Review

IoT–Cloud Integration Security: A Survey of Challenges, Solutions, and Directions

by Mohammed Almutairi 1,2,* and Frederick T. Sheldon 1
1 Department of Computer Science, University of Idaho, Moscow, ID 83844, USA
2 Department of Computer Science and Engineering, University of Hafr Al Batin, Hafar Al Batin 39524, Saudi Arabia
* Author to whom correspondence should be addressed.
Electronics 2025, 14(7), 1394; https://doi.org/10.3390/electronics14071394
Submission received: 16 February 2025 / Revised: 24 March 2025 / Accepted: 27 March 2025 / Published: 30 March 2025

Abstract

The confluence of the Internet of Things (IoT) and cloud computing heralds a paradigm shift in data-driven applications, promising unprecedented insights and automation across critical sectors like healthcare, smart cities, and industrial automation. However, this transformative synergy introduces a complex tapestry of security vulnerabilities stemming from the intrinsic resource limitations of IoT devices and the inherent complexities of cloud infrastructures. This survey delves into the escalating threats—from conventional data breaches and application programming interface (API) exploits to emerging vectors such as adversarial artificial intelligence (AI), quantum-resistant attacks, and sophisticated insider threats—that imperil the integrity and resilience of IoT–cloud ecosystems. We critically evaluated existing security paradigms, including encryption, access control, and service-level agreements, juxtaposed with cutting-edge approaches like AI-driven anomaly detection, blockchain-secured frameworks, and lightweight cryptographic solutions. By systematically mapping the landscape of security challenges and mitigation strategies, this work identified the following critical research imperatives: the development of standardized, end-to-end security architectures, the integration of post-quantum cryptography for resource-constrained IoT devices, and the fortification of resource isolation in multi-tenant cloud environments. A comprehensive comparative analysis of prior research, coupled with an in-depth case study on IoT–cloud security within the healthcare domain, illuminates the practical challenges and innovative solutions crucial for real-world deployment. Ultimately, this survey advocates for the development of scalable, adaptive security frameworks that leverage the synergistic power of AI and blockchain, ensuring the secure and efficient evolution of IoT–cloud ecosystems in the face of evolving cyber threats.

1. Introduction

The intersection of the Internet of Things (IoT) and cloud computing has revolutionized how we interact with technology and manage data. The IoT refers to the network of physical objects embedded with sensors, software, and other technologies that enables them to connect and exchange data with other devices over the internet. These “smart” devices extend a wide range of applications from household devices and fitness trackers to industrial machines and city infrastructure. The IoT enhances our ability to monitor, control, and optimize various aspects of our daily lives and operational processes by providing real-time data and actionable insights [1].
On the other hand, cloud computing is a technology that allows users to access and manage computing resources such as servers, storage, databases, and applications over the internet. Cloud computing thus provides a scalable and flexible environment where resources can be easily managed rather than relying on local hardware and software. It offers several benefits, including cost savings, increased flexibility, and the ability to handle large volumes of data.
When the IoT and cloud computing are combined, they create powerful software. IoT devices generate large amounts of data, which can be collected, stored, and processed in the cloud. This integration facilitates advanced analytics, real-time monitoring, and improved decision-making. For instance, in a smart city context, sensors might track traffic flow and environmental conditions, with the data analyzed in the cloud to optimize traffic signals and improve air quality.
Additionally, the growth of IoT devices and cloud computing has led to several limitations, particularly in security. The complexity of securing hybrid systems is compounded by the diversity of IoT devices and their resource limitations, which makes it challenging to apply traditional cloud security measures effectively. Moreover, issues like virtualization vulnerabilities, insider threats, and data breaches increase when IoT data are transferred to cloud environments. Furthermore, the lack of standardized frameworks to address both IoT and cloud-specific vulnerabilities highlights a significant gap, as many solutions focus on one aspect without taking a holistic approach to security. This gap underscores the need for innovative and validated strategies to tackle the emerging security challenges in this integration. Addressing these challenges requires robust security protocols and increased user awareness, as emphasized by Tawalbeh [2] and echoed by the General Data Protection Regulation (GDPR) [3] principles that support risk awareness and privacy-preserving guarantees. This survey investigates key security challenges, analyzes existing mitigation strategies, and highlights research gaps to guide future advancements in securing IoT–cloud ecosystems.
The rest of this paper is structured as follows: Section 2 presents the background, while Section 3 provides an overview of related works. Section 4 presents security challenges in IoT–cloud integration. Section 5 explores existing mitigation techniques and security solutions. Section 6 discusses open research gaps and future directions. Finally, Section 7 concludes with a summary of findings and outlines future directions for research.

2. Background

2.1. Cloud Computing Architecture

A cloud computing architecture is designed to provide scalable and flexible IT resources over the internet. It typically involves several layers and components, as shown in Figure 1. They work together to deliver computing services efficiently and securely. Moreover, with the increasing adoption of the IoT, many critical infrastructures (CIs) are moving toward cloud-based systems to enhance operational efficiency and scalability. Critical Infrastructures refer to the essential systems and assets that are vital to national security, public health, transportation, and economic stability.
However, this shift increases the demand for strong security frameworks to ensure high assurance because vulnerabilities in connected systems can have significant consequences. Below is a breakdown of the main elements of cloud computing.

2.1.1. Cloud Service Models

(a) Infrastructure as a Service (IaaS): Provides virtualized computing resources over the internet, including virtual machines, storage, and networking. It is used for scalable computing resources, data storage, and networking capabilities, enabling utility-like services for users [4].
(b) Platform as a Service (PaaS): Offers hardware and software tools over the internet, usually for application development, including development frameworks, databases, middleware, and development tools. Developers use it to build, deploy, and manage applications without dealing with the underlying infrastructure. PaaS offers development environments with APIs and middleware for custom application creation without the need for local configuration [4].
(c) Software as a Service (SaaS): Provides fully functional software applications and user interfaces over the internet. Users access SaaS applications, which include email services, CRM systems, and collaboration tools, via a web browser on a subscription or pay-per-use basis [4].

2.1.2. Cloud Deployment Models

Cloud deployment models define how cloud services are provided and managed. Each model offers different levels of implementing cloud systems, varying in administration, ownership, access control, and security protocols [5]. The four primary deployment models are public, private, hybrid, and community clouds [6,7].
(a) A public cloud is a cloud infrastructure that is owned and operated by a third-party cloud service provider that delivers computing resources like servers and storage over the internet. These resources are shared among multiple organizations (tenants).
(b) A private cloud is a cloud infrastructure that is exclusively used by a single organization. It can be hosted on-premises within the organization’s data center or by a third-party provider.
(c) A hybrid cloud is a combination of public and private clouds that allows data and applications to be shared between them. This model offers the benefits of both environments.
(d) A community cloud is shared among several organizations with similar interests or requirements, such as compliance and security. It is managed by one or more organizations in the community or by a third-party provider.

2.1.3. Cloud Computing Components

Cloud computing architectures consist of various components that work together to deliver cloud services. Thus, understanding these components helps in effectively managing and utilizing cloud resources.

Compute Resources

Computing resources provide the processing power required to run applications and services in a cloud. The components needed are as follows:
  • Virtualized servers that run on physical hardware, but they are managed independently. Examples include AWS EC2 instances and Azure Virtual Machines;
  • Containers that offer lightweight virtualization at the operating system level, providing agility and efficiency compared to traditional virtual machines (VMs) [8];
  • Serverless computing, or Function as a Service (FaaS), which enables cost-efficient, rapidly scalable applications without configuration and management overheads [9].
Containers, serverless computing, and virtualized servers are integral parts of modern cloud computing. The integration of containers and serverless computing has led to serverless container solutions, such as AWS ECS with Fargate and the SCAR framework [10]. These technologies build upon microservice-based architectures and state-of-the-art container technology, allowing users to manage complex applications without system-level expertise [11]. However, container-based virtualization faces challenges in terms of isolation and security, which has prompted the development of new container runtimes and security-oriented solutions [8].

Storage

Cloud storage services offer block, file, and object storage options as part of their IaaS offerings [12]. These storage types are crucial for modern healthcare systems, which generate large volumes of data requiring scalable, secure, and reliable storage solutions [13]. Object storage is increasingly adopted for healthcare big data due to its scalability, cost effectiveness, and suitability for data analytics. Cloud-backed file systems, on the other hand, seek to combine the benefits of local POSIX-interface storage with remote cloud storage. However, they face challenges in supporting efficient random file access on object storage systems [14].

Networking

Networking components manage how cloud resources communicate with each other and with external networks, as follows:
  • Virtual private clouds (VPCs) are integral components of cloud network architectures that provide isolated virtual network environments within a public cloud infrastructure [15].
  • Load balancers distribute incoming traffic across multiple instances to ensure high availability and reliability.
  • A content delivery network (CDN) is responsible for distributing content to edge locations around the world to improve performance and reduce latency.
Load balancers and CDNs are crucial components in cloud environments. Load balancers distribute traffic across virtual machines to prevent overloading or insufficient utilization of networking nodes, which ensures data availability and perfect performance [16]. CDNs, on the other hand, can be virtualized by using cloud infrastructure to provide customized content delivery services for providers. These virtual CDNs utilize shared virtual machines in IaaS clouds and can dynamically scale resources to meet changing demands while adhering to service level agreements [17].

Management and Monitoring

There are three main kinds of tools and services for managing cloud resources, monitoring performance, and ensuring security. First, monitoring tools, such as AWS CloudWatch, Azure Monitor, and Google Cloud Operations Suite, can track resource usage, performance metrics, and health. Second, management tools allow administrators to provision, manage, and automate resources. Last, automation tools like Azure Resource Manager enable automated deployment and scaling of resources. These tools and technologies collectively support the development of future internet applications, enhance market opportunities for smart infrastructures, and improve business processes in cloud computing environments [18].

Cloud Security

Cloud security is a vital concern for businesses adopting cloud computing. As organizations move their data and applications to the cloud, protecting sensitive information becomes essential. Several strategies have been proposed to enhance data security in cloud storage.
One important approach is using Service Level Agreements (SLAs). These formal contracts define expectations between users and cloud service providers. SLAs help ensure that both parties are aligned on data protection standards.
In addition to SLAs, it is crucial to implement strong protections for data storage, transfer, and authorization [19]. This includes techniques like encryption for data at rest and in transit, secure authentication protocols, and strict access controls.
A combined approach has been suggested to further enhance security. This includes using secure sockets layer (SSL) encryption for secure data transmission, message authentication codes (MACs) for integrity checks, and dividing data into three sections. This division reduces the risk of breaches by ensuring that no single point of failure can compromise all data [20].
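The integrity half of that combined approach can be sketched as follows. This is an added example, not code from the survey or from the scheme in [20]: the three-way split, the per-section HMAC-SHA256 tag and the `record_id` binding are assumptions chosen to show why each section's MAC should cover its position, and the sample record is constructed. Transport encryption is out of scope here.

```python
import hashlib
import hmac

SECTIONS = 3  # the scheme described above divides data into three sections

# Constructed sample record (not real patient data).
SAMPLE_RECORD = b'{"device":"bp-monitor-07","sys":121,"dia":79,"pulse":66}'


def split_sections(data: bytes, n: int = SECTIONS) -> list[bytes]:
    """Divide data into n contiguous sections of near-equal size."""
    size, extra = divmod(len(data), n)
    out, pos = [], 0
    for i in range(n):
        end = pos + size + (1 if i < extra else 0)
        out.append(data[pos:end])
        pos = end
    return out


def section_tag(key: bytes, record_id: str, index: int, section: bytes) -> bytes:
    """HMAC-SHA256 over record id, section index and section content.

    Binding the id and index means a valid section cannot be moved to
    another position or spliced into another record without detection.
    """
    rid = record_id.encode()
    header = len(rid).to_bytes(2, "big") + rid + index.to_bytes(1, "big")
    return hmac.new(key, header + section, hashlib.sha256).digest()


def protect(key: bytes, record_id: str, data: bytes) -> list[tuple[bytes, bytes]]:
    """Return [(section, tag), ...]; each pair can be stored in a separate location."""
    return [(s, section_tag(key, record_id, i, s))
            for i, s in enumerate(split_sections(data))]


def verify_and_join(key: bytes, record_id: str, stored) -> bytes:
    """Check every tag in constant time, then reassemble; raise ValueError on failure."""
    if len(stored) != SECTIONS:
        raise ValueError("wrong number of sections")
    for i, (section, tag) in enumerate(stored):
        expected = section_tag(key, record_id, i, section)
        if not hmac.compare_digest(expected, tag):
            raise ValueError(f"section {i} failed integrity check")
    return b"".join(section for section, _ in stored)


def is_intact(key: bytes, record_id: str, stored) -> bool:
    """Boolean wrapper around verify_and_join for monitoring or audit jobs."""
    try:
        verify_and_join(key, record_id, stored)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = bytes(range(32))  # demo key only; use a randomly generated secret in practice
    stored = protect(key, "rec-0001", SAMPLE_RECORD)
    print("intact:", is_intact(key, "rec-0001", stored))
    swapped = [stored[1], stored[0], stored[2]]
    print("after swapping two sections:", is_intact(key, "rec-0001", swapped))
```

The MAC key has to be held apart from the stored sections; a party that obtains both can forge tags.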
Effective cloud security solutions should also focus on encryption, access control, data loss prevention, and regular security audits. These practices are crucial for maintaining data confidentiality, integrity, and availability [21]. Regular audits help identify vulnerabilities and ensure compliance with regulations.
Additionally, a new two-tier framework called WAY (Who Are You?) has been proposed. This framework uses a virtual machine (VM) monitoring system to assess user trust. It also enforces security measures at multiple levels, including the network, infrastructure, and data storage [22]. By addressing the unique challenges of diverse cloud platforms, WAY aims to improve overall data protection.

APIs and Interfaces

Application programming interfaces (APIs) are essential for deploying applications and facilitating interactions between cloud service providers and consumers [23,24]. They support various cloud service models like SaaS, PaaS, and IaaS [25]. Additionally, cloud APIs come in different forms like standards-based APIs, which are particularly useful for certain cloud applications [26]. Another form is command-line interfaces (CLIs), which developers generally favor over web consoles, especially for CRUD tasks [27].
How do APIs work?
  • In the request phase, the application sends a request to a cloud service through an API. This request can include commands like “get data”, “store data”, or “delete data”.
  • In the processing phase, the cloud service receives the request and processes it, and this might involve interacting with databases, computing resources, or other services.
  • In the response phase, after processing the request, the cloud service sends a response back to the application via the API, as shown in Figure 2. This response typically includes the requested data or a confirmation of an action taken (like a successful upload).
  • In the user interaction phase, the application uses the data or confirmation from the response to update what the user sees, completing the interaction.
As cloud computing adoption grows, securing APIs becomes increasingly important to protect cloud services and data [23]. Additionally, real-time computing capabilities and quality of service (QoS) assurance are emerging challenges that cloud providers are addressing through specialized APIs [25]. Understanding API trends and developments is crucial for both cloud users and providers [24].

2.1.4. Key Cloud Considerations

(a) Scalability
A fundamental advantage of cloud computing is its ability to dynamically adjust resources based on current demands. This flexibility enables businesses to scale up their infrastructure during peak periods, such as a product launch or seasonal traffic spikes, and scale down during quieter times to avoid unnecessary costs. Scalability can be achieved in the following two ways: horizontal scaling, which adds more instances, and vertical scaling, which upgrades existing instances. Additionally, auto-scaling features automatically adjust resources based on predefined policies. This ensures that applications remain responsive and cost effective without manual intervention. Cloud scalability enables modern computing systems to efficiently adapt to dynamic workloads [28].
(b) Reliability
Reliability is crucial for maintaining continuous service and minimizing downtime. Cloud providers design their systems with high availability in mind, employing strategies like data replication across multiple geographic regions and implementing load balancing to evenly distribute traffic. These practices ensure that if one component fails, another can take over, thereby maintaining service continuity. Disaster recovery plans, such as regular backups and failover mechanisms, enhance reliability by ensuring data recovery and operational continuity in the event of a major disruption.
(c) Compliance and security
Cloud providers invest heavily in security measures, including encryption, access controls, and regular audits to safeguard data. However, organizations must also implement their own security practices to ensure compliance with regulations such as GDPR. This involves configuring security settings appropriately, managing access permissions, and continuously monitoring for vulnerabilities to protect against potential threats.
(d) Performance optimization
Cloud environments require careful configuration of resources to meet performance expectations such as low latency and high throughput. Additionally, regular monitoring and performance tuning are necessary to identify and address inefficiencies. Performance monitoring tools provide insights into resource utilization and application behavior, enabling organizations to make necessary adjustments to maintain high performance levels.
(e) Integration and interoperability
Effective integration involves using APIs and middleware to connect cloud services with on-premise systems and facilitate smooth data flows. Data migration strategies are important for transferring data between cloud environments or integrating with legacy systems, ensuring that all components of the IT infrastructure operate cohesively.

2.2. IoT Architectures

The IoT architecture typically consists of the following five layers: physical perception, the network and protocol, transport, application, and data/cloud services, as shown in Figure 3 [29]. These layers encompass various hardware, protocols, and services, each with its own specific security considerations.

2.2.1. Perception Layer

The perception layer, also known as the device layer, is the critical interface between digital data and physical devices. This serves as the foundation for environmental sensing and control [30]. This layer typically comprises various sensors, actuators, RFID tags, and other edge devices that gather real-time data from the surrounding environment. Due to its close interaction with physical components, it plays a pivotal role in detecting and collecting key parameters such as temperature, humidity, motion, light, and location.
However, the perception layer also encounters a wide array of security challenges. Many IoT devices operating at this level are constrained by limited computational power, memory, and energy resources, which makes it difficult to implement robust security mechanisms [31].

2.2.2. Network Layer

The network layer is integral for enabling seamless communication between devices and forms the backbone of data transmission and device coordination. It supports the transfer of data from the perception layer to the application layer, typically through a combination of LANs, WANs, cellular networks, and specialized IoT communication protocols like 6LoWPAN, Zigbee, or LoRa [32]. One of the main challenges in the network layer is the integration of diverse device-to-device (D2D) communication technologies. With numerous devices relying on various protocols, such as IPv6, Bluetooth, and Zigbee, ensuring smooth interoperability requires robust addressing, routing, and mobility management solutions.
Additionally, the routing protocols used in this layer must be optimized to handle the unique characteristics of IoT networks, such as large-scale node deployment, frequent topology changes, and low-power operations. Routing decisions must also balance energy consumption and communication reliability, because many IoT devices operate on limited battery power, particularly in large-scale environments like smart cities or industrial IoT [33].
Security is also a significant concern in the IoT network layer [34]. As the layer responsible for transporting sensitive data between devices and central processing hubs, it is highly vulnerable to a variety of attacks. These include man-in-the-middle attacks, where malicious actors restrict or change communication between devices; denial of service (DoS) attacks, where the network is flooded with traffic to disable services; and routing attacks, such as wormhole attacks, which disrupt normal data flow by manipulating routing information. Moreover, the rise of smart devices and their integration into IoT systems, along with the huge volume and diversity of devices, have significantly expanded the attack surface of IoT networks [35].

2.2.3. Edge or Fog Layer

This layer is a transformative architecture that brings computational power and data processing closer to physical devices and end-users. Unlike traditional cloud computing, which requires data to travel long distances to centralized servers, fog computing allows localized processing, which helps to reduce the bandwidth challenges posed by the large growth of IoT devices [36]. This proximity to the data source enables faster data collection, analysis, and processing, which makes it more efficient than relying only on cloud architectures.
Fog computing is especially crucial for IoT applications that demand low latency and real-time decision-making, such as autonomous vehicles, smart manufacturing, and healthcare systems. By reducing the data-processing time, the fog layer enhances response times, which are vital for mission-critical IoT deployments. The architecture is typically organized into two tiers—the lower tier, which manages incoming data streams from devices, and the upper tier, which focuses on more complex tasks such as data analytics and distributed storage [37].
This two-tier structure enables the fog layer to effectively support modern technologies like 5G networks and embedded artificial intelligence, where fast communication and intelligent processing are essential. By incorporating low-cost devices and FPGA-based (field programmable gate array) accelerators, the fog layer can process large amounts of data streams while running advanced machine learning algorithms at the same time, such as deep neural networks (DNNs), close to the data source [37]. This capability greatly enhances the efficiency and responsiveness of IoT systems that provide scalability and flexibility in a wide range of applications.

2.2.4. Middleware Layer

In the IoT, the middleware layer plays a pivotal role as a software layer that bridges the gap between the underlying technological infrastructure and the application layer. Its primary function is to provide common services that simplify the development, management, and integration of various IoT devices and systems. This is essential in environments where various devices, sensors, and protocols need to interact seamlessly. Middleware abstracts the complexities of device communication, data management, and protocol translation, thereby allowing developers to focus on creating applications without needing to worry about the specific implementation details [38].
This layer also makes IoT application development easier by providing reusable components like data storage and device management, which reduces the need for developers to manage hardware and protocols manually. In addition, it supports data integration and combining data from numerous sources, which is especially crucial for large-scale IoT systems like smart cities and industrial IoT [39]. With the rise of 5G, middleware must now handle larger data volumes, high-speed communication, and low latency. This layer needs to efficiently process and transmit big data in real time, particularly in critical applications like autonomous vehicles, smart healthcare, and industrial automation [40].

2.2.5. Application Layer

The application layer is responsible for providing essential services to users and facilitating communication between devices, which enables data exchange and coordination across various platforms [41]. Moreover, it acts as the interface between IoT devices and the end-users, translating raw data into actionable information and services. By supporting different protocols, this layer ensures that IoT devices, often built by different manufacturers and utilizing various technologies, can work together seamlessly [42]. This layer relies on multiple communication protocols, each designed to address specific requirements such as real-time data exchange, security, and scalability. The following are key protocols used at this layer:
Key Protocols in the Application Layer
1. Constrained Application Protocol (CoAP)
This protocol is designed for lightweight devices with limited computational power and bandwidth and enables communication in resource-constrained environments like smart homes or industrial IoT. It is often used with devices that operate on low power and in networks with limited data-transfer capacities.
2. Message Queuing Telemetry Transport (MQTT)
A publish/subscribe protocol ideal for remote monitoring and control applications. MQTT enables devices to send messages to a broker, which then distributes them to subscribers. It is highly efficient for applications requiring minimal data transmission, such as sensors in smart agriculture.
3. Extensible Messaging and Presence Protocol (XMPP)
This protocol is often used for instant messaging and real-time data exchange in IoT systems. For instance, in a smart healthcare system, it can be used for sending alerts and notifications between monitoring devices and medical staff.
4. Data Distribution Service (DDS)
DDS is a protocol designed for real-time systems where data need to be distributed across multiple nodes instantly. It is commonly applied in industries like aerospace, automotive, and robotics where real-time data exchange is crucial.
5. Advanced Message Queuing Protocol (AMQP)
This protocol focuses on ensuring reliable and secure messaging between systems. It is widely used in environments that require guaranteed delivery, such as financial systems, and is increasingly being applied in IoT use cases that handle sensitive transactions or communications.
6. Representational State Transfer (REST)
REST is commonly used in web-based applications and allows systems to communicate using HTTP protocols. This makes it a popular choice for IoT applications with cloud integration, such as smart home ecosystems that allow users to control devices via mobile apps or web interfaces.
7. WebSocket
WebSocket provides bi-directional, full-duplex communication between clients and servers. This is essential for real-time IoT applications like live data streaming or instant messaging between devices in IoT ecosystems.
8. Java Message Service (JMS)
JMS is used to send messages between Java-based applications, which makes it a preferred choice for enterprise-level IoT applications where Java is the dominant programming language.
These protocols ensure efficient data transfer, device interaction, and service delivery by enabling devices to communicate with one another and with cloud platforms. This provides the backbone for IoT services such as monitoring, automation, and control [43]. For example, in smart home systems, protocols like MQTT or CoAP allow the control of appliances (lights, thermostats, security systems) through apps or voice commands. Similarly, in smart cities, data from traffic sensors and surveillance cameras are processed and shared using these protocols to manage resources efficiently.
Table 1 compares communication protocols commonly used in the application layer based on the following four key parameters: transport, QoS, architecture, and security. Each protocol operates over a specific transport layer, with most using TCP, which is known for reliable transmission, while protocols like CoAP rely on UDP, which prioritizes speed. Some protocols, like MQTT, DDS, AMQP, and JMS, offer built-in QoS that ensures guaranteed message delivery. Architecturally, they follow either a “request/response” or a “publish/subscribe” model depending on the communication style, with WebSocket supporting both “client/server” and “publish/subscribe”. Finally, security is achieved through encryption standards like TLS/SSL, DTLS, or HTTPS, except for JMS, which utilizes SSL for secure messaging over MSTP. The protocols’ varying combinations of these features make them suitable for different application environments.
Security is one of the most critical concerns for the application layer since it directly interacts with end-users and often deals with sensitive data. Common security threats at this layer include the following:
  • Data breaches: Hackers can intercept data being transmitted between devices;
  • DoS attacks: Malicious actors flood the network, which makes services unavailable;
  • Unauthorized access: Poor authentication mechanisms can lead to unauthorized users accessing sensitive systems, such as surveillance feeds in a smart city.
To mitigate these risks, researchers have proposed various security solutions, such as encryption techniques to protect data integrity, authentication protocols to ensure that only authorized devices and users can access the system, and access control mechanisms that limit the actions that users and devices can perform [43]. Additionally, there is a growing interest in applying blockchain and AI-driven security at the application layer to further enhance protection.
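The access-control mechanism mentioned above can be made concrete for MQTT's publish/subscribe model. The following is an added example, not code from the survey or from any broker: a default-deny check of the kind a broker-side authorization hook could run. The roles, the rule table, the `{client}` placeholder and the topic layout are assumptions for illustration; the wildcard semantics (`+` for one level, `#` for all remaining levels) follow the MQTT specification.

```python
from dataclasses import dataclass

WILDCARDS = ("+", "#")


@dataclass(frozen=True)
class Rule:
    role: str      # role the rule applies to (hypothetical role names)
    action: str    # "publish" or "subscribe"
    pattern: str   # topic filter; "{client}" expands to the caller's client id


# Hypothetical policy: a sensor may only speak for itself.
RULES = (
    Rule("sensor", "publish", "site/+/devices/{client}/telemetry"),
    Rule("sensor", "subscribe", "site/+/devices/{client}/commands"),
    Rule("dashboard", "subscribe", "site/+/devices/+/telemetry"),
    Rule("operator", "publish", "site/+/devices/+/commands"),
)


def valid_filter(topic_filter: str) -> bool:
    """A wildcard must fill a whole level and '#' may only be the last level."""
    if not topic_filter:
        return False
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if level == "#" and i != len(levels) - 1:
            return False
        if level not in WILDCARDS and any(w in level for w in WILDCARDS):
            return False
    return True


def covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    `requested` may be a plain topic name (publish) or a filter (subscribe),
    so a subscription broader than the rule, such as '#', is refused.
    """
    a, r = allowed.split("/"), requested.split("/")
    # Topics starting with '$' (e.g. $SYS) are never matched by a leading wildcard.
    if r[0].startswith("$") and a[0] in WILDCARDS:
        return False
    for i, level in enumerate(a):
        if level == "#":
            return True
        if i >= len(r) or r[i] == "#":
            return False
        if level == "+":
            continue
        if level != r[i]:
            return False
    return len(a) == len(r)


def authorize(role: str, client_id: str, action: str, topic: str) -> bool:
    """Default-deny decision. client_id must come from the authenticated session."""
    # A client id containing '/', '+' or '#' would rewrite the rule it is expanded into.
    if not client_id or any(c in client_id for c in "/+#"):
        return False
    if action == "publish":
        if not topic or any(w in topic for w in WILDCARDS):
            return False  # topic names in PUBLISH must not contain wildcards
    elif action == "subscribe":
        if not valid_filter(topic):
            return False
    else:
        return False
    return any(
        covers(rule.pattern.replace("{client}", client_id), topic)
        for rule in RULES
        if rule.role == role and rule.action == action
    )


if __name__ == "__main__":
    print(authorize("sensor", "pump-17", "publish", "site/a/devices/pump-17/telemetry"))
    print(authorize("sensor", "pump-17", "publish", "site/a/devices/pump-18/telemetry"))
    print(authorize("sensor", "pump-17", "subscribe", "#"))
```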

3. Related Work

The rapid growth of IoT devices and the widespread adoption of cloud computing have introduced significant security challenges across various domains. While numerous studies have been conducted on the individual security concerns of the IoT and cloud computing, few have focused on the unique risks arising from their intersection. To provide a comprehensive understanding of the current state of research in this area, it is essential to review the existing literature on IoT security, cloud security, and the integration of these technologies. The purpose of this section is to evaluate key studies and surveys that address these domains. By analyzing their contributions and limitations, this section highlights the gaps in the literature that necessitate further research. This review establishes a foundation for understanding challenges, highlights current studies, identifies open issues, and outlines future research directions.

3.1. IoT Security Studies

Recent surveys highlight ongoing security challenges in the IoT ecosystem. Key issues include confidentiality, integrity, and authenticity [44]. While some studies have categorized the most and least discussed IoT security issues, they often fall short of exploring how these challenges have been addressed by researchers.
Moreover, ref. [45] reports that industrial IoT faces critical security and privacy challenges due to its complex architecture. Also, the authors pointed out that existing solutions to address these issues might not be effective. Tan, Soo Fun, and Azman Samsudin proposed a four-layer Industrial Internet of Things (IIoT) security architecture and conducted a comprehensive security analysis on each layer. Also, their work identifies open security and privacy issues in IIoT, including the need for a standardized bottom-up security architecture. They provide a detailed review of security challenges and solutions relevant to various IIoT technologies and standards across the proposed layers. However, traditional security mechanisms may be insufficient for securing modern IIoT technologies. For example, relying on outdated or insecure cryptographic algorithms like RSA, MD5, RC4, and DES-56 is risky. Additionally, there are concerns about the limitations of IPSec and TLS/SSL mechanisms, such as insufficient authorization, access control, availability, and non-repudiation. Furthermore, using weak, single-factor password authentication makes systems more vulnerable.
Further highlighting these issues, ref. [46] identified several open research problems in IoT security, including secure service discovery, on-device credential security, network anomaly detection, and application-layer security. Also, the authors provide guidelines for future exploration. However, the study emphasizes the need for additional research to validate the usability of proposed security solutions (e.g., HIP, DTLS, CapBAC) within large-scale IoT systems. Existing security solutions mainly focus on access control and information security but often ignore critical aspects like resource efficiency and functional robustness, which are essential for IoT applications. Moreover, many current security mechanisms are incompatible with IoT systems, which leads to significant security and privacy concerns [47]. The literature reveals that while some vulnerabilities have been addressed, several challenges remain unresolved in IoT security. These vulnerabilities include weaknesses at the device level, insufficient authentication mechanisms, network security risks, and concerns related to data privacy [48]. Due to their simplistic architecture, low-power hardware, and design often prioritized for convenience over security, IoT devices are especially vulnerable to attacks [49]. Several studies have identified critical security vulnerabilities inherent in IoT architectures. For example, ref. [50] discusses various attacks targeting IoT devices, including unauthorized access and data breaches. While IoT security challenges have received significant attention, the cloud environment also presents unique threats that need consideration.

3.2. Cloud Security Studies

Cloud computing offers numerous benefits but faces significant security challenges, including data breaches, compliance, insider threats, and unauthorized access [51,52]. Ensuring data privacy, confidentiality, and integrity is crucial in addressing these challenges [52,53]. Identity and access management (IAM) plays a vital role in improving authentication and access controls [52,54]. Other challenges involve securing cloud orchestration platforms, ensuring service availability, and addressing cloud-native security risks [52]. Cyberattacks, misuse of cloud resources, and insecure APIs pose ongoing threats [54]. To reduce these risks, various solutions are proposed, including robust access controls, encryption, API security measures [51], advanced encryption techniques, virtual firewalls [54], and ensuring data availability and investigative support [53]. Collaborative efforts across fields are essential for developing innovative security solutions and best practices for cloud environments [52].
In addition, while cloud computing provides scalable and cost-effective services, security issues that span multiple levels of the cloud infrastructure, such as applications, networks, hosts, and data, remain a major concern. These issues limit its widespread adoption [55,56]. Also, multi-tenancy, a core feature of cloud computing, poses significant challenges across all infrastructure levels. This potentially leads to unavailability, data loss, and privacy breaches [56]. Researchers have proposed various solutions to address these concerns, such as multi-factor authentication (MFA) [57]. However, many challenges remain unresolved, particularly those related to cloud features like flexibility [56]. Ongoing research focuses on developing effective security measures to protect user data and applications in the cloud environment [55,58]. Addressing these security and privacy issues is essential for increasing cloud adoption and deployment [57]. However, integrating the IoT with cloud infrastructure introduces a new aspect of complexity, which is examined in the following section.

3.3. IoT and Cloud Integration Security Studies

The integration of IoT and cloud computing introduces substantial security challenges. This includes account hacking, phishing, malware attacks, man-in-the-middle attacks, and DoS [59]. The complexity of securing these systems is compounded by limited resources, diverse device types, and the vast volumes of data generated within IoT ecosystems [60]. Vulnerabilities in cloud environments arise from virtualization, insider threats, data breaches, and insecure APIs, which further complicate security [60].
Security concerns in IoT-enabled cloud computing can be categorized into the following four key areas: data security, network and service security, application security, and human-related issues [61]. Traditional security measures often fail, necessitating innovative approaches such as the use of deep learning and artificial intelligence (AI) [61]. Moreover, a shared responsibility model between IoT users and cloud service providers is important to improve security in cloud-based IoT applications [60]. The exploration of open-source solutions and the integration of security operations centers (SOCs) into IIoT systems are ongoing efforts in this area [62]. Addressing these challenges requires a comprehensive approach that integrates secure service discovery, on-device credential protection, and network anomaly detection [46]. In industrial contexts, it is necessary to focus on data collection methods, cloud system usability, and implementation of robust cybersecurity measures [62]. Ongoing research focuses on developing holistic security frameworks and best practices to mitigate these challenges.
A recent comprehensive study examined IoT privacy and security challenges and proposed a variety of solutions, such as robust encryption protocols and privacy-preserving mechanisms. However, it did not sufficiently address cloud-specific security concerns inherent in IoT–cloud integration scenarios [2]. Similarly, Sharma provided an in-depth review of security challenges in IoT environments, highlighting various attacks and mitigation strategies. However, it did not sufficiently cover the latest threats, such as adversarial attacks targeting AI-driven IoT–cloud applications [63]. Furthermore, Abdur conducted a broad analysis of IoT security issues, describing security threats, vulnerabilities, and defense mechanisms, but offered limited insights into lightweight cryptography techniques essential for resource-constrained IoT devices that communicate with cloud environments [64].
The review of existing studies indicates that while significant progress has been made in IoT and cloud security individually, limited research has focused on their integration. Key gaps include the lack of standardized security frameworks, lightweight cryptographic solutions, and adversarial AI threats, which will be further explored in the following sections. Table 2 provides a structured comparison of past surveys, outlining their focus areas, key contributions, and limitations. Our study expands the scope of IoT–cloud security research by incorporating discussions on lightweight cryptographic techniques for constrained IoT devices, adversarial AI threats, API security best practices, and the transition to post-quantum security in IoT–cloud systems. This work extends the current body of literature and provides a clearer path for future research directions.

4. Security Threats and Challenges in IoT–Cloud Integration

The integration of the IoT and cloud systems has introduced several ongoing security challenges. While significant progress has been made in identifying risks and proposing countermeasures, several key gaps remain.

4.1. Device-Level Challenges

IoT devices often operate under severe resource constraints, limiting their ability to implement conventional security mechanisms. Also, they are often limited in terms of processing power, memory, and battery life. This makes it difficult to implement standard cryptographic algorithms such as AES, RSA, and SHA-256. These traditional methods require significant computational resources, leading to increased latency and energy consumption, which reduces the efficiency of IoT systems. Recent surveys on IoT security underscore the focus on confidentiality, integrity, and authenticity, with attention being directed toward resource-constrained environments and lightweight security protocols [2,34]. Moreover, many studies tend to overlook device-level security vulnerabilities, such as weak authentication mechanisms, insecure firmware updates, and poor physical security [36].
A growing concern in device-level security is the transition from classical cryptography to Post-quantum cryptography (PQC) while ensuring resistance to side-channel attacks. IoT devices are particularly vulnerable to physical attacks, such as power-based side-channel attacks, which can compromise cryptographic implementations. While PQC algorithms are designed to withstand quantum threats, they remain exposed to leakage through physical side channels, which makes their deployment in resource-constrained IoT devices difficult. Additionally, implementing effective countermeasures against side-channel attacks in PQC remains an ongoing research challenge, as existing methods may not be fully effective [66].

4.2. Network-Level Challenges

Network-level vulnerabilities are among the most exploited in IoT–cloud integration, particularly due to the wireless and untrusted nature of communication. The resource constraints of IoT devices make it difficult to implement advanced security protocols such as IPsec and TLS/SSL, which makes communications vulnerable to interception and manipulation [20]. Despite the development of alternative protocols, such as Datagram TLS and lightweight encryption methods, ensuring secure data transfer remains a challenge, particularly in large-scale and real-time IIoT environments [3,30].
A major network-level security concern is replay attacks, in which attackers intercept valid messages and resend them to gain unauthorized access or manipulate behavior. These attacks exploit authentication codes and regular data exchanges, compromising system integrity and security [67]. Existing authentication mechanisms often fail to prevent replay attacks effectively, necessitating more robust cryptographic techniques and enhanced timestamp validation.

4.3. Cloud-Level Challenges

This integration makes security challenges more difficult, especially concerning data protection, network security, and malware attacks [2,3]. The challenge of securing hybrid systems is increased by the variety of IoT devices and their resource constraints. This makes it difficult to apply traditional cloud security mechanisms [34]. For instance, issues related to virtualization, insider threats, and data breaches are expanded when IoT data are transmitted to cloud environments. A common challenge highlighted in the literature is the lack of standardized frameworks that address both IoT and cloud-specific vulnerabilities. Many proposed solutions focus on either IoT or cloud security independently but fail to integrate a comprehensive approach that ensures end-to-end security [20]. The lack of a suitable framework increases the risk of inconsistent security implementations, which can leave gaps that attackers can exploit.

4.4. API and Interface Challenges

APIs are the primary communication channels between IoT devices and cloud platforms, enabling data exchange and remote-control functionalities. However, insecure APIs pose significant security risks, as attackers can exploit them to gain unauthorized access, manipulate data, or launch DoS attacks [68]. Many large-scale IoT deployments have suffered breaches due to weak API security, making it a critical area of concern.
Common API security threats include weak authentication and authorization, where attackers exploit insecure API mechanisms, such as hardcoded API keys or weak codes, to gain unauthorized access to sensitive IoT data or cloud resources [69]. Another risk is excessive data exposure, where APIs may return more data than necessary, which increases the potential for data leaks if controlled by malicious parties. Rate-limiting bypass is also a concern, as attackers can flood APIs with too many requests, causing DoS attacks or service degradation. Additionally, APIs that fail to sanitize inputs are vulnerable to injection attacks, including SQL injection, cross-site scripting (XSS), and remote code execution (RCE) [70]. These vulnerabilities enable attackers to manipulate database queries, execute malicious scripts, and potentially gain unauthorized control over IoT devices and cloud servers. Therefore, enhancing API security requires stronger authentication methods, encryption, and improved access control mechanisms to mitigate risks effectively.

4.5. AI and Advanced Threats

AI-driven security techniques are being explored to enhance IoT–cloud security, particularly in anomaly detection and automated threat mitigation. However, AI itself introduces new risks, such as adversarial AI attacks that manipulate machine learning models used for security analytics. Attackers can craft adversarial inputs to trick AI-based intrusion detection systems, which makes them ineffective [58]. These malicious inputs are crafted to exploit vulnerabilities in AI models and bypass detection mechanisms [71].
  • Types of Adversarial AI Attacks
    1. Evasion Attacks: Attackers craft malicious inputs that trick AI models into misclassifying them. For instance, attackers may modify network traffic patterns to bypass AI-based intrusion detection systems (IDSs).
    2. Poisoning Attacks: Attackers inject manipulated data into the training dataset, which leads to compromised AI decision-making. This can be quite dangerous in IoT environments where AI models continuously learn from real-time data streams.
    3. Model Inversion Attacks: Attackers attempt to rebuild sensitive training data by analyzing the outputs of an AI model. This may extract confidential information processed in cloud environments [71].

5. Security Solutions and Mitigation Strategies

Various solutions have been proposed to mitigate the challenges discussed, with key areas of focus being lightweight cryptography, post-quantum cryptography, and enhancing cloud security.

5.1. Lightweight Cryptography and Post-Quantum Cryptography for IoT Security

Limitations in processing power, memory, and battery life make it challenging to implement traditional cryptographic algorithms like AES, RSA, and SHA-256, which can be addressed using the following approaches:

5.1.1. Lightweight Cryptographic Solutions

To address the limitations of conventional encryption methods, researchers have developed lightweight cryptographic algorithms specifically designed for resource-constrained IoT devices [72]. These approaches include the following:
  • Elliptic curve cryptography (ECC), which offers strong security with shorter key sizes, reducing computational overhead while maintaining high levels of protection.
  • Lightweight block ciphers
    • PRESENT is an ultra-lightweight cipher designed for embedded systems, offering strong encryption with minimal power consumption.
    • SIMON and SPECK are a pair of flexible lightweight ciphers optimized for IoT applications, balancing security and performance.
  • Lightweight hash functions are cryptographic hash functions optimized for efficiency in IoT devices, ensuring secure data integrity with minimal resource usage.

5.1.2. Post-Quantum Cryptography and the IoT

With the advent of quantum computing, traditional cryptographic methods such as RSA, ECC, and AES face significant security risks. Quantum algorithms like Shor’s algorithm can break widely used cryptographic techniques, which makes IoT systems vulnerable. However, integrating PQC into IoT environments presents challenges due to larger key sizes and higher computational requirements. Some promising PQC solutions include the following:
  • NTRU (lattice-based cryptography) is known for its efficiency in resource-constrained environments. NTRU offers a balance between security and computational complexity, making it a possible option for IoT applications [73].
  • CRYSTALS-Kyber (NIST-recommended PQC algorithm) is a strong candidate for post-quantum secure IoT networks. It provides efficient key exchange mechanisms while maintaining high security standards [74].

5.2. Blockchain-Based Security Frameworks

IoT and cloud integration presents notable security challenges that lead researchers to explore blockchain-based solutions. Traditional centralized architectures are vulnerable to cyber threats like distributed DoS (DDoS) attacks and unauthorized access. Blockchain enhances security through decentralization, cryptographic hashing, and immutable records, ensuring data integrity and confidentiality [75]. Innovative frameworks such as adaptive multi-layer security (AMLS) and blockchain-enabled distributed trust (BEDT) have shown high detection rates for cyber threats and strong data integrity preservation [76]. Additionally, blockchain enables decentralized identity management to reduce dependence on vulnerable credential-based authentication.
Beyond authentication, blockchain strengthens data security and access control. Smart contracts execute automated policies that prevent unauthorized access and data leaks. A BEDT security framework using edge cloud and software-defined networking (SDN) has been effective in enhancing data confidentiality [77]. Moreover, integrating blockchain with decentralized storage solutions like IPFS improves secure data storage. Blockchain’s role in IoT–cloud integration promises enhanced privacy, data integrity, and secure transactions [78]. However, challenges like scalability and resource constraints must be addressed through optimized blockchain models and lightweight consensus mechanisms to ensure efficient large-scale adoption.

5.3. Mitigating Adversarial AI Threats in IoT–Cloud Security

AI-based security mechanisms, such as anomaly and intrusion detection systems, are increasingly used to enhance IoT–cloud security. However, as discussed in Section 4.5, these systems are vulnerable to adversarial AI threats that can bypass detection and compromise system integrity.
Real-world implications in IoT–cloud systems highlight significant vulnerabilities, especially in terms of adversarial threats. One major concern is the bypassing of IoT anomaly detection mechanisms. By introducing adversarial noise into sensor data, attackers can manipulate AI-driven monitoring systems to ignore security threats. For example, a smart city’s environmental sensors could be tricked into reporting normal pollution levels when an actual dangerous situation exists. Similarly, cloud-based intrusion detection systems (IDSs) powered by AI are exposed to manipulation through adversarial samples. These crafted inputs can mislead an IDS, enabling cybercriminals to evade detection while carrying out malicious activities.
  • Countermeasures and Defenses
Adversarial training plays a crucial role in enhancing the resilience of AI systems by training models on adversarial examples, which enables them to recognize and defend against manipulated inputs. On the other hand, explainable AI (XAI) improves AI transparency, allowing security analysts to better understand decision-making processes and detect anomalies in adversarial scenarios [79]. Additionally, robust AI architectures, such as ensemble learning and defensive distillation techniques, can strengthen models against adversarial attacks. Addressing adversarial AI threats is vital for ensuring the reliability of AI-driven security systems in IoT–cloud environments. Future research should focus on enhancing the robustness of AI models, integrating explainability techniques, and developing proactive defenses against emerging adversarial attack strategies.

5.4. Defending Against Replay Attacks in IoT–Cloud Security

Many IoT devices use local networks for communication, which can be vulnerable to replay attacks. These attacks occur when an adversary intercepts legitimate signals (such as commands or data) between an IoT device and the cloud and then retransmits them to manipulate the system into executing unauthorized actions. A study revealed that 75% of devices tested for local connectivity were exposed to such attacks. The researchers proposed REPLIoT, a tool that automatically tests IoT devices for replay attack vulnerabilities with high accuracy (0.98–1). The study highlights the importance of securing local communication alongside cloud connectivity [67].
  • Mitigation Techniques for Replay Attacks
    • Nonce-based authentication implements unique, randomly generated values (nonces) for each authentication session, preventing attackers from reusing intercepted credentials.
    • Timestamp validation enforces strict timestamp-based request validation to ensure that old or replayed messages are automatically rejected [80].
    • Secure session codes are cryptographic session codes that expire after a single use, which prevents attackers from exploiting previously valid authentication data [81].
To enhance IoT–cloud security, it is crucial to integrate these countermeasures into device communication protocols, authentication mechanisms, and cloud API security frameworks. Therefore, organizations can effectively mitigate the risks associated with replay attacks and strengthen the integrity of IoT–cloud systems.
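The three mitigations above can be combined in one receiver-side check. The following is an added example, not code from the survey or from REPLIoT; the message layout, the 30-second freshness window, and the names `sign_command` and `ReplayGuard` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MAX_SKEW_SECONDS = 30  # assumed freshness window; tune to real clock drift
SIGNED_FIELDS = ("device_id", "ts", "nonce", "command")


def compute_tag(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of every field that must not change."""
    body = json.dumps({f: msg[f] for f in SIGNED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_command(key: bytes, device_id: str, command: dict,
                 now: Optional[float] = None) -> dict:
    """Sender side: attach a timestamp, a fresh random nonce, and the tag."""
    msg = {
        "device_id": device_id,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
        "command": command,
    }
    msg["tag"] = compute_tag(key, msg)
    return msg


class ReplayGuard:
    """Receiver side: authenticity, then freshness, then single use."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # (device_id, nonce) -> time after which it can be forgotten

    def evict(self, now: float) -> None:
        # A nonce is only worth remembering while its timestamp would still
        # pass the freshness check; afterwards the timestamp test rejects it.
        for nonce_id in [n for n, expiry in self.seen.items() if expiry < now]:
            del self.seen[nonce_id]

    def verify(self, msg: dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            expected = compute_tag(self.key, msg)
        except (KeyError, TypeError):
            return "reject: malformed"
        supplied = str(msg.get("tag", ""))
        # Constant-time comparison; the tag also covers ts and nonce, so an
        # attacker cannot refresh either field on a captured message.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "reject: bad tag"
        if abs(now - msg["ts"]) > self.max_skew:
            return "reject: stale timestamp"
        self.evict(now)
        nonce_id = (msg["device_id"], msg["nonce"])
        if nonce_id in self.seen:
            return "reject: nonce reused"
        self.seen[nonce_id] = msg["ts"] + self.max_skew
        return "accept"
```

The nonce cache stays bounded because entries are dropped as soon as the timestamp check alone would reject the message, which is why the two checks are used together rather than either one by itself.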

5.5. API Security in IoT–Cloud Integration

To mitigate the API vulnerabilities outlined in Section 4.4, robust security mechanisms must be implemented to protect IoT–cloud systems. Weak authentication, data leaks, and injection attacks remain significant risks, emphasizing the need for secure API design principles [82].
The following best practices are essential for securing APIs in IoT–cloud environments:
  • Secure APIs with OAuth 2.0 token-based authentication rather than relying on static API keys;
  • Implement API gateways to act as intermediaries, filter out malicious traffic, and enforce security policies;
  • Restrict the number of API requests per second to prevent abuse and DoS attacks;
  • Use strict input validation to prevent injection attacks and ensure that all API requests use HTTPS encryption.
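The practices listed above can be read as an ordered pipeline at the gateway. This added example is not from the survey: the token table is a constructed stand-in for an OAuth 2.0 authorization server's token introspection, and the scope name, metric ranges, status codes, and the `Gateway` and `validate_reading` names are assumptions.

```python
import re

DEVICE_ID_RE = re.compile(r"[a-z0-9-]{1,32}")
# Assumed allow-list of metrics and plausible ranges for a telemetry endpoint.
METRIC_RANGES = {"temperature": (-40.0, 125.0), "humidity": (0.0, 100.0)}


class TokenBucket:
    """Per-client rate limit: `rate` requests per second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: float):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity
        self.updated = 0.0

    def allow(self, now: float) -> bool:
        elapsed = now - self.updated
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def validate_reading(body):
    """Strict allow-list validation; returns an error string or None."""
    if not isinstance(body, dict) or set(body) != {"device_id", "metric", "value"}:
        return "unexpected fields"
    device_id = body["device_id"]
    if not isinstance(device_id, str) or not DEVICE_ID_RE.fullmatch(device_id):
        return "bad device_id"
    metric = body["metric"]
    if not isinstance(metric, str) or metric not in METRIC_RANGES:
        return "bad metric"
    value = body["value"]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return "bad value"
    low, high = METRIC_RANGES[metric]
    if not low <= value <= high:  # also rejects NaN
        return "value out of range"
    return None


class Gateway:
    def __init__(self, token_store: dict, rate: float = 1.0, burst: float = 3):
        self.token_store = token_store  # token -> {"sub", "scope", "exp"}
        self.rate = rate
        self.burst = burst
        self.buckets = {}

    def introspect(self, token: str):
        # Stand-in for asking the authorization server about a bearer token.
        return self.token_store.get(token)

    def handle(self, request: dict, now: float):
        if request.get("scheme") != "https":
            return 400, "https required"
        auth = request.get("authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        claims = self.introspect(auth[len("Bearer "):])
        if claims is None or claims["exp"] <= now:
            return 401, "invalid or expired token"
        if "telemetry:write" not in claims["scope"]:
            return 403, "insufficient scope"
        bucket = self.buckets.setdefault(
            claims["sub"], TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return 429, "rate limit exceeded"
        error = validate_reading(request.get("body"))
        if error:
            return 400, error
        # A valid token for one device must not write data as another device.
        if request["body"]["device_id"] != claims["sub"]:
            return 403, "token not issued for this device"
        return 200, "accepted"
```

Rate limiting here is keyed on the authenticated client, so it complements rather than replaces network-level flood protection in front of the gateway.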

6. Case Study: IoT–Cloud Security Challenges in Smart Healthcare

The healthcare industry increasingly relies on IoT-enabled medical devices to monitor and manage patient health. Smart healthcare systems utilize wearable sensors, remote patient monitoring (RPM) devices, and cloud-based electronic health records (EHRs) to provide real-time diagnostics and treatment recommendations. These IoT devices collect, process, and transmit sensitive medical data to cloud platforms for storage and analysis. However, the integration of IoT with cloud services introduces significant security challenges, making patient data vulnerable to cyber threats.

6.1. Security Risks in Smart Healthcare

Several critical security risks affect IoT–cloud integration in healthcare environments, as follows:
  • Data breaches: Unauthorized access to EHRs due to insecure APIs or weak authentication mechanisms can expose sensitive patient information. A comprehensive analysis of healthcare data breaches from 2010 to 2019 revealed that hacking and IT incidents were the most prevalent causes, with a significant increase in recent years [83].
  • Replay attacks: Medical IoT devices, such as smart insulin pumps and pacemakers, rely on wireless communication for remote configuration and monitoring. In a replay attack, an attacker intercepts and resends previous commands to manipulate drug dosages or disable life-saving equipment, potentially leading to fatal consequences. Studies have highlighted vulnerabilities in wireless infusion pumps, which could be exploited for malicious purposes [84].
  • Adversarial AI attacks: Many smart healthcare systems use AI-driven diagnostic models to detect health conditions based on sensor data. Attackers can manipulate input data (e.g., ECG readings, blood glucose levels) to trick AI models into misdiagnosing conditions, leading to incorrect treatments. Research has shown that adversarial attacks on medical image classification systems can lead to misdiagnoses, posing significant risks to patient safety [85].

6.2. Applied Security Solutions

To mitigate these security risks, various IoT–cloud security solutions have been implemented in smart healthcare, as follows:
  • Lightweight cryptography: Given the resource constraints of medical IoT devices, lightweight encryption algorithms such as ECC and PRESENT are used to ensure data confidentiality while maintaining low power consumption. Research has identified that IoT healthcare vulnerabilities in both devices and software pose risks to patient safety and system integrity, making lightweight cryptographic solutions critical [84].
  • API security measures: Healthcare APIs are secured using OAuth 2.0 authentication, API gateways, and rate limiting to prevent unauthorized data access and DoS attacks. A study emphasizes the need for robust API security measures in healthcare IoT systems to prevent unauthorized access and data breaches [86].
  • AI-based IDS: Machine learning models monitor IoT device activity and detect anomalies in data transmission that may indicate an attack, such as replay attempts or adversarial AI manipulations. Therefore, deep learning techniques would be effective in identifying attack patterns and securing IoT healthcare networks.

6.3. Key Findings and Future Directions

Despite advancements in IoT–cloud security, smart healthcare systems still face critical security challenges. Balancing security with device constraints is a significant challenge for medical IoT devices, which operate with limited processing power and battery life. This makes it difficult to implement strong cryptographic protections. Recent studies emphasize the need for cybersecurity self-evaluation in healthcare organizations to effectively manage security alongside operational constraints [87]. As quantum computing advances, current encryption methods may become outdated, which highlights the need for PQC to secure healthcare data. While specific studies on PQC in healthcare IoT are limited, researchers emphasize the importance of developing quantum-resistant security measures [88]. Additionally, implementing a zero-trust security model, where every device and user must continuously authenticate before accessing cloud services, can mitigate the risk of unauthorized access in healthcare environments. A study suggests that zero-trust security can significantly enhance IoT–cloud integration resilience [89].
By integrating these security measures, smart healthcare systems can enhance patient safety and data protection, ensuring that IoT–cloud-based medical services remain resilient against emerging cyber threats. This case study supports the broader applicability of the IoT–cloud security frameworks discussed in this paper. Also, it highlights the urgent need for ongoing research and adaptive security strategies.

7. Discussion and Open Research Challenges

The integration of IoT and cloud computing has enabled scalable, data-driven services across various industries, but it also introduces critical security risks that remain poorly addressed. IoT devices, which are constrained in terms of processing power and memory, rely on cloud infrastructure for storage and computation. However, multi-tenancy vulnerabilities, API security flaws, adversarial AI attacks, and blockchain scalability issues continue to challenge the security of IoT–cloud environments. While recent research proposes various countermeasures, gaps remain in ensuring end-to-end security from IoT devices to cloud services. This section provides a critical analysis of the reviewed studies that focuses on common trends, weaknesses, and future research directions.

7.1. Evaluation of Current Security Solutions

Cloud computing has become a fundamental component in the realization of IoT ecosystems, offering scalable resources and on-demand computing power. As IoT devices generate massive amounts of data, cloud platforms provide an ideal solution for processing, storage, and analytics. However, cloud environments, particularly when integrated with the IoT, present unique security concerns that remain poorly addressed in many solutions.
A primary challenge in cloud security is ensuring data privacy, confidentiality, and integrity across multi-tenant environments. While IAM systems have been developed to address these issues, they still face challenges, such as maintaining consistent access control policies across hybrid environments and scaling with rapidly growing IoT devices and data streams. Existing IAM solutions often fail to secure cloud orchestration platforms that control and manage cloud resources, leaving them susceptible to insider threats and unsecure APIs [4]. These vulnerabilities can become worse in IoT–cloud systems where the interaction between resource-constrained devices and robust cloud infrastructures creates a complex attack surface.
Additionally, the multi-tenancy nature of cloud systems poses further risks, such as the potential for resource isolation failures, privacy breaches, and service unavailability. These issues arise when multiple tenants (e.g., IoT service providers and consumers) share the same cloud infrastructure. Current research proposes solutions like MFA, but these face limitations due to the cloud’s inherent flexibility, leading to inconsistent security implementation across various services.
To mitigate these risks, blockchain-based identity management has been explored for secure access control and decentralized authentication mechanisms. AI-driven security monitoring can enhance cloud threat detection by analyzing real-time attack patterns. However, these solutions require further refinement to handle cross-tenant security issues and dynamic cloud workloads efficiently.

7.2. IoT–Cloud Integration and Emerging Trends

The integration of the IoT with cloud systems has introduced new research areas, especially in terms of security. Since IoT devices are often deployed in diverse and resource-limited environments, traditional cloud security measures, such as encryption and access control, may not always be suitable. To address these challenges, lightweight cryptography has emerged as a promising solution. Algorithms like ECC and lightweight ciphers such as PRESENT, SIMON, and SPECK are being explored to ensure secure communication while minimizing the strain on the limited resources of IoT devices [45].
Despite the potential of lightweight cryptography, scalability remains a critical challenge. Many IoT systems, particularly those deployed in large-scale industrial contexts like IIoT, require real-time processing and low latency. Traditional cryptographic techniques like RSA and AES are too resource-intensive for IoT devices and fail to provide adequate scalability for large-scale deployments. This issue is particularly significant in IIoT systems where timely decision-making and security are critical. Therefore, lightweight cryptographic methods must balance robust security against the efficiency of IoT systems. As IoT ecosystems develop, further exploration into hybrid models of cryptography, which combine lightweight and traditional methods, could offer more scalable solutions.
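To show what "lightweight" means for one of the ciphers named above, the following added example (not code from this survey or its cited works) implements Speck64/128 in Python and checks it against the designers' published test vector: the cipher needs only 32-bit add, rotate and XOR plus 27 round keys, with no lookup tables. The counter-mode wrapper, its nonce/counter layout and the sample sensor payload are assumptions made for this illustration.

```python
"""Speck64/128: 32-bit words, 128-bit key, 27 rounds (added illustration)."""

MASK = 0xFFFFFFFF        # 32-bit word mask
ROUNDS = 27              # round count for the 64/128 variant
ALPHA, BETA = 8, 3       # rotation amounts used by Speck64/128

# Key and block of the designers' Speck64/128 test vector, in printed word order.
TEST_KEY = (0x1B1A1918, 0x13121110, 0x0B0A0908, 0x03020100)
TEST_PLAINTEXT = (0x3B726574, 0x7475432D)

# Constructed sample telemetry payload (not from the survey).
SAMPLE_PAYLOAD = b'{"dev":"sensor-17","temp_c":21.4}'


def ror(x, r):
    """Rotate a 32-bit word right by r bits."""
    return ((x >> r) | (x << (32 - r))) & MASK


def rol(x, r):
    """Rotate a 32-bit word left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK


def expand_key(key_words):
    """Derive the 27 round keys from (l2, l1, l0, k0).

    The key schedule reuses the round function, so a constrained device needs
    no extra code for it; the stored state is 27 * 4 = 108 bytes.
    """
    l2, l1, l0, k0 = key_words
    l = [l0, l1, l2]
    k = [k0]
    for i in range(ROUNDS - 1):
        l.append(((k[i] + ror(l[i], ALPHA)) & MASK) ^ i)
        k.append(rol(k[i], BETA) ^ l[i + 3])
    return k


def encrypt_block(x, y, round_keys):
    """Encrypt one 64-bit block given as two 32-bit words (x, y)."""
    for rk in round_keys:
        x = ((ror(x, ALPHA) + y) & MASK) ^ rk
        y = rol(y, BETA) ^ x
    return x, y


def decrypt_block(x, y, round_keys):
    """Invert encrypt_block by undoing each round in reverse order."""
    for rk in reversed(round_keys):
        y = ror(y ^ x, BETA)
        x = rol(((x ^ rk) - y) & MASK, ALPHA)
    return x, y


def ctr_xor(data, round_keys, nonce):
    """Counter-mode keystream XOR; the same call encrypts and decrypts.

    Assumed layout for this example: block i is (32-bit nonce, 32-bit counter i).
    A nonce must never repeat under one key, and CTR gives confidentiality
    only: integrity still needs a MAC over the ciphertext.
    """
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 8)):
        x, y = encrypt_block(nonce & MASK, counter & MASK, round_keys)
        keystream = x.to_bytes(4, "big") + y.to_bytes(4, "big")
        chunk = data[offset:offset + 8]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def demo():
    """Return (test-vector ciphertext, encrypted payload, decrypted payload)."""
    round_keys = expand_key(TEST_KEY)
    vector_ct = encrypt_block(*TEST_PLAINTEXT, round_keys)
    nonce = 0x01020304  # constructed value; use a fresh nonce per message
    sealed = ctr_xor(SAMPLE_PAYLOAD, round_keys, nonce)
    opened = ctr_xor(sealed, round_keys, nonce)
    return vector_ct, sealed, opened


if __name__ == "__main__":
    vector_ct, sealed, opened = demo()
    print("test vector ciphertext:", " ".join(f"{w:08x}" for w in vector_ct))
    print("payload ciphertext    :", sealed.hex())
    print("payload recovered     :", opened.decode())
```
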
Moreover, recent research has highlighted the role of AI in enhancing IoT–cloud security. AI-driven anomaly detection and IDSs have proven to be effective in identifying suspicious activities within IoT networks. However, the vulnerability of AI models to adversarial attacks poses a significant risk to their deployment in IoT–cloud systems. Attacks like evasion, poisoning, and model inversion can compromise the performance of AI models, enabling attackers to bypass detection mechanisms and manipulate IoT systems without detection. Future research must focus on enhancing the resilience of AI models against adversarial attacks through techniques such as adversarial training, XAI, and robust optimization. Moreover, the integration of AI and blockchain could further strengthen security by providing decentralized and tamper-proof systems for secure data exchange and authentication.

7.3. Research Gaps and Future Directions

From the analysis of current studies, several research gaps are evident. First, while layered architectures are being proposed for IIoT systems, there is still a critical need for comprehensive end-to-end security frameworks. These frameworks should address the entire data lifecycle from IoT devices to the cloud. Additionally, they must be scalable and adaptable to accommodate various IoT use cases. Second, given the resource constraints of IoT devices, particularly in industrial and consumer contexts, there is a significant demand for lightweight cryptographic solutions. These algorithms must balance robust security with good performance, which is critical for the effective operation of IoT devices. Third, as multi-tenancy remains a foundational aspect of cloud services, researchers should concentrate on developing improved resource isolation techniques. Stronger methods are essential to enhance the security of cloud environments and protect against cross-tenant attacks. Finally, integrating AI can enhance real-time detection and response to security threats; for example, AI can be deployed in a financial institution or bank to monitor transactions for malicious activity.
The AI system would analyze massive volumes of transaction data and detect unusual patterns (e.g., unusually large transfers or transactions from high-risk locations). The system can then flag suspicious transactions or temporarily suspend them in real time. This allows the organization to review or stop suspicious transactions before significant losses occur. However, using AI for financial monitoring might raise privacy and compliance concerns that need to be addressed. Additionally, applying blockchain technology can create decentralized and tamper-proof IoT–cloud ecosystems. Blockchain also provides end-to-end traceability, data privacy, authentication, and cryptographic security benefits to address IoT security and privacy issues [65,90]. However, blockchain transactions are processed in blocks, and each block needs to be validated through a consensus mechanism, which causes delays. This latency is a significant concern in IoT–cloud ecosystems, particularly for real-time applications like self-driving vehicles and healthcare systems, where every second counts. These areas are promising for further exploration and validation. Such innovations could significantly strengthen security measures in both cloud and IoT environments.
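The transaction-monitoring flow described above (score each transfer, then allow, flag, or temporarily suspend it) is sketched below as an added example that is not code from the survey. It stands in a simple robust-statistics detector (median/MAD per account) for the AI model; the thresholds, location codes, account names and transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Constructed policy values for this illustration (assumptions, not from the survey).
HIGH_RISK_LOCATIONS = {"ZZ", "XX"}  # placeholder location codes
FLAG_SCORE = 3.5      # robust deviations above the account median => "unusually large"
SUSPEND_SCORE = 8.0   # extreme deviation => hold the transfer for review
MIN_HISTORY = 5       # with fewer past transfers, no amount baseline is trusted


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    location: str


def amount_score(amount, history):
    """Robust deviations by which `amount` exceeds the account's median.

    Median/MAD replaces mean/stddev so that one past outlier cannot stretch
    the baseline. Returns None when there is too little history to judge.
    """
    if len(history) < MIN_HISTORY:
        return None
    med = median(history)
    mad = median(abs(a - med) for a in history)
    # 1.4826 * MAD estimates the standard deviation for normal data; the 5 %
    # floor avoids division by zero when all past amounts are identical.
    scale = max(1.4826 * mad, 0.05 * abs(med), 1e-9)
    return max(0.0, (amount - med) / scale)


class TransactionMonitor:
    """Keeps a per-account baseline and decides allow / flag / suspend."""

    def __init__(self, history=None):
        self.history = {acct: list(v) for acct, v in (history or {}).items()}

    def assess(self, txn):
        past = self.history.setdefault(txn.account, [])
        score = amount_score(txn.amount, past)
        reasons = []
        if score is None:
            reasons.append("insufficient_history")
        large = score is not None and score >= FLAG_SCORE
        extreme = score is not None and score >= SUSPEND_SCORE
        risky = txn.location in HIGH_RISK_LOCATIONS
        if large:
            reasons.append(f"unusually_large(score={score:.1f})")
        if risky:
            reasons.append(f"high_risk_location({txn.location})")

        if extreme or (large and risky):
            decision = "suspend"      # temporarily hold, pending human review
        elif large or risky:
            decision = "flag"         # let through, but queue for review
        else:
            decision = "allow"
            # Only cleared transfers update the baseline, so a burst of
            # suspicious amounts cannot shift what counts as normal.
            past.append(txn.amount)
        return decision, reasons


# Constructed sample data: six past transfers for one account, then a live stream.
SAMPLE_HISTORY = {"acct-A": [120.0, 95.0, 130.0, 110.0, 105.0, 99.0]}
SAMPLE_STREAM = [
    Txn("t1", "acct-A", 125.0, "US"),
    Txn("t2", "acct-A", 180.0, "US"),
    Txn("t3", "acct-A", 115.0, "ZZ"),
    Txn("t4", "acct-A", 9500.0, "US"),
    Txn("t5", "acct-A", 170.0, "ZZ"),
    Txn("t6", "acct-B", 50.0, "US"),
]


def run_demo():
    """Return a list of (txn_id, decision, reasons) for the sample stream."""
    monitor = TransactionMonitor(SAMPLE_HISTORY)
    return [(t.txn_id, *monitor.assess(t)) for t in SAMPLE_STREAM]


if __name__ == "__main__":
    for txn_id, decision, reasons in run_demo():
        print(f"{txn_id}: {decision:8s} {', '.join(reasons)}")
```

Recording the reasons alongside each decision gives reviewers an audit trail for every hold, which bears on the privacy and compliance concerns the paragraph raises.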

Final Considerations and Future Impact

IoT–cloud security requires a mixed approach that integrates cryptography, AI-driven security models, and blockchain technology. Even though existing solutions partially address security threats, significant research gaps remain in ensuring scalability, real-time protection, and AI security against adversarial attacks.
The combination of AI-powered threat detection and blockchain-based security frameworks offers a promising direction for decentralized security models. Furthermore, integrating hybrid cryptographic techniques will enhance security performance for resource-constrained IoT devices [91]. Future research should prioritize the development of scalable, low-latency, AI-enhanced security mechanisms that ensure real-time threat detection, automated responses, and secure data transmission. As IoT ecosystems continue to expand into critical areas like healthcare, finance, and industrial automation, addressing these security gaps will be essential for building resilient and trustworthy IoT–cloud infrastructures. Table 3 summarizes risks, existing solutions, and future research directions identified in recent studies to provide a better understanding of the security challenges in IoT and cloud integration.

8. Conclusions

The combination of IoT and cloud computing has transformed data management and processing by enabling real-time monitoring, advanced analytics, and enhanced decision-making. IoT devices generate massive volumes of data that are stored and analyzed in the cloud to facilitate various applications. However, this integration also introduces significant security challenges, including data breaches, virtualization vulnerabilities, insider threats, insecure APIs, adversarial AI attacks, replay attacks, and post-quantum cryptographic concerns. The resource constraints of IoT devices, combined with the complexity of securing hybrid cloud environments, make traditional security mechanisms insufficient. The lack of standardized frameworks to address combined IoT–cloud vulnerabilities further worsens the problem. While encryption, access control, and SLAs provide some level of security, emerging approaches such as AI-powered anomaly detection, blockchain-enhanced authentication, and lightweight cryptographic solutions show greater promise. Research highlights critical gaps such as the need for end-to-end security frameworks, lightweight cryptographic solutions for resource-constrained devices, the development of post-quantum cryptographic algorithms suitable for IoT devices, and improved isolation techniques for multi-tenant cloud environments. Replay attacks and adversarial AI threats have emerged as critical concerns, requiring robust countermeasures such as real-time authentication mechanisms and adversarial training models for AI security systems.
Furthermore, the case study on smart healthcare demonstrates how IoT–cloud security risks translate into real-world vulnerabilities that emphasize the urgency of securing medical data, APIs, and IoT-enabled medical devices. Moreover, future efforts should focus on integrating AI for intelligent threat detection, leveraging blockchain for decentralized security models, and optimizing cryptographic techniques for resource-constrained IoT environments. By addressing these challenges, the security, reliability, and scalability of IoT–cloud ecosystems can be significantly improved, ensuring their safe deployment across critical industries.

Author Contributions

Conceptualization, M.A.; methodology, M.A.; software, M.A.; validation, M.A. and F.T.S.; formal analysis, M.A.; investigation, M.A.; resources, M.A.; data curation, F.T.S.; writing—original draft preparation, M.A.; writing—review and editing, F.T.S.; visualization, M.A.; supervision, F.T.S.; project administration, F.T.S.; funding acquisition, M.A. and F.T.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
| Abbreviation | Definition | Abbreviation | Definition |
|---|---|---|---|
| IoT | Internet of Things | AWS | Amazon Web Services |
| GDPR | General data protection regulation | POSIX | Portable operating system interface |
| CI | Critical infrastructure | VPC | Virtual private cloud |
| IaaS | Infrastructure as a service | CDN | Content delivery network |
| PaaS | Platform as a service | SLA | Service level agreement |
| SaaS | Software as a service | MAC | Message authentication code |
| CRM | Customer relationship management | SSL | Secure sockets layer |
| VM | Virtual machine | API | Application programming interface |
| FaaS | Function as a service | CLI | Command-line interface |
| QoS | Quality of service | LAN | Local area network |
| RFID | Radio frequency identification | WAN | Wide area network |
| BEDT | Blockchain-enabled distributed trust | 6LoWPAN | IPv6 over low-power wireless Personal area network |
| DoS | Denial of service | FPGA | Field programmable gate array |
| TCP | Transmission control protocol | DNN | Deep neural network |
| UDP | User datagram protocol | IIoT | Industrial Internet of Things |
| IAM | Identity and access management | AI | Artificial intelligence |
| SOC | Security operations center | MSTP | Master–slave/token-passing |
| RPM | Remote patient monitoring | EHR | Electronic health record |
| ECC | Elliptic curve cryptography | PQC | Post-quantum cryptography |
| IDS | Intrusion detection system | XAI | Explainable AI |
| MFA | Multi-factor authentication | XSS | Cross-site scripting |
| D2D | Device-to-device | RCE | Remote code execution |
| AMLS | Multi-layer security | SDN | Software-defined networking |
| DDoS | Distributed DoS | | |

References

  1. Sutikno, T.; Thalmann, D. Insights on the internet of things: Past, present, and future directions. TELKOMNIKA (Telecommun. Comput. Electron. Control) 2022, 20, 1399–1420.
  2. Tawalbeh, L.A.; Muheidat, F.; Tawalbeh, M.; Quwaider, M. IoT Privacy and Security: Challenges and Solutions. Appl. Sci. 2020, 10, 4102.
  3. Marco, G.D. Privacy Risk in the IoT Environment: The Need for a Multiple Approach According to the GDPR Principles. In Proceedings of the INTERNET 2019: The Eleventh International Conference on Evolving Internet, Rome, Italy, 30 June–4 July 2019.
  4. Gibson, J.; Rondeau, R.; Eveleigh, D.; Tan, Q. Benefits and challenges of three cloud computing service models. In Proceedings of the 2012 Fourth International Conference on Computational Aspects of Social Networks (CASoN), Sao Carlos, Brazil, 21–23 November 2012; pp. 198–205.
  5. Patel, H.B.; Kansara, N. Cloud Computing Deployment Models: A Comparative Study. Int. J. Innov. Res. Comput. Sci. Technol. 2021, 9, 45–47.
  6. Tanque, M. Cloud-Based Platforms and Infrastructures. In Cloud Security: Concepts, Methodologies, Tools, and Applications; Information Resources Management Association, Ed.; IGI Global: Hershey, PA, USA, 2019; pp. 84–126.
  7. Parsi, K. A Comparative Study of Different Deployment Models in a Cloud. Int. J. Adv. Res. Comput. Sci. Softw. Eng. 2013, 3, 512–515.
  8. Mavridis, I.; Karatza, H.D. Orchestrated sandboxed containers, unikernels, and virtual machines for isolation-enhanced multitenant workloads and serverless computing in cloud. Concurr. Comput. Pract. Exp. 2021, 35, e6365.
  9. Lynn, T.; Rosati, P.; Lejeune, A.; Emeakaroha, V. A Preliminary Review of Enterprise Serverless Cloud Computing (Function-as-a-Service) Platforms. In Proceedings of the 2017 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), Hong Kong, China, 11–14 December 2017; pp. 162–169.
  10. Jain, P.; Munjal, Y.; Gera, J.; Gupta, P. Performance Analysis of Various Server Hosting Techniques. Procedia Comput. Sci. 2020, 173, 70–77.
  11. Eyk, E.; Iosup, A.; Grohmann, J.; Eismann, S.; Bauer, A.; Versluis, L.; Toader, L.; Schmitt, N.; Herbst, N.; Abad, C. The SPEC-RG Reference Architecture for FaaS: From Microservices and Containers to Serverless Platforms. IEEE Internet Comput. 2019, 23, 7–18.
  12. Bala, R.; Chandrasekaran, A.; McArthur, J. Magic Quadrant for Public Cloud Storage Services, Worldwide. 2017. Available online: https://winpro.com.sg/wp-content/uploads/2017/01/Magic-Quadrant-for-Public-Cloud-Storage-Services-Worldwide-24-July-2017.pdf (accessed on 25 March 2025).
  13. Armoogum, S.; Khonje, P. Healthcare Data Storage Options Using Cloud. In Internet of Things; Springer: Cham, Switzerland, 2021.
  14. Chung, L.; Lee, C.; Chou, J.C. Dynamic Block Partitioning Strategy for Cloud-Backed File Systems. In Proceedings of the 2016 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), Luxembourg, 12–15 December 2016; pp. 253–260.
  15. Hu, Z.; Zhang, H.; Sun, S.; Gao, C.; Li, Y.; Li, X. FDRA: Fully Distributed Routing Architecture for Private Virtual Network in Public Cloud. In Proceedings of the International Symposium on Parallel Architectures, Algorithms and Programming, Shenzhen, China, 28–30 December 2020.
  16. Moharana, S. Analysis of load balancers in cloud computing. Int. J. Comput. Sci. Eng. 2013, 2, 101–108.
  17. Um, T.W.; Lee, H.; Ryu, W.; Choi, J. Dynamic Resource Allocation and Scheduling for Cloud-Based Virtual Content Delivery Networks. ETRI J. 2014, 36, 197–205.
  18. Zahariadis, T.; Papadakis, A.; Alvarez, F.; Gonzalez, J.; Lopez, F.; Facca, F.; Al-Hazmi, Y. FIWARE Lab: Managing Resources and Services in a Cloud Federation Supporting Future Internet Applications. In Proceedings of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing, London, UK, 8–11 December 2014; pp. 792–799.
  19. Zhang, X.; Du, H.; Chen, J.; Lin, Y.; Zeng, L. Ensure Data Security in Cloud Storage. In Proceedings of the 2011 International Conference on Network Computing and Information Security, Guilin, China, 14–15 May 2011; Volume 1, pp. 284–287.
  20. Sood, S.K. A combined approach to ensure data security in cloud computing. J. Netw. Comput. Appl. 2012, 35, 1831–1838.
  21. Waghchaude, K.G. A Review on Cloud Computing Security Issues, Applicable Solutions and Implementation. Int. J. Sci. Res. Eng. Manag. 2024, 8, 1–3.
  22. Pal, S.; Khatua, S.; Chaki, N.; Sanyal, S. A New Trusted and Collaborative Agent Based Approach for Ensuring Cloud Security. arXiv 2011, arXiv:1108.4100.
  23. Gunjan, K.; Tiwari, R.; Sahoo, G. Towards Securing APIs in Cloud Computing. arXiv 2013, arXiv:1307.6649.
  24. Odun-Ayo, I.; Okereke, C.; Evwieroghene, O. Cloud and Application Programming Interface—Issues and Developments. In Proceedings of the World Congress on Engineering, London, UK, 4–6 July 2018.
  25. Katsaros, G.; Cucinotta, T. Programming Interfaces for Realtime and Cloud-Based Computing. In Achieving Real-Time in Distributed Computing; IGI Global Scientific Publishing: Hershey, PA, USA, 2012.
  26. Sill, A. When to Use Standards-Based APIs (Part 2). IEEE Cloud Comput. 2015, 2, 80–84.
  27. Coleman, C.; Griswold, W.; Mitchell, N. Do Cloud Developers Prefer CLIs or Web Consoles? CLIs Mostly, Though It Varies by Task. arXiv 2022, arXiv:2209.07365.
  28. Taher, H. Harnessing the Power of Distributed Systems for Scalable Cloud Computing A Review of Advances and Challenges. Indones. J. Comput. Sci. 2024, 13, 1750–1769.
  29. Mrabet, H.; Belguith, S.; Alhomoud, A.; Jemai, A. A Survey of IoT Security Based on a Layered Architecture of Sensing and Data Analysis. Sensors 2020, 20, 3625.
  30. Wang, H.; Sun, Z.; Chen, S. A novel real-time method for moving vehicle detection. J. Internet Technol. 2016, 17, 1501–1509.
  31. Wu, C.K. IoT Perception Layer Security. In Internet of Things Security. Advances in Computer Science and Technology; Springer: Singapore, 2021.
  32. Bello, O.; Zeadally, S.; Badra, M. Network layer inter-operation of Device-to-Device communication technologies in Internet of Things (IoT). Ad Hoc Netw. 2017, 57, 52–62.
  33. Khan, J.Y.; Yuce, M.R. (Eds.) Internet of Things (IoT): Systems and Applications, 1st ed.; Jenny Stanford Publishing: New York, NY, USA, 2019.
  34. Hussain, B.; Elmedany, W.; Sharif, S. The Internet of Things Security Issues and Countermeasures in Network Layer: A Systematic Literature Review. In Proceedings of the 2022 International Conference on Data Analytics for Business and Industry (ICDABI), Virtual, 25–26 October 2022; pp. 787–793.
  35. Zaib, M.; Reegu, F.; Dar, A.; Bhat, W. Recent Privacy and Security Issues in Internet of Things Network Layer: A Systematic Review. In Proceedings of the 2022 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), Erode, India, 7–9 April 2022; pp. 1025–1031.
  36. Chiang, M.; Zhang, T. Fog and IoT: An Overview of Research Opportunities. IEEE Internet Things J. 2016, 3, 854–864.
  37. Trivedi, U.; Sanghavi, F.; Nguyen, S.; Salcic, Z. Predicting Parking Occupancy in Real-time Using Fog Layer Hosted DNN Implemented in FPGA. In Proceedings of the 2021 IEEE International Conference on Artificial Intelligence and Computer Applications (ICAICA), Dalian, China, 28–30 June 2021; pp. 345–352.
  38. Fersi, G. Middleware for Internet of Things: A Study. In Proceedings of the 2015 International Conference on Distributed Computing in Sensor Systems, Fortaleza, Brazil, 10–12 June 2015; pp. 230–235.
  39. Chaqfeh, M.; Mohamed, N. Challenges in middleware solutions for the internet of things. In Proceedings of the 2012 International Conference on Collaboration Technologies and Systems (CTS), Denver, CO, USA, 21–25 May 2012; pp. 21–26.
  40. Amaral, L.A.; Matos, E.D.; Tiburski, R.T.; Hessel, F.; Lunardi, W.T.; Marczak, S. Middleware Technology for IoT Systems: Challenges and Perspectives Toward 5G. In Internet of Things (IoT) in 5G Mobile Technologies; Springer: Cham, Switzerland, 2016.
  41. Bani Yassein, M.; Shatnawi, M.; Al-Zoubi, D. Application layer protocols for the Internet of Things: A survey. In Proceedings of the 2016 International Conference on Engineering & MIS (ICEMIS), Agadir, Morocco, 22–24 September 2016; pp. 1–4.
  42. Tayur, V.M.; Suchithra, R. Review of interoperability approaches in application layer of Internet of Things. In Proceedings of the 2017 International Conference on Innovative Mechanisms for Industry Applications (ICIMIA), Bengaluru, India, 21–23 February 2017; pp. 322–326.
  43. Ferdows, J.; Mehedi, S.; Hossain, A.; Shamim, A.; Rasiq, G.M.; Rasiqul, I. A Comprehensive Study of IoT Application Layer Security Management. In Proceedings of the 2020 IEEE International Conference for Innovation in Technology (INOCON), Bangaluru, India, 6–8 November 2020; pp. 1–7.
  44. Imran, S.M.A.; Alam, M.M.; Su’ud, M. A Survey of IoT Security Issues—From Past to Future Trends. J. Comput. Sci. 2021, 17, 1031–1045.
  45. Tan, S.F.; Samsudin, A. Recent Technologies, Security Countermeasure and Ongoing Challenges of Industrial Internet of Things (IIoT): A Survey. Sensors 2021, 21, 6647.
  46. Hossain, M.M.; Kayas, G.; Hasan, R.; Skjellum, A.; Noor, S.A.; Islam, S.M. A Holistic Analysis of Internet of Things (IoT) Security: Principles, Practices, and New Perspectives. Future Internet 2024, 16, 40.
  47. Pannayagol, B.B.; Deshpande, S. Security in Internet of Things: An Overview. In Proceedings of the 2023 International Conference on Device Intelligence, Computing and Communication Technologies (DICCT), Dehradun, India, 17–18 March 2023; pp. 243–248.
  48. Şen, E.; Dash, E.A. Unveiling the Shadows: Exploring the Security Challenges of the Internet of Things (IoT). Int. J. Sci. Res. Eng. Manag. 2023, 7, 1–12.
  49. Kabir, M.; Elmedany, W.; Sharif, S. Securing IoT Devices Against Emerging Security Threats: Challenges and Mitigation Techniques. J. Cyber Secur. Technol. 2023, 7, 199–223.
  50. Dritsas, E.; Trigka, M. A Survey on Cybersecurity in IoT. Future Internet 2025, 17, 30.
  51. Tiwari, A.R. Securing the Cloud: Overcoming Challenges and Implementing Solutions for Effective Cloud Computing Security. Int. J. Res. Appl. Sci. Eng. Technol. 2024, 12, 5100–5110.
  52. Aijaz, U.; Abubakar, M.; Reddy, A.; Pujari, A.C. An Analysis on Security Issues and Research Challenges in Cloud Computing. J. Secur. Comput. Netw. Distrib. Syst. 2024, 1, 37–44.
  53. Surya, K.; Nivedithaa, M.; Uma, S.; Valliyammai, C. Security issues and challenges in cloud. In Proceedings of the 2013 International Conference on Green Computing, Communication and Conservation of Energy (ICGCE), Chennai, India, 12–14 December 2013; pp. 889–893.
  54. Mallisetty, S.B.; Devineni, P.; Tripuramallu, G.A.; Kavitha, D.S.; Kamada, K.; Venkata, D.A.; Krishna, P. A Review on Cloud Security and Its Challenges. In Proceedings of the 2023 International Conference on Intelligent Data Communication Technologies and Internet of Things (IDCIoT), Bengaluru, India, 5–7 January 2023; pp. 798–804.
  55. Chaudhari, A.R.; Gohil, B.N.; Rao, U.P. A review on cloud security issues and solutions. J. Comput. Secur. 2022, 31, 365–391.
  56. Alghofaili, Y.; Albattah, A.; Alrajeh, N.; Rassam, M.A.; Al-rimy, B.A. Secure Cloud Infrastructure: A Survey on Issues, Current Solutions, and Open Challenges. Appl. Sci. 2021, 11, 9005.
  57. Alenizi, B.A.; Humayun, M.; Jhanjhi, N.Z. Security and Privacy Issues in Cloud Computing. J. Phys. Conf. Ser. 2021, 1979, 012038.
  58. Singh, N. Cloud Computing Security Issues. Int. J. Res. Appl. Sci. Eng. Technol. 2024, 12, 2295–2298.
  59. Kulsoom, U.; Nasim, S.F.; Qaiser, A.; Aziz, S.; Fatima, S.A. A Review about Internet of Things (IoT) integration with Cloud Computing with a Limelight on Security. Pak. J. Eng. Technol. 2024, 6, 1–6.
  60. Surianarayanan, C.; Chelliah, P.R. Integration of the Internet of Things and Cloud: Security Challenges and Solutions—A Review. Int. J. Cloud Appl. Comput. 2023, 13, 1–30.
  61. Bazgir, E.; Haque, E.; Sharif, N.B.; Ahmed, M.F. Security aspects in IoT based cloud computing. World J. Adv. Res. Rev. 2023, 20, 540–551.
  62. Ferencz, K.; Domokos, J.; Kovács, L. Cloud Integration of Industrial IoT Systems. Architecture, Security Aspects and Sample Implementations. Acta Polytech. Hung. 2024, 21, 7–28.
  63. Shaukat, K.; Alam, T.M.; Hameed, I.A.; Khan, W.A.; Abbas, N.; Luo, S. A Review on Security Challenges in Internet of Things (IoT). IEEE Access 2021, 9, 168475–168496. Available online: https://ieeexplore.ieee.org/abstract/document/9594183 (accessed on 16 March 2025).
  64. Abdur Razzaq, M.; Habib, S.; Ali, M.; Ullah, S. Security Issues in the Internet of Things (IoT): A Comprehensive Study. Int. J. Adv. Comput. Sci. Appl. 2017, 8, 383–388.
  65. Alotaibi, B. Utilizing Blockchain to Overcome Cyber Security Concerns in the Internet of Things: A Review. IEEE Sens. J. 2019, 19, 10953–10971.
  66. Kamucheka, T.; Fahr, M.; Teague, T.; Nelson, A.; Andrews, D.; Huang, M. Power-based Side Channel Attack Analysis on PQC Algorithms. IACR Cryptol. ePrint Arch. 2021, 2021, 1021.
  67. Lazzaro, S.; Angelis, V.D.; Mandalari, A.M.; Buccafurri, F. Is Your Kettle Smarter Than a Hacker? A Scalable Tool for Assessing Replay Attack Vulnerabilities on Consumer IoT Devices. In Proceedings of the 2024 IEEE International Conference on Pervasive Computing and Communications (PerCom), Biarritz, France, 11–15 March 2024; pp. 114–124.
  68. Kamruzzaman, A.; Thakur, K.; Ali, M.L. Cybersecurity Threats using Application Programming Interface (API). In Proceedings of the 2024 International Conference on Computing, Internet of Things and Microwave Systems (ICCIMS), Gatineau, QC, Canada, 29–31 July 2024; pp. 1–6.
  69. Hussain, F.; Noye, B.; Sharieh, S. Current state of API security and machine learning. IEEE Technol. Policy Ethics 2019, 4, 1–5.
  70. Altayaran, S.A.; Elmedany, W.M. Security threats of application programming interface (API’s) in internet of things (IoT) communications. In Proceedings of the 4th Smart Cities Symposium (SCS 2021), Online, 21–23 November 2021.
  71. Pauling, C.; Gimson, M.; Qaid, M.; Kida, A.; Halak, B. A Tutorial on Adversarial Learning Attacks and Countermeasures. arXiv 2022, arXiv:2202.10377.
  72. Karthik, S.; Rengarajan, A. Advancing IoT Security: A Comprehensive Survey of Lightweight Cryptography Solutions. IJARCCE 2024, 13, 91–94.
  73. Kumari, S.; Singh, M.P.; Singh, R.; Tewari, H. Post-quantum cryptography techniques for secure communication in resource-constrained Internet of Things devices: A comprehensive survey. Softw. Pract. Exp. 2022, 52, 2047–2076.
  74. Liao, Q.; He, L. Lightweight key generation circuits for CRYSTALS-Kyber. In Proceedings of the 2024 3rd International Conference on Electronics and Information Technology (EIT), Chengdu, China, 20–22 September 2024; pp. 209–213.
  75. Jadhav, S.B. Blockchain in IOT Security. Int. J. Res. Appl. Sci. Eng. Technol. 2024, 12, 1074–1077.
  76. Srinivas, C. Innovative Security Frameworks for IOT and Cloud Computing Integration: Challenges and Solutions. Int. J. Innov. Res. Sci. Eng. Technol. 2015, 4, 9535–9543.
  77. Medhane, D.V.; Sangaiah, A.K.; Hossain, M.S.; Muhammad, G.; Wang, J. Blockchain-Enabled Distributed Security Framework for Next-Generation IoT: An Edge Cloud and Software-Defined Network-Integrated Approach. IEEE Internet Things J. 2020, 7, 6143–6149.
  78. Albshaier, L.; Budokhi, A.; Aljughaiman, A. A Review of Security Issues When Integrating IoT With Cloud Computing and Blockchain. IEEE Access 2024, 12, 109560–109595.
  79. Thalpage, N. Unlocking the Black Box: Explainable Artificial Intelligence (XAI) for Trust and Transparency in AI Systems. J. Digit. Art Humanit. 2023, 4, 31–36.
  80. Farha, F.; Ning, H.; Yang, S.; Xu, J.; Zhang, W.; Choo, K.R. Timestamp Scheme to Mitigate Replay Attacks in Secure ZigBee Networks. IEEE Trans. Mob. Comput. 2022, 21, 342–351.
  81. Arora, S.; Hussain, M. Secure Session Key Sharing Using Symmetric Key Cryptography. In Proceedings of the 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Bangalore, India, 19–22 September 2018; pp. 850–855.
  82. Kumar, N.A.A.; Tl, N.D. Security measures implemented in RESTful API Development. Open Access Res. J. Eng. Technol. 2024, 7, 105–112.
  83. Seh, A.H.; Zarour, M.; Alenezi, M.; Sarkar, A.K.; Agrawal, A.; Kumar, R.; Khan, R.A. Healthcare Data Breaches: Insights and Implications. Healthcare 2020, 8, 133.
  84. Mejía-Granda, C.M.; Fernández-Alemán, J.L.; Carrillo-de-Gea, J.M.; García-Berná, J.A. Security vulnerabilities in healthcare: An analysis of medical devices and software. Med. Biol. Eng. Comput. 2024, 62, 257–273.
  85. Tsai, M.J.; Lin, P.Y.; Lee, M.E. Adversarial Attacks on Medical Image Classification. Cancers 2023, 15, 4228.
  86. Al-Rumaim, A.; Pawar, J.D. Exploring the Evolving Landscape of API Security Challenges in the Healthcare Industry: A Comprehensive Review. In Proceedings of the 2023 16th International Conference on Security of Information and Networks (SIN), Jaipur, India, 20–21 November 2023; pp. 1–8.
  87. Burke, W.; Stranieri, A.; Oseni, T.; Gondal, I. The need for cybersecurity self-evaluation in healthcare. BMC Med. Inform. Decis. Mak. 2024, 24, 133.
  88. Li, S.; Chen, Y.; Chen, L.; Liao, J.; Kuang, C.; Li, K.; Liang, W.; Xiong, N. Post-Quantum Security: Opportunities and Challenges. Sensors 2023, 23, 8744.
  89. Sarkar, S.; Choudhary, G.; Shandilya, S.K.; Hussain, A.; Kim, H. Security of Zero Trust Networks in Cloud Computing: A Comparative Review. Sustainability 2022, 14, 11213.
  90. Pais, M.S.; FayizAhamed, K.; Raghavendra, G.; GowthamiK, M.; Suvarna, J.N. Adoption of Blockchain in IoT: Challenges and Solutions. Int. J. Adv. Res. Sci. Commun. Technol. 2022, 2, 294–302.
  91. Murugan, G.; Chinnadurai, M. ESHA-256_GBGO: A high-performance and optimized security framework for internet of medical thing. Sci. Rep. 2025, 15, 9576.
Figure 1. Cloud computing architecture.
Figure 2. How APIs work in a cloud.
Figure 3. Conceptual Model of IoT Layered Architecture.
Table 1. Summary of Key Application Layer Protocols in IoT Systems.

| Protocol | Transport | QoS | Architecture | Security |
|---|---|---|---|---|
| CoAP | UDP | Yes | Request/response | DTLS |
| MQTT | TCP | Yes | Publish/subscribe | TLS/SSL |
| XMPP | TCP | No | Request/response; Publish/subscribe | TLS/SSL |
| DDS | TCP/UDP | Yes | Publish/subscribe | TLS/SSL |
| AMQP | TCP | Yes | Publish/subscribe | TLS/SSL |
| REST | HTTP | No | Request/response | HTTPS |
| WebSocket | TCP | No | Publish/subscribe; Client/server | TLS/SSL |
| JMS | MSTP | Yes | Client/server; Request/response | SSL |
Table 2. Evaluation of Previous IoT–Cloud Security Surveys and the Advancements Presented Herein.

| Authors | Focus Area | Key Contributions | Limitations/Gaps | How Our Paper Improves |
|---|---|---|---|---|
| Tawalbeh et al. (2020) [2] | IoT risk security | Discusses data breaches, insecure APIs | Lacks coverage on IoT–cloud security integration | Analyzes IoT–cloud security holistically, including API security and replay attacks |
| Marco (2019) [3] | IoT privacy concerns | Covers GDPR compliance issues | Lacks discussion of post-quantum cryptography (PQC) risks | Explores PQC challenges and integration with IoT–cloud systems |
| Gibson et al. (2012) [4] | Cloud security risks | Covers IAM and insider threats | Ignores IoT-specific vulnerabilities | Discusses the integration of IAM with IoT–cloud-specific security threats |
| Sood (2012) [20] | Cloud data security | Discusses SSL, MAC-based integrity checks | Lacks zero-trust security and homomorphic encryption | Introduces lightweight cryptography for constrained IoT devices |
| Hussain et al. (2022) [34] | IoT network security | Analyzes DDoS, routing issues | Lacks discussion of API security concerns | Proposes API security best practices and lightweight cryptography |
| Alotaibi (2019) [65] | Blockchain in IoT | Focuses on decentralized trust | Lacks API security and multi-tenancy discussions | Explores blockchain-enhanced authentication tailored for IoT–cloud integration |
| Singh (2024) [58] | Cloud multi-tenancy risks | Covers virtualization security | Lacks discussion of adversarial AI and replay attacks | Analyzes adversarial AI threats in IoT–cloud systems and proposes mitigation strategies based on AI resilience techniques |
| Wang et al. (2016) [30] | IoT data processing | Discusses edge computing and secure APIs | Ignores API rate limiting and secure gateways | Analyzes API security gaps and proposes enhanced API gateway protections |
| Bello et al. (2017) [32] | IoT communication security | Covers authentication protocols | Lacks IoT–cloud-specific threats | Integrates device-to-cloud security mechanisms |
| Chiang and Zhang (2016) [36] | Fog computing security | Discusses latency and encryption | Lacks discussion of adversarial AI risks | Analyzes adversarial AI threats in IoT–cloud systems and proposes mitigation strategies based on AI resilience techniques |
| Alam et al. (2022) [35] | IoT data privacy | Covers encryption and privacy techniques | Lacks a focus on PQC and emerging cryptographic risks | Explores PQC integration for IoT–cloud privacy |
| Dritsas and Trigka (2025) [50] | Cybersecurity in IoT | Detailed survey on IoT cybersecurity and emerging threats | Lacks dedicated IoT–cloud integration and PQC discussions | Integrates IoT–cloud security, including PQC, API security, and adversarial AI threats |
| Tawalbeh et al. (2020) [2] | IoT privacy and security | Comprehensive IoT security and privacy overview | Cloud security integration gaps and emerging threats not covered clearly | Explores cloud integration and emerging threats |
| Shaukat et al. (2021) [63] | Security challenges in the IoT | Detailed analysis of IoT-specific threats | Limited discussion on IoT–cloud integration and adversarial AI | Provides detailed coverage of IoT–cloud security and adversarial AI |
| Abdur et al. (2021) [64] | Comprehensive IoT security | Broad IoT security survey | Lacks adequate discussion of PQC and API security | Provides integration of comprehensive API and PQC solutions |
Table 3. Summary of Key Security Challenges in IoT–Cloud Environments.

| Risks | Existing Solutions | Future Research Directions |
|---|---|---|
| Data privacy and confidentiality in multi-tenant cloud environments | IAM, MFA, blockchain-based identity management | Developing adaptive IAM systems with AI-based anomaly detection, enhancing cross-tenant data isolation |
| Weak authentication and API security vulnerabilities | OAuth 2.0, API gateways, rate limiting, secure session management | Strengthening API authentication with AI-driven anomaly detection, enhancing zero-trust API security models |
| Scalability challenges in lightweight cryptography | ECC and lightweight block ciphers (PRESENT, SIMON and SPECK) | Hybrid cryptographic models for large-scale IoT |
| Adversarial AI threats in IoT–Cloud security | Adversarial training, XAI, robust AI models (ensemble learning, defensive distillation) | Integrating robust adversarial AI models with blockchain for secure and tamper-proof AI-driven security |
| Replay attacks on IoT communication channels | Nonce-based authentication, timestamp validation, cryptographic session tokens | Improving real-time secure session management and adaptive authentication for IoT–cloud systems |
| Blockchain scalability for real-time IoT applications | Optimized blockchain consensus mechanisms (proof-of-authority, DAG-based blockchain) | Developing scalable blockchain solutions with low-latency transaction validation for time-sensitive IoT applications |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
