


This document covers the history, services, and security concerns of cloud computing. It discusses the evolution of cloud computing from its origins in the 1990s to its current state, including various cloud services such as infrastructure, software, application, and business clouds. The document also highlights the importance of trust and security in cloud computing, with a focus on data confidentiality, integrity, and availability.



John Harauz, [email protected] Lori M. Kaufman, [email protected] Bruce Potter, [email protected]
JULY/AUGUST 2009 ■ 1540-7993/09/$26.00 © 2009 IEEE ■ COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES
Data Security in the World of Cloud Computing
Lori M. Kaufman, BAE Systems
IEEE Security & Privacy

This environment strives to be dynamic, reliable, and customizable with a guaranteed quality of service.^1 Within this system, users have a myriad of virtual resources for their computing needs, and they don’t need a complete understanding of the infrastructure. Cloud computing’s advent has made the declaration by Scott McNealy, Sun Microsystems’ founder, that “The network is the computer” a reality and given the old Sun marketing motto a new life.

In this new world of computing, users are universally required to accept the underlying premise of trust. In fact, some have conjectured that trust is the biggest concern facing cloud computing.^2 Nowhere is the element of trust more apparent than in security, and many believe trust and security to be synonymous. Here, I examine some security issues and the associated regulatory and legal concerns that have arisen as cloud computing emerges as a primary distributed computing platform.

The concept of cloud computing has been evolving for more than 40 years. In the 1960s, J.C.R. Licklider introduced the term “intergalactic computer network” at the Advanced Research Projects Agency. This concept served to introduce the concept that the world came to know as the Internet. The underlying premise was a global interconnection of computer programs and data.

The term “cloud” originates from the telecommunications world of the 1990s, when providers began using virtual private network (VPN) services for data communication. VPNs maintained the same bandwidth as fixed networks with considerably less cost: these networks supported dynamic routing, which allowed for a balanced utilization across the network and an increase in bandwidth efficiency, and led to the coining of the term “telecom cloud.” Cloud computing’s premise is very similar in that it provides a virtual computing environment that’s dynamically allocated to meet user needs.

From a technical perspective, cloud computing includes service-oriented architecture (SOA) and virtual applications of both hardware and software. Within this environment, it provides a scalable services delivery platform. Cloud computing shares its resources among a cloud of service consumers, partners, and vendors. By sharing resources at various levels, this platform offers various services, such as an infrastructure cloud (for example, hardware or IT infrastructure management), a software cloud (such as software, middleware, or traditional customer relationship management as a service), an application cloud (application, UML modeling tools, or social networks as a service), and a business cloud (for instance, business processes as a service) (see www.thecloudcomputing.org/2009/2/). Cloud computing itself is a field within service computing, a cross-discipline that bridges the gap between business and IT services. This discipline aims to enable IT services and computing technology to perform business services more efficiently and effectively (see http://tab.computer.org/tcsc/).

The UC Berkeley Space Sciences Laboratory’s SETI@home (Search for Extra-Terrestrial Intelligence) project began in 1999 as an attempt to implement distributed computing through computers connected via the Internet to search for intelligent life beyond Earth. This implementation’s success demonstrated the viability of using the Internet as a host for grid computing applications. Concurrent with this project, others were also developing their own variants of cloud computing.

Salesforce.com introduced one of the first practical cloud computing implementations in 1999 and established the concept of delivering enterprise services through a Web site. In 2002, Amazon Web Services launched a suite of cloud-based services, including storage, computation, and even human intelligence through the Amazon Mechanical Turk. It followed up this accomplishment in 2006 with its Elastic Compute Cloud (EC2) service, which provides a commercial service through which users can rent computers and run their own applications. AT&T also entered the cloud computing realm when it acquired USinternetworking (USi) in 2006. USi was an application service provider for more than 30 countries. In 2008, AT&T introduced Synaptic, which combined USi’s five Internet data centers in the US, Europe, and Asia to serve as regional gateways within its cloud.

Today, the latest example of cloud computing is Web 2.0; Google, Yahoo, Microsoft, and other service providers now offer browser-based enterprise service applications (such as webmail and remote data backup). Now that cloud computing has emerged as a viable and readily available platform, many users from disparate backgrounds (for example, financial institutions, educators, or cybercriminals) are sharing virtual machines to perform their daily activities. This environment requires an implicit level of trust as well as an explicit level of vigilance to ensure success.
Within the cloud computing world, the virtual environment lets users access computing power that exceeds that contained within their own physical worlds. To enter this virtual environment requires them to transfer data throughout the cloud. Consequently, several data storage concerns can arise. Typically, users will know neither the exact location of their data nor the other sources of the data collectively stored with theirs. To ensure data confidentiality, integrity, and availability (CIA), the storage provider must offer capabilities that, at a minimum, include

Security is implicit within these capabilities, but further fundamental concerns exist that need attention. For example, is security solely the storage provider’s responsibility, or is it also incumbent on the entity that leases the storage for its applications and data? Furthermore, legal issues arise, such as e-discovery, regulatory compliance (including privacy), and auditing. The range of these legal concerns reflects the range of interests that are currently using or could use cloud computing. These issues and their yet-to-be-determined answers provide significant insight into how security plays a vital role in cloud computing’s continued growth and development.

To overcome these and other concerns, we must develop a security model that promotes CIA. This model could enable each cloud to offer a measure of its to-date and projected CIA, but the obvious difficulty is that obtaining security data is difficult, if not impossible. This problem has existed since computing’s advent due to financial, business, and national security concerns. It might be exacerbated in cloud computing because the need to provide data confidentiality can also impact incident reporting.
Cloud computing users range from individuals and small businesses to Fortune 500 firms and governments. According to a September 2008 survey from the Pew Research Institute, nearly 69 percent of Americans use cloud computing services (such as webmail and online data backup sites).^3 In India, companies such as Ashok Leyland, Tata Elxsi, Bharti, Infosys, Asian Paints, and Maruti are either piloting or using cloud computing. Additionally, nearly 1,500 companies in India already use blended (voice-chat-data) cloud-based communication services from vendors such as Cisco WebEx and Microsoft.^4 The US government projects that between 2010 and 2015, its spending on cloud computing will be at approximately a 40-percent compound annual growth rate (CAGR) and will pass $7 billion by 2015.^5

A major selling point for cloud computing is that it offers significant computing capability that otherwise might not be affordable. For example, a startup might not have the resources to purchase in-house computers or ensure the necessary security, but the cloud offers a cost-effective alternative. Similarly, well-established entities might see the cloud as an effective way to reduce costs and improve IT capabilities. Although these two examples might be at the extremes, they describe the range of entities that will be partner-
created a cloud computing security group. This group envisions its role as promoting “the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards” (see http://csrc.nist.gov/groups/SNS/cloud-computing/index.html). NIST has recently released its draft “Guide to Adopting and Using the Security Content Automation Protocol” (SCAP; see http://csrc.nist.gov/groups/SNS/cloud-computing/index.html), which identifies a “suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues.”^4 Its application includes maintaining enterprise systems’ security. Interestingly, a major concern included in SCAP is the lack of interoperability among system-level tools. It states that
many tools for system security, such as patch management and vulnerability management software, use proprietary formats, nomenclatures, measurements, terminology, and content. For example, when vulnerability scanners do not use standardized names for vulnerabilities, it might not be clear to security staff whether multiple scanners are referencing the same vulnerabilities in their reports. This lack of interoperability can cause delays and inconsistencies in security assessment, decision-making, and remediation.
This concern is but one of many that SCAP has noted as needing action.
In addition to NIST’s efforts, the industry itself can affect an enterprise approach to cloud security. If it applies due diligence and develops a policy of self-regulation to ensure that security is effectively implemented throughout all clouds, then this policy can serve to facilitate law-making as well. By combining industry best practices with the oversight NIST and other entities are developing, we can effectively address cloud computing’s future security needs. To achieve a recognized and actionable security policy, SCAP recommends that organizations demonstrate compliance with security requirements in mandates such as the US Federal Information Security Management Act (FISMA). By adhering to this approach, the policy needed to ensure cloud security can provide effective governance to both industry and lawmakers.
References
Lori M. Kaufman is a deputy chief technology officer at BAE Systems. Her research interests include cybersecurity, software assurance, and biometrics. Kaufman has a PhD in electrical engineering from the University of Virginia. Contact her at [email protected].