The common buzzword of the Information Technology era during the last decade is “Cloud Computing”, with many world-market players shaping the field, such as Amazon Elastic Compute Cloud (Amazon EC2), Skype, Box.com, Dropbox, Twitter, Facebook and chatter.com. Cloud computing frameworks redefined the parameters involved in the TCO (total cost of ownership) associated with IT applications, services, infrastructure and the data they use (Mirashe & Kalyankar 2010). The table below lists major cloud computing framework providers within different models (Chou 2013). These models are SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).
|Service model|Providers|
|---|---|
|SaaS|Antenna Software, Cloud9 Analytics, CVM Solutions, Exoprise Systems, Gageln, Host Analytics, Knowledge Tree, LiveOps, Reval, Taleo, NetSuite, Google Apps, Microsoft 365, Salesforce.com, Rackspace, IBM, and Joyent|
|PaaS|Amazon AWS, Google Apps, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and Joyent|
|IaaS|Amazon Elastic Compute Cloud, Rackspace, Bluelock, CSC, GoGrid, IBM, OpenStack, Rackspace, Savvis, VMware, Terremark, Citrix, Joyent, and BluePoint|
Table: Cloud Computing Service Providers on Cloud Service Models
Cloud computing offers the great benefit of re-scaling a firm’s capital investment in hardware, software and human resources to run small, medium as well as significantly large businesses. However, despite the popularity and worldwide acceptance of the phenomenon, there are a number of security risks attached to it. With anywhere, anytime access to applications and services, the vulnerability of data increases. Furthermore, because a cloud computing framework features instant access to flexible and low-cost IT resources, exposure to unauthorized parties seems to increase. This article highlights some of the major security threats and legal issues associated with cloud computing. They are not restricted to the SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) architectures supported by cloud computing.
Service traffic hijacking in cloud computing
A heavy cloud computing user tends to store identification documents (birth certificate, passport, license, etc.), degree certificates, marriage documents, travel tickets, bank account statements, loan documents, pay slips, spouse information, personal photographs and planner entries digitally with at least one of the services offered by a cloud computing framework. A single hijack incident, targeting anywhere from a few hundred to millions of users, is sufficient to eradicate a whole business.
Data breach & data loss
Irrespective of the efforts that service providers put into ensuring the best cloud computing platforms, data loss due to natural and man-made disasters needs to be addressed. Traditional backup and disaster recovery management techniques play a major role here. By segregating data at different locations in multiple copies, with appropriate encryption and authorized access, data breaches and losses can be handled to some extent.
One such incident was reported by LinkedIn, the world’s largest professional networking website, which holds the professional data, work summaries and academic records of more than 175 million users: its password database was compromised in a security breach. Approximately 6.5 million hashed passwords were stolen. These passwords were released on a Russian web forum. More than 200,000 of these passwords have been cracked (Silveira 2012).
The users of cloud computing services are completely unaware of the whereabouts of their data. After merely storing data, users do not bother to look into any security issues, irrespective of the fact that the data contains classified as well as immensely private information about them. With the well-known Snowden effect, firms are now taking meticulous measures before investing in global cloud computing platforms. Consequently, they prefer their own traditional approach of a de-centralized data centre, independent infrastructure setup and applications for their users, ensuring them a secure service.
The most common inside attacks were (G. Hogben; D. Catteddu 2009):
- Unauthorized access to and use of corporate information (63%)
- Unintentional exposure of private or sensitive data (57%)
- Virus, worms, or other malicious codes (37%)
- Theft of intellectual property (32%)
As the cloud computing service models involve sharing the same infrastructure, platform and services, all clients using the services of any such provider fall into the same trap if any security threat occurs. The different models (SaaS, PaaS & IaaS) have low, medium and high risk associated with the above threats.
Sacrificing private data behind a jurisdiction law mask
Addressing security issues while negotiating with cloud service providers and selecting services is followed by addressing the legal issues and risks associated with them. Researchers and practitioners find it challenging to implement and address all the legal issues that arise in a cloud computing environment. Irrespective of what clients or users know within the application domain, their private data stored in the cloud can be sacrificed, and the reasons can be masked fairly by the jurisdiction laws followed by the service providers (G. Hogben; D. Catteddu 2009).
Most major cloud computing services offered globally are provided by companies in the United States. These companies follow American laws and American IP protection acts. These laws at times differ in certain clauses from state to state, whereas European companies follow their own laws.
With new-age cyber crime risk involved, countries follow strict jurisdiction, which allows the national agencies responsible for countering terror groups and other dangers to fully access data if required. The battle between service providers promising high data security and lawmakers trying to enforce data-sharing clauses with government agencies leads to an unending debate. The risk is high when it is weighed against customers’ trust and the security of critical personal data.
Data protection norms
Data, the connecting point between customer and service provider, often carries higher risk merely because of the storage procedures followed by the service provider. It is extremely difficult to protect data from exposure to national agencies or third-party advertisers if the appropriate law is not enforced while auditing data protection measures.
Licensing terms & conditions
Medium impact and risk are involved in the licensing terms stated by service providers. With service delivery procedures at stake, a lack of transparency and incomplete terms often leave clients under false impressions about the future usage of services.
Impact on current practices of cloud computing
Apple Inc.’s iOS 8 promised fully encrypted data for its users, differentiating Apple from other phone companies. Advertisers, which benefit significantly from collecting users’ data by purchasing it from phone companies, were left speechless by this new development. Further development in the area of legal risk analysis involves negotiating with lawsuits and compensation analysis in case of threats.
So, before data bleeds and creates stormy havoc, benchmarking the cloud computing framework with strong defensive procedures is recommended. But if the cloud gets chained by a threat and luckily stands a chance to resurrect, calling the audit ambulance to re-audit the framework, identifying and addressing all the loopholes of security threats and legal issues once again, seems obligatory.
Ensuring the use of the right encryption methods to protect data makes a cloud computing framework reliable. Recommended practices are split key management and homomorphic key encryption to protect the data as well as the data access mechanism.
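Split key management, recommended above, shown as an added example (not code from this article or from any provider): a data-encryption key is split into shares so that the share held by the cloud provider reveals nothing without the customer's share. The n-of-n XOR scheme and the names `split_key`, `combine_shares` and `key_check_value` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int = 2) -> list:
    """Split key into n shares; every share is required to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shares")
    # n-1 shares are uniformly random; the last one is key XOR all of them,
    # so any subset smaller than n is statistically independent of the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def combine_shares(shares: list) -> bytes:
    """XOR all shares together; a missing or altered share yields a wrong key."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need two or more shares of equal length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    return key


def key_check_value(key: bytes) -> str:
    """Short keyed fingerprint stored beside the ciphertext to confirm a rebuild."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    dek = secrets.token_bytes(32)  # constructed sample data-encryption key
    kcv = key_check_value(dek)
    customer_share, provider_share = split_key(dek)
    rebuilt = combine_shares([customer_share, provider_share])
    assert hmac.compare_digest(key_check_value(rebuilt), kcv)
    print("rebuilt key matches check value:", kcv)
```
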
- Chou, T., 2013. Security threats on Cloud Computing vulnerabilities. International Journal of Computer Science and Information Technology, 5(3), pp.79–88. Available at: http://airccse.org/journal/jcsit/5313ijcsit06.pdf.
- Hogben, G. & Catteddu, D., 2009. Cloud Computing Benefits, Risks and Recommendations for Information Security. The European Network and Information Security Agency (ENISA), November.
- Mirashe, S.P. & Kalyankar, N.V., 2010. Cloud Computing. N. Antonopoulos & L. Gillam, eds. Communications of the ACM, 51(7), p.9. Available at: http://arxiv.org/abs/1003.4074.
- Silveira, V., 2012. An Update on LinkedIn Member Passwords Compromised. June. Available at: http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/.