Data security is a major concern in cloud computing environments as they provide much scope for intruders to attack. Data centres in cloud environments hold valid information that end-users would conventionally have stored on their computers. Moving information towards centralised services may have an adverse effect on the security of users’ interactions with files kept in cloud cupboard spaces[1], for example accidental or deliberate alterations or deletions of information from the cloud server by the Cloud Service Provider (CSP). This necessitates the deployment of some sort of mechanism to ensure the safety of information integrity[2]. Public sector organisations have much to gain by adopting a cloud computing approach to service delivery in their ICT environments. However, these benefits must be reaped without compromising core requirements and institutional values.
This paper focuses on the security issues that may arise when public sector organisations consider transitioning to an Open Source Software (OSS) Infrastructure as a Service (IaaS) Cloud Infrastructure (OpenStack), although the same issues are likely to be found in other OSS cloud computing software like Apache CloudStack[3], Eucalyptus[4], and OpenNebula[5]. We examine legal implications, regulatory and standards compliance, new attack vectors resulting from vulnerabilities coming from virtualisation technologies, data integrity issues such as encryption and access controls, and security checks to be performed on the services prior to their movement to the cloud. In addition, some of the most important security threats in cloud computing are presented, followed by key recommendations on how to address them, namely security standards and certifications, service provider auditing, secure APIs, transport layer protection, authentication and encryption key management, and cloud service agreements.

Wang C, Wang Q, Ren K, et al. 2009, Privacy-preserving public auditing for data storage security in cloud computing, Cryptology ePrint Archive, viewed February 1, 2016,

Zhu Y, Wang H, Hu Z, et al. 2010, Efficient provable data possession for hybrid clouds, Cryptology ePrint Archive, viewed February 1, 2016,

Apache CloudStack, n.d., viewed January 28, 2016,

Eucalyptus, n.d., viewed January 24, 2016,

OpenNebula, n.d., viewed January 25, 2016,

European Commission, 2013, What does the Commission mean by secure cloud computing services in Europe?, viewed January 12, 2016,

Raju R,V, Vasanth V and Udaykumar P, 2013, Data integrity using encryption in cloud computing, Journal of Global Research in Computer Science, vol.4(5): 40–43, viewed January 14, 2016,

Ali M, 2014, What is cloud computing stack (SaaS, PaaS, IaaS), Maizkglobal Global IT Solutions, viewed January 18, 2016,

Brenton C, 2012, Delineation of cloud responsibility, SANS Information Security Training, viewed October 17, 2015,

Lukan D, 2014, Addressing the most critical cloud security threats, TechTarget SearchCloudSecurity, viewed January 21, 2016,

Choosing a Cloud Provider with Confidence, n.d., viewed January 4, 2015,

Cloud Standards Customer Council, 2015, Security for cloud computing – 10 steps to ensure success, version 2.0, viewed May 14, 2015,

Rouse M, 2011, Definition of cloud services, TechTarget SearchCloudProvider, viewed January 29, 2016,

Cloud Security Alliance, n.d., Virtualization Working Group, viewed January 30, 2016,

Adams D, 2010, Top 7 threats to cloud computing — part 1, Patriot Technologies Inc., viewed December 3, 2015,

Linthicum D, 2015, Minimize threats through public cloud security testing, TechTarget SearchCloudComputing, viewed January 20, 2016,

FedRAMP, n.d., viewed September 21, 2015,

U.K. Government Digital Service, 2013, The G-cloud framework on the Digital Marketplace, viewed September 21, 2015,

Cloud Security Alliance, n.d., viewed September 13, 2015,

Horrigan B L, 2015, Securing your cloud deployment, Information Security — Insider Edition, viewed September 30, 2015,

Cloud Security Alliance, n.d., STAR Certification, viewed October 12, 2015,

Cloud Security Alliance, STAR Attestation, viewed Oc-tober 12, 2015,

SSAE-16, n.d., SSAE SOC 2 report — Trust Services Principles, viewed November 12, 2015,

Cloud Security Alliance, 2015, Consensus Assessments Initiative Questionnaire v3.0.1 Info Sheet, viewed November 15, 2015,

OpenStack, n.d., Heat, viewed May 12, 2015,

Brenton C, 2012, Virtual firewall appliances — trust misplaced?, Cloud Security Alliance, viewed December 1, 2015,

Brenton C, 2011, Hypervisor versus host based security, Cloud Security Alliance, viewed November 16, 2015,

Lukan D, 2014, How to limit security risks during cloud computing virtualization, TechTarget SearchCloudSecuri-ty, viewed December 2, 2015,

OWASP Open Software Security Community, 2015, Defense in depth, viewed November 10, 2015,

OpenStack, n.d., Security Groups, viewed August 10, 2015,

OpenStack, n.d., Configure access and security for instances, viewed May 12, 2015,

Shackleford D, 2014, Assessing cloud security controls key in repelling cloud attacks, TechTarget Search-CloudSecurity, viewed November 20, 2015,

OWASP Open Software Security Community, n.d., Zed Attack Proxy Project, viewed March 8, 2016,

OpenVAS, n.d., viewed March 8, 2015,

SQL Inject Me 0.4.5 end-user license agreement, n.d., viewed March 8, 2015,

AutoSec Tools, 2016, HTTP directory traversal scanner, viewed March 10, 2016,

PostWigger Web Security, n.d., Burp Suite, viewed March 8, 2016,

Qualys SSL Labs, n.d., SSL server test, viewed March 8, 2015,

Samurai Web Testing Framework, n.d., viewed March 8, 2015,

Subgraph, n.d., Vega vulnerability scanner, viewed March 8, 2015,

OpenStack, n.d., Openstack Security Guide, viewed February 5, 2016,

Sidana H S, 2012, Cloud computing: managing security. Infosys Labs Briefings, vol.10(1).

Chandramouli R, Iorga M and Chokhani S, 2013, Cryptographic key management issues & challenges in cloud services, National Institute of Standards and Technology, viewed January 27, 2016,