
Archives of Computational Methods in Engineering (2022) 29:223–246
https://doi.org/10.1007/s11831-021-09573-y

SURVEY ARTICLE

Security Threats, Defense Mechanisms, Challenges, and Future Directions in Cloud Computing

Said El Kafhali (1) · Iman El Mir (2) · Mohamed Hanini (1)

Received: 25 August 2020 / Accepted: 13 March 2021 / Published online: 7 April 2021
© CIMNE, Barcelona, Spain 2021

Abstract
Several new technologies such as smart cities, the Internet of Things (IoT), and 5G networks need the services offered by cloud computing to process and store ever more information. Hence, the heterogeneity of the new companies that use these technologies adds many vulnerabilities and security concerns to the cloud paradigm. Presently, cloud computing involves every component, such as end-users, networks, access management, and infrastructure. Without a clear vision of the cloud infrastructure, security communities struggle with problems ranging from duplicated data to failing to identify security threats in a timely way, and from loss of control over protection and data access to meeting regulatory compliance. With cloud computing becoming part of our everyday life and of our digital computing environment, we look forward to rapid new development in the computational capabilities provided by cloud computing paradigms. In this paper, we first provide an architecture tutorial on cloud computing technology, including its essential characteristics, service models, deployment models, and cloud data center virtualization. Second, we present cloud computing security issues and frameworks and, through a comprehensive survey, we characterize and summarize the efforts made in the literature to find solutions to these security issues. Third, we categorize the various attacks in the cloud and the privacy challenges. Fourth, we summarize the efforts made in the literature on defense mechanisms and mitigation solutions for security assessment. Finally, we discuss open issues in cloud security and propose some future directions.

* Corresponding author: Said El Kafhali, said.elkafhali@uhp.ac.ma
Iman El Mir, ielmir@uae.ac.ma
Mohamed Hanini, haninimohamed@gmail.com
1 Faculty of Sciences and Techniques, Computer, Networks, Mobility and Modeling Laboratory: IR2M, Hassan First University of Settat, 26000 Settat, Morocco
2 Advanced Science and Technologies Laboratory, Computer Sciences Department, Polydisciplinary Faculty, Abdelmalek Essaadi University, Larache, Morocco

1 Introduction

Cloud computing has recently emerged as a mature area of computer technology that enables cost-effective and scalable growth of computing services. The amount of money in the cloud market is remarkable and is projected to reach 623.3 billion dollars by 2023 [1]. Many large-scale IT providers such as Amazon, Microsoft, Google, IBM, and Oracle have built and hosted cloud deployments to offer cloud solutions to many organizations and corporations. Many approaches have been designed to improve the computational domain, resource utilization, and exploitation; among these mechanisms are data grids, data clusters, and distributed database management systems. Nowadays, the cloud is a form of Internet-based computing that provides a high level of computation and enables ubiquitous on-demand access to a large shared pool of configurable computing resources [2]. Clouds allow clients to pay only for the resources they need, and to increase or decrease the number of resources requested as needed. Cloud servers help to start a business and ease its financial charges in terms of Capital Expenditure and Operational Expenditure [3]. Cloud computing has been introduced as the next-generation architecture of IT enterprises. It offers great potential capabilities that ensure improved productivity with minimal costs, and a better level of scalability and flexibility in comparison to traditional IT systems. In the cloud environment, the application software and databases are managed in large cloud data centers, whereas in the case of traditional solutions the services are delivered according to proper physical and
13
Vol.:(0123456789)
224 S. El Kafhali et al.

personnel controls. Despite the benefits offered by the cloud in terms of data storage and software delivery, the cloud poses many challenges and issues that attract attention in various research works, including security, quality of service, and cloud data center energy consumption.
Cloud users may face different security threats, which can be external or internal. The parties responsible for the security of sensitive software and system configuration are therefore the cloud users, the cloud vendors, and third-party vendors. The cloud user is responsible for security at the application level, whereas the responsibility of the provider consists of physical security and enforcement of the external firewall policies. The security of the intermediate layers of the software stack is a shared responsibility between the client and the cloud operator [4]. Moreover, the cloud faces certain internal security issues, for which cloud providers need countermeasures to block malicious activities or denial-of-service attacks launched by intruders. Other security issues lie in cloud data center virtualization, which many organizations implement. It provides them with an easier environment for system and application deployment, with a single point of control over multiple systems, role-based access, and special auditing and registration abilities for large infrastructures. Virtualization may open the door to potential threats and exploits, and it presents critical vulnerabilities that can be exploited by attackers. Indeed, the virtualized environment needs more control, security architecture, policies, and management processes. Failure can happen for various reasons: a hardware fault, malware in software, clients who execute malicious code, the breakdown of a client's application, or a third party overrunning a client's application by introducing spurious data.
Today, given the increasing need for storage and computation resources by different organizations, many novel technologies, including the Internet of Things, fog, and edge computing, treat cloud computing as their principal storage or computing component. However, it is a plain fact that this popular technology suffers from many security threats, security vulnerabilities, and challenges. Hence, cloud technology requires good and proper knowledge and better new solutions to handle each of these security threats and vulnerabilities. In this study, we reviewed several works dealing with security issues, threats, and challenges in cloud computing.
The main contributions of this study can be summarized as follows:

• We introduce the key concepts of cloud technology and all essential entities related to the architecture of cloud computing systems.
• We provide cloud security issues and frameworks based on the security state of cloud environments.
• We categorize the various attacks in the cloud and privacy challenges.
• We summarize the efforts made in the literature on defense mechanisms and mitigation solutions for security assessment.
• We characterize and summarize the efforts made in the literature to find solutions to these security issues.
• We discuss open issues in cloud security and propose some future directions.

The rest of this paper is organized as follows: Sect. 2 presents an overview of cloud computing, including its essential characteristics, different service models, and deployment models. In Sect. 3, we introduce the different technologies of cloud computing such as virtualization, the cloud data center, virtual machine (VM) migration, and its different types. Section 4 discusses the different security issues related to the cloud computing environment and reviews some countermeasures, defense mechanisms, and mitigation techniques against attacks. Section 5 presents some cloud security classifications and taxonomies. Finally, Sect. 6 presents some future directions.

2 Cloud Computing Overview

Cloud computing has successfully established itself as one of the fastest-developing service models across the Internet. According to the National Institute of Standards and Technology (NIST) [5, 6], the cloud is based on five essential characteristics, four deployment models, and three service models, as shown in Fig. 1.

Fig. 1  Cloud computing overview


Cloud computing provides several important features that differ from traditional computing, which we summarize below:

• On-Demand Self-service: Computing resources (e.g. network storage, server time) are automatically provisioned as needed without requiring human interaction with each service provider.
• Broad Network Access: Cloud resources are available over the network through standard mechanisms that promote use by heterogeneous thick or thin clients (e.g. laptop computers, smartphones, and mobile phones).
• Resource Pooling: Using a multi-tenant model, multiple consumers are served by pooling the provider's computing resources, with different virtual and physical resources dynamically assigned (e.g. storage, processing, memory, network bandwidth, and VMs).
• Rapid Elasticity: Capabilities can be provisioned rapidly and elastically to scale out and in; to the consumer they often appear unlimited and can be purchased as needed.
• Measured Service: Resource utilization is automatically controlled, monitored, and optimized at an abstraction level appropriate to the type of service used, which provides transparency between the provider and the client of the service.

All cloud resources are provided as a service to the user. Cloud computing services are offered according to three common service models: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) [7].

• Software as a Service (SaaS): The consumer uses the provider's applications, which run on a cloud infrastructure. Many client devices access the applications through a thin client interface such as a web browser. The cloud provider hosts the software on its servers and the consumer interacts with a remote server over the Internet using a local client as the communication interface. The consumer is not responsible for controlling or monitoring the infrastructure (e.g. network, operating systems, storage, servers) on which the applications run. SaaS providers include salesforce.com and Oracle CRM.
• Platform as a Service (PaaS): The consumer uses the programming languages and tools supported by the provider, and the resources rented from the provider, to deploy onto the cloud infrastructure applications or software that the consumer has created or acquired. In this delivery model, the client may control the deployment of the application and possibly the configuration of the application hosting environment, but not the cloud infrastructure. Examples of PaaS services are Google App Engine and force.com.
• Infrastructure as a Service (IaaS): The consumer can provision computing resources such as processing, storage, and networks to deploy arbitrary software, which may include operating systems and other applications. The consumer controls operating systems, storage, and deployed applications, and may control selected networking components according to defined requirements, but has no capability to manage or control the underlying cloud infrastructure. IaaS providers deliver virtualized computing resources over the Internet, for example Amazon Web Services (AWS), Microsoft Azure, and Google Compute Engine (GCE), and all services delivered by the cloud service provider (CSP) are implemented on virtual machines.

Whatever service model is adopted (IaaS, PaaS, or SaaS), cloud computing services are deployed according to four basic models, public cloud, private cloud, community cloud, and hybrid cloud, depending on how they are managed [8, 9].

• Public Cloud: The most popular type among end-users thanks to its rapid setup time and low financial cost. The cloud infrastructure is open to the general public and is shared according to demand and the form of payment. The customer uses the cloud resources over the Internet while the provider achieves economies of scale and manages the shared infrastructure. Within this deployment model, clients can select the security level they need and negotiate the service level agreement (SLA). Amazon Web Services EC2 is the most popular and most widely used example of this model. A public cloud is not reserved for any single organization; it is accessible to the general public.
• Private Cloud: The cloud infrastructure is operated solely for one organization. It may be managed by the organization or by a third party, and may be located on-premise or off-premise. The public cannot access the private cloud, and it is not shared with other organizations.
• Community Cloud: Several organizations share a cloud infrastructure to deliver cloud computing services to a community with common compliance considerations and security requirements. Hence, the community cloud offers services that are accessible to the participating organizations.
• Hybrid Cloud: A combination of two or more cloud models (private, community, or public). The organization uses both public and private cloud infrastructures. This composite environment suits organizations that have software or hardware compatibility issues with external cloud providers but want to take


advantage of the wide storage space and other cloud resources offered by public clouds.

Table 1 summarizes the advantages and disadvantages of the cloud deployment models presented above, to help make the right decision before choosing a cloud solution [10].

3 Cloud Data Center

This section gives a brief presentation of the architectural design of data centers. A data center is the home of the computation power and of resource management. It is pivotal to cloud computing and holds thousands of devices such as servers, switches, and routers. Its network architecture has a heavy impact on application performance, especially in a distributed computing environment. Furthermore, scalability and elasticity need to be carefully respected and examined.
Nowadays, the network architecture is designed using a layered approach that has been tested in the deployment of a large number of data centers. The data center architecture is formed of three principal layers, named the access, aggregation, and core layers [11]. The access layer is where the servers in racks physically connect to the network. There are typically twenty to forty servers per rack, each connected to an access switch with a 1 Gbps link. Access switches usually connect to two aggregation switches for redundancy, with 10 Gbps links. The aggregation layer generally hosts important functions such as location service, server load balancing, domain service, and more. The core layer provides connectivity to multiple aggregation switches and offers a flexible routed fabric with no single point of failure. The core routers manage traffic into and out of the cloud data center.
Generally, the network infrastructure is built on Ethernet switches and routers. In different business solutions, the layered network infrastructure can be designed to meet specific business challenges. The design of a data center network architecture should meet the following objectives [12, 13]:

• Uniform High Capacity: The maximum rate of traffic flow between servers should be limited only by the available capacity of the network interface cards of the sending and receiving servers, and the assignment of servers to hosts should be independent of the network topology. An arbitrary data center host should be able to communicate with any other host on the network at the full bandwidth of its local network interface.
• Free VM Migration: Virtualization makes it possible to migrate a VM from one physical machine (PM) to another. A cloud hosting service may migrate VMs for statistical multiplexing, to adapt to dynamically changing communication patterns so as to achieve high bandwidth for tightly coupled hosts, or to even out heat distribution and energy availability in the data center. The communication topology must be designed to support the rapid migration of VMs.
• Resiliency: The network infrastructure must withstand various types of server failures, link outages, or server-rack failures.
• Scalability: The network infrastructure must be designed to scale to a large number of servers and to allow incremental expansion according to users' requests.

Table 1  Advantages and disadvantages of cloud deployment models

Public cloud
  Pros: High scalability; more reliable and flexible depending on the needs of the client; capability to select the security level needed and negotiate the SLA; less costly, since service payment follows the pay-as-you-go model
  Cons: Less secure; lack of customization and closer support
Private cloud
  Pros: Specific to a community or organization; flexibility in the form of cloud bursting and easy to deploy; safer and improved security; considerable control over the server
  Cons: Deployment is more costly; demands information technology expertise
Community cloud
  Pros: More secure; cloud services are simply accessible
  Cons: Difficulty in managing the cost of controls
Hybrid cloud
  Pros: Highly scalable and flexible infrastructure; the community's workloads obtain on-premise computational effectiveness; facility to manage the cost of controls
  Cons: Absence of visibility; more challenges in application and data integration


• Backward Compatibility: The network infrastructure must be backward compatible with switches and routers running Ethernet and the Internet Protocol (IP), so that they can be reused in the new architecture without major changes.

3.1 Cloud Virtualization

In a data center, the hosted services frequently demand less processing power than the total processing power of one PM. This makes virtualization an attractive approach to maximize effectiveness by running multiple services on the same PM, which minimizes the number of PMs used and enhances their yield. Cloud computing has emerged as a paradigm that offers computing resources on a pay-per-use basis, with these resources dynamically configured to meet different workload needs. This is made possible by virtualization technology, which allows the creation of multiple VMs that share the same physical resources [14, 15]. A VM can be described as an operating system (OS) or software that, through virtualization, emulates the behavior of a computing system according to predefined resource characteristics such as memory capacity and central processing unit [16].
Virtualization was developed gradually to provide different capabilities. It allows many applications to execute in parallel or on heterogeneous systems, and running applications to be moved to other physical servers [17]. Before a data center is ready for commercial use, virtualization is a fundamental step because it makes it easy to share the resources of the data center and ensures high performance, reliability, confidentiality, and security for the cloud infrastructure, which results from a large collection of bare-metal hardware under common management. Much research has been carried out in the field of virtualization technology to design and develop it step by step [18]. It includes multiple layers [19]: the instruction set architecture layer, the hardware-assisted layer, the operating system layer, and the programming language layer. Virtualization technology gives multiple users the possibility to share resources through hardware abstraction. It saves operating and financial costs and provides efficient isolation and intrusion detection for hardware resources, which can enhance the security of the system.
Virtualization is not a novel concept in computer science; it appeared in the 1960s at IBM with the time-sharing approach [20]. Because of the high cost of computers and hardware resources, techniques such as multiprogramming and time-sharing were developed. They offer developers and organizations a powerful programming environment with minimized investment and operational costs. These techniques build on the virtualization approach, in which the hardware resources are abstracted to make resource sharing easier. There are many levels of virtualization, such as system virtualization, network virtualization, desktop virtualization, storage virtualization, and application virtualization [21].
System virtualization, or server virtualization, runs an entire VM, i.e. the VM including its operating system (the guest operating system) runs on top of another operating system (the host operating system). The VM is presented as an isolated, operational duplicate of a real machine. The hypervisor, or Virtual Machine Monitor (VMM), is the software layer that emulates the hardware interface seen by the VM; it manages and controls the system resources [22]. Virtualization provides significant benefits in cloud computing by enabling VM migration to manage the load distribution across the data center. Indeed, VM migration permits robust and highly responsive provisioning in data centers. VM migration developed gradually from process migration techniques [23]. Virtualization software such as Xen [24] and VMware [25] implements VM live migration with very short downtimes, in the range of tens of milliseconds to a second. Virtualization allows one or more VMs, each with its own operating system, to exist on one PM [26]. The PMs are placed in a data center, which can hold several hundred to several thousand PMs [27]. The VMs are created and run by the hypervisor, which is responsible for dispatching the computer hardware to the virtual machine monitors (VMMs). Each guest OS is controlled and managed by its VMM, and each guest OS has its own virtual platform to run on [28].

3.2 VM Migration and Its Types

The VM migration concept helps to achieve different resource management objectives, including power management, system maintenance, load balancing, resource sharing, mobile computing, and fault tolerance. A detailed discussion of the applications of VM migration follows:

• Power Management: To achieve energy efficiency within a cloud data center (CDC), the VM migration process transfers the full workload of an underloaded server (for example, one whose resource usage is below a threshold) to another underused server so that the first one can be switched off. Server consolidation and Dynamic Voltage and Frequency Scaling (DVFS) let VM migration methods aggressively co-locate the VMs and decrease the CPU clock rate, respectively, to achieve power efficiency within a CDC, at the cost of application performance degradation [29, 30].
• Resource Sharing: Application performance degradation caused by sharing limited system resources such as system memory, cache, or processor cycles can be resolved by moving the resource-hungry VM


to a resource-rich server [31, 32]. Moreover, a high degree of resource sharing reduces cloud operational costs, as unnecessary servers can be switched off [33, 34].
• Fault Tolerance: A fault-tolerant system triggers the migration of VMs before a failure occurs. It migrates the VM back to the original server after system maintenance if necessary [35]. A fault-tolerant system greatly improves system availability and thereby the reliability of the CDC [36].
• System Maintenance: Periodic or dynamic maintenance extends the system lifetime [37, 38]. VM migration shifts a running application to another host so that it continues to be served during system maintenance [39].
• Load Balancing: Helps cloud operators avoid a single point of failure by distributing the server workload across diverse PMs within a CDC. A server loaded beyond its capacity degrades system performance; load balancing therefore reduces the likelihood of application performance degradation by eliminating hot spots within the CDC [40].

Mobile computing exploits VM migration to augment portable computing capabilities. Nowadays, users do not want to work on desktop computers only; they prefer to work on smartphones while on the move. VM migration technology helps users migrate running applications together with the OS state from a desktop server to a smartphone or vice versa [41]. There are many methods to perform a VM migration, the best known being:

• Cold Migration: Shuts down the VM on the source PM and then restarts it on the destination PM.
• Warm Migration: Suspends the VM on the source host, copies the RAM and CPU registers across, and resumes it on the destination PM (some seconds later).
• Live Migration: Copies the RAM across while the VM continues to run, then re-copies the "dirty" (changed) RAM pages.

The most used is live migration, which is detailed below. Migration is a technique to move a running VM from one physical server to another. During live migration, the hypervisor is responsible for transferring the VM memory state from the source to the target physical machine. Since the VM must be migrated while running, the main technique to accomplish this is pre-copy, defined in [26, 42]. The pre-copy method copies the memory pages of a VM in iterations. In the first round, all pages are copied; in each of the following n rounds only the pages modified since the previous round are moved. The hypervisor maintains a dirty bitmap to track the modified pages. Finally, there is a stop-and-copy phase in which the VM is stopped on the source and any newly modified pages are moved. Once it has been confirmed that the VM has successfully been migrated to the destination physical machine, it is reactivated. In other words, live VM migration allows the running application services to continue without interruption during the migration. Live VM migration optimizes application performance [43], improves bandwidth utilization [44], and minimizes downtime [45].
Live migration is thus a dynamic migration from the primary host to another host without disconnecting the client or the application. All state, such as memory, network connectivity, and storage, is switched from the source PM to the target PM.
There are two techniques for moving the VM's memory state from the source to the destination, namely pre-copy memory migration and post-copy memory migration. In general, memory migration can be divided into three phases:

• Push Phase: The source VM continues to operate while certain pages are pushed over the network to the new destination. To ensure consistency, pages changed during transmission must be resent.
• Stop-and-Copy Phase: The source VM is stopped, the pages are copied to the destination VM, and then the new VM is started.
• Pull Phase: The new VM starts executing and, if it accesses a page that has not yet been copied, that page is faulted in over the network from the source VM.

Pre-copy combines the push phase with a final stop-and-copy, whereas post-copy performs a minimal stop-and-copy of the processor state and then relies on the pull phase.
Two important VM migration systems are presented in the literature with security concerns in the cloud environment in mind. The integrated VM migration system based on Checkpoint/Recovery (CR) and Trace/Replay (TR) [36] deliberately reduces the migrated memory size of the VM, the total migration time, and the service downtime by transferring the VM execution log rather than VM memory pages. During the first pre-copy round, CR/TR migrates the full system state to the receiving server. In the following rounds, CR/TR iteratively migrates the system execution log, which is replayed at the receiving server to rebuild the original memory. The execution log records the non-deterministic system events at the source site. Furthermore, while capturing VM memory snapshots, a Copy-On-Write (COW) optimization minimizes the probability of packet loss. The VM on the source host is frozen, the minimal system state (CPU registers, VM configuration information) is saved and transferred to the destination host, after which the VM is resumed and continues to run while the main memory and device states are saved in a checkpointing buffer and then transferred to the target host in a COW manner. The COW mechanism


guarantees a negligible checkpointing downtime, and the services remain continuously available to the remote clients. During the iterative rounds, the VM migration controller signals the final iterative round when the size of the execution log climbs above the pre-defined threshold. In the last round, the migration controller transfers the execution log of the virtual machine (generated during the final round), followed by the network redirection phase. However, the CR/TR technique consumes sufficiently large CPU cycles while instantly re-reading dirty logs to keep pace with the rate of dirty log generation. Besides, the CR/TR method only works effectively if the network transfer rate is higher than the log growth rate.

The second VM migration technique, called Shrinker and discussed in [46], leverages a deduplication optimization model to efficiently migrate virtual clusters (VC) across CDC boundaries. Shrinker implements a service at the sender cluster (a server hosts the service) that logs memory page identifiers before the pages are transferred to the target server. During the VM migration process, the hypervisor queries the service to obtain the status of memory pages before transferring them to the target server. The hypervisor transmits only the memory page identifier if the page has previously been transmitted by any of the VMs. If the memory page has not previously been transmitted, the hypervisor registers it (at the service server) and transmits the complete memory page to the receiver server. Otherwise, the receiver pattern exploits the distributed content addressing method to transmit memory pages to the legitimate target host(s). Furthermore, on the receiver side, the index server records the IP address of the legitimate target server(s) against the hash values of the memory pages before delivering the memory pages to the target server. Moreover, on receiving the hash values, Shrinker pings the index server entity to locate the IP address of the host containing the same memory page. The receiver pattern registers the target server against the page hash value at the index server once the required memory page is received from the target server. However, the proposed technique enlarges the total migration duration by visiting, searching, and comparing memory pages at the service server before transmitting the memory page to the receiver. Further, being managed by a centralized server, the proposed scheme is exposed to a single point of failure.

4 Cloud Computing Security

4.1 Security Issues and Frameworks

In the existing literature, an increasing number of research works have addressed the security issues in cloud computing to find efficient security solutions. Besides, different research groups have published several works concerning CC threats and their mitigation mechanisms. Among them, the most remarkable ones are NIST (National Institute of Standards and Technology), CSA (Cloud Security Alliance) and ENISA (European Network and Information Security Agency) [47]. Industry experts have surveyed and defined the top threats and vulnerabilities in cloud computing. ENISA listed nine of the most important cloud-computing-specific risks in its document. Similarly, NIST, in its special publication [48], underlines the crucial aspects of security. Considering these issues, the most critical ones are identified and summarized as follows:

• Data Breaches: represent the security incident where malicious and unauthorized users can copy, transmit, steal, or manipulate sensitive or confidential data.
• Data Loss: The loss of the stored data can be induced by many factors. The data can be dropped accidentally or the encryption key can be lost, etc.
• Account or Service Traffic Hijacking: The intruder can take advantage of phishing, fraud, and exploitation of software vulnerabilities to get access to the user's confidential information and modify their activities and transactions. It can send wrong information and mislead the clients with an unauthorized site.
• Insecure Interfaces and APIs: By using application programming interfaces, the CSP and third parties deliver different services to clients. The risk increases and its mitigation becomes more complex as long as the policies of access management and identity are not well controlled.
• Denial of Service: The attacker overloads the cloud server with a massive amount of falsified requests, which consume more resources in terms of network bandwidth, memory, and disk space. This kind of attack blocks and prevents legitimate customers from being served and causes system overload.
• Malicious Insiders: By dint of their access privileges, system administrators and third-party service providers can be responsible for any misuse or intentional damage that can lead to serious results, such as the availability, integrity, and confidentiality of sensitive data being affected.
• Insufficient Due Diligence: Organizations must clearly outline their goals and develop a detailed study of the benefits and risks involved with cloud computing before deciding on a cloud computing solution.
• Shared Technology Vulnerabilities: Multi-tenant architecture can be a cause of many potential threats in the cloud environment. Among these threats are hypervisor vulnerabilities and cross-VM side-channel attacks.
• Loss of Governance: Transferring data to cloud computing means transferring control to the service provider. On some issues, this may have security implications.


• Lock-in: Since the portability of data and services is not well standardized, dependence on a particular CSP frequently makes it difficult for the client to move from one provider to another.
• Insecure or Incomplete Data Deletion: When data is deleted from cloud storage, nothing ensures that it cannot be accessed later. Data could subsequently be reconstructed if the provider has not deleted it in a secure manner or the client has not encrypted the disk.
• Availability Chain: A CSP can assign some of its tasks to a third party or even involve the service of a new service provider. Thereby, the service availability may be affected by the potential for cascading failures.

We categorize and describe the main security threats and vulnerabilities in cloud computing [49]. Figure 2 highlights the cloud security classification classes.

4.2 Key Security Threats

As defined before, security is considered one of the most important obstacles to the widespread adoption of cloud computing technology. Consequently, the important question to answer is what the primary security issues and threats related to cloud computing are, in order to clearly understand how to secure cloud computing and propose efficient solutions for mitigation and prevention against attacks. In this sub-section, we discuss and define the key security threats and vulnerabilities related to cloud computing and we classify them into six categories, namely network security, virtualization and hypervisor security, identity and access management, data and storage security, governance, and legal and compliance issues.

4.2.1 Network Security

We distinguish between two types of security issues in cloud computing: those inherited from the traditional computing environment and those specific to cloud computing. Some security issues associated with network communications and configurations are presented below.

• XML Signature (Wrapping Attack): XML signatures are extensively applied to ensure the authentication and integrity of SOAP (Simple Object Access Protocol) messages. In contrast, the XML signature wrapping attack, or simply wrapping attack [3], appeared as a well-known attack that targets the protocols which involve XML signatures. This applies to both Web Services and Cloud Computing. For the validation of message integrity, a predefined part or parts of the SOAP message are signed based on the XML signature. The message holds a security header with a signature element, which refers to one or more parts of the message that have been signed. The XML signature wrapping attack takes advantage of the fact that the signature element does not deliver any information concerning the location of the referenced part of the message. An attacker can easily change the body of a message and introduce malicious code without invalidating the signature. Hence, the attacker virtually wraps the

Fig. 2  Cloud computing security classification classes


XML signature around the malicious code and transmits it as an authentic message [50, 51].
• Flooding Attacks: The cloud must be available to serve all clients. So, when the requests of companies increase, the allocation of VM instances should be made immediately. However, this opens the door for malicious adversaries to exploit this feature [3]. The attacker can benefit from the huge number of VMs to overload a certain server by sending it a massive volume of falsified requests. In turn, the server must check and filter each one of the incoming requests. Consequently, the network becomes flooded with malicious requests and legitimate requests are dropped; this induces a distributed denial of service (DDoS) attack. In the case of flooding attacks, the attacker sends a huge volume of nonsense packets to a certain service, which may underlie multiple services in the cloud. The service implementation processes each of these packets to determine its validity, which involves an additional workload per attack packet. As a result, a DoS is caused by request flooding against the server hardware. The impact of flooding attacks in cloud computing systems can be amplified due to the different types of attacks, which are surveyed next. The computer network's bandwidth and connectivity are the first targets of DoS attacks. This kind of attack overloads the network by sending a large volume of packets. Hence, legitimate users are blocked: they cannot send their requests and their productivity is degraded due to the consumption of resources by malicious activities. The second threat to computer connectivity aims to completely consume the available operating system resources by injecting a high volume of connection requests. As a result, legitimate user requests are blocked and cannot be processed. We define five categories for the classification of DoS attacks using, as a basis, the attacked protocol level, as depicted in Fig. 3.

  • At the Network Device Level, DoS attacks might be propagated due to weaknesses or bugs in software, whereby the hardware resources of network devices are exhausted.
  • DoS attacks at the OS level occur during the implementation of protocols by the operating systems. An example of this type of attack is the Ping of Death attack [52]. The victim machine is compromised by this type of attack and overloaded by Internet Control Message Protocol (ICMP) echo requests whose data size surpasses the maximum IP standard size.
  • Application-based attacks seek to make a machine or a service unavailable by exploiting specific bugs in network applications that are running on the target host or by using such applications to exhaust the resources of their victim. The disposable resources on a remote host are completely consumed while the attacker tries to exploit the algorithmic complexity. The finger bomb is an example of remote DoS attacks [53]. A malicious user can drain the resources of the host responsible for the finger routine by running it recursively on the hostname.
  • In data flooding attacks, the utilization of the bandwidth allocated to a network, host, or device becomes higher because the attacker is sending massive data packets to overload the system.
  • In DoS attacks based on protocol features, the IP source addresses can be spoofed. There are many DoS attack types where the objective is to attack the DNS cache while the attacker uses a vulnerable name server.

As noted by the computer security expert Bruce Schneier, "the only secure computer is one that is turned off, locked safely, and buried 20 feet down in a secret location and I'm not completely confident of that one either" [54]. DDoS attacks mainly profit from the Internet architecture. Indeed, the Internet is designed to provide more functionalities but is not well secured. Multiple security issues offer an immense opportunity for attackers. Compared with other attacks, a DDoS attack is characterized by its ability to propagate using multiple computers in a distributed manner over the Internet, yielding a powerful tool to launch a coordinated DoS attack against one or more targets.

Fig. 3  Classification of remote denial of service attacks


A DDoS attack is composed of four components (see Fig. 4):

• The real attacker.
• The handlers, which are compromised hosts with a special program running on them, responsible for controlling and monitoring multiple agents.
• The attack daemon agents or zombie hosts, which are compromised hosts running a special program that generate a stream of packets towards the target victim. These machines exist outside the victim's network, which is what allows them to withstand the victim's response and prevents the victim from taking countermeasures as an efficient response.
• A victim or targeted host.

Table 2 shows the benefits of cloud computing features and the role of those features that a cloud attacker can exploit to launch a DDoS attack in the cloud system [55].

• Metadata Spoofing Attack: To establish web communication, the client needs to retrieve the required information related to web service invocation, such as the web service address, message format, network location, and security requirements. The web services provide these pieces of information stored in metadata documents. The Web Service Definition Language (WSDL) file and WS-SecurityPolicy are well-known metadata documents. Because the metadata documents are delivered over the HTTP protocol or e-mail, the probability of spoofing attacks increases. Metadata spoofing can be unsafe in cloud computing because the cloud system itself holds some WSDL repository functionality, knowing that it is possible to retrieve a service's WSDL file in a dynamic manner and spread the malicious WSDL file all over the network.
• Insecure APIs: Cloud customers generally use a collection of Application Programming Interfaces (APIs) to operate and interact with cloud services. These API interfaces represent an ensemble of routines, tools for service provisioning, protocols, application monitoring, and security functions. These APIs are crucial to securing the cloud service and to enhancing its availability. The APIs must be perfectly identified according to strong access management policies. Otherwise, they could offer good opportunities for the attacker to launch malicious activities.
• Cross-Site Scripting (XSS) Attack: XSS attacks are a kind of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks happen when an attacker tries to transmit malicious code to different users through a web application, usually in the form of a browser-side script [56, 57]. XSS attacks can be caused by incorrect validation of the user input. Two consequences result: the user input cannot be properly neutralized by the web site, or the web site incorrectly executes the validation. As a result, the attacker can easily exploit the vulnerabilities.
• SQL Injection Attack: The SQL injection attack exploits common design faults of web applications to act as an efficient tool of cyber-attack. With this type of attack, the malicious code is inserted into the data fields of a standard SQL query. Thus, attackers obtain unauthorized

Fig. 4  DDoS attacks architecture


access to databases [56]. When the attacker achieves a successful exploit, he can access the database, extract private and sensitive data, and corrupt the data.
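One structural check a SOAP endpoint can run against the wrapping attack described in the list above: the element the service will dispatch on (the Body that is a direct child of the Envelope) must be one of the elements the ds:Reference URIs actually point to, and each referenced Id must resolve to exactly one element. This is an added example, not the paper's or any WS-Security library's code; the two messages are constructed, the wsu:Id attribute and the operation names are assumptions, and cryptographic verification of the digests and the signature value is assumed to happen separately.

```python
"""Structural check against XML signature wrapping on a SOAP message
(added example; see the lead-in for what it assumes)."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")


def signed_ids(root):
    """Fragment identifiers named by ds:Reference/@URI, e.g. '#body-1' -> 'body-1'."""
    ids = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.append(uri[1:])
    return ids


def elements_with_id(root, wanted):
    """Every element carrying wsu:Id or Id equal to `wanted`. All matches are
    returned because a manipulated message may carry the same Id twice."""
    return [el for el in root.iter()
            if el.get(f"{{{WSU}}}Id") == wanted or el.get("Id") == wanted]


def wrapping_suspected(xml_text: str) -> bool:
    """True when the Body the service will execute is not a signed element."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP}}}Body")  # what the application logic dispatches on
    if body is None:
        return True
    covered = []
    for ident in signed_ids(root):
        matches = elements_with_id(root, ident)
        if len(matches) != 1:  # an Id resolving to 0 or 2+ elements is itself suspicious
            return True
        covered.append(matches[0])
    return not any(el is body for el in covered)


# Constructed messages; the Signature element is reduced to its Reference.
GOOD_MESSAGE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">
  <s:Header>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>
  </s:Header>
  <s:Body wsu:Id="body-1"><op>DescribeInstances</op></s:Body>
</s:Envelope>"""

# The same signed Body moved under a wrapper in the Header (its digest still
# verifies) and an unsigned Body placed where the service reads from.
WRAPPED_MESSAGE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">
  <s:Header>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>
    <Wrapper><s:Body wsu:Id="body-1"><op>DescribeInstances</op></s:Body></Wrapper>
  </s:Header>
  <s:Body><op>CreateInstances</op></s:Body>
</s:Envelope>"""


def check_samples():
    """Run the check over both constructed messages."""
    return {"good": wrapping_suspected(GOOD_MESSAGE),
            "wrapped": wrapping_suspected(WRAPPED_MESSAGE)}
```

The check is deliberately positional rather than Id-based: resolving the reference by Id is exactly what the signature library does, and exactly what the attack relies on, so the application has to ask the complementary question of whether the element it is about to act on is among the signed ones. It complements, rather than replaces, real digest and signature verification.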
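The flooding categories in the list above (request and connection-request floods, oversized ICMP echo requests) map directly onto the signature-based and anomaly-based detection stages that Sect. 4.3.2 surveys, and the two stages can be combined into a small hybrid classifier over flow records. The following is an added example, not the paper's code or that of any IDS: the flow-record format, the ten-second window, the three-sigma margin, the baseline traffic and the live records are all constructed.

```python
"""Hybrid (signature + anomaly) flood detection over constructed flow
records (added example; assumptions noted inline)."""
import statistics
from collections import Counter

WINDOW = 10  # seconds per rate window (assumption)
MAX_IP_DATAGRAM = 65535  # an ICMP echo larger than this is the Ping of Death pattern


def parse(lines):
    """Constructed flow format: 'ts,src,proto,bytes' per line."""
    recs = []
    for line in lines:
        ts, src, proto, size = line.strip().split(",")
        recs.append({"ts": int(ts), "src": src, "proto": proto, "bytes": int(size)})
    return recs


def signature_alerts(recs):
    """Signature stage: match known attack patterns from a rule set."""
    rules = {
        "ping_of_death": lambda r: r["proto"] == "ICMP" and r["bytes"] > MAX_IP_DATAGRAM,
    }
    return [(r["src"], name) for r in recs for name, match in rules.items() if match(r)]


def per_source_rates(recs, window=WINDOW):
    """Requests per (source, window) pair."""
    return Counter((r["src"], r["ts"] // window) for r in recs)


def build_profile(baseline_recs, window=WINDOW):
    """An anomaly stage learns what normal per-source load looks like."""
    counts = list(per_source_rates(baseline_recs, window).values())
    mean = statistics.fmean(counts)
    std = statistics.pstdev(counts) or 1.0  # floor so a flat baseline still leaves a margin
    return {"mean": mean, "std": std}


def anomaly_alerts(recs, profile, k=3.0, window=WINDOW):
    """Flag sources whose per-window request count exceeds mean + k*std."""
    threshold = profile["mean"] + k * profile["std"]
    return [(src, n) for (src, _w), n in per_source_rates(recs, window).items()
            if n > threshold]


def hybrid_classify(baseline_lines, live_lines):
    """Verdict per source: 'signature' beats 'anomaly' beats 'normal'."""
    base, live = parse(baseline_lines), parse(live_lines)
    profile = build_profile(base)
    verdict = {src: "normal" for src in {r["src"] for r in live}}
    for src, _n in anomaly_alerts(live, profile):
        verdict[src] = "anomaly"
    for src, _rule in signature_alerts(live):
        verdict[src] = "signature"  # a known pattern is a firmer call than a rate outlier
    return verdict


def constructed_baseline():
    """Six windows of normal traffic: three tenants sending 2, 3 or 4 requests each."""
    lines, sizes = [], [2, 3, 4]
    for w in range(6):
        for i, src in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
            n = sizes[(w + i) % 3]
            lines += [f"{w * WINDOW + j},{src},TCP,120" for j in range(n)]
    return lines


# Constructed live window: two normal tenants, one request flood, one oversized echo.
LIVE = (
    [f"{j},10.0.0.1,TCP,120" for j in range(3)]
    + [f"{j},10.0.0.2,TCP,120" for j in range(4)]
    + [f"{j % WINDOW},10.0.0.9,TCP,120" for j in range(40)]
    + ["5,10.0.0.7,ICMP,70000"]
)

if __name__ == "__main__":
    print(hybrid_classify(constructed_baseline(), LIVE))
```

The signature stage is exact but blind to anything outside its rule set, which is the false-negative problem Sect. 4.3.2 attributes to it; the anomaly stage catches the unseen flood but depends entirely on a clean baseline, so a profile learned while an attack was already under way would raise the threshold and hide it.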

Table 2  Benefits of cloud features and their role in DDoS attacks

Cloud feature | Benefits | Role of feature in DDoS attacks
On-demand self-service | Legitimate users can assign themselves additional computing resources as needed without support staff having to fulfill the computing resources request manually | Cloud attacker allocates computing resources via DDoS attack to use them
Broad network access | Legitimate users can access the cloud system using heterogeneous thin or thick devices such as laptops, netbooks, personal digital assistants, tablet computers, mobile phones, and so on from anywhere | Permits attackers to compromise heterogeneous user platforms from anywhere to launch DDoS attacks
Resource pooling | Computing resources (processing, memory, storage, network bandwidth, and VMs) are shared among diverse legitimate users | Cloud attacker exploits shared computing resources and plants the attack code in cloud resources to launch a DDoS attack
Rapid elasticity | It allows legitimate users to efficiently allocate and release additional space in the cloud or other types of computing services | Cloud attackers exhaust the resources of a virtual machine to cause a DoS attack
Pay-as-you-go | It allows legitimate users to use IT resources without physically purchasing them | Cloud attacker exploits this feature to consume computing resources by DDoS attack

4.2.2 Virtualization and Hypervisor Security

Virtualization is one of the main components of cloud computing and plays a vital role in security assessment [58]. It allows the monitoring of VMs and the performance management of the cloud infrastructure [59]. The hypervisor represents the abstraction layer that performs the elementary functions needed for resource management, dividing the hardware resources between the VMs [60]. Although this technology provides great benefits, it also presents additional security threats. The principal security issues related to virtualization are as follows.

• Hypervisor Vulnerabilities: A hypervisor is responsible for running multiple guest VMs and applications concurrently on a single host machine and isolates the guest VMs. Although hypervisors are designed to be robust and secure, they are vulnerable to attacks. If an attacker gets control of the hypervisor, all the VMs and the data accessed through it will be under their full control to exploit [61]. Another reason why hackers regard the hypervisor as a potential target is the greater control afforded by the lower layers in the virtualized environment. Compromising a hypervisor facilitates control of the underlying physical machine and the hosted applications (hyperjacking is a well-known attack in this category).
• Single Point of Failure: The hypervisor is the basic technology that controls the overall system functioning in virtualized environments and manages the access of the VMs to physical resources. For that reason, a crash of the overall system might be caused by the hypervisor's failure [58].
• VM Escape: VMs are designed to sustain strong isolation between the host and the VMs. Existing vulnerabilities in the operating systems that run inside the VMs can help attackers inject malicious code into them. Whenever that program is running, the VM breaks the isolation boundaries and initiates communication with the operating system directly, bypassing the VMM layer. Such an exploit gives the attacker the possibility to understand the network configuration in order to penetrate the host machine and launch potential attacks [62].
• VM Sprawling: Occurs when a high number of VMs exist in the cloud environment without suitable management or control. Since they hold system resources over this period, these resources cannot be assigned to other VMs, and they are effectively lost [62]. The authors in [63]


discuss two conditions that can result in VM sprawling and contribute to the creation of orphan VMs. VMs are allocated to process users' requests and the system sends acknowledgment messages as a response. The problem arises when VM creation or termination is completed but the messages are lost in transit. Users generate further new requests until they succeed, and this leads to an increase in the number of orphan VMs. Indeed, a collapse in system performance is produced by exhausting system resources. As a solution, it is advisable to migrate the orphan VMs from their PM to another PM that is considered lightly loaded while guaranteeing a good quality of service, a high level of security configuration, and enforced privacy policies. This migration is always a big challenge [62].
• Cross-VM Side-Channel Attack: To increase the utilization of resources in the cloud environment, multiple VMs can be located on the same PM. Hence, this co-residence of VMs appears as a potential enabler of cross-VM side-channel attacks. The attacker aims to place a malicious VM among the VMs and then gain access to the shared hardware and cache locations to extract sensitive information from the victim VM.

4.2.3 Identity and Access Management

Network cybersecurity is a serious business. The impact of an identity management cybersecurity breach is loaded with implications affecting staff productivity and morale, the IT network, and company reputation. Providing secure and robust access to large-scale outsourced data and controlling identities have appeared as a primary factor of cloud computing [64, 65]; data security and privacy issues are considerable challenges that the IT industry is confronting today to protect on-demand cloud computing services [48].

4.2.4 Data and Storage Security

The concept of third-party data warehousing, particularly data outsourcing, has grown surprisingly [66]. Consequently, cloud users depend only on the CSPs regarding the availability, integrity, and confidentiality of their data [67]. The storage of data requires integrity assurance because the CSP may not be reliable, in which case the stored data of consumers can be corrupted [68, 69]. Security issues that can occur due to data and storage outsourcing are discussed next.

• Data Confidentiality: means allowing solely the authorized users or systems to access information. In other words, "need-to-know" or "least privilege" is one of the basic principles of confidentiality [70]. Sensitive information is accessible only by authorized users according to their needs. The cloud computing environment requires a large number of applications and devices, which increase the number of access points; therefore, the probability of data violation increases. The confidentiality of the data stored in a public cloud can be affected for many reasons, such as the access control policies, encryption algorithms, encryption key definition, and the data protection scheme.
• Data Integrity: Ensuring data integrity in cloud computing has become the greatest concern of IT organizations. The integrity concept refers to the accuracy and reliability of the information. It is related to authenticity, which means the ability to check that the content has not been changed in an illegitimate way, and to accountability, which means determining that for any action carried out by a system, its source can be monitored and associated with a user. In other words, the information cannot be changed or distorted by any unauthorized party. Cloud clients need to verify at the same time the confidentiality and the integrity of their data, which involves the manipulation of message authentication codes [71].
• Data Availability: In the cloud computing environment, the services and data must be accessible to the clients, and the architectures must be deployed with great service reliability and availability. Availability can be affected for a short time or permanently, while data can be lost partially or completely [48]. Availability can be hindered by many threats. These threats could be service outages, where a DoS attack is a network-based attack, the availability of the CSP, or failures in the disk or sector, which can lead to permanent data loss [72].
• Data Isolation: Multi-tenancy and resource sharing are vital characteristics of the cloud computing system. Organizations share resources including servers and storage, which offers high flexibility, scalability, and economies of scale. Many risks might be related to the concentration of data and resources. These threats can happen when we share the infrastructure with untrusted tenants, and they concern the availability and security of the underlying infrastructure itself [73]. Consequently, before transferring their data to the cloud, administrators must guarantee that all cloud data are secure and accessible solely by the authorized party. Usually, in a cloud environment, a customer's request is processed by an application that runs with adequate privileges to access any tenant's data at any time. This application is in charge of authorizing and authenticating the request. As the sole defense is at the application level, a single vulnerability at this level menaces the data of all tenants and could lead to cross-tenant data leakage, making the cloud far less secure than dedicated physical resources [74].
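The integrity and isolation points in the list above can be made concrete with a small client-side scheme: each outsourced object is tagged with a message authentication code under a key the tenant keeps, and the tag is bound to the tenant and object name, so an object that the provider alters, or relocates into another tenant's namespace, fails verification on retrieval. This is an added example, not the paper's code or any CSP's API; the in-memory backend, the tenant names and the fixed keys are constructed assumptions.

```python
"""Tenant-scoped outsourced storage with client-held integrity tags
(added example; assumptions noted inline)."""
import hashlib
import hmac
import secrets


class IntegrityError(Exception):
    """Raised when a stored object no longer matches its MAC tag."""


class TenantStore:
    def __init__(self):
        self._backend = {}  # (tenant, name) -> (data, tag): what the CSP holds
        self._keys = {}     # tenant -> MAC key, kept by the tenant, never sent to the CSP

    def register(self, tenant: str, key: bytes = None) -> None:
        self._keys[tenant] = key if key is not None else secrets.token_bytes(32)

    @staticmethod
    def _tag(key: bytes, tenant: str, name: str, data: bytes) -> bytes:
        # Bind the tag to tenant and object name: a valid object cannot be replayed
        # under another name or another tenant, only byte-for-byte where it was put.
        msg = tenant.encode() + b"\x00" + name.encode() + b"\x00" + data
        return hmac.new(key, msg, hashlib.sha256).digest()

    def put(self, tenant: str, name: str, data: bytes) -> None:
        tag = self._tag(self._keys[tenant], tenant, name, data)
        self._backend[(tenant, name)] = (data, tag)

    def get(self, tenant: str, name: str) -> bytes:
        # Isolation: lookups are keyed by the caller's tenant, so another
        # tenant's object with the same name is not addressable at all.
        if (tenant, name) not in self._backend:
            raise KeyError(f"{tenant!r} has no object {name!r}")
        data, tag = self._backend[(tenant, name)]
        expected = self._tag(self._keys[tenant], tenant, name, data)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise IntegrityError(f"object {name!r} of {tenant!r} failed verification")
        return data

    # Provider-side misbehaviour, modelled for the demo only.
    def provider_alters(self, tenant: str, name: str, new_data: bytes) -> None:
        _data, tag = self._backend[(tenant, name)]
        self._backend[(tenant, name)] = (new_data, tag)  # old tag left in place

    def provider_copies(self, src: tuple, dst: tuple) -> None:
        self._backend[dst] = self._backend[src]  # object and tag moved to another tenant


def store_demo():
    """Constructed scenario with two tenants and a misbehaving provider."""
    store = TenantStore()
    store.register("acme", b"A" * 32)    # fixed keys only so the demo is deterministic
    store.register("globex", b"G" * 32)
    payload = b"%PDF-1.7 constructed invoice"
    store.put("acme", "invoice.pdf", payload)
    results = {"read_back": store.get("acme", "invoice.pdf") == payload}
    try:
        store.get("globex", "invoice.pdf")
        results["cross_tenant"] = "visible"
    except KeyError:
        results["cross_tenant"] = "not visible"
    store.provider_copies(("acme", "invoice.pdf"), ("globex", "invoice.pdf"))
    try:
        store.get("globex", "invoice.pdf")
        results["relocated"] = "accepted"
    except IntegrityError:
        results["relocated"] = "rejected"
    store.provider_alters("acme", "invoice.pdf", b"%PDF-1.7 altered invoice")
    try:
        store.get("acme", "invoice.pdf")
        results["tampered"] = "accepted"
    except IntegrityError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(store_demo())
```

The tag gives integrity, not confidentiality: the provider can still read the object, so confidentiality as described in the list needs encryption on top. It also does not detect a provider that silently serves an older, correctly tagged version; guarding against that rollback needs a version counter or a freshness token included in the tagged message.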


4.2.5 Governance

Cloud clients relinquish oversight to the CSP on several critical issues, including policies, procedures, and security mechanisms that have an impact on security [9, 47]. Due to the loss of governance, the service provider may not securely erase data, and data could be reconstructed afterward from the disk.

4.2.6 Legal and Compliance Issues

Legal and compliance aspects represent the responsibilities of an organization, which is obliged to perform according to predefined specifications, standards, and laws [48]. When data crosses borders, the governing, legal, compliance and regulatory administrations can be ambiguous and raise a variety of other security concerns. Another issue is laws and regulations: different countries have different types of security and privacy laws and regulations at various levels (i.e., local, national, state, etc.), which makes legal and compliance issues more complicated [48].

4.3 Countermeasures and Defense Mechanisms Against Attacks

To block and trace computer attacks, many techniques for active defense have been deployed by studying the attacker's behavior and detecting the attacks early. In this subsection, we are interested in the DDoS attack, especially its countermeasures and mitigation mechanisms.

4.3.1 DDoS Defense Deployment

DDoS defenses for cloud services (Fig. 5) can be deployed in four key locations: source end, access point, intermediate network, and distributed.

• Source-End Deployment: It allows an efficient defense of network resources and bandwidth. For instance, the defense strategies elaborated to deal with a potential attack generally involve throttling tools to minimize the rate of outgoing packets in the presence of DDoS attacks [75].
• Access Point Deployment: Front-end, back-end, and VMs are the three principal levels of access point deployment in the cloud-computing environment. The front-end represents an interface between the cloud consumer and the diverse cloud-computing components. DDoS defenses deployed at the access point differentiate normal traffic from malicious traffic before allowing access to cloud resources and services. Under the hypothesis that the bandwidth might be saturated, access-point deployment is limited in terms of filtering and rate-limiting.
• Intermediate-Network Deployment: These are defenses deployed on network nodes to minimize the impact of DDoS attacks on the network before the attacks reach the victim. This is performed by imposing rate limits on the traffic routed via the nodes after comparing the traffic against a normal profile pattern [75].
• Distributed Defense: This deployment model combines the three predefined methods: source-end, access point, and intermediate-network deployment. It can be

Fig. 5  Cloud DDoS defenses taxonomy


monitored and configured to attain a high DDoS attack detection rate.

4.3.2 DDoS Detection

The DDoS detection techniques can be arranged in categories including signature-based, anomaly-based, and hybrid, where the traffic is classified as normal or abnormal.

• Signature-Based Detection: This technique employs an ensemble of rules and defined attack signature patterns saved in a database. To detect malicious traffic, the existing signatures are used for monitoring the traffic patterns, and the database is continuously updated. The important inconvenience is the high rate of false negatives generated when these detection techniques are unable to detect unknown attacks and zero-day attacks.
• Anomaly-Based Detection: Anomaly-based detection can be defined as the behavioral classification approach that requires the collection of normal traffic behavioral profile patterns over a pre-determined period. An anomaly-based intrusion detection system is designed to detect network and computer intrusions and misuse. It monitors and ranks the system activity as legitimate or malicious. To classify these system activities, heuristics or rules are used instead of patterns or signatures to detect any type of misuse that could be confused with normal system operation.
• Hybrid-Based Detection: This approach involves the use of both signature-based and anomaly-based techniques and employs many features of both techniques to reach a higher detection rate. The authors in [76] have proposed a hybrid adaptive distributed Intrusion Detection System (IDS) that integrates anomaly-based and knowledge-based techniques to mitigate the impact of cloud-computing DDoS attacks. The proposed solution establishes communication between different agents, named the service agent, alert agent, and storage agent, for analyzing false alarms and malicious nodes. The adaptive hybrid solution improves the detection rate and reduces false positives. The authors in [77] defined a monitoring stage, which employs a rule-based system for preprocessing known DDoS attack patterns, and a lightweight anomaly detection stage for load prediction on each customer interface, in which a Bayesian technique is implemented for DDoS attack analysis. The monitoring stage implements a concentrated anomaly detection for recognized and non-recognized DDoS attack patterns using an unsupervised learning algorithm. Mordi et al. [78] introduced a hybrid network-based intrusion detection of cloud DDoS attacks. The proposed solution includes two components: Snort, as signature-based detection, for the storage of rules of the known DDoS attack patterns, and a Bayesian classifier deployed to predict with high precision the probability that the network is under threat or not. To carry out an experimental setup for testing, Eucalyptus is used, and the IDS is installed at each node controller.
• Traceback and IP Spoofing Detection: The traceback technique is an efficient tool for DDoS attack source localization when these attacks spoof their addresses. Several defense solutions have been proposed to tackle the problem of spoofed-IP-address DDoS attacks in the cloud environment. For instance, Yang et al. [79] proposed a solution for defense against DDoS attacks that target cloud-computing services. They proposed a new approach named Service-Oriented Architecture (SOA) Based Traceback Approach (SBTA) and a cloud filter deployed at routers as a control and filtering mechanism. It collects cloud traceback marks and source IP addresses during the attack, and exploits a database to select the packets with a spoofed IP address. Jeyanthi et al. [80] proposed a technique for identifying spoofed IP addresses in DDoS attacks. They have proposed an algorithm which is executed when the traffic volume exceeds a predefined threshold. They have also defined an authentication system for verification of the legitimate connections coming to the cloud. They have used OPNET Modeler to validate their proposed approach.

Figure 6 summarizes the defense methods of DDoS attacks in cloud computing [81].
Table 3 presents the attack detection mechanisms discussed above alongside their strong points and limitations.

4.3.3 Intrusion Prevention

Effective attack prevention is the best mitigation strategy against any attack. The aim is to block the attack at its first phase. There are several DDoS defense techniques to protect systems from being attacked. To attenuate the impact of DDoS attacks in the cloud environment, the authors in [82] proposed to deploy Intrusion Prevention Systems (IPS) at different access points. Furthermore, a dynamic resource allocation policy based on the attack potency is implemented using queuing theory. They have mathematically estimated the number of IPS needed to promptly filter out attack packets and to enhance the Quality of Service (QoS) for legitimate users. They have carried out some experiments to demonstrate the feasibility of defeating DDoS attacks.
Guenane et al. [83] proposed a hybrid Cloud-Based Firewalling architecture that combines virtual and physical parts. The virtual part is constituted by virtual firewalls installed on the VMs that perform the key functionalities of firewalls, including supervision, analysis, and reporting,

13
Security Threats, Defense Mechanisms, Challenges, and Future Directions in Cloud Computing 237

Fig. 6  Defense methods of DDoS attacks in cloud computing

taking into consideration provisioning of dynamic resources. identified as serious, it is dropped by the IDS. If the packet
The physical part represents the physical IT resource infra- is classified as moderate, the IDS carries out data clustering
structure of the organization that accepts to receive a secu- and threshold check to get rogues values, and therefore the
rity service delivered by the CSP. The aim is to perfectly alert level is updated. Finally, if the packet is designed as
tune the decision management and availability performance. inconsiderable, the alert is ignored by the system.
The prevention against cloud DDoS attacks based on a Ingress filtering is an approach for configuring a router in
Security-as-a-Service model (SecaaS) analyzes the incom- such a way that the incoming traffic with malicious source
ing traffic redirected to firewalls, which are managed by the addresses is refused [86]. It drops all traffic with a wrong IP
virtual part of the proposed architecture. To conceive the address, which does not correspond to domain prefix con-
network infrastructure, we need to consider the public nature nected to the ingress router. Egress filtering [87] mechanism
and the large scale of the cloud data center. These networks assures that only attributed or allocated IP address space
are under-provisioning from where the intruder can easily quits the network. Defined as an outbound filter, egress fil-
attack a subnet in the cloud data center with minimal effort. tering provides high protection of domains from possible
As a solution, a dynamic migration architecture was pro- attacks. Independently the placement point, both mecha-
posed in [84] using the dynamic provisioning capability of a nisms ingress, and egress filters have the same behavior.
cloud to maximum advantage to detect and keep away from Jia et al. [88] have suggested the moving target defense
attacks. The authors have estimated the bandwidth available approach especially the shuffling technique to defeat the
and needed to operate precisely and reliably in high-speed DDoS in the cloud environment. They have proposed to rep-
networks. Their solution is not for detecting or preventing licate the selected server and reassign the intelligent client to
the attack but it is designed for dynamically transferring the make the victim servers mobile targets of which the DDoS
VMs to different infrastructures to reach the desired QoS. attack will be isolated and classified separately.
The authors in [85], proposed a collaborative IDS for DoS Honeypots are other prevention systems against DDoS
where an IDS is deployed in each cloud-computing region. attacks [89]. They are designed with a certain security
The IDS gathers network packets and analyzes them. If the level of which the attacker is deceived, he thinks that
type’s packet does not correspond to any type defined in the he is attacking the system but in reality, he targets only
block table, then the IDS immediately drops the packet. Oth- the honeypot and not the actual system. Honeypots have
erwise, the packet is considered malicious and anomalous more benefits in terms of security, they are used not only
and the degree of its severity is defined. When the packet is to protect the systems, but they are able also to gather

13
238 S. El Kafhali et al.

Table 3  Attacks detection mechanisms strong points and limitations


Detection mechanism Strong points Limitations

Signature-based The rules that are desired for updating the signatures of Infeasible to detect unknown attacks and to update signa-
unknown attacks in the database are easy to reconfigure tures for all attacks
The cloud administrator can determine what the intrusion Unknown attacks or signatures of known attacks result in a
was, and how qualified the intruder is, and even when it high rate of false negatives
was perpetrated
Exactitude in detecting known attack signatures as long as
the database is constantly up to date
Anomaly-based Powerful to detects unknown threats and attacks The cost of computation for training is very high
Prevents DoS and DDoS attacks from legitimate traffic Prone to false positives and resource-intensive
patterns
It helps to identify and detect all possible attacks and Require statistical analysis of traffic features
threats
Hybrid detection Capable of gathering information from different Intrusion The number of combined detection methods has an impact
detection systems on detection performance
It can classify rules accurately with fewer false positives The cost of the calculation depends on the combined detec-
and better correlation tion methods
Allows storing alerts from different relatively varied
systems in a database
Source and spoof trace Significant for any detection techniques Always need support from many network sources
Can deploy traffic filtering to detect inconsistencies using Require a lot of effort between CSP
robust verification techniques
Count based filtering Efficient to detect spoofed IP addresses and workload Demands a customer database that has the actual hop count
traffic
Offer cloud administrators prompt control over the situa- Diversity of heterogeneous implementations of hop-count
tion in various systems
Its deployment is easy It is difficult to warrant the source IP addresses and their
corresponding hops from the victim
BotCloud detection The deployment of this detection mechanism is easy Incapable to detect all attack types, it is non-trivial to dif-
ferentiate legitimate from illegitimate activity
Infected VMs, which are possible security threats, can be This detection mechanism can merely work at the edge of
isolated from other VMs an attack originating cloud
Allows CSP the ability to monitor and control any incom- It can become heavy using massive cloud computing
ing anomaly traffic resources
Resource usage This detection mechanism designates the suspicion of the Difficult to detect anomalies in the dynamic behavior of
appearance of a DDoS attack cloud resource utilization
Important for anomalies detection in a distributed complex Cloud resource utilization depends on the sharp tuning of
system such as cloud computing the threshold values to detect attack traffic very effec-
tively
Throughput of incoming traffic cannot be exploited as the
only proof of an attack

information about attackers by recording their actions and tools and due to static and passive nature of honeypot,
classifying the kinds of attacks and determining the meth- which the attacker can easily detect.
ods and tools used by the attackers. Many research works Prevention approaches offer increased security but can
discuss the utilization of honeypots and their behavior as never completely remove the threat of DDoS attacks because
legitimate networks such as web servers, mail servers, they are always vulnerable to new attacks for which signa-
and clients to deal with potential attacks. The goal is to tures and patches do not exist in the database.
mislead the attacker, push him to run his attack strategy,
and set up a handler within the honeypot. This improves 4.3.4 Intrusion Tolerance and Mitigation
the network systems’ security and discovers the attacker’s
strategies to defend against potential DDoS. Nevertheless, The intrusion tolerance approach admits that it is unfea-
this defensive method is still limited because the attack sible to inhibit or completely block the potential attacks.
detection is performed using signature-based detection Indeed its key objective is to mitigate the attack impact

13
Security Threats, Defense Mechanisms, Challenges, and Future Directions in Cloud Computing 239

and perform a high quality of service. Intrusion tolerance 5 Cloud Security Classification
is categorized into two key parts named fault tolerance and Taxonomies
and QoS.
Cloud computing is an emerging paradigm that involves
• The fault-tolerance concept means the possibility that all the basic actors such as CSP, Cloud Service Consumer,
a system can continue functioning properly in the pres- Cloud Service Carrier, Cloud Service Broker, and Cloud
ence of faults or failure cases of some of its elements. Service Auditor. To classify the cloud security issues it is
it is based on the idea that it is necessary to duplicate necessary to consider the roles of each cloud actor. First,
the services with multiple access points, in such a way the researchers should understand the distinction between
the service is not interrupted and it is available even a traditional security issues and cloud-specific issues for
network link can be congested by flooding traffic. QoS a better classification. Second, the security attributes,
proves the possibility of a network to provide expected namely: confidentiality, integrity, and availability it is a
and predictable findings to discuss the performances popular class considered in most general classifications
of certain traffic or applications. Intrusion tolerance and taxonomies. Finally, the composition corresponded to
is analogous in philosophy to fault tolerance and it the different schemes considered to classify cloud security
is well developed to design secure software systems. concerns. Table 5 summarizes some important security
However, an intrusion tolerant system as a powerful taxonomies where we capture the general theme repre-
system demonstrates its ability to the detection of sented in each work.
attack tries to penetrate to the system or predicting
the defense failure or react with an effective response
to defeat the attack. There are several intrusion toler-
ant Techniques and intrusion tolerant systems such as 6 Open Issues and Future Directions
the SITAR system [90] that have been developed and
deployed for attack mitigation. Not only, it is impor- Based on the related works, various issues have not been
tant to prevent and/or tolerate security intrusions, sufficiently addressed the security in the cloud domain.
but also it is primordial to evaluate security as a QoS There is a lot of open issues are existent that is needed
attribute on par with other QoS parameters such as to be resolved as well as the gap in the currently pro-
availability and performance. vided solutions would show to be the future directions for
research. Future research can be conducted at instilling
the confidence back to the clients to warrant and ensure
4.3.5 Classes of Anomaly Detection Techniques that they are in the entire control of their data. However,
to trust cloud customers, the CSP ability must be improved
There are six classes of anomaly detection techniques and the data owner must have total control over who has
depending on the algorithms used in the attack detection the right to use their data and what they are allowed to do
operation, namely deep learning, machine learning, data with it once they have access [149]. In this section, we dis-
mining, classifiers, artificial intelligence, and statistical cuss open issues and future directions related to security
[91]. To avoid using manual models and rules to detect in the cloud computing environment.
the most important attacks, the deep/machine learning In the existing literature, every researcher concentrates
methods are involved to make advance detection models on a specific security issue and approaches the problems
[92]. Data mining is a sophisticated method to learn the in their way. However, we will find many security resolu-
attack behaviors based on record dataset, which implicates tions for a single security issue. In some situations, it is not
processes of knowledge extraction such as classification practical to implement many security resolutions for the
and clustering [93]. The classifiers’ methods are involved same issue. Hence, the first open issue is to design a typi-
to classify a test instance into a class from various labeled cal and more integrated and collaborated security solution,
data instances. While detection techniques based on arti- which may attain all primary security requirements in the
ficial neural networks classify behaviors as intrusive or cloud-computing environment. Since security and privacy
normal through generalized data from incomplete data in cloud computing are received a great deal of attention
[94]. In statistical-based methods, the normal traffic is from many researchers, they are still open issues that need
associated with high probability states whereas anoma- further achievements. Indeed, adapting to different known
lous traffic is associated with low probability states of the and unknown threats is still an issue. Moreover, another
detection process [95]. Table 4 exhibits a comparison of important problem is to provide the proper authorization
anomaly detection techniques alongside their advantages rules and policies to warrant that the sensitive data are
and disadvantages.

13
240 S. El Kafhali et al.

Table 4  Advantages and disadvantages of anomaly detection mechanisms


Class of anomaly detection Contributions Strengths Weaknesses

Machine learning- based [96–104] Detection of DDoS attacks is faster, accurate Significant IT resources are required during the
and with high efficiency training and testing phases
There is the possibility to change of the execu- It corresponds to training examples with unusual
tion strategy all along attack detection characteristics, particularly noisy data
It can manage either continuous and categorical It is vulnerable to outliers
values or missing data
Deep learning- based [105–112] Has the ability to detect several types of attack Impossible to implement it in real-time network
class including DDoS attacks traffic
Has the ability to classify attacks into normal or It requires more time for training and detection
DDoS attacks
It can continue the detection process without It necessitates a high processing time for large
any problem due to their parallel nature if an neural networks
element of the neural network fails
Multiple training algorithms are available and Prone to excessive adjustment and complex
require less formal statistical training computation
It can learn and does not require to be repro-
grammed
Significant for continuous data and has a high
tolerance to noisy data
Has the capacity to classify an unknown pattern
Data mining-based [113–117] Enhances the rate of detection processes and Inefficient with a high volume of incoming cloud
with low cost of computation workload
It can handle a massive database and requires A dataset with missing values can influence the
a little amount of training data to estimate detection processes
parameters
It helps cloud administrators to discriminate Uses large memory to do the detection processes
attacks workload from a legitimate workload and not well for high dimensional data
Shows great speed and accuracy when applied Miss available probability data and it is supposed
to big databases and with a low computation that the attributes of data are conditionally
complexity independent
It is simple to implement and can handle both Slow in classification testing data
discrete and continuous data
Based on simple computation and not sensitive
to irrelevant functionalities
Artificial intelligence-based [118–124] It can classify easily behaviors as intrusive or It does not have a constant optimization response
normal time
It can easily solve the problems with many It uses a complex method and has limited scal-
solutions ability
It has better efficiency to detect DDoS attacks Accuracy of detection depends a lot on the train-
ing profile
It can be used to select better features for the It presents a very high mutation rate
detection process
It can retrain easily the genetic algorithm-based
systems
Has the ability to add new rules and evolve
intrusion detection systems
Classifier-based [125–134] Presents a high adoption rate to readjust detec- Consumes high computing resources
tion strategies
Classifier models generated by this class easily To detect unknown attacks, it is necessary to use
interpreted adequate training
Detection rates depend on threshold settings

13
Security Threats, Defense Mechanisms, Challenges, and Future Directions in Cloud Computing 241

Table 4  (continued)
Class of anomaly detection Contributions Strengths Weaknesses

Statistical-based [135–140] It is very simple to implement this class It is difficult to set an optimal threshold and it is
sensitive to initialization
It can detect malicious activity accurately It needs to justify assumptions that are required to
define the classification rate
Has the ability to learn the expected behavior Not robust to outliers or noise and cannot meas-
according to observations without previous ure the quality of the clusters
knowledge of normal activities
Fast, simple, and good for large data

Table 5  Summary of cloud security taxonomies

Paper Security criteria Classification

Mollah et al. [141] Data security challenges Components: virtualization


Virtualization security challenges
Privacy challenges
Basu et al. [142] Virtualization and data security Attribute-based CIA triad
Tank et al. [143] Cryptography Categories
Cloud identity and access management
Trust assurance
Threats and network security
Akshaya et al. [144] Application-level Multi-tenancy
Data segregation, availability and center security Service models
Attack surface
Maroc et al. [145] Data storage and virtualization Service models
Compliance and governance Component
Privacy Stakeholders roles
Multi-tenancy problem Cloud-specific security issues
Accountability Security attributes
Composition
Singh et al. [146] Data security Attribute-based: CIA triad
Almutairy et al. [147] Data security issues Components: virtualization
Infrastructure issues
Security policies and rules
Control and monitoring
Hussain et al. [148] Attack on interfaces and SSH Service models: SaaS, PaaS, IaaS
Utility computing
SLA and data security

accessible only for authorized users. This is very crucial servers in a cloud datacenter. However, if DDoS attacks
to preserve users’ privacy when data integrity must be affect the environment of multi-tenancy and make comput-
promised. ing resources unavailable to further of the tenants. There-
Multi-tenancy is an important feature of cloud computing fore, the efficient use of multi-tenancy is a significant chal-
for the effective utilization of servers in the cloud datacenter. lenge, which requires much attention from the researcher
Inside a multitenancy environment, many clients share the on cloud security.
same application that running on the same operating system Cisco plans 50 billion connected objects, represent-
(OS), on the same material and with the same data-storage ing a market of 14.4 trillion dollars by 2022. Hence, the
technique. In the case where the multi-tenancy is not cor- increasing number of IoT devices will inevitably produce a
rectly implemented, it can lead to the underutilization of huge amount of data, which must be processed, stored, and

13
242 S. El Kafhali et al.

properly accessible in a transparent and pervasive manner adoption by organizations. However, how to seamlessly inte-
by end customers. IoT devices often have limited process- grate the different solutions remains an open challenge.
ing capacity and are unable to perform sophisticated pro-
cessing and store large amounts of data [150]. Therefore,
cloud computing seems to be the best alternative to meet the 7 Conclusion
requirements of IoT scenarios. The integration of IoT and
the cloud has led to a new, ubiquitous computing paradigm In this paper, we have addressed the challenges of security
called Cloud of Things (CoT). Therefore, securing the data problems in cloud computing. First, we have discussed and
and the access of multiple devices to the cloud data center gave the essential characteristics of cloud computing, its
is an important open issue that should be resolved for this service delivery, deployment models, data center virtual-
new important paradigm. ization, virtual machines migration, compelling reasons for
CoT is an IoT product management solution that allows adopting them, and the barriers that hinder its wide adop-
customers to connect any device to any data center. As the tion. Then, we presented a variety of security and privacy
Internet had done, this new CoT opens up a huge field of concerns associated with cloud computing, identified major
opportunity for both users and service providers. However, threats and vulnerabilities, and classified them. Security and
the cloud platform has obvious concerns and limitations privacy are the most critical issues that need to be addressed
in terms of responsiveness, latency, and overall perfor- in designing a computing environment that is reliable and
mance for processing and accessing IoT traffic data. It has trustworthy. Finally, we have presented the lines of research,
a long response time, especially for large data sets, to travel which deal with the various problems studied in cloud
between IoT client and cloud computing. To address the security.
limits of the CoT architecture, a promising new comput-
ing paradigm called fog computing has recently been advo-
cated. Many companies in the Telecom network have started Declarations
to build a fog computing system to respond to emerging
applications and to minimize operational cost and applica- Conflict of interest The authors declare that they have no conflict of
tion response time. However, this new computing paradigm interest.
necessitates security in the cloud by reducing the rate of data
loss via supporting latency-sensitive applications by protect-
ing data transported via the IoT devices [151]. References
In a healthcare monitoring system, cloud computing is
1. Hung YH (2019) Investigating how the cloud comput-
the preferred rig to store, aggregate, and analyze data col-
ing transforms the development of industries. IEEE Access
lected from medical devices used by medical facilities. Since 7:181505–181517
medical data is confidential, sensitive, and hosted on the 2. Wu C, Buyya R, Ramamohanarao K (2020) Modeling cloud
cloud this poses serious risks in terms of data confidential- business customers’ utility functions. Futur Gener Comput Syst
105:737–753
ity and security [152]. Some of the main future directions
3. Fatima S, Ahmad S (2019) An exhaustive review on secu-
in this field who should be resolved include (1) secure the rity issues in cloud computing. KSII Trans Internet Inf Syst
stored health data in the cloud, (2) implement the confiden- 13(6):3219–3237
tiality of health data storage, (3) construct an access control 4. Mthunzi SN, Benkhelifa E, Bosakowski T, Guegan CG, Bar-
hamgi M (2020) Cloud computing security taxonomy: From
mechanism more efficient for the secure transfer of health
an atomistic to a holistic view. Futur Gener Comput Syst
care data, (4) provide an efficient way to share the health 107:620–644
data against multiple healthcare providers, (5) maintain 5. Odun-Ayo I, Ananya M, Agono F, Goddy-Worlu R (2018) Cloud
the integrity of health care records, (6) secure the patient computing architecture: a critical analysis. In: Proceedings of
the 18th international conference on computational science and
data during the emergency, (7) determine the type of access
applications. IEEE, pp 1–7
that we can give to medical staff to compensate for internal 6. Mell P, Grance T (2011) The NIST definition of cloud comput-
attacks and so forth. ing: recommendations of the National Institute of Standards and
To identify who is the normal user and who is the mali- Technology. NIST Spec Publ 800–145:1–7
7. Gourisaria MK, Samanta A, Saha A, Patra SS, Khilar PM (2020)
cious user is another open issue in the cloud environment.
An extensive review on cloud computing. In: Data engineering
Most of the current studies have used artificial intelligence, and communication technology. Springer, Singapore, pp 53–78
deep learning, and machine learning to automate the identi- 8. Attaran M, Woods J (2019) Cloud computing technology:
fication of insider or outsider attack. Nevertheless, everyone improving small business performance using the Internet. J Small
Bus Entrep 31(6):495–519
will study this issue based on a particular dataset and it is
9. Liu Y, Sun YL, Ryoo J, Rizvi S, Vasilakos AV (2015) A survey
very difficult to implement him by many companies. The of security and privacy challenges in cloud computing: solutions
resolution of this issue will serve as the key to enable rapid and future directions. J Comput Sci Eng 9(3):119–133

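The hybrid detection of Sect. 4.3 (a signature stage for known DDoS patterns beside an anomaly stage with a threshold, as in [78]) combined with the statistical view of Sect. 4.3.5 (normal traffic as high-probability states, anomalous traffic as low-probability states [95]), as an added example that is not code from the surveyed works. The rule set, the baseline rates, the flow records and the function names are constructed for illustration; the anomaly stage models the per-source flow rate as Gaussian, which is an assumption of this example.

```python
"""Hybrid DDoS detection: signature stage followed by a statistical stage.

Added example; not code from the surveyed works. Rules, baseline and
traffic are constructed. A source is dropped on a signature hit, alerted
when its per-second flow rate is a low-probability state under the
baseline, and allowed otherwise.
"""
import math
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int      # second in which the flow was observed (constructed)
    src: str    # source IP address
    dport: int  # destination port
    flags: str  # TCP flags, "S" for a bare SYN, "" for non-TCP
    size: int   # payload bytes


# Stage 1: signature rules for known patterns (constructed; [78] keeps
# such rules in Snort). Each rule is a predicate over one flow record.
SIGNATURES = {
    "syn_no_payload_to_web": lambda f: f.flags == "S" and f.size == 0 and f.dport == 80,
    "oversized_udp": lambda f: f.flags == "" and f.size > 1400,
}


def baseline_stats(rates):
    """Mean and standard deviation of per-second flow counts observed in
    a training window of normal operation. A flat baseline has zero
    deviation, which is floored to 1.0 to avoid dividing by zero."""
    return statistics.fmean(rates), (statistics.pstdev(rates) or 1.0)


def tail_probability(z):
    """P(Z >= z) for a standard normal variable: the probability of the
    observed state. High-probability states are normal, low ones are
    anomalous [95]."""
    return 0.5 * math.erfc(z / math.sqrt(2))


def signature_stage(flows):
    """Map each source to the names of the rules its flows matched."""
    hits = defaultdict(list)
    for f in flows:
        for name, rule in SIGNATURES.items():
            if rule(f) and name not in hits[f.src]:
                hits[f.src].append(name)
    return {src: names for src, names in hits.items() if names}


def anomaly_stage(flows, mean, std, p_min=1e-3):
    """Per source and second, flag counts whose upper-tail probability
    under the baseline falls below p_min (the detection threshold)."""
    per_second = Counter((f.src, f.t) for f in flows)
    flagged = defaultdict(list)
    for (src, t), n in sorted(per_second.items()):
        if tail_probability((n - mean) / std) < p_min:
            flagged[src].append((t, n))
    return dict(flagged)


def hybrid_verdicts(flows, baseline_rates):
    """Combine both stages into one verdict per source."""
    mean, std = baseline_stats(baseline_rates)
    sig = signature_stage(flows)
    ano = anomaly_stage(flows, mean, std)
    verdicts = {}
    for src in sorted({f.src for f in flows}):
        if src in sig:
            verdicts[src] = ("drop", "signature:" + ",".join(sig[src]))
        elif src in ano:
            verdicts[src] = ("alert", "anomaly:rate")
        else:
            verdicts[src] = ("allow", "normal")
    return verdicts


# Constructed training window: flows per second from a normal source.
BASELINE_RATES = [4, 5, 6, 5, 4, 6, 5, 5]

# Constructed observation window (all in second 0).
SAMPLE_FLOWS = (
    [Flow(0, "203.0.113.10", 443, "A", 512) for _ in range(5)]   # normal rate
    + [Flow(0, "198.51.100.7", 443, "A", 200) for _ in range(40)]  # rate spike
    + [Flow(0, "192.0.2.33", 80, "S", 0) for _ in range(3)]        # known pattern
)

if __name__ == "__main__":
    for src, verdict in hybrid_verdicts(SAMPLE_FLOWS, BASELINE_RATES).items():
        print(src, *verdict)
```

The low-rate signature source shows why the stages are combined: three flows per second is a high-probability state, so the statistical stage alone would never raise it.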
53. Bhandari A, Sangal AL, Kumar K (2016) Characterizing flash ers. IEEE Commun Surv Tutor 8(4):2787–2821
events and distributed denial-of-service attacks: an empirical 74. Factor M, Hadas D, Harnama A, Har’El N, Kolodner EK, Kur-
investigation. Secur Commun Netw 9(13):2222–2239 mus A, Sorniotti A (2013) Secure logical isolation for multi-
54. Liebeskind JP (1997) Keeping organizational secrets: protec- tenancy in cloud storage. In: Proceedings of the 29th symposium
tive institutional mechanisms and their costs. Ind Corp Chang on mass storage systems and technologies. IEEE, pp 1–5
6(3):623–663 75. Bhuyan MH, Kashyap HJ, Bhattacharyya DK, Kalita JK (2014)
55. Alarqan MA, Zaaba ZF, Almomani A (2019) Detection mecha- Detecting distributed denial of service attacks: methods, tools
nisms of DDoS attack in cloud computing environment: a survey. and future directions. Comput J 57(4):537–556
In: Proceedings of international conference on advances in cyber 76. Krishnan D, Chatterjee M (2012) An adaptive distributed intru-
security. Springer, Singapore, pp 138–152 sion detection system for cloud computing framework. In: Pro-
56. Bhadauria R, Sanyal S (2012) Survey on security issues in cloud ceedings of the international conference on security in computer
computing and associated mitigation techniques. Int J Comput networks and distributed systems. Springer, Berlin, pp 466–473
Appl 47(18):47–66 77. Cha B, Kim J (2011) Study of multistage anomaly detection
57. Hydara I, Sultan ABM, Zulzalil H, Admodisastro N (2015) Cur- for secured cloud computing resources in future internet. In:
rent state of research on cross-site scripting (XSS)—a systematic Proceedings of the 9th international conference on dependable,
literature review. Inf Softw Technol 58:170–186 autonomic and secure computing. IEEE, pp 1046–1050
58. Sabahi F (2012) Secure virtualization for cloud environment 78. Modi CN, Patel DR, Patel A, Muttukrishnan R (2012) Bayesian
using hypervisor-based technology. Int J Mach Learn Comput classifier and snort based network intrusion detection system in
2(1):39 cloud computing. In: Proceedings of the 3rd international confer-
59. Lombardi F, Di Pietro R (2011) Secure virtualization for cloud ence on computing, communication and networking technolo-
computing. J Netw Comput Appl 34(4):1113–1122 gies. IEEE, pp 1–7
60. Pearce M, Zeadally S, Hunt R (2013) Virtualization: issues, 79. Yang L, Zhang T, Song J, Wang JS, Chen P (2012) Defense of
security threats, and solutions. ACM Comput Surv (CSUR) DDoS attack for cloud computing. Proc Int Conf Comput Sci
45(2):1–39 Autom Eng IEEE 2:626–629
61. Win SS, Thwin MMS (2019) Handling the hypervisor hijacking 80. Jeyanthi N, Barde U, Sravani M, Tiwari V, Iyengar NCSN (2013)
attacks on virtual cloud environment. In: Advances in biometrics. Detection of distributed denial of service attacks in cloud com-
Springer, Cham, pp 25–50 puting by identifying spoofed IP. Int J Commun Netw Distrib
62. Luo S, Lin Z, Chen X, Yang Z, Chen J (2011) Virtualization Syst 11(3):262–279
security for cloud computing service. In: Proceedings of the 81. Kushwah GS, Ranga V (2020) Voting extreme learning machine
international conference on cloud and service computing. IEEE, based distributed denial of service attack detection in cloud com-
pp 174–179 puting. J Inf Secur Appl 53:102532
63. Dabrowsk C, Mills K (2011) VM leakage and orphan control 82. Gupta BB, Badve OP (2017) Taxonomy of DoS and DDoS
in open-source clouds. In: Proceedings of the 3rd international attacks and desirable defense mechanism in a cloud computing
conference on cloud computing technology and science. IEEE, environment. Neural Comput Appl 28(12):3655–3682
pp 554–559 83. Guenane F, Nogueira M, Pujolle G (2014) Reducing DDoS
64. Yang C, Ye J (2015) Secure and efficient fine-grained data attacks impact using a hybrid cloud-based firewalling architec-
access control scheme in cloud computing. J High Speed Netw ture. In: Proceedings of the global information infrastructure and
21(4):259–271 networking symposium. IEEE, pp 1–6
65. Yu S, Wang C, Ren K, Lou W (2010) Achieving secure, scal- 84. Liu H (2010) A new form of DOS attack in a cloud and its
able, and fine-grained data access control in cloud computing. avoidance mechanism. In: Proceedings of the ACM workshop
In: Proceedings of INFOCOM. IEEE, pp 1–9 on cloud computing security workshop, pp 65–76
66. Wang Y, Wu Q, Qin B, Shi W, Deng RH, Hu J (2016) Identity- 85. Wahab OA, Bentahar J, Otrok H, Mourad A (2015) A survey on
based data outsourcing with comprehensive auditing in clouds. trust and reputation models for Web services: Single, composite,
IEEE Trans Inf Forensics Secur 12(4):940–952 and communities. Decis Support Syst 74:121–134
67. Tchernykh A, Schwiegelsohn U, Talbi EG, Babenko M (2019) 86. Kaur Chahal J, Bhandari A, Behal S (2019) Distributed denial
Towards understanding uncertainty in cloud computing with of service attacks: a threat or challenge. New Rev Inf Netw
risks of confidentiality, integrity, and availability. J Comput Sci 24(1):31–103
36:100581 87. Douligeris C, Mitrokotsa A (2004) DDoS attacks and defense
68. Erway CC, Küpçü A, Papamanthou C, Tamassia R (2015) mechanisms: classification and state-of-the-art. Comput Netw
Dynamic provable data possession. ACM Trans Inf Syst Secur 44(5):643–666
(TISSEC) 17(4):1–29 88. Jia Q, Wang H, Fleck D, Li F, Stavrou A, Powell W (2014) Catch
69. Thokchom S, Saikia DK (2019) Privacy preserving and pub- me if you can: a cloud-enabled DDoS defense. In: Proceedings of
lic auditable integrity checking on dynamic cloud data. IJ Netw the 44th annual IEEE/IFIP international conference on depend-
Secur 21(2):221–229 able systems and networks. IEEE, pp 264–275

13
Security Threats, Defense Mechanisms, Challenges, and Future Directions in Cloud Computing 245

89. Modi C, Patel D, Borisaniya B, Patel H, Patel A, Rajarajan M 108. Nguyen KK, Hoang DT, Niyato D, Wang P, Nguyen D, Dutkie-
(2013) A survey of intrusion detection techniques in cloud. J wicz E (2018) Cyberattack detection in mobile cloud computing:
Netw Comput Appl 36(1):42–57 a deep learning approach. In: Proceedings of the wireless com-
90. Madan BB, Goševa-Popstojanova K, Vaidyanathan K, Trivedi munications and networking conference. IEEE, pp 1–6
KS (2004) A method for modeling and quantifying the secu- 109. Shaaban AR, Abd-Elwanis E, Hussein M (2019) DDoS attack
rity attributes of intrusion tolerant systems. Perform Eval detection and classification via convolutional neural network
56(1–4):167–186 (CNN). In: Proceedings of the 9th international conference
91. Osanaiye O, Choo K-KR, Dlodlo M (2016) Distributed denial of on intelligent computing and information systems. IEEE, pp
service (DDoS) resilience in cloud: review and conceptual cloud 233–238
DDoS mitigation framework. J Netw Comput Appl 67:147–165 110. Çalışır S, Atay R, Pehlivanoğlu MK, Duru N (2019) Intrusion
92. Zekri M, El Kafhali S, Aboutabit N, Saadi Y (2017) DDoS attack detection using machine learning and deep learning techniques.
detection using machine learning techniques in cloud computing In: Proceedings of the 4th international conference on computer
environments. In: Proceedings of the 3rd international conference science and engineering. IEEE, pp 656–660
on cloud computing technologies and applications. IEEE, pp 1–7 111. Sethi K, Kumar R, Prajapati N, Bera P (2020) Deep reinforce-
93. Idhammad M, Afdel K, Belouch M (2018) Distributed intrusion ment learning based intrusion detection system for cloud infra-
detection system for cloud environments based on data mining structure. In: Proceedings of the international conference on
techniques. Proc Comput Sci 127:35–41 communication systems and networks. IEEE, pp 1–6
94. Hajimirzaei B, Navimipour NJ (2019) Intrusion detection for 112. Catak FO, Mustacoglu AF (2019) Distributed denial of service
cloud computing using neural networks and artificial bee colony attack detection using autoencoder and deep neural networks. J
optimization algorithm. ICT Express 5(1):56–59 Intell Fuzzy Syst 37(3):3969–3979
95. Aldweesh A, Derhab A, Emam AZ (2020) Deep learning 113. Prasad KM, Siva VS, Nagamuneiah J, Nelaballi S (2020) An
approaches for anomaly-based intrusion detection systems: a sur- ensemble framework for flow-based application layer DDoS
vey, taxonomy, and open issues. Knowl-Based Syst 189:105124 attack detection using data mining techniques. In: ICT analysis
96. Aamir M, Zaidi SMA (2019) DDoS attack detection with feature and applications. Springer, Singapore, pp 9–19
engineering and machine learning: the framework and perfor- 114. Mehare V, Thakur RS (2018) Data mining models for anomaly
mance evaluation. Int J Inf Secur 18(6):761–785 detection using artificial immune system. In: Proceedings of the
97. Tuan TA, Long HV, Kumar R, Priyadarshini I, Son NTK (2020) international conference on recent advancement on computer and
Performance evaluation of Botnet DDoS attack detection using communication. Springer, Singapore, pp 425–432
machine learning. Evol Intel 13(2):283–294 115. Ashaba AA, Mirembe DP (2018) Data mining based algorithms
98. Wang M, Lu Y, Qin J (2020) A dynamic MLP-based DDoS attack for intrusion detection systems. Int J Technol Manag 3(2):1–10
detection method using feature selection and feedback. Comput 116. Lee W, Stolfo SJ, Mok KW (2000) Adaptive intrusion detection:
Secur 88:101645 a data mining approach. Artif Intell Rev 14(6):533–567
99. Hezavehi SM, Rahmani R (2020) An anomaly-based frame- 117. Pietraszek T, Tanner A (2005) Data mining and machine learn-
work for mitigating effects of DDoS attacks using a third ing-towards reducing false positives in intrusion detection. Inf
party auditor in cloud computing environments. Clust Comput Secur Tech Rep 10(3):169–183
23(4):2609–2627 118. Garg S, Kaur K, Batra S, Aujla GS, Morgan G, Kumar N, Ran-
100. Priyadarshini R, Barik RK (2019) A deep learning based intel- jan R (2020) En-ABC: an ensemble artificial bee colony based
ligent framework to mitigate DDoS attack in fog environment. J anomaly detection scheme for cloud environment. J Parallel Dis-
King Saud Univ Comput Inf Sci. https://d​ oi.o​ rg/1​ 0.1​ 016/j.j​ ksuci.​ trib Comput 135:219–233
2019.​04.​010 119. Kesavamoorthy R, Soundar KR (2019) Swarm intelligence based
101. Habib B, Khurshid F, Dar AH, Shah Z (2019) DDoS mitigation autonomous DDoS attack detection and defense using multi
in eucalyptus cloud platform using snort and packet filtering— agent system. Clust Comput 22(4):9469–9476
IP-tables. In: Proceedings of the 4th international conference on 120. Kalaivani S, Vikram A, Gopinath G (2019) An effective swarm
information systems and computer networks. IEEE, pp 546–550 optimization based intrusion detection classifier system for cloud
102. Kim H, Kim J, Kim Y, Kim I, Kim KJ (2019) Design of network computing. In: Proceedings of the 5th international conference
threat detection and classification based on machine learning on on advanced computing and communication systems. IEEE, pp
cloud computing. Clust Comput 22(1):2341–2350 185–188
103. Wu M, Song Z, Moon YB (2019) Detecting cyber-physical 121. Chiba Z, Abghour N, Moussaid K, El Omri A, Rida M (2018) A
attacks in cyber manufacturing systems with machine learning novel architecture combined with optimal parameters for back
methods. J Intell Manuf 30(3):1111–1123 propagation neural networks applied to anomaly network intru-
104. Abusitta A, Bellaiche M, Dagenais M (2018) An SVM-based sion detection. Comput Secur 75:36–58
framework for detecting DoS attacks in virtualized clouds under 122. Chiba Z, Abghour N, Moussaid K, El Omri A, Rida M (2019)
changing environment. J Cloud Comput 7(1):1–18 New anomaly network intrusion detection system in cloud envi-
105. Nahmias D, Cohen A, Nissim N, Elovici Y (2020) Deep fea- ronment based on optimized back propagation neural network
ture transfer learning for trusted and automated malware sig- using improved genetic algorithm. Int J Commun Netw Inf Secur
nature generation in private cloud environments. Neural Netw 11(1):61–84
124:243–257 123. Zeadally S, Adi E, Baig Z, Khan IA (2020) Harnessing artificial
106. Garg S, Kaur K, Kumar N, Kaddoum G, Zomaya AY, Ranjan R intelligence capabilities to improve cybersecurity. IEEE Access
(2019) A hybrid deep learning-based model for anomaly detec- 8:23817–23837
tion in cloud datacenter networks. IEEE Trans Netw Serv Manag 124. Selvaraj A, Patan R, Gandomi AH, Deverajan GG, Pushparaj
16(3):924–935 M (2019) Optimal virtual machine selection for anomaly detec-
107. Chiba Z, Abghour N, Moussaid K, Rida M (2019) Intelligent tion using a swarm intelligence approach. Appl Soft Comput
approach to build a deep neural network based IDS for cloud 84:105686
environment using combination of machine learning algorithms. 125. Chen Z, Jiang F, Cheng Y, Gu X, Liu W, Peng J (2018) XGBoost
Comput Secur 86:291–317 classifier for DDoS attack detection and analysis in SDN-based

13
246 S. El Kafhali et al.

cloud. In: Proceedings of the international conference on big data conference on network and system security. Springer, Cham, pp
and smart computing. IEEE, pp 251–256 531–543
126. Balamurugan V, Saravanan R (2019) Enhanced intrusion 140. Devi BK, Subbulakshmi T (2019) Cloud-based DDoS attack
detection and prevention system on cloud environment using detection and defence system using statistical approach. Int J Inf
hybrid classification and OTS generation. Clust Comput Comput Secur 11(4–5):447–475
22(6):13027–13039 141. Mollah MB, Azad MdAK, Vasliakos A (2017) Security and pri-
127. Rakotondravony N, Taubmann B, Mandarawi W, Weishäupl vacy challenges in mobile cloud computing: Survey and way
E, Xu P, Kolosnjaji B, Reiser HP (2017) Classifying malware ahead. J Netw Comput Appl 84:38–54
attacks in IaaS cloud environments. J Cloud Comput 6(1):26 142. Basu S, Bardhan A, Gupta K, Saha P, Pal M, Bose M, Sarkar P
128. Alsirhani A, Sampalli S, Bodorik P (2018) DDoS attack detection (2018) Cloud computing security challenges and solutions—a
system: utilizing classification algorithms with Apache spark. survey. In: Proceedings of the 8th annual computing and com-
In: Proceedings of the 9th IFIP international conference on new munication workshop and conference, pp 347–356
technologies, mobility and security. IEEE, pp 1–7 143. Tank D, Aggarwal A, Chaubey N (2019) Virtualization vul-
129. Jia B, Huang X, Liu R, Ma Y (2017) A DDoS attack detection nerabilities, security issues, and solutions: a critical study
method based on hybrid heterogeneous multiclassifier ensemble and comparison. Int J Inf Technol. https://​doi.​org/​10.​1007/​
learning. J Electr Comput Eng 2017:9 s41870-​019-​00294-x
130. Mahmood HA (2018) Network intrusion detection system 144. Akshaya JMS, Padmavathi G (2019) Taxonomy of security
(NIDS) in cloud environment based on hidden Naïve Bayes attacks and risk assessment of cloud computing. In: Advances
multiclass classifier. Al-Mustansiriyah J Sci 28(2):134–142 in big data and cloud computing. Springer, Singapore, pp 37–59
131. Garg S, Kaur K, Kumar N, Batra S, Obaidat MS (2018) HyClass: 145. Maroc S, Zhang J (2019) Comparative analysis of cloud security
hybrid classification model for anomaly detection in cloud envi- classifications, taxonomies, and ontologies. In: Proceedings of
ronment. In: Proceedings of the international conference on com- the international conference on artificial intelligence and com-
munications. IEEE, pp 1–7 puter science, pp 666–672
132. Rajendran R, Kumar SS, Palanichamy Y, Arputharaj K (2019) 146. Singh KP, Rishiwal V, Kumar P (2018) Classification of data
Detection of DoS attacks in cloud networks using intelligent rule to enhance data security in cloud computing. In: Proceedings
based classification system. Clust Comput 22(1):423–434 of the 3rd international conference on internet of things: smart
133. Alsirhani A, Sampalli S, Bodorik P (2019) DDoS detection sys- innovation and usages, pp 1–5
tem: using a set of classification algorithms controlled by fuzzy 147. Almutairy NM, Al-Shqeerat KHA, Al Hamad HA (2019) A
logic system in apache spark. IEEE Trans Netw Serv Manag taxonomy of virtualization security issues in cloud computing
16(3):936–949 environments. Indian J Sci Technol 12(3):1–19
134. Aldribi A, Traoré I, Moa B, Nwamuo O (2020) Hypervisor-based 148. Hussain SA, Fatima M, Saeed A, Raza I, Shahzad RK (2017)
cloud intrusion detection through online multivariate statistical Multilevel classification of security concerns in cloud computing.
change tracking. Comput Secur 88:101646 Appl Comput Inf 13(1):57–65
135. Aborujilah A, Musa S (2017) Cloud-based DDoS HTTP attack 149. Singh A, Chatterjee K (2017) Cloud security issues and chal-
detection using covariance matrix approach. J Comput Netw lenges: a survey. J Netw Comput Appl 79:88–115
Commun 2017:0140–3664 150. El Kafhali S, Salah K (2017) Efficient and dynamic scaling of
136. Al-Hawawreh MS (2017) SYN flood attack detection in cloud fog nodes for IoT devices. J Supercomput 73(12):5261–5284
environment based on TCP/IP header statistical features. In: 151. Zhang D, Haider F, St-Hilaire M, Makaya C (2019) Model and
Proceedings of the 8th international conference on information algorithms for the planning of fog computing networks. IEEE
technology. IEEE, pp 236–243 Internet Things J 6(2):3873–3884
137. Pandey VC, Peddoju SK, Deshpande PS (2018) A statistical and 152. Chenthara S, Ahmed K, Wang H, Whittaker F (2019) Security
distributed packet filter against DDoS attacks in Cloud environ- and privacy-preserving challenges of e-Health solutions in cloud
ment. Sādhanā 43(3):32 computing. IEEE access 7:74361–74382
138. Kholidy HA (2019) Correlation-based sequence alignment mod-
els for detecting masquerades in cloud computing. IET Inf Secur Publisher’s Note Springer Nature remains neutral with regard to
14(1):39–50 jurisdictional claims in published maps and institutional affiliations.
139. Ivannikova E, Zolotukhin M, Hämäläinen T (2017) Probabilistic
transition-based approach for detecting application-layer DDOS
attacks in encrypted software-defined networks. In: International

13

You might also like