Privacy and Security in Cloud Services - Literature review Example

PRIVACY AND SECURITY IN CLOUD SERVICES Abstract Computer technology never ceases to amaze especially in its rapid development. For the a few decades past, the advent of the Internet seemed like the ultimate prize for consumers. The Internet has since evolved into a phenomenal tool of exploitation for both good and bad. The most notable recent development is the introduction of cloud computing. Over the years, users have relied on the processing power and the software installed on their personal computers, or the services of a server computer in an organization’s network. Computer users needed to acquire PCs, purchase and install operating systems, and specific user applications relevant to their type of work on their PCs. Organizations did the same but expanded their systems to include local-area and wide-area networks controlled by powerful servers, so that they could enable many users and employees to access their system at the same time. Cloud services have brought a new meaning to networked and multi-user computing. According to Mell et al (2011), cloud computing is a commercial data-processing model involving the use of Internet-based servers, storage, applications and infrastructure to process and store data from anywhere and at any time with minimal management. Users no longer need to use their own PCs or invest in hardware or software or network infrastructure because the cloud service provider avails all these resources on any platform such as a PC, tablet, mobile phone, and so on. On the other hand, the Internet is a haven for criminals who exploit its sheer mass and anonymity to wreck havoc on many hapless users in the form of cyber attacks. Cloud services thus face the biggest security threat especially because they transmit and pool huge amounts of important and private data on the Internet, where it becomes the target of cyber criminals. Cyber attacks keep growing in both number and viciousness by the day. Sanger et al (2013) exposes the vulnerability of cloud services arguing that attackers no longer aim at only stealing important data, but also on shutting down highly sensitive national services such as the water supply and power grid. Jansen (2013) emphasizes that cloud services expose an organization’s system to its adversaries. Undeniably, cloud computing is a breakthrough idea. However, the risks that face it may eventually outweigh its usefulness. It is therefore imperative that key issues of data security and handling of personal data on cloud systems undergo a fresh study or review in order to forestall future disasters that threaten cloud service providers and their users. Holbl (2011, p.1) emphasizes that security and privacy issues in cloud services must be prioritized before marketing and implementation of cloud services, otherwise cloud services may gain a huge but vulnerable market share. The Structure of Cloud Systems Jansen et al (2011, p.6) describes Cloud services as the perfect model of outsourcing for information technology services (IT) which involves which involves transitioning the organization’s software, its data, procedures and other resources to a commercial public system. Holbl (2011) denies that cloud computing is a modern day concept, arguing that it is an improved version of Data Processing Service Bureaus (DPSBs) created four decades ago. However, he asserts that unlike DPSBs, modern cloud services serve more organizations and individual users. Takabi (2010) concedes that cloud computing is not really a new concept but an evolving paradigm utilizing existing systems and concepts such as distributed processing, networks, telecommunications, and so on. Interestingly, Takabi et al (2010, p.1) declares that there is no standard definition of cloud computing because computing stakeholders have not agreed on one yet. Holbl (2011, p.1) identifies the two most important areas of concern in cloud computing to include; 1) The client’s complete loss of control over data. 2) Complete dependence on the Cloud computing Provider. He argues that the two factors may cause the individual or the organization to fall into legal and security challenges. These challenges may arise from the use of infrastructure, management of user identities, access control, system and data auditing, compliance to legislation, management of serious risks such as litigation, assets mismanagement and so on. According to Holbl (2011, p.2), the first angle to loss of control is the fact that cloud services rely completely on telecommunication services. These are two very different services offered by different providers and at the same time controlled by different laws and regulations. The cloud service must conform to the regulations of the telecommunications service provider. The greatest cause of concern for most customers is the complete dependence on the cloud service provider. This works against the spirit of a free market in that it leaves the customer with no options. It allows the cloud service provider to monopolize service provision to that particular customer. It becomes very difficult for the customer to change providers. This makes the customer completely vulnerable. Again, Holbl (2011, p.3) observes that should such a provider go bankrupt, the client might no be able to access their data and would be forced to cease operations immediately. That would be a major disaster. The service provider could drag the clients’ businesses down as well. Unlike Holbl (2011), Jansen (2011, p.39) takes a deeper look and identifies the main concerns of cloud computing as the following; 1) Inadequate policy and practice that fails to address cloud provider failures, failed data and integrity checks due to mismatched client and provider policies and loss of privacy die to poor handling of data by provider. 2) Weak confidentiality and Integrity sureties that fail to implement security and integrity checks thus compromising system integrity. 3) Weak Availability Sureties that fail to ensure uninterrupted availability of service. 4) Principal-Agent Problem that occurs when the interests of providers conflict the interest of clients, leading to immeasurable level of performance. 5) Attenuation of Expertise, which occurs because of outsourcing, causing the organization’s staff to loose experience and expertise, thus compromising the organization’s ability to keep up with technology in future. On the other hand, Takabi et al (2010, p.1) identifies the main challenges of cloud computing as; 1) Creating and enabling a trustworthy operating environment. 2) Multi-tenancy (p. 25). This is a situation where a cloud service provider manages to utilize the cloud resource by providing a virtualized and shared infrastructure which serves a large number of customers. The fact that each client’s data is private, yet it undergoes processing on a shared system may cause unease among clients. According to IBM (2013), cloud services attract a pay-per-use fee from providers. Von et al (2011) supports this arguing that the fee is directly proportional to the cloud resources that the client uses. There are three main types of cloud services, which include; 1) Software as a Service (SaaS): Cloud applications running on remote computers become available to the user over the internet via a browser. 2) Platform as a Service (PaaS): This complete cloud environment allows users to enjoy web-based applications without the need to purchase hardware, software, and the network infrastructure. Hon et al (2013, p.6) asserts that PaaS is an online tool for the complete construction and deployment of custom application software. According to Takabi et al (2010, p.2), PaaS requires additional authorization because of its capabilities in accessing sensitive parts of the operating system (OS) and the file system. 3) Infrastructure as a Service (IaaS): This is a commercial service to companies, which includes servers, storage, data centre and networking on a pay-as-you-use basis. Mell et al (2011, p.2) observes that the power of cloud services emanates from five salient features which include; 1) On- demand self-service where users can access cloud services such as server time and storage with no human intervention. 2) Broad network access through common telecommunications such as tables, mobile phones, workstations, and so on. Jansen et al (2011, p.10) asserts that this portends greater benefit to users in that users can access the system easily anywhere because the lightweight client software requires a simple browser to access the more complex applications running on the server. However, Jansen et al (2011, p.10) cautions that mobile devices are more vulnerable to attacks and therefore require special configuration and protection, which may not be available. Holbl (2011) confirms that communication links between mobile devices are vulnerable to eaves dropping, spoofing and denial of service (DoS) attacks. Holbl (2011, p.2) expose another side of user vulnerability in that users assume data shared locally on mobile devices via cloud applications such as Google Apps involves a local transfer. This is not the case because what seems local is actually a cloud service transfer which might involve transmission of personal data to a remote computer. 3) Resource pooling where geographically scattered users can access common resources with automatic allocation as per the demand, without exposing the location of the users and the resources. 4) Rapid Elasticity where the system expands or reduces resources and capabilities as demand grows or shrinks, without disadvantaging any user. 5) Measured service where both the users and the providers enjoy transparency through a metering system that quantifies resources such as bandwidth, storage, server time, and so on. Cloud services obviously portend huge benefits to users. Takabi et al (2010, p1) asserts that cloud services enhance collaboration, flexibility and scale such that they may finally create the true global village phenomenon. According to IBM (2013), users will make huge cost saving because they do no need to purchase expensive operating systems and application software. Takabi et al (2010, p2) notes that this fact eliminates or greatly reduces the start-up costs for consumers. Again, users pay for only what they use in a cloud service. Better still, cloud services provide elasticity in that the user and provider may scale down or scale up these services depending on need or demand. The other benefit is that cloud systems provide high-speed self-service of all information technology (IT) services. Maybe the greatest attraction to users is that the responsibility of data in a cloud system lies with the service provider. Jansen et al (2011, p.9) adds weight to these benefits by asserting that the greatest strength of cloud services is constant availability of resources. Cloud services enjoy powerful facilities such as fault tolerance and disaster recovery and therefore offer better availability than other systems. Besides this availability, cloud systems have more robust and superior backup and recovery systems. Cloud services mirror data to two or more offsite locations. Thus, data is more secure and recovery may be faster and more effective. However, Jansen et al (2011) cautions that the same resilience may inflict a huge cost burden on the organization because an attack may cause protective applications to consume a larger bandwidth in order to fend off or overcome the attack. The larger bandwidth will result to higher costs to the customer. Despite these huge benefits however, the developers and providers of cloud services have exposed users to huge losses by storing their data on the Internet effectively putting it in the line of fire of cyber attackers. Jansen et al (2011) confirms that the risks of cloud computing revolve around moving the sensitive organization’s data and applications and entrusting the same to a public provider. It means the organization must make a decision to relinquish its security responsibilities to another organization. This portends loss of control to the management of the organization’s assets. Jansen et al (2011) argues that cloud services expose an organization to possible mismanagement of its assets. Again, as earlier stated, cloud services allow users to exploit the system from anywhere and at any time. This provides another form of vulnerability because hackers operate from remote terminals. Hackers may impersonate genuine users and thus gain unauthorized entry into the cloud system. Holbl (2011, p.2) again argues that it not just lost of control of data and management that an organization or individual faces. Users also face loss of technical control to the cloud service provider. For example, system logging to verify who accessed the system at what time is an important security tool that the organization can no longer access. In case of a security breach occasioned by the service provider, the organization will never know. Again, a cloud system cannot guarantee complete data deletion in case data is no longer needed or in the case where the organization terminates its contract with the cloud service provider. The greatest weakness in a cloud service lies in the fact that the system stores all the users’ data in one large pool. Jansen et al (2011, p.10) concedes that this provides a “large attack surface”. This is in sharp contrast to the old adage, “do not store all your eggs in one basket”. This is unlike the situation where users store their own data on personal computers, which are mostly offline and thus more secure from cyber attacks. Organizations also attempt to secure their data by storing it within their own internal systems and making backups, such that even in the event of an attack, there is a chance that their data may remain secure. Takabi et al (2011, p.26) adds that the platform virtualization software that enables several operating systems to run concurrently on the same system enlarges the attack surface too. This makes the cloud system more vulnerable to attacks. As much as companies would like to assure users of their security, there is always the chance that attackers will locate a weak point in the system and use it to expose or destroy vital data, or deny a vital service. Jansen et al (2011, p.10) asserts that the complex nature of cloud systems makes security more problematic. To ensure total security all the components of the system must operate effectively and correctly. Takabi et al (2011, p.25) provides another angle to this problem when he argues that in a SaaS system, clients exploit the use of software from different software providers. This is a major security challenge in that controlling security issues of a diversity of providers is a difficult task. One of the software components may just be the weak link in securing the cloud system. There is also a possibility that the different software components may access the same data from the cloud meaning that an insecure component or a malicious one gains access to vital data thus compromising the system. The provision of software components by many providers weakens the security controls on the system and makes the effort of securing the cloud even more difficult. The true benefit of cloud services will emerge from a secure operating environment that current providers cannot possibly assure. However, Jansen et al (2011, p. 10) refutes this when he argues that cloud services offer data concentration (pooling) which is less risky than data that is dispersed on several mobile devices and workstations that can get lost or stolen easily. When software developers create restrictive login software allowing for proper checks and verification, it becomes hard to compromise a mobile device or workstation. The deployment of cloud services poses a further security risk to personal and organizational data. Mell et al (2011, p3) identifies four forms of cloud deployment models. A private cloud serves a single organization with multiple users. The system may exist on the organizations premises or in another location. A community cloud serves one specific community that has shared interests, for example, a several organizations on a humanitarian mission. One or more of the community members or an external player may own this system. Again, it may be located within the community’s premises or externally. A public cloud serves the public. Usually a business, an academic body or a government institution owns it. It is located within the provider’s premises. A Hybrid cloud allows the public, private and community to share a single standardized cloud infrastructure, without loosing their uniqueness. This type of infrastructure boasts of data and application portability, thus allowing data from the different clouds to move smoothly within the system. Evidently, none of these clouds exists in isolation. Hon et al (2011), cautions that on many occasions where a single service befits a customer, several layers of cloud providers may be involved, more so without the customer’s knowledge. There are two or more players charged with the running of a single type of cloud. For example, the data storage company DropBox offers SaaS, yet it uses the Amazon’s company infrastructure (IaaS) to reach its clients. Interestingly, not just companies exploit layering of cloud services. Even customers have the freedom to hire the services of several cloud providers (Hon et al (2011, p.7). Takabi et al (2011, p.26) supports this aspect of cloud services arguing that one client may acquire several cloud services from different providers for example an IaaS from one provider, a PaaS from another, and several SaaS from several other providers. This interconnectivity and sharing of resources compromises cloud security because all the players have complete access to the system and a weakness on the part of one player affects all adversely. Again, all cloud systems serve multiple users. It is hard for any organization to control how users deal with the information on their hands. Some users may actually join the cloud with malicious intent. According to Jansen et al (2011, p.11), the shared multi-tenant environment in cloud computing allows clients to share components in absolute ignorance of other users. Cloud computing exploits logical separation at the physical layer rather than physical separation. This provides a safe environment for malicious users to pose as genuine clients while exploiting weaknesses within the system to gain access to restricted data, or wreck havoc. Furthermore, all clouds, even the private cloud, exploit the public infrastructure in the form of the Internet connectivity. This removes the safe haven that the organization previously enjoyed at its protected intranet, and exposes it to serious Internet attacks. Again, Hon et al (2011, p.10) argues that hackers have managed to hack or crack some of the encryption methods used to protect data from prying eyes. So, none is safe from cyber attacks. That means data held in cloud systems faces serious risks. Jansen et al (2011, p.8) seems to differ with this viewpoint arguing that cloud services provide the opportunity for better innovations that will lead to improvement of online security services for many organizations. They especially argue that smaller organizations stand to benefit the most from cloud services because they already fall short of the necessary security machinery needed for any organizations in terms of personnel, finances, and so on. Jansen et al (2011, p. 9) again favors cloud computing arguing that cloud computing platforms provide uniformity in their operations. This allows better automation of security activities such as security audits, system testing, and so on. Challenges to Processing Private Data Hon et al (2011, p.7) exposes another challenge to privacy in the proliferation of personal data within different cloud systems and how that data is processed and shared. As stated in the previous paragraph, users may join several cloud services systems at their pleasure. On these systems, they provide personal data for the purposes of creation and personalization of their private accounts with the cloud service provider. This freedom allows personal data to proliferate within numerous providers to the extent that this personal data may seem to become public. At the same time, the availability of this information within different cloud systems increases its chances of its exposure through errors or cyber attacks. The proliferation of personal data on public systems may worsen the data protection situation and render data-protection legislation of no consequence. According to Hon et al (2011), many nations such as the European Union (EU) provide strict regulations for the storage, processing, transmission, and retrieval of personal data. Once the company receives personal data from a cloud service user, it is the responsibility of that company to protect that data from any form of exposure. Hon et al (2011) suggests that the only method commonly adopted by all companies in the protection of personal data is encryption, which involves conversion of data into nonsense characters using a given algorithm and encryption key. Only those systems that can reconvert the data (decrypt) back to sensible form can read the data. The greatest challenge for cloud systems is processing of personal data. For example, a list of customer records may require classification by arranging in a certain order or sorting for a certain purpose, for example in descending order of age to determine behavior of certain age groups. Currently, there are no methods of performing specialized operations such as sorting on encrypted data, so that would entail decrypting the data first then introducing it to the sorting application. The sorting applications form part of the cloud system, which is accessible by thousands of users. It is at this point that the now decrypted personal data becomes exposed to theft or unauthorized exposure. Users may download this data in its decrypted form, a fact that would render the cloud provider guilty of exposure of private data. At the same time, users may get hold of encrypted data, and use the cloud system to decrypt the data, again exposing the service provider to serious litigation. Worse still, some regulations totally outlaw processing of personal data. That means the cloud service provider may store personal data on their system but cannot perform processing on it. In the event that the company wishes to, for example arrange all its clients in a certain order, which would constitute processing of personal data. This is a major challenge to the storage and transmission of legally stored personal data. Perhaps an even greater challenge is the cross-border legislation between different countries that may bring conflict in the handling of personal data about subjects of different nations. According to Holbl (2011, p.2), cloud services are global services yet different countries have different data laws. This will definitely bring major conflicts between users, providers and governments. Users of cloud systems also face some challenges with personal data just like the providers. According to Hon et al (2011, p.34), cloud services companies need to provide the facilities for creating accounts and logging in to their users, without the option of viewing or modifying the user’s data unless with express consent from the user. Normally, the cloud services provider creates and maintains the user login software. The provider does not need the users consent or intervention while doing this. This may be good in that the user may feel happy operating the improved software without much hassle. However, this puts the cloud provider in complete control over the user’s personal data. Many authors seem to agree unilaterally to this fact. In fact, as Hon et al (2011) asserts, while joining the cloud system, the company’s terms of use expressly ascribe all powers to monitor the user’s data and usage solely to the provider. The customers must consent to these terms of use before they can acquire an account with the company. In fact, Jansen et al (2013) asserts that fixed service agreements that have no room for further negotiation form the norm in cloud computing agreements. Therefore, it is not just individual customers who are at risk of data control by the cloud service provider, but also corporate customers. Holbl (2011, p.3) confirms this when he says that some cloud services providers do not even offer any contractual document. In case of a problem, the client suffers loss because there is no legal document to support their claims. Therein lays the danger that the provider reserves the right over personal data. The company forces the user to forfeit control over their personal data; data that the law protects. Hon et al (2011, p.35) cites an example of social networking sites, a SaaS service which can expose personal data completely to the public due to the nature of the arrangement. Holbl (2011, p.2) notes that many providers take the liberty to perform data mining from some sites, and especially the social networking websites (SNWs). Some laws (Hon et al, 2011, p.36) even allow processing of such data without the user’s consent, by virtue of the fact that the user ‘allowed’ the company to expose the data. Some providers may then proceed to build backdoors into the software that allow the provider, and maybe some other players to gain access to user’s personal data via their accounts. Holbl (2011, p.2) supports this arguing that service providers can compromise the client’s personal data. Even competitors may compromise data by posing as customers to the other cloud service provider. Takabi et al (2011, p.25) agrees with this when he emphasizes that there may not be any technical capabilities anywhere in the world currently that may prevent the abuse of customer data by the cloud service provider. All this happens without the user’s knowledge. Worse still, the government may force providers to provide this information to it without the user’s knowledge or consent. This is a new phenomenon that beats the purpose of cloud computing. The original intent of cloud computing was to bring convenience to the user while saving them huge costs in terms of buying hardware, software, and implementing network infrastructure. However, the service provider, the government, and other players with vested interests exploit the opportunity to glean otherwise unavailable personal data for the purposes of advancing their own missions. Overcoming Challenges The solutions offered by most authors vary and are mostly vague in most situations. They are not practical although they may sound strong theoretically. Jansen et al (2011, p.6) offers that security and privacy challenges may be overcome when the organization that provide cloud services implements measures such as staff specialization. This ought to enable some IT staff to concentrate on security issues and therefore make them acquire deeper knowledge and experience. This would make them more capable of preventing or dealing with security breaches. This process obviously requires time to perfect. It does not provide a solution to the current security crisis for cloud services that are already in use. Takabi et al (2011, p.25) seems to offer a different approach. He suggests that cloud service providers may be prevented from abusing customer data through both technical and non-technical means. He also makes a vague suggestion that customers need to have deep trust in the technical competence of a provider. This is a difficult thing to achieve because cloud services are a new paradigm where many companies have not yet achieved enough experience and exposure. Again, it is difficult to determine how new clients may gain the confidence in a provider whom they hardly know about. Again, Takabi et al (2011, p.25) suggests that clients must have confidence in a client’s economic stability. This is hard to achieve too because most businesses do not expose their finances, and even what they expose may be misleading. Takabi et al (2011, p.25) also suggests that both the client and the cloud service provider must share the security and privacy responsibilities in the cloud. This is partly true because clients also need to secure login details and ensure they log out securely. Clients must also ensure the source documents remain secure. However the major portion of the security issues lie squarely with the cloud service provider. Holbl (2011, p.4) recommends that cloud services providers must get into a well documented contract clearly addressing all terms, risks, data confidentiality, termination, data deletion, logging, auditing, and legal issues. Contracts and performance of both the provider and the client must fall within the confines of the law. Clients need to pay particular attention to data law of countries of prospective cloud providers, and vice versa. Takabi et al (2011, p.26) exposes the weak side of this argument, offering that security, privacy and trust cannot be quantified, and therefore it is hard to bargain about them in a contract. He suggests the involvement of third-party mediators who would be charged with the responsibility of measuring critical service parameters as agreed upon, and report incidences of violations. Jansen (2011, p. 35- 36) takes an ordinary approach to providing solutions. He seems to lean more on current non-cloud systems functionality. He classifies recommendation first according to governance, encouraging organizations to pursue policy, procedure and standards in system implementation. Next is to ensure that the system complies with existing legislation. Next is to ensure trust by providing transparency between both the client and the service provider. Then the client must understand the architecture implemented by the service provider. The next step is to ensure that user identity and verification processes are foolproof. The next step is to ensure data protection through proper access methods, data back up, encryptions, and so on, and to mitigate risks. Availability is the next most important consideration ensuring that the system is available at al times and that data recovery and protection mechanisms are efficient enough to enable a full and fast recovery in case of an incident. Finally, response to any mishaps or incidences is key to restoring the system and in ensuring a continued mutual working relationship between the client and the provider. These suggestions, though good, achieve a more theoretical approach than a possible practical one. Conclusion The originators of cloud services were quick to sell their ideas without first addressing privacy issues exhaustively. Unfortunately, many organizations and the public bought the idea and have now outsourced their ICT requirements. Inevitably, now both the providers and the customers have to wade through the murky and dangerous waters of cyber-attacks. The solutions needed must solve the current security crisis and ensure future systems largely avoid such threats. Evidently all the studies conducted above have failed to give practical solutions to security and privacy issues in cloud services. Unless cloud service providers can assure complete cyber security and privacy, a Herculean task, the future of cloud services may well be more pain than gain. The following questions beg more questions than answers, clearly necessitating further study and research. (a) To protect consumers and their data, both the cloud service provider and the customer must get into a legal contract. In a legal environment that lacks adequate legislation to cover cloud services, how will it be possible to make effective and workable legal contracts? Furthermore, aspects of the contracts such as security and trust are not quantitative. How will the customer and cloud provider engage in competitive bargaining? (b) Consumers who opt for cloud services finally must engage a certain cloud service provider. As earlier discussed in this paper, it is pertinent that customers must develop trust in the provider’s technical expertise and sound financial situation. It is very difficult to gauge a cloud provider on their expertise and financial status. Again, the financial status may change for the better or for worse? How would new customers identify a well- experienced and reputable cloud services provider who would also be financially sound? In the event that a client selects a provider who later becomes bankrupt, how will the client recover and avoid disruption of service? (c) The customer must relinquish the security responsibility and asset management to the cloud service provider once they acquire their services. From the studies above, there is no mechanism available to monitor the provider’s behavior and especially as pertains to the abuse of customer’s data. How will cloud services provide complete and trustworthy transparency to win customer’s confidence that their data is fully secure with them? Who finally shoulders the responsibility in case of data theft or misuse? References Holbl, M. (2011, March 15). Cloud Computing Security and Privacy Issues. The Council of European Professional Informatics Societies (CEPIS) Information Document LSI SIN (10)02. Retrieved December 10, 2013, from http://www.cepis.org/media/CEPIS_Cloud_Computing_Security_v17.11.pdf Hon, W.K., Millard, C., Walden, I. (2011, April 13). The Problem of ‘Personal Data’ in Cloud Computing – What Information is Regulated? Legal Studies Research paper No. 75/2011. Queen Mary University of London, School of Law. Retrieved December 10, 2013, from http://ecgi.ssrn.com/delivery.php?ID=1621100711271221020 78025075086098066004059040068032056094121092028064069085085030007 05505900400904705802808602808500907601110210704609501507402508608 1092007126083001066062066012031121089073103124097082007&EXT=pdf IBM. (2013). What is Cloud? – Computing as a service over the Internet. IBM Cloud. Retrieved December 8, 2013, from http://www.ibm.com/cloud-computing/us/en/what-is-cloud- computing.html Jansen, W., Grance, T. (2011, December). Guidelines on Security and Privacy in Public Cloud Computing. National Institute of Standards and Technology (NIST) Special Publication 800-144. Retrieved December 10, 2013, from, http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494 Mell, P., Grance, T. (20111, September). The NIST Definition of Cloud Computing. NIST Special Publication 800-145. National Institute of Standards and Technology. Retrieved December 8, 2013, from http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf Sanger, D.E., Perlroth, N. (2013, May 12). Cyber Attacks Against US Corporations are on the Rise. The New York Times. Retrieved August 13, 2013, from http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us- corporations.html?pagewanted=all&_r=1& Takabi, H., Joshi, J.B.D., Ahn, G. (2010). Security and Privacy challenges in Cloud Computing Environments. The IEEE Computer and Reliability Societies Paper No. 1540-7993/10. Retrieved December 13, 2013, from http://www.sis.pitt.edu/~jjoshi/courses/IS2620/Spring13/S&P.pdf Read More