Understanding the Risks of Cloud Computing

Download Understanding the Risks of Cloud Computing

Post on 09-Apr-2018




0 download

Embed Size (px)


  • 8/8/2019 Understanding the Risks of Cloud Computing





    Understanding the Risks of Cloud ComputingMaximilian ROBU

    Abstract Last few years were marked by a major IT revolution, the extending world-wide, based on scale economy of the

    major vendor resources, such as IBM or Google. The current economical crisis has affected the IT market as well. A solution

    came from the Cloud Computing area by optimizing IT budgets and eliminating different types of expenses (servers, licences,

    and so on). Cloud Computing is an exciting and interesting phenomenon, because of its relative novelty and exploding growth.

    But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about

    just how safe the environment is. Naturally, raises the issue of security: Is it safe to put our most important data in a cloud? This

    paper analyzes the various security risks that can arise in the Cloud Computing area.

    Keywords cloud computing, risks, security, technology


    loud Computing is a relatively new concept in the ITfield, which marks the evolution and innovation ofthe way the information technology is provided. It

    describes how the technology will be offered in the fu-ture, as a service. Also, it can be considered a funda-mental factor of the evolution of the Internet and how toaccess information.

    The freshness and boost of cloud computing makes itan exciting subject for research. The concept is on thefront-stage of recent publications in the area of informa-tion and communications technologies.

    The cloud computing model allows access, via a net-work, to a preconfigured number of informational re-sources (applications, services, storage facilities, and soon) which can be used with minimal effort and no interac-tion with the supplier.

    The problem appears when our dependency on cloudcomputing increases: as any technology it has its vulner-abilities and the more we use it the more we expose our-selves to these risks.

    The reminder of this paper is organised as follows.First of all an overview of cloud computing concept isgiven. Next the research presents some details aboutcloud computing architecture and services delivered.These are followed by a presentation of risks categoriesthat can appear in the cloud computing area. Finally,some discussions and conclusion are drawn.


    Literature doesnt offer any universally accepted defi-nition or a "founding father" of this topic, there are sever-al approaches of the term.

    One of the most frequently used definitions is the onewho described cloud computing as a style of computingwhere massively scalable IT-related capabilities are pro-vided as a service across the Internet to multiple exter-

    nal customers [15]. This definition presents the cloudcomputing concept referring to any computing capabilitythat is delivered as a service over the Internet.

    National Institute for Standards and Technologies(NIST) [21] and Cloud Security Alliance [2] presentscloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurablecomputing resources (e.g., networks, servers, storage,applications, and services) that can be rapidly provi-sioned and released with minimal management effort orservice provider interaction. This approach leads to aconsumption basis way of pay for IT services just like itnow happens with electricity, gas or water.

    Another interpretation explains cloud computing likean on-demand service model for IT provision, often basedon virtualization and distributed computing technologies.

    Cloud computing architectures have: highly abstractedresources; near instant scalability and flexibility; near in-stantaneous provisioning; shared resources (hardware,database, memory, etc); service on demand, usuallywith a pay as you go billing system; programmaticmanagement (e.g., through WS API) [3].

    As you could probably deduce by now, cloud compu-ting implies a service oriented architecture (SOA) throughoffering software and platforms as services, reduced in-formation technology overhead for the end-user, greatflexibility, reduced total cost of ownership(TCO) and of-fers on demand services.

    Basically, cloud computing represents the IT service,offered via a network, that is designed to be scalable andthus, better adjusted to the customers needs.

    To conclude cloud computing its a result of the con-tinuous expansion of the Internet, we are of course refer-ring to the ease of access to both data and applications,and a new concept that the IT market offers.

    Maximilian ROBU, PhD Student, Faculty of Economics and BusinessAdministration, Alexandru Ioan Cuza University of Iassy.


    2010 Journal of Computing Press, NY, USA, ISSN 2151-9617


  • 8/8/2019 Understanding the Risks of Cloud Computing






    Since cloud computing is a very broad term, it makesthe architecture classification complicated. There isnt anyuniversally accepted model. An example of cloud compu-ting architecture is displayed in Figure 1. Customers con-nect to the cloud from their own computers or portable

    devices, over the Internet. To these individual users, thecloud appears as a single application, device, or docu-ment.

    As you could notice the architecture contains compris-es hardware and software designed by a cloud architectwho typically works for a cloud provider. Usually thisinvolves a number of cloud components that are commu-

    nicating with each other most often over web services.This architecture will then be relayed to the client overweb browser thus enabling him to access the applicationsfrom the cloud.

    Applications of cloud computing can be split intothree types, known as cloud service delivery models [2], [3] :

    1. Infrastructure as a Service (IaaS).2. Platform as a Service (PaaS).3. Software as a Service (SaaS).

    Previously presented services can be integrated intothe architecture which is based on Internet, as you can seein the Figure 2. For every level there are a set of sugges-tive examples.

    The first service from the list, Infrastructure as a Ser-vice (IaaS), allows consumers to rent processing, storage,networks, and other fundamental computing resourcesthat enables them to deploy and run arbitrary software,

    like operating systems and applications. For example, itsworth mentioning various server hosting solutions likeAmazon Web services or BlueLock.

    Platform as a Service (PaaS) is a service that enables

    the consumer to deploy into the cloud, infrastructure,custom-created applications using a specific environmentand toolset supported by the provider. Google App En-

    gine and Windows Azure are two of the most knowntools in this area.

    Software-as-a-Service (SaaS) represents the ability ofthe consumer to run applications into a cloud using asimple interface such as a Web browser. These applica-tions can be everything from Twitter or an importantweb-based email, SalesForce.com or Google Mail.


    When we speak about the cloud computing conceptthe keyword that defines it is cloud. Cloud describesthe use of services, applications, information, and infra-structure comprised of pools of compute, network, infor-mation and storage resources. The scalability of the cloud:up or down, addition of applications is done throughthese components.

    Specialized literature presents several cloud comput-ing models. One of the most important classificationcomes from ISACA (Information Systems Audit and Con-trol Association) [4] and contains 4 major models that arereproduced in Table no. 1.

    Fig. 2. Services that can be found into a cloudsource: Kraan, W, Yuan, L., Cloud computing in institutions, JISCCETIS,2009,http://wiki.cetis.ac.uk/images/1/11/Cloud_computing_web.pdfion.

    Fig. 1. An example of cloud computing architecture.source: http://www.smartcloudsw.com/

  • 8/8/2019 Understanding the Risks of Cloud Computing





    When deciding what type of cloud to use companies

    must take into consideration several factors and of coursetheir needs. It is good to know that public, private or hy-brid do not point to location. Its true that public cloudsare generally on the Internet and private ones on dedicat-ed premises but a private cloud can also be hosted at acolocation facility too. Because companies can rapidlychange their needs they can also choose to use two differ-ent types of cloud if it best fits their interest. For exampleif you need a certain application just for a limited periodof time you will most probably opt for a public cloud soyou wont have to acquire any storage equipment. On theother hand, if we are talking about important softwarethat will be used on a daily basis you will rather deploy it

    in a private or hybrid cloud.


    Moving informational resources to the clouds gives alot of flexibility and efficiency, but also has consequencesin a number of areas that require some thought.

    Although the benefits of cloud computing are wellknown, safety concerns have received less attention. Con-cerning security an important aspect represents the studyof risks that arise from using this technology. Researchhas identified three types of cloud computing risks: poli-cy and organizational, technical, and legal [2], [3].

    5.1 Policy and organizational risks

    These are business-related risks that organizations mayface when considering to choose cloud computing serviceproviders. The most common risks that we can include inthis category are lock-in, loss of governance, compliancechallenges, loss of business reputation, and cloud service

    termination or failure.Lock-in refers to the inability of a customer to movehis applications and / or data away from a the cloud of avendor [5]. The problem found here is the possibility tochange your vendor when you find it necessary. It isworth mentioning that interoperability has improvedamong platforms, application programming interfaces forcloud computing itself are still largely proprietary

    According to European Network and Information Se-curity Agency (ENISA) [3] currently there are few "tools,procedures or standard data formats or services interfacesthat guarantee data, application or services portability"and because of that it can be "difficult for the customer tomigrate from one provider to another or migrate data and

    services back to an in-house IT environment".Customers might be exposed to price increase, reliabil-

    ity issues or the imminent bankruptcy of providers whenchoosing customer lock-in. It is true that for the providersmight prove itself quite a deal. One of the motivating fac-tors for lock-in that is the permanent desire of vendors toincrease the prices for the provided services.

    One other thing worth mentioning is that customersmight be interested in portability from one cloud provid-er to another without much fuss and, some others mightbe interested in using multiple clouds at the same time[11]. Because the cloud computing concept is so new anddidnt reach maturity, not many users have faced this sort

    of problems.One of the top security risks is Loss of gover-

    nance. Customers give the control to cloud computingservice providers on a number of issues that may impacttheir security, mission, and goals. Cloud Security Alliance[2] suggests that businesses are vulnerable when theyentrust their data to a third party, and many things can gowrong.

    Finnie [13] sees cloud computing as a "minefield"when referring to CIOs and IT organizations concerningto loss of control that can lead to low security levels. Thiswill result in the inability to satisfy some requirementsconcerning the lack of confidentiality, integrity or the

    availability of data.Compliance challenges represent the third risk fromthis category. Cloud Security Alliance [2] suggest thatlack of governance over audits and industry standardassessments may leave cloud computing customerswithout a view into the processes, procedures, and prac-tices of the provider in the areas of access, identity man-agement, and segregation of duties non-inclusively leav-ing control risks an unknown quantity.

    Cloud computing service providers need to be moretransparent, so customers can ensure they meet the ap-propriate rules and regulations. If a company is trying toget a certain certification, the acceptance might

  • 8/8/2019 Understanding the Risks of Cloud Computing





    be jeopardize by the fact that the cloud computing serviceprovider can't offer data about their own compliance ormight not accept an audit from one of their customers.

    Loss of business reputation is another important riskthat refers to one customer s bad behavior, one neighborfrom the cloud, that can affect negatively the reputationof the cloud as a whole [5].

    Cloud service termination or failure refers to the fi-nancial viability of cloud service providers. When youchoose a vendor, the financials aspect is a critical issueand should be evaluated [2]

    ENISA [3] also states the possibility to terminate somecloud computing serviced as a result of competitive orfinancial pressures. Because this sort of termination candisturb your business and not only, the Cloud SecurityAlliance [2] suggests an alternative location for the servic-es to be taken on for all cloud computing customers. Thislocation can be either another cloud computing serviceprovider site or the costumers own data center.

    5.2 Technical risks

    When we speak about a subject like cloud computing itis inevitably that we have to speak about some specificrisk, the technical ones. Usually these risks have a direct,technological impact on the cloud computing systems.Such risks include: availability of service, resource ex-haustion, intercepting data in transit and distributeddenial of service.

    Availability of service describes availability of serviceas the number one obstacle to the growth of cloud com-puting.

    When you use a single vendor for cloud computingyou expose yourself to the risk of single point failure. Af-ter all, the provider also has a business that can go wrong,

    depends on different network providers and can also goout of business.

    Resource exhaustion is another risk type that have tobe taken into consideration when we speak about to thetechnical side of cloud computing. Cloud computing ser-vices are considered on-demand, which suggests a levelof calculated risk because resources of a cloud s...


View more >