Running Head: CLOUD COMPUTING

Risks Associated with Cloud Computing, Countermeasures, Costs and Benefits

Lillian Ekwosi-Egbulem
University of Maryland University College, 2011
In partial fulfillment of the requirements for CSIA454
Professor's Name: James Caroland
Date: 10/30/2011

Introduction

The advances in information technology have ushered in a totally different way of dominating the Internet and computing. Cloud computing is a relatively new, emerging technology driven by virtualization and considered the Internet of the future. Corporate and individual users can rent "bandwidth, processing power and operate the virtual machines." It offers flexibility, savings, simplicity, and three delivery models, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) (Badger, Grance, Patt-Corner & Voas, 2011).

Cloud computing technological resources and services are offered to users through the Internet or an intranet. In essence, users can host software and process and store data on remotely accessed servers instead of on hard drives, household personal computers, or servers. However, the jurisdictional locations of these remotely accessed servers are neither known to nor controllable by the user (Svantesson, 2010). The cloud computing concept is still immature and as a result has only a vague definition, which the National Institute of Standards and Technology (NIST) acknowledges as an evolving paradigm (Tech Target, n.d.).

Though cloud computing offers scalability, cost saving, increased IT stability and agility, the risks associated with the cloud environment make it a threat to information security.

Risks Associated with Cloud Computing

Cyberattack

As recorded in Hacking the Cloud, a cloud environment is more vulnerable than a regular environment. Hackers can infiltrate the cloud by deploying malware that takes advantage of an existing weakness such as an unpatched hole. Malware can spread from one user to the other and
compromised cloud spaces can be hijacked and used by attackers as botnets to perform distributed denial-of-service attacks (Pacella, 2011). The Department of Defense's Defense Information Systems Agency built RACE (Rapid Access Computing Environment), a cloud of computing resources for use by DOD personnel (Gibson, 2008). This decision seems very hasty because this technology is still immature and has presented many recorded security issues. For countries like China and Russia, who thrive on stealing confidential information from the US, it is business as usual, as the cloud environment offers them exploitable vulnerabilities.

Data Location and Segregation

Cloud computing is similar to outsourcing, and providers may not store data in a specific jurisdiction. Consequently, cloud customers may not even be aware of the location of their data. Furthermore, data are stored in a shared environment, and though vendors may exercise due diligence by encrypting data, that is not enough. For instance, in a bid to save time and bandwidth, Dropbox hashes users' files and stores those that have the same hash value as one file. As a result, users' files are linked together until a file is modified or the hash changes. Dropbox also experienced a security glitch that gave users access without authentication and allowed users to access each other's accounts (McCullagh, 2011).

Trust Boundary and Investigative Support

It appears that the trust boundary is the most perplexing risk, because the different countries where data is stored have different laws, which in effect can affect the security of stored data. This is a big security issue because nation states like China view hacking as ethical and sponsor their hackers to constantly level cyberattacks on the US. Furthermore, the trust boundary makes investigation of illegal activities in the cloud complicated. Without policies outlining how to obtain evidence spread across multiple servers, data centers, and locations from vendors,
investigation and discovery requests will be impossible (Brodkin, 2008). The provisions of Title II of the Electronic Communications Privacy Act, also known as the Stored Communications Act, reduce the amount of data a cloud service provider may give to authorities. This act provides a safe haven for the cloud vendors and puts investigators at a disadvantage.

Privacy Risks

Cloud computing is associated with a range of severe and complex privacy issues such as data collection, use, disclosure, storage, retention, and access (Svantesson & Clarke, 2010). Problems arise with how to characterize cloud computing activity, and current laws have not been able to define clearly what exactly is protected in the cloud computing environment. Defining these laws is essential to ensure that consumers' privacy is protected and that their personal information is not shared without their consent.

Solutions to Achieve Cloud Computing Security

A well-documented set of policies and procedures to enforce laws governing cloud computing is critical. The document must be reviewed and updated according to the changing nature of information and information technology. This will be useful to users in selecting a provider.

Service providers must sign a service level agreement with users defining the technical controls that safeguard the cloud environment. They will also define management controls that stipulate how risk will be assessed, managed, and mitigated. Operational controls will additionally define contingency planning and incident response.

The cloud-based service provider must have a continuous risk assessment and subsequent penetration testing plan to determine the existence of vulnerabilities and deploy appropriate security measures before hackers take advantage of the vulnerabilities. A disaster recovery plan that provides backup during cloud outages ensures availability of services and uninterrupted
access to data at any time. Encrypting files may not be the overall solution, but presently it is the best solution available and must be the responsibility of both the user and the provider. Also, proper segregation of individual files is very important to avoid commingling of files.

Information systems security is such a critical element in today's business, government, education, and home technology-based environments that when it is at risk, organizational goals and objectives are at risk. In view of this, the National Institute of Standards and Technology (NIST) has made SP 800-144, 145 and 146 freely available to the public to provide guidelines on security and privacy in public cloud computing, a definition, and recommendations.

Costs and Benefits

The matrix used in evaluating the costs and benefits of the recommended solution rates the effectiveness of each control as high, medium or low. Policy and risk assessment are rated high because an organization's security is only as strong as its policy, and the first step in data protection begins with understanding the risks and managing them. Encryption and the service level agreement are rated medium because there are decrypting tools out there and some companies may breach their contracts, hoping users will avoid litigation due to its high cost. These controls are basic, affordable and highly recommended to management.

Conclusion

Cloud computing is a new arena that must be trodden with care. Compliance guidance exists, but it is not yet clearly defined due to the immature nature of the cloud environment. Therefore, users must not concentrate solely on the scalability, cost saving, increased IT stability and agility this new technology offers, but must understand that ultimately the security of their delivery models is primarily their responsibility.
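
An added example (not part of the original paper) of the data segregation issue described under Data Location and Segregation: a store that deduplicates by plain content hash links identical files from different users to one stored object until one copy changes, while a per-tenant keyed hash keeps tenants segregated. The class, tenant names, keys and file contents are constructed for illustration and do not represent Dropbox's implementation.

```python
import hashlib
import hmac


class DedupStore:
    """Toy content-addressed store (hypothetical, for illustration only)."""

    def __init__(self, tenant_keys=None):
        # tenant_keys=None: one global hash index shared by every tenant.
        # tenant_keys={tenant: key}: each tenant gets its own keyed index.
        self.tenant_keys = tenant_keys
        self.blobs = {}   # blob_id -> bytes, each distinct id stored once
        self.files = {}   # (tenant, filename) -> blob_id

    def _blob_id(self, tenant, data):
        if self.tenant_keys is None:
            return hashlib.sha256(data).hexdigest()
        # Keyed hash: identical content yields a different id per tenant.
        key = self.tenant_keys[tenant]
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def put(self, tenant, filename, data):
        blob_id = self._blob_id(tenant, data)
        self.blobs.setdefault(blob_id, data)      # deduplicate on id
        self.files[(tenant, filename)] = blob_id
        return blob_id

    def commingled(self):
        """Return blob ids referenced by more than one tenant."""
        owners = {}
        for (tenant, _), blob_id in self.files.items():
            owners.setdefault(blob_id, set()).add(tenant)
        return {b: sorted(t) for b, t in owners.items() if len(t) > 1}


def demo():
    report = b"Q3 forecast (constructed sample data)"

    shared = DedupStore()                          # global dedup index
    shared.put("alice", "report.txt", report)
    shared.put("bob", "copy.txt", report)
    linked_before = len(shared.commingled())       # files linked by hash
    shared.put("bob", "copy.txt", report + b" v2")  # modified: hash changes
    linked_after = len(shared.commingled())

    keys = {"alice": b"constructed-key-a", "bob": b"constructed-key-b"}
    isolated = DedupStore(keys)                    # per-tenant index
    isolated.put("alice", "report.txt", report)
    isolated.put("alice", "backup.txt", report)    # still deduplicated
    isolated.put("bob", "copy.txt", report)
    return (linked_before, linked_after,
            len(isolated.commingled()), len(isolated.blobs))


if __name__ == "__main__":
    print(demo())
```

The per-tenant variant still deduplicates within one tenant's own files; it gives up only the cross-tenant storage saving in exchange for segregation.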

References

Badger, L., Grance, T., Patt-Corner, R., & Voas, J. (2011, May). DRAFT Cloud Computing Synopsis and Recommendations: Recommendations of the National Institute of Standards and Technology (Special Publication No. 800-146). National Institute of Standards and Technology. Archived at: http://webtycho.umuc.edu

Brodkin, J. (2008). Gartner: Seven Cloud-Computing Security Risks. InfoWorld. Retrieved from http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853?page=0,1

Gibson, S. (2008). GAMBLING ON THE CLOUD?. eWeek, 25(28), 39. Retrieved from EBSCOhost. Retrieved from http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/detail?sid=a4ec9f01-73ed-4527-8494-1b2a7df62848%40sessionmgr12&vid=39&hid=2&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#db=f5h&AN=34838261

McCullagh, D. (2011). Dropbox confirms security glitch--no password required. CNET. Retrieved from http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/

Pacella, R. (2011). HACKING THE CLOUD. Popular Science, 278(4), 68. Retrieved from EBSCOhost. Retrieved from http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?sid=a4ec9f01-73ed-4527-8494-1b2a7df62848%40sessionmgr12&vid=8&hid=2

Svantesson, D., & Clarke, R. (2010). Privacy and consumer risks in cloud computing. Computer Law and Security Review, 26(4), 391-397. Retrieved from http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1346&context=law_pubs