
1 Introduction

In the last ten years, the observed exponential growth of the cloud business model has been attributed to the cloud's unique characteristics, extraordinary features, and evolved technologies. Figure 1 provides a snapshot of the cloud computing paradigm [29, 30]. The cloud service providers (CSPs) manage a pool of shared computing resources (storage, CPU, memory, software, hardware, network devices, etc.) to offer different services, mostly over the Internet, in the form of three service models: software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). The cloud business model enables its consumers to allocate and deallocate computing resources, as per their business requirements, using self-service interfaces with a pay-per-use model. There are five prime actors in the cloud environment, as depicted in Fig. 1: Cloud Provider, Cloud Consumer, Cloud Broker, Cloud Auditor, and Cloud Carrier. These actors interact with each other and the deployed cloud environment as per their roles and responsibilities in the given business context.

Fig. 1 A short descriptive overview of the cloud computing [29, 30]

The cloud computing environment can logically be expressed as seven layers of architectural components [29]. The user access level to these layers is determined by the service model and the deployment model used by the CSPs. Public cloud, Private cloud, Community cloud, and Hybrid cloud are the four models available for a cloud deployment (Fig. 1). These four deployment models, blended with the three service models (SaaS, PaaS, and IaaS), enable the CSPs to provide a wide spectrum of service offerings to fulfill the different business needs of the cloud consumers.

The distinctive characteristics of the cloud [30], like a common resource pool, broad network accessibility, on-request expeditious scalability, tailored self-service, service usage measurement, and others, have accelerated the growth trajectory of the cloud business models. Further, the amazing features of the cloud ecosystem, like modest initial capital investment, manageable operating cost, pay-as-you-go model, wide service accessibility, rapid deployment, provisioning, and scalability, low-cost disaster management, service continuity assurance, etc., have expedited cloud adoption. Gartner [14] has forecast that worldwide revenue for public cloud services will grow to 354.6 billion dollars by 2022.

Table 1 Security requirements and affecting STRIDE threat categories [26, 36]

However, this accelerated growth of cloud can continue to achieve the projections only if users’ confidence and trust in cloud services do not lose momentum. The lack of necessary assurance of a user’s data security and privacy requirements is a significant deterrent to strengthening and maintaining confidence and trust in cloud systems [17, 19, 37]. Table 1 highlights the fundamental security requirements of a cloud system (Authentication, Integrity, Accountability, Confidentiality, Privacy, Availability, and Authorization) and the associated STRIDE threat category. The STRIDE security analysis technique considers Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege as the threat categories to analyze the impact on the security requirements of an information processing system for a given threat spectrum [26, 36]. The CSA has identified and published the top threats to cloud computing [6,7,8,9]. These threats impact fulfillment of the cloud security requirements and affect the level of confidence and trust in cloud services [28]. The cloud service providers and consumers should together analyze the possible cause and impact of these threats and investigate their relevance for their business context. The outcome of the threat analysis will give them insight to identify the vulnerabilities in the cloud architectural components (Fig. 1). These identified vulnerabilities form the attack vectors and, collectively, the attack surface. The threat agents exploit these attack vectors to execute different attacks. Further, based on the threat analysis and identified vulnerabilities, the cloud service provider and the consumer shall design and deploy appropriate security controls as per their business context and the security recommendations of the standardization organizations [4, 24, 31, 32].

The proposed work is an extension of our previous publications [27, 28]. It analyzes the CSA’s latest and previous reports on top threats to cloud computing, published in the last ten years [6,7,8,9], for their impact on cloud security requirements, and devises a three-dimensional model to minimize the cause and impact of these threats. The first research work [28] analyzed the CSA’s last published report [8] on twelve treacherous threats to cloud security and used STRIDE threat analysis for interrelated mapping of the threats, impacted security requirements, associated vulnerabilities, and suggested security solutions. The proposed research work is enhanced by including the latest [9] and all previous reports [6,7,8] of the CSA on top threats to cloud computing for a holistic impact analysis of different threats on cloud security requirements (Sect. 3 and Table 3). Our other work [27] provides a three-dimensional approach for cloud security assurance: deploying security solutions at cloud architectural layers, maturing the deployed solutions with the security operation, and ensuring the required security compliance. The proposed research work extends the three-dimensional perspective into a three-dimensional model by enriching the dimensions with different security elements (Sect. 4 and Fig. 2). This work has conceptualized a three-dimensional model that comprises adaptive, proactive, and reactive approaches. The first dimension, security solution, focuses on eliminating or minimizing the vulnerabilities of the cloud architectural layered components by deploying the required security measures. Security operation, the second dimension, implements continuous security event monitoring and a security incident response system for the deployed cloud environment, with a continuous improvement program governed through a governing body. The third dimension, security compliance, focuses on providing legal and regulatory compliance and following the recommendations of the standardization organizations. It is believed that this three-dimensional model can be used by practitioners as a checklist for deploying continuous security assurance measures for the cloud business model, to enhance agility and velocity of the service delivery with security.

Fig. 2 Elements of the three-dimensional model for the cloud security assurance

In the rest of this paper, a comparative view of related works is provided in Sect. 2. CSA’s top threats are analyzed in Sect. 3. Section 4 provides a three-dimensional model to minimize the impact of the top threats to cloud computing. Section 5 provides conclusion and future work in the related areas.

2 Related Work

Table 2 provides a comparative overview of published work in the related area of cloud computing security threats, requirements, challenges, and countermeasures. Most of the research works have discussed the analysis of cloud security challenges and associated solutions [2, 3, 5, 12, 17, 28, 37, 40, 43]. However, very few research works analyze cloud security threats [5, 17, 19, 28, 37, 40, 41, 43] from the perspective of their impact on the security requirements [2, 3, 12, 28, 41, 43] and the measures to address it.

Table 2 A comparative view of the related works

The proposed work provides an integrated three-dimensional conceptual model for addressing the impact on security requirements arising from the CSA-identified top threats to cloud computing [6,7,8,9]. This research work has outlined the integrated security elements for cloud security assurance along three dimensions, namely security solution, security operations, and security compliance (Fig. 2). Security solution emphasizes assuring that security measures are implemented at all the layers of cloud architectural components during the cloud adoption phase. Security operation enforces mechanisms such as logging, monitoring, incident response, SLA performance, governance, and continuous improvement for security assurance. Security compliance practices aim to fulfill the legal and regulatory requirements for building trust and confidence in users. This three-dimensional approach is devised based on the CSA top threat analysis.

3 Analyzing CSA’s Top Threats to Cloud Computing for Impact on the Security Requirements

Table 3 provides an analytical mapping of the CSA’s top cloud threats and their impact on security requirements. This mapping is based on the STRIDE threat analysis model [6,7,8,9, 26, 28, 36]. A close look at Table 3 reveals that five new threats (misconfiguration and inadequate change control; lack of cloud security architecture and strategy; weak control plane; metastructure and applistructure failures; and limited cloud usage visibility) are mentioned in the 2019 report [9] as compared to the previous reports. In the 2016 report [8], three new threats appeared, namely weak identity, credential and access management; system and application vulnerabilities; and advanced persistent threats (APTs). Denial of service and insufficient due diligence were two new entrants in the 2013 report [7] as compared to the very first report of 2010 [6]. The gradual appearance of new threats in the CSA’s reports on top threats to cloud computing shows that the spectrum of threats is evolving.

Table 3 Impact of CSA’s top threats on cloud security requirements

In Table 3, the fundamental security practices mentioned along with the mapping can be used by the practitioners to minimize the impact. These fundamental practices are extended to address the vulnerabilities arising from the cloud unique characteristics, layered architecture components, enabling technologies, and evolutionary business model. The cloud security assurance is a continuous journey that begins with the design and implementation of adaptive security solutions and continues with proactive and reactive security operations along with security compliance fulfillment. It requires an integrated three-dimensional approach, consisting of security solution, security operation, and security compliance, for minimizing the cause and impact of CSA’s identified threats on cloud security requirements.

4 Minimizing the Cause and Impact of the Threats: A Three-Dimensional Model of Cloud Security Assurance

The objective of cloud security measures is to minimize or eliminate the vulnerabilities in the cloud computing environment to reduce the attack surface and fulfill the different security requirements (Table 1). The vulnerabilities in the cloud computing environment are due to the inherent vulnerabilities in the underlying technologies of cloud computing (like OS, communication protocols, APIs, etc.), vulnerabilities in its architectural components (like virtual machine, hypervisor, virtual network, etc.), vulnerabilities arising from cloud-specific characteristics (like resource sharing, multi-tenancy, etc.), and the evolving business delivery model (like multi-cloud, inter-cloud, federated cloud, etc.) [28]. The proposed research work has conceptualized a three-dimensional model that comprises adaptive, proactive, and reactive approaches for minimizing or eliminating the different vulnerabilities.

4.1 Security Solution: The First Dimension

The security solution dimension focuses on the design and implementation of different security measures to eliminate or reduce the vulnerabilities in the architectural components for reducing the attack surface and attack probability. Figure 1 presents the cloud computing environment as layered architectural components forming the attack vector. Table 4 outlines different security solutions to implement at corresponding architectural layered components for addressing their inherent vulnerabilities and minimizing the attack vector [4, 24, 28, 31, 32].

Table 4 Recommended security solutions for cloud architectural components [4, 24, 28, 31, 32]

The implemented solutions are not static in nature. Each solution shall be reviewed in regular governance for its relevance and adapted to the evolving attack surfaces and threat spectrum. Once the security solutions are deployed, security operation takes over for continuous security assurance as the second dimension.

4.2 Security Operation: The Second Dimension

Security operation is the backbone of data security and privacy assurance in the cloud computing environment. The security operation begins with deployment of the offered services, with the required security solution measures. In cloud security operations, the implemented security solutions are continuously monitored, measured, and assessed for their effectiveness and relevance for continuous security assurance. Based on observations and findings, necessary preventive, corrective, and improvement actions shall be initiated for continuous data security and privacy assurance.

  • Logging, Monitoring, and Incident Response: Logging of resource usage, user activities, data processing, system changes, etc., shall be enabled and monitored. The monitoring identifies uncontrolled and unauthorized usage of resources and system changes, deviations from the expected system and user behavior, malicious access and data traffic, etc. These deviations are captured as security events and monitored to trigger the security incident response system as per defined criteria. The objective of the security incident response team is to bring the system back to normalcy and initiate the root cause analysis of the incident, so that proactive measures can be taken to avoid such incidents in the future. Resource usage monitoring provides insight into service delivery performance levels and identifies any deviation from the service level agreement (SLA). For example, observed high CPU utilization may lead to slower response time to users' requests, causing SLA deviation. Such SLA deviations shall be captured and shall initiate the necessary improvement actions. Monitoring also identifies fraudulent use of resources. The CSPs shall use appropriate tools for integrated logging, monitoring, analysis, and alerting for deviations [1, 11, 39]. The effectiveness of such tools lies in their granularity and accuracy in capturing relevant data, evaluating the metrics, determining the performance level and deviation, analyzing them to retrieve valuable information, and presenting them from different perspectives. Cross-domain (inter-cloud, federated-cloud, multi-cloud) and cross-layer operation, containerization, and evolving cloud services put demand on state-of-the-art, high-performing monitoring tools with built-in capabilities of autoscaling and autorecovery.

  • SLA, Measurements, and Governance: SLA is a legal contract between the cloud service provider and the user with financial implications. It specifies the different terms and conditions of service delivery, including the prescribed level of service delivery performance. The unique characteristics of the cloud computing environment require a different set of SLAs as compared to traditional IT services. Time to scaling or descaling the number of VMs, auto scaling, pay-per-use (time-based or resource-based), number of concurrent user sessions, service resource availability, loss of data, data access response time, regulatory compliance, investigative support, data and service recovery, etc., are some of the parameters to consider when defining the SLA for the cloud service delivery. The SLA document contains the measurable key security control performance parameters, methods to measure them, and ranges of measured values for the expected and accepted performance level of service delivery. It is recommended to use automation tools for data collection, performance value calculation, analysis, report generation, and distribution to the stakeholders. This will facilitate the transparency, common understanding, and quick actions on deviations and improvements.

    Further, a structured governance shall be in place to regulate security policies and strategies and service offerings, and to assess service delivery and security performance against the SLA along with the effectiveness of change control and patch management processes. For effective governance, the governing body shall be constituted with representatives from all the relevant cloud actors and be empowered to take decisions. The governance team plays a pivotal role in defining and improving end-to-end security of the cloud by analyzing the cloud service delivery performance and the service usage experiences of end users, and by initiating continuous improvement activities. The governance team shall evaluate evolving state-of-the-art cloud technologies and adopt some of them to stay relevant in the competition. This group shall also review and adapt to the changing requirements for legal compliance, certifications, and audits.

  • Facility Maintenance: The data centers host the cloud physical infrastructure to deliver the cloud service offerings. So, the CSPs shall ensure that the facilities that house these data centers have appropriate levels of cooling, routine electrical maintenance, and physical security controls like badges, gates, and fences in place. Regular preventive maintenance of the facility can limit damage to physical systems and network resources and so improve service availability.

  • Pre- and Post-Deployment Testing: Most of the time, time-to-market gets precedence over testing, especially security testing. Lack of necessary testing has cascading impacts, like disruption of offered services due to cyber-attacks that exploit untested vulnerabilities, penalties for loss of user data privacy, etc. This can be addressed through automation of testing activities aligned with change control and patch management processes. All the software applications and components in use to deliver the services must be tested for fulfillment of the security requirements. Specific security testing, including static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST), abuse cases, penetration, and injection cases, should be performed at the respective phases of application development, delivery, and operation.

  • Continuous Improvement: The outcomes of the root cause analysis of security incidents, observed monitoring deviations, trend analysis of the performance measurements, governance reviews, etc., provide opportunities for continuous improvement in the security measures implemented by the CSPs. Continuous security awareness and training sessions for stakeholders improve the effectiveness of the deployed security measures.
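The logging and monitoring item above separates a deviation captured as a security event from an incident that is triggered only when defined criteria are met. The following is an added example, not part of the original paper, that applies this to the paper's own case of high CPU utilization and slow responses; the field names, event names, and every threshold in `Criteria` are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:            # one monitoring interval taken from resource-usage logs
    minute: int
    cpu_pct: float
    requests: int
    response_ms: float


@dataclass(frozen=True)
class Criteria:          # every value here is an assumption for this example
    max_response_ms: float = 500.0   # SLA limit on response time
    cpu_high_pct: float = 85.0       # CPU level treated as saturation
    low_requests: int = 50           # load below which high CPU is unexplained
    sustained: int = 3               # consecutive deviating intervals per incident


KINDS = ("sla_deviation", "unexplained_resource_use")


def classify(s: Sample, c: Criteria) -> list:
    """Return the security event kinds raised by one interval."""
    kinds = []
    if s.response_ms > c.max_response_ms:
        kinds.append("sla_deviation")
    # High CPU with almost no user load is a deviation from expected behavior
    # and a candidate for unauthorized or fraudulent resource use.
    if s.cpu_pct >= c.cpu_high_pct and s.requests < c.low_requests:
        kinds.append("unexplained_resource_use")
    return kinds


def _flush(kind, runs, incidents, c):
    minutes = runs.pop(kind, [])
    if len(minutes) >= c.sustained:   # the defined criterion for incident response
        incidents.append({"kind": kind, "start": minutes[0], "end": minutes[-1]})


def monitor(samples, c: Criteria = Criteria()):
    """Return (events, incidents): every deviation is an event, but only a
    sustained run of the same kind opens an incident."""
    events, incidents, runs = [], [], {}
    for s in sorted(samples, key=lambda x: x.minute):
        kinds = classify(s, c)
        events += [(s.minute, k) for k in kinds]
        for k in KINDS:
            if k in kinds:
                runs.setdefault(k, []).append(s.minute)
            else:
                _flush(k, runs, incidents, c)
    for k in KINDS:
        _flush(k, runs, incidents, c)
    return events, incidents


# Constructed sample data: (minute, cpu %, requests, response ms)
SAMPLES = [Sample(*row) for row in [
    (0, 40, 300, 180), (1, 55, 420, 210),
    (2, 88, 900, 520), (3, 92, 950, 640), (4, 95, 980, 710),   # load-driven slowdown
    (5, 60, 400, 230),
    (6, 91, 12, 190), (7, 93, 9, 200), (8, 94, 11, 195),       # busy CPU, no users
    (9, 45, 310, 560),                                          # single slow interval
    (10, 44, 300, 200),
]]

if __name__ == "__main__":
    events, incidents = monitor(SAMPLES)
    print(len(events), "events")
    for inc in incidents:
        print("incident:", inc)
```

The single slow interval at minute 9 is recorded as an event for trend analysis but does not open an incident, which is what the `sustained` criterion is for.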

4.3 Security Compliance: The Third Dimension

The third dimension focuses on being transparent to legal and regulatory compliance authorities, open to audits, and following the security recommendations of the standards organizations. The CSPs must transparently share the implemented measures for data security and privacy assurance with their users and compliance authorities. Legal compliance, certification audits, and implementation of security measures as per the recommendations of standardization organizations reflect the level of effectiveness and sufficiency of the implemented security measures.

  • Legal and Regulatory Compliance: The unique characteristics of cloud computing, like resource sharing, multi-tenancy, virtualization, multi-location outsourcing, etc., require cloud providers to ensure legal and regulatory compliance with the prevailing laws of the country hosting the cloud infrastructure [13]. Geographically distributed multi-location data storage, used to support redundancy and business continuity, causes ambiguity in deciding the jurisdictions for data privacy compliance and data lifecycle management [18]. Digital forensic requirements may conflict with the legal and privacy requirements of the country hosting the cloud infrastructure. Providing compliance becomes more complex when user data falls under different jurisdictions. Forensic-as-a-service (FaaS), security logging-as-a-service (SLaaS), and forensic-by-design (FbD) are some of the suggested solutions for providing compliance data [25, 35]. The general data protection regulation (GDPR) enforces data protection and privacy for every individual in the European Union and the European Economic Area. Businesses and organizations, including cloud service providers, that manage the personal data of users must comply with GDPR or face financial penalties [15]. Inappropriate metering and billing of resource usage, arising from on-demand and pay-per-use flexibility, may lead to financial non-compliance and associated legal implications [34].

  • Standards and Frameworks: Security standards and frameworks by the standardization organizations provide a structured approach for fulfilling the security requirements [4, 24, 31, 32]. It is not mandatory to follow the recommendations; however, being compliant with such recommendations provides a common language for understanding the best practices followed by a CSP. A CSP being compliant with such standards and frameworks raises users' confidence. Using the recommended guidelines enhances the interoperability and portability of the service offerings and enables the CSPs to adopt inter-cloud, multi-cloud, or federated-cloud kinds of collaboration for widening their service offerings.

  • Audit and Certification: Cloud providers shall seek audits and certification from a third party to assess whether the required security measures are in place and are working as expected. This brings visibility and transparency to the CSP’s commitment to providing secured services by implementing necessary and sufficient security measures. The certification auditor performs artifact collection, verification, and validation to certify the same. The audit process shall ensure confidentiality and privacy of the user data under audit. It is desirable to perform security certification and audits continuously, enabled through automation, considering the dynamism in resource allocation and service requests in a cloud computing environment. An integrity check of remotely stored data can be performed with the remote data audit (RDA) technique [38]. In RDA, a small fragment of the whole data is spot-checked for deterministic or probabilistic assurance of data intactness. Replication-based, erasure-coding-based, and network-coding-based techniques are the widely used techniques of remote data auditing [38]. ISO/IEC 27001:2013 [20], ISO/IEC 27002:2013 [21], ISO/IEC 27017:2015 [23], ISO/IEC 27018:2014 [22], CSA security trust assurance and risk (STAR) [10], and National Institute of Standards and Technology (NIST) 800-53 [33] are some of the recognized standards and certifications for information security and data privacy assurance.
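The spot-check idea behind remote data auditing, described in the audit item above, can be shown with a small challenge-response sketch. This is an added example, not code from the paper or from the schemes surveyed in [38]: it assumes the auditor shares a secret key with the data owner, uses per-block HMAC-SHA256 tags that bind each block to its position, and returns whole blocks rather than the compact proofs that real RDA schemes use.

```python
import hashlib
import hmac
import secrets
from math import comb

BLOCK_SIZE = 64  # bytes per block (small, so the constructed sample has many blocks)


def tag_block(key: bytes, index: int, block: bytes) -> bytes:
    # The index is part of the MAC input, so a tag is valid for one position only
    # and the store cannot answer a challenge with some other intact block.
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


class RemoteStore:
    """Stands in for the CSP: holds blocks and tags, never the key."""

    def __init__(self, blocks, tags):
        self.blocks, self.tags = list(blocks), list(tags)

    def respond(self, indices):
        return [(i, self.blocks[i], self.tags[i]) for i in indices]


def outsource(key: bytes, data: bytes):
    """Data owner: split the data, tag every block, hand both to the store."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    tags = [tag_block(key, i, b) for i, b in enumerate(blocks)]
    return RemoteStore(blocks, tags), len(blocks)


def audit(key: bytes, store: RemoteStore, n_blocks: int, sample_size: int):
    """Auditor: challenge random positions and verify each returned block.

    Returns (passed, failed_indices). sample_size == n_blocks checks every
    block (deterministic); a smaller sample gives probabilistic assurance.
    """
    challenge = secrets.SystemRandom().sample(range(n_blocks), sample_size)
    response = store.respond(challenge)
    if [i for i, _, _ in response] != challenge:
        return False, sorted(challenge)  # store did not answer the challenge given
    failed = [i for i, block, tag in response
              if not hmac.compare_digest(tag, tag_block(key, i, block))]
    return not failed, sorted(failed)


def detection_probability(n_blocks: int, corrupted: int, sample_size: int) -> float:
    """P(sample hits at least one corrupted block) = 1 - C(n-t, c) / C(n, c)."""
    return 1 - comb(n_blocks - corrupted, sample_size) / comb(n_blocks, sample_size)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    data = b"".join(i.to_bytes(4, "big") for i in range(1600))  # constructed, 6400 bytes
    store, n = outsource(key, data)
    print("intact, 20 of", n, "blocks sampled:", audit(key, store, n, 20))
    store.blocks[5] = b"\x00" * BLOCK_SIZE  # simulate silent corruption of one block
    print("one corrupted block, full audit:", audit(key, store, n, n))
    print("P(detect 10 bad blocks with 20 samples):",
          round(detection_probability(n, 10, 20), 3))
```

Sampling 20 of 100 blocks detects 10 corrupted blocks with probability of about 0.90, which is why repeated small audits can stand in for a full read of the data.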

4.4 Inferences

In comparison to other works or models (Sect. 2), the proposed conceptual model provides a holistic approach for cloud security assurance against the top threats to cloud computing. Most of the works or models provide generic cloud security challenges and associated solutions [2, 3, 5, 12, 17, 28, 37, 40, 43]. Some of the previous works or models have also discussed cloud security threat analysis [5, 17, 19, 28, 37, 40, 41, 43] and its impact on the security requirements. However, the proposed model provides an integrated and inter-working approach for implementing security solutions based on cloud top threats analysis, measuring the effectiveness and sufficiency of the implemented solution during security operation, and ensuring security compliance as per the legal and regulatory requirements and standards recommendations.

The conceptual model depicted in Fig. 2 may be used by cloud security practitioners as a quick reference sheet while planning and designing a security management system. The list of suggested security solutions for the different cloud architectural layers in Tables 3 and 4 can be used as a reference checklist during due diligence for selecting a suitable cloud provider. The different aspects of cloud security operations described in the second dimension can be used for continuous security assurance and for avoiding security incidents. Fulfilling legal compliance, certification, and audit requirements and following the security recommendations of standards organizations further strengthen the CSP’s commitment to deliver security-enabled services to the cloud users. Collectively, these three dimensions work in tandem to boost the confidence and trust of users in transitioning their business processes to the cloud. The security assurance level that could be achieved through the proposed model can be measured by defining and measuring the applicable security metrics for a given business context. The audit and compliance reports from the third party can also be used for determining the security assurance level provided through this model.

5 Conclusion and Future Work

In this decade, cloud business models have unleashed and capitalized on the potential of the cloud to a large extent and are forecast to grow further in the coming years. However, security and privacy threats remain a consistent factor to address. The adoption of the proposed integrated three-dimensional model, encompassing security solutions, security monitoring, and security compliance, will help practitioners in limiting the attack vectors. The evolution in cloud technology, business model, threat spectrum, and compliance requirements will require a regular integrated approach to review, assess, and plan continuous improvement in security controls and measures to adapt. This can be done through the lens of the described three-dimensional model. A focus on effective automation of the activities along these three dimensions, using artificial intelligence and data analytics enabled tools, is expected to address many of the CSA’s identified threats to cloud computing. Further, the evolution of technologies and business delivery models will require a more comprehensive adaptive approach for managing the dynamism of cloud resources, user data, and, most importantly, user behavior. The evolving user behavior may become a dominant factor for evolved complex systems. Consequently, future research work could explore the dynamism in user behavior as the fourth dimension, focusing on analysis of user behavior using data analytics and machine learning techniques to identify and implement the required level of adaptation mechanism in cloud security controls and measures, for strengthening trust in cloud solutions.