Project report DCN

1

Introduction:

Successfully addressing the privacy, trust and security risks inherent in deployments of cloud computing represents a complex and difficult challenge for one significant reason: The widespread use of cloud technologies brings into sharper focus linkages among issues that formerly were firmly within the purview of ‘stove-piped’ regulatory or technological approaches or domains.Although the technologies and legal or compliance requirements associated with the cloud may not be new or particularly innovative (for example, the audit requirements resemble .Those required for outsourcing arrangements), the public policy challenge hinges on whether their combination in a cloud environment undermines or degrades current policy approaches. For example: Widespread take up of cloud computing might contradict or adversely affect globally established data protection and privacy principles. Consent and user‘ control’ of personal data are key tenets of privacy and data protection frameworks that are particularly pertinent for Europe. However, widespread implementation of cloud computing reduces users’ and even cloud providers’ control of personal information as it is opaquely and autonomously disassembled and re-assembled across a highly distributed infrastructure.

The technological challenges of providing for confidentiality in the cloud present potential barriers to establishing trust. For example, encryption and similar technologies are currently the best way to maintain data confidentiality but their effectiveness is reduced in cloud environments because the cloud user has little or no other effective (logical or physical) security controls.

Cloud computing deployment poses operational challenges in respect of compliance and risk management. For example, verifying compliance with certain regulatory or voluntary standards is significantly more complex in a cloud environment since the point at which a satisfactory level of assurance is achieved might incur greater and greater costs for the cloud user. Cloud users may have to take on trust their providers compliance with the requisite operational procedures.

The hypothesis investigated by this research is that the complexity associated with cloud computing is sufficiently distinct from what has

2

gone before to warrant the development of entirely new public policy approaches.

Our research investigated the security, privacy and trust aspects of cloud computing and determined whether these were sufficiently distinct to warrant public policy intervention. On the whole, cloud computing brings into acute focus many security and privacy challenges already evident in other domains such as outsourcing or behavioral advertising.

The starting point for any public policy analysis is the definition of terms and concepts. In light of its novelty there are many definitions of cloud computing. Based on an analysis of twenty such definitions Vaquero et al. find that the literature appears to be converging on the following operational definition:

Clouds are a large pool of easily usable and accessible virtualised resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale) allowing also for an optimum resource utilisation. This pool of resources is typically exploited by a payper- use model in which guarantees are offered by the Infrastructure Provider by means of customised service level agreements.4 This definition emphasises a core characteristic of cloud computing: the availability of unbounded computing resources to individuals and organisations upon demand without the need for significant local infrastructure provisioning. Essentially, cloud computing should allow users to pay exclusively for the resources they actually use and reduce up-front infrastructure commitments.

Cloud computing is an evolved form of ICT outsourcing that utilises (in part) technologies developed to meet the needs of grid computing. This leads to some conflation of the use of the terms grid and cloud computing. The main difference is that grid computing was originally driven by scientific research purposes5 with the objective of coordinating resources which are not subject to centralised control under standard, open, general purpose protocols and interfaces. Cloud computing, in contrast, involves provision of services with varying proprietary and open toolkits and interfaces. Thus, cloud computing may be considered an IT service, defined as:

A paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centres, tablet computers, notebooks, wall computers,

3

handhelds, sensors, monitors, etc.6 As previously indicated, a clear definition (or coherent set of definitions) of cloud computing may be helpful for effective identification of public policy options, especially in the pan-European context across national and linguistic divides. However, while thedefinition proposed by Vaquero et al. emphasises one core characteristic of cloud computing – its ephemeral approach to defining and deploying computing resources – it does not consider precisely the technological and operational factors. In this context, an interesting alternative perspective is provided by the definition proposed by the US National Institute for Standards and Technology (NIST): Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and releasedwith minimal management effort or service provider interaction.7This definition, adopted for the purposes of this research, emphasises the flexibility and convenience of the cloud which allows customers to take advantage of computing resources and applications that they do not own for advancing their strategic objectives. It also emphasises the supporting technological infrastructure, considered an element of the IT supply chain that can be managed to respond to new capacity and technological servicedemands without the need to acquire (or expand) in-house complex infrastructures. Building upon this definition, the literature identifies four different broad service models for cloud computing:• Software as a Service (SaaS), where applications are hosted and delivered online via a web browser offering traditional desktop functionality, eg, Google Docs, Gmail and MySAP.• Platform as a Service (PaaS), where the cloud provides the softwarePlatform. for systems (as opposed to just software), the best current extent.Hardware as a Service (HaaS), where the cloud provides access to dedicated firmware via the Internet, eg, XEN and VMWare.12The literature also differentiates cloud computing offerings by scope. In private clouds, services are provided exclusively to trusted users via a single-tenant operating environment. Essentially, an organisation’s data centre delivers cloud computing services to clients who may or may not be in the premises. Public clouds are the opposite: services are offered toindividual and organisations who want to retain elasticity and accountability without absorbing the full costs of in-house infrastructures. Public cloud users are by default treated as untrustworthy. There are also hybrid clouds combining both private and public cloud service offerings. The overall cloud

4

computing environment is evolving and, therefore, its service models may change with time.

What’s pushing cloud take-up?

Due to the immaturity of the cloud ecosystem there is still a significant lack of qualitative and quantitative research about motivations for using cloud computing services. Currently, the most valuable insights come from market research literature.13 This literature typically emphasises the economies of scale arising from commoditisation of IT services and theremoval of complex on-site infrastructure deployment and management. Cloud computing, therefore, can reduce capital investments and limit the risks of overprovisioning, which is the usual response to the management of uncertain demand. The market research literature does not support these claims with detailed quantitative evidence. However, some data are available from cloud computing service providers and government organisations that are in the process of procuring such services.According to Amazon Web Services,14 cloud computing allows substantial economies of scale in hardware utilisation in an area where traditional in-house data centres commonly use about 30 percent of available capacity. Migration to a cloud computing environment gives 100 percent utilisation. This is especially beneficial when serving heterogeneous userswith highly dynamic demands for usage and capacity. Cloud computing also reduces software updating and licensing costs (especially in the SaaS model). Amazon Web Services has provisionally quantified these savings: an organisation operating over the web having low but steady usage with occasional peaks can reduce costs by 85 percent, rising to 95 percent for organisations needing high-performance computing. Cloud computing also leads to efficiency savings via the reallocation of staff and other resources. Again, the literature does not provide comprehensive evidence but the assertion is supported by anecdotal evidence from the business case justifying the decision by a US public institution (in this case the City of Los Angeles) to migrate towards a Googleenhanced email service for its employees.15 The introduction of this cloud computingservice is expected to save US$6 million in terms of software licence fee and US$500,000in hardware retirement costs. At the same time, the organisation expects to achieve additional efficiency savings of US$6 million via the reallocation of staff to other tasks and US$1 million by reallocating IT infrastructure to other activities.

5

Cost reduction is not the only benefit of cloud computing. Thecommoditisation of the overall infrastructure and related services allows organisations to focus time and resources on mission critical tasks. More importantly, cloud computing provides flexible sourcing16; should business environments change, organisations can adapt their infrastructureaccordingly. This flexibility can also be used for testing new services orrunning low priority business applications such as collaboration applications for employees, consultants and suppliers.Aside from arguments regarding the deployment of cloud computing for efficiency reasons, others have argued that cloud computing has the potential to produce an ‘explosion in creativity, diversity and democratization predicated on creating ubiquitous access to highpowered computing resources’.17 In particular the broad adoption of common tools coupled with the emergent possibilities of using technological components of cloud computing (like service-orientated architectures or web services) to mash data together illustrates the potential innovative aspects of a ‘cloud’ way of thinking.Nonetheless, some of the reasons why organisations are turning to the cloud reflect different user characteristics, whether they are public or private or whether they seek to obtain back-office functions (eg, accounting), email or other communication or collaboration services, or even ‘niche’ high-performance computing. Whilst some cloud drivers are consistent across both the public and private sectors there are nonetheless some unique demand-side factors arising from the different emphasis put on issues such as privacy and security by public sector organisations.Citizens and consumers also have specific reasons for using cloudcomputing: accessibility of their data and the almost limitless quantities of storage space, for example, may be regarded as features of cloud-hosted email services such as Gmail likely to be more attractive to individuals than to organisations.

The economics of cloud computingimplications for security:

6

In this section, some of the basic economics of the cloud in relation to privacy and security are presented. This is not intended to provide a comprehensive guide to ‘cloud economics’ or to the economic policy issues raised by the deployment of cloud services.18 Rather, it is an impression of the evolutionary landscape in which cloud businesses and business modelsmust survive and the implications for the allocation and management of privacy and security issues. 16Cloud computing has its commercial roots in the convergence of the computing and communications industries.Economic regulation of computing has in the past been based on the ‘effective competition’ model, while communications (especially fixed-linecommunications) have generally been regulated as monopolistic oroligopolistic public utilities. There has been relatively little progress towards a hybrid model that can regulate the combined performance of ICT without distorting its development; initial forays into ‘converged regulation’ aimed at the Internet (eg, net neutrality, broadband spectrum auctions/trading, etc.) have aroused continuing controversy. Two developments are of particular relevance to cloud computing and to privacy and security. The first concerns business model evolution, in particular the relation betweeneconomic regulation and non-economic (or non-monetised) behaviour. Economic regulation is generally linked to explicit contracts and to direct exchanges of money for services; in contrast, many new business models involve little or no direct two-party monetized relationships of this nature, but rely instead on third-party monetisation by selling the attention of free service users, bundling services with other services, equipment, and so on,or effectively investing in other value-generating relationships. Each ofthese can be detected in relation to different ‘as a Service’ cloud models because each of the ‘Services’ is used for a variety of purposes by a variety of customer groups. Where there exist concrete and direct monetary contractual relationships (for example, between ISPs and theircustomers on one side and between ISPs and those who handle their traffic on another), regulatory leverage can be used to encourage compliance with privacy and security rules (where they exist) as well as competition rules. Where no money changes hands, this may be much harder to accomplish.The second development is the delivery of services through extended pathways. The interposition of communications service provider(s) between cloud service provider(s) and user(s) complicates the internalisation and monitoring of both public and private privacy and security obligations. Where the cloud service providers and users have no direct contract or connection – and may not even be aware of each others’ identities or

7

locations– it may be very difficult to ensure that costs and benefits not central to the service arrangement are handled appropriately. Cloud services themselves have some private good characteristics in the sense that access can be controlled and in the sense that they are congestible (the ‘worst-case’ total capacity required to serve a group can beApproximated by adding the capacities required to serve each member). Suitably regulated markets could deliver them efficiently. But privacy and security concerns associated with overall capability to provide cloud services – or at least with their most innovative and productive uses –resemble public goods in that they can be delivered en masse by a ‘cloud’ of suppliers to a ‘cloud’ of users, often without a specific contract or means of charging for access. Such open clouds are not the only mode of provision, but the evolutionary contest between different models will influence the identification, pricing and management of privacy andsecurity. Moreover, the privacy and security capabilities inherent in different cloud models will affect their acceptance by different groups and the way innovative applications develop. For instance, groups of users for whom privacy is critical may favour an explicit collective contract with a consortium of service providers who jointly and severally undertake to deliver specific levels of security and privacy as part of a bundle of services.

Definitions of cloud computing:

8

The starting point for any public policy analysis is the definition of terms and concepts. In light of its novelty there are many definitions of cloud computing. Based on an analysis of twenty such definitions Vaquero et al. find that the literature appears to be converging on the following operational definition:

“Clouds are a large pool of easily usable and accessible virtualised resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale) allowing also for an optimum resource utilization. This pool of resources is typically exploited by a paper-use model in which guarantees are offered by the Infrastructure Provider by means ofcustomised service level agreements.4”

This definition emphasises a core characteristic of cloud computing: the availability of unbounded computing resources to individuals and organisations upon demand without the need for significant local infrastructure provisioning. Essentially, cloud computing should allow users to pay exclusively for the resources they actually use and reduce up-front infrastructure commitments.Cloud computing is an evolved form of ICT outsourcing that utilises (in part) technologies developed to meet the needs of grid computing. This leads to some conflation of the use of the terms grid and cloud computing. The main difference is that

9

grid computing was originally driven by scientific research purposes,5 with the objective of coordinating resources which are not subject to centralised control under standard, open,general purpose protocols and interfaces. Cloud computing, in contrast, involves provision of services with varying proprietary and open toolkits and interfaces. Thus, cloud computing may be considered an IT service, defined as:4

Defining cloud computing:

For the purposes of this study, we adopt a definition of cloud computing proposed by the US National Institute for Standards and Technology (NIST) in 2009:

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

The literature identifies four different broad service models for cloud computing:• Software as a Service (SaaS), where applications are hosted and delivered online via a web browser offering traditional desktop functionality• Platform as a Service (PaaS), where the cloud provides the software platform for systems (as opposed to just software)

10

• Infrastructure as a Service (IaaS), where a set of virtualised computing resources, such as storage and computing capacity, are hosted in the cloud; customers deploy and run their own software stacks to obtain services.• Hardware as a Service (HaaS), where the cloud provides access to dedicated firmware via the Internet Cloud computing offerings also differ by scope. In private clouds, services are provided exclusively to trusted users via a single-tenant operating environment. Essentially, an organisation’s data centre delivers cloud computing services to clients who may or may not be in the premises. Public clouds are the opposite: services are offered to individuals and organisations who want to retain elasticity and accountability without absorbing the fullcosts of in-house infrastructures. Public cloud users are by default treated as untrustworthy.There are also hybrid clouds combining both private and public cloud service offerings.

Defining security, privacy and trust:

Before assessing the literature dealing with security, privacy and trust in the cloud, it is important to define these terms because their currency and usage can change radically indifferent contexts:• Security concerns the confidentiality, availability and integrity of data or information. Security may also include authentication and non-repudiation.

11

• Privacy concerns the expression of or adherence to various legal and non-legal norms regarding the right to private life. In the European context this is often understood as compliance with European data protection regulations.Although it would be highly complex to map cloud issues onto the full panoply of privacy and personal data protection regulatory architectures, the globally accepted privacy principles give a useful frame: consent, purpose restriction, legitimacy, transparency, data security and data subjectparticipation.• Trust revolves around ‘assurance’ and confidence that people, data, entities, information or processes will function or behave in expected ways. Trust may be human to human, machine to machine (eg, handshake protocols negotiated within certain protocols), human to machine (eg, when aconsumer reviews a digital signature advisory notice on a website) or machine to human (eg, when a system relies on user input and instructions without extensive verification). At a deeper level, trust might be regarded as a consequence of progress towards security or privacy objectives.

12

Issues security privacy trust risk and cloud computing:

Cloud computing:

We identified a number of issues in the literature relating to technological and legal challenges confronting privacy, security and trust posed by cloud computing. Regarding the challenges in the technological underpinnings of cloud computing, we note evidence stemming from: virtualisation (e.g. vulnerabilities in hypervisors could have potential widespread effects on data integrity and confidentiality); whether grid computing modelscan afford the appropriate level of interoperability ; if Web Services will be effective for identity management in the cloud; establishing trust when using Service Orientated Architectures and web application frameworks and finally whether current technical methods of encryption will remain viable to achieve confidentiality. There are a number of challenges posed by a range of legal and regulatory frameworks relevant to cloudcomputing. These include the viability of legal regimes which impose obligations based on the location of data; the ex-ante definition of different entities (such as distinguishingbetween data controllers and processors); establishing consent of the data subject; the effectiveness of breach notification rules; the effectiveness of cyber-crime legislation indeterring and sanctioning cyber-crime in the cloud and finally difficulties in determining applicable law and jurisdiction. From an operational perspective, the study uncovered issues relating

13

to the effectiveness of existing risk governance frameworks, whether cloud customers can meet their legal obligations when data or applications are hosted overseas, how to be compliant and accountable when incidents occur; whether data will be locked into specific providers; the complexities in performing audit and investigations; how to establish the appropriate level of transparency and finally measuring security of cloud service provision.The case studies identified a number of challenges relating to cloud service provision from recent real-world instances. These include the immature and exploratory nature of cloud computing deployments; the necessity that those using cloud services should be versed in their tolerance for risk prior to migrating to the cloud; how to balance the business benefitsof cloud computing with achieving security and privacyobligations; the need to integrate cloud security into existing security measures; the importance of understanding untowarddependencies created by cloud computing deployments and finally that tailored and specific security agreements can be achieved but only if the cloud user has sufficient negotiating power.These identified real-world concerns were supplemented by additional material gathered at an Expert Workshop. Participants commented that it was difficult to achieve a highdegree of accountability or transparency in the cloud; that there was little awareness raising for either cloud customers or private citizens; little established guidance on expectations for

14

cloud users in meeting their legal obligations and finally lack of harmonisation of relevant legal and regulatory frameworks, potentially presenting an impediment to realizing theeconomic and social benefits of cloud computing for Europe.Summarized below are the main considerations in respect of the security, privacy and trust challenges associated with the technological or legal domains constituting cloud computing. This is populated from the review of the literature made during the course of this study and reflects key concerns noted from the desk research: Summary of main challenges arising from the technological or legal domains constituting cloud computing.

Security privacy trust risk cloud:

The following chapters will summarise the key challenges associated with cloud computing from technological and legal (including organisational) perspectives. This overview is based on an extensive literature review, validated by key stakeholders . As noted in theintroduction to this report, the study team participated in the SecureCloud conference in Barcelona on March 16–17 2010 in order directly to seek feedback via interviews with stakeholders from various domains and enrich the analysis.32It is important to note this overview of challenges is not intended to present solutions but rather to illustrate how they arise from the technical and legal characteristics of the cloud

15

computing. In this way, challenges are set up as open questions for further exploration in the final chapters of the report.29.We identified a number of issues in the literature relating totechnological and legal challenges confronting privacy, security and trust posed by cloud computing. Regarding the challenges in the technological underpinnings of cloud computing, we note evidence stemming from: virtualisation (e.g. vulnerabilities in hypervisors could have potential widespread effects on data integrity and confidentiality); whether grid computing modelscan afford the appropriate level of interoperability ; if Web Services will be effective for identity management in the cloud; establishing trust when using Service Orientated Architectures and web application frameworks and finally whether current technical methods of encryption will remain viable to achieve confidentiality. There are a number of challenges posed by a range of legal and regulatory frameworks relevant to cloudcomputing. These include the viability of legal regimes which impose obligations based on the location of data; the ex-ante definition of different entities (such as distinguishing between data controllers and processors); establishing consent of the data subject; the effectiveness of breach notification rules; the effectiveness of cyber-crime legislation in deterring and sanctioning cyber-crime in the cloud and finally difficulties in determining applicable law and jurisdiction. From anoperational perspective, the study uncovered issues relating to the effectiveness of existing risk governance frameworks,whether cloud customers can meet their legal obligations when data or applications are hosted overseas, how to be compliant and accountable when incidents occur; whether data will be

16

locked into specific providers; the complexities in performing audit and investigations; how to \establish the appropriate level of transparency and finally measuring security of cloudservice provision.The case studies identified a number of challenges relating to cloud service provision from recent real-world instances. These include the immature and exploratory nature of cloud computing deployments; the necessity that those using cloud services should be versed in their tolerance for risk prior to migrating to the cloud; how to balance the business benefitsof cloud computing with achieving security and privacyobligations; the need to integrate cloud security into existing security measures; the importance of understanding untowarddependencies created by cloud computing deployments and finally that tailored and specific security agreements can be achieved but only if the cloud user has sufficient negotiating power.These identified real-world concerns were supplemented by additional material gathered at an Expert Workshop. Participants commented that it was difficult to achieve a highdegree of accountability or transparency in the cloud; that there was little awareness raising for either cloud customers or private citizens; little established guidance on expectations forcloud users in meeting their legal obligations and finally lack of harmonisation of relevant legal and regulatory frameworks, potentially presenting an impediment to realising the economic and social benefits of cloud computing for Europe.

17

CEPIS:

The Council of European Professional Informatics Societies (CEPIS) is a non‐profit organisation seeking to improve and promote a high standard among Informatics Professionals in recognition of the impact thatInformatics has on employment, business and society. CEPIS –which represents 36 Member Societies in 33 countries across greater Europe– has agreed on the following statement:

1. Background:Cloud Computing is not a very new concept in IT, in fact Cloud Computing is a more advanced version of the Data Processing Service Bureaus that we had 40 years ago. Nevertheless, the best known companies in the IT field offer or will shortly offer Cloud Computing services to a range of customers from organisations of all sizes to individuals. The biggest and best known Cloud Computing providers include Amazon with EC2 [5],Microsoft with Azure [6] and Google with GoogleApps (e.g. Gmail, Google Docs, Google Calendar) [7]. The paradigm of Cloud Computing can be described in simple terms as offering particular IT services that are hosted on the internet the most common ones being Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a service (SaaS).Cloud Computing is often marketed as an efficient and cheap solution that will replace the client‐server paradigm. The paradigm shift involves/results in the loss of control over data as well as new security and privacy issues. For this reason caution is advised when deploying and using CloudComputing in enterprises.After all, the first big issue in data protection in Europe arose at the end of the 1960’s, when a Swedish company decided to have its data processing done by a service bureau in Germany and the data protection legislations in both countries were not alike.With Cloud Computing rapidly gaining popularity, it is important to highlight the resulting risks. As security and privacy issues are most important, they should be addressed before Cloud Computing establishes an important market share. Many IT and important research agencies are aware of these risks and have produced reports and analyses to document them [1], [2], [3] ,[4].

18

2. Concerns:There seems to be no area of ICT that is not affected by Cloud Computing. Two main issues exist withsecurity and privacy aspects of Cloud Computing:1. loss of control over data and2. dependence on the Cloud Computing provider.These two issues can lead to a number of legal and security concernsrelated to infrastructure, identity management, access control, risk management, regulatory and legislative compliance, auditing and logging,integrity control as well as Cloud Computing provider dependent risks.Typical issues due to the loss of control over data are:DecisionDiscussion

1. Most customers are aware of the danger of letting data control out of their hands and storing data with an outside Cloud Computing provider. Data could be compromised by the Cloud Computing provider itself or other competitive enterprises which are customers with the same CloudComputing provider. There is a lack of transparency for customers on how, when, why and where their data is processed. This is in opposition to the data protection requirement that customers know what happens with their data.

2. Many Cloud Computing providers are technically able to perform data mining techniques to analyse user data. This is a very sensitive function and even more so, as users are often storing and processing sensitive data when using Cloud Computing services. This holds especially true for social media applications that encourage users to share much of their private life e.g. private photos1.

3. Mobile devices, in particular with their limited storage and computing capabilities are drivers for having services provided by Cloud Computing instead of using software on individual computers. Even data that are only to be transferred from one mobile device to another (local) device, are oftentransferred via the cloud, when cloud oriented applications on the mobile devices are involved. Therefore users often put themselves at risk without noticing this, as they assume that the data is transferred locally.

19

4. Since Cloud Computing is a service, it has to be accessed remotely. The connection between the Cloud Computing provider and customer is not always adequately protected. Security risks that threaten the transfer line include eavesdropping, DNS spoofing, and Denial‐of‐Service attacks.

5. The paradigm shift in Cloud computing makes the use of traditional risk management approaches hard or even impossible. Irrespective of the fact that control over data is transferred to the Cloud Computing provider, risk management and compliance issues are split between the CloudComputing provider,Internet provider and customer. However, compliance can be seen as oneof the important trust factors between the Cloud Computing provider and customer. Regulatory and legislative compliance is also problematic. Cloud data centres can be geographically dispersed. Therefore legislativecompliance is not currently adequately defined.

6. As all technical control is given to the Cloud Computing provider, customers often want to have an external audit of this provider. Therefore logging and auditing information has to be stored and protected in order to enable verification. Appropriate logging could provide the possibility forForensic investigation in cases of incident.

7. Concerns also exist with regard to deletion of data: It is difficult to delete all copies of electronic material because it is difficult to find all copies. It is impossible to guarantee complete deletion of all copies of data. Therefore it is difficult to enforce mandatory deletion of data. However, mandatorydeletion of data should be included into any forthcoming regulation of Cloud Computing services, but still it should not be relied on too much: the age of a “Guaranteed complete deletion of data”, if it ever existed has passed. This needs to be considered, when data are gathered and stored.

8. Data Protection and Privacy legislation is not even similar in many countries around the globe yet Cloud Computing is a global service of the future. Consequently the problems and risks that affect data protection rules in Europe must be considered properly when Cloud Computing platforms are locatedon servers in non‐European countries.

9. Cloud computing depends on a reliable and secure telecommunications network that assures and guarantees the operations of the terminal users of the services provided in the cloud by the cloud computing provider.

20

Telecommunications networks are often provided separately from the Cloud computing services.

Typical issues with regard to the dependence on the Cloud Computing provider are:

1. A major concern regarding dependence on a specific Cloud Computing provider is availability. If the Cloud Computing provider were to go bankrupt and stopped providing services, the customer could experience problems in accessing data and therefore potentially in business continuity.

2. Some widely used Cloud Computing services (e.g. Google Docs) do not include any contract between the customer and Cloud Computing provider. Therefore a customer does not have anything to refer to if incidents occur or any problems arise.

3. Cloud Computing is a service similar to other more “traditional” services and utilities (e.g. telecommunication, transaction banking, electricity, gas, water, etc.) Both Cloud Computing services and traditional services and utilities tend to be offered by large providers dealing with smaller customers. Therefore the customers usually depend on the providersbecause it is difficult to change providers if it is possible at all.Consequently traditional services (e.g. telecommunication, transaction banking, electricity, gas, water, etc.) are usually regulated with regard to the functionality range (e.g. mandatory functions, coverage), pricing, liability of the provider, and reliability. Cloud Computing corroborates a trend that ICT security is no longer a purely technical issue but an issue between individuals and organisations and thus includes both human and organisational aspects such as management, contracting, and legal enforcement.

21

3. Recommendations:

In particular the following points need to be considered.

1. Risk management and (legal) compliance issues must be well defined in the contract between Cloud Computing provider and customer and should enable transparency with regard to the processing and storage of data, e.g. the physical location of data storage. In this way the trust between theCloud Computing provider and customer can be strengthened.

2. The service provided shall be compliant with the regulation and legislation that the customer needs to follow, and also customers should be enabled to be compliant with the respective regulation and legislation.

3. The problems and risks that affect data protection rules in Europe must be considered properly when Cloud Computing platforms are located on servers in non‐European countries.

4. The communication line between the Cloud Computing provider and the customer has to be adequately protected to ensure confidentiality, integrity, authentication control and further to minimise the risk of denial‐of‐service attacks. An open and clear specification of the measurements taken to ensure the security of the communication line should be obligatory for any Cloud Computing provider and should be based on open and transparent standards and technologies.

5. The Cloud Computing providers should be obliged to ensure data confidentiality.

6. Mandatory deletion of data should be included into potential regulation of Cloud Computing services,but it should not be relied upon too much.

7. The fact that there is no guaranteed complete deletion of data needs to be considered, when data are gathered and stored.

8. In order to guarantee the availability of data, local backup of essential data by customers should be considered.

22

9. Development and better promotion of software that enables local data transfers between devices should be encouraged.

10. The telecommunications network that supports the cloud computing services should be secured and protected against malware and DOS attacks.

11. Adequate logging and auditing should be provided. An external audit can be beneficial for the reputation of the Cloud Computing providers as well as for strengthening the trust with the customer.

12. Non‐professionals (e.g. the usual user) should be educated with regard to the new paradigm. Education should prepare them to make competent decisions on using Cloud Computing services including what information should be transferred into the Cloud and under what circumstances.

13. Professionals should be skilled to manage the new types of risks.

14. Given that some regulation will be needed in the future, e.g. to balance the power between providers and customers of Cloud Computing services, it would be wise to consider its weaknesses and issues before Cloud Computing becomes a critical service or infrastructure. It needs to be checked which of the dimensions of conflict and regulatory potential will be relevant (e.g. the guarantee and liability with regard to confidentiality and integrity of processed data). In particular when a Cloud Computingprovider becomes part of a critical information infrastructure some regulation or limitations concerning their possible takeover by another party may be appropriate.

15. Research on the basic concepts and issues in informatics, security, and privacy and their consequences and trade‐off’s with regard to Cloud Computing should be encouraged. Also issues concerning the possible impact of Cloud Computing platforms on the validity of certification of applications that are certified according to criteria (e.g. Common Criteria, European Privacy Seal, etc.) may need to be investigated.

23

References:

[1] J. Brodkin, Gartner: Seven cloud‐computing security risks, available at:www.infoworld.com/d/security‐central/gartner‐seven‐cloud‐computing‐security‐risks‐853.[2] Cloud Computing Security Considerations, A Microsoft Perspective, Microsoft Whitepaper, 2010, available at: www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3269a73d ‐ 9a74‐4cbf‐aa6c‐11fbafdb8257.[3] Cloud Computing: Benefits, Risks and Recommendations for Information Security, ENISA Report,2009, available at: www.enisa.europa.eu/act/rm/files/deliverables/cloud‐computing‐riskassessment.[4] Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Cloud Security Alliance (CSA)Report, 2009, available at: www.cloudsecurityalliance.org/csaguide.pdf.[5] Amazon Elastic Compute Cloud (Amazon EC2), http://aws.amazon.com/ec2/.[6] Windows Azure platform, www.microsoft.com/windowsazure/.[7] Google Apps, www.google.com/apps/[8] CEPIS Statement, Social Networks – Problems of Security and Data Privacy, 2008,www.cepis.org/index.jsp?p=942&n=963#Social%20Networks

24