cloud computing -risks, countermeasures, costs and benefits-

Running Head: CLOUD COMPUTING

Risks Associated with Cloud Computing, Countermeasures, Costs and Benefits

Lillian Ekwosi-Egbulem

University of Maryland University College, 2011

In partial fulfillment of the requirements for CSIA454

Professor’s Name: James Caroland

Date: 10/30/2011


Introduction

Advances in information technology have ushered in a totally different way of dominating the Internet and computing. Cloud computing is a relatively new, emerging technology driven by virtualization and considered the Internet of the future. Corporate and individual users can rent “bandwidth, processing power and operate the virtual machines.” It offers flexibility, savings, simplicity, and three delivery models, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) (Badger, Grance, Patt-Corner & Voas, 2011).

Cloud computing resources and services are offered to users through the Internet or an intranet. In essence, users can host software and process and store data on remotely accessed servers instead of on hard drives, household personal computers, or servers. However, the jurisdictional locations of these remotely accessed servers are neither known nor controllable by the user (Svantesson, 2010). The cloud computing concept is still immature and as a result has only a vague definition, which the National Institute of Standards and Technology (NIST) acknowledges as an evolving paradigm (Tech Target, n.d.).

Though cloud computing offers scalability, cost saving, increased IT stability and agility, the risks associated with the cloud environment make it a threat to information security.

Risks Associated with Cloud Computing

Cyberattack

As recorded in Hacking the Cloud, the cloud environment is more vulnerable than a regular environment. Hackers can infiltrate the cloud by deploying malware that takes advantage of an existing weakness such as an unpatched hole. Malware can spread from one user to another, and compromised cloud spaces can be hijacked and used by attackers as botnets to perform distributed denial-of-service attacks (Pacella, 2011). The Department of Defense's Defense Information Systems Agency built RACE (Rapid Access Computing Environment), a cloud of computing resources for use by DOD personnel (Gibson, 2008). This decision seems very hasty because this technology is still immature and has presented many recorded security issues. For countries like China and Russia that thrive on stealing confidential information from the US, it is business as usual, as the cloud environment offers them exploitable vulnerabilities.

Data location and Segregation

Cloud computing is similar to outsourcing, and providers may not store data in a specific jurisdiction. Consequently, cloud customers may not even be aware of the location of their data. Furthermore, data are stored in a shared environment, and although vendors may exercise due diligence by encrypting data, that is not enough. For instance, in a bid to save time and bandwidth, Dropbox hashes users’ files and combines files that have the same hash value into one file. As a result, users’ files are linked together until a file is modified or the hash changes. Dropbox also experienced a security glitch that gave users access without authentication and caused users to access each other’s accounts (McCullagh, 2011).

Trust boundary and investigative support

Trust boundary appears to be the most perplexing risk because the different countries where data is stored have different laws, which in effect can affect the security of stored data. This is a big security issue because nation-states like China view hacking as ethical and sponsor their hackers to constantly level cyberattacks against the US. Furthermore, the trust boundary complicates the investigation of illegal activities in the cloud. Without policies outlining how to obtain from vendors evidence spread across multiple servers, data centers, and locations, investigation and discovery requests will be impossible (Brodkin, 2008). The provisions of Title II of the Electronic Communications Privacy Act, also known as the Stored Communications Act, reduce the amount of data a cloud service provider may give to authorities. This act provides a safe haven for cloud vendors and puts investigators at a disadvantage.

Privacy Risks

Cloud computing is associated with a range of severe and complex privacy issues such as data collection, use, disclosure, storage, retention, and access (Svantesson & Clarke, 2010). Problems arise with how to characterize cloud computing activity, and current laws have not been able to define clearly what exactly is protected in the cloud computing environment. Defining these laws is essential to ensure that consumers’ privacy is protected and that their personal information is not shared without their consent.

Solutions to Achieve Cloud Computing Security

A well-documented policy and procedures to enforce laws governing cloud computing are critical. The document must be reviewed and updated according to the changing nature of information and information technology. This will be useful to users in selecting a provider.

Service providers must sign a service level agreement with users defining the technical controls that safeguard the cloud environment. They will also define management controls that stipulate how risk will be assessed, managed, and mitigated. Operational controls will additionally define contingency planning and incident response.

The cloud-based service provider must have a continuous risk assessment and subsequent penetration testing plan to determine the existence of vulnerabilities and deploy appropriate security measures before hackers take advantage of the vulnerabilities. A disaster recovery plan that provides backup during cloud outages ensures availability of services and uninterrupted access to data at any time. Encrypting files may not be the overall solution, but presently it is the best solution available and must be the responsibility of both the user and the provider. Also, proper segregation of individual files is very important to avoid commingling of files.
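The hash-based file linking described under Data location and Segregation, and the segregation control recommended here, as an added example that is not from the original paper or from any provider's code. It is a toy content-addressed store; the class, function names and sample files are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os


class DedupStore:
    """Toy content-addressed blob store (constructed for illustration)."""

    def __init__(self, tenant_scoped):
        self.tenant_scoped = tenant_scoped
        self.blobs = {}        # storage key -> file bytes
        self.refs = {}         # storage key -> set of (user, filename)
        self.tenant_keys = {}  # user -> secret that scopes that user's keys

    def _storage_key(self, user, data):
        if not self.tenant_scoped:
            # Global dedup: identical bytes map to one key for every user.
            return hashlib.sha256(data).hexdigest()
        # Segregated: HMAC under a per-user secret, so the same bytes
        # uploaded by two users land in two separate blobs.
        secret = self.tenant_keys.setdefault(user, os.urandom(32))
        return hmac.new(secret, data, hashlib.sha256).hexdigest()

    def put(self, user, filename, data):
        key = self._storage_key(user, data)
        self.blobs.setdefault(key, data)
        self.refs.setdefault(key, set()).add((user, filename))
        return key

    def shared_blobs(self):
        """Audit check: storage keys referenced by more than one user."""
        return sorted(k for k, owners in self.refs.items()
                      if len({user for user, _ in owners}) > 1)


def compare(sample):
    """Load the same uploads into both designs and report cross-user linkage."""
    report = {}
    for name, scoped in (("global", False), ("tenant_scoped", True)):
        store = DedupStore(tenant_scoped=scoped)
        for user, filename, data in sample:
            store.put(user, filename, data)
        report[name] = {"blobs": len(store.blobs),
                        "shared": len(store.shared_blobs())}
    return report


# Constructed sample: two users upload byte-identical files, a third differs.
SAMPLE = [("alice", "q3.pdf", b"quarterly report"),
          ("bob", "copy.pdf", b"quarterly report"),
          ("carol", "notes.txt", b"meeting notes")]

if __name__ == "__main__":
    print(compare(SAMPLE))
```

The tenant-scoped design gives up the cross-user storage savings in exchange for segregation; a user's own duplicate files still collapse to one blob.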

Information systems security is a critical element in today’s business, government, education, and home technology-based environments, and when it is at risk, organizational goals and objectives are at risk. In view of this, the National Institute of Standards and Technology (NIST) has freely made available to the public the SP 800-144, 145 and 146 series to address the guidelines on security and privacy in public cloud computing, definition and recommendation.

Costs and Benefits

The matrix used in evaluating the costs and benefits of the recommended solution rates the effectiveness of each control as high, medium or low. Policy and risk assessment are rated high because an organization’s security is only as strong as its policy, and the first step in data protection begins with understanding the risks and managing them. Encryption and service level agreement are rated medium because there are decrypting tools out there and some companies may breach their contracts hoping users will avoid litigation due to its high cost. These controls are basic, affordable and highly recommended to management.

Conclusion

Cloud computing is a new arena that must be trodden with care. Compliance guidance exists but is not yet clearly defined due to the immature nature of the cloud environment. Therefore, users must not concentrate solely on the scalability, cost saving, increased IT stability and agility this new technology offers but must understand that ultimately the security of their delivery models is primarily their responsibility.

References

Badger, L., Grance, T., Patt-Corner, R., & Voas, J. (2011, May). DRAFT Cloud Computing Synopsis and Recommendations: Recommendations of the National Institute of Standards and Technology (Special Publication No. 800-146). National Institute of Standards and Technology. Archived at http://webtycho.umuc.edu

Brodkin, J. (2008). Gartner: Seven Cloud-Computing Security Risks. InfoWorld. Retrieved from http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853?page=0,1

Gibson, S. (2008). GAMBLING ON THE CLOUD? eWeek, 25(28), 39. Retrieved from EBSCOhost: http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/detail?sid=a4ec9f01-73ed-4527-8494-1b2a7df62848%40sessionmgr12&vid=39&hid=2&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#db=f5h&AN=34838261

McCullagh, D. (2011). Dropbox confirms security glitch--no password required. CNET. Retrieved from http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/

Pacella, R. (2011). HACKING THE CLOUD. Popular Science, 278(4), 68. Retrieved from EBSCOhost: http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?sid=a4ec9f01-73ed-4527-8494-1b2a7df62848%40sessionmgr12&vid=8&hid=2

Svantesson, D., & Clarke, R. (2010). Privacy and consumer risks in cloud computing. Computer Law and Security Review, 26(4), 391-397. Retrieved from http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1346&context=law_pubs

TechTarget. (n.d.). SearchCloudComputing.com E-Guide Expert insight: Cloud computing defined. Retrieved from http://docs.media.bitpipe.com/io_10x/io_100433/item_419064/HPandIntel_sCloudComputing_SO%23034437_E-Guide_052611.pdf