  • 8/8/2019 Understanding the Risks of Cloud Computing

    JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617

    HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/

    WWW.JOURNALOFCOMPUTING.ORG 72

    Understanding the Risks of Cloud Computing

    Maximilian ROBU

    Abstract: The last few years were marked by a major IT revolution, extending world-wide, based on the economies of scale of major vendors' resources, such as IBM or Google. The current economic crisis has affected the IT market as well. A solution came from the Cloud Computing area by optimizing IT budgets and eliminating different types of expenses (servers, licences, and so on). Cloud Computing is an exciting and interesting phenomenon, because of its relative novelty and exploding growth. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe the environment is. Naturally, this raises the issue of security: Is it safe to put our most important data in a cloud? This paper analyzes the various security risks that can arise in the Cloud Computing area.

    Keywords: cloud computing, risks, security, technology

    1 INTRODUCTION

    Cloud Computing is a relatively new concept in the IT field, which marks the evolution and innovation of the way information technology is provided. It describes how the technology will be offered in the future, as a service. Also, it can be considered a fundamental factor in the evolution of the Internet and of how information is accessed.

    The freshness and boost of cloud computing make it an exciting subject for research. The concept is at the forefront of recent publications in the area of information and communications technologies.

    The cloud computing model allows access, via a network, to a preconfigured number of informational resources (applications, services, storage facilities, and so on) which can be used with minimal effort and no interaction with the supplier.

    The problem appears when our dependency on cloud computing increases: like any technology it has its vulnerabilities, and the more we use it the more we expose ourselves to these risks.

    The remainder of this paper is organised as follows. First, an overview of the cloud computing concept is given. Next, the research presents some details about cloud computing architecture and the services delivered. These are followed by a presentation of the risk categories that can appear in the cloud computing area. Finally, some discussions and conclusions are drawn.

    2 THE CLOUD COMPUTING CONCEPT

    The literature doesn't offer any universally accepted definition or a "founding father" of this topic; there are several approaches to the term.

    One of the most frequently used definitions describes cloud computing as a style of computing where massively scalable IT-related capabilities are provided as a service across the Internet to multiple external customers [15]. This definition presents the cloud computing concept as referring to any computing capability that is delivered as a service over the Internet.

    The National Institute of Standards and Technology (NIST) [21] and the Cloud Security Alliance [2] present cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This approach leads to a consumption-based way of paying for IT services, just as now happens with electricity, gas or water.

    Another interpretation explains cloud computing as an on-demand service model for IT provision, often based on virtualization and distributed computing technologies.

    Cloud computing architectures have: highly abstracted resources; near instant scalability and flexibility; near instantaneous provisioning; shared resources (hardware, database, memory, etc.); service on demand, usually with a pay-as-you-go billing system; programmatic management (e.g., through WS API) [3].

    As you could probably deduce by now, cloud computing implies a service oriented architecture (SOA) through offering software and platforms as services, reduced information technology overhead for the end-user, great flexibility, reduced total cost of ownership (TCO) and on-demand services.

    Basically, cloud computing represents the IT service, offered via a network, that is designed to be scalable and thus better adjusted to the customer's needs.

    To conclude, cloud computing is a result of the continuous expansion of the Internet (we are of course referring to the ease of access to both data and applications) and a new concept that the IT market offers.

    Maximilian ROBU, PhD Student, Faculty of Economics and Business Administration, Alexandru Ioan Cuza University of Iassy.

    2010 Journal of Computing Press, NY, USA, ISSN 2151-9617

    http://sites.google.com/site/journalofcomputing/

    3 AN OVERVIEW OF CLOUD COMPUTING ARCHITECTURE AND SERVICES

    Since cloud computing is a very broad term, classifying its architecture is complicated. There isn't any universally accepted model. An example of cloud computing architecture is displayed in Figure 1. Customers connect to the cloud from their own computers or portable devices, over the Internet. To these individual users, the cloud appears as a single application, device, or document.

    As you can see, the architecture comprises hardware and software designed by a cloud architect who typically works for a cloud provider. Usually this involves a number of cloud components that communicate with each other, most often over web services. This architecture is then relayed to the client through a web browser, thus enabling him to access the applications from the cloud.

    Applications of cloud computing can be split into three types, known as cloud service delivery models [2], [3]:

    1. Infrastructure as a Service (IaaS).
    2. Platform as a Service (PaaS).
    3. Software as a Service (SaaS).

    The services presented above can be integrated into the architecture, which is based on the Internet, as you can see in Figure 2. For every level there is a set of suggestive examples.

    The first service from the list, Infrastructure as a Service (IaaS), allows consumers to rent processing, storage, networks, and other fundamental computing resources that enable them to deploy and run arbitrary software, like operating systems and applications. For example, it's worth mentioning various server hosting solutions like Amazon Web Services or BlueLock.

    Platform as a Service (PaaS) is a service that enables the consumer to deploy onto the cloud infrastructure custom-created applications using a specific environment and toolset supported by the provider. Google App Engine and Windows Azure are two of the best-known tools in this area.

    Software as a Service (SaaS) represents the ability of the consumer to run applications in a cloud using a simple interface such as a Web browser. These applications can be anything from Twitter or an important web-based email service to SalesForce.com or Google Mail.

    4 MODELS OF CLOUD COMPUTING

    When we speak about the cloud computing concept, the keyword that defines it is "cloud". "Cloud" describes the use of services, applications, information, and infrastructure comprised of pools of compute, network, information and storage resources. The scalability of the cloud (up or down, addition of applications) is achieved through these components.

    The specialized literature presents several cloud computing models. One of the most important classifications comes from ISACA (Information Systems Audit and Control Association) [4] and contains 4 major models that are reproduced in Table no. 1.

    Fig. 1. An example of cloud computing architecture. Source: http://www.smartcloudsw.com/

    Fig. 2. Services that can be found in a cloud. Source: Kraan, W., Yuan, L., Cloud computing in institutions, JISC CETIS, 2009, http://wiki.cetis.ac.uk/images/1/11/Cloud_computing_web.pdf

    When deciding what type of cloud to use, companies must take into consideration several factors and, of course, their needs. It is good to know that public, private or hybrid do not point to location. It's true that public clouds are generally on the Internet and private ones on dedicated premises, but a private cloud can also be hosted at a colocation facility. Because companies' needs can change rapidly, they can also choose to use two different types of cloud if that best fits their interests. For example, if you need a certain application just for a limited period of time, you will most probably opt for a public cloud so you won't have to acquire any storage equipment. On the other hand, if we are talking about important software that will be used on a daily basis, you will rather deploy it in a private or hybrid cloud.

    5 RISKS OF CLOUD COMPUTING

    Moving informational resources to the cloud gives a lot of flexibility and efficiency, but also has consequences in a number of areas that require some thought.

    Although the benefits of cloud computing are well known, safety concerns have received less attention. Concerning security, an important aspect is the study of the risks that arise from using this technology. Research has identified three types of cloud computing risks: policy and organizational, technical, and legal [2], [3].

    5.1 Policy and organizational risks

    These are business-related risks that organizations may face when considering cloud computing service providers. The most common risks that we can include in this category are lock-in, loss of governance, compliance challenges, loss of business reputation, and cloud service termination or failure.

    Lock-in refers to the inability of a customer to move his applications and/or data away from the cloud of a vendor [5]. The problem here is whether you can change your vendor when you find it necessary. It is worth mentioning that, although interoperability has improved among platforms, application programming interfaces for cloud computing itself are still largely proprietary.

    According to the European Network and Information Security Agency (ENISA) [3], currently there are few "tools, procedures or standard data formats or services interfaces that guarantee data, application or services portability" and because of that it can be "difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment".

    Customers who accept lock-in might be exposed to price increases, reliability issues or the imminent bankruptcy of providers. It is true that for the providers lock-in might prove quite a deal. One of the motivating factors for lock-in is the permanent desire of vendors to increase the prices for the services provided.

    One other thing worth mentioning is that some customers might be interested in portability from one cloud provider to another without much fuss, and others might be interested in using multiple clouds at the same time [11]. Because the cloud computing concept is so new and hasn't reached maturity, not many users have faced this sort of problem.

    One of the top security risks is loss of governance. Customers give control to cloud computing service providers on a number of issues that may impact their security, mission, and goals. The Cloud Security Alliance [2] suggests that businesses are vulnerable when they entrust their data to a third party, and many things can go wrong.

    Finnie [13] sees cloud computing as a "minefield" for CIOs and IT organizations because of the loss of control, which can lead to low security levels. This will result in the inability to satisfy some requirements concerning the confidentiality, integrity or availability of data.

    Compliance challenges represent the third risk from this category. The Cloud Security Alliance [2] suggests that lack of governance over audits and industry standard assessments may leave cloud computing customers without a view into the processes, procedures, and practices of the provider in the areas of access, identity management, and segregation of duties, non-inclusively leaving control risks an unknown quantity.

    Cloud computing service providers need to be more transparent, so customers can ensure they meet the appropriate rules and regulations. If a company is trying to get a certain certification, the acceptance might be jeopardized by the fact that the cloud computing service provider can't offer data about its own compliance or might not accept an audit from one of its customers.

    Loss of business reputation is another important risk; it refers to the bad behavior of one customer, a neighbor in the cloud, that can negatively affect the reputation of the cloud as a whole [5].

    Cloud service termination or failure refers to the financial viability of cloud service providers. When you choose a vendor, the financial aspect is a critical issue and should be evaluated [2].

    ENISA [3] also states the possibility that some cloud computing services are terminated as a result of competitive or financial pressures. Because this sort of termination can disturb your business and more, the Cloud Security Alliance [2] suggests that all cloud computing customers have an alternative location where the services can be taken on. This location can be either another cloud computing service provider's site or the customer's own data center.

    5.2 Technical risks

    When we speak about a subject like cloud computing, it is inevitable that we have to speak about some specific risks, the technical ones. Usually these risks have a direct, technological impact on the cloud computing systems. Such risks include: availability of service, resource exhaustion, intercepting data in transit and distributed denial of service.

    Availability of service is described as the number one obstacle to the growth of cloud computing.

    When you use a single vendor for cloud computing, you expose yourself to the risk of a single point of failure. After all, the provider also has a business that can go wrong, depends on different network providers and can also go out of business.

    Resource exhaustion is another risk type that has to be taken into consideration when we speak about the technical side of cloud computing. Cloud computing services are considered on-demand, which suggests a level of calculated risk because the resources of a cloud service are allocated according to statistical projections [3].

    It's true that the virtual machines used in cloud computing share CPUs and main memory, but disk I/O sharing proves to be more troublesome. Armbrust [5] states that the main problem with virtual machines and operating systems is that they fail to offer a programmatic way to make sure that all the threads of an application run at the same time.

    The risk of intercepting data in transit is the result of the distributed architecture: cloud computing implies that more data is in transit than in traditional infrastructures.

    Data is viewed as at risk especially when it's in transit, so companies have to ensure that the data is encrypted in all phases [7].

    Encryption should be strong and employ key management that allows customers to keep data encrypted and therefore private [2]. The threat sources worth mentioning here, in the absence of proper encryption, include sniffing, spoofing, man-in-the-middle attacks, side channel and replay attacks [2].

    Distributed Denial of Service (DDoS) attacks represent another risk of using cloud computing services. Douglis [11] raises an alarm concerning virus attacks as this technology grows, heading toward one single interface. It will help the transmission of viruses, or one company that is a hack victim might affect other organizations that share the same cloud.

    5.3 Legal risks

    The last risk category is related to the legal nature of operations in clouds, and can also have a negative impact on an organization that uses cloud computing services. Legal risks include subpoena and e-discovery, changes of jurisdiction, data privacy, and licensing.

    Subpoena and e-discovery refers to the possibility of the confiscation of physical hardware as a result of a subpoena by law-enforcement agencies or civil suits. The result can be the disclosure of clients' data to unwanted parties.

    Changes of jurisdiction can be a high risk for customers' data when data is kept in multiple jurisdictions. Because jurisdictions apply their own laws, the issues and risks of data being unintentionally disclosed will grow in complexity as cloud computing is more widely adopted [2].

    Gatewood [16] stated that the supplier's location and the data location might not be the same. Also, if that data is held in a country that does not honor international laws, the underlined contracts might be disclosed. The same applies to countries that are considered high-risk.

    Data privacy remains one of the longest standing and most important concerns with cloud computing [16]. There are many aspects regarding this specific risk.

    First of all, it's important to know who the person responsible for data privacy is. Generally it's expected that the customer is also the person in charge of processing personal data, even when this type of data processing is being performed by the cloud provider.

    Companies have already been held liable by government agencies in the US and European Union for activities performed by their subcontractors [2].

    Another aspect refers to the fact that information that belongs to an entity may be resident in several locations and coexist with another organization's data [16]. Depending on data type and location, more legal issues concerning data privacy can arise. The safety of financial, intellectual property or health data must be taken into consideration.

    It can be difficult for the cloud customer (in its role of data controller) to effectively check the data processing that the cloud provider carries out, and thus be sure that the data is handled in a lawful way. Violation of the provisions on data security can bring administrative, civil and also criminal sanctions, which vary from country to country.

    Licensing conditions are also a risk: organizations may pay more than desired to license software on systems hosted by cloud computing service providers. ENISA [3] explains that licensing conditions, such as per-seat agreements, and online licensing checks may be unworkable in a cloud environment.

    In the case of PaaS and IaaS services, there is the possibility of creating original work in the cloud, for example new software. Here we can talk about the fact that there aren't laws to protect newly created products, and the original work may be at risk.

    6 CONCLUSION

    In the current economic environment, cloud computing is one of the top technology trends and intends to be the saving solution for optimizing IT budgets.

    Currently, cloud computing is considered the next best thing when it comes to optimizing IT budgets in the current economic environment. It's believed that it will become a key technology oriented at sharing infrastructure, software or business processes.

    According to Pearson, as cloud computing is used more, the risks it involves will arise. It will be wise to place data into a cloud as long as you know the persons that have access to that information.

    The novelty of the concept, the lack of international security-specific standards and the immaturity of this technology have given way to many interpretations of how application security should be treated in the cloud.

    REFERENCES

    [1] ***, CPNI INFORMATION SECURITY BRIEFING 01/2010. CLOUD COMPUTING, 2010, retrieved from http://www.cpni.gov.uk/Docs/cloud-computing-briefing.pdf

    [2] ***, Cloud Security Alliance, Security guidance for critical areas of focus in cloud computing, 2009, retrieved from http://www.cloudsecurityalliance.org/guidance/csaguide.pdf

    [3] ***, ENISA, Cloud computing: benefits, risks and recommendations for information security, 2009, retrieved from http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport

    [4] ***, ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, retrieved from http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf

    [5] Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., et al, Above the Clouds: A Berkeley view of cloud computing, 2009, retrieved from http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf, 28.html

    [6] Barrett, D., Kipper, G., Visions of the Future: Virtualization and Cloud Computing, Virtualization and Forensics, 2010, pp. 211-220, retrieved from www.informationweek.com.

    [7] Brynko, B. (2008). Cloud computing: Knowing the ground rules. Information Today, 25 (10), 23, retrieved from Business Source Premier database: http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direct=true&db=buh&AN=35126515&loginpage=login.asp&site=ehost-live&scope=site

    [8] Cagle, K., But what exactly is cloud computing?, O'Reilly Broadcast, 2008, retrieved from http://broadcast.oreilly.com/2008/12/but-what-exactly-is-cloud-comp.html

    [9] Chonka, A., Yang, X., Zhou, W., Bonti, B., Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks, Journal of Network and Computer Applications, 2010, retrieved from http://www.sciencedirect.com

    [10] Coviello, A., Securing cloud computing is industry responsibility, Infosecurity, Volume 7, Issue 2, March-April 2010, p. 11, retrieved from www.infosecurity-magazine.com/.../rsa-securing-cloud-computing-is-industry-responsibility-says-art-coviello

    [11] Douglis, F. (2009). Staring at clouds. Internet Computing, IEEE, 13(3), 46. doi: http://doi.ieeecomputersociety.org/10.1109/MIC.2009.70

    [12] Everett, C., Cloud computing, A question of trust, Computer Fraud & Security, Volume 2009, Issue 6, June 2009, pp. 5-7, retrieved from http://www.sciencedirect.com

    [13] Finnie, S., Peering behind the cloud, Computerworld, 2008, p. 22, retrieved from Academic Search Premier database: http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direct=true&db=aph&AN=34703832&loginpage=Login.asp&site=ehost-live&scope=site

    [14] Fitz-Gerald, SJ, Cloud Computing: Implementation, Management and Security, INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT, Volume: 30 Issue: 5, 2010, pp. 472-472.

    [15] Gartner Research Definition of Cloud Computing. Cloud Computing: It's the destination, not the journey that is important, DevCentral Weblog, 2008, retrieved from http://devcentral.f5.com/weblogs/macvittie/archive/2008/11/03/cloud-computing-its-the-destination-not-the-journey-that-is.aspx

    [16] Gatewood, B., Clouds on the information horizon: How to avoid the storm, Information Management (15352897), 43(4), 32-36, retrieved from Academic Search Premier database: http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direct=true&db=aph&AN=43659227&loginpage=login.asp&site=ehost-live&scope=site

    [17] Kraan, W., Yuan, L., Cloud computing in institutions, JISC CETIS4A, 2009, http://wiki.cetis.ac.uk/images/1/11/Cloud_computing_web.pdf

    [18] Jaeger, P. T., Lin, J., Grimes, J. M., Cloud Computing and Information Policy: Computing in a Policy Cloud?, Journal of Information Technology & Politics, Vol. 5 Issue 3, 2008, pp. 269-283, retrieved from http://citeseerx.ist.psu.edu.

    [19] Lillard, T. V., Garrison, C. P., Schiller, C. A., Steele, J., Legal Implications and Considerations, Digital Forensics for Network, Internet, and Cloud Computing, 2010, pp. 275-299

    [20] Mansfield-Devine, S., Danger in the clouds, Network Security, Volume 2008, Issue 12, 2008, pp. 9-11

    [21] Mell, P., Grance, T., The NIST Definition of Cloud Computing, Version 15, National Institute of Standards and Technology, Information Technology Laboratory, 2009, retrieved from http://csrc.nist.gov/groups/SNS/cloud-computing.

    [22] Paquette, S., Jaeger, P. T., Susan C. Wilson, Identifying the security risks associated with governmental use of cloud computing, Government Information Quarterly, Volume 27, Issue 3, 2010, pp. 245-253, retrieved from http://www.sciencedirect.com.

    [23] Shipley, G., CLOUD COMPUTING RISKS, InformationWeek, Issue 1262, 2010, pp. 20-24, retrieved from http://www.informationweek.com.

    [24] Subashini, S., Kavitha, V., A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications, In Press, 2010

    [25] Svantesson, D., Clarke, R., Privacy and consumer risks in cloud computing, Computer Law & Security Review, Volume 26, Issue 4, 2010, pp. 391-397, Taylor, M., Haggerty, M., Gresty, D., Hegarty, R., Digital evidence in cloud computing systems, Computer Law & Security Review, Volume 26, Issue 3, 2010, pp. 304-308, retrieved from http://www.sciencedirect.com/.

    [26] Walsh, P. J., The brightening future of cloud security, Network Security, Volume 2009, Issue 10, 2009, pp. 7-10, retrieved from http://linkinghub.elsevier.com/retrieve/pii/S1353485809701096

    [27] Walter, S., Cloud security: is it really an issue for SMBs?, Computer Fraud & Security, Volume 2010, Issue 10, 2010, pp. 14-15

    Robu Maximilian. Currently trying to get my PhD in Economic Computer Science at Al. I Cuza University Iassy, Romania. I'm an information technology enthusiast who's interested in what's new and exciting in today's computer business. I have a Postuniversitary degree in Business Administration System (2010) and an Economic Computer Science degree achieved in 2008, both achieved at the Al. I Cuza University Iassy, Romania. Cloud computing, green computing, ERP systems and their practical implementations are interests of mine, so it was only normal to place my research in these areas.

