Risk and Threats of Cloud Computing Services - Research Paper Example

RISKS AND THREATS OF CLOUD COMPUTING SERVICES IN BUSINESS ENVIRONMENTS INTRODUCTION Today, the concept “Cloud” has become a new mechanism for delivering any resources such as applications, computing and storage to customers on demand. Rather than being a new technology in itself, the “cloud” is a new model wrapped around new technologies, such as server virtualization, that take advantage of economies of scale, standardization, and multi-tenancy to reduce the cost of using information technologies resources. “Cloud” computing is a very promising direction of ICT industry development and offers tremendous opportunities for all its strengths in increasing efficiency of business development, (Armbrust, and Griffith, et al., 2009). Inspite of the varied horizon being offered by the cloud computing services, most of the enterprises are skeptical about the safety of the cloud environment and are less willing to take the risks.  In order to maintain the clientage and market competitiveness, cloud service providers must learn from the managed service provider (MSP) model to guarantee secure services to their clients along with increasing virtualization service efficiencies, (Foster, 1998). Further, the companies that are opting for cloud services are unaware of the unidentified risks existing within the cloud environment. The research proposal will focus on the existing security issues regarding cloud computing environments and the techniques that can be employed by these companies for ensuring data safety and compliance regulations.  Also, how the client data is protected within the various cloud computing infrastructures will also be studied in detail.  The three individual service delivery models of cloud computing are usually referred to as the Software, Platform and Infrastructure. a. Software as a Service (SaaS):  The ability of the cloud computing model to offer its clients / users to utilize the service provider’s applications which run on a cloud model infrastructure and these applications can be accessed by a number of clients through a system interface, for example a Web browser , web based email system. The user is free of responsibilities such as to manage the infrastructure, web servers, operation management and applications, data storage server maintenance, and network application tasks. b. Platform as a Service (PaaS): The cloud computing PaaS model offers the user the facility to deploy itself on the computing infrastructure which is built according to the user related applications with the help of programming languages like java, .Net, etc.). As already stated before, the user does not have to manage the infrastructure of the cloud computing service, but the user has full control over could compute applications and environment configurations and can change or edit as per requirements.  c. Infrastructure as a Service (IaaS): in this model for cloud computing, the client rents the various resources like the storage centers, system network, and other computing applications, which assists the client to set and run random software, also consisting of application software and operating systems.   Also in this case similar to PaaS, the client does not has control of the cloud infrastructure, but can manage the operating systems, storage, deployed applications, and probably decide on networking mechanism (e.g., firewalls, load balancers), (Baker, Apon, Ferner, and Brown, 2005). Taking the concept of Saas further, industry has proposed a new model IT-as-a-Service, (ItaaS), which will assist the IT departments to function as a separate entity and become more premeditated while taking operational decisions. For these enhancements in services and infrastructure transformation, companies have adopted Information Technology Infrastructure Library (ITIL) structure for better management of their IT assets by enhancing productivity, reliability, cost cutting, transparency and driving up success rates. The various types of applications offered by cloud computing like pay-as-you-go services, development platforms, processing power, storage space, and definitely possess the ability to change the face of IT in the years to come. But the security fears have held the companies for long to enter into the cloud market which has been estimated at more than $100 billion in the next 10 years, (Armbrust, and Griffith, et al., 2009). Even though there is a noteworthy advantage to leveraging cloud computing, safety measures have led companies to be indecisive to shift significant assets to the cloud. To lighten these apprehensions, a cloud solution supplier be required to guarantee that clients will persist to get the equivalent safety and privacy controls for their applications and services, make available confirmation to clients that their services are protected and they can meet their service-level agreements, and can prove observance to auditors as well. This study aims to target these security concerns and offer suitable recommendations for maintaining security and compliance integrity within cloud computing.   LITERATURE REVIEW To determine the evolution of the “cloud” technology, existing literature on “Cloud” computing was surveyed and a close tab kept on current information related to different players in the “Cloud” computing space. “Cloud” computing resources from some of the providers and vendors were used to understand usage of these services and how these services would be used to run applications. Various theories were applied ranging from Christensen and Raynor’s theory of Disruptive Innovation [5][1] to Charlie Fine’s theory of Clock Speed [3] to determine the evolution of the “Cloud” computing technology and the evolution of the software ecosystem. The appearance of the first technology, close to the modern understanding of the definition “Cloud computing”, is attributed to the company Salesforce.com, founded in 1999. It was a first proposal of a new type of b2b product “Software as a Service” (SaaS). Salesforce’s success in this area aroused interest among the giants of the IT industry, who quickly reported their research in the field of “Cloud” technology. And now the first business solution called “Amazon Web Services” was launched in 2005 by Amazon.com, which since the dot-com crisis, had been actively involved in the modernization of its data centers. Next, the technology was gradually introduced by Google, starting with the 2006 proposal b2b SaaS services under the name “Google Apps”, and later models of the platform as a service (PaaS), entitled “Google App Engine”. And at the PDC 2008 Conference, Microsoft announced its proposal under the title “Azure Services Platform”. In the opinion of established market and trend analysts [1, 6, 10, 13, 19, 20] the release of Microsoft Azure Service Platform started a new round of Web technologies development and raised “Cloud” computing to new levels. Researchers [8, 16] and analysts of large companies Gartner, IDC, The 451 Group, ABI Research, Forrester / Jupiter Research, Burton Group, etc. [1, 6, 10, 11, 13, 19, 20] suggest their understanding and give their definition of this concept as “Cloud” computing. However, analysis of these definitions, studies and scientific papers allowed me to conclude that all these definitions are very similar. Therefore the analysis of literary sources allowed me to conclude that “cloud” computing designates the technology of data processing, in which computing resources and power is granted to the user as a Web service. The user has access to his or her own data, but can not control – and does not have to worry about – the infrastructure, operating system and proprietary software, with which he works. The definition “cloud” is used as a metaphor, based on the image of the Internet on a computer network diagram, or as an image of a complex infrastructure, which hides all the technical details. Reviewing the control of users on their information and assets within the cloud, Data protection offices and authorities have been worried over the implementation of laws like the Sarbannes-Oxley Act, which administers the corporate financial reporting, and the Health Insurance Portability and Accountability Act, which lays down rules for protection and confidentiality of the health records. Clients and users need to be assured that their personal and professional data is stored and about them stored and computed upon as per the regulations and the promises that companies make, (Joseph, Ernest, and Fellenstein, 2004). The achievement of cloud computing services may possibly depend upon whether these concerns about safety and privacy can be resolved for the cloud computing environment. There are a number of security concerns regarding cloud computing, which are preventing many companies from implementing this new service technology. Experts have stated that security is the major concern for the companies which can be categorized into three different types of security concerns. Jurisdiction – Cloud computing poses a major challenge regarding data safety. Experts question about the data protection and data privacy laws that will be applicable in case when a company stores its data in the cloud environment. Further the jurisdiction laws applied upon the international transfer of cloud data and how the determination is made upon the data transfer are issues that are faced by companies, (Armbrust, Fox, Griffith, et al. 2009). Cloud Computing Services allow for the access and computing of data from anywhere across multiple jurisdictions, simultaneously. The existing data protection laws allow linear transfers of information currently, but these laws are still undecided in the case of cloud computing. For example, data transfer and security laws like EU Data Protection Directive (EC/95/46) may not seem to assist the case and it would be more difficult to implement data security in the cloud environment. The European clients using a particular cloud environment face this challenge of data transfer as they need to make sure the data transfer is safe for processing outside Europe, (Armbrust, Fox, Griffith, et al. 2009). In many cases, European companies need to obtain a permit in order to transfer data outside Europe explaining the means, goals, destination and safety techniques applied for the data transfer. Security – the other major concern related to cloud computing is the security of the entire network. It is important that all the companies should follow strict security norms whether they are in the cloud or prefer traditional data processing centers. The issue of safety has risen due to the dynamic nature of the cloud computing environment. However, the fast rate at which cloud computing offers its services is an advantage to the clients. This factor of speed and flexibility has raised concerns of security for the cloud environment. The concern of data security is prominent in the case of European data security context issue. In the case of European data protection, the party which controls the data is responsible for the collection and processing of personal data, even when a third party is processing the data, (Chor, Kushilevitz, Goldreich, and Sudan, 1998). The European Union data protections laws require that the data controller makes sure that the third party, who undertakes the processing of data, takes adequate safety measures in order to safeguard the data. The EU data protection law necessitates a contractual provision between the data controller and data processing party and controllers typically seek to monitor whether this obligation is fulfilled by undertaking an audit or conducting due diligence inquiries. However with the increasing security concerns due to the cloud computing services, the EU data protection authorities have been actively enforcing safety rules and other compulsions against controllers, irrespective of whether the data are processed by a third party on the processor’s behalf, (Shi, Bethencourt, Chan, Song, and Perrig, 2007). Recently, following in the steps of the EU protections laws, the United States Data Protection laws have also made it compulsory for the cloud computing users and service providers to give in writing reliable techniques and ways that will be employed in order to safeguard the personal data and other customer information. Fair Data/Information and Practices International Data Transfer - The capacity to abide by the fair information practices in the data protection industry is decisive to the capability of the organizations to accomplish official requirements and meet the safety concerns of the clients regarding their data safety.  To preserve the faith of the clients and users, it is important that the cloud computing regulators meet their commitments under law, directives and the requirements of their confidentiality policies. The resource data that is present in the cloud must be used as per the rules laid down for information sharing, and transfer as per customer and user preference. As per the rules laid down by the European Union Data protection authority, it is often required that the data controller must inform the client about the destination of data processing. In most of the cases, data processing is usually carried on in another country, for which should be informed to the client of the cloud computing service, (Shi, Bethencourt, Chan, Song, and Perrig, 2007). Clients from almost every industry ranging from financial services to hospital and medical care are moving their database into cloud environment. Moreover, another concern that arises here is the extent of outsource to public clouds which will be done based upon the computing capacity and the security issues. Security-as-a-Service as the latest form of MSSP - During the mid 1990’s, Managed security service providers (MSSPs) like Exoduc, and Global Crossing were the main security providers who dominated the security solutions market for outsourced hosting environments. MSSP offered some information security management and event management services to their customers. These services included VPNservices, firewalls, spam / virus contrl, and some system control and chnages. With the increasing reluctance of companies,  the MSSP market witnessed a downfall. Howevere, with the increasing trend of cloud computing, MSSP have rejuvenated with a new concept of Security-as-a-Service (SaaS) similar to other cloud computing services which does not requires the users to give away full control of their assets within the cloud. This new concept aims to target new threats within the cloud environment with anti spyware and antivirus, scanning, service patching, interface solutions,  asset and authentication management. This new concept will be studied in the research in detail and how this may benefit the cloud computing service providers and clients by safeguarding them from threats and risks present within the cloud environment. Also, another concept of Secure Software Development Life Cycle (SecSDLC), which helps to identify the risks and subsequently develop controls by design to prevent those risks, is also an interesting subject of study which will be referred to in detail during the research. SecSDLC consists of 6 stages – Investigation, Analysis, Logical design, Physical design, Implementation and Maintenance. Accountability Model for Secure Computing - The theory of accountability is not fresh, even if its application may perhaps be new to the industry. The Association for Financial Assistance and Development Guidelines’ accountability model rests the responsibility of abiding by the laws and measures to the data controller, (Narayanan, and Shmatikov, 2008). Similarly, the Asia Pacific Economic Collaboration outline clearly expresses the accountability model and associated laws more clearly than given by the OECD Guide lines. The Canadian confidentiality rule, the individual Information security and Electronic Data Act (PIPEDA), take account of accountability as its foremost standard, and Canadian Privacy Commissioner Jennifer Stoddart lately released regulation on the subject of accountability in data transfers within the cloud computing environment. A comparable conception of accountability is also given by the European Commission’s Binding Corporate Rules mechanism which governs the European Data transfer to international cloud computing companies, (Raywood, 2009). Further, Encryption and key management is also a part of the accountability model which will also be studied in detail. Heavy encryption and bold key management are some of the possible techniques that the cloud computing companies and service providers must use to ensure the safety and privacy of the clients data, (Boneh, Crescenzo, Ostrovsky, and Persiano, 2004). AIM The main aim of my research will be to develop a risk management plan in case of disaster for the IT related infrastructure recovery. The research will clearly focus on the various risks that are faced by cloud computing providers and customers and recommend suitable methods and technique for the same. Also, disaster recovery the plan will consist of planning for the non IT related aspects of cloud computing like key personnel, facilities, crisis communication, and reputation protection, and infrastructure recovery. The risk management plan will be a process consisting of policies to be followed and methods that will concern the recovery of data / infrastructure that is a result of any damage to the cloud environment. The other secondary objectives of the research are – 1.      What are various types of cloud computing models employed by businesses? 2.      What are the risks associated with “Cloud” computing services in business environments? 3.      What are the possible methods to safeguard company information and other cloud environment related risks that exists within business environments? 4.      What are the limitations and future research options available in enhancing the risk mitigating techniques for the cloud environment? RESEARCH METHODS The preferred scheme is to conduct case studies in organizations that implement any kind of cloud computing services and study the existing influence, risks, concerns and achievement of the technology. Primary Data Collection Process This part of the research design is based upon collection of results that exist in the present form of system. The emphasis will be mainly upon data collected from those fields which could be improved with the help of a new model to provide firms with a competitive advantage.  So, the preferred scheme is to study the literature, case studies, and articles on the subject of “Cloud” computing and the related organizations that implement any kind of “Cloud” computing models, and study the existing influence and achievement of the computing techniques before and after the employment of suggested improvements. In my research I’ll study the types of approaches they use, and the risks that are faced for the various activities like optimization, modeling, decision support, implementation and data collection. Further, is possible some companies who have implemented “Cloud” computing will also be referred to. The IT department the chosen companies will be analyzed by taking access to their company profile and information as available on the internet and other sources of information regarding the companies. If this information were not available on the web, an e-mail interview may also be initiated to be sent to the companies regarding the risks involved in “Cloud” computing and the recommendations that can serve the purpose. The literature, articles, and other relevant material that are collected as a part of the data will be worked upon in detail. As a part of my research, I am also planning to conduct a survey of some companies that have employed certain risk management techniques to remove the glitches present in the cloud environment and enhance business efficiency to higher levels. CONCLUSION Cloud computing is the most popular concept that has come up lately in the IT industry today. With this new revolution, it is important that the designers study the cloud computing theory in details and research ways that guarantee data privacy and security at all costs. Moreover, the next generation of computers along with their supporting infrastructure should be designed in manner compatible to cloud computing service environments. The reference of an accountability model suitable for cloud computing safety has been discussed in the paper with a further enhancement of the model through encryption and key management techniques in the face of constantly new threats arising for the users of cloud computing.    TIMELINE  Project Plan - Master Schedule expressed in weeks Week number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Project Design                                     Establishment of Framework of Analysis                                     Data Gathering Phase                                     Data Analysis                                     Discussion                                     Conclusion/Wrapping Up                                       REFERENCES  1. Foster, C. Kesselman, The Grid: Blueprint for a new Computing Infrastructure, Morgan Kaufmann Publishers, San Francisco, CA, 1998.  2.  J. Joseph, M. Ernest, and C. Fellenstein, Evolution of grid computing architecture and grid adoption models, IBM Systems Journal Vol 43, No 4, 2004.  3. M. Baker, A. Apon, C. Ferner, and J. Brown, Emerging Grid Standards, page.43-50, IEEE Computer, April 2005.  4. Armbrust, M., Griffith, R. et al. Above the Clouds: A Berkeley View of Cloud Computing. UCB/EECS-2009-28, EECS Department, University of California, Berkeley, 2009. 6. Chor, B., Kushilevitz, E., Goldreich, O., and Sudan, M. Private Information Retrieval. J. ACM, 45, 6 (1998), 965-981. 7. Shi, E. Bethencourt, J., Chan, H., Song, D., and Perrig, A. Multi-Dimensional Range Query over Encrypted Data. In IEEE Symposium on Security and Privacy. 2007 8. Narayanan, A. and Shmatikov, V. Robust De-anonymization of Large Sparse Datasets. In IEEE Symposium on Security and Privacy. IEEE Computer Society, 2008. 9. Raywood, Dan, “Data Privacy Clarification Could Lead to Greater Confidence in Cloud Computing”, Secure Computing Magazine (UK), March 9, 2009.     Read More