Cloud computing is touted as the next big thing in the Information Technology (IT) industry, which is going to impact the businesses of any size and yet the security issue continues to pose a big threat on it. The security and privacy issues persisting in cloud computing have proved to be an obstacle for its widespread adoption. In this paper, we look at these issues from a business perspective and how they are damaging the reputation of big companies. There is a literature review on the existing issues in cloud computing and how they are being tackled by the Cloud Service Providers (CSP). We propose a governing body framework which aims at solving these issues by establishing relationship amongst the CSPs in which the data about possible threats can be generated based on the previous attacks on other CSPs. The Governing Body will be responsible for Data Center control, Policy control, legal control, user awareness, performance evaluation, solution architecture and providing motivation for the entities involved.
National Institute of Standards and Technology (NIST) defines cloud computing as a computing model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) [
Cloud computing has been regarded as the next big thing in the Information Technology (IT) industry. It is predicted that it will have a global impact on how people store and access their data. Apart from storage, it also provides other services which can be utilized from anywhere and at any time. The only concern, however, with cloud computing is the security and privacy issues. As people put their valuable data on the cloud, they are completely dependent on the Cloud Service Provider (CSP) to ensure proper security for their data. Due to large amount of attacks on the data on the cloud, many people have lost their important data and moreover, the confidentiality of their data has been compromised. Therefore, security and privacy are big concern in cloud computing. These issues have been impeding the growth of cloud computing and are proving to be a major obstacle for its widespread adoption.
Cloud service providers try to provide cloud services with built-in security features. They try to build a cloud infrastructure that can withstand any sort of failure whether it is technical, logical or physical. However, there are many factors that can harm the security and reliability of the Cloud infrastructure despite of taking all the necessary steps.
They are generally categorized in the following three layers, in which an organization takes control of the security. These are as follows:
・ Physical Layer: The physical layer of security encompasses many factors.
1) Data Center: This deals with the geographical location of the data center. Locations are chosen in such a way that they are not prone to natural or man-made disasters. No data center will be successful in withstanding severe earthquakes, cyclones, volcanic eruptions etc. and it is best to keep the data center in a place that is less vulnerable to be affected by these factors. Also, location of data centers is kept confidential so that it does not fall prey to external attacks.
2) Biometric Scanning: There are methods such as finger-print scan or retina-scan which allow only selected employees to enter the data center. There are usually very few people that are allowed physical entry inside the area where the data are actually stored.
3) Building: The buildings are generally designed to be a data center from the start. They are built in such a way that they can withstand fires. There are cameras all around the place and alarms that go off in case of emergency. Employees and security guards are present in the data center 24 × 7.
・ Logical Layer: Logical Layer of security deals with the design of the network that is used for providing cloud services. The network is kept secured with the help of firewalls, anti-virus and intrusion detection systems. Companies that provide cloud services do not want to compromise with the quality of the software used, since it would harm their reputation and affect their business. The hypervisors are generally of high standards and these systems are centrally managed and protected.
・ Methodology Layer: This concerns with the security method used at local level in a cloud service provider and it may differ from one organization to another. The main concept of this layer is to assure that various other aspects of security is taken care of. The password that every employee has is made to be very secure and difficult to crack as opposed to some preposterous passwords like “1234” which do not really help in making the system secure. The environment inside a data center is generally very secure and only a few trusted staff members are allowed to make significant changes in the system. The cloud service providers try to give the tasks to trusted staff members instead of outsourcing the tasks.
Organizations are playing a vital role in determining the course of Cloud Computing. If the security and privacy issues continue to remain, then future of Cloud Computing might be in danger. We have to find solutions and controls to the security, privacy and reliability problems in order to make cloud computing a trustworthy paradigm.
As cloud computing offers exciting new opportunities to the companies to expand their Infrastructure, some companies took it to the next level and started providing cloud services. The big names in cloud service providing industry are Amazon, Google and of late, IBM and Microsoft. Oracle/Sun and HP are also not far behind. Google has built the largest Cloud Computing infrastructure with Data Centers existing in Taiwan, Singapore, Finland, Belgium and Ireland apart from various US states. Amazon, besides being a huge online shopping site, is also a big mover in cloud computing revolution. With Microsoft Azure, Microsoft has also entered the Cloud Computing industry. Oracle/Sun, IBM and Rack Space have also tied their future to Cloud Computing. However, the security issues existing in cloud computing also reflects upon the security breaches and attacks to the Data Centers of these companies.
There have been many instances where the Data Centers of the Cloud Service Providers have slowed down or have stopped working altogether. In June 2012, a big storm in North Virginia affected the Amazon’s Data Center. As a result, websites like Netflix, Instagram, Pinterest, and Heroku were down for few hours because they relied on Amazon’s cloud service [
To overcome such security threats, cloud providers try to minimize the risk of attacks by various ways. The whole process of deployment of security is also governed by how they deploy the technology of cloud computing in the first place. The way each cloud service provider deploys the cloud is different from one to another. Therefore, the techniques followed by them are significantly different. For example, as per Cloud Security Alliance Guide [
According to a recent survey [
Some surveys show that malicious attacks (defined as a combination of hacking and insider theft) accounted for nearly 47 percent of the recorded breaches in 2012 in the United States. Hacking attacks were responsible for more than one-third (33.8 percent) of the data breaches recorded [
According to a survey by Open Security Foundation [
As we discussed earlier, the main concern in cloud computing is of security and the security issues in cloud computing remain the chief obstacle that may prevent its widespread adoption. As more and more data is being migrated to the cloud, there have been more attacks, such as Denial of Service and Authentication attacks. For example, the increase of Internet-capable devices creates opportunities for remote hacking and data leakage. More cloud adopters have been at the receiving end of cloud infrastructure security incidents as compared to traditional IT infrastructure security events. These security incidents and data breaches can have financial consequences on a corporate organization [
In traditional outsourcing, service providers are commissioned to handle data, system and process actively for the user according to the organization’s mandate. However, cloud computing has a self-service nature, where users pay for pre-packaged IT resources made available by the cloud providers, using which they process data or other jobs on their own in a self-service fashion. In such cases, the users use infrastructure/resources supplied by the provider, and don’t need to own them. Unlike outsourcing, service providers who act actively, cloud providers can be considered as agents who help users to process data and perform other jobs. Cloud providers can, at most, store data passively that the users decide to store on the provider’s infrastructure, which is readily retrieval as and when needed.
Shared infrastructure/environments and economies of scale are what drive the public cloud computing providers instead of tailor-made infrastructure to fit the needs of every customer. Though customization of the service is possible in some cases, it would cost additional time and money.
The organization exercises better control over the service provider in traditional outsourcing due to the body of knowledge related to process and systems. Due to one size fit all nature and type of service in the cloud, it’s often seen that organization lose control on the cloud providers and struggle with the use of resources on the cloud.
Although, a substantial number of studies already exist on Cloud Computing, it is still unclear how or whether CC differs from the traditional concept of Information Technology Outsourcing. The risks that persisted in IT Outsourcing has just been transferred to Cloud Computing. Security is a prime concern while outsourcing the IT resources of a company and the third party organization that provides outsourcing cannot be trusted blindly with confidential data. Although many service providers are scrupulous about securing their facilities but there may still be risks persisting. The facility has to be secured both on the physical as well as the logical level. All these security risks and privacy concerns can be associated with the issues persisting in cloud computing.
Eric and Yuanyuan [
・ Vendor Lock-in: The risk of interoperability persists in cloud computing. Client find themselves locked-in to a specific cloud provider, unable to transition from one provider to another, or finding a lack of interoperability between their existing in-house infrastructure and cloud based services.
・ Security and privacy of data: The data that is stored on the client’s servers, the client retains control over the security of the servers. But where client data is given to the cloud provider to store, it is stored by the cloud provider in multiple data centres across multiple jurisdictions. Google, for example, has data centres in the US, Europe, Russia, South America and across Asia. Whilst storage across multiple locations may distribute the risk of a single point of failure, it also creates multiple possible points for intrusion.
・ Undermining of the confidential data: Concerns regarding security, privacy and integrity of data are further exacerbated by little and/or inconsistent regulatory framework regarding the privacy and security of data. In some countries laws give government agencies a right to inspect data held there and privacy law safeguards are unknown. This clearly undermines the confidentiality of the data stored in the cloud.
Compared to traditional IT environment, security deployed at every level in the cloud environment must be different while considering the security needs for each level. Chow et al., [
Per our literature review, common security issues that arise in cloud computing can be classified broadly into six areas:
・ Infrastructure: This concern is mainly related to the physical security provided by the cloud service provider. Cohen [
・ Data: The 2011 Ernst and Young Global Information Security Survey [
・ Access: Jansen and Grance [
・ Availability: To ensure availability to all the users, that try to access their account or data, the cloud service must scale itself according to the number of users. The number of servers increase or decrease to keep up with the traffic. This scalability feature is performed either automatically by the cloud providers’ servers through knowledge learning or manually by prompting the administrator to do this. This however, will not ensure that a cloud can handle any amount of traffic that comes its way. SAP’s CEO, Leo Apotheker stated: “There are certain things that you cannot run in the cloud because the cloud would collapse. Don't believe that any utility company is going to run its billing for 50 million consumers in the cloud.” This raises another issue that in case of huge traffic caused by DoS attacks, the cloud might just collapse and for that time the users will not be able to access their data.
・ Compliance: Several organizations such as SAS 70 and ISO 27001 put forth regulations from the security audits, operation traceability and data location perspective. Cloud providers are supposed to follow these rules & regulations in order to ensure security of the cloud. Users need to be completely aware of what all rules and regulations are followed by their cloud provider. There have been many instances such as the case of Google Docs in March 2009, where full security and data safety audit reports were not made public and data integrity was allegedly compromised by improper access [
・ Role of Users: The customers also play an important role in determining the course of cloud computing. Cloud adopters need to trust the cloud providers and understand that until the technology is fully matured, that cloud computing customers will need to make every effort to protect the information consciously. Reed and Bennett [
1) The biggest risk that the technology faces today is Users.
2) Shadow IT is an on-going risk and generally introduced by such employees who have no concerns beyond their own role in considering the risks involved in the solution provided.
3) Experienced teams often roll out new technologies, but there still exists the risk when traditional security practices are ignored or adapted to the new environment.
4) Attackers will always go after the valuable things and it may not be money itself.
5) A single security standard is unlikely to save you.
・ Related Solutions Proposed in Literature: There are few organizational control perspective solutions proposed in the literature to address the issues discussed earlier. Organizational control will help to manage the overall services of the cloud service provider and in return, reduce the security and reliability issues of cloud computing. The cloud computing governance model by Guo, Song and Song [
In the territory of compliance management, Matthews et al. [
The security risks in cloud computing can be reduced by specifically outlining the attacks and threats which may be considered as malicious. Ristenpart et al. [
Another organizational control is punishment, which is carried out to reduce the undesirable behavior of employees such as non-compliance to the safety regulations and rules. Punishment is generally considered as a very effective way to produce behavior change. As a management tool within organizations, punishment is defined as “the application of a negative consequence to, or the withdrawal of a positive consequence from, an employee” [
All the solutions mentioned above are very limited and specific to some particular areas of the cloud computing industry. Acting on these specific details from outside will be very painstaking and time consuming. Therefore, we need to come up with such a solution that integrates all these methods and binds them into a unit that will control all the proceeding in the cloud environment. We will call it the Governing Body. This will help to bring some kind of Organizational Control in the cloud environment and reduce the security and reliability issues persisting in cloud computing.
There is a need for the cloud providers to hide some security related information, as they need to keep all the information about the security procedures confidential in order to minimize any security breaches. Do we have any reference to substantiate this claim This lack of transparency results in the cloud customers losing trust on the cloud providers. As a result, customers are reluctant to store their valuable data on the cloud, which undermines the potential of cloud computing. Our framework approach to solve these issues is by the formation of a governing body which will act as an interface between the cloud providers and cloud end users and provide organizational control. The governing body in our framework is unique compared to the existing infrastructure due to the following reasons: This governing body will be an independent unit and will not be influenced by any of the two entities involved. It will be responsible for any and every actions that take place inside the cloud environment. Various cloud providers will need to register themselves to the governing body and then that body will assess all the procedures and methodologies involved in the technology.
In general, this Governing Body will be responsible for risk assessment & management, security performance evaluation, policy, audit and compliance with respect to the deployment of cloud layer. The Governing Body is different from the existing infrastructure as it will not be limited to just assessing the conditions. In addition, it will also provide solutions and alternatives to the customers in case of any issues that takes place in the cloud environment whether it is due to technology failure or any external factors.
As shown in
Governing body will be responsible for the operations inside the cloud environment. By migrating applications to the cloud, the risk factors increase. The traditional data control methods need to be modified in order to cope with the security and privacy challenges associated with the cloud environment. The entity that is at most risk inside the cloud environment is data center. The data center is a centralized location, where the entire customer’s data are stored. Hence, cloud providers need to ensure that no security breaches take place inside the data center. To achieve this, the governing body should continuously monitor the possible security related threats and the products/solutions available to counter those threats, procure and implement them. For instance, some of the solutions include data replication facilities with hot site disaster recovery service. The governing body would need to ensure that the data centers are safe and secure and that all the data that resides inside it, must be backed up to ensure the business continuity in case of disaster. Disaster recovery and business continuity is one thing that every cloud provider promises. However, to ensure it gets implemented and operates in a right manner, there needs to be a centralized authority to get them implemented.
The security features that are included in the cloud environment are very important to determine the level of security present in the cloud. The security policy that will be drafted by the governing body will be responsible for all the layers of the security features that will be included in the cloud. For example, the security policy shall specify the use of firewalls, anti-virus, type of virtualization and the hyper-visor used to achieve the secure cloud
functionality. It is to be noted that the above features may vary depending upon the budget of the cloud provider, which in turn will reflect in the use and adoption of that cloud. We suggest that the governing board and the cloud provider would jointly determine the security features to be included. Only an outline of the features will be discussed between the two and once the cloud is deployed, the governing body would validate to see if all the features discussed before have been implemented.
The governing body will need to specify all the procedures and methods that a cloud provider and user follow to ensure the security and privacy of the cloud. The governing body needs to filter and provide information to users in such a way that the users are aware of the security features and at the same time, no confidential information is leaked. Our automated control framework described in next section, ensures that based on triggers, central body convey right information at right time to right parties involved in the environment in an automated fashion. This will ensure removal of the lack of transparency in communicating security features, such that users are able to trust the cloud providers.
There are a number of jurisdictions and laws that apply to cloud computing. Laws vary from place to place and generally the data centers of a cloud provider are located in different countries or may be different continents. To gain knowledge and abide by all the laws of different location can be very difficult to cope with. For example US Patriot Act can be applied to foreign organizations that use U.S based cloud provider. Per US Patriot Act the Governmental authorities only may access cloud data pursuant to the Patriot Act to 1) “obtain foreign intelligence information not concerning a United States person” or 2) “protect against international terrorism or clandestine intelligence activities”. Even a single law broken may affect the organization in many different ways. These laws and jurisdiction vary from geographical locations to the methods involved in the cloud computing and allowing the personnel to enter or work in the facility. Complying with all the jurisdiction and laws is a very time consuming job and may reflect in the efficiency of the cloud. Therefore, by outsourcing and letting the governing body take care of all the legal matters, the cloud provider can redirect the resources to ensure their cloud services are safe, secure and efficient and at the same time ensure all the jurisdictions and laws are followed.
One of the parameters to evaluate the performance of the cloud is the number of security breaches and attacks to determine the performance of the cloud. Governing body should assess the performance of the cloud environment based on the security parameters and draft a report that will determine the efficiency of the cloud. This will help users in determining what all security features are being ignored by the cloud provider and help them make decisions by providing the right choices. The performance evaluation of the providers would motivate the good providers to increase their trust score with the governing body, compared to those providers who can try to negatively affect the organization. This will also help the governing body to rank the providers based on the provider’s trust score. The cloud providers will also benefit from this evaluation, as they will get to know the limitations and the disadvantages in their implementation of security controls in the cloud computing environment and redirect the resources where the attention is needed. With the help of the performance evaluation functionality, the factors that caused attacks and threats can be identified and response strategies cab be applied to remove those threats and attacks, to ensure the cloud is safe and reliable.
The governing body shall not only be responsible for the policy, monitoring, evaluation and legal controls but also responsible for providing solutions to the customers: providers and end users. For example, following are some of the problem samples that the governing body shall be responsible for providing solutions: 1) Customers lost their data or are unable to access their data due to the occurrence of mishap in the cloud environment. 2) If a Cloud Provider goes bankrupt or due to some other factors and decides to shut down some of the data centers, many users’ data will be at risk. At that point of time, the governing body will be responsible for providing alternative solutions to the users. The solution might range from migration of data to some other cloud provider or giving all the data back to the user so that they can manage it themselves in their internal IT environment. This results in tighter organizational control for the resources, which is the governing body’s mandate.
In a large organization that caters to the needs of millions of customers, there could be many unsatisfied customers, who often file legal complaints or threaten to damage the reputation of the organization in some way or the other. Disputes and conflicts may also arise between two or more cloud providers, due to the disagreement over the issues. Disputes in IT industry are very common and there have been a number of incidents where some company adopted someone else’s ideas to develop their own product. For instance, recently Microsoft sued Salesforce.com for the cloud computing patent infringement. In this case, the governing body will make sure that the conflicts and disputes are solved through our framework. This is done with the help of threat index, which we introduced in our framework. The threat index is computed by the security parameters, of which conflicts and disputes are part of it.
The proposed framework ensures that the entities involved: Cloud provider, governing body and the end user are motivated to participate in the operations. The motivation for the governing body is in the satisfaction on its leadership service to control the cloud operation between the cloud provider and the end user successfully in a secure manner. The Governing Body will also hold the power to send a warning or shut-down a cloud provider if the cloud provider fails to comply with most of the regulations set by the Governing Body. The cloud provider can also be warned if its recent methods to secure the cloud are proving to be ineffective or even dangerous. In this case, the cloud providers might be reluctant to support the Governing Body and might even question its existence as it is harming them in one way. On the other hand however, by complying with all the regulations set by the Governing Body, they will ensure quality in their functioning and therefore will attract a large number of customers. In this way, the Governing Body can prove to be a negative factor to those who aren’t securing their technology properly and can also prove to be massively beneficial for those who are abiding by all the rules and regulations of the Governing Body.
As a result, the cloud providers who are detrimental to the needs of the user are marginalized and the cloud providers who are sensitive to the secure operations of the cloud become successful in their operations. This also ensures that the provider works collaboratively with the governing body to ensure its success in its existence.
Thus the governing body provides organizational control to the cloud environment by keeping track of all the activities going on and providing solutions as and when required. By establishing a central body, cloud computing will become organized and managed by ensuring right information is conveyed at right time to right parties. Thus, through this governance control framework enabled governing body, which is trusted by both the cloud provider and the end user, we can eliminate the lack of transparency that exists between the user and the cloud provider. As the end users perceive security and transparency in the communications, with minimal conflicts and disputes, they would be motivated to participate in the clouds computing activities (
The functionalities that were discussed earlier can be achieved by our framework, as shown in
Security Challenges | Method(s) |
---|---|
Data Centre | 1. Design a basic layout for the Data Centre such that secure cloud services are provided by cloud provider to the user 2. Continuously monitor security related threats and provide solutions such as data replication and hot-site recovery service, if the need arises |
Policy Creation and Control | 1. Security policy will be drafted by Governing Body to ensure the security at all layers 2. Cloud Provider and Governing Body will collaborate to implement and control the features in the security policy. |
User Awareness | 1. The governing body will need to specify all the procedures and methods that a cloud provider and user need to follow 2. Filter the information and make the users aware of the security features without leaking any confidential information. 3. central body convey right information at right time to right parties involved in the environment in an automated fashion |
Legal Control | 1. Governing body would acquire global laws pertaining to the cloud operation and take care of all the legal matters related to global cloud operations so that the Cloud Provider can focus its resources on making the cloud safe, secure and efficient. |
Performance Evaluation | 1. Assess the performance of the cloud provider based on the security parameters and estimate the efficiency and the threat index of the provider’s operations. 2. Governing Body will then rank all the cloud providers based on their efficiency. |
Conflict and Dispute Resolution | 1. This will be done with the help of threat index that computes security parameters of which, conflicts are a part. 2. If the cloud provider is found guilty in a dispute, its license will be revoked. |
Cloud computing is purported to be the future of the IT industry. Cloud computing marks a true paradigm shift in how the computing would happen in the future and cloud computing is likely to have the same impact on IT industry that foundries have had on the manufacturing industry. However, one thing that proves to be the biggest obstacle in its course is security issue.
Security issues vary from physical and legal level involving data centers and geographical locations to methodological level involving the policy and logic used in deploying the cloud to technical level involving the technology involved in implementing the cloud. This has prevented cloud computing from its widespread adoption.
From an organizational control perspective, we provided an automated control framework comprised of independent governing body that will mediate between the cloud provider and the user. Governing body will be responsible for ensuring the security of cloud based data center, implementation of a secure policy & control, increase the user awareness about security methods deployed, handling the legal matters, resolution of disputes, evaluation of performance and providing solutions for the end user. We have described a framework, which computes threat index based on the security parameters, that the governing body could apply to fulfill their responsibilities and use in the planning the implementation of the security policy to keep the organization in control from the cloud computing security and privacy issues.