









Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
In the following Lecture Notes of Business Management, the Lecturer has illustrated these points in detail : Outsourcing Computation, Controlling Data, Outsourcing Control, Cloud Computing, Traditional Security, Cloud Provider Vulnerabilities, Phishing Cloud Provider, Authentication and Authorization, Forensics In the Cloud, Single Point of Failure
Typology: Study notes
1 / 16
This page cannot be seen from the preview
Don't miss anything!










Table of Contents ...................................................................................................... i
Introduction
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
1
Over the last couple of years the word “Cloud Computing” became really famous. Cloud technology became more mature and more affordable than before, with 3 service models, cloud computing made huge impact on IT services. SaaS or Software as a Service on the top tier, PaaS or Platform as a Service on second tier and IaaS or Infrastructure as a Service are the 3 models, which can serve businesses really well.
The two factor which makes cloud technology could change traditional concept of computing are cost and scalability. This two factors help a lot of startup businesses or small to medium businesses to run their daily business without investing so much on IT infrastructure, in this case company’s data center.
With affordable cost and relatively easy to scale computing power and storage comes a serious problem, which is the control of the data. In this term paper I would like to address this particular topic, how can we outsource the computational power and storage without compromising control over the data.
Lack of control in the cloud is the major worry. One aspect of control is transparency in the cloud implementation, somewhat contrary to the original promise of cloud computing in which the cloud implementation is not relevant. Transparency is needed for regulatory reasons and to ease concern over the potential for data breaches. Because of today’s perceived lack of control, larger companies are testing the waters with smaller projects and less sensitive data. In short, the potential of the cloud is not being realized.
What is cloud computing? Everyone in the technology world is talking about it and a lot of people in the business world are asking the same question, “What is cloud computing, and what does it mean for my business?”
Most IT departments are forced to spend a significant portion of their time on frustrating implementation, maintenance, and upgrade projects that too often don’t add significant value to the company’s bottom line. Increasingly, IT teams are turning to cloud computing technology to minimize the time spent on lower-value activities and allow IT to focus on strategic activities with greater impact on the business.
The fundamental cloud computing infrastructure has won over the CIOs of some of the world’s largest organizations—these once-skeptical executives never looked back after experiencing first-hand the host of benefits delivered by cloud computing technology.
1
Introduction
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
2
Figure 1 - Cloud Computing Logical Diagram 2
2
Fear of The Cloud
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
4
Based on IDC survey, companies are afraid the most of security issues on the cloud environment, with significant effect of application performance on the second position.
Figure 3 - General Challenges/Issues of Cloud^4
This section will discuss about 15 domains, which are preventing companies from taking advantage of the cloud. These 15 domains will be divided by 3 main categories:
These concerns involve computer and network intrusions or attacks that will be made possible or at least easier by moving to the cloud. Cloud providers respond to these concerns by arguing that their security measures and processes are more mature and tested than those of the average company.
2.1.1. VM-level Attacks
Potential vulnerabilities in the hypervisor or VM technology used by cloud vendors are a potential problem in multi-tenant architectures.
Fear of The Cloud
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
5
Figure 4 - Multi-tenant Architectures 5
The problem with multi-tenant architectures is, if the host’s operating system has a hole, a guest’s operating system could compromise the data of the other tenants.
2.1.2. Cloud Provider Vulnerabilities
These could be platform level, such as an SQL-injection or cross-site scripting vulnerability.
2.1.3. Phishing Cloud Provider
Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication 6 , in this case phishing comes from the cloud provider.
2.1.4. Expanded Network Attack Surface
The cloud user must protect the infrastructure used to connect and interact with the cloud, a task complicated by the cloud being outside the firewall in many cases.
Figure 5 - Cloud Type Based on Location 7
Fear of The Cloud
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
7
2.2.3. Assurance of Computational Integrity
Can an enterprise be assured that a cloud provider is faithfully running a hosted application and giving valid results? For example, Stanford's Folding@Home project gives the same task to multiple clients to reach a consensus on the correct result.
The legal implications of data and applications being held by a third party are complex and not well understood. There is also a potential lack of control and transparency when a third party holds the data. Part of the hype of cloud computing is that the cloud can be implementation independent, but in reality regulatory compliance requires transparency into the cloud.
2.3.1. Due Diligence
If served a subpoena or other legal action, can a cloud user compel the cloud provider to respond in the required time-frame? A related question is the provability of deletion, relevant to an enterprise’s retention policy: How can a cloud user be guaranteed that data has been deleted by the cloud provider?
2.3.2. Auditability
Audit difficulty is another side effect of the lack of control in the cloud. Is there sufficient transparency in the operations of the cloud provider for auditing purposes? Currently, this transparency is provided by documentation and manual audits. One popular auditing guideline is the SAS 70, which defines guidelines for auditors to assess internal controls, for instance controls over the processing of sensitive information. SOX and HIPAA are other well-known regulations. US government agencies generally need to follow guidelines from FISMA, NIST, and FIPS.
2.3.3. Contractual Obligations
One problem with using another company's infrastructure besides the uncertain alignment of interests is that there might be surprising legal implications.
2.3.4. Cloud Provider Espionage
This is the worry of theft of company proprietary information by the cloud provider. For example, Google Gmail and Google Apps are examples of services supported by a private cloud infrastructure. Corporate users of these services are concerned about confidentiality and availability of their data.
2.3.5. Data Lock-in
How does a cloud user avoid lock-in to a particular cloud-computing vendor? The data might itself be locked in a proprietary format, and there are also issues with training and processes.
Fear of The Cloud
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
8
2.3.6. Transitive Nature
Another possible concern is that the contracted cloud provider might itself use subcontractors, over whom the cloud user has even less control, and who also must be trusted. One example is the online storage service called The Linkup, which in turn used an online storage company called Nirvanix. The Linkup shutdown after losing sizeable amounts of customer data, which some say was the fault of Nirvanix.
New Problems
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
10
mining? Because of the cloud, attackers potentially have massive, centralized databases available for analysis and also the raw computing power to mine these databases. For example, Google is essentially doing cheap data mining when it returns search results. How much more privacy did one have before one could be Googled?
Availability also needs to be considered in the context of an adversary whose goals are simply to sabotage activities. The damages are not only related to the losses of productivity, but extend to losses due to the degraded trust in the infrastructure, and potentially costly backup measures. The cloud computing model encourages single points of failure. It is therefore important to develop methods for sustained availability (in the context of attack), and for recovery from attack. The latter could operate on the basis of minimization of losses, required service levels, or similar measures.
The development of cloud computing may, in the extreme, allow the use of thin clients on the client side. Rather than a license purchased and software installation on the client side, users will authenticate in order to be able to use a cloud application. There are some advantages in such a model, such as making software piracy more difficult and giving the ability to centralize monitoring. It also may help prevent the spread of sensitive data on untrustworthy clients.
Thin clients result in a number of opportunities related to security, including the paradigm in which typical users do not have to worry about the risks of any actions – their security is managed by the cloud, which maintains the software they run. This architecture stimulates mobility of users, but increases the need to address authentication in a secure manner. In addition, the movement towards increased hosting of data and applications in the cloud and lesser reliance on specific user machines is likely to increase the threat of phishing and other abusive technologies aimed at stealing access credentials, or otherwise derive them, e.g., by brute force methods.
As adoption of cloud computing grows, we are likely to see more and more services performing mash-ups of data. This development has potential security implications, both in terms of data leaks, and in terms of the number of sources of data a user may have to pull data from – this, in turn, places requirements on how access is authorized for reasons of usability. While centralized access control may solve many of these problems, that may not be possible – or even desirable.
New Directions
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
11
This section is for discussing the solution of the problems, which are raised on previous section.
In order for enterprises to extend control to data in the cloud, the proposal is shifting from protecting data from the outside (system and applications which use the data) to protecting data from within.
This self-protection requires intelligence be put in the data itself. Data needs to be self-describing and defending, regardless of its environment. Data needs to be encrypted and packaged with a usage policy. When accessed, data should consult its policy and attempt to re-create a secure environment using virtualization and reveal itself only if the environment is verified as trustworthy (using Trusted Computing). Information-centric security is a natural extension of the trend toward finer, stronger, and more usable data protection.
Lack of transparency is discouraging businesses from moving their data to the cloud. Data owners wish to audit how their data is being handled at the cloud, and in particular, ensure that their data is not being abused or leaked, or at least have an unalterable audit trail when it does happen. Currently customers must be satisfied with cloud providers using manual auditing procedures like SAS-70.
A promising approach to address this problem is based on Trusted Computing. Imagine a trusted monitor installed at the cloud server that can monitor or audit the operations of the cloud server. The trusted monitor can provide “proofs of compliance” to the data owner, stating that certain access policies have not been violated. To ensure integrity of the monitor, Trusted Computing also allows secure bootstrapping of this monitor to run beside (and securely isolated from) the operating system and applications.
The monitor can enforce access control policies and perform monitoring/auditing tasks. To produce a “proof of compliance”, the code of the monitor is signed, as well as a “statement of compliance” produced by the monitor. When the data owner receives this proof of compliance, it can verify that the correct monitor code is run, and that the cloud server has complied with access control policies.
A different approach to retaining control of data is to require the encryption of all cloud data. The problem is that encryption limits data use. In particular searching and
Conclusion
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
13
Cloud computing is not only trend these days, but also cloud computing is really helping companies to do their daily business more efficient. But before a company decides to move to cloud system, it should look all the consequences and all the models available for the cloud environment.
The solutions proposed by the journal, I think are still too early, we cannot implement them at the moment, because cloud technology is still new and we need to wait a little bit more, we need to let the technology approach the majority, because by then everyone will use this standard or approach. If we implement these proposals today, the overhead would be too big. If everyone were using thing approaches, the solutions technology would be cheap and affordable.
Regarding the cloud type solutions, if the company’s data are not required to be confidential, a company does not have to use private cloud environment, it can use public cloud environments.
Most of the startup businesses do not have big budget especially for cloud infrastructure, so if they are on tight budget, they can use combination of public cloud and private cloud environment or traditional in-house server, of course they will suffer on performance and hard to expand, but again to put on public space, the risk exposing the company’s data is still high. On the other hand, big companies will have enough money to create their private cloud environment, since their best interest are the security and confidential of their data.