cloud

1. 2012 45th Hawaii International Conference on System Sciences
Cloud Computing Security: From Single to Multi-Clouds
Mohammed A. AlZain #, Eric Pardede #, Ben Soh #, James A. Thom*
# Department of Computer Science and Computer Engineering,
La Trobe University, Bundoora 3086, Australia.
Email: [maalzain@students., E.Pardede@, B.soh@]latrobe.edu.au
* School of Computer Science and Information Technology
RMIT University, GPO Box 2476, Melbourne 3001, Australia.
Email: [james.thom@rmit.edu.au]
Abstract Cloud providers should address privacy and
The use of cloud computing has increased rapidly security issues as a matter of high and urgent priority.
in many organizations. Cloud computing provides Dealing with “single cloud” providers is becoming
many benefits in terms of low cost and accessibility of less popular with customers due to potential problems
data. Ensuring the security of cloud computing is a such as service availability failure and the possibility
major factor in the cloud computing environment, as that there are malicious insiders in the single cloud. In
users often store sensitive information with cloud recent years, there has been a move towards “multi-
storage providers but these providers may be clouds”, “intercloud” or “cloud-of-clouds”.
untrusted. Dealing with “single cloud” providers is This paper focuses on the issues related to the data
predicted to become less popular with customers due security aspect of cloud computing. As data and
to risks of service availability failure and the information will be shared with a third party, cloud
possibility of malicious insiders in the single cloud. A computing users want to avoid an untrusted cloud
movement towards “multi-clouds”, or in other words, provider. Protecting private and important information,
“interclouds” or “cloud-of-clouds” has emerged such as credit card details or a patient’s medical
recently. records from attackers or malicious insiders is of
This paper surveys recent research related to single critical importance. In addition, the potential for
and multi-cloud security and addresses possible migration from a single cloud to a multi-cloud
solutions. It is found that the research into the use of environment is examined and research related to
multi-cloud providers to maintain security has received security issues in single and multi-clouds in cloud
less attention from the research community than has computing are surveyed.
the use of single clouds. This work aims to promote the The remainder of this paper is organized as follows.
use of multi-clouds due to its ability to reduce security Section 2 describes the beginning of cloud computing
risks that affect the cloud computing user. and its components. In addition, it presents examples
of cloud providers and the benefits of using their
services. Section 3 discusses security risks in cloud
General Terms
computing. Section 4 analyses the new generation of
Security
cloud computing, that is, multi-clouds and recent
solutions to address the security of cloud computing, as
Keywords well as examining their limitations. Section 5 presents
Cloud computing, single cloud, multi-clouds, cloud suggestions for future work. Section 6 will conclude
storage, data integrity, data intrusion, service the paper.
availability.
2. Background
1. Introduction
NIST [1] describes cloud computing as “a model for
The use of cloud computing has increased rapidly in enabling convenient, on-demand network access to a
many organizations. Subashini and Kavitha [49] argue shared pool of configurable computing resources (e.g.,
that small and medium companies use cloud computing networks, servers, storage, applications, and services)
services for various reasons, including because these that can be rapidly provisioned and released with
services provide fast access to their applications and minimal management effort or service provider
reduce their infrastructure costs. interaction”.
978-0-7695-4525-7/12 $26.00 © 2012 IEEE 5490
DOI 10.1109/HICSS.2012.153

2. 2.1 Cloud Computing Components available for a particular group, while a community
cloud is modified for a specific group of customers.
The cloud computing model consists of five Hybrid cloud infrastructure is a composition of two or
characteristics, three delivery models, and four more clouds (private, community, or public cloud)
deployment models [1]. The five key characteristics of [51]. This model represents the third layer in the cloud
cloud computing are: location-independent resource environment architecture.
pooling, on-demand self-service, rapid elasticity, broad Kamara and Lauter [25] present two types of cloud
network access, and measured service [51]. These five infrastructure only, namely private and public clouds.
characteristics represent the first layer in the cloud The infrastructure that is owned and managed by users
environment architecture (see Figure1). is in the private cloud. Data that is accessed and
controlled by trusted users is in a safe and secure
private cloud, whereas the infrastructure that is
Layer Cloud Computing Components
managed and controlled by the cloud service provider
On-demand
is in a public cloud. In particular, this data is out of the
self-service user’s control, and is managed and shared with unsafe
and untrusted servers [25].
Broad network
Five access 2.2 Cloud Service Providers Examples
Characteristics Resource Rapid In the commercial world, various computing needs
pooling elasticity
are provided as a service. The service providers take
Measured care of the customer's needs by, for example,
Service maintaining software or purchasing expensive
hardware. For instance, the service EC2, created by
Three Delivery Amazon, provides customers with scalable servers. As
IaaS PaaS SaaS
models another example, under the CLuE program, NSF joined
with Google and IBM to offer academic institutions
Four Private access to a large-scale distributed infrastructure [4].
Public
There are many features of cloud computing. First,
Deployment
Community
cloud storages, such as Amazon S3, Microsoft
Hybrid
models SkyDrive, or NirvanixCLoudNAS, permit consumers
to access online data. Second, it provides computation
resources for users such as Amazon EC2. Third,
Figure 1: Cloud Environment Architecture.
Google Apps or versioning repositories for source code
are examples of online collaboration tools [12].
The three key cloud delivery models are
Cloud service providers should ensure the security
infrastructure as a service (IaaS), platform as a service
of their customers’ data and should be responsible if
(PaaS), and software as a service (SaaS). In IaaS, the
any security risk affects their customers’ service
user can benefit from networking infrastructure
infrastructure. A cloud provider offers many services
facilities, data storage and computing services. In other
that can benefit its customers, such as fast access to
words, it is the delivery of computer infrastructure as a
their data from any location, scalability, pay-for-use,
service. An example of IaaS is the Amazon web
data storage, data recovery, protection against hackers,
service [25]. In PaaS, the user runs custom applications
on-demand security controls, and use of the network
using the service provider’s resources. It is the delivery
and infrastructure facilities [49].
of a computing platform and solution as a service. An
Reliability and availability are other benefits of the
example of PaaS is GoogleApps. Running software on
public cloud, in addition to low cost [25]. However,
the provider’s infrastructure and providing licensed
there are also concerning issues for public cloud
applications to users to use services is known as SaaS.
computing, most notably, issues surrounding data
An example of SaaS is the Salesforce.com CRM
integrity and data confidentiality. Any customer will be
application [25],[49],[51]. This model represents the
worried about the security of sensitive information
second layer in the cloud environment architecture.
such as medical records or financial information[25].
Cloud deployment models include public, private,
community, and hybrid clouds. A cloud environment
that is accessible for multi-tenants and is available to
the public is called a public cloud. A private cloud is
5491

3. 3. Security Risks in Cloud Computing addition, the path for the transmitted data can be also
affected, especially when the data is transmitted to
Although cloud service providers can offer benefits many third-party infrastructure devices[41].
to users, security risks play a major role in the cloud As the cloud services have been built over the
computing environment [53]. Users of online data Internet, any issue that is related to internet security
sharing or network facilities are aware of the potential will also affect cloud services. Resources in the cloud
loss of privacy [12]. According to a recent IDC survey are accessed through the Internet; consequently even if
[16], the top challenge for 74% of CIOs in relation to the cloud provider focuses on security in the cloud
cloud computing is security. Protecting private and infrastructure, the data is still transmitted to the users
important information such as credit card details or through networks which may be insecure. As a result,
patients’ medical records from attackers or malicious internet security problems will affect the cloud, with
insiders is of critical importance [34]. Moving greater risks due to valuable resources stored within
databases to a large data centre involves many security the cloud and cloud vulnerability. The technology used
challenges [55] such as virtualization vulnerability, in the cloud is similar to the technology used in the
accessibility vulnerability, privacy and control issues Internet. Encryption techniques and secure protocols
related to data accessed from a third party, integrity, are not sufficient to protect data transmission in the
confidentiality, and data loss or theft. Subashini and cloud. Data intrusion of the cloud through the Internet
Kavitha [49] present some fundamental security by hackers and cybercriminals needs to be addressed
challenges, which are data storage security, application and the cloud environment needs to be secure and
security, data transmission security, and security private for clients [49].
related to third-party resources. We will address three security factors that
In different cloud service models, the security particularly affect single clouds, namely data integrity,
responsibility between users and providers is different. data intrusion, and service availability.
According to Amazon [46], their EC2 addresses
security control in relation to physical, environmental, 3.1 Data Integrity
and virtualization security, whereas, the users remain
responsible for addressing security control of the IT One of the most important issues related to cloud
system including the operating systems, applications security risks is data integrity. The data stored in the
and data. cloud may suffer from damage during transition
According to Tabakiet al. [51], the way the operations from or to the cloud storage provider.
responsibility for privacy and security in a cloud Cachinet al.[12] give examples of the risk of attacks
computing environment is shared between consumers from both inside and outside the cloud provider, such
and cloud service providers differs between delivery as the recently attacked Red Hat Linux’s distribution
models. In SaaS, cloud providers are more responsible servers [40]. Another example of breached data
for the security and privacy of application services than occurred in 2009 in Google Docs, which triggered the
the users. This responsibility is more relevant to the Electronic Privacy Information Centre for the Federal
public than the private cloud environment because the Trade Commission to open an investigation into
clients need more strict security requirements in the Google’s Cloud Computing Services [12]. Another
public cloud. In PaaS, users are responsible for taking example of a risk to data integrity recently occurred in
care of the applications that they build and run on the Amazon S3 where users suffered from data corruption
platform, while cloud providers are responsible for [50]. Further examples giving details of attacks can be
protecting one user’s applications from others. In IaaS, read in [12],[40],[50].
users are responsible for protecting operating systems Cachinet al.[12]argue that when multiple clients
and applications, whereas cloud providers must use cloud storage or when multiple devices are
provide protection for the users’ data [51]. synchronized by one user, it is difficult to address the
Ristenpartet al. [41] claim that the levels of security data corruption issue. One of the solutions that they
issues in IaaS are different. The impact of security [12] propose is to use a Byzantine fault-tolerant
issues in the public cloud is greater than the impact in replication protocol within the cloud. Hendricks et al.
the private cloud. For instance, any damage which [23] state that this solution can avoid data corruption
occurs to the security of the physical infrastructure or caused by some components in the cloud. However,
any failure in relation to the management of the Cachinet al. [12] claim that using the Byzantine fault-
security of the infrastructure will cause many tolerant replication protocol within the cloud is
problems. In the cloud environment, the physical unsuitable due to the fact that the servers belonging to
infrastructure that is responsible for data processing cloud providers use the same system installations and
and data storage can be affected by a security risk. In are physically located in the same place.
5492

4. Although this protocol solves the problem from a modified by Amazon S3. These technologies protect
cloud storage perspective, Cachinet al. [12] argue that users from Amazon data modification and from
they remain concerned about the users’ view, due to hackers who may have obtained access to their email
the fact that users trust the cloud as a single reliable or stolen their password [19].
domain or as a private cloud without being aware of
the protection protocols used in the cloud provider’s
servers. As a solution, Cachinet al. [12] suggest that 4. Multi-Clouds Computing Security
using Byzantine fault-tolerant protocols across multiple
clouds from different providers is a beneficial solution. This section will discuss the migration of cloud
computing from single to multi-clouds to ensure the
3.2 Data Intrusion security of the user’s data.
According to Garfinkel[19], another security risk 4.1 Multi-Clouds: Preliminary
that may occur with a cloud provider, such as the
Amazon cloud service, is a hacked password or data The term “multi-clouds” is similar to the terms
intrusion. If someone gains access to an Amazon “interclouds” or “cloud-of-clouds” that were
account password, they will be able to access all of the introduced by Vukolic [54]. These terms suggest that
account’s instances and resources. Thus the stolen cloud computing should not end with a single cloud.
password allows the hacker to erase all the information Using their illustration, a cloudy sky incorporates
inside any virtual machine instance for the stolen user different colors and shapes of clouds which leads to
account, modify it, or even disable its services. different implementations and administrative domains.
Furthermore, there is a possibility for the user’s Recent research has focused on the multi-cloud
email(Amazon user name) to be hacked (see [18] for a environment [3],[8],[10],[11] which control several
discussion of the potential risks of email), and since clouds and avoids dependency on any one individual
Amazon allows a lost password to be reset by email, cloud.
the hacker may still be able to log in to the account Cachin et al. [11] identify two layers in the multi-
after receiving the new reset password. cloud environment: the bottom layer is the inner-cloud,
while the second layer is the inter-cloud. In the inter-
3.3 Service Availability cloud, the Byzantine fault tolerance finds its place. We
will first summarize the previous Byzantine protocols
Another major concern in cloud services is service over the last three decades.
availability. Amazon [6] mentions in its licensing
agreement that it is possible that the service might be 4.2 Introduction of Byzantine Protocols
unavailable from time to time. The user’s web service
may terminate for any reason at any time if any user’s In cloud computing, any faults in software or
files break the cloud storage policy. In addition, if any hardware are known as Byzantine faults that usually
damage occurs to any Amazon web service and the relate to inappropriate behavior and intrusion tolerance.
service fails, in this case there will be no charge to the In addition, it also includes arbitrary and crash faults
Amazon Company for this failure. Companies seeking [54]. Much research has been dedicated to Byzantine
to protect services from such failure need measures fault tolerance (BFT) since its first introduction [28],
such as backups or use of multiple providers [19]. Both [38]. Although BFT research has received a great deal
Google Mail and Hotmail experienced service down- of attention, it still suffers from the limitations of
time recently [12]. If a delay affects payments from practical adoption [27] and remains peripheral in
users for cloud storage, the users may not be able to distributed systems [54].
access their data. Due to a system administrator error, The relationship between BFT and cloud
45% of stored client data was lost in LinkUp computing has been investigated, and many argue that
(MediaMax) as a cloud storage provider [12]. in the last few years, it has been considered one of the
Garfinkel[19] argues that information privacy is not major roles of the distributed system agenda.
guaranteed in Amazon S3. Data authentication which Furthermore, many describe BFT as being of only
assures that the returned data is the same as the stored “purely academic interest” for a cloud service [9]. This
data is extremely important. Garfinkel claims that lack of interest in BFT is quite different to the level of
instead of following Amazon’s advice that interest shown in the mechanisms for tolerating crash
organizations encrypt data before storing them in faults that are used in large-scale systems. Reasons that
Amazon S3, organizations should use HMAC [26] reduce the adoption of BFT are, for example,
technology or a digital signature to ensure data is not
5493

5. difficulties in design, implementation, or understanding cloud. The DepSky data model consists of three
of BFT protocols [54]. abstraction levels: the conceptual data unit, a generic
As mentioned earlier, BFT protocols are not data unit, and the data unit implementation.
suitable for single clouds. Vukolic [54] argues that one
of the limitations of BFT for the inner-cloud is that DepSKy System model. The DepSky system model
BFT requires a high level of failure independence, as contains three parts: readers, writers, and four cloud
do all fault-tolerant protocols [45]. If Byzantine failure storage providers, where readers and writers are the
occurs to a particular node in the cloud, it is reasonable client’s tasks. Bessani et al. [8] explain the difference
to have a different operating system, different between readers and writers for cloud storage. Readers
implementation, and different hardware to ensure such can fail arbitrarily (for example, they can fail by
failure does not spread to other nodes in the same crashing, they can fail from time to time and then
cloud. In addition, if an attack happens to a particular display any behavior) whereas, writers only fail by
cloud, this may allow the attacker to hijack the crashing.
particular inner-cloud infrastructure [54].
Cloud storage providers in the DepSky system
4.3 DepSky System: Multi-Clouds Model model. The Byzantine protocols involve a set of
storage clouds (n) where n = 3 f +1, and f is maximum
This section will explain the recent work that has number of clouds which could be faulty. In addition,
been done in the area of multi-clouds. Bessani et al. [8] any subset of (n – f) storage cloud creates byzantine
present a virtual storage cloud system called DepSky quorum protocols [8].
which consists of a combination of different clouds to
build a cloud-of-clouds. The DepSky system addresses 4.4 Analysis of Multi-Cloud Research
the availability and the confidentiality of data in their
storage system by using multi-cloud providers, Moving from single clouds or inner-clouds to multi-
combining Byzantine quorum system protocols, clouds is reasonable and important for many reasons.
cryptographic secret sharing and erasure codes [8]. According to Cachinet al. [12] “Services of single
clouds are still subject to outage”. In addition, Bowers
4.3.1 DepSky Architecture et al. [10] showed that over 80% of company
management “fear security threats and loss of control
The DepSky architecture [8] consists of four clouds of data and systems”. Vukolic [54] assumes that the
and each cloud uses its own particular interface. The main purpose of moving to interclouds is to improve
DepSky algorithm exists in the clients’ machines as a what was offered in single clouds by distributing
software library to communicate with each cloud reliability, trust, and security among multiple cloud
(Figure 2). These four clouds are storage clouds, so providers. In addition, reliable distributed storage [15]
there are no codes to be executed. The DepSky library which utilizes a subset of BFT techniques was
permits reading and writing operations with the storage suggested by Vukolic [54] to be used in multi-clouds.
clouds. A number of recent studies in this area have built
protocols for interclouds. RACS (Redundant Array of
Cloud Storage) [3] for instance, utilizes RAID-like
techniques that are normally used by disks and file
systems, but for multiple cloud storage. Abu-Libdeh et
al. [3] assume that to avoid “vender lock-in”,
distributing a user’s data among multiple clouds is a
helpful solution. This replication also decreases the
cost of switching providers and offers better fault
tolerance. Therefore, the storage load will be spread
among several providers as a result of the RACS proxy
[3].
HAIL (High Availability and Integrity Layer) [10]
Figure 2:DepSky Architecture [8]. is another example of a protocol that controls multiple
clouds. HAIL is a distributed cryptographic system that
DepSky Data model. As the DepSky system deals permits a set of servers to ensure that the client’s stored
with different cloud providers, the DepSky library data is retrievable and integral. HAIL provides a
deals with different cloud interface providers and software layer to address availability and integrity of
consequently, the data format is accepted by each the stored data in an intercloud [10].
5494

6. Cachin et al. [11] present a design for intercloud that this is an active area in research on cryptographic
storage (ICStore), which is a step closer than RACS methods for stored data authentication. Cachinet al.
and HAIL as a dependable service in multiple clouds. [12] argue that although the previous methods allow
Cachin et al. [11] develop theories and protocols to consumers to ensure the integrity of their data which
address the CIRC attributes (confidentiality, integrity, has been returned by servers, they do not guarantee
reliability and consistency) of the data stored in clouds. that the server will answer a query without knowing
As mentioned before, Bessani et al. [8] present a what that query is and whether the data is stored
virtual storage cloud system called DepSky consisting correctly in the server or not. Proofs of Retrievability
of a combination of different clouds to build a cloud- (PORs) and Proofs of Data Possession (PDP) are
of-clouds. Bessani et al. [8] discuss some limitations of protocols introduced by Juels and Kaliski [24] and
the HAIL protocol and RACS system when compared Ateniese et al. [7] to ensure high probability for the
with DepSky. HAIL does not guarantee data retrieval of the user’s data. Cachinet al. [12] suggest
confidentiality, it needs code execution in their servers, using multiple cloud providers to ensure data integrity
and it does not deal with multiple versions of data. in cloud storage and running Byzantine-fault-tolerant
None of these limitations are found in DepSky [8], protocols on them where each cloud maintains a single
whereas the RACS system differs from the DepSky replica [14],[23]. Computing resources are required in
system in that it deals with “economic failures” and this approach and not only storage in the cloud, such a
vendor lock-in and does not address the issue of cloud service provided in Amazon EC2, whereas if only
storage security problems. In addition, it also does not storage service is available, Cachin et al. [12] suggest
provide any mechanism to ensure data confidentiality working with Byzantine Quorum Systems [32] by
or to provide updates of the stored data. Finally, the using Byzantine Disk Paxos[2] and using at least four
DepSky system presents an experimental evaluation different clouds in order to ensure users’ atomicity
with several clouds, which is different from other operations and to avoid the risk of one cloud failure.
previous work on multi-clouds [8]. As mentioned earlier, the loss of availability of
There are a number of studies on gaining constancy service is considered one of the main limitations in
from untrusted clouds. For instance, similar to DepSky, cloud computing and it has been addressed by storing
Depot improves the flexibility of cloud storage, as the data on several clouds. The loss of customer data
Mahajan et al. believe that cloud storages face many has caused many problems for many users such as the
risks [30]. However, Depot provides a solution that is problem that occurred in October 2009 when the
cheaper due to using single clouds, but it does not contacts, photos, etc. of many users of the Sidekick
tolerate losses of data and its service availability service in Microsoft were lost for several days [44].
depends on cloud availability [8]. Other work which Bessani et al. [8] use Byzantine fault-tolerant
implements services on top of untrusted clouds are replication to store data on several cloud servers, so if
studies such as SPORC [17] and Venus [48]. These one of the cloud providers is damaged, they are still
studies are different from the DepSky system because able to retrieve data correctly. Data encryption is
they consider a single cloud (not a cloud-of-clouds). In considered the solution by Bessani et al. [8] to address
addition, they need code execution in their servers. the problem of the loss of privacy. They argue that to
Furthermore, they offer limited support for the protect the stored data from a malicious insider, users
unavailability of cloud services in contrast to DepSky should encrypt data before it is stored in the cloud. As
[8]. the data will be accessed by distributed applications,
the DepSky system stores the cryptographic keys in the
4.5 Current Solutions of Security Risks cloud by using the secret sharing algorithm to hide the
value of the keys from a malicious insider.
In order to reduce the risk in cloud storage, In the DepSky system, data is replicated in four
customers can use cryptographic methods to protect the commercial storage clouds (Amazon S3,Windows
stored data in the cloud [12]. Using a hash function Azure, Nirvanix and Rackspace); it is not relayed on a
[35] is a good solution for data integrity by keeping a single cloud, therefore, this avoids the problem of the
short hash in local memory. In this way, authentication dominant cloud causing the so-called vendor lock-in
of the server responses is done by recalculating the issue [3]. In addition, storing half the amount of data in
hash of the received data which is compared with the each cloud in the DepSky system is achieved by the
local stored data [12]. If the amount of data is large, use of erasure codes. Consequently, exchanging data
then a hash tree is the solution [35]. Many storage between one provider to another will result in a smaller
system prototypes have implemented hash tree cost. The DepSky system aims to reduce the cost of
functions, such as SiRiUS [20] and TDB [31]. using four clouds(which is four times the overhead) to
Mykletun et al. [36] and Papamanthou et al. [37] claim
5495

7. twice the cost of using a single cloud, which is a Rocha and Correia [42] classified four types of
significant advantage [8]. attacks that can affect the confidentiality of the user’s
DepSky uses a set of Byzantine quorum system data in the cloud. These four types of attacks could
protocols in order to implement the read and write occur when the malignant insider can determine text
operations in the system, so it needs only two passwords in the memory of a VM, cryptographic keys
communication round trips for each operation to deal in the memory of VM files, and other confidential data.
with several clouds. The use of several clouds needs a In addition, they argue that the recent research
variety of locations, administration, design and mechanisms are not good enough to consider the issue
implementation, which are the requirements of the of data confidentiality and to protect data from these
Byzantine quorum systems protocols [54]. Executing attacks. This does not mean that these mechanisms are
codes in servers is not required in the DepSky system not useful; rather that they do not focus on solving the
(storage clouds) in contrast to other Byzantine problems that Rocha and Correia [42] address in their
protocols that need some code execution [13],[21], research. Some of the solutions [39] are mechanisms
[32],[33]. After using these protocols, the DepSky and are used as part of cloud computing solutions,
system aims to deal with data confidentiality by while different types of solutions focus on solving the
decreasing the stored amount of data in each cloud [8]. whole data confidentiality issue intrinsic to cloud
computing [8],[43]. Rocha and Correia [42] suggest
4.6 Limitation of Current Solutions trusted computing and distributing trust among several
cloud providers as a novel solution to solving security
The problem of the malicious insider in the cloud problems and challenges in cloud computing. The idea
infrastructure which is the base of cloud computing is of replicating data among different clouds has been
considered by Rocha and Correia [42]. IaaS cloud applied in the single system DepSky [8]. Rocha and
providers provide the users with a set of virtual Correia [42] present the limitations of this work which
machines from which the user can benefit by running occurs due to the fact that DepSky is only a storage
software on them. The traditional solution to ensure service like Amazon S3, and does not offer the IaaS
data confidentiality by data encryption is not sufficient cloud model. On the other hand, this system provides a
due to the fact that the user’s data needs to be secure storage cloud, but does not provide security of
manipulated in the virtual machines of cloud providers data in the IaaS cloud model. This is because it uses
which cannot happen if the data has been encrypted data encryption and stores the encrypted key in the
[42]. Administrators manage the infrastructure and as clouds by using a secret sharing technique, which is
they have remote access to servers, if the administrator inappropriate for the IaaS cloud model [42].
isa malicious insider, then he can gain access to the Table 1 details the security risks addressed in the
user’s data [29]. Van Dijk and Juels [52] present some previous research and the mechanisms that have been
negative aspects of data encryption in cloud proposed as a solution for these security risks in the
computing. In addition, they assume that if the data is cloud computing environment. Security risk issues in
processed from different clients, data encryption cloud computing have attracted much research interest
cannot ensure privacy in the cloud. in recent years.
Although cloud providers are aware of the It is clear from the table that in the past more
malicious insider danger, they assume that they have research has been conducted into single clouds than
critical solutions to alleviate the problem [22]. Rocha into multi-clouds. Multi–clouds can address the
and Correia [42] determine possible attackers for IaaS security issues that relate to data integrity, data
cloud providers. For example, Grosse et al. [22] intrusion, and service availability in multi-clouds. In
propose one solution is to prevent any physical access addition, most of the research has focused on providing
to the servers. However, Rocha and Correia [42] argue secure “cloud storage” such as in DepSky. Therefore,
that the attackers outlined in their work have remote providing a cloud database system, instead of normal
access and do not need any physical access to the cloud storage, is a significant goal in order to run
servers. Grosse et al. [22] propose another solution is queries and deal with databases; in other words, to
to monitor all access to the servers in a cloud where the profit from a database-as-a-service facility in a cloud
user’s data is stored. However, Rocha and Correia [42] computing-environment.
claim that this mechanism is beneficial for monitoring Table 1 illustrates that in 2009, 67% of the research
employee’s behavior in terms of whether they are on security in cloud computing addressed the issue of a
following the privacy policy of the company or not, but single cloud, whereas 33% of the research in the same
it is not effective because it detects the problem after it year addressed the issue of multi-clouds. In 2010, 80%
has happened. of research focused on single clouds while only 20% or
research was directed in the area of multi-clouds.
5496

8. Addressed
Security Risks
Type of cloud Type of service
Mechanism
availability
intrusion
integrity
Security
Security
Privacy/
Service
Cloud
Year
Data
Data
Ref
Single Multi Cloud Cloud
cloud clouds storage database
Multi shares+ secret
[5] 2011 √ √
sharing algorithm
DepSky,(Byzantine + √ √
[8] 2011 √ √ √ √ secret sharing +
cryptography)
√ √ √
[42] 2011 √
survey
RAID-like √ √
[3] 2010 √ techniques+
introduced RACS
ICStore ,(client- √ √
[11] 2010 √ √ centric distributed
protocols)
[17] 2010 √ √ SPORC, (fork) √
[22] 2010 √
[25] 2010 √ cryptography √ √
[30] 2010 Depot, (FJC) √ √
[48] 2010 √ √ Venus √ √
√ √ √
[49] 2010 √ √
survey
[51] 2010 √ √ √
[52] 2010 √ √ √ √
HAIL (Proofs + √ √
[10] 2009 √ √ √
cryptography)
√ √ √
[12] 2009 √
survey
[16] 2009 √ √ encrypted cloud VPN √ √
[41] 2009 √ √ √
[43] 2009 √ √ √ TCCP √ √
homomorphic token + √ √
[55] 2009 √ √
erasure-coded
[7] 2007 √ PDP schemes
[19] 2007 √ √ √
Table 1. Related Work on Cloud Computing Security.
5. Future Work secret sharing algorithm with a polynomial function
technique which claims that even with full knowledge
For future work, we aim to provide a framework to of (k – 1) clouds, the service provider will not have any
supply a secure cloud database that will guarantee to knowledge of vs (vs is the secret value) [47]. We have
prevent security risks facing the cloud computing used this technique in previous databases-as-a-serves
community. This framework will apply multi-clouds research [5]. In other words, hackers need to retrieve
and the secret sharing algorithm to reduce the risk of all the information from the cloud providers to know
data intrusion and the loss of service availability in the the real value of the data in the cloud. Therefore, if the
cloud and ensure data integrity. attacker hacked one cloud provider’s password or even
In relation to data intrusion and data integrity, two cloud provider’s passwords, they still need to hack
assume we want to distribute the data into three the third cloud provider (in the case where k = 3) to
different cloud providers, and we apply the secret know the secret which is the worst case scenario.
sharing algorithm on the stored data in the cloud Hence, replicating data into multi-clouds by using a
provider. An intruder needs to retrieve at least three multi-share technique [5] may reduce the risk of data
values to be able to find out the real value that we want intrusion and increase data integrity. In other words, it
to hide from the intruder. This depends on Shamir’s will decrease the risk of the Hyper-Visor being hacked
5497

9. and Byzantine fault-tolerant data being stolen from the Conf. on Computer and communications security,
cloud provider. 2007, pp. 598-609.
Regarding service availability risk or loss of data, if [8] A. Bessani, M. Correia, B. Quaresma, F. André and
P. Sousa, "DepSky: dependable and secure storage
we replicate the data into different cloud providers, we
in a cloud-of-clouds", EuroSys'11:Proc. 6thConf. on
could argue that the data loss risk will be reduced. If Computer systems, 2011, pp. 31-46.
one cloud provider fails, we can still access our data [9] K. Birman, G. Chockler and R. van
live in other cloud providers. This fact has been Renesse,"Toward a cloud computing research
discovered from this survey and we will explore agenda", SIGACT News, 40, 2009, pp. 68-80.
dealing with different cloud provider interfaces and the [10] K.D. Bowers, A. Juels and A. Oprea, "HAIL: A
network traffic between cloud providers. high-availability and integrity layer for cloud
storage", CCS'09: Proc. 16th ACM Conf. on
Computer and communications security, 2009, pp.
6. Conclusion 187-198.
[11] C. Cachin, R. Haas and M. Vukolic, "Dependable
It is clear that although the use of cloud computing storage in the Intercloud", Research Report RZ,
has rapidly increased, cloud computing security is still 3783, 2010.
considered the major issue in the cloud computing [12] C. Cachin, I. Keidar and A. Shraer, "Trusting the
environment. Customers do not want to lose their cloud", ACM SIGACT News, 40, 2009, pp. 81-86.
private information as a result of malicious insiders in [13] C. Cachin and S. Tessaro, "Optimal resilience for
the cloud. In addition, the loss of service availability erasure-coded Byzantine distributed storage",
DISC:Proc. 19thIntl.Conf. on Distributed
has caused many problems for a large number of
Computing, 2005, pp. 497-498.
customers recently. Furthermore, data intrusion leads [14] M. Castro and B. Liskov, "Practical Byzantine fault
to many problems for the users of cloud computing. tolerance", Operating Systems Review, 33, 1998,
The purpose of this work is to survey the recent pp. 173-186.
research on single clouds and multi-clouds to address [15] G. Chockler, R. Guerraoui, I. Keidar and M.
the security risks and solutions. We have found that Vukolic, "Reliable distributed storage", Computer,
much research has been done to ensure the security of 42, 2009, pp. 60-67.
the single cloud and cloud storage whereas multi- [16] Clavister, "Security in the cloud", Clavister White
clouds have received less attention in the area of Paper, 2008.
[17] A.J. Feldman, W.P. Zeller, M.J. Freedman and
security. We support the migration to multi-clouds due
E.W. Felten, "SPORC: Group collaboration using
to its ability to decrease security risks that affect the untrusted cloud resources", OSDI, October2010,
cloud computing user. pp. 1-14.
[18] S.L. Garfinkel, "Email-based identification and
7. References authentication: An alternative to PKI?", IEEE
Security and Privacy, 1(6), 2003, pp. 20-26.
[1] (NIST), http://www.nist.gov/itl/cloud/. [19] S.L. Garfinkel, "An evaluation of amazon’s grid
[2] I. Abraham, G. Chockler, I. Keidar and D. Malkhi, computing services: EC2, S3, and SQS", Technical
"Byzantine disk paxos: optimal resilience with Report TR-08-07, Computer Science Group,
Byzantine shared memory", Distributed Harvard University, Citeseer, 2007, pp. 1-15.
Computing, 18(5), 2006, pp. 387-408. [20] E. . Goh, H. Shacham, N. Modadugu and D.
[3] H. Abu-Libdeh, L. Princehouse and H. Boneh, "SiRiUS: Securing remote untrusted
Weatherspoon, "RACS: a case for cloud storage storage",NDSS: Proc. Network and Distributed
diversity", SoCC'10:Proc. 1st ACM symposium on System Security Symposium, 2003, pp. 131–145.
Cloud computing, 2010, pp. 229-240. [21] G.R. Goodson, J.J. Wylie, G.R. Ganger and M.K.
[4] D. Agrawal, A. El Abbadi, F. Emekci and A. Reiter, "Efficient Byzantine-tolerant erasure-coded
Metwally, "Database Management as a Service: storage",DSN'04: Proc.Intl. Conf. on Dependable
Challenges and Opportunities", Systems and Networks,2004, pp.1-22.
ICDE'09:Proc.25thIntl. Conf. on Data Engineering, [22] E. Grosse, J. Howie, J. Ransome, J. Reavis and S.
2009, pp. 1709-1716. Schmidt, "Cloud computing roundtable", IEEE
[5] M.A. AlZain and E. Pardede, "Using Multi Shares Security & Privacy, 8(6), 2010, pp. 17-23.
for Ensuring Privacy in Database-as-a-Service", [23] J. Hendricks, G.R. Ganger and M.K. Reiter, "Low-
44th Hawaii Intl. Conf. on System Sciences overhead byzantine fault-tolerant storage",
(HICSS), 2011, pp. 1-9. SOSP'07: Proc. 21st ACM SIGOPS symposium on
[6] Amazon, Amazon Web Services. Web services Operating systems principles, 2007, pp. 73-86.
licensing agreement, October3,2006. [24] A. Juels and B.S. Kaliski Jr, "PORs: Proofs of
[7] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. retrievability for large files", CCS '07: Proc. 14th
Kissner, Z. Peterson and D. Song, "Provable data ACM Conf. on Computer and communications
possession at untrusted stores", Proc. 14th ACM security, 2007, pp. 584-597.
5498

10. [25] S. Kamara and K. Lauter, "Cryptographic cloud [41] T. Ristenpart, E. Tromer, H. Shacham and S.
storage", FC'10: Proc. 14thIntl.Conf. on Financial Savage, "Hey, you, get off of my cloud: exploring
cryptograpy and data security,2010, pp. 136-149. information leakage in third-party compute
[26] H. Krawczyk, M. Bellare and R. Canetti, "HMAC: clouds", CCS'09: Proc. 16thACM Conf. on
Keyed-hashing for message authentication", Computer and communications security, 2009, pp.
Citeseer, 1997, pp. 1-11. 199-212.
[27] P. Kuznetsov and R. Rodrigues, "BFTW 3: why? [42] F. Rocha and M. Correia, "Lucy in the Sky without
when? where? workshop on the theory and practice Diamonds: Stealing Confidential Data in the
of byzantine fault tolerance", ACM SIGACT Cloud", Proc. 1stIntl. Workshop of Dependability
News, 40(4),2009, pp. 82-86. of Clouds, Data Centers and Virtual Computing
[28] L. Lamport, R. Shostak and M. Pease, "The Environments, 2011, pp. 1-6.
Byzantine generals problem", ACM Transactions [43] N. Santos, K.P. Gummadi and R. Rodrigues,
on Programming Languages and Systems, 4(3), "Towards trusted cloud computing", USENIX
1982, pp. 382-401. Association, 2009, pp. 3-3.
[29] P.A. Loscocco, S.D. Smalley, P.A. Muckelbauer, [44] D. Sarno, "Microsoft says lost sidekick data will be
R.C. Taylor, S.J. Turner and J.F. Farrell, "The restored to users", Los Angeles Times, October
inevitability of failure: The flawed assumption of 2009.
security in modern computing environments", [45] F. Schneider and L. Zhou, "Implementing
Citeseer, 1998, pp. 303-314. trustworthy services using replicated state
[30] P. Mahajan, S. Setty, S. Lee, A. Clement, L. Alvisi, machines", IEEE Security and Privacy, 3(5),2010,
M. Dahlin and M. Walfish, "Depot: Cloud storage pp. 151-167.
with minimal trust", OSDI'10: Proc. of the 9th [46] G. Brunette and R. Mogull (eds), "Security
USENIX Conf. on Operating systems design and guidance for critical areas of focus in cloud
implementation, 2010, pp. 1-16. computing", CloudSecurityAlliance, 2009.
[31] U. Maheshwari, R. Vingralek and W. Shapiro, [47] A. Shamir, "How to share a secret",
"How to build a trusted database system on Communications of the ACM, 22(11), 1979, pp.
untrusted storage", OSDI'00: Proc. 4thConf. on 612-613.
Symposium on Operating System Design & [48] A. Shraer, C. Cachin, A. Cidon, I. Keidar, Y.
Implementation, 2000, p. 10. Michalevsky and D. Shaket, "Venus: Verification
[32] D. Malkhi and M. Reiter, "Byzantine quorum for untrusted cloud storage", CCSW'10: Proc.
systems", Distributed Computing, 11(4),1998, pp. ACM workshop on Cloud computing security
203-213. workshop, 2010, pp. 19-30.
[33] J.-P. Martin, L. Alvisi and M. Dahlin, "Minimal [49] S. Subashini and V. Kavitha, "A survey on security
byzantine storage", DISC '02: Proc. of the 16thIntl. issues in service delivery models of cloud
Conf. on Distributed Computing, 2002, pp. 311- computing", Journal of Network and Computer
325. Applications, 34(1), 2011, pp 1-11.
[34] H.Mei, J. Dawei, L. Guoliang and Z. Yuan, [50] Sun, http://blogs.sun.com /gbrunett/entry/ amazon_
"Supporting Database Applications as a Service", s3_silent_data_corruption.
ICDE'09:Proc. 25thIntl.Conf. on Data Engineering, [51] H. Takabi, J.B.D. Joshi and G.-J. Ahn, "Security
2009, pp. 832-843. and Privacy Challenges in Cloud Computing
[35] R.C. Merkle, "Protocols for public key Environments", IEEE Security & Privacy, 8(6),
cryptosystems", IEEE Symposium on Security and 2010, pp. 24-31.
Privacy, 1980, pp. 122-134. [52] M. Van Dijk and A. Juels, "On the impossibility of
[36] E. Mykletun, M. Narasimha and G. Tsudik, cryptography alone for privacy-preserving cloud
"Authentication and integrity in outsourced computing", HotSec'10: Proc. 5thUSENIX Conf. on
databases", ACM Transactions on Storage (TOS), Hot topics in security, 2010, pp.1-8.
2,2006, pp. 107-138. [53] J. Viega, "Cloud computing and the common man",
[37] C. Papamanthou, R. Tamassia and N. Computer, 42, 2009, pp. 106-108.
Triandopoulos, "Authenticated hash tables", CCS [54] M. Vukolic,"The Byzantine empire in the
'08: Proc. 15th ACM Conf. on Computer and intercloud", ACM SIGACT News, 41,2010, pp.
communications security, 2008, pp. 437-448. 105-111.
[38] M. Pease, R. Shostak and L. Lamport, "Reaching [55] C. Wang, Q. Wang, K. Ren and W. Lou, "Ensuring
agreement in the presence of faults", Journal of the data storage security in cloud computing",
ACM, 27(2), 1980, pp. 228-234. ARTCOM'10: Proc. Intl. Conf. on Advances in
[39] R. Perez, R. Sailer and L. van Doorn, "vTPM: Recent Technologies in Communication and
virtualizing the trusted platform module", Proc. Computing, 2010, pp. 1-9.
15th Conf. on USENIX Security Symposium,2006,
pp. 305-320.
[40] RedHat, https://rhn.redhat.com/errata/RHSA-2008-
0855.html.
5499