security issues and solutions in cloud computing

Upload: aashish39

Post on 08-Aug-2018


  • 8/22/2019 Security Issues and Solutions in Cloud Computing


    Security Issues and Solutions in Cloud Computing

    Abstract

    Cloud computing is a growing area of concern in the IT security community because cloud architectures are literally popping up all over. Public clouds are available from Google.com,

    Amazon.com, Microsoft, Oracle/Sun, Canonical/Eucalyptus and many other vendors. Private

    cloud technologies, where the cloud software is loaded on local or in-house server hardware, are

    available from VMware, Eucalyptus, Citrix, Microsoft, and there are thousands of vendors

    offering cloud solutions of all sorts. A search for private cloud hosting on

    Google.com produced 581,000 page results. With all of the hyperbole has come a large swell of

    early-adopters and developers. This paper is concerned with discovery of the vulnerabilities in

    the landscape of clouds, discovery of security solutions, and finding evidence that early-adopters or developers have grown more concerned with security.

    Keywords: cloud computing, cloud security

    Security Issues and Solutions in Cloud Computing

    This paper concerns security issues and solutions in cloud computing. Cloud computing is a

    catch-all phrase that covers virtualized operating systems running on virtual hardware on untold

    numbers of physical servers. The cloud term has consumed High-Performance

    Computing (HPC), Grid computing and Utility Computing. The Cloud Security Alliance has adopted the definition developed by NIST: computing in the cloud is a model exhibiting the

    following characteristics: on-demand self-service, broad network access, resource pooling,

    rapid elasticity and measured service (Cloud Security Alliance Guidance Version 2.1, 2009, p.

    15). This is an area that appears to be growing larger and more pervasive as the benefits of cloud

    architectures become better understood. More organizations start their own cloud projects and

    more application developers sign on for cloud development as the hyperbole is shaken out and

    the real parameters of the key technologies are discovered and perfected. The basic areas of

    cloud vulnerability are similar to the standard issues that surround networking and networked

    applications. The issues specific to cloud architectures include network control being in the

    hands of third parties and a potential for sensitive data to be available to a much larger

    selection of third-parties, both on the staff of the cloud providers, and among the other clients of

    the cloud.

    The quick adoption of the cloud model is plain in the success of the Amazon Elastic Cloud

    Computing (EC2) product, the buy-in from IBM with their backing of the highly concurrent,


    massively parallel language X-10 (Saraswat, Vijay, 2010) and Microsoft's investment in its

    Azure cloud (Qiu et al., 2009). Janine Milne reported that eight of ten businesses surveyed in the

    UK were opting for private cloud initiatives rather than public cloud projects and they stated the

    issues of concern to be data security in transit, in storage or during processes (Milne, 2010). It is

    plain that the field is full and the harvest for the IT security profession and IT in general is excellent.

    The literature available on cloud security is plentiful, and there is enough higher-quality work to

    develop a conceptual framework for security issues and solutions.

    Background

    Cloud computing is a marketing term that refers to web-based application, storage, and

    communications services. Though this move to computing in the cloud seems to be

    inevitable, at least part of the reason why it is inevitable is expedience for the supplier

    companies, and vendor lock-in, or as Richard Stallman says in the Guardian, "If you use a

    proprietary program or somebody else's web server, you're defenceless (sic). You're putty in the

    hands of whoever developed that software." (Cloud computing is a trap, warns GNU founder |

    Technology | guardian.co.uk, 2008) Perhaps because the definition of Cloud

    Computing is so broad and vague, there is a tendency to define it by what it is not. There is

    also a tendency to define as cloud computing whatever is in great supply, such as a large

    data center's surplus processing capacity. Christodorescu, Sailer, Schales, Sgandurra & Zamboni

    (2009) point out that clouds are not synonymous with virtualization though most clouds must use some sort of virtualization at hardware, OS or application level (Christodorescu, Sailer, Schales,

    Sgandurra, & Zamboni, 2009, p. 99).

    Vulnerabilities

    Cloud computing shares in common with other network-based application, storage and

    communication platforms certain vulnerabilities in several broad areas:

    Web application vulnerabilities, such as cross-site scripting and SQL injection (which are symptomatic of poor field input validation), buffer overflow, as well as default configurations or

    mis-configured applications.

    Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP stack and the operating systems, such as denial of service and distributed denial of service (Krügel, Toth, &

    Kirda, 2002).


    Authentication of the respondent device or devices. IP spoofing, RIP attacks, ARP poisoning (spoofing), and DNS poisoning are all too common on the Internet. TCP/IP has some

    unfixable flaws such as trusted machine status of machines that have been in

    contact with each other, and tacit assumption that routing tables on routers will not be

    maliciously altered.

    Data verification, tampering, loss and theft, while on a local machine, while in transit, while at

    rest at the unknown third-party device, or devices, and during remote back-ups.

    Physical access issues, both the issue of an organization's staff not having physical access to the machines storing and processing its data, and the issue of unknown third parties having physical

    access to the machines.

    Privacy and control issues stemming from third parties having physical control of the data are an issue for all outsourced networked applications and storage, but cloud architectures have some

    specific issues that are distinct from the usual issues. Christodorescu et al. show a significant gap between what is assumed and what is reality, i.e., all virtual machines are brought into

    existence clean, when in reality a compromised hypervisor can spawn compromised VMs, or all

    VM operating systems are known and available for audit, when in reality the Windows source-

    code, among others, is not available for audit (Christodorescu et al., 2009, p. 100).

    Security Solutions

    There are several groups interested in developing standards and security for clouds and cloud

    security. The Cloud Security Alliance (CSA) is gathering solution providers, non-profits and

    individuals to enter into discussion about the current and future best practices for information assurance in the cloud (Cloud Security Alliance (CSA) security best practices for cloud

    computing, 2009). The Cloud Standards web site is collecting and coordinating information

    about cloud-related standards under development by other groups (CloudStandards,

    2010). The Open Web Application Security Project (OWASP) maintains a top 10 list of

    vulnerabilities to cloud-based or Software as a Service deployment models which is updated as

    the threat landscape changes (OWASP, 2010). The Open Grid Forum publishes

    documents containing security and infrastructural specifications and information for grid

    computing developers and researchers (Open Grid Forum, 2010).

    Web Application Solutions

    The best security solution for web applications is to develop a development framework that

    shows and teaches a respect for security. Tsai, W., Jin, Z., & Bai, X. (2009) put forth a four-tier

    framework for web-based development that, though interesting, only implies a security facet in


    the process (Tsai, Jin, & Bai, 2009, p. 1). Towards best practices in designing for the

    cloud by Berre, Roman, Landre, Heuvel, Skår, Udnæs, Lennon, & Zeid (2009) is a road

    map toward cloud-centric development (Berre et al., 2009), and the X10 language is one way to

    achieve better use of the cloud capabilities of massive parallel processing and concurrency

    (Saraswat, Vijay, 2010).

    Accessibility Solutions

    Krügel, C., Toth, T., & Kirda, E. (2002) point out the value of filtering a packet-sniffer output

    to specific services as an effective way to address security issues shown by anomalous packets

    directed to specific ports or services (Krügel et al., 2002).

    An often-ignored solution to accessibility vulnerabilities is to shut down

    unused services, keep patches updated, and reduce permissions and access rights of applications

    and users.

    Authentication Solutions

    Halton and Basta (2007) suggest one way to avoid IP spoofing: using encrypted protocols

    wherever possible. They also suggest avoiding ARP poisoning by requiring root access to change

    ARP tables; using static, rather than dynamic ARP tables; or at least making sure changes to the

    ARP tables are logged. (Basta & Halton, 2007, p. 166).
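
The ARP-table logging suggested above, as an added example that is not from the paper or the cited textbook: it diffs two snapshots in the Linux `/proc/net/arp` layout, reports bindings that were added, removed or changed (flagging changes to static entries), and lists any MAC address bound to several IPs. The snapshot contents, addresses and function names are constructed for illustration.

```python
"""Diff two ARP-table snapshots and report binding changes (added example)."""
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "mac static")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
ATF_COM, ATF_PERM = 0x02, 0x04  # Linux ARP flags: resolved, permanent (static)

# Constructed sample snapshots in /proc/net/arp layout (not captured data).
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:aa:00:01     *        eth0
192.168.1.20     0x1         0x6         02:00:00:aa:00:14     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:bb:00:66     *        eth0
192.168.1.20     0x1         0x6         02:00:00:aa:00:14     *        eth0
192.168.1.66     0x1         0x2         02:00:00:bb:00:66     *        eth0
"""


def parse_arp_table(text):
    """Parse /proc/net/arp-style text into {ip: Entry}.

    The header row and unresolved (incomplete) rows are skipped.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Columns: IP address, HW type, Flags, HW address, Mask, Device
        if len(fields) != 6 or not MAC_RE.match(fields[3].lower()):
            continue
        try:
            flags = int(fields[2], 16)
        except ValueError:
            continue
        if not flags & ATF_COM:
            continue  # unresolved entry: there is no binding to compare
        table[fields[0]] = Entry(fields[3].lower(), bool(flags & ATF_PERM))
    return table


def diff_tables(before, after):
    """Return (kind, ip, old_mac, new_mac) events, ordered by IP string."""
    events = []
    for ip in sorted(set(before) | set(after)):
        old, new = before.get(ip), after.get(ip)
        if old is None:
            events.append(("added", ip, None, new.mac))
        elif new is None:
            events.append(("removed", ip, old.mac, None))
        elif old.mac != new.mac:
            # A static entry should only change through an administrator action.
            kind = "static-changed" if old.static else "changed"
            events.append((kind, ip, old.mac, new.mac))
    return events


def shared_macs(table):
    """Return {mac: [ips]} for MAC addresses bound to more than one IP.

    This can be legitimate (multi-homed router, proxy ARP), so it is a lead
    to review next to a recent change, not proof of poisoning on its own.
    """
    by_mac = defaultdict(list)
    for ip, entry in table.items():
        by_mac[entry.mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def log_lines(before_text, after_text):
    """Build the log lines for one pair of snapshots."""
    before = parse_arp_table(before_text)
    after = parse_arp_table(after_text)
    lines = [
        f"ARP {kind}: {ip} {old or '-'} -> {new or '-'}"
        for kind, ip, old, new in diff_tables(before, after)
    ]
    for mac, ips in sorted(shared_macs(after).items()):
        lines.append(f"ARP shared-mac: {mac} bound to {', '.join(ips)}")
    return lines


if __name__ == "__main__":
    print("\n".join(log_lines(BEFORE, AFTER)))
```
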

    Data Verification, Tampering, Loss and Theft Solutions

    Raj, Nathuji, Singh and England (2009) suggest resource isolation to ensure security of data

    during processing, by isolating the processor caches in virtual machines, and isolating those

    virtual caches from the Hypervisor cache (Raj, Nathuji, Singh, & England, 2009, p. 80). Hayes

    points out that there is no way to know if the cloud providers properly deleted a client's purged

    data, or whether they saved it for some unknown reason (Hayes, 2008, p. 11). Would cloud-providers and clients have custody battles over client data?

    Privacy and Control Solutions


    Hayes (2008) points out an interesting wrinkle here, "Allowing a third-party service to take

    custody of personal documents raises awkward questions about control and ownership: If you

    move to a competing service provider, can you take your data with you? Could you lose access to your

    documents if you fail to pay a bill?" (Hayes, 2008, p. 11). The issues of privacy and control

    cannot be solved, but merely assured with tight service-level agreements (SLAs) or by keeping the cloud itself private.

    Physical access solutions

    One simple solution, which Milne (2010) states to be a widely used solution for UK businesses, is

    to simply use in-house private clouds (Milne, 2010). Nurmi, Wolski, Grzegorczyk,

    Obertelli, Soman, Youseff, & Zagorodnov show a preview of one of the available home-grown

    clouds in their (2009) presentation, The Eucalyptus Open-Source Cloud-Computing

    System (Nurmi et al., 2009).

    Conclusion

    The largest gap between cloud-security practice and cloud-security research lies in the fact that

    the assumptions in the research leave out some very important differences between cloud

    security and virtual machine security, as pointed out by Christodorescu et al. (2009). My

    research questions will center around these differences, and I intend to develop a mixed-method

    research framework to discover how the vulnerabilities are exploited, and what must be done to

    close the vulnerabilities. One of the pieces of the framework might be developing a way to

    monitor the cloud's management software, and another might be development of isolated

    processing for specific clients' applications. Having a way to tell whether the virtual machines in

    the cloud are patched properly would also be a useful part of the framework. People's behavior

    can be tracked and monitored; for instance whether people allow the automated patching

    software to run, or updating anti-virus software definitions (on virtual machines running

    operating systems that are susceptible to viruses, worms and other such malware), or whether

    people understand how to harden their virtual machines in the cloud.

    Annotated Bibliography

    Basta, A., & Halton, W. (2007). Computer Security and Penetration Testing (1st ed.). Delmar

    Cengage Learning.

    This source is an exhaustive overview of the common computer security issues and penetration

    tools used to exploit these vulnerabilities. The methodology of the several experiments with the

    tools of the penetration-testing trade is quantitative primary research by Halton. This textbook


    was peer-reviewed, and the authors are both educators in the field of IT and IT security. Basta

    received his PhD in Mathematics from Alexandria University in Egypt and Halton helped

    develop the Master's in IT Security & Assurance at Capella University. Writing this book was

    very useful in my professional career. It is one of fifteen or sixteen very good resources for

    concisely-written security basics. It would be immodest to give it a rating for quality.

    Berre, A. J., Roman, D., Landre, E., Heuvel, W. V. D., Skår, L. A., Udnæs, M., Lennon, R., et

    al. (2009). Towards best practices in designing for the cloud. In Proceeding of the 24th ACM

    SIGPLAN conference companion on Object oriented programming systems languages and

    applications (pp. 697-698). Orlando, Florida, USA: ACM. Retrieved from

    http://portal.acm.org.library.capella.edu/citation.cfm?id=1639950.1639970&coll=portal&dl=ACM&CFID=80867670&CFTOKEN=24312614

    Towards best practices in designing for the cloud by Berre, A. J., Roman, D., Landre, E., Heuvel, W. V. D., Skår, L. A., Udnæs, M., Lennon, R., & Zeid, A. (2009). The authors' biographies

    are present and it is readily apparent that they have the skills and experience to write about this

    topic (Berre et al., 2009, p. 2). This document is more like a brochure than a report of research

    findings, but it gives a good framework upon which to develop best practices for cloud

    development. I give it a 2 out of 10. It is credible but not very useful (Berre et al., 2009). It has

    not been cited in any other work (ACM Portal, 2010).

    Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). Cloud

    security is not (just) virtualization security: a short paper. In Proceedings of the 2009 ACM

    workshop on Cloud computing security (pp. 97-102). Chicago, Illinois, USA: ACM. Retrieved

    from http://portal.acm.org.library.capella.edu/citation.cfm?

    Cloud security is not (just) virtualization security: a short paper by Christodorescu, M., Sailer,

    R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). There are five listed authors on this

    piece, and they are all researchers at IBM, a company well known for its interest in cloud

    computing. There are no footnotes but the mechanics of the article and the flow are excellent.

    There are sixteen references on this rather short, six-page paper. This article comes from the

    proceedings of an ACM workshop, which is second-best, so far as refereed publication goes. A feature article in one of the ACM journals would be stronger. It has not been cited by any other

    work, per the ACM catalog (ACM Portal, 2010).

    There is no evidence that this article has been reviewed by peers,

    and I give it an 8 out of 10 for quality. (Christodorescu et al., 2009).


    Cloud computing is a trap, warns GNU founder | Technology | guardian.co.uk. (n.d.). Retrieved

    March 31, 2010, from

    http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman

    This short article, printed in the UK-based Guardian paper and also online on their web site, points out the self-fulfilling prophecy aspect of cloud computing, with quotes from the always

    remarkable Richard Stallman and also Larry Ellison of Oracle, among others. Larry Ellison says

    "The interesting thing about cloud computing is that we've redefined cloud computing to

    include everything that we already do," (Cloud computing is a trap, warns GNU founder |

    Technology | guardian.co.uk, 2008). He is pointing out the marketing spin that large

    companies, such as Amazon.com, developed the SAAS model to get paid for their excess

    network capability. This is an opinion piece and though thought-provoking, gets only 3 out of 10

    for quality.

    Cloud Security Alliance (CSA) security best practices for cloud computing. (2009). Retrieved

    April 16, 2010, from http://www.cloudsecurityalliance.org/

    The Cloud Security Alliance is an industry group created to promote best practices in security

    within cloud computing platforms and to educate practitioners to use cloud technologies to make

    other computer architectural models more secure (Cloud Security Alliance (CSA) security

    best practices for cloud computing, 2009).

    This goal is in alignment with my own aims in research and practice, and the site is a useful

    source for news related to cloud security.

    Cloud Security Alliance Guidance Version 2.1. (2009). Cloud Security Alliance. Retrieved from

    www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

    This resource is a best practices document provided by the Cloud Security Alliance

    (Cloud Security Alliance (CSA) security best practices for cloud computing, 2009) (CloudStandards, 2010)

    for guiding practitioners toward a more secure infrastructure. This is a useful starting point for

    developing a framework for further research.

    CloudStandards. (2010 3). Retrieved April 16, 2010, from http://cloud-standards.org/wiki/


    Cloud Standards is an aggregation site chronicling the progress of several organizations that

    develop the technological standards for the architecture, control and security of clouds. This is a

    useful site for monitoring the progress of standardization, and for developing my own research

    questions (CloudStandards, 2010) (Hayes, 2008).

    Hayes, B. (2008). Cloud computing. Commun. ACM, 51(7), 9-11. Retrieved from

    http://portal.acm.org.library.capella.edu/ft_gateway.cfm?id=1364786&type=html&coll=portal&dl=ACM&CFID=80867670&CFTOKEN=24312614

    Cloud computing by Hayes, B. (2008). This is an overview article in the ACM's

    Communications of the ACM. There is only a single author and though plainly a credible

    journalist, the author makes no claim to special expertise in this area. It is easy to read but

    contains only second-hand information. It has been cited thirteen times by other researchers and

    has been a starting place for over 15,000 readers, based upon the ACM's record. It is a weak source from a solid journal, and I give it a 4 out of 10 (Krügel et al., 2002).

    Krügel, C., Toth, T., & Kirda, E. (2002). Service specific anomaly detection for network

    intrusion detection. In Proceedings of the 2002 ACM symposium on Applied computing (pp. 201-208).

    Madrid, Spain: ACM. Retrieved from

    http://portal.acm.org.library.capella.edu/citation.cfm?id=508835&dl=GUIDE&coll=GUIDE&CFID=80867670&CFTOKEN=24312614

    This resource is an example of quantitative research relating to Service Specific Anomaly

    Detection. Krügel, Toth and Kirda present the results from a sample of over 75,000 DNS

    packets to show the value of anomaly detection in the DNS service for developing security solutions for networks (Krügel et al., 2002) (Tsai et al., 2009, p. 2). I give it a 7 out of 10 rating

    for quality.

    Milne, J. (2010, February 9). Private cloud projects dwarf public initiatives. Retrieved from

    http://www.cbronline.com/news/private_cloud_projects_dwarf_public_initiatives_281009

    Milne shows the result of a 2009 survey of UK businesses, and shows the physical access issue is

    taken very seriously in the UK. The survey reported appears to be a quantitative study of

    businesses, and is of medium quality, as it is published on the business website, and the writer's qualifications are not mentioned. I give it a 2 out of 10 for quality.

    Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L., & Zagorodnov,

    D. (2009). The Eucalyptus Open-Source Cloud-Computing System. In Proceedings of the 2009

    9th IEEE/ACM International Symposium on Cluster Computing and the Grid (pp. 124-131).

    IEEE Computer Society. Retrieved from


    http://portal.acm.org.library.capella.edu/citation.cfm?id=1577849.1577895&coll=GUIDE&dl=GUIDE&CFID=80024999&CFTOKEN=42205166

    The Eucalyptus Open-Source Cloud-Computing System by Nurmi, D., Wolski, R., Grzegorczyk,

    C., Obertelli, G., Soman, S., Youseff, L., & Zagorodnov, D. (2009) is from yet another

    conference proceeding. It emanates from the University of California, Santa Barbara, and this feature, as well as the open-source nature of the topic, lead one to imagine their bias is not

    commercial. The article is only eight pages long but carries forty-one references. It has been

    cited in four other works (ACM Portal, 2010). It is a useful article in the private

    cloud space. I give it 7 out of 10 for quality (Nurmi et al., 2009).

    OWASP. (2010 2). Retrieved April 16, 2010, from http://www.owasp.org/index.php/

    The Open Web Application Security Project (OWASP) is a not-for-profit organization that develops security software for application testing (OWASP, 2010). OWASP is

    concerned with Internet and cloud technologies because these areas of study contain myriad

    application-level vulnerabilities, which are poorly understood by the people who deploy web

    applications. This is a useful site for application-security researchers.

    Open Grid Forum. (2010). Retrieved April 16, 2010, from http://www.ogf.org/

    The Open Grid Forum (OGF) is a community of users, developers, and vendors leading the

    global standardization effort for grid computing (Open Grid Forum, 2010). This is a central point for discussion of grid computing standards. It is a useful site for developing

    research questions in the grid and cloud space.

    Raj, H., Nathuji, R., Singh, A., & England, P. (2009). Resource management for isolation

    enhanced cloud services. In Proceedings of the 2009 ACM workshop on Cloud computing

    security (pp. 77-84). Chicago, Illinois, USA: ACM. Retrieved from

    http://portal.acm.org.library.capella.edu/citation.cfm?id=1655008.1655019&coll=portal&dl=ACM&CFID=80867670&CFTOKEN=24312614

    Resource management for isolation enhanced cloud services by Raj, H., Nathuji, R., Singh, A.,

    & England, P. (2009). This source was first presented at the same 2009 ACM conference as the

    Christodorescu et al. article above. All four authors are Microsoft employees, so it would not be

    terribly surprising if their research is done in Microsoft's Azure cloud and uses the Hypervisor

    VM management tool. The writing is effective and the results, though not injurious to Microsoft,

    may be useful in evaluating other companies' tools. They have sixteen cited works and are cited


    in no other research per the ACM Portal. This is primary research and so I give it 7 out of 10 for

    quality and validity (Raj et al., 2009).

    Saraswat, Vijay. (2010). Report on the Programming Language X10. x10-lang.org. Retrieved

    from http://dist.codehaus.org/x10/documentation/languagespec/x10-latest.pdf

    This document is the current specification for the X10 programming language. The author is one

    of the project members and programmers on the team, and an IBM employee. It is an

    authoritative piece, retrieved from the project's home page. I would give it 9 out of 10 for

    quality. The only thing that would make it a perfect ten would be if it was published through a

    refereed scholarly journal.

    Tsai, W., Jin, Z., & Bai, X. (2009). Internetware computing: issues and perspective.

    In Proceedings of the First Asia-Pacific Symposium on Internetware (pp. 1-10). Beijing, China: ACM. Retrieved from

    http://portal.acm.org.library.capella.edu/citation.cfm?id=1640206.1640207&coll=GUIDE&dl=GUIDE&CFID=80867670&CFTOKEN=24312614

    This resource is a high-quality overview of an initiative called Internetware, which focuses on a

    development model suggested by Yang in 2008 with a four-step structure based upon building a

    software project through the following four models:

    Basic component model, Context-driven model, Collaborative model, Intelligent trustworthy model (Tsai, Jin, & Bai, 2009, p. 1)

    There are five focal points for Internetware: Lifecycle model for Internetware, Ontology,

    Modeling and simulation, Social ranking for software evaluation, and Adaptation and control

    (Tsai et al., 2009, p. 2). I give it 7 out of 10 for quality and validity.

    Read more: http://wolfhalton.info/2010/06/25/security-issues-and-solutions-in-cloud-computing/#ixzz2ZOUj4wyy

    Under Creative Commons License: Attribution Non-Commercial (http://creativecommons.org/licenses/by-nc/3.0)

    The benefits and challenges of cloud computing

    In recent years, cloud computing has emerged as an important solution offering enterprises a potentially cost effective model to ease their computing needs and accomplish business objectives. Wilson Law, a manager at member firm, Moore Stephens LLP Singapore, provides some key benefits below worth considering:

    a) Optimized server utilisation - as most enterprises typically underutilise their server computing resources, cloud computing will manage the server utilisation to the optimum level.

    b) Cost saving - IT infrastructure costs are almost always substantial and are treated as a capital expense (CAPEX). However if the IT infrastructure usually becomes an operating expense (OPEX). In some


    countries, this results in a tax advantage regarding income taxes. Also, cloud computing cost saving can be realised via resource pooling.

    c) Dynamic scalability - many enterprises include a reasonably large

    buffer from their average computing requirement, just to ensure that capacity is in place to satisfy peak demand. Cloud computing provides an extra processing buffer as needed at a low cost and without the capital investment or contingency fees to users.

    d) Shortened development life cycle - cloud computing adopts the service-oriented architecture (SOA) development approach, which has a significantly shorter development life cycle than that required by the traditional development approach. Any new business application can be

    developed online, connecting proven functional application building blocks together.

    e) Reduced time for implementation - cloud computing provides the processing power and data storage as needed at the capacity required. This can be obtained in near-real time instead of weeks or months that occur when a new business initiative is brought online in a traditional way.

    For all the above benefits of cloud computing, it also incorporates some unique and notable technical or business risks as follows:

    a) Data location - cloud computing technology allows cloud servers to reside anywhere, thus the enterprise may not know the physical location of the server used to store and process their data and applications. Although from the technology point of view, location is least relevant, this has become a critical issue for data governance requirements. It is

    essential to understand that many Cloud Service Providers (CSPs) can

    also specifically define where data is to be located.

    b) Commingled data - application sharing and multi-tenancy of data is one of the characteristics associated with cloud computing. Although many CSPs have multi-tenant applications that are secure, scalable and

    customisable, security and privacy issues are still often concerns among enterprises. Data encryption is another control that can assist data


    confidentiality.

    c) Cloud security policy / procedures transparency - some CSPs may have less transparency than others about their information security

    policy. The rationalisation for such difference is the policies may be proprietary. As a result, it may create conflict with the enterprise's information compliance requirement. The enterprise needs to have detailed understanding of the service level agreements (SLAs) that

    stipulate the desired level of security provided by the CSPs.

    d) Cloud data ownership - in the contract agreements it may state that the CSP owns the data stored in the cloud computing environment. The CSP may demand significant service fees for data to be returned

    to the enterprise when the cloud computing SLAs terminate.

    e) Lock-in with CSPs' proprietary application programming interfaces (APIs) - currently many CSPs implement their application by adopting the proprietary APIs. As a result, cloud services transition from one CSP to another CSP has become extremely complicated, time-consuming and labour-intensive.

    f) Compliance requirements - today's cloud computing services can challenge various compliance audit requirements currently in place. Data location; cloud computing security policy transparency; and IAM, are all challenging issues in compliance auditing efforts. Examples of the compliance requirements include privacy and PII laws; Payment Card Industry (PCI) requirements; and financial reporting laws.

    g) Disaster recovery - it is a concern of enterprises about the

    resiliency of cloud computing, since data may be commingled and

    scattered around multiple servers and geographical areas. It may be possible that the data for a specific point of time cannot be identified. With traditional hosting, by contrast, the enterprise knows exactly where its data is located, so it can be rapidly retrieved in the event of disaster recovery. In the cloud computing model, the primary CSP may

    outsource capabilities to third parties, who may also outsource the


    recovery process. This will become more complex when the primary CSP does not ultimately hold the data.

    Businesses are under increasing pressure to sharpen their business practices. Too few people are aware of the security threats that are

    emerging. Nevertheless, they are responsible for ensuring that sensitive data will remain authentic, accurate, available, and will satisfy specific compliance requirements. Thus, it is essential for an organisation to understand their current IT risks profile in order for them to determine

    the company's levels of IT risk tolerance and IT risk policies, and oversee management in the design, implementation and monitoring of the risk management and internal controls system.