
Cloud Networking Security Threats

Damilola Yusuph
0817125
University of Bedfordshire
Department Of Computer Science and Technology.
Luton, United Kingdom
Damilola.yusuph@study.beds.ac.uk

Abstract - Cloud computing is an emerging technology paradigm that has turned the technology world on its head and is becoming one of the most attractive technology areas, due at least in part to its flexibility, efficiency, data availability and cost savings. Conversely, despite the surge in activity and interest, there is little focus on the networking aspects of distributed clouds, and their relevance is often undervalued. Cloud networking is the management of computing and connectivity capabilities in the network between distributed cloud resources. This paper aims to develop an understanding of cloud networking security and discusses the multifarious security challenges involved in ensuring legitimate usage of cloud networking resources and in preventing abuse and nefarious use.
Keywords - cloud computing; network virtualisation; security; cloud networking.

I. INTRODUCTION

Cloud computing is a major computing trend in the present day, with large-scale adoption across many enterprises. This is primarily due to its simplification of quick provisioning and deployment of IT applications, leveraging economies of scale and multi-tenancy. Running applications in the cloud offers a number of benefits such as lower cost through shared computing resources, accessibility around the globe, flexibility, no upfront infrastructure requirement and highly automated processes; thus applications with a highly variable workload are well matched to the cloud. Virtualization has played a key role in the notion of the cloud: it is the main enabler of data center optimization, allowing dynamic provisioning of computing resources on demand to become a reality.
Cloud computing solutions typically necessitate adequate access network solutions to be in place. Rich interactive applications are good examples of applications that rely heavily on automatic network bandwidth provisioning, since these solutions involve getting more from less hardware, which requires more data transfers between database, storage and application servers. Networking aspects of distributed clouds are becoming a priority because, as the movement of these applications into the cloud becomes prevalent, more will be demanded from existing networks in terms of capacity, availability and quality; therefore any limitation of the network infrastructure will directly affect the application, leading to latency issues and poor performance. Hence, efficient networks that can be expeditiously reconfigured and optimized will enable the full advantage of the cloud environment; this is the envisioned concept of cloud networking.
This article presents the vulnerabilities, challenges and security threats of providing a cloud network system. The research challenges of the project SAIL (Scalable and Adaptive Internet Solutions) will also be explored, along with their advantages and shortcomings. The European project SAIL [1], whose consortium comprises 25 partners from industry, academia and institutions, aims at designing technology to overcome the limitations of the current Internet architecture. For cloud networking, the objective in SAIL is to develop scalable and adaptive networking functions for applications with highly variable demands, facilitating on-demand management and security of computing, storage and connectivity resources in the network.
Besides cloud networking security challenges, the more vital security aspects of cloud computing will be considered. Because cloud computing is founded on a virtual environment, new exploits and threat avenues are introduced that can enable criminals/attackers to steal confidential data from cloud users, impersonate a legitimate cloud user after stealing their credentials, interrupt services, penetrate the cloud network infrastructure or obtain computing services. Examples of attacks exploiting the vulnerabilities of accessibility, virtualization and web applications include drive-by downloads, SQL injection, data-stealing malware, free VoIP calls and DDoS attacks [2]. Cloud networking will not break the continuity of unwitting security vulnerabilities and their exploitation by attackers.
II. FROM CLOUD COMPUTING TO CLOUD NETWORKING

Since its inception, cloud computing has become the current paradigm, gaining considerable attention across the computing, academic and communication industries, but the history of cloud computing remains as intricate and fuzzy as ever. The underlying concept of cloud computing dates back to 1961, when computing pioneer Prof. John McCarthy first publicly proposed the idea of computer time-sharing technology whereby computing power and specific applications would be sold through the utility business model, as with water or electricity [3]. The key factors that have enabled the current realization of the cloud computing vision include the introduction of infrastructure virtualization, the existence of Internet/web technologies and the development of universal high-speed bandwidth. Separation of duties between software service providers and infrastructure service providers makes it easier to generate services online and facilitates the rapid scaling of services as demand dictates. This helps reduce financial risk, operational expenditure and capital expenditure for service providers, since they pay for the services used on an as-needed basis. On the other hand, it gives infrastructure service providers the opportunity to build large infrastructure that benefits from economies of scale, efficiency and improved productivity [4].
A. Virtualisation Technology Supporting Cloud Computing
Current Infrastructure as a Service (IaaS) delivers computing resources as a service using virtual machine hypervisors and server virtualization such as VMware [5], Xen [6] and Hyper-V, together with network and storage virtualization implemented in networking equipment (switches and routers) and in the virtualized network interfaces presented to virtual machines [7]. The interconnection between data centers owned by enterprises is typically implemented using leased lines to interconnect routers in a point-to-point virtual network, providing guaranteed but static quality of service, while the connectivity to the data center by the IaaS user is mainly handled by the Internet or virtual private networks. This means that the cloud provider lacks control over the quality of an end user's network experience, which is based on access to a shared medium. Batch processing applications such as image rendering, transactional web services and hosted IT systems are examples of currently deployed applications in the cloud infrastructure that are well suited to the IaaS architecture. Despite network latency and performance issues such as content delivery [8], service providers will still enter into, and comply with, contractual terms with infrastructure providers because the network components and topology of these services are still largely static [9].
B. Virtualization Technology Supporting Cloud Networking
Network virtualization promotes innovation and reliability by displacing proprietary networking hardware and by specifying and instantiating networks on demand in useful time. This is seen as the missing link to attaining the maximum benefits of virtualization and the broad traction of cloud computing. In the literature, pioneering initiatives have proposed several network virtualization frameworks and architectures, such as the Global Environment for Network Innovations (GENI) [10], the Federated E-infrastructure Dedicated to European Researchers Innovating in Computing network Architectures (FEDERICA) [11] and Concurrent Architectures are Better than One (CABO) [12], that enable customized virtual end-to-end control and data planes.
Network virtualization offers a simpler technology that enables the configuration of overlay networks without losing service continuity, the changing of physical paths and the migration of virtual machines from one place to another [13]. Cloud networking plays a key role in extending network virtualization beyond data centers by bringing two remarkable new features to cloud computing: it allows the interconnection of geographically dispersed services across cloud infrastructures, and it connects users and devices to the services in the cloud. This gives cloud networking users the facility to specify their desired virtual infrastructure, the network properties needed to access these resources, and how their infrastructure should be distributed and interconnected. Deploying storage and processing functions across a network, as close to the end user as possible, is more appropriate, as it helps achieve optimal performance of applications and services, as opposed to centralizing processing and storage functions in a single location, which can lead to poor network conditions such as latency; this severely impacts the real-time execution of certain cloud applications in a centralized infrastructure. A geographically dispersed cloud enables better control over the end user's experience, although more servers may be needed depending on needs and usage patterns. Examples of applications that are deployed on geographically distributed clouds are content distribution and virtual desktop services.
III. SECURITY THREATS

Security is a leading barrier affecting the broad traction of cloud computing in practical application domains, most especially when information technology governance necessitates robust information security governance and control concerning the accountability of cloud services and the sensitive information that is brought to the cloud [14]. From an end user's viewpoint, the security issues in the cloud span cloud infrastructure security, compliance issues, management process security, governance, and application and platform security [14]. These topics amass a great deal of confidentiality, integrity and availability problem areas covering how content and system components are protected, who a user is and what the user is allowed to do (authentication and authorization), how cloud service providers can prevent abuse, and how the fulfillment of system properties can be verified and audited.
Cloud networking introduces new categories of threats and risks to cloud computing as a result of its associated networking capabilities. There is, however, also evidence that cloud networking may improve productivity and control over the cloud computing deployment, thus helping to solve the security issues that most influence the adoption of cloud computing. The security challenges involved are explained below.
A. Information Security Threats
Information security refers to the confidentiality, integrity and availability of data (the CIA triad). These are the key basic principles of information security. All information threats, risks, vulnerabilities, security processes, security controls and measures for all organizations rely on the CIA triad to underpin their security strategy [15].
1. Confidentiality of information and processes: this refers to preventing the disclosure of information to unauthorized users. Enhancing the confidentiality of information necessitates encryption, which prevents anyone without the key from reading the data. Other security controls that ensure confidentiality by restricting access to sensitive information include access control, network authentication and authorization services. Conventional encryption alone is not sufficient when sensitive data is sent to a cloud provider for processing, because the provider must decrypt the data in order to operate on it. The homomorphic encryption scheme in [16] meets this challenge by ensuring that operations performed on encrypted data result in an encrypted version of the processed data, so the provider never sees the plaintext. Without such a scheme, a cloud user who sends code and data to an arbitrary cloud has no cryptographic mechanism that lets them be sure of the confidentiality of the information sent.
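The property described above can be shown with a small working scheme. The following Python code is an added example, not from the paper or from [16] (which is a fully homomorphic scheme); it implements the additively homomorphic Paillier cryptosystem with toy parameters. The untrusted cloud receives only ciphertexts and the public key, adds them, and returns an encryption of the sum, which only the key holder can open. The fixed 32-bit primes, the `cloud_sum` function and the sample readings are assumptions for the demonstration and are far too small for real use.

```python
import math
import secrets

# Toy Paillier parameters: two fixed 32-bit primes (assumption for the demo;
# a real deployment generates random primes of 1024 bits or more).
P = 4294967291
Q = 4294967279


def keygen(p=P, q=Q):
    """Return (public_key, private_key) for the Paillier cryptosystem."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)          # Carmichael function of n
    g = n + 1                             # standard simplifying choice of generator
    mu = pow(lam, -1, n)                  # lam^-1 mod n; exists because gcd(lam, n) == 1
    return (n, g), (n, lam, mu)


def encrypt(pk, m):
    """Encrypt integer m (0 <= m < n). Randomized: re-encrypting m gives a new ciphertext."""
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1  # r in [1, n-1]
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    """Recover m from c using the private key."""
    n, lam, mu = sk
    n2 = n * n
    u = pow(c, lam, n2)                   # == 1 + m*lam*n (mod n^2); r^(n*lam) vanishes
    l_value = (u - 1) // n                # L(u) = (u - 1) / n
    return (l_value * mu) % n


def add_encrypted(pk, c1, c2):
    """Homomorphic addition: Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2 mod n)."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def scale_encrypted(pk, c, k):
    """Homomorphic multiplication by a known constant: Enc(m)^k == Enc(k*m mod n)."""
    n, _ = pk
    return pow(c, k, n * n)


def cloud_sum(pk, ciphertexts):
    """What the (untrusted) cloud runs: it only ever sees ciphertexts and the public key."""
    total = encrypt(pk, 0)
    for c in ciphertexts:
        total = add_encrypted(pk, total, c)
    return total


def demo(readings):
    """Client side: encrypt readings, hand them to the cloud, decrypt the returned total."""
    pk, sk = keygen()
    encrypted = [encrypt(pk, r) for r in readings]
    result = cloud_sum(pk, encrypted)
    return decrypt(sk, result)


if __name__ == "__main__":
    sample = [120, 87, 453, 19]           # constructed sample readings
    print("sum recovered by key holder:", demo(sample), "expected:", sum(sample))
```

Paillier supports addition of ciphertexts and multiplication by a plaintext constant, which already covers aggregation workloads such as billing or metering; arbitrary computation on encrypted data needs a fully homomorphic scheme such as [16], at considerably higher cost.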
2. Integrity: refers to the guarantee that data is not altered. Integrity is compromised when information is willfully or accidentally modified in transit or at rest. Firewalls, intrusion detection, digital signatures, message authentication codes and communication security are mechanisms used to provide data integrity. Cloud users must be certain that the data retrieved is consistent with, and identical to, the data stored. However, it may be difficult to determine integrity where data and applications are spread over volumes of hardware, and an unkeyed checksum does not by itself allow us to ascertain that the data has not been altered, since whoever can modify the data can also recompute the checksum.
3. Availability: for any information to serve its purpose, the information must be readily accessible to authorized users. This means the cloud infrastructure, software, the networks connecting clients to the service provider, data and security controls should always be available. Availability is an important and necessary component of information security, and its loss therefore poses a high risk. The typical attacks against the availability of information are denial of service (DoS) and distributed denial of service (DDoS) attacks. Authentication, fault tolerance through redundancy and network security ensure information reliability and robustness. Cloud systems are business oriented, with sharing of resources and exchange of data at their center; therefore the risk of service disruption through denial of service attacks increases substantially.

B. Virtualization Environment Threats
Virtualization provides the ability to run multiple operating systems and applications concurrently on the same physical host, sharing the underlying hardware resources. Cloud virtualization environment threats are elucidated below [15].
1. Dormant virtual machines: inactive virtual machines pose a viable threat as they do not receive up-to-date security patches, leaving them vulnerable to attack when brought back online. It is also possible for a dormant VM to store sensitive data such as encryption keys, authentication credentials, etc. Furthermore, because dormant VMs are not actively used, access to their data is rarely monitored, which creates a security risk through the loss of, or unauthorized access to, the virtual machine image.
2. Unsecure Network Transfer: migration of virtual machines from one physical node to another using traditional or new protocols over the network can be exploited to attack the system, e.g. by intercepting or modifying the VM's memory and disk state in transit if the migration channel is not authenticated and encrypted.
3. Privilege Escalation: an attacker can acquire the virtual system rights of another user and then attempt to elevate his or her level of access rights in order to attack another virtual system with a higher level of access rights via the hypervisor.
4. Poor Access Controls: the hypervisor is the backbone of the virtualized infrastructure and mediates hardware resources to virtual machines. This makes the hypervisor an attack surface, as it provides a single point of access to the virtual environment and may expose any trusted network through a poorly designed access control system, poor monitoring tools and poor patching, allowing attackers to gain access to individual virtual machines.
5. Configuration flaws: the convergence of multiple technologies and the accumulation of several layers of networks and systems in the virtual system introduce a considerable amount of complexity into virtualized configuration. This increased complexity can lead to accidentally creating security vulnerabilities through improper configuration of virtual machines. In addition, the presence of these vulnerabilities in a virtualized environment significantly impacts the security of other replicated virtual components and consequently affects the entire cloud environment.

C. Communication Threats
It is paramount to secure all network communication between virtual machines and the distribution of virtual infrastructures, as it can potentially be exposed to malicious users and network traffic. Due to the integration of, and combined access to, physical and virtual network infrastructure, new attacks arise and will need to be handled. One significant challenge is to define rules that govern cloud networking access to the physical infrastructure and network properties; enforcing these rules will also prove difficult due to the complexity of these environments.
In addition, policy-based control should be distributed to virtual infrastructures moving within the virtual environment. Doing so reduces risk, as virtual infrastructures can then only be moved between physical hosts according to their assigned policies; e.g. a policy might specify in which legal space a virtual infrastructure is allowed to be placed or migrated, as legal restrictions on movement apply [17].

D. Abuse and Nefarious Use of Cloud Networking Capabilities
The great amount of computational and communication resources made effortlessly available by cloud networking and cloud computing can be exploited and misused, e.g. for denial of service attacks, spamming, large-scale hacking, providing illegal content and brute-force password cracking. Auditing can help detect and remediate this kind of malicious activity, for instance by looking in DNS traffic for domain names being served by a fast-flux service. However, distinguishing legitimate usage from misuse during automated detection of these attacks is in itself a challenge.
Cloud network attackers may take advantage of the vulnerabilities that result from these threats using well-known techniques. For example, an external attacker can mount an attack on the cloud infrastructure in order to gain access to resources by eavesdropping on incoming and outgoing communication and exploiting existing vulnerabilities in the system. For a malicious insider, however, the impact on the cloud system is considerable given their level of access: they could gain total control of the cloud services, harvest confidential data, or even attack other cloud users with little or no detection.
When analyzing cloud computing, insider and external attackers are often treated alike; in the case of cloud networking, however, legal aspects and lawful intercept also apply. The legal space must be taken into consideration when distributing virtual components, because they may cross legal boundaries when moving to arbitrary physical cloud networking infrastructures. While lawful intercepts are not examples of traditional malicious attacks, they are a violation of the cloud networking customer's security goals.
IV. THREATS TO INFRASTRUCTURE AND DATA
A threat is any circumstance or event with the potential to adversely affect a system by exploiting security vulnerabilities in the system. A threat to cloud networking and computing can be either intentional (deliberate and malicious) or accidental (human error), and can result in a partial loss of confidentiality, integrity or availability. The threats to the cloud network infrastructure and computing are summarized and listed below [15][18][19].
1. TCP Session Hijacking Attack: a method whereby an attacker takes over a web session by stealing the session ID exchanged between a trusted client and a network server and then masquerades as the legitimate user. Once the attacker has gained control of the session, he or she can do anything on the network that the legitimate user could, e.g. gain unauthorized access to information or services that the user is entitled to, and also carry out a wide range of malicious activity.
2. Eavesdropping Attack: this poses a major threat to cloud infrastructure and data, as the communication channel between service provider and cloud user may be monitored, intercepted or modified by unauthorized parties. Examples of network transmission methods vulnerable to eavesdropping attacks include mobile and wireless communication.
3. Denial of Service Attack (DoS/DDoS): the risk is that an external attacker may launch a (distributed) denial of service attack by flooding the cloud service provider's network with thousands of requests, with the aim of exhausting network resources and interrupting services; as a result both cloud providers and individual users become unable to provide or receive services.
4. Network Intrusion Attack: the risk associated with network intrusion is that an attacker may penetrate the system and damage or steal the user's data by remotely exploiting vulnerabilities in the cloud service provider's systems or applications.
5. Malware Injection Attack: a type of security threat where an attacker creates a malicious virtual machine instance and adds it to the cloud system in order to redirect valid cloud users' requests to the malicious instance. Such an attack can serve any purpose the attacker is interested in, e.g. exploiting privileged access capabilities, gaining access to resources or making data modifications.
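For the session hijacking threat in item 1 above, the following Python code is an added example (not from the paper or any of its references) of the server-side defences a practitioner would want: session IDs drawn from the OS CSPRNG, the ID rotated when the user authenticates (which defeats session fixation), the session bound to the client's address and User-Agent so that a captured ID presented from elsewhere is rejected and the session revoked, an idle timeout, and cookie attributes that keep the ID off cleartext links. The `SessionStore` class, its fields, the timeout and the two constructed clients are assumptions for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str]     # None until the client authenticates
    client_ip: str
    user_agent: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory session table with the checks a stolen or fixated ID should fail."""

    IDLE_TIMEOUT = 900  # seconds of inactivity before a session is dropped (assumption)

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested deterministically
        self._sessions = {}
        self.revoked = []         # audit trail of IDs rejected because they were replayed

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable

    def create(self, client_ip, user_agent):
        """Anonymous pre-login session, bound to the client that requested it."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(None, client_ip, user_agent, now, now)
        return sid

    def login(self, sid, user, client_ip, user_agent):
        """Authenticate and rotate the ID, so an ID planted before login (fixation) is useless."""
        if self.lookup(sid, client_ip, user_agent) is None:
            raise PermissionError("unknown, expired or misused pre-login session")
        del self._sessions[sid]
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, client_ip, user_agent, now, now)
        return new_sid

    def lookup(self, sid, client_ip, user_agent):
        """Return the session if sid is valid for this client, else None.
        A valid ID presented by a different client is treated as stolen and revoked."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        if s.client_ip != client_ip or s.user_agent != user_agent:
            del self._sessions[sid]
            self.revoked.append(sid)
            return None
        s.last_seen = now
        return s

    @staticmethod
    def cookie_header(sid):
        """Cookie attributes that keep the ID off cleartext links and away from page scripts."""
        return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def hijack_scenario():
    """Victim logs in from one client; an attacker replays the captured ID from another.
    Returns five booleans that are all expected to be True."""
    store = SessionStore()
    victim = ("203.0.113.10", "Mozilla/5.0 (victim browser)")   # constructed clients
    attacker = ("198.51.100.7", "curl/8.0")

    pre_login = store.create(*victim)
    sid = store.login(pre_login, "alice", *victim)
    rotated = pre_login != sid
    fixated_id_dead = store.lookup(pre_login, *victim) is None
    attacker_rejected = store.lookup(sid, *attacker) is None
    victim_must_reauth = store.lookup(sid, *victim) is None   # revoked once misuse was seen
    logged = sid in store.revoked
    return rotated, fixated_id_dead, attacker_rejected, victim_must_reauth, logged


if __name__ == "__main__":
    print(hijack_scenario())
```

Revoking the session as soon as an ID is replayed from another client is a deliberate choice: it costs the legitimate user a re-login but closes the window in which both parties share the session. Binding to the source address will break for clients whose address changes mid-session (mobile networks, some proxies), which is why real deployments pair the binding with short lifetimes and TLS rather than rely on it alone.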

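Section D above suggests auditing DNS traffic for domains served by a fast-flux network, whose A records rotate constantly across many unrelated networks with very short TTLs. The following Python code is an added example, not part of the paper or its references: it groups a constructed set of DNS answer records by domain and scores each on the number of distinct addresses, the number of distinct /16 prefixes (used here as a stand-in for the ASN diversity a real detector would look up) and the minimum TTL, and flags a domain only when all three point the same way, which is what keeps a short-TTL but single-network load-balanced service from being reported. The thresholds, the record format and the sample answers are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsAnswer:
    """One A record seen in a DNS response (in practice parsed from resolver logs)."""
    ts: int          # unix time of the response
    domain: str
    ip: str
    ttl: int


# Detection thresholds: assumptions for the demo; tune against your own baseline.
MIN_DISTINCT_IPS = 8
MIN_DISTINCT_PREFIXES = 5
MAX_TTL = 300


def prefix16(ip):
    """/16 of an IPv4 address; stands in for the ASN lookup a real detector would do."""
    packed = ip_address(ip).packed
    return f"{packed[0]}.{packed[1]}.0.0/16"


def score_domains(answers):
    """Return {domain: (distinct_ips, distinct_prefixes, min_ttl, flagged)}."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for a in answers:
        ips[a.domain].add(a.ip)
        ttls[a.domain].append(a.ttl)
    result = {}
    for domain in ips:
        n_ips = len(ips[domain])
        n_pfx = len({prefix16(ip) for ip in ips[domain]})
        min_ttl = min(ttls[domain])
        # All three signals must agree: a CDN has many IPs but few networks,
        # a load balancer has a short TTL but few IPs.
        flagged = (n_ips >= MIN_DISTINCT_IPS and n_pfx >= MIN_DISTINCT_PREFIXES
                   and min_ttl <= MAX_TTL)
        result[domain] = (n_ips, n_pfx, min_ttl, flagged)
    return result


def flagged_domains(answers):
    return sorted(d for d, (_, _, _, f) in score_domains(answers).items() if f)


def sample_answers():
    """Constructed sample: a CDN-like domain, a short-TTL load-balanced API, and a
    fast-flux-like domain. Addresses are placeholders, not real infrastructure."""
    cdn = [DnsAnswer(1000 + i, "static.example.net", f"192.0.2.{i}", 3600)
           for i in range(10)]
    api = [DnsAnswer(1500 + i, "api.example.com", f"192.0.2.{100 + i}", 60)
           for i in range(2)]
    flux_ips = ["198.51.100.4", "203.0.113.77", "100.64.3.9", "172.16.88.2",
                "10.200.1.1", "192.168.40.5", "100.70.12.12", "203.0.114.8",
                "198.51.101.3", "172.20.5.5"]
    flux = [DnsAnswer(2000 + i * 60, "update-check.example.org", ip, 120)
            for i, ip in enumerate(flux_ips)]
    return cdn + api + flux


if __name__ == "__main__":
    for domain, stats in score_domains(sample_answers()).items():
        print(domain, stats)
    print("flagged:", flagged_domains(sample_answers()))
```

Scoring over a sliding window of resolver logs rather than a single snapshot matters in practice: a fast-flux domain reveals itself through change over time, and a single response may look no different from a legitimate anycast or CDN answer. Where the cloud provider's own customers resolve the flux domains, the same records also identify which tenants' instances are acting as flux agents.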
CONCLUSION
Cloud networking surpasses traditional networks to redefine the scalability of resources, management processes and administration. It promises to provide a flexible network infrastructure, guaranteed delivery, reduced latency, self-healing resilience and extensible management. Although the benefits associated with cloud networking are numerous, it still struggles to gain recognition for its merits due to the security deficiencies that exist. Organizations will not only need an accurate understanding of cloud computing and cloud networking security risks but must also understand the applicable rules, practices, laws and regulations governing the cloud environment, to ensure that they choose a suitable cloud service provider and effectively safeguard the security of customers' information.
The cloud environment abounds with sensitive information; therefore cloud service providers and organizations both have a role to play in the security responsibilities of cloud networking, as responsibility for the delivery of security cannot be entirely outsourced to the cloud provider alone. As cloud networking becomes more complex, dynamic and distributed, gaining comprehensive network security and visibility will be challenging. These security challenges can be grouped into virtualization security, cloud data protection, cloud control with distribution transparency, and secure operations. With the continuous growth of cloud computing, one can expect to see security incidents and new vulnerabilities that will make cloud networking susceptible to attack. Threats to the network may become sophisticated, stealthy and targeted; however, cloud networking can mitigate its security threats and misuse by adapting the security management tools and countermeasures of cloud computing.
REFERENCES
[1] SAIL project website (2010). URL http://www.sail-project.eu/
[2] S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, Vol. 34, Issue 1, 2011, pp. 1-11.
[3] J. McCarthy, MIT Centennial Speech of 1961, cited in Architects of the Information Society: Thirty-five Years of the Laboratory for Computer Science at MIT, S. L. Garfinkel, Ed. (1999).
[4] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica and M. Zaharia, "Above the clouds: A Berkeley view of cloud computing," Tech. Rep. UCB/EECS-2009-28, EECS Department, University of California, Berkeley (2009).
[5] VMware (2010). URL http://www.vmware.com
[6] T. P. Bhatt and P. J. Patel, "Survey on Virtualization with Xen Hypervisor," International Journal of Engineering Research & Technology, Vol. 1, Issue 8, 2012.
[7] K. K. Ram, J. R. Santos, Y. Turner, A. L. Cox and S. Rixner, "Achieving 10 Gb/s using safe and transparent network interface virtualization," International Conference on Virtual Execution Environments (VEE), pp. 61-70, March 2009.
[8] S. Srinivasan, J. W. Lee, D. L. Batni and H. Schulzrinne, "ActiveCDN: Cloud Computing meets Content Delivery Networks," Computer Science Department, Columbia University, 2011.
[9] P. Schoo, V. Fusenig, V. Souza, M. Melo, P. Murray, H. Debar, H. Medhioub and D. Zeghlache, "Challenges for Cloud Networking Security," 2011.
[10] H. Bannazadeh, A. Leon-Garcia, K. Redmond, G. Tam, A. Khan, M. Ma, S. Dani and P. Chow, "Virtualized Application Networking Infrastructure," in Proc. of the 6th International Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities (TridentCom), 2010.
[11] M. K. Chowdhury and R. Boutaba, "A Survey of Network Virtualization," Computer Networks, Vol. 54, Issue 5 (2010).
[12] N. Feamster, L. Gao and J. Rexford, "How to lease the Internet in your spare time," ACM SIGCOMM Computer Communication Review, Vol. 37, Issue 1, pp. 61-64, 2007.
[13] F. Hao, T. V. Lakshman, S. Mukherjee and H. Song, "Enhancing Dynamic Cloud-based Services using Network Virtualization," ACM SIGCOMM Computer Communication Review, Vol. 40, Issue 1, pp. 67-74 (2010).
[14] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (Dec 2009).
[15] R. L. Krutz and R. D. Vines, "Cloud Computing Software Security Fundamentals," in Cloud Security: A Comprehensive Guide to Secure Cloud Computing, New York, NY: Wiley, 2010.
[16] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, "Fully homomorphic encryption over the integers," Advances in Cryptology - EUROCRYPT 2010, pp. 24-43.
[17] C. Basescu, A. Carpen-Amarie, C. Leordeanu, A. Costan and G. Antoniu, "Managing data access on clouds: A generic framework for enforcing security policies," in AINA, IEEE Computer Society, 2011, pp. 459-466.
[18] S. Qaisar and K. F. Khawaja, "Cloud Computing: Network Security Threats and Countermeasures," Interdisciplinary Journal of Contemporary Research in Business, Vol. 3, No. 9, January 2012.
[19] M. Yildiz, J. Abawajy, T. Ercan and A. Bernoth, "A Layered Security Approach for Cloud Computing Infrastructure," 10th International Symposium on Pervasive Systems, Algorithms, and Networks (I-SPAN), pp. 763-767, 2009, doi: 10.1109/I-SPAN.2009.157.
