Cloud computing security

From Wikipedia, the free encyclopedia
Cloud computing security or cloud security refers to a broad set of policies, technologies, applications, and controls used to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security and, more broadly, information security.

Security issues associated with the cloud

Cloud computing and storage provide users with the capability to store and process their data in third-party data centers.[1] Organizations use the cloud in a variety of service models (e.g., SaaS, PaaS, IaaS) and deployment models (private, public, hybrid, and community).[2]

Security concerns associated with cloud computing are typically divided into issues faced by cloud providers and those faced by their customers.[3] The responsibility is shared and is often described in a vendor’s "shared responsibility model".[4][5][6] The provider must secure its infrastructure, while customers must secure their applications, identities, and configuration settings.[5][6]

Analyses of large-scale cloud incidents indicate that many breaches result from misconfigurations and long-unremediated exposures rather than solely from zero-day vulnerabilities.[7]

When an organization stores data or hosts applications on the public cloud, it loses physical access to the hardware. As a result, potentially sensitive data may be at risk from insider attacks. According to a 2010 Cloud Security Alliance report, insider attacks rank among the top threats in cloud computing.[8] Cloud service providers must ensure that thorough background checks are conducted for employees with physical access to data centers.

To conserve resources and reduce cost, cloud providers often store multiple customers’ data on the same server. As a result, one user’s private data might be viewable by another without proper isolation.[2] Providers implement data isolation and logical segregation to mitigate these risks.

The extensive use of virtualization in cloud infrastructure brings unique security concerns.[9] Virtualization introduces an additional layer—the hypervisor—that must be secured and correctly configured.[10] A compromise of the hypervisor management system can impact an entire data center.[11]

Cloud security controls

Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management and follow all the best practices, procedures, and guidelines to ensure a secure cloud environment. Security management addresses these issues with security controls. These controls protect cloud environments and are put in place to safeguard any weaknesses in the system and reduce the effect of an attack.

Deterrent controls
Administrative mechanisms intended to reduce attacks by informing attackers of consequences.[12]
Preventive controls
Controls designed to reduce vulnerabilities and prevent unauthorized access.[13]
Detective controls
Controls that detect and respond to security events. Includes monitoring, SIEM, IDS/IPS, malware detection.[14]
Corrective controls
Controls that reduce the impact of an incident and restore systems.[15]

Dimensions of cloud security

Cloud security engineering is characterized by the security layers, plan, design, programming, and best practices that exist inside a cloud security arrangement. It requires the written and visual model (design and UI) to be defined by the tasks performed inside the cloud. The process includes access management, techniques, and controls to protect applications and information. It also includes ways to manage and maintain visibility, compliance, threat posture, and overall security. Processes for instilling security standards into cloud services and operations take an approach that satisfies compliance guidelines and essential infrastructure security components.[16]

Though the idea of cloud computing is not new, organizations are increasingly adopting it because of its flexible scalability, relative trustability, and cost-effectiveness of services. However, despite its rapid adoption in some sectors and disciplines, research and statistics indicate that security-related pitfalls remain a major barrier to its full adoption.[17]

It is generally recommended that information security controls be selected and implemented in proportion to the risks, typically by assessing the threats, vulnerabilities and impacts. Cloud security concerns can be grouped in various ways; Gartner identified seven, while the Cloud Security Alliance identified twelve areas of concern.[18][19] Cloud access security brokers (CASBs) are software that sits between cloud users and cloud applications to provide visibility into cloud application usage, data protection and governance to monitor all activity and enforce security policies.[20]

Supply Chain Attacks in the Cloud

A supply chain attack occurs when someone breaches an organization's systems via one of its external partners or services. Rather than going straight after the primary system, the attacker enters through a trusted source, such as an open-source tool, cloud provider, or software vendor. Because these tools are already trusted, the attack may remain undetected for a considerable amount of time. As more businesses rely on external technology and cloud services, supply chain attacks have grown more damaging and more difficult to identify. In contemporary attacks, code written in widely used languages, such as JavaScript, is frequently altered before it reaches end users. The Cloudflare article "What is a supply chain attack?" describes how these attacks take place: “In a supply chain attack, an attacker might target a cybersecurity vendor and add malicious code (or ‘malware’) to their software, which is then sent out in a system update to that vendor’s clients. ...When the clients download the update, believing it to be from a trusted source, the malware grants attackers access to those clients’ systems and information” (Cloudflare, 2020). This emphasizes the dangers of depending on outside software or vendors, and demonstrates how hackers can covertly enter a company's systems through legitimate channels, such as system updates.[21]

Software dependencies

Software dependencies are the external tools or components a program relies on, like third-party libraries, frameworks, or pre-built modules. While these can speed up development, they can also pose risks. Security issues in the libraries, attacks targeting the supply chain, or outdated and poorly maintained code can all create vulnerabilities. Keeping dependencies up to date and carefully managing them is key to keeping software secure and reliable.[22]

The specific software dependencies include:

Cover third-party libraries

The third-party libraries and tools that a program depends on are known as software dependencies. These external packages may lead to supply chain attacks, coding defects, or difficulties resulting from the use of out-of-date or poorly maintained software. Maintaining the security and functionality of systems requires managing these dependencies.[23]

What are the benefits and risks?

Software dependencies have a number of benefits. By offering reusable code, which eliminates the need for developers to create each feature from scratch, they expedite development. They also make it easier to add sophisticated or complicated features, such as analytics or interface elements, which would take much more time to develop independently. Using reputable and well-maintained libraries can also raise the general quality and dependability of the code.[24]

Using third-party tools and libraries also increases the risks associated with software dependencies. These components can be challenging to maintain and update because they come from external sources. They can also lead to dependency chains, where a single update affects numerous system components, as well as to security flaws and attack opportunities.[25]

CI/CD

Continuous delivery (CD) and continuous integration (CI) are terms used in software development. While CD ensures that those updates can be released swiftly and smoothly, CI focuses on routinely merging and testing code changes.[26]

Now let's get specific:

The practice of developers routinely merging their code into a shared repository is known as Continuous Integration (CI). An automated build and several tests, including unit and integration tests, are triggered by every merge. CI's primary goal is to identify bugs early on and correct mistakes that could result in security flaws.[27]

The process of automatically preparing code changes so they can be released to production at any time is known as continuous delivery, or CD. By ensuring that every test runs properly and that the code passes every check, it expands on continuous integration. The update can be delivered without the need for manual steps once everything has been confirmed.[28]

CI/CD pipelines

CI/CD pipelines are the processes used to build, test, and deliver software through continuous integration and continuous delivery platforms. The structure of a pipeline can change depending on what the project needs. The article "What Is CI/CD? Continuous Integration & Continuous Delivery Explained" states, “Properly setting up a CI/CD pipeline is the key to benefiting from all the advantages offered by CI/CD. One pipeline might have a multi-stage deployment strategy that delivers software as containers to a multi-cloud Kubernetes cluster, and another may be a simple pipeline that builds, tests, and deploys the application as a serverless function” (Raza & Wickramasinghe, 2021). This shows how pipelines can look very different depending on the development goals.[29]

Security and privacy

Any service without a “hardened” environment is considered a “soft” target. Virtual servers should be protected just like a physical server against data leakage, malware, and exploited vulnerabilities. “Data loss or leakage represents 24.6 % and cloud-related malware 3.4 % of threats causing cloud outages”.[30]

Identity management

Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology or a biometric-based identification system,[1] or provide an identity management system of their own.

Physical security

Cloud service providers physically secure the IT hardware (servers, routers, cables etc.) against unauthorized access, interference, theft, fire, flood etc., and ensure that essential supplies (such as electricity) are sufficiently robust to minimise the possibility of disruption.

Personnel security

Various information security concerns relating to personnel involved in cloud services are typically handled through screening, security-awareness training, and role-based access controls.

Privacy

Providers ensure that all critical data (credit-card numbers, for example) are masked or encrypted and that only authorised users have access to data in its entirety. Moreover, digital identities and credentials must be protected as must any data that the provider collects or produces about customer activity in the cloud.

Penetration testing

Penetration testing is the process of performing offensive security tests on a system, service, or computer network to find security weaknesses in it. Since the cloud is a shared environment with other customers or tenants, following penetration-testing rules of engagement step-by-step is a mandatory requirement. Scanning and penetration-testing from inside or outside the cloud should be authorised by the cloud provider.[31]

Cloud vulnerability and penetration testing

Scanning the cloud from outside and inside using free or commercial tools is crucial. Without a hardened environment, your service is considered a soft target. Virtual servers should be hardened just like a physical server against data leakage, malware, and exploited vulnerabilities. “Data loss or leakage represents 24.6 % and cloud-related malware 3.4 % of threats causing cloud outages”.

Privacy legislation often varies by country. By having information stored via the cloud it is difficult to determine under which jurisdiction the data falls. Trans-border clouds are popular given that the largest companies transcend several countries. Legal dilemmas from the ambiguity of the cloud refer to how there is a difference in data-sharing law between and inside organisations.[32]

Unauthorized Access to Management Interface

Due to the autonomous nature of the cloud, consumers are often given management interfaces to monitor their databases. Because the controls sit in one central location and the interface is easily accessible for user convenience, a single actor could gain access to the cloud's management interface, giving them control over much of the system.[33]

Data Recovery Vulnerabilities

The cloud’s use of resource pooling means memory or storage resources may be recycled to another user. It is possible for current users to access information left by previous ones.[33]

Internet Vulnerabilities

Cloud services require internet connectivity and use internet protocols, making them subject to attacks such as man-in-the-middle attacks. Furthermore, heavy reliance on internet connectivity means service disruptions or outages can cut off users entirely.[33]

Encryption Vulnerabilities

As encryption algorithms age, vulnerabilities arise. Cloud providers must stay current with encryption standards and transition older systems before they become compromised.[34]

Misconfiguration Risks

Cloud misconfigurations are among the most prevalent and dangerous security flaws and leave cloud environments highly exposed to attackers. Cloud platforms are complicated; even a minor configuration error, like excessively permissive access or inappropriate storage settings, can provide attackers with entry points. Cloud breaches are frequently caused by misconfigurations because attackers can obtain unauthorized access by taking advantage of incorrectly configured settings.[35]

Security misconfigurations occur when security settings are not fully implemented or are set up incorrectly. Weak passwords, misconfigured databases, unprotected cloud storage, incorrectly configured firewalls or network settings, and out-of-date software or firmware are just a few of the many possible causes. These errors frequently result from system design flaws, human error, or gaps in knowledge regarding security procedures. As the article "Security Misconfiguration Vulnerabilities: Risks, Impacts, and Prevention" explains, “Security misconfigurations are errors that occur when security settings are not configured or implemented properly. Misconfigurations can arise from a range of sources, including weak passwords, improperly configured databases, unsecured cloud storage, misconfigured firewalls or network settings, and outdated software or firmware. They can happen due to various reasons, including poor design, lack of understanding of security concepts, and human error” (Kiteworks, 2025).[36] This quote highlights the variety of ways misconfigurations can occur and emphasizes why organizations must identify and correct them to protect against potential security breaches.

The most common misconfigurations include unrestricted outbound access, disabled logging, missing alerts, exposed access keys, excessive account permissions, ineffective identity architecture, inadequate network segmentation, improper public access, public snapshots and images, open databases or storage buckets, and neglected cloud infrastructure. The article "The Common Cloud Misconfigurations That Lead to Cloud Data Breaches" explains: “Cloud misconfigurations — the gaps, errors and vulnerabilities that occur when security settings are poorly chosen or neglected entirely — provide adversaries with an easy path to infiltrate the cloud. Multi-cloud environments are complex, and it can be difficult to tell when excessive account permissions are granted, improper public access is configured or other mistakes are made” (Ashwood, 2024).[37] The article also emphasizes that “cloud security posture management should be a key component of your security strategy if you want to avoid becoming the next victim of a cloud data breach” (Ashwood, 2024),[38] showing why strong security measures and backups are essential.

Another article, "8 Common Cloud Misconfiguration Types (and How to Avoid Them)", offers practical solutions: “Access to storage buckets should be granted only within the organization… Security teams should enable strong encryption by default for crucial data in storage buckets, monitor all storage nodes labeled as public, and eliminate unnecessary permissions or exposed access” (Lee, 2025c).[39] This highlights how businesses can lower the risk of misconfiguration by implementing simple, practical measures like restricting access, encrypting private information, keeping an eye on public resources, and eliminating superfluous permissions. To safeguard data and stop breaches, cloud settings must be actively managed.[40]
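Several of the misconfigurations listed above can be checked mechanically against a resource inventory. The following is an added example, not taken from the cited articles: the inventory schema, resource names and the list of database ports are assumptions made for illustration, and the data is constructed.

```python
import ipaddress

DB_PORTS = {1433, 3306, 5432, 6379, 27017}  # assumed list of database listener ports

# Constructed inventory in a hypothetical provider-neutral schema (not a real API export).
INVENTORY = [
    {"type": "bucket", "name": "invoices", "default_encryption": False,
     "access_logging": False,
     "policy": [{"effect": "Allow", "principal": "*", "condition": None}]},
    {"type": "bucket", "name": "build-cache", "default_encryption": True,
     "access_logging": True,
     "policy": [{"effect": "Allow", "principal": "org:example", "condition": None}]},
    {"type": "firewall", "name": "db-tier",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 5432, "to_port": 5432}],
     "egress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    {"type": "firewall", "name": "web-tier",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}],
     "egress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    {"type": "snapshot", "name": "db-backup-01", "public": True},
    {"type": "role", "name": "ci-deployer",
     "grants": [{"actions": ["*"], "resources": ["*"]}]},
]


def is_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_bucket(res):
    for stmt in res["policy"]:
        # An unconditional Allow to everyone makes the bucket public.
        if stmt["effect"] == "Allow" and stmt["principal"] == "*" and not stmt["condition"]:
            yield "improper public access"
    if not res["default_encryption"]:
        yield "encryption not enabled by default"
    if not res["access_logging"]:
        yield "disabled logging"


def audit_firewall(res):
    for rule in res["ingress"]:
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if is_world(rule["cidr"]) and any(p in ports for p in DB_PORTS):
            yield "open database port"
    for rule in res["egress"]:
        if is_world(rule["cidr"]) and rule["from_port"] <= 1 and rule["to_port"] >= 65535:
            yield "unrestricted outbound access"


def audit_snapshot(res):
    if res["public"]:
        yield "public snapshot"


def audit_role(res):
    for grant in res["grants"]:
        if "*" in grant["actions"] and "*" in grant["resources"]:
            yield "excessive account permissions"


AUDITORS = {"bucket": audit_bucket, "firewall": audit_firewall,
            "snapshot": audit_snapshot, "role": audit_role}


def audit(inventory):
    """Return (type, name, issue) for every misconfiguration found."""
    findings = []
    for res in inventory:
        for issue in AUDITORS[res["type"]](res):
            findings.append((res["type"], res["name"], issue))
    return findings


if __name__ == "__main__":
    for kind, name, issue in audit(INVENTORY):
        print(f"{kind:9} {name:14} {issue}")
```
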

Encryption

Some advanced encryption algorithms applied to cloud computing increase the protection of privacy. In a practice called crypto-shredding, encryption keys can be deleted when data is no longer used.

Attribute-based encryption (ABE)

Attribute-based encryption is a form of public-key encryption in which the user’s secret key and the ciphertext depend on attributes (e.g., the country the user lives in, or their subscription type). In such systems, access to decryption depends not simply on identity but on attributes.

Some of the strengths of ABE are that it bypasses the need for explicit key sharing (as in traditional PKI) and identity-based encryption (IBE). However, ABE suffers from key-redistribution complexity: since decryption keys depend on attributes rather than identities, malicious users might leak attribute information, enabling unauthorized access.[41]

Ciphertext-policy ABE (CP-ABE)

In CP-ABE, the encryptor controls the access policy for the ciphertext. The process includes Setup, Encrypt, KeyGen, and Decrypt algorithms; the encryptor defines an access structure that must match a user’s attributes before decryption is allowed.[42]

Key-policy ABE (KP-ABE)

In KP-ABE, the sender encrypts under a set of attributes, and the user’s private key is issued to match a policy describing which ciphertexts they may decrypt. KP-ABE shifts access-control responsibility partially to the key-issuer rather than the encryptor. While it provides flexibility, the policy disclosure may weaken privacy guarantees.[43]

Fully Homomorphic Encryption (FHE)

Fully Homomorphic Encryption allows arbitrary computation on ciphertext without decryption. It is emerging as a high-security option for cloud environments, including voting systems. While promising, it remains largely experimental.[44]

Searchable Encryption (SE)

Searchable encryption enables secure search on encrypted data. It has symmetric and public-key variants. While it supports functionality over encrypted data, it introduces extra attack surfaces, especially when attribute indexing is involved.[45]

Data Lifecycle Security - Data Security

Similar to a computer's motherboard or heart, data is the foundation of life and operation. Basic memory holds extremely important data to enable the user and computer to pick up where they left off.[46]

When delving into the details of the data lifecycle and security, it's critical to strengthen security protocols and make sure that security strategies are strong enough to reduce the likelihood of access or decryption. The Harvard University data lifecycle essay made it apparent that "the best time to secure information in your project is before you even collect it." This statement reinforces the notion that data should be stored and safeguarded before a user or computer even acts.[47]

Numerous factors influence data security and data life-cycle security, beginning with:[48]

Data creation

It is the initial output that the user provides in these forms, such as software or hardware, and it creates a space where information is found and finally kept. From there, it can be altered and safeguarded once both the user and the software have validated it. The creation of new data is beneficial because it enhances performance over time on various security alternatives and allows for innovation. You can continue to add to it once it has been stored and secured. The article "Why Accurate Data is Important for Business Operations" gives a better framework for how this is carried out. Take the business lens of secure data as an example, which lowers risk and facilitates consistent outcomes. The knowledge is available and preserved; you can simply return to it and continue working on it, which increases engagement and boosts productivity. In any format where an audience may review it, the quality of the data improves over time. This is true not just when data is imported but also when new sources of information are created to enhance certain regions. It reduces risk, increases worker productivity, and promotes more consistent results. Accurate and well-managed data improves business operations. Properly saved and updated data is easier to review, expand upon, and enhance, improving performance and creating more space for fresh concepts and superior solutions.[49]

Data Storage

Data storage is the output that the computer produces from the input that the user provides. How the information is presented depends on the model of the computer. If the RAM is full, it means that the data is being disseminated because the computer is overheated or overloaded with data, which requires a lot of power from the computer, particularly from its hardware. The requirements for data storage are broken down in the IBM article "What is Data Storage?", which examines the benefits and drawbacks of data storage and its significance.[50]

Data Storage's Importance

Keeps information accessible and well-organized when needed. Enables consumers or businesses to monitor progress and make more informed decisions. Prevents the loss or damage of crucial data. Facilitates long-term initiatives by centralizing records.[51]

Pros of Data Storage:

Facilitates the access and reuse of information. Since everything is kept in one system, productivity can be increased. Enables data backup for security. Supports updates, expansion, and new ideas over time.[52]

Cons of Data Storage:

Requires extra storage as data quantities grow, can take up space, and requires security measures to prevent unauthorized access. Maintaining accuracy and organization requires regular updating. Misunderstandings or outdated information could be the outcome of poor management. [53]

The users' directory contains files and folders that store data. Alternatively, if you're using a personal computer, you can locate storage or extra storage on the hard drive as a stand-in if your computer isn't big enough.[54]

Another type is object storage, which divides data into metadata and particular identifiers. It can be used in public cloud servers, which gives providers like AWS (Amazon Web Services) scalability and flexibility for emails, social media content, etc. It also works well with APIs (application programming interfaces).[55]

Data transmission

Due to its connection to the communication component of syncing devices, this has a significant impact on data lifecycle security. Cables, wireless, wifi, and channels can all be used to transfer these types of communication. Some excellent illustrations of how digital data transmissions operate are message commands. Both synchronous and asynchronous use are possible. Additionally, bandwidth and latency are important aspects of these data transmission methods, which offer effective accuracy in terms of speed and overall accuracy.[56]

HTTPS (Hypertext Transfer Protocol Secure) is a security protocol that is used during data transmission. It works by encrypting the data being transferred between websites, which makes it an excellent example. As a sign that it is being watched over or managed by a human, it will transmit the TLS version and a cipher of random values behind the scenes to guarantee authenticity from the recipient's end. This is beneficial because the data is actively shielded from attacks.[57]

Data processing

It serves as the fundamental basis for data collection and is essentially a substantial amount of analysis that, if the device has enough storage, may be processed all at once; otherwise, it must be divided, which is where hard drives come into play. Additionally, it offers a range of sources that offer feedback, which is the analytical component. [58]

However, how is the cycle's operation protected? According to the article How to Ensure Secure Data Processing, utilizing a data virtualization platform reduces risk and data breaches even with multiple collaborators by providing a data architecture, basically a template that doesn't change the user's data storage option, and then creating a layout or an analytics report in custom datasets.[59]

Archival & deletion (secure deletion is often overlooked)[60]

In essence, archival data is information that is not regularly used but is kept in file storage so that it can be found and used at a later time if necessary. Deletion is when the data is no longer needed, so it is permanently deleted from the server or storage.[61] This is critical, and not only because removing data frees space: deleted data can still be traceable and recoverable unless it is securely deleted. To ensure that deletion is properly secured, use cryptographic measures or physically destroy the storage media; the best option is erasing, which wipes the data so that it is completely unrecoverable and no longer traceable.[60]
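Crypto-shredding, mentioned in the Encryption section, is one of the cryptographic measures for secure deletion described above: destroying the key makes every surviving copy of the ciphertext, including backups, unreadable. The following is an added example, not taken from the article's sources. KeyStore and the function names are hypothetical, the record is constructed, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a vetted cipher such as AES-GCM."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key):
    """Derive separate encryption and MAC keys from one data key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class KeyStore:
    """Hypothetical key service: one data key per subject, held apart from the data."""

    def __init__(self):
        self._keys = {}

    def create(self, subject):
        if subject in self._keys:
            raise KeyError(f"key already exists for {subject}")
        self._keys[subject] = secrets.token_bytes(32)

    def get(self, subject):
        return self._keys[subject]  # raises KeyError once the key is shredded

    def shred(self, subject):
        # A real key service must also destroy every backup and replica of the key.
        del self._keys[subject]


def demo():
    keys = KeyStore()
    primary, backup = {}, {}  # two copies of the ciphertext store
    record = b"constructed record: customer-17 billing profile"
    keys.create("customer-17")
    primary["r1"] = backup["r1"] = seal(keys.get("customer-17"), record)
    before = unseal(keys.get("customer-17"), backup["r1"])
    del primary["r1"]          # ordinary deletion misses the backup copy
    keys.shred("customer-17")  # crypto-shredding: destroy the key instead
    try:
        unseal(keys.get("customer-17"), backup["r1"])
        readable_after = True
    except KeyError:
        readable_after = False
    return record, before, readable_after, backup["r1"]


if __name__ == "__main__":
    record, before, readable_after, leftover = demo()
    print("readable before shred:", before == record)
    print("readable after shred: ", readable_after)
    print("ciphertext bytes still in backup:", len(leftover))
```
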

Compliance

Numerous laws and regulations govern the storage and use of data. In the US these include privacy and data-protection laws, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), and the Children’s Online Privacy Protection Act of 1998. Similar standards exist in other jurisdictions (e.g., Singapore’s Multi-Tier Cloud Security Standard).

Similar laws may apply in different legal jurisdictions and may differ markedly from those in the US. Cloud service users must often understand the legal and regulatory differences between the jurisdictions. For example, data stored by a cloud service provider (CSP) may be located in, say, Singapore and mirrored in the US.[62]

Business continuity and data recovery
Cloud providers have business continuity and data recovery plans in place to ensure service continuity and data protection.[63]
Log and audit trail
In addition to producing logs and audit trails, cloud providers work with their customers to secure these logs and ensure they’re accessible for forensic investigation (e.g., eDiscovery).
Unique compliance requirements
In addition to the requirements on customers, data centers used by cloud providers may be subject to additional compliance obligations. Using a cloud service provider (CSP) can lead to extra security concerns around data jurisdiction since customer or tenant data may not remain in the same location or provider’s cloud.[64]
Cloud providers’ security and privacy agreements must align to customer requirements and regulation

Aside from the security and compliance issues already discussed, cloud providers and their customers negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service (when data and applications are ultimately returned to the customer). These issues are typically addressed in service-level agreements (SLAs).[65]

Public records

Legal issues may also include records-keeping requirements in the public sector, where agencies must retain and make available electronic records in a specific fashion.

References

  1. ^ a b Haghighat, Mohammad; Zonouz, Saman; Abdel-Mottaleb, Mohamed (November 2015). "CloudID: Trustworthy cloud-based and cross-enterprise biometric identification". Expert Systems with Applications. 42 (21): 7905–7916. doi:10.1016/j.eswa.2015.06.025. S2CID 30476498.
  2. ^ a b Srinivasan, Madhan Kumar; Sarukesi, K.; Rodrigues, Paul; Manoj, M. Sai; Revathy, P. (2012). "State-of-the-art cloud computing security taxonomies". Proceedings of the International Conference on Advances in Computing, Communications and Informatics - ICACCI '12. pp. 470–476. doi:10.1145/2345396.2345474. ISBN 978-1-4503-1196-0. S2CID 18507025.
  3. ^ "Swamp Computing a.k.a. Cloud Computing". Web Security Journal. 2009-12-28. Archived from the original on 2019-08-31. Retrieved 2010-01-25.
  4. ^ "Cloud Controls Matrix v4" (xlsx). Cloud Security Alliance. 15 March 2021. Retrieved 21 May 2021.
  5. ^ a b "Shared Security Responsibility Model". Navigating GDPR Compliance on AWS. AWS. December 2020. Retrieved 21 May 2021.
  6. ^ a b C. Tozzi (24 September 2020). "Avoiding the Pitfalls of the Shared Responsibility Model for Cloud Security". Palo Alto Networks Blog. Retrieved 21 May 2021.
  7. ^ "Cloud Security Programs: What You Need to Know". Varonis. Retrieved 2025-02-15.
  8. ^ "Top Threats to Cloud Computing v1.0" (PDF). Cloud Security Alliance. March 2010. Retrieved 2020-09-19.
  9. ^ Winkler, Vic. "Cloud Computing: Virtual Cloud Security Concerns". Technet Magazine, Microsoft. Retrieved 12 February 2012.
  10. ^ Hickey, Kathleen (18 March 2010). "Dark Cloud: Study finds security risks in virtualization". Government Security News. Archived from the original on 30 January 2012. Retrieved 12 February 2012.
  11. ^ Winkler, Joachim R. (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Elsevier. p. 59. ISBN 978-1-59749-592-9.
  12. ^ Andress, Jason (2014). "Physical Security". The Basics of Information Security. pp. 131–149. doi:10.1016/B978-0-12-800744-0.00009-9. ISBN 978-0-12-800744-0.
  13. ^ Virtue, Timothy; Rainey, Justin (2015). "Information Risk Assessment". HCISPP Study Guide. pp. 131–166. doi:10.1016/B978-0-12-802043-2.00006-9. ISBN 978-0-12-802043-2.
  14. ^ "Detective Security Controls". 2020-12-04. Retrieved 7 December 2023.
  15. ^ "What are Security Controls?". 2019-08-22. Retrieved 7 December 2023.
  16. ^ "Cloud Security Architecture". GuidePoint Security LLC. 2023. Retrieved 6 December 2023.
  17. ^ [citation needed]
  18. ^ "Gartner: Seven cloud-computing security risks". InfoWorld. 2008-07-02. Retrieved 2010-01-25.
  19. ^ "Top Threats to Cloud Computing Plus: Industry Insights". Cloud Security Alliance. 2017-10-20. Retrieved 2018-10-20.
  20. ^ "What is a CASB (Cloud Access Security Broker)?". CipherCloud. Archived from the original on 2018-08-31. Retrieved 2018-08-30.
  21. ^ "What is a supply chain attack?". www.cloudflare.com. Retrieved 2025-11-30.
  22. ^ "Known vulnerabilities in dependencies | Tutorial and examples". Snyk Learn. Retrieved 2025-11-30.
  23. ^ Scheider (he/they), Dana (2021-07-23). "Choosing a Third-Party Library". Medium. Retrieved 2025-11-30.
  24. ^ Mulkey, Daniel (2024-02-07), "Third-Party Optics Libraries", Optics Using Python, SPIE, ISBN 978-1-5106-7179-9, retrieved 2025-11-30
  25. ^ "Best Practices for Managing Third-Party Dependencies in Web Development | Opinov8". opinov8.com. 2024-10-23. Retrieved 2025-11-30.
  26. ^ "What Is CI/CD? Continuous Integration & Continuous Delivery Explained". BMC Blogs. Retrieved 2025-11-30.
  27. ^ "What Are CI/CD And The CI/CD Pipeline? | IBM". www.ibm.com. 2024-09-24. Retrieved 2025-11-30.
  28. ^ Sharma, Vandana (2019-10-05). "Continuous Integration and Continuous Delivery (CI/CD): A Comprehensive Overview". International Journal of Science and Research (IJSR). 8 (10): 1835–1839. doi:10.21275/sr24115221653. ISSN 2319-7064.
  29. ^ "User:AmbarVal/Cloud computing security", Wikipedia, 2025-11-30, retrieved 2025-11-30
  30. ^ Ahmad Dahari Bin Jarno; Shahrin Bin Baharom; Maryam Shahpasand (2017). "Limitations and challenges on Security Cloud Testing" (PDF). Journal of Applied Technology and Innovation. 1 (2): 89–90.
  31. ^ Guarda, Teresa; Orozco, Walter; Augusto, Maria Fernanda; Morillo, Giovanna; Navarrete, Silvia Arévalo; Pinto, Filipe Mota (2016). "Penetration Testing on Virtual Environments". Proceedings of the 4th International Conference on Information and Network Security – ICINS ’16. pp. 9–12. doi:10.1145/3026724.3026728. ISBN 978-1-4503-4796-9. S2CID 14414621.
  32. ^ Svantesson, Dan; Clarke, Roger (July 2010). "Privacy and consumer risks in cloud computing". Computer Law & Security Review. 26 (4): 391–397. doi:10.1016/j.clsr.2010.05.005. hdl:1885/57037. S2CID 62515390.
  33. ^ a b c Grobauer, Bernd; Walloschek, Tobias; Stocker, Elmar (March 2011). "Understanding Cloud Computing Vulnerabilities". IEEE Security & Privacy. 9 (2): 50–57. doi:10.1109/MSP.2010.115. S2CID 1156866.
  34. ^ Rukavitsyn, Andrey N.; Borisenko, Konstantin A.; Holod, Ivan I.; Shorov, Andrey V. (2017). "A cloud computing security solution based on fully homomorphic encryption". 2017 XX IEEE International Conference on Soft Computing and Measurements (SCM). pp. 272–274. doi:10.1109/SCM.2017.7970558. ISBN 978-1-5386-1810-3. S2CID 40593182.
  35. ^ "Top 11 Cloud Security Vulnerabilities and How to Fix Them | Wiz". wiz.io. 2025-08-12. Retrieved 2025-11-30.
  36. ^ "Security Misconfiguration Vulnerabilities: Risks, Impacts, and Prevention". Kiteworks | Your Private Data Network. Retrieved 2025-11-30.
  37. ^ Ashwood, Paul. "The Common Cloud Misconfigurations That Lead to Cloud Data Breaches". CrowdStrike.com. Retrieved 2025-11-30.
  38. ^ Ashwood, Paul. "The Common Cloud Misconfigurations That Lead to Cloud Data Breaches". CrowdStrike.com. Retrieved 2025-11-30.
  39. ^ "8 Common Cloud Misconfiguration Types | CSA". vulcan.io. Retrieved 2025-11-30.
  40. ^ "8 Common Cloud Misconfiguration Types | CSA". vulcan.io. Retrieved 2025-11-30.
  41. ^ Xu, Shengmin; Yuan, Jiaming; Xu, Guowen; Li, Yingjiu; Liu, Ximeng; Zhang, Yinghui; Ying, Zuobin (October 2020). "Efficient ciphertext-policy attribute-based encryption with black-box traceability". Information Sciences. 538: 19–38. doi:10.1016/j.ins.2020.05.115. S2CID 224845384.
  42. ^ Bethencourt, John; Sahai, Amit; Waters, Brent (May 2007). "Ciphertext-Policy Attribute-Based Encryption" (PDF). 2007 IEEE Symposium on Security and Privacy (SP ’07). pp. 321–334. doi:10.1109/SP.2007.11. ISBN 978-0-7695-2848-9. S2CID 6282684.
  43. ^ Wang, Chang-Ji; Luo, Jian-Fa (November 2012). "A Key-Policy Attribute-Based Encryption Scheme with Constant Size Ciphertext". 2012 Eighth International Conference on Computational Intelligence and Security. pp. 447–451. doi:10.1109/CIS.2012.106. ISBN 978-1-4673-4725-9. S2CID 1116590.
  44. ^ Armknecht, Frederik; Katzenbeisser, Stefan; Peter, Andreas (2012). "Shift-Type Homomorphic Encryption and Its Application to Fully Homomorphic Encryption" (PDF). Progress in Cryptology – AFRICACRYPT 2012. Lecture Notes in Computer Science. Vol. 7374. pp. 234–251. doi:10.1007/978-3-642-31410-0_15. ISBN 978-3-642-31409-4.
  45. ^ Naveed, Muhammad; Prabhakaran, Manoj; Gunter, Carl A. (2014). "Dynamic Searchable Encryption via Blind Storage". 2014 IEEE Symposium on Security and Privacy. pp. 639–654. doi:10.1109/SP.2014.47. S2CID 10910918.
  46. ^ "Privacy and Data Mining", Advances in Information Security, Springer US, pp. 1–5, ISBN 978-0-387-25886-7, retrieved 2025-11-30
  47. ^ "Privacy and Data Mining", Advances in Information Security, Springer US, pp. 1–5, ISBN 978-0-387-25886-7, retrieved 2025-11-30
  48. ^ Singh, Prakash J. (2008-05-28), "What is Operations Management and Why is it Important?", Operations Management, Cambridge University Press, pp. 3–36, ISBN 978-0-521-70077-1, retrieved 2025-11-30
  49. ^ Singh, Prakash J. (2008-05-28), "What is Operations Management and Why is it Important?", Operations Management, Cambridge University Press, pp. 3–36, ISBN 978-0-521-70077-1, retrieved 2025-11-30
  50. ^ "Intelligent controllers for IBM storage". Data Processing: 52. doi:10.1016/0011-684x(85)90076-0. ISSN 0011-684X.
  51. ^ "Intelligent controllers for IBM storage". Data Processing (4): 52. doi:10.1016/0011-684x(85)90076-0. ISSN 0011-684X.
  52. ^ "Intelligent controllers for IBM storage". Data Processing. 27 (4): 52. doi:10.1016/0011-684x(85)90076-0. ISSN 0011-684X.
  53. ^ Identification cards. Integrated circuit card programming interfaces, BSI British Standards, retrieved 2025-11-30
  54. ^ Nutanix (2022-10-24). "What is Data Storage? Definition and Types | Nutanix". www.nutanix.com. Retrieved 2025-11-30.
  55. ^ "What is an API? - Application Programming Interface Explained - AWS". Amazon Web Services, Inc. Retrieved 2025-11-30.
  56. ^ "What is data transmission?". PubNub. Retrieved 2025-11-30.
  57. ^ "NATO and Intermediate Force Capabilities: Why Human Effects Matter". Connections: The Quarterly Journal. 21 (2): 123–134. 2022. doi:10.11610/connections.21.2.09. ISSN 1812-1098.
  58. ^ Rahul (2025-01-24). "Steps Involved in Business Data Processing". Outsource Data Entry Services to India. Retrieved 2025-11-30.
  59. ^ Intertrust, Team (2023-05-03). "How to ensure secure data processing". www.intertrust.com. Retrieved 2025-11-30.
  60. ^ a b "Electronic Data Removal Procedures | UVA Information Security". security.virginia.edu. Retrieved 2025-11-30.
  61. ^ "What Is Data Erasure? Secure Deletion Explained | Fortra's Data Classification". dataclassification.fortra.com. Retrieved 2025-11-30.
  62. ^ "Managing legal risks arising from cloud computing". DLA Piper. 29 August 2014. Retrieved 2014-11-22.
  63. ^ "It's Time to Explore the Benefits of Cloud-Based Disaster Recovery". Dell.com. Archived from the original on 2012-05-15. Retrieved 2012-03-26.
  64. ^ Winkler, Joachim R. (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Elsevier. pp. 65, 68, 72, 81, 218–219, 231, 240. ISBN 978-1-59749-592-9.
  65. ^ Adams, Richard (2013). "The emergence of cloud storage and the need for a new digital forensic process model" (PDF). In Ruan, Keyun (ed.). Cybercrime and Cloud Forensics: Applications for Investigation Processes. Information Science Reference. pp. 79–104. ISBN 978-1-4666-2662-1.

Further reading

Archive
