Cloud Computing Security
(Author note: This paper is published here anonymously)
There has been rapid growth in the adoption of cloud computing by enterprise users for hosting applications and data and for deploying software services over the past two years. This trend is expected to continue for the next few years. According to a Gartner, Inc. report, revenue in this industry is projected to reach $148.8 billion in 2014.
Cloud computing offers enterprises the possibility of delivering IT resources that can be scaled dynamically to meet the changing requirements of the business. Cloud computing provides Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). SaaS provides the use of software applications over the Internet, while PaaS provides a development platform for developers. Together with IaaS, which provides a virtualized computer infrastructure, they offer all levels of cloud computing services that could replace or complement existing traditional datacenters.
The key benefits for enterprises are the reduction of IT investment and maintenance costs. By off-sourcing hosting and application management to a third-party software vendor or Cloud Service Provider (CSP), enterprises can reduce the cost of running their own infrastructure to support the application.
Although the cloud offers huge economic benefits, it also brings security issues with it. In many survey and research reports, security risk has been cited as the top concern by enterprises that are contemplating moving their computing services to the cloud.
There are various security challenges specific to SaaS, PaaS and IaaS. The security risks range from traditional physical, network and application vulnerabilities, to improper configuration and control of user access rights, to a lack of regulatory compliance in different countries.
We propose a layered approach to manage these security issues in each model. This approach is based on the three domains of Technology, Process and Regulation. The Technology layer addresses security risks through technology measures, while the Process layer addresses them by tightening workflows and human processes. The Regulation layer deals with ensuring that the regulatory or legal requirements of the business are being met by the cloud providers.
Enterprises considering the move to cloud computing can adopt the above layered approach to mitigate the security risks in cloud computing, thereby minimizing any potential business impact while maximizing the potential Return-on-Investment (ROI) for the businesses.
Cloud computing gives enterprises the capability to deliver IT resources in a way that can be scaled dynamically to address customers' ever-changing requirements. The key benefits to the enterprise are the reduction of investment and maintenance costs. However, the great potential offered by the cloud also comes with security issues. Since the computation and storage of data are on the cloud, outside the enterprise's datacenter, there are greater risks of data leakage and cyber-attack by hackers.
In this paper, we explain the definitions and models of cloud computing and the benefits that it offers to enterprise users. We then discuss the various security challenges associated with the use of cloud services and propose a layered approach of security measures that an organization can undertake to manage the risks associated with the use of cloud computing.
Keywords: Cloud, definitions, characteristics, security, issues, challenges, models, SaaS, PaaS, IaaS, Internet, bandwidth, pay-as-you-use, risks, vulnerability, AAA, MITM, XML, DoS, SSL, CIA, CCIA, IPS, BCP, API, layered approaches, cloud computing, information assurance, service providers, customer, data centers, network security, virtualization, dynamic infrastructure, SOA, off-sourcing, OS, VMs, NIST, framework, technology, process, regulatory, trends, legal, compliance.
There has been rapid growth in cloud computing adoption by enterprise users for the hosting of data and deployment of services over the past 2 years, and this trend is expected to continue for the next few years.
Gartner forecast that worldwide cloud services revenue would “reach $68.3 billion in 2010, a 16.6 percent increase from 2009 revenue of $58.6 billion. The industry is also expected for strong growth through 2014, when revenue is projected to reach $148.8 billion” (Gartner, 2010).
Cloud computing, where storage and computing resources can be provisioned on demand via the Internet, offers enterprises an attractive option to reduce capital expenditure (CapEx) and increase their revenue opportunities (Datapipe, 2010). Instead of bearing the upfront investment cost in infrastructure and the long-term manpower resources to maintain it, a company can procure cloud services, where the Cloud Service Provider (CSP) may have better infrastructure and more technically competent professionals to maintain the IT services. As the cost of using the cloud is determined by the ‘pay as you use’ model, a company only incurs operating cost when the resources are used. For example, if an online sale is held during Christmas, the company need not invest in additional servers and network bandwidth to handle the expected surge in online traffic. The Cloud Service Provider is able to provision additional computing resources in near real time when the load increases. After the sale, the company need only pay for the resources used during this period. Thus companies can realize the Return-On-Investment (ROI) from their IT investment earlier, and that translates into a reduction of IT operating cost which benefits the business bottom line. One company considering such a move to the cloud is Lojas Renner, a Brazilian online retailer. The CIO is considering moving the company’s database offshore (Rosenbaum, 2011), and he is optimistic that their data could be safer in an Oracle center located in the U.S. than in their dedicated datacenter in Brazil.
Before any organization jumps onto the cloud computing wagon, certain inherent issues with cloud computing need to be understood. Customer data security is the topmost issue in cloud computing. Failure to thoroughly analyse the risks involved and to take measures to safeguard the company’s most valuable asset on the cloud, its data, could have direct and indirect impacts on the business. The impacts could range from direct loss of the company’s intellectual property to indirect loss of reputation that will ultimately affect the company’s bottom line. Many smaller companies may not survive such an impact.
As cloud computing services are increasingly used for processing confidential data, in applications like e-commerce websites and back-end office accounting systems, the security and privacy implications are high should there be a lapse in the security processes. There have been many high-profile security breaches in recent years (Greenberg, 2008). In 2007, retailer TJX reported the theft of 45 million credit card numbers by hackers, while online software company Salesforce.com had some of its customers’ e-mail addresses and phone numbers captured by cybercriminals. With Oracle offering its database and middleware application services running on Amazon EC2 (Amazon Web Services Blog, 2008), more enterprises can be expected to move their in-house Oracle databases to the cloud. With this move, privacy concerns like data leakage and loss of privacy will continue to increase, as these in-house databases already contain the companies’ confidential data (Pearson, 2009).
In the next section, we describe in detail the definition of cloud computing and the various benefits which enterprises could gain by adopting the various service models in cloud computing. Then we discuss the security concerns and associated risks for the organization. We then propose a layered approach to address these security issues. There are three layers in this security approach: Technology, Processes (Practices) and Regulation (Legal). They could be adopted by an organization to address and reduce the risk exposure it would face should it choose to move its in-house IT services to cloud-based ones. This approach could also be used by cloud service providers to assure their customers that a sound security management framework is in place.
Cloud computing is the latest buzz of the information technology era; it shifts computing resources and data away from traditional back-end servers and onto data centers. Basically, applications, storage, databases and various IT services are delivered as a service over the Internet (Dikaiakos, Katsaros, Mehra, Pallis & Vakali, 2009). Presently many very large companies are part of cloud service development and offering; examples are Microsoft, IBM, Amazon and Google.
Definition of cloud computing
“It is an on-demand self-service Internet infrastructure where user ‘pay as you go’. You pay only what you need and everything is managed by an Internet browser, application or API. Cloud computing is classified into several parts, including: Cloud Platforms, Cloud Infrastructure and Cloud Applications” (Serverpath, 2011). Refer to Figure 1.
Figure 1. The NIST cloud definition framework. (NIST, 2009)
“Cloud computing can be compared to the supply of electricity and gas, or the provision of telephone, television and postal services. All of these services are presented to the users in a simple way that is easy to understand without the users needing to know how the services are provided”. (NIST, 2009)
Cloud Computing Model
In the cloud computing model, IT resources are accessed on demand from a shared pool of computing resources over the Internet as services. Such services can be provisioned quickly and managed with minimal management effort or service provider involvement. Examples of resources are networks, storage, servers, applications and various other services. This cloud model improves availability and mobility. Here we discuss the following essential characteristics, deployment models and service models.
Essential Characteristics are:
Figure 2. Essential characteristics. (NIST, 2009)
On-demand self-service, in cloud computing, customers are capable of provisioning computing resources such as servers and storage dynamically as needed, without requiring interaction with the cloud service provider’s support personnel. It enables the service provider to dynamically assign and reassign services according to customer preference (Mell & Grance, 2009).
Broad network access, basically it is a web-based user interface, accessible from anywhere via the Internet/network. Services are also available through heterogeneous thick or thin client platforms such as mobile phones, laptops/tablet PCs and PDAs (Mell & Grance, 2009).
Resource pooling, the service provider’s IT resources are pooled to serve many customers using a multi-tenant model consisting of diverse virtual and physical resources. Examples are storage, processing (CPU) power, memory, virtual machines and network bandwidth. The service provider’s computing resources are location independent, which means the customer has no knowledge of or control over the precise location of its data and computing resources (Mell & Grance, 2009).
Rapid elasticity, cloud computing capabilities are delivered rapidly and elastically, and can be quickly scaled out or in for any service or release provisioning. To the customer these capabilities often appear to be unlimited and can be purchased in any amount at any time (Mell & Grance, 2009).
Measured Service, cloud service providers have the capacity to automatically control and measure the resources used by applying a metering capability at some level of service, such as processing, storage, Internet bandwidth and active user accounts. Resource utilization can be checked, measured, limited and reported, which provides clarity for both the service provider and the customer of the consumed service (Mell & Grance, 2009).
Deployment Models are:
Figure 3. Deployment models. (NIST, 2009)
Private cloud, computing capability provided as a service which providers offer to a select group of customers or only to a particular customer. It could be managed by the organization or a third party and may be available on premise or off premise. Services are not made available to the public (Mell & Grance, 2009).
Public cloud, computing capability provided as a service that providers offer to a large industry group or the general public via the public Internet, owned by an organization offering the cloud service in a “pay as you go” manner to the public (Mell & Grance, 2009). Refer to Figure 4.
Figure 4. Public cloud. (Mather, Kumaraswamy and Atif, 2009)
Community cloud, this type of cloud infrastructure is shared by several organizations or a particular community with shared common interests in policy and compliance, mission and vision, security and other related considerations (Mell & Grance, 2009).
Hybrid cloud, this cloud infrastructure is a combination of more than one cloud deployment model, such as private, community or public. It enables ease of data and application portability and load balancing between clouds (Mell & Grance, 2009). Refer to Figure 5.
Figure 5. Hybrid cloud. (Wikipedia, 2011)
Cloud Service Models and their security risks
Virtualization is a core technology behind cloud infrastructures. Virtualization provides the flexibility to move virtual machines to any location for resource optimization. This makes it a challenge to enforce an organization’s security and compliance policy, since customers are uncertain of the actual physical location of their data and computing resources. As shown in the IDC report in Figure 6, the topmost concern for cloud computing is security (Jaems & Seattlepi, 2008).
Figure 6. Cloud computing challenges (IDC, 2009)
Enterprises are increasingly moving towards cloud computing to save cost and increase efficiency. However, enterprises need to understand that the Cloud Service Models are not identical in terms of their underlying security risks.
Cloud Service Models can be classified as ‘Software-as-a-Service’ (SaaS), ‘Platform-as-a-Service’ (PaaS) and ‘Infrastructure-as-a-Service’ (IaaS). Enterprises should consider the differences as well as the similarities among these three classifications, despite their many overlapping areas.
Figure 7. Service Models
Figure 8. Identified Risk grouped into the 3 cloud model; SaaS, PaaS and IaaS
As shown in Figure 8, the cloud computing risks were identified and grouped into the three cloud computing models of SaaS, PaaS and IaaS. Two risks were identified as common to all three models: the rapid adoption and evolution of cloud computing, and the increasing risk of cloud computing being targeted by hackers. The main reason is that cloud computing is dynamic and constantly changing. Changes in the technology as well as changes in the process make it vulnerable to hacking, and policy makers have to keep pace with these changes in order to come up with regulation. In the next section, the paper discusses in detail the risks identified and the proposed solutions for the three cloud computing service models.
Security Risks in Software-as-a-Service (SaaS) Model
This service model provides access to applications which run on the service provider’s infrastructure. Services are available from many different client devices via various methods such as a web browser or a mobile app. Examples are web-based email, WebEx video conferencing, and Salesforce.com. Here the customer does not control or manage the underlying IT infrastructure (Thibodeau, 2010). The following are possible security issues in the SaaS model (certain issues here could also be present in other models, as many such issues overlap between models):
Sole dependency on the vendor security model, customers depend solely on the cloud service provider’s security measures and standards. Since a cloud provider in SaaS supports a large number of users, it is hard to make sure that appropriate security measures are taken to protect customer data while also ensuring that the customer application is available with proper security when needed.
Security on the network, customers are unable to get a true picture of the cloud provider’s systems and network security behind the slick marketing. Hackers can exploit weaknesses in network security by sniffing packets. Possible threats are Man-in-the-Middle (MITM) attacks, network penetration, session management weaknesses and insecure Secure Sockets Layer (SSL) trust settings (Morsy, Grundy & Muller, 2010).
Hackers can manipulate weaknesses in the data security model to gain illegitimate access to data or applications. SaaS is vulnerable to improper access control, virtual machine operating system flaws, cookie and hidden field manipulation, as well as insecure storage and configuration (Morsy et al., 2010).
Identity control, due to the large customer base and the variety of service types supported by the cloud provider, identity control is another difficult task in the cloud environment, and mismanagement of identity control may lead to unauthorised data access. Password management is also complex and is becoming less effective, because hackers now have readily available tools in the cloud and the computing capacity to bust through password protections (Smith, 2011).
Data isolation, encryption may be helpful in segregating one user’s data from that of other customers in a shared environment, but it is not an effective cure. Mismanagement (loss of key) of encrypted data can make the data totally unusable and hinder the availability of the encrypted data. Besides this, it is difficult to control or delineate administrative tasks between client and cloud provider, as they often need to work together to accomplish certain tasks. Active third-party liability protections are also very important, because the amount of data that cloud providers handle makes screening quite impossible (Brodkin, 2008).
Data locality risks, in a cloud, customer data may not be physically stored in the source country; data may be distributed or stored beyond the border. International data privacy protections and export restriction laws may therefore apply, and the chance of data leaks also increases due to poor security in different geographies (Brodkin, 2008).
Privileged user access, confidential data processed outside the organisation carries an inherent level of risk, as off-shore services bypass the “physical, logical and personnel controls” of IT management over in-house applications (Brodkin, 2008).
Data integrity, it is difficult to maintain data integrity over a distributed infrastructure like cloud computing. In SaaS, applications are multi-tenant and hosted by a third party, and thus usually expose functionality via XML (Extensible Markup Language) based APIs (Application Programming Interfaces). Improper integrity controls at the data level (directly accessing the database, bypassing application logic) could result in multifaceted security issues (Morsy et al., 2010).
Recovery, since system images are backed up and distributed or replicated between multiple sites, it is difficult to perform a system recovery without proper procedures and support from the cloud vendor (Brodkin, 2008). The disaster recovery process could jeopardise the security of the customer’s data.
Long term viability, cloud computing service providers may stop operations or be acquired by a bigger company. It is therefore difficult to ensure that client data will be removed or that it is not being mirrored by other service providers, so chances are that data will remain available in the cloud for a long period of time (Brodkin, 2008). This also applies to the PaaS model.
Businesses cannot put up with interruptions in service regardless of the cause, from bandwidth constraints to distributed denial-of-service attacks. Businesses are nowadays more concerned about the quality of such service than about its low cost. It is unlike having our own infrastructure, over which we have ultimate control of modifications. We have no control over what else is running on the cloud that could degrade performance and pose security risks (Smith, 2011).
Investigation and Auditing, a timely response to a custom request for an audit or for the investigation of a specific incident will be an issue, since the cloud service provider supports a large customer base. The provider may not be able to accept any request which falls outside the standard Service Level Agreement (SLA), which could lead to security breaches (CCIA, 2009). This situation is relevant to the PaaS model as well, where issues with the customer’s own custom-built applications generally fall outside the cloud provider’s SLA.
Problems with live analysis techniques, live analysis examines system activities while the system is active. Memory forensics is done by examining a snapshot of a running virtual machine (a snapshot is not available while the virtual machine is powered off). This procedure carries certain risks: if the attacker manages to compromise the system, he or she will be able to hide his or her activities effectively, and valuable information can be gleaned by this live analysis on the running system (CCIA, 2009). This issue applies to the PaaS model as well.
Event assessment support, examining inappropriate activities and events is difficult in cloud computing, as user logging, resource access, alert and event information, as well as data for many customers, may be co-located and also spread across the globe over ever-changing virtual hosts and data centers.
Customer specific logging, an essential characteristic of cloud computing is “resource pooling”, which leads to multi-tenant infrastructures. Events generated by the infrastructure may therefore point to non-customer-specific parts of the infrastructure, to resources of a single customer, or to resources of several customers. To give customers access to event sources, the cloud service provider must implement mechanisms that ensure all relevant event information is accessible, while no customer is able to view the event information of other customers (Grobauer, 2010).
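The isolation requirement described above can be sketched as follows. This is an added example, not code from the paper or from any cloud provider; the event structure, the tenant and resource names and the redaction policy (a customer sees only events that touch its own resources, with other customers' identifiers masked) are assumptions made for illustration.

```python
"""Tenant-scoped views over a shared, multi-tenant event log (illustrative)."""
from dataclasses import dataclass

REDACTED = "<other-customer>"  # assumed placeholder for masked identifiers


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner: str  # tenant ID that owns the resource


@dataclass(frozen=True)
class Event:
    event_id: str
    source: str            # infrastructure component; never shown to tenants
    template: str          # message with {0}, {1}, ... resource placeholders
    resources: tuple = ()  # empty tuple = non-customer-specific event


def classify(event):
    """Map an event onto the three cases named in the text."""
    owners = {r.owner for r in event.resources}
    if not owners:
        return "infrastructure"
    return "single" if len(owners) == 1 else "shared"


def render_for(event, tenant_id):
    """Return the message as tenant_id may see it, or None if not visible.

    Resource identifiers are kept apart from the message text, so masking
    is structural and does not depend on pattern-matching free text.
    """
    if tenant_id not in {r.owner for r in event.resources}:
        return None
    names = [r.resource_id if r.owner == tenant_id else REDACTED
             for r in event.resources]
    return event.template.format(*names)


def tenant_view(events, tenant_id):
    """All events relevant to one customer, with other customers masked."""
    view = []
    for ev in events:
        message = render_for(ev, tenant_id)
        if message is not None:
            view.append({"event_id": ev.event_id,
                         "kind": classify(ev),
                         "message": message})
    return view


def provider_view(events):
    """Unmasked view for the provider's own operations staff."""
    return [{"event_id": ev.event_id,
             "source": ev.source,
             "kind": classify(ev),
             "message": ev.template.format(
                 *[r.resource_id for r in ev.resources])}
            for ev in events]


# Constructed sample events covering all three cases.
SAMPLE_EVENTS = (
    Event("e1", "hypervisor-3", "Host firmware updated, no guest impact"),
    Event("e2", "vm-agent", "Failed login on {0}",
          (Resource("vm-a1", "tenant-a"),)),
    Event("e3", "vswitch-7", "Port flap affected {0} and {1}",
          (Resource("vm-a1", "tenant-a"), Resource("vm-b4", "tenant-b"))),
    Event("e4", "storage", "Snapshot of {0} completed",
          (Resource("vol-b9", "tenant-b"),)),
)

if __name__ == "__main__":
    for tenant in ("tenant-a", "tenant-b"):
        print(tenant)
        for row in tenant_view(SAMPLE_EVENTS, tenant):
            print("  ", row)
```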
Forensic analysis, this method performs in-depth incident analysis in a highly dynamic cloud environment with many interdependencies such as redundant servers, storage, caching and mobile devices. There is a recent trend of attackers targeting cloud infrastructure as many companies move towards cloud services. Hackers could use botnets (a botnet is a collection of software agents that run in a computer system autonomously and automatically) in cloud computing to hide their activities (Golden, 2009) and misuse cloud computing infrastructure by starting Denial-of-Service (DoS) attacks against large-scale infrastructures (Grobauer, 2010).
Proposed Solutions for SaaS Model
As listed in Table 1 in Appendix A, several technologies were identified to mitigate risks in the SaaS model, mainly the audit log and the Authentication, Authorization and Accounting (AAA) systems. The AAA system provides a solution for clients who may feel that they have lost control of the services they are using. Such a system can provide identity control and data isolation or segregation, and prevent unauthorized access. Another important technology is the backup system, which mitigates the risk of service unavailability in the event of a disaster. Not only is this technology useful for the provider, it also gives the client peace of mind, and the backup could even be used with another provider as a service alternative in the event that the provider is no longer viable or has violated the client’s security policy. Technologies such as Intrusion Prevention Systems (IPS), encryption and Public Key Infrastructure (PKI) can also be implemented to secure the network infrastructure and to ensure data integrity. A proper Change Management process should be implemented to supplement the AAA systems. The backup systems should have a process for recovery and periodic testing of the Business Continuity Planning (BCP).
Providers offering services on the cloud should be regulated by the authority and certified as compliant, to mitigate the risk of service unavailability and the risk of data leaks when data moves between organizational boundaries.
Security risks in Platform-as-a-Service (PaaS) Model
In the PaaS model, the service provider provides a platform for the customer (developer) to develop and deploy their own or acquired applications. Often the service provider offers an application programming interface (API) or a template-based development engine for building custom applications. The customer does not manage or control the infrastructure, such as servers, network and operating system, but only the deployed applications and their configuration. This service frees programmers and IT professionals from the complexity of managing their own IT infrastructure. Major players in this area are Google’s App Engine, Yahoo Developer Network and Microsoft’s Azure Web Services (Thibodeau, 2010). PaaS is also vulnerable to most of the SaaS model vulnerabilities discussed above. Possible specific security risks in PaaS are:
Absence of interoperability among cloud providers and legacy systems, different cloud providers use different types of security products and methods to secure their infrastructure, and legacy systems may have their own backward security protocols, so integration among these poses a security risk and challenge (CCIA, 2009).
Service provider lock-in, various cloud providers design their cloud services using their own proprietary technology and use security standards or protocols proprietary to their own platform. For example, the Microsoft Azure platform is built on .NET, and if a customer needs to move from Microsoft to an open source platform provided by another vendor, the move would be challenging and the migration process may cause security issues. It is therefore difficult to move from one provider to another. This scenario could exist in the SaaS model as well.
SOA related issues, the PaaS service model is built on the Service Oriented Architecture (SOA) model and thus inherits the security issues that exist in the SOA model, such as DoS attacks, MITM and XML related attacks, dictionary attacks, replay attacks, SQL injection attacks and data entry validation related attacks (Morsy et al., 2010). SOA threats are also present in the SaaS model.
API related issues, if the application programming interface (API) that the customer uses to manage and interact with cloud services is not secured, it could result in data being sent in clear text, which could cause a security breach. Different cloud vendors use different types of API standard. Applications created with many different types of API could create potential security risks due to incompatibility and integration issues (Morsy et al., 2010).
Identification of appropriate data sources, it is a challenge to determine which data sources are relevant for incident detection, particularly with IaaS (providing intrusion detection for virtual machines without knowing the installed operating system) and PaaS (providing intrusion detection for web applications without knowing the type of applications hosted) (Morsy et al., 2010).
Proposed solution for PaaS Model
As listed in Table 2 in Appendix A, IPS and the backup system are the two main technologies proposed to mitigate risks for the PaaS model. Backup systems give clients a solution when there are interoperability issues between cloud providers and legacy systems, or when providers try to lock clients in and hinder migration to other cloud providers. IPS provides the technology to address SOA and API related issues.
Just as in the SaaS model, the process for recovery and periodic testing of the Business Continuity Planning (BCP) is important for providers of this model. Clients should ensure that PaaS providers conduct full data recovery, so that clients are not locked in to a specific provider and do not find it difficult to migrate to another provider.
Security Risks in Infrastructure-as-a-Service (IaaS) Model
The capability provided to the customer in this model is often referred to as “everything-as-a-service”. Generally it represents an entire virtual infrastructure offered as a service over the Internet (including firewall, RAM and CPU). The purpose of this offering is to replace a customer’s server room and network through virtualization technology, and it also contributes to cost reduction and improved flexibility. Major players include Amazon, Rackspace, Savvis, HP, IBM, Sun and Google (Thibodeau, 2010). Possible security risks are:
Trusting the provider’s underlying security equipment, it is difficult for cloud customers to fully understand the provider’s security configuration at the core physical level, and to ensure that the service provider’s configuration standard does not conflict with the customer organization’s own security policy (CCIA, 2009).
Virtual Machine (VM) security, malware, viruses, DoS, memory leaks and other threats to the VM operating system and its various workloads are the most common security threats. VM security is part of the customer’s responsibility in IaaS (Morsy et al., 2010).
Security in the VM image repository, unlike a physical server, a VM image is still at risk when it is offline. It is common practice to take snapshots of VMs for disaster recovery. VM images can thus be at risk of malicious code injection while offline, and these VM files could be stolen too. Although the customer is ultimately responsible for VM security, the vendor is the owner of the physical hardware, so there is a possibility that the cloud provider may copy an existing customer’s VM and reuse it for another customer. Another issue in the VM environment is related to VM templates: it is common practice to use templates for rapid deployment of systems, and these templates may contain the original owner’s information, which may be re-used for new customers.
Virtual network security, in IaaS, cloud customers share the provider’s physical infrastructure with many different customers, which increases the risk of vulnerabilities being exploited in the different servers running DHCP, DNS and IP protocols. The virtual switches (vSwitch) used in IaaS to provide network access to the customer could also be attacked (Morsy et al., 2010).
Securing VM boundaries, VM servers can be designed with virtual boundaries (isolated from other VMs) to provide secure network connectivity among VM servers. Generally VMs co-exist on a physical server and share CPU, memory, network card and other resources. Securing VM boundaries falls under the cloud provider’s responsibility, so misconfiguration and mismanagement could lead to unauthorized access and data leaks (Morsy et al., 2010).
Hypervisor security, the hypervisor is a ‘virtualizer’ which maps a physical server to virtual servers. It acts as the central medium for any access to the physical server’s resources by VMs. Therefore, any compromise of the hypervisor means that the hosted VMs are compromised. The cloud service provider is responsible for the security of the hypervisor, and any vulnerability in the hypervisor software (Microsoft Hyper-V, VMware or Xen) is inherited as a security risk by customer VMs (Morsy et al., 2010).
Proposed Solution for IaaS Model
As shown in Table 3 in Appendix A, IPS and the Backup System are the two main technologies proposed to mitigate risks for the IaaS model. Most providers take advantage of virtual machines to reduce hardware cost when building cloud infrastructure. IPS and encryption are the most important technologies for making sure that data is not shared with, and will not leak to, other clients. PKI technology can also be used to ensure data integrity in the virtual environment.
A proper Change Management process is crucial so that the shared infrastructure in cloud computing remains secure. The Backup Systems should have a process for recovery and periodic testing of the Business Continuity Planning (BCP), and the infrastructure should be replicated off-site. With virtual infrastructure increasingly being the core business of cloud computing, the authorities should make certain that providers are certified and have the expertise to maintain and manage a virtual data center.
The following security risks may apply to all of the above service models:
Rapid adoption of cloud and the ongoing evolution of technologies and business models create a dynamic services ecosystem which is itself a security risk: it is difficult to keep up with the growth of cloud development, forestall upcoming demands and build a secure cloud. The revolution in cloud trends has already begun with the speedy growth of virtualization technology and a rising acceptance of cloud services that combine the power of computing capacity, portable devices, web services and enterprise software. Moreover, the cloud platform enables custom applications to be built and provisioned by third-party developers and hosted on the cloud provider's platform. It is therefore hard to maintain a strong internal partnership between third-party developers and the cloud service provider on the security compliance and standards that could enable a trustworthy service (CCIA, 2009).
Continuing attempts to penetrate or interrupt cloud offerings grow more complicated as more commerce happens, and hackers are trying a variety of techniques including domain hacking and MITM attacks. Complex malicious attacks aim to acquire identities or access to sensitive business data, for which there is an underground market in stolen information (Microsoft, 2009).
It is worth mentioning that any vulnerability at a lower level might affect a higher-level service model. For example, a vulnerability in IaaS (hardware firmware level) could lead to a security risk at the PaaS and SaaS levels. Similarly, a PaaS model risk (erroneous code or APIs) would pose a security risk to the SaaS model. The IT industry acknowledges the great potential benefits of cloud computing; on the other hand, low-level operational details such as data replication and server configuration are unknown to the users, as in a black-box system. This behavior not only raises a set of security issues but also creates a new set of legal issues such as compliance and auditing. “A survey from security vendor Trend Micro in 2009 found that 89% of the respondents want security to be addressed in the cloud before they are willing to adopt the technology (Iskold, 2006). 61% of the respondents in the survey are willing to adopt cloud computing services until they can be sure that there is no significant security risk” (Iskold, 2006).
LAYERED SOLUTION FRAMEWORK TO THE CLOUD COMPUTING MODELS
There is no easy solution to the security issues in cloud computing. Addressing them is a continuous process, from designing and implementing the system to its eventual decommissioning. It requires a solid understanding of the underlying technology and of business processes and practices. We propose a layered approach to the solution, starting from technology, then business processes (practices) and regulation (the legal perspective). Cloud services may flourish further when cloud providers are able to provide these services effectively and at the same time assure customers that their data will always be secure and available. However, as more customer and enterprise data moves to the cloud platform, it raises concern about the legal and regulatory obligations attached to this data, which could put the benefits of cloud at risk.
Proposed Solution using three Layered Approach
The three main pillars of security are confidentiality, integrity and availability. Friedman & West (2010) have added accountability, assurance and resilience. Accountability is the recognition of the identity of the different stakeholders by means of authentication through the availability of an audit trail. Assurance is the responsibility of the provider to make sure that they give what the client wants. Resilience might seem similar to Availability; however, Availability is defined as timely accessibility whereas Resilience is defined as robust and fail-free.
Figure 9. A framework that comprises Technology, Processes (Practices) and Regulation (Legal) domains
Figure 9 is derived to show the layered approach solution to cloud computing from all the identified risks in Tables 1, 2 and 3 for SaaS, PaaS and IaaS respectively. This layered approach can be used by either cloud providers or enterprise customers, as discussed in the scenarios below.
Technology seems to be the ultimate solution to mitigate nearly every security risk. If we are concerned about logical security, there are firewalls, Intrusion Prevention Systems, encryption and the different types of anti-malware, anti-virus, anti-spam and anti-spyware technology. Technology for physical security includes biometric access and redundancy such as onsite-offsite backup systems. A common misperception among providers, and even customers, is that if they have put in place all the technology available to combat security issues, then they have performed their due diligence.
There are many technological devices available to mitigate logical or physical security risks. However, when there are regulatory requirements, having the most advanced system is insufficient without proper processes in place, as discussed in our layered approach. The literature review identified several commonly used technologies, such as backup and logging systems. The technologies used can be expensive options, such as online synchronized data backup to a remote disaster recovery site over a high-speed fiber connection, or low-cost alternatives, such as using the existing audit logs provided free by the respective applications or security devices.
Process in cloud computing is still evolving due to the dynamism of cloud computing itself, even though it has been around for some years. In the earlier years, much of the focus revolved around cost and business strategy, but as requirements and the complexity of cloud technology have increased, processes focusing on security have become the main concern for customers.
We can complement security in business strategy by making security compliance a competitive edge among providers (Friedman & West, 2010). Providers can boost client take-up from different sectors, especially mission-critical industries like finance and healthcare, by being certified in security compliance such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) respectively.
There seems to be no difference between cloud computing and outsourcing. When outsourcing was first introduced, security was always a concern for the finance industry; however, more finance companies, for example DBS and SGX, have since adopted it. Business practices and processes will be the differentiator between implementing cloud computing and outsourcing. When we talk about security for cloud computing across geographical boundaries, we can model this business strategy on off-shoring in business outsourcing. As with off-shoring, processes such as hiring and Business Continuity Strategy are important to guarantee the security of enterprise data when implementing cloud computing.
Security is also very much dependent on control. More control over the business processes by the customer will ensure that appropriate security measures are taken, rather than depending on the best practices employed by the provider. Processes such as Change Management are crucial for an organization to have full control. Unauthorized or untested changes could have grave consequences for the daily operations of the business.
Regulation is the core of our layered approach; however, it is still a gray area. Most legal and contractual agreements do not clearly spell out the responsibilities of the providers and the customers. It is advised that if you are unable to understand what is laid out in the provider's contractual agreement, then you should not move to cloud computing (Microsoft, 2009). The responsibility of the provider is limited to the best of their ability, and it is debatable whether the provider has exercised sufficient due care and diligence.
The best way to ensure that regulatory or legal requirements are met by the provider is always to have the security requirements drafted by the customers themselves instead of the provider. Legal and regulatory compliance will almost always involve the issue of accountability. As suggested by Pearson (2009), instead of focusing on privacy, accountability guidelines and governance can be modeled or formulated: build mechanisms for accountable, responsible decision-making while handling data, which may include law enforcement; spell out in detail the security and privacy requirements, and assign stakeholders to be accountable for them.
Note that one provider (Microsoft, 2009) states that “Policies relating to the business’s handling of this data in the cloud environment are controlled and set by that business rather than by Microsoft. Similar to that of a company that rents physical warehouse, even though someone else might own the building, access to those files and the use of information within them is still governed by the policies of the company that rents the space.” If a company does not have a sound policy, this can be a critical factor in determining accountability.
Benefits from the proposed solution:
The layered approach discussed by Yildiz, Abawajy, Ercan & Bernoth (2009) is an infrastructure type of approach; its layers are Network, Process Hosting (Server), Storage, System Management and Application. Our proposed solution is a framework that comprises the three domains of Technology, Processes (Practices) and Regulation (Legal), as shown in Figure 9. The three-layered framework, as highlighted in the scenarios below, can be used both by the organization using cloud computing and by the provider.
Scenario using the framework to beef up security for an organization
Our proposed framework can be adopted by an enterprise customer as a guide to tighten, or come up with, a policy or requirements for the provider to adhere to. In Figure 10, Technology is at the outer layer and Regulation is at the core of the solution. Multiple technological measures can be adopted to secure the cloud investment; however, to further tighten security, the technology must be complemented with the right process, and the process must in turn move further toward the inner circle.
An example would be the implementation of several logical security technologies such as firewall, IPS and encryption, and physical security technologies such as biometric access and online synchronization with a DR site. This can be complemented with a process, such as requiring that off-site disaster recovery be tested twice a year. A common mistake or misperception is that a technology such as a firewall can protect a network infrastructure as long as the firewall meets the requirements. However, without a sound policy, such as looking into the details of the firewall administrator hiring process or into the qualifications of the administrator, no technology capability can withstand such breaches.
The core of this framework is the Regulation layer, in addition to the technology and process layers. Implementing the regulatory or legal requirements would further strengthen the security framework and, as discussed earlier, not complying with the regulatory requirements could put the accountability on the providers.
The perfect scenario would be to have everything at the core of our layered approach; however, certain measures can only be achieved at the outer layer. For example, biometrics might not be required by a certain country or industry, and when the cloud is hosted in that country, the provider can use that as an excuse for any unauthorized access in the event of a legal tussle.
Scenario using the framework to comply with regulatory or legal requirements
The proposed framework can also be adopted by a provider to adhere to certain regulatory or legal requirements. In this scenario, however, the provider instead starts at the core domain of the framework, i.e. Regulation, and moves the requirements outward to the Process domain and finally to the Technology domain. Unlike the scenario discussed above, where a customer has the option of whether to implement processes and regulation when implementing a new technology in the technology layer, whenever there is a requirement in the regulatory layer, processes and technology must be implemented when using this framework. An example would be a requirement imposed by a governing authority for the financial industry to have a Business Continuity Plan (BCP). In this scenario, processes such as the backup strategy and the frequency of mock recovery tests need to be drafted into the process layer. As for the technology layer, online synchronized data backup to an off-site facility can be implemented.
In our proposed framework, it is not possible for a regulatory or legal requirement to be fulfilled just by implementing the most advanced and most costly technology without the necessary processes. For example, even when an organization has an off-site, online synchronized backup system over a high-speed fiber connection, it could prove useless if there is no process to test whether the backup data can be recovered and made operational. Thus, when implementing the technology layer in our framework, there is no need for advanced and expensive technology; it can instead be a simple incremental backup strategy using a tape drive, with the tapes manually delivered off-site.
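One way to check the rule in this scenario, that a regulatory requirement must be carried outward into both a process and a technology and that the process (such as the recovery test) is actually exercised. This is an added example, not part of the original paper; the register structure, the names and dates, and the reading of "twice a year" as a 183-day maximum gap are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, NamedTuple, Optional


@dataclass
class Process:
    """Middle layer: a practice that must be exercised on a schedule."""
    name: str
    max_interval_days: int            # longest allowed gap between runs
    last_performed: Optional[date]    # None means never exercised


@dataclass
class Requirement:
    """Core layer: one regulatory requirement and what implements it."""
    regulation: str
    processes: List[Process] = field(default_factory=list)
    technologies: List[str] = field(default_factory=list)   # outer layer


class Finding(NamedTuple):
    regulation: str
    layer: str      # "process" or "technology"
    detail: str


def audit_register(register: List[Requirement], today: date) -> List[Finding]:
    """Flag requirements not carried through to both outer layers."""
    findings = []
    for req in register:
        if not req.processes:
            findings.append(Finding(req.regulation, "process",
                                    "no process implements this requirement"))
        if not req.technologies:
            findings.append(Finding(req.regulation, "technology",
                                    "no technology supports this requirement"))
        for proc in req.processes:
            if proc.last_performed is None:
                findings.append(Finding(req.regulation, "process",
                                        f"{proc.name}: never performed"))
                continue
            age = (today - proc.last_performed).days
            if age > proc.max_interval_days:
                findings.append(Finding(
                    req.regulation, "process",
                    f"{proc.name}: overdue by {age - proc.max_interval_days} days"))
    return findings


# Constructed sample register (names, dates and intervals are illustrative).
SAMPLE_REGISTER = [
    Requirement(
        regulation="BCP for financial industry",
        processes=[
            # "tested twice a year" is modelled as a 183-day maximum gap
            Process("mock recovery test", 183, date(2010, 9, 1)),
            Process("backup strategy review", 365, date(2011, 1, 10)),
        ],
        technologies=["online synchronized off-site backup"],
    ),
    Requirement(
        # Technology bought, but nothing checks that restores work.
        regulation="data retention (placeholder)",
        technologies=["fiber-linked DR replication"],
    ),
    Requirement(
        regulation="audit trail (placeholder)",
        processes=[Process("log review", 30, None)],
    ),
]

if __name__ == "__main__":
    for f in audit_register(SAMPLE_REGISTER, today=date(2011, 4, 19)):
        print(f"[{f.layer}] {f.regulation}: {f.detail}")
```

The second sample entry is the case the paragraph above warns about: an expensive replication link with no recovery process behind it is reported as a gap, while a requirement whose processes are current produces no finding.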
CLOUD COMPUTING SECURITY TRENDS
We have discussed above that security issues are the highest concern among enterprises considering the adoption of cloud computing, and we believe this trend will continue to be a deciding factor in the coming days. The following are a few major trends in cloud computing and its security issues.
Cloud benefits will no longer be questioned (Focus Research, 2010): as testified by many early adopters of cloud computing, the many benefits of cloud computing outweigh the advantages of hosting their own in-house IT services, despite the attendant security issues. Companies will continue to reap almost immediate cost savings from cutting back on hardware and software investment and, at the same time, existing in-house IT staff can be redeployed to take up higher-value job functions within the companies.
The rise of mobile cloud computing (Focus Research, 2010): the phenomenal growth of mobile phones and tablets with 3G and Wi-Fi capabilities, which allow internet connection from almost everywhere, enables enterprise users to access their corporate data and work outside the office. The widespread use of mobile devices for work will accelerate the use of enterprise cloud services. These devices are mostly ready for cloud computing services such as email, social networking sites, VoIP calls, various sales portals (e.g. salesforce.com) and CRM web applications. More users on mobile devices will increase the volume of connections and data transferred to the cloud. However, lost and stolen mobile devices could expose sensitive and confidential data to unauthorised audiences. Another risk lies in the common practice of backing up and synchronising data between multiple mobile devices without encryption. Upcoming solutions will certainly address mobile security, but there could be a large data breach that exposes this issue before the new solutions arrive (Violino, B., 2010).
Greater need for better identity and access control policy: as the nature of the cloud is highly virtual, dynamic and distributed, there is a greater need to manage identities across cloud services. Third parties may develop solutions to address this issue, but such solutions may not be adequate for large organizations with a mix of legacy and cloud services (Violino, B., 2010).
Ongoing concerns about compliance: compliance issues will be in the spotlight; specifically, the payment card industry (PCI) standard is likely to be a security problem. Concern about financial and healthcare data will continue to pose a higher degree of security risk in cloud computing (Violino, B., 2010).
Emerging cloud certifications and standards: the security capacity of cloud providers will be evaluated when choosing cloud services. Certifications and standards will therefore be crucially important in building customers' confidence and trust that their data will be secured (Violino, B., 2010).
Redesign security: there will be enormous opportunities for security teams to redesign the way business and security interact. Security personnel will need to reset the clock to address security and business alignment issues. Moreover, security personnel will have an opportunity to take ownership and guide their customers on the right way to use cloud services and adopt best practices to keep data secure (Violino, B., 2010).
Increased market competition and consolidation (Focus Research, 2010): many large companies such as telcos, cable and wireless operators are entering the cloud market, offering a whole range of integrated services (telephony, video conferencing, leased lines, hosted applications, IT infrastructure platforms) to their enterprise customers. The larger Cloud Service Providers will also acquire smaller companies to offer more comprehensive and secure cloud solutions.
Increased adoption of cloud services by SMBs (Focus Research, 2010): small businesses without an IT department will be able to grow their business faster by leveraging the pay-as-you-use model of cloud services, without having to invest in IT infrastructure and its security. Mid-sized businesses will also find it difficult for their IT infrastructure to compete against the cloud providers, and will start to consider migrating to the cloud.
The rise of private clouds (Focus Research, 2010): many enterprises will set up their own cloud within their datacenters to improve the delivery of internal IT services, including increased speed of service delivery, improved agility and reduced cost. Private clouds are also set up as an alternative to the services offered by public cloud service providers, due to security concerns.
As discussed throughout this paper, adoption of cloud computing by enterprises will, no doubt, continue to grow at a rapid pace, since the security risks do not outweigh its benefits. With continuous technological advancement and the formalization of regulatory frameworks to safeguard the interests of customers and the cloud industry, more enterprises will move their critical applications and data into the cloud.
The proposed three-layer solution framework can be used both by the enterprises that use cloud computing and by the providers that offer applications or platforms as cloud computing services. Enterprises can use the framework starting from the outer layer of technology, depending on their budget constraints in implementing technology, and progressively improve privacy and security by moving inwards to the middle circle to comply with the appropriate processes, and eventually into the inner core to demand the necessary regulatory compliance from providers. With the framework in place, enterprises could be certain that they have minimised the security risks related to cloud computing.
Providers, on the other hand, can use this framework to look at the regulatory requirements, for example SOX or HIPAA compliance, from the core and move outward towards complying with the necessary processes and finally supporting the technologies, to demonstrate that they are compliant with the regulatory requirements. Note that when regulatory requirements are imposed in the framework, no technology solution can fulfill them without the necessary processes. Lastly, we believe cloud computing is still at an early stage; it will mature in the days to come, and the solutions provided today will not be sufficient in the future. We therefore suggest further study of cloud computing and its security implications.
01. Gartner (2010). Forecast: Public Cloud Services, Worldwide and Regions, Industry Sectors, 2009-2014. Retrieved April 02, 2011 from http://www.gartner.com/it/page.jsp?id=1389313
02. Datapipe (2010). The Dollars and Cents of Cloud Computing. Retrieved April 02, 2011 from
03. Forbe (2011). 2011 Trends Report: Cloud Computing. Retrieved April 02, 2011 from
04. Rosenbaum (2011). Clear Reasons for Moving into the Cloud. Retrieved April 02, 2011 from
05. Greenberg (2008). Cloud Computing’s Stormy Side. Retrieved April 02, 2011 from
06. Amazon Web Services Blog (2008). Oracle Enters the AWS Cloud. Retrieved April 02, 2011
07. Focus Research (2010). 2011 Trends Report: Cloud Computing. Retrieved April 02, 2011 from
08. Dikaiakos, M. D., Katsaros, D., Mehra, P., Pallis, G., Vakali, A. (2009). Cloud Computing: Distributed Internet Computing for IT and Scientific Research. In IEEE Internet Computing, September/October, 2009, Vol. 13, No. 5, Pp. 10-13.
09. Wikipedia (2011). Cloud Computing. Retrieved March 13, 2011 from
10. Servepath (2011). Definition of commonly used terms in server hosting. Retrieved March 13, 2011
11. NIST (2009). The NIST Cloud Definition Framework. Retrieved March 14, 2011 from
12. Thibodeau, P. (2010). The Vapour 10 big cloud trends for 2010. Computerworld Singapore. January-February 2010 issue, page 33
13. Mell P., Grance T. (2009). The NIST Definition of Cloud Computing. Retrieved March 14, 2011 from
14. The Royal Academy of Engineering (2009). Dilemmas of Privacy and Surveillance: Challenges of Technological Change. Retrieved March 01, 2011 from ww.raeng.org.uk/policy/reports/default.htm
15. Wikipedia (2011). Information Privacy. Retrieved March 13, 2011 from
16. Mather T., Kumaraswamy S., Atif S. (2009). Cloud Security and Privacy. An Enterprise Perspective on Risks and Compliance, Published by O’Reilly Media, Inc., Sebastopol, USA.
17. Horrigan J. B. (2008). “Use of cloud computing applications and services”, Pew Internet & American Life project memo. Retrieved March 04, 2011 from
18. Microsoft (2008). Privacy Guidelines for Developing Software Products and Services. Retrieved March 17, 2011 from http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-
19. Greenberg, A. (2008). “Cloud Computing’s Stormy Side”, Forbes Magazine. Retrieved March 21, 2011 from http://www.forbes.com/2008/02/17/web-application-cloudtech-intel-
20. Pearson S. (2009). Taking Account of Privacy when Designing Cloud Computing Services. HP Labs,
21. Salesforce.com inc (2008). Sales Force Automation web page, Retrieved March 23, 2011 from http://www.salesforce.com/products/sales-forceautomation
22. James A. (2008). Will cloud computing transform IT, Retrieved March 27, 2010 from
23. IDC (2009). Cloud Computing 2010. IDC Enterprise Panel. Retrieved March 25, 2011 from
24. Kirkwood (2010). Will One Company Become the Dominant Player in Cloud Computing? Retrieved on March 25, 2010 from http://www.readwriteweb.com/cloud/2010/02/cloud-computing-leader.php
25. Brodkin, J. (2008). Seven cloud-computing security risks. Retrieved March 24, 2011 from
26. Smith L. (2011). Advice for dealing with the top 10 risks in public cloud computing. Retrieved March 27, 2011 from http://searchcio.techtarget.com/news/2240031598/Advice-for-dealing-with-the-
27. CCIA (2009). Abstract: Cloud Computing, Computer & Communications Industry Association. Retrieved on March 30, 2011 from
28. Microsoft (2009). Securing Microsoft’s Cloud Infrastructure. Retrieved March 29, 2011 from
29. Grobauer B., Schreck T. (2010). Towards Incident Handling in the Cloud: Challenges and Approaches. ACM 2010, Siemens CERT, Germany.
30. Iskold A. (2006). Amazon Web Services success stories. ReadWriteWeb. Retrieved March 01, 2011 from http://www.readwriteweb.com/archives/amazon web services success stories.php
31. Golden, B. (2009). CIO: Forrester bucks conventional wisdom on cloud computing. Retrieved March 01, 2011 from http://www.cio.com/article/496213/Forrester Bucks Conventional Wisdom on Cloud
32. Morsy A. M., Grundy J., Muller I. (2010). An Analysis of The Cloud Computing Security Problem. Retrieved Feb 25, 2011 from http://www.ict.swin.edu.au/personal/malmorsy/Pubs/cloud2010_1.pdf
33. Yildiz, M., Abawajy, J., Ercan, T., & Bernoth, A. (2009). A Layered Security Approach for Cloud
34. Friedman A., West D. (2010). Privacy and Security in Cloud Computing
35. Violino, B. (2010). What do IT security practitioners expect to be major cloud security issues in 2011? Retrieved April 19, 2011 from http://www.csoonline.com/article/647128/five-cloud-security-