This reflective annotated bibliography synthesizes six peer-reviewed articles examining security challenges in cloud computing environments. The sources address virtualization vulnerabilities and hypervisor risks, data protection and privacy concerns in public cloud services, security issues in SaaS platforms, current research directions through systematic mapping studies, realistic security expectations across service models (SaaS, PaaS, IaaS), and adoption barriers in developing regions. The annotations evaluate each source's contribution, writing quality, research methodology, and relevance to understanding the gap between cloud computing's operational benefits and persistent security concerns that inhibit broader enterprise adoption.
This article focuses on cloud-based services and the security measures built into them. The authors examine how cloud-based service providers are working toward proprietary software and management techniques for achieving stronger isolation and security guarantees while maintaining performance and features. The article explains the difficulty customers face in determining whether a specific service will fulfill their needs, then delves into the technical details of virtualized environments and hypervisors—the foundation that makes them possible. Security issues are presented section by section, describing how each component could be attacked to compromise the system as a whole. The authors conclude that cloud providers need to be more transparent about the techniques and software they use so consumers can make informed decisions about the services' full advantages and risks.
Cloud Computing, Hypervisor, OS Kernel, Software Stack, Sandbox, Trusted Computing Base (TCB), Virtualization, Utilization
This source provided a substantial leap in understanding cloud services and virtualized environments. The authors explain in great detail the individual components of virtual platforms and the Trusted Computing Base, which can include the hypervisor, host OS, VM, administration tools, virtualized drivers, and device emulation. The student agrees that with so many moving parts in cloud services, it would be difficult for non-experts to intelligently assess potential security issues or determine whether a product will achieve desired outcomes. The article's structure is noteworthy: it first describes the amazing benefits of cloud computing, then systematically details scenario after scenario of potential security compromises. This creates ambiguity about whether the authors are promoting or warning readers about cloud services. The quotation about shared infrastructure opening questions about defense against new attack vectors is particularly relevant to understanding why comprehensive security remains elusive in cloud environments.
"Shared infrastructure opens questions as to the best defenses to use against new and poorly understood attack vectors." (Nanavati, Colp, Aillo, & Warfield, 2014, p. 70)
"However, such convenience [of cloud services] comes at a price, as users must now trust the provider to 'get it right' and are largely helpless in the face of provider failures." (Nanavati, Colp, Aillo, & Warfield, 2014, p. 71)
"Virtualization is at the forefront of this shift to cloud-hosted services, a technique for machine consolidation that helps co-locate multiple application servers on the same physical machine." (Nanavati, Colp, Aillo, & Warfield, 2014, p. 71)
"The trust customers place in the security and stability of hosting platforms is, to a large degree, trust in the correctness of the virtualization platform itself." (Nanavati, Colp, Aillo, & Warfield, 2014, p. 72)
"Worse, virtualization exposes users to the types of attacks typically absent in non-virtualized environments. Even without a compromise of the virtualization platform, shared hardware could store sensitive state that is inadvertently revealed during side-channel attacks." (Nanavati, Colp, Aillo, & Warfield, 2014, p. 72)
"While providers have no incentive to undermine their users' operations (their business indeed depends on maintaining user satisfaction), the carelessness or maliciousness of a single, well-placed administrator could compromise the security of an entire system." (Nanavati, Colp, Aillo, & Warfield, 2014, p. 77)
The author describes how public clouds benefit corporations through flexibility to deliver the exact amount of resources dynamically at vastly reduced cost. Public cloud services are offered free or on a pay-per-usage structure. Key benefits include ease of use, inexpensive startup costs, scalable structure, and paying only for resources consumed. The term "public cloud" was created to differentiate the standard model from the private cloud, which is a proprietary network or data center using cloud-computing technologies such as virtualization. Despite these advantages, the infrastructure has significant faults. With customers unaware of where their data is stored over the internet, the primary concern is the security and storage of client data. The article describes security concerns and proposes multiple potential solutions.
DDoS, Private Cloud, Public Cloud, SaaS, SQL Injection
The journal reads as though it were edited by a non-native English speaker. Word flow is confusing, with missing proper uses of plurals, conjunctions, and other grammatical rules, making an already difficult technical article even harder to follow. However, the authors' introduction effectively explains the multiple benefits of cloud computing while simultaneously noting it is not suitable for everyone. The article establishes a good baseline description of cloud computing and its infrastructure, then explains why this platform is so difficult to secure from both external and internal threats to privacy. The third section reports findings from security testing via computer simulation. The use of charts helps readers quickly grasp the data results presented.
"In spite of all the possible security and privacy risks, Cloud Computing is believed to be beneficial for the public and private IT organizations." (Waleed, Chunlin, & Naji, 2014, p. 3313)
"Basically, there exist three kinds of cloud computing: service platform, infrastructure as a service and software service. The information flow is usually provided within the network and by means of central and remote servers." (Waleed, Chunlin, & Naji, 2014, p. 3315)
"Cloud computing is favorable in terms of ability to achieve economies of scale. It allows increasing production output with fewer people. Respectively, the cost of projects is also slightly reduced because of that." (Waleed, Chunlin, & Naji, 2014, p. 3315)
"[The cloud] is easy to use and there is no need for personnel training. Minimizing licensing of software through cloud computing improves company flexibility." (Waleed, Chunlin, & Naji, 2014, p. 3316)
"There is a great chance of choosing an ineffective cloud computing vendor who will offer inflexible packages." (Waleed, Chunlin, & Naji, 2014, p. 3316)
"Indisputably, every particular organization is prone to threats, because competing companies are targeted to drive their rivals out of the market, gaining competitive advantage over them. Generally, network security threats can combine various risks, problems and attacks, which are very frequently called security vulnerabilities." (Waleed, Chunlin, & Naji, 2014, p. 3317)
All emerging technologies bring issues and challenges; cloud computing is no exception. The characteristics discussed include scalability, elasticity, self-service, ubiquitous access, complete virtualization, relative consistency, and commodity. Security issues in cloud computing include reliability, accessibility, and multi-tenancy. Consumers of cloud services identify loss of physical control and resource sharing as the highest risk factors; this paper identifies those issues and describes potential mitigation strategies. Security practices, assessments, training, and policies are described in relation to SaaS environments. Identity Access Management (IAM) functions are reviewed in relation to data security, privacy, and governance.
Elasticity, Encryption, IaaS (Infrastructure as a Service), IAM (Identity Access Management), PaaS (Platform as a Service), Privileged User Access, SaaS (Software as a Service), Ubiquitous
This document appears either directly translated to English or insufficiently edited by native English speakers. The article explains and describes security issues in the cloud without providing real information on how to combat them. It functions more as a general informational research paper, giving readers a better grasp of security issues that may arise, mainly in SaaS products. This would be a good read for managers and executives in companies considering expansion into cloud computing, as it provides a solid overview of main points. The article addresses all major security and data concerns and briefly describes how the most popular cloud service, SaaS, works.
"With cloud, the person will lose control over physical security of data. With public cloud, an enterprise or person is sharing computing resources with other enterprises, where we don't know about the location or place where our resources are being accessed or shared." (Meva & Kumbharana, 2014, p. 108)
"SaaS is dominating cloud service requirements now and will remain dominant in the future. This is the area where it is required to provide more insight on security." (Meva & Kumbharana, 2014, p. 108)
"One of the most important actions is to prepare a complete agreement for security organization and program. This will introduce a vision in a team about what security leadership is driving towards and expects." (Meva & Kumbharana, 2014, p. 109)
"Secure SDLC incorporates identification of threats and risks, followed by design and implementation aspects relevant to threats and risks." (Meva & Kumbharana, 2014, p. 109)
"Lack of proper management and governance results in potential security risks left unaddressed." (Meva & Kumbharana, 2014, p. 109)
"Identity and access management are important functions for any organization." (Meva & Kumbharana, 2014, p. 110)
Cloud computing applications are widely used, though growth has slowed recently due to security issues. This paper reviews research to assess the current state of cloud security research and practice. The authors conducted a systematic mapping study to analyze existing research about security in cloud computing, identify the state of the art, and suggest future directions. A total of 344 papers were chosen and categorized by security goal, research type, and contribution type. Different security issues investigated include data protection, access management, software isolation, availability, trust, and governance. Cloud computing has substantial potential for additional security-focused research.
Cryptographic, CC (Cloud Computing), DDoS (Distributed Denial of Service), Encryption Protocols, NIST (National Institute of Standards and Technology), Shared Pool, Software Isolation
The main purpose of this paper was to compile a massive number of existing research documents, analyze them, and organize them into a database to identify future directions for cloud security research. The first half of the article describes in exhaustive detail how the authors researched the subject and categorized the papers, while covering very little content on the actual subject matter. As suggested by the title, they mapped this data across numerous tables, graphs, and charts to highlight main points from previous research. This paper excels at providing a broad view of current security advances and shortfalls the industry has made in recent years. The authors write similarly to how an "I Research" paper would be structured, telegraphing the flow of their research process. This paper will be invaluable for finding additional sources by reviewing the vast number of references cited.
"Despite the research that has been carried out in the field of CC security, it is necessary to assess the current state of research and practice in order to provide practitioners with evidence that will enable them to focus on its further development." (Zapata B, Fernández-Alemán J, & A., 2015, p. 162)
"There are different approaches for classification of security aspects in cloud computing. Fernandes et al. propose a taxonomy that covers eight categories: software, storage and computing, virtualization, Internet and services, network, access, trust, and compliance and legality." (Zapata B, Fernández-Alemán J, & A., 2015, p. 166)
"Data protection is related to privacy, integrity and confidentiality topics. To achieve data protection authors address privacy managers, encryption schemes (34 papers), audit practices (16 papers), noise generation strategies (5 papers) or storage methodologies (4 papers)." (Zapata B, Fernández-Alemán J, & A., 2015, p. 170)
"Identity management is covered most by access control architectures, even so, alternative issues can be found such as watermarking methods, authentication frameworks or encryption schemes. Software isolation is done by virtualization techniques." (Zapata B, Fernández-Alemán J, & A., 2015, p. 170)
"96 out of 344 papers propose methods (27.91%). The methods are secure communication protocols, cryptographic algorithms with which to encrypt data and measures to detect problems in system integrity or to measure the trustworthiness of the cloud resources." (Zapata B, Fernández-Alemán J, & A., 2015, p. 171)
Cloud computing is becoming an attractive option for businesses to scale their IT departments. As a concept, cloud computing is well received because of the benefits it offers, but many users are unclear about the scope of security in cloud computing. Multiple surveys reveal that businesses still see security as their main concern despite cost advantages. Information from over 50 research articles and technical white papers over the past five years was integrated into this article. The main focus is to discuss the justification for expecting adequate security features in cloud services. The three types of cloud services—SaaS, PaaS, and IaaS—are described in detail. The article concludes with relevant legal information related to cloud computing.
Cloud Computing, CSA (Cloud Security Alliance), SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service)
The journal reads similar to an "I Research" paper. The author reviewed a large number of articles, with almost every other line ending with a reference. This is a well-researched document that expressed more security concerns than one might initially consider. The author's trend is to portray the vast fragmentation in the level of security strength throughout different vendors. It describes the differences in security vulnerabilities across the three types of cloud services. The author presumes that cloud computing is not mature based on the lack of established case law for dealing with it, then cites cases where defendants used the cloud to harm plaintiffs. This again demonstrates that more than just security risks are involved for cloud computing customers. However, the types of cases listed would still have been presented in court if defendants had used their own servers instead. The final half displays multiple graphs and charts showing various metrics for testing cloud efficiency. More work could have been done to ensure all charts display the same degree of clarity and understanding.
"Today's cloud computing has three basic types: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In the simplest of terms, 'cloud computing' has come to embody SaaS." (Srinivasan, 2013, p. 48)
"The four cloud deployment models are public cloud, private cloud, hybrid cloud, and community cloud. The most common cloud deployment model is the public cloud." (Srinivasan, 2013, p. 49)
"One of the challenges for any new technology is the availability of global standards. Cloud computing is evolving rapidly but there are not many commonly accepted standards yet." (Srinivasan, 2013, p. 51)
"This feature provides the business a cost-effective solution to store as much data as necessary and at the same time provide related data backup, recovery and business continuity benefits. However, it also introduces the risk of not having full control over the data storage as it is physically outside the control of the business." (Srinivasan, 2013, p. 51)
"These customers' data could be accidentally or maliciously disclosed by systems administrators on these cloud systems where they are privy to large volumes of data." (Srinivasan, 2013, p. 52)
"In the traditional model, the end user had control over the creation, maintenance and deletion of a document. In the cloud environment, the end user is spared the trouble of maintaining the computing system and reaps the benefits of the application software." (Srinivasan, 2013, p. 56)
"We expect more and more customers are going to be sensitive to the potential of data leakage from the cloud, which is not a problem if they had their own computing resources. The customer must hold the encryption key in their system at their place of business and not place it on the cloud, even if it is in their virtual server." (Srinivasan, 2013, p. 60)
"Regional adoption challenges and shared security responsibility"
You’re 81% through this paper. Sign up to read the remaining 1 section.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.