
Controlling Data Security Risks in Cloud Computing

By Miciano, Jaquelyn

Abstract


Cloud Computing is a recently emerging business solution to the costly maintenance of the Information Technology (IT) infrastructure of established enterprises. The objective is to outsource the IT services of a firm to a cloud computing service provider, which in turn minimizes overhead expenses for maintaining a highly efficient data flow throughout the company. Technology has penetrated every line of industry and has created an unconventional type of business where everything can be obtained through the internet. The effectiveness of implementing Information Technology comes with underlying costs that can be detrimental to the company. Cloud Computing service providers can alleviate maintenance costs for the IT system infrastructure by managing data from their end. This breaks with the conventional safekeeping of company records, as data is deliberately made available to third parties. Security concerns remain a major challenge for cloud computing even when the contractual obligations between the negotiating parties are met while managing the data. A number of approaches can be taken to keep confidentiality and promote data security. Service providers can ensure effective and transparent data encryption, limiting data availability to authorized users. Nonetheless, consumers are denied control over data security, which in turn raises the barriers to adopting cloud technology. This paper points out the importance of security, existing security threats, and gaining control over security by encrypting valuable information prior to transmission.

1.0 Introduction

The emergence of Information Technology (IT) transformed the structure of business processes within the global network. IT guarantees database security and accessibility through software applications made available with the computing technology. As the common workplace becomes completely reliant on computers, the need to manage valuable data has become critical. The key concern in promoting IT for businesses is the cost-effectiveness of communication, which in turn increases profitability, productivity and efficiency within the system. [1, 3, 9]

Technology advancement continues to push the boundaries of providing services for the global market. Cloud-based service is the next significant attempt to revolutionize the way computers and the internet are conventionally employed. Incorporating on-demand operations, expanded accessibility, virtualization, increased delivery of services and scalable resources, the cloud technology offers many advantages to both the consumers and the providers of service industries. [2, 12] The uninhibited nature of the cloud deters both large and small enterprises from adopting cloud services, as they cling to traditional approaches and notions of security. By addressing security concerns, the move to cloud computing becomes attainable. [1]

1.1 Defining the Cloud Concept

The National Institute of Standards and Technology (NIST), which was formed to promote technical leadership across the nation, provided a definition of cloud computing to standardize the unfamiliar cloud concept. It is stated as follows:

Cloud computing is a model for enabling ubiquitous, convenient and on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The cloud technology can be modeled according to the nature of the business, but it has been narrowed down to three service models that classify the services provided to the market. Data in cloud computing can be deployed in four ways: public, private, community and hybrid. The four deployment models present the various ways of handling data while adhering to the contractual agreements between the parties involved. [1, 2, 10]

NIST identified five essential characteristics of the cloud technology that advocate the movement of the IT industry towards the cloud model.

1) On-demand self-service: Eliminates human interaction between the consumer and the cloud provider, as computing services can be utilized as needed.
2) Broad network access: Cloud services are readily accessible across the network through a well-established set of platforms agreed upon with the clients.
3) Resource pooling: The provider has complete governance over computing resources such as storage, processing, memory, network bandwidth and data centers, which are collectively assigned to serve multiple consumer demands.
4) Rapid elasticity: Computing services can be obtained in any quantity at any time, as cloud computing upholds flexibility in its services.
5) Measured service: Transparency for provider and consumer is maintained to preserve credibility and to optimize the utilization of services through control and management of resources. [2, 10, 11]

The three cloud service models represent the scope of the services offered to consumers and satisfy the various service levels that businesses demand according to their needs.

1) Software as a Service (SaaS): User-specific applications running on a cloud infrastructure fully controlled and maintained by the provider are made accessible to consumers through a limited client web interface compatible with different devices.
2) Platform as a Service (PaaS): Consumer-created applications are built with the platform service offered by the provider and deployed on a cloud infrastructure fully controlled and managed by the provider. Consumers are granted control over configuring the applications built on the platform.
3) Infrastructure as a Service (IaaS): Fundamental computing resources are made available for consumers to run software applications in a shared cloud infrastructure that is entirely overseen by the service provider. [2, 5, 11]

Four deployment models defined by NIST serve as classifications to identify the existing boundaries between different service models.

1) Private cloud: Operations are exclusively for one enterprise, which also has management control over the cloud infrastructure.
2) Community cloud: Infrastructure is shared by a specific group of organizations that have similar goals.
3) Public cloud: Services are accessible to consumers from a third-party service provider through the internet. Consumers are granted access control by service providers.
4) Hybrid cloud: Two or more cloud deployment models are combined in an infrastructure that retains their uniqueness while delivering services through a standardized technology.

Figure 1 lists examples of the different types of service offered by cloud providers. A completely new market has been opened for potential vendors of the emerging cloud technology. [5, 9, 12, 13]

Software Services: Billing, Financials, Legal, Sales, Desktop productivity, Human Resources, CRM, Backup and recovery, Content & Document Management
Platform Services: General purpose, Business intelligence, Integration, Development and Testing, Database
Infrastructure Services: Storage, Compute, Services management, Networking, Security
Vendors named in the figure: Salesforce.com, Google Apps, Force.com, Caspio, Rightscale, Amazon web services, Google Apps Engine, Eucalyptus, Gogrid, Oracle, Facebook, Netsuite, Microsoft Azure

Figure 1. Cloud Service Model Functions and Vendors

1.2 Virtualizing the Cloud Infrastructure

To address the security concerns raised about cloud computing technology, it is necessary to understand how infrastructure is virtualized. A common public notion is that cloud computing is completely without physical structures. In reality, a single physical server is optimized to operate virtually for multiple computing users. Virtualization of computing services creates an abstraction of the underlying physical infrastructure. [13]

Figure 2 Virtualization of Physical Infrastructure

Migrating to a virtual cloud is a process pursued by enterprises mainly to cut resource costs and to increase the flexibility and efficiency of performing computing services. Not every type of business has to adopt cloud technology to cut costs, but this paper focuses solely on the security of migrating to the cloud and does not deal with the economics of implementing the new technology. For the purpose of this paper, the standpoint concentrates on enterprises that actually find cloud computing a valuable utility.

To initiate cloud computing, service providers have to identify the nature of the business their clients handle. The underlying factor in establishing an effective cloud service is setting a direct objective that the client wants to accomplish. Consumers have the freedom to choose the kind of cloud service to outsource and implement in their system. The sense of ownership and control over data and resources is pre-arranged between the client and the service provider. Table 1 shows the level of control of consumer and service provider over the IT resources utilized in the process. [9] The consumer has complete ownership of data in all three cloud service models. Applications are controlled by the consumer for IaaS and shared for PaaS. [13] Given the limited level of authority given to consumers, it is important that security management focus on data.

              IaaS               PaaS               SaaS
Data          Consumer           Consumer           Consumer
Applications  Consumer           Shared             Service Provider
Systems       Service Provider   Service Provider   Service Provider
Storage       Service Provider   Service Provider   Service Provider
Network       Service Provider   Service Provider   Service Provider

Table 1 Ownership and Control over Services

2.0 Focusing on Cloud Security

According to research conducted by the International Data Corporation (IDC) to address market concerns about cloud computing, security is the most alarming issue blocking the implementation of cloud computing technology. The findings of IDC are shown in Figure 3, where 224 IT executives were surveyed in 2008. [6, 11] Technology has made information freely available and accessible through the internet, which makes it both convenient and unsecured. Data security is the major barrier for enterprises to adopt cloud technology. Without a reliable security standard, cloud technology cannot fully penetrate the IT market.

Figure 3 Major Concerns of Cloud Technology

This paper aims to address the concerns about data security in cloud computing technology so that consumers can establish a reliable level of security when using the cloud service.

2.1 Identifying Issues in Cloud Security

The Cloud Security Alliance (CSA) listed six significant threats to data security. Figure 4 shows the major threats identified by CSA together with examples of specific instances of how these threats occur. [3, 4, 5]

Figure 4 Data Security Threats

Security is a constant subject in most internet-provided services, but due to the complicated and dynamic nature of cloud technology, new and amplified threats continue to appear, as listed in Figure 4.

2.2 Evaluating Data Security Risk

A set of security principles serves as the benchmark for evaluating the reliability of the cloud environment. The most common areas in which to examine cloud network security are: availability, confidentiality, integrity, authentication, non-repudiation, anonymity and authorization. [4, 5, 13] These issues are raised by consumers migrating to the cloud technology. Availability pertains to the accessibility of data and services on demand, taking network interruptions into account. The integrity of the service provider in configuring authorized networks is an apparent regulation that should be followed. Authentication assures the identity of participants within the network: proper decryption of data with a shared key enables identification of the legitimate sender. Non-repudiation allows transparency between senders and receivers, as it mandates confirmation of message delivery and retrieval to distinguish corrupted data. Anonymity concerns all client information handled within the system of the provider. The last criterion is confidentiality, which concerns data privacy within the network of authorized parties. Securing the cloud network from the consumer's standpoint is very challenging given limited control over the IT resources. [5, 8, 13] Among the criteria discussed, cloud consumers can only have control over confidentiality, through data encryption for accessibility and authentication of local and authorized users. Consumers have the option to increase data security within the network by implementing data encryption within their system.

3.0 Managing Data Security

Effective security risk management is a constant process of developing and improving controls to guarantee data security. [13]

Figure 5 Risk Management

3.1 Security Risk Management

The activities of managing risks can be grouped into four stages: Plan, Implement, Evaluate and Maintain. By following these stages, risks of security penetration can be mitigated before they cause damage. [8, 13] To have a reliable security operation, it is important to determine the possible risks that can be encountered. Each plausible scenario that may cause critical data corruption should be matched with the most suitable security control, so that risks are addressed systematically. This describes the first stage of security risk management, which is to Plan. After planning, the plan must be implemented and configured into the security controls as a preventative action. Continuous and regular evaluation of security controls is necessary to ensure the effectiveness of the plan. The last stage is to maintain a high security level during operation. As a whole, the risk management process is a very simple and effective approach to addressing security issues and concerns.

Improvement in security control is equally significant. Given the dynamic nature of the cloud, security controls must be frequently updated to adapt to new security threats. Modification of security controls ultimately goes through the four stages of security risk management, like the cycle shown in Figure 5. [13]

3.2 Consumer Data Encryption

Data security control can be extended to consumers by protecting the data between transmissions within the cloud network. Carefully encrypting critical data so that it discloses information only within a verified network and to an authorized user, together with a strong usage policy, can achieve a highly secured environment. [9] Consumers should consider this an added level of protection, knowing that the randomly shared cloud environment poses many security risks. Data that is encrypted prior to being transmitted to the network is more difficult to decipher even when intercepted. Different approaches are taken into account to secure vital information. [5]

Cloud providers protect data while it is in transit over their network through their own set of security controls, which creates a lack of transparency on the consumer's side. [13] In the different cloud service models (IaaS, PaaS and SaaS), the consumer is given limited access corresponding to the type of service requested, resulting in a constant struggle over control of data between the cloud provider and the consumer. Consumers can practice data encryption across the critical and accessible areas of the cloud network. Cryptography offers developments in encrypting information as ciphertext while still giving consumers computing capability through a secret key. [7, 9, 14] This allows the cloud to provide access to data, provided that the user has the exact equivalent key, without disclosing any other information. Security can be further extended by assigning a unique encryption key to every cloud user that serves as an identification key. [13]

Implementing these protocols leads to better security control as well as a new and modified set of risks. The risk management flow keeps pace with improvements in security measures, which drives continuing research into effective cloud computing security controls. [14]

4.0 Recommendations

Understanding the existing constraints on accessibility and security control between the provider and the consumer is significant in establishing an effective consumer security protocol. Cloud providers should be encouraged to increase their capability in insider threat detection by developing ways to effectively distinguish consumer-encrypted data without decrypting any information. On the other hand, proper key management must be practiced by the consumer, as data encryption is implemented within their system. [13, 14] Adherence to government standards assures more regulated and reliable data encryption when proposing new developments in security structures. Existing government standards should be promoted as a benchmark in establishing and selecting a secure system.

5.0 Summary and Conclusion

Cloud computing has penetrated the industry and promises low IT infrastructure and maintenance costs through outsourcing computing services, while risking data security and being vulnerable to threats. Data holds valuable information that is considered intellectual property, which demands well-established security control of data within the cloud network. Cloud providers lack trusted computing standard practices to ensure a secure network for consumers. Avoiding the adoption of cloud technology is not the only course of action to protect critical data. Consumers need to gain more control over data security through data encryption practices. Challenges come with new practices, but with proper data security management, cloud technology can be realized and fully deployed.

6.0 References

[1] Armbrust, M., Fox, A., Griffith, R. et al. Above the Clouds: A Berkeley View of Cloud Computing. UCB/EECS-2009-28, EECS Department, University of California, Berkeley, 2009.
[2] Badger, Lee, Robert Bohn, Shilong Chu, et al. United States of America. U.S. Department of Commerce. US Government Cloud Computing Technology Roadmap. Gaithersburg, MD: NIST Special Publication, 2011. Web.
[3] Bhardwaj, Aashish. "Cloud Security Assessment and Identity Management." Society for Education & Research Development. Sample publication. Web. 18 Aug. 2012. <http://iccit2012.cu.ac.bd/sample.pdf>.
[4] Cloud Security Alliance, Top Threats to Cloud Computing V1.0, <http://www.cloudsecurityalliance.org/topthreats.v1.0.pdf>.
[5] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, pp. 6367, 2009.
[6] Gens, Frank. "Bringing Cloud Into the Enterprise." Cloud Leadership Forum. International Data Corporation. May 2010. <https://www.eiseverywhere.com/file_uploads/86cde4f4bf015bb8cd2153ea7e0287ff_Day_1_815am_Frank_Gens_Bringing_Cloud_into_the_Enterprise.pdf>.
[7] Hayes, Brian. "Alice and Bob in Cipherspace." American Scientist. Oct 2012: 362-367. Web. 9 Sep. 2012. <http://www.americanscientist.org/libraries/documents/201286159329266-2012-09CompSciHayes.pdf>.
[8] Krutz, R., and R. Vines. Cloud security: A comprehensive guide to secure cloud computing. Indianapolis: Wiley, 2010. eBook.
[9] Kumar, Ashish. "World of Cloud Computing & Security." International Journal of Cloud Computing and Services Science. Volume 1. No. 2 (2012): 53-58. Web. 25 Aug. 2012.
[10] Mell, Peter, and Timothy Grance. United States of America. U.S. Department of Commerce. NIST Definition of Cloud Computing. Gaithersburg, MD: NIST Special Publication, 2012. Web.
[11] Mewada, Shivlal, Umesh K Singh, and Pradeep Sharma. "Security Based Model for Cloud Computing." International Journal of Computer Networks and Wireless Communications. Vol. 1. No. 1 (2011): 13-19. Web. 18 Aug. 2012. <http://www.ijcnwc.org/papers/vol1no12011/3vol1no1.pdf>.
[12] National Institute of Standard and technology. csrc.nist.gov/groups/SNS/cloud-computing/cloud-def v15.doc, 2009.
[13] Speake, Graham, and Vic Winkler. Securing The Cloud, Cloud Computer Security Techniques And Tactics. Syngress, 2011. eBook.
[14] Song, Dawn, Elaine Shi, Ian Fischer, and Umesh Shankar. "Cloud Data Protection for the Masses." IEEE Computer Graphics and Applications. JAN 2012: 39-45. Web. August 2012. <http://www.cs.berkeley.edu/~dawnsong/papers/2012 Cloud Data Protection for the Masses.pdf>.
