The topic of cloud computing has garnered a lot of media attention over the last few years. The scope and capabilities of cloud computing are still emergent. The 2008 article on the CIO.com web site, “Cloud Computing: Hype Versus Reality,” described the state of the cloud computing model,
“Cloud computing may seem more hype than reality as the technology industry is busy refining the term. However, substantive business and market trends are catapulting cloud computing to the forefront. Companies and governments are using this emerging concept in the real world, and its uses are growing.” (Chiu, 2008)
The United States Department of Commerce’s National Institute of Standards and Technology (NIST) provides operational definitions for cloud computing terminology in the document “The NIST Definition of Cloud Computing Version 15.” (Mell & Grance) The NIST definitions are an aid in standardizing terminology such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). (Mell & Grance) The Cloud Security Alliance identifies five principles that define cloud computing: abstraction of infrastructure, resource democratization, service-oriented architecture, elasticity/dynamism of resources, and a utility model of consumption and allocation. (Reavis & Puhlmann, 2009) Business leaders perceive in cloud computing a potential to improve efficiency, enable more environmentally friendly data centers, and improve returns on investment.
However, there are also significant privacy and security concerns associated with the cloud computing model. Bradner’s 2009 Network World article, “Cloud computing security: Who knew?” quotes John Chambers, CEO of Cisco, as saying that cloud computing is a “security nightmare.” (Bradner, 2009) As Ristenpart et al. state in their 2009 article, “customers must trust their cloud providers to respect the privacy of their data and the integrity of their computations.” (Ristenpart, Tromer, Shacham, & Savage, 2009)
A critical factor for successful operation within a cloud computing framework will be effective information governance. Primost describes some of the information security facets unique to cloud computing, and especially to service-oriented architecture (SOA): “While many of the problems could be traced to technology, having integrated technology with business means we may have a new set of problems with the business logic or the business process.” (Primost, 2008) As SOA and cloud computing solutions are implemented within organizations, business process and technology become interlinked by design, and technical information security issues become linked to business logic. Robust governance is therefore a principal component of successfully implementing cloud computing technologies and realizing the benefits of a service-oriented enterprise. (Primost, 2008)
The Cloud Security Alliance (CSA) provides a report entitled “Security Guidance for Critical Areas of Focus in Cloud Computing,” a taxonomy and set of guidelines for establishing and managing a cloud computing environment. (Reavis & Puhlmann, 2009) The CSA report divides cloud computing security into 15 knowledge domains and dedicates Domain 2 to governance and the management of risks associated with cloud computing. (Reavis & Puhlmann, 2009) Undercoffer et al. state succinctly, “Services, like any resource of value, are vulnerable to exploitation and misuse if access to them is not adequately governed.” (Undercoffer, Perich, Cedilnik, Kagal, & Joshi, 2003)
Attacks and Threats
In the 2009 article, “Controlling data in the cloud: outsourcing computation without outsourcing control,” Chow et al. provide a comprehensive analysis of the security concerns related to cloud computing. (Chow, et al., 2009) The authors identify several “new problems” associated with cloud computing security: cheap data and data analysis, cost-effective defense of availability, increased authentication demands, and mashup authorization. (Chow, et al., 2009) Chow et al.’s assertion that the cheap data and data analysis offered by clouds is a security threat is supported by recent reports of a botnet, operating within the Amazon EC2 cloud compute service, that steals banking identity information and money. (Ferrer, 2009)
Ristenpart et al. report research demonstrating the ability to determine and control the placement of virtual machines within the Amazon EC2 cloud compute service. (Ristenpart, et al., 2009) Ristenpart and his colleagues also demonstrate the feasibility of several side-channel attacks that exfiltrate information such as cryptographic keys and, in some cases, keystrokes. (Ristenpart, et al., 2009) The combination of being able to place a malicious virtual machine in the same locality as a victim machine and the ability to conduct side-channel attacks on machines within that locality presents a substantive threat to those operating within cloud computing environments.
Defense and Mitigation
While there are significant risks to operating within a cloud computing environment, research into security enhancements is advancing. Wei et al. propose security controls that would provide provenance tracking, access control, and malware screening for the virtual machine image repositories that underlie cloud computing services. (Wei, Zhang, Ammons, Bala, & Ning, 2009) Christodorescu et al. report complementary research in which a security virtual machine operates in parallel with a guest virtual machine and inserts a monitoring agent to analyze whether the guest has been the victim of malware. (Christodorescu, Sailer, Schales, Sgandurra, & Zamboni, 2009)
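As an added illustration (not code from Wei et al. or any other work cited here), the following Python sketch shows how the three image-repository controls named above fit together in one place: provenance tracking as a signed parent chain, access control as a publisher/reader allowlist, and malware screening as a content check. The signing key, policy tables, image bytes and the "known-bad" marker are all constructed for the example, and the screening rule stands in for a real scanner.

```python
"""Toy VM image repository: provenance, access control and screening.
Added example; every key, policy entry, image and marker is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed repository signing key (assumption; keep such keys in a KMS/HSM).
REPO_KEY = b"constructed-repository-signing-key"
# Constructed access-control policy: who may publish and who may fetch images.
PUBLISHERS = {"platform-team"}
READERS = {"platform-team", "app-team"}
# Constructed screening rule: byte patterns the repository refuses to store.
KNOWN_BAD_PATTERNS = [b"CONSTRUCTED-MALICIOUS-MARKER"]


@dataclass
class ImageRecord:
    """Provenance metadata stored alongside each image blob."""
    name: str
    digest: str             # SHA-256 of the image contents
    publisher: str          # principal that published the image
    parent: Optional[str]   # digest of the image this one was derived from
    signature: str          # HMAC over the fields above, set by the repository


class ImageRepository:
    def __init__(self) -> None:
        self.records: Dict[str, ImageRecord] = {}
        self.blobs: Dict[str, bytes] = {}

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    @staticmethod
    def _sign(name: str, digest: str, publisher: str, parent: Optional[str]) -> str:
        msg = "|".join([name, digest, publisher, parent or ""]).encode()
        return hmac.new(REPO_KEY, msg, hashlib.sha256).hexdigest()

    @staticmethod
    def screen(data: bytes) -> bool:
        """Screening stand-in: True when no known-bad pattern is present."""
        return not any(pattern in data for pattern in KNOWN_BAD_PATTERNS)

    def publish(self, actor: str, name: str, data: bytes,
                parent: Optional[str] = None) -> str:
        """Store an image after access, provenance and screening checks."""
        if actor not in PUBLISHERS:
            raise PermissionError(f"{actor} may not publish images")
        if parent is not None and parent not in self.records:
            raise ValueError("parent image is not in the repository")
        if not self.screen(data):
            raise ValueError(f"image {name} failed malware screening")
        digest = self.digest(data)
        self.records[digest] = ImageRecord(
            name, digest, actor, parent, self._sign(name, digest, actor, parent))
        self.blobs[digest] = data
        return digest

    def verify_provenance(self, digest: str) -> List[str]:
        """Walk the parent chain checking each record's signature; return the
        image names root-first, or raise ValueError on any tampering."""
        chain: List[str] = []
        seen = set()
        current: Optional[str] = digest
        while current is not None:
            if current in seen:
                raise ValueError("cycle in provenance chain")
            seen.add(current)
            rec = self.records[current]
            expected = self._sign(rec.name, rec.digest, rec.publisher, rec.parent)
            if not hmac.compare_digest(expected, rec.signature):
                raise ValueError(f"provenance record for {rec.name} was altered")
            chain.append(rec.name)
            current = rec.parent
        return list(reversed(chain))

    def fetch(self, actor: str, digest: str) -> bytes:
        """Release image bytes only to an authorized reader, after re-checking
        content integrity and the whole provenance chain."""
        if actor not in READERS:
            raise PermissionError(f"{actor} may not fetch images")
        data = self.blobs[digest]
        if self.digest(data) != digest:
            raise ValueError("image contents no longer match recorded digest")
        self.verify_provenance(digest)
        return data


def run_demo() -> Dict[str, object]:
    """Exercise the controls on constructed images; results are returned."""
    repo = ImageRepository()
    base = repo.publish("platform-team", "base-os", b"constructed base image bytes")
    app = repo.publish("platform-team", "app-server",
                       b"constructed app layer bytes", parent=base)
    results: Dict[str, object] = {"chain": repo.verify_provenance(app)}
    try:  # an unauthorized publisher is refused
        repo.publish("app-team", "rogue", b"constructed rogue image")
        results["acl_enforced"] = False
    except PermissionError:
        results["acl_enforced"] = True
    try:  # an image carrying a known-bad pattern is refused
        repo.publish("platform-team", "infected",
                     b"payload CONSTRUCTED-MALICIOUS-MARKER payload")
        results["screening_enforced"] = False
    except ValueError:
        results["screening_enforced"] = True
    repo.records[base].publisher = "intruder"  # out-of-band edit to the record
    try:  # the derived image's chain now fails signature verification
        repo.fetch("app-team", app)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results
```

The point of signing the whole provenance record rather than only the blob is that a fetch of `app-server` fails as soon as any ancestor's metadata is altered, which is the property an image consumer wants before booting a derived image.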
Chow et al. describe several research areas that are “new directions” for mitigating cloud computing security risks: information-centric security, high-assurance remote server attestation, and privacy-enhanced business intelligence. (Chow, et al., 2009) Technologies within these areas show promise for mitigating some of the cloud computing risks. Undercoffer et al. propose a secure service registry to provide improved, secure management of cloud-based services. (Undercoffer, et al., 2003)
The perceived benefits of cloud computing are compelling. Organizations seek to reduce costs, increase business agility, and more closely align information services with business goals. The emerging frameworks, standards, and technologies that are collectively known as cloud computing will enable these business goals. However, there are unique security risks associated with cloud computing. The risks and mitigations are an area of active research.
Bradner, S. (2009). Cloud computing security: Who knew? Network World, 26, 1.
Chiu, W. (2008). Cloud Computing: Hype Versus Reality. CIO. Retrieved from http://www.cio.com/article/438371/Cloud_Computing_Hype_Versus_Reality
Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., et al. (2009). Controlling data in the cloud: outsourcing computation without outsourcing control. Paper presented at the Proceedings of the 2009 ACM workshop on Cloud computing security.
Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). Cloud security is not (just) virtualization security: a short paper. Paper presented at the Proceedings of the 2009 ACM workshop on Cloud computing security.
Ferrer, M. C. (2009, 12/11/2009). Zeus “in-the-cloud”. Retrieved from http://community.ca.com/blogs/securityadvisor/archive/2009/12/09/zeus-in-the-cloud.aspx
Mell, P., & Grance, T. (2009). The NIST Definition of Cloud Computing Version 15: National Institute for Standards and Technology.
Primost, S. (2008). Applying Security within a Service-Oriented Architecture. Information Security Journal: A Global Perspective, 17(1), 26-32.
Reavis, J., & Puhlmann, N. (2009). Security Guidance for Critical Areas of Focus in Cloud Computing: Cloud Security Alliance.
Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. Paper presented at the Proceedings of the 16th ACM conference on Computer and communications security.
Undercoffer, J., Perich, F., Cedilnik, A., Kagal, L., & Joshi, A. (2003). A secure infrastructure for service discovery and access in pervasive computing. Mob. Netw. Appl., 8(2), 113-125.
Wei, J., Zhang, X., Ammons, G., Bala, V., & Ning, P. (2009). Managing security of virtual machine images in a cloud environment. Paper presented at the Proceedings of the 2009 ACM workshop on Cloud computing security.