Security threats and legal issues related to cloud computing

“Cloud computing” has been the common buzzword of the Information Technology era during the last decade, with many world-market players shaping the field, such as Amazon Elastic Compute Cloud (Amazon EC2), Skype, Box.com, Dropbox, Twitter, Facebook and chatter.com. Cloud computing frameworks have redefined the parameters involved in the total cost of ownership (TCO) of IT applications, services, infrastructure and the data they use (Mirashe & Kalyankar 2010). The table below lists major cloud computing framework providers under the different service models (Chou 2013). These models are SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).

SaaS: Antenna Software, Cloud9 Analytics, CVM Solutions, Exoprise Systems, Gageln, Host Analytics, Knowledge Tree, LiveOps, Reval, Taleo, NetSuite, Google Apps, Microsoft 365, Salesforce.com, Rackspace, IBM, and Joyent

PaaS: Amazon AWS, Google Apps, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and Joyent

IaaS: Amazon Elastic Compute Cloud, Rackspace, Bluelock, CSC, GoGrid, IBM, OpenStack, Rackspace, Savvis, VMware, Terremark, Citrix, Joyent, and BluePoint

Table: Cloud Computing Service Providers on Cloud Service Models

Cloud computing offers the great benefit of re-scaling a firm’s capital investment in hardware, software and human resources to run small, medium as well as significantly large businesses. However, despite the popularity and worldwide acceptance of the phenomenon, a number of security risks are attached to it. With anywhere, anytime access to applications and services, the vulnerability of data increases. Furthermore, because a cloud computing framework features instant access to flexible and low-cost IT resources, exposure to unauthorized parties seems to increase. This article highlights some of the major security threats and legal issues associated with cloud computing. They are not restricted to the SaaS, PaaS and IaaS architectures supported by cloud computing.

Service traffic hijacking in cloud computing

A heavy cloud computing user tends to store identification documents (birth certificate, passport, license, etc.), degree certificates, marriage documents, travel tickets, bank account statements, loan documents, pay slips, spouse information, personal photographs and planner entries digitally with at least one of the services offered by a cloud computing framework. A single hijack incident, targeting anything from a few hundred users to millions of users, is sufficient to eradicate a whole business.

Data breach & data loss

Irrespective of the effort service providers put into ensuring the best cloud computing platforms, data loss due to natural and man-made disasters needs to be addressed. Traditional backup and disaster recovery management techniques play a major role here. By segregating data at different locations in multiple copies with appropriate encryption and authorized access, data breaches and losses can be handled to some extent.

One such incident was reported by LinkedIn, the world’s largest professional networking website, which holds the professional data, work summaries and academic records of more than 175 million users: its password database was compromised in a security breach. Approximately 6.5 million hashed passwords were stolen. These passwords were released on a Russian web forum. More than 200,000 of these passwords have been cracked (Silveira 2012).

Malicious insider

The users of cloud computing services are completely unaware of the whereabouts of their data. After merely storing data, users do not bother to look into any security issues, even though the data contains classified as well as immensely private information about them. With the well-known Snowden effect, firms are now taking meticulous measures before investing in global cloud computing platforms. Consequently, they prefer their own traditional approach of decentralized data centres, independent infrastructure setups and applications for their users, ensuring them a secure service.

The most common inside attacks were (G. Hogben; D. Catteddu 2009):

  1. Unauthorized access to and use of corporate information (63%)
  2. Unintentional exposure of private or sensitive data (57%)
  3. Viruses, worms, or other malicious code (37%)
  4. Theft of intellectual property (32%)

As the cloud computing service models involve sharing the same infrastructure, platform and services, all clients using the services of any such provider fall into the same trap if a security threat occurs. The different models (SaaS, PaaS and IaaS) carry low, medium and high risk associated with the above threats.

Sacrificing private data behind a jurisdiction law mask

Addressing security issues while negotiating with cloud service providers, and the consequent selection of services, leads on to addressing legal issues and the risks associated with them. Researchers and practitioners find it challenging to address all the legal issues that arise in a cloud computing environment. Irrespective of what clients or users know about the application domain, their private data stored in the cloud can be sacrificed, and the reasons can be fairly masked by the jurisdiction laws followed by the service providers (G. Hogben; D. Catteddu 2009).

The major cloud computing services offered globally are provided by companies in the United States. These companies follow American laws and American IP protection acts. These laws at times differ in certain clauses from state to state, whereas European companies follow their own laws.

Jurisdiction amendment

With new-age cyber crime risks involved, countries follow a strict jurisdiction which allows the national agencies responsible for countering terror groups and other dangers to fully access data if required. The battle between service providers promising high data security and lawmakers trying to enforce clauses for sharing data with government agencies fuels an unending debate. The risk is high when weighed against customers’ trust and the security of critical personal data.

Data protection norms

Data, the connecting point between customer and service provider, is often exposed to higher risk merely because of the storage procedures followed by the service provider. It is extremely difficult to protect data from exposure to national agencies or third-party advertisers if appropriate law is not enforced while auditing data protection measures.

Licensing terms & conditions

The licensing terms stated by service providers involve medium impact and risk. With service delivery procedures at stake, a lack of transparency and incomplete terms often leave clients under false impressions about the future usage of services.

Impact on current practices of cloud computing

Apple Inc.’s iOS 8 promised fully encrypted data for its users, differentiating Apple from other phone companies. Advertisers, which benefit significantly from collecting users’ data by purchasing it from phone companies, were left speechless by this new development. Further development in the area of legal risk analysis involves negotiating with lawsuits and compensation analysis in case of threats.

So, before data bleeds and creates stormy havoc, benchmarking the cloud computing framework against strong defensive procedures is recommended. But if the cloud gets chained by a threat and luckily stands a chance to resurrect, calling the audit ambulance to re-audit the framework, identifying and addressing all the loopholes in security threats and legal issues once again, seems obligatory.

Ensuring the use of the right encryption methods to protect data makes a cloud computing framework reliable. Recommended practices are split key management and homomorphic encryption, which protect the data as well as the data access mechanism.
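As an added illustration of the split key management recommended above (not code from the original article), the following Python example splits a data-encryption key into XOR shares held by separate parties, such as the customer and the cloud provider, so that no single holder can reconstruct it. The function names, the 256-bit key size and the key-check value are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumed 256-bit data-encryption key


def split_key(key: bytes, holders: int = 2) -> list[bytes]:
    """n-of-n XOR split: all shares are required; any n-1 of them look random."""
    if holders < 2:
        raise ValueError("need at least two holders")
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def key_check_value(key: bytes) -> str:
    """Non-secret fingerprint kept beside the ciphertext to detect a bad rebuild."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


def combine_shares(shares: list[bytes], expected_kcv: str) -> bytes:
    """XOR all shares together and refuse the result if the fingerprint differs."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares are missing or differ in length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("wrong or missing share: key check failed")
    return key


def demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)           # constructed sample key
    kcv = key_check_value(key)
    customer_share, provider_share = split_key(key, 2)
    recovered = combine_shares([customer_share, provider_share], kcv)
    try:  # the provider guesses the customer's share instead of holding it
        combine_shares([provider_share, secrets.token_bytes(KEY_LEN)], kcv)
        provider_alone = True
    except ValueError:
        provider_alone = False
    return {"recovered": recovered == key, "provider_alone": provider_alone}


if __name__ == "__main__":
    print(demo())
```

Because each share on its own is indistinguishable from random bytes, a breach or a legal demand served on one holder alone does not yield the data-encryption key.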

Khushboo AR

Khushboo has done her M.Tech in Information Technology from Devi Ahilya University, Indore. With experience in software development, database administration and management, she exudes command over training and mentoring engineering students. Her areas of training are data-mining assignments, lab assignments, thesis and journal paper writing. Her areas of interest are Database design, Data-mining, Artificial Intelligence and IT project management. Apart from her interests in academics she also loves reading fiction, writing prose and poetry.
