A Systematic Literature Review on Cloud Computing Security: Threats and Mitigation Strategies


Advances, Systems and Applications

  • Open access
  • Published: 23 October 2022

Serverless computing: a security perspective

  • Eduard Marin 1 ,
  • Diego Perino 1 &
  • Roberto Di Pietro 2  

Journal of Cloud Computing volume 11, Article number: 69 (2022)


In this article we review the current serverless architectures, abstract and categorize their founding principles, and provide an in-depth security analysis. In particular, we: show the security shortcomings of the analyzed serverless architectural paradigms; point to possible countermeasures; and, highlight several research directions for practitioners, Industry, and Academia.

Introduction

Virtualization technologies have played a crucial role for the wide adoption and success of cloud computing [ 1 ]. They allowed cloud providers to simultaneously share their resources with many users by placing their monolithic applications inside virtual machines (VMs), offering strong isolation guarantees while providing users with an (apparently) infinite amount of resources, readily available when their applications needed them. The cited features, together with a pay-per-use business model that has contributed to lower the total cost of ownership for cloud users, have made cloud computing the most successful computing paradigm of the last decade. However, this success also came with some drawbacks, the major one being the need for the users to directly manage the VMs [ 2 ].

In response to the above issue, we have witnessed the emergence of new programming models that drastically changed the way software developers develop and manage applications for the cloud. One such programming model relies on decomposing an application into multiple, autonomous, limited scope and loosely coupled components—also known as microservices —that can communicate with each other via standard APIs. Unfortunately, due to their long startup time and high resource usage, VMs were proven to be inefficient for running microservices. This led to the proposal of several container technologies (e.g., Docker) as a lighter alternative. Containers offer increased portability, lower start up time, and greater resource utilization than VMs, simplifying the development and management of large-scale applications in the cloud. These advantages have led cloud providers to adopt container technologies and to use them in combination with orchestration platforms (e.g., Kubernetes or Docker Swarm) to fully automate the deployment, scaling, and management of microservice-based applications in the cloud. However, similarly to when VMs are used, the microservices paradigm still requires users to configure and manage the underlying containers (e.g., related libraries and software dependencies), and relies on a static billing model where users pay a fixed amount for the allocated resources and not for the resources actually consumed. The cited points render microservices unsuitable for certain types of applications.

Serverless computing is emerging as a new computing paradigm for the deployment of applications in the cloud. It has two important advantages over its predecessors. Firstly, it allows software developers to outsource all infrastructure management and operational tasks to cloud providers, which makes it possible for them to focus only on the business logic of their applications [ 3 , 4 ]. Secondly, it follows a pure pay-per-use model, where users are only charged based on the resources they consume. Currently, serverless computing comes in two different flavors, known as backend as a service (BaaS) and function as a service (FaaS). The core idea behind BaaS is to provide software developers with a set of services and tools (e.g., databases, APIs, file storage or push notifications) to ease and speed up the development of mobile and web applications. FaaS, in turn, focuses on allowing software developers to deploy and execute their own functions on the cloud (note that the functions can also utilize additional services such as those offered in BaaS). To date, FaaS is considered the most dominant serverless model. In the rest of this article, we will use the term “serverless” to refer to FaaS.

Due to its simplicity and economical advantages, serverless computing is gaining significant attention in the industry as a compelling paradigm to deploy applications and services in the cloud. Cloud providers, such as Amazon [ 5 ], Microsoft [ 6 ], Google [ 7 ], IBM [ 8 ] or Alibaba [ 9 ] are already offering serverless computing services to their customers. Similarly, many enterprises, such as Netflix, T-Mobile and Realtor, are already reaping the benefits of serverless computing [ 10 ]. According to recent market surveys, the serverless computing market is expected to grow at a CAGR of 26% during the period 2020-2029 [ 11 ]. However, with the increase in volume and diversity of attacks against the cloud, it becomes apparent that security and privacy will be a key factor which, if not addressed, could hamper the widespread adoption of serverless computing.

In particular, as per serverless security, at first glance one could argue that serverless computing is intrinsically more secure than its predecessors because of its characteristics (e.g., the short duration of functions), or due to the fact that it could inherit security features already developed for other virtualization solutions. Yet, as we will show in the following, serverless brings many new, idiosyncratic security challenges that open the door for new types of security attacks. Further, implementing serverless applications requires a major change in mindset from software developers [ 12 ], not only in the way applications are written but also in the way they are protected from security attacks [ 13 ]. These latter requirements are rarely met, hence introducing new vulnerabilities.

Contribution. This work is, to the best of our knowledge, the first structured and principled attempt to shed light on the security of serverless computing. In particular, in this paper, we first review and categorize state of the art serverless solutions; later, we analyze pros and cons of the introduced architectural categories; further, we assess, from a security perspective, the fundamental principles of the main revised architectural choices. Finally, starting from the highlighted weaknesses, we sketch a few solutions and provide several research directions, appealing to practitioners, Industry, and Academia, to further enhance the security of the serverless ecosystem as a whole.

Roadmap. The sequel of this paper is structured as follows: In Section  2 we provide the necessary background for the reader to understand the main motivation behind serverless computing, its advantages, the components any serverless platform is composed of and the security mechanisms that are commonly employed to thwart attacks. Section  3 defines the threat model. Section  4 discusses some inherent properties of serverless that are beneficial security-wise while in Section  5 we cover aspects of serverless that could negatively affect security. In Section  6 we devise a list of possible application-level and infrastructure-level attacks which we believe deserve further attention. This is followed by possible countermeasures to alleviate them. Finally, Section  7 provides concluding remarks.

In this section, we review the current serverless ecosystem. More concretely, we first briefly introduce serverless computing, then analyze the five main elements any serverless platform is composed of, and finally discuss the currently available security solutions.

Serverless computing

In serverless computing, the application logic is divided into a set of small, short-lived and stateless functions, each one running within a separate execution environment (e.g., a container), that communicate with each other and with various cloud services (e.g., storage services) to carry out their tasks. By using stateless functions, serverless computing decouples storage from computation, making it possible to provision, manage, and price these two elements separately. Furthermore, in this context the cloud provider is now responsible for automatically and transparently spawning and managing function instances in worker nodes as well as performing all operational tasks (e.g., server and OS maintenance, patching, logging, load balancing or auto-scaling). Finally, serverless computing also significantly reduces application deployment cost via a pure pay-per-use model where users are only billed based on the resources (e.g., CPU, network or memory) they consume.

Besides the clear advantages serverless offers to software developers (in terms of flexibility, scalability, performance and costs), it is worth noting that cloud providers can benefit from using it too. As functions are invoked only occasionally and are executed for a very short period of time, cloud providers can achieve a higher degree of co-location in their servers and further optimize the usage of their resources. These two latter points, when carefully planned and orchestrated, can result in an even more profitable model for cloud providers.

Serverless ecosystem

As shown in Figure  1 , a serverless platform is comprised of (at least) five elements: i. functions; ii. API gateways; iii. (shared) cloud services; iv. security tools; and, v. control plane.

Figure 1: Serverless platform

1) Functions. Functions are the core component of serverless platforms. They can be written in many different programming languages (e.g., JavaScript, Python, and Go). Software developers can either write them by themselves, rely on open-source third-party functions (e.g., [ 14 ]), or use proprietary functions for which they must pay licensing fees. Functions are typically run inside a newly-generated, isolated execution environment (e.g., a container) within a worker node. The cited functions are executed in response to external and/or internal events specified by application owners (e.g., HTTP requests, modification to objects in storage, table updates, or function transitions). It is worth noting that not all defined functions must necessarily communicate directly with the outside world (it may be the case that there are functions that can only communicate with other functions and cloud services and that are not directly accessible from the outside).

2) Cloud services. Current serverless platforms integrate a wide range of cloud services used to extend the functions’ capabilities, e.g., to collect various types of data (e.g., using Amazon Kinesis), to quickly react to events (e.g., using Google cloud pub/sub message bus system or API Gateways), to manage the entire application lifecycle and enable DevOps capabilities (e.g., using Microsoft Azure DevOps) or to achieve long- and short-term storage (e.g., using Amazon S3 and DynamoDB).

3) Security tools. Cloud providers make available to software developers a set of tools and services to ease workflows security management. Some of these tools and services are also used in the context of microservices; however, the task of configuring them correctly becomes much more challenging in serverless. For example, the Identity and Access Management (IAM) service, which allows the configuration of fine-grained access controls to authenticate and restrict the resources functions have access to. Another widely used security service is the so called Virtual Private Cloud (VPC), which allows the creation of private, isolated networks for secure communications between applications that belong to the same organization. In addition to the cited services, we believe that other services and tools, such as those used for Runtime Application Self-Protection (RASP), Infrastructure as Code (IaC) scanning, and source code composition analysis, can play an important role in protecting serverless applications and serverless platforms against attacks.

4) Control plane functionalities. Serverless platforms typically comprise multiple control plane functionalities for cloud providers to operate, manage, and monitor their infrastructures. For example, there is an orchestrator component that handles the process of assigning functions to worker nodes. Similarly, a monitoring component is used to periodically check the status of worker nodes, the software they execute, as well as the execution environments that run on them. To this end, the monitoring component gathers metering data, logs, and a few metrics emitted by the worker nodes. This way, if a failure is detected, the affected functions can be quickly instantiated in other worker nodes. While the functionalities can vary slightly across several serverless platforms, all of them have in common the fact that the data plane needs to receive periodic configuration updates from the control plane, and the control plane needs to frequently receive (or collect) operational state from the data plane. Thus, it is fundamental for the control plane to stay in sync with the data plane.

Existing infrastructure-level security controls

Today’s serverless platforms typically run functions inside containers (or similar execution environments) that are protected by various open-source security mechanisms and services (some of which are built into the Linux kernel) in combination with security mechanisms developed by the cloud providers themselves. In the following, we focus solely on open-source, widely used security mechanisms (as the mechanisms developed by cloud providers are typically ad hoc, and are often not public or well documented). Note that these security mechanisms play an important role in the security of execution environments used in today’s production environments like g-Visor and Firecracker; g-Visor is essentially an additional security layer that is developed atop the Linux security mechanisms, whereas the Firecracker sandboxes (run in user space) are also restricted by Linux security mechanisms like seccomp, cgroup, and namespaces.

These security mechanisms can be clustered into the following four categories: (i) host hardening; (ii) isolation of processes; (iii) network security; and, (iv) access control. For an overview of security mechanisms in the first three categories, we refer the reader to [ 15 ] (as these mechanisms are generally applicable to containers regardless of what is executed inside them). As for access control, cloud providers typically offer several mechanisms built-in in the API gateway to throttle, cache, authenticate, and authorize external API calls before passing the requests to the corresponding functions, e.g., relying on external identity providers or specifying a range of IP addresses from which legitimate requests can originate.

Security of current mechanisms. Over the last few years, researchers have investigated in depth the real security guarantees provided by the existing mechanisms used to protect container-based infrastructures. This resulted in the identification of serious weaknesses in the security mechanisms used for process isolation [ 16 ] and network security [ 17 ]. In addition, previous work pointed out that host hardening mechanisms, such as seccomp, AppArmor and SELinux, require cloud operators to manually configure them, which is a laborious task that is prone to errors.

Threat Model

Serverless platforms are complex and dynamic ecosystems with many distinct components. To design a secure serverless ecosystem, one must consider the security provided by each of its components and their interplay. Further, to properly frame the serverless security ecosystem, as it will be done in the sequel, we first need to define the corresponding threat model. To this aim, we mainly distinguish between two types of adversaries: i. external; and, ii. internal, discussed in the following.

External adversaries typically carry out their attacks from outside the cloud by leveraging user-controlled input fields in any of the existing APIs that are offered to handle events. The same is true for serverless platforms. These attacks can enable adversaries to run arbitrary commands inside the function in order to retrieve sensitive data (e.g., session tokens stored in environment tables) or tamper with the execution of any function (or cloud service that receives maliciously-crafted input data and does not apply proper input data sanitation techniques). While some injection attacks are well-known because they are applicable to standard web applications (e.g., those ones that exploit cross-site scripting or the ones based on code/command injection), serverless functions can instead be triggered from many different event sources—this latter feature broadening significantly their attack surface [ 18 , 19 ].

Internal adversaries refer to adversaries who have full control of one (or more) functions and conduct attacks from inside the cloud. In the case of public clouds, it is relatively easy for such adversaries to deploy malicious functions in order to attempt to perform attacks from the inside. These adversaries can attempt to: i. create covert channels [ 20 , 21 ]; ii. conduct privilege escalation attacks (e.g., to compromise other co-resident functions or worker nodes) [ 22 ]; iii. retrieve or tamper with sensitive data (e.g., data in storage services) [ 23 ]; iv. gather knowledge about runtime environments and infrastructure [ 21 ]; or, v. conduct various types of Denial-of-Service (DoS) attacks [ 24 ] (including so-called Denial-of-Wallet attacks) [ 21 , 25 , 26 ]. In a separate line of work, researchers have also shown that if registry services exist where serverless functions developed by other software developers can be found, adversaries with access to the registry can carry out so-called typosquatting attacks [ 27 ]. The goal of such attacks is to distribute malicious container images by exploiting the potential typos made by container users. Similarly, there exist attacks whereby the goal of adversaries is to influence the scheduler to co-locate the attacker’s application with a targeted victim application [ 28 , 29 ]. It is worth mentioning that co-location is an important prerequisite to perform certain attacks like Rowhammer [ 30 ], Spectre [ 31 ] or Meltdown [ 32 ].

Though privacy concerns are out of the scope of this paper, it is also worth mentioning that from a privacy standpoint there is an increasing concern that cloud providers can inadvertently or deliberately reveal sensitive data to third-parties (e.g., through malicious insiders). Due to this latter threat, within the research community it is common to model cloud providers as honest-but-curious entities. Under this model, cloud providers are assumed to run their customers functions as intended but, at the same time, they may try to learn as much information as possible about the ongoing computations and hosted data.

In the next sections we analyze the impact of serverless computing on security, discussing the pros and cons of the paradigm in relationship with its contribution to the security posture of the supported ecosystem.

Serverless as a Security Enabler

In this section, we discuss some principles and use cases related to the inherent advantages of serverless from a security point of view.

Increased difficulty in performing attacks

The fact that serverless functions have small code footprints, are stateless, and short-lived, significantly raises the bar for adversaries to successfully execute their attacks. Indeed, serverless imposes strict limits on the time available to adversaries for retrieving sensitive data from functions or for performing lateral movements in order to carry out more sophisticated attacks. The highlighted features are important because experience has shown that adversaries who compromise servers often remain undetected for very long periods, carrying out malicious activities at a very slow pace, not to generate signals that could lead to detection—this is commonly known as advanced persistent threats (APTs).

The consequences of such long-lasting attacks can be severe, ranging from intellectual property theft (e.g., trade secrets or patents), compromised sensitive information (e.g., employees and users private data) to total site takeovers. With serverless, long-standing servers do not exist, thus adversaries must carry out their attacks—including the reconnaissance phase—again and again, increasing both the attack costs and the risks of being detected. Additionally, by using small, single-purpose functions to realize applications, serverless allows not only the definition of more fine-grained security policies, but also a significant reduction of the impact of attacks. Adversaries who compromise a function can now only exploit the “capabilities” of such a function. Finally, due to the way applications are designed when using the serverless paradigm, not all serverless functions need to send results back to the Internet, hence hampering adversaries from conducting some types of attacks (e.g., those ones that aim to exfiltrate sensitive data).

Less security responsibilities for software developers

Unlike prior cloud programming models, where software developers play an important role in the security of their applications, serverless security is a shared responsibility between software developers and cloud providers. While the cited model alleviates some security concerns (mainly those caused by infrastructure management), it still requires software developers to be heavily involved in security matters.

When it comes to serverless security, it is common to distinguish between “security of the cloud” and “security in the cloud”, as detailed below.

“Security of the cloud” is the responsibility of cloud providers and encompasses all measures in place to keep the underlying infrastructure and cloud services (e.g., the execution environments on which functions run or the virtualization layer) secure from adversaries. Although software developers have less control and require trust in the chosen cloud provider, delegating all infrastructure-related security tasks to cloud providers is considered to be an effective mechanism to eliminate a wide number of attacks. Providing, maintaining and operating an infrastructure that is secure by design is the core business model of cloud providers offering serverless and hence one of their main focuses.

“Security in the cloud”, instead, is the responsibility of software developers. It refers to the security mechanisms employed to: i. prevent vulnerabilities in the functions; ii. protect the application’s data (stored in cloud services); and, iii. secure the entire workflows (e.g., ensuring that all functions are executed with the minimum privileges required). The introduced objectives can be achieved by leveraging cloud services and tools that cloud providers make available to software developers. This gives software developers the ability to control and manage access to resources, monitor components, log information, verify network configurations, protect against DDoS attacks, implement firewalls, inspect traffic or secure access control and key management (among others). These concepts are critical for the security of serverless functions and their workflows, and need to be fully grasped by software developers; the alternative is that developers either ignore security for their applications or make unrealistic assumptions about the security measures put in place by cloud providers. Both cases are a dreadful scenario.
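The minimum-privilege objective above, and the IAM service mentioned earlier among the security tools, can be checked mechanically. The following is an added example, not code from the article: a small audit that compares each function's policy (written in AWS IAM JSON policy grammar) with the actions the function is declared to need. The function names, resources, account id and the `NEEDED` declaration are constructed assumptions.

```python
import fnmatch
import json

# Constructed sample: one policy per function, in AWS IAM JSON policy grammar.
# Function names, bucket/table names and the account id are made up.
POLICIES = json.loads("""
{
  "resize-image": {
    "Version": "2012-10-17",
    "Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
       "Resource": "arn:aws:s3:::example-uploads/*"}
    ]
  },
  "send-report": {
    "Version": "2012-10-17",
    "Statement": [
      {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
      {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:DeleteTable"],
       "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/reports"}
    ]
  }
}
""")

# Assumption: the developer declares which API actions each function calls.
NEEDED = {
    "resize-image": ["s3:GetObject", "s3:PutObject"],
    "send-report": ["s3:GetObject", "dynamodb:GetItem", "ses:SendEmail"],
}


def as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy, needed_actions):
    """Return (finding, detail) tuples for grants broader or narrower than needed."""
    findings = []
    granted_patterns = []
    needed = {a.lower(): a for a in needed_actions}  # action names are case-insensitive
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            # Allow + NotAction/NotResource grants everything except the listed items
            findings.append(("allow-with-not-element", stmt.get("Sid", "<no Sid>")))
            continue
        for action in as_list(stmt["Action"]):
            granted_patterns.append(action.lower())
            if "*" in action or "?" in action:
                findings.append(("wildcard-action", action))
            elif action.lower() not in needed:
                findings.append(("unused-action", action))
        for resource in as_list(stmt["Resource"]):
            if resource == "*":
                findings.append(("wildcard-resource", resource))
    for lowered in sorted(needed):
        if not any(fnmatch.fnmatchcase(lowered, p) for p in granted_patterns):
            findings.append(("missing-action", needed[lowered]))
    return findings


def audit_all():
    """Audit every function in the constructed sample."""
    return {name: audit_policy(POLICIES[name], NEEDED[name]) for name in POLICIES}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```
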

Resistance to Denial-of-Service attacks

Serverless, by construction, enjoys elasticity—it can adapt to workload changes by provisioning and de-provisioning resources—thanks to its efficient and automatic auto-scaling. As such, serverless platforms provide increased resistance against many different types of DoS/DDoS attacks that aim to overwhelm network bandwidth, trigger many compute-heavy actions in parallel, or exploit flaws in the application, for instance to cause infinite loops. While auto-scaling has already been used in previous computing paradigms (e.g., microservices), before serverless the cited technique required the usage of an external service which was complex to use and had to be configured manually by software developers. In serverless, auto-scaling is considerably simpler, more effective and less costly, making it a fundamental feature for any serverless-based application.

Serverless as a Security Risk

In this section, we detail several aspects of serverless that can negatively affect security. Table  1 compares the level of security offered by the serverless paradigm against the competing ones for a few interesting dimensions.

Larger attack surface

Serverless computing exposes a significantly larger attack surface compared to its predecessors for three main reasons:

First, as functions are stateless and are only intended to perform a single task, they are required to constantly interact with other functions and (shared) cloud services. However, the definition and enforcement of security policies—specifying which functions and cloud services can be accessed by each function—in such dynamic and complex environments is very complex and thus prone to errors [ 33 , 34 ].

Second, functions can be triggered by many external and internal events (e.g., 47 event types in Amazon Lambda, 11 event types in Azure and more than 90 event types in Google) with multiple formats and encodings. To further complicate matters, the trend is that the number of supported events will increase even more to allow other applications to also benefit from the advantages serverless offers. This creates many possible entry points for adversaries to gain control of functions; even more than when using microservices, due to the fact that serverless applications are stateless and event-driven.

Third, serverless platforms include a number of new components and cloud services, many of which are shared across users. Again, the fact that serverless functions are stateless, simple, and event-driven, together with the fact that cloud providers want to provide greater application performance with reduced costs and achieve a much more optimal use of their resources, means that serverless platforms include many more components that are shared between users with respect to previous computing paradigms. Such shared components can enable new forms of side or covert channels that can allow adversaries to leak sensitive data or to violate the specified security policies.

The combination of these factors together opens new doors for adversaries to mount attacks and makes it harder for cloud providers to defend against them.
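The second reason above (many event sources, each with its own format and encoding) means input validation has to happen per source before any shared check. The following is an added example, not code from the article: a normaliser that recognises three event shapes, decodes each the way its source encodes it, and applies one allow-list to the result. It assumes the AWS REST proxy, S3 notification and SQS event layouts; the events, bucket name and object keys are constructed.

```python
import base64
import json
import re
from urllib.parse import unquote_plus

# One allow-list applied to every source after source-specific decoding.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


class RejectedEvent(ValueError):
    """Raised when an event is not from a known source or fails validation."""


def classify(event):
    """Identify the event source from its structure; refuse anything unknown."""
    if not isinstance(event, dict):
        raise RejectedEvent("event is not an object")
    if "httpMethod" in event:
        return "http"
    records = event.get("Records")
    if isinstance(records, list) and records:
        sources = {r.get("eventSource") if isinstance(r, dict) else None
                   for r in records}
        if sources == {"aws:s3"}:
            return "storage"
        if sources == {"aws:sqs"}:
            return "queue"
    raise RejectedEvent("unknown or mixed event source")


def keys_from_http(event):
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):  # gateway may base64-encode the body
        body = base64.b64decode(body, validate=True).decode("utf-8")
    return [json.loads(body)["key"]]


def keys_from_storage(event):
    # Storage notifications URL-encode the object key; decode before validating.
    return [unquote_plus(r["s3"]["object"]["key"]) for r in event["Records"]]


def keys_from_queue(event):
    return [json.loads(r["body"])["key"] for r in event["Records"]]


EXTRACTORS = {"http": keys_from_http, "storage": keys_from_storage,
              "queue": keys_from_queue}


def check_key(key):
    if not isinstance(key, str) or not SAFE_KEY.fullmatch(key):
        raise RejectedEvent(f"object key not allowed: {key!r}")
    if any(part in ("", ".", "..") for part in key.split("/")):
        raise RejectedEvent(f"object key has an empty or relative segment: {key!r}")
    return key


def normalise(event):
    """Return (source, [validated keys]) or raise RejectedEvent."""
    source = classify(event)
    try:
        keys = EXTRACTORS[source](event)
    except (KeyError, TypeError, AttributeError, ValueError) as exc:
        raise RejectedEvent(f"malformed {source} event: {exc}") from exc
    return source, [check_key(k) for k in keys]


def accepted(event):
    try:
        normalise(event)
        return True
    except RejectedEvent:
        return False


# Constructed sample events.
HTTP_EVENT = {"httpMethod": "POST", "isBase64Encoded": True,
              "body": base64.b64encode(b'{"key": "reports/2022/q3.pdf"}').decode("ascii")}
S3_EVENT = {"Records": [{"eventSource": "aws:s3", "s3": {
    "bucket": {"name": "example-uploads"},
    "object": {"key": "reports/2022/q3%2Dfinal.pdf"}}}]}
S3_RELATIVE = {"Records": [{"eventSource": "aws:s3", "s3": {
    "bucket": {"name": "example-uploads"},
    "object": {"key": "reports/%2E%2E/q3.pdf"}}}]}
SQS_MALFORMED = {"Records": [{"eventSource": "aws:sqs", "body": "not json"}]}
UNKNOWN_SOURCE = {"Records": [{"eventSource": "aws:sns"}]}

if __name__ == "__main__":
    for ev in (HTTP_EVENT, S3_EVENT, S3_RELATIVE, SQS_MALFORMED, UNKNOWN_SOURCE):
        print(normalise(ev) if accepted(ev) else "rejected")
```
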

Proprietary cloud provider infrastructures

Cloud providers are now the ones responsible for conducting all operational and infrastructure tasks, including those aimed to protect their infrastructures and the hosted applications from internal and external threats. Unfortunately, cloud providers typically keep most information about their infrastructures confidential, making it difficult for security experts to scrutinize the security of serverless platforms. Within the security research community, it is widely known that relying on security-through-obscurity alone is a dangerous approach that may conceal insecure designs. Motivated by the above rationales, researchers have devoted significant efforts into reverse-engineering and documenting how the serverless platforms of the main cloud providers were developed in an attempt to understand their core design decisions (e.g., [ 21 ]). Yet, there are still many components within serverless platforms that remain unexplored to date and hence whose security level is unknown.

Security vs. performance vs. cost.

Ideally, cloud providers would like to develop serverless platforms that jointly maximize the security and performance of their infrastructures while maximizing their revenue and keeping the incurred cost as low as possible. However, the cited dimensions are conflicting with each other. Therefore, it is important to find a balance between them. Experience has shown that cloud providers, when it comes to which dimension to curb in order to keep cost under control, do not have security at the top of their priority list of features to preserve. Next, we show how the selection and usage of execution environments as well as the chosen function placement strategy can influence the security, performance and cost of serverless platforms and the applications they host.

Execution environments

The selection of the execution environment in which functions are executed is crucial for cloud providers since it strongly impacts the security and performance of their serverless platforms (see Table  2 for more details). For example, containers entail less overhead and provide greater resource utilization than VMs but this also results in weaker isolation guarantees. A possible solution would have been to combine traditional VMs and containers together (e.g., by placing all containers of a user inside a VM). However, this would have prevented reaping the isolation benefits VMs offer and the performance advantages containers provide. The synthesis was provided by cloud providers: they have opted for developing their own execution environments and open-sourcing their code. Without loss of generality we focus on the execution environments proposed by Amazon and Google. However, the conclusions we reach are also applicable to other well-known execution environments like Microsoft’s Hyper-V Technology [ 36 ], IBM’s Nabla Containers [ 37 ] and Kata [ 38 ].

Amazon designed Firecracker, a new execution environment that builds upon the KVM hypervisor to create and manage so-called microVMs through a new virtual machine monitor and a new API. Following this trend, Google has developed g-Visor, a user-space application kernel that sits between the containerized application and the host OS and hence provides an additional layer of isolation per container. Although Firecracker and g-Visor approaches are promising, neither their attack surface nor their security mechanisms have yet been properly evaluated by security experts. Thus, research should focus on understanding their weaknesses and limitations.

Cold containers vs. warm containers

Repeatedly booting a function from scratch inside a newly-generated container (i.e., a cold container) can be an expensive operation latency-wise. It is worth reminding that most serverless functions are executed only for a very short period of time and hence the container’s booting latency would be similar to the function’s execution time. Another reason why the use of cold containers is an issue (from the point of view of the cloud provider) is that customers are not billed for the time it takes for their containers to boot.

Warm containers (i.e., containers that are reused to run multiple instances of the same function) reduce the functions’ startup times and improve efficiency, e.g., by keeping and reusing local caches or maintaining long-lived connections between invocations. However, the advantages offered by warm containers come at the expense of providing fewer security guarantees. To prevent such attacks, application owners can disable the possibility of reusing the same execution environment to run the same function multiple times. Yet, disabling warm containers is not always a viable option since this can degrade the application’s performance.
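The text above does not say which guarantee is lost; one well-understood case is request data from one invocation remaining visible to the next in the same reused environment. The following is an added example, not code from the article, that models a warm container as a state dictionary plus a scratch directory that survive between invocations, and contrasts a handler that leaves residue with one that keeps only request-independent state warm. The `WarmContainer` class, handler signatures and events are constructed assumptions.

```python
import os
import shutil
import tempfile


class WarmContainer:
    """Stands in for one reused execution environment: the function's
    module-level state and its local scratch directory outlive an invocation."""

    def __init__(self):
        self.state = {}
        self.tmp = tempfile.mkdtemp(prefix="warm-")

    def invoke(self, handler, event):
        return handler(event, self.state, self.tmp)

    def residue(self):
        """Files still present in the scratch directory between invocations."""
        return sorted(os.listdir(self.tmp))

    def destroy(self):
        shutil.rmtree(self.tmp, ignore_errors=True)


def leaky_handler(event, state, tmp):
    # Request data is cached under a fixed key and written to a fixed file name.
    cache = state.setdefault("cache", {})
    if "document" in event:
        cache["last_document"] = event["document"]
        with open(os.path.join(tmp, "work.txt"), "w") as fh:
            fh.write(event["document"])
    # Defect: falls back to whatever an earlier invocation left in the cache.
    return {"caller": event["caller"], "document": cache.get("last_document")}


def hardened_handler(event, state, tmp):
    # Kept warm on purpose: request-independent state such as parsed configuration.
    if "config" not in state:
        state["config"] = {"max_bytes": 1_000_000}
        state["config_loads"] = state.get("config_loads", 0) + 1
    scratch = tempfile.mkdtemp(dir=tmp)  # per-invocation scratch space
    try:
        document = event.get("document")  # request data lives only in locals
        if document is not None:
            with open(os.path.join(scratch, "work.txt"), "w") as fh:
                fh.write(document)
        return {"caller": event["caller"], "document": document}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)  # nothing survives the call


# Constructed sample: two callers served back to back by the same container.
EVENTS = [
    {"caller": "tenant-a", "document": "tenant-a quarterly figures"},
    {"caller": "tenant-b"},
]


def run(handler):
    """Serve EVENTS in one warm container; return (last response, residue, state)."""
    container = WarmContainer()
    try:
        responses = [container.invoke(handler, event) for event in EVENTS]
        return responses[-1], container.residue(), dict(container.state)
    finally:
        container.destroy()


if __name__ == "__main__":
    for handler in (leaky_handler, hardened_handler):
        last, files, state = run(handler)
        print(handler.__name__, last, files, sorted(state))
```
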

Deterministic vs. random scheduling

Let us consider the process adopted by cloud providers to assign functions to worker nodes. From a security point of view, randomized scheduling algorithms are preferred over deterministic ones because they offer stronger protection against attacks that could exploit co-location. However, randomized scheduling algorithms do not consider functional aspects such as worker nodes’ resource utilization or the existence of warm containers when choosing the worker nodes that will execute the functions. This leads to a non-optimal allocation of functions that can negatively affect the overall performance of both the applications and the underlying serverless infrastructure. In practice, to prevent the latter issue, cloud providers typically opt for deterministic scheduling algorithms that lead to a more optimal use of the available resources and less latency overhead. Nevertheless, this approach can be vulnerable to attacks by adversaries that can obtain information about (or tamper with) the scheduling algorithms’ internals. Thus, research is required to first understand all possible attack vectors within this context, and then to develop scheduling algorithms that are resistant to attacks.

Security Attacks and Countermeasures

In this section, we present the main types of attacks against serverless. We group them into two main categories: (i) application-level attacks that exploit vulnerabilities in the functions’ code; and, (ii) infrastructure-level attacks that take advantage of the way the serverless architectures are designed and operated. As application-level attacks have already been covered in a report by OWASP [ 13 ], in this section we mainly focus on infrastructure-level attacks and briefly mention the most important security issues at the application level.

Application-level attacks

In serverless computing, software developers are still responsible for guaranteeing the security of their applications, i.e., the security in the cloud. Hence, if software developers do not adhere to standard secure coding practices and write their functions’ code in an insecure manner, their functions could contain vulnerabilities that can make them vulnerable to traditional application-level attacks such as Cross-Site Scripting (XSS), Command/SQL Injection, Denial of Service (DoS), and many more. With serverless computing, the cited attacks (or variants of them) remain possible; the only difference is that sometimes they are carried out in a slightly different way (or with a slightly different goal in mind). OWASP has released a report detailing the serverless attack surface as well as the feasibility and impact of a variety of well-known application-level attacks when launched against serverless applications [ 13 ]. Inspired by this report, next we briefly describe the most important application-level security risks and attacks for serverless functions.

Adversaries can send maliciously-crafted packets to functions in order to exploit weaknesses in the way they parse the input data. Serverless functions can be vulnerable not only to traditional injection attacks (e.g., based on SQL/NoSQL or OS commands), but also to new types of such attacks caused by the fact that there exist many function entry points that can be fully controlled by adversaries. Injection attacks could be launched, for example, to retrieve the functions’ source code or secrets stored within the execution environment. To mitigate this concern, each function should always carefully validate and sanitize all received input data before using it (even if the data originates from another function and the said function is considered to be trusted). In principle, validating and sanitizing event data should be no different than validating and sanitizing user data. In practice, however, the former is much more complex due to the large number of events supported and the fact that there are still no widely-available and generic security tools capable of performing this task automatically in order to protect a given application from the described attacks.

Bypass authentication

Serverless functions by themselves lack the necessary information and context to know about other functions and cloud services that are part of the application they belong to. In addition to this, applications typically comprise a plethora of ephemeral functions that can be triggered by many event sources and can make use of a variety of (shared) cloud services. The previous points make it very hard for application owners to apply proper security controls in order to restrict access to their functions at all times. Knowing the difficulty of properly managing security in such complex and dynamic environments, adversaries will try to find ways to trigger functions (or pass malicious data to them), either by exploiting the program logic or by resorting to external invocations, while skipping authentication. By doing this, adversaries could exfiltrate private data or tamper with the function’s execution flow. A robust access control mechanism is essential in the serverless platforms to determine if a function invocation request is legitimate and has the required permissions to access a function or a piece of data. Currently, cloud providers typically offer access control techniques as part of their cloud service portfolio, with Identity and Access Management (IAM) being the most well-known method which in turn often incorporates traditional role-based access control (RBAC) [ 39 , 40 ] and attribute-based access control (ABAC) [ 41 ]. Moreover, several tools and services (e.g., [ 42 , 43 ]) have recently been proposed to ease and automate the creation of credentials and identities that help authenticate the API calls made by users or other workloads.

Privilege misconfiguration

It is widely known that the process of granting permissions to serverless functions is a complex task that often results in functions getting more permissions than the ones they need. There are several reasons why attacks that exploit these weaknesses exist (and will continue to exist at least in the near future). First, software developers often do not have sufficient knowledge to define fine-grained security controls to limit their functions’ capabilities. Second, following the tight deadlines to bring their applications to production environments, software developers often do not perform enough testing to verify the set of permissions assigned to their functions. Finally, and most importantly, there is a lack of mechanisms to dynamically and automatically identify and configure the minimum set of permissions needed by applications.
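One way to approximate the missing automation is to compare what a function's policy grants with what the function was actually observed doing. The following is an added example, not code from the paper: the policy document, the observed calls and the function names `audit` and `tighten` are constructed for illustration, and the policy is assumed to use the AWS IAM JSON layout (`Effect`/`Action`/`Resource`).

```python
import re

# Constructed sample: IAM-style policy attached to a hypothetical thumbnail function.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:eu-west-1:111122223333:table/thumbs"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed sample: (action, resource) pairs the function was observed making.
OBSERVED = [
    ("s3:GetObject", "arn:aws:s3:::uploads/cat.png"),
    ("s3:PutObject", "arn:aws:s3:::thumbs/cat.png"),
    ("dynamodb:PutItem", "arn:aws:dynamodb:eu-west-1:111122223333:table/thumbs"),
    ("logs:PutLogEvents", "arn:aws:logs:eu-west-1:111122223333:log-group:/fn/thumb"),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def audit(policy, observed):
    """Compare each Allow statement with the observed calls and report the excess.

    Simplification: Deny, NotAction, NotResource and Condition are not evaluated.
    """
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        used = [(a, r) for a, r in observed
                if any(_glob(p, a, ignore_case=True) for p in actions)
                and any(_glob(p, r) for p in resources)]
        findings.append({
            "statement": index,
            "wildcard_actions": [p for p in actions if "*" in p],
            "wildcard_resource": "*" in resources,
            "unused_patterns": [p for p in actions
                                if not any(_glob(p, a, True) for a, _ in used)],
            "used_actions": sorted({a for a, _ in used}),
            "used_resources": sorted({r for _, r in used}),
        })
    return findings


def tighten(policy, observed):
    """Emit a candidate policy (for human review) holding only what was used."""
    statements = []
    for finding in audit(policy, observed):
        if not finding["used_actions"]:
            continue  # statement never exercised: left out of the candidate
        statements.append({
            "Effect": "Allow",
            "Action": finding["used_actions"],
            "Resource": finding["used_resources"],
        })
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


if __name__ == "__main__":
    import json
    for finding in audit(POLICY, OBSERVED):
        print(finding)
    print(json.dumps(tighten(POLICY, OBSERVED), indent=2))
```

The candidate is only as good as the observation window: a code path that did not run during it loses its permission, so the output is a starting point for review rather than a policy to deploy unchecked.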

De-serialization and usage of third-party libraries

Serverless functions are written in a number of programming languages, some of which are scripting-based (e.g., Python and NodeJS) that often use serialized data types such as JSON. All these programming languages have their own quirks which can lead to unexpected evaluations of untrusted data. This originates not only from the programming language itself, but from frameworks incorporated into the application—typically, to enable faster code development. Due to the difficulty of protecting against deserialization vulnerabilities, it is strongly recommended to avoid user input deserialization unless absolutely necessary. If the latter is not possible, then software developers must consider and incorporate robust measures that (at least) guarantee that the data has not been tampered with (e.g., through the usage of digital signatures).
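The two recommendations above (validate event data even when it comes from a trusted function, and check that serialized data has not been tampered with before using it) can be combined in one consumer-side routine. This is an added example, not code from the paper: it swaps the digital signature the text mentions for an HMAC-SHA256 tag (a symmetric MAC, available in the Python standard library), and the key, field names, operations and limits are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed key for the example; a real deployment fetches it from a secrets store.
SHARED_KEY = b"constructed-example-key"
MAX_BODY = 4096                       # bytes; refuse oversized bodies before parsing
ALLOWED_OPS = {"resize", "rotate"}    # hypothetical operations of the consumer
OBJECT_KEY_RE = re.compile(r"[A-Za-z0-9_./-]{1,128}")


class RejectedEvent(ValueError):
    """Raised for any event that fails authentication or validation."""


def seal(payload, key=SHARED_KEY):
    """Producer: serialise to JSON (data only, no code) and attach an HMAC tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"body": base64.b64encode(body).decode(),
            "tag": base64.b64encode(tag).decode()}


def validate(data):
    """Allow-list validation, applied even to authenticated events."""
    if not isinstance(data, dict) or set(data) != {"op", "object_key", "width"}:
        raise RejectedEvent("unexpected fields")
    op, object_key, width = data["op"], data["object_key"], data["width"]
    if not isinstance(op, str) or op not in ALLOWED_OPS:
        raise RejectedEvent("unknown op")
    if (not isinstance(object_key, str) or not OBJECT_KEY_RE.fullmatch(object_key)
            or ".." in object_key.split("/") or object_key.startswith("/")):
        raise RejectedEvent("bad object_key")
    if type(width) is not int or not 1 <= width <= 4096:   # excludes bool, float
        raise RejectedEvent("bad width")
    return data


def open_event(event, key=SHARED_KEY):
    """Consumer: authenticate the bytes, then parse, then validate."""
    try:
        body = base64.b64decode(event["body"], validate=True)
        tag = base64.b64decode(event["tag"], validate=True)
    except (KeyError, TypeError, ValueError) as exc:
        raise RejectedEvent("malformed envelope") from exc
    if len(body) > MAX_BODY:
        raise RejectedEvent("body too large")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        raise RejectedEvent("tag mismatch")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise RejectedEvent("body is not JSON") from exc
    return validate(data)


def outcome(event):
    """Helper for the demo: return 'ok' or the rejection reason."""
    try:
        open_event(event)
        return "ok"
    except RejectedEvent as exc:
        return str(exc)


if __name__ == "__main__":
    good = seal({"op": "resize", "object_key": "uploads/cat.png", "width": 256})
    print(outcome(good))
    # Correctly tagged by a "trusted" producer, still rejected by validation:
    print(outcome(seal({"op": "resize", "object_key": "../cat.png", "width": 256})))
```

The order matters: the tag is checked over the raw bytes before any parser touches them, and a valid tag only establishes who produced the event, not that its contents are safe to act on.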

In addition, functions often rely on many (potentially insecure) third-party libraries to handle many critical tasks. The problem is that, because of the complexity of the applications, software developers are typically not fully aware of the third-party components used and consequently they do not keep them up-to-date. As a result, functions can contain weaknesses that could allow adversaries to run arbitrary code, leak data, or even worse, gain full control of the functions. To alleviate this concern, software developers should keep good track of the third-party libraries they use, and should apply the necessary measures to ensure that every function builds its own security perimeter. In this regard, the software bill of materials (SBOM) initiative [ 44 ] is commendable.

Infrastructure-level attacks

In the following, we outline possible infrastructure-level attacks within the serverless ecosystem that, to a large extent, remain relatively unexplored. Therefore, we urge the scientific community to investigate them before the full adoption of serverless technology.

Side channel attacks

Adversaries can attempt to exploit the way serverless platforms are designed and implemented in order to conduct new forms of side channel attacks. For example, they could leverage weaknesses in the execution environments where functions are run in order to obtain host-system state information (e.g., power consumption or performance data) or individual process execution information (e.g., process scheduling, cgroups or process running status). This information can help adversaries to uniquely identify a worker node or a function instance, and ultimately to conduct more effective and efficient attacks. Equally, as shown by Figure  2 , the sequence of functions traversed in response to external events triggered by users can also reveal information to adversaries (e.g., the role of the person triggering the request). As functions are triggered reactively in response to an action performed by a user, adversaries could gain insights about the users by looking at the functions’ metadata (e.g., when or how often functions are called).

Fig. 2: This figure illustrates an application composed of various functions chained together. Let us assume that Function 1 is responsible for authenticating the application’s administrators as well as end-users before their requests are passed to other functions. Imagine that the request is passed to Function 2 and Function 3 if the request originates from administrators, while if the request comes from end-users this is handled by Function 4 and Function 5. In such a case, the application’s control flow can easily leak the role of the person issuing the request or the times at which the application is accessed by administrators and end-users.

More sophisticated side channels can also be devised, based on the fact that there exist many components and cloud services shared across users. In particular, adversaries are interested in any shared component subject to a change in its state based on the processed data—since these components could leak sensitive data about users and functions through a side channel. Note that side channel attacks in the context of serverless computing have not yet been investigated by the scientific community. Thus, an in-depth evaluation is needed to identify new serverless-specific attacks, then analyze their feasibility, extent and consequences, and finally to propose effective countermeasures in order to defend against them.

Race conditions

Serverless platforms can be vulnerable to attacks caused by inconsistencies in any component whose functionality is distributed across several nodes or that contains multiple replicas. For example, let us assume that software developers decide to modify the code of a given function while several replicas of this function are running. In such a case, there can be a (small) time window where the serverless platform is in an inconsistent state where some incoming requests are handled by an old version of the function and some others by the new version [ 21 ]. Such inconsistencies could be caused, for example, by cloud providers reusing execution environments with the old version of the function for a certain period of time. Adversaries could abuse such undesirable behavior to conduct security attacks with the goal of accessing or modifying data that otherwise would no longer be available to them.

Similar attacks could also be carried out when other parameters are modified (e.g., IAM roles, memory sizes, or environment variables) while multiple replicas of the same function are executed. Modifying these parameters at runtime can lead to race conditions that adversaries can exploit to lower the overall security of the serverless platform. While race conditions can also happen in a microservices architecture, the smaller granularity offered by serverless platforms increases the risk of inconsistencies across function versions. Overall, we believe that this research area deserves more attention from the scientific community, both to understand the security threats and to design effective countermeasures against them.

Long-lasting attacks

As explained in Section  4 , traditional long-lasting attacks that target servers are not applicable in the context of serverless computing. However, researchers have reported that it is possible for adversaries to execute a new class of long-lasting attacks by placing malicious code in the (writable) /tmp/ disk space used by warm containers to store temporary information across invocations [ 45 , 46 ]. The main challenge to perform such attacks is that, as /tmp/ is intended to be used only for maintaining temporary state, its size is relatively small (e.g., 512MB in Amazon Lambda). This poses some restrictions on the type and size of the code adversaries can place inside it. One way for adversaries to overcome this limitation would be to run code that communicates with external endpoints controlled by them. However, most serverless platforms give application owners access to security tools that could preclude such disallowed external communication. Despite this, there is still the need for investigating which attacks could be run from the /tmp/ disk space or any other directory within a given execution environment that is kept intact across multiple invocations of the same function. These attacks are likely to become a more important threat in the near future as serverless platforms evolve to fit the needs of stateful functions (e.g., [ 47 ]), since this will require placing more storage closer to the functions. As for countermeasures, in case the usage of warm containers is required to meet the application performance requirements, one possible way to mitigate the exposed issue would be for cloud providers to reduce the size of the /tmp/ folder to the minimum extent possible and to carefully monitor its contents after every function invocation. Here the challenge is how to distinguish between the legitimate data stored in the /tmp/ directory (the data that comes from the application) and the malicious code that adversaries could store therein.
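The monitoring countermeasure described above can be sketched as a snapshot taken before and after each invocation, with the difference reviewed against what the application is expected to write. This is an added example, not code from the paper or from any provider: the allow-listed `cache/` prefix, the "looks executable" heuristic (permission bits, ELF magic, shebang) and all file contents are constructed assumptions, and the heuristic only narrows the legitimate-versus-malicious problem the text raises rather than solving it.

```python
import hashlib
import os
import stat
import tempfile

EXEC_MAGIC = (b"\x7fELF", b"#!")   # ELF binaries and interpreter scripts


def snapshot(root):
    """Map relative path -> (sha256, permission bits) for regular files under root."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue   # symlinks and special files are not hashed here
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = (digest.hexdigest(), stat.S_IMODE(info.st_mode))
    return state


def review(root, before, after, expected_prefixes=("cache/",)):
    """Return [(path, reasons)] for files created or modified by the invocation."""
    findings = []
    for rel in sorted(after):
        if before.get(rel) == after[rel]:
            continue   # untouched since the previous snapshot
        reasons = []
        with open(os.path.join(root, rel), "rb") as handle:
            head = handle.read(4)
        if after[rel][1] & 0o111 or head.startswith(EXEC_MAGIC):
            reasons.append("executable")
        if not rel.startswith(expected_prefixes):
            reasons.append("unexpected-path")
        if reasons:
            findings.append((rel, reasons))
    return findings


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: one warm-container scratch directory, two invocations."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "cache/model.bin", b"\x00weights")          # legitimate cache
        before = snapshot(root)
        # State left behind by the next invocation (all content constructed):
        _write(root, "cache/index.json", b'{"hits": 3}')          # expected data
        _write(root, "cache/helper", b"\x7fELF" + b"\x00" * 12)   # binary in cache dir
        _write(root, ".x/run.sh", b"#!/bin/sh\n", mode=0o755)     # script, odd path
        after = snapshot(root)
        return review(root, before, after)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```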

Billing attacks

Though serverless offers increased protection against traditional DoS/DDoS attacks, these attacks can be engineered to lead to new, serverless-specific attacks that take advantage of the fact that application owners are billed based on the amount of resources their functions consume. By sending many requests to functions, adversaries can now perform so-called Denial-of-Wallet (DoW) attacks [ 25 ] with the purpose of significantly increasing the cost for application owners. Although some mitigating countermeasures already exist against DoW attacks (e.g., setting an upper limit on invocations concurrency and instances quota on function creation or creating a billing alert to notify application owners if they exceed a predefined spending limit), these attacks are not easy to defend against and require additional control measures: first, to detect abnormal behavior; and, later to discriminate which legitimate invocations to allow, and which ones to drop.

The uniqueness of serverless in this context is the fact that invocation and billing happen at a very small granularity, i.e., the function. Hence, an adversary can perform these attacks by invoking a function many times, while in other auto-scaling constructions adversaries would require the generation of a high load on a full container or VM to succeed. As such, the consequences of successfully launching such attacks can be more severe when targeting serverless platforms. Moreover, given the fact that computation can evolve only via function calls, blocking legitimate function invocations would represent a more serious threat than that experienced by the cited auto-scaling twins of serverless.
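The difference between the two existing countermeasures named above, a billing alert and an invocation cap, shows up when both are replayed over the same invocation log. This is an added example, not code from the paper: the log format, the tariff (in micro-dollars), the per-source sliding-window cap and the thresholds are constructed assumptions, and the cap is a per-source rate limit standing in for the provider-side concurrency limits the text mentions.

```python
from collections import defaultdict, deque

# Assumed tariff for the example, in micro-dollars; not any provider's price list.
PRICE_PER_GB_SECOND = 20.0
PRICE_PER_REQUEST = 0.2


def build_log():
    """Constructed invocation log: one steady client and one flooding source."""
    events = [(t * 5.0, "192.0.2.10") for t in range(12)]          # 1 call / 5 s
    events += [(t / 10.0, "198.51.100.7") for t in range(100)]     # 10 calls / s
    return ["%.1f src=%s fn=resize ms=100 mb=512" % e for e in sorted(events)]


def parse(line):
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return float(ts), kv["src"], int(kv["ms"]), int(kv["mb"])


def cost(ms, mb):
    """Billed amount of one invocation: GB-seconds consumed plus a request fee."""
    return (mb / 1024) * (ms / 1000) * PRICE_PER_GB_SECOND + PRICE_PER_REQUEST


def replay(lines, window_s=10.0, max_per_window=5, budget=50.0):
    """Replay a time-ordered log against a per-source cap and a budget alert."""
    recent = defaultdict(deque)          # src -> timestamps of admitted calls
    dropped = defaultdict(int)
    unprotected = capped = 0.0
    alert_at = None
    for line in lines:
        ts, src, ms, mb = parse(line)
        price = cost(ms, mb)
        unprotected += price
        if alert_at is None and unprotected > budget:
            alert_at = ts                # a billing alert alone fires only here
        window = recent[src]
        while window and ts - window[0] >= window_s:
            window.popleft()             # forget calls older than the window
        if len(window) >= max_per_window:
            dropped[src] += 1            # over the cap: not executed, not billed
            continue
        window.append(ts)
        capped += price
    return {
        "unprotected": round(unprotected, 6),   # spend with no control at all
        "capped": round(capped, 6),             # spend with the per-source cap
        "alert_at": alert_at,                   # when the budget alert would fire
        "dropped": dict(dropped),
    }


if __name__ == "__main__":
    print(replay(build_log()))
```

In this replay the alert fires only after the budget is already spent, while the cap holds spend down without touching the steady client; a flood spread over many sources would stay under a per-source cap, which is the discrimination problem the text describes.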

Conclusions

In this paper we have shown that, on the one hand, serverless computing provides additional security features while, on the other hand, it also introduces unique security threats and challenges—clearly differentiating itself from current virtualization technologies. In particular, we have reviewed current serverless architectures, categorized the current security threats, shown actionable hints to improve the current security posture, and highlighted security research directions to make serverless the paradigm of choice when looking for virtualization solutions where security is at a premium. We believe that our contribution, other than being valuable on its own, also paves the way for further research in this domain, a challenging and relevant one for practitioners, Industry, and Academia.

Availability of data and materials

Not applicable.

Footnote 1: It is worth noting that the term “serverless” does not mean that there are no servers, but rather that software developers do not need to worry about configuring and managing them.

Footnote 2: https://firecracker-microvm.github.io/

Footnote 3: https://gvisor.dev/

References

Armbrust M, Fox A, Griffith R, Joseph AD, Katz R, Konwinski A, Lee G, Patterson D, Rabkin A, Stoica I, Zaharia M (2009) Above the clouds: A berkeley view of cloud computing. Tech Rep, University of California at Berkeley. http://berkeleyclouds.blogspot.com/2009/02/above-clouds-released.html

Lombardi F, Di Pietro R (2015) Security for Cloud Computing. Artech House, Norwood

Castro P, Ishakian V, Muthusamy V, Slominski A (2019) The Rise of Serverless Computing. Commun ACM 62(12):44–54

Jonas E, Schleier-Smith J, Sreekanti V, Tsai C, Khandelwal A, Pu Q, Shankar V, Carreira J, Krauth K, Yadwadkar NJ, Gonzalez JE, Popa RA, Stoica I, Patterson DA (2019) Cloud Programming Simplified: A Berkeley View on Serverless Computing. CoRR. 1902:03383

(2021) AWS Lambda. https://aws.amazon.com/lambda/ . Accessed 21 Oct 2022

(2021) Azure Serverless | Microsoft Azure. https://azure.microsoft.com/solutions/serverless/ . Accessed 21 Oct 2022

(2021) Serverless Computing Solutions—Google Cloud. https://cloud.google.com/serverless . Accessed 21 Oct 2022

(2021) IBM Cloud Functions. https://www.ibm.com/cloud/functions . Accessed 21 Oct 2022

(2021) Alibaba Cloud Function Compute. https://www.alibabacloud.com/products/function-compute . Accessed 21 Oct 2022

(2021a) AWS Lambda Customer Case Studies. https://aws.amazon.com/lambda/resources/customer-case-studies/ . Accessed 21 Oct 2022

(2021b) Serverless Computing Market Insights. https://www.digitaljournal.com/pr/serverless-computing-market-insights-2022-business-opportunities-current-trends-and-restraints-forecast-2026#ixzz7W67yDNi4 . Accessed 21 Oct 2022

Hong S, Srivastava A, Shambrook W, Dumitras T (2018) Go Serverless: Securing Cloud via Serverless Design Patterns. In: USENIX Workshop on Hot Topics in Cloud Computing (HotCloud). USENIX Association, Boston

(2021) OWASP Serverless Top 10. https://owasp.org/www-project-serverless-top-10/ . Accessed 21 Oct 2022

(2021) AWS Serverless Application Repository. https://aws.amazon.com/en/serverless/serverlessrepo/ . Accessed 21 Oct 2022

Combe T, Martin A, Di Pietro R (2016) To Docker or Not to Docker: A Security Perspective. IEEE Cloud Comput 3(5):54–62

Gao X, Gu Z, Li Z, Jamjoom H, Wang C (2019) Houdini’s Escape: Breaking the Resource Rein of Linux Control Groups. In: ACM SIGSAC Conference on Computer and Communications Security (CCS). pp 1073–1086. Association for Computing Machinery, New York

Nam J, Lee S, Seo H, Porras P, Yegneswaran V, Shin S (2020) BASTION: A Security Enforcement Network Stack for Container Networks. In: USENIX Annual Technical Conference (USENIX ATC). pp 81–95. USENIX Association

(2021a) Ory Segal: Serverless Security // Serverless Days TLV. https://www.youtube.com/watch?v=M7wUanfWs1c&t=743s . Accessed 21 Oct 2022

(2021b) Event Injection: Protecting your Serverless Applications. https://www.jeremydaly.com/event-injection-protecting-your-serverless-applications/ . Accessed 21 Oct 2022

Yelam A, Subbareddy S, Ganesan K, Savage S, Mirian A (2021) CoResident Evil: Covert Communication In The Cloud With Lambdas. In: the Web Conference (WWW). pp 1005–1016. Association for Computing Machinery, New York

Wang L, Li M, Zhang Y, Ristenpart T, Swift M (2018) Peeking behind the Curtains of Serverless Platforms. In: USENIX Conference on Usenix Annual Technical Conference (USENIX ATC). pp 133–145. USENIX Association, Boston

(2022) CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit. https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/ . Accessed Oct 21 2022

(2019) Hacking serverless runtimes: Profiling AWS Lambda, Azure Functions, And more. https://www.blackhat.com/us-17/briefings/schedule/#hacking-serverless-runtimes-profiling-aws-lambda-azure-functions-and-more-6434

Xiong J, Wei M, Lu Z, Liu Y (2021) Warmonger: Inflicting Denial-of-Service via Serverless Functions in the Cloud. In: ACM SIGSAC Conference on Computer and Communications Security (CCS). pp 955–969. Association for Computing Machinery, New York

Kelly D, Glavin FG, Barrett E (2021) Denial of wallet–Defining a looming threat to serverless computing. Journal of Information Security and Applications (60):2214–2126

(2021) Many-faced threats to Serverless security. https://hackernoon.com/many-faced-threats-to-serverless-security-519e94d19dba . Accessed 21 Oct 2022

Liu G, Gao X, Wang H, Sun K (2022) Exploring the Unchartered Space of Container Registry Typosquatting. In: USENIX Security Symposium (USENIX Security). pp 35–51. USENIX Association, Boston

Makrani HM, Sayadi H, Nazari N, Khasawneh KN, Sasan A, Rafatirad S, Homayoun H (2021) Cloak & Co-locate: Adversarial Railroading of Resource Sharing-based Attacks on the Cloud. In: International Symposium on Secure and Private Execution Environment Design (SEED). pp 1–13

Fang C, Wang H, Nazari N, Omidi B, Sasan A, Khasawneh KN, Rafatirad S, Homayoun H (2022) Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks. In: Network and Distributed System Security Symposium (NDSS)

Razavi K, Gras B, Bosman E, Preneel B, Giuffrida C, Bos H (2016) Flip Feng Shui: Hammering a Needle in the Software Stack. In: USENIX Security Symposium (USENIX Security). pp 1–18. USENIX Association, Austin

Kocher P, Horn J, Fogh A, Genkin D, Gruss D, Haas W, Hamburg M, Lipp M, Mangard S, Prescher T, Schwarz M, Yarom Y (2019) Spectre Attacks: Exploiting Speculative Execution. In: IEEE Symposium on Security and Privacy (S&P). pp 1–19

Lipp M, Schwarz M, Gruss D, Prescher T, Haas W, Fogh A, Horn J, Mangard S, Kocher P, Genkin D, Yarom Y, Hamburg M (2018) Meltdown: Reading Kernel Memory from User Space. In: USENIX Security Symposium (USENIX Security). pp 973–990. USENIX Association, Baltimore

Datta P, Kumar P, Morris T, Grace M, Rahmati A, Bates A (2020) Valve: Securing Function Workflows on Serverless Computing Platforms. In: The Web Conference (WWW). pp 939–950. Association for Computing Machinery, New York

Sankaran A, Datta P, Bates A (2020) Workflow Integration Alleviates Identity and Access Management in Serverless Computing. In: Annual Computer Security Applications Conference (ACSAC). pp 496–509. Association for Computing Machinery, New York

Anjali, Caraza-Harter T, Swift MM (2020) Blending Containers and Virtual Machines: A Study of Firecracker and GVisor. In: ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE). pp 101–113. Association for Computing Machinery, New York

(2021) Hyper-V Technology Overview. https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-technology-overview . Accessed 21 Oct 2022

(2021) Nabla containers: a new approach to container isolation. https://nabla-containers.github.io/ . Accessed 21 Oct 2022

(2021) Kata containers. https://katacontainers.io/ . Accessed 21 Oct 2022

Ferraiolo DF, Kuhn DR (2009) Role-Based Access Controls. https://doi.org/10.48550/ARXIV.0903.2171

Colantonio A, Di Pietro R, Ocello A (2012) Role Mining in Business: Taming Role-Based Access Control Administration. World Scientific, Singapore

Hu VC, Kuhn DR, Ferraiolo DF, Voas J (2015) Attribute-Based Access Control. Computer 48(2):85–88. https://doi.org/10.1109/MC.2015.33

(2021) Spiffe: Secure Production Identity Framework for Everyone. https://spiffe.io/ . Accessed 21 Oct 2022

(2021) Corsha: API Identity & Access Management. https://corsha.com/ . Accessed 21 Oct 2022

(2021) The Minimum Elements For a Software Bill of Materials (SBOM). https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom . Accessed 21 Oct 2022

(2021) Gone in 60 Milliseconds: Intrusion and Exfiltration in Serverless Architectures. https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds . Accessed 21 Oct 2022

(2021) How AWS Lambda reuses containers (and how it affects you). https://pfisterer.dev/posts/aws-lambda-container-reuse . Accessed 21 Oct 2022

Savi M, Banfi A, Tundo A, Ciavotta M (2022) Serverless Computing for NFV: Is it Worth it? A Performance Comparison Analysis. In: IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events (PerCom Workshops). pp 680–685

Acknowledgements

The authors would like to thank the anonymous reviewers for their comments, which helped to improve the quality of the manuscript.

The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreements No 871793 (Accordion), No 101016509 (Charity), No 101070473 (FLUIDOS) and No 101070516 (Nebulous). This publication was also partially supported by the award NPRP-S-11-0109-180242 from the QNRF-Qatar National Research Fund, a member of The Qatar Foundation. The findings reported herein are solely the responsibility of the authors.

Author information

Authors and affiliations.

Telefonica Research, Barcelona, Spain

Eduard Marin & Diego Perino

Hamad Bin Khalifa University (HBKU), College of Science and Engineering (CSE), Information and Computing Technology (ICT), Doha, Qatar

Roberto Di Pietro

Contributions

Eduard Marin wrote this paper. Eduard Marin, Diego Perino, and Roberto di Pietro contributed to the discussions and reviewed and edited the manuscript. Eduard Marin, Diego Perino and Roberto di Pietro approve the final manuscript.

Authors’ information

Eduard Marin, Dr., is a Research Scientist at Telefónica Research, Spain. His main research interests fall in the intersection between Security and Privacy, Networks and Cloud Computing. He received his PhD degree from KU Leuven, Belgium. After obtaining his PhD, he was a visiting researcher at the University of Padua (Italy) and a postdoctoral researcher at the University of Birmingham (UK). Diego Perino, Dr., is the director of Telefónica Research, Spain. Prior to Telefónica, he worked at Bell Labs, NICTA, Orange Labs. He received his Ph.D. in Computer Science from the Paris Diderot-Paris 7, M.S. in Networking engineering at Politecnico di Torino and Eurecom Institute of Sophia Antipolis. Roberto di Pietro, Prof., ACM Distinguished Scientist, is a Full Professor of Cybersecurity at HBKU-CSE. His main research interests include Security and Privacy for Distributed Systems, AI for cybersecurity, Virtualization, and Applied Cryptography. In 2020 he received the Jean-Claude Laprie Award for having significantly influenced the theory and practice of Dependable Computing.

Corresponding author

Correspondence to Eduard Marin .

Ethics declarations

Ethics approval and consent to participate, competing interests.

The authors declare that they have no competing interests.

Additional information

Publisher’s note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .

About this article

Cite this article.

Marin, E., Perino, D. & Di Pietro, R. Serverless computing: a security perspective. J Cloud Comp 11 , 69 (2022). https://doi.org/10.1186/s13677-022-00347-w

Received : 20 July 2022

Accepted : 29 September 2022

Published : 23 October 2022

DOI : https://doi.org/10.1186/s13677-022-00347-w

  • Cloud computing
  • Threat models
  • Vulnerabilities
  • Architectures

A literature survey of security issues in Cloud, Fog, and Edge IT infrastructure

  • Published: 18 October 2022

  • Patricia Akello 1 , 2 ,
  • Nicole Lang Beebe 1 , 2 &
  • Kim-Kwang Raymond Choo   ORCID: orcid.org/0000-0001-9208-5336 1 , 2  

Increasing complexity in and interconnectivity between technologies and systems (e.g., cloud computing, Internet of Things (IoT), fog and edge computing) can complicate data processing and security requirements. Thus, in this paper we review existing literature survey articles focusing on cloud, fog and edge computing platforms and infrastructures. We then present the result of a systematic survey of existing literature surveys. Our research uses the PRISMA methodology and grounded theory to guide the review process, along with grounded theory for the classification of identified issues. The issues together with research trends and future research recommendations are then discussed, with the objective of informing future research agenda.

Mell, P., & Grance, T. (2011). “The NIST definition of cloud computing,”

Ramachandra, G., Iftikhar, M., & Khan, F. A. (Jan. 2017). A Comprehensive Survey on Security in Cloud Computing. Procedia Comput Sci , 110 , 465–472. doi: https://doi.org/10.1016/j.procs.2017.06.124

Biswas, A. R., & Giaffreda, R. (2014). “IoT and cloud convergence: Opportunities and challenges,” in 2014 IEEE World Forum on Internet of Things (WF-IoT), Mar. pp. 375–376. doi: https://doi.org/10.1109/WF-IoT.2014.6803194

Bonomi, F., Milito, R., Zhu, J., & Addepalli, S. (2012). “Fog Computing and Its Role in the Internet of Things,” in Proceedings of the First Edition of the MCC Workshop on Mobile Cloud Computing, New York, NY, USA, pp. 13–16. doi: https://doi.org/10.1145/2342509.2342513

Khan, S., Parkinson, S., & Qin, Y. (Aug. 2017). Fog computing security: a review of current applications and security solutions. J Cloud Comput , 6 (1), 19. doi: https://doi.org/10.1186/s13677-017-0090-3

Rodero-Merino, L., Vaquero, L. M., Caron, E., Muresan, A., & Desprez, F. (Feb. 2012). Building Safe PaaS Clouds: A Survey on Security in Multitenant Software Platforms. Comput Secur , 31 (1), 96–108. doi: https://doi.org/10.1016/j.cose.2011.10.006

Pearce, M., Zeadally, S., Hunt, R., “Virtualization: Issues, Security Threats, and, & Solutions (2013). ” ACM Comput Surv, vol. 45, no. 2, p. 17:1–17:39, Mar. doi: https://doi.org/10.1145/2431211.2431216

Pande, V. K., Marlecha, C., & Kayte, S. (2016). “A Review-Fog Computing and Its Role in the Internet of Things,”

Moher, D., Liberati, A., Tetzlaff, J., Altman, D. G., & Group, T. P. (2009). “Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA Statement,” PLOS Med., vol. 6, no. 7, p. e1000097, Jul. doi: https://doi.org/10.1371/journal.pmed.1000097

Corbin, J. M., & Strauss, A. (1990). “Grounded theory research: Procedures, canons, and evaluative criteria,” Qual. Sociol., vol. 13, no. 1, pp. 3–21, Mar. doi: https://doi.org/10.1007/BF00988593

Chukwu, E., & Garg, L. (2020). A Systematic Review of Blockchain in Healthcare: Frameworks, Prototypes, and Implementations. Ieee Access : Practical Innovations, Open Solutions , 8 , 21196–21214. doi: https://doi.org/10.1109/ACCESS.2020.2969881

Article   Google Scholar  

Maphosa, M., Doorsamy, W., & Paul, B. S. (2022). Factors Influencing Students’ Choice of and Success in STEM: A Bibliometric Analysis and Topic Modeling Approach. Ieee Transactions On Education , 1–13. doi: https://doi.org/10.1109/TE.2022.3160935

Wilson, M., Sampson, M., Barrowman, N., & Doja, A. (Apr. 2021). Bibliometric Analysis of Neurology Articles Published in General Medicine Journals. JAMA Netw Open , 4 (4), e215840. doi: https://doi.org/10.1001/jamanetworkopen.2021.5840

Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (Feb. 2013). An analysis of security issues for cloud computing. J Internet Serv Appl , 4 (1, p. 5,), doi: https://doi.org/10.1186/1869-0238-4-5

Jouini, M., & Rabai, L. B. A. (2014). “Surveying and Analyzing Security Problems in Cloud Computing Environments,” in 2014 Tenth International Conference on Computational Intelligence and Security, Nov. pp. 689–693. doi: https://doi.org/10.1109/CIS.2014.169

Patel, A., Taghavi, M., Bakhtiyari, K., Celestino, J., & Júnior (Jan. 2013). An intrusion detection and prevention system in cloud computing: A systematic review. J Netw Comput Appl , 36 (1), 25–41. doi: https://doi.org/10.1016/j.jnca.2012.08.007

Rebollo, O., Mellado, D., & Fernández-Medina, E., “A Systematic Review of Information Security Governance Frameworks in the Cloud Computing Environment,” p.18

Wolfswinkel, J. F., Furtmueller, E., & Wilderom, C. P. M. (2013). “Using grounded theory as a method for rigorously reviewing literature,” Eur. J. Inf. Syst., vol. 22, no. 1, pp. 45–55, Jan. doi: https://doi.org/10.1057/ejis.2011.51

Birkmeier, D., & Overhage, S. (2009). “On Component Identification Approaches – Classification, State of the Art, and Comparison,”in Component-Based Software Engineering, pp.1–18

Osanaiye, O., Choo, K. K. R., & Dlodlo, M. (2016). “Distributed Denial of Service (DDoS) Resilience in Cloud,” J Netw Comput Appl, vol. 67, no. C, pp. 147–165, May doi: https://doi.org/10.1016/j.jnca.2016.01.001

Stojmenovic, I., & Wen, S. (2014). “The Fog computing paradigm: Scenarios and security issues,” in 2014 Federated Conference on Computer Science and Information Systems, Sep. pp. 1–8. doi: https://doi.org/10.15439/2014F503

Hong, J. B., Nhlabatsi, A., Kim, D. S., Hussein, A., Fetais, N., & Khan, K. M. (Feb. 2019). Systematic identification of threats in the cloud: A survey. Computer Networks , 150 , 46–69. doi: https://doi.org/10.1016/j.comnet.2018.12.009

Patil, R., & Modi, C. (2019). “An Exhaustive Survey on Security Concerns and Solutions at Different Components of Virtualization,” ACM Comput. Surv. CSUR, vol. 52, no. 1, p. 12:1–12:38, Feb. doi: https://doi.org/10.1145/3287306

Kumar, R., & Goyal, R. (Aug. 2019). On cloud security requirements, threats, vulnerabilities and countermeasures: A survey. Comput Sci Rev , 33 , 1–48. doi: https://doi.org/10.1016/j.cosrev.2019.05.002

Subramanian, N., & Jeyaraj, A. (Oct. 2018). Recent security challenges in cloud computing. Computers & Electrical Engineering , 71 , 28–42. doi: https://doi.org/10.1016/j.compeleceng.2018.06.006

Singh, A., & Chatterjee, K. (Feb. 2017). Cloud security issues and challenges: A survey. J Netw Comput Appl , 79 , 88–115. doi: https://doi.org/10.1016/j.jnca.2016.11.027

Coppolino, L., D’Antonio, S., Mazzeo, G., & Romano, L. (Apr. 2017). Cloud security: Emerging threats and current solutions. Computers & Electrical Engineering , 59 , 126–140. doi: https://doi.org/10.1016/j.compeleceng.2016.03.004

Tari, Z., Yi, X., Premarathne, U. S., Bertok, P., & Khalil, I. (2015). “Security and Privacy in Cloud Computing: Vision, Trends, and Challenges,” IEEE Cloud Comput., vol. 2, no. 2, pp. 30–38, Mar. doi: https://doi.org/10.1109/MCC.2015.45

Ali, M., Khan, S. U., & Vasilakos, A. V. (Jun. 2015). Security in cloud computing: Opportunities and challenges. Information Sciences , 305 , 357–383. doi: https://doi.org/10.1016/j.ins.2015.01.025

Singh, S., Jeong, Y. S., & Park, J. H. (Nov. 2016). A survey on cloud computing security: Issues, threats, and solutions. J Netw Comput Appl , 75 , 200–222. doi: https://doi.org/10.1016/j.jnca.2016.09.002

Fernandes, D. A. B., Soares, L. F. B., Gomes, J. V., Freire, M. M., & Inácio, P. R. M. (2014). “Security issues in cloud environments: a survey,” Int. J. Inf. Secur., vol. 13, no. 2, pp. 113–170, Apr. doi: https://doi.org/10.1007/s10207-013-0208-7

Abbas, A., & Khan, S. U. (2014). “A Review on the State-of-the-Art Privacy-Preserving Approaches in the e-Health Clouds,” IEEE J. Biomed. Health Inform., vol. 18, no. 4, pp. 1431–1441, Jul. doi: https://doi.org/10.1109/JBHI.2014.2300846

Aguiar, E., Zhang, Y., & Blanton, M. (2014). “An Overview of Issues and Recent Developments in Cloud Computing and Storage Security,”. In K. J. Han, B. Y. Choi, & S. Song (Eds.), High Performance Cloud Auditing and Applications (pp. 3–33). New York, NY: Springer. doi: https://doi.org/10.1007/978-1-4614-3296-8_1

Chapter   Google Scholar  

Oktay, U., & Sahingoz, O. K. (2013). “Proxy Network Intrusion Detection System for cloud computing,” in 2013 The International Conference on Technological Advances in Electrical, Electronics and Computer Engineering (TAEECE), May pp. 98–104. doi: https://doi.org/10.1109/TAEECE.2013.6557203

Modi, C., Patel, D., Borisaniya, B., Patel, A., & Rajarajan, M. (Feb. 2013). A Survey on Security Issues and Solutions at Different Layers of Cloud Computing. J Supercomput , 63 (2), 561–592. doi: https://doi.org/10.1007/s11227-012-0831-5

Rong, C., Nguyen, S. T., & Jaatun, M. G. (Jan. 2013). Beyond lightning: A survey on security challenges in cloud computing. Computers & Electrical Engineering , 39 (1), 47–54. doi: https://doi.org/10.1016/j.compeleceng.2012.04.015

Pearson, S. (2013). “Privacy, Security and Trust in Cloud Computing. In S. Pearson, & G. Yee (Eds.), ” in Privacy and Security for Cloud Computing (pp. 3–42). London: Springer London. doi: https://doi.org/10.1007/978-1-4471-4189-1_1

Xiao, Z., & Xiao, Y. (Second 2013). Security and Privacy in Cloud Computing. Ieee Communication Surveys And Tutorials , 15 (2), 843–859. doi: https://doi.org/10.1109/SURV.2012.060912.00182

Perez-Botero, D., Szefer, J., & Lee, R. B. (2013). “Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers,” in Proceedings of the 2013 International Workshop on Security in Cloud Computing, New York, NY, USA, pp. 3–10. doi: https://doi.org/10.1145/2484402.2484406

Kulkarni, G., Gambhir, J., Patil, T., & Dongare, A. (2012). “A security aspects in cloud computing,” in IEEE International Conference on Computer Science and Automation Engineering, Jun. 2012, pp. 547–550. doi: https://doi.org/10.1109/ICSESS.2012.6269525

Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Gener Comput Syst , 28 (3), 583–592

Vaquero, L. M., Rodero-Merino, L., & Morán, D. (Jan. 2011). Locking the Sky: A Survey on IaaS Cloud Security. Computing , 91 (1), 93–118. doi: https://doi.org/10.1007/s00607-010-0140-x

Che, J., Duan, Y., Zhang, T., & Fan, J. (Jan. 2011). Study on the Security Models and Strategies of Cloud Computing. Procedia Engineering , 23 , 586–593. doi: https://doi.org/10.1016/j.proeng.2011.11.2551

Behl, A., & Behl, K. (2012). “An analysis of cloud computing security issues,” in 2012 World Congress on Information and Communication Technologies, Oct. pp. 109–114. doi: https://doi.org/10.1109/WICT.2012.6409059

Grobauer, B., Walloschek, T., & Stocker, E. (2011). “Understanding Cloud Computing Vulnerabilities,” IEEE Secur. Priv., vol. 9, no. 2, pp. 50–57, Mar. doi: https://doi.org/10.1109/MSP.2010.115

Subashini, S., & Kavitha, V. (Jan. 2011). A survey on security issues in service delivery models of cloud computing. J Netw Comput Appl , 34 (1), 1–11. doi: https://doi.org/10.1016/j.jnca.2010.07.006

Zhou, M., Zhang, R., Xie, W., Qian, W., & Zhou, A. (2010). “Security and Privacy in Cloud Computing: A Survey,” in 2010 Sixth International Conference on Semantics, Knowledge and Grids, Nov. pp. 105–112. doi: https://doi.org/10.1109/SKG.2010.19

Takabi, H., Joshi, J. B. D., & Ahn, G. J. (2010). “Security and Privacy Challenges in Cloud Computing Environments,” IEEE Secur. Priv., vol. 8, no. 6, pp. 24–31, Nov. doi: https://doi.org/10.1109/MSP.2010.186

Zhang, P., Zhou, M., & Fortino, G. (Nov. 2018). Security and trust issues in Fog computing: A survey. Future Gener Comput Syst , 88 , 16–27. doi: https://doi.org/10.1016/j.future.2018.05.008

Roman, R., Lopez, J., Mambo, M., et al. (Jan. 2018). : A survey and analysis of security threats and challenges,” Future Gener. Comput. Syst., vol. 78, pp. 680–698, doi: https://doi.org/10.1016/j.future.2016.11.009

Mukherjee, M., et al. (2017). Security and Privacy in Fog Computing: Challenges. Ieee Access : Practical Innovations, Open Solutions , 5 , 19293–19304. doi: https://doi.org/10.1109/ACCESS.2017.2749422

Alrawais, A., Alhothaily, A., Hu, C., & Cheng, X. (2017). “Fog Computing for the Internet of Things: Security and Privacy Issues,” IEEE Internet Comput., vol. 21, no. 2, pp. 34–42, Mar. doi: https://doi.org/10.1109/MIC.2017.37

Stojmenovic, I., Wen, S., Huang, X., & Luan, H. (2016). An overview of Fog computing and its security issues. Concurr Comput Pract Exp , 28 (10), 2991–3005. doi: https://doi.org/10.1002/cpe.3485

Yi, S., Qin, Z., & Li, Q. (2015). “Security and Privacy Issues of Fog Computing: A Survey,” in Wireless Algorithms, Systems, and Applications, pp. 685–695

Yi, S., Li, C., & Li, Q. (2015). “A Survey of Fog Computing: Concepts, Applications and Issues,” in Proceedings of the 2015 Workshop on Mobile Big Data, New York, NY, USA, pp. 37–42. doi: https://doi.org/10.1145/2757384.2757397

Lee, K., Kim, D., Ha, D., Rajput, U., & Oh, H. (2015). “On security and privacy issues of fog computing supported Internet of Things environment,” in 2015 6th International Conference on the Network of the Future (NOF), Sep. pp. 1–3. doi: https://doi.org/10.1109/NOF.2015.7333287

Wang, Y., Uehara, T., & Sasaki, R. (2015). “Fog Computing: Issues and Challenges in Security and Forensics,” in 2015 IEEE 39th Annual Computer Software and Applications Conference, Jul. vol. 3, pp. 53–59. doi: https://doi.org/10.1109/COMPSAC.2015.173

Kolhar, M., Abu-Alhaj, M. M., & Abd El-atty, S. M. (Jan. 2017). Cloud Data Auditing Techniques with a Focus on Privacy and Security. Ieee Security And Privacy , 15 (1), 42–51. doi: https://doi.org/10.1109/MSP.2017.16

“NVD - CVE (2020). -2018-18808.” https://nvd.nist.gov/vuln/detail/CVE-2018-18808 (accessed Feb. 14,

Fazzini, K., “A Technical Slip-up Exposes Cloud Collaboration Risks,” Wall Street Journal, Jun. 13, 2017. Accessed: Feb. 04, 2020. [Online]. Available: https://www.wsj.com/articles/a-technical-slip-up-exposes-cloud-collaboration-risks-1497353313

Sgandurra, D., & Lupu, E. (2016). Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems. ACM Comput Surv , 48 (3), 1. doi: https://doi.org/10.1145/2856126 . 46:38, Feb

Chaudhary, D., Bhushan, K., & Gupta, B. B. (2018). “Survey on DDoS Attacks and Defense Mechanisms in Cloud and Fog Computing,” Int. J. E-Serv. Mob. Appl. IJESMA, vol. 10, no. 3, pp. 61–83, Jul. doi: https://doi.org/10.4018/IJESMA.2018070104

Gupta, B. B., & Badve, O. P. (2017). “Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment,” Neural Comput. Appl., vol. 28, no. 12, pp. 3655–3682, Dec. doi: https://doi.org/10.1007/s00521-016-2317-5

“Vulnerability and Threat Trends Research Report,” Skybox Security, Jul. 11 (2019). https://www.skyboxsecurity.com/trends-report (accessed Feb. 14, 2020)

Muncaster, P. (2019). “Over a Third of Firms Have Suffered a Cloud Attack,” Infosecurity Magazine, Aug. 22, https://www.infosecurity-magazine.com:443/news/over-third-firms-have-suffered/ (accessed Feb. 14, 2020)

d Silva, C. M. R., d Silva, J. L. C., Rodrigues, R. B., Campos, G. M. M., Nascimento, L. M., & Garcia, V. C. (2013). “Security Threats in Cloud Computing Models: Domains and Proposals,” in IEEE Sixth International Conference on Cloud Computing, Jun. 2013, pp. 383–389. doi: https://doi.org/10.1109/CLOUD.2013.125

“Top Threats to Cloud Computing (2019). : Egregious,” Cloud Security Alliance. https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven/ (accessed Sep.13,

“Top Threats to Cloud Computing Plus: (accessed Apr. 01, 2019). ” Cloud Security Alliance. https://cloudsecurityalliance.org/artifacts/top-threats-cloud-computing-plus-industry-insights/

Akello, P., Beebe, N. L., & Raymond, K. K. C., “Volitional non-malicious insider threats: At the intersection of COVID-19, WFH and cloud-facilitated shadow-apps,” 27th Annu. Am. Conf. Inf. Syst. AMCIS 2021, 2021, Accessed: May 27, 2022. [Online]. Available: https://pesquisa.bvsalud.org/global-literature-on-novel-coronavirus-2019-ncov/resource/pt/covidwho-1513605

Silic, M., & Back, A. (Sep. 2014). Shadow IT – A view from behind the curtain. Comput Secur , 45 , 274–283. doi: https://doi.org/10.1016/j.cose.2014.06.007

Mallmann, G. L., Maçada, A. C. G., & Oliveira, M. (2018). “The influence of shadow IT usage on knowledge sharing: An exploratory study with IT users,” Bus. Inf. Rev., vol. 35, no. 1, pp. 17–28, Mar. doi: https://doi.org/10.1177/0266382118760143

Shaikh, A., “Shadow-IT System and Insider Threat: An Assessment of an Opportunity Dimension for the Identity Theft,” in HCI International 2018 – Posters’ Extended Abstracts, Cham, 2018, pp. 314–317. doi: https://doi.org/10.1007/978-3-319-92285-0_44

Silic, M., Barlow, J. B., & Back, A. (2017). “A new perspective on neutralization and deterrence: Predicting shadow IT usage,” Inf. Manage., vol. 54, no. 8, pp. 1023–1037, Dec. doi: https://doi.org/10.1016/j.im.2017.02.007

Walterbusch, M., Fietz, A., & Teuteberg, F. (2017). Missing cloud security awareness: investigating risk exposure in shadow IT. J Enterp Inf Manag Jul . doi: https://doi.org/10.1108/JEIM-07-2015-0066

Cappelli, D. M., Moore, A. P., & Trzeciak, R. F. (2012). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) . Addison-Wesley

Barona, R., & Anita, E. A. M. (2017). “A survey on data breach challenges in cloud computing security: Issues and threats,” in 2017 International Conference on Circuit,Power and Computing Technologies (ICCPCT), Apr. pp. 1–8. doi: https://doi.org/10.1109/ICCPCT.2017.8074287

“Study Finds (2020). ‘Lurking Malice’ in Cloud Hosting Services.” https://www.news.gatech.edu/2016/10/19/study-finds-lurking-malice-cloud-hosting-services (accessed Feb. 14,

Korolov, M. (2016). “Ransomware prevalent in cloud-based malware,” CSO Online, Sep. 08, https://www.csoonline.com/article/3117751/ransomware-prevalent-in-cloud-based-malware.html (accessed Feb. 04, 2020)

Pearson, S., & Benameur, A. (2010). “Privacy, Security and Trust Issues Arising from Cloud Computing,” in 2010 IEEE Second International Conference on Cloud Computing Technology and Science, Nov. pp. 693–702. doi: https://doi.org/10.1109/CloudCom.2010.66

Ranger, S. (2020). “GitHub hit with the largest DDoS attack ever seen,” ZDNet. https://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/ (accessed Feb.15,

“Web attack knocks BBC websites offline - BBC News (2020). ” https://www.bbc.com/news/technology-35204915 (accessed Feb. 15,

Luo, S., Lin, Z., Chen, X., Yang, Z., & Chen, J. (2011). “Virtualization security for cloud computing service,” in 2011 International Conference on Cloud and Service Computing, Dec. pp. 174–179. doi: https://doi.org/10.1109/CSC.2011.6138516

ssd-researcher (2018). “SSD Advisory – Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities,” SSD Secure Disclosure, Jan. 24, https://ssd-disclosure.com/archives/3649/ssd-advisory-oracle-virtualbox-multiple-guest-to-host-escape-vulnerabilities (accessed Feb. 06, 2020)

Ahmed, U., Raza, I., & Hussain, S. A. (2019). “Trust Evaluation in Cross-Cloud Federation: Survey and Requirement Analysis,” ACM Comput Surv, vol. 52, no. 1, p. 19:1–19:37, Feb. doi: https://doi.org/10.1145/3292499

“Top 6 Cloud Security Issues in Cloud Computing (2020). ” https://www.skyhighnetworks.com/cloud-security-blog/6-cloud-security-issues-that-businesses-experience/ (accessed Feb.15,

Huang, J., & Nicol, D. M. (Apr. 2013). Trust mechanisms for cloud computing. J Cloud Comput Adv Syst Appl , 2 (1, p. 9,), doi: https://doi.org/10.1186/2192-113X-2-9

vurukonda, N., Rao, B. T., & “A Study on Data Storage Security Issues in Cloud Computing. (Jan. 2016).” Procedia Comput. Sci., 92,128–135, doi: https://doi.org/10.1016/j.procs.2016.07.335 .

Rao, R. V., & Selvamani, K. (Jan. 2015). Data Security Challenges and Its Solutions in Cloud Computing. Procedia Comput Sci , 48 , 204–209. doi: https://doi.org/10.1016/j.procs.2015.04.171

“2019 Data Breaches (2020). : 4 Billion Records Breached So Far | Norton.” https://us.norton.com/internetsecurity-emerging-threats-2019-data-breaches.html (accessed Feb. 15,

B. G. Rama and 11/21/2017, “Uber Discloses Year-Old AWS Data Breach, Exposing Millions of Users -,” AWSInsider. https://awsinsider.net/articles/2017/11/21/uber-aws-data-breach.aspx

Chang, V., & Ramachandran, M. (Jan. 2016). “Towards Achieving Data Security with the Cloud Computing Adoption Framework,” IEEE Trans. Serv. Comput., 9, 1,138–151, doi: https://doi.org/10.1109/TSC.2015.2491281 .

Kandias, M., Stavrou, V., Bozovic, N., & Gritzalis, D. (2013). “Proactive Insider Threat Detection Through Social Media: The YouTube Case,” in Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society, New York, NY, USA, pp. 261–266. doi: https://doi.org/10.1145/2517840.2517865

Rundle, J., “Human Error Often the Culprit in Cloud Data Breaches,” Wall Street Journal, Aug. 27, 2019. Accessed: Feb. 15, 2020. [Online]. Available: https://www.wsj.com/articles/human-error-often-the-culprit-in-cloud-data-breaches-11566898203

Duncan, A. J., Creese, S., & Goldsmith, M. (2012). “Insider Attacks in Cloud Computing,” in IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, Jun. 2012, pp. 857–862. doi: https://doi.org/10.1109/TrustCom.2012.188

Esposito, C., Santis, A. D., Tortora, G., Chang, H., & Choo, K. R. (Jan. 2018). “Blockchain: A Panacea for Healthcare Cloud-Based Data Security and Privacy?,” IEEE Cloud Comput., 5, 1,31–37, doi: https://doi.org/10.1109/MCC.2018.011791712 .

“Security Update - About Facebook (2020). ” https://about.fb.com/news/2018/09/security-update/ (accessed Feb. 15,

“Expect, A. P. I. (accessed Feb. 15, 2020). Breaches to Accelerate.” https://www.darkreading.com/application-security/expect-api-breaches-to-accelerate/d/d-id/1332504

“Why Cloud Computing Cyber Security Risks Are On The Rise (2020). :Report.” https://www.forbes.com/sites/jeanbaptiste/2019/07/25/why-cloud-computing-cyber-security-risks-are-on-the-rise-report/#71c281ea5621 (accessed Feb. 15,

de Carvalho, C. A. B., de Andrade, R. M., de Castro, M. F., Coutinho, E. F., & Agoulmine, N. (Apr. 2017). State of the art and challenges of security SLA for cloud computing. Computers & Electrical Engineering , 59 , 141–152. doi: https://doi.org/10.1016/j.compeleceng.2016.12.030

“Resource Library | McAfee (2020). ” https://www.mcafee.com/enterprise/en-us/resource-library.html (accessed Feb.15,

TerryLanfear (accessed Nov. 21, 2019). “Shared responsibility in the cloud - Microsoft Azure.” https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

Aluvalu, R., & Muddana, L., “A Survey on Access Control Models in Cloud Computing,” in Emerging ICT for Bridging the Future - Proceedings of the 49th Annual Convention of the Computer Society of India (CSI) Volume 1, Cham, 2015, pp. 653–664. doi: https://doi.org/10.1007/978-3-319-13728-5_73

L. H et al., “Risk based access control in cloud computing,” in 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), pp. 1502–1505. doi: https://doi.org/10.1109/ICGCIoT.2015.7380704

Tsidulko, J. (2017). “AWS Warns Users To Secure Storage Buckets,” CRN, Jul. 19, https://www.crn.com/news/cloud/300089076/aws-warns-users-to-secure-storage-buckets.htm (accessed Feb. 15, 2020)

“Latest Cloud Security Trends Report From RedLock CSI Team Highlights Serious Growth in Cryptojacking (accessed Feb. 15, 2020). Continuing Lack of Compliance with Industry Standards.” https://redlock.io/news/redlock-cloud-security-trends-report-highlights-lack-of-compliance-with-industry-standards

Hong, J. I., & Landay, J. A. (2004). “An architecture for privacy-sensitive ubiquitous computing,” in Proceedings of the 2nd international conference on Mobile systems, applications, and services, Boston, MA, USA, Jun. pp. 177–189. doi: https://doi.org/10.1145/990064.990087

Aloraini, A., & Hammoudeh, M. (2017). “A Survey on Data Confidentiality and Privacy in Cloud Computing,” in Proceedings of the International Conference on Future Networks and Distributed Systems, New York, NY, USA, p. 10:1–10:7. doi: https://doi.org/10.1145/3102304.3102314

Rocha, F., “Insider threat: memory confidentiality and integrity in the cloud,” Ph.D., University of Newcastle Upon Tyne (United Kingdom), England, 2015. Accessed: Sep. 22, 2018. [Online]. Available: https://search.proquest.com/docview/1827514860/?pq-origsite=primo

Sicari, S., Rizzardi, A., Grieco, L. A., & Coen-Porisini, A. (Jan. 2015). Security, privacy and trust in Internet of Things: The road ahead. Computer Networks , 76 , 146–164. doi: https://doi.org/10.1016/j.comnet.2014.11.008

“Exploring container (2019). security: the shared responsibility model in GKE,”Google Cloud Blog. https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-responsibility-model-in-gke-container-security-shared-responsibility-model-gke/ (accessed Nov. 21,

Zhang, G., Li, T., Li, Y., Hui, P., & Jin, D. (2018). “Blockchain-Based Data Sharing System for AI-Powered Network Operations,” J. Commun. Inf. Netw., vol. 3, no. 3, pp. 1–8, Sep. doi: https://doi.org/10.1007/s41650-018-0024-3

Bakshi, A., & Dujodwala, Y. B. (2010). “Securing Cloud from DDOS Attacks Using Intrusion Detection System in Virtual Machine,” in 2010 Second International Conference on Communication Software and Networks, Feb. pp. 260–264. doi: https://doi.org/10.1109/ICCSN.2010.56

Chonka, A., Xiang, Y., Zhou, W., & Bonti, A. (2011). “Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks,” J. Netw. Comput. Appl., vol. 34, no. 4, pp. 1097–1107, Jul. doi: https://doi.org/10.1016/j.jnca.2010.06.004

Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., & Rajarajan, M. (Jan. 2013). A survey of intrusion detection techniques in Cloud. J Netw Comput Appl , 36 (1), 42–57. doi: https://doi.org/10.1016/j.jnca.2012.05.003

Patel, A., Taghavi, M., Bakhtiyari, K., & Júnior, J. C. (2012). “Taxonomy and Proposed Architecture of Intrusion Detection and Prevention Systems for Cloud Computing,” in Proceedings of the 4th International Conference on Cyberspace Safety and Security, Berlin, Heidelberg, pp. 441–458. doi: https://doi.org/10.1007/978-3-642-35362-8_33

Wang, J., Wu, L., Choo, K. K. R., & He, D. (2020). “Blockchain-Based Anonymous Authentication With Key Management for Smart Grid Edge Computing Infrastructure,” IEEE Trans. Ind. Inform., vol. 16, no. 3, pp. 1984–1992, Mar. doi: https://doi.org/10.1109/TII.2019.2936278

Ahmed, M., & Litchfield, A. T. (Jan. 2018). Taxonomy for Identification of Security Issues in Cloud Computing Environments. J Comput Inf Syst , 58 (1), 79–88. doi: https://doi.org/10.1080/08874417.2016.1192520

Hassan, B. M., Fouad, K. M., & Hassan, M. F. (2015). “Keystroke Dynamics Authentication in Cloud Computing: A Survey,” Int J Enterp Inf Syst, vol. 11, no. 4, pp. 99–120, Oct. doi: https://doi.org/10.4018/IJEIS.2015100105

Khan, M. A. (Aug. 2016). A survey of security issues for cloud computing. J Netw Comput Appl , 71 , 11–29. doi: https://doi.org/10.1016/j.jnca.2016.05.010

Li, H., Lu, R., Misic, J., & Mahmoud, M. (May 2018). Security and Privacy of Connected Vehicular Cloud Computing. IEEE Netw , 32 (3), 4–6. doi: https://doi.org/10.1109/MNET.2018.8370870

Mollah, M. B., Azad, M. A. K., & Vasilakos, A. (Apr. 2017). Security and privacy challenges in mobile cloud computing: Survey and way ahead. J Netw Comput Appl , 84 , 38–54. doi: https://doi.org/10.1016/j.jnca.2017.02.001

Jayasinghe, U., Lee, G. M., MacDermott, Á., & Rhee, W. S. (2019). “TrustChain: A Privacy Preserving Blockchain with Edge Computing,” Wireless Communications and Mobile Computing, https://www.hindawi.com/journals/wcmc/2019/2014697/ (accessed Feb. 14, 2020)

Bhatia, T., & Verma, A. K. (Jun. 2017). Data Security in Mobile Cloud Computing Paradigm: A Survey, Taxonomy and Open Research Issues. J Supercomput , 73 (6), 2558–2631. doi: https://doi.org/10.1007/s11227-016-1945-y

Shin, Y., Koo, D., & Hur, J. (2017). “A Survey of Secure Data Deduplication Schemes for Cloud Storage Systems,” ACM Comput Surv, vol. 49, no. 4, p. 74:1–74:38, Jan. doi: https://doi.org/10.1145/3017428

Sookhak, M., et al., “Remote Data Auditing in Cloud Computing Environments: A Survey, Taxonomy, and Open Issues,”ACM Comput. Surv., vol. 47, no. 4, p. 65:1–65:34, May 2015, doi: https://doi.org/10.1145/2764465

Stolfo, S. J., Salem, M. B., & Keromytis, A. D. (2012). “Fog computing: Mitigating insider data theft attacks in the cloud,” in Security and Privacy Workshops (SPW), 2012 IEEE Symposium on, pp. 125–128. Accessed: Feb. 21, 2017. [Online]. Available: http://ieeexplore.ieee.org/abstract/document/6227695/

Tang, J., Cui, Y., Li, Q., Ren, K., Liu, J., & Buyya, R. (2016). “Ensuring Security and Privacy Preservation for Cloud Data Services,”ACM Comput Surv, 49, 1,p. 13:1–13:39, Jun. doi: https://doi.org/10.1145/2906153 .

Faniyi, F., & Bahsoon, R. (2016). A Systematic Review of Service Level Management in the Cloud. ACM Comput Surv , 48 (3), 1. doi: https://doi.org/10.1145/2843890 . 43:27, Feb

Chen, L., Lee, W. K., Chang, C. C., Choo, K. K. R., & Zhang, N. (2019). “Blockchain based searchable encryption for electronic health record sharing,” Future Gener. Comput. Syst., vol. 95, pp. 420–429, Jun. doi: https://doi.org/10.1016/j.future.2019.01.018

Zhen, P., Zhao, G., Min, L., & Li, X. (2014). “A Survey of Chaos-Based Cryptography,” in Proceedings of the 2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, Washington, DC, USA, pp. 237–244. doi: https://doi.org/10.1109/3PGCIC.2014.69

Bishop, M., & Gates, C. (2008). Defining the insider threat . ACM

Li, X., Zhao, X., International Conference on Cloud Computing and, & Data, B. (“Survey on Access Control Model in Cloud Computing Environment,” in Proceedings of the 2013). Washington, DC, USA, 2013, pp. 340–345. doi: https://doi.org/10.1109/CLOUDCOM-ASIA.2013.103

Liang, X., Zhao, J., Shetty, S., Liu, J., & Li, D. (2017). “Integrating blockchain for data sharing and collaboration in mobile healthcare applications,” in 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), Oct. pp. 1–5. doi: https://doi.org/10.1109/PIMRC.2017.8292361

Hammi, M. T., Hammi, B., Bellot, P., & Serhrouchni, A. (Sep. 2018). Bubbles of Trust: A decentralized blockchain-based authentication system for IoT. Comput Secur , 78 , 126–142. doi: https://doi.org/10.1016/j.cose.2018.06.004

Nguyen, T. D. T., Pham, H. A., & Thai, M. T. (2018). “Leveraging Blockchain to Enhance Data Privacy in IoT-Based Applications,” in Computational Data and Social Networks, Cham, pp.211–221. doi: https://doi.org/10.1007/978-3-030-04648-4_18

Sohal, A. S., Sandhu, R., Sood, S. K., & Chang, V. (May 2018). A cybersecurity framework to identify malicious edge device in fog computing and cloud-of-things environments. Comput Secur , 74 , 340–354. doi: https://doi.org/10.1016/j.cose.2017.08.016

Wang, Y. L., & Yang, S. C. (2014). “A Method of Evaluation for Insider Threat,” in 2014 International Symposium on Computer, Consumer and Control, Jun. pp. 438–441. doi: https://doi.org/10.1109/IS3C.2014.121

Sharma, P. K., Singh, S., Jeong, Y. S., & Park, J. H. (2017). “DistBlockNet: A Distributed Blockchains-Based Secure SDN Architecture for IoT Networks,” IEEE Commun. Mag., vol. 55, no. 9, pp. 78–85, Sep. doi: https://doi.org/10.1109/MCOM.2017.1700041

Dorri, A., Kanhere, S. S., & Jurdak, R. (2017). “Towards an Optimized BlockChain for IoT,” in 2017 IEEE/ACM Second International Conference on Internet-of-Things Design and Implementation (IoTDI), Apr. pp. 173–178

“BlockPro | Proceedings of the 1st Workshop on Blockchain-enabled Networked Sensor Systems (accessed Feb. 15, 2020). ” https://dl.acm.org/doi/abs/10.1145/3282278.3282281

“Healthcare Data Gateways (accessed Feb. 16, 2020). : Found Healthcare Intelligence on Blockchain with Novel Privacy Risk Control | SpringerLink.” https://link.springer.com/article/10.1007 /s10916-016-0574-6

Download references

Acknowledgements

This work is partially supported by NSF CREST Grant HRD-1736209.

Author information

Authors and affiliations.

Department of Management Information Systems, University of Montana, 59812, Missoula, MT, USA

Patricia Akello, Nicole Lang Beebe & Kim-Kwang Raymond Choo

Department of Information Systems and Cyber Security, University of Texas, San Antonio, 78249, TX, USA


Corresponding author

Correspondence to Patricia Akello.

About this article

Akello, P., Beebe, N.L. & Choo, KK.R. A literature survey of security issues in Cloud, Fog, and Edge IT infrastructure. Electron Commer Res (2022). https://doi.org/10.1007/s10660-022-09615-y

Published : 18 October 2022

DOI : https://doi.org/10.1007/s10660-022-09615-y

  • Cloud computing security
  • Fog Computing Security
  • Edge Computing Security
  • Systematic review
  • Literature Survey

Systematic Review Article

Securing Machine Learning in the Cloud: A Systematic Review of Cloud Machine Learning Security

www.frontiersin.org

  • 1 Information Technology University (ITU), Lahore, Pakistan
  • 2 AI4Networks Research Center, University of Oklahoma, Norman, OK, United States
  • 3 Social Data Science (SDS) Lab, Queen Mary University of London, London, United Kingdom
  • 4 School of Computing and Communications, Lancaster University, Lancaster, United Kingdom
  • 5 Hamad Bin Khalifa University (HBKU), Doha, Qatar

With the advances in machine learning (ML) and deep learning (DL) techniques, and the potency of cloud computing in offering services efficiently and cost-effectively, Machine Learning as a Service (MLaaS) cloud platforms have become popular. In addition, there is increasing adoption of third-party cloud services for outsourcing training of DL models, which requires substantial costly computational resources (e.g., high-performance graphics processing units (GPUs)). Such widespread usage of cloud-hosted ML/DL services opens a wide range of attack surfaces for adversaries to exploit the ML/DL system to achieve malicious goals. In this article, we conduct a systematic evaluation of literature of cloud-hosted ML/DL models along both the important dimensions— attacks and defenses —related to their security. Our systematic review identified a total of 31 related articles out of which 19 focused on attack, six focused on defense, and six focused on both attack and defense. Our evaluation reveals that there is an increasing interest from the research community on the perspective of attacking and defending different attacks on Machine Learning as a Service platforms. In addition, we identify the limitations and pitfalls of the analyzed articles and highlight open research issues that require further investigation.

1 Introduction

In recent years, machine learning (ML) techniques have been successfully applied to a wide range of applications, significantly outperforming previous state-of-the-art methods in various domains: for example, image classification, face recognition, and object detection. These ML techniques—in particular deep learning (DL)–based ML techniques—are resource intensive and require a large amount of training data to accomplish a specific task with good performance. Training DL models on large-scale datasets is usually performed using high-performance graphics processing units (GPUs) and tensor processing units. However, keeping in mind the cost of GPUs/Tensor Processing Units and the fact that small businesses and individuals cannot afford such computational resources, the training of deep models is typically outsourced to clouds, which is referred to in the literature as “Machine Learning as a Service” (MLaaS).

MLaaS refers to different ML services that are offered as a component of cloud computing services, for example, predictive analytics, face recognition, natural language services, and data modeling APIs. MLaaS allows users to upload their data and model for training in the cloud. In addition to training, cloud-hosted ML services can also be used for inference, that is, models can be deployed in cloud environments; the system architecture of a typical MLaaS is shown in Figure 1.

FIGURE 1 . Taxonomy of different defenses proposed for defending attacks on the third-party cloud-hosted machine learning (ML) or deep learning (DL) models.

MLaaS 1 can help reduce the entry barrier to the use of ML and DL through access to managed services of wide hardware heterogeneity and incredible horizontal scale. MLaaS is currently provided by several major organizations such as Google, Microsoft, and Amazon. For example, Google offers Cloud ML Engine 2 that allows developers and data scientists to upload training data and model which is trained on the cloud in the Tensorflow 3 environment. Similarly, Microsoft offers Azure Batch AI 4 —a cloud-based service for training DL models using different frameworks supported by both Linux and Windows operating systems and Amazon offers a cloud service named Deep Learning AMI (DLAMI) 5 that provides several pre-built DL frameworks (e.g., MXNet, Caffe, Theano, and Tensorflow) that are available in Amazon’s EC2 cloud computing infrastructure. Such cloud services are popular among researchers as evidenced by the price lifting of Amazon’s p2.16x large instance to the maximum possible—two days before the deadline of NeurIPS 2017 (the largest research venue on ML)—indicating that a large number of users request to reserve instances.

In addition to MLaaS services that allow users to upload their model and data for training on the cloud, transfer learning is another strategy to reduce computational cost in which a pretrained model is fine-tuned for a new task (using a new dataset). Transfer learning is widely applied for image recognition tasks using a convolutional neural network (CNN). A CNN model learns and encodes features like edges and other patterns. The learned weights and convolutional filters are useful for image recognition tasks in other domains and state-of-the-art results can be obtained with a minimal amount of training even on a single GPU. Moreover, various popular pretrained models such as AlexNet ( Krizhevsky et al., 2012 ), VGG ( Simonyan and Zisserman, 2015 ), and Inception ( Szegedy et al., 2016 ) are available for download and fine-tuning online. Both of the aforementioned outsourcing strategies come with new security concerns. In addition, the literature suggests that different types of attacks can be realized on different components of the communication network as well ( Usama et al., 2020a ), for example, intrusion detection ( Han et al., 2020 ; Usama et al., 2020b ), network traffic classification ( Usama et al., 2019 ), and malware detection systems ( Chen et al., 2018 ). Moreover, adversarial ML attacks have also been devised for client-side ML classifiers, that is, Google’s phishing pages filter ( Liang et al., 2016 ).

Contributions of the article: In this article, we analyze the security of MLaaS and other cloud-hosted ML/DL models and provide a systematic review of associated security challenges and solutions. To the best of our knowledge, this article is the first effort on providing a systematic review of the security of cloud-hosted ML models and services. The following are the major contributions of this article:

(1) We conducted a systematic evaluation of 31 articles related to MLaaS attacks and defenses.

(2) We investigated five themes of approaches aiming to attack MLaaS and cloud-hosted ML services.

(3) We examined five themes of defense methods for securing MLaaS and cloud-hosted ML services.

(4) We identified the pitfalls and limitations of the examined articles. Finally, we have highlighted open research issues that require further investigation.

Organization of the article: The rest of the article is organized as follows. The methodology adopted for the systematic review is presented in Section 2. The results of the systematic review are presented in Section 3. Section 4 presents various security challenges associated with cloud-hosted ML models and potential solutions for securing cloud-hosted ML models are presented in Section 5. The pitfalls and limitations of the reviewed approaches are discussed in Section 6. We briefly reflect on our methodology to identify any threats to the validity in Section 8 and various open research issues that require further investigation are highlighted in Section 7. Finally, we conclude the article in Section 9.

2 Review Methodology

In this section, we present the research objectives and the adopted methodology for the systematic review. The purpose of this article is to identify and systematically review the state-of-the-art research related to the security of cloud-based ML/DL techniques. The methodology followed for this study is depicted in Figure 2.

FIGURE 2 . An illustration of a typical cloud-based ML or machine learning as a service (MLaaS) architecture.

2.1 Research Objectives

The following are the key objectives of this article.

O1: To build upon the existing work around the security of cloud-based ML/DL methods and present a broad overview of the existing state-of-the-art literature related to MLaaS and cloud-hosted ML services.

O2: To identify and present a taxonomy of different attack and defense strategies for cloud-hosted ML/DL models.

O3: To identify the pitfalls and limitations of the existing approaches in terms of research challenges and opportunities.

2.2 Research Questions

To achieve our objectives, we consider two important questions, described below, and conducted a systematic analysis of 31 articles.

Q1: What are the well-known attacks on cloud-hosted/third-party ML/DL models?

Q2: What are the countermeasures and defenses against such attacks?

2.3 Review Protocol

We developed a review protocol to conduct the systematic review; the details are described below.

2.3.1 Search Strategy and Searching Phase

To build a knowledge base and extract the relevant articles, eight major publishers and online repositories were queried that include ACM Digital Library, IEEE Xplore, ScienceDirect, International Conference on Machine Learning, International Conference on Learning Representations, Journal of Machine Learning Research, Neural Information Processing Systems, USENIX, and arXiv. As we added non-peer-reviewed articles from the electronic preprint archive (arXiv), we (AQ and AI) performed the critical appraisal using the AACODS checklist, which is designed to enable evaluation and appraisal of gray literature (Tyndall, 2010).

In the initial phase, we queried main libraries using a set of different search terms that evolved using an iterative process to maximize the number of relevant articles. To achieve optimal sensitivity, we used a combination of words: attack, poisoning, Trojan attack, contamination, model inversion, evasion, backdoor, model stealing, black box, ML, neural networks, MLaaS, cloud computing, outsource, third party, secure, robust, and defense. The combinations of search keywords used are depicted in Figure 3 . We then created search strategies with controlled or index terms given in Figure 3 . Please note that no lower limit for the publication date was applied; the last search date was June 2020. The researchers (WI and AI) searched additional articles through citations and by snowballing on Google Scholar. Any disagreement was adjudicated by the third reviewer (AQ). Finally, articles focusing on the attack/defense for cloud-based ML models were retrieved.

FIGURE 3 . The methodology for systematic review.

2.3.2 Inclusion and Exclusion Criteria

The inclusion and exclusion criteria followed for this systematic review are defined below.

2.3.2.1 Inclusion Criteria

The following are the key points that we considered for screening retrieved articles as relevant for conducting a systematic review.

• We included all articles relevant to the research questions and published in the English language that discusses the attacks on cloud-based ML services, for example, offered by cloud computing service providers.

• We then assessed the eligibility of the relevant articles by identifying whether they discussed either attack or defense for cloud-based ML/DL models.

• Comparative studies that compare the attacks and robustness against different well-known attacks on cloud-hosted ML services (poisoning attacks, black box attacks, Trojan attacks, backdoor attacks, contamination attacks, inversion, stealing, and invasion attacks).

• Finally, we categorized the selected articles into three categories, that is, articles on attacks, articles on defenses, and articles on attacks and defenses.

2.3.2.2 Exclusion Criteria

The exclusion criteria are outlined below.

• Articles that are written in a language other than English.

• Articles not available in full text.

• Secondary studies (e.g., systematic literature reviews, surveys, editorials, and abstracts or short papers) are not included.

• Articles that do not discuss attacks and defenses for cloud-based/third-party ML services, that is, we only consider those articles which have proposed an attack or defense for a cloud-hosted ML or MLaaS service.

2.3.3 Screening Phase

For the screening of articles, we employ two phases based on the content of the retrieved articles: 1) title and abstract screening and 2) full text of the publication. Please note that to avoid bias and to ensure that the judgment about the relevancy of articles is entirely based on the content of the publications, we intentionally do not consider authors, publication type (e.g., conference and journal), and publisher (e.g., IEEE and ACM). Titles and abstracts might not be true reflectors of the articles’ contents; however, we concluded that our review protocol is sufficient to avoid provenance-based bias.

It is very common for the same work to be published in multiple venues, for example, conference papers are usually extended to journals. In such cases, we only consider the original article. In the screening phase, every article was screened by at least two authors of this article, who were tasked to annotate the articles as either relevant, not relevant, or needing further investigation; the last category was resolved by discussion between the authors until every such article was marked either relevant or not relevant. Only original technical articles are selected, while survey and review articles are ignored. Finally, all selected publications were thoroughly read by the authors for categorization and thematic analysis.

3 Review Results

3.1 Overview of the Search and Selection Process Outcome

The search using the aforementioned strategy identified a total of 4,384 articles. After removing duplicate articles, title, and abstract screening, the overall number of articles reduced to 384. A total of 230 articles did not meet the inclusion criteria and were therefore excluded. From the remaining 154 articles, 123 articles did not discuss attack/defense for third-party cloud-hosted ML models and were excluded as well. Of the remaining articles, a total of 31 articles are identified as relevant. Reasons for excluding articles were documented and reported in a PRISMA flow diagram, depicted in Figure 4 . These articles were categorized into three classes, that is, articles that are specifically focused on attacks, articles that are specifically focused on defenses, and articles that considered both attacks and defenses containing 19, 6, and 6 articles each, respectively.

FIGURE 4 . Search queries used to identify publications to include in the systematic review.

3.2 Overview of the Selected Studies

The systematic review eventually identified a set of 31 articles related to cloud-based ML/DL models and MLaaS, which we categorized into three classes as mentioned above and shown in Figure 4. As shown in Figure 5, a significant portion of the selected articles were published in conferences (41.94%); comparatively, a much smaller proportion of these articles were published in journals or transactions (19.35%). The percentage of gray literature (i.e., non-peer-reviewed articles) is 25.81%. A very small proportion of publications are published in symposia (6.45%), and this percentage is the same for workshop papers. The distribution of selected publications by their types over the years is shown in Figure 6. The figure shows that interest in the security of cloud-hosted ML/DL models increased in 2017, peaked in 2018, and was slightly lower in 2019 than in 2018. Also, the majority of the articles during these years were published in conferences. The distribution of selected publications by their publishers over the years is depicted in Figure 7; the figure shows that the majority of the publications have been published at IEEE, ACM, and arXiv. There is a similar trend in the number of articles in the years 2017, 2018, and 2019 as discussed previously.

FIGURE 5 . Flowchart of systematic review and categorization.

FIGURE 6 . Distribution of selected publications according to their types.

FIGURE 7 . Distribution of selected publications by types over years.

3.3 Some Partially Related Non-Selected Studies: A Discussion

We have described the inclusion and exclusion criteria that help us identify relevant articles. We note, however, that some seemingly relevant articles failed to meet the inclusion criteria. Here, we briefly describe a few such articles to explain why they were not included.

• Liang et al. (2016) investigated the security challenges for client-side classifiers via a case study on Google's phishing pages filter, a very widely used classifier for automatically detecting unknown phishing pages. They devised an attack that is not relevant to the cloud-based service.

• Demetrio et al. (2020) presented WAF-A-MoLE, a tool that models the presence of an adversary. This tool leverages a set of mutation operators that alter the syntax of a payload without affecting the original semantics. Using the results, the authors demonstrated that ML-based WAFs are exposed to a concrete risk of being bypassed. However, this attack is not associated with any cloud-based services.

• Apruzzese et al. (2019) discussed adversarial attacks where the machine learning model is compromised to induce an output favorable to the attacker. These attacks are realized in a different setting from the scope of this systematic review, as we only included the articles which discuss the attack or defense when the cloud is outsourcing its services as MLaaS.

• Han et al. (2020) conducted the first systematic study of the practical traffic space evasion attack on learning-based network intrusion detection systems; again it is out of the inclusion criteria of our work.

• Chen et al. (2018) designed and evaluated three types of attackers targeting the training phases to poison our detection. To address this threat, the authors proposed the detection system, KuafuDet, and showed it significantly reduces false negatives and boosts the detection accuracy.

• Song et al. (2020) presented a federated defense approach for mitigating the effect of adversarial perturbations in a federated learning environment. This article can be potentially relevant for our study as they address the problem of defending cloud-hosted ML models; however, instead of using a third-party service, the authors conducted the experiments on a single computer system in a simulated environment; therefore, this study is not included in the analysis of this article.

• In a similar study, Zhang et al. (2019) presented a defense mechanism for defending adversarial attacks on cloud-aided automatic speech recognition (ASR); however, it is not explicitly stated that the cloud is outsourcing ML services and also which ML/DL model or MLaaS was used in experiments.

4 Attacks on Cloud-Hosted Machine Learning Models (Q1)

In this section, we present the findings from the systematically selected articles that aim at attacking cloud-hosted/third-party ML/DL models.

4.1 Attacks on Cloud-Hosted Machine Learning Models: Thematic Analysis

In ML practice, it is very common to outsource the training of ML/DL models to third-party services that provide high computational resources on the cloud. Such services enable ML practitioners to upload their models along with training data, which is then trained on the cloud. Although such services have clear benefits for reducing the training and inference time, they can easily be compromised, and different types of attacks against these services have been proposed in the literature. In this section, we present the thematic analysis of 19 articles that are focused on attacking cloud-hosted ML/DL models. These articles are classified into five major themes: 1) attack type, 2) threat model, 3) attack method, 4) target model(s), and 5) dataset.

Attack type: A wide variety of attacks have been proposed in the literature. These are listed below with their descriptions provided in the next section.

• Adversarial attacks ( Brendel et al., 2017 );

• Backdoor attacks 6 ( Chen et al., 2017 ; Gu et al., 2019 );

• Cyber kill chain–based attack ( Nguyen, 2017 );

• Data manipulation attacks ( Liao et al., 2018 );

• Evasion attacks ( Hitaj et al., 2019 );

• Exploration attacks ( Sethi and Kantardzic, 2018 );

• Model extraction attacks ( Correia-Silva et al., 2018 ; Kesarwani et al., 2018 ; Joshi and Tammana, 2019 ; Reith et al., 2019 );

• Model inversion attacks ( Yang et al., 2019 );

• Model-reuse attacks ( Ji et al., 2018 );

• Trojan attacks ( Liu et al., 2018 ).

Threat model:

• Black box attacks (no knowledge) ( Brendel et al., 2017 ; Chen et al., 2017 ; Hosseini et al., 2017 ; Correia-Silva et al., 2018 ; Sethi and Kantardzic, 2018 ; Hitaj et al., 2019 );

• White box attacks (full knowledge) ( Liao et al., 2018 ; Liu et al., 2018 ; Gu et al., 2019 ; Reith et al., 2019 );

• Gray box attacks (partial knowledge) ( Ji et al., 2018 ; Kesarwani et al., 2018 ).

Attack method: In each article, a different type of method is proposed for attacking cloud-hosted ML/DL models; a brief description of these methods is presented in Table 1 and is discussed in detail in the next section.

TABLE 1. Summary of the state-of-the-art attack types for cloud-based/third-party ML/DL models.

Target model(s): Considered studies have used different MLaaS services (e.g., Google Cloud ML Services ( Hosseini et al., 2017 ; Salem et al., 2018 ; Sethi and Kantardzic, 2018 ), ML models of BigML Platform ( Kesarwani et al., 2018 ), IBM’s visual recognition ( Nguyen, 2017 ), and Amazon Prediction APIs ( Reith et al., 2019 ; Yang et al., 2019 )).

Dataset: These attacks have been realized using different datasets ranging from small size datasets (e.g., MNIST ( Gu et al., 2019 ) and Fashion-MNIST ( Liu et al., 2018 )) to large size datasets (e.g., YouTube Aligned Face Dataset ( Chen et al., 2017 ), Project Wolf Eye ( Nguyen, 2017 ), and Iris dataset ( Joshi and Tammana, 2019 )). Other datasets include California Housing, Boston House Prices, UJIIndoorLoc, and IPIN 2016 Tutorial ( Reith et al., 2019 ), FaceScrub, CelebA, and CIFAR-10 ( Yang et al., 2019 ). A summary of thematic analyses of these attacks is presented in Table 1 and briefly described in the next section.

4.2 Taxonomy of Attacks on Cloud-Hosted Machine Learning Models

In this section, we present a taxonomy and description of different attacks described above in thematic analysis. A taxonomy of attacks on cloud-hosted ML/DL models is depicted in Figure 8 and is described next.

FIGURE 8 . Distribution of selected publications by publishers over years.

4.2.1 Adversarial Attacks

In recent years, DL models have been found vulnerable to carefully crafted imperceptible adversarial examples (Goodfellow et al., 2014). For instance, a decision-based adversarial attack, namely the boundary attack, against two black box ML models trained for brand and celebrity recognition hosted at Clarifai.com is proposed in (Brendel et al., 2017). The first model identifies brand names from natural images for 500 distinct brands and the second model recognizes over 10,000 celebrities. A variety of adversarial example generation methods have been proposed in the literature so far; interested readers are referred to recent survey articles for a detailed taxonomy of different types of adversarial attacks (i.e., Akhtar and Mian, 2018; Yuan et al., 2019; Qayyum et al., 2020b; Demetrio et al., 2020).

4.2.2 Exploratory Attacks

These attacks are inference time attacks in which an adversary attempts to evade the underlying ML/DL model, for example, by forcing the classifier (i.e., ML/DL model) to misclassify a positive sample as a negative one. Exploratory attacks do not harm the training data and only affect the model at test time. A data-driven exploratory attack using the Seed-Explore-Exploit strategy for evading Google's cloud prediction API in black box settings is presented in (Sethi and Kantardzic, 2018). The performance evaluation of the proposed framework was performed using 10 real-world datasets.

4.2.3 Model Extraction Attacks

In model extraction attacks, adversaries can query the deployed ML model and use the query-response pairs to compromise future predictions; they can also potentially realize privacy breaches of the training data and steal the model by learning from extraction queries. In Kesarwani et al. (2018), the authors presented a novel method for quantifying the extraction status of models for users with an increasing number of queries, which aims to measure the model learning rate using the information gain observed in the query and response streams of users. The key objective of the authors was to design a cloud-based system for monitoring model extraction status and issuing warnings. The performance evaluation of the proposed method was performed using a decision tree model deployed on the BigML MLaaS platform for different adversarial attack scenarios. Similarly, a model extraction/stealing strategy is presented by Correia-Silva et al. (2018). The authors queried the cloud-hosted DL model with random unlabeled samples and used its predictions to create a fake dataset. They then used the fake dataset to train a copycat model in an attempt to achieve performance similar to that of the target model.
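The extraction-status monitoring idea described above can be sketched from the service provider's side as follows. This is an added example, not code from the article or from Kesarwani et al.: the toy decision tree, the 1-nearest-neighbour surrogate, the normalized information-gain score, the 0.8 threshold, the constructed query streams, and all names are assumptions.

```python
"""Per-user model-extraction monitor (illustrative; all names are assumptions)."""
import math
from collections import Counter, defaultdict


def deployed_model(x):
    """Toy deployed decision tree over two features in [0, 1) (constructed)."""
    x0, x1 = x
    if x0 < 0.5:
        return "A" if x1 < 0.5 else "B"
    return "C" if x1 < 0.3 else "A"


def entropy(labels):
    """Shannon entropy, in bits, of a list of labels."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())


def nearest_label(x, stream):
    """1-NN surrogate: the response given to the closest earlier query."""
    return min(stream,
               key=lambda qr: (qr[0][0] - x[0]) ** 2 + (qr[0][1] - x[1]) ** 2)[1]


def extraction_status(stream, validation):
    """Share of the deployed model's label entropy on the validation set that a
    surrogate fitted to this query/response stream explains (0 = none, 1 = all)."""
    if not stream:
        return 0.0
    truth = [deployed_model(v) for v in validation]
    h_truth = entropy(truth)
    if h_truth == 0.0:          # single-class model: nothing to extract
        return 0.0
    groups = defaultdict(list)  # surrogate prediction -> true labels
    for v, t in zip(validation, truth):
        groups[nearest_label(v, stream)].append(t)
    h_cond = sum(len(g) / len(truth) * entropy(g) for g in groups.values())
    return (h_truth - h_cond) / h_truth


class ExtractionMonitor:
    """Wraps the prediction endpoint and tracks extraction status per user."""

    def __init__(self, validation, threshold=0.8, check_every=10):
        self.validation = validation
        self.threshold = threshold
        self.check_every = check_every
        self.streams = defaultdict(list)   # user -> [(query, response), ...]
        self.alerts = {}                   # user -> query count at first warning

    def predict(self, user, x):
        """Serve a prediction, record the pair, and re-score periodically."""
        y = deployed_model(x)
        stream = self.streams[user]
        stream.append((x, y))
        if user not in self.alerts and len(stream) % self.check_every == 0:
            if extraction_status(stream, self.validation) >= self.threshold:
                self.alerts[user] = len(stream)
        return y

    def status(self, user):
        return extraction_status(self.streams.get(user, []), self.validation)


def run_demo():
    # Provider-side validation grid: 400 points covering the input space.
    validation = [((i + 0.5) / 20, (j + 0.5) / 20)
                  for i in range(20) for j in range(20)]
    monitor = ExtractionMonitor(validation)
    # Constructed stream 1: 25 queries clustered in one corner (one class only).
    for i in range(5):
        for j in range(5):
            monitor.predict("benign", (0.1 + 0.05 * i, 0.1 + 0.05 * j))
    # Constructed stream 2: 100 queries sweeping the whole input space.
    for i in range(10):
        for j in range(10):
            monitor.predict("sweeper", ((i + 0.5) / 10, (j + 0.5) / 10))
    return monitor


if __name__ == "__main__":
    m = run_demo()
    for user in ("benign", "sweeper"):
        print(user, round(m.status(user), 3), m.alerts.get(user))
```

The score depends on what the responses reveal about the decision boundaries rather than on raw query volume, so a user who sends many queries within a single class region does not trigger a warning.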

4.2.4 Backdooring Attacks

In backdooring attacks, an adversary maliciously creates a trained model which performs as well as expected on the users' training and validation data, but performs badly on attacker input samples. Backdooring attacks on deep neural networks (DNNs) are explored and evaluated in (Gu et al., 2019). The authors first explored the properties of backdooring for a toy example and created a backdoor model for a handwritten digit classifier, and then demonstrated that backdoors are powerful for DNNs by creating a backdoor model for a United States street sign classifier. Two scenarios were considered, that is, outsourced training of the model and transfer learning where an attacker can acquire a backdoor pretrained model online. In another similar study (Chen et al., 2017), a targeted backdoor attack for two state-of-the-art face recognition models, that is, DeepID (Sun et al., 2014) and VGG-Face (Parkhi et al., 2015), is presented. The authors proposed two categories of backdooring poisoning attacks, that is, input-instance-key attacks and pattern-key attacks using two different data poisoning strategies, that is, input-instance-key strategies and pattern-key strategies, respectively.

4.2.5 Trojan Attacks

In Trojan attacks, the attacker inserts malicious content into the system that looks legitimate but can take over control of the system. The purpose of Trojan insertion can vary, for example, stealing, disruption, misbehaving, or getting intended behavior. In Liu et al. (2018), the authors proposed a stealth infection on neural networks, namely SIN2, to realize practical supply chain triggered neural Trojan attacks. They also proposed a variety of Trojan insertion strategies for agile and practical Trojan attacks. The proof of concept is demonstrated by developing a prototype of the proposed neural Trojan attack (i.e., SIN2) in a Linux sandbox, using the Torch (Collobert et al., 2011) ML/DL framework to build visual recognition models with the Fashion-MNIST dataset.

4.2.6 Model-Reuse Attacks

In model-reuse attacks, an adversary creates a malicious model (i.e., adversarial model) that influences the host model to misbehave on targeted inputs (i.e., triggers) in an extremely predictable fashion, that is, getting a sample classified into a specific (intended) class. For instance, an experimental evaluation of model-reuse attacks for four pretrained primitive DL models (i.e., speech recognition, autonomous steering, face verification, and skin cancer screening) is presented by Ji et al. (2018).

4.2.7 Data Manipulation Attacks

Those attacks in which training data are manipulated to get intended behavior by the ML/DL model are known as data manipulation attacks. Data manipulation attacks for stealthily manipulating traditional supervised ML techniques and logistic regression (LR) and CNN models are studied by Liao et al. (2018) . In the attack strategy, the authors added a new constraint on fully connected layers of the models and used gradient descent for retraining them, and other layers were frozen (i.e., were made non-trainable).

4.2.8 Cyber Kill Chain–Based Attacks

Kill chain is a term, usually used in the military, that defines the steps for attacking a target. In cyber kill chain-based attacks, the cloud-hosted ML/DL models are attacked; for example, a high-level threat model targeting the ML cyber kill chain is presented by Nguyen (2017). The authors also provided a proof of concept through a case study using IBM visual recognition MLaaS (i.e., a cognitive classifier for classifying cats and female lions) and provided recommendations for ensuring secure and robust ML.

4.2.9 Membership Inference Attacks

In a typical membership inference attack, given input data and black box access to the ML model, an attacker attempts to figure out whether the given input sample was part of the training set or not. To realize a membership inference attack against a target model, a classification model is trained to distinguish between the target model's predictions on the inputs on which it was trained and its predictions on those on which it was not trained (Shokri et al., 2017).

4.2.10 Evasion Attacks

Evasion attacks are inference time attacks in which an adversary attempts to modify the test data for getting the intended outcome from the ML/DL model. Two evasion attacks against watermarking techniques for DL models hosted as MLaaS have been presented by Hitaj et al. (2019) . The authors used five publicly available models and trained them for distinguishing between watermarked and clean (non-watermarked) images, that is, binary image classification tasks.

4.2.11 Model Inversion Attacks

In model inversion attacks, an attacker tries to learn about training data using the model's outcomes. Two model inversion techniques have been proposed by Yang et al. (2019), that is, training an inversion model using an auxiliary set composed by utilizing the adversary's background knowledge, and a truncation-based method for aligning the inversion model. The authors evaluated their proposed methods on a commercial prediction MLaaS named Amazon Rekognition.

5 Toward Securing Cloud-Hosted Machine Learning Models (Q2)

In this section, we present the insights from the systematically selected articles that provide tailored defenses against specific attacks, and we report the articles that, along with creating attacks, propose countermeasures against them for cloud-hosted/third-party ML/DL models.

5.1 Defenses for Attacks on Cloud-Hosted Machine Learning Models: Thematic Analysis

Leveraging cloud-based ML services for computational offloading and minimizing the communication overhead is accepted as a promising trend. While cloud-based prediction services have significant benefits, sharing the model and the training data raises many privacy and security challenges. Several attacks can compromise the model and data integrity, as described in the previous section. To avoid such issues, users can download the model and make inferences locally. However, this approach has certain drawbacks, including confidentiality issues, service providers being unable to update the models, adversaries being able to use the model to develop evading strategies, and the privacy of the user data being compromised. To outline the countermeasures against these attacks, we present the thematic analysis of six articles that are focused on defense against the tailored attacks for cloud-hosted ML/DL models or data. In addition, we also provide the thematic analysis of those six articles that propose defense against specific attacks. These articles are classified into five major themes: 1) attack type, 2) defense, 3) target model(s), 4) dataset, and 5) measured outcomes. The thematic analysis of these systematically reviewed articles that are focused on developing defense strategies against attacks is given below.

Considered attacks for developing defenses: The defenses proposed in the reviewed articles are developed against the following specific attacks.

• Extraction attacks ( Tramèr et al., 2016 ; Liu et al., 2017 );

• Inversion attacks ( Liu et al., 2017 ; Sharma and Chen, 2018 );

• Adversarial attacks ( Hosseini et al., 2017 ; Wang et al., 2018b ; Rouhani et al., 2018 );

• Evasion attacks ( Lei et al., 2020 );

• GAN attacks ( Sharma and Chen, 2018 );

• Privacy threat attacks ( Hesamifard et al., 2017 );

• Side channel and cache-timing attacks ( Jiang et al., 2018 );

• Membership inference attacks ( Shokri et al., 2017 ; Salem et al., 2018 ).

Most of the aforementioned attacks are elaborated in previous sections. However, in the selected articles that are identified as either defense or attack and defense articles, some attacks are specifically created, for instance, GAN attacks, side channel, cache-timing attack, privacy threats, etc. Therefore, the attacks are worth mentioning in this section to explain the specific countermeasures proposed against them in the defense articles.

Defenses against different attacks: To provide resilience against these attacks, the authors of selected articles proposed different defense algorithms, which are listed below against each type of attack.

• Extraction attacks: MiniONN ( Liu et al., 2017 ), rounding confidence, differential, and ensemble methods ( Tramèr et al., 2016 );

• Adversarial attacks: ReDCrypt ( Rouhani et al., 2018 ) and Arden ( Wang et al., 2018b );

• Inversion attacks: MiniONN ( Liu et al., 2017 ) and image disguising techniques ( Sharma and Chen, 2018 );

• Privacy attacks: encryption-based defense ( Hesamifard et al., 2017 ; Jiang et al., 2018 );

• Side channel and cache-timing attacks: encryption-based defense ( Hesamifard et al., 2017 ; Jiang et al., 2018 );

• Membership inference attack: dropout and model stacking ( Salem et al., 2018 ).

Target model(s): Different cloud-hosted ML/DL models have been used for the evaluation of the proposed defenses, as shown in Table 2 .

TABLE 2 . Summary of attack types and corresponding defenses for cloud-based/third-party ML/DL models.

Dataset(s) used: The robustness of these defenses has been evaluated using various datasets ranging from small size datasets (e.g., MNIST (Liu et al., 2017; Wang et al., 2018b; Rouhani et al., 2018; Sharma and Chen, 2018) and CIFAR-10 (Liu et al., 2017; Wang et al., 2018b; Sharma and Chen, 2018)) to large size datasets (e.g., Iris dataset (Tramèr et al., 2016), fertility and climate dataset (Hesamifard et al., 2017), and breast cancer (Jiang et al., 2018)). Other datasets include Crab dataset (Hesamifard et al., 2017), Face dataset and Traffic signs dataset (Tramèr et al., 2016), SVHN (Wang et al., 2018b), and Edinburgh MI, WI-Breast Cancer, and MONKs Prob (Jiang et al., 2018). Each of the defense techniques discussed above is mapped in Table 2 to the specific attack for which it was developed.

Measured outcomes: The measured outcomes based on which the defenses are evaluated are response latency and message sizes ( Liu et al., 2017 ; Wang et al., 2018b ), throughput comparison ( Rouhani et al., 2018 ), average on the cache miss rates per second ( Sharma and Chen, 2018 ), AUC, space complexity to demonstrate approximated storage costs ( Jiang et al., 2018 ), classification accuracy of the model as well as running time ( Hesamifard et al., 2017 ; Sharma and Chen, 2018 ), similarity index ( Lei et al., 2020 ), and training time ( Hesamifard et al., 2017 ; Jiang et al., 2018 ).

5.2 Taxonomy of Defenses on Cloud-Hosted Machine Learning Model Attacks

In this section, we present a taxonomy and summary of the different defensive strategies against attacks on cloud-hosted ML/DL models described above in the thematic analysis. A taxonomy of these defense strategies is presented in Figure 9 and is described next.

FIGURE 9 . Taxonomy of different attacks realized on the third-party cloud-hosted machine learning (ML) or deep learning (DL) models.

5.2.1 MiniONN

DNNs are vulnerable to model inversion and extraction attacks. Liu et al. (2017) proposed that without making any changes to the training phase of the model it is possible to change the model into an oblivious neural network. They make the nonlinear function such as tanh and sigmoid function more flexible, and by training the models on several datasets, the authors demonstrated significant results with minimal loss in the accuracy. In addition, they also implemented the offline precomputation phase to perform encryption incremental operations along with the SIMD batch processing technique.

5.2.2 ReDCrypt

A reconfigurable hardware-accelerated framework is proposed by Rouhani et al. (2018) , for protecting the privacy of deep neural models in cloud networks. The authors perform an innovative and power-efficient implementation of Yao’s Garbled Circuit (GC) protocol on FPGAs for preserving privacy. The proposed framework is evaluated for different DL applications, and it has achieved up to 57-fold throughput gain per core.

5.2.3 Arden

To offload a large portion of DNNs from mobile devices to the cloud and to make the framework secure, a privacy-preserving mechanism, Arden, is proposed by Wang et al. (2018b). While uploading the data to the mobile-cloud perturbation, noisy samples are included to make the data secure. To verify the robustness, the authors performed a rigorous analysis based on three image datasets and demonstrated that this defense is capable of preserving user privacy along with inference performance.

5.2.4 Image Disguising Techniques

While leveraging services from the cloud GPU server, the adversary can realize an attack by introducing maliciously created training data, perform model inversion, and use the model for getting desirable incentives and outcomes. To protect against such attacks and to preserve the data as well as the model, Sharma and Chen (2018) proposed an image disguising mechanism. They developed a toolkit that can be leveraged to calibrate certain parameter settings. They claim that the disguised images with block-wise permutation and transformations are resilient to GAN-based attacks and model inversion attacks.

5.2.5 Homomorphic Encryption

For making the cloud services of outsourced MLaaS secure, Hesamifard et al. (2017) proposed a privacy-preserving framework using homomorphic encryption. They trained the neural network using the encrypted data and then performed the encrypted predictions. The authors demonstrated that by carefully choosing the polynomials of the activation functions to adopt neural networks, it is possible to achieve the desired accuracy along with privacy-preserving training and classification.

In a similar study, to preserve the privacy of outsourced biomedical data and computation on public cloud servers, Jiang et al. (2018) built a homomorphically encrypted model that reinforces the hardware security through Software Guard Extensions. They combined homomorphic encryption and Software Guard Extensions to devise a hybrid model for the security of the most commonly used model for biomedical applications, that is, LR. The robustness of the Secure LR framework is evaluated on various datasets, and the authors also compared its performance with state-of-the-art secure LR solutions and demonstrated its superior efficiency.

5.2.6 Pelican

Lei et al. (2020) proposed three mutation-based evasion attacks and a sample-based collision attack in white-, gray-, and black box scenarios. They evaluated the attacks and demonstrated a 100% success rate of attack on Google’s phishing page filter classifier, while a success rate of up to 81% for the transferability on Bitdefender TrafficLight. To deal with such attacks and to increase the robustness of classifiers, they proposed a defense method known as Pelican.

5.2.7 Rounding Confidences and Differential Privacy

Tramèr et al. (2016) presented the model extraction attacks against the online services of BigML and Amazon ML. The attacks are capable of model evasion, monetization, and can compromise the privacy of training data. The authors also proposed and evaluated countermeasures such as rounding confidences against equation-solving and decision tree pathfinding attacks; however, this defense has no impact on the regression tree model attack. For the preservation of training data, differential privacy is proposed; this defense reduces the ability of an attacker to learn insights about the training dataset. The impact of both defenses is evaluated on the attacks for different models, while the authors also proposed ensemble models to mitigate the impact of attacks; however, their resilience is not evaluated.

5.2.8 Increasing Entropy and Reducing Precision

The training of an attack using shadow training techniques against black box models in the cloud-based Google Prediction API and Amazon ML is studied by Shokri et al. (2017). The attack does not require prior knowledge of the training data distribution. The authors emphasize that in order to protect the privacy of medical-related datasets or other public-related data, countermeasures should be designed, for instance, restricting the prediction vector to the top k classes, which will prevent the leakage of important information, or rounding the classification probabilities in the prediction down or up. They show that regularization can be effective to cope with overfitting and increasing the randomness of the prediction vector.
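The output-hardening countermeasures described in Sections 5.2.7 and 5.2.8 (rounding confidences and restricting the prediction vector to the top k classes) can be sketched as follows. This is an added example, not code from the reviewed articles; the function names and the sample prediction vectors are constructed for illustration.

```python
from typing import Dict, Iterable, Optional, Tuple

# A hardened API response: (label, confidence) pairs, best class first.
Response = Tuple[Tuple[str, float], ...]


def harden_prediction(probs: Dict[str, float],
                      top_k: Optional[int] = None,
                      decimals: Optional[int] = None) -> Response:
    """Apply top-k truncation and confidence rounding to a prediction vector."""
    if not probs:
        raise ValueError("empty prediction vector")
    if any(p < 0.0 or p > 1.0 for p in probs.values()):
        raise ValueError("probabilities must lie in [0, 1]")
    if abs(sum(probs.values()) - 1.0) > 1e-6:
        raise ValueError("probabilities must sum to 1")
    if top_k is not None and top_k < 1:
        raise ValueError("top_k must be at least 1")
    if decimals is not None and decimals < 0:
        raise ValueError("decimals must be non-negative")

    # Rank on the raw scores first, so that ties created by rounding
    # can never change which label is reported as the prediction.
    ranked = sorted(probs.items(), key=lambda kv: (-kv[1], kv[0]))
    if top_k is not None:
        ranked = ranked[:top_k]
    if decimals is not None:
        ranked = [(label, round(p, decimals)) for label, p in ranked]
    return tuple(ranked)


def top_label(response: Response) -> str:
    """Label the service reports as its prediction."""
    return response[0][0]


def distinct_responses(vectors: Iterable[Dict[str, float]],
                       top_k: Optional[int] = None,
                       decimals: Optional[int] = None) -> int:
    """Number of distinguishable responses a caller sees for these queries.

    Fewer distinct responses means less information per query about the
    model's decision surface and about individual training records.
    """
    return len({harden_prediction(v, top_k, decimals) for v in vectors})


def labels_preserved(vectors: Iterable[Dict[str, float]],
                     top_k: Optional[int],
                     decimals: Optional[int]) -> bool:
    """Utility check: hardening must not change any predicted label."""
    return all(
        top_label(harden_prediction(v)) ==
        top_label(harden_prediction(v, top_k, decimals))
        for v in vectors
    )


# Constructed raw prediction vectors for four nearby queries (not real data).
SAMPLE_VECTORS = [
    {"cat": 0.6134, "dog": 0.3021, "fox": 0.0845},
    {"cat": 0.6141, "dog": 0.3018, "fox": 0.0841},
    {"cat": 0.5049, "dog": 0.4951, "fox": 0.0},
    {"cat": 0.4996, "dog": 0.5004, "fox": 0.0},
]

if __name__ == "__main__":
    for k, d in [(None, None), (None, 1), (1, 1), (1, 0)]:
        n = distinct_responses(SAMPLE_VECTORS, top_k=k, decimals=d)
        ok = labels_preserved(SAMPLE_VECTORS, k, d)
        print(f"top_k={k} decimals={d}: {n} distinct responses, "
              f"labels preserved={ok}")
```

Coarser policies collapse nearby queries into the same response while the reported label stays the same, which is the accuracy-versus-leakage trade-off these countermeasures rely on.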

5.2.9 Dropout and Model Stacking

In the study by Salem et al. (2018), the authors created three diverse attacks and tested the applicability of these attacks on eight datasets, of which six are the same as those used by Shokri et al. (2017), whereas in this work, a news dataset and a face dataset are included. In the threat model, the authors considered black box access to the target model, which is a supervised ML classifier with binary classes that was trained for binary classification. To mitigate the privacy threats, the authors proposed a dropout-based method, which reduces the impact of an attack by randomly deleting a proportion of edges in each training iteration in a fully connected neural network. The second defense strategy is model stacking, which hierarchically organizes multiple ML models to avoid overfitting. After extensive evaluation, these defense techniques showed the potential to mitigate the performance of the membership inference attack.

5.2.10 Randomness to Video Analysis Algorithms

Hosseini et al. designed two attacks specifically to analyze the robustness of video classification and shot detection (Hosseini et al., 2017). The attack can subtly manipulate the content of the video in such a way that it is undetected by humans, while the output from the automatic video analysis method is altered. Because the video and shot labels are generated by the API by processing only the first video frame of every second, the attack can successfully deceive the API. To deal with the shot removal and generation attacks, the authors proposed the inclusion of randomness for enhancing the robustness of algorithms. However, while the authors thoroughly evaluated the applicability of these attacks in different video settings, the proposed defense is not rigorously evaluated.
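To illustrate why the inclusion of randomness helps here, the following added example (not code from Hosseini et al. or from any video analysis API) compares the fixed first-frame-of-every-second sampling described above with a sampler that draws one frame at an unpredictable offset inside each second. The function names, the 25 fps figure, and the set of altered frame indices are assumptions constructed for illustration.

```python
import random
import secrets
from typing import List, Optional, Set


def first_frame_sampler(n_frames: int, fps: int) -> List[int]:
    """Baseline from the text: analyze the first frame of every second."""
    if n_frames <= 0 or fps <= 0:
        raise ValueError("n_frames and fps must be positive")
    return list(range(0, n_frames, fps))


def randomized_sampler(n_frames: int, fps: int,
                       rng: Optional[random.Random] = None) -> List[int]:
    """Analyze one frame per second, chosen at a random offset in that second.

    By default the offsets come from the OS CSPRNG, so a client cannot
    predict which frames the service will look at.
    """
    if n_frames <= 0 or fps <= 0:
        raise ValueError("n_frames and fps must be positive")
    rng = rng or secrets.SystemRandom()
    picks = []
    for start in range(0, n_frames, fps):
        window = min(fps, n_frames - start)  # the last second may be shorter
        picks.append(start + rng.randrange(window))
    return picks


def analyzed_fraction_altered(sampled: List[int], altered: Set[int]) -> float:
    """Share of the analyzed frames that belong to the altered set."""
    if not sampled:
        raise ValueError("no frames were sampled")
    return sum(1 for f in sampled if f in altered) / len(sampled)


# Constructed scenario: a 10-minute clip at 25 fps in which only the frames
# at the predictable positions (one per second, 4% of the clip) were altered.
FPS = 25
N_FRAMES = 600 * FPS
ALTERED = set(range(0, N_FRAMES, FPS))


def compare(seed: int = 7) -> dict:
    """Fraction of analyzed frames that are altered under each sampler."""
    fixed = first_frame_sampler(N_FRAMES, FPS)
    # A seeded generator is used here only to make the demo reproducible.
    rand = randomized_sampler(N_FRAMES, FPS, random.Random(seed))
    return {
        "fixed": analyzed_fraction_altered(fixed, ALTERED),
        "randomized": analyzed_fraction_altered(rand, ALTERED),
    }


if __name__ == "__main__":
    result = compare()
    print(f"fixed sampling:      {result['fixed']:.2%} of analyzed frames altered")
    print(f"randomized sampling: {result['randomized']:.2%} of analyzed frames altered")
```

With fixed sampling every analyzed frame is an altered one even though 96% of the clip is untouched; with randomized offsets the analyzed frames reflect the clip's actual content in roughly the proportion it occurs.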

5.2.11 Neuron Distance Threshold and Obfuscation

Transfer learning is an effective technique for quickly building DL student models in which knowledge from a Teacher model is transferred to a Student model. However, Wang et al. (2018a) discussed that due to the centralization of model training, the vulnerability against misclassification attacks for image recognition on black box Student models increases. The authors proposed several defenses to mitigate the impact of such an attack, such as changing the internal representation of the Student model from the Teacher model. Other defense methods include increasing dropout randomization which alters the student model training process, modification in input data before classification, adding redundancy, and using orthogonal model against transfer learning attack. The authors analyzed the robustness of these attacks and demonstrated that the neuron distance threshold is the most effective in obfuscating the identity of the Teacher model.

6 Pitfalls and Limitations

6.1 Lack of Attack Diversity

The attacks presented in the selected articles have limited scope and lack diversity, that is, they are limited to a specific setting, and the variability of attacks is limited as well. However, the diversity of attacks is an important consideration for developing robust attacks from the perspective of adversaries, and it makes the detection and prevention of the attacks difficult. The diversity of attacks ultimately helps in the development of robust defense strategies. Moreover, the empirical evaluation of attack variabilities can identify the potential vulnerabilities of cybersecurity systems. Therefore, to make a more robust defense solution, it is important to test the model robustness under a diverse set of attacks.

6.2 Lack of Consideration for Adaptable Adversaries

Most of the defenses in the systematically reviewed articles are proposed for a specific attack and did not consider the adaptable adversaries. On the other hand, in practice, the adversarial attacks are an arms race between attackers and defenders. That is, the attackers continuously evolve and enhance their knowledge and attacking strategies to evade the underlying defensive system. Therefore, the consideration of adaptable adversaries is crucial for developing a robust and long-lasting defense mechanism. If we do not consider this, the adversary will adapt to our defensive system over time and will bypass it to get the intended behavior or outcomes.

6.3 Limited Progress in Developing Defenses

From the systematically selected articles that are collected from different databases, only 12 articles have presented defense methods for the proposed attack as compared to the articles that are focused on attacks, that is, 19. In these 12 articles, six have only discussed/presented a defense strategy and six have developed a defense against a particular attack. This indicates that there is limited activity from the research community in developing defense strategies for already proposed attacks in the literature. In addition, the proposed defenses only mitigate or detect those attacks for which they have been developed, and therefore, they are not generalizable. On the contrary, the increasing interest in developing different attacks and the popularity of cloud-hosted/third-party services demand a proportionate amount of interest in developing defense systems as well.

7 Open Research Issues

7.1 Adversarially Robust Machine Learning Models

In recent years, adversarial ML attacks have emerged as a major threat to ML/DL models, and the systematically selected articles have highlighted the threat of these attacks for cloud-hosted ML/DL models as well. Moreover, the diversity of these attacks is increasing drastically compared with that of the defensive strategies, which can pose serious challenges and consequences for the security of cloud-hosted ML/DL models. Each defense method presented in the literature so far has been shown to be resilient to a particular attack realized in specific settings, and it fails to withstand stronger and unseen attacks. Therefore, the development of adversarially robust ML/DL models remains an open research problem, while the literature suggests that worst-case robustness analysis should be performed while considering adversarial ML settings (Qayyum et al., 2020a; Qayyum et al., 2020b; Ilahi et al., 2020). In addition, it has been argued in the literature that most ML developers and security incident responders are unequipped with the required tools for securing industry-grade ML systems against adversarial ML attacks (Kumar et al., 2020). This indicates the increasing need for the development of defense strategies for securing ML/DL models against adversarial ML attacks.

7.2 Privacy-Preserving Machine Learning Models

In cloud-hosted ML services, preserving user privacy is fundamentally important and is a matter of high concern. Also, it is desirable that ML models built using users’ data should not learn information that can compromise the privacy of the individuals. However, the literature on developing privacy-preserving ML/DL models or MLaaS is limited. On the other hand, one of the privacy-preserving techniques that have been used for privacy protection for building a defense system for cloud-hosted ML/DL models, that is, the homomorphic encryption-based protocol ( Jiang et al., 2018 ), has been shown vulnerable to model extraction attack ( Reith et al., 2019 ). Therefore, the development of privacy-preserving ML models for cloud computing platforms is another open research problem.

7.3 Proxy Metrics for Evaluating Security and Robustness

From the systematically reviewed literature on the security of cloud-hosted ML/DL models, we observe that the interest from the research community in the development of novel security-centric proxy metrics for the evaluation of security threats and model robustness of cloud-hosted models is very limited. However, with the increasing proliferation of cloud-hosted ML services (i.e., MLaaS) and with the development/advancement of different attacks (e.g., adversarial ML attacks), the development of effective and scalable metrics for evaluating the robustness of ML/DL models toward different attacks and defense strategies is required.

8 Threats to Validity

We now briefly reflect on our methodology in order to identify any threats to the validity of our findings. First, internal validity is maintained as the research questions we pose in Section 2.2 capture the objectives of the study. Construct validity relies on a sound understanding of the literature and how it represents the state of the field. A detailed study of the reviewed articles along with deep discussions between the members of the research team helped ensure the quality of this understanding. Note that the research team is of diverse skills and expertise in ML, DL, cloud computing, ML/DL security, and analytics. Also, the inclusion and exclusion criteria (Section 2.3) help define the remit of our survey. Data extraction is prone to human error as is always the case. This was mitigated by having different members of the research team review each reviewed article. However, we did not attempt to evaluate the quality of the reviewed studies or validate their content due to time constraints. In order to minimize selection bias, we cast a wide net in order to capture articles from different communities publishing in the area of MLaaS via a comprehensive set of bibliographical databases without discriminating based on the venue/source.

9 Conclusion

In this article, we presented a systematic review of literature that is focused on the security of cloud-hosted ML/DL models, also known as MLaaS. The relevant articles were collected from eight major publishers that include ACM Digital Library, IEEE Xplore, ScienceDirect, International Conference on Machine Learning, International Conference on Learning Representations, Journal of Machine Learning Research, USENIX, Neural Information Processing Systems, and arXiv. For the selection of articles, we developed a review protocol that includes inclusion and exclusion formulas, analyzed the selected articles that fulfill these criteria across two dimensions (i.e., attacks and defenses) on MLaaS, and provided a thematic analysis of these articles across five attack and five defense themes, respectively. We also identified the limitations and pitfalls from the reviewed literature, and finally, we have highlighted various open research issues that require further investigation.

Data Availability Statement

The original contributions presented in the study are included in the article/supplementary material; further inquiries can be directed to the corresponding author/s.

Author Contributions

AQ led the work in writing the manuscript and performed the annotation of the data and analysis as well. AI performed data acquisition, annotation, and analysis from four venues, and contributed to the paper write-up. MU contributed to writing a few sections, did annotations of papers, and helped in analysis. WI performed data scraping, annotation, and analysis from four venues, and helped in developing graphics. All the first four authors validated the data, analysis, and contributed to the interpretation of the results. AQ and AI helped in developing and refining the methodology for this systematic review. JQ conceived the idea and supervises the overall work. JQ, YEK, and AF provided critical feedback and helped shape the research, analysis, and manuscript. All authors contributed to the final version of the manuscript.

Conflict of Interest

The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

1 We use MLaaS to cover both ML and DL as a Service cloud provisions.

2 https://cloud.google.com/ml-engine/.

3 A popular Python library for DL.

4 https://azure.microsoft.com/en-us/services/machine-learning-service/.

5 https://docs.aws.amazon.com/dlami/latest/devguide/AML2_0.html.

6 Backdoor attacks on cloud-hosted models can be further categorized into three categories (Chen et al., 2020): 1) complete model–based attacks, 2) partial model–based attacks, and 3) model-free attacks.

Akhtar, N., and Mian, A. (2018). Threat of adversarial attacks on deep learning in computer vision: a survey. IEEE Access 6, 14410–14430. doi:10.1109/access.2018.2807385

Apruzzese, G., Colajanni, M., Ferretti, L., and Marchetti, M. (2019). “Addressing adversarial attacks against security systems based on machine learning,” in 2019 11th International conference on cyber conflict (CyCon), Tallinn, Estonia, May 28–31, 2019 (IEEE), 900, 1–18

Brendel, W., Rauber, J., and Bethge, M. (2017). “Decision-based adversarial attacks: reliable attacks against black-box machine learning models,” in International Conference on Learning Representations (ICLR)

Chen, S., Xue, M., Fan, L., Hao, S., Xu, L., Zhu, H., et al. (2018). Automated poisoning attacks and defenses in malware detection systems: an adversarial machine learning approach. Comput. Secur. 73, 326–344. doi:10.1016/j.cose.2017.11.007

Chen, X., Liu, C., Li, B., Lu, K., and Song, D. (2017). Targeted backdoor attacks on deep learning systems using data poisoning. arXiv

Chen, Y., Gong, X., Wang, Q., Di, X., and Huang, H. (2020). Backdoor attacks and defenses for deep neural networks in outsourced cloud environments. IEEE Network 34 (5), 141–147. doi:10.1109/MNET.011.1900577

Collobert, R., Kavukcuoglu, K., and Farabet, C. (2011). “Torch7: a Matlab-like environment for machine learning,” in BigLearn, NIPS workshop.

Correia-Silva, J. R., Berriel, R. F., Badue, C., de Souza, A. F., and Oliveira-Santos, T. (2018). “Copycat CNN: stealing knowledge by persuading confession with random non-labeled data,” in 2018 International joint conference on neural networks (IJCNN), Rio de Janeiro, Brazil, July 8–13, 2018 (IEEE), 1–8

Demetrio, L., Valenza, A., Costa, G., and Lagorio, G. (2020). “Waf-a-mole: evading web application firewalls through adversarial machine learning,” in Proceedings of the 35th annual ACM symposium on applied computing, Brno, Czech Republic, March 2020, 1745–1752

Gong, Y., Li, B., Poellabauer, C., and Shi, Y. (2019). “Real-time adversarial attacks,” in Proceedings of the 28th International Joint Conference on Artificial Intelligence (IJCAI), Macao, China, August 2019

Goodfellow, I. J., Shlens, J., and Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv

Gu, T., Liu, K., Dolan-Gavitt, B., and Garg, S. (2019). BadNets: evaluating backdooring attacks on deep neural networks. IEEE Access 7, 47230–47244. doi:10.1109/access.2019.2909068

Han, D., Wang, Z., Zhong, Y., Chen, W., Yang, J., Lu, S., et al. (2020). Practical traffic-space adversarial attacks on learning-based nidss. arXiv

Hesamifard, E., Takabi, H., Ghasemi, M., and Jones, C. (2017). “Privacy-preserving machine learning in cloud,” in Proceedings of the 2017 on cloud computing security workshop , 39–43

Hilprecht, B., Härterich, M., and Bernau, D. (2019). “Monte Carlo and reconstruction membership inference attacks against generative models,” in Proceedings on Privacy Enhancing Technologies, Stockholm, Sweden, July 2019, 2019, 232–249

Hitaj, D., Hitaj, B., and Mancini, L. V. (2019). “Evasion attacks against watermarking techniques found in MLaaS systems,” in 2019 sixth international conference on software defined systems (SDS), Rome, Italy, June 10–13, 2019 (IEEE)

Hosseini, H., Xiao, B., Clark, A., and Poovendran, R. (2017). “Attacking automatic video analysis algorithms: a case study of google cloud video intelligence API,” in Proceedings of the 2017 conference on multimedia Privacy and security (ACM), 21–32

Ilahi, I., Usama, M., Qadir, J., Janjua, M. U., Al-Fuqaha, A., Hoang, D. T., et al. (2020). Challenges and countermeasures for adversarial attacks on deep reinforcement learning. arXiv

Ji, Y., Zhang, X., Ji, S., Luo, X., and Wang, T. (2018). “Model-reuse attacks on deep learning systems,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (New York, NY: ACM), December 2018, 349–363

Jiang, Y., Hamer, J., Wang, C., Jiang, X., Kim, M., Song, Y., et al. (2018). Securelr: secure logistic regression model via a hybrid cryptographic protocol. IEEE ACM Trans. Comput. Biol. Bioinf 16, 113–123. doi:10.1109/TCBB.2018.2833463

Joshi, N., and Tammana, R. (2019). “GDALR: an efficient model duplication attack on black box machine learning models,” in 2019 IEEE international Conference on system, computation, Automation and networking (ICSCAN), Pondicherry, India, March 29–30, 2019 (IEEE), 1–6

Kesarwani, M., Mukhoty, B., Arya, V., and Mehta, S. (2018). Model extraction warning in MLaaS paradigm. In Proceedings of the 34th Annual Computer Security Applications Conference (ACM), 371–380

Krizhevsky, A., Sutskever, I., and Hinton, G. E. (2012). “Imagenet classification with deep convolutional neural networks,” in Advances in neural information processing systems , 1097–1105 Available at: http://papers.nips.cc/paper/4824-imagenet-classification-with-deep-convolutional-neural-networks.pdf

Kumar, R. S. S., Nyström, M., Lambert, J., Marshall, A., Goertzel, M., Comissoneru, A., et al. (2020). Adversarial machine learning–industry perspectives. arXiv. Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3532474

Lei, Y., Chen, S., Fan, L., Song, F., and Liu, Y. (2020). Advanced evasion attacks and mitigations on practical ml-based phishing website classifiers. arXiv

Liang, B., Su, M., You, W., Shi, W., and Yang, G. (2016). “Cracking classifiers for evasion: a case study on the google’s phishing pages filter,” in Proceedings of the 25th international conference on world wide web Montréal, Québec, Canada , 345–356

Liao, C., Zhong, H., Zhu, S., and Squicciarini, A. (2018). “Server-based manipulation attacks against machine learning models,” in Proceedings of the eighth ACM conference on data and application security and privacy (ACM), New York, NY, March 2018, 24–34

Liu, J., Juuti, M., Lu, Y., and Asokan, N. (2017). “Oblivious neural network predictions via minionn transformations,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, October 2017, 619–631

Liu, T., Wen, W., and Jin, Y. (2018). “SIN 2: stealth infection on neural network—a low-cost agile neural Trojan attack methodology,” in 2018 IEEE international symposium on hardware oriented security and trust (HOST), Washington, DC, April 30–4 May, 2018 (IEEE), 227–230

Nguyen, T. N. (2017). Attacking machine learning models as part of a cyber kill chain. arXiv

Parkhi, O. M., Vedaldi, A., Zisserman, A., et al. (2015). Deep face recognition. Bmvc 1, 6. doi:10.5244/C.29.41

Qayyum, A., Qadir, J., Bilal, M., and Al-Fuqaha, A. (2020a). Secure and robust machine learning for healthcare: a survey. IEEE Rev. Biomed. Eng., 1. doi:10.1109/RBME.2020.3013489

Qayyum, A., Usama, M., Qadir, J., and Al-Fuqaha, A. (2020b). Securing connected & autonomous vehicles: challenges posed by adversarial machine learning and the way forward. IEEE Commun. Surv. Tutorials 22, 998–1026. doi:10.1109/comst.2020.2975048

Reith, R. N., Schneider, T., and Tkachenko, O. (2019). “Efficiently stealing your machine learning models,” in Proceedings of the 18th ACM workshop on privacy in the electronic society, November 2019, 198–210

Rouhani, B. D., Hussain, S. U., Lauter, K., and Koushanfar, F. (2018). Redcrypt: real-time privacy-preserving deep learning inference in clouds using fpgas. ACM Trans. Reconfigurable Technol. Syst. 11, 1–21. doi:10.1145/3242899

Saadatpanah, P., Shafahi, A., and Goldstein, T. (2019). Adversarial attacks on copyright detection systems. arXiv.

Salem, A., Zhang, Y., Humbert, M., Berrang, P., Fritz, M., and Backes, M. (2018). ML-leaks: model and data independent membership inference attacks and defenses on machine learning models. arXiv.

Sehwag, V., Bhagoji, A. N., Song, L., Sitawarin, C., Cullina, D., Chiang, M., et al. (2019). Better the devil you know: an analysis of evasion attacks using out-of-distribution adversarial examples. arXiv.

Sethi, T. S., and Kantardzic, M. (2018). Data driven exploratory attacks on black box classifiers in adversarial domains. Neurocomputing 289, 129–143. doi:10.1016/j.neucom.2018.02.007

Sharma, S., and Chen, K. (2018). “Image disguising for privacy-preserving deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (ACM, Toronto, Canada), 2291–2293

Shokri, R., Stronati, M., Song, C., and Shmatikov, V. (2017). “Membership inference attacks against machine learning models,” in 2017 IEEE Symposium on Security and privacy (SP), San Jose, CA, May 22–26, 2017 (IEEE), 3–18

Simonyan, K., and Zisserman, A. (2015). “Very deep convolutional networks for large-scale image recognition,” in International Conference on Learning Representations (ICLR)

Song, Y., Liu, T., Wei, T., Wang, X., Tao, Z., and Chen, M. (2020). Fda3: federated defense against adversarial attacks for cloud-based iiot applications. IEEE Trans. Industr. Inform., 1. doi:10.1109/TII.2020.3005969

Sun, Y., Wang, X., and Tang, X. (2014). “Deep learning face representation from predicting 10,000 classes,” in Proceedings of the IEEE conference on computer vision and pattern recognition, Columbus, OH, June 23–28, 2014 (IEEE).

Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., and Wojna, Z. (2016). “Rethinking the inception architecture for computer vision,” in Proceedings of the IEEE conference on computer vision and pattern recognition (CVPR), Las Vegas, NV, June 27–30, 2016 (IEEE), 2818–2826

Tramèr, F., Zhang, F., Juels, A., Reiter, M. K., and Ristenpart, T. (2016). “Stealing machine learning models via prediction APIs,” in 25th USENIX security symposium (USENIX Security 16), 601–618

Tyndall, J. (2010). AACODS checklist. Adelaide, Australia: Adelaide Flinders University

Usama, M., Mitra, R. N., Ilahi, I., Qadir, J., and Marina, M. K. (2020a). Examining machine learning for 5g and beyond through an adversarial lens. arXiv. Available at: https://arxiv.org/abs/2009.02473.

Usama, M., Qadir, J., Al-Fuqaha, A., and Hamdi, M. (2020b). The adversarial machine learning conundrum: can the insecurity of ML become the achilles' heel of cognitive networks? IEEE Network 34, 196–203. doi:10.1109/mnet.001.1900197

Usama, M., Qayyum, A., Qadir, J., and Al-Fuqaha, A. (2019). “Black-box adversarial machine learning attack on network traffic classification,” in 2019 15th international wireless communications and mobile computing conference (IWCMC), Tangier, Morocco, June 24–28, 2019

Wang, B., Yao, Y., Viswanath, B., Zheng, H., and Zhao, B. Y. (2018a). “With great training comes great vulnerability: practical attacks against transfer learning,” in 27th USENIX security symposium (USENIX Security 18) , Baltimore, MD , August 2018 , 1281–1297

Wang, J., Zhang, J., Bao, W., Zhu, X., Cao, B., and Yu, P. S. (2018b). “Not just privacy: improving performance of private deep learning in mobile cloud,” in Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining London, United Kingdom , January 2018 , 2407–2416

Yang, Z., Zhang, J., Chang, E.-C., and Liang, Z. (2019). “Neural network inversion in adversarial setting via background knowledge alignment,” in Proceedings of the 2019 ACM SIGSAC conference on computer and communications security , London, UK , November 2019 , 225–240

Yuan, X., He, P., Zhu, Q., and Li, X. (2019). Adversarial examples: attacks and defenses for deep learning. IEEE Trans. Neural. Netw. Learn. Syst. 30 (9), 2805–2824. doi:10.1109/TNNLS.2018.2886017

Zhang, J., Zhang, B., and Zhang, B. (2019). “Defending adversarial attacks on cloud-aided automatic speech recognition systems, “in Proceedings of the seventh international workshop on security in cloud computing , New York , 23–31. Available at: https://dl.acm.org/doi/proceedings/10.1145/3327962

Keywords: Machine Learning as a Service, cloud-hosted machine learning models, machine learning security, cloud machine learning security, systematic review, attacks, defenses

Citation: Qayyum A, Ijaz A, Usama M, Iqbal W, Qadir J, Elkhatib Y and Al-Fuqaha A (2020) Securing Machine Learning in the Cloud: A Systematic Review of Cloud Machine Learning Security. Front. Big Data 3:587139. doi: 10.3389/fdata.2020.587139

Received: 24 July 2020; Accepted: 08 October 2020; Published: 12 November 2020.


Copyright © 2020 Qayyum, Ijaz, Usama, Iqbal, Qadir, Elkhatib and Al-Fuqaha. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

*Correspondence: Adnan Qayyum, [email protected]

This article is part of the Research Topic

Safe and Trustworthy Machine Learning

cloud security Recently Published Documents


A Review on AWS - Cloud Computing Technology

Abstract: Cloud computing is something simple we can define as maintaining data centers and data servers, and you can also access technology services such as computing power, storage, and databases using the cloud computing technology AWS (Amazon Web Services). It is an emerged model which is already popular among almost all enterprises. It provides us the concept of on-demand services where we are using and scaling cloud resources on demand and as per demand respectively. AWS Cloud computing is a cost-effective model. The major concern in this model is Security and Storage in the cloud. This is one of the major reasons many enterprises are choosing AWS cloud computing. This paper provides a review of security research in the field of cloud security and storage services of the AWS cloud platform. After security and storage, we have presented the working of AWS (Amazon Web Service) cloud computing. AWS is the most trusted provider of cloud computing which not only provides excellent cloud security but also provides excellent cloud storage services. The main aim of this paper is to make cloud computing storage and security a core operation and not an add-on operation. As per the increase in the Service provider and related companies, this AWS Cloud Platform plays a vital role in service industries by giving its best web services, so, therefore, choosing the cloud service providers wisely is the basic need of the industry. Therefore we are going to see how AWS fulfills all these specific needs.

Keywords: Trusted Computing, AWS, Information-Centric Security, Cloud Storage, S3, EC2, Cloud Computing

Deep Learning Approaches to Cloud Security

Genetic Algorithm-Based Pseudo Random Number Generation for Cloud Security

Cloud Security Service for Identifying Unauthorized User Behaviour

QoS Based Cloud Security Evaluation Using Neuro Fuzzy Model

Azure Cloud Security for Absolute Beginners

Mitigating Theft-of-Service Attack - Ensuring Cloud Security on Virtual Machines

Cloud Computing Security Requirements: A Review

Abstract: Cloud computing is a new technology that is undergoing tremendous development today. People who use it are not able to separate the reasonable from the unreasonable arguments that come with the security requirements in the cloud. The claim that cloud computing is hereditarily insecure is as absurd as the claim that cloud computing does not create new security problems. Cloud computing is a way to dynamically increase resources without the need for in-depth knowledge of a brand new infrastructure, without training new workers or designing new software solutions. The article aims to analyse the different cloud security issues and models of cloud architectures. Some of the main problems with security in virtualization, concerns about storing data in the cloud and the assessment of risk tolerance in cloud computing are presented. Legal and regulatory issues for the protection of personal data are addressed.

The Vulnerabilities of Cloud Computing : A Review

A Cloud is a type of analogous and scattered system consisting of a collection of inter-connected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources. Cloud computing is the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network. However, this technology is still in its initial stages of development, as it suffers from threats and vulnerabilities that prevent the users from trusting it. Various malicious activities from illegal users have threatened this technology, such as data misuse, inflexible access control and limited monitoring. The occurrence of these threats may result in damaging or illegal access of critical and confidential data of users. This article aims to describe the impact of those vulnerabilities and threats to create awareness among organisations and users so that they can adopt this technology with trust and from a trusted provider who has trusted security policies. Here we have defined cloud-specific vulnerabilities and cloud feature vulnerabilities, and propose a reference vulnerabilities architecture of cloud computing and threats related to cloud computing. Cloud security and privacy play an important role in avoiding cloud threats. Cloud privacy concerns the expression of or devotion to various legal and non-legal norms regarding the right to private life. Cloud security concerns the confidentiality, ease of use and reliability of data or information. With the development of cloud computing, the issue of security has become a top priority. In this article we are going to discuss the characteristics of vulnerabilities, cloud vulnerabilities and cloud threats, and also how we can overcome or avoid them and keep our data safe.

Security and Privacy in Cloud Computing: Technical Review

Advances in the usage of information and communication technologies (ICT) has given rise to the popularity and success of cloud computing. Cloud computing offers advantages and opportunities for business users to migrate and leverage the scalability of the pay-as-you-go price model. However, outsourcing information and business applications to the cloud or a third party raises security and privacy concerns, which have become critical in adopting cloud implementation and services. Researchers and affected organisations have proposed different security approaches in the literature to tackle the present security flaws. The literature also provides an extensive review of security and privacy issues in cloud computing. Unfortunately, the works provided in the literature lack the flexibility in mitigating multiple threats without conflicting with cloud security objectives. The literature has further focused on only highlighting security and privacy issues without providing adequate technical approaches to mitigate such security and privacy threats. Conversely, studies that offer technical solutions to security threats have failed to explain how such security threats exist. This paper aims to introduce security and privacy issues that demand an adaptive solution approach without conflicting with existing or future cloud security. This paper reviews different works in the literature, taking into account its adaptiveness in mitigating against future reoccurring threats and showing how cloud security conflicts have invalidated their proposed models. The article further presents the security threats surrounding cloud computing from a user perspective using the STRIDE approach. Additionally, it provides an analysis of different inefficient solutions in the literature and offers recommendations in terms of implementing a secure, adaptive cloud environment.


New advances promise secure quantum computing at home

The full power of next-generation quantum computing could soon be harnessed by millions of individuals and companies, thanks to a breakthrough by scientists at Oxford University Physics guaranteeing security and privacy. This advance promises to unlock the transformative potential of cloud-based quantum computing and is detailed in a new study published in Physical Review Letters. The paper is titled "Verifiable blind quantum computing with trapped ions and single photons."

Quantum computing is developing rapidly, paving the way for new applications that could transform services in many areas like health care and financial services. It works in a fundamentally different way than conventional computing and is potentially far more powerful. However, it currently requires controlled conditions to remain stable and there are concerns around data authenticity and the effectiveness of current security and encryption systems.

Several leading providers of cloud-based services, like Google, Amazon, and IBM, already separately offer some elements of quantum computing. Safeguarding the privacy and security of customer data is a vital precursor to scaling up and expanding its use, and for the development of new applications as the technology advances. The new study by researchers at Oxford University Physics addresses these challenges.

"We have shown for the first time that quantum computing in the cloud can be accessed in a scalable, practical way which will also give people complete security and privacy of data, plus the ability to verify its authenticity," said Professor David Lucas, who co-heads the Oxford University Physics research team and is lead scientist at the UK Quantum Computing and Simulation Hub, led from Oxford University Physics.

In the new study, the researchers use an approach dubbed "blind quantum computing," which connects two totally separate quantum computing entities—potentially an individual at home or in an office accessing a cloud server—in a completely secure way. Importantly, their new methods could be scaled up to large quantum computations.

"Using blind quantum computing, clients can access remote quantum computers to process confidential data with secret algorithms and even verify the results are correct, without revealing any useful information. Realizing this concept is a big step forward in both quantum computing and keeping our information safe online," said study lead Dr. Peter Drmota, of Oxford University Physics.

The researchers created a system comprising a fiber network link between a quantum computing server and a simple device detecting photons, or particles of light, at an independent computer remotely accessing its cloud services. This allows so-called blind quantum computing over a network.

Every computation incurs a correction that must be applied to all that follow and needs real-time information to comply with the algorithm. The researchers used a unique combination of quantum memory and photons to achieve this.

"Never in history have the issues surrounding privacy of data and code been more urgently debated than in the present era of cloud computing and artificial intelligence," said Professor David Lucas. "As quantum computers become more capable, people will seek to use them with complete security and privacy over networks, and our new results mark a step change in capability in this respect."

The results could ultimately lead to commercial development of devices to plug into laptops, to safeguard data when people are using quantum cloud computing services.

Researchers exploring quantum computing and technologies at Oxford University Physics have access to the state-of-the-art Beecroft laboratory facility, specially constructed to create stable and secure conditions including eliminating vibration.

More information: P. Drmota et al, Verifiable Blind Quantum Computing with Trapped Ions and Single Photons, Physical Review Letters (2024). DOI: 10.1103/PhysRevLett.132.150604

Provided by University of Oxford

The process allows a remote user (right) to access a quantum computer in the cloud (left) with complete security. By Helene Hainzer. Copyright Oxford University Physics. Credit: Helene Hainzer. Oxford University Physics.


Akamai’s Perspective on April’s Patch Tuesday 2024


Akamai Security Intelligence Group

April 12, 2024

Microsoft doesn’t take a holiday. April 2024’s Patch Tuesday has 147 total CVEs, with three critical vulnerabilities in Microsoft Defender for IoT.

Happy Eid-al-Fitr, Happy Easter, and Happy Passover. April is traditionally the month of holidays — and if CVEs are gifts, Microsoft is in the holiday spirit. April 2024’s Patch Tuesday has a total of 147 CVEs, and three of them are critical in Microsoft Defender for IoT. There was also an in-the-wild CVE: a Microsoft certificate being used to sign malicious payloads.

In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.

This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!

This month, we’re focusing on the following areas in which bugs were patched:

  • Proxy driver
  • Microsoft Defender for IoT
  • Windows Routing and Remote Access service (RRAS)
  • Windows Authentication

Proxy driver

Sophos X-Ops detected a malicious payload being signed with a Microsoft Windows Hardware Compatibility Publisher signature in an attempt to masquerade as legitimate. They reported their findings to Microsoft, and CVE-2024-26234 is the revocation of the certificate involved, so it would no longer pass as trusted.

It is possible to hunt for payloads signed with the affected signature using Insight. Concerned customers can run the following query to see if there are any running processes signed with the revoked certificate:

Microsoft Defender for IoT

Microsoft Defender for IoT is a security platform that helps defend industrial network components, such as Internet of Things (IoT) devices, industrial control systems, and operational technology. There are three critical remote code execution (RCE) vulnerabilities patched this month, and three important elevation of privilege (EoP) vulnerabilities.

The vulnerabilities themselves affect different components of the Defender for IoT stack. CVE-2024-21322 is an RCE that is exploited through the portal web application, while CVE-2024-21323 is an RCE that is exploited through a sensor update package. Regardless of component, all vulnerabilities are exploitable over the network, so it might be possible to detect or mitigate part of the risk using network segmentation.

Windows Routing and Remote Access service (RRAS)

The Routing and Remote Access service (RRAS) is a Windows service that allows the operating system to behave as a router, allowing for site-to-site connections using VPNs or dial-ups. There are three critical vulnerabilities in the service this month, all with a CVSS score of 8.8. The patch notes don’t tell us much, except that the RCE vulnerabilities are triggered by a malicious server on an unsuspecting client. As such, it is possible to mitigate some of the risks posed by these vulnerabilities through Zero Trust and segmentation.

RRAS isn’t available on all Windows servers; it comes as part of the Remote Access role and has to be specifically installed. In our observations, we’ve seen that approximately 12% of monitored environments have Windows servers with the Remote Access role installed.

In addition to RRAS, this month’s patch contains multiple CVEs in the Remote Access Connection Manager. The two services are related, as the Connection Manager is used to organize connection profiles to the RRAS (among others).
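Because RRAS only exists where the Remote Access role has been installed, a quick per-host inventory tells you which servers need these fixes first. The following PowerShell function is an added example, not part of the original post or any Akamai tooling; it assumes it runs locally on Windows, and the `PatchPriority` labels are constructed for illustration.

```powershell
# Added example: local exposure check for the RRAS and Remote Access
# Connection Manager fixes. Get-WindowsFeature is only available on
# Windows Server (ServerManager module), so its absence is handled.

function Get-RemoteAccessExposure {
    [CmdletBinding()]
    param()

    # The Remote Access role and the role services that provide RRAS.
    $featureNames = 'RemoteAccess', 'DirectAccess-VPN', 'Routing'
    $installed    = @()
    $roleChecked  = $false

    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roleChecked = $true
        $installed = @(Get-WindowsFeature -Name $featureNames |
            Where-Object { $_.Installed } |
            Select-Object -ExpandProperty Name)
    }

    # RemoteAccess = Routing and Remote Access service
    # RasMan       = Remote Access Connection Manager
    $services = @(foreach ($name in 'RemoteAccess', 'RasMan') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            [pscustomobject]@{
                Name      = $svc.Name
                Status    = $svc.Status
                StartType = $svc.StartType
            }
        }
    })

    $rrasRunning = [bool]($services |
        Where-Object { $_.Name -eq 'RemoteAccess' -and $_.Status -eq 'Running' })

    # Constructed labels: RRAS present means the host is in scope for the
    # RRAS fixes described above and should be patched first.
    $priority = if ($installed.Count -gt 0 -or $rrasRunning) {
        'High: RRAS present'
    } else {
        'Normal: RRAS role not detected'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RoleChecked       = $roleChecked
        InstalledFeatures = $installed -join ', '
        Services          = $services
        RrasRunning       = $rrasRunning
        PatchPriority     = $priority
    }
}

Get-RemoteAccessExposure | Format-List
```

A `RoleChecked` value of `False` means the feature query was unavailable (for example on a client edition), so only the service state was evaluated.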

Windows Authentication

Windows Authentication is a rather broad term, as there are multiple authentication methods, protocols, and providers supported by Windows. The two CVEs in Windows Authentication are for two completely different components.

CVE-2024-21447 is an EoP vulnerability in the User Manager service, possibly due to improper directory restrictions. It’s a bypass of CVE-2023-36047, as it was apparently a partial fix.

CVE-2024-29056, however, appears to be an issue in the implementation of Kerberos PAC validation, according to the FAQ section and related Knowledge Base article. It is also possibly related to the other Kerberos CVEs.

Previously covered services

Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.

This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.

COMMENTS

  1. A Systematic Literature Review on Cloud Computing Security: Threats and

    Cloud computing has become a widely exploited research area in academia and industry. Cloud computing benefits both cloud services providers (CSPs) and consumers. The security challenges associated with cloud computing have been widely studied in the literature. This systematic literature review (SLR) is aimed to review the existing research studies on cloud computing security, threats, and ...

  2. Security and privacy protection in cloud computing: Discussions and

    7.1. Challenges. Via analysis and contrast, we observe that cloud computing security protection work has achieved satisfactory research results. However, many problems remain, which prompt the consideration of a variety of security factors and continuous improvements in defense technology and security strategies. 1.

  3. (PDF) A Systematic Literature Review on Cloud Computing Security

    associated with cloud computing have been widely studied in the literature. This systematic literature review (SLR) is aimed to review the existing research studies on cloud computing security ...

  4. A Comprehensive Survey on Security in Cloud Computing

    This paper summarizes a number of peer-reviewed articles on security threats in cloud computing and the preventive methods. The objective of our research is to understand the cloud components, security issues, and risks, along with emerging solutions that may potentially mitigate the vulnerabilities in the cloud.

  5. (PDF) Cloud Security

    cloud models. Index Terms: Cloud Computing, Security. 1 INTRODUCTION. Cloud computing is a model for fast, on demand network access to a shared network. Configurable computing resource pool ...

  6. Data Security and Privacy Issues in Cloud Computing: Challenges and

    The research paper in [8] discusses cloud computing architecture, characteristics, and models. Similar to the papers discussed in the above papers, this paper describes the models as shown in ...

  7. Cyber security threats, challenges and defence mechanisms in cloud

    1.1 Cloud computing and its security aspects: an overview. Cloud computing is a model that enables global and on-demand access to a network of shared computing resources that can be provisioned and made available through a cloud service provider . This environment supports high scalability, flexibility, and multi-tenancy .

  8. A survey on security challenges in cloud computing: issues, threats

    2.2 Existing review papers on security challenges in cloud computing. Cloud computing is an emerging computing paradigm that brings great deals of new challenges for data security, access control, etc. . During the last decade, a lot of survey papers focus on the security challenges in cloud computing.

  9. Cloud Computing Security Challenges: A Review

    Along with inherent security challenges of traditional systems, cloud computing comes with some additional security threats, risks, and challenges. This paper presented security challenges that are focused on by the research community and need to be addressed to enhance security concerns of cloud computing.

  10. Cybersecurity management in cloud computing: semantic ...

    Cloud Computing is an emerging paradigm that is based on the concept of distributed computing. Its definition is related to the use of computer resources which are offered as a service. As with any novel technology, Cloud Computing is subject to security threats, vulnerabilities, and attacks. Recently, the studies on security impact include the interaction of software, people and services on ...

  11. PDF Securing Serverless Computing: Challenges, Solutions, and Opportunities

    Meanwhile, this new cloud service model has begun to be embraced in many scenarios, such as data processing and the Internet of Things (IoT) paradigm. B. Threats and Security Challenges As a multitenant cloud service model, serverless computing is susceptible to security threats that can be divided into five categories based on where they are ...

  12. Data Security and Privacy in Cloud Computing

    Data security in the cloud computing is more complicated than data security in the traditional information systems. ... As Figure 1 shows, this paper presents a comparative research analysis of the existing research work regarding the techniques used in the cloud computing through data security aspects including data integrity, confidentiality ...

  13. Exploring Data Security Issues and Solutions in Cloud Computing

    Abstract. Cloud computing is one of the fastest emerging technologies in computing. There are many advantages as well as a few security issues in cloud computing. This paper explores the different data security issues in cloud computing in a multi-tenant environment and proposes methods to overcome the security issues.

  14. (PDF) Data Security in Cloud Computing

    Abstract — This paper discusses the security of data in cloud computing. It is a study of data in the cloud and aspects related to it concerning security. The paper will go into details of ...

  15. Serverless computing: a security perspective

    In this article we review the current serverless architectures, abstract and categorize their founding principles, and provide an in-depth security analysis. In particular, we: show the security shortcomings of the analyzed serverless architectural paradigms; point to possible countermeasures; and, highlight several research directions for practitioners, Industry, and Academia.

  16. A literature survey of security issues in Cloud, Fog, and Edge IT

    Increasing complexity in and interconnectivity between technologies and systems (e.g., cloud computing, Internet of Things (IoT), fog and edge computing) can complicate data processing and security requirements. Thus, in this paper we review existing literature survey articles focusing on cloud, fog and edge computing platforms and infrastructures. We then present the result of a systematic ...

  17. Securing Machine Learning in the Cloud: A Systematic Review of Cloud

    With the advances in machine learning (ML) and deep learning (DL) techniques, and the potency of cloud computing in offering services efficiently and cost-effectively, Machine Learning as a Service (MLaaS) cloud platforms have become popular. In addition, there is increasing adoption of third-party cloud services for outsourcing training of DL models, which requires substantial costly ...

  18. cloud security Latest Research Papers

    This paper provides a review of security research in the field of cloud security and storage services of the AWS cloud platform. After security and storage, we have presented the working of AWS (Amazon Web Service) cloud computing. AWS is the most trusted provider of cloud computing which not only provides excellent cloud security but also ...

  19. New advances promise secure quantum computing at home

    Story by Science X staff. The process allows a remote user (right) to access a quantum computer in the cloud (left ...

  20. Akamai's Perspective on April's Patch Tuesday 2024

    Akamai Security Intelligence Group. April 12, 2024. Microsoft doesn't take a holiday. April 2024's Patch Tuesday has 147 total CVEs, with three critical vulnerabilities in Microsoft Defender for IoT. Happy Eid-al-Fitr, Happy Easter, and Happy Passover. April is traditionally the month of holidays — and if CVEs are gifts, Microsoft is in ...