Cloud Computing / Security Reference Model In Cloud Computing

Security Reference Model: NIST's (National Institute of Standards and Technology) Security Reference Architecture.
It is the first Security Reference Model, used by the United States.
NIST's service models: SaaS, PaaS, or IaaS.
NIST's deployment models: Public, Private, Hybrid, or Community.
It focuses on specific standards for each service level.



The cloud computing reference model groups the cloud computing functions and activities into five logical layers and three cross-layer functions.

Cloud Computing Layers

Physical Layer: Executes requests generated at its layer. Its entities are compute, network devices and storage devices.
Virtual Layer: Contains virtual resources (software, hardware).
Control Layer: Used to control, modify and maintain configurations (resource configuration, pools and resource).
Service Orchestration Layer: Executes automated tasks provided by workflows.
Service Layer: Lets users interact with cloud resources.


Cross-layer functions

Business continuity: Addresses service availability and downtime.
Security: Provides administrative mechanisms (security policies, personnel policies and standard procedures) and technical mechanisms (firewall, IDPS, antivirus).
Service Management: Provides portfolio management and service management.


NIST (National Institute of Standards and Technology) Security framework

It provides five tasks. They are:

Identify: Business, asset management, risks (assessment and strategy).
Protect: Control, train, security, maintenance and technology.
Detect: Anomalies, security, detect and communicate.
Respond: Planning response, analysis, mitigation and improve.
Recover: Planning, improve and communicate.


Security Issues
S.No | Security Issue | Details
1 | Data Breaches | The release of confidential data to an unsecured environment, so the organization's security measures are required to protect data on the cloud. Normally it is low.
2 | Hijacking of Accounts | Attackers log in to employees' accounts remotely to access or manipulate data stored on the cloud. Hijacking methods include scripting bugs and reused.
3 | Insider Threat | An insider is a person authorized to access the organization's services who can misuse that access. Insider threats are difficult to detect.
4 | Malware Injection | Scripts that are injected into cloud services to eavesdrop, compromise information and steal data.
5 | Cloud Services Abuse | Unlimited hosting space can easily be used by hackers and users to host malware scripts.
6 | Insecure APIs | Users sometimes use Application Programming Interfaces (APIs); if they are insecure, they carry security risks.
7 | Denial of Service Attacks | An attack in which hackers attempt to make a website or servers unavailable to legitimate users.
8 | Insufficient Due Diligence | An organizational security risk that arises during cloud migration, when the anticipated services don't match the customer's expectation.
9 | Shared Vulnerabilities | In the shared environment, the client alone, not the provider, is responsible for the client's data.
10 | Data Loss | The provider is responsible for backup and recovery procedures in case of data loss.
11 | Privacy identity management | The provider is responsible for access control to information and computing resources using an identity management system. The identity management system uses biometric, federation or login authentication.
12 | Physical security | The provider is responsible for securing the physical hardware (servers, routers, cables etc.) against unauthorized access, theft, fires, floods etc.
13 | Personnel security | The cloud services provider gives users options for setting up security programs and training.
14 | Privacy | The provider is responsible for ensuring that only authorized users have access to data.
