Nowadays, the use of cloud technology for various needs has expanded considerably. Data, servers and applications serving companies and individuals can be accessed from remote locations, which lead to concerns regarding privacy and security of information. In this paper we will discuss the threats, challenges and guidelines in the cloud computing environment facing security and privacy issues. In terms of security, the handling of these issues will be discussed in: infrastructure, data and storage. In other hand, privacy will be treated according to the right of individuals to “know what is known to them” to be aware of the information stored about them, to control the way this information is communicated and to prevent misuse of it.
The Internet is the most commonly used technology today. This has made day-to-day increase of user requests for different services. Cloud computing is a general term for the delivery of hosted services over the internet. Cloud computing enables companies or users to use a resource, such as a virtual machine, storage or an application, as a utility rather than having to build and maintain computing infrastructures in house. This paper treats security and privacy issues regarding to data and infrastructure in three service models of cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). As well, it treats the same issues in four deployment models: Private, Public, Hybrid and Community.
Despite the great use and benefits offered, there are concerns over security and privacy issues in the cloud. In this paper we will try to answer the questions: “How secure is cloud computing environment?”.
1. SECURITY ISSUES IN CLOUD SERVICE MODELS
There are three cloud computing service models: SaaS, PaaS and IaaS, which provides software as a service, platform as a services and infrastructure as a service to end users or customers. Fig. 1 shows these three service models are built on top of each other.
There is a number of security issues associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers (organizations providing software, platform, or infrastructure-as-a-service via the cloud) and security issues faced by their customers .
In this part of this paper clearly indicates major security issues based on these service models and what needs to be addressed by implementing appropriate countermeasures.
A. SECURITY ISSUES IN SaaS
Software as a service (SaaS) is a software distribution model in which a third-party provider hosts applications and makes them available to customers over the Internet. The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a client interface, such as a web browser (web-based email), or a program interface. It is well cited by the NIST that “The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user speciﬁc application conﬁguration settings “.
In term of SaaS, a consumer needs to depend on the service providers for data security and service providers have to be responsible for providing proper security mechanism to protect data and applications. In this model data is being stored in cloud along with others companies or individuals data. The cloud service providers may replicate data in various places for data availability and efficiency. As a result, there arise some security issues such as: how is being data stored and where, what types of security are being provided for data manipulation and storage. There are some key security basics needed to be considered during SaaS deployment and development. The basic properties of information security are CIAAN (Confidentiality, Integrity, Availability, Authenticity and Non-repudiation) . Some of them are explained below:
- · Data Security: Data stands out as one of the most important assets in today’s technology and it is must be kept secure. In SaaS scenario, data resides in the database which is outside the boundary of the enterprise because and depends on the provider for proper security measures. SaaS applications deal with security challenges, because they are hosted on third-party infrastructure and they operate running third-party application code . SaaS consumers have no idea “how strong the access control system is?” to prevent unauthorized access. The transmission channel between SaaS providers and users is not considered always secure. Some providers only use SSL during login session, leaving user data unprotected in following sessions. In addition, data backup and recovery should be taken into consideration by SaaS provider to minimize the impact of accidents.
- · Data Confidentiality: Privacy and confidentiality issues are taken placed when data shares between various users, devices and applications. Here multi-tenancy and multitasking (resource sharing and sharing processing resources: CPU – Central Processing Unit) presents a number of confidentiality threats and risks. Data confidentiality in cloud environment is often related to user authentication. Users often expect providers to be the ones who protect their data from unauthorized access, and sensitive data will therefore remain private. They also assume that third parties like governments will not be interested in their data and hope the activities are not monitored . For overall system security software and data confidentiality is also important to prevent unauthorized use of data.
- · Data Integrity: Data integrity ensures that data are being integral and modified by only authorized entities. Due to increasing number of entities and access points in cloud, authorization becomes crucial that only authorized entities interact with data. Two very important dimensions of integrity are completeness and correctness . If cloud system resources are not properly segregated among clients then some security issues arise for data integrity. Inadequate encryption and week key management scheme can also lead to security breach.
- · Availability: It refers to reliable and timely access to information . Tupper states that “The essence of a Software-as-a-Service (“SaaS”) or hosted-services agreement is availability.”, and by no means the customer only wants to reach to its application through internet and then it is the output of the application that makes the difference on whether it fulfills the requirements of the customer . Cloud services access on demand by authorized parties even if some authorized entities misbehave or any security breaches. To test availability of the SaaS vendors need to consider authentication process and session management weakness issues. There are other issues that need to be considered such as: data and information service lock in, bandwidth and connectivity speed over the network in cloud services.
As identified throughout this paper and according to Intel, SaaS security controls fall into three main categories: Identity and access management control, Application and data control, Logging and monitoring controls . Regarding this the main focus should be concentrated around these concerns and potential risks should be monitored in order to provide best efficiency.
The basic properties of information security are CIAAN
(Confidentiality, Integrity, Availability, Authenticity and Non-repudiation).
B. SECURITY AND PRIVACY ISSUES IN PaaS
Platform as a service (PaaS) is a cloud computing model in which a third-party provider delivers hardware and software tools. Relieving users from the tensions of participating in hardware, operating systems, web servers and other components  gives the customers the opportunity to take care more of the essential needs that they operate with and with the part of development and deployment of application. The PaaS provider hosts the hardware and software on its own infrastructure. PaaS is a collection of related services for creating and deploying software on cloud, so it is not a single technology. PaaS offerings manage user subscriptions, security, resource metering, role-based security and other share services. Attributes that characterize PaaS have been shown in Table 1 along with their functionalities.
Efficient use in cloud environments is usually followed by heterogeneous hardware and software resources . This often leads to high-level system homogeneity, causing difficulties as the same infrastructure is used to support different tenants , each with specific requirements in system and protection.
Elements that characterize PaaS security platform are as follows:
- · Information processing: This is the stage where one is creating data and rest of the web uses it. Creation of data may happen live on remote server. So the document can be intercepted. PaaS provides security when this data is in stored format, which clearly states that the problem is during processing stage.
- · Information interactivity: This is the process of sharing data across the board. Interaction can go with personal computers, networks, devices like phone and so on. This interaction connects confidential data in local network with the web where most of them can access and hence security issue comes in.
- · Data Storage: This specifies the hosting aspect of Cloud. Several mechanisms in PaaS allow multiple applications to be encrypted to prevent data leakage. Verification is hard as data is in shared servers.
While PaaS Security Issues that can be considered are:
- · Interoperability
- · Host Vulnerability
- · Object Vulnerability
- · Access Control
- · Privacy-Aware Authentication
In the online world, privacy issues are increasingly important. This represents a huge challenge for all stakeholders since this includes legal and commercial issues.
Standards development organizations (SDOs) are working to mitigate privacy risks in the cloud, including the role of privacy-enhancing technologies (PETs) . This increase user confidence and economic development.
Privacy is the ability for the user to control the information that he offers about himself to the service provider. He should be able to regulate access to his information  i.e. to determine who can use that information. Personal data should be protected from risks such as use, loss, destruction, modification, disclosure and unauthorized access to the data. Since PaaS provides tools supported by a cloud provider to enable developers to set up apps, developers don’t have knowledge of the physical location of the server or how the processing of personal data is configured. So they use the services without knowing about processes that they are involved. Is easily to manipulate and lost control of data in the cloud, so storing personal data on a server somewhere in cyberspace could pose a major threat to individual privacy .
A great responsibility falls on developers to use the best privacy practices. On the other hand they have to rely on PaaS’s credibility.
Let suppose that some developers have developed a cloud application that creates all the data before being saved within the new space provided by PaaS. In this case, developers should believe that the platform is not compromised otherwise the attackers may have access to the clear text (before encryption happens)  because it can control the execution environment. For this reason encryption is recommended before the data is sent to the PaaS cloud providers. Although PaaS can be inherently secure, the risk is slow system performance.
Generally, more user-specific information than necessary is requested during conventional authentication. Users should not leave more trace than necessary to protect their privacy where the resources are spread over several hosts. Proxy certificates can help to reduce the risk of revealing excess attributes. Two requirements must be met during privacy-aware authentication with proxy certificates. First, hosts and objects should not request more attributes than the required amount. This depends on how access control policies are defined. Policies for the hosts and objects are defined by the service providers and the users , respectively. If more attributes than required is requested, the only practical solution is negotiating the service terms. Second requirement is easily configurable trustworthy credentials that reveal as much data as the identity owners permit. This can be achieved with the help of a trusted third party. Proxy certificate authorities (PCAs) can handle dynamic generation of attribute-based credentials based on genuine certificates and witness that a user holds the required attributes.
C. SECURITY AND PRIVACY ISSUES IN IaaS
Infrastructure as a service (IaaS) is a form of cloud computing that provides virtualized computing resources over the internet. The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software. The resources to prearrange can include operating systems and applications . The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g. host ﬁrewalls).
Characteristics and components of IaaS include:
- · Utility computing service and billing model.
- · Automation of administrative tasks.
- · Dynamic scaling.
- · Desktop virtualization.
- · Policy-based services.
- · Internet connective
Security Model for IaaS (SMI) as a guide for assessing and enhancing security in each layer of IaaS delivery model is shown in Fig.3.
Cloud providers try to do their best when it comes to guarantee the security and reliability of the infrastructure offered. Providers generally keep a properly configured and well patched infrastructure , but often this is a quite difficult task to keep up with. That is why they often limit their services in order to standard the security measures .
Security threats in IaaS can come both from inside and outside of the organization.
Some of the aspects of IAAS security will be discussed below:
- · Insider threats: Considering that employees of the cloud service provider have direct access to networks and hardware, those insiders are a potential threat. A malicious employee can cause damage by stealing, changing or deleting data from the platform , as well as causing other intentional hardware damage to the servers itself.
- · Networking issues: In IaaS, cloud service providers are responsible to monitor networking in order to maintain adequate level of Quality of Service. Due to complexity of cloud computing architecture networking is often exposed to possible attacks like: intrusion backdoor, session hijacking, authentication etc. The article  has thoroughly explained Intrusion detection and protection in cloud.
- · Encrypted communication channels to cloud storage: Cryptographic algorithms allow cloud storage customers to encrypt data before insertion to cloud and decrypt them after moving these data back to their systems. However, such algorithms are not effective enough  when customers intent to use these data within the cloud. That is because simply encrypting the data does not mean that information cannot be inferred from careful observation of the data stream, or of the storage devices under the cloud provider’s control.
- · Resource sharing: In  is assumed that “The cloud provides an environment in which competitors may find themselves relying on the virtualization layer’s ability to ensure isolation to ensure that their competitors cannot access their data or influence their operations”. However, this does not stand well when we are accessing resources provided in IaaS. Considering that resources that are allocated to a corporate, instantiated in some physical infrastructure may contain resources that are allocated to another corporate user. In such a case, it is quite possible that two competitors may be allocated resources on the same physical infrastructure.
- · Data leakage protection and usage monitoring: Data stored in an IaaS infrastructure in both public and private clouds needs to be closely monitored . Data loss and leakage due to malicious acts or accidents at the providers end are very critical. This is especially true when you’re deploying IaaS in a public cloud. It is important to know who is accessing the information, how the information was accessed (from what type of device), the location from which it was accessed (source IP address), and what happened to that information after it was accessed. Furthermore, extensive observation should be considered during daily backups . These problems are often solved by using modern Rights Management services and applying restrictions to all information that is considered business critical.
Cloud providers and customers share different responsibilities when it comes to the different cloud hosting models.
II. DEPLOYMENT MODELS OF CLOUD COMPUTING
Cloud computing services can be offered in a variety of models. It is the nature of the services, data that is released and sensitivity of the system which leads to the rights decision on what is the most appropriate deployment model for a particular individual or organization. Therefore, it is important to discuss these models as per security and privacy issues.
Public Cloud is the most widely known model, which offers services over the public internet. The services are available to anyone who wants to use or purchase them . The user does not have control over where the cloud infrastructure is hosted  that is why all users share the same infrastructure.
Private Cloud does not provide access to all users. It is mainly used to serve internal purposes of the organizations. This approach is suggested for high-security and critical systems. Private cloud can be both of on-premises and off-premises , depending on whether it is established and managed by the customer (organization) itself or it is outsourced to another vendor.
Community Cloud is the deployment model which is shared by different organizations and supports concerns belong to a specific community . It is a very promising model because it combines public cloud and private cloud, making an advantageous model to security and privacy of data.
Hybrid Cloud makes a combination of public and private cloud as well, where some data resides on the private cloud environment and some other in the public cloud environment. Hybrid cloud makes a good model to help businesses store critical applications and data .
Below is given a comparison table with main issues of cloud computing on cloud deployment models.
-  MiCoreSolutions, “Cloud Computing Service Models”,” [Online]. Available: https://micoresolutions.com/moving-database-to-cloud/. [Accessed 1 December 2018].
-  S. Bhowmik, “Cloud Security”,” in Cloud Computing, Cambridge University Press, 2017, pp. 270-290.
-  ” NIST SP 800-145″. 2011.
-  F. Y. Y. Y. S. Pushpinder Kaur Chouhan, “Software as a Service: Analyzing Security Issues”,” in International Conference on Big Data and Analytics for Business, 2015.
-  E. B. E. G. L. J. N. Shachaf Levi, “SaaS Security Best Practices: Minimizing Risk in the Cloud”,” Intel, 2015.
-  D. H. Martinez, “Privacy and Confidentiality Issues in Cloud Computing Architectures”,” Polytechnic University of Catalonia, Barcelona, 2013.
-  A. S. K. Mayuri R. Gawande, “Analysis of Data Confidentiality Techniques”,” IJCSMC, 2014.
-  S. Tupper, “Availability is the Essence of SaaS IT Agreements”,” 2016.
-  G. R. Devi T, “Platform-as-a-Service (PaaS): Model and Security”,” Indonesian Journal of Electrical Engineering, 2015.
-  A. E. H. Mehmet Tahir Sandıkkaya, “Security Problems of Platform-as-a-Service (PaaS)”,” in International Symposium on Reliable Distributed Systems, 2012.
-  J. J. G.-J. A. Hassan Takabi, “Security and Privacy Challenges in Cloud Computing Environments”,” IEEE, pp. 26-29, 2010.
-  M. Azure, “Public Cloud – Definition”,” [Online]. Available: https://azu re.microsoft.com/en-gb/overview/what-is-a-public-cloud/. [Accessed 3 Dec 2018].
-  O. A. A. A. O. T. O. O. Awodele O, “Security and Privacy Issues in Cloud Computing”,” in Communications in Applied Electronics, 2017.
-  I.-T. Technology, “Privacy in Cloud Computing”,” 2012.
-  N. A. Harshpreet Singh, “Cloud Computing Security and Privacy Issues- A Systematic Review”,” International Journal of Control Theory and Applications, 2016.
-  B. Kleyman, “Data Center Knowledge”,” 13 October 2014. [Online]. Available: https://www.datacenterknowledge.com/archives/2014/10/13/explaining-community-cloud. [Accessed 12 January 2019].
-  J. B. A. G. Rajkumar Buyya, Cloud Computing Principles and Paradigms, Wiley, 2011, pp. 123-.
-  “esecurityplanet”,” 16 March 2017. [Online]. Available: https://www.esecurityplanet.com/network-security/iaas-security-threats-and-protection-methodologies.html. [Accessed 20 January 2019].
-  “Secure Shell”,” [Online]. Available: https://www.ssh.com/cloud/iaas/. [Accessed 26 January 2019].
-  K. Narayan, “Dark Reading”,” 24 February 2017. [Online]. Available: https://www.darkreading.com/cloud/iaas-the-next-chapter-in-cloud-security/a/d-id/1328202. [Accessed 26 January 2019].
-  M. L. M. K. B. D. M. H. K. M. K. K. K.-K. R. C. Salman Iqbal, “On Cloud Security Attacks: A Taxonomy and Intrusion Detection and Prevention as a Service”,” Journal of Network and Computer Applications, 2016.
-  A. A. T. Z. El Bawmany Chawki, “IaaS Cloud Model Security Issues on Behalf Cloud Provider and User Security Behaviours”,” in The 2nd International Workshop on Big Data and Networks Technologies, 2018.
-  P. P. G. K. R. S. S. B. Pragati Chavan, “IaaS Cloud Security”,” in International Conference on Machine Intelligence Research and Advancement, 2013.
-  K. N. M. B. Brian Hay, “Storm Clouds Rising:”,” in Hawaii International Conference on System Sciences, 2011.
-  iCoreSolutions, “Cloud Computing Service Models”,” [Online]. Available: https://micoresolutions.com/moving-database-to-cloud/. [Accessed 1 December 2018].
-  S. Bhowmik, “Cloud Computing”, Cambridge University Press, 2017, pp. 270-290.
-  ” NIST SP 800-145″. 2011.
-  F. Y. Y. Y. S. Pushpinder Kaur Chouhan, “Software as a Service: Analyzing Security Issues”, International Conference on Big Data and Analytics for Business, 2015.
-  E. B. E. G. L. J. N. Shachaf Levi, “SaaS Security Best Practices: Minimizing Risk in the Cloud”, Intel, 2015.
-  D. H. Martinez, “Privacy and Confidentiality Issues in Cloud Computing Architectures”, Polytechnic University of Catalonia, Barcelona, 2013.
-  A. S. K. Mayuri R. Gawande, “Analysis of Data Confidentiality Techniques”, IJCSMC, 2014.
-  S. Tupper, “Availability is the Essence of SaaS IT Agreements”, 2016.
-  G. R. Devi T, “Platform-as-a-Service (PaaS): Model and Security” Indonesian Journal of Electrical Engineering, 2015.
-  A. E. H. Mehmet Tahir Sandıkkaya, “Security Problems of Platform-as-a-Service (PaaS)”, International Symposium on Reliable Distributed Systems, 2012.
-  J. J. G.-J. A. Hassan Takabi, “Security and Privacy Challenges in Cloud Computing Environments”, IEEE, pp. 26-29, 2010.
-  M. Azure, “Public Cloud – Definition” [Online]. Available: https://azu re.microsoft.com/en-gb/overview/what-is-a-public-cloud/. [Accessed 3 Dec 2018].
-  O. A. A. A. O. T. O. O. Awodele O, “Security and Privacy Issues in Cloud Computing”, Communications in Applied Electronics, 2017.
-  I.-T. Technology, “Privacy in Cloud Computing” 2012.
-  N. A. Harshpreet Singh, “Cloud Computing Security and Privacy Issues- A Systematic Review”, International Journal of Control Theory and Applications, 2016.