Introduction
Cloud computing has started to move beyond hype and into the fabric of businesses today. Small and Medium Businesses have discovered that by utilizing cloud services they can gain significant benefits, including access to novel business applications and state-of-the-art infrastructure resources.
Although Enterprise Organizations are gaining valuable insight into the potential benefits of cloud, IT directors still have concerns about the security of their corporate data in the cloud. There are three major security issues inherent in cloud computing that make implementation in Enterprise Organizations a challenge. These issues are:
- Loss of control over data
- Dependence on the Cloud Service Provider (CSP)
- Spying
These three issues can lead to a number of legal and security concerns related to infrastructure, identity management, access control, risk management, regulatory and legislative compliance, auditing and logging, integrity control as well as Cloud Computing provider dependent risks (CEPIS, 2011).
This paper will set out to show that while there are significant security threats that an enterprise faces when it migrates to the cloud, there are solutions that can be implemented to mitigate these threats and ensure that the enterprise is able to benefit from the numerous advantages of the cloud without exposing itself to unnecessary risks.
Defining Cloud Computing
The concepts behind cloud computing have been applied for over two decades (CEPIS, 2011). However, the widespread implementation of cloud computing services has only become prevalent over the last 7 years.
The National Institute of Standards and Technology defines cloud computing as “a model for enabling ubiquitous, convenient, on demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and delivered with minimal management effort or service provider interaction” (Chirag et al., 2013, p.562).
Cloud computing offers a number of significant benefits, which makes it attractive to many enterprises. To begin with, cloud computing utilizes a pay-per-use model, meaning that the organization pays only for the services that it uses. Chirag et al. (2012) document that cloud computing presents businesses with the ability to increase their IT capabilities on demand and without having to invest much in new infrastructure or training of personnel.
The enterprise is therefore allowed to focus on its core business concerns instead of dealing with technical IT issues. According to Chirag et al. (2013), many of the organizations in the US and Europe that have migrated to the Cloud environment have done so in order to exploit the advantages of cost reduction. Skendrovic (2013) reaffirms this observation by noting that most enterprises acknowledge that using a cloud solution is integral to maintaining future organizational growth and productivity.
Concerns
In spite of the widespread enthusiasm for cloud computing, there still exists significant apprehension about migrating to the cloud. Cloud computing brings about risks that an organization would not be forced to face if its applications were run in-house. A number of significant and valid security concerns have caused this apprehension.
Loss of Control over Data
When an enterprise makes use of cloud services it, in essence, relegates the control of data and applications to third parties. An enterprise that migrates from the traditional in-house environment to a cloud environment immediately relinquishes its control over the networking infrastructure.
The cloud service provider (CSP) is in control of infrastructure including servers, log files, and incident reports. The first issue that arises is that the enterprise does not have control over the physical infrastructure where its data is stored.
Chirag et al. (2013) assert that a reality for organizations that choose to make use of cloud computing is that their data will be stored off-site. Since the servers, storage space, and application programs are provided by external service providers, the organization will have a loss of control over the infrastructure.
Enterprises expose themselves to a higher risk of facing unauthorized access when they use a cloud system as opposed to the traditional network system. Cloud service providers store data for various organizations at the same location. This stored data (data at rest) needs to be protected from physical and electronic compromise.
A non-authorized user who is able to access the shared environment has access to the private data of the organizations that use the particular cloud computing service provider. The distributed nature of cloud system resources makes it hard to ensure data security and privacy (Qaisar & Khawaja, 2012).
This risk is high since the cloud system typically has a high number of administrators and users. Malicious users can successfully attack a cloud control interface and gain control of an enterprise’s account. When this happens, the intruder will have access to the data stored in the account. Enterprises are likely to be co-tenants with attackers on the Cloud (Juels & Oprea, 2013). This jeopardizes the enterprise’s data since the malicious co-tenant is well placed to carry out a successful attack.
Since the enterprise does not own or control where the data is stored and processed, there is a threat of theft or misuse. If the cloud provider does not provide solid physical or logical security, the organization’s data might be stolen. The organization’s data may also be used in a way that the client has not agreed to.
Cloud providers might use the data for different purposes from those originally notified to and agreed with the consumer. Pearson and Yee (2012) document that cloud service providers may gain revenue from unauthorized uses of client data such as resale of detailed sales data to competitors.
Enterprises that make use of cloud services do not have control over the lifecycle of their data. Organizations that maintain data onsite have data lifecycle plans that determine how long the data will be retained and when it will be destroyed.
When using a cloud service provider, the enterprise cannot be guaranteed that its request for data deletion will be honored. The organization might issue a command to delete data using its application program, but the service provider might continue to store the data without the knowledge of the organization.
Dependence on the Cloud Computing provider
As previously noted, employing cloud computing services means that the enterprise will be using the computing resources of a third party: the Cloud Service Provider. This reliance on a third party to provide critical services might lead to a number of problems. To begin with, the organization is not in control of the availability of the computing services it requires.
Since the services are provided through the internet, there is a possibility that temporary or permanent loss of services might be caused by Denial of Service attacks. Vulnerabilities in the network have a direct negative effect on the security of the Cloud. Chirag et al. (2013) declare that the network is the backbone of Cloud computing since it is the most crucial component of Cloud services.
Enterprises that make use of the cloud might suffer from access limitations. Since data and information flow occurs through the service provider, it is not possible to ensure that an organization can access its data at all times. The power to limit access control lies with the service provider who has overall control of the communication infrastructure. The enterprise is therefore at risk of having its data locked in by the CSP for a number of reasons including orders from the government.
In addition to this, use of cloud services presents a transparency issue. Users are often abstracted from the details of how the applications run on the Cloud and in most cases, the organization is kept in the dark concerning issues such as the exact location where the data is stored and who owns it or what will be done with it. This lack of transparency means that organizations are at risk of having their data used in ways that they did not authorize.
In addition to relying on the Cloud service provider to make the computing resources available, enterprises have to rely on the cloud provider to provide adequate security for the data at rest. The enterprise has to depend on the CSP to notify it of any security breaches that might occur on its data or applications. Since the enterprise does not control the data, it might be unaware of any security breaches that occur.
Pearson and Yee (2012) state that there are uncertainties about notification, including of any privacy breaches that occur in the cloud. The organization will find it difficult to know if any breach has occurred since the cloud service provider might be reluctant to reveal such information since it will damage the image of the provider. It is also hard to determine whose fault it is in case of a security breach since the comprehensive security logs are maintained by the cloud service provider.
Spying
Spying has become an issue of significant concern over the last two years. The issue of electronic surveillance has gained a lot of interest following the revelations that the US National Security Agency is engaged in rampant data collection. Use of a CSP increases the risk that an organization might be spied on.
To begin with, cloud services are provided through the internet, creating an opportunity for government agencies to intercept data as it is transferred from one location to the other. Saroj (2014) suggests that this risk would not exist if an organization made use of an intranet where all the data was processed in-house.
The relationship between the major technology companies that serve as CSPs and intelligence agencies increases the level of spying that enterprises face. Hamilton (2013) reveals that in the US, there is cooperation between technology companies such as Microsoft, Google, and Amazon and intelligence agencies.
There have been reports of the NSA and the FBI being provided access to data from the cloud storages of these companies. When the CSP provides government agencies with access to its data, the organization’s information is open to illegal scrutiny by the government entities.
The risk of spying increases when the data has to cross over geographical boundaries that are subject to different laws. Different countries have varying data protection laws. An organization that is storing personal data with a CSP operating in a different country might find itself subjected to different data protection laws in the host country. Saroj (2014) confirms that due to the exposure of the high level of espionage activities conducted by the NSA, most enterprises are likely to invest more in on-premise solutions for their technology needs.
Solutions
Coming up with solutions to the security issues inherent in cloud computing is integral to the future success of cloud computing. Undoubtedly, the pooled computing resources and multi-tenancy model utilized by cloud computing introduce new security challenges that call for novel techniques to address them. Without feasible solutions to the challenges, organizations will continue to demonstrate reluctance to migrate to cloud computing.
Solutions to Loss of Control
Most organizations would like to ensure that they do not lose control of their data. This outcome can be achieved in a number of ways. Enterprises can enter into contracts to ensure that their data and especially intellectual property rights are protected even in the cloud (KPMG, 2013).
Ownership of intellectual property should remain with the organization at all times. As such, intellectual property attached to the data or generated by applications that are hosted in the cloud should belong to the user of the cloud. The enterprise can increase control over its data by negotiating a customer-oriented contract with the CSP. Priya and Ward (2013) state that such an agreement should increase the liability of the CSP in the event of a security breach and increase the rights of the organization over its data.
Ensuring that the CSP can only use the organization’s data in ways that the organization has stipulated is important. Many organizations are keen to ensure that unauthorized secondary usage of their data does not happen. Pearson and Yee (2012) warn that at present there are no technological barriers to such secondary uses and as such, the cloud service provider might misuse company data. However, this risk might be mitigated by developing legally binding agreements as to how data provided to the CSP can be used.
Solutions to Dependence on the CSPs
The problems of availability that are caused by the high dependency on the cloud computing provider can be solved in a number of ways. Enterprises can make use of multiple providers to ensure continuous availability. Most CSPs provide the data proliferation function which entails having data stored or processed at different data centers.
Replicating data in multiple data centers ensures full-time availability since it is unlikely that all data centers will be experiencing problems at the same time. Juels and Oprea (2013) state that distributing data across multiple cloud providers provides redundancy therefore ensuring that reliable cloud services can be obtained from unreliable components.
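The redundancy argument above can be made concrete. The following is an added example, not code from the cited authors or from any provider: it stripes a record over three hypothetical providers plus one parity provider, tags every shard with an HMAC under a key that stays with the enterprise, and rebuilds the record when one provider is down or returns altered data. The key, the record and the four-provider layout are constructed assumptions.

```python
import hashlib
import hmac
from functools import reduce

# Constructed sample values; the key stays with the enterprise, never with a CSP.
KEY = b"constructed-demo-key-held-on-premises"
RECORD = b"Q3 sales ledger: constructed sample record for the demo"


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key, index, length, blob):
    # Bind the tag to the shard position and the original length, so a shard
    # cannot be swapped into another slot or silently truncated.
    header = index.to_bytes(2, "big") + length.to_bytes(8, "big")
    return hmac.new(key, header + blob, hashlib.sha256).digest()


def stripe(data, n_data, key):
    """Split data into n_data equal shards plus one XOR parity shard."""
    size = -(-len(data) // n_data)  # ceiling division
    padded = data.ljust(size * n_data, b"\0")
    shards = [padded[i * size:(i + 1) * size] for i in range(n_data)]
    shards.append(reduce(xor_bytes, shards))  # parity goes to one more provider
    return [{"index": i, "length": len(data), "blob": s,
             "tag": _tag(key, i, len(data), s)} for i, s in enumerate(shards)]


def recover(responses, n_data, key):
    """Rebuild the data; a None response means that provider is unavailable."""
    blobs, length = {}, None
    for obj in responses:
        if obj is None:
            continue
        expected = _tag(key, obj["index"], obj["length"], obj["blob"])
        if hmac.compare_digest(expected, obj["tag"]):  # drop tampered shards
            blobs[obj["index"]] = obj["blob"]
            length = obj["length"]
    missing = [i for i in range(n_data + 1) if i not in blobs]
    if len(missing) > 1:
        raise ValueError("single parity cannot cover more than one bad provider")
    if missing and missing[0] < n_data:
        # XOR of every surviving shard (data and parity) yields the lost one.
        blobs[missing[0]] = reduce(xor_bytes, list(blobs.values()))
    return b"".join(blobs[i] for i in range(n_data))[:length]


def demo():
    stored = stripe(RECORD, 3, KEY)  # one shard per provider, four in total
    outage = [stored[0], None, stored[2], stored[3]]
    corrupt = dict(stored[0], blob=b"X" + stored[0]["blob"][1:])
    return recover(outage, 3, KEY), recover([corrupt] + stored[1:], 3, KEY)


if __name__ == "__main__":
    print(demo())
```

Single parity tolerates exactly one unavailable or altered shard, and the shards here are not encrypted, so each provider still sees its part of the record in the clear.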
The enterprise can increase its protection against data loss due to damage to the cloud infrastructure by maintaining backup storage. Organizations should demand that the service provider maintains an off-site data backup that can be used in case the cloud infrastructure collapses. The provider should also have a standby disaster recovery and continuity plan that will ensure that the clients are able to resume normal functioning in the shortest period of time after a catastrophic failure (Zissis & Lekkas, 2010).
Chirag et al. (2013) confirm that it is hard to prevent all the attacks on the Cloud network due to the distributed nature of the cloud. However, implementing security solutions such as firewalls, anti-malware and strong encryption technology will mitigate these threats. In addition to protecting the data from online attacks, it is important to ensure the physical security of the cloud computing infrastructure.
This security can be assured by ensuring that the servers are located in a secure location where there is constant surveillance. Nkhoma and Dang (2013) note that most CSPs make use of the best security technologies such as biometric screening to ensure that only authorized staff have physical access to the company’s servers. Saroj (2014) confirms that the majority of cloud data centers offer greater security than on-site data centers.
The safety of organizational data is therefore better secured in the cloud than it would be if the company stored the data on its own premises. The higher than average security is possible since most cloud providers have the resources and expertise to implement the best security technologies available in the market.
Solution to Spying
The ability of spying agencies to access organizational data can be inhibited by encrypting data before transmission. Researchers agree that the greatest risk for data being transmitted to or from the cloud is poor encryption technology. Hamilton (2013) observes that organizations such as the NSA find it easy to spy on organizations since they access the data in raw text or they are provided with keys that make it possible to successfully decrypt data.
Organizations should ensure that their data is always encrypted before it is transmitted over the network. Using strong encryption standards during data transmission will increase user confidence that the data is not prone to attacks from opportunistic hackers or government intelligence agencies. In addition to this, the enterprise should demand that its data be stored in encrypted form in the CSP’s storage facilities. This would ensure that even if spying takes place, it would require significant effort to decrypt the data.
The threat of spying is exacerbated if the CSP allows government agencies free access to its databases. Cloud service providers should be able to tell their clients if the data in the cloud is being accessed by any government agency. This transparency will enable the enterprise to make an informed decision on whether to store its data on the cloud.
Addressing the spying problem is critical for enterprises to have confidence in cloud solutions. Most US cloud service providers are aware of the negative effect that the NSA spying could have on this industry. In recognition of the damage that spying might have on the cloud business, many companies are enforcing security measures intended to ensure that governments are not able to illegally spy on users.
Google enforces mandatory encrypting of all the data stored on its cloud on behalf of the clients. Organizations that make use of the Google cloud are allowed to manage their own encryption keys, therefore increasing the level of security.
Conclusion
This paper set out to discuss the issues that an enterprise might face when it makes use of cloud computing providers as well as the solutions to these problems. It began by highlighting the increasing interest that organizations have shown to cloud computing due to the benefits that this technology offers.
It then highlighted some of the major issues inherent in cloud computing. The paper has demonstrated that security remains the primary factor preventing most organizations from migrating to the cloud. From the facts presented in this paper, it is clear that these fears are valid since the cloud infrastructure has some major vulnerabilities that could lead to problems for the enterprise.
It should be noted that most of the threats inherent in cloud computing are not unique to the cloud environment. Problems such as data loss, unauthorized data access and spying can occur even when the data is maintained by the organization on-site. The problems inherent in Cloud Computing can be mitigated by implementing the solutions proposed in this paper.
References
Chirag, M., Dhiren, P., Borisaniya, B., Avi, P., & Rajarajan, M. (2013). A survey on security issues and solutions at different layers of Cloud computing. Journal of Supercomputing, 63(2), 561-592.
Council of European Professional Informatics Societies (CEPIS) (2011). Cloud Computing Security and Privacy Issues. Web.
Hamilton, D. (2013). Leaked Documents Implicate Microsoft in Giving Government Agencies Access to Cloud, Email, VoIP Data. Web Host Industry Review (WHIR). Web.
Juels, A., & Oprea, A. (2013). New Approaches to Security and Availability for Cloud Data. Communications of the ACM, 56(2), 64-73.
KPMG (2013). The cloud takes shape. Web.
Nkhoma, M. Z. & Dang, D. P. (2013). Contributing Factors of Cloud Computing Adoption: a Technology-Organisation-Environment Framework Approach. Proceedings of the European Conference on Information Management & Evaluation, 2(1), 180-188.
Pearson, S., & Yee, G. (2012). Privacy and Security for Cloud Computing Computer Communications and Networks ITPro collection. NY: Springer.
Priya, D., & Ward, C. (2013). Cyber-Security Threats and Privacy Controls for Cloud Computing, Emphasizing Software as a Service. The Computer & Internet Lawyer, 30(3), 20-24.
Qaisar, S., & Khawaja, F. (2012). Cloud Computing: Network/Security Threats and Countermeasures. IJCRB, 3(9), 1323-1329.
Saroj, K. (2014). NSA Spying Will Hurt Cloud Computing Software Spending in 2014. Cloud Times. Web.
Skendrovic, D. (2013). Growing pains in the cloud. NTT Communications. Web.
Zissis, D., & Lekkas, D. (2010). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583–592.