Software as a Service: Analysing Security Issues

Software-as-a-service (SaaS) is a software delivery model that brings a broad range of business opportunities and challenges. Users and service providers are attracted by its benefits but remain reluctant to move their business onto SaaS because of its security concerns. This article highlights the utility and applicability of SaaS in environments such as cloud computing, mobile cloud computing, software-defined networking and the Internet of Things. It then analyses SaaS security challenges spanning data security, application security and SaaS deployment security, and reviews in detail the existing mainstream solutions to the respective security issues, mapped to the different SaaS security challenges. Finally, it presents solutions and techniques that can be applied in tandem to build a secure SaaS platform.