [23]business decision makers [4] and government organi-zations [56] The many similarities in these perspec-tives indicate a grave concern on crucial security andlegal obstacles for cloud computing including serviceavailability data confidentiality provider lock-in andreputation fate sharing [7] These concerns have theirorigin not only on existing problems directly inheritedfrom the adopted technologies but are also related tonew issues derived from the composition of essentialcloud computing features like scalability resource shar-ing and virtualization (eg data leakage and hypervisorvulnerabilities) [8] The distinction between these classesis more easily identifiable by analyzing the definition of theessential cloud computing characteristics proposed by theNIST (National Institute of Standards and Technology)in [9] which also introduces the SPI model for services

Correspondence nmimuralarcuspbr1Escola Politecnica at the University of Sao Paulo (EPUSP) Sao Paulo BrazilFull list of author information is available at the end of the article

(SaaS PaaS and IaaS) and deployment (private publiccommunity and hybrid)Due to the ever growing interest in cloud computing

there is an explicit and constant effort to evaluate thecurrent trends in security for such technology consider-ing both problems already identified and possible solu-tions [10] An authoritative reference in the area is therisk assessment developed by ENISA (European Networkand Information Security Agency) [5] Not only doesit list risks and vulnerabilities but it also offers a sur-vey of related works and research recommendations Asimilarly work is the security guidance provided by theCloud Security Alliance (CSA) [6] which defines securitydomains congregating specific functional aspects fromgovernance and compliance to virtualization and iden-tity management Both documents present a plethora ofsecurity concerns best practices and recommendationsregarding all types of services in NISTrsquos SPI model as wellas possible problems related to cloud computing encom-passing from data privacy to infrastructural configurationAlbeit valuable these studies do not focus on quantifyingtheir observations something important for developinga comprehensive understanding of the challenges stillundermining the potential of cloud computing

copy 2012 Gonzalez et al licensee Springer This is an Open Access article distributed under the terms of the Creative CommonsAttribution License (httpcreativecommonsorglicensesby20) which permits unrestricted use distribution and reproductionin any medium provided the original work is properly cited

Gonzalez et al Journal of Cloud Computing Advances Systems and Applications 2012 111 Page 2 of 18httpwwwjournalofcloudcomputingcomcontent1111

The main goal of this article is to identify classifyorganize and quantify the main security concerns andsolutions associated to cloud computing helping in thetask of pinpointing the concerns that remain unansweredAiming to organize this information into a useful toolfor comparing relating and classifying already identi-fied concerns and solutions as well as future ones wealso present a taxonomy proposal for cloud comput-ing security We focus on issues that are specific tocloud computing without losing sight of important issuesthat also exist in other distributed systems This articleextends our previous work presented in [11] providing anenhanced review of the cloud computing security taxon-omy previously presented as well as a deeper analysis ofthe related work by discussing the main security frame-works currently available in addition we discuss furtherthe security aspects related to virtualization in cloudcomputing a fundamental yet still underserved field ofresearch

Cloud computing securityKey references such as CSArsquos security guidance [6] andtop threats analysis [12] ENISArsquos security assessment [5]and the cloud computing definitions from NIST [9] high-light different security issues related to cloud computingthat require further studies for being appropriately han-dled and consequently for enhancing technology accep-tance and adoption Emphasis is given to the distinctionbetween services in the form of software (SaaS) platform(PaaS) and infrastructure (IaaS) which are commonlyused as the fundamental basis for cloud service classifica-tion However no other methods are standardized or evenemployed to organize cloud computing security aspectsapart from cloud deployment models service types ortraditional security modelsAiming to concentrate and organize information related

to cloud security and to facilitate future studies in thissection we identify the main problems in the area andgroup them into a model composed of seven categoriesbased on the aforementioned references Namely thecategories are network security interfaces data secu-rity virtualization governance compliance and legalissues Each category includes several potential securityproblems resulting in a classification with subdivisionsthat highlights the main issues identified in the basereferences

1 Network security Problems associated with networkcommunications and configurations regarding cloudcomputing infrastructures The ideal networksecurity solution is to have cloud services as anextension of customersrsquo existing internal networks[13] adopting the same protection measures andsecurity precautions that are locally implemented

and allowing them to extend local strategies to anyremote resource or process [14]

(a) Transfer security Distributed architecturesmassive resource sharing and virtual machine(VM) instances synchronization imply moredata in transit in the cloud thus requiringVPN mechanisms for protecting the systemagainst sniffing spoofing man-in-the-middleand side-channel attacks

(b) Firewalling Firewalls protect the providerrsquosinternal cloud infrastructure against insidersand outsiders [15] They also enable VMisolation fine-grained filtering for addressesand ports prevention of Denial-of-Service(DoS) and detection of external securityassessment procedures Efforts for developingconsistent firewall and similar securitymeasures specific for cloud environments[1617] reveal the urge for adapting existingsolutions for this new computing paradigm

(c) Security configuration Configuration ofprotocols systems and technologies toprovide the required levels of security andprivacy without compromising performanceor efficiency [18]

2 Interfaces Concentrates all issues related to useradministrative and programming interfaces for usingand controlling clouds

(a) API Programming interfaces (essential toIaaS and PaaS) for accessing virtualizedresources and systems must be protected inorder to prevent malicious use [19-23]

(b) Administrative interface Enables remotecontrol of resources in an IaaS (VMmanagement) development for PaaS (codingdeploying testing) and application tools forSaaS (user access control configurations)

(c) User interface End-user interface forexploring provided resources and tools (theservice itself) implying the need of adoptingmeasures for securing the environment[24-27]

(d) Authentication Mechanisms required toenable access to the cloud [28] Most servicesrely on regular accounts [202930]consequently being susceptible to a plethoraof attacks [31-35] whose consequences areboosted by multi-tenancy and resourcesharing

3 Data security Protection of data in terms ofconfidentiality availability and integrity (which can

be applied not only to cloud environments but anysolution requiring basic security levels) [36]

(a) Cryptography Most employed practice tosecure sensitive data [37] thoroughlyrequired by industry state and federalregulations [38]

(b) Redundancy Essential to avoid data lossMost business models rely on informationtechnology for its core functionalities andprocesses [3940] and thus mission-criticaldata integrity and availability must beensured

(c) Disposal Elementary data disposaltechniques are insufficient and commonlyreferred as deletion [41]In the cloud thecomplete destruction of data including logreferences and hidden backup registries is animportant requirement [42]

4 Virtualization Isolation between VMs hypervisorvulnerabilities and other problems associated to theuse of virtualization technologies [43]

(a) Isolation Although logically isolated all VMsshare the same hardware and consequentlythe same resources allowing maliciousentities to exploit data leaks and cross-VMattacks [44] The concept of isolation can alsobe applied to more fine-grained assets suchas computational resources storage andmemory

(b) Hypervisor vulnerabilities The hypervisor isthe main software component ofvirtualization Even though there are knownsecurity vulnerabilities for hypervisorssolutions are still scarce and oftenproprietary demanding further studies toharden these security aspects

(c) Data leakage Exploit hypervisorvulnerabilities and lack of isolation controlsin order to leak data from virtualizedinfrastructures obtaining sensitive customerdata and affecting confidentiality andintegrity

(d) VM identification Lack of controls foridentifying virtual machines that are beingused for executing a specific process or forstoring files

(e) Cross-VM attacks Includes attempts toestimate provider traffic rates in order tosteal cryptographic keys and increase chancesof VM placement attacks One exampleconsists in overlapping memory and storageregions initially dedicated to a single virtual

machine which also enables otherisolation-related attacks

5 Governance Issues related to (losing) administrativeand security controls in cloud computing solutions[4546]

(a) Data control Moving data to the cloud meanslosing control over redundancy location filesystems and other relevant configurations

(b) Security control Loss of governance oversecurity mechanisms and policies as terms ofuse prohibit customer-side vulnerabilityassessment and penetration tests whileinsufficient Service Level Agreements (SLA)lead to security gaps

(c) Lock-in User potential dependency on aparticular service provider due to lack ofwell-established standards (protocols anddata formats) consequently becomingparticularly vulnerable to migrations andservice termination

6 Compliance Includes requirements related to serviceavailability and audit capabilities [4748]

(a) Service Level Agreements (SLA)Mechanisms to ensure the required serviceavailability and the basic security proceduresto be adopted [49]

(b) Loss of service Service outages are notexclusive to cloud environments but aremore serious in this context due to theinterconnections between services (eg aSaaS using virtualized infrastructuresprovided by an IaaS) as shown in manyexamples [50-52] This leads to the need ofstrong disaster recovery policies and providerrecommendations to implementcustomer-side redundancy if applicable

(c) Audit Allows security and availabilityassessments to be performed by customersproviders and third-party participantsTransparent and efficient methodologies arenecessary for continuously analyzing serviceconditions [53] and are usually required bycontracts or legal regulations There aresolutions being developed to address thisproblem by offering a transparent API forautomated auditing and other usefulfunctionalities [54]

(d) Service conformity Related to howcontractual obligations and overall servicerequirements are respected and offered based

on the SLAs predefined and basic service andcustomer needs

7 Legal issues Aspects related to judicial requirementsand law such as multiple data locations and privilegemanagement

(a) Data location Customer data held inmultiple jurisdictions depending ongeographic location [55] are affected directlyor indirectly by subpoena law-enforcementmeasures

(b) E-discovery As a result of a law-enforcementmeasures hardware might be confiscated forinvestigations related to a particularcustomer affecting all customers whose datawere stored in the same hardware [56-58]Data disclosure is critical in this case

(c) Provider privilege Malicious activities ofprovider insiders are potential threats toconfidentiality availability and integrity ofcustomersrsquo data and processesrsquo information[5960]

(d) legislation Juridical concerns related to newconcepts introduced by cloud computing[61]

Cloud computing security taxonomyThe analysis of security concerns in the context of cloudcomputing solutions shows that each issue brings differ-ent impacts on distinct assets Aiming to create a securitymodel both for studying security aspects in this contextand for supporting decision making in this section weconsider the risks and vulnerabilities previously presentedand arrange them in hierarchical categories thus creatinga cloud security taxonomy The main structure of the pro-posed taxonomy along with its first classification levelsare depicted in Figure 1The three first groups correspond to fundamental (and

often related) security principles [7] (Chapters 3-8)The architecture dimension is subdivided into network

security interfaces and virtualization issues comprisingboth user and administrative interfaces to access the

cloud It also comprises security during transferences ofdata and virtual machines as well as other virtualizationrelated issues such as isolation and cross-VM attacksThis organization is depicted in Figure 2 The architec-ture group allows a clearer division of responsibilitiesbetween providers and customers and also an analysisof their security roles depending on the type of serviceoffered (Software Platform or Infrastructure) This sug-gests that the security mechanisms used must be clearlystated before the service is contracted defining whichrole is responsible for providing firewalling capabilitiesaccess control features and technology-specific require-ments (such as those related to virtualization)The compliance dimension introduces responsibilities

toward services and providers The former includes SLAconcerns loss of service based on outages and chain fail-ures and auditing capabilities as well as transparency andsecurity assessments The latter refers to loss of controlover data and security policies and configurations andalso lock-in issues resulting from lack of standards migra-tions and service terminations The complete scenario ispresented in Figure 3The privacy dimension includes data security itself

(from sensitive data regulations and data loss to dis-posal and redundancy) and legal issues (related tomultiplejurisdictions derived from different locations where dataand services are hosted) The expansion of this group isrepresented in Figure 4 We note that the concerns in thisdimension cover the complete information lifecycle (iegeneration use transfer transformation storage archiv-ing and destruction) inside the provider perimeter and inits immediate boundaries (or interfaces) to the usersA common point between all groups is the intrinsic con-

nection to data and service lifecycles Both privacy andcompliance must be ensured through all states of dataincluding application information or customer assetswhile security in this case is more oriented towards howthe underlying elements (eg infrastructural hardwareand software) are protected

Current status of cloud securityA clear perspective of the main security problems regard-ing cloud computing and on how they can be organized

Figure 1 Cloud computing security taxonomy Top level overview of the security taxonomy proposed highlighting the three main categoriessecurity related to privacy architecture and compliance

Figure 2 Security taxonomy - architecture Details from architecture category which is divided in network host application data (security andstorage) security management and identity and access controls ndash all these elements are directly connected to the infrastructure and architectureadopted to implement or use a cloud solution

to ease decision making is the primary step for havinga comprehensive overview of the current status of cloudsecurity In this section we analyze industry and academiaviewpoints focusing on strategic study areas that needto be further developed This study is based on morethan two hundred different references including whitepapers technical reports scientific papers and other rele-vant publications They were analyzed in terms of security

problems and solutions by evaluating the number of cita-tions for each case We used a quantitative approach toidentify the amount of references related to each categoryof concerns or solutions Our goal is not to determineif the presented solutions completely solve an identifiedconcern since most of the referenced authors agree thatthis is an involved task Nonetheless we identify the num-ber of references dealing with each concern providing

Figure 3 Security taxonomy - compliance Details from compliance category divided in lifecycle controls and governance risk and othercompliance related issues (such as continuous improvement policies)

Figure 4 Security taxonomy - privacy Details from privacy category initially divided in concerns and principles Concerns are related to thecomplete data lifecycle from generation use and transfer to transformation storage archival and destruction Principles are guidelines related toprivacy in the cloud

some useful insight on which are the concerns that havereceived more attention from the research communityand which have not been so extensively analyzed Someobservations about the analysis method

1 The references consulted came from differentresearch segments including academiaorganizations and companies Due to the articlersquoslength limitations we did not include all theconsulted references in the References section In thefollowing we present some of the main sources ofconsultation

(a) Academia conference papers and journalspublished by IEEE ACM SpringerWebscience and Scipress

(b) Organizations reports white papers andinterviews from SANS Institute CSA NISTENISA Gartner Group KVMorgOpenGrid OpenStack and OpenNebula

(c) Companies white papers manualsinterviews and web content fromERICSSON IBM XEROX Cisco VMWareXEN CITRIX EMC Microsoft andSalesforce

2 Each reference was analyzed aiming to identify all thementioned concerns covered and solutions provided

Therefore one reference can produce more than oneentry on each specified category

3 Some security perspectives were not covered in thispaper as each securityconcern category can besub-divided in finer-grained aspects such asauthentication integrity network communicationsetc

We present the security concerns and solutions usingpie charts in order to show the representativeness of eachcategorygroup in the total amount of references identi-fied The comparison between areas is presented usingradar graphs to identify how many solutions address eachconcern categorygroup

Security concernsThe results obtained for the number of citations on secu-rity issues is shown in Figure 5 The three major problemsidentified in these references are legal issues complianceand loss of control over data These legal- and governance-related concerns are followed by the first technical issueisolation with 7 of citations The least cited problemsare related to security configuration concerns loss of ser-vice (albeit this is also related to compliance which is amajor problem) firewalling and interfacesGrouping the concerns using the categories presented

in section ldquoCloud computing securityrdquo leads to the

Figure 5 Security problems Pie chart for security concerns

Figure 6 Security problems with grouped categories Pie chart for security concerns with grouped categories (seven altogether legal issuescompliance governance virtualization data security interfaces and network security)

Figure 7 Security solutions with grouped categories Pie chart for solutions with grouped categories showing a clear lack for virtualizationsecurity mechanisms in comparison to its importance in terms of concerns citations

construction of Figure 6 This figure shows that legal andgovernance issues represent a clear majority with 73 ofconcern citations showing a deep consideration of legalissues such as data location and e-discovery or gover-nance ones like loss of control over security and data Thetechnical issue more intensively evaluated (12) is virtual-ization followed by data security interfaces and networksecurityVirtualization is one of the main novelties employed by

cloud computing in terms of technologies employed con-sidering virtual infrastructures scalability and resourcesharing and its related problems represent the first majortechnical concern

Security solutionsWhen analyzing citations for solutions we used the sameapproach described in the beginning of this section Theresults are presented in Figure 7 which shows the percent-age of solutions in each category defined in section ldquoCloudcomputing securityrdquo and also in Figure 8 which highlightsthe contribution of each individual sub-categoryWhen we compare Figures 6 and 7 it is easy to observe

that the number of citations covering security problemsrelated to legal issues compliance and governance is high

(respectively 24 22 and 17) however the same alsohappens when we consider the number of referencesproposing solutions for those issues (which representrespectively 29 27 and 14 of the total number ofcitations) In other words these concerns are higly rele-vant but a large number solutions are already available fortackling themThe situation is completely different when we analyze

technical aspects such as virtualization isolation and dataleakage Indeed virtualization amounts for 12 of prob-lem references and only 3 for solutions Isolation is aperfect example of such discrepancy as the number ofcitations for such problems represents 7 in Figure 5while solutions correspond to only 1 of the graph fromFigure 8 We note that for this specific issue special carehas been taken when assessing the most popular virtualmachine solution providers (eg XEN VMWARE andKVM) aiming to verify their concerns and available solu-tions A conclusion that can be drawn from this situationis that such concerns are also significant but yet little isavailable in terms of solutions This indicates the need ofevaluating potential areas still to be developed in orderto provide better security conditions when migrating dataand processes in the cloud

Figure 8 Security solutions Pie chart for solutions citations

ComparisonThe differences between problem and solution citationspresented in the previous sections can be observed inFigure 9Axis values correspond to the number of citations found

among the references studied Blue areas represent con-cern citations and lighter red indicates solutions whiledarker red shows where those areas overlap In otherwords light red areas are problems with more citationsfor solutions than problems ndash they might be meaningfulproblems but there are many solutions already addressingthem ndash while blue areas represent potential subjects thathave received little attention so far indicating the need forfurther studiesFigure 9 clearly shows the lack of development regard-

ing data control mechanisms hypervisor vulnerabilitiesassessment and isolation solutions for virtualized envi-ronments On the other hand areas such as legal con-cerns SLAs compliance and audit policies have a quitesatisfactory coverage The results for grouped categories(presented in section 4) are depicted in Figure 10Figure 10 shows that virtualization problems represent

an area that requires studies for addressing issues such asisolation data leakage and cross-VM attacks on the otherhand areas such as compliance and network securityencompass concerns for which there are already a con-siderable number of solutions or that are not consideredhighly relevantFinally Considering virtualization as key element for

future studies Figure 11 presents a comparison focus-ing on five virtualization-related problems isolation (ofcomputational resources such as memory and storage

capabilities) hypervisor vulnerabilities data leakagecross-VM attacks and VM identification The contrastrelated to isolation and cross-VM attacks is more evidentthan for the other issues However the number of solutioncitations for all issues is notably low if compared to anyother security concern reaffirming the need for furtherresearches in those areas

Related workAn abundant number of related works and publicationsexist in the literature emphasizing the importance anddemand of security solutions for cloud computing How-ever we did not identify any full taxonomy that addressesdirectly the security aspects related to cloud comput-ing We only identified some simplified models thatwere developed to cover specific security aspects such asauthentication We were able to recognize two main typesof works (1) security frameworks which aim to aggregateinformation about security and also to offer sets of bestpractices and guidelines when using cloud solutions and(2) publications that identify future trends and proposesolutions or areas of interest for research Each categoryand corresponding references are further analyzed in thefollowing subsections

Security frameworksSecurity frameworks concentrate information on securityand privacy aiming to provide a compilation of risks vul-nerabilities and best practices to avoid or mitigate themThere are several entities that are constantly publishingmaterial related to cloud computing security includingENISA CSA NIST CPNI (Centre for the Protection of

Figure 9 Comparison between citations Radar chart comparing citations related to concerns and solutions showing the disparities for eachsecurity category adopted

Figure 10 Comparison between citations with grouped categories Radar chart grouping the categories showing the difference betweencitations about concerns and solutions regarding each category

National Infrastructure fromUK government) and ISACA(the Information Systems Audit and Control Association)In this paper we focus on the first three entities whichby themselves provide a quite comprehensive overview ofissues and solutions and thus allowing a broad under-standing of the current status of cloud security

ENISAENISA is an agency responsible for achieving high andeffective level of network and information security withinthe European Union [62] In the context of cloud comput-ing they published an extensive study covering benefits

and risks related to its use [5] In this study the securityrisks are divided in four categories

bull Policy and organizational issues related togovernance compliance and reputation

bull Technical issues derived from technologies used toimplement cloud services and infrastructures such asisolation data leakage and interception denial ofservice attacks encryption and disposal

bull Legal risks regarding jurisdictions subpoena ande-discovery

Figure 11 Comparison for virtualization Radar chart only for virtualization issues

bull Not cloud specific other risks that are not unique tocloud environments such as network managementprivilege escalation and logging

As a top recommendation for security in cloud com-puting ENISA suggests that providers must ensure somesecurity practices to customers and also a clear contract toavoid legal problems Key points to be developed includebreach reporting better logging mechanisms and engi-neering of large scale computer systems which encom-pass the isolation of virtual machines resources andinformation Their analysis is based not only on what iscurrently observed but also on what can be improvedthrough the adoption of existing best practices or bymeans of solutions that are already used in non-cloudenvironments This article aims at taking one step fur-ther by transforming these observations into numbers ndash aquantitative approach

CSACSA is an organization led by a coalition of industrypractitioners corporations associations and other stake-holders [63] such as Dell HP and eBay One of its maingoals is to promote the adoption of best practices forproviding security within cloud computing environmentsThree CSA documents are analyzed in this paper ndash the

security guidance [6] the top threats in cloud computing[12] and the Trusted Cloud Initiative (TCI) architecture[64] ndash as they comprise most of the concepts and guide-lines researched and published by CSAThe latest CSA security guidance (version 30 [65])

denotesmulti-tenancy as the essential cloud characteristicwhile virtualization can be avoided when implementingcloud infrastructures ndash multi-tenancy only implies theuse of shared resources by multiple consumers possiblyfrom different organizations or with different objectivesThey discuss that even if virtualization-related issuescan be circumvented segmentation and isolated policiesfor addressing proper management and privacy are stillrequired The document also establishes thirteen securitydomains

1 Governance and risk management ability to measurethe risk introduced by adopting cloud computingsolutions such as legal issues protection of sensitivedata and their relation to international boundaries

2 Legal issues disclosure laws shared infrastructuresand interference between different users

3 Compliance and audit the relationship betweencloud computing and internal security policies

4 Information management and data securityidentification and control of stored data loss ofphysical control of data and related policies tominimize risks and possible damages

5 Portability and interoperability ability to changeproviders services or bringing back data to localpremises without major impacts

6 Traditional security business continuity and disasterrecovery the influence of cloud solutions ontraditional processes applied for addressing securityneeds

7 Data center operations analyzing architecture andoperations from data centers and identifyingessential characteristics for ensuring stability

8 Incident response notification and remediationpolicies for handling incidents

9 Application security aims to identify the possiblesecurity issues raised from migrating a specificsolution to the cloud and which platform (among SPImodel) is more adequate

10 Encryption and key management how higherscalability via infrastructure sharing affectsencryption and other mechanisms used forprotecting resources and data

11 Identity and access management enablingauthentication for cloud solutions while maintainingsecurity levels and availability for customers andorganizations

12 Virtualization risks related to multi-tenancyisolation virtual machine co-residence andhypervisor vulnerabilities all introduced byvirtualization technologies

13 Security as a service third party securitymechanisms delegating security responsibilities to atrusted third party provider

CSA also published a document focusing on identify-ing top threats aiming to aid risk management strategieswhen cloud solutions are adopted [12] As a completelist of threats and pertinent issues is countless the doc-ument targets those that are specific or intensified byfundamental characteristics of the cloud such as sharedinfrastructures and greater flexibility As a result seventhreats were selected

1 Abuse and nefarious used of cloud computing whileproviding flexible and powerful resources and toolsIaaS and PaaS solutions also unveil criticalexploitation possibilities built on anonymity Thisleads to abuse and misuse of the providedinfrastructure for conducting distributed denial ofservice attacks hosting malicious data controllingbotnets or sending spam

2 Insecure application programming interfaces cloudservices provide APIs for management storagevirtual machine allocation and other service-specificoperations The interfaces provided must implementsecurity methods to identify authenticate and protect

against accidental or malicious use which canintroduce additional complexities to the system suchas the need for third-party authorities and services

3 Malicious insiders although not specific to cloudcomputing its effects are amplified by theconcentration and interaction of services andmanagement domains

4 Shared technology vulnerabilities scalabilityprovided by cloud solutions are based on hardwareand software components which are not originallydesigned to provide isolation Even thoughhypervisors offer an extra granularity layer they stillexhibit flaws which are exploited for privilegeescalation

5 Data loss and leakage insufficient controlsconcerning user access and data security (includingprivacy and integrity) as well as disposal and evenlegal issues

6 Account service and traffic hijacking phishing andrelated frauds are not a novelty to computingsecurity However not only an attacker is able tomanipulate data and transactions but also to usestolen credentials to perform other attacks thatcompromise customer and provider reputation

7 Unknown risk profile delegation of control over dataand infrastructure allows companies to betterconcentrate on their core business possiblymaximizing profit and efficiency On the other handthe consequent loss of governance leads to obscurity[66] information about other customers sharing thesame infrastructure or regarding patching andupdating policies is limited This situation createsuncertainty concerning the exact risk levels that areinherent to the cloud solution

It is interesting to notice the choice for cloud-specificissues as it allows the identification of central pointsfor further development Moreover this compilation ofthreats is closely related to CSA security guidance com-posing a solid framework for security and risk analysisassessments while providing recommendations and bestpractices to achieve acceptable security levelsAnother approach adopted by CSA for organizing infor-

mation related to cloud security and governance is theTCI Reference Architecture Model [64] This documentfocuses on defining guidelines for enabling trust in thecloud while establishing open standards and capabilitiesfor all cloud-based operations The architecture definesdifferent organization levels by combining frameworkslike the SPI model ISO 27002 COBIT PCI SOX andarchitectures such as SABSA TOGAF ITIL and Jeri-cho A wide range of aspects are then covered SABSAdefines business operation support services such as com-pliance data governance operational risk management

human resources security security monitoring serviceslegal services and internal investigations TOGAF definesthe types of services covered (presentation applicationinformation and infrastructure ITIL is used for informa-tion technology operation and support from IT oper-ation to service delivery support and management ofincidents changes and resources finally Jericho cov-ers security and risk management including informationsecurity management authorization threat and vulnera-bility management policies and standards The result is atri-dimensional relationship between cloud delivery trustand operation that aims to be easily consumed and appliedin a security-oriented design

NISTNIST has recently published a taxonomy for security incloud computing [67] that is comparable to the taxonomyintroduced in section ldquoCloud computing security taxon-omyrdquo This taxonomyrsquos first level encompass typical rolesin the cloud environment cloud service provider respon-sible for making the service itself available cloud serviceconsumer who uses the service and maintains a businessrelationship with the provider cloud carrier which pro-vides communication interfaces between providers andconsumers cloud broker that manages use performanceand delivery of services and intermediates negotiationsbetween providers and consumers and cloud auditorwhich performs assessment of services operations andsecurity Each role is associated to their respective activ-ities and decomposed on their components and subcom-ponents The clearest difference from our taxonomy is thehierarchy adopted as our proposal primarily focuses onsecurity principles in its higher level perspective whilethe cloud roles are explored in deeper levels The con-cepts presented here extend NISTrsquos initial definition forcloud computing [9] incorporating a division of roles andresponsibilities that can be directly applied to securityassessments On the other hand NISTrsquos taxonomy incor-porates concepts such as deployment models servicetypes and activities related to cloud management (porta-bility interoperability provisioning) most of them largelyemployed in publications related to cloud computing ndashincluding this one

Frameworks summaryTables 1 and 2 summarize the information about eachframework

Books papers and other publicationsRimal Choi and Lumb [3] present a cloud taxonomycreated from the perspective of the academia developersand researchers instead of the usual point of view relatedto vendors Whilst they do provide definitions and con-cepts such as cloud architecture (based on SPI model)

Table 1 Summary of CSA security frameworks

Framework Objectives Structure and comments

CSA Guidance

bull Recommendations for reducing risksbull No restrictions regarding specific

solutions or service typesbull Guidelines not necessarily applicable

for all deployment modelsbull Provide initial structure to divide efforts

for researches

bull One architectural domainbull Governance domains risk management legal concerns compliance

auditing information management interoperability and portabilitybull Operational domains traditional and business security disaster recovery

data center operations encryption application security identificationauthorization virtualization security outsourcing

bull Emphasis on the fact that cloud is not bound to virtualization technologiesthough cloud services heavily depend on virtualized infrastructures toprovide flexibility and scalability

CSA Top Threats

bull Provide context for risk managementdecisions and strategies

bull Focus on issues which are unique orhighly influenced by cloud computingcharacteristics

bull Seven main threats

ndash Abuse and malicious use of cloud resourcesndash Insecure APIsndash Malicious insidersndash Shared technology vulnerabilitiesndash Data loss and leakagendash Hijacking of accounts services and trafficndash Unknown risk profile (security obscurity)

bull Summarizes information on top threats and provide examples remediationguidelines impact caused and which service types (based on SPI model)are affected

CSA Architecture

bull Enable trust in the cloud based onwell-known standards and certificationsallied to security frameworks and otheropen references

bull Use widely adopted frameworks inorder to achieve standardization ofpolicies and best practices based onalready accepted security principles

bull Four sets of frameworks (security NIST SPI IT audit and legislative) and fourarchitectural domains (SABSA business architecture ITIL for servicesmanagement Jericho for security and TOGAF for IT reference)

bull Tridimensional structure based on premises of cloud delivery trust andoperations

bull Concentrates a plethora of concepts and information related to servicesoperation and security

Table summarizing information related to CSA security frameworks (guidance top threats and TCI architecture)

virtualization management service types fault tolerancepolicies and security no further studies are developedfocusing on cloud specific security aspects This charac-teristic is also observed in other cloud taxonomies [68-70]whose efforts converge to the definition of service modelsand types rather than to more technical aspects such assecurity privacy or compliance concerns ndash which are thefocus of this paperIn [7] Mather Kumaraswamy and Latif discuss the

current status of cloud security and what is predictedfor the future The result is a compilation of security-related subjects to be developed in topics like infras-tructure data security and storage identity and accessmanagement security management privacy audit andcompliance They also explore the unquestionable urge formore transparency regarding which party (customer orcloud provider) provides each security capability as wellas the need for standardization and for the creation oflegal agreements reflecting operational SLAs Other issues

discussed are the inadequate encryption and key manage-ment capabilities currently offered as well as the need formulti-entity key managementMany publications also state the need for better security

mechanisms for cloud environments Doelitzscher et al[71] emphasize security as a major research area in cloudcomputing They also highlight the lack of flexibility ofclassic intrusion detection mechanisms to handle virtual-ized environments suggesting the use of special securityaudit tools associated to business flow modeling throughsecurity SLAs In addition they identify abuse of cloudresources lack of security monitoring in cloud infrastruc-ture and defective isolation of shared resources as focalpoints to be managed Their analysis of top security con-cerns is also based on publications from CSA ENISA andothers but after a quick evaluation of issues their focusswitch to their security auditing solution without offer-ing a deeper quantitative compilation of security risks andareas of concern

Table 2 Summary of ENISA and NIST security frameworks

ENISA Report

bull Study on benefits and risks whenadopting cloud solutions for businessoperations

bull Provide information for securityassessments and decision making

bull Three main categories of cloud specific risks (policy and organizationaltechnical legal) plus one extra category for not specific ones

bull Offers basic guidelines and best practices for avoiding or mitigating theireffects

bull Presents recommendations for further studies related to trust building(certifications metrics and transparency) large scale data protection(privacy integrity incident handling and regulations) and technicalaspects (isolation portability and resilience)

bull Highlights the duality of scalability (fast flexible and accessible resourcesversus concentrations of data attracting attackers and also providinginfrastructure for aiding their operations)

bull Extensive study on risks considering their impact and probability

NIST Taxonomy

bull Define what cloud services shouldprovide rather than how to design andimplement solutions

bull Ease the understanding of cloudinternal operations and mechanisms

bull Taxonomy levels

ndash First level cloud roles (service provider consumer cloud brokercloud carrier and cloud auditor)

ndash Second level activities performed by each role (cloudmanagement service deployment cloud access and serviceconsumption)

ndash Third and following levels elements which compose each activity(deployment models service types and auditing elements)

bull Based on publication SP 500-292 highlighting the importance of securityprivacy and levels of confidence and trust to increase technologyacceptance

bull Concentrates many useful concepts such as models for deploying orclassifying services

Table summarizing information on ENISA and NIST security frameworks

Associations such as the Enterprise Strategy Group[72] emphasize the need for hypervisor security shrink-ing hypervisor footprints defining the security perimetervirtualization and linking security and VM provision-ing for better resource management Aiming to addressthese requirements they suggest the use of increasedautomation for security controls VM identity manage-ment (built on top of Public Key Infrastructure and OpenVirtualization Format) and data encryption (tightly con-nected to state-of-art key management practices)Wallomet al [73] emphasize the need of guaranteeing virtualmachinesrsquo trustworthiness (regarding origin and identity)to perform security-critical computations and to han-dle sensitive data therefore presenting a solution whichintegrates Trusted Computing technologies and avail-able cloud infrastructures Dabrowski and Mills [74] usedsimulation to demonstrate virtual machine leakage andresource exhaustion scenarios leading to degraded per-formance and crashes they also propose the additionof orphan controls to enable the virtualized cloud envi-ronment to offer higher availability levels while keepingoverhead costs under control Ristenpart et al [44] alsoexplore virtual machine exploitation focusing on informa-tion leakage specially sensitive data at rest or in transit

Finally Chadwick and Casenove [75] describe a securityAPI for federated access to cloud resources and authoritydelegation while setting fine-grained controls and guar-anteeing the required levels of assurance inside cloudenvironments These publications highlight the need ofsecurity improvements related to virtual machines andvirtualization techniques concern that this paper demon-strates to be valid and urgent

DiscussionConsidering the points raised in the previous section astraightforward conclusion is that cloud security includesold and well-known issues ndash such as network and otherinfrastructural vulnerabilities user access authenticationand privacy ndash and also novel concerns derived fromnew technologies adopted to offer the adequate resources(mainly virtualized ones) services and auxiliary toolsThese problems are summarized by isolation and hypervi-sor vulnerabilities (the main technical concerns accordingto the studies and graphics presented) data location ande-discovery (legal aspects) and loss of governance overdata security and even decision making (in which thecloud must be strategically and financially considered as adecisive factor)

Another point observed is that even though adopt-ing a cloud service or provider may be easy migratingto another is not [76] After moving local data and pro-cesses to the cloud the lack of standards for protocolsand formats directly affects attempts to migrate to a dif-ferent provider even if this is motivated by legitimate rea-sons such as non-fulfillment of SLAs outages or providerbankruptcy [77] Consequently the first choice must becarefully made as SLAs are not perfect and servicesoutages happen at the same pace that resource sharingmulti-tenancy and scalability are not fail proof After adecision is made future migrations between services canbe extremely onerous in terms of time and costs mostlikely this task will require an extensive work for bring-ing all data and resources to a local infrastructure beforeredeploying them into the cloudFinally the analysis of current trends for cloud comput-

ing reveals that there is a considerable number of well-studied security concerns for which plenty solutions andbest practices have been developed such as those relatedto legal and administrative concerns On the other handmany issues still require further research effort especiallythose related to secure virtualization

Considerations and future workSecurity is a crucial aspect for providing a reliable envi-ronment and then enable the use of applications in thecloud and for moving data and business processes tovirtualized infrastructures Many of the security issuesidentified are observed in other computing environmentsauthentication network security and legal requirementsfor example are not a novelty However the impact ofsuch issues is intensified in cloud computing due tocharacteristics such as multi-tenancy and resource shar-ing since actions from a single customer can affect allother users that inevitably share the same resources andinterfaces On the other hand efficient and secure vir-tualization represents a new challenge in such a contextwith high distribution of complex services and web-based applications thus requiring more sophisticatedapproaches At the same time our quantitative analysisindicates that virtualization remains an underserved arearegarding the number of solutions provided to identifiedconcernsIt is strategic to develop new mechanisms that pro-

vide the required security level by isolating virtualmachines and the associated resources while followingbest practices in terms of legal regulations and compli-ance to SLAs Among other requirements such solutionsshould employ virtual machine identification providean adequate separation of dedicated resources com-bined with a constant observation of shared ones andexamine any attempt of exploiting cross-VM and dataleakage

A secure cloud computing environment depends onseveral security solutions working harmoniously togetherHowever in our studies we did not identify any securitysolutions provider owning the facilities necessary to gethigh levels of security conformity for clouds Thus cloudproviders need to orchestrate harmonize security solu-tions from different places in order to achieve the desiredsecurity levelIn order to verify these conclusions in practice we

deployed testbeds using OpenNebula (based on KVM andXEN) and analyzed its security aspects we also analyzedvirtualized servers based on VMWARE using our testbednetworks This investigation lead to a wide research ofPaaS solutions and allowed us to verify that most of themuse virtual machines based on virtualization technolo-gies such as VMWARE XEN and KVM which often lacksecurity aspects We also learned that Amazon changedthe XEN source code in order to include security fea-tures but unfortunately the modified code is not publiclyavailable and there appears to be no article detailing thechanges introduced Given these limitations a deeperstudy on current security solutions to manage cloud com-puting virtual machines inside the cloud providers shouldbe a focus of future work in the area We are also workingon a testbed based on OpenStack for researches relatedto identity and credentials management in the cloud envi-ronment This work should address basic needs for bettersecurity mechanisms in virtualized and distributed archi-tectures guiding other future researches in the securityarea

Competing interestsThe authors declare that they have no competing interests

Authorrsquos contributionsNG carried out the security research including the prospecting for informationand references categorization results analysis taxonomy creation and analysisof related work CM participated in the drafting of the manuscript as well as inthe analysis of references creation of the taxonomy and revisions of the textMS FR MN and MP participated in the critical and technical revisions of thepaper including the final one also helping with the details for preparing thepaper to be published TC coordinated the project related to the paper andalso gave the final approval of the version to be published All authors readand approved the final manuscript

AcknowledgementsThis work was supported by the Innovation Center EricssonTelecomunicacoes SA Brazil

Author details1Escola Politecnica at the University of Sao Paulo (EPUSP) Sao Paulo Brazil2Ericsson Research Stockholm Sweden 3Ericsson Research Ville Mont-RoyalCanada 4State University of Santa Catarina Joinville Brazil

Received 30 January 2012 Accepted 5 June 2012Published 12 July 2012

References1 IDC (2009) Cloud Computing 2010 ndash An IDC Update

slidesharenetJorFigOrcloud-computing-2010-an-idc-update2 Armbrust M Fox A Griffith R Joseph AD Katz RH Konwinski A Lee G

Patterson DA Rabkin A Stoica I Zaharia M (2009) Above the Clouds

A Berkeley View of Cloud Computing Technical ReportUCBEECS-2009-28 University of California at BerkeleyeecsberkeleyeduPubsTechRpts2009EECS-2009-28html

3 Rimal BP Choi E Lumb I (2009) A Taxonomy and Survey of CloudComputing Systems In Fifth International Joint Conference on INC IMSand IDC NCM rsquo09 CPS pp 44ndash51

4 Shankland S (2009) HPrsquos Hurd dings cloud computing IBMCNET News

5 Catteddu D Hogben G (2009) Benefits risks and recommendations forinformation security Tech rep European Network and InformationSecurity Agency enisaeuropaeuactrmfilesdeliverablescloud-computing-risk-assessment

6 CSA (2009) Security Guidance for Critical Areas of Focus in CloudComputing Tech rep Cloud Security Alliance

7 Mather T Kumaraswamy S (2009) Cloud Security and privacy AnEnterprise Perspective on Risks and Compliance 1st edition OrsquoReillyMedia

8 Chen Y Paxson V Katz RH (2010) Whatrsquos New About Cloud ComputingSecurity Technical Report UCBEECS-2010-5 University of California atBerkeley eecsberkeleyeduPubsTechRpts2010EECS-2010-5html

9 Mell P Grance T (2009) The NIST Definition of Cloud ComputingTechnical Report 15 National Institute of Standards and Technologywwwnistgovitlclouduploadcloud-def-v15pdf

10 Ibrahim AS Hamlyn-Harris J Grundy J (2010) Emerging SecurityChallenges of Cloud Virtual Infrastructure In Proceedings of APSEC 2010Cloud Workshop APSEC rsquo10

11 Gonzalez N Miers C Redıgolo F Carvalho T Simplıcio M Naslund MPourzandi M (2011) A quantitative analysis of current security concernsand solutions for cloud computing In Proceedings of 3rd IEEECloudCom AthensGreece IEEE Computer Society

12 Hubbard D Jr LJH Sutton M (2010) Top Threats to Cloud ComputingTech rep Cloud Security Alliance cloudsecurityallianceorgresearchprojectstop-threats-to-cloud-computing

13 Tompkins D (2009) Security for Cloud-based Enterprise Applicationshttpblogdtorgindexphp200902security-for-cloud-based-enterprise-applications

14 Jensen M Schwenk J Gruschka N Iacono LL (2009) On Technical SecurityIssues in Cloud Computing In IEEE Internation Conference on CloudComputing pp 109ndash116

15 TrendMicro (2010) Cloud Computing Security - Making Virtual MachinesCloud-Ready Trend Micro White Paper

16 Genovese S (2009) Akamai Introduces Cloud-Based Firewall httpcloudcomputingsys-concomnode1219023

17 Hulme GV (2011) CloudPassage aims to ease cloud server securitymanagement httpwwwcsoonlinecomarticle658121cloudpassage-aims-to-ease-cloud-server-security-management

18 Oleshchuk VA Koslashien GM (2011) Security and Privacy in the Cloud - ALong-Term View In 2nd International Conference on WirelessCommunications Vehicular Technology Information Theory andAerospace and Electronic Systems Technology (Wireless VITAE) WIRELESSVITAE rsquo11 pp 1ndash5 httpdxdoiorg101109WIRELESSVITAE20115940876

19 Google (2011) Google App Engine codegooglecomappengine20 Google (2011) Google Query Language (GQL)

codegooglecomintlenappenginedocspythonoverviewhtml21 StackOverflow (2011) Does using non-SQL databases obviate the need

for guarding against SQL injectionstackoverflowcomquestions1823536does-using-non-sql-databases-obviate-the-need-for-guarding-against-sql-injection

22 Rose J (2011) Cloudy with a chance of zero day wwwowasporgimages112Cloudy with a chance of 0 day Jon Rose-Tom Leaveypdf

23 Balkan A (2011) Why Google App Engine is broken and what Googlemust do to fix it aralbalkancom1504

24 Salesforce (2011) Salesforce Security Statementsalesforcecomcompanyprivacysecurityjsp

25 Espiner T (2007) Salesforce tight-lipped after phishing attackzdnetcouknewssecurity-threats20071107salesforce-tight-lipped-after-phishing-attack-39290616

26 Yee A (2007) Implications of Salesforce Phishing Incidentebizqnetblogssecurity insider200711-implications of salesforce phiphp

27 Salesforce (2011) Security Implementation Guideloginsalesforcecomhelpdocensalesforce security impl guidepdf

28 Li H Dai Y Tian L Yang H (2009) Identity-Based Authentication for CloudComputing In Proceedings of the 1st International Conference on CloudComputing CloudCom rsquo09

29 Amazon (2011) Elastic Compute Cloud (EC2) awsamazoncomec230 Kaufman C Venkatapathy R (2010) Windows Azure Security Overview

gomicrosoftcomlinkid=9740388 [August]31 McMillan R (2010) Google Attack Part of Widespread Spying Effort

PCWorld32 Mills E (2010) Behind the China attacks on Google CNET News33 Arrington M (2010) Google Defends Against Large Scale Chinese Cyber

Attack May Cease Chinese Operations TechCrunch34 Bosch J (2009) Google Accounts Attacked by Phishing Scam BrickHouse

Security Blog35 Telegraph T (2009) Facebook Users Targeted By Phishing Attack The

Telegraph36 Pearson S (2009) Taking account of privacy when designing cloud

computing services In Proceedings of the 2009 ICSE Workshop onSoftware Engineering Challenges of Cloud Computing CLOUD rsquo09

37 Musthaler L (2009) Cost-effective data encryption in the cloud NetworkWorld

38 Yan L Rong C Zhao G (2009) Strengthen Cloud Computing Security withFederal Identity Management Using Hierarchical Identity-BasedCryptography In Proceedings of the 1st International Conference onCloud Computing CloudCom rsquo09

39 Tech C (2010) Examining Redundancy in the Data Center Powered by theCloud and Disaster Recovery Consonus Tech

40 Lyle M (2011) Redundancy in Data Storage Define the Cloud41 Dorion P (2010) Data destruction services When data deletion is not

enough SearchDataBackupcom42 Mogull R (2009) Cloud Data Security Archive and Delete (Rough Cut)

securosiscomblogcloud-data-security-archive-and-delete-rough-cut43 Messmer E (2011) Gartner New security demands arising for

virtualization cloud computing httpwwwnetworkworldcomnews2011062311-security-summithtml

44 Ristenpart T Tromer E Shacham H Savage S (2009) Hey you get off ofmy cloud exploring information leakage in third-party compute cloudsIn Proceedings of the 16th ACM conference on Computer andcommunications security CCS rsquo09 New York NY USA ACM pp 199ndash212doiacmorg10114516536621653687

45 Chow R Golle P Jakobsson M Shi E Staddon J Masuoka R Molina J(2009) Controlling data in the cloud outsourcing computation withoutoutsourcing control In Proceedings of the 2009 ACM workshop onCloud computing security CCSW rsquo09 New York NY USA ACM pp 85ndash90httpdoiacmorg10114516550081655020

46 Sadeghi AR Schneider T Winandy M (2010) Token-Based CloudComputing - Secure Outsourcing of Data and Arbitrary Computationswith Lower Latency In Proceedings of the 3rd international conferenceon Trust and trustworthy computing TRUST rsquo10

47 Brandic I Dustdar S Anstett T Schumm D Leymann F (2010) CompliantCloud Computing (C3) Architecture and Language Support forUser-driven Compliance Management in Clouds In 2010 IEEE 3rdInternational Conference on Cloud Computing pp 244ndash251 httpdxdoiorg101109CLOUD201042

48 Brodkin J (2008) Gartner Seven cloud computing security risks httpwwwinfoworldcomdsecurity-centralgartner-seven-cloud-computing-security-risks-853

49 Kandukuri BR Paturi R Rakshit A (2009) Cloud Security Issues InProceedings of the 2009 IEEE International Conference on ServicesComputing SCC rsquo09

50 Winterford B (2011) Amazon EC2 suffers huge outage httpwwwcrncomauNews255586amazon-ec2-suffers-huge-outageaspx

51 Clarke G (2011) Microsoft BPOS cloud outage burns Exchange convertshttpwwwtheregistercouk20110513

52 Shankland S (2011) Amazon cloud outage derails Reddit Quora53 Young E (2009) Cloud Computing - The role of internal audit54 CloudAudit (2011) A6 - The automated audit assertion assessment and

assurance API httpcloudauditorg55 Anand N (2010) The legal issues around cloud computing httpwww

labnolorginternetcloud-computing-legal-issues14120

56 Hunter S (2011) Ascending to the cloud creates negligible e-discoveryrisk httpediscoveryquarlescom201107articlesinformation-technologyascending-to-the-cloud-creates-negligible-ediscovery-risk

57 Sharon D Nelson JWS (2011) Virtualization and Cloud Computingbenefits and e-discovery implications httpwwwslawca20110719virtualization-and-cloud-computing-benefits-and-e-discovery-implications

58 Bentley L (2009) E-discovery in the cloud presents promise and problemshttpwwwitbusinessedgecomcmcommunityfeaturesinterviewsbloge-discovery-in-the-cloud-presents-promise-and-problemscs=31698

59 Zierick J (2011) The special case of privileged users in the sloud httpblogbeyondtrustcombid63894The-Special-Case-of-Privileged-Users-in-the-Cloud

60 Dinoor S (2010) Got Privilege Ten Steps to Securing a Cloud-BasedEnterprise httpcloudcomputingsys-concomnode1571649

61 Pavolotsky J (2010) Top five legal issues for the cloud httpwwwforbescom20100412cloud-computing-enterprise-technology-cio-network-legalhtml

62 ENISA (2011) About ENISA httpwwwenisaeuropaeuabout-enisa63 CSA (2011) About httpscloudsecurityallianceorgabout64 CSA (2011) CSA TCI Reference Architecture httpscloudsecurityalliance

orgwp-contentuploads201111TCI-Reference-Architecture-11pdf65 CSA (2011) Security Guidance for Critical Areas of Focus in Cloud

Computing V30 Tech rep Cloud Security Alliance [Httpwwwcloudsecurityallianceorgguidancecsaguidev30pdf]

66 Ramireddy S Chakraborthy R Raghu TS Rao HR (2010) Privacy andSecurity Practices in the Arena of Cloud Computing - A Research inProgress In AMCIS 2010 Proceedings AMCIS rsquo10 httpaiselaisnetorgamcis2010574

67 NIST (2011) NIST Cloud Computing Reference Architecture SP 500-292httpcollaboratenistgovtwiki-cloud-computingpubCloudComputingReferenceArchitectureTaxonomyNIST SP 500-292 -090611pdf

68 Youseff L Butrico M Silva DD (2008) Toward a Unified Ontology of CloudComputing In Grid Computing Environments Workshop 2008 GCE rsquo08pp 10 1 httpdxdoiorg101109GCE20084738443

69 Johnston S (2008) Sam Johnston taxonomy the 6 layer cloud computingstack httpsamjnet200809taxonomy-6-layer-cloud-computing-stackhtml]

70 Linthicum D (2009) Defining the cloud computing framework httpcloudcomputingsys-concomnode811519

71 Doelitzscher F Reich C Knahl M Clarke N (2011) An autonomous agentbased incident detection system for cloud environments In Third IEEEInternational Conference on Cloud Computing Technology and ScienceCloudCom 2011 CPS pp 197ndash204 httpdxdoiorg101109CloudCom201135

72 Oltsik J (2010) Information security virtualization and the journey to thecloud Tech rep Cloud Security Alliance

73 Wallom D Turilli M Taylor G Hargreaves N Martin A Raun A McMoran A(2011) myTrustedCloud Trusted Cloud Infrastructure for Security-criticalComputation and Data Managment In Third IEEE InternationalConference on Cloud Computing Technology and Science CloudCom2011 CPS pp 247ndash254

74 Dabrowski C Mills K (2011) VM Leakage and Orphan Control inOpen-Source Clouds In Third IEEE International Conference on CloudComputing Technology and Science CloudCom 2011 CPS pp 554ndash559

75 Chadwick DW Casenove M (2011) Security APIs for My Private Cloud InThird IEEE International Conference on Cloud Computing Technologyand Science CloudCom 2011 CPS pp 792ndash798

76 Claybrook B (2011) How providers affect cloud application migrationhttpsearchcloudcomputingtechtargetcomtutorialHow-providers-affect-cloud-application-migration

77 CSA (2011) Interoperability and portability

doi1011862192-113X-1-11Cite this article asGonzalez et alAquantitative analysis of current securityconcerns and solutions for cloud computing Journal of Cloud ComputingAdvances Systems and Applications 2012 111

Submit your manuscript to a journal and benefi t from

7 Convenient online submission

7 Rigorous peer review

7 Immediate publication on acceptance

7 Open access articles freely available online

7 High visibility within the fi eld

7 Retaining the copyright to your article

Submit your next manuscript at 7 springeropencom

Abstract

Introduction

Cloud computing security

Cloud computing security taxonomy

Current status of cloud security

Security concerns

Security solutions

Comparison

Related work

Security frameworks

ENISA

CSA

NIST

Frameworks summary

Books papers and other publications

Discussion

Considerations and future work

Competing interests

Authors contributions

Acknowledgements

Author details

References