
Cloud Security and Security Challenges Revisited

Fabian Süß, Marco Freimuth, Andreas Aßmuth, George R. S. Weir, Bob Duncan

TL;DR

The paper revisits cloud security threats by organizing them into cloud infrastructure, data transport, and client-end vectors, and assesses their severity using the CVSS framework. It provides base and temporal CVSS scores for each attack class and presents a ranking of the top security challenges, with malware infection at the cloud infrastructure as the highest risk (8.12), followed by unauthorized access (7.73) and Man-in-the-Middle attacks (7.54). The analysis includes concrete examples (e.g., memcached-driven DDoS on GitHub, Exactis/MEGA incidents, GitLab data losses) and practical mitigations such as patch management, MFA, encryption, end-to-end TLS/HSTS, redundant backups, and sandboxing. The work highlights the importance of considering not only cloud-provider controls but also data in transit and client endpoints, and it suggests using environmental metrics and CVSS calculators to tailor risk assessments to specific deployments.

Abstract

In recent years, Cloud Computing has transformed local businesses and created new business models on the Internet, and Cloud services are still flourishing. But after the emphatic hype in the early years, a more realistic perception of Cloud services has emerged. One reason for this surely is that today, Cloud Computing is considered an established and well-accepted technology and no longer a technical novelty. But the second reason for this assessment might also be the numerous security issues that Cloud Computing in general or specific Cloud services have experienced since then. In this paper, we revisit attacks on Cloud services and Cloud-related attack vectors that have been published in recent years. We then consider successful or proposed solutions to cope with these challenges. Based on these findings, we apply a security metric in order to rank all these Cloud-related security challenges concerning their severity. This should assist security professionals in prioritizing their efforts toward addressing these issues.

Paper Structure (14 sections, 11 tables)