An analysis of security challenges and their perspective solutions for cloud computing and IoT

INTRODUCTION: The ongoing revolution in the Internet of Things and Cloud Computing has given every object connected through the Internet the potential to exchange and transfer data. Many users find this connection and interaction helpful and serviceable in their daily routines. OBJECTIVES: The first objective of this research is to identify that a complex configured network system is a soft target for security threats, and that we therefore need a security-embedded framework for IoT and cloud communication models. Another objective is to protect information from unauthorized access in an integrated IoT-cloud framework and to secure data from spying. METHODS: This paper applies an integrated IoT-cloud theoretical solution, whose activities are mainly decided by a centralized controller, to safeguard against data attacks. Our integrated IoT-cloud theoretical solution is able to control unauthorized access and data breaches. RESULTS: The Internet of Things and cloud computing are used intensively by several real-time applications. After the theoretical analysis, the different vulnerabilities are explained following a detailed literature review, with the aim of preventing unauthorized access and unauthorized data breaches. CONCLUSION: The Internet of Things has changed the shape of communication, and the centralized data controller is the main entity that is robust against eavesdroppers. If an eavesdropper poses as a normal user and attempts to access a personal file, he is served a misleading file that he takes to be authentic but that in fact is not. Desirable IoT solutions need to be designed and deployed that can guarantee anonymity, confidentiality, and integrity in heterogeneous environments.


Introduction
The model of the Internet of Things (IoT) is grounded on self-configuring nodes that are connected in a wide foundation network. In practice, IoT is characterized by small, globally distributed things with limited storage and limited processing capacity. The cloud, on the other hand, with its immense storage and processing power, plays an important role in assisting the IoT ecosystem by providing significant application-specific services in various IoT application domains [1].
The Internet of Things (IoT) and the cloud are both considered imperative research topics globally; both play an important role in Information Technology, and both are emerging technologies for the future of the internet. Their emerging trends have also increased their value in the Information Technology platform. With this background in place, Fig. 1 shows the communication flow: the cloud is the main storage medium, and data from various IoT devices, sensors, and application records is sent to and stored in the centralized cloud via the Internet. On the cloud side, many other devices are also connected and exchange information about the data records of medical machines and other electrical appliances.

Figure 1. IoT and Cloud integration
From a security perspective, the immense amount of data produced by IoT devices [2] and stored on cloud storage is flooding the world with security disasters. Moreover, independent IoT devices are not protected at all and are thus easily exploited by various families of attacks. IoT devices are lightweight devices supported by the cloud, as they store their collected and processed data on cloud servers. The huge amount of data sent towards the cloud makes IoT devices dependent on cloud storage. The aim of this paper is to investigate and work on a framework that can prevent unauthorized data breaches on both the IoT and cloud sides.
IoT and cloud, as two different entities, have changed the shape of the computing world and brought their own updated and well-structured security issues. The related work summary explains how IoT and cloud usage has affected modern society. The main focus is to deal with unauthorized access in an integrated IoT-cloud framework and to prevent sensitive and confidential data from being accessed by a spy or attacker. The major focus is on the integration of the Internet of Things and the cloud, which is a genuinely productive field for both industry and research and looks promising for those who are currently merchandising IoT and cloud.

IoT Being a Network of Networks
Currently, IoT consists of a loose collection of disparate, purpose-built networks. Today's cars, for instance, have multiple systems or networks to control engine function, safety features, the communications framework, and so on. Business and private buildings likewise include several control systems for heating, venting, and air conditioning (HVAC); telephone service; security; and lighting. As IoT evolves, these networks, and numerous others, will be connected with added security, analytics, and management capabilities (Fig. 2). This will enable IoT to become even more capable and powerful in what it can help individuals to accomplish [4,5].

Cloud computing
Cloud computing is a hosted service provided over the internet. It provides high-performance computing of millions of instructions per second. Today, cloud computing has grown from a developing advanced architecture into one of the fastest-growing IT segments. As the advantages of cloud computing have grown, many service providers offer cloud services in numerous models. Cloud computing consists of a combination of technologies that are used to achieve a task, such as multiprocessors, network-based distributed computing systems, and space to store and retrieve data. It handles multiple task requests from many users or clients concurrently. It reduces resources, installation, and maintenance costs and you can access data

Paradigms of Cloud computing
There are four ways to develop a cloud computing environment, and each one has its own security concerns: public cloud, private cloud, community cloud, and hybrid cloud [6].

Public Cloud
Public clouds are operated and maintained by cloud service providers. Any client can use these services through a web browser. Data is stored in the service provider's data center, and the provider is accountable for the management and maintenance of the data.

Private Cloud
Private clouds are maintained by a single organization or company. Only authenticated users can get access to data in these clouds. These data centers are more protected compared to public clouds.

Hybrid Cloud
Hybrid clouds use the infrastructure and services of both public and private clouds. These clouds use secure services from private clouds and non-sensitive services from public clouds. Compared to public and private clouds, a hybrid cloud provides businesses with better elasticity and more deployment opportunities.

Community Cloud
Community cloud computing provides a shared cloud service environment that serves a limited set of organizations or employees. This cloud is managed by the participating organizations or service providers to achieve specific goals and work on joint projects. It provides the ability to easily share and collaborate at a lower cost.

Cloud Service Models
Organizations develop or adopt a cloud environment according to their requirements. The following are the three basic cloud service models.

Infrastructure as a service
IaaS is the basic layer in cloud computing models and provides the infrastructure of the cloud. It is also known as the computing layer; it requires changes when new requirements arise and may have to be re-designed from bottom to top. It works at the hardware level, which can be changed to the desired structure, and it deals with network and storage resources as virtual resources; these changes are temporary and designed for a specific task.

Platform as a service
PaaS is a cloud service that offers a platform for developing software, on which users can run code and check whether it meets their needs or requirements. This can involve programming languages used for specific purposes, databases, web servers, and file storage, but without management at the lower level.

Software as a service
SaaS is a service that provides software solutions to clients so they can use them according to their requirements. The client has no access to change the software or to deal with its infrastructure, but can only use its services.

Security Concerns of IoT
Even though IoT has made technological advances, it is widely recognized that security has become a major concern that has seriously affected the successful deployment and development of IoT infrastructure [8]. We now explain various security attacks that are of great concern in the IoT environment [9].

Physical Attacks
These attacks occur when an attacker is physically near a network system. A few common classifications of these attacks are listed below:

Sleep Denial Attack
This attack mainly harms the battery power of a device by feeding false inputs to that device. It results in the device shutting down because of over-exhaustion.

Permanent Denial of Service
This attack launches a corrupted BIOS on IoT devices with the help of malware.

Fake Node Injection
An attacker launches a fake node between two nodes to disrupt and lead the communication between two legitimate nodes.

Network Attacks
These attacks damage the IoT network system [11]. A few classifications of these attacks are listed below:

Traffic Analysis Attack
Such attacks aim to gain information on IoT networks. An attacker tries to breach the confidential information flowing to and from devices, and can attempt this without going close to that particular network [12].

Selective Forwarding
In this attack, a malicious node becomes part of a network and sends, alters, or drops a message to another node within the network [13].

Distributed Denial of Service Attack
Multiple compromised nodes attack a particular node by flooding it with messages or connection requests, which slows down or even crashes the whole network [14].

Software Attacks
Software attacks are attacks in which an attacker tries to take advantage of the associated software or any other security vulnerability that is part of an IoT system. Data of IoT devices is attacked by malware, which can further contaminate the cloud. If a cloud user unknowingly uses this software, it can alter or even steal information of IoT devices [15].

Data Attacks
Attacks in which an attacker tries to breach and alter the data of an IoT device.

Unauthorized Access
Attacks in which an attacker becomes an authorized member and gains ownership rights over sensitive data.

Data Breach
A data breach is a type of security incident in which personal or business information is accessed without authorization. Data breaches can cause great personal and business losses in a variety of ways. They are costly, can damage lives and reputations, and take time to repair. A data breach attack can result in the leak of personal, sensitive, and confidential information.

Security Concerns in Cloud System
Security is the core issue of cloud computing, as hackers, crackers, security scientists, researchers, and investigators have shown that this prototype is ambiguous and not 100% guaranteed. In a cloud environment, security is shared between the cloud provider and its users, and both are required to trust each other; there is always scope for improving security. There is a vast range of security threats, which is why providers have to assure their customers about the transparency of their data; if they fail to secure the data, the result is inside and outside threats or malicious attacks, data loss, software threats, multi-tenancy threats, loss of control, flood attacks, etc. [19].

Insider threats
It is a recognized fact that insider threats leave you most vulnerable, even with the most advanced firewalls and computer security available for your PC. If your employees are not trustworthy, neither is your overall security. It is very important for a company to keep a good sense of direction and management governance. Some external clients find it more secure to store data that is sensitive to their business at cloud hosting sites. If any member of your workforce manages to misuse this data, your cloud company will build a very bad reputation for the level of security it offers and will surely lose existing and prospective customers [20].

Data loss
When companies hand over their information to the cloud, they expect the same level of integrity and protection of data as they would have at their own locations. Data damage and leakage can cause financial loss, a bad reputation, and loss of customers for the organization. Erasure or modification of records without a backup of the original content is a recognized example of data loss [21].

Software threats
Software consists of programs written by all types of people; some software must be purchased for use and some is free. Freeware is generally open-source software, so a developer or a hacker can read its code, find bugs in it, and harm the system through this software. These points are also known as soft targets. Soft targets are usually found on machines that have public IPs to connect to the outside world, where an eavesdropper can access their software and harm them [22].

Multi-Tenancy Issues
The cloud is mainly intended to serve numerous users: diverse users within a cloud share the applications and the physical hardware that run their Virtual Machines (VMs). In this scenario, users act as tenants of the provider. While this model looks very efficient from the provider's perspective, it has some serious limitations in terms of security. Sharing applications and hardware can allow data leakage and misuse, and it increases the attack surface [23].

Loss of control
When providers move data within the cloud, it is transparent to them, but when organizations send data to the cloud they do not know its location, so they may lose control of their data. Organizations may not be aware of the security mechanisms put in place by the provider. These reasons create a sense of insecurity among clients [23].

Flood attacks
Flooding is a denial-of-service attack that degrades the performance of the server and makes it unavailable for client requests. An attacker creates a wrong scenario and sends it to the server to keep it busy performing calculations to solve the query. The worst part of flood attacks is that they grow stronger, because the server spends its computational power on solving the query [24].

Data Protection
Data protection is one of the major concerns of users of cloud services. It is always a top priority for both the user and the service provider. Data needs to be protected from unauthorized access, and the personal information of users needs to be secured [25].

Insecure APIs
Users mainly interact with the interface of the cloud environment. APIs are accessible from anywhere, so attackers can use interfaces to compromise the confidentiality of clients. Attackers use the same token which is given to the user and by using that token the attacker can access their data [26].

Service/Account Hijack
In an account hijack, the intruder uses stolen credentials to hijack a cloud service and can insert false information and divert users to abusive websites. In a watering hole attack, attackers insert malicious code into a webpage to attack the users who visit the website. Attackers can also disrupt the service and make it inaccessible [27].

Data Security Issues
Data security can be measured in terms of management, migration, and virtualization. For the cloud, data is stored in several places in the back end, so this strategy makes the security difficult to manage. In turn, moving data across locations can also have security concerns. Data management security would be considerable in terms of how to deal with unreasonable data structure and the strategy to dig out non-functional data. Cloud provides a virtual environment to perform the task to get the desired results. Virtualization also makes the cloud environment more insecure because the network is complex, and this system has to be managed in a proper manner [28].

Impact of IoT Models on Society
In this section, different implemented IoT systems are discussed to show how their authors aim to provide comfort for people; when people are at ease, society as a whole is at ease.
S. Pinto et al. [29] proposed an IoT We-Care system for the health of elderly people, whose health can be monitored with the help of a wristband. It is a comfortable wristband that provides elderly living assistance and can monitor and enroll patients along with their data. If an emergency occurs, this wristband is also capable of generating alarms (e.g. it can detect falls).
Kajal R.K Pandey et al. [30] proposed a model for medical emergencies in which victims are in a kind of trauma and unable to properly deliver information about themselves. In that case, a dedicated IoT-based device provides virtual assistance to doctors by supplying the identification of the patient or patients along with the medical information of every victim. This dedicated device is a wearable identity that has a unique identification number.
Shilpa Mandke et al. [31] proposed a system for infant health monitoring. This system keeps track of important parameters such as the infant's body temperature, movement, and pulse rate. The model is designed with mothers in 3rd-world countries in mind, for when they are away from their new-borns or out of the home for work. The system is composed of temperature sensors, pulse sensors, a voice sensor, and a motion sensor, and these sensors give information to a microcontroller. The microcontroller is also attached to a power supply and a Wi-Fi module. The Wi-Fi module sends information over the internet to a database on the mother's phone, laptop, or any other device that is part of this system.
Asim Majeed et al. [32] work on making campus life smart with the help of IoT. They proposed the concept of "smart classrooms" where students can access their helping material anytime, anywhere. Lecturers, in turn, can use smartphones and wearable devices to enhance their teaching skills and to engage students during lecture delivery. This smart classroom supports students and teachers with the help of sensors, controllers, and several physical objects.
J Arora et al. [33] proposed an IoT-based smart home system in which multiple systems are part of the main system. The subsystems monitor critical parameters: an electrical appliances control system, a home security system, an energy-saving system, monitoring along with alerts, etc. A smart application is used by an authenticated user, who has a login id and a password, to check the status of every IoT device. It is a hardware-based system in which the sleep and wake modes of different devices are used to increase the energy efficiency of the system.
A Khan et al. [34] also proposed a smart home, called the IoT Smart Home System (IoTSHS), which provides remote control of a smart home with the help of a mobile phone, a Wi-Fi based microcontroller, an infrared (IR) remote control along with a PC/laptop, a temperature sensor (which tells whether the AC needs to be ON or OFF at a given time), relays (which act as ON/OFF switches), and a power distribution box. This type of model provides comfort to people who are not happy using, or cannot use, mobile phone applications.
BS Singh et al. [35] proposed a smart health system for people with disabilities. The paper proposes several components (an RFID sensor that gives directions to blind people, a camera, ear sensors for impaired people, and a wireless glove) to help and improve the lifestyle of handicapped people.
Y Zang et al. [36] worked on two-hop wireless communication for collecting IoT data under eavesdropper collusion, adopting physical layer security to prevent such attacks. They considered two cases: in the first, eavesdroppers work independently, and in the second, the observations of M eavesdroppers are combined to conduct an eavesdropping attack. They indicated that eavesdropper collusion can increase the secrecy outage and degrade the security performance of IoT data collection. Additionally, the authors proposed that cooperative jamming schemes can help to improve data collection security, either by an increased noise generation threshold or by distributing more relays.
Mhouti et al. [38] discussed cloud computing services for e-learning systems, which can benefit higher education institutions. These cloud computing services can be used anytime, anywhere, and lower the software and hardware requirements.
Basha et al. [39] discussed that cloud computing is a pillar of e-learning as it helps instructors and students to access new knowledge.
Tuli et al. [40] proposed a Robust Weibull model based on iterative weighting that has combined cloud computing and machine learning together to predict the epidemic growth of COVID-19.
MA Khasawneh et al. [41] discussed that cloud computing has a great impact on the growth of green supply chain management, for example, improved information availability, which is an important factor for energy saving, improved dealing speed with information, reduced cost of running, etc.
I Singh et al. [42] proposed an e-health administration framework in which patient data is entered into a database. There is a web-enabled system on the cloud side, which consists of specialists, radiologists, and research center staff. In this proposed architecture, data is also secured with biometric authentication agents and by authenticating user access.
Table 2. Cloud Computing Based Models with their Impact on Society
P Sing et al. [43] worked on smart monitoring and controlling of government policies with the help of cloud computing and social media. The authors tested their approach on the Goods and Services Tax of the Indian government, and the results showed that their proposed pragmatic approach is a feasible choice for efficient policymaking and its implementation.
J Wei et al. [44] proposed a theoretical integration model for cloud-based cultural platforms in China. This paper also worked on improving the interaction between cloud-based cultural platforms, smart individual spaces, and physical cultural venues.
B EL Zoghbi et al. [45] discussed how traditional IT and the related IT service provider roles are affected by cloud computing technology in Lebanon. The authors used a qualitative interpretive multiple case study approach and discussed the CC value co-creation opportunity for IT service providers in Lebanon, identifying their modern role in fixing the cloud computing roadmap from a service-dominant logic.
K Cheng et al. [46] proposed a novel scheme for secure k-NN queries on encrypted cloud data with multiple keys, to provide confidentiality and privacy for data. In this scheme, the DO and each QU hold their own different keys and do not share them. The DO is responsible for encrypting and decrypting outsourced data with his key. The researchers constructed their scheme using a distributed two-trapdoor public-key cryptosystem (DT-PKC) and a set of secure two-party computation protocols, which preserve data confidentiality and query privacy and support an offline data owner.
E Kabir et al. [47] presented a sorting framework for Statistical Disclosure Control (SDC), which helps to protect microdata in cloud computing. The framework has two stages: in the first stage, an algorithm sorts all records in a particular way that ensures that dissimilar observations do not enter the same cluster, and in the second stage, a microaggregation method is used to create k-anonymous clusters while reducing the information loss.
H Wang et al. [48] combined cryptography with authorizations in their proposed work. The authors assigned keys to data owners and to roles that enforce access via encryption. Additionally, a formal access model is designed, which analyzes the translation of an authorization policy into an equivalent encryption policy. The authors also investigated the effect of the role hierarchy structure on the authorization process. The role-based access management methods are implemented with XACML using WSO2 Identity Server.

Suggested Integrated Solution of IoT-Cloud security Concerns
Following the detailed related work, a structure for the secure integration of IoT computing devices with cloud systems is proposed. Cloud and IoT devices are interconnected through a centralized controller, as shown in Fig. 3, to examine the security controls that can be used to secure IoT system data and cloud data. Ubiquitous access to different types of information is allowed through the proposed centralized controller, which significantly improves the protection of data. Additionally, a sub-cloud layer is made part of the centralized cloud and is able to store aggregated data. Every node is assigned a different key to communicate with other nodes, and its authenticity is checked by the controller.

In this framework, the IoT network (consisting of wired and wireless IoT nodes) and the cloud systems are orchestrated by the main controller. This main controller is the hub of the entire network, because it is set up to prevent cybersecurity attacks that could otherwise bring the network to a halt. A single controller was chosen because it performs better at managing the traffic of a set of medium-size IoT networks along with cloud systems.
The master controller is further connected to a router, which is a core component of the proposed structure because it directs traffic within the complete network according to the instructions set by the controller. The router holds flow entries, flow rules, data entries, and data rules in its table, as instructed and set up by the controller.
The following four scenarios can take place for communication:
(i) IoT-to-user communication service (when a user wants to check the status of IoT devices)
(ii) cloud-to-user communication service (when a user wants to access data in cloud storage)
(iii) IoT-to-cloud communication service (when IoT devices want to send their data to cloud storage)
(iv) cloud-to-IoT communication service (when cloud storage wants to synchronize data according to IoT devices)
All of the above 4 stages are managed by the master controller, which has the responsibility to decide the traffic flow and data entries of the user, the IoT devices, and the cloud (both the main cloud and the Fog cloud).

Figure 4. IoT-Cloud Secure model
Whenever a node wants to send traffic to any other network node, it first has to establish a connection with the master controller using its IP address. The controller then asks the sender node for its key, and when the sender node sends back its key, the controller matches the IP address and key against its table. If both the IP address and the private key are in the table, the requesting IP address is allowed access and may send its data towards the destination. When the data reaches its destination, the destination node also verifies it with its private key, and if the key matches, it can use the data packet as instructed by the sender.
In this design, the cloud systems contain bogus data files within their storage. When an eavesdropper tries to access the data and status of IoT and cloud systems, it first has to go through the controller. The controller checks the IP address and key of the eavesdropper's system, and when they do not match, the controller asks the cloud to send the generated bogus file to the attacker. Similarly, when an attacker wants to check the status of IoT devices, the controller arranges for a bogus status file to be sent to the IoT nodes, and these nodes then send the bogus status to the attacker. In both scenarios, the attacker thinks that he has successfully breached actual data, but in fact he has been given a bogus file.
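The controller check and bogus-file response described above, sketched as an added example (not code from the paper). The class and function names, the SHA-256 key digests, the constant-time comparison, the audit list, and all sample addresses, keys and file contents are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample values (documentation address ranges, made-up keys).
SENSOR_IP, SENSOR_KEY = "192.0.2.10", b"constructed-sensor-key"
USER_IP, USER_KEY = "192.0.2.20", b"constructed-user-key"
UNKNOWN_IP = "203.0.113.5"
REAL_FILE = b"record: constructed real content"
BOGUS_FILE = b"record: constructed bogus content"


def key_digest(key: bytes) -> bytes:
    """Assumption: the table keeps a digest of each key, not the key itself."""
    return hashlib.sha256(key).digest()


@dataclass
class Controller:
    table: dict = field(default_factory=dict)   # IP address -> key digest
    files: dict = field(default_factory=dict)   # name -> (real, bogus)
    alerts: list = field(default_factory=list)  # internal audit trail only

    def register_node(self, ip: str, key: bytes) -> None:
        self.table[ip] = key_digest(key)

    def store(self, name: str, real: bytes, bogus: bytes) -> None:
        self.files[name] = (real, bogus)

    def is_authentic(self, ip: str, key: bytes) -> bool:
        # Both the IP address and the key must match the same table row.
        # An IP address can be spoofed, so the key carries the real weight.
        # Unknown IPs are compared against a dummy digest so that known and
        # unknown addresses take the same code path and similar time.
        expected = self.table.get(ip, b"\x00" * 32)
        matches = hmac.compare_digest(expected, key_digest(key))
        return matches and ip in self.table

    def request(self, ip: str, key: bytes, name: str) -> bytes:
        # The reply has the same shape in both cases, so the requester
        # cannot tell a bogus file from a real one by its format.
        real, bogus = self.files.get(name, (b"", b""))
        if self.is_authentic(ip, key):
            return real
        # Record the mismatch for the defenders; this is never sent back.
        self.alerts.append({"ip": ip, "resource": name, "served": "bogus"})
        return bogus


def build_demo() -> Controller:
    """Controller preloaded with the constructed nodes and one file."""
    ctl = Controller()
    ctl.register_node(SENSOR_IP, SENSOR_KEY)
    ctl.register_node(USER_IP, USER_KEY)
    ctl.store("record", REAL_FILE, BOGUS_FILE)
    return ctl


if __name__ == "__main__":
    ctl = build_demo()
    print(ctl.request(USER_IP, USER_KEY, "record"))        # real content
    print(ctl.request(USER_IP, b"guessed-key", "record"))  # bogus content
    print(ctl.request(UNKNOWN_IP, USER_KEY, "record"))     # bogus content
    print(ctl.alerts)
```

The audit list is what turns the bogus file into a detection signal: every mismatch leaves a record of the source address and the resource that was requested.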

Conclusion
IoT and cloud computing have been used intensively by several real-time applications. To prevent unauthorized access and unauthorized data breaches, an IoT-cloud communication model is proposed. In the different cases, the centralized controller is the main entity that is robust against eavesdroppers. Any eavesdropper who poses as a normal user and attempts to access personal data is identified by the proposed model and can be misled.