MSc Computer Security Final Project – IMAT5314
Supervisors: Susan Brammer & Clinton Ingrams

Security Issues in Cloud Computing Technology and the attributes and concerns towards it

KIRAN BHARATH KUMAR DAMARLA
De Montfort University
Student ID: P10545638
September, 2012
1|Page

Contents

Contents
Abstract
Chapter ONE: Introduction
  1.1 Overview
Chapter TWO: Research Methodology
  2.1 Definition
  2.2 Research Approaches
    2.2.1 Survey Approach
    2.2.2 Empirical research
    2.2.3 Types of Surveys
    2.2.4 Sampling
    2.2.5 Case studies
    2.2.6 Experiment
    2.2.7 Grounded Theory
  2.3 Research Data Methods
    2.3.1 Secondary Research
    2.3.2 Primary research
  2.4 Research Models
    2.4.1 Quantitative
    2.4.2 Qualitative
  2.5 Research Methods
    2.5.1 Questionnaire
    2.5.2 Interview
    2.5.3 Observation
    2.5.4 Documents
  2.6 Proposed research approach and method
  References
Chapter THREE: Literature Review
Chapter FOUR: Related Research
  4.1 Definitions
  4.2 Cloud Architecture
  4.3 Cloud Models
    4.3.1 Public cloud
    4.3.2 Private cloud
    4.3.4 Community cloud
    4.3.5 Hybrid cloud
  4.4 Cloud Services
    4.4.1 Cloud Software as a Service (SaaS)
    4.4.2 Cloud Platform as a Service (PaaS)
    4.4.3 Cloud Infrastructure as a Service (IaaS)
  4.5 Characteristics of Cloud computing
    4.5.1 On-demand self-service
    4.5.2 Broad network access
    4.5.3 Resource pooling
    4.5.4 Rapid elasticity
    4.5.5 Measured service
  4.6 Advantages
    4.6.1 Low Cost
    4.6.2 No extra licences
    4.6.3 Quality of service
    4.6.4 Reliability
    4.6.5 Strong Platform
    4.6.6 Backup and Recovery
    4.6.7 Mobile endpoints
    4.6.8 Data concentration
    4.6.9 Easy IT maintenance
  4.7 Disadvantages
    4.7.1 Complexity of environment
    4.7.2 Multi-tenant culture
    4.7.3 Loss of control
    4.7.4 Network risks
Chapter FIVE: Security Issues in cloud computing
  5.1 Introduction
  5.2 Authentication
  5.3 Access control
  5.4 Hypervisor
  5.5 Virtual network
  5.6 Issues related to Cloud User and Cloud Provider
    5.6.1 Governance
    5.6.2 Trust
    5.6.3 Compliance
    5.6.4 Data Location
    5.6.5 Digital forensics
    5.6.6 Investigative Report
Chapter SIX: Security measures
  6.1 Introduction
  6.2 Onion routing
  6.3 SSL/TLS
  6.4 XML Encryption
  6.5 XML Signature
  6.6 Security standards
    6.6.1 ITIL (Information Technology Infrastructure Library)
    6.6.2 ISO/IES 27001/27002
    6.6.3 OVF (Open virtualisation Format)
Chapter SEVEN: Research Analysis and Findings
  7.1 Cloud Users Survey
    7.1.1 Summary of findings
  7.2 Cloud Providers Survey
    7.2.1 Summary of findings
Chapter EIGHT: Recommendations & Conclusions
References
Appendices
  Appendix A: Cloud Users Questionnaire
  Appendix B: Cloud providers Questionnaire
  Appendix C: Project Plan


Abstract:
Nowadays IT companies regard adopting the cloud into their IT networks as an important trend, and this growth is seen throughout the world. Increased productivity, cost reduction and flexibility for their business are some of the benefits the cloud provides. The most important fact, however, is that the cloud also has many downsides, as other IT technologies do. In a cloud environment information may move to, or reside at, any location around the world for ease of access and reliability; on the other hand, this can take users' data out of their control. There are several issues that need to be taken care of with respect to security and privacy in the cloud environment, but many IT companies are moving swiftly to adopt cloud technology without even considering them. This research paper aims to take an insight into the cloud and to analyse the various issues that threaten cloud computing. Some cloud users believe that cloud providers are more responsible for the security of data in the cloud; in contrast, cloud providers say that users are responsible. This paper draws out the views of cloud users and providers by addressing these issues, and explains why the security of information in the cloud needs to be taken care of.


Introduction:
Cloud computing is becoming a more popular term and technology in the computing world. It is a modern technology that makes data access easy and a new idea for building an online computing infrastructure. Ordinarily, users store and process information on their own limited storage systems. To perform a task such as data processing they have to install an application or program, which takes space on traditional hard-disk storage. Customers often find it inconvenient to carry their storage devices with them everywhere, and they look for alternatives that let them carry their files or large quantities of data and access their information wherever they go. Cloud computing provides the solution for these clients. Alongside individual users, many organisations want to outsource their data so that it is available to business processes at other locations. Cloud computing provides flexibility that personal storage devices do not, such as paying only for what is used. Users can access many applications and services, along with storage, from any internet-enabled device. HostingTag (2012)
Major companies such as Google, Microsoft and Amazon, among many others, play their part in developing and advancing cloud technology and provide services to a huge number of customers. Nowadays the success of corporations such as Microsoft and Amazon is encouraging new companies, such as Mosso, MediaTemple and Joyent, to enter cloud technology, making the cloud a more competitive field among many companies.

Furthermore, many types of service are being added to cloud computing, such as SaaS, PaaS, IaaS and others. Besides these specialised services there are packages such as pay-as-you-go and on-demand offerings, designed to attract millions of consumers. From the consumer's point of view, the benefits provided by cloud services lead many to consider adoption an important step, and they are starting to set up applications or use services in the cloud. Many researchers have therefore predicted that the cloud will extend further, be adopted by millions of clients and be expanded by multiple providers, since it is profitable for both users and providers. Hence cloud computing is a slogan not only among computing professionals but also among ordinary computer users. Zhou (2010)
When sensitive information and applications start moving into the cloud, processing those resources in the form of virtual resources opens up many new challenges, including security, privacy, application vulnerabilities and more. Cloud computing is a long-dreamed-of vision of computing and is still at the development stage. It is usual for any ongoing development, cloud computing included, to involve and expose new flaws or risks. So, along with its attractive benefits, cloud computing also brings critical problems, especially regarding security risks, and as it is at an early stage, many challenges will continue to arise. It is clear that there is a demand for an extensive discussion of security challenges in the cloud.
This research primarily aims to discuss the major security issues along with other issues such as compliance, trust and data location, and further to draw out the attitudes and concerns of cloud users and providers in addressing the requirement to protect information in the cloud environment. The remainder of this study is organised into chapters as follows. Chapter 2 presents the research methodology used in this research. Chapter 3 contains the literature review of issues in the cloud. Chapter 4 presents related research, including cloud models, services, advantages and disadvantages. Chapter 5 presents the security issues in cloud computing and how they are addressed. Chapter 6 presents the security measures and standards used in the cloud environment. Chapter 7 presents the analysis of the survey results. Finally, Chapter 8 contains recommendations and conclusions.

Research Rationale:
Currently IT companies are dealing with the cloud with some difficulty in creating a secure environment for cloud computing, and we believe the findings of this research can offer guidance on how to deal with the hazards of cloud technology. This research can be helpful in gaining knowledge about how users and providers of cloud computing applications, infrastructure and platforms are addressing the need to safeguard information in the cloud.

Deliverables:

Report / Thesis: A complete research report including:
• An insight into cloud computing
• Security issues in cloud technology
• A critical analysis of security issues in the cloud with a literature review
• Advantages and disadvantages of cloud computing
• A critical analysis of the attitudes and concerns of cloud users and cloud providers
• A set of suggestions


Risk Analysis:
To avoid anything unwanted, common risks such as power failure and data loss will be identified during the development of the project and as part of the assessment. Work can be saved at every stage. The proposed research concerns cloud computing technology and its security, a topic on which a huge amount of information is available, so the objectives of this research can be achieved accurately. The project can be carried out outside the university network, so there is no chance of damage to the network or to anyone for any reason. Most of the work is done on a personal laptop, with the data backed up and archived on an extra storage device. No physical equipment or substances are involved in this research.

Ethical Issues:
This research does not deal with any human subjects or living creatures. The results will be analysed on the basis of surveys conducted previously and interviews with professionals working in the industry, presented in anonymous form. Therefore no ethical issues need to be considered regarding this research.

Initial Research Methods and Plan:
Information extracted from journals, books, articles, the web and other resources will be used as the source for this research, which draws on the findings of studies, literature, books and some case studies. Issues grounded in the research findings will be tested against the survey results. Finally, the critically analysed results are used to draw generalised conclusions together with a proposal of suggestions.


References:
HostingTag (2012) Basic Introduction on Cloud Computing. Available at: http://www.hostingtag.com/basic-introduction-on-cloud-computing/ [Accessed on: 10/8/2012]

Zhou, M. et al (2010) Security and Privacy in Cloud Computing: A Survey, In Proc IEEE 2010


Chapter Two: Research Methodology

2.1 Definition:
Research is a process for answering questions by collecting and analysing data. De Vos, Schurink & Strydom (1998) stated that "research is a structured enquiry that utilizes acceptable scientific methodology to solve problems and creates new knowledge that is generally acceptable".

2.2 Research Approaches:
This review of different research approaches will improve the way the research is planned and investigated, which in turn produces a better outcome. The choice of a suitable approach depends on the kind of research problem: some approaches suit a problem better than others, and each has its own advantages and disadvantages, so no single approach is accepted or rejected outright. A research strategy is different from the research methods, which are the tools used for data collection, such as questionnaires, interviews, documents and observation. Particular methods tend to be used with particular strategies; for instance, surveys are often associated with the questionnaire as the method of acquiring data. However, a researcher can use different methods with any chosen strategy, depending on what is convenient.

2.2.1 Survey Approach:
Denscombe (2007) notes that survey means 'to view comprehensively and in detail' and, in another sense, refers specifically to the act of 'obtaining data for mapping'. The survey approach is a research strategy, not a research method, and researchers who adopt the survey strategy can use various other methods within it. Denscombe (2007) Some critical characteristics of surveys are described below. Denscombe (2007)
Wide and inclusive coverage: A survey should have wide and inclusive coverage. The fundamental quality of a survey is that it gathers all the views across a wide range.
At a specific point in time: The main aim of a survey is to capture the latest state of things. Surveys usually relate to current affairs and offer a picture of how things are at the particular time when the information is gathered.

2.2.2 Empirical research:
Survey carries the meaning 'to look' and brings with it the idea of empirical research: it conveys the idea of going out and gathering the required data 'out there'. It is important to recognise that these three characteristics of the survey strategy do not specify a particular research method. The approach is a research strategy, not a method, and, as discussed earlier, researchers can incorporate several types of method within a survey. Denscombe (2010)
Surveys also have their own advantages and disadvantages, like other strategies and methods. Wide and inclusive coverage means a survey is more likely than other methods to obtain a large amount of data. Surveys are best suited to getting data from a large group of people, and a researcher gets the best effect when unbiased information about groups of people is needed, such as what they think, what they need and what they are. Surveys are good at collecting data fairly on straightforward behaviour and thoughts. Compared with ethnography and experiments, a researcher can obtain a larger volume of data at low cost, and internet surveys can distribute questionnaires and collect completed responses from participants in a short time. On the other hand, surveys cannot ensure the accuracy or genuineness of responses; if the response rate is low, researchers will find it difficult to obtain a sound response; and they are not good at dealing with sensitive or complicated issues.

2.2.3 Types of Surveys:
Denscombe (2007) reported that researchers use a wide range of surveys for a variety of aims and objectives. Some are listed here:
• Postal surveys
• Internet surveys
• Face-to-face surveys
• Telephone surveys
• Group-administered surveys
• Observational surveys
• Surveys of documents

2.2.4 Sampling:
Sampling can be a feasible solution for the survey researcher, because its basic rule is that a researcher can obtain accurate results without gathering data from every individual in the survey population. It saves money and time by reducing the huge quantity of data.

2.2.5 Case studies:
Case studies focus on just one or a few instances of a specific phenomenon with the intention of producing an in-depth account of the experiences, events and relationships in that instance. Case studies are well suited to small-scale projects. Their basic principle is to focus on an individual instance rather than a broad spectrum, although researchers sometimes use two or more instances. The logic behind studying only one instance is the advantage of gaining insights with a broad range of implications. Denscombe (2007) stated that a case study can study things in more depth and detail than a survey normally can. In general, relationships and processes are interrelated and interconnected, so to study a particular thing it is necessary to study critically how it connects with other things. The strength of the case study is that it provides insight into the reasons why certain results occur, not merely what those results are. The main advantage of the case study approach is that it allows the researcher to employ multiple sources, multiple methods and different types of data in the investigation. "The case study is helpless when criticism is in relation to the credibility of generalizations made from its discoveries, and further the researcher finds it difficult to decide which data to include and which to exclude". Denscombe (2007)


2.2.6 Experiment:
According to Denscombe (2007), an experiment is an empirical investigation designed to analyse the properties of, and relationships between, specific factors under specific controlled conditions. The main reason for doing an experiment is to isolate individual factors and inspect their characteristics and impacts very clearly. Experiments have been used to find new relationships or properties connected with materials, or to test existing theories. As a research strategy, experiments concern the aims and design of the investigation, not how information is to be gathered, which is why experiments are best regarded as an approach rather than a method. Types of experimental design:
• True experiments
• Repeated measures
• Time series design
• Quasi-experimental design
• Ex post facto design

Instructional researchers should be aware of possible threats to internal validity when working with experiments; for beginners, experiments are difficult to start at the design and conducting phases of the experimental study. Ross & Morrison (2003) Experiments are regarded by many as the most scientific and most credible approach to research, and they lend themselves to verification by being repeatable by other researchers. Denscombe (2010) When dealing with the experimental approach, many ethical considerations arise, and the question arises of whether the experimental conditions match the real-world conditions in which the behaviour or decisions would take place.

2.2.7 Grounded Theory:
Grounded theory is described as an approach rather than a method because it employs many methods; in this approach knowledge production does not come from existing theory but is grounded in data collected from one or more empirical studies. One of the major criticisms is that its data analysis is not scientific. Nevertheless, grounded theory employs multiple methods for information collection and data analysis, and it leads to a deeper understanding than inductive coding. Gasson (2003) Grounded theory is fundamentally an inductive approach and is mainly focused on dynamic and interpersonal transactions. Because of this fundamental principle, grounded theory draws no distinction between theory and design. Its use is based on producing data from various sources and from various perspectives on a problem. The approach may use most ethnographic research techniques, such as interviews, observations, and the collection and analysis of texts. D'Onofrio (2000/2001)

2.3 Research Data Methods
There are a number of methods available for the design and development of a research project. Basically they can be divided into two types: primary and secondary.

2.3.1 Secondary Research:
Secondary research is distinguished from primary research in that the researcher is a secondary user of the data. Secondary research quickly obtains data that already exists or has already been published, and most of the information is obtained at low cost or free. Virtually every piece of research makes use of some secondary data, including the results of recent surveys, reports and databases generated by government agencies or institutions.

The stages involved in secondary research are as follows:
• Recognise data sources
• Collect existing information
• Compare and finalise data if necessary
• Data analysis

In this method data is obtained from primary research already collected by someone else. Researchers may be able to find exactly the information they are searching for through secondary research. It is an alternative to primary research when researchers find primary research difficult, as it is very burdensome and needs a lot of time and more money. Secondary research can be adopted in any research because of benefits such as less time, low cost and exact information.

2.3.2 Primary research:
Primary research is achieved by collecting original information, or primary data, and usually starts after the researcher has gained some understanding of the investigation by reviewing secondary research. It can be carried out through different strategies such as surveys, questionnaires, interviews, case studies and more, and by applying qualitative or quantitative methods.

2.4 Research Models:
There are two types of research model, quantitative and qualitative.

2.4.1 Quantitative:
Quantitative research involves the collection and analysis of numerical data. It follows the scientific method and concentrates on producing conclusions and new theories by controlling variables and collecting measurable data. Quantitative data is collected in the form of numbers, and numbers can represent many kinds of things, so the researcher must have a clear idea of which numerical type of data is to be derived. Hesketh (ND) Denscombe (2010)

2.4.2 Qualitative:
Qualitative data is collected in the form of words, either spoken or written, and visual information. It is primarily associated with strategies such as surveys and case studies and with methods such as interviews and observation. For example, if the researcher uses a survey as the strategy, the answers it produces can be in the form of written words or text from participants. Qualitative data should be prepared, organised, catalogued and indexed before analysis; otherwise identification and reference will be difficult with raw data. Denscombe (2010)


2.5 Research Methods

2.5.1 Questionnaire:
The questionnaire is a very useful method and a flexible tool for data collection. It must be carried out very precisely to meet the requirements of a particular research, otherwise it can miss the crucial factors that need to be considered before it is employed. Impersonality is one of the main characteristics of questionnaires: once the questions are fixed, the researcher does not form new questions based on the answers. The questionnaire is an affordable method in terms of cost and time, and collects data from large groups of people. Walliman (2001) Characteristics of a questionnaire: Denscombe (2010)
• Designed to collect data for analysis
• A list of written questions
• Gathers information by asking people

Questionnaires are better suited when a large number of responses from different places is needed and the information is straightforward. Questionnaires produce two kinds of information, facts and opinions, which is distinct from the data collected through interviews, observations and case studies. Facts are straightforward information from respondents; opinions relate to feelings, attitudes, views and so on derived through the questionnaire. Planning the use of a questionnaire rests on factors such as cost and time, and these factors should be identified carefully at the planning stage rather than distributing the questionnaire early. Here cost is the amount of money spent on distribution and on analysis of the data. Basically there are two types of questionnaire delivery, personal delivery and postal delivery. The researcher can ensure a high response rate with personal delivery, but personal delivery faces problems with time and geographical location that restrict the range and scope of delivery. Postal delivery is the only method for questioning people at various locations, even in remote areas. Cost sometimes affects postal distribution, but it is cheaper than interviews. Walliman (2001) Internet questionnaires are widely used nowadays: a questionnaire could be an email, an email attachment or a web-based form. Data accuracy and pre-coded answers are advantages of the questionnaire method.

2.5.2 Interview: Interviews are a systematic procedure for discussing a topic with people and a method of obtaining information from them through conversation. The data is derived from the respondents and is utilised as the primary research of the investigation. It is a method of collecting data and knowledge from participants. Interviews are an attractive proposal for a researcher because they do not involve many technical issues at the initial stage and require only the skill to prepare and conduct a conversation. Gray (2004) stated that there are several reasons for using interviews, as follows:

• Requirement for highly personalised information
• Possibilities that need further investigation
• Fair response rate
• Language problems of respondents

There are many types of interviews, including structured, semi-structured, unstructured and non-directive interviews.

Structured interviews: Structured interviews are sometimes referred to as standardised interviews because the same questions are given to all participants. Kajornboon (2004) Corbetta (2003) describes them as “interviews in which all respondents are asked the same questions with the same wording and in the same sequence”. Structured interviews give the researcher control over the topics and format of the interview.

Semi-structured interview: Unlike the structured interview, the semi-structured interview is non-standardised and some additional questions may be asked. It is often used in qualitative analysis.

Unstructured interviews: This type of interview is a more flexible method for the researcher. It is a non-directed interview and more casual than the others. It does not follow any interview guide, as each interview differs from the others.

Non-directive interview: The researcher may control structured and semi-structured interviews by setting the issues and questions, but non-directive interviews do not allow preset topics and questions. This means that questions are not planned before the interview; the interviewee leads the conversation and the interviewer simply follows the respondent. Boon

Group interview: In this kind of interview more than one participant is interviewed at the same time, to increase the range and number of respondents and to obtain more responses.

2.5.3 Observation: Observation provides a clear-cut way of collecting information for a researcher. It is accomplished by the researcher witnessing events directly and obtaining evidence at first hand. It does not depend on participants’ thoughts, opinions or what they say. There are two categories of observation research. One is systematic observation, which is generally analysed using statistical methods and is connected with the production of quantitative data. The other is participant observation, which is linked with sociology, anthropology and the production of qualitative data, and is mostly used as part of an investigation to infiltrate a group of people undercover and study its culture and processes. Both types of observation share some common characteristics, such as direct observation, field work, natural settings and the issue of perception. Both rely on direct observation, unlike interviews and questionnaires, and both are dedicated to gathering information from real-life situations, observing things in a natural setting rather than in artificial settings such as laboratory-based experiments. Denscombe (2010)

2.5.4 Documents: In research, documents are also considered a source of data. They are identified as written sources and sometimes visual sources such as pictures, sounds etc. Written sources such as government publications and official statistics are considered a key source of documentary information and are an attractive proposal for the researcher, as they are authoritative, objective and factual. In addition, newspapers and magazines also provide a vital source of up-to-date data for public and research purposes. Documents are available in the form of letters and memos, diaries, and online web documents and sites.

2.6 Proposed research approach and method: The classification of these approaches gives the researcher clarity about which approach is better suited to the selected investigation and which methods or strategies provide a feasible solution to the research problem. As discussed earlier, each approach and method has its own advantages and disadvantages. The selection of the data collection approach relies on the type of data needed. To get a brief idea, it is necessary to review the objectives once again.

• The main objective of this project is to provide an overview of the cloud computing environment and explore its various unresolved issues.
• Analyse numerous security issues which are obstacles to cloud computing development and adoption.
• Critically analyse recent security breaches that happened in the cloud and draw out the impact of those incidents.
• Identify the pros and cons of implementation and adoption of the cloud environment.
• Critically analyse the attitudes and concerns of cloud users and providers towards the security of information in cloud technology and the need to secure the data in the cloud.

As mentioned earlier, each approach and strategy has its advantages. Mainly, the selection of a particular approach and method is based upon the kind of data needed and the nature of the query.

Conclusion: After reviewing the approaches and objectives, and specifically the aim of finding the attitudes and concerns of cloud users and providers about security in cloud computing, the survey approach was selected as the right strategy for this research. This research makes use of two surveys, conducted among cloud users and cloud providers, to identify their attitudes and concerns towards the security of the cloud.

The first survey, named the cloud service users survey, was conducted by the researcher himself. This survey was conducted through an online questionnaire. Most of the participants responded through email and the remainder gave their responses through a web-based online survey.

The second survey is named the cloud providers survey. However, for several reasons this research utilises a previously conducted third-party survey among providers rather than a survey conducted by the researcher. It is difficult to conduct two surveys for the selected research because it takes a lot of time and money, and within the tight time period a third-party survey is the most feasible solution. It is highly difficult to reach cloud providers; even if the researcher contacts them there is no guarantee of getting a proper response, because cloud technology is quite new to so many users. Other survey strategies such as postal and electronic surveys are not the best solution either, as the participants' response may be low or may not reveal the truth about their opinions. It is highly difficult to reach and cover the major service providers around the world, and contacting and getting information from well-known service providers would require a large number of interviewers. Hence a third-party survey is utilised in this research because of resource limitations, human and otherwise, and to avoid late and inaccurate reporting of results.

References:

Corbetta, P. (2003) Social Research: Theory, Methods and Techniques. London: SAGE Publications.

Denscombe, M. (2007) The Good Research Guide: For Small-scale Social Research Projects, 3rd edition. Berkshire: Open University Press.

Denscombe, M. (2010) The Good Research Guide: For Small-scale Social Research Projects, 4th edition. USA: McGraw-Hill.

De Vos, A. S., Schurink, E. M. & Strydom, H. (1998) The nature of research in the caring professions. In A. S. De Vos (Ed.), Research at Grass Roots: A Primer for the Caring Professions (pp. 3-22). Pretoria: Van Schaik.

Gray, D. E. (2004) Doing Research in the Real World. London: SAGE Publications.

Hesketh, E. A. & Laidlaw, J. M. (n.d.) Quantitative Research. Designed and produced by the Education Development Unit, NHS Education for Scotland. [www] http://www.nes.scot.nhs.uk/nes_resources/ti/quantativeresearch.pdf Last accessed Aug 19, 2012.

Kajornboon, A. B. (2004) Using Interviews as Research Instruments. Language Institute, Chulalongkorn University.

Walliman, N. & Baiche, B. (2001) Your Research Project: A Step-by-step Guide for the First-time Researcher. London, Thousand Oaks, New Delhi: SAGE Publications.

Gasson, S. (2003) Rigor in Grounded Theory Research: An Interpretive Perspective on Generating Theory from Qualitative Field Studies, Chapter VI. Drexel University, USA.

D'Onofrio, A. (2000/2001) Grounded Theory. Ed 714 Qualitative Research Methods in Education, Spring/Summer 2001. [www] http://www2.widener.edu/~aad0002/714grounded.html

Ross, S. M. & Morrison, G. R. (2003) Experimental Research Methods. In D. J. Jonassen (Ed.), Handbook of Research on Educational Communications and Technology (2nd ed., pp. 1021-1043). Mahwah, NJ: Lawrence Erlbaum Associates.

Chapter THREE: Literature Review

Introduction: The cloud is categorised into different models. A few models are simple, so they are widely used, while the rest are not so popular because of their complexity. Over the past two years there has been rapid enhancement in information technology, which has gained momentum with the introduction of new and advanced technologies. Because of this, new concerns and threats have been raised, but addressing these novel concerns and risks has simply fallen behind. For instance, risks such as electronic discovery and forensics are rising issues which are important considerations and must be determined for cloud computing. It becomes necessary to identify whether data stored and processed in cloud computing will be available for discovery and forensics. Ion (2011) stated that a recent survey projected that cloud computing will become a higher priority for clients than desktop computing, and another survey by Hosting 2011 reported that cloud storage is driving the rapid expansion of cloud technology. Present-day online storage services like Google Docs, DropBox, FolderShare and many others are available to store end users' data from their personal desktop and laptop storage systems. The transition from traditional computing to cloud computing brings many benefits, such as availability of information anytime and anywhere for free or at low cost, and it frees users from limited self-managed data backup storage. In 2008, 69% of US online users used cloud computing to store data online, for webmail services and for web-based software applications. Horrigan (2008), Ion (2011)

Wang et al (2010) stated that cloud computing adds new security threats to data outsourced to the cloud environment. In cloud technology, outsourcing data places it under the cloud service providers' separate administrative control, so that cloud users are surrendering control of their own data to fate. Therefore the correctness of the outsourced data remains at risk. Wang et al (2010) also mentioned that the cloud infrastructure is threatened by a lot of challenges to data integrity from both internal and external sides. All of this happens because cloud providers have their own purposes, motivations and behaviour towards the data that cloud users outsource. Cases involve service providers acting for money-related reasons, reclaiming storage by removing unused or infrequently used data, and hiding incidents like data loss and data theft to maintain their reputation and value. From the start there have been many breakdowns and security breaches in cloud services, although outsourcing data into the cloud is very tempting because it allows large storage capacity for long periods at very low cost. Wang et al (2010)

Horrigan (2008) reported that 51% of online users gave ease and convenience as their reason for using the cloud, and 41% of cloud users said they like having access to their data from any computing device with cloud applications. Popović and Hocenski (2010) argued that according to the International Data Corporation (IDC) survey, security of data in the cloud ranked top as the highest issue or risk in the cloud computing environment. Most companies face a major issue in moving their vital information into a public and shared cloud environment, which is outside their network defences and control. Even traditional cryptographic methods cannot protect the data effectively, because users do not have physical access to their data in the cloud network. Popović and Hocenski (2010) stated: “Who controls the encryption/decryption keys? Logically it should be the customer”. Verifying the correctness of outsourced data in the cloud becomes a big issue, as the local data files are no longer available, and auditing data in the cloud becomes a big challenge for users because of restricted resource control and the large data size. Besides that, integrity verification of data in the cloud is no longer a feasible solution, as it requires downloading and transmitting a large quantity of data across the network, which is highly costly. Popović and Hocenski (2010) stated that “Ensuring the integrity of the data (transfer, storage, and retrieval) really means that it changes only in response to authorized transactions. A common standard to ensure data integrity does not yet exist”.
The certainty of data integrity depends upon, and may vary with, the authorised transactions. There is still no method or standard to ensure the integrity of data, argued Popović and Hocenski (2010). Chow et al (2009) argued that Trusted Computing can assure the integrity of a cloud network. Wang C et al (2010)

Gellman (2009) explained that if any person becomes a cloud service user, then any data accessed on a personal computer could be processed and stored in a cloud, including email, word processing documents, spreadsheets, videos, health records, photographs, tax or other financial information, business plans, PowerPoint presentations, accounting information, advertising campaigns, sales numbers, appointment calendars, address books, and more. All of this content may be stored with a selected provider or sometimes with many cloud service providers. Generally, privacy or confidentiality questions may be raised whenever an entity like an individual, an enterprise, a government agency or others shares its own or others' information in the cloud. Gellman (2009)

Weissberger (2009) reported that “Northern CA Technology and Civil Liberties Policy Director Nicole Ozler warned that cloud computing could compromise privacy rights of its users” and also stated that once data is transmitted into the cloud it is no longer in your network, and cannot be regarded as your own property or as another subsidiary of your company. Since the data is located in many places in the cloud, it can be accessed from plenty of regions across the world and might be used in many ways that one cannot imagine. It is also very difficult to delete one's own data once it is in the cloud, because of long data retention and inadequate deletion procedures.

O’SHEA (2011) argued that cloud services and applications are rapidly becoming more efficient and less costly for many IT companies to handle information. But there is no answer to the question: is data in the cloud fully exempt from outages and security breaches? Companies also still do not know clearly which applications or data should be put in the cloud and which should be kept in their own network to be free from security threats, queried O’SHEA (2011). O’SHEA (2011) argued that most corporations are simply adopting either public or private cloud services because of their low IT overhead and the flexibility of offering more users access from anywhere in the world. Nevertheless, some high-profile outages and security breaches in recent years have shown them that simply outsourcing their services into the cloud does not exempt them from any threats.
He gave the example of a recent high-profile outage in an Amazon cloud data centre which affected the business of a number of clients using Amazon Web Services. Similarly, another outage occurred at Google; this Google Mail outage led to the loss of many clients’ e-mails. In addition, cloud service companies like Microsoft and Dropbox have also experienced this type of risk, even though such problems happen very rarely. O’SHEA (2011) concluded that “Small businesses can make great use of cloud services, but nothing is 100 percent reliable and you just have to be smart about these things and plan for the possibility of disaster”. O’SHEA (2011)

Cosgrove & Determann (2012) stated that claims such as “Cloud Computing Presents Fundamentally New and Unique Challenges for Data Privacy and Security Compliance, Cloud Computing Involves More Data Sharing, Which Is Inherently Bad for Privacy, Cloud Computing Is Bad for Data Security” are myths. Cosgrove & Determann (2012) argued that the security of information on a system controlled by a user or a vendor depends on who the user and vendor are, and also on how strong and efficient the security measures used by the particular company are. That transmitting data into the cloud globally creates new issues related to privacy law is a misconception: the truth is that companies already transfer data globally, sending emails, documents and more over the internet to other offices, partners and customers in other jurisdictions. Cosgrove & Determann (2012) described the privacy laws and jurisdictional complications: some privacy laws in some jurisdictions require certain records or information to be held and kept in their country forever. However, such laws apply only to particular kinds of information or records, and in that case they do not prevent the transfer of information into the cloud environment. As per privacy law, a service provider has only two duties: one is simply to follow the customer’s instructions and the other is to secure the data from unauthorised access. The main question is that most companies are still confused about whether to keep control with modern IT systems or to hire service providers for their IT infrastructure. Users may need to reserve the right to audit the cloud provider’s compliance measures, but it is not a must-have right, and cloud service providers may not allow users to inspect data centres, as that could impair the security of other customers' information; individual audits can also be expensive and may lead to unwanted trouble. Nonetheless, companies are swiftly moving to cloud computing and simply ignoring, or not giving much attention to, any issues or concerns related to it, explained Cosgrove & Determann (2012).
In contrast, Kothari (2011) specified that “Despite the accelerating adoption in small and mid markets, cloud adoption is not a slam-dunk for enterprises. They still think long and hard about moving applications and their data to the public cloud from traditional on-premise computing models”. Even though cloud computing technology is widely known among IT companies, its ongoing consequences have not been addressed or identified clearly. Some questions, such as what the possible risks are and who is most responsible for the security of data in the cloud, are still unanswered, and some researchers believe that most of the issues of the cloud are myths. Kothari (2011)

Wang et al (2009) believe that the security of data storage in the cloud computing environment is still an unresolved field with many challenges, and most importantly, is still in its early stage of growth. Kothari (2011) stated that organisations' use of cloud computing services continues to grow rapidly; Forrester Research, an independent research firm, predicts the cloud computing market will touch 241 billion dollars in 2020. He expressed doubts regarding the cloud: there are plenty of resources and articles available on cloud computing, but the question “can the cloud be trusted?” is still being raised. Kothari (2011) asked why, in spite of the more significant benefits like fast deployment, easy scalability, greater economy and low cost of the cloud, many organisations still refuse to adopt the cloud beyond a passive level. This is because the most vital issues about security, data privacy and compliance in the cloud have not yet been answered, and organisations are rejecting the transfer of data containing sensitive information and valuable resources into a publicly accessible cloud. In Kothari's words, the Goldman Sachs Equity Research Report reveals that the majority of CIOs testify to significant concerns related to the security of data storage in the cloud environment. Their major concerns are about how the cloud network is protected, the location of data, loss of transparency, and how to control their valuable business data. He gave the example of the recent high-profile security data breach at Epsilon, which affected a large number of companies like BestBuy, Ritz Carlton, JPMorgan and Citi, along with tens of millions of cloud users, and put their sensitive information at risk. He stated that other fundamental issues in the cloud are security policies and compliance failure. To support his argument he also gave the example of the recent massive data theft at Sony, as a result of which over 100 million consumers lost their valuable information such as date of birth, bank details and credit card information to hackers. There are still significant concerns like regulatory compliance, loss of governance and lack of transparency to consider in the cloud.
Unlike the others, Kothari (2011) argued that once data is outside the company’s direct control, misuse of this data may lead to privacy and intellectual property claims, and responsibility for regulatory compliance still rests with the company rather than the cloud providers. The location of data and the whereabouts of the cloud service provider’s operations are also significant issues in the cloud arena, because these concerns influence which law applies to the user’s records. By way of illustration, if a cloud provider is in an EU Member State, EU law could apply to the user’s personal data. Once EU law applies to the data, the export of the data will be subject to the EU rules restricting the transfer of data outside the EU. Thus, if US enterprises outsource their data to an EU cloud service provider based in the UK, UK data protection law could come into action and the export of the data back to the US could be prohibited or regulated. Furthermore, under UK law the data subjects could obtain rights of access, correction and more. (Gellman (2009))

Clouds are not transparent: cloud service providers rarely share details about their service, the location of their data centres and where the data is stored, and firms are not getting sufficient information regarding where their data is stored and how it is transmitted and accessed by consumers. As a result of misunderstanding and mismatch of policies and compliance between cloud users and providers, many security breaches are caused, argued Kothari (2011). Chow et al (2009) also agree that transparency is a major aspect of cloud implementation, required for regulatory controls and to address concerns about security breaches. As a result of this absence of control, major companies are still hesitant to adopt cloud services, or use them only for small services with low-confidentiality data. Even so, trusted computing is the procedure that gives the most assurance in addressing this kind of complication: a trusted monitor can monitor and audit the operations of the cloud server, provide “proofs of compliance” to the owner of the data, and verify violations of certain access policies, argued Chow et al (2009).

Heiser (2008) conveyed that cloud computing services are an externally sourced delivery method with low transparency. From a security and risk point of view, they hold the information of many millions of consumers, storing and processing customers’ information at many unknown sites, accessed by very many people. Cloud services offer economies of scale. They introduce some of the same risks as other external services and, in addition, are affected by some unique challenges. To gain more flexibility with the cloud, service providers are ready to give up things like technical staff, infrastructure, location and subcontractors.
To meet targets and maintain low costs, many service providers link with a chain of other providers, so data processing and storage are performed out of sight on behalf of a service provider, which cannot allow direct control of any invisible data. Heiser (2008) explained that to meet users’ new demands, service providers are sometimes ready to do unacceptable things. In the end, using such services makes the risk assessment of your enterprise a puzzle; he stressed that it really racks your brains to get out of the problems connected with cloud technology. Conducting a risk assessment of new cloud services should involve the CIO, and the security, compliance and privacy officers and business managers associated with the control and security of the cloud service.

In opposition to the others, Chen (2010) mentioned in his research that cloud computing and its operating systems are not new, and that the security threats of cloud technology have already been matched with those of earlier time-sharing systems (Chen (2010), Roberts (2011)). Chow and Roberts clarified that most of these issues are just reappearing. Roberts (2011) argued that most of the security threats of cloud technology are already found in present computing technology; hence there is no need to worry about the risks of the cloud, because some of the issues have already been made clear and have solutions. However, he agrees that cloud security concerns not only the user’s valuable information and could be more than that. Similarly, Chow et al (2009) also reported that many of the issues, such as trust, regulation, virtual machine attacks and web service vulnerabilities, were already found long before cloud services became well known. Another issue is viability: any service should be expected to run at least for a long period. Suppose that your service provider went out of business, went down or was acquired by another provider: what would happen to your cloud service? Is there any guarantee offered by your provider, and even if there is, can you get your data back in its previous form? How? Can you use your data normally? Is it possible to move to another service provider easily? On the other hand, cloud infrastructure is based upon virtual networks and interconnected systems. For this reason, research communities are now putting much effort into protecting the virtual networks and the operating systems on which cloud services are deployed and running, as described by researchers (Christodorescu (2009), Jensen (2009), Nurmi (2009), Perz (2008), Raj (2009), Wei (2009)).

Zhou (2010) discussed how online service portals like Amazon, eBay, buy.com and many more work as marketplaces for retail traders. As part of the business process, these retail portals collect product details and inventory data from merchants, and provide potential online buyers with an online store in which they can search for, select and buy products.
By moving their applications and retail business into the cloud, both providers and traders profit from the economics of cloud technology. Present-day social networking services are well known among people because of cloud computing. Through an online social network topology, social networking services like Facebook, Twitter and LinkedIn allow customers to interact with others. Most of these networking services work on centralised architectures and store customers' sensitive data in their data centres. According to Facebook, their clients worried about control and privacy of their public and private details stored in Facebook, and many of them thought the controls provided by the provider were too complex. Zuckerberg (2010) Zuckerberg (2010) argued that many people did not understand, or had no idea, how their private data was used and were simply bothered that it was shared in unacceptable ways. Similarly, Bilton (2010) argued that Facebook is one of the most widely used social networking services, with more than 400 million clients, but in recent times it changed its privacy policy so that client information is exposed publicly by default and users must opt out if they want to keep their data confidential. In addition, third-party websites can obtain some private data of clients.

Performance is another issue in cloud technology. Because of high access from the client side, cloud providers may run low on capacity or go down while serving all of the systems, recognised Ahmed (2010). Ahmed (2010) stated that responsibility for information management and security is transferred to the CSP. Only a responsible CSP can provide proper data communication with a foolproof cloud layout. If consumers fully rely on the provider, then consumers lose control over the hardware and information. This happens only if the consumer believes their provider is fully trustworthy. Chow et al (2009). Ahmed (2010) argued that developers have addressed a number of problems related to loss of control over the virtual network caused by high trust in the provider. If the organisation belongs to the medical field, then it is extremely important to protect its data from any threats, as it contains a person's medical information, which is highly confidential personal data. Medical data security is a very critical issue and needs to be understood completely. In addition, the data has to be verified with proper forensic techniques, argued Ahmed (2010).
Similarly, Wang et al (2009) also suggested that a Third Party Auditor (TPA) may be needed to audit the cloud provider's infrastructure and activities. Data availability and performance are also major concerns of the cloud, argued Ahmed (2009). “The cloud service requirements for image reconstruction, rendering and diagnosis require high performance machines due to large volume of data generated per day by diagnostic scanning and medical imaging like CT (Computed Tomography), MRI (Magnetic Resonance Imaging), and PET (Positron Emission Tomography) etc” explained Ahmed (2009). Hospitals and related departments always need fault tolerance and data availability, with well-equipped high-level infrastructure and large volumes of data. These large volumes contain the medical data of patients over long periods of time. The medical data is spread over various systems at various locations around the world for flexibility of storage, easy management of data and, mostly, for retrieval of data or data availability across different locations. So hospitals have the chance to outsource chunks of medical data to the cloud for data archiving, search and retrieval etc. In this case hospitals only pay the service cost, and the remaining things like security of data and availability are the cloud provider's duty, resolved Ahmed (2009).

Brodkin (2008) asked the question: can anyone trust the cloud? The users of an online cloud storage service named The Linkup said a big “no”. On August 8, The Linkup failed to access large chunks of its clients’ data and shut down, having had around 20,000 paid customers. Without any concern for their clients’ data, The Linkup simply displayed a message on their website saying that the service was no longer available and asking visitors to go to Box.net, another storage website. This is the best example to show that liability and performance assurances are very serious issues in cloud technology, argues Brodkin (2008). He criticised the CEO of The Linkup, who without accepting any responsibility said that not less than 55 percent of clients’ data was safe but gave no reply about the remaining 45%. In fact, The Linkup maintained a relationship with a company called Nirvanix to host their clients’ data and also contracted another company, known as Savvis, to host the application and database. It is still vague who bears direct responsibility for this incident. It is a big failure of direct responsibility and satisfactory service.
Here liability remains a big question in cloud services, argued Brodkin (2008). Insider access and security is a critical risk for most enterprises, since data is stored and operated outside of their network and security controls. Even though the name suggests a contrast, insider security applies equally to all outsourced services, as specified by Jansen (2011). Insider security risks are caused by employees, contractors, affiliates of the company and others who have permission to access the firm's network to process data. As a result of a lack of management and security policies in an organisation, incidents such as security breaches, fraud, sabotage of services and resources, and theft of data can occur, argued Jansen (2011). Outsourcing applications and information to the cloud broadens the scope of the insider security threat: the insider may be not only the enterprise's own staff or the service provider's employees, but also a client using the service. The impact of these types of attacks can be at its greatest on cloud networks, where data and resources are shared between large numbers of clients, clarified Jansen (2011). For instance, an attacker recently showed how Amazon's cloud platform, known as Elastic Compute Cloud (EC2), was vulnerable to resource theft attacks. An attacker enters EC2 as an authorised user, creates initial accounts, boots up a number of virtual machines and is thereby able to steal valuable processing time, computing bandwidth or the resources of other users. It was demonstrated successfully that, using this insider denial of service (DoS) attack, an attacker paying only once for an Amazon Machine Instance (AMI) could create more copies without paying again (Amazon (2012), Marco (2009)).

Chow et al (2010) categorised the security risks of the cloud into three main areas: traditional security, availability and third-party data control. The first involves computer, network and provider related issues such as cloud provider vulnerabilities, platform level and virtual machine (VM) level threats, authentication and authorisation, and cloud network risks. Availability addresses primarily data availability, applications and uptime, single points of failure and assurance of data integrity. The last concerns due diligence, auditability, contract issues, cloud provider espionage and data lock-in. The widespread adoption of cloud computing raises new challenges such as authentication, cheap data and data analysis. The rise of cloud computing as a technology has made data collection and data analysis cheap even with low-level infrastructure, argues Chow. For instance, Google earns money through its massive advertising network by using its own cloud base to gather and analyse enormous amounts of data very cheaply, argued Chow et al (2010).
He revealed that, as a result of cheap data mining, the cloud becomes a target for attackers, who can massively harvest centralised databases and run analysis to obtain critical sensitive data. Google's cheap data mining and search results have caused further privacy issues. Chow et al (2009) explained that, due to these security concerns and privacy policy issues, EPIC sent a warning to Google to shut down Gmail, Google Docs, Google Calendar and its other applications until appropriate privacy policies and government-approved safeguards are applied. But a senior counsel for Google argued that "privacy by design is ingrained in our culture, and security is one of our fundamental design principles", and that if clients are not satisfied with the security of its products they can transfer their data elsewhere. Also, cloud computing is a new marketplace, and more and more cloud service providers are entering the market with more services, explained Condon (2009).

Still, there are some advantages in the cloud model: rather than purchasing and installing licensed software on client systems, the client can simply authenticate in order to use such applications. Hence it may prevent piracy and the sharing of vital information. Though moving towards cloud computing is reasonable, outsourcing data and applications fully to cloud services is likely to increase threats like phishing and the lifting of users' credentials, argued Chow et al (2009). As adoption of the cloud rises, more cloud providers are doing mash-ups of data. Alas, more mash-ups of data may raise security jeopardies like data leaks and a growing number of data sources. On the other hand, centralised access may or may not control such threats, argued Chow et al (2009). He mentioned that some approaches are available to extend control of data in the cloud network. One is information-centric security, in which the protection of data switches from being protected from outside to the data protecting itself from inside. This is a natural extension of the most powerful, finer-grained and usable data protection approaches. But this self-protection method requires some intelligence regarding the data and its territory. In this approach data must be packed with encryption and a usage policy. Data should be accessed only after consulting its policy, processed in secure conditions using virtualisation, and be available only if the environment is trustworthy or authorised. More enterprises are worried about the lack of transparency of cloud services and are afraid to load their data into the cloud. Similar to other researchers, Chow et al (2009) also suggested that, to avoid such doubts and worries, data owners need to audit the cloud infrastructure to learn how data is supervised in the cloud and to verify whether there are any data leaks or misuses, and that repeatable, tamper-proof audit trails should be carried out whenever any data disruption happens.
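The information-centric (self-protecting) data approach described above, as an added example that is not code from Chow et al (2009) or from the thesis: the encrypted payload travels with its usage policy, the policy is covered by the integrity tag so a provider or mash-up partner cannot loosen it, and decryption happens only after the policy has been consulted against the requester's identity, purpose, environment and time. The policy fields, the record, the `vm-measurement-A1` value standing in for an attested environment measurement, and the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for AES-GCM) are all assumptions of this example.

```python
"""Constructed example of information-centric, self-protecting data: ciphertext bundled with an
authenticated usage policy that is consulted before the data is released (encrypt-then-MAC)."""
import hashlib
import hmac
import json
import secrets


class PolicyViolation(Exception):
    """Raised when the package refuses to open."""


def derive_key(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one owner secret.
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def canonical(policy: dict) -> bytes:
    # Canonical JSON so the same policy always produces the same bytes under the MAC.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def package(master: bytes, plaintext: bytes, policy: dict) -> dict:
    """Owner side: encrypt, then MAC policy || nonce || ciphertext so the policy is tamper-evident."""
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(plaintext, keystream(derive_key(master, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(derive_key(master, b"mac"), canonical(policy) + nonce + ct,
                   hashlib.sha256).hexdigest()
    return {"policy": policy, "nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag}


def check_policy(policy: dict, ctx: dict) -> None:
    """The 'intelligence' the data carries: who may use it, for what, where and until when."""
    if ctx["now"] > policy["not_after"]:
        raise PolicyViolation("expired")
    if ctx["principal"] not in policy["allowed_principals"]:
        raise PolicyViolation("principal not allowed")
    if ctx["purpose"] not in policy["allowed_purposes"]:
        raise PolicyViolation("purpose not allowed")
    # ctx["environment"] stands for an attested measurement of the VM or enclave asking for the data.
    if ctx["environment"] not in policy["trusted_environments"]:
        raise PolicyViolation("untrusted environment")


def open_package(master: bytes, pkg: dict, ctx: dict) -> bytes:
    """Consumer side: verify the package is intact, consult the policy, only then decrypt.
    In a real deployment `master` would be released by a key server only after attestation;
    it is in-process here so the example runs stand-alone."""
    nonce, ct = bytes.fromhex(pkg["nonce"]), bytes.fromhex(pkg["ciphertext"])
    expected = hmac.new(derive_key(master, b"mac"), canonical(pkg["policy"]) + nonce + ct,
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pkg["tag"]):
        raise PolicyViolation("package or policy tampered")
    check_policy(pkg["policy"], ctx)
    return xor_bytes(ct, keystream(derive_key(master, b"enc"), nonce, len(ct)))


def try_open(master: bytes, pkg: dict, ctx: dict):
    """Convenience wrapper returning (True, plaintext) or (False, reason)."""
    try:
        return True, open_package(master, pkg, ctx)
    except PolicyViolation as exc:
        return False, str(exc)


# Constructed sample policy for a record a hospital might archive with a cloud provider.
SAMPLE_POLICY = {
    "allowed_principals": ["radiology@hospital.example"],
    "allowed_purposes": ["diagnosis"],
    "trusted_environments": ["vm-measurement-A1"],
    "not_after": 1_700_000_000,
}

if __name__ == "__main__":
    master = secrets.token_bytes(32)
    pkg = package(master, b"patient 0042: CT scan report (constructed)", SAMPLE_POLICY)
    ok_ctx = {"principal": "radiology@hospital.example", "purpose": "diagnosis",
              "environment": "vm-measurement-A1", "now": 1_600_000_000}
    print(try_open(master, pkg, ok_ctx))
    print(try_open(master, pkg, dict(ok_ctx, purpose="advertising")))
    pkg["policy"]["allowed_purposes"].append("advertising")  # a provider tries to loosen the policy
    print(try_open(master, pkg, dict(ok_ctx, purpose="advertising")))
```

The point of binding the policy into the MAC is the mash-up concern in the paragraph above: a party that holds the ciphertext can copy it anywhere, but cannot widen the purposes or environments it is allowed to be opened in without the tag failing.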
Trusted Computing is another assured procedure to address transparency in the cloud. Encryption is another strategy to regain control of data in the cloud domain. But there is a problem with encryption: it throttles data utilisation. Besides that, searching and indexing of data are also troublesome (Chow et al (2009)). In hybrid public and private cloud technologies, the risk of services and data going out of control is very high, because all the information has to be protected using encryption, and key management can turn out to be a difficult task in such cases, argued Bhadauria (ND). Jansen (2011) described that the physical location of the cloud infrastructure is decided by the cloud service supplier. A virtual machine monitor, or hypervisor, is an additional layer of software between the operating system and the hardware. It manages virtual machines (VMs) and applications and performs administrative operations. Nevertheless, the handling and complexity of VM environments can be more unmanageable than traditional computing. Operations like paging, checkpointing and migration are involved with virtual machines; for that reason it is easy to subvert protection mechanisms in operating systems, and VMs can leak confidential data as well. Along with that, the hypervisor can also be undermined. For example, the downfall of nearly 100,000 virtual-server-based web sites at Vaserv.com, due to a zero-day exploit in version 2.0.7992 of the HyperVM virtualisation application, illustrates the problem domain (Goodin (2009)). Prevention is better than cure, in that detecting and blocking an attack before the system has been compromised is better. Similarly, deploying intrusion detection systems in the cloud architecture can protect it from possible security threats (Dhage (2011)). Jansen (2011) reported that duplication of physical network protections might be beneficial against harmful intra-host attacks and loss of visibility. A successful defence against threats requires a secure client, secure infrastructure and a secure cloud service provider.

Ownership, portability and interoperability are also important aspects of cloud computing which cause conflicts between cloud users and cloud providers. The question of who owns the cloud providers is still unanswered; it is a mysterious question in the cloud domain. Almost all users in the cloud do not know who the real owner of their cloud service provider is, because the cloud provider's terms of service do not allow them to reveal who actually owns the service, whether it might be a subsidiary of another company, a local government agency or a foreign agency. This leads to many problems, such as privacy issues.
For instance, if a local government body owns the provider, the terms of service may allow it to share all of the users' information with its affiliates and intelligence agencies, and the information may be obtained by prosecutors without any notice. There are some possibilities which could lead to the transfer of user information along with the cloud provider's service and operations. These include the sale of the cloud provider's company or service, or termination for several reasons. Another risk here is that bankruptcy will put an end to the cloud service provider without any further notice, after which the users' valuable information tends to be sold or transferred to other companies. In the end, users who did not maintain a local backup of data stored in the cloud can lose the data forever (Gellman (2009)).

Horrigan (2008) reported that 90% of cloud application users are worried about their data in the cloud if the company at which the data is stored were to be sold to another party. In some cases companies need to move their applications from one provider to another if they do not find the best matched platform with the present provider. Issues of portability and interoperability arise when enterprises cannot transfer their data and applications after finding a cloud platform better suited than the current one. To complete a specific task, various types of cloud platforms should interact with each other, or sometimes a particular platform is required for a particular type of application. To handle these issues, the infrastructure of both the firm and the cloud must keep a balance to manage interoperability among separate cloud platforms (Bhadauria (2011)).

Conclusion:
This literature review addressed various issues in cloud computing from multiple perspectives which have not been well covered previously. It discussed issues like security, privacy, reliability and more, which have been found to be important for both users and providers; those who are ready to adopt, or are already using, cloud computing technology may find this review useful. Along with that, some procedures and applications like information-centric security, encryption, usage policy, trusted computing and TPA are presented to prevent problems and to establish more manageable security in their environment. This literature review addresses some of the following research questions:

o Issues which are dealt with by cloud computing and its environment

o Security issues which are challenging cloud computing

The review of the literature conducted on issues in cloud computing has given in-depth focus on the subject to new researchers, or to researchers who are in a similar research field, and leads to new research.

Future research questions:

o Perceptions of cloud users and providers towards laws and regulations around the world.

o Review of current security schemes in the cloud.

References:

Ahmed, S. and Raja, M. Y. A. (2010) Tackling Cloud Security Issues and Forensics Model, In Proc. IEEE, 2010.

Amazon (2012) Amazon Elastic Compute Cloud (Amazon EC2), [www], Available from: http://aws.amazon.com/ec2/ [Accessed 01/08/12].

Bhadauria, R., Chaki, R., Chaki, N. and Sanya, S. (2011) A Survey on Security Issues in Cloud Computing, arXiv.org, arXiv:1109.5388.

Bilton, N. (2010) Price of Facebook Privacy? Start Clicking, The New York Times, 12 May 2010, [www], Available from: http://www.nytimes.com/2010/05/13/technology/personaltech/13basics.html [Accessed 01/08/12].

Brodkin, J. (2008) Loss of customer data spurs closure of online storage service 'The Linkup', [www], Available from: http://www.networkworld.com/news/2008/081108-linkup-failure.html [Accessed 03/08/12].

Chen, Y., Paxson, V. and Katz, H. R. (2010) What's New About Cloud Computing Security?, Technical Report No. UCB/EECS-2010-5, Berkeley, 2010, [www], Available from: http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html [Accessed 05/08/12].

Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R. and Molina, J. (2009) Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control, ACM, CCSW'09, November 13, 2009, Chicago, Illinois, USA.

Christodorescu, M., Sailer, R., Schales, L. D., Sgandurra, D. and Zamboni, D. (2009) Cloud Security is not (just) Virtualization Security, In Proc. CCSW, 2009.

Condon, S. (2009) FTC questions cloud-computing security, CNET, March 17, 2009, [www], Available from: http://news.cnet.com/8301-13578_3-1019857738.html?part=rss&subj=news&tag=2547-1_3-0-20 [Accessed 05/08/12].

Cosgrove, B. and Determann, L. (2012) Data Privacy in the Cloud: A Dozen Myths & Facts, March 7-9, Washington DC, IAPP Global Privacy Summit, [www], Available from: https://www.privacyassociation.org/media/presentations/12Summit/S12_Privacy_Compliance_PPT.pdf [Accessed 05/08/12].

Dhage, S. N., Meshram, B. B., Rawat, R., Padawe, S., Paingaokar, M. and Misra, A. (2011) Intrusion Detection System in Cloud Computing Environment, International Conference and Workshop on Emerging Trends in Technology (ICWET 2011), TCET, Mumbai, India.

Gellman, R. (2009) Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, World Privacy Forum, Feb 23, 2009.

Goodin, D. (2009) Webhost Hack Wipes Out Data for 100,000 Sites: Vaserv suspects zero-day virtualization vuln, The Register, June 8, 2009, [www], Available from: http://www.theregister.co.uk/2009/06/08/webhost_attack/ [Accessed 05/08/12].

Heiser, J. and Nicolett, M. (2008) Assessing the Security Risks of Cloud Computing, Gartner, 3 June 2008, [www], Available from: http://cloud.ctrls.in/files/assessing-the-security-risks.pdf [Accessed 08/08/12].

Horrigan, J. (2008) Use of Cloud Computing Applications and Services, Pew Internet, Pew Research Center, Sep 12, 2008.

Ion, I., Sachdeva, N., Kumaraguru, P. and Čapkun, S. (2011) Home is Safer than the Cloud! Privacy Concerns for Consumer Cloud Storage, Symposium on Usable Privacy and Security (SOUPS) 2011, July 14-16, 2011, Pittsburgh, PA, USA.

Jansen, W. A. (2011) Cloud Hooks: Security and Privacy Issues in Cloud Computing, In Proc. 44th Hawaii International Conference on System Sciences, 2011.

Jensen, M., Schwenk, J., Gruschka, N. and Iacono, L. L. (2009) On Technical Security Issues in Cloud Computing, In Proc. CLOUD, 2009.

Kotari, P. (2011) Building Trust in the Cloud, Silicon India, US Edition, [www], Available from: http://www.siliconindia.com/magazine_articles/Building_Trust_in_the_Cloud-UNPN806818863.html [Accessed 10/08/12].

Marco (2009) BlackHat presentation demo vids: Amazon, SensePost, [www], Available from: http://www.sensepost.com/blog/3797.html [Accessed 10/08/12].

Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L. and Zagorodnov, D. (2009) The Eucalyptus Open-Source Cloud-Computing System, In Proc. CCGRID, 2009.

O'Shea, D. (2011) How to Move Your Business Data into the Cloud -- Safely, Entrepreneur, September 1, 2011, [www], Available from: http://www.entrepreneur.com/article/220230 [Accessed 10/08/12].

Perez, R., Doorn, L. V. and Sailer, R. (2008) Virtualization and Hardware-Based Security, In Proc. IEEE S&P, 2008.

Popović, K. and Hocenski, Z. (2010) Cloud computing security issues and challenges, MIPRO 2010, May 24-28, 2010, Opatija, Croatia.

Raj, H., Nathuji, R., Singh, A. and England, P. (2009) Resource Management for Isolation Enhanced Cloud Services, In Proc. CCSW, 2009.

Roberts, J. C. and Al-Hamdani, W. (2011) Who Can You Trust in the Cloud? A Review of Security Issues Within Cloud Computing, ACM, Information Security Curriculum Development Conference 2011, October 7-9, 2011, Kennesaw, GA, USA.

Wang, C., Wang, Q., Ren, K. and Lou, W. (2009) Ensuring Data Storage Security in Cloud Computing, IEEE, 2009.

Wang, C., Wang, Q., Ren, K. and Lou, W. (2010) Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing, IEEE INFOCOM 2010.

Wei, J., Zhang, X., Ammons, G., Bala, V. and Ning, P. (2009) Managing Security of Virtual Machine Images in a Cloud Environment, In Proc. CCSW, 2009.

Weissberger, A. (2009) ACLU Northern CA: Cloud Computing - Storm Warning for Privacy?, [www], Available from: http://viodi.com/2009/02/13/aclu-northern-ca-cloud-computing-storm-warning-for-privacy/ [Accessed 10/08/12].

Zhou, W., Sherr, M., Marczak, R. W., Zhang, Z., Tao, T., Loo, T. B. and Lee, I. (2010) Towards a Data-centric View of Cloud Security, ACM, CloudDB 2010, October 30, 2010, Toronto, Ontario, Canada.

Zuckerberg, M. (2010) From Facebook, Answering Privacy Concerns with New Settings, The Washington Post, 24 May 2010, [www], Available from: http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052303828.html?sub=AR [Accessed 10/08/12].


Chapter FOUR: Related Research

Introduction:
The name “cloud computing” has been popularised in the computing world over the past few years as a new technology in which users can transmit and access data through the cloud network. Long ago, users operated mainframe computers with very little computing capability. With the introduction of personal computing systems from the late 1980s, users had a little more processing power to access basic applications like document and spreadsheet processing. Large enterprises used the same computers to implement networks; data transfers might have started then, and floppy disks were used to carry data from one system to another. Everything changed when the internet became available in the 1990s: desktop usage increased, not only for word processing but also for accessing data online through the World Wide Web. Because people found the World Wide Web very efficient, they started accessing the internet from their desktops at home and from their offices. After that, developments in advanced technologies led to an increase in decentralised systems and more distributed computing platforms. Low-cost storage, the rise of high-speed data, the emergence of wireless networks and the rapid increase of handheld devices for accessing the internet all together indirectly revealed that a user can access data stored in a data center. Users can browse the web and access information from various types of systems, through wired or wireless network connections, including desktops, laptops and handheld devices. But clients faced many problems managing and accessing their information, which may be stored on different devices. Here cloud computing entered: it allows users to purchase access to information and applications which reside in data centers. Cloud technology is useful for both small and large scale companies, particularly for companies running across broad locations, such as special software or applications running from various locations to perform information-oriented operations. In this case, without grid networked computing, accessing data and software may be practically unachievable. The computing resources are spread across different places beyond the user's location, and the ability to access them comes from the cloud. At present, for normal internet users, cloud computing is an online activity for accessing information and applications. They may use a wide range of devices on different networks, such as desktops, laptops and smart phones connected through WiFi or wired networks (Horrigan (2008)).


Computing has changed into a service model composed of several services which are served and delivered and have become part of users' lives, similar to utilities such as water, electricity, internet and more. These services are performed according to customer requirements, regardless of where the service is located. Various computing technologies like grid computing and P2P computing promised to deliver this type of utility computing idea in the past, and now cloud computing has also entered this mission. To catch up with modern cloud computing capability, some prominent companies such as Amazon, Google, Microsoft, IBM and Sun Microsystems started to create their own clouds and deployed them at various locations across the globe. Currently some popular clouds are available, such as Amazon EC2, Google, Microsoft and Salesforce.com, and these can fall under any of the cloud classification models depending upon the model they offer. To achieve faster response times, enterprises with global operations distribute their workload to multiple clouds in different places at the same time. This demands setting up a more efficient cloud environment for dynamically interconnecting and operating clouds from a number of areas in the world (Buyya (2010)). As mentioned in the introduction, cloud computing is available in many models and services, and some definitions have been generated to explain cloud technology. It is very essential and helpful to discuss those models and the services that clouds implement and offer. The following sections contain the definitions of cloud computing, the various deployment models and the services.

4.1 Definitions:
According to NIST, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. It consists of some essential characteristics, service models and deployment models (Mell (2011)). Buyya et al (2010) defined: "A Cloud is a type of parallel and distributed system consisting of a collection of interconnected and virtualised computers that are dynamically provisioned and presented as one or more unified computing resources based on service-level agreements established through negotiation between the service provider and consumers.”


4.2 Cloud architecture:
Cloud architectures overcome difficulties such as large-scale data processing, where traditional data centers find it difficult to add more machines as application requirements grow. Distributing and organising a high-profile job across multiple machines, adding more machines if needed, scaling and dynamic workloads are all supported by the cloud architecture. Resources in the cloud architecture are utilised on a pay-as-you-go, on-demand basis for a short span or a long duration, thus providing high efficiency and cost reductions with more profit. Basically, cloud computing is composed of three parts, shown in the figure "Cloud architecture": cloud application services, cloud platform services and cloud infrastructure services.

The deployment models of cloud computing may also be present in separate or mixed ways, which can also influence the security and privacy implications of the cloud environment.

4.3 Cloud Models:
According to NIST, there are primarily four types of cloud models, called public cloud, private cloud, community cloud and hybrid cloud, as represented in the figure below.


4.3.1 Public cloud: Here resources are made openly available to the general public by a service provider, and the cloud may be owned and operated by an organisation, government body, academic institution, or a combination of them. Services in a public cloud might be freely available or sometimes offered as a pay-per-usage service. Deployment of a public cloud is easy and economical, and the infrastructure cost, including software, hardware and network bandwidth, is covered by the cloud provider. Resources are utilised affordably, paying only for how much is used or needed. Amazon's EC2, IBM Blue Cloud and Google AppEngine are examples of public cloud services (Mell (2011), Rouse (2009)).

4.3.2 Private cloud: A private cloud is also known as a corporate cloud or internal cloud, and the infrastructure of this model is operated by an enterprise consisting of many clients. It is a proprietary computing model serving only a limited set of customers behind a firewall. The private cloud model is a derivative of the public cloud, running on a private network and operated for one organisation. Advances in virtualisation and distributed computing have made many corporate companies become service providers to support and meet the needs of their clients (Rouse (2009), Smoot (2012)).

4.3.4 Community cloud: In a community cloud the infrastructure is shared and serviced between several organisations from a particular group with common computing concerns, like security, regulatory compliance, jurisdiction or audit requirements. A community cloud provides the benefits of a public cloud, such as multi-tenancy and a pay-as-you-go billing system, as well as private cloud features like an extra level of privacy, security and policy compliance controls. The community cloud is operated either internally or by a third-party managed service provider, and similarly it is hosted either on-premises or off-premises (Rouse (2012)).

4.3.5 Hybrid cloud: A hybrid cloud infrastructure is a composition of two or more cloud infrastructures (private, community or public), which remain distinct entities but are combined to offer the benefits of multiple models. It can be formed in two ways, shown in the figure below: a vendor with a private cloud may form an association with a public provider, or a public provider forms an association with a private cloud vendor. In the hybrid model the cloud provider manages and provides some services internally and others externally. Similar to the public cloud model, a hybrid cloud environment provides advantages such as affordability and scalability without exposing sensitive data to third-party vulnerabilities (Rouse (2010), Mell (2011)).


4.4 Cloud Services:
Different cloud types are described in the deployment model based upon how the infrastructure is deployed. Development in cloud computing has led different cloud providers to offer clouds with different services. These sets of services created another set of definitions, named the service models of the cloud. Universally, three types of service are accepted, all shown in the form XaaS, or “... as a Service”. The three services are SaaS, PaaS and IaaS.

4.4.1 Software as a Service (SaaS): The provider allows customers to use the available applications on a cloud platform. These applications are accessible through a thin client interface such as a web browser from different client devices. In this type the provider does not allow consumers any control of the infrastructure, including operating systems, servers, storage, network and any separate application capabilities, though limited application configuration settings are provided. Oracle On Demand, SalesForce.com and SQL Azure are the best examples of SaaS cloud services.

4.4.2 Platform as a Service (PaaS): Clients have the capability to deploy their own applications on the provider's cloud infrastructure, where those applications' programming languages and tools are supported by the provider. The customer does not control the cloud infrastructure, including operating systems, servers, storage and network, but has control of their own deployed applications and possibly of the configuration of the application hosting environment. Examples include Windows Azure Platform, Google AppEngine, Force.com and more.

4.4.3 Infrastructure as a Service (IaaS): The client is given the capability to provision processing, storage and other primary resources, on which the customer can install and run arbitrary software. As with the other services, the consumer does not have any control over, or capability to manage, the provider's cloud infrastructure, but has control over operating systems, servers, storage and user-deployed applications, with limited control over the selection of network devices like firewalls. Examples include Amazon's EC2, Eucalyptus, Terremark and more.


Figure: SPI model with software, platform and infrastructure. Source: Smoot (2011)

Figure: SPI model with services. Source: Smoot (2011)

The combination of the three service models is referred to as the SPI model. In the SPI model the three classes of capabilities sit on top of the physical infrastructure of the cloud, as represented in both SPI model figures. IaaS is the base for PaaS and PaaS is the base for SaaS, or they can be individual. However, the implementation of the services may depend upon the service provider. Beyond SaaS, PaaS and IaaS, some other specialised services have been placed in the SPI model, such as Data center as a Service, Security as a Service, Monitoring as a Service and Identity as a Service (Smoot (2011)).

4.5 Characteristics of Cloud computing:
Peter Mell and Tim Grance of NIST defined five essential characteristics of cloud computing systems:

4.5.1 On-demand self-service: A customer can provision computing resources like server time and network storage without any personal contact with the service provider.

4.5.2 Broad network access: Consumers can access resources available over the network using standard mechanisms that allow platform-independent access from heterogeneous thick and thin platforms like laptops, mobile phones and PDAs.

4.5.3 Resource pooling: The service provider pools resources for multiple clients in a multi-tenant model; different physical and virtual resources are allocated and reallocated dynamically according to client demand. The main idea of resource pooling is a sense of location independence, in that the consumer has no control or knowledge over the location of resources such as storage, memory, processing, network bandwidth and connectivity, and also virtual machines.

4.5.4 Rapid elasticity: Resources can be provisioned both rapidly and elastically. Capabilities may be added automatically or manually, by either scaling out or scaling up systems. From the client side, the resources available for provisioning appear to be unlimited and can be purchased at any time.

4.5.5 Measured service: Cloud systems automatically control and optimise resource utilisation through measuring, auditing and reporting to clients using a metered system. Resource usage can be monitored, controlled and reported, providing transparency for both consumer and provider. A consumer pays the bill based on metrics, for example the amount of data stored, data used, number of transactions, processing power, network bandwidth and so forth.


4.6 Advantages:
The five essential characteristics of the cloud are also considered benefits of cloud computing, and some further advantages follow:

4.6.1 Low cost: Cloud computing networks run at greater efficiency and top utilisation at affordable cost. Infrastructure is provided by the service provider and does not need to be purchased.

4.6.2 No extra licences: Depending on the kind of service being utilised, the client may find there is no need to pay for extra software or hardware licences for the service implementation. Most resources are provided by the vendor, with no need to buy them either once or repeatedly.

4.6.3 Quality of service: Consumers may get assured quality of service from the provider under contract.

4.6.4 Reliability: The scaling in cloud networks makes cloud computing more reliable than computing within a single company. Scaling can provide load balancing and automatic failover to make a very reliable service. NIST (2011) stated that “Redundancy and disaster recovery capabilities are built into cloud computing environments and on-demand resource capacity can be used for better resilience when faced with increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents. When an incident occurs, an opportunity also exists to contain attacks and capture event information more readily, with greater detail and less impact on production”.

4.6.5 Strong platform: Compared to traditional computing centers, cloud computing architecture is more uniform. Greater uniformity and homogeneity therefore make platform hardening easier and encourage automation of security activities, including security audits, vulnerability testing and configuration control (NIST (2011)).

4.6.6 Backup and recovery: In general, the backup and recovery procedures of the vendor might be of higher quality and more robust than the client company's. In the cloud network, data availability and faster data reload are in many cases more reliable than in traditional data centers. Scalability in the cloud provides greater availability, while cloud services could work as an offsite repository for a company's data center, subject to offsite storage and local compliance requirements.

4.6.7 Mobile endpoints: Advances in cloud technology provide service endpoints that clients use to access hosted applications and services. Service clients can be web browsers or special-purpose applications, and they can be lightweight or embedded computing devices, which benefits a wider mobile workforce using laptops, notebooks, tablets, and smartphones.

4.6.8 Data concentration: For an enterprise with a mobile workforce, data processed in a public cloud with controlled access may present fewer threats than data processed on portable computers and other devices. Hence many enterprises support access to enterprise data through mobile devices to improve workflow, productivity and operational efficiency. NIST (2011)

4.6.9 Easy IT maintenance: Cloud clients need not worry about managing the company's IT infrastructure; once the cloud deployment is done, the vendor can manage the computing infrastructure. Even without employing much IT staff, companies may achieve significant IT maintenance and cost reductions. Because cloud computing is a centralised system, consumers have access to the latest versions of software and can easily apply patches and upgrades.

4.7 Disadvantages: On the other hand, cloud computing also brings some potential disadvantages along with its advantages. Some of these include the following:

4.7.1 Complexity of environment: Compared to traditional data centres, cloud computing environments are very complex because of their multiple interconnections and resource pooling. Far more capabilities and components are involved in cloud computing than in normal computing, including storage, virtual machines, applications, supporting middleware and management activities such as resource metering, data replication and recovery, workload management, and more. Upgrades and improvements to all of these compound the complexity of the cloud environment. Security relies not only on the correctness of devices but also on the interactions between them; as the number of interactions between devices increases, so does the degree of complexity. Cloud providers often face challenges in understanding and securing application interfaces because of this complexity, since complexity is commonly inversely related to security. NIST (2011)

4.7.2 Multi-tenant culture: In a public cloud, clients normally share resources and components with other clients who are unknown to them. Instead of physical separation of resources as a control, cloud computing relies entirely on logical separation at multiple layers of the application stack, and logical separation is a significant problem that is made worse by the scale of cloud computing. In a multi-tenant environment an attacker can pose as a client to exploit vulnerabilities in the cloud environment and may gain unauthorised access to resources. Access to resources and vital data could also inadvertently be revealed to others, or destroyed, through a software crash or misconfiguration. Sharing resources or infrastructure with unknown parties can be a major threat for resources that need a high level of security and privacy.

4.7.3 Loss of control: Moving to the cloud shifts control of, and responsibility for, data and components to the service provider. The shift to the cloud is generally accompanied by a lack of knowledge about the management of operations and decisions regarding the cloud infrastructure. This makes the company rely on the cloud provider to manage activities that involve responsibilities on both sides, such as constant monitoring, auditing, security, and incident response. Loss of control over both the physical and logical sides to the provider can strip the corporation of capabilities including situational awareness, the ability to set priorities, and the handling of many privacy and security issues that are critical to the corporation. Furthermore, legal protections for security and privacy may also be ineffective when data is stored in a third-party service provider's domain.
4.7.4 Network risks: Cloud services are delivered over the internet; management and account access are accomplished through administrative interfaces, and access to deployed applications is obtained through non-administrative interfaces. In the past, access to and processing of applications and data took place only on the organisation's premises through the intranet, where the intranet zone safeguarded them against network hazards; once moved to a public cloud, these hazards must be confronted. Exposing the interfaces through the internet attracts new threats. Compared to conventional data centres, putting assets in the cloud and accessing them through remote administrative access over the internet may maximise risk.


Taking all of the previous disadvantages together, such as complexity of environment, loss of control, and a multi-tenant culture whose services run on the internet and are accessed by others, the cloud is certainly affected by a larger probable attack surface.


Chapter Five: Security Issues in cloud computing

5.1 Introduction: In the cloud computing domain, resources such as information and applications are not stored on the client's computer or on the customer organisation's premises; those resources are accessed over the internet from any internet-enabled device, from anywhere one can reach the web. This could be the main reason for the rise of so many risks regarding security, privacy and other matters. Kandukuri et al. (2009) argued that many organisations are using cloud computing as a service and that doing so critically tests the privacy and security of their organisations' operations and applications. Assurance of the security of an organisation's data in the cloud domain is not yet fully established. Service providers offer various services such as SaaS, PaaS, and IaaS, and each service has its own weaknesses and security concerns. Chow et al. (2009) stated that security is one of the top priorities for cloud computing users, in answer to the question of which security issues hold back the adoption of cloud computing. Ion et al. (2011) reported that cloud storage is boosting the emergence of the cloud while also posing security and privacy risks, and that analysis of security and privacy has concentrated only on enterprise-level clouds; ignoring end-user privacy and security, however, can cause severe problems such as exposure of users' private data to hackers. Threats to data availability, integrity, and confidentiality are affected by the privacy policies, compliance, and Terms of Service (ToS) of the cloud provider. It is very common in cloud environments, in the free cloud service scenario, that the user has no assurance against data loss or about quality of service, that accounts may be removed without prior notification, and that the service may be stopped or terminated at any time.

Nowadays many organisations can be seen adopting cloud computing in their IT business because of its attractive economic and cost benefits. Along with its benefits, however, cloud computing also brings some significant security and privacy concerns. Even though cloud technology is a recent and still-developing technology, an understanding of its crucial security concerns can be derived from reported incidents and from research conducted on present cloud infrastructure and its technologies. The security and privacy issues accepted as long-term critical issues for cloud computing are described in the following sections.


5.2 Authentication: In the cloud, many service providers use the SAML standard for authentication to allow users to access data and applications. However, security validation of SOAP messages is very difficult, as it requires a high degree of skill and must be carried out systematically to detect attacks. For instance, a recent demonstration showed XML wrapping attacks succeeding against a public cloud. Generally some parts of the SOAP message are signed to assure message integrity, and any modification to the signed data is easily detectable. With an XML signature wrapping attack, however, an attacker can change or replace the signed part with malicious content without invalidating the signature. WS (2011)

5.3 Access control: In the cloud environment, service providers use standards to control access to resources through identity management, of which XACML (eXtensible Access Control Markup Language) is one. XACML can control proprietary service interfaces but does not specify any protocols, transport mechanisms, or validation of user credentials. Third parties such as hackers may obtain unauthorised disclosure of messages in transit between XACML entities by using attacks such as message replay, deletion, and modification.

5.4 Hypervisor: In a cloud network a hypervisor, or virtual machine monitor, is an additional piece of software between the operating system and the hardware, used to manage multiple virtual machines in a multi-tenant model. A hypervisor usually supports an application interface for administrative operations including creating, starting, migrating and terminating virtual machines or instances. It involves many more components and operations than traditional, non-virtualised environments. Many operations, methods, channels and data items are exposed to attackers who may exploit vulnerabilities; for instance, paging, checkpointing, and migration of virtual machines may expose private information.

In a cloud environment the hypervisor acts as the manager, so if the hypervisor itself is compromised, all systems in its domain can potentially be compromised. Several security threats related to hypervisor implementations have also been found recently by security groups and hackers, such as hypervisor holes created by vulnerabilities found in virtual machines. Once an attacker gains access to the hypervisor, they may also gain access to the other instances running on that system. Through these hypervisor holes a hacker can thus gain unauthorised access, steal sensitive data, and disrupt services.
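The XML signature wrapping problem described in section 5.2, as an added example that is not part of the thesis or of any cited project: a minimal envelope signer and two message consumers, one that dereferences the Body by position after checking the signature (the mistake that wrapping exploits) and one that acts only on the element whose digest was actually verified. The envelope layout, the key and all messages are constructed, and an HMAC over the Reference stands in for XML-DSig's RSA signature and canonicalisation.

```python
"""Added example (not from the thesis): why a SOAP/SAML consumer must act on the
element that was actually signature-checked, not on an element found by position.
Signatures are simplified: an HMAC over the Reference stands in for XML-DSig's
RSA signature and canonicalisation. Envelope layout, key and messages are constructed."""
import copy
import hashlib
import hmac
from typing import Optional
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-signing-key"   # constructed; stands in for the signer's key

# Constructed request: the Body carries the Id that the signature will reference.
ORIGINAL = '<Envelope><Header/><Body Id="body"><Op>ListInstances</Op></Body></Envelope>'


def canonical(elem: ET.Element) -> bytes:
    """Simplified canonicalisation: serialise the element alone, without its tail."""
    e = copy.deepcopy(elem)
    e.tail = None
    return ET.tostring(e)


def sign(envelope_xml: str, ref_id: str = "body") -> str:
    """Sign the element carrying Id=ref_id and embed the signature in the Header."""
    root = ET.fromstring(envelope_xml)
    target = next(e for e in root.iter() if e.get("Id") == ref_id)
    digest = hashlib.sha256(canonical(target)).hexdigest()
    sig = ET.SubElement(root.find("Header"), "Signature")
    ET.SubElement(sig, "Reference", URI=f"#{ref_id}", DigestValue=digest)
    mac = hmac.new(KEY, f"#{ref_id}:{digest}".encode(), "sha256").hexdigest()
    ET.SubElement(sig, "SignatureValue").text = mac
    return ET.tostring(root, encoding="unicode")


def verify(root: ET.Element) -> Optional[ET.Element]:
    """Return the element the signature covers, or None if the signature is invalid."""
    sig = root.find("Header/Signature")
    ref = sig.find("Reference") if sig is not None else None
    if ref is None:
        return None
    uri, digest = ref.get("URI", ""), ref.get("DigestValue", "")
    mac = hmac.new(KEY, f"{uri}:{digest}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, sig.findtext("SignatureValue", "")):
        return None
    matches = [e for e in root.iter() if e.get("Id") == uri.lstrip("#")]
    if len(matches) != 1:            # ambiguous Id references are rejected outright
        return None
    if hashlib.sha256(canonical(matches[0])).hexdigest() != digest:
        return None
    return matches[0]


def process_vulnerable(envelope_xml: str) -> Optional[str]:
    """Checks the signature, then dereferences the Body by position: the classic mistake."""
    root = ET.fromstring(envelope_xml)
    if verify(root) is None:
        return None
    return root.find("Body/Op").text


def process_hardened(envelope_xml: str) -> Optional[str]:
    """Acts only on the element that was verified, and insists it is the envelope Body."""
    root = ET.fromstring(envelope_xml)
    verified = verify(root)
    if verified is None or verified is not root.find("Body"):
        return None
    return verified.find("Op").text


def wrapped_test_message(signed_xml: str) -> str:
    """Test vector for the verifier: the signed Body is moved into the Header and an
    unsigned Body is put in its place, the structure described on the WS-Attacks page."""
    root = ET.fromstring(signed_xml)
    original = root.find("Body")
    root.remove(original)
    ET.SubElement(root.find("Header"), "Wrapper").append(original)
    ET.SubElement(ET.SubElement(root, "Body"), "Op").text = "DeleteInstances"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = sign(ORIGINAL)
    wrapped = wrapped_test_message(signed)
    print("vulnerable, wrapped:", process_vulnerable(wrapped))   # DeleteInstances
    print("hardened,   wrapped:", process_hardened(wrapped))     # None
```

The signature check itself passes on the wrapped message in both consumers; only the consumer that binds its processing to the verified element rejects it, which is the check a detection rule or code review should look for.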

5.5 Virtual network: On virtualisation platforms, virtual machines need not have outer network access, since most virtual network software supports same-host or intra-host networking. The most significant aspect is that traffic between or over virtual networks may not be detected by security devices on the physical network, including intrusion prevention and intrusion detection systems. Another downside of a virtualised environment is that virtual networks divide or separate the potential administration responsibilities in an enterprise: the roles and responsibilities of compute and network security administrators can collapse into a single virtual administrator.

5.6 Issues related to Cloud User and Cloud Provider:

5.6.1 Governance: In an organisation, governance generally involves control and oversight of procedures and policies, as well as the design, testing, development and deployment of applications, technology, and services. With the adoption of cloud technology and services, having less or no control over such services can generate plenty of challenges. Because adopting a cloud platform is so easy, it can happen with no governance at all: the normal procedures and standards for acquiring computing devices as capital expenditure can be bypassed by anyone. Consequently, operations not governed by the internal organisation become a source of problems, since they disregard the organisation's policies, procedures, and compliance requirements for privacy and security. Without appropriate governance, especially in a cloud environment, an organisation's computing infrastructure can be remodelled into a straggling mix of vulnerable or uncontrollable operations and services. In the cloud environment clients have the least role; even though they choose their own privacy settings and security measures for their resources, it is highly unlikely that security can be ensured without proper governance.

5.6.2 Trust: Since clients lose control of their resources in the cloud, they cannot employ their own methods or mechanisms to protect their data from unauthorised access, misuse, or theft by third parties. They must depend on the provider through contracts or trust mechanisms. Consumers may not even be aware of the identity of their cloud provider. In particular, cloud models such as on-demand and pay-as-you-go involve many third parties with loose security practices, and these operate entirely on weak trust relationships. To provide more and more services and meet customer demand, new providers may be added to the existing ones, with no opportunity to verify their identity and, in particular, their trustworthiness. Providers' lack of control and visibility over customer information, such as how and by whom it is accessed, often results in a loss of customer trust. Pearson (2010) Organisations are not ready to outsource their critical data and applications to the cloud without any assurance. Consumers must be provided with evidence of trustworthiness from the vendor, but the complexity and dynamic nature of the infrastructure make it difficult to establish a trust model.

5.6.3 Compliance: Every organisation must agree to follow the relevant rules, regulations, laws, and standards. Not every organisation is subject to the same privacy laws and regulations; these vary with operational location. Simply following one particular country's laws is therefore of little use, because different laws and procedures are established within countries at national and local levels. Compliance is a very problematic issue in the cloud domain, and critical issues such as law, regulation and data location fall under it. In the cloud, data can be stored anywhere in the world, in which case the location of the data can be an issue. Data location matters because the physical location can decide the applicable law and jurisdiction, and what is authorised in one country might be a violation in another. For instance, if the service provider operates from a European country, clients from the USA may find it difficult to retrieve their data, because EU data protection laws impose additional requirements and restrict the transfer of data from the EU to non-EU regions such as the US. Data might not be stored in one place, and there is no guarantee that an organisation can get its data back, or have it removed, when required, because some service providers may have the right to keep the data and sometimes sell it to third parties.
5.6.4 Data location: It is quite common in the cloud domain that the client has no idea where data is hosted; in truth, with the wide spread of the cloud's global infrastructure, individuals may not be aware of which country their data is located in, and this is a most significant issue in terms of privacy and legal regulation. Different regions follow their own privacy regulations and laws, which are not exactly the same as those of other regions. By way of illustration, if a US-based organisation sends its data for processing to a service provider in Germany, the subsequent export of that information back to the US can be problematic or even restricted under EU law. Once the law attaches to personal data, it is very hard to escape that law, and even to retrieve the data. Gellman (2009) Gartner (2008)

5.6.5 Digital forensics: Performing digital forensics is nearly impossible in a cloud environment. An investigation depends heavily on physical access to computing systems and logs, but in the cloud, physical access to the infrastructure and system logs is unavailable, which can make investigation impracticable.

5.6.6 Investigative report: Investigation of services in a cloud environment is practically infeasible because logging and data access for a huge number of consumers may be co-located or distributed across various hosts or data centres. Internal investigations and electronic discovery are very difficult and a very expensive proposition for individuals or groups in the cloud. If a client anticipates conducting investigations, they should not assume that the service provider will allow or support them; without a contractual commitment, investigation and discovery in the cloud domain may be prohibitive. Kandukuri (2009) Heiser (2008)

Cloud provider vulnerabilities could be present at the platform level, including web-based attacks such as SQL injection and cross-site scripting vulnerabilities. Phishers and social engineers have also found a new attack vector: phishing the cloud provider. Finally, adoption of cloud computing is a question of trade-offs among issues such as security, privacy, and more.

Chapter Six: Security measures

6.1 Introduction: Today IT companies are attracted to cloud computing because of its benefits and are very keen on cloud services. In spite of this, many companies have hesitated to welcome cloud technology into their business owing to security concerns. They are not clear about whether to procure cloud services or not; on the one hand the IT business benefits from cloud features such as on-demand capacity, economies of scale and pay-as-you-go, but on the other hand the majority of users surrender control over their data and applications. This automatically means that clients must rely on the cloud provider for all concerns. Security and privacy controls may vary from one service provider to another, so it is essential that companies check whether their service provider employs state-of-the-art security measures. Companies should also verify that those security measures and data protection policies are properly applied to their subscribed applications. It should be well known that best practice always directs the protection of data against all potential threats. Organisations should focus on four basic areas of concern while assessing a provider: infrastructure, process, application and personnel security. A wide variety of technologies are applied and combined to build a cloud computing system. Depending on the cloud models and services defined earlier, the access technologies may differ from a web browser thin client to service-based thick clients.

6.2 Onion routing: This is a technique used for anonymous communication through multiple nodes in a network. Messages are encrypted and transmitted through several network nodes, known as onion routers. To unveil the routing instructions, each onion router removes one layer of encryption and sends the message to the next router, and this process repeats until the message reaches its target. Gellman (2009)

6.3 SSL/TLS: TLS (Transport Layer Security) was originally established by Netscape under the name SSL (Secure Sockets Layer). It is a popular internet security protocol and an implementation of public-key encryption, widely used on the internet to transmit data securely between web browsers and servers; SSL is also part of the TLS security protocol. It consists of two parts: the Record Layer, which encrypts and decrypts the TCP data streams in the network using algorithms and keys, and the TLS Handshake, which is also used to authenticate client and server. TLS provides a variety of choices for encryption, keys, and peer authentication, including X.509 certificates. When a web browser is presented with an X.509 certificate from a "trusted" certification authority (CA), the browser verifies whether the certificate is "trusted" before proceeding further. Jensen (2009) Tyson (ND) To further enhance the security of browser security APIs, the following two methods are desirable: XML Encryption and XML Signature, both built on advanced cryptographic technology.


6.4 XML Encryption: Technologies such as SSL or TLS only provide confidentiality of information in transit, not in storage, whereas XML Encryption maintains confidentiality of data both in transit and in storage. It is used in two ways: symmetric-key (shared-key) encryption for messages of arbitrary size, and asymmetric-key encryption for small or limited messages. XML Encryption is a W3C standard for encrypting XML elements that helps solve security issues such as eavesdropping on XML data. It is the best technique for XML data protection. Duan (2006) Rosenberg (2011)

6.5 XML Signature: XML Signature technology is basically used by web-based services to reinforce security and is extensively used in cloud computing to ensure information and message security. It provides a secure procedure for message integrity and non-repudiation by encoding digital signatures into XML. It allows XML fragments to be signed, with the digital signature enclosed in the document itself, so that the signature stays with the document and can be verified without being extracted, to ensure integrity or provide proof of authentication. Rosenberg (2011) Jensen (2009)

6.6 Security standards: Some security standards are available to practise and manage security in the cloud, including ITIL, ISO/IEC 27001/27002, and OVF; they are briefly described in the following sections.

6.6.1 ITIL (Information Technology Infrastructure Library): ITIL is a set of best practices and guidelines and a widely accepted approach for managing information technology services. ITIL can be applied in a variety of organisational environments, including the cloud computing environment. ITIL (2012)

6.6.2 ISO/IEC 27001/27002: From the International Organisation for Standardisation (ISO), ISO/IEC 27001/27002 is a certification standard that specifies the essential requirements and appropriate information security controls for an Information Security Management System (ISMS) in the cloud. Popovic (2010)

6.6.3 OVF (Open Virtualisation Format): OVF provides efficient, flexible, industry-standard content verification, integrity checking and secure distribution of enterprise software, generally intended to run in virtual machines. VMware (2012)


References:

NIST (2011) Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Publication 800-144, September 2011.

Horrigan, J. B. (2008) Use of Cloud Computing Applications and Services, Pew Research Center, September 2008.

VMware (2012) Virtual applications, [www] Available from: http://www.vmware.com/technicalresources/virtualization-topics/virtual-appliances/ovf [Accessed on: 20/8/2012]

ITIL (2012) [www] Available from: http://www.itil-officialsite.com/ [Accessed on: 20/8/2012]

Zhou, M. et al. (2010) Security and Privacy in Cloud Computing: A Survey, In Proc. IEEE 2010.

Buyya, R. (2010) Cloud computing: The next revolution in information technology (CLOUDS Lab., Univ. of Melbourne, Melbourne, VIC, Australia), 2010 1st International Conference on Parallel, Distributed and Grid Computing (PDGC 2010), pp. 2-3, 2010.

Buyya, R. et al. (2010) Market-oriented Cloud Computing: Vision, hype, and reality for delivering IT services as computing utilities, In Proc. 10th IEEE.

Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L. L. (2009) On Technical Security Issues in Cloud Computing, In Proc. IEEE 2009.

Tyson, J. (ND) How Encryption Works, howstuffworks, [www] Available from: http://computer.howstuffworks.com/encryption4.htm [Accessed on: 20/8/2012]

Duan, L. (2006) XML Encryption Syntax and Processing, [www] Available from: http://users.informatik.haw-hamburg.de/~schmidt/it/presentations/XMLEncrypt-limiao-06.pdf [Accessed on: 20/8/2012]

Rosenberg, J. & Mateos, A. (2011) The Cloud at Your Service: The when, how, and why of enterprise cloud computing, Manning Publications, USA.

Mell, P. & Grance, T. (2011) The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-145, September 2011.

Rouse, M. (2012) Definition: Community cloud, Search Cloud Storage, Tech Target. [www] Available from: http://searchcloudstorage.techtarget.com/definition/community-cloud [Accessed on: 20/08/2012]

Rouse, M. (2009) Definition: Public cloud, Search Cloud Storage, Tech Target. [www] Available from: http://searchcloudcomputing.techtarget.com/definition/public-cloud [Accessed on: 20/08/2012]

Rouse, M. (2010) Definition: Hybrid cloud, Search Cloud Storage, Tech Target. [www] Available from: http://searchcloudcomputing.techtarget.com/definition/hybrid-cloud [Accessed on: 20/08/2012]

Rouse, M. (2009) Definition: Private cloud (internal cloud or corporate cloud), Search Cloud Storage, Tech Target. [www] Available from: http://searchcloudcomputing.techtarget.com/definition/private-cloud [Accessed on: 20/08/2012]

Smoot, S. R. & Tan, N. K. (2012) Private Cloud Computing: Consolidation, Virtualization, and Service-Oriented Infrastructure, Elsevier/Morgan Kaufmann, 225 Wyman Street, Waltham, MA 02451, USA.

Winkler, V. (J.R.) (2011) Securing the Cloud: Cloud Computer Security Techniques and Tactics, 1st Ed., Elsevier/Syngress, USA.


Kandukuri, B. R., Paturi, R. V. & Rakshit, A. (2009) Cloud Security Issues, In Proc. IEEE 2009.

WS (2011) XML Signature Wrapping, WS-Attacks.org, [www] Available from: http://clawslab.nds.rub.de/wiki/index.php/XML_Signature_Wrapping

Pearson, S. & Benameur, A. (2010) Privacy, Security and Trust Issues Arising from Cloud Computing, In Proc. 2nd IEEE (2010).

Gellman, R. (2009) Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, World Privacy Forum, Feb 23, 2009.


Chapter SEVEN: Analysis

Introduction: The main purpose of both surveys is to understand how providers and users of cloud computing perceive the necessity of security in the cloud environment. The following two sections discuss the findings from the cloud users' survey and the cloud providers' survey, and the results obtained from both surveys are analysed and examined against the findings of the literature review. The first section presents the discussion of the results of the cloud users' survey.

The cloud users' survey (Appendix A):

Question 1 was used for screening, to establish whether the respondent's organisation uses any cloud resources.

Question 2: This question asked about the cloud computing deployment model used by the user's company.

The results show that the majority of users mostly use public cloud services, and only 25% use a private cloud, while only 12% responded that they use both types of cloud service.

Question 3: This question aimed to find the reasons contributing to the use of cloud services.

The results show that 94% of users responded that by using cloud services they can achieve more efficiency than with normal data centres, and more than 80 percent responded that they use cloud services because they are easy to deploy and access. However, only thirty-one percent of users responded that cloud services provide more security.

Question 4: This question aimed to identify the attributes of respondents' concerns about the security of the cloud within their company. The results show that most of the attributes received a similar response: around fifty percent disclosed that users' beliefs regarding cloud security in their company are not promising. More than fifty percent of users stated that their company does not use cloud applications that are not protected against risks. Only 31% of respondents stated that their company's security team is responsible for ensuring the safe use of cloud services, while nearly fifty percent of respondents believe their company performs security assessments and audits before adopting cloud services.

Question 5: This question targeted where the responsibility for the security of cloud resources lies within the client company.

It is evident from the responses that many (78%) clients said the cloud computing vendor is most responsible for cloud resources, including services and applications. Surprisingly, nearly half of them accepted that responsibility for security depends upon both the company and the provider. On the other hand, 37% believed their company's security team is answerable for a protected environment, and others thought that the end user is also responsible for the security of cloud services. 12 percent of the respondents were still unsure about who is responsible for the security of cloud resources.

Question 6: This question deals with the users' utilisation of cloud services in their critical business processes. It can be seen that users clearly indicated that their dependency on cloud services for business operations is very limited. Just a few of them use cloud services for more than fifty percent of their business operations. Most of the users (40%) said their companies use cloud services for at most 25% of their critical business processes.


Question 7: This question asked about users' confidence as to whether their company maintains security objectives to ensure a secure environment. It is evident from the results that most users maintain enough security objectives in practice, and the results are favourable to a secure cloud environment in the company. More than half stated that their companies maintain security through restricted access control on cloud infrastructure, conduct training sessions and awareness programmes regarding security, and consult security staff for risk assessment and management. Roughly 40% responded that their company has implemented security policies and data loss prevention techniques. Maintaining a compliance framework and finding solutions for external threats were reported by only 31% of them.

Question 8: This question checked whether any technologies are practised on the users' side to enforce secure cloud computing. It is clear that the majority of respondents disclosed that they practise the primary methods for ensuring secure services along with some advanced techniques. As many as 68 percent of respondents depend on firewalls, followed by intrusion detection systems (56%) and antivirus programs (53%). Half of the users have adopted technologies such as encryption and log management. Only 21% stated that they depend upon single sign-on and identity federation.

Question 9: This question asked what type of information users think is too risky to handle in the cloud, including employee records, credit card data, customer data, and intellectual property. The responses show that 78% of cloud users consider their company's intellectual property unsafe to process in the cloud environment, while 68% of cloud users think that financial information, and 62% that credit card data, could be unsafe to store. Fifty percent of cloud users said employee records are also critical. Just 31% of users were concerned about research findings.

Question 10: This question verified the views of cloud users about which types of applications can be considered risky to connect to the cloud.


In response to question 10, cloud users clearly said that using finance-related applications in cloud computing can be risky. More than half of users also consider that applications such as ERP and manufacturing applications should not be hosted in the cloud (56%). Time management (25%) and other applications (21%) received only a small response.

Question 11: This question asked about cloud users' concerns regarding the critical areas that need care.

According to the results, each area received an average level of importance from cloud users. Risk management (56%), access management (53%), and virtual operations (50%) are viewed as the top issues that need to be taken care of before implementing cloud computing. Similarly, roughly forty percent of them rated disaster recovery, compliance and legal requirements, and methods for electronic discovery as matters that should be considered carefully before going ahead.

Question 12 (Appendix A, Q12): This question aimed to check whether cloud users' privacy rights are violated by cloud providers. It is clear that the majority of cloud users strongly said the cloud provider does not have the right to do anything with their sensitive information stored in cloud data centres. Similarly, 46% of them agreed that their provider may know what information is stored in the cloud, but that it is against privacy law if the provider engages in any action such as modifying or removing it. Besides that, 37% accepted that the provider may carry out any action if the information is connected with any personal or national violations.

Summary of findings: Most cloud users responded that they use the cloud for efficiency, ease of use and speed of deployment rather than security. Many of them rated the security posture of cloud in their company unfavourably. Surprisingly, fifty percent of cloud users were not aware of security checks and audits. Most users viewed the cloud provider as most responsible for protecting cloud resources. They clearly stated that their dependency on cloud resources to meet business requirements is very limited.

Very few users were concerned about compliance, legal requirements, disaster recovery and electronic discovery.

Most cloud users viewed that cloud providers do not have the right to take any action with their private data in the cloud.

The cloud computing provider's survey (Appendix-B): Section two contains the results of the cloud service providers' survey conducted by the Ponemon Institute, entitled "Security of Cloud Computing Providers Study". The Ponemon Institute surveyed 127 different cloud providers from both the US and Europe. Within the tight schedule it was unattainable for the researcher to survey providers himself, because major providers are spread across the world and it is highly difficult to meet and gather information from the most popular service providers. The present research therefore used the results derived from that study. The first, second and third questions sought background information on the service providers, including their service types and deployment models.

Questions 1 & 2: (Appendix Q1 & Q2) The first and second questions are similar in type and identify the types of service providers participating in the survey. There are three types of providers: the majority operate SaaS, followed by IaaS, with PaaS the least common. Software as a Service is the most preferred service among organisations and providers for hosting applications and data, while PaaS is the least popular service.

Question 3: (Appendix Q3) The third question looked at which cloud models the providers deal with, expressed as public, private or hybrid cloud. The results show that for more than half of the organisations the primary cloud model is public cloud, such as Amazon EC2, Google AppEngine and IBM Blue Cloud. Only 18% of clients use a private cloud for their IT business with cloud computing, and the same goes for hybrid cloud, for example VMware vCloud.

Questions 4 to 12 were aimed at providers' attributes and concerns about security in the cloud.

Question 4: (Appendix Q4)

The 4th question addressed three attributes of service providers regarding the security of their services. The responses show that only 30% of US and 25% of European cloud providers strongly agree or agree that their organisation views security as one of its key responsibilities. Similarly, 27% of US and 25% of EU providers stated that their organisation can provide appropriate security for their clients' private data. Much as with the other attributes, just 19% of US providers saw security as a competitive advantage, and EU providers stood similarly at 18%.

Question 5: (Appendix Q5) The 5th question concentrated on the most essential concern: who is most responsible for the protection of data in the cloud.

The responses reveal that merely 23% of US providers said the IT governing body of their organisation is responsible for the security of the cloud, while the remaining 69% of providers simply left the responsibility to the users, strongly believing that clients are responsible for protecting data in the cloud. Compared to the US, EU providers are slightly better, with 35% responding that they are concerned about providing security for resources in the cloud, though most EU providers also followed the US providers in saying that users are responsible for protecting information in the cloud environment.

Question 6: (Appendix Q6) This question concerned the quantity of resources dedicated to control and security-related activities.

Interestingly, the results revealed that most cloud providers, US and EU together (79%), agree that they devote roughly 10% of their efforts to security-related functions.

Question 7: (Appendix Q7) This question concerned providers' views on the importance of security for meeting their IT and data-processing objectives.

The responses disclose that 43% of US and 46% of EU cloud providers consider security vital for meeting their enterprise information-processing objectives.

Question 8: (Appendix Q8) This question is about providers' confidence in the security of the applications and resources they provide. The responses disclose poor confidence among providers, as on average only 38% said they are very confident or confident that their applications and resources can be protected; it follows that the remaining 62% are not confident.

Question 9: (Appendix Q9) The 9th question looked at the security assessment of new applications. Nearly half of them (47%) said they only infrequently evaluate the security of new cloud applications provided to clients.

Question 10: (Appendix Q10)

The 10th question deals with the primary reasons customers select a particular company for cloud services. The choices are reduced cost, increased efficiency, improved security and more.

The results show that the majority of providers do not believe security is a reason for clients to adopt their cloud services. According to providers, the main reasons for choosing the cloud are cost reductions (91%) and speedy deployment (79%), followed by better customer service (37%), efficiency (36%) and flexibility (34%). Hardly 11% of suppliers thought that consumers chose their cloud because of improved security in services.

Question 11: (Appendix Q11) The 11th question deals with suppliers' confidence in whether they meet consumers' security demands.

More than half of both US and EU providers are unsure or not confident that their efforts can properly secure cloud applications. Almost the same response was found for customers' security requirements, as 61% of EU and 66% of US cloud suppliers are unsure or not confident that their capabilities match consumers' security conditions.

Question 12: (Appendix Q12) The 12th question deals with organisational functional areas and the responsibility for ensuring that customers' security needs are met.

According to the results, barely 11% of US and seven percent of EU respondents said their information security professionals should take care of security conditions. Responses from both the US and EU are similar in saying that providers consider IT operations can look after security. Even twenty percent of responses from the EU region disclosed that suppliers view security as part of the help desk supervisor's duty.

Question 13: (Appendix Q13) Question 13 concentrated on the security objectives taken into account to build a strong computing environment. Most providers have used available security measures and precautions to ensure sufficient security in the cloud. The majority of providers approach security professionals and concentrate on protection against viruses and malware. Furthermore, more than half of the providers have adopted legal and compliance frameworks and physical access controls, and conduct training and awareness programmes. The results are favourable to security in the cloud environment, as providers employ primary or advanced safeguards.

Question 14: (Appendix Q14) Similar to the previous question, this one verified the security technologies implemented by the service providers. The results are very surprising and revealed that the highest percentage of cloud providers did not follow precise techniques or standards. Overall, thirty percent of them hardly implemented specific technologies and methods. A noteworthy fact is that none of them were aware of identity federation. It is also evident that they simply deployed general techniques such as antivirus and firewalls, which are usually basic for personal computing systems.

Question 15: (Appendix Q15) Question 15 related to providers' future consideration of operating security as a service, like their presently operated services.

Only nine percent of cloud providers are operating security as a service in the cloud. The other 91% of providers are not interested in providing security as a service, although around 60% of providers expressed that they will offer it in future.

Question 16: (Appendix Q16) This question aimed at the control activities implemented by providers to enhance quality of service and security in the cloud infrastructure. The responses show that 76% of them run help desk activities to assist their consumers, one-third rely on policies and procedures, followed by quality checks (52%) and holding certifications (44%) to maintain reputation, sustainability and a secure environment. However, only 5% of them run end-user training, and similarly training of security staff is offered by only four percent. In total, 29% of respondents practise appropriate control activities.

Question 17: (Appendix Q17) This question checked providers' ability against the seven most critical security threats, including recovery, security of data location, availability and compliance.

It is clear that most providers have the ability to handle the seven risks mentioned. Sixty-five percent of service providers are confident about assuring recovery from IT failures, and fifty-four percent believe in the security of their data centre locations. However, 36% and 32% of providers have low confidence in their capability to ensure suitable data segregation and user access control respectively.

Question 18: (Appendix Q19) The 18th and 19th questions asked which types of private data and applications vendors feel are too risky to store or process in a cloud environment. Surprisingly, the fewest providers considered storing confidential information such as customer data and research data precarious, though around fifty percent of them regarded health data, financial data and intellectual property as too perilous to handle in the cloud. Nearly half of them thought applications relating to individuals and finance need much more protection. Besides that, below 10% of respondents pointed to manufacturing, logistics and timetable applications, which are not considered that risky.

Question 20: (Appendix Q20) The 20th question asked whether providers run a dedicated security team to supervise the protection of applications and the cloud platform. The responses showed that hardly 26 percent of US and 19 percent of European cloud service suppliers maintain a special team to monitor the security of cloud applications and platform.

Question 21: (Appendix Q21) This question identifies the most critical areas that need to be taken care of while moving to the cloud environment. Around one hundred percent of them consider data centre operations the top critical area to concentrate on, followed by business continuity and disaster recovery (72%). Some providers felt that virtualisation operations, application security and information management are the least important areas to concentrate on in terms of security.

Summary of Findings: According to the results, the majority of cloud providers are not concerned about the security of cloud services and the protection of their clients' confidential data. Instead of providing security, they are mostly concerned with the benefits offered by cloud computing, such as cost reductions and fast deployment. They also believe that their customers choose cloud services because of low cost, speedy deployment and increased efficiency.
Cloud service providers do not have much confidence in the security of their cloud applications and data. Furthermore, they view the responsibility for the security of cloud resources as belonging to the cloud user rather than the cloud provider. They acknowledged their inability to maintain appropriately restricted user access controls to cloud resources, though private cloud providers are a little better than public cloud providers in terms of ensuring the security of the cloud environment.

Recommendations: It is evident from the results that concentrating only on speed and cost rather than on protecting cloud resources may open the door to security breaches. Before migrating any service to the cloud, it is important to confirm the service provider's capabilities, including current customer feedback and reputation; details of audits and incident reports can distinguish the best provider from the others. Users should verify the following qualities of their cloud provider before going for its service:

All-round coverage and protection: Coverage and protection deal with data, infrastructure and applications, and with both inside and outside security. The provider must put strong industry-level security standards into practice, implement security measures, meet regulatory compliance requirements and satisfy customer requirements to build confidence.

24/7 customer service: Just as their services and applications are available at all times, providers should also provide 24/7 customer support, and further operate incident response teams for any emergency incident.

Multilayer security protection: An expert provider understands the value of multilayer protection and how it protects clients' private information and resources. A sagacious provider must follow a complete life-cycle procedure to implement security from the start to the end stage of the service. The best providers know that the security of a cloud environment can only be managed by defence-in-depth, constant monitoring, and regular training, risk assessments and auditing.

It is clear that service providers and users are blaming each other for the responsibility of cloud resource security. The better solution is for cloud users and providers to come to an understanding, discuss the significance of security and work together to build a strongly secured cloud computing environment. As cloud computing becomes more popular, many new customers are attracted to it but hesitate to migrate. These conditions must change, otherwise cloud technology will not reach the next level. Cloud providers must take more responsibility for ensuring a secure cloud environment and its long-term standing. Most of the noted security breaches occurred because of improper or insufficiently restrictive access controls, so cloud providers should employ restricted access controls on cloud resources.

Many cloud users believe that the cloud is more profitable, efficient and secure. Most of them do not have complete knowledge of cloud technology, still less of how to assess the risks before migrating to the cloud; it is clear that there is a huge knowledge gap. It is necessary to educate them, and providing training and security awareness programmes will make for a more secure environment. Both cloud providers and cloud users should constantly check whether they are using up-to-date software, because old versions enlarge the attack surface and allow attacks using known vulnerabilities to be performed easily.

Conclusion: The present study explored the security issues related to cloud computing technology, including privacy, compliance, data location and trust. This research includes the findings of two surveys conducted separately among cloud users and cloud providers. The report also revealed the attributes and concerns of both cloud users and providers regarding how they address the need for security in the cloud environment. According to the survey results, cloud providers are focusing only on how to provide more features to attract customers, including low cost, efficiency, speedy deployment and easy access, instead of on security. Providers are not confident about assuring the security of their cloud services, as they are concerned only with features rather than security. According to the literature review and the survey findings, many more issues are restricting new users from going for cloud technology, and the misunderstanding between them in terms of responsibility for security may lead to future conflict. It is concluded that a knowledge gap is clearly identified, as most users move swiftly to cloud services before gaining knowledge about cloud technology, and without even performing security checks. Results from both surveys clearly showed that clients want more security in future, and especially assurance from providers. This report is based upon resources including journals, books and the internet, which have their own limitations in data accuracy. This research collected data from two surveys, one conducted by the researcher himself and another taken from a professionally conducted survey, and the accuracy of these results may be constrained and biased. The results presented in this report are self-generated and determined from the surveys. These findings provide guidelines to researchers who want to carry out further research.

Appendices:

APPENDIX-A

Survey Questionnaire

Introduction: The following questionnaire concerns the security and privacy of cloud computing and its services and applications, such as Amazon, Google, Dropbox, Yahoo, Hotmail, Facebook, FolderShare and more. Those who are familiar with cloud computing may participate and give their valuable response; otherwise please ignore it.

Selected 32 participants out of a total of 48.

1. Does your company use any cloud computing services? (Screening)
Yes: 32 (Continue)
No: 16 (Discontinue)

N=32

2. Which type of service does your company use?
Public 62%
Private 25%
Both 12%

3. What are the primary reasons to use cloud computing services?
Low cost or free 56%
More efficient 94%
Easy to use and implement 87%
More secure 31%

4. Security of cloud computing in your company?
My company does not use cloud computing applications that are not stable or secure
My company identifies thoroughly which data is too sensitive to store or process in the cloud
My company's security team is responsible for the safe use of the cloud
My company conducts audits and security assessments before adopting cloud services
50% 31% 46%

5. Who is most responsible for the security of cloud services or applications in your company?
A. My company's end-users 28%
B. Cloud service provider 78%
C. My company and provider 50%
D. My company's security team 37%
E. Don't know 12%

6. Does your company use cloud services for its most critical business operations?
0–10 28%
10–25 40%
25–50 21%
50–75 9%
75–100 0%
Don't know 0%

53%

7. Does your company follow any of the security objectives to ensure your company's secure cloud environment?
Prevention of external threats 43%
Prevention of data loss 53%
Identify cause of cyber attacks
Restricted access control
Obtain compliance frameworks like ISO and PCI DSS
Implement security policies
Provide training and awareness
Perform own audits
Approach IT security people
10% 21% 10% 56% 62% 43% 62%

8. Please verify the security technologies that are practised by your company, both internally and externally, to ensure a secure cloud environment.
Anti-virus and malware 53%
Encryption 50%
Firewalls 68%
Network intelligent systems 31%
Log management 50%
Identity federation 21%
Intrusion detection systems 56%
Identity and access management 43%
Single sign-on 21%

9. Please verify the types of data your company considers unsafe to store in the cloud.
Employee records 50%
Customer's data 46%
Credit card data 62%
Financial information 68%
Intellectual properties 78%
Research findings 31%
Other 12%

10. Please verify the types of applications your company considers unsafe to store in the cloud.
Manufacturing applications 56%
ERP applications 62%
Financial applications 81%
Time management 25%
Other 21%

11. Please rate the following critical areas, which are to be focused on by a company going to adopt cloud technology.
Approaches for electronic discovery 37%
Access management 53%
Disaster recovery 46%
Compliance and legal requirements 43%
Virtual operations 50%
Data center operations 43%
Risk management 56%
Other 12%

12. Does your provider have the right to look at, modify or delete company information stored in the cloud?
They do not have the right to do anything with the company's information 56%
They can see the information but do not have the right to do anything with it 46%
They have the right to verify only if the data relates to personal or national violations 37%
Don't know 15%

APPENDIX-B

"Security of Cloud Computing Providers Study", presented by Ponemon Institute, April 2011 [www]. Available at: http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computingproviders-final-april-2011.pdf [Accessed on: 10/7/2012].


Appendix C: Primary Project Plan (Gantt chart)

Break down              Events                            Start        Finish
Preparation             Project proposal                  1-7-2012     ______
                        Ethical review, risk analysis     10-7-2012    17-7-2012
                        Deliverables, Project Plan        18-7-2012    27-7-2012
Gathering Information                                     15-7-2012    30-7-2012
                        Literature Review                 28-7-2012    10-8-2012
Writing Report                                            28-7-2012    15-8-2012
Prepare survey          Formulate questions               13-8-2012    21-8-2012
                        Survey results                    21-8-2012    24-8-2012
Analysis of the data                                      24-8-2012    29-8-2012
Writing Final report    Finalise report and submission    30-8-2012    7-8-2012