Security and Privacy Issues in Cloud Computing

The idea of Cloud Computing (CC) provides dynamically scalable services that are delivered over the Internet as a service. The key driver of the cloud is economic benefits, as it aims to minimize capital expenditure as well as operating expenditure. There are still some problems to be overcome in order for this to become reality. One of the important issue is security and privacy concerns, which has been addressed by many researchers but still the problem persist. Security assurance is an important driver for cloud adoption and for increasing cloud deployment. To provide a detailed overview of existing cloud security challenges and mitigation strategies, this paper provides a comprehensive survey of underlying cloud security and privacy issues and concerns along with countermeasures. Further; as a contribution in research, we have provided a framework to address the security and privacy concerns in CC. Proposed framework uses hybrid authentication mechanism for the security of CC. The study provides a deeper insight to the researchers and practitioners about CC and underlying security and privacy concerns along with countermeasures and a novel solution.


Introduction
CC is an important instrument that reflects the digital computing paradigm and business models for both software and hardware resources. Its economic advantage is that it provides an efficient way to minimize operating expenditures and capital expenditure. Despite CC is providing solutions to the most problem faced by individuals and organizations, it has exposed many businesses to security and privacy threats and issues [1,2]. Various researches have been done on privacy and security in CC. Arjun et al in paper [3] stated that security issues are based on the cloud provider, service user, and instance. Another researcher in paper [4] argued that security issues are based on the delivery model, PaaS, IaaS, and SaaS. There exist four cloud deployment models namely: public cloud, private cloud, hybrid cloud, and community cloud and each has its own security and privacy concerns. To provide an overview of cloud security and privacy attacks, we briefly elaborate some key attacks and challenges faced in CC for better understandability of the area under study Accounts hijack: In this type of attack, hackers attacks a CSP web service or application by installing their malicious software [5] CC abuse: Cloud security architecture considers it most serious attack because attackers attacks on CC power [6] Channel attacks: Such attacks interrupt the availability of services and disrupts privacy of data in IaaS layer of cloud [7] XSS Attacks: In this kind of attack, Java script language is used and it is usually found in web application [8] Insider attack: An attack would be insider attack when employees access services from CSP without the proper knowledge of security concerns [13] SQL Injection attacks: SQL statements are used to deactivate the security of the web application [14] Shared network attack: When multiple users share the same CC infrastructure, there is a strong chance of data breaches. Furthermore, if there is any security concern in to customer's infrastructure, it will be considered as threat to the cloud [15] Sniffer attacks: When unencrypted data is transferred then attacker can attack the network by using any application, or a device by sniffing network traffic [16] Virtual machine (VM) attack: A rapidly increasing shared VM technology can be attacked because of existing vulnerabilities [17] Anonymous risk: When cloud services are provided without considering any security and privacy protocols, data breaches can happen easily [18] Zombie attacks: This attack occurs at the virtual machine or hypervisor layer. Due to this attack, provided services slows down and fake accounts appears [16] Besides above mentioned attacks, CC is also facing lot of challenges. Some common challenges faced by CC are as follows Network access: It is typically considered a big challenge by cloud service providers because attackers can take control of networks and data breaches usually occur because of it [19] Security Management among CSPs: In cloud data management, maintaining and managing security specifications and complying with SLA is indeed a huge challenge. In order to meet the security criteria, CSPs can cooperate with each other [20] Accounting: In order to achieve better network management, it is a challenging task for CSPs to estimate and analyse networks before deployment [21] Shared Access: A challenge for service providers is to give access to the users. CSPs and consumers are responsible for taking measures to increase cloud security. There are still no effective solutions available e.g. in private cloud, users should be able to access the resources in a traditional way. So, the resources can be easily shared among the users depending on their needs [12] Heterogeneous issue: Multiple technologies are used by the CSPs to deliver a large amount of services due to which heterogeneity occurs [5] Security policies: Cloud infrastructure requires a strong security framework and guidelines to be applied [22] Information loss: Losing gadgets or computers, such as phones or laptops, may allow an intruder to access personal information through theft [23] Web browser security: Web brewers are not secure for using banking solutions. Such information can be hacked [24] International  Figure 1: Common security challenges of CC Figure 1 provides a broad picture of key challenges faced by CC. The remaining part of the paper is organized as follows: Section 2 discusses literature review and relevant findings related to CC. Section 3 discusses existing cryptographic solutions for CC. In section 4, we proposed a conceptual framework to fix the challenges of CC. Section 5 analyse the proposed framework. Finally section 6 conclude the paper by providing directions for future research. Table 1 provides the list of acronyms and abbreviations used in this study for better understanding of the readers.

Literature review
In this section, we will discuss some latest researches to provide the current-state-of-the art regarding security concerns in CC based on key CC parameters which include availability, security, privacy, confidentiality and integrity. This study aims to address some key security dimensions including data availability, confidentiality, and integrity. It also highlights some common security threats such as hijacking, denial services, loss of control, invalid storage, and data boundaries. Researchers stated that to maintain the user confidential information, one has to avoid sharing or using the system with an unknown service provider or any public user. Information seizes to be confidential only when the user shares its credentials with the service provider or any other user. Increased data storage in the system may lead to overloading and thus cause to system failure that will ultimately leads to loss of integrity. Loss of control happens due to the client's information being owned by the provider and there always exist the risk of manipulation. Lack of storage to store data enforce clients to pay for secondary storage, that create the issue of privacy [25] Similarly, in another study [26], the essential factors of CC were discussed with main focus on security and privacy concerns. Service provider and vendors requests for service competency and user's security information. Issues arising in security management are reliability, privacy, access to data control, and legal problems. To manage privacy, the provider has considered encryption of data. However; the cloud service provider can experience insider or outsider attack compromising data security, confidentiality and integrity. To overcome these problems, CSPs have to take proper measures such as identity management and access control.
Paper [27] addresses the problems of consumer safety, attention is also given to the competitiveness of the proposed system. The authors propose that the client should get nothing into the database, and the server should not collect any information about the biometric relation. The property-based encryption method was proposed for the identification of sophisticated sharing of data. The fine-scale, high data consumer performance, and standard privacy of cloud data sharing still remain unclear.
A study in [28], state that various security models have been suggested for enhanced security, there is still no universal solution for coping with both safety and privacy issues. CC poses various threats to privacy and security; namely loss of data and accessibility, account hijacking, user, and service provider problems. Further, it emphasize that safety systems should be paid more attention. Besides, the technique for the classification of knowledge to be followed depends on whether you need to defend yourself from outsider attackers or even insiders. Current ways of dealing with insiders safely rely on protocols for location abnormality.
According to [29], security and privacy are the critical challenges of the computing application. This paper identifies several aspects of protection, including confidentiality, availability, and honesty. It also debates on protection and privacy issues. According to this paper, data encryption is the safest possible way to maintain confidentiality. However, essential control is a severe problem of encryption. The data owners can not presume to handle keys. Key management is expected from cloud service providers, and this is not a good option. The object of data integrity is to protect data from unlawful users being altered or deleted. In centralized structures, data confidentiality can be easily achieved. If unauthorized users deduce something from the cloud data, the privacy of the data is impaired. Misuse of data and the prevention of attacks are the most significant privacy risks to cloud storage. The attacker aim to misuse and destroy cloud data and will try to access it using the hash code. This causes the confidential data to be leaked. Different cloud services providers, including Microsoft Azure, Google Web Services, etc. provide cost-effective cloud access. They offer consumer and customer services on demand that pays what they get but security, privacy, and data protection are still significant concerns. It involves the production and distribution of replicas of shares among different providers of resources. For encrypting the shares, the AES algorithm is employed. The scheme and AES algorithms created shares are known as encapsulated shares. The technique is proposed to improve safety and reduce fraud. The technology offered is used to address the complex maintenance issue According to [30], static data protection guarantees the safety of static information on the cloud storage system, while dynamic storage security guarantees integrity and trust during the transmission of data. Encryption is an efficient tool for data security protection. Data encoding is necessary when translating the original data or plaintext file using specific algorithms in unreadable code strings, commonly referred to as ciphertext. In such case, if anyone intercepts the faded code, they cannot use the faded code to get the original information and ensure that it is confidentially preserved In paper [31], entity connections between cloud entities/players are highlighted for revealing protection areas in each cloud layer. This research work promotes the concept of compliance or corrective measures based on a security incident source or origin. This is an example of the unique security concerns of the public cloud. The facility is managed by a service provider where consumers access resources from an unreliable network. Public clouds are deemed financially viable. Special security issues unique to hybrid clouds in which the company and a third-party control and own a model infrastructures. Another simple opportunity is the potential to make any cloud agency more accountable by easily defining a source or origin of a safety incident, including enforcing disciplinary or remedial steps.
Paper [32] discuss a data-centric way for enhancing security , it provides a Computing Trust principle that offers trusted third-party technology to protect cloud providers' virtual machines. This idea gives the user many tools to track and analyse the data in a controlled way safely. It is evident that a partially trusted or trusted brand of cloud provides strong privacy, but the insecure server can depict clients with protected data. Still, it could be possible to exploit a legitimate user pattern in the same period as an untrusted cloud provider and provides a Computing Trust principle that offers trusted third-party technology to protect cloud providers' virtual machines. This idea gives the user many tools to track and analyse the data in a controlled way safely. It has been noted that the data provider establishes only the protection set by third parties. The big concern is that the user or the third party does not manage the solutions outside the user's domain. The danger is that any unknown persons will gain access to and exploit the data.
To resolve security concerns, researchers of paper [33] claims that there is need to define a range of attributes representing many aspects of cloud security and privacy. They analyse the availability of resources for cloud data retrieval and security in a disaster event and they further measure the robustness of the VM Manager (VMM) mechanism for safe operation. They encompass measurements, networking, and storage to identify protection against unauthorized usage by scrambling the content on its way from the user to the cloud, so that it is read-only by someone with a coding key to unscramble. Paper [34] discuss the CC Challenges in healthcare domain. According to this research, the present trend towards the design of cloud-hosted applications follows Microservices' approach, which splits the whole application into several logic and execution units and distributes application data between them for better protection and confidentiality. The use of microservices to architecture cloud service-oriented software adds to the imagined scenario's security and privacy problems due to the well-known issue of the sharking trend in the literature. An excellent hybrid-CC environment focused on the interactive health care system framework has been suggested by [35]. A peer-to-peer cloud system is divided into small blocks that are reliable and enhance data security storage. Presence of big data analytics that analyse data efficiently and offer the client needed results. Their approach assesses the design of an installed layered cloud and proposes a way to handle data storage. Consider potential threats and put countermeasures in place to protect the system and improve patient information privacy. Data storage is carried out separately, and storage facilities are connected by a series of operations to assign space and facilitate data requests, resulting in low chances of data loss.
The above discussion shows that cryptographic solutions provide a common way to secure CC environment. Cloud cryptography uses encryption methods to protect data that is used or stored in the cloud. It helps users to access shared cloud resources easily and safely, as all information hosted by cloud providers is secured by encryption. In section below, we provide existing cryptographic solutions and then based on these solutions we will provide a framework that will address the security and privacy concerns of CC Since there is no confirm solution exist for data confidentiality and protection, organizations usually fear about the loss of data in the cloud. Logically, certain ways of enhancing data storage and privacy may be enforced by SLA. Here, we are going to explore in detail some countermeasures relating to data protection and security. There are several cryptographic solutions currently available that are used to overcome security and privacy attacks. Some solutions are already discussed but further detail is added in this section.

Symmetric-key Encryption:
The use of Symmetric-key encryption is an easy and fast method of encrypting data in CC. Special key for data encryption and data decryption is used in this technique, and this key should be exchanged before data transfer between users. Common methodologies for symmetric encryption are AES and DES [36].

1) Data Encryption Standard(DES)
One of the most effective technique that utilizes fewer physical resources. A higher level of data security can also be provided by adding another cipher key to this technique.

2) Advanced Encryption Standard (AES)
This approach is used for block data encryption. Currently, there are several reliable AES based low cost solutions available that use less computational power

Asymmetric-key encryption:
AES is more secure and effective encryption technique, but it is slow and normally requires huge ciphers with complexed algorithms. RSA and DH are most common types of Asymmetric-key encryption [36].

1) Rivest, Shamir, and Adleman(RSA)
It is one of the practical solutions, developed before 2000. In this techniques, key-size requires to be same as of modulus and it is built on prime factors so, larger keys are used for better security.

2) Diffie-Hellman key
The purpose of this technique is to share keys over unsecure channel and 2048 bits are required for encrypted exchange.

3) Elliptic curve encryption (ECE)
ECE is a famous scheme because it requires less computational power and it was developed by Koblitz et al [37] The Asymmetric encryption algorithms is considered effective in case of security but complex implementations are required by using backend mathematical operational developments.

Secure Hash Algorithms
SHA is widely used technique for securing and authenticating data. In this method, values are created using hash functions. These values are further used to verify the reliability and integrity of data. The most common application for this type of algorithm is the digital document. Many secure hash algorithms are currently presented. Among all the available SHA hash functions, SHA2 and SHA3 are mostly used and reliable algorithms. SHA 2 comprises of six hash functions with various bit combinations using 224, 56, 384, or 512.It is not easy to implement this function. An advanced hash function that substituted the SHA 1 and SHA2 is SHA-3, but it is also complex to implement [38]. Many other cryptographic solutions are available for securing data. These solutions offer different cryptographic features. Some of the common encryption solutions are Homomorphic encryption, ABE, IBE, Multi-party secure computation, verifiable computation. Other than that, NIST has published a Format Preserving Encryption standard in 2016 which is useful for big data and complex application [39].

Proposed conceptual framework for CC security and privacy issues:
Security and privacy are the main issues of CC and to resolve these issues complex computational algorithms are implemented. Such algorithms gradually decrease the cloud performance, so, it is better to use more than one server for enhancing security features. Multiple servers can be used separately for authentication and encryption purposes. Web-based applications are usually protected from bot attacks by using CAPTCHA and multi-factor authentication. Two factor authentication technique is already used in CC systems. AES and RSA can be used together as a hybrid technique to enhance data security. In such technique, AES can encrypt and decrypt the data whereas the RSA can be used to encrypt and decrypts the symmetric key of AES. So, in this paper we have presented a conceptual framework that provides security and privacy model and using this framework, confidentiality, authentication, and integrity can be achieved as shown in figure 2.

Figure 2: Proposed framework for addressing security and privacy concerns in CC
Suitable security approaches are crucial for defining appropriate framework. Numerous techniques are already implemented to overcome the security and privacy issues. Such techniques include user and password authentication, verification, cryptography, and CAPTCHA etc. Many researchers have provided detailed frameworks to implement these solutions. Consequently, success of CC security totally depends on implementing appropriate methods.
In our framework, there are two servers; one for authentication and the other one for cryptography operation. In this way, the performance and speed will remain intact and time consumption to complete process will be improved as shown in our proposed framework. When the client wants to upload the data on the cloud, data verification request will be sent to the server 1and server 1 will verify the request in order to avoid zombie attack so that real client could upload his data safely. Server 1 uses two approaches to avoid zombie and bot attacks. First approach is to verify the client's identity using TFA and the second approach is to use CAPTCHA. Server 2 manages the encryption of data by using AES and RSA techniques. The user also creates encrypted data keys using SHA-256. That encrypted data will be stored on the cloud. In order to regain the uploaded cloud data, the same authentication process will be followed again which are use of TFA and CAPTCHA. After getting access to the data, the client again creates the key using SHA-256, and compares keys. Data will be accepted in case of similar keys. To decrypt the data, RSA approach will be applied to the AES key and then original data will be accessed.
Proposed framework is safe to use because it gives security against dictionary attack, brute-force, key logger and replay attacks by using CAPTCHA, TFA. Using two servers will resolve issues like security and server speed. Server performance will also be better. The other proposed systems face main challenges like resource allocations, time issue and security. The only solution is to use more than one server so that resources can be utilized effectively. In this way, availability, integrity and confidentiality will be achieved easily.

Discussion
There is no doubt in the efficiency and performance of CC services and application. This field is used to improve applications and services in numerous organizations. Storing data on the cloud is easy to access for users but at the same time, it creates issues like confidentiality, integrity and availability. Our proposed conceptual framework uses simple yet effective techniques to enhance security and privacy. Suggested techniques will prevent attacks and will provide security. In the proposed scheme, two factor authentication mechanism is used that protects the data from security breaches. Combining two security techniques namely RSA and AES enhances security and privacy. This framework can be further strengthened by using optimization techniques. Some commonly used techniques for optimization purposes are pollination technique, Bat method, Honey bee, Cuckoo search, Particle swarm and Flower algorithm. Further, CMA-ES is commonly used for resource allocation that provides effective solution for optimization. The main feature is to search cipher for symmetric encryption. CMA-ES is capable to generate multiple cipher texts by modifying the key [40,41]. As a result, this proves that optimization can easily enhance the performance and security. Lastly, optimization techniques are suggested for resource allocation, CMA-ES is a good example for optimization technique. To conclude the analysis of the proposed framework, our work uses multiple encryption techniques so that integrity, confidentiality and availability can be attained. The security and privacy are the major concerns in Cloud for cloud operations, as well as for the different applications which run with the cloud [42][43]. These issues deemed the performance of the Cloud and applications supported by them. The researchers presented several approaches related to load balancing [44], lightweight, etc. to indirectly support to the security issues.

Conclusion and future work
Cloud computing is the distribution of computing services over the Internet ("the cloud"), including servers , storage , databases, networking, applications, analytics and intelligence, to provide quicker innovation, versatile resources and economies of scale. Lot of organizations are shifted to clouds and remaining are thinking about it. However; some of the key challenges faced by cloud computing is that of privacy and security. Confidentiality, availability and integrity are also important for maintaining security and privacy of data. This paper provides a comprehensive survey to provide the state-of-the-art knowledge about CC privacy and security concerns, key attacks targeting clouds and challenges faced by CC. Further, it discuss commonly used cryptographic techniques. Based on all this, a hybrid