cloud computing -risks, countermeasures, costs and benefits-
Running Head: CLOUD COMPUTING
Risks Associated with Cloud computing, Countermeasures, Costs and Benefits
Lillian Ekwosi-Egbulem
University of Maryland University College, 2011
In partial fulfillment of the requirements for CSIA454
Professor’s Name: James Caroland
Date: 10/30/2011
Introduction
Advances in information technology have ushered in a totally different way of
dominating the Internet and computing. Cloud computing is a relatively new, emerging
technology driven by virtualization and considered the Internet of the future. Corporate and
individual users can rent “bandwidth, processing power and operate the virtual machines.” It
offers flexibility, savings, simplicity, and three delivery models, namely Infrastructure as a
Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) (Badger, Grance,
Patt-Corner & Voas, 2011).
Cloud computing's technological resources and services are offered to users through the
Internet or an intranet. In essence, users can host software and process and store data on
remotely accessed servers instead of on hard drives, household personal computers, or servers.
However, the jurisdictional locations of these remotely accessed servers are neither known to
nor controllable by the user (Svantesson & Clarke, 2010). The cloud computing concept is still
immature and, as a result, its definition remains vague; the National Institute of Standards
and Technology (NIST) acknowledges it as an evolving paradigm (TechTarget, n.d.).
Though cloud computing offers scalability, cost savings, and increased IT stability and agility,
the risks associated with the cloud environment make it a threat to information security.
Risks Associated with Cloud Computing
Cyberattack
As recorded in "Hacking the Cloud," the cloud environment is more vulnerable than a regular
environment. Hackers can infiltrate the cloud by deploying malware that takes advantage of an
existing weakness such as an unpatched hole. Malware can spread from one user to another, and
compromised cloud spaces can be hijacked and used by attackers as botnets to perform
distributed denial-of-service attacks (Pacella, 2011). The Department of Defense's Defense
Information Systems Agency built RACE (Rapid Access Computing Environment), a cloud of
computing resources for use by DOD personnel (Gibson, 2008). This decision seems very hasty
because the technology is still immature and has presented many recorded security issues. For
countries like China and Russia, which thrive on stealing confidential information from the US,
it is business as usual, as the cloud environment offers them exploitable vulnerabilities.
Data location and Segregation
Cloud computing is similar to outsourcing, and providers may not store data in a specific
jurisdiction. Consequently, cloud customers may not even be aware of the location of their data.
Furthermore, data are stored in a shared environment, and although vendors may exercise due
diligence by encrypting data, that is not enough. For instance, in a bid to save time and
bandwidth, Dropbox stores users' files that have the same hash value as one file. As a result,
users' files are linked together until a file is modified and its hash changes. Dropbox also
experienced a security glitch that gave users access without authentication and allowed users to
access each other's accounts (McCullagh, 2011).
Trust boundary and investigative support
The trust boundary appears to be the most perplexing risk, because the different countries where
data is stored have different laws, which can affect the security of the stored data. This is a
big security issue because nation-states like China view hacking as ethical and sponsor their
hackers to constantly level cyberattacks against the US. Furthermore, the trust boundary
complicates the investigation of illegal activities in the cloud. Without policies outlining how
to obtain evidence spread across multiple servers, data centers, and locations from vendors,
investigation and discovery requests will be impossible (Brodkin, 2008). The provisions of
Title II of the Electronic Communications Privacy Act, also known as the Stored Communications
Act, reduce the amount of data a cloud service provider may give to authorities. This act
provides a safe haven for cloud vendors and puts investigators at a disadvantage.
Privacy Risks
Cloud computing is associated with a range of severe and complex privacy issues such as
data collection, use, disclosure, storage, retention, and access (Svantesson & Clarke, 2010).
Problems arise with how to characterize cloud computing activity, and current laws have not been
able to define clearly what exactly is protected in the cloud computing environment. Defining
these laws is essential to ensure that consumers' privacy is protected and that their personal
information is not shared without their consent.
Solutions to Achieve Cloud Computing Security
Well-documented policy and procedures to enforce the laws governing cloud computing are
critical. The document must be reviewed and updated according to the changing nature of
information and information technology. This will be useful to users in selecting a provider.
Service providers must sign a service level agreement with users defining the technical
controls that safeguard the cloud environment. The agreement will also define the management
controls that stipulate how risk will be assessed, managed, and mitigated. Operational controls
will additionally define contingency planning and incident response.
The cloud-based service provider must have a continuous risk assessment and subsequent
penetration testing plan to determine the existence of vulnerabilities and deploy appropriate
security measures before hackers take advantage of those vulnerabilities. A disaster recovery
plan that provides backup during cloud outages ensures availability of services and
uninterrupted access to data at any time. Encrypting files may not be the overall solution, but
at present it is the best solution available and must be the responsibility of both the user and
the provider. Also, proper segregation of individual files is very important to avoid
commingling of files.
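
The hash-based deduplication described under Data Location and Segregation, and the file segregation recommended above, as an added example that is not part of the original paper and is not Dropbox's code. It is a toy in-memory store (class, tenant and key names are assumptions) that keys blobs by content hash, next to a variant that scopes the key to each tenant with an HMAC so identical files from different users are no longer linked.

```python
import hashlib
import hmac


class GlobalDedupStore:
    """Toy model: one stored blob per distinct content hash, shared by all tenants."""

    def __init__(self):
        self.blobs = {}   # blob key -> bytes
        self.index = {}   # (tenant, filename) -> blob key

    def _key(self, tenant, data):
        return hashlib.sha256(data).hexdigest()

    def put(self, tenant, name, data):
        key = self._key(tenant, data)
        already_stored = key in self.blobs   # True if this key was uploaded before
        self.blobs.setdefault(key, data)
        self.index[(tenant, name)] = key
        return already_stored


class PerTenantDedupStore(GlobalDedupStore):
    """Deduplicates only inside a tenant: blob key = HMAC(tenant secret, content)."""

    def __init__(self, tenant_secrets):
        super().__init__()
        self.tenant_secrets = tenant_secrets  # hypothetical per-tenant keys

    def _key(self, tenant, data):
        return hmac.new(self.tenant_secrets[tenant], data, hashlib.sha256).hexdigest()


def shared_blobs(store):
    """Blob keys referenced by more than one tenant (commingled files)."""
    owners = {}
    for (tenant, _name), key in store.index.items():
        owners.setdefault(key, set()).add(tenant)
    return {k: sorted(t) for k, t in owners.items() if len(t) > 1}


def demo():
    doc = b"Q3 payroll export (constructed sample data)"
    g = GlobalDedupStore()
    g.put("alice", "payroll.csv", doc)
    linked = g.put("bob", "copy.csv", doc)        # bob's file resolves to alice's blob
    p = PerTenantDedupStore({"alice": b"secret-a", "bob": b"secret-b"})
    p.put("alice", "payroll.csv", doc)
    cross = p.put("bob", "copy.csv", doc)         # different tenant: separate blob
    within = p.put("bob", "copy2.csv", doc)       # same tenant: still deduplicated
    return linked, len(shared_blobs(g)), cross, len(shared_blobs(p)), within, len(p.blobs)


if __name__ == "__main__":
    print(demo())
```

The per-tenant variant gives up cross-user storage savings in exchange for segregation; it does not replace encrypting the stored data.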
Information systems security is a critical element in today's business, government,
education, and home technology-based environments, and when it is at risk, organizational goals
and objectives are at risk. In view of this, the National Institute of Standards and Technology
(NIST) has made freely available to the public the SP 800-144, 145 and 146 series, which
addresses guidelines on security and privacy in public cloud computing, its definition, and
recommendations.
Costs and Benefits
The matrix used in evaluating the costs and benefits of the recommended solution rates
the effectiveness of each control as high, medium or low. Policy and risk assessment are rated
high because an organization's security is only as strong as its policy, and the first step in
data protection is understanding the risks and managing them. Encryption and the service level
agreement are rated medium because decryption tools exist and some companies may breach their
contracts in the hope that users will avoid litigation due to its high cost. These controls
are basic, affordable and highly recommended to management.
Conclusion
Cloud computing is a new arena that must be trodden with care. Compliance guidance
exists but is not yet clearly defined due to the immature nature of the cloud environment.
Therefore, users must not concentrate solely on the scalability, cost savings, and increased IT
stability and agility this new technology offers, but must understand that ultimately the
security of their delivery models is primarily their responsibility.
References
Badger, L., Grance, T., Patt-Corner, R., & Voas, J. (2011, May). DRAFT Cloud Computing
Synopsis and Recommendations: Recommendations of the National Institute of Standards and
Technology (Special Publication No. 800-146). National Institute of Standards and Technology.
Archived at http://webtycho.umuc.edu
Brodkin, J. (2008). Gartner: Seven Cloud-Computing Security Risks. InfoWorld. Retrieved from
http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853?page=0,1
Gibson, S. (2008). GAMBLING ON THE CLOUD?. eWeek, 25(28), 39. Retrieved from
EBSCOhost. Retrieved from
http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/detail?sid=a4ec9f01-73ed-4527-8494-1b2a7df62848%40sessionmgr12&vid=39&hid=2&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#db=f5h&AN=34838261
McCullagh, D. (2011). Dropbox confirms security glitch--no password required. CNET.
Retrieved from
http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/
Pacella, R. (2011). HACKING THE CLOUD. Popular Science, 278(4), 68. Retrieved from
EBSCOhost. Retrieved from
http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?sid=a4ec9f01-73ed-4527-8494-1b2a7df62848%40sessionmgr12&vid=8&hid=2
Svantesson, D., & Clarke, R. (2010). Privacy and consumer risks in cloud computing. Computer
Law and Security Review, 26(4), 391-397. Retrieved from
http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1346&context=law_pubs
TechTarget. (n.d.). SearchCloudComputing.com E-Guide Expert insight: Cloud computing
defined. Retrieved from
http://docs.media.bitpipe.com/io_10x/io_100433/item_419064/HPandIntel_sCloudComputing_SO%23034437_E-Guide_052611.pdf