nach oben

International Journal of Information Security

Erschienen in:

01.04.2014 | SPECIAL ISSUE PAPER

Security issues in cloud environments: a survey

verfasst von: Diogo A. B. Fernandes, Liliana F. B. Soares, João V. Gomes, Mário M. Freire, Pedro R. M. Inácio

Erschienen in: International Journal of Information Security | Ausgabe 2/2014

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In the last few years, the appealing features of cloud computing have been fueling the integration of cloud environments in the industry, which has been consequently motivating the research on related technologies by both the industry and the academia. The possibility of paying-as-you-go mixed with an on-demand elastic operation is changing the enterprise computing model, shifting on-premises infrastructures to off-premises data centers, accessed over the Internet and managed by cloud hosting providers. Regardless of its advantages, the transition to this computing paradigm raises security concerns, which are the subject of several studies. Besides of the issues derived from Web technologies and the Internet, clouds introduce new issues that should be cleared out first in order to further allow the number of cloud deployments to increase. This paper surveys the works on cloud security issues, making a comprehensive review of the literature on the subject. It addresses several key topics, namely vulnerabilities, threats, and attacks, proposing a taxonomy for their classification. It also contains a thorough review of the main concepts concerning the security state of cloud environments and discusses several open research topics.

Vorheriger Artikel Security policy verification for multi-domains in cloud systems

Nächster Artikel On detecting co-resident cloud instances using network flow watermarking techniques

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

General studies comprise studies not related with cloud security, such as mobile, scientific and green cloud computing, eGovernment, and optimization on cloud networks.

OpenFlow is an innovative routing technology that separates the data plane from the forwarding plane and is an enabler toward Software-Defined Networking (SDN).

Anti-* stands for anti-spam, anti-virus, anti-spyware and anti-phishing.

57un Blog: A BIG Password Cracking Wordlist. https://57un.wordpress.com/2013/03/09/a-big-password-cracking-wordlist/. Accessed May 2013 (2013)

Aguiar, E., Zhang, Y., Blanton, M.: An Overview of Issues and Recent Developments in Cloud Computing and Storage Security, pp. 1–31. Springer, Berlin (2013)

Ahuja, S.P., Komathukattil, D.: A survey of the state of cloud security. Netw. Commun. Technol. 1(2), 66–75 (2012). doi:10.5539/nct.v1n2p66

Aihkisalo, T., Paaso, T.: Latencies of service invocation and processing of the REST and SOAP web service interfaces. In: IEEE 8th World Congress on Services (SERVICES), pp. 100–107. Honolulu, HI, USA (2012). doi:10.1109/SERVICES.2012.55

Al-Aqrabi, H., Liu, L., Xu, J., Hill, R., Antonopoulos, N., Zhan, Y.: Investigation of IT security and compliance challenges in security-as-a-service for cloud computing. In: 15th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops (ISORCW), pp. 124–129. Shenzhen, Guangdong, China (2012). doi:10.1109/ISORCW.2012.31

Alert Logic: State of Cloud Security Report: Targeted Attacks and Opportunistic Hacks. http://www.alertlogic.com/resources/security-intelligence-newsletter/download-cloud-security-report-spring2013/ (2013). Accessed Apr. 2013

AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., Schuldt, J.: On the Security of RC4 in TLS. http://www.isg.rhul.ac.uk/tls/index.html (2013). Accessed Apr. 2013

AlienVault: OSSIM Website. https://aws.amazon.com/marketplace/pp/B00BIUQRGC/ (2013). Accessed May 2013

Amazon: Amazon Web Services: Overview of Security Processes. http://s3.amazonaws.com/aws_blog/AWS_Security_Whitepaper_2008_09.pdf (2011). White Paper. Accessed Sept. 2012

10.

Amazon: Amazon Elastic Compute Cloud (Amazon EC2). https://aws.amazon.com/ec2/ (2012). Accessed Apr. 2013

11.

Amazon: Amazon Virtual Private Cloud (Amazon VPC). http://aws.amazon.com/vpc/ (2012). Accessed Sept. 2012

12.

Amazon Web Services Discussion Forums: Low Entropy on EC2 Instances— Problem for Anything Related to Security. https://forums.aws.amazon.com/thread.jspa?messageID=249079 (2011). Accessed Apr. 2013

13.

Amoroso, E.: From the enterprise perimeter to a mobility-enabled secure cloud. IEEE Secur. Priv. 11(1), 23–31 (2013). doi:10.1109/MSP.2013.8

14.

Anstee, D.: Q1 Key Findings from ATLAS. http://www.arbornetworks.com/corporate/blog/4855-q1-key-findings-from-atlas (2013). Accessed Apr. 2013

15.

Apache: CloudStack Website. https://cloudstack.apache.org/ (2013). Accessed May 2013

16.

Apprenda: Apprenda Website. http://apprenda.com (2013). Accessed Apr. 2013

17.

Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M.: A view of cloud computing. Commun. ACM 53(4), 50–58 (2010). doi:10.1145/1721654.1721672 CrossRef

18.

Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R.H., Konwinski, A., Lee, G., Patterson, D.A., Rabkin, A., Zaharia, M.: Above the Clouds: A Berkeley View of Cloud Computing. Technical Report UCB/EECS-2009-28. Electrical Engineering and Computer Sciences University of California (2009)

19.

Ateniese, G., Di Pietro, R., Mancini, L.V., Tsudik, G.: Scalable and efficient provable data possession. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, pp. 9:1–9:10. ACM, New York, NY, USA (2008)

20.

Aviram, A., Hu, S., Ford, B., Gummadi, R.: Determinating timing channels in compute clouds. In: Proceedings of the ACM Workshop on Cloud computing, Security, pp. 103–108 (2010). doi:10.1145/1866835.1866854

21.

Azmandian, F., Moffie, M., Alshawabkeh, M., Dy, J., Aslam, J., Kaeli, D.: Virtual machine monitor-based lightweight intrusion detection. SIGOPS Oper. Syst. Rev. 45(2), 38–53 (2011). doi:10.1145/2007183.2007189 CrossRef

22.

Back, G., Hsieh, W.C.: The KaffeOS Java runtime system. ACM Trans. Program. Lang. Syst. 27(4), 583–630 (2005). doi:10.1145/1075382.1075383 CrossRef

23.

Backstrom, L., Dwork, C., Kleinberg, J.: Wherefore art thou R3579X?: anonymized social networks, hidden patterns, and structural steganography. In: Proceedings of the 16th International Conference on World Wide Web, pp. 181–190. ACM, New York, NY, USA (2007). doi:10.1145/1242572.1242598

24.

Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., Xu, D.: DKSM: subverting virtual machine introspection for fun and profit. In: 29th IEEE Symposium on Reliable Distributed Systems, pp. 82–91. IEEE Computer Society, Washington, DC, USA (2010). doi:10.1109/SRDS.2010.39

25.

Banerjee, P., Friedrich, R., Bash, C., Goldsack, P., Huberman, B., Manley, J., Patel, C., Ranganathan, P., Veitch, A.: Everything as a service: powering the new information economy. Computer 44(3), 36–43 (2011). doi:10.1109/MC.2011.67 CrossRef

26.

Basak, D., Toshniwal, R., Maskalik, S., Sequeira, A.: Virtualizing networking and security in the cloud. SIGOPS Oper. Syst. Rev. 44(4), 86–94 (2010). doi:10.1145/1899928.1899939 CrossRef

27.

Begum, S., Khan, M.: Potential of cloud computing architecture. In: International Conference on Information and Communication Technologies, pp. 1–5. IEEE (2011). doi:10.1109/ICICT.2011.5983572

28.

Behl, A.: Emerging security challenges in cloud computing: an insight to cloud security challenges and their mitigation. In: World Congress on Information and Communication Technologies, pp. 217–222. IEEE (2011). doi:10.1109/WICT.2011.6141247

29.

Behl, A., Behl, K.: Security paradigms for cloud computing. In: 4th International Conference on Computational Intelligence, Communication Systems and Networks, pp. 200–205. IEEE (2012). doi:10.1109/CICSyN.2012.45

30.

Belqasmi, F., Singh, J., Glitho, R.: SOAP-based vs. RESTful web services: a case study for multimedia. IEEE Internet Comput. 16(4), 54–63 (2012). doi:10.1109/MIC.2012.62 CrossRef

31.

Bentounsi, M., Benbernou, S., Atallah, M.: Privacy-preserving business process outsourcing. In: IEEE 19th International Conference on Web Services, pp. 662–663. IEEE (2012). doi:10.1109/ICWS.2012.34

32.

Bernstein, D., Vij, D.: Intercloud security considerations. In: IEEE 2nd International Conference on Cloud Computing Technology and Science, pp. 537–544. IEEE Computer Society, Washington, DC, USA (2010)

33.

Bin Mat Nor, F., Jalil, K., Manan, J.L.: An enhanced remote authentication scheme to mitigate man-in-the-browser attacks. In: International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), pp. 271–276. Kuala Lumpur, Malaysia (2012). doi:10.1109/CyberSec.2012.6246086

34.

Boampong, P.A., Wahsheh, L.A.: Different facets of security in the cloud. In: Proceedings of the 15th Communications and Networking Simulation Symposium, pp. 5:1–5:7. Society for Computer Simulation International, San Diego, CA, USA (2012)

35.

Bowers, K.D., Juels, A., Oprea, A.: HAIL: a high-availability and integrity layer for cloud storage. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 187–198. ACM, New York, NY, USA (2009). doi:10.1145/1653662.1653686

36.

Box: Box Website. https://www.box.com/ (2013). Accessed Apr. 2013

37.

Bradbury, D.: Shadows in the cloud: Chinese involvement in advanced persistent threats. Netw. Secur. 2010(5), 16–19 (2010). doi:10.1016/S1353-4858(10)70058-1 CrossRef

38.

Brito, H.: Pentagon Creating “Rules of Engagement” for Responding to Advanced Attackers. Mandiant M-Unition (2013)

39.

Bugiel, S., Nürnberger, S., Pöppelmann, T., Sadeghi, A.R., Schneider, T.: AmazonIA: when elasticity snaps back. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 389–400. ACM, New York, NY, USA (2011). doi:10.1145/2046707.2046753

40.

Carriço, P.: Low entropy on VMs\(\ldots \) http://blog.pedrocarrico.net/post/17026199379/low-entropy-on-vms (2012). Accessed May 2013

41.

Carroll, M., Kotzé, P., Van der Merwe, A. (2011). Secure virtualization—benefits, risks and controls. In: Leymann, F., Ivanov, I., van Sinderen, M., Shishkov, B. (eds.) CLOSER, pp. 15–23. SciTePress

42.

Casale, A.: The Dangers of Recycling in the Cloud. TheMakegood (2013)

43.

Chen, C.C., Yuan, L., Greenberg, A., Chuah, C.N., Mohapatra, P.: Routing-as-a-Service (RaaS): a framework for tenant-directed route control in data center. In: Proceedings of the 30th IEEE International Conference on Computer Communications (INFOCOM), pp. 1386–1394 (2011) doi:10.1109/INFCOM.2011.5934924

44.

Chen, D., Zhao, H.: Data security and privacy protection issues in cloud computing. In: International Conference on Computer Science and Electronics Engineering, vol. 1, pp. 647–651. IEEE (2012). doi:10.1109/ICCSEE.2012.193

45.

Chen, T.H., lien Yeh, H., Shih, W.K.: An advanced ECC dynamic ID-based remote mutual authentication scheme for cloud computing. In: 5th FTRA International Conference on Multimedia and Ubiquitous Engineering (MUE), pp. 155–159. Crete, Greece (2011). doi:10.1109/MUE.2011.69

46.

Chen, X., Andersen, J., Mao, Z., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: IEEE International Conference on Dependable Systems and Networks (DNS) With FCTS and DCC, pp. 177–186. Anchorage, AK, USA (2008). doi:10.1109/DSN.2008.4630086

47.

Chen, Y., Paxson, V., Katz, R.H.: What’s New About Cloud Computing Security? Technical Report UCB/EECS-2010-5. EECS Department, University of California, Berkeley (2010). http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html

48.

Chonka, A., Xiang, Y., Zhou, W., Bonti, A.: Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks. J. Netw. Comput. Appli. 34(4), 1097–1107 (2011). doi:10.1016/j.jnca.2010.06.004 CrossRef

49.

Choudhary, V.: Software as a service: implications for investment in software development. In: 40th Annual Hawaii International Conference on System Sciences, p. 209a. IEEE Computer Society, Washington, DC, USA (2007). doi:10.1109/HICSS.2007.493

50.

Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., Molina, J.: Controlling data in the cloud: outsourcing computation without outsourcing control. In: Proceedings of the ACM Workshop on Cloud Computing Security, pp. 85–90. ACM, New York, NY, USA (2009). doi:10.1145/1655008.1655020

51.

Christodorescu, M., Sailer, R., Schales, D.L., Sgandurra, D., Zamboni, D.: Cloud security is not (just) virtualization security: a short paper. In: Proceedings of the ACM Workshop on Cloud Computing Security (CCSW), pp. 97–102. ACM, Chicago, IL, USA (2009). doi:10.1145/1655008.1655022

52.

Chung, H., Park, J., Lee, S., Kang, C.: Digital forensic investigation of cloud storage services. Digit. Investig. (2012). doi:10.1016/j.diin.2012.05.015. Available online on 23 Jun. 2012

53.

Cisco: Cisco Data Center Infrastructure 2.5 Design Guide. http://www.cisco.com/univercd/cc/td/doc/solution/dcidg21.pdf (2007). Accessed Oct. 2012

54.

Cisco: Data Center Power and Cooling. http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns944/white_paper_c11-680202.pdf (2011). White Paper. Accessed Sept. 2012

55.

Cisco: Cisco Global Cloud Index: Forecast and Methodology, 2011–2016. http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns1175/Cloud_Index_White_Paper.pdf (2012). White Paper. Accessed Apr. 2013

56.

Cisco: 2013 Cisco Annual Security Report. http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html (2013). Accessed Apr. 2013

57.

Cisco: Cisco Cloud Services Router 1000V Series. http://www.cisco.com/en/US/products/ps12559/index.html (2013). Accessed Jul. 2013

58.

Citrix: Citrix Website. https://www.citrix.com/products.html?ntref=hp_nav_us (2013). Accessed Jun. 2013

59.

CloudBees: CloudBees Website. http://www.cloudbees.com/ (2013). Accessed Apr. 2013

60.

Corbató, F.J., Vyssotsky, V.A.: Introduction and overview of the Multics system. In: Proceedings of the Fall Joint Computer Conference, pp. 185–196. ACM, New York, NY, USA (1965)

61.

Coronado, C.: Blackhole Exploit Kit Leverages Margaret Thatcher’s Death. Trend Micro (2013)

62.

CSA: Top Threats to Cloud Computing. https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf (2010). Accessed Sept. 2012

63.

CSA: Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (2011). Accessed Sept. 2012

64.

CSA: The Notorious Nine Cloud Computing Top Threats in 2013. https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf (2013). Accessed Jul. 2013

65.

Cuckoo Website: Cuckoo. http://www.cuckoosandbox.org/ (2013). Accessed Apr. 2013

66.

Curran, K., Dougan, T.: Man in the browser attacks. Int. J. Ambient Comput. Intell. 4(1), 29–39 (2012). doi:10.4018/jaci.2012010103 CrossRef

67.

Czajkowski, G., Daynàs, L.: Multitasking without compromise: a virtual machine evolution. ACM SIGPLAN Not. 47(4a), 60–73 (2012). doi:10.1145/2442776.2442785 CrossRef

68.

Dacosta, I., Chakradeo, S., Ahamad, M., Traynor, P.: One-time cookies: preventing session hijacking attacks with stateless authentication tokens. ACM Trans. Internet Technol. 12(1), 1:1–1:24 (2012). doi:10.1145/2220352.2220353 CrossRef

69.

Dahbur, K., Mohammad, B., Tarakji, A.B.: A survey of risks, threats and vulnerabilities in cloud computing. In: Proceedings of the International Conference on Intelligent Semantic Web-Services and Applications, pp. 12:1–12:6. ACM, New York, NY, USA (2011)

70.

Darrow, B., Higginbothamm, S.: What We’ll See in 2013 in Cloud Computing. GigaOM (2012)

71.

de Borja, F.: Nebula One Seeks To Reinvent Cloud Computing. CloudTimes (2013)

72.

Dhage, S.N., Meshram, B.B., Rawat, R., Padawe, S., Paingaokar, M., Misra, A.: Intrusion detection system in cloud computing environment. In: Proceedings of the International Conference & Workshop on Emerging Trends in Technology, pp. 235–239. ACM, New York, NY, USA (2011). doi:10.1145/1980022.1980076

73.

Dinesha, H., Agrawal, V.: Multi-level authentication technique for accessing cloud services. In: International Conference on Computing, Communication and Applications, pp. 1–4. IEEE (2012). doi:10.1109/ICCCA.2012.6179130

74.

Ding, X., Zhang, L., Wan, Z., Gu, M.: De-anonymizing dynamic social networks. In: IEEE Global Telecommunications Conference, pp. 1–6. IEEE (2011). doi:10.1109/GLOCOM.2011.6133607

75.

Doel, K.: Scary Logins: Worst Passwords of 2012 and How to Fix Them. SplashData (2012)

76.

Dong, T.: Android. Dropdialer. https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909--0726-99 (2012). Accessed Apr. 2013

77.

Doroodchi, M., Iranmehr, A., Pouriyeh, S.: An investigation on integrating XML-based security into Web services. In: 5th IEEE GCC Conference Exhibition, pp. 1–5. IEEE (2009)

78.

Ducklin, P.: HElib. SOPHOS Nakedsecurity (2013)

79.

Duncan, A., Creese, S., Goldsmith, M.: Insider attacks in cloud computing. In: IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 857–862. IEEE Computer Society, Washington, DC, USA (2012). doi:10.1109/TrustCom.2012.188

80.

Dykstra, J., Sherman, A.T.: Acquiring forensic evidence from infrastructure-as-a-service cloud computing: exploring and evaluating tools, trust, and techniques. Digit. Investig. 9, Supplement(0), S90–S98 (2012). doi:10.1016/j.diin.2012.05.001

81.

Electronic Frontier Foundation: HTTPS Everywhere Website. https://www.eff.org/https-everywhere (2013). Accessed Apr. 2013

82.

ENISA: Cloud Computing: Benefits, Risks and Recommendations for Infomarion Security. http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment (2009). Accessed Sept. 2012

83.

Firdhous, M., Ghazali, O., Hassan, S.: A trust computing mechanism for cloud computing with multilevel thresholding. In: 6th IEEE International Conference on Industrial and Information Systems, pp. 457–461. IEEE (2011). doi:10.1109/ICIINFS.2011.6038113

84.

FireEye: FireEye Advanced Threat Report—2H 2012. http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2h2012.pdf (2013). Accessed Apr. 2013

85.

Foster, I., Zhao, Y., Raicu, I., Lu, S.: Cloud computing and grid computing 360-degree compared. In: Grid Computing Environments Workshop, pp. 1–10. IEEE (2008). doi:10.1109/GCE.2008.4738445

86.

Garfinkel, T., Rosenblum, M.: When virtual is harder than real: security challenges in virtual machine based computing environments. In: Proceedings of the 10th Conference on Hot Topics in Operating Systems, vol. 10, pp. 20–20. USENIX Association, Berkeley, CA, USA (2005)

87.

Gartner: Assessing the Security Risks of Cloud Computing. http://cloud.ctrls.in/files/assessing-the-security-risks.pdf (2008). White Paper. Accessed Sept. 2012

88.

Gens, F.: IT Cloud Services User Survey, pt.2: Top Benefits & Challenges. IDC (2008)

89.

Gens, F.: New IDC IT Cloud Services Survey: Top Benefits and Challenges. IDC (2009)

90.

Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC), STOC ’09, pp. 169–178. ACM, Bethesda, MD, USA (2009). doi:10.1145/1536414.1536440

91.

Geoffray, N., Thomas, G., Muller, G., Parrend, P., Frenot, S., Folliot, B.: I-JVM: a Java virtual machine for component isolation in OSGi. In: IEEE/IFIP Int. Conf. on Dependable Systems Networks (DSN), pp. 544–553. Estoril, Lisbon, Portugal (2009). doi:10.1109/DSN.2009.5270296

92.

Gomathisankaran, M., Tyagi, A., Namuduri, K.: HORNS: a homomorphic encryption scheme for cloud computing using Residue number system. In: 45th Annual Conference on Information Sciences and Systems (CISS), pp. 1–5. Baltimore, MD, USA (2011). doi:10.1109/CISS.2011.5766176

93.

Gong, C., Liu, J., Zhang, Q., Chen, H., Gong, Z.: The characteristics of cloud computing. In: 39th International Conference on Parallel Processing Workshop, pp. 275–279. IEEE Computer Society, Washington, DC, USA (2010). doi:10.1109/ICPPW.2010.45

94.

Gonzalez, N., Miers, C., Redigolo, F., Carvalho, T., Simplicio, M., Naslund, M., Pourzandi, M.: A quantitative analysis of current security concerns and solutions for cloud computing. In: IEEE 3rd International Conference on Cloud Computing Technology and Science, pp. 231–238. IEEE Computer Society, Washington, DC, USA (2011).

95.

Goodin, D.: Why Passwords have Never been Weaker—and Crackers have Never been Stronger. Ars Technica (2012)

96.

Goodrich, R.: What Is Doxing? TechNewsDaily (2013)

97.

Google: Google App Engine. https://developers.google.com/appengine/ (2013). Accessed Apr. 2013

98.

Green, M.: The threat in the cloud. IEEE Secur. Priv. 11(1), 86–89 (2013). doi:10.1109/MSP.2013.20

99.

Grispos, G., Glisson, W.B., Storer, T.: Using smartphones as a proxy for forensic evidence contained in cloud storage services. In: 46th Hawaii International Conference on System Sciences (HICSS), pp. 4910–4919. Maui, HI, USA (2013). doi:10.1109/HICSS.2013.592

100.

Grobauer, B., Walloschek, T., Stocker, E.: Understanding cloud computing vulnerabilities. IEEE Secur. Priv. 9(2), 50–57 (2011). doi:10.1109/MSP.2010.115 CrossRef

101.

Grosse, E., Upadhyay, M.: Authentication at scale. IEEE Secur. Priv. 11(1), 15–22 (2013). doi:10.1109/MSP.2012.162

102.

Gruschka, N., Iacono, L.: Vulnerable cloud: SOAP message security validation revisited. In: IEEE International Conference on Web Services, pp. 625–631. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/ICWS.2009.70

103.

Gul, I., Rehman, A., Islam, M.: Cloud computing security auditing. In: The 2nd International Conference on Next Generation Information Technology, pp. 143–148. IEEE (2011)

104.

Habib, S., Ries, S., Muhlhauser, M.: Towards a trust management system for cloud computing. In: IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 933–939. IEEE Computer Society, Washington, DC, USA (2011). doi:10.1109/TrustCom.2011.129

105.

Hale, C.: bcrypt. http://codahale.com/how-to-safely-store-a-password/ (2010). Accessed May 2013

106.

Hamada, J.: Japanese One-Click Fraud Campaign Comes to Google Play. Symantec Blog (2013)

107.

Hart, J.: Remote working: managing the balancing act between network access and data security. Comput. Fraud Secur. 2009(11), 14–17 (2009). doi:10.1016/S1361-3723(09)70141-1 CrossRef

108.

Hayes, B.: Cloud computing. Commun. ACM 51(7), 9–11 (2008). doi:10.1145/1364782.1364786 CrossRef

109.

Helland, P.: Condos and clouds. Commun. ACM 56(1), 50–59 (2013). doi:10.1145/2398356.2398374 CrossRef

110.

Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Minding your Ps and Qs: detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium, pp. 205–220. USENIX, Bellevue, WA, USA (2012). doi:10.1109/ICCIAutom.2011.6183990

111.

Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). RFC 6797 (Proposed Standard) (2012). https://www.ietf.org/rfc/rfc6797.txt

112.

Honan, M.: How Apple and Amazon Security Flaws Led to My Epic Hacking. Wired (2012)

113.

HP: HP 2012 Cyber Risk Report. http://www.hpenterprisesecurity.com/collateral/whitepaper/HP2012CyberRiskReport_0213.pdf (2013). Accessed Apr. 2013

114.

HP: HP ArcSight. http://www8.hp.com/us/en/software-solutions/software.html?compURI=1340477 (2013). Accessed Apr. 2013

115.

Hua, J., Sakurai, K.: Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC), pp. 1470–1477. ACM, Trento, Italy (2012). doi:10.1145/2231936.2232011

116.

Hunt, T.: 5 Ways to Implement HTTPS in an Insufficient Manner (and leak sensitive data). http://www.troyhunt.com/2013/04/5-ways-to-implement-https-in.html (2013). Accessed Apr. 2013

117.

Idziorek, J., Tannian, M.: Exploiting cloud utility models for profit and ruin. In: IEEE International Conference on Cloud Computing, pp. 33–40. IEEE Computer Society, Washington, DC, USA (2011)

118.

Idziorek, J., Tannian, M., Jacobson, D.: Detecting fraudulent use of cloud resources. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 61–72. ACM, New York, NY, USA (2011). doi:10.1145/2046660.2046676

119.

Infosecurity: Recycled phones retain their previous owners’ data. Infosecurity Magazine (2013)

120.

Intel: Intel Digital Random Number Generator (DRNG): Software Implementation Guide. http://software.intel.com/sites/default/files/m/d/4/1/d/8/441_Intel_R_DRNG_Software_Implementation_Guide_final_Aug7.pdf (2012). Accessed May 2013

121.

Jackson, C.: 8 Cloud Security Concepts You Should Know. Network World (2010)

122.

Jackson, C., Barth, A.: ForceHTTPS: protecting high-security web sites from network attacks. In: Proceedings of the 17th International Conference on World Wide Web (WWW), pp. 525–534. ACM, Beijing, China (2008). doi:10.1145/1367497.1367569

123.

Jasti, A., Shah, P., Nagaraj, R., Pendse, R.: Security in multi-tenancy cloud. In: IEEE International Carnahan Conference on Security Technology, pp. 35–41. IEEE (2010). doi:10.1109/CCST.2010.5678682

124.

Jenkins, Q.: Spamhaus: DDoS Update—March 2013. Spamhaus (2013)

125.

Jensen, M., Gruschka, N., Herkenhöner, R.: A survey of attacks on web services. Comput. Sci. Res. Dev. 24, 185–197 (2009). doi:10.1007/s00450-009-0092-6 CrossRef

126.

Jensen, M., Gruschka, N., Luttenberger, N.: The impact of flooding attacks on network-based services. In: 3rd International Conference on Availability, Reliability and Security, pp. 509–513. IEEE Computer Society, Washington, DC, USA (2008)

127.

Jensen, M., Meyer, C.: Expressiveness considerations of XML signatures. In: IEEE 35th Annual Computer Software and Applications Conf. Workshop, pp. 392–397. IEEE Computer Society, Washington, DC, USA (2011)

128.

Jensen, M., Schäge, S., Schwenk, J.: Towards an anonymous access control and accountability scheme for cloud computing. In: IEEE 3rd International Conference on Cloud Computing, pp. 540–541. IEEE Computer Society, Washington, DC, USA (2010). doi:10.1109/CLOUD.2010.61

129.

Jensen, M., Schwenk, J.: The accountability problem of flooding attacks in service-oriented architectures. In: International Conference on Availability, Reliability and Security, pp. 25–32. IEEE (2009)

130.

Jensen, M., Schwenk, J., Gruschka, N., Iacono, L.: On Technical security issues in cloud computing. In: IEEE International Conference on Cloud Computing, pp. 109–116. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/CLOUD.2009.60

131.

Jin, B., Wang, Y., Liu, Z., Xue, J.: A trust model based on cloud model and Bayesian networks. Procedia Environ. Sci. 11, Part A, 452–459 (2011). doi:10.1016/j.proenv.2011.12.072 CrossRef

132.

Kandukuri, B., Paturi, V., Rakshit, A.: Cloud security issues. In: IEEE International Conference on Services Computing, pp. 517–520. IEEE (2009). doi:10.1109/SCC.2009.84

133.

Kant, K.: Data center evolution: a tutorial on state of the art, issues, and challenges. Comput. Netw. 53(17), 2939–2965 (2009). doi:10.1016/j.comnet.2009.10.004 CrossRef

134.

Katsuki, T.: Crisis for Windows Sneaks onto Virtual Machines. Symantec Blog (2012)

135.

Kaufman, L.: Data security in the world of cloud computing. IEEE Secur. Priv. 7(4), 61–64 (2009)CrossRef

136.

Kerrigan, B., Chen, Y.: A study of entropy sources in cloud computers: random number generation on cloud hosts. In: Proceedings of the 6th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS), pp. 286–298. Springer, St. Petersburg, Russia (2012). doi:10.1007/978-3-642-33704-8_24

137.

Khan, K., Malluhi, Q.: Establishing trust in cloud computing. IT Prof. 12(5), 20–27 (2010). doi:10.1109/MITP.2010.128 CrossRef

138.

Khorshed, M.T., Ali, A.S., Wasimi, S.A.: A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing. Future Gener. Comput. Syst. 28(6), 833–851 (2012). doi:10.1016/j.future.2012.01.006 CrossRef

139.

King, C.I.: Intel Rdrand Instruction Revisited. http://smackerelofopinion.blogspot.co.uk/2012/10/intel-rdrand-instruction-revisited.html (2012). Accessed May 2013

140.

King, S., Chen, P.: SubVirt: implementing malware with virtual machines. In: IEEE Symposium on Security and Privacy, pp. 14 pp.-327. IEEE Computer Society, Washington, DC, USA (2006). doi:10.1109/SP.2006.38

141.

Kirkland, D.: Entropy (or rather the lack thereof) in OpenStack instances... and how to improve that. http://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/presentation/entropy-or-lack-thereof-in-openstack-instances (2012). Accessed May 2013

142.

Kufel, L.: Security event monitoring in a distributed systems environment. IEEE Secur. Priv. 11(1), 36–43 (2013). doi:10.1109/MSP.2012.61

143.

Leder, F., Werner, T.: Know Your Enemy: Containing Conficker. http://www.honeynet.org/files/KYE-Conficker.pdf (2010). White Paper. Accessed May 2013

144.

Leder, F., Werner, T.: Containing Conficker. http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ (2011). Accessed May 2013

145.

Lee, J.H., Park, M.W., Eom, J.H., Chung, T.M.: Multi-level intrusion detection system and log management in cloud computing. In: 13th International Conference on Advanced Communication Technology, pp. 552–555. IEEE (2011)

146.

Lemos, R.: Blue Security Folds Under Spammer’s Wrath. SecurityFocus (2013)

147.

Lenk, A., Klems, M., Nimis, J., Tai, S., Sandholm, T.: What’s inside the cloud? An architectural map of the cloud landscape. In: Proceedings of the ICSE Workshop on Software Engineering Challenges of Cloud Computing, pp. 23–31. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/CLOUD.2009.5071529

148.

Leopando, J.: World Backup Day: The 3–2–1 Rule. Trend Micro TrendLabs (2013)

149.

Li, F., Lai, A., Ddl, D.: Evidence of advanced persistent threat: a case study of malware for political espionage. In: 6th International Conference on Malicious and Unwanted Software (MALWARE), pp. 102–109. Fajardo, PR, USA (2011). doi:10.1109/MALWARE.2011.6112333

150.

Li, H.C., Liang, P.H., Yang, J.M., Chen, S.J.: Analysis on cloud-based security vulnerability assessment. In: IEEE 7th International Conference on e-Business Engineering, pp. 490–494. IEEE (2010). doi:10.1109/ICEBE.2010.77

151.

Li, Q., Clark, G.: Mobile security: a look ahead. IEEE Secur. Priv. 11(1), 78–81 (2013). doi:10.1109/MSP.2013.15

152.

Li, X., Loh, P., Tan, F.: Mechanisms of polymorphic and metamorphic viruses. In: European Intelligence and Security Informatics Conference (EISIC), pp. 149–154. Berkeley/Oakland, CA, USA (2011). doi:10.1109/EISIC.2011.77

153.

Liu, F., Su, X., Liu, W., Shi, M.: The design and application of Xen-based host system firewall and its extension. In: International Conference on Electronic Computer Technology, pp. 392–395. Macau, China (2009). doi:10.1109/ICECT.2009.83

154.

Liu, H.: A new form of DoS attack in a cloud and its avoidance mechanism. In: Proceedings of the ACM Workshop on Cloud Computing Security, pp. 65–76. ACM, New York, NY, USA (2010). doi:10.1145/1866835.1866849

155.

LivingSocial: LivingSocial Security Notice. https://livingsocial.com/createpassword (2013). Accessed May 2013

156.

Luo, S., Lin, Z., Chen, X., Yang, Z., Chen, J.: Virtualization security for cloud computing service. In: International Conference on Cloud and Service Computing, pp. 174–179. IEEE Computer Society, Washington, DC, USA (2011)

157.

Mandiant: APT1: Exposing One of China’s Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf (2013). Accessed Apr. 2013

158.

Mansfield-Devine, S.: Danger in the clouds. Netw. Secur. 2008(12), 9–11 (2008). doi:10.1016/S1353-4858(08)70140-5 CrossRef

159.

Marlinspike, M.: New tricks for defeating SSL in practice. https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf (2009). Accessed Apr. 2013

160.

Marlinspike, M.: sslstrip. http://www.thoughtcrime.org/software/sslstrip/ (2009). Accessed Apr. 2013

161.

Martin, D.: Implementing effective controls in a mobile, agile, cloud-enabled enterprise. IEEE Secur. Priv. 11(1), 13–14 (2013). doi:10.1109/MSP.2013.1

162.

Mathisen, E.: Security challenges and solutions in cloud computing. In: Proceedings of the 5th IEEE International Conference on Digital Ecosystems and Technologies, pp. 208–212. IEEE (2011). doi:10.1109/DEST.2011.5936627

163.

McAfee: McAfee Threats Report—Fourth Quarter 2012. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf (2013). Accessed Apr. 2013

164.

McCune, J., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: efficient TCB reduction and attestation. In: IEEE Symposium on Security and Privacy (SP), pp. 143–158. Oakland, CA, USA (2010). doi:10.1109/SP.2010.17

165.

McGraw, G.: Software security. IEEE Secur. Priv. 2(2), 80–83 (2004). doi:10.1109/MSECP.2004.1281254 CrossRef

166.

McIntosh, M., Austel, P.: XML signature element wrapping attacks and countermeasures. In: Proceedings of the Workshop on Secure Web Services, pp. 20–27. ACM, New York, NY, USA (2005). doi:10.1145/1103022.1103026

167.

McKendrick, J.: 7 Predictions for Cloud Computing in 2013 That Make Perfect Sense. Forbes (2012)

168.

MEGA: The MEGA API. https://mega.co.nz/#developers (2013). Accessed Apr. 2013

169.

Microsoft: Microsoft Hyper-V Server 2012 Website. https://www.microsoft.com/en-us/server-cloud/hyper-v-server/ (2013). Accessed Jun. 2013

170.

Microsoft: Microsoft Security Intelligence Report: Volume 14. http://www.microsoft.com/security/sir/default.aspx (2013). Accessed Apr. 2013

171.

Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appli. (2012). doi:10.1016/j.jnca.2012.05.003. Available online 2 June 2012

172.

Mohamed, E., Abdelkader, H., El-Etriby, S.: Enhanced data security model for cloud computing. In: 8th International Conference on Informatics and Systems, pp. CC-12–CC-17. IEEE (2012)

173.

Mohan, V., Hamlen, K.W.: Frankenstein: stitching malware from benign binaries. In: Proceedings of the 6th USENIX Conference on Offensive Technologies, pp. 8–8. USENIX Association, Bellevue, WA, USA (2012)

174.

Monfared, A., Jaatun, M.: Monitoring intrusions and security breaches in highly distributed cloud environments. In: IEEE 3rd International Conference on Cloud Computing Technology and Science, pp. 772–777. IEEE Computer Society, Washington, DC, USA (2011). doi:10.1109/CloudCom.2011.119

175.

Morsy, M.A., Grundy, J., Müller, I.: An analysis of the cloud computing security problem. In: Proceedings of Asia Pacific Software Engineering Conference Cloud Workshop, pp. 1–6. IEEE Computer Society, Washington, DC, USA (2010)

176.

Moser, S.: Change I7d8c1f9b: add ’random _seed’ entry to instance metadata. https://review.openstack.org/#c/14550/ (2012). Accessed May 2013

177.

MPICH: MPICH Website. http://www.mpich.org/ (2013). Accessed Apr. 2013

178.

Musthaler, L.: DDoS-as-a-Service? You Betcha! It’s Cheap, It’s Easy, and It’s Available to Anyone. Security Bistro (2012)

179.

Narayanan, A., Shmatikov, V.: De-anonymizing social networks. In: 30th IEEE Symposium on Security and Privacy, pp. 173–187. IEEE Computer Society, Washington, DC, USA (2009). doi:10.1109/SP.2009.22

180.

Nathoo, N.: Cloud Wars—The Fall of Cloud Storage. CloudTimes (2013). Accessed Apr. 2013

181.

Nebula: Introducing Nebula One. https://www.nebula.com/nebula-one (2013). Accessed Apr. 2013

182.

Network-Tools: Network-Tools Website. http://network-tools.com/ (2013). Accessed Apr. 2013

183.

Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: IEEE Symposium on Security and Privacy, pp. 226–241. Athens, Greece (2005). doi:10.1109/SP.2005.15

184.

NIST: NIST Cloud Computing Reference Architecture. http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505 (2011). Accessed Jul. 2013

185.

NIST: The NIST Definition of Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (2011). Accessed Sept. 2012

186.

NIST: NIST Cloud Computing Program. http://www.nist.gov/itl/cloud/ (2012). Accessed Sept. 2012

187.

NIST: NIST Cloud Computing Security Reference Architecture. http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf (2013). Accessed Jul. 2013

188.

Oberheide, J., Cooke, E., Jahanian, F.: Empirical exploitation of live virtual machine migration. In: Proceedings of the Black Hat Convention (2008). doi:10.1109/ICCIAutom.2011.6183990

189.

OCCI: OCCI Website. http://occi-wg.org/ (2013). Accessed Apr. 2013

190.

Okamura, K., Oyama, Y.: Load-based covert channels between Xen virtual machines. In: Proceedings of the ACM Symposium on Applied Computing, pp. 173–180. ACM, New York, NY, USA (2010). doi:10.1145/1774088.1774125

191.

O’Kane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Priv. 9(5), 41–47 (2011). doi:10.1109/MSP.2011.98 CrossRef

192.

O’Neill, M.: Cloud APIs—the Next Battleground for Denial-of-Service Attacks. CSA Blog (2013)

193.

Open Cloud Initiative (OCI): OCI Website. http://www.opencloudinitiative.org/ (2013). Accessed May 2013

194.

OpenNebula: OpenNebula Website. http://opennebula.org/ (2013). Accessed Apr. 2013

195.

OpenStack: OpenStack Website. http://www.openstack.org/ (2013). Accessed Apr. 2013

196.

Oracle: Oracle Java SE Critical Patch Update Advisory—April 2013. http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html (2013). Accessed Apr. 2013

197.

Oracle: VirtualBox Website. https://www.virtualbox.org/ (2013). Accessed Jun. 2013

198.

Ortega, A.: Your Malware Shall Not Fool Us With Those Anti Analysis Tricks. AlienVault Labs (2012)

199.

OSVDB: The Open Source Vulnerability Database Website. http://www.osvdb.org/ (2013). Accessed Apr. 2013

200.

OWASP: The Then Most Critical Web Application Security Risks. http://owasptop10.googlecode.com/files/OWASP (2010). Accessed Oct. 2012

201.

OWASP: The Then Most Critical Web Application Security Risks. https://www.owasp.org/index.php/Top_10_2013 (2013). Accessed Apr. 2013

202.

Oyama, Y., Giang, T.T.D., Chubachi, Y., Shinagawa, T., Kato, K.: Detecting malware signatures in a thin hypervisor. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC), pp. 1807–1814. ACM, Trento, Italy (2012). doi:10.1145/2231936.2232070

203.

Panah, A., Panah, A., Panah, O., Fallahpour, S.: Challenges of security issues in cloud computing layers. Rep. Opin. 4(10), 25–29 (2012)

204.

Parallels: Oracle VM Server Website. http://www.oracle.com/us/technologies/virtualization/oraclevm/ (2013). Accessed Jun. 2013

205.

Parallels: Parallels Website. http://www.parallels.com/eu/products/ (2013). Accessed Jun. 2013

206.

Patel, A., Taghavi, M., Bakhtiyari, K., Júnior, J.C.: An intrusion detection and prevention system in cloud computing: a systematic review. J. Netw. Comput. Appli. (2012). doi:10.1016/j.jnca.2012.08.007. Available online 31 Aug. 2012

207.

Patel, P.: Solution: FUTEX \_WAIT hangs Java on Linux / Ubuntu in vmware or virtual box. http://www.springone2gx.com/blog/pratik_patel/2010/01/solution_futex_wait_hangs_java_on_linux_ubuntu_in_vmware_or_virtual_box(2010). Accessed May 2013

208.

Patidar, S., Rane, D., Jain, P.: A survey paper on cloud computing. In: 2nd International Conference on Advanced Computing Communication Technologies, pp. 394–398. IEEE (2012). doi:10.1109/ACCT.2012.15

209.

PCI Security Standards: PCI SSC Data Security Standards Overview. https://www.pcisecuritystandards.org/security_standards/index.php (2012). Accessed Oct. 2012

210.

Pearce, M., Zeadally, S., Hunt, R.: Virtualization: issues, security threats, and solutions. ACM Comput. Surv. 45(2), 1:71–1:739 (2013). doi:10.1145/2431211.2431216 CrossRef

211.

Pearson, S.: Privacy, security and trust in cloud computing. In: Pearson, S., Yee, G. (eds.) Privacy and Security for Cloud Computing, pp. 3–42. Springer London (2013). doi:10.1007/978-1-4471-4189-1_1

212.

Perez-Botero, D., Szefer, J., Lee, R.B.: Characterizing hypervisor vulnerabilities in cloud computing servers. In: Proceedings of the 2013 International Workshop on Security in Cloud Computing (SCC), pp. 3–10. ACM, New York, NY, USA (2013). doi:10.1145/2484402.2484406

213.

Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., Shenker, S.: Extending networking into the virtualization layer. In: Proceedings of the 8th ACM Workshop on Hot Topics in Networks. ACM SIGCOMM (2009)

214.

Prandini, M., Ramilli, M., Cerroni, W., Callegati, F.: Splitting the HTTPS stream to attack secure web connections. IEEE Secur. Priv. 8(6), 80–84 (2010). doi:10.1109/MSP.2010.190 CrossRef

215.

Prince, M.: The DDoS That Almost Broke the Internet. CloudFlare (2013)

216.

Prince, M.: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It). CloudFlare (2013)

217.

Prolexic: Prolexic Quarterly Global DDoS Attack Report Q1 2013. https://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html (2013). Accessed Apr. 2013

218.

Rahaman, M.A., Schaad, A., Rits, M.: Towards secure SOAP message exchange in a SOA. In: Proceedings of the 3rd ACM Workshop on Secure Web Services, pp. 77–84. ACM, New York, NY, USA (2006). doi:10.1145/1180367.1180382

219.

Ramgovind, S., Eloff, M., Smith, E.: The management of security in cloud computing. In: Information Security for South Africa, pp. 1–7. IEEE (2010). doi:10.1109/ISSA.2010.5588290

220.

Rasmusson, L., Aslam, M.: Protecting private data in the cloud. In: Proceedings of the 2nd International Conference on Cloud Computing and Services Science (CLOSER), pp. 5–12. Porto, Portugal (2012)

221.

Rauti, S., Leppänen, V.: Browser extension-based man-in-the-browser attacks against Ajax applications with countermeasures. In: Proceedings of the 13th International Conference on Computer Systems and Technologies (CompSysTech), pp. 251–258. ACM, Ruse, Bulgaria (2012) doi:10.1145/2383276.2383314

222.

RedHat: KVM Website. http://www.linux-kvm.org/ (2013). Accessed Jun. 2013

223.

RepoCERT: Botnet Using Plesk Vulnerability and Takedown. Seclists Website (2013)

224.

Rimal, B.P., Jukan, A., Katsaros, D., Goeleven, Y.: Architectural requirements for cloud computing systems: an enterprise cloud approach. J. Grid Comput. 9(1), 3–26 (2011). doi:10.1007/s10723-010-9171-y CrossRef

225.

Ripe, NCC: Database Query. http://apps.db.ripe.net/search/query.html (2013). Accessed Apr. 2013

226.

Riquet, D., Grimaud, G., Hauspie, M.: Large-scale coordinated attacks: impact on the cloud security. In: 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, pp. 558–563. IEEE (2012). doi:10.1109/IMIS.2012.76

227.

Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199–212. ACM, New York, NY, USA (2009)

228.

Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: Proceedings of Network and Distributed Security Symposium (NDSS), pp. 1–18. The Internet Society, San Diego, CA, USA (2010)

229.

Roberts II, J.C., Al-Hamdani, W.: Who can you trust in the cloud?: a review of security issues within cloud computing. In: Proceedings of the Information Security Curriculum Development Conference, pp. 15–19. ACM, New York, NY, USA (2011). doi:10.1145/2047456.2047458

230.

Rocha, F., Abreu, S., Correia, M.: The final Frontier: confidentiality and privacy in the cloud. Computer 44(9), 44–50 (2011). doi:10.1109/MC.2011.223 CrossRef

231.

Rocha, F., Correia, M.: Lucy in the sky without diamonds: stealing confidential data in the cloud. In: IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops, pp. 129–134. IEEE (2011). doi:10.1109/DSNW.2011.5958798

232.

Rodero-Merino, L., Vaquero, L.M., Caron, E., Desprez, F., Muresan, A.: Building safe PaaS clouds: a survey on security in multitenant software platforms. Comput. Secur. 31(1), 96–108 (2012). doi:10.1016/j.cose.2011.10.006 CrossRef

233.

Rong, C., Nguyen, S.T., Jaatun, M.G.: Beyond lightning: a survey on security challenges in cloud computing. Comput. Electr. Eng. (2012). doi:10.1016/j.compeleceng.2012.04.015 Available online 19 May 2012

234.

Roy, I., Setty, S.T.V., Kilzer, A., Shmatikov, V., Witchel, E.: Airavat: security and privacy for MapReduce. In: Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation, pp. 20–20. USENIX Association, Berkeley, CA, USA (2010)

235.

RSA: RSA SecurID Website. http://sweden.emc.com/security/rsa-securid.htm (2013). Accessed Jun. 2013

236.

RSA FirstWatch: Tales from the Darkside: Another Mule Recruitment Site. RSA Blog (2013)

237.

Rutkowska, J.: Subverting VistaTM Kernel for fun and profit. Black Hat Conv. (2008)

238.

Sabahi, F.: Cloud computing security threats and responses. In: IEEE 3rd International Conference on Communication Software and Networks, pp. 245–249. IEEE (2011). doi:10.1109/ICCSN.2011.6014715

239.

Sadashiv, N., Kumar, S.: Cluster, grid and cloud computing: a detailed comparison. In: 6th International Conference on Computer Science Education, pp. 477–482. IEEE (2011). doi:10.1109/ICCSE.2011.6028683

240.

Salah, K., Alcaraz, Calero J.: Using cloud computing to implement a security overlay network. IEEE Secur. Priv. 11(1), 44–53 (2013). doi:10.1109/MSP.2012.88

241.

SAML v2.0: OASIS Website. https://www.oasis-open.org/standards#samlv2.0 (2005). Accessed Apr. 2013

242.

Santos, N., Gummadi, K.P., Rodrigues, R.: Towards trusted cloud computing. In: Proceedings of the Conference on Hot Topics in Cloud Computing. USENIX Association, Berkeley, CA, USA (2009)

243.

Schloesser, M., Guarnieri, C.: Vaccinating Systems Against VM-aware Malware. Rapid7 Labs (2013)

244.

Schloesser, M., Guarnieri, C.: Vaccinating Systems Against VM-aware Malware. https://github.com/rapid7/vaccination (2013). Accessed May 2013

245.

Schneier, B.: Homomorphic Encryption Breakthrough. https://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html (2009). Accessed May 2013

246.

SecurityFocus: Xen CVE-2013-1920 Local Memory Corruption Vulnerability. SecurityFocus (2013)

247.

Sekar, V., Maniatis, P.: Verifiable resource accounting for cloud computing services. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 21–26. ACM, New York, NY, USA (2011). doi:10.1145/2046660.2046666

248.

Sengupta, S., Kaulgud, V., Sharma, V.: Cloud computing security—trends and research directions. In: IEEE World Congress on Services, pp. 524–531. IEEE Computer Society, Washington, DC, USA (2011). doi:10.1109/SERVICES.2011.20

249.

Shin, S., Gu, G.: CloudWatcher: network security monitoring using OpenFlow in dynamic cloud networks (or: how to provide security monitoring as a service in clouds?). In: 20th IEEE International Conference on Network Protocols (ICNP), pp. 1–6. Austin, TX, USA (2012).doi:10.1109/ICNP.2012.6459946

250.

Shinotsuka, H.: Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems. Symantec Blog (2012)

251.

Singh, A.: Don’t Click the Left Mouse Button: Introducing Trojan UpClicker. FireEye Blog (2012)

252.

Sloan, K.: Security in a virtualised world. Netw. Secur. 2009(8), 15–18 (2009). doi:10.1016/S1353-4858(09)70077-7 CrossRef

253.

SNIA: Cloud Data Management Interface (CDMI). http://www.snia.org/cdmi (2013). Accessed Apr. 2013

254.

Somorovsky, J., Mayer, A., Schwenk, J., Kampmann, M., Jensen, M.: On breaking SAML: be whoever you want to be. In: Proceedings of the 21st USENIX Security Symposium, pp. 21–21. USENIX Association, Bellevue, WA, USA (2012)

255.

Songjie, Yao, J., Wu, C.: Cloud computing and its key techniques. In: International Conference on Electronic and Mechanical Engineering and Information Technology, vol. 1, pp. 320–324. IEEE (2011). doi:10.1109/EMEIT.2011.6022935

256.

Sood, A., Enbody, R.: Targeted cyberattacks: a superset of advanced persistent threats. IEEE Secur. Priv. 11(1), 54–61 (2013). doi:10.1109/MSP.2012.90

257.

Sood, S.K.: A combined approach to ensure data security in cloud computing. J. Netw. Comput. Appli. 35(6), 1831–1838 (2012). doi:10.1016/j.jnca.2012.07.007 CrossRef

258.

Spoon Website: Browser Sandbox. http://spoon.net/browsers (2013). Accessed Apr. 2013

259.

Stamos, A., Becherer, A., Wilcox, N.: Cloud Computing Security: Raining on the Trendy New Parade. https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html (2009)

260.

Staten, J.: 2013 Cloud Predictions: We’ll Finally Get Real About Cloud. Forrester Blog (2012)

261.

Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appli. 34(1), 1–11 (2011). doi:10.1016/j.jnca.2010.07.006 CrossRef

262.

Sun, D., Chang, G., Sun, L., Wang, X.: Surveying and analyzing security, privacy and trust issues in cloud computing environments. Procedia Eng. 15, 2852–2856 (2011). doi:10.1016/j.proeng.2011.08.537 CrossRef

263.

Sun, K., Li, Y., Hogstrom, M., Chen, Y.: Sizing multi-space in heap for application isolation. In: Companion to the 21st ACM SIGPLAN Symposium on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), pp. 647–648. ACM, Portland, OR, USA (2006). doi:10.1145/1176617.1176654

264.

Sun, M.K., Lin, M.J., Chang, M., Laih, C.S., Lin, H.T.: Malware virtualization-resistant behavior detection. In: IEEE 17th International Conference on Parallel and Distributed Systems (ICPADS), pp. 912–917. Tainan, Taiwan (2011). doi:10.1109/ICPADS.2011.78

265.

Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory deduplication as a threat to the guest OS. In: Proceedings of the 4th European Workshop on System Security, pp. 1:1–1:6. ACM, Salzburg, Austria (2011). doi:10.1145/1972551.1972552

266.

Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Software side channel attack on memory deduplication. In: 23rd ACM Symposium on Operating Systems Principles. ACM, Cascais, Portugal (2011). Poster

267.

Symantec: Internet Security Threat Report 2013. https://www.symantec.com/security_response/publications/threatreport.jsp (2013). Accessed Apr. 2013

268.

Symantec Security Response: Internet Explorer Zero-Day Used in Watering Hole Attack: Q &A. Symantec Blog (2012)

269.

Szefer, J., Keller, E., Lee, R.B., Rexford, J.: Eliminating the hypervisor attack surface for a more secure cloud. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), pp. 401–412. ACM, Chicago, IL, USA (2011). doi:10.1145/2046707.2046754

270.

Takabi, H., Joshi, J., Ahn, G.: Security and privacy challenges in cloud computing environments. IEEE Secur. Priv. 8(6), 24–31 (2010)CrossRef

271.

Tang, M., Lv, Q., Lu, Z., Zhao, Q., Song, Y.: Dynamic virtual switch protocol using Openflow. In: 13th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel Distributed Computing (SNPD), pp. 603–608. Kyoto, Japan (2012). doi:10.1109/SNPD.2012.129

272.

Tanvi: Mixed Content Blocking Enabled in Firefox 23! Firefox Blog (2013)

273.

Taylor, G., Cox, G.: Digital randomness. IEEE Spectr. 48(9), 32–58 (2011). doi:10.1109/MSPEC.2011.5995897 CrossRef

274.

Taylor, M., Haggerty, J., Gresty, D., Lamb, D.: Forensic investigation of cloud computing systems. Netw. Secur. 2011(3), 4–10 (2011). doi:10.1016/S1353-4858(11)70024-1 CrossRef

275.

The Linux Foundation: Xen Website. http://http://www.xenproject.org/ (2013). Accessed Jun. 2013

276.

Thompson, H.: The human element of information security. IEEE Secur. Priv. 11(1), 32–35 (2013). doi:10.1109/MSP.2012.161

277.

Thorsheim, P.: The Final Word on the LinkedIn Leak. http://securitynirvana.blogspot.pt/2012/06/final-word-on-linkedin-leak.html (2012). Accessed May 2013

278.

Toubiana, V., Nissenbaum, H.: Analysis of Google logs retention policies. J. Priv. Confid. 3(1), 3–26 (2011)

279.

Townsend, M.: Managing a security program in a cloud computing environment. In: Information Security Curriculum Development Conference, pp. 128–133. ACM, New York, NY, USA (2009). doi:10.1145/1940976.1941001

280.

Trader, T.: GPU Monster Shreds Password Hashes. HPCwire (2012)

281.

Tripathi, A., Mishra, A.: Cloud computing security considerations. In: IEEE International Conference on Signal Processing, Communications and Computing, pp. 1–5. IEEE (2011). doi:10.1109/ICSPCC.2011.6061557

282.

Tsai, H.Y., Siebenhaar, M., Miede, A., Huang, Y., Steinmetz, R.: Threat as a service?: virtualization’s impact on cloud security. IT Prof. 14(1), 32–37 (2012). doi:10.1109/MITP.2011.117 CrossRef

283.

Tseng, H.M., Lee, H.L., Hu, J.W., Liu, T.L., Chang, J.G., Huang, W.C.: Network virtualization with cloud virtual switch. In: IEEE 17th International Conference on Parallel and Distributed Systems (ICPADS), pp. 998–1003. Tainan, Taiwan (2011). doi:10.1109/ICPADS.2011.159

284.

Vaquero, L.M., Rodero-Merino, L., Morán, D.: Locking the sky: a survey on IaaS cloud security. Computing 91(1), 93–118 (2011). doi:10.1007/s00607-010-0140-x CrossRefMATH

285.

Viega, J.: Cloud computing and the common man. Computer 42(8), 106–108 (2009). doi:10.1109/MC.2009.252 CrossRef

286.

VMware: VMware vSphere. https://www.vmware.com/support/product-support/vsphere/ (2013). Accessed Apr. 2013

287.

VMware: VMware Website. https://www.vmware.com/products/ (2013). Accessed Jun. 2013

288.

VMware: What is OVF? https://www.vmware.com/technical-resources/virtualization-topics/virtual-appliances/ovf.html (2013). Accessed Apr. 2013

289.

VMware Community Forums: Low/proc/sys/kernel/random/entr opy_avail causes exim to stop sending mail. http://communities.vmware.com/message/530909 (2006). Accessed May 2013

290.

Vu, Q.H., Pham, T.V., Truong, H.L., Dustdar, S., Asal, R.: DEMODS: a description model for data-as-a-service. In: IEEE 26th International Conference on Advanced Information Networking and Applications (AINA), pp. 605–612. Fukuoka, Japan (2012). doi:10.1109/AINA.2012.91

291.

Wang, C., Ren, K., Lou, W., Li, J.: Toward publicly auditable secure cloud data storage services. IEEE Netw. 24(4), 19–24 (2010). doi:10.1109/MNET.2010.5510914 CrossRef

292.

Wang, C., Wang, Q., Ren, K., Lou, W.: Ensuring data storage security in cloud computing. In: 17th International Workshop on Quality of Service, pp. 1–9. IEEE (2009). doi:10.1109/IWQoS.2009.5201385

293.

Wang, G., Ng, T.: The impact of virtualization on network performance of Amazon EC2 data center. In: Proceedings of the IEEE INFOCOM, pp. 1–9. Sand Diego, CA, USA (2010). doi:10.1109/INFCOM.2010.5461931

294.

Ward, M.: Facebook Users Suffer Viral Surge. BBC News (2009)

295.

Websense: 2013 Threat Report. https://www.websense.com/content/websense-2013-threat-report.aspx (2013). Accessed Apr. 2013

296.

Wei, J., Zhang, X., Ammons, G., Bala, V., Ning, P.: Managing security of virtual machine images in a cloud environment. In: Proceedings of the ACM Workshop on Cloud Computing Security, pp. 91–96. ACM, New York, NY, USA (2009). doi:10.1145/1655008.1655021

297.

Wu, H., Ding, Y., Winer, C., Yao, L.: Network security for virtual machine in cloud computing. In: 5th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), pp. 18–21. Seoul, South Korea (2010). doi:10.1109/ICCIT.2010.5711022

298.

Wu, H., Ding, Y., Winer, C., Yao, L.: Network security for virtual machine in cloud computing. In: 5th International Conference on Computer Sciences and Convergence Information Technology, pp. 18–21. IEEE (2010). doi:10.1109/ICCIT.2010.5711022

299.

Wueest, C.: Mobile Scam: Winning Without Playing. Symantec Blog (2013)

300.

Xiao, Z., Xiao, Y.: Security and privacy in cloud computing. IEEE Commun. Surv. Tuts. 15(2), 843–859 (2013). doi:10.1109/SURV.2012.060912.00182

301.

Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security, pp. 29–40. ACM, New York, NY, USA (2011). doi:10.1145/2046660.2046670

302.

Yang, J., Chen, Z.: Cloud computing research and security issues. In: International Conference on Computational Intelligence and Software Engineering, pp. 1–3. IEEE (2010). doi:10.1109/CISE.2010.5677076

303.

Yasinsac, A., Irvine, C.: Help! Is There a Trustworthy-Systems Doctor in the House? IEEE Secur. Priv. 11(1), 73–77 (2013). doi:10.1109/MSP.2013.10

304.

Yilek, S.: Resettable public-key encryption: how to encrypt on a virtual machine. In: Proceedings of the International Conference on Topics in Cryptology, CT-RSA’10, pp. 41–56. Springer-Verlag, San Francisco, CA, USA (2010). doi:10.1007/978-3-642-11925-5_4

305.

Yu, A., Sathanur, A., Jandhyala, V.: A partial homomorphic encryption scheme for secure design automation on public clouds. In: IEEE 21st Conference on Electrical Performance of Electronic Packaging and Systems (EPEPS), pp. 177–180. Tempe, AZ, USA (2012). doi:10.1109/EPEPS.2012.6457871

306.

Yu, H., Powell, N., Stembridge, D., Yuan, X.: Cloud computing and security challenges. In: Proceedings of the 50th Annual Southeast Regional Conference, pp. 298–302. ACM, New York, NY, USA (2012). doi:10.1145/2184512.2184581

307.

Zabidi, M., Maarof, M., Zainal, A.: Malware analysis with multiple features. In: UKSim 14th International Conference on Computer Modelling and Simulation, pp. 231–235. Cambridge, London (2012). doi:10.1109/UKSim.2012.40

308.

Zhang, F., Huang, Y., Wang, H., Chen, H., Zang, B.: PALM: security preserving VM live migration for systems with VMM-enforced protection. In: 3rd Asia-Pacific Trusted Infrastructure Technologies Conference, pp. 9–18. IEEE Computer Society, Washington, DC, USA (2008). doi:10.1109/APTC.2008.15

309.

Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), pp. 305–316. ACM, Raleigh, NC, USA (2012). doi:10.1145/2382196.2382230

310.

Zhou, M., Zhang, R., Xie, W., Qian, W., Zhou, A.: Security and privacy in cloud computing: a survey. In: 6th International Conference on Semantics Knowledge and Grid, pp. 105–112. IEEE Computer Society, Washington, DC, USA (2010)

311.

Zieg, M.: Separating fact from fiction in cloud computing. Data Center J. (2012)

312.

Zissis, D., Lekkas, D.: Addressing cloud computing security issues. Future Gener. Comput. Syst. 28(3), 583–592 (2010). doi:10.1016/j.future.2010.12.006 CrossRef

313.

Zou, B., Zhang, H.: Toward enhancing trust in cloud computing environment. In: 2nd International Conference on Control, Instrumentation and Automation, pp. 364–366 (2011). doi:10.1109/ICCIAutom.2011.6183990

Titel: Security issues in cloud environments: a survey
verfasst von: Diogo A. B. Fernandes
Liliana F. B. Soares
João V. Gomes
Mário M. Freire
Pedro R. M. Inácio
Publikationsdatum: 01.04.2014
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 2/2014
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-013-0208-7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2014

Security policy verification for multi-domains in cloud systems

On detecting co-resident cloud instances using network flow watermarking techniques

Enhanced GeoProof: improved geographic assurance for data in the cloud

BlindIdM: A privacy-preserving approach for identity management as a service

Security in cloud computing