
A Comparative analysis of security issues & vulnerabilities of leading Cloud Service Providers and in-house University Cloud platform for hosting E-Educational applications

Authors:
  • Shri Vaishnav Vidhyapeeth Vishwavidhyalaya, Indore
  • Christ University, Delhi NCR

Abstract and Figures

Cloud technology provides several advantages to users, including quick and simple deployment methods, lower costs, uninterrupted resource availability, scalability and elasticity, and the capacity to rapidly adapt to the needs of IT industries. Students and teachers can benefit from the capabilities provided by this kind of design since it permits them to use the electronic environment in a dynamic and interactive learning, teaching, and evaluation process. Employee data is stored in the cloud by 48% of educational institutes, and student data is stored in the cloud by 30%. In 2020, the majority of educational institutes (60%) and account compromise (33%) were victims of phishing attempts. According to Gartner, more than 95% of security faults in the cloud are due to the customers. Gartner also notes that security is an expensive investment that not everyone can make. Data security, specifically confidentiality, integrity, and availability, is one of the most critical issues for cloud providers. If no specific security measures are installed, more frequent cyber-attacks might cause severe material damage. The aim of this work is to deploy an e-educational application on the cloud for automation of university academic activities over leading cloud providers like GCP or AWS and using an in-house cloud data center. Also, using the real-time experimental setup, a comparative analysis of security concerns and vulnerabilities is conducted. Security is critical to the successful migration and adoption of cloud technology in the educational sector, according to the research.
2021 IEEE Mysore Sub Section International Conference (MysuruCon)
978-0-7381-4662-1/21/$31.00 ©2021 IEEE
Abhishek Sharma
Institute of Computer Sciences
Vikram University,
Ujjain, India
abhiujn9@gmail.com
Umesh Kumar Singh
Institute of Computer Sciences
Vikram University,
Ujjain, India
umeshsingh@rediffmail.com
Kamal Upreti
Department of IT,
Dr. Akhilesh Das Gupta IT & M,
Delhi, India
kamal.upreti@adgitmdelhi.ac.in
Nishant Kumar
Amity School of Business
Amity University,
Noida, India
nishantkumar00@gmail.com
Suyash Kumar Singh
University of Connecticut
Hartford,
CT, USA
singhsuyash007@gmail.com
Keywords: Cloud Computing (CC) Platform, Security
Vulnerability, Cloud Service Providers (CSPs), University
Cloud, E-Education
I. INTRODUCTION
Education is the most significant factor in a
country's intellectual and economic development. One
can also evaluate a country's progress based on its
school and post-secondary educational systems, as
well as how its governments provide educational
services to its population. Unfortunately, due to the
epidemic, most countries around the world are unable
to provide their best in both domains. According to
Baytiyeh [1], interruptions in schooling can lead to an
increase in the danger of child labor, childhood
marriage, abuse, and armed military manning.
Keeping the present pandemic situation in mind,
academic automation in school and higher education
systems is mandatory, and e-governance of
academics can be achieved by deploying e-educational
clouds for universities and schools. The primary goal
of the administrative and commercial departments is to
establish e-governance, which necessitates 24/7
infrastructure availability to minimize downtime.
Cloud computing will be the ideal answer for
e-governance, which requires an unlimited supply of
central processing power, data storage, and internet
connectivity during procedures [2].
The term "cloud computing" refers to the whole
infrastructure, platform, and applications offered as
services via the Internet, as well as the hardware and
software at the cloud datacenter provider level. NIST's
CC Reference Architecture identifies the major
players, their activities, and roles in the execution
model. The most significant difficulty that has arisen
as a result of the adoption of cloud-based
implementation in industries is in the field of security.
Managing an enterprise's security for its own
privately deployed cloud and monitoring the actions of
the CSPs may be a difficult task. When sharing
essential corporate data with geographically spread
cloud platforms, security is a big problem.
Cybercriminals have swiftly progressed and continue
to employ increasingly novel attack tactics against
various industries, including education, over time. The
researchers looked at over 3.5 million spear-phishing
attacks from diverse industries. Phishing attempts
aimed only at the education sector were among them.
According to a report published in The Hindu
BusinessLine in October 2020, spear phishing tactics
targeted around 1,000 schools, colleges, universities,
and the education sector between June and September
2020 [3].
According to a report published by Netwrix in
2021, a lack of IT workers (52%), a lack of budget
(47%), and a lack of cloud security experience (44%)
were the top data security challenges. Employee
irresponsibility was mentioned by 38% of
respondents, whereas malevolent insider acts were
mentioned by only 17%. Only 10% of firms reported
data theft by workers, therefore this conclusion
represents reality [4]. According to Emsisoft,
thirty-one ransomware instances were detected in the
education sector in the third quarter of 2020. This is
up 388 percent from the eight instances reported in the
preceding quarter. So, before hosting or deploying any
university cloud for an e-educational product like an
LMS, and in order to provide a secure environment to
the stakeholders, the security issues and
vulnerabilities should be investigated and analyzed.
II. BACKGROUND & LITERATURE
REVIEW
The NIST cloud computing definition [5, 6] is
widely regarded as a useful tool for gaining a
comprehensive grasp of cloud computing technology
and services. It provides a clear and simple
classification of three cloud service models: cloud
Software as a service (SaaS), cloud platform as a
service (PaaS), and cloud infrastructure as a service
(IaaS). It also highlights four deployment models:
private cloud, community cloud, public cloud, and
hybrid cloud, which describe how the computing
infrastructure that delivers these services might be
shared. Finally, the NIST definition offers a unified
picture of five key characteristics shared by all cloud
services: on-demand self-service, broad network
access, resource pooling, rapid elasticity, and
measured service. The Cloud Computing Reference
model is as follows (Source: NIST, USA):
Fig. 1. Cloud Computing Reference Model
Cloud computing can be defined as
network-enabled services that deliver scalable,
QoS-assured services on demand via the Internet.
Cloud computing enables resource sharing through
the Internet. A cloud service provider's infrastructure
is used to distribute these resources. The cloud
consumer has access to scalable and omnipresent
resources on a per-usage, pay-as-you-go model. The
required computational resource can also be separated
from the underlying infrastructure, such as storage,
network, and services, using cloud computing.
In [7], the authors present the modeling and
implementation of an online educational solution
using the cloud computing architecture. It focuses on
how to create and install a fully managed LMS
utilizing open-source software on a cloud computing
platform, as well as how all stakeholders can
participate in the teaching-learning process. In [8],
the authors examine cloud computing's use in
educational information generalization in China by
reviewing the fundamental ideas of cloud computing
expertise, core technology, and system architecture.
In [9], the authors create performance measures to
assess and compare the scalability of virtualization
resources in cloud data centers. In [10, 11, 19], the
authors' suggested framework was tested in the
computing environment of one of the universities in
Ujjain, India, and the results demonstrated that the
suggested framework improves the security of the
university's campus network. This method can be used
by university risk analysts and security managers to
undertake realistic and cost-effective risk assessments
that are dependable and repeatable.
Security best practices and security knowledge
documentation are discussed by the authors of [12],
which SaaS developers can utilize as a guideline when
designing cloud SaaS programs from the ground up.
They also present a case study on AWS and Azure
security trends and solutions. The framework proposed
in [13], according to its authors, can be implemented
for the IT assets of any higher educational institute
or university. It permits universities to keep ahead of
security threats while getting additional value out of
their security budget by concentrating on critical
resources which are actually at risk. Data security &
privacy considerations are crucial for cloud
architecture hardware & applications, according to the
author of [14]. Encryption and decryption are used by
the algorithm to keep secret data safe in the cloud.
This approach could be utilized in the results
evaluation to improve data secrecy. According to [15],
while auditing a provider's privacy laws and security,
it's critical to make sure the main issue, compliance,
is addressed. Regardless of where the data is housed,
organizations must enforce compliance with standards
and rules.
The author of [16] presents and implements a
modified honey-bee-inspired technique for better
resource allocation in a load balancing scheme. Based
on an experimental performance study of task load
balancing using honey bee inspiration, this research
presents an effective technique for resource allocation
in a cloud context. The authors of [17] analyze the
information security of the academic cloud platform
organization in Shenzhen City, and alter big risk
security concerns after assessing the security matters.
The e-education cloud environment's security
vulnerabilities are able to be resolved. Universal
security procedures and prerequisites for achieving
secure virtualized implementations are discussed in
[18]. Finally, the authors discuss how to determine
which roles CSPs and cloud customers play in cloud
security using the shared responsibility paradigm. The
goal was to provide scholars, teachers, and commercial
users with an improved understanding of current cloud
security attacks and defense techniques. The authors
describe a study that looks at the effects of cloud
security challenges on education in [20]. It is
necessary to investigate the security risks and
challenges of the experimental configuration before
hosting the E-governance application or
requirement-specific applications in the cloud.
Through reviews, the inquiry is carried out using the
SPI model. Various concerns and security challenges
are discovered throughout the inquiry, which aids in
the formation of various types of taxonomies connected
to security issues, which aid in the study of
vulnerabilities, threats, and attacks [21-27].
The author of [28] goes into great detail regarding
previous green computing successes, present green
computing principles, and future research difficulties.
This thorough green cloud analysis study aids naive
green research fellows in learning about green cloud
issues and comprehending upcoming research
difficulties in the field. The author of [29] examines
the most popular cloud computing solutions, as well as
the vulnerabilities that have been found for these
systems, and calculates the impact of these
vulnerabilities using NVD scores. It reports the
scores for each solution and, for each cloud computing
paradigm, the effect of the vulnerabilities discovered
thus far. It also examines the number of
vulnerabilities discovered from 2007 to
2019. This research depicts the era during which cloud
computing solutions piqued the curiosity of consumers
and those looking to hack them. In [30], the authors
provide a survivability framework for modelling and
analyzing the survivability and vulnerability of cloud
RAID storage systems, taking into account both
reliability and security concerns. Following that, the
quantitative assessment techniques are provided. The
CTMC-based approach is used to assess disc level
survivability and invulnerability in particular. In the
case of homogeneous and heterogeneous discs, the
combinatorial binomial coefficients-based and MDD-
based techniques are employed to assess system level
survivability and invulnerability, respectively.
Through a numerical study of an example cloud RAID
5 system, the effects of various attack and recovery
parameters (especially gv, rvg, and rfg) on disc and
system survivability and invulnerability are studied.
Beyond survival, the invulnerability of a system
is associated with the system's capacity to perform
effectively while residing in a state that is resistant to
malicious attacks, according to [31]. The impact of
cyber-attacks has presented substantial dangers to
current technical networks such as the Internet of
Things and cloud computing platforms, in relation to
personal performance degradation caused by factors
such as age and flaws. A researcher's contribution to
cloud service users is the identification of risk
categories and risk components in cloud migration, as
well as the potential for their formation, as detailed
in the study's findings. With attractive service offers
from Cloud Service Providers (CSPs), more and more
businesses are deciding to migrate to the cloud, but
consumers of cloud services face dangers as well.
Information security risk is the most common sort of
risk associated with cloud migration. Information
security risk, danger of losing data access, risk of
utilizing virtual machines, mistakes in choosing CSPs,
risk of compliance with numerous laws and regulations,
financial risk, and management failure are all
identified as risks in cloud migration [32]. The authors
of [33] present a Lattice-based privacy-preserving and
forward-secure cloud storage public auditing method
and argue that it is critical to handle user data integrity
and security problems after migrating to a cloud
server. The most significant issue in the cloud is
security risk, according to a validation of security
determinants model for cloud adoption in the context
of Saudi companies [34].
Cloud is an umbrella term for a collection of
technology, procedures, labor, and business models.
Cloud technology, like every other technology, has
flaws. Vulnerability refers to the possibility that a
resource will be unable to withstand a threat agency's
actions. Vulnerability emerges when there is a
mismatch between the threat agent's power and the
entity's ability to withstand it. Cloud Computing (CC)
specific vulnerabilities are discussed in Table I.
TABLE I. CC SPECIFIC VULNERABILITIES
| Vulnerability | Details |
| Core Cloud Technology Vulnerabilities | Web application services, virtualization, and cryptography are all essential cloud computing technologies that have flaws that are either inherent to the technology or prevalent in present implementations. Examples: virtual machine escape, session hijacking & riding, deficient or outdated cryptography. |
| Cloud Storage misconfiguration | For cybercriminals, cloud storage is a gold mine of stolen data. In spite of the high stakes, firms continue to commit the fault of misconfiguring distributed storage, which has resulted in severe losses for many enterprises. The root reason is misconfigured security groups and a lack of access controls. |
| Insecure Application Programming Interfaces | To smooth out computational measures, user interfaces are recommended. Regardless, Application Programming Interfaces can offer a means of communication for an attacker to misuse assets if they are left unprotected. Insecurity in APIs is primarily caused by insufficient authorization and authentication. |
| IP Loss or Theft | Intellectual property (IP) is certainly a very important asset for an enterprise, but at the same time it is vulnerable to security risks, particularly when content is kept over the internet. General causes of IP loss or theft include data tampering, data deletion, and loss of access. |
| Compliance Violations & Regulatory Actions | Cloud provides convenience but also creates security threats. The reason behind this is the difficulty of controlling who is permitted to use cloud data. It is critical for an enterprise to understand the insights into its information storage & access control to comply with consistency or industry norms. |
| Loss of Control over End User Activities | When companies don't know in what manner their employees use cloud computing governance, they risk losing control over data & becoming subject to attacks and security threats from insiders. |
| Deficient Management of user Access | The most prevalent security concern is probably improper access management. For many years, attackers have misused illegally obtained credentials as a common approach in online application or breach attacks. |
| Breaches with Clients or business Associates beyond SLA | Cloud SLAs are a little trickier. An SLA typically places restrictions on who has access to information and where & in what manner it may be used or stored. Employees who transfer critical data into the cloud without permission may be in breach of corporate contracts, resulting in legal action. |
| Defects in Known Security Controls | When cloud innovations directly cause challenges in applying the controls, vulnerabilities in unified security controls must be examined. Control challenges are another term for such vulnerabilities. |
| Essential Cloud Characteristic Vulnerabilities | The root reasons are unapproved admittance to the administration interface, protocol (IP) vulnerabilities, data recovery vulnerabilities, and metering and billing evasion. |
| Multi-tenancy Failures | Exploiting system & software vulnerabilities in a CSP's assets, computing environment or applications which support multi-tenancy might result in a failure to keep tenants separate. An attacker can take advantage of this failure & gain access to assets or data belonging to another user or organization. |
| Cloud migration vulnerabilities | When an enterprise thinks through moving its assets/operations among CSPs, vendor lock-in becomes an issue. Due to the following parameters, the company realizes that the price, effort, and schedule time required for the changeover are substantially more than previously estimated: (i) Non-standard data formats. (ii) Non-standard APIs. (iii) Dependency on CSP's proprietary tools. (iv) Uniqueness in APIs. |
| Compromised CSP supply chain | If CSPs outsource their infrastructural operational maintenance to external agents, then they may or may not be able to meet the standards that the CSPs have promised to provide to an enterprise. An enterprise must assess how the CSP enforces compliance and whether the CSP allows mediators to operate under their own standards. If the parameters are not applied on the supply chain, the threat escalates. |
Because each type of public, private, or hybrid
cloud offers a configurable architecture for
streamlined management and cost efficiency, data
privacy and software security are becoming
increasingly important issues. According to the CSA,
the following are the top cloud threats that require
immediate attention:
a) Breach of personal information
b) APIs and interfaces that aren't secure
c) Vulnerabilities in the system
d) Theft of an account
e) Insiders with nefarious motives
f) Cloud service abuse and malicious use
g) Loss of data
h) Inadequate due diligence
i) Advanced Persistent Threats (APTs)
j) Service interruption (DoS/DDoS)
k) Vulnerabilities in shared technology
l) Inadequate management of identity, credentials,
and access.
III. PROPOSED METHODOLOGY
The proposed experimental setup is a combination
of private and public cloud computing environments.
The private cloud is hosted within the premises of the
university using the existing data center, whereas the
public cloud is deployed using Amazon Web
Services (AWS) and Google Cloud Platform (GCP).
So, the experimental setup becomes a hybrid cloud,
as shown in Figure 2. The proposed methodology
consists of the experimental setup followed by
vulnerability scanning and penetration testing. The
methodology is as follows:
Step 1: Deploy E-Educational University Cloud
(LMS) using GCP
1a. Create a Google account and login with
respective account’s credentials at GCP cloud
console.
1b. Move to VM instances under Compute Engine.
1c. Create a project here by using name of project:
ICS E-Educational Cloud
1d. Configure & verify the payment details.
1e. Search for LMS of type Marketplace solution.
1f. Choose the appropriate LMS distribution like
Moodle and then start installation through creation
of a VM with suitable configuration with respect
to the requirements & budget.
1g. Set up an IP address (if required) for project access
and define security certificate requirements.
1h. Now, access the project using the static IP address
/ URL and use the pre-defined credentials for
setting up the LMS.
Step 2: Deploy E-Educational University Cloud
(LMS) using AWS
2a. Create an AWS free tier account at
aws.amazon.com.
2b. Login with respective root account’s
credentials at AWS amazon.
2c. Search for appropriate LMS distribution and
select.
2d. Launch the LMS with suitable configuration
details of the Amazon Machine Image (AMI).
2e. After successful launching, configure action as
website, t2.small as EC2 instance type, also
configure the VPC & subnet settings.
2f. Now create a key pair to make the LMS secure &
use it to verify identity whenever linking to an
instance.
2g. Verify the configuration instance summary &
get the public IP address of the LMS cloud application.
2h. Now, check & verify the following actions:
(i) Configure load balancer with HTTP
& HTTPS details.
(ii) Create & configure routing table.
(iii) Configure security settings.
(iv) Install EC2 instance for LMS.
(v) Get access using SSH with CLI.
(vi) Install LAMP server with AMI.
(vii) Create & configure database for LMS.
(viii) Install & configure LMS over
LAMP server using GitHub.
Fig. 2. Cloud Computing Architecture
Step 3: Deploy E-Educational University Cloud
(LMS) using in-house datacenter
3a. In the first step, the experimental setup for the cloud
computing environment (virtualized data center) is
established for SPI models. Multiple servers with
VTX-enabled technology are used to set up
type 1 & 2 hypervisors.
3b. After virtual machine installation, the cloud
computing experimental setup will be established
using OSS like OpenStack, Oracle VM VirtualBox
or ownCloud.
3c. Using the cloud hosting server, an open-source LMS
like Moodle is configured.
Step 4: Using the in-house datacenter, scanners like
Nessus, Nmap, IBM QRadar or InsightVM (Nexpose)
and Acunetix can be deployed to find the vulnerabilities
of all three cloud systems: GCP, AWS and the in-house
one. Kali Linux & Burp Suite can be used for
penetration testing of the cloud platform. Here Nessus
(Tenable) is used & configured for getting the
vulnerabilities.
Step 5: Now, collect the result data from scanner &
pen testers for investigation & analysis of the results
after getting the vulnerabilities based on multiple
parameters like CVSS Score, no. of open ports,
Severity etc.
On the basis of the experimental setup & the
deployed application, it will be useful to record the
various parameters related to performance &
security. The following cloud scanning tools are
recommended for performing penetration testing &
scanning for vulnerabilities on the SPI model:
(i) Nessus (ii) Burp Suite
(iii) Acunetix (iv) IBM Security QRadar
(v) AlienVault USM (vi) InsightVM (Nexpose)
(vii) Intruder (viii) Orca Security
(ix) Detectify (x) Kiuwan
(xi) OpenVAS
IV. RESULTS & DISCUSSION
A security risk assessment in terms of
vulnerabilities must be done before adopting e-
educational university cloud & CC based academic
apps. The SPI model is used by IT experts to develop
certain business processes in order to meet business
needs. According to the proposed technique, a real-
time experiment was conducted to determine the
vulnerabilities of the ICS E-Educational University
cloud on three different platforms: GCP, AWS, and
the University's own datacenter. According to the
NVD/CVE database, 18325 vulnerabilities were
discovered in 2020, with 8350 discovered in the first
week of June 2021. Aside from those, NIST-NVD has
released 34740 cloud-specific vulnerabilities to date.
Google (6034), AWS (112), and IBM (5142) are
among the leading CSPs that have disclosed their
vulnerabilities. Based on the three-dimensional
real-time experimental setup, the security risk was
investigated in terms of vulnerabilities, with the
following results:
Fig. 3. (a) E-educational University Cloud using AWS
(b) E-educational University Cloud using AWS
(c) E-educational University Cloud In-house datacenter
As per the findings, 20 vulnerabilities were found in
the AWS-based cloud deployment, 37 vulnerabilities in
the GCP-based cloud deployment, and 71
vulnerabilities in the in-house datacenter.
The major identified vulnerabilities are classified
into three severity levels (critical, high & medium) on
the basis of the CVSSv2.0 base score.
Fig. 4. Comparison of Vulnerabilities % among AWS, GCP,
In-house deployment of E-Educational University
Cloud
The following table compares the
vulnerabilities found in the AWS, GCP & in-house
datacenter based deployments of the E-Educational
University Cloud platform:
TABLE II. GCP, AWS, IN-HOUSE DATACENTER BASED E-EDUCATIONAL UNIVERSITY CLOUD VULNERABILITIES & THEIR RESPECTIVE SEVERITY
| Vulnerability | CVSS Score | Ranking | Vulnerability | CVSS Score | Ranking |
| In-House (Critical) | | | | | |
| | 7.8 | 1 | CVE-2019-10098 | 5.8 | 6 |
| | 7.5 | 2 | CVE-2017-9789 | 5.0 | 7 |
| | 7.5 | 2 | CVE-2019-10081 | 5.0 | 7 |
| | 7.5 | 2 | CVE-2017-7659 | 5.0 | 7 |
| | 7.5 | 2 | CVE-2019-17567 | 5.0 | 7 |
| | 7.5 | 2 | CVE-2020-13950 | 5.0 | 7 |
| | 6.8 | 3 | CVE-2021-26690 | 5.0 | 7 |
| | 6.8 | 3 | CVE-2021-30641 | 5.0 | 7 |
| | 6.4 | 4 | CVE-2019-10092 | 4.3 | 8 |
| | 6.4 | 4 | CVE-2020-13938 | 2.1 | 9 |
| | 6.0 | 5 | | | |
| In-House (High) | | | | | |
| | 7.8 | 1 | CVE-2018-8011 | 5.0 | 6 |
| | 7.2 | 2 | CVE-2019-0190 | 5.0 | 6 |
| | 7.2 | 2 | CVE-2020-8616 | 5.0 | 6 |
| | 7.2 | 2 | CVE-2021-25215 | 5.0 | 6 |
| | 6.8 | 3 | CVE-2021-31618 | 5.0 | 6 |
| | 6.0 | 4 | CVE-2016-0736 | 5.0 | 6 |
| | 6.0 | 4 | CVE-2016-2161 | 5.0 | 6 |
| | 6.0 | 4 | CVE-2016-8740 | 5.0 | 6 |
| | 6.0 | 4 | CVE-2016-8743 | 5.0 | 6 |
| | 5.1 | 5 | CVE-2019-0196 | 5.0 | 6 |
| | 5.0 | 6 | CVE-2019-0220 | 5.0 | 6 |
| | 5.0 | 6 | CVE-2021-20254 | 4.9 | 7 |
| | 5.0 | 6 | CVE-2019-0197 | 4.9 | 7 |
| | 5.0 | 6 | CVE-2018-5743 | 4.3 | 8 |
| | 5.0 | 6 | CVE-2020-8623 | 4.3 | 8 |
| | 5.0 | 6 | CVE-2016-6329 | 4.3 | 8 |
| CVE-2017-3137 | 5.0 | 6 | CVE-2016-9778 | 4.3 | 8 |
| CVE-2017-3145 | 5.0 | 6 | CVE-2017-3136 | 4.3 | 8 |
| CVE-2017-9798 | 5.0 | 6 | CVE-2016-4975 | 4.3 | 8 |
| CVE-2018-1333 | 5.0 | 6 | CVE-2020-11985 | 4.3 | 8 |
| CVE-2018-17189 | 5.0 | 6 | CVE-2016-6210 | 4.3 | 8 |
| CVE-2018-17199 | 5.0 | 6 | CVE-2017-3140 | 4.3 | 8 |
| CVE-2018-5740 | 5.0 | 6 | CVE-2017-3138 | 3.5 | 9 |
| In-House (High) | | | | | |
| CVE-1999-0511 | 7.5 | 1 | CVE-2018-11763 | 4.3 | 6 |
| CVE-2019-14870 | 6.4 | 2 | CVE-2019-6465 | 4.3 | 6 |
| CVE-2020-1927 | 5.8 | 3 | CVE-2018-5741 | 4.0 | 7 |
| CVE-2019-14902 | 5.5 | 4 | CVE-2019-14847 | 4.0 | 7 |
| CVE-2015-2808 | 5.0 | 5 | CVE-2019-19344 | 4.0 | 7 |
| CVE-2017-15906 | 5.0 | 5 | CVE-2020-14318 | 4.0 | 7 |
| CVE-2020-1934 | 5.0 | 5 | CVE-2020-14383 | 4.0 | 7 |
| CVE-2011-3389 | 4.3 | 6 | CVE-2020-8622 | 4.0 | 7 |
| CVE-2013-2566 | 4.3 | 6 | CVE-2021-25214 | 4.0 | 7 |
| CVE-2016-1546 | 4.3 | 6 | CVE-2021-25214 | 4.0 | 7 |
| CVE-2016-2775 | 4.3 | 6 | CVE-2019-14861 | 3.5 | 8 |
| CVE-2017-3135 | 4.3 | 6 | CVE-2019-14907 | 2.6 | 9 |
| CVE-2017-3142 | 4.3 | 6 | CVE-2020-14323 | 2.1 | 10 |
| CVE-2017-3143 | 4.3 | 6 | | | |
| AWS (Medium) | | | AWS (Low) | | |
| CVE-2017-15906 | 5.0 | 1 | CVE-2008-5161 | 2.6 | 2 |
| CVE-2013-2566 | 4.3 | 2 | CVE-2015-4000 | 4.3 | 1 |
| CVE-2015-2808 | 5.0 | 1 | | | |
| GCP (High) | | | GCP (Medium) | | |
| CVE-2004-2761 | 5.0 | 2 | CVE-2019-1551 | 5.0 | 1 |
| CVE-2020-1967 | 5.0 | 2 | CVE-2020-1971 | 4.3 | 2 |
| CVE-2021-23840 | 5.0 | 2 | CVE-2021-23841 | 4.3 | 3 |
| CVE-2021-3449 | 4.3 | 3 | CVE-2021-3450 | 5.8 | 1 |
Throughout the study of the findings, the
vulnerabilities are ranked by assigning a pool-wise
priority to all of them. Each pool's priority is
determined by the CVSS scores assigned to it. The
following security criteria are used to prioritize or rank
vulnerabilities:
a) Attack vector
b) Complexity of Attack
c) Required Privileges
d) User Interaction
e) Scope
f) Confidentiality Impact
g) Integrity impact
h) Availability Impact
V. FUTURE WORK
Based on the foregoing findings, it can be stated
that the vulnerabilities discovered and
probed must be prioritized based on the identified
factors and the cloud consumer's advice. All of the
vulnerabilities discovered are hard to mitigate
prior to the deployment of an application in the cloud
for any customer. As a result, vulnerability assessment
and analysis are also required. In the
future, an adaptive, responsive, and dynamic risk
assessment & analysis framework or technique should
be developed, which assists cloud customers and cloud
providers in identifying vulnerabilities, mitigating
them, and improving security levels.
VI. CONCLUSION
The cloud computing paradigm is one of the most
promising models for computational services for cloud
actors such as CSPs and cloud customers. Based on the
findings, it is apparent that investigating security
vulnerabilities is the most critical duty and should be
given top attention. The technologies being deployed,
such as virtualization and SOA, are causing some of the
security vulnerabilities. This paper details a comparative
analysis & investigation of major security issues/
challenges among public cloud computing
environments like AWS & GCP and in-house
datacenter based deployment platforms.
As per the results, findings and discussion, one thing
is clear: leading public cloud platforms are better
in comparison to the in-house cloud datacenter with
respect to the implementation & security aspects. The
cloud-specific vulnerabilities & threats are also
explained with their causes, which further provides
assistance for identifying and analyzing security
risk. As future work, the assessment & analysis of
risk can be performed using vulnerabilities so as to
protect the cloud from intruders.
REFERENCES
[1] Baytiyeh H., Disaster Prevention and Management, An
International Journal, Online learning during post-earthquake
school closures (2018) 27(2) 215227.
doi: 10.1108/DPM-07-2017-0173
[2] IIIT Hyderabad, January 2010. Cloud Computing for
E-Governance,
https://cdn.iiit.ac.in/cdn/irel.iiit.ac.in/uploads/CloudComputingForEGovernance.pdf
(accessed March 08, 2018)
[3] Hemani Sheth, Over 1,000 Cyber Attacks in education sector
amid Covid: Report, October 30, 2020,
https://www.thehindubusinessline.com/news/education/over-1000-cyber-attacks-in-education-sector-amid-covid-report/article32980879.ece
(accessed December 18, 2020)
[4] Netwrix, 2021 Cloud Data Security Report, 2021,
https://www.netwrix.com/2021_cloud_data_security_report.html
(accessed June 21, 2021)
[5] Bohn, R. & Messina, John & Liu, Fang & Tong, Jin & Mao,
Jian. (2011). NIST Cloud Computing Reference Architecture.
594-596, doi: 10.1109/SERVICES.2011.105.
[6] NIST U.S. Department of Commerce, 2010. NIST Cloud
Computing Program NCCP,
https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp
(accessed March 10, 2018)
[7] Abhishek Sharma & Dr. Umesh Kumar Singh (2021).
Deployment model of e-educational cloud for departmental
academics automation using open source. HTL Journal,
Volume 27, issue 5, 36, ISSN 1006-6748,
doi: 10.37896/HTL27.5/3535
[8] Bo Wang and HongYu Xing, "The application of cloud
computing in education informatization," 2011 International
Conference on Computer Science and Service System (CSSS),
2011, pp. 2673-2676, doi: 10.1109/CSSS.2011.5973921.
[9] Alhamad, Mohammed & Dillon, Tharam & Wu, Chen &
Chang, Elizabeth, Response time for cloud computing
providers, Proceedings of the 12th International Conference
on Information Integration and Web-based Applications &
Services (2010) 603-606, doi: 10.1145/1967486.1967579.
[10] Joshi, Chanchala & Singh, Umesh. (2016). Quantitative
Information Security Risk Assessment Model for University
Computing Environment. 69-74. doi: 10.1109/ICIT.2016.026.
[11] Joshi, Chanchala & Singh, Umesh. (2017). Information
Security Risk Management Framework for University
Computing Environment. International Journal of Network
Security. doi: 19. 10.6633/IJNS.201709.19(5).12.
[12] Rath, Annanda & Spasic, Bojan & Boucart, Nick & Thiran,
Philippe. (2019). Security Pattern for Cloud SaaS: From
System and Data Security to Privacy Case Study in AWS and
Azure. Computers. 8. 34. doi: 10.3390/computers8020034.
[13] Singh, Umesh & Joshi, Chanchala & Gaud, Neha. (2016).
Measurement of Security Dangers in University Network.
International Journal of Computer Applications. doi:155. 975-
8887.
[14] K. Upreti, B. K. Vargis, R. Jain and M. Upadhyaya,
"Analytical Study on Performance of Cloud Computing with
Respect to Data Security," 2021 5th International Conference
on Intelligent Computing and Control Systems (ICICCS),
2021, pp. 96-101, doi: 10.1109/ICICCS51141.2021.9432268.
[15] Z. Tari, "Security and Privacy in Cloud Computing" in IEEE
Cloud Computing, vol. 1, no. 01, pp. 54-57, 2014. doi:
10.1109/MCC.2014.20
[16] A.K. Sharma, Kamal Upreti, Binu Vargis, Experimental
performance analysis of load balancing of tasks using honey
bee inspired algorithm for resource allocation in cloud
environment, Materials Today: Proceedings, 2020, ISSN
2214-7853,https://doi.org/10.1016/j.matpr.2020.09.359.
[17] W. Nie, X. Xiao, Z. Wu, Y. Wu, F. Shen and X. Luo, "The
Research of Information Security for The Education Cloud
Platform Based on AppScan Technology," 2018 5th IEEE
International Conference on Cyber Security and Cloud
Computing (CSCloud)/2018 4th IEEE International
Conference on Edge Computing and Scalable Cloud
(EdgeCom), 2018, pp. 185-189, doi:
10.1109/CSCloud/EdgeCom.2018.00040.
[18] Tank, D., Aggarwal, A. & Chaubey, N. Virtualization
vulnerabilities, security issues, and solutions: a critical study
and comparison. Int. j. inf. tecnol. (2019). Doi:
10.1007/s41870-019-00294-x
[19] C Joshi, UK Singh, Information security risks management
framework A step towards mitigating security risks in
university network, Journal of Information Security and
Applications 35, 128137, ISSN 2214-2126, doi:
10.1016/j.jisa.2017.06.006
[20] Onyema, Edeh & Nwafor, & Ugwugbo, & Afriyie, Rockson
& Ogbonnaya, Uchenna. (2020). Cloud Security Challenges:
Implications on Education. 9. 56-73.
[21] Singh, Saurabh & Jeong, Young-Sik & park, Jong. (2016). A
Survey on Cloud Computing Security: Issues, Threats, and
Solutions. Journal of Network and Computer Applications. 75.
https://doi.org/10.1016/j.jnca.2016.09.002.
[22] T. Mather, S. Kumaraswamy, and S. Latif, “Cloud security and
privacy: an enterprise perspective on risks and compliance,”
O‘Reilly Media, Inc., 2009.
[23] R. Barona and E. A. M. Anita, "A survey on data breach
challenges in cloud computing security: Issues and threats,"
2017 International Conference on Circuit, Power and
Computing Technologies (ICCPCT), 2017, pp. 1-8,
https://doi.org/10.1109/ICCPCT.2017.8074287.
[24] Ahmed Aliyu, Abdul Hanan Abdullah, Omprakash Kaiwartya,
Yue Cao, Mohammed Joda Usman, Sushil Kumar, D. K.
Lobiyal & Ram Shringar Raw, “Cloud Computing in
VANETs: Architecture, Taxonomy, and Challenges,” IETE
Technical Review, 2018, 35:5, 523-547.
https://doi.org/10.1080/02564602.2017.1342572
[25] Jose Moura, David Hutchison, “Review and Analysis of
Networking Challenges in Cloud Computing, Journal of
Network and Computer Applications,” vol. 60, pp. 113-129,
2016, https://doi.org/10.1016/j.jnca.2015 .11.015
[26] Mohd Talmizie Amron, Roslina Ibrahim, Suriayati Chuprat,
“A Review on Cloud Computing Acceptance Factors,”
Procedia Computer Science, Volume 124, 2017, Pages 639-
646, ISSN 1877-0509, https://doi.org/10.
1016/j.procs.2017.12.200.
[27] K. Karthiban and S. Smys, “Privacy preserving approaches in
cloud computing,” 2nd International Conference on Inventive
Systems and Control (ICISC), 2018, pp. 462467
[28] Patil, Archana and Patil, Dr. Rekha, An Analysis Report on
Green Cloud Computing Current Trends and Future Research
Challenges (March 19, 2019). Proceedings of International
Conference on Sustainable Computing in Science,
Technology and Management (SUSCOM), Amity University
Rajasthan, Jaipur - India, February 26-28, 2019, Available at
SSRN:https://ssrn.com/abstract=3355151
or http://dx.doi.org/10.2139/ssrn.3355151
[29] Alin Zamfiroiu, Ionut Petre, and Radu Boncea. 2019. Cloud
Computing Vulnerabilities Analysis. In Proceedings of the
2019 4th International Conference on Cloud Computing and
Internet of Things, CCIOT 2019. Association for Computing
Machinery, New York, NY, USA, 4853.
DOI:https://doi.org/10.1145/ 3361821.3361830
[30] Qisi Liu, Liudong Xing, Survivability and Vulnerability
Analysis of Cloud RAID Systems under Disk Faults and
Attacks, International Journal of Mathematical, Engineering
and Management Sciences Vol. 6, No. 1, 15-29, 2021
https://doi.org/10.33889/ IJMEMS.2021. 6.1.003
[31] L Xing, Reliability in Internet of Things: current status and
future perspectives. 2020, IEEE Internet of Things Journal, in
press, doi: 10.1109/JIOT.2020.2993216.
[32] Maniah, Benfano Soewito, Ford Lumban Gaol, Edi
Abdurachman, A systematic literature Review: Risk analysis
in cloud migration, Journal of King Saud University -
Computer and Information Sciences, 2021, ISSN 1319-1578,
https://doi.org/10.1016/j. jksuci .2021.01.008.
[33] S.S. Gill, R. Buyya Failure management for reliable cloud
computing: A taxonomy, model, and future directions,
Comput. Sci. Eng., 22 (3) (2020), pp. 52-63
[34] R. Patil, H. Dudeja, C. Modi Designing in-VM-assisted
lightweight agent-based malware detection framework for
securing virtual machines in cloud computing Int. J. Inf.
Secur., 19 (2) (2020), pp. 147-162