6
Hacking and Countermeasures in the Cloud

Farzaneh Abazari¹, Hassan Takabi², and Morteza Analoui¹

¹School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran

²Department of Computer Science and Engineering, University of North Texas, Denton, TX, USA

6.1 Introduction

In recent years, there has been increasing interest in cloud computing. However, cloud providers and their customers have several security concerns about their assets. Security reports show that risks in the Cloud have increased dramatically, and the Cloud has become a major target for criminals. Recent evidence confirms the possibility of attacks such as data breaches, distributed denial of service (DDoS), man in the middle, and malware injection in the cloud environment. In addition, abuse of cloud resources by attackers is one of the top threats to the cloud environment.

Virtualization is a key technology in cloud computing that enables dynamic allocation of resources to cloud users. However, this technology introduces new threats to the cloud infrastructure. In addition to the virtualization threat, general features of cloud computing, such as multitenancy and using shared resources, enable attackers to penetrate the cloud infrastructure. Because users are managing their business, computation, and storage in the Cloud, they are concerned with the level of security the cloud infrastructure can provide. The purpose of this chapter is to provide perspective on current threats to the cloud environment and proposed countermeasures.

Based on (Stallings and Brawn 2008), we define a countermeasure as “An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.” Traditional countermeasures can disable part of an attack, while other parts of the attack require specific countermeasures. Although physical security is important in the overall security of the Cloud, we don't discuss it in this chapter. We assume that physical security is maintained by experienced experts.

The chapter is organized as follows. Background on cloud security issues is discussed in Section 6.2. We explore cloud security risks and threats in Section 6.3, and Section 6.4 discusses countermeasures. Section 6.5 presents real attacks in the Cloud, Section 6.6 predicts the future of the Cloud, and finally Section 6.7 concludes the chapter.

6.2 Background

The Cloud is an Internet‐based environment that consists of computing, storage, and networking resources that provide servers, platforms, and applications that can be accessed by any individual or business with Internet connectivity. Customers get a piece of the Cloud that contains what they need to run their business, and they pay based on their usage. The National Institute of Standards and Technology (NIST) divides cloud services into three categories: Software‐as‐a‐Service (SaaS), Platform‐as‐a‐Service (PaaS), and Infrastructure‐as‐a‐Service (IaaS).

Both cloud providers and consumers are responsible for establishing security in the Cloud. They must defend against advanced attacks, since the Cloud is a bigger target for hackers than any single machine and the rewards are higher for the attackers. Their responsibilities are different based on the type of cloud service. In IaaS, the cloud provider is responsible for security in the hypervisor and everything in the cloud backend; however, customers are responsible for hardening operating systems (OSs), applications, and data. In PaaS, the cloud provider should isolate the customers' applications and data from each other and establish security in the OS and hypervisor. On the other hand, customers are responsible for the security of their developed applications. In the SaaS service model, the cloud provider must provide security in the applications, data, and virtualized infrastructure. In all of the cloud service models, the cloud provider is in charge of physical security, which is maintained by experienced experts. Physical attacks will not happen often, but when they do occur, they can be very damaging (Szefer et al. 2014).

Increase in the acceptance of cloud computing in enterprise IT will force cloud providers to establish a greater level of security than traditional data centers. To meet this requirement, cloud providers must recognize the threats targeting cloud environments and study security solutions that can prevent attacks effectively. A superior understanding of the threats will guide further reactions at the operational level, including updating policies and making organizational changes (Juliadotter and Choo 2015).

(Ardagna et al. 2015) classified vulnerabilities, threats, and attacks based on attack surfaces and classified security threats in three groups: application level, tenant on tenant, and provider on tenant/tenant on provider. The first group mainly applies to the SaaS service model and threatens interactions between users and services. In other words, they focus on services and data at the highest level of a cloud stack. The second group consists of scenarios where a malicious tenant tries to attack other tenants in the same physical machine by exploiting misconfiguration or vulnerabilities on the virtualization infrastructure. The last group contains two types of attack: a malicious cloud provider that attacks its tenants, or compromised tenants attacking the cloud infrastructure by organizing a botnet.

6.3 Cloud Security Threats

According to a Gartner report (Columbus 2013), cloud computing is evolving rapidly as part of the economy. The report estimated that public cloud services would grow to $210 billion by 2016. However, this is leading to increased sharing of resources among more businesses and, at the same time, attracting more cybercriminals. Many factors make cloud computing less secure; in this section, we list the top seven.

6.3.1 Resource Exhaustion Attacks (DoS Attacks)

A denial of service (DoS) attack aims to overwhelm cloud resources such as computation resources with CPU‐intensive requests and overload the network's infrastructure with bandwidth‐consuming traffic. In order to deny service to other virtual machines (VMs) in a physical machine, attackers consume host resources unfairly. In addition to exhausting resources, this attack puts load balancers, network monitors, and firewalls out of service. Misconfiguration may also potentially lead to unintended resource exhaustion, such as boot storms and antivirus (AV) storms. For example, when most of the VMs in a physical machine try to boot at the same time, a boot storm happens and creates spikes of I/O calls and CPU consumption. Multiple AV scans at the same time have the same effect on resources (http://www.vmware.com/files/pdf/partners/trendmicro/vmware‐trendmicro‐anti‐virus‐virtual‐datacenter‐sb‐en.pdf).

6.3.2 Attacks on the Cloud Interface

Cloud providers publish a set of software interfaces that enable users to interact with cloud services and manage them. Security and availability of the Cloud depend on the security of these application programming interfaces (APIs) (Modi et al. 2013). According to Alert Logic (https://info.cogecopeer1.com/hubfs/Alert%20Logic%20Cloud%20Security%20Report.pdf), brute‐force attacks on cloud environments increased from 44% to 56% of customers in 2015. Brute‐force attacks involve a large number of attempts to find a correct credential to log in as an authentic user and access cloud services. Suspicious activity in the Cloud has also increased, from 50% to 68%. In addition, attackers can launch browser‐based attacks, such as Secure Sockets Layer (SSL) certificate spoofing, attacks on browser caches, key logging, and phishing attacks.
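The brute-force pattern described above can be detected from the cloud interface's authentication log. The following is an added example, not code from the chapter or from Alert Logic; the log line format, thresholds, user names, and addresses are constructed assumptions. It counts failures per source and per account in a sliding window, so that guessing spread across many sources still triggers an account lockout, and it raises a separate alert when a flagged source finally logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format for a cloud management API (an assumption).
LINE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)
WINDOW = timedelta(seconds=60)   # look-back period for counting failures
MAX_FAILS_PER_SOURCE = 5         # one client guessing credentials
MAX_FAILS_PER_ACCOUNT = 4        # one account targeted from any number of clients

# Constructed sample input; addresses are from documentation ranges.
SAMPLE_LOG = """\
2015-06-01T09:00:00Z login user=alice src=198.51.100.20 result=FAIL
2015-06-01T09:05:00Z login user=alice src=198.51.100.20 result=FAIL
2015-06-01T09:10:00Z login user=alice src=198.51.100.20 result=OK
2015-06-01T10:00:01Z login user=admin src=203.0.113.7 result=FAIL
2015-06-01T10:00:02Z login user=admin src=203.0.113.7 result=FAIL
2015-06-01T10:00:03Z login user=admin src=203.0.113.7 result=FAIL
2015-06-01T10:00:04Z login user=admin src=203.0.113.7 result=FAIL
2015-06-01T10:00:05Z login user=admin src=203.0.113.7 result=FAIL
2015-06-01T10:00:09Z login user=admin src=203.0.113.7 result=OK
2015-06-01T11:00:00Z login user=bob src=192.0.2.11 result=FAIL
2015-06-01T11:00:10Z login user=bob src=192.0.2.12 result=FAIL
2015-06-01T11:00:20Z login user=bob src=192.0.2.13 result=FAIL
2015-06-01T11:00:30Z login user=bob src=192.0.2.14 result=FAIL
""".splitlines()


def parse(line):
    """Return (timestamp, user, source, result) or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def _push(window, ts):
    """Add a failure timestamp, drop entries older than WINDOW, return the count."""
    window.append(ts)
    while ts - window[0] > WINDOW:
        window.popleft()
    return len(window)


def detect(lines):
    """Return alerts in the order they fire: (kind, subject) tuples."""
    by_source = defaultdict(deque)
    by_account = defaultdict(deque)
    flagged_sources, locked_accounts, alerts = set(), set(), []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, user, src, result = event
        if result == "FAIL":
            if (_push(by_source[src], ts) >= MAX_FAILS_PER_SOURCE
                    and src not in flagged_sources):
                flagged_sources.add(src)
                alerts.append(("bruteforce-source", src))
            if (_push(by_account[user], ts) >= MAX_FAILS_PER_ACCOUNT
                    and user not in locked_accounts):
                locked_accounts.add(user)
                alerts.append(("lock-account", user))
        elif src in flagged_sources:
            # A success right after a burst of failures suggests a guessed credential.
            alerts.append(("success-after-bruteforce", f"{user}@{src}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two slow failures by `alice` raise nothing, while `bob` is locked even though no single source crosses the per-source threshold.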

(Kim and Vouk 2014) surveyed common security vulnerabilities and corresponding countermeasures for SaaS as the most prevalent service‐delivery mode. Since many SaaS services are accessed through the Web, vulnerabilities identified with Extensible Markup Language (XML), which is widely used to support web services (e.g. Simple Object Access Protocol [SOAP], Representational State Transfer [REST], and Web Services Description Language [WSDL]), have a real impact on SaaS security. SOAP, which is based on XML, is used to exchange service‐related structured information. SOAP data is vulnerable to a variety of man‐in‐the‐middle attacks, such as interception, manipulation, and transmission.

6.3.3 Attacks on Cloud Infrastructure

OpenStack is an open source platform for cloud computing that is mostly deployed for IaaS. Several vulnerabilities in OpenStack components such as Keystone, Compute, Neutron, and Horizon can lead to serious attacks such as man‐in‐the‐middle, DoS, session hijacking, and information disclosure. Nova has the most security issues; Keystone has the second most, but they are more important than Nova's (Murphy 2014).

6.3.4 Malware Propagation

Any malware, such as worms, with access to network components will propagate to wherever their addressing or routing allows; hence the communication of VMs and their access to the network leads to malware propagation in the cloud infrastructure. Containment of fast‐spreading worms in the Cloud is an ongoing problem. Attackers attempt to inject malicious services or code, which appear to be valid instances of services running in the Cloud. Disk images in storage can be compromised through attacks such as malware installation and unauthorized access to cloud storage.

Previous studies in data‐center security have indicated that malware botnet attacks were the most common attacks on data centers. Several approaches have been proposed to detect malware in cloud infrastructure (Marnerides et al. 2013; Watson et al. 2014). However, malware creators try to make their attacks undetectable by using polymorphic techniques to avoid detection. Cloud providers should minimize the time that malware actively scans the network for vulnerable machines to infect, and also limit malware propagation in their cloud networks (Shahin 2014).

6.3.5 Malicious Insiders

Malicious insiders are aware of vulnerabilities in an organization. In addition, using a higher level of privilege can enable an employee to gain access to confidential data and services. Since insider network traffic often bypasses firewalls and intrusion detection systems, malicious activities in the Cloud remain undetected.

6.3.6 Data Breaches and Losses

Data privacy, integrity, and availability are always important concerns for users who migrate to the Cloud. Due to the dynamic and shared nature of the Cloud, user data may be compromised in many ways (Ali et al. 2015).

Data breaches and losses can be caused by both intentional and unintentional events. Losing the key for encrypted data and a disk drive crashing without a backup are good illustrations of unintentional data loss. An example of an intentional situation is the case of VMs on the same physical host, allocated to several organizations. If there is competition between the organizations, data leakage is unacceptable. So, establishing robust VM isolation is crucial. If a malicious cloud user gets access to the hypervisor, e.g. by exploiting a zero‐day vulnerability, they can compromise isolation and deliberately modify or even delete competitors' files.

6.3.7 Abuse of Cloud Resources

A Cloud Security Alliance (CSA) survey shows that of all security issues, abuse of cloud resources is considered the top security threat (Cloud Security Alliance 2010). Malware is the first stage of larger security threats such as DDoS attacks. If malware propagates over most of a cloud's VMs, a botnet will emerge. An internal botnet in the cloud infrastructure can source a DDoS attack to an external target (Latanicki et al. 2010). Since the Cloud provides reliable infrastructure services at a relatively cheap price, a botmaster (attacker) can use the Cloud to organize a botnet. The command and control (C&C) server is placed in a typical network environment outside the Cloud. Cloud instances (VMs) are commanded and controlled by the C&C entity to initiate a cyber attack while the C&C server runs a collection of VMs remotely (Mark and Wei 2015). Containment of fast‐spreading worms in the Cloud is an open problem and important research issue (Biedermann and Katzenbeisser 2012).

6.3.8 Attacks on Virtualization

Virtualization is used in the Cloud to achieve multitenancy. However, some attacks on cloud infrastructure are caused by virtualization vulnerabilities (Shoaib and Olivia 2014). Attackers may incorporate several virtualization vulnerabilities in combination to achieve the intended effects. Shared resources in a virtualized environment are the dominant reason for vulnerabilities in the Cloud. (Ezhilchelvan and Mitrani 2015) described the security issues in isolation among VMs that allow a malicious VM to access a victim VM. Several factors attract attackers to compromise multiple VMs and deploy further large‐scale attacks (Chung et al. 2013):

  • The similar configuration of VMs in the Cloud, such as virtualization techniques, which causes them to have the same vulnerabilities.
  • Cloud users installing vulnerable applications on VMs.
  • VM migration, which provides quick deployment but leads to security problems, such as the quick spread of vulnerable configurations, allowing attackers to expose the security of a new host.
  • Communication among VMs through a virtual network.
  • Underlying components of the cloud infrastructure (e.g. CPU, CPU caches, GPUs, etc.) that were not designed to offer strong isolation properties for a multitenant architecture.

Although gaining control over multiple VMs is not easy, these factors make it simpler for attackers. A malicious user can misuse its VM to access host resources and then access other VMs. (Tsai et al. 2011) discussed several virtualization‐related security issues in a cloud environment. The key threats to virtualization are as follows:

  • VM escape attack—An attacker exploits vulnerabilities in an application, OS, or hypervisor and allows malware to escape from a VM to the host or hypervisor on which the victim VM is running. In another variation of this attack, malware escapes from a VM to another co‐resident VM managed by the same hypervisor. This threat enables VMs to interfere with each other.
  • Cross‐VM side‐channel attack—(Ristenpart et al. 2009) introduced cross‐VM side‐channel attacks in the cloud environment. They explored how VM placement can be misused to mount attacks to extract information from a victim VM on the same machine. In this attack, an attacker needs to gain access to a VM running within the cloud system.
  • Sharing of VM images—(Jansen 2011) pointed out another serious threat in the cloud environment: sharing VM images in image repositories. If a malicious user can access this repository, they can investigate the image code for a potential vulnerability. Research conducted by (Balduzzi et al. 2012) confirmed that 98% of Windows images and 58% of Linux images in Amazon EC2 contained applications with critical vulnerabilities, based on analyzing 5303 Amazon VM images. In addition, a malicious user can upload an image that contains malware. The VM instantiated through the infected image becomes the source of malware in the cloud computing environment.
  • Communication threat—(Ali et al. 2015) listed two types of communication in the cloud infrastructure: internal and external. The first type of communication occurs inside the cloud infrastructure, and the second type is between users and the Cloud. Internal communication takes place in a virtualized environment. External communication, like other communication over the Internet, faces security challenges such as man‐in‐the‐middle attacks, eavesdropping, spoofing, and DoS. A virtual network that is built over a physical network is responsible for managing communication among VMs (Wu et al. 2010). Software‐based network components, including bridges, routers, and switches, provide networking of VMs over the same host. Since security mechanisms over the physical network are not able to monitor traffic over the virtualized network, malicious traffic can pass through the network without being detected. This problem is mentioned in a security report released by Symantec (Wueest 2014).

    (Juliadotter and Choo 2015) presented risk‐assessment measures to evaluate the security of the Cloud based on the overall threat to user assets. Their measures include the attack source, vector, vulnerability type, target, defense type, and impact.

6.4 Cloud Security Countermeasures

Cloud providers are responsible for preventing attacks in the cloud infrastructure. (Okubo et al. 2014) divided security functions for which cloud providers are responsible as follows:

  • Protection of internal servers
  • Ruggedization of servers for disclosure
  • User authentication
  • Log acquisition
  • Role‐based access control (RBAC)
  • Account lockouts
  • Multifactor authentication
  • Port scans

However, these countermeasures are not enough to defend against all threat types in the Cloud. In this section, we explain different countermeasures in detail.

(Datta and Goyal 2014) used annotated attack graphs to show security vulnerabilities in the cloud environment. They proposed a framework to share information about vulnerabilities with tenants so they can adopt their own security protection policies according to their business needs. An attack‐mitigation framework for the Cloud that could facilitate the collection and utilization of security intelligence gathered from the cloud environment could secure tenants' resources from potential attacks.

Szefer et al. (2014) proposed a real‐time cloud intrusion‐prevention model. Their goal was protecting VMs from insider attacks in the network. Based on the time an initial sign of a potential attack is detected in the network, two kinds of mechanisms are employed: prevention and detection. Implementing each mechanism has its own cost and execution overhead, so the model suggested the best response mechanism that was effective and rapid in the cloud context.

Attackers exploit known and unknown vulnerabilities to initiate sophisticated attacks. The dynamic nature of the attacks allows attackers to stay stealthy and avoid intrusion detection systems (IDSs) and makes mitigation a challenging task. A fast‐reacting adaptive system is presented in (Emami‐Taba et al. 2014): it is capable of detecting and mitigating threats by engineering self‐protecting software (SPS) that incorporates an attacker's possible strategies when selecting countermeasures. They utilized game theory to model the competition between the adaptation manager in the SPS and the attacker.

In addition to these countermeasures for attacks in the Cloud, each attack can be prevented by a specific mechanism. In the following section, we present specific countermeasures for each attack type.

The best approach to prevent a resource exhaustion or DoS attack is to limit resource allocation by using the proper configuration of the hypervisor. Performance isolation also avoids this type of attack; however, it reduces cloud efficiency.

Attacks on the cloud interface affect the IaaS, PaaS, and SaaS cloud service models and can be avoided by establishing strong authentication and access‐control mechanisms in the cloud provider's interface. Moreover, all transmitted data must be encrypted securely. Cloud APIs should support all key agreement protocols specified in the WS‐Security standards, since the resulting keys must be stored in the user's browser. WS‐Security uses XML Signature and XML Encryption to protect against man‐in‐the‐middle attacks, such as interception, manipulation, and transmission (Kim and Vouk 2014).

An important security issue in the Cloud is malware propagation. By checking the integrity of cloud services and VM images in the hypervisor, any changes can be detected by the cloud provider. Infrastructure, hypervisor, and storage attacks in the Cloud may threaten the security of VM images. Therefore, VM images must be secured in cloud storage to protect sensitive user data, maintaining the integrity of disk images and ensuring confidentiality of images through encryption (Muhammad et al. 2013). Allocation of malicious VMs to the physical host has an effect on the speed of malware propagation in the Cloud (Abazari and Analoui 2014).
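One way to implement the image integrity check described above, as an added example that is not from the chapter or the cited papers: a per-image SHA-256 manifest authenticated with an HMAC key held outside the image store. The manifest layout, file names, and key are constructed assumptions. The check reports modified, missing, and unregistered images, and rejects a manifest that was edited to match a tampered image.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1024 * 1024  # stream images in 1 MiB chunks; disk images are large


def sha256_file(path):
    """Hash a file without loading it into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _tag(entries, key):
    """HMAC over a canonical JSON encoding of the digest table."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(image_dir, key):
    """Record one digest per image and authenticate the whole record."""
    entries = {
        name: sha256_file(os.path.join(image_dir, name))
        for name in sorted(os.listdir(image_dir))
    }
    return {"images": entries, "hmac": _tag(entries, key)}


def verify_images(image_dir, manifest, key):
    """Return {name: finding}; an empty dict means every image matches."""
    if not hmac.compare_digest(_tag(manifest["images"], key), manifest["hmac"]):
        return {"<manifest>": "manifest-tampered"}
    findings = {}
    on_disk = set(os.listdir(image_dir))
    for name, recorded in manifest["images"].items():
        if name not in on_disk:
            findings[name] = "missing"
            continue
        current = sha256_file(os.path.join(image_dir, name))
        if not hmac.compare_digest(current, recorded):
            findings[name] = "modified"
    for name in sorted(on_disk - set(manifest["images"])):
        findings[name] = "unregistered"  # image uploaded outside the process
    return findings


def demo():
    """Run the check on a constructed image store before and after tampering."""
    key = b"constructed-demo-key"  # assumption: really kept outside the store
    with tempfile.TemporaryDirectory() as repo:
        for name, data in (("web.qcow2", b"base image A"),
                           ("db.qcow2", b"base image B")):
            with open(os.path.join(repo, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(repo, key)
        clean = verify_images(repo, manifest, key)

        # Simulated tampering: one image altered, one image added.
        with open(os.path.join(repo, "db.qcow2"), "ab") as fh:
            fh.write(b"unexpected bytes")
        with open(os.path.join(repo, "rogue.qcow2"), "wb") as fh:
            fh.write(b"unreviewed image")
        tampered = verify_images(repo, manifest, key)

        # Digest rewritten to match the altered image, without the HMAC key.
        forged = {"images": dict(manifest["images"]), "hmac": manifest["hmac"]}
        forged["images"]["db.qcow2"] = sha256_file(os.path.join(repo, "db.qcow2"))
        forged_result = verify_images(repo, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, result)
```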

Malicious insiders can affect SaaS, PaaS, and IaaS cloud service models. To avoid this threat, cloud providers should offer more transparency in security and management processes, including compliance reporting and breach notification. (Khorshed et al. 2012) investigated and compared performances of several machine learning techniques to monitor insider activities in the Cloud. They detected malicious activity by monitoring VM performance.

Using authentication, authorization, audit control, and identity and access management (IAM) helps prevent malicious and intrusive actions by attackers. Applying strong encryption algorithms, disaster recovery, using reliable data centers, and effective data‐backup strategies can reduce data breaches and the threat of loss. Deploying IAM solutions across cloud‐based applications and monitoring user activities can manage multiple user logins under a single AWS account without interference. Amazon S3 supports IAM policies that let an organization manage multiple users. In SaaS, access‐control components are responsible for resource access.

(Tangwongsan and Itthisombat 2014) proposed a working model for preserving file privacy in cloud storage. The model first encrypts the file and then executes the following steps: (i) assign a privacy map that shows what group names have access to each file, and (ii) notify privileged members by email. The model also preserves privacy in retrieving data.

Several approaches have been proposed to detect malware in cloud infrastructure (Marnerides et al. 2013; Watson et al. 2014) and prevent abuse of cloud resources. However, malware creators try to make it undetectable by using polymorphic techniques. Cloud providers should work to minimize malware active time and also limit malware propagation in their cloud networks (Shahin 2014). The best approach to prevent DDoS attacks is to limit resource allocation using proper configuration.

To minimize the threat of a VM escape attack, communication channels between the hypervisor and VMs such as clipboard sharing, memory management, device management, and specific vendor channels should be minimized (Ros 2012). Patching vulnerabilities, using strong authentication, and access‐control mechanisms are some of the solutions to address this issue.

Cross‐VM side‐channel attacks make it clear that the Cloud should support hypervisor security mechanisms to ensure process isolation (avoid VM escape), mediated information sharing, and secure communication. (Han et al. 2015) presented a method that applied VM allocation policies to defend against co‐resident attacks in cloud computing. We also present a method to respond to co‐resident threats (Abazari et al. 2017).

Patching VM vulnerabilities periodically prevents malicious port scanning in the cloud network. Additionally, using security mechanisms such as IDS and firewalls can mitigate attacks.

Self‐defended VMs that are capable of monitoring outbound and inbound traffic to detect malicious traffic can mitigate VM communication threats (Abazari et al. 2016). Isolating customer networks from each other and from management networks is another solution. Cloud providers can employ virtual appliances such as firewalls, IDSs, and intrusion prevention systems (IPSs) to provide powerful security between networks. Providers must ensure that no traffic is routed between networks.
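A sketch of the per-VM traffic monitoring described above, as an added example that is not from the chapter or from Abazari et al.: it watches flow records on the virtual network and quarantines a VM whose outbound connections fan out to many peers on one port and mostly fail, which is the signature of worm-style scanning. The flow tuple format, VM names, addresses, and thresholds are constructed assumptions. It also reports how long the VM was scanning before detection, the quantity the chapter says providers should minimize.

```python
from collections import defaultdict

WINDOW = 30             # seconds of flow history considered per (VM, port)
MIN_DESTINATIONS = 10   # distinct peers on one port before fan-out is suspicious
MIN_FAIL_RATIO = 0.8    # scanners mostly hit closed ports or absent hosts

# Constructed flow records from a hypothetical virtual-switch tap:
# (seconds, source VM, destination IP, destination port, connection state)
FLOWS = (
    # A web VM talking to its one database peer.
    [(t, "vm-web", "10.0.0.5", 5432, "established") for t in range(0, 60, 5)]
    # A batch VM with a wide but healthy fan-out: many peers, no failures.
    + [(i, "vm-batch", f"10.0.2.{i}", 443, "established") for i in range(1, 13)]
    # An infected VM probing neighbours on one port; almost every attempt fails.
    + [(100 + i, "vm-7", f"10.0.1.{i}", 445,
        "established" if i == 4 else "failed") for i in range(1, 16)]
)


def detect_scanners(flows):
    """Return {vm: details} for each VM that should be quarantined."""
    history = defaultdict(list)  # (vm, port) -> [(time, destination, failed)]
    quarantined = {}
    for t, vm, dst, port, state in sorted(flows):
        if vm in quarantined:
            continue  # its traffic is already blocked; nothing more to learn
        key = (vm, port)
        recent = [rec for rec in history[key] if t - rec[0] <= WINDOW]
        recent.append((t, dst, state != "established"))
        history[key] = recent

        peers = {d for _, d, _ in recent}
        failures = sum(1 for _, _, failed in recent if failed)
        if (len(peers) >= MIN_DESTINATIONS
                and failures / len(recent) >= MIN_FAIL_RATIO):
            quarantined[vm] = {
                "port": port,
                "detected_at": t,
                # Time the VM spent scanning before it was cut off.
                "active_scan_seconds": t - recent[0][0],
                "peers_probed": len(peers),
            }
    return quarantined


if __name__ == "__main__":
    for vm, details in detect_scanners(FLOWS).items():
        print(vm, details)
```

The failure-ratio test is what keeps `vm-batch` out of quarantine: it reaches twelve peers, but every connection succeeds.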

The following section discusses the most serious attacks against the cloud environment.

6.5 Hacking the Cloud: Reality Check

Hackers are increasingly taking aim at cloud resources when they launch attacks. They also attack cloud tenants and access their secure information. Consider the following examples of recent cloud attacks:

  • Man‐in‐the‐cloud attack (2015)—Attackers used SaaS service synchronization to steal users' enterprise data. Once attackers gained control of the user token, they were free to perform manipulations that resulted in data loss or outright breaches. Attackers could take control of a victim's cloud synchronization key and use this information to exploit the organization (Imperva 2015).
  • DoS attack by Sony (2014)—Sony misused AWS cloud servers to launch DoS attacks against websites that contained leaked company information (Butler 2014).
  • VM escape in VirtualBox (2014)—Attackers escaped a guest VM and gained access to the host server. CVE‐2014‐0983 is an example of a guest‐to‐host breakout vulnerability for the VirtualBox hypervisor. The attacker can execute arbitrary code on the host OS (MITRE 2014a).
  • VM escape in many virtualization platforms (2015)—CVE‐2015‐3456 (VENOM) is a vulnerability in the virtual floppy drive code used by many hypervisors. This vulnerability allows an attacker to escape from the guest VM and potentially obtain code‐execution access to the host. This VM escape leads to access to the host and all other VMs running on that host (MITRE 2015).
  • Remote access to data (2014)—CVE‐2014‐9047 consists of multiple unspecified vulnerabilities in the preview system in Cloud 6.x before 6.0.6 and 7.x before 7.0.3 that allow remote attackers to read arbitrary files via unknown vectors (MITRE 2014b).
  • DDoS attack on the Rackspace DNS (December 2014)—This attack affected Rackspace's domain name system (DNS) setup and caused problems accessing Rackspace cloud services for 11 hours (O'Connor 2014).
  • Attack on Amazon EC2 server (late‐2014)—Attackers hijacked cloud servers for Bitcoin‐mining purposes. In that case, a GitHub user discovered a bot scanning for Amazon API keys. The hacker used the keys to grab Amazon cloud‐based computing resources (Leopold 2017).
  • DDoS attack on Microsoft's Hyper‐V (2011)—Microsoft reported that malicious code run by an authenticated user in a VM caused a DDoS attack (SecureAuth Labs 2011).
  • DoS attack against Amazon (2009)—A code‐hosting site caused an outage of over 19 hours of downtime during an apparent DoS attack on the Amazon cloud infrastructure (Metz 2009).
  • Cloudburst VM escape attack (2009)—Attackers exploited a flaw in VMware Workstation and enabled a VM to attack its host (MITRE 2009).
  • Data loss in Amazon EC2 (2011)—Small amounts of data were lost for some AWS customers when its EC2 cloud suffered a “remirroring storm” due to human operator error on Easter weekend in 2011 (Jennings 2011).

These examples support the fact that cloud computing is already at risk. Table 6.1 shows the mapping between the types of threats and real attacks that have been reported.

Table 6.1 Mapping between attacks and threat in the cloud.

| Attack Type | Reality Check |
| --- | --- |
| Resource exhaustion attacks / DoS attack | The DDoS attack to the RackSpace (2014); DoS attack by Sony (2014); A DoS attack against Amazon (2009); DDoS attack on Microsoft's Hyper‐V (2011) |
| Attack to the cloud interface | VM escape in many virtualization platforms (2014) |
| Malware Propagation | |
| Attack to cloud infrastructure | |
| Malicious insider | |
| Data breach and loss | Man in the Cloud Attack (2015); Data loss in Amazon EC2 (2011); CVE‐2014‐9047 (2014) |
| Abuse of cloud resources | Attack on Amazon EC2 server (2014) |
| Attacks on virtualization | Cloudburst VM escape attack (2009); VM escape in VirtualBox (2014): CVE‐2015‐3456 |

Some of the threats haven't been reported yet as real attacks. In the future, we will see more reported attacks on the cloud infrastructure.

6.6 Future of Cloud Security

The following cloud security issues need to be addressed in order to provide more secure cloud services in the future. Attackers continue to enhance their strategies, and at the same time security professionals predict and prepare for these attacks. The future of cloud security falls under four headings (Mogull 2014):

  • Cloud providers should consider incident response in the cloud‐distributed enterprise.
  • Cloud providers should ensure security via auditing and penetration testing.
  • Secure programming leads to automated security across cloud, mobile, and internal security tools.
  • Security architects should measure and implement security controls internally for applications and across cloud providers.

(Kumari and Nath 2015) noted that migration of data from one cloud to another introduced new threats. They also mentioned that research on the mobile platform with respect to cloud computing is another open research issue.

Recently, (Ardagna et al. 2015) surveyed the interface between cloud security and cloud security assurance. Cloud security assurance refers to a way to gain justifiable confidence that infrastructure will consistently exhibit one or more security properties and operate as expected despite failures and attacks. Assurance is a much wider notion than security, because it includes methodologies for collecting and validating evidence supporting security properties. They recommended the design of next‐generation cloud security and assurance solutions.

6.6.1 Cloud Security for the IoT

Traditional security solutions are not able to provide security for billions of devices interconnected over the Internet. Many of these devices have limited processing power. In addition, running sophisticated security mechanisms at the device level is impossible and prohibitively expensive in terms of performance and cost. Hence, using cloud resources to provide security for the Internet of Things (IoT) improves total security for IoT participants. Securing IoT devices through the secure cloud network enables policies to be automatically applied and ensures that communications, devices, and services are not compromised.

6.7 Conclusions

The cloud environment consists of virtualized data centers. VMs in these data centers, similar to physical machines, are under security risks. Some features of cloud service models can inhibit certain virtualization vulnerabilities. Due to abuse and nefarious use of cloud resources, cloud providers must enhance the security of the Cloud to prevent attackers from penetrating.

In this chapter, we have discussed cloud security issues and possible countermeasures. We studied a number of cyber‐defense strategies that can be activated when an attack is detected, some of which can even take effect before the actual attack occurs. We hope this study can help cloud providers and cloud users to understand cloud‐specific security issues and design appropriate countermeasures.

References

  1. Abazari, F. and Analoui, M. (2014). Exploring the effects of virtual machine placement on the transmission of infections in cloud. In: Proceedings of the 7th International Symposium on Telecommunications (IST), 278–282. IEEE.
  2. Abazari, F., Analoui, M., and Takabi, H. (2016). Effect of anti‐malware software on infectious nodes in cloud environment. Computers & Security 58: 139–148.
  3. Abazari, F., Analoui, M., and Takabi, H. (2017). Multi‐objective response to co‐resident attacks in cloud environment. International Journal of Information & Communication Technology Research 9: 25–36.
  4. Ali, M., Khan, S.U., and Vasilakos, A.V. (2015). Security in cloud computing: opportunities and challenges. Information Sciences 305: 357–383.
  5. Ardagna, A., Claudio, R.A., Damiani, E., and Quang Hieu, V. (2015). From security to assurance in the Cloud: a survey. ACM Computing Surveys 48: 2.
  6. Biedermann, S. and Katzenbeisser, S. (2012). Detecting computer worms in the cloud. In: Open Problems in Network Security, 43–54. Springer.
  7. Butler, Brandon. (2014). Sony may have used Amazon's cloud to launch a counter DoS attack. https://www.networkworld.com/article/2858874/cloud‐computing/sony‐may‐have‐used‐amazon‐s‐cloud‐to‐launch‐a‐counter‐dos‐attack‐after‐its‐breach.html (accessed 24 October 2018).
  8. Balduzzi, M., Zaddach, J., Balzarotti, D. et al. (2012). A security analysis of Amazon's elastic compute cloud service. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing, 1427–1434. ACM.
  9. Chung, C.‐J., Khatkar, P., Xing, T. et al. (2013). NICE: network intrusion detection and countermeasure selection in virtual network systems. IEEE Transactions on Dependable and Secure Computing 10 (4): 198–211.
  10. Cloud Security Alliance. (2010). Top threats to cloud computing v1.0. http://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf.
  11. Columbus, Louis. (2013). Gartner predicts infrastructure services will accelerate cloud computing growth. http://www.forbes.com/sites/louiscolumbus/2013/02/19/gartner‐predicts‐infrastructure‐services‐will‐accelerate‐cloud‐computing‐growth.
  12. Datta, E. and Goyal, N. (2014). Security attack mitigation framework for the cloud. In: Proceedings of the 2014 Annual Reliability and Maintainability Symposium (RAMS), 1–6. IEEE.
  13. Emami‐Taba, M., Amoui, M., and Tahvildari, L. (2014). Mitigating dynamic attacks using multi‐agent game‐theoretic techniques. In: Proceedings of 24th Annual International Conference on Computer Science and Software Engineering, 375–378. ACM.
  14. Ezhilchelvan, P. and Mitrani, I. (2015). Evaluating the probability of malicious co‐residency in public clouds. IEEE Transactions on Cloud Computing.
  15. Han, Y., Chan, J., Alpcan, T., and Leckie, C. (2015). Using virtual machine allocation policies to defend against co‐resident attacks in cloud computing. IEEE Transactions on Dependable and Secure Computing.
  16. Imperva. (2015). Man in the cloud (MITC) attacks. https://www.imperva.com/docs/HII_Man_In_The_Cloud_Attacks.pdf (accessed 24 October 2018).
  17. Jansen, Wayne. (2011). Cloud hooks: security and privacy issues in cloud computing. 44th Hawaii International Conference on System Sciences (HICSS).
  18. Jennings, Richi. (2011). Amazon Web Services EC2 cloud lost data. https://www.computerworld.com/article/2471227/network‐software/oops‐‐amazon‐web‐services‐ec2‐cloud‐lost‐data.html (accessed 24 October 2018).
  19. Juliadotter, N.V. and Choo, K.‐K.R. (2015). Cloud attack and risk assessment taxonomy. IEEE Cloud Computing 2 (1): 14–20.
  20. Khorshed, M.T., Shawkat, A.A.B.M., and Wasimi, S.A. (2012). A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing. Future Generation Computer Systems 28 (6): 833–851.
  21. Kim, D. and Vouk, M.A. (2014). A survey of common security vulnerabilities and corresponding countermeasures for SaaS. In: Globecom Workshops (GC Wkshps), 59–63. IEEE.
  22. Kumari, M. and Nath, R. (2015). Security concerns and countermeasures in cloud computing paradigm. In: 2015 Fifth International Conference on Advanced Computing Communication Technologies (ACCT), 534–540. IEEE.
  23. Latanicki, Joseph, Massonet, Philippe, Naqvi, Syed et al. (2010). Scalable cloud defenses for detection, analysis and mitigation of DDoS attacks. In: Proceedings of Future Internet Assembly, 127–137.
  24. Leopold, George. (2017). AWS cloud hacked by bitcoin miners. https://www.enterprisetech.com/2017/10/09/aws‐cloud‐hacked‐bitcoin‐miners (accessed 24 October 2018).
  25. Marnerides, A.K., Watson, M.R., Shirazi, N. et al. (2013). Malware analysis in cloud computing: network and system characteristics. In: Globecom Workshops (GC Wkshps), 482–487. IEEE.
  26. Metz, Cade. (2009). DDoS attack rains down on Amazon cloud. https://www.theregister.co.uk/2009/10/05/amazon_bitbucket_outage (accessed 24 October 2018).
  27. Miller, Mark, and Wei, Lu. (2015). Detecting botnets in the cloud. ASEE Northeast Section Conference.
  28. MITRE. (2009). CVE‐2009‐1244. https://cve.mitre.org/cgi‐bin/cvename.cgi?name=cve‐2009‐1244 (accessed 24 October 2018).
  29. MITRE. (2014a). CVE‐2014‐0983. https://cve.mitre.org/cgi‐bin/cvename.cgi?name=cve‐2014‐0983 (accessed 24 October 2018).
  30. MITRE. (2014b). CVE‐2014‐9047. https://cve.mitre.org/cgi‐bin/cvename.cgi?name=2014‐9047 (accessed 24 October 2018).
  31. MITRE. (2015). CVE‐2015‐3456. https://cve.mitre.org/cgi‐bin/cvename.cgi?name=cve‐2015‐3456 (accessed 24 October 2018).
  32. Modi, C., Patel, D., Borisaniya, B. et al. (2013). A survey on security issues and solutions at different layers of cloud computing. The Journal of Supercomputing 63: 561–592.
  33. Mogull, Rich. (2014). The future of security. Securosis.
  34. Muhammad, Kazim, Rahat, Masood, and Awais, Shibli Muhammad. (2013). Securing the virtual machine images in cloud computing. 6th International Conference on Security of Information and Networks (SIN 2013). Aksaray‐Turkey: ACM‐SIGSAC.
  35. Murphy, Grant. (2014). OpenStack security. Red Hat product security. https://www.youtube.com/watch?v=VrXup6wr7EQ.
  36. O'Connor, Fred. (2014). Rackspace DNS recovers after DDoS brings system down. https://www.computerworld.com/article/2862982/rackspace‐dns‐recovers‐after‐ddos‐brings‐system‐down.html (accessed 24 October 2018).
  37. Okubo, T., Wataguchi, Y., and Kanaya, N. (2014). Threat and countermeasure patterns for cloud computing. In: Proceedings of 2014 IEEE 4th International Workshop on Requirements Patterns (RePa), 43–46. IEEE.
  38. Ristenpart, Thomas, Tromer, Eran, Shacham, Hovav et al. (2009). Hey, you, get off of my cloud: exploring information leakage in third‐party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, 199–212. ACM.
  39. Ros, J. (2012). Security in the Cloud: The Threat of Coexist with an Unknown Tenant on a Public Environment. Royal Holloway University of London.
  40. SecureAuth Labs. (2011). MS HyperV persistent DoS vulnerability. https://www.secureauth.com/labs/advisories/hyperv‐vmbus‐persistent‐dos‐vulnerability (accessed 24 October 2018).
  41. Shahin, A.A. (2014). Polymorphic worms collection in cloud computing. International Journal of Computer Science and Mobile Computing 3 (8): 645–652.
  42. Shoaib, Yasir and Olivia, Das. (2014). Pouring cloud virtualization security inside out. arXiv preprint arXiv:1411.3771.
  43. Stallings, W. and Brawn, L. (2008). Computer Security: Principles and Practice. Pearson Education.
  44. Szefer, Jakub, Jamkhedkar, Pramod, Perez‐Botero, Diego et al. (2014). Cyber defenses for physical attacks and insider threats in cloud computing. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, 519–524. ACM.
  45. Tangwongsan, S. and Itthisombat, V. (2014). A highly effective security model for privacy preserving on cloud storage. In: Proceedings of the 2014 IEEE 3rd International Conference on Cloud Computing and Intelligence Systems (CCIS), 505–509. IEEE.
  46. Tsai, H.‐Y., Siebenhaar, M., Miede, A. et al. (2011). Threat as a service?: virtualization's impact on cloud security. IT Professional 14: 32–37.
  47. Watson, M.R., Marnerides, A.K., Mauthe, A. et al. (2014). Towards a distributed, self‐organising approach to malware detection in cloud computing. In: Self‐Organizing Systems (ed. M. Hirsch, T. Dunkelberger and C. Snyder), 182–185. Springer.
  48. Wu, Hanqian, Ding, Yi, Winer, Chuck et al. (2010). Network security for virtual machine in cloud computing. In: Proceedings of the 5th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), 18–21. IEEE.
  49. Wueest, Candid. (2014). Threats to virtual environments. Symantec.