Cloud Computing, Privacy and Security 22
Cloud Computing
Wesam Al-Abssi
Colorado Technical University
Author Note
This paper was prepared for CSS410 Cloud Computing, Privacy and Security, taught by Makan Diarra on December 9th, 2012.
Abstract
Many advances in learning technologies are taking place throughout the world; these advances offer a range of tools and new opportunities to enhance teaching and learning by enabling individuals to personalize their environments in which they work or learn. There is growing acceptance of virtualization and cloud computing today across the world to meet the rapidly changing economic needs and improve service delivery. Proponents suggest that the cloud delivery model will help cut down on IT management cost, while providing greater flexibility in maintaining security, reliability and compliance.
Contents
Introduction 4
What is Cloud Computing? 5
Cloud Types 7
1- Public Cloud 7
2- Private Cloud 8
3- Community Cloud 9
4- Hybrid Cloud 10
Cloud services 11
1- SaaS 11
2- PaaS 11
3- IaaS 11
Risks (disadvantages) 12
Benefits (Advantages) 13
Security Breaches 14
Privacy in the Clouds 15
Security Audit in the Cloud 17
The Jericho Cloud Cube Model 18
Data Breaches 19
Introduction
Computers have become an indispensable part of life. We need computers everywhere, be it for work, research or in any such field. As the use of computers in our day-to-day life increases, the computing resources that we need also go up. For companies like Google and Microsoft, harnessing the resources as and when they need it is not a problem. But when it comes to smaller enterprises, affordability becomes a huge factor. With the huge infrastructure come problems like machines failure, hard drive crashes, software bugs, etc. This might be a big headache for such a community. Cloud Computing offers a solution to this situation. Cloud computing is a paradigm shift in which computing is moved away from personal computers and even the individual enterprise application server to a ‘cloud’ of computers. A cloud is a virtualized server pool, which can provide the different computing resources of their clients. Users of this system need only be concerned with the computing service being asked for. The underlying details of how it is achieved are hidden from the user. The data and the services provided reside in massively scalable data centers and can be ubiquitously accessed from any connected device all over the world. Cloud computing is the style of computing where massively scaled IT related capabilities are provided as a service across the Internet to multiple external customers and are billed by consumption. Many cloud-computing providers have popped up and there is a considerable growth in the usage of this service. Google, Microsoft, Yahoo, IBM and Amazon have started providing cloud-computing services. Amazon is the pioneer in this field. Smaller companies like Smug Mug, which is an online photo-hosting site, has used cloud services for the storing all the data and doing some of its services. Cloud Computing is finding use in various areas like web hosting, parallel batch processing, graphics rendering, financial modeling, web crawling, genomics analysis, etc
What is Cloud Computing?
Cloud computing (CC) is a term for networked computers that deliver IT services over the internet to many users in an on-demand environment. The type of services range from adaptations of familiar tools to address customers' various needs, ranging from scientific research to e-commerce, Commercial and individual cloud computing services are already available from Amazon, Yahoo, Salesforce, Desktop Two, Zimdesk, and Sun Secure Global Desktop, while Google's efforts in cloud computing have attracted a great deal of interest. (Bowers, L., 2011)
There are certain salient features of CC that are relevant to academics. However, it has to be noted that any detailed technical aspects of CC are certainly out of the scope of this paper. The concept of CC is not new, as cloud computing evolved out of earlier technologies for distributed processing, such as "grid computing." Typically, the cloud computing infrastructure resides in a large data center and is managed by a third party, who provides computing resources as if it were a utility (such as electricity or water) - accessible by anyone, anywhere over a network. The cloud is a metaphor for the internet; some people call it the World Wide Computer. Actually, it is designed to work like a whole computer in the cloud and aimed at a wider audience, including those who cannot afford their own computer. (Bowers, L., 2011)
The cloud computing model serves its clients with whatever they request for, whether it is the internet, software applications, his or her personal files. It also allows users to access supercomputer-level power.
loud computing is ultimately going to enable a significant transformation of education to increase quality, increase access to educational resources, and at the same time lower costs ... I think the next two to three years will really be about developing shared services, exploiting cloud computing models, and really driving fundamental transformation in how we organize education and deliver value to students and the education community. (Thomas, P. Y., 2011)
Other typical uses of cloud computing to academics are:
· It can be used as a personal workspace.
· A convenient tool to engage in the scholarship of teaching and learning.
· Personal learning environments (PLEs) used by many people as an alternative to institutionally controlled virtual learning environments (VLEs)/LMS with different personalized tools to meet their own personal needs and preferences; as teachers we are always learning.
· Provides opportunity for ubiquitous computing.
· No need for backing up everything to a thumb drive and transferring it from one device to another.
· No need to copy all stuff from one PC to another when buying a new one. It also means you can create a repository of information that stays with you and keeps growing as long as you want them.
· Provides large amounts of processing power comparable to supercomputer level.
The cloud platform has evolved to include an array of providers whose offerings fall into three broad categories: Software-as-a-Service (SaaS), Inf rastructure-as-a-Ser vice (IaaS), and Platform-as-a-Service (PaaS) (Figure 1). There is no requirement for upfront capital expenditure with any of these cloud configurations, so choosing the right cloud structure is a function of a customer's need to communicate outside firewalls, need for mobile access, interest in limiting upfront costs, scalability requirements, and high collaboration requirements. (Newton, J., 2010)
Cloud Types
1- Public Cloud (talk about it)
2- Private Cloud (talk about it)
3- Community Cloud (talk about it)
4- Hybrid Cloud (talk about it)
Cloud services
1- SaaS (talk about it)
2- PaaS (talk about it)
3- IaaS (talk about it)
Risks (disadvantages)
Need to talk about it
Benefits (Advantages)
Security Breaches
Privacy in the Clouds
Cloud privacy continuously evolves as does the methods to secure the information rich environment. Ann Cavoukian has identified a security method known as “privacy-enhancing technologies, (PET’s) (Cavoukian, 2008). This concept of PET’s was created to raise awareness of privacy-enhancing technologies which targets systems designers and appointing them. So much data is transferred and or accessed by individuals, organizations, and third party entities that need to be secured. A greater portion of the data is personally distinguishable, which lies in the hands of third party organizations. I was not able to identify anything that was new to cloud security, and as much as I could research this article written in 2008. The word “trust” was emphasized to give the user a little added assurance. Trust can only go so far, organizations have to do more than trust hardware, software, third parties, or the personal devices that interface with the Internet.
Centric identity was labeled as a security measure that can be implemented against cloud attacks. “In user-centric identity systems, a user logs in to a Web site via a third party identity provider, who passes on information at the user’s request” (CDT, 2009). User-centric identity places the burden of security on the user. Once the user gives their credentials to a third party identity provider they then pass the information along upon the user’s request. This method is safer because the user is not directly logging on to the organizations website, their identity is verified via third party then they pass it along as being safe. This method improves the way users interact with organization information while leveraging current credentials for users.
In conclusion, the need to provide privacy is a critical aspect to cloud computing, however, some privacy issues are related to system complexity and providing CIA. For example tracking cookies associated with cloud computing are generally used for the following purposes (Lanois, 2011):
• Authentication purposes, such as to identify server-based sessions
• To store and maintain login and password information and similar data
• To administer users’ accounts
• To identify the browsers used
This leave data vulnerable to potential privacy risk with relation to the information in tracking cookies as well as the data distributed throughout the CSP systems. For this reason it would seem that it would be appropriate to outline some data privacy policies. While countries like EU are enacting laws and regulation that protect personal data, the United States has been slow to take a stance on the matter leaving the states to form a lay of protection.
Security Audit in the Cloud
The Jericho Cloud Cube Model
In the article Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration by Jericho Forum it is noted to “be wary of making a false assumption that Internal is more secure than External. The effective use of both is likely to provide the most secure usage model” (N.A., 2012).Therefore, it would not be as important to evaluate security as involving internal and external implementations on an domain bases but rating and ranking the implementation based on the collaborative needs then strategically aligning the implementation within the appropriate controls. For example: where both internal and external domains collaborate or share data traditional security approach of protecting the internal network from the external is seen as limiting information flow to the intended parties because the intended parties could exist on either ends of the spectrum (Anthes, 2010). By managing internal/external cloud security in a manner that best suits the strategic alignment as they relate to organizational needs and business functions. However, it is enviable that there will be an erosion of the network perimeter. This concept equates to building security into the information infrastructure as well as taking an outside-in approach (Jikumar, 2009).
The implementation of SAAS is accompanied with explicit list of vulnerabilities that should be taken into account before considering it a more secure solution. These considerations include: the governance and ownership; data security policies; data protection, location of data; identity and access control; communications; service level and contract management; regulatory compliance; vendor management (Ames, 2011). This list identifies the security issues surrounding the SAAS as well as issues of evaluating the associated risk based on the traditional outside-in security model. To combat these issues CSA(Cloud Security Alliance) illustrates an audit program that consist of various layers to address security concerns at various layers. These layers include: hardware and infrastructure layer, database layer, server layer, application layer, network layer, and governance (Ames, 2011).
Data Breaches
Data Confidentiality and Integrity in the Public Cloud
One of the challenges of using the public cloud is data confidentiality and integrity. It could be terrifying for a public cloud subscriber to surrender control of its sensitive data and depend solely on the cloud provider to keep that data safe. But, if I were to move my data in the public cloud, what was the first thing I could think of to make sure the confidentiality and integrity of my sensitive information. I would ask the cloud provider for a stricter service level agreement (SLA). This may include an agreement that the cloud provider will abide by and enforce all legal policies and procedures while handling the sensitive information. Another way of ensuring data integrity and confidentiality in the public cloud is by using good encryption.
According to Rubens, “The obvious solution to this integrity problem -- and one which also provides confidentiality -- is to encrypt any data stored in the cloud. This will ensure you data can't be maliciously modified, deter curious administrators or hackers from prying on your data, and reduce the risk that cloud storage devices could be sold or reused while they still contain confidential company information, he said. Make sure encryption keys are kept secure and separate from the data. "Encrypting a volume won’t stop a hacker if the encryption key is also easily available in the cloud (2011)." This means that the information stored in the cloud needs to be encrypted so it can’t be modified and to prevent prying eyes from spying on your data. (still need to talk more)
Data remanence is the data that is left, in other words is the residue or bits that are left when a media or system is deleted (Mather, Kumaraswamy and Latif, 2009). Those pieces left of the data could be used to reconstruct the data that was deleted (Krutz and Vines, 2010). According to Bloomberg (2011), the data remanence issue gets very complicated when dealing with cloud computing, due to the fact that you don’t have physical access to where your data is. Schmelzer (2011) states, “But in a Cloud, you can never be sure that data is truly deleted, given the multitude of distributed data stores, logs, temporary tables, caches, and who knows what else” (para. 10).
Mather et al., (2009), talks about the risk data remanence has in the cloud and how can it be “inadvertently exposed to an authorized party” (p. 64). No matter what type of cloud services your using, the data can be compromise. Mather et al., (2009) states, “ When using SaaS or Paas, the risk is almost certainly unintentional or inadvertent exposure” (p. 64). One thing that Mather et al., (2009), discusses is the low attention that is pay to the data remanence by the cloud service provider and how some of the cloud service providers don’t even discuss it in the service’s they offer. No one is paying attention to this problem in the cloud, except for the hackers that will use this data remanence that is left in the cloud to steal your data without you even knowing it (Bloomberg, 2011).
Cloud providers should refer to the NIST special publication 800-88. This publication will provide the cloud service providers with guidelines on how data security should be accomplish (Mather et al., 2009). Even companies are using these guidelines to learn how to secure the data (Mather et al., 2009)