Enhancing Data Security in Cloud-Based Information Systems: A Systematic Literature Review

A structured data extraction form was developed to collect relevant information from each selected study systematically. The form was piloted on a random sample of ten articles and adjusted to improve clarity and comprehensiveness of selected data. The key data fields extracted included:

• Author(s) and Year of Publication
• Methodology Employed (e.g., simulation, case study, prototype implementation)
• Specific Data Security Threat(s) Addressed
• Proposed or Evaluated Security Approach
• Evaluation Type (e.g., empirical testing, comparative analysis, formal proof)
• Dataset or Use Case (e.g., public cloud, healthcare application, IoT integration)
• Key Findings and Limitations

The synthesis of information was conducted using a narrative thematic approach. Each study was coded based on recurring patterns and clustered under key thematic dimensions such as the type of security technique, the nature of threats addressed, and the layer of the cloud stack (IaaS, PaaS, SaaS) targeted. The extracted data were also used to populate comparative matrices to identify overlaps, gaps, and methodological trends. Descriptive synthesis allowed the categorisation of methods and results to answer the predefined research questions.

When specific data fields (such as dataset descriptions or evaluation methods) were ambiguous or missing, interpretations were agreed upon through discussion among the reviewers to minimise extraction bias. All extracted data were entered and managed in spreadsheet software to facilitate efficient sorting, filtering, cross-tabulation, and meta-level thematic analysis. This structured approach enabled the consistent and transparent comparison of studies, ultimately supporting the identification of prevalent challenges, effective techniques, and areas needing further investigation. The extracted data is shown in Table 3 below:

Table 3. Data extraction and analysis for the selected studies.

2.5. Risk of Bias and Reporting Bias Assessment

In accordance with PRISMA 2020 guidelines, this review incorporated a multi-layered risk of bias assessment to ensure the credibility and validity of included studies. Each paper was evaluated using a structured rubric covering four key dimensions: (i) methodological rigor, (ii) transparency of results, (iii) relevance to cloud data security, and (iv) robustness of validation methods. Studies that provided empirical evidence, clearly documented experimental setups, and articulated limitations were marked as high quality. Conversely, papers lacking these elements were rated as having a moderate or high risk of bias.

Two independent reviewers conducted the risk assessment process to reduce subjective judgment, and disagreements were resolved through discussion. Additionally, publication-related biases were considered. Reporting bias was assessed by examining whether included studies presented balanced outcomes or selectively reported only favourable results. Any discrepancies in the scope of findings and the claims made were noted. To counteract possible publication bias, the search strategy was designed to include multiple databases across technical and interdisciplinary domains. However, only peer-reviewed articles were included, which may inherently limit grey literature and increase susceptibility to publication bias.

2.6. Certainty of Evidence Assessment

The evidence derived upon this SLR was quantitatively evaluated through a triangulated approach. To begin with, consistency of results in a variety of high-quality studies was taken as a proxy of confidence. An example of this is that encryption-based confidentiality and blockchain-based integrity methods were repeatedly and reliably verified in various environments and data, which strengthens the reliability of their observations.

Second, some degree of certainty was supported by the availability of empirical reviews like the experimentation on real-life or simulated validation and comparative analysis. The weight of the certainty assessment was lower on studies based on theoretical constructs or unverifiable models.

Third, the judgment of the confidence also took into consideration the quality rating based on the risk of bias assessment. Key conclusions and recommendations were made using only findings of the studies with low or moderate bias. Weaknesses were explicitly recognised where there was diminished certainty because of small sample sizes, absence of assessment or unreported fields.

Consequently, the review gives high-certainty information on major trends (e.g., access control models in healthcare data), and indicates low-certainty gaps that require additional empirical validation (e.g., multimedia cloud content steganography).

3. Thematic Analysis of Cloud Security Challenges

To bridge the fragmented understanding of evolving data security challenges in cloud-based information systems, this Systematic Literature Review (SLR) was focused on research questions guided by this review:

1. What are the primary data security threats across sectors and service layers in modern cloud environments?
2. What security techniques and frameworks have been proposed, and how effective are they contextually and technically?
3. What research gaps and limitations persist in current solutions, and what targeted directions should future studies pursue?

Through the thematic synthesis procedure (open coding → axial coding → selective coding), three assertive themes were derived from the literature. These themes are not new questions but structured outcomes that map directly to the guiding RQs:

Theme 1: Persistent and Emerging Threats: Identity theft, credential leakage, latency in MFA, scalability weaknesses, and privacy vulnerabilities.

Theme 2: Effectiveness of Security Techniques and Frameworks: Encryption models (AES, ECC), IAM/RBAC/ZKP, blockchain-based identity, and ML-driven anomaly detection, assessed for their contextual strengths and limitations.

Theme 3: Research Gaps and Future Directions: Limited scalability in multi-cloud settings, lack of standardised ZKP protocols, insufficient real-world validation of ML methods, and interoperability gaps across IaaS/PaaS/SaaS layers.

By aligning the derived themes with the original research questions, this review ensures consistency, maintains focus, and demonstrates how the coding-based synthesis contributes directly to answering the RQs. While several past reviews have discussed general trends in cloud security, none have integrated domain-specific and layer-specific evidence with technique-oriented classifications in a meta-synthesised manner. This review fills that gap using a structured coding framework to consolidate and contrast research contributions from 2013 to 2024.

3.1. Coding Strategy and Thematic Construction

The data extracted from 40 selected studies were coded through a three-phase process:

• Open Coding: Initial labels were assigned to text fragments representing security threats, approaches, or outcomes.
• Axial Coding: Similar codes were grouped into categories like “access control,” “encryption,” “data sharing,” or “application specificity.”
• Selective Coding: These categories were distilled into six major themes that comprehensively reflect cloud security challenges.

The Table 4 below summarises the frequency of these themes across the reviewed literature:

Table 4. Thematic summary of cloud security challenges.

3.2. Unauthorised Access and Identity Management

One of the most frequent and noticeable topics of the reviewed studies is the problem of unauthorised access to cloud resources, especially in multi-tenant or multi-system environments. Several articles noted that traditional identity and access management (IAM) systems are inefficient in the cloud due to their dynamics and decentralised nature. As an illustration, [73] designed the decentralised access control model of industrial control systems to help eliminate the possibility of an unauthorised device access to the critical infrastructures. In a similar manner, the research by [79] paired identity spoofing in hybrid clouds and proposed a role-based IAM model to mitigate this threat.

In addition, identity and attribute-based access control (ABAC) models have also been examined in cloud-specific situations. [76] designed a version of the ABAC model to work in the context of Hadoop and complicate access to information, but did not impose any restrictions on big data processing, whereas [75] based their ABAC on blockchain through Hyperledger to reduce the risks of data leakage. Although these innovations exist, many implementations do not test the ability of their designs to scale, the latencies, and performance at large workloads.

3.3. Data Confidentiality and Encryption Limitations

Confidentiality of data has continued to be a significant issue of concern, when data is outsourced to third party infrastructures. Most papers have been examining lightweight encryption, homomorphic encryption, and hybrid cryptography as leading solutions. As an example, [63, 67] have suggested new lightweight cryptosystems aiming at lowering the computational burden without the loss of encryption capabilities. Still, their methods need to be brought to real-life tests on a much greater scale to establish the resilience and compatibility.

DNA-based encryption and homomorphic encryption were also claimed to be promising methods, but computationally expensive. Although, [81] reported the high level of protection of multimedia files using DNA-based approaches, they mentioned the high processing requirements as a limitation. [54] emphasised the prevalent capability of optimised homomorphic encryption in image data security, but the bottleneck was scalability. Generally, existing research admitted that though encryption secures data in motion and at rest, performance trade-offs tend to result in low applicability in large-scale or latency-sensitive workloads.

3.4. Access Control in Multi-Tenant and Dynamic Environments

As the multi-cloud and hybrid designs have emerged, access control in dynamic and multi-tenant environments has grown to be very complex [83, 84]. Some research tried to incorporate the contextual or environmental determinants in the access policy [85, 86]. The approach to the environmental characteristics and label-based access control model proposed by [74] increases the adaptability of the deployed access control model, but remains to be checked in real-world loads.

In addition, attribute-based encryption (ABE) and revocable identity-based encryption (IBE) had been commonly discussed on the fine-grained access to data [87]. For instance, [46] created an identity-based encryption scheme with revocable storage, in which revocation of a user does not affect system efficiency. These solutions have flexibility providing access control capabilities but the major complexity of key management is often high and lack interoperability between cloud platforms.

3.5. Secure Data Sharing and Search

The other main theme was safe data sharing and searchable encryption. One can often discover cloud users who need to exchange or access encrypted data without compromising privacy. This problem was addressed by some studies such as [47, 50] by taking into consideration the advancement of a dynamic searchable and symmetric scheme of encryption in the medical and multipurpose clouds. These programs can improve searches without causing information of value to leak out. However, not all of them have been widely empirically tested in a multi-user or high-volume search environment.

In edge-cloud collaborative systems, such as the one presented by [44], it was additional complicated to make sure that keyword searching was secure and efficient. To realise greater granularity, they combined encrypted search and attribute-based encryption, but observed that scalability is a challenge that restrains general deployment.

3.6. Emerging Solutions: Blockchain and Steganography

Blockchain security is also being investigated more. It is a tool to guarantee data’s immutability, transparency, and decentralisation. [55, 56, 61] have presented papers with frameworks that use blockchain to secure access control, asset trading, and anonymous authentication. When homomorphic or ring-based encryption is used with blockchain, the result is both audibility and trust, but with significantly expensive overhead processing and possible latency, particularly in resource constraints.

Cloud steganography is another innovative solution that is increasingly used and is studied by [82]. Steganography provides an additional level of privacy by utilising hidden content within the most benign of data [88, 89]. Although this is more effective in improving concealment, it is not widely validated and might not hold against advanced intrusion detection methodologies.

3.7. Application-Specific Security and Sectoral Needs

Several articles discussed security requirements relevant in specific areas like healthcare, agriculture, and genomic information. In a recent case, [68] proposed EPM-KEA encryption in healthcare systems focusing on compliance and real-time security. Similarly, [78] developed PCS-ADS, a privacy computing system for agricultural data. Such studies highlight that security adaptations in various sectors must be considered, where solutions developed with the idea of being widespread may be unsuitable for sensitive or regulatory environments.

4. Techniques for Enhancing Data Security in the Cloud

Development of cloud computing has changed the manner in which organisations access, store and manage data. However, these have many advantages linked with massive dangers in safeguarding confidential information. An analysis of literature has revealed that a variety of methods have been developed to address threats against confidentiality, integrity, and availability. This section will involve a deep discussion of the major techniques that are actively pursued or are gaining momentum in order to enhance the degree of data security within cloud settings.

4.1. Encryption Techniques: Symmetric, Asymmetric, and Hybrid Models

Encryption remains the backbone of data confidentiality in cloud systems. Non-cryptographic symmetric encryption algorithms, commonly known as traditional symmetric encryption algorithms, are highly used because of their speed and simplicity. One of the prominent examples is the Advanced Encryption Standard (AES) [90]. Nevertheless, symmetric encryption may not be adequate for cloud applications due to the difficulties in distributing and managing keys [91].

Although they are more computationally intensive, more efficient key management is provided by asymmetric encryption algorithms such as RSA. Consequently, numerous studies suggest a hybrid system of encryption that assimilates the most effective attributes of both systems. As an example, [64] proposed a hybrid cryptographic framework that combined AES-OTP and RSA, adaptive key management, and time-limited access control. Such practice improves the security and flexibility of access and meets the real-time control requirements in dynamically scaled-up environments and clouds.

Furthermore, lightweight cryptography has become popular, including IoT and mobile cloud computing [92]. The proposed efficient homomorphic and symmetric encryption schemes were created by [63, 67] and optimised depending on low-power conditions, featuring not only efficient execution but also high-security standards.

4.2. Attribute-Based and Identity-Based Encryption

Fine-grain access control has also been repeatedly implemented using attribute-based encryption (ABE) and identity-based encryption (IBE). The attributes of these encryption paradigms are that there is a data access mechanism that entails user attributes or roles that can be very helpful in multi-user and collaborative cloud environments [93].

The scheme of revocable storage identity-based encryption (RS-IBE) was proposed by [46] that secures data sharing and allows revoking users without re-encryption. It is an economical method of administration where user turnover is high.

In the same context, [51] used ABE to restrict user access to their health records stored in the cloud. Their structure guarantees decryption via qualified medical staff only by using specific characteristics such as department, level of clearance, and specialization. These models have been useful in upgrading data privacy and flexibility in operations, but they are always associated with advanced computational and key management complexity.

4.3. Homomorphic and Searchable Encryption

A major challenge in cloud data security is performing operations or searches on encrypted data without decrypting it. This is where searchable encryption (SE) and homomorphic encryption (HE) come into play.

Homomorphic encryption enables the computations to be made over encrypted data, generating encrypted outputs; the data need not be decrypted, nor intermediate values be revealed [94]. Despite being resource-intensive, it offers unmatched confidentiality on applications such as cloud-based analytics and financial modelling.

The case of the secure image processing in clouds optimised by HE was studied by [54]. They are built privately with light computation, and partly address mass scale. Searchable encryption has been subjected to rigorous research where the encryption is required when one has to search a database that has been encrypted. [47, 50] reported dynamic searchable symmetric encryption (DSSE) schemes which possess a keyword search and can provide data privacy. These techniques have been practically applied in the legal or medical field, where it would be important to preserve the privacy of the documents under search.

4.4. Blockchain for Secure Data Integrity and Access Control

Cloud data security has been very alluring by using blockchain technology, primarily because it ensures integrity of data, traceable record mechanisms and decentralised access control. Its consensus algorithms and tamper-resistant ledger add the dimension of graph to sharing and storage of clouds [55, 56] augmented encryption models using blockchain that implemented smart contracts and homomorphic encryption to control entry and the recording of every exchange. [75] also used blockchain to offer Hyperledger-based access to attribute control that facilitated a decentralised user verification and implemented policies.

Such situations are the best fit with blockchain since its immutability and transparency ensure data auditing and non-repudiation. It is thus appropriate in financial systems, healthcare and the trade of digital assets [95, 96]. However, the greatest limitation is that blockchain has large computation and storage overheads, which hamper its implementation in high-frequency access systems.

4.5. Advanced Access Control Mechanisms

The initial aspect of cloud security is the application of controls to ensure that only authorised users can access the cloud data. Sophisticated systems such as Context-Aware Access Control (CAAC), Role-Based Access Control (RBAC), and Environmental Attribute-based Control were employed to respond to the ever-changing live contexts of cloud environments [97].

In one such case, [74] proposed an environmental attribute-based model, the parameter of which is context-dependent (location, time, and system state) and is applied to access decisions. The model glues it more to the real-life situations and improves security and usability.

In addition, [76] implemented an ABAC model to products of the Hadoop ecosystem to regulate access to big data. These are policy based and granular models and hence can be useful in hybrid, federated clouds.

They are capable of complex rule engines and proper decision-making mechanisms to prevent the delays that will be a bottleneck in real time systems in undertaking access evaluation.

4.6. Data Hiding and Obfuscation Techniques

Data hiding techniques such as steganography have also been considered as lightweight security layers of multimedia data to complement encryption in the cloud environment. The cloud steganography model introduced by [82] allows essential data to be stored in media files that the intruder will not notice.

Such methods are particularly effective when the data must be hidden in plain view, e.g., in secretive communications or in a region with extensive surveillance. Nevertheless, steganography is not enough to offer fully-fledged data security; it is usually incorporated with encryption to offer multi-layered protection.

4.7. Biometric and Multi-Factor Authentication

While encryption protects data in storage and transit, authentication techniques secure access points. The conventional password-based solutions are becoming less adequate as they are prone to phishing attacks and brute forces [98].

Some studies implemented the use of biometric authentication to access the cloud. As an example, the article by [49] employed facial biometrics and fingerprint scanning to verify access to cloud computing in healthcare related to the general population. Such an approach enhances identity authentication and increases user accountability.

Multifactor authentication (MFA) (the combination of something the user knows (password), something they have (device), and something they are (biometric)) is increasingly becoming important as well [99]. Such solutions are much more likely not to be breached, and they might need extra measures of infrastructure or user compliance.

4.8. Privacy-Preserving Data Sharing and Revocation

With the introduction of collaboration characteristics in cloud systems, there is a need to share information and data in a privacy-preserving and secure way. Providing temporary and traceable access to a third party is increasingly offered over schemes like proxy re-encryption, revocable keys, and zero-knowledge proofs [100].

The data sharing schemes provided by [46, 52] allow sharing data to be used medically and in genomics, respectively. They can be cancelled, dynamically altered, and added. These models take note of confidentiality, compliance, and adaptability, but the usage of keys and identity of users across organisations continues to pose integration issues.

5. Comparative Analysis of Findings

5.1. Trends Across Techniques

The security of cloud computing evolves rapidly and it is apparent that it is skewed towards hybrid and fine-grained access control processes. Even though the traditional encryption remains the heart of the matter, researchers are adding such technologies as blockchain, attribute-based encryption (ABE), searchable encryption, and the context-aware access models to make the security mechanism more dynamic and scalable.

A number of frameworks have been established that can address the constraint on resources in both IoT and mobile by implementing lightweight cryptography. To illustrate this, [63] developed a lightweight homomorphic encryption algorithm, which can enhance security without causing much load on computational resources. Other authors, such as [64], also suggested some complementary models including AES, RSA, and OTP mechanisms to establish a more secure encryption and better key management process.

The other trend is the use of blockchain to guarantee decentralised access control and auditability. Such works as [55, 56] employed blockchain in situations where it was required that data is visible and that logs are tamper-proof, particularly in multi-tenant and financial applications.

5.2. Solution Effectiveness by Cloud Layer

The security responses achieved different levels of performance at distinct cloud service layers: infrastructure-as-a-service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).

At the IaaS layer, encryption methods and key management are prevalent. There are fast, hardware-compatible cryptographic systems, like lightweight cryptography [67, 80].

In the case of the PaaS layer, the solutions can work regarding role, identity, and attribute control. The customised ABAC model based on Hadoop environments [76], and access control based on the Hyperledger platform was developed to perform the same operation securely [75].

Researchers concentrated on searchable encryption, biometric authentication, and context-based access control in SaaS environments where sharing data and user interaction plays a crucial role. As an example, [50] created searchable symmetric encryption of healthcare data, whereas [49] used biometrics to allow secure access to the work of healthcare systems.

5.3. Evaluation Methods

The most prevalent assessment methods used in all the studies were simulation, prototype implementation, and empirical testing. Cryptographic models were the most used in simulations, with [64, 77] calculating new procedures in controlled conditions.

It was employed to test the real-time behaviour and scalability, especially on blockchain systems like [66, 73]. Very few studies operated on publicly available data or users’ real-world environments, these researchers need to standardise more benchmarks.

5.4. Best-Suited Techniques by Security Objective

• Confidentiality: Solutions such as homomorphic encryption [54], searchable encryption [47], and a hybrid model of AES-RSA [64] provided high confidentiality in the sharing of data and in computation.
• Integrity: The model of blockchain was most helpful in retaining data immutable and transaction transparency, especially in financial systems or healthcare settings [55, 61].
• Availability: Availability was covered by redundant encryption and encrypted storage, access recovery through smart contracts, and systems such as PCS-ADS for agricultural information [78]. Table 5 shows a comparative analysis of the methods employed, along with the threats, strengths, and limitations.

Table 5. Comparative analysis.

Conclusion

The systematic literature review analysed 40 peer-reviewed articles on data security in information systems based on clouds and discussed the primary techniques, methods of assessment and challenges. The outcomes create an active research setting through developing confidentiality, integrity and availability through encryption, access control, blockchain and biometric techniques. Though traditional encryption is still the foundation of cloud data security, other newer approaches, such as homomorphic encryption, searchable encryption, and blockchain-based offerings are gaining pace due to their ability to offer finer-grained, transparent, and scalable security.

The effectiveness of these approaches often determines the choice of the cloud layer to apply to them, i.e., IaaS, PaaS, or SaaS, and the environment, i.e., healthcare, IoT, or enterprise collaboration. Methods like identity-based models and ABE provide finer control, but blockchain ensures integrity and traceability. However, the various approaches have trade-offs where they are characterised by computational costs, practicality, and difficult implementation.

Nonetheless, despite the improvements, there are some research gaps. Such drawbacks are the absence of practical verification, issues with scaling, and the inability to be user-oriented and industry-specific. The future of cloud security is based on integrated, adaptive, and intelligent solutions that combine efficient encryption with behavioural analytics, cloud-hosted monitoring, and compliance-enhancing solutions.

Researchers and practitioners must cooperate to develop balanced, effective, sustainable security solutions as cloud services extend into more environments and devices. These systems should not only protect against current threats but also cope with upcoming complexities in digital environments of the future.

Author’s ContributionS

Yazeed Alsuhaibany has contributed to data collection, data analysis and interpretation and writing of paper.

Finding

None.

Conflict of Interest

The authors declare that there is no conflict of interest regarding the publication of this manuscript. No financial, personal, or professional relationships have influenced the content or outcomes of this study.

Acknowledgement

The authors would like to express their sincere gratitude to all the researchers whose work was reviewed and cited in this study. Their contributions have been instrumental in shaping the insights and findings of this systematic literature review. We also thank the academic community and institutions providing access to high-quality digital libraries and databases, which enabled a comprehensive and rigorous analysis.