### *3.3. Fog-Related Aspects*

Many businesses have transformed massively, especially with the fast growth in large data usage, due to Cloud computing [80]. Meanwhile, the demand for private services also began to grow hugely. A great number of well-centralized systems is offered by Cloud computing platforms [81,82], although with some shortcomings. Clouds and their endpoints exhibit long and irregular delays, which are unwanted for time-sensitive services [83]. There is a pertinent high risk in a situation where there is a breakdown in the information center or between interconnected network systems. One potential breach here is privacy exposure. To mitigate this challenge, the Fog computing [84] model was introduced; it assisted Cloud-Edge in improving computation, security, and privacy, and is now the leading and most recommended computing service.

Fog devices are considered to be separate and distributed pieces of equipment, ranging from gateways, routers, and switches to professionally installed traditional servers [85]. Furthermore, with the current demand for huge emission reductions, Fog computing is highly viewed as a smart green platform with sustainability and great security benefits. Many Fog Nodes (FNs), seen as renewable, constitute the Fog computing system. FNs can be geographically spread throughout several locations. The great level of pressure exerted on the information center during computation is vastly decreased because the different FNs work independently but together through a well-calculated formula. Fog can separate or filter the processing at the central layer, located between the endpoint and the Cloud [86], which may significantly enhance the QoS and bring down expenses [87]. Fog computing was highly considered and in great demand to deal with the ever-growing IoT issues, as we shall see in the next subsection [88].

Fog computing was established as the most viable approach because of its ability to cross-connect every digital equipment, wireless endpoint, and local device. This interconnectivity is vulnerable to vital security and privacy violations such as disclosing clients' data location, leaking classified documents, and stealing private accounts. First considered by Cisco, Fog computing was introduced to extend Cloud activities to the system's Edge. Fog computing surfaces as an alternative to the local Cloud, offering huge assistance in terms of QoS, latency, and location distribution [45]. Services such as networking, storage, and, most importantly, computing between the customer and the information center are rendered by Fog computing, which is largely considered a virtualized system [89] and carries the related vulnerabilities along the way.

According to the Edge system, every single unit in Edge computing functions independently to ensure that information is not forwarded to the Cloud but handled locally instead. On the other hand, whether to transfer data to the Cloud or to process data from various information origins is always a decision made by Fog computing nodes, taking into account their assets. Fog computing can extend some Cloud services that are not supported in the Edge structure, such as Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS). Fog computing is completely Edge-inclined: the expansion of communication assets and computation is performed at the Edge of the network and can be supported by Fog computing [90].

### 3.3.1. Fog Data Security

Some attacks usually threaten private and government entities since they function in Cloud, Edge, and Fog computing. To offer a level of protection to the architecture, it is important to develop a Threat Intelligence Platform (TIP) [91]. Data security is the most prioritized aspect in the industrial sector, especially as information must be safeguarded. Intelligent equipment and sensor devices are deployed to extensively reduce threats and security attacks. The heterogeneity and geographical sharing features impact the implementation of Cloud security frameworks in Fog computing systems [5]. Some of the considered security challenges are confidentiality, authentication, availability, and information privacy. The mentioned frameworks assist in creating and monitoring access for persons and organizations.

Considering the medical field, we see that patients' health history involves classified information, and the Fog architecture has several nodes that might present some vulnerabilities. These vulnerabilities can be unpermitted access to information when stored or at the time of transfer, untrustworthy insiders, and exposure during the system's distribution of information. The Fog system, by means of cable or wireless networks, consistently receives information transferred from the sensors of medical devices. Tampering with patients' personal data, integrity, and device availability is an obvious risk and can occur when communication systems and sensors are targeted. Some attacks, such as Denial of Service (DoS), can easily be perpetrated through these channels due to the vulnerabilities found in wireless networks. On the other hand, the absence of proper frameworks to control access to the Fog nodes that process important information can compromise information through leakage because of account theft, unpermitted access, and possibly some unsafe passage. The mentioned problems can be mitigated through thorough analysis and stringent rules and regulations to establish standard control mechanisms such as personal systems, selective (limited) encryption, and reciprocated (mutual) authentication [92].

Overall, Fog presents Edge-like challenges while pushing them even further towards a decentralized and distributed environment.

### 3.3.2. Fog Data Privacy

Protecting the privacy of individuals and enterprises is often a primary concern for the Fog paradigm, especially with Fog nodes positioned near the individuals, facilitating the gathering of vital information sometimes relating to geographical location, identity, social security numbers, and more. One great challenge is that it is quite hard to keep centralized monitoring due to the distributed nature of Fog nodes.

During transmission, attackers can easily gain access to steal essential information when the Fog nodes are not well secured. More practical studies are needed to understand privacy problems better and improve current solutions to preserve data privacy [93]. Privacy leakage often happens, even though end-users never agreed to release their personal information. There are some main areas of clients' privacy: data privacy, location privacy, identity privacy, and usage privacy [94].

### **4. Main Security and Privacy Challenges**

This section briefly describes the major challenges per paradigm and provides a concise table highlighting the essential ones and the proposed countermeasures identified in the literature.

### *4.1. Cloud Paradigm Challenges*

Data loss, privacy leakage, multi-tenancy, unpermitted access to management platforms, Internet protocol, and injection attacks are some of the main challenges faced in the Cloud [95,96]. Such challenges tend to make room for potential attacks, handing access control to cybercriminals and granting access to unauthorized services, therefore disclosing several classified data, if not all.

Cloud computing faces enormous threats when involved with these vulnerabilities, which thus affect business too, either directly or indirectly. One of the most reliable ways to repel threats and attacks is to identify any found and analyze their behavior properly. This section explains the different Cloud computing issues [97].

• Multi-tenancy is used in providing services to different customers and organizations with a particular software operating on the SaaS provider's servers within the architectural design. Every user company can use an application that is virtually designed to partition data and configure it virtually with the help of specially designed software. In this SaaS model, there is a high risk of vulnerability because clients tend to work with multi-tenant applications manufactured by Cloud Service Providers (CSPs). The maximum security of customers' data is the direct responsibility of the Cloud provider since sensitive information such as financial and individual data is hosted in their Cloud system [55].

Managing resources and scheduling work are some methods used by certain Cloud providers [98], but the hardware's potential is fully attained by CSPs through virtualization. Sandboxed setups refer to Virtual Machines (VMs) being completely separate. Hardware sharing among clients is considered safe according to this mindset. On the other hand, cybercriminals can gain access to the host when the sandboxed system has security setbacks [99]. Close attention to the virtualization software is strongly recommended since it has shown recent vulnerabilities in Cloud security, such as data retrieval by targeting a VM on the same machine through cross-Virtual Machine side-channel attacks [100].


It may be far easier for a person with malicious intent to work for a CSP, since no one is seen as a suspect [106]. Such an individual can quickly be involved in malicious events, particularly if they have unhindered access to sensitive information and the CSP cannot strictly monitor its workers.

• Identity Theft: Victims or organizations can suffer heavy impact due to weak passwords and phishing attacks by attackers who tend to disguise themselves as authentic persons to steal their victims' important data. The sole reason for identity theft is to gain access to the sensitive digital resources of individuals and companies by any malicious means. Every protected communication within the Cloud system happens with access control, and this is made possible using an encryption key [107].

• Man-in-the-Middle Attack: During the flow of data from one end to another or between different systems, cybercriminals can easily take advantage and gain access, thereby gaining control of classified data. This can easily occur when the Secure Sockets Layer (SSL) is insecure due to inadequate configuration. Specifically, in Cloud systems, hackers can attack the communication within the information centers. Efficient SSL configuration and data analysis among accepted entities can go a long way to significantly lower the threat posed by a man-in-the-middle attacker [108].


### *4.2. Edge Paradigm Challenges*

The Edge paradigm is considered to offer huge benefits to Edge customers, such as storage and data processing, just to name a few. However, like the Cloud paradigm, Edge computing still faces big security and privacy challenges which, despite these many gains, we explore in this subsection.


### *4.3. Fog Paradigm Challenges*

The Cloud paradigm has countermeasures for its security and privacy threats. Nevertheless, these countermeasures may not apply to the Fog paradigm due to the active presence of Fog entities at the network Edge. The immediate vicinity where Fog entities operate will confront various threats that a well-functioning Cloud may not face. The security solutions in the Fog paradigm are improving and increasing as well. However, most of the published literature on Fog computing security and privacy does not provide insights with an extensive assessment of the various issues. Importantly, we elaborate on some security and privacy challenges encountered in the Fog paradigm.


### *4.4. Major Attacks and Countermeasures*

It is essential to note that vulnerabilities, threats, or security attacks can appear differently in different paradigms, and there exists no specific way of solving the various security issues. Thus, several designed models must be considered to safeguard a Cloud, Edge, or Fog computing system. This will help create a joint force of many reliable layered defense models [116].

Table 2 presents a detailed comparison of Cloud, Edge, and Fog paradigms based on a designated OSI model layer. Attack examples common to the three paradigms are associated with the various layers. These identified security attacks and privacy leakages are matched to a specific proposed countermeasure. In some situations, the same countermeasure of a particular paradigm can be applied to the other ones. However, due to the complexity of these paradigms or their ecosystems, deploying a single countermeasure is challenging.

**Table 2.** Attack specifics of paradigms and suggested countermeasures.




As of now, end devices do not involve any established security measures. For this reason, security vulnerabilities are likely to be present during data transmission. Some vulnerability research is underway to understand the different ways an end device or layer can face an attack. It is significant that vulnerability research projects be carried out extensively and in depth when studying attacks and their aspects [141]. We can deduce that security vulnerabilities are safeguarded differently at each layer. This attains the basic security demands such as confidentiality, authenticity, integrity, and, not least, availability. Cryptography is suggested for data confidentiality, stopping data leakage to illegitimate persons. Although cryptography offers better data confidentiality, it needs additional computation power, therefore causing latency. Users and end-devices are in proximity to each other; for example, FNs have some level of reach to individuals' data, especially where the information is generated. Data processed in FNs are more security-sensitive than data processed in Cloud servers, thus requiring enhanced protection.

Overall, Cloud, Edge, and Fog paradigms consist of applications, resources, and a massive quantity of end-devices within a given centralized or decentralized area, existing together and inter-communicating. Therefore, the huge potential for vulnerabilities in security and privacy does exist. One good way of screening systems for possible vulnerabilities is by auditing security standards.

Vulnerabilities in any system might expressly grant attackers partial or full access to cause severe harm. If data are breached, critical information of individuals or organizations can be exposed, and an attack can cause serious malfunctioning of an entire network and create disruptions. We found that gaining access to sensitive data is the main target of the threats, seizures, or vulnerabilities of the examined paradigms, whether joint or apart.

Importantly, we found that these vulnerabilities can be properly discovered with the right tools and approaches. Despite the constant search for vulnerabilities in systems by attackers (hackers/cybercriminals), there are up-to-date, sophisticated countermeasures to mitigate such threats, internal or external. Most essentially, each vulnerability has a specific mechanism to counter its threats and attacks. Moreover, another important aspect is that the vulnerabilities tend to undermine the security and privacy of the related paradigms, exposing them (and their data) to potential security attacks and privacy leakages.

### **5. Discussion and Conclusions**

The essential aim of this work was to execute a comprehensive article review on Cloud, Edge, and Fog paradigms, respectively, with a special focus on identifying similarities, differences, attacks, and countermeasures based on security and privacy aspects.

Cloud, Edge, and Fog paradigms create a substantial heterogeneous quantity of data capable of being managed over a centralized or distributed system. Looking at the discussions presented in this work, we deduced that the security and privacy issues arising from the heterogeneity of this ecosystem are a significant challenge. Data transfer from one end to another opens a way for many security and privacy vulnerabilities, even though some of these weaknesses can be detected and eliminated quickly. Solutions cannot be swiftly deployed to user devices simply because of the complexity of the ecosystem. However, IDS mechanisms are largely significant for the different paradigms, as some are considered effective in countering DoS/DDoS attacks (zero-day attacks). In certain scenarios, IDS mechanisms introduce gateway devices to provide higher processing power if needed.

Security and privacy are considered primary drawbacks, limiting several institutions and organizations from adopting computational offloading technology. As mentioned earlier, these paradigms face different security and privacy threats, but the most outstanding are DoS/DDoS attacks. For instance, Cloud customers can suffer heavily if Cloud services and resources are breached for a moment by attackers. Cloud systems encounter high latency and high costs in communication and data storage. These issues are present because of the centralized nature of the Cloud and its geographical distance from the end-devices that produce data. To resolve these shortcomings in the Cloud, Edge Computing was introduced as a Cloud Computing extension.

As identified during the review, Edge provides much lower latency than the Cloud platform to end-devices; however, there is a rapid drop in security when migrating from the Cloud platform to the Edge platform due to the Edge network being decentralized (distributed) in nature. Furthermore, observing the migration of data from the Cloud platform to end-devices via the Edge network, the storage capacity sharply reduces. There is also a rapid decrease in real-time operations as data moves from end-devices via the Edge platform to the Cloud platform. For longer storage needs, a Cloud platform is used. Storage or processing of data from the end-devices occurs in the Edge platform. Despite the emergence of Edge Computing, vulnerabilities and threats still exist, and this, therefore, calls for strict measures with enhanced security and privacy techniques. The Fog paradigm was considered to ameliorate the Cloud and Edge paradigms.

As with the Edge paradigm, Fog renders services (computation, networking, data storage, etc.) closer to the end-devices rather than moving data to the Cloud platform, but in a distributed manner. Moreover, the introduction of the Fog paradigm is seen to improve the infrastructural network to match the demands of large data quantities while efficiently enhancing the processing strength. The Fog paradigm can improve mobility, complexity in a distributed environment, location identity, real-time response, as well as security and privacy. The Fog paradigm does not depend on the Cloud data center but instead relies on end-devices to store and process its data. Broader availability of node access gives some level of flexibility to the applications. Like the Fog paradigm, the Edge paradigm also permits computation handling at the network edge, near where data are generated. What makes the Fog paradigm different from the Edge paradigm is the ability of Fog nodes to interconnect, while the Edge paradigm operates with separate Edge nodes.

Confidentiality, integrity, and availability are the most significant security and privacy properties of information systems. The transfer and storage of data must be confidential, with integrity, and made available. Confidentiality grants data access only to the individuals and organizations that own these data. During the transfer of data within the different user layers and the main network, and when storing and processing data in the Cloud, Edge, or Fog paradigm, access is strongly restricted. Encrypting data is a way of achieving confidentiality. Data correctness and consistency is a model of integrity, which avoids information being tampered with or modified. Some mechanisms can be used for verifying the integrity of sent and received data. Only authorized persons are granted access to available data. Thus, availability determines that data must be available anywhere based on established policies. To attain these expectations, various instruments, patterns, methodologies, and mechanisms such as cryptography, encryption, authentication, and others are deployed to the multiple platforms (layers) when data are being transferred and stored.
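The mutual authentication and selective encryption named in Section 3.3.1 for medical Fog nodes, and the confidentiality and integrity mechanisms described in the paragraph above, can be combined in one message-protection scheme between a sensor and the Fog node that receives its readings. The following Python program is an added example written for this edit, not code from the reviewed paper or from any cited work: both parties prove possession of a pre-shared key to each other by challenge-response, and each message is then protected with encrypt-then-MAC using separately derived keys, a sequence number against replay, and a constant-time tag comparison. The pre-shared key and the sample reading are constructed placeholders. To stay standard-library only, the keystream is HMAC-SHA256 run in counter mode as a PRF; a production deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305 in the same structure.

```python
"""Sensor <-> Fog node message protection: mutual challenge-response
authentication, then encrypt-then-MAC with derived keys and a replay check.
Standard library only; all names and sample values are this example's own."""
import hashlib
import hmac
import secrets
import struct

# Constructed placeholder key: in practice provisioned at device enrolment.
PSK = bytes.fromhex("0f" * 32)
SEQ_LEN = 8       # big-endian sequence number
NONCE_LEN = 12    # fresh per message
TAG_LEN = 32      # HMAC-SHA256 tag


def derive_key(psk: bytes, label: bytes) -> bytes:
    """One purpose-specific 32-byte subkey per label (HMAC used as a KDF),
    so authentication, encryption and MAC never share a key."""
    return hmac.new(psk, label, hashlib.sha256).digest()


def auth_response(psk: bytes, role: bytes, nonce: bytes) -> bytes:
    """Prove possession of the PSK; the role label prevents a reflected reply."""
    return hmac.new(derive_key(psk, b"auth"), role + nonce, hashlib.sha256).digest()


def mutual_authenticate(device_psk: bytes, node_psk: bytes) -> bool:
    """Each side challenges the other with a fresh nonce; True only if both
    responses verify under the local copy of the key."""
    node_nonce, device_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    from_device = auth_response(device_psk, b"device", node_nonce)   # device answers the node
    from_node = auth_response(node_psk, b"node", device_nonce)       # node answers the device
    node_ok = hmac.compare_digest(auth_response(node_psk, b"device", node_nonce), from_device)
    device_ok = hmac.compare_digest(auth_response(device_psk, b"node", device_nonce), from_node)
    return node_ok and device_ok


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def protect(psk: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: header(seq, nonce) || ciphertext || tag.
    The header is covered by the tag, so seq and nonce cannot be altered."""
    nonce = secrets.token_bytes(NONCE_LEN)
    header = struct.pack(">Q", seq) + nonce
    ks = keystream(derive_key(psk, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(derive_key(psk, b"mac"), header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unprotect(psk: bytes, last_seq: int, message: bytes) -> tuple:
    """Verify the tag before anything else, reject replays, then decrypt.
    Raises ValueError on any failure so callers never see unverified data."""
    if len(message) < SEQ_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    header = message[:SEQ_LEN + NONCE_LEN]
    ciphertext, tag = message[SEQ_LEN + NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(derive_key(psk, b"mac"), header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    seq = struct.unpack(">Q", header[:SEQ_LEN])[0]
    if seq <= last_seq:
        raise ValueError("replayed or out-of-order message")
    ks = keystream(derive_key(psk, b"enc"), header[SEQ_LEN:], len(ciphertext))
    return seq, bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    assert mutual_authenticate(PSK, PSK)
    reading = b"patient=0001;hr=72;spo2=98"      # constructed sample reading
    wire = protect(PSK, 1, reading)
    print(unprotect(PSK, 0, wire))
    tampered = bytearray(wire)
    tampered[SEQ_LEN + NONCE_LEN] ^= 0x01        # flip one ciphertext bit
    try:
        unprotect(PSK, 0, bytes(tampered))
    except ValueError as err:
        print("rejected:", err)
```

Two design points carry over to any real deployment: the tag is checked before decryption or any parsing of the payload, so a forged or corrupted message is dropped before it can influence the node, and the sequence number is part of the authenticated header, so replaying an old but genuine reading is detected as well. Selective encryption, as the text calls it, would apply `protect` only to the fields classed as sensitive while still covering the whole record with the tag.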

Overall, Cloud, Edge, and Fog paradigms exhibit the same view of providing QoS to customers, but they all have a separate set of features that makes them differ from one another, as we have explained in this work. Notably, the Fog paradigm is designated the most effective and reliable system to better handle the security and privacy challenges encountered.

To summarize, even though the Fog paradigm can offer better security and privacy services to end-devices in general, some features of the Fog paradigm, such as decentralization, constraints of resources, homogeneity, and virtualized systems, are vulnerable to security and privacy challenges in comparison to the Cloud paradigm, which is centralized. Due to the absence of standardization regarding countermeasure deployment, highly effective security and privacy mitigation in the Cloud paradigm cannot be implemented directly in the Fog paradigm because of the features named above. Therefore, Fog systems do need innovative countermeasures to address these challenges. Future research should also address new techniques and mechanisms that fit Fog paradigm features and possibly cross-platform countermeasure tools. Hence, there should be suggestions for effective and efficient solutions.

**Review Methodology:** The systematic literature review is based on PRISMA guidelines [10]. The publication date range was set from 2017 to 2021. We used the most popular ICT sector databases for research works, such as IEEE, Web of Science, Science Direct, Springer, and Scopus, while not considering pre-prints, duplicates, and gray literature. Later on, we analyzed the titles, abstracts, and keywords of the various academic publications to figure out specific journal articles and other important papers related to security and privacy in Cloud, Edge, and Fog paradigms. The following search query was formulated for reproducibility:

TITLE (((cloud OR Edge OR fog) AND computing) AND (security OR privacy)) AND (LIMIT-TO(PUBYEAR, 2021) AND LIMIT-FROM(PUBYEAR, 2017)) AND (LIMIT-TO(SUBJAREA, "COMP") OR LIMIT-TO(SUBJAREA, "ENGI")) AND (LIMIT-TO(LANGUAGE, "English")) AND (LIMIT-TO(PUBSTAGE, "final"))

Some exclusion criteria were set to narrow the search outcomes during the first screening stage from the paper's titles and abstracts:


After applying the exclusion criteria, the number of selected publications was lowered from 1390 to 447. Sixty-one duplicates were found and removed from the list. The titles, abstracts, and keywords of the retained 386 papers were screened, and 187 papers were dismissed since they did not match the exclusion criteria. The number of papers left was 199, and their whole content was thoroughly analyzed. After the additional screening, 122 papers were still rejected since they were unrelated to the topic.

**Author Contributions:** Conceptualization, A.O., J.N.; methodology, A.O.; validation, J.N.; formal analysis, J.N., M.K.; investigation, O.L.M., A.O.; writing, original draft preparation, O.L.M., A.O.; writing, review and editing, A.O., M.K., J.N.; visualization, A.O.; supervision, A.O., J.N.; project administration, A.O., J.N.; funding acquisition, J.N. All authors have read and agreed to the published version of the manuscript.

**Funding:** This project has received financial support from the Priority 2030 Federal Academic Leadership Program.

**Acknowledgments:** The work was executed as part of the second author's Master's thesis work titled "Security and Privacy Aspects of Cloud, Edge, and Fog Paradigms: A Systematic Review".

**Conflicts of Interest:** The authors declare no conflict of interest.
