Atlantic International University, Honolulu, Hawaii 96813

By MBANZABUGABO Jean Baptiste, ID# UD30956SCO39530

School: Science and Engineering

Program: Doctorate

Major: Computer Science

Kigali - RWANDA

SECURITY AND PRIVACY ISSUES IN THE CLOUD COMPUTING SYSTEMS

Privacy and Security Issues in Cloud Computing

TABLE OF CONTENTS

ABSTRACT

1. INTRODUCTION

2. HI-TECH AND RECOGNIZED ENVIRONMENT IN FRONT OF THE CLOUD

2.1. TECHNOLOGICAL ENVIRONMENT

3. DISCUSSION

3.1. MANAGERIAL AND POLICY IMPLICATIONS

3.2. FUTURE RESEARCH

4. CONCLUSION AND COMMENDATIONS

END NOTES

REFERENCES

ABSTRACT

Cloud computing is a double-edged sword from the privacy and security standpoints. Despite its potential to provide low-cost security, organizations may increase risks by storing sensitive data in the cloud. In this paper, I analyze how the cloud’s characteristics such as newness, nature of the architecture, and attractiveness and vulnerability as a cybercrime target are tightly linked to privacy and security. I also investigate how the contexts provided by formal and informal institutions affect privacy and security issues in the cloud.

KEYWORDS: Privacy and security, cloud computing, formal institutions, informal institutions,

security costs, Security vulnerability.

1. INTRODUCTION

Cloud computing is one of the latest innovations in IT and is claimed to be capable of driving the future world of IT at minimum cost. On one side, the concept of cloud computing is widely accepted by ordinary users; on the other, the majority of organizations have serious security concerns before moving to this form of IT evolution.

Organizations are moving to cloud computing technologies (hereinafter: the cloud) to perform increasingly strategic and mission-critical functions. At the same time, companies are facing pressures and challenges to protect information assets belonging to their customers and other sensitive data (McCafferty 2010). Unsurprisingly, security, privacy and availability are among the topmost concerns in their cloud adoption decisions rather than the total cost of ownership (Brodkin 2010). The cloud is a double-edged sword from the security standpoint. For organizations that lack technological and human resources to focus on security, third parties in the cloud can provide low-cost security (Kshetri 2010a). Cloud computing users, on the other hand, face several separate but related security risks (Talbot 2010).

The cloud poses various technological as well as institutional challenges. The cloud-related legal

system and enforcement mechanisms are evolving more slowly compared to the technology

development. Privacy, security and ownership issues related to data stored on cloud currently fall

into legally gray areas (Bradley 2010). Some argue that an organization, rather than the cloud

provider, is likely legally responsible if customer data stored in the cloud are compromised

(Zielinski 2009). A second criticism is that there has been arguably a “disturbing lack of respect for

essential privacy” among major cloud providers (Larkin 2010, p. 44). For instance, in a complaint

filed with the Federal Trade Commission (FTC), the Electronic Privacy Information Center (EPIC)

argued that Google misrepresented the privacy and security of its users’ data (Wittow & Buller

2010). Cloud providers are also criticized on the ground that they do not conduct adequate

background security investigations for their employees (Wilshusen 2010). This issue is rather

important since significant proportions of cybercrimes are associated with malicious insiders.

Likewise, new bugs and vulnerabilities targeting the cloud are proliferating (Brynjolfsson et al.

2010).

Critics have raised concerns about privacy and security associated with unauthorized access and use

of information stored in the cloud for malicious purposes (McCreary 2008). A commonplace

observation is that while cloud providers offer sophisticated services, their performances have been

weak in policies and practices related to privacy and security (Wittow & Buller 2010; Greengard &

Kshetri 2010).

Businesses and consumers have expressed distrust in the cloud and are cautious in using it to store high-value data or sensitive information. Due to weak security, the cloud arguably remains “a largely nascent technology” (Stewart 2010) and critics have argued that its costs may outweigh the benefits (Tillery 2010)[2]. According to a report released by the research firm International Data Corporation (IDC) in October 2008, security concern was the most serious barrier to cloud adoption for organizations. Organizations rightfully worry about hidden costs associated with security breaches or lawsuits tied to data privacy restrictions (Zielinski 2009).

This paper argues that issues related to security and privacy in the cloud, while well documented, are only partially understood. The factors related to privacy and security issues of the cloud on which the paper focuses can be described by considering a broad approach to institutions, which defines the concept in terms of a game’s equilibrium. Three factors that determine equilibrium include:

i. Technologically determined external constraints;

ii. Humanly devised external constraints;

iii. Constraints developed within the pillars through patterns of behavior and the creation of expectations.

Cloud computing involves hosting applications on servers and delivering software and services via

the Internet. In the cloud computing model, companies can access computing power and resources

on the “cloud” and pay for services based on usage. Institutions are the “rules of the game” and

include “formal constraints (rules, laws, constitutions), informal constraints (norms of behavior,

conventions, and self-imposed codes of conduct), and their enforcement characteristics”.

2. HI-TECH AND RECOGNIZED ENVIRONMENT IN FRONT OF THE CLOUD

Issues revolving around privacy, and ownership and access to data raise interesting questions in the

cloud. As a visual aid, Figure 1 schematically represents how privacy and security issues in the

cloud are tightly linked to the institutional and technological environments.

We discuss the building blocks of the model in this section.

Various characteristics of the cloud affect organizations’ perceptions of confidentiality, integrity, and availability of the cloud (left part of Figure 1). Formal and informal institutions, on the other hand, affect perception of legitimacy and trustworthiness of the cloud (right part of Figure 1). Assessment of institutional and technological facilitators and inhibitors affects organizations’ adoption decisions (Figure 1).

Figure 1. Cloud Computing Model - Open Secure Architecture

Institutional actors’ responses lag behind the technological changes (Katyal 2001; Brenner 2004).

Moreover, institutional actors vary in their timing of responses. For instance, whereas trade and

professional associations and industry standard organizations are taking measures to respond to

security and privacy issues in the cloud, government agencies have been slow to adopt necessary

legislative, regulatory and other measures to monitor users and providers of the cloud.

2.1. TECHNOLOGICAL ENVIRONMENT

2.1.1. THE CLOUD’S NEWNESS AND UNIQUE VULNERABILITIES

The cloud’s newness and uniqueness present special problems. With the evolution and popularity of

virtualization technology, new bugs, vulnerabilities and security issues are being found

(Brynjolfsson et al. 2010). The cloud, however, is not a familiar terrain for most IT security

companies. A lack of mechanisms to guarantee security and privacy has been an uncomfortable

reality for many cloud providers.

With virtualization, one of the implementation models of cloud technology, it has been found that a user may be able to access sensitive portions of the provider’s infrastructure as well as resources of other client environments that are managed by the same cloud provider.

Figure 2. Cloud computing Layers according to Gartner, 2009.

Experts argue that such vulnerabilities could have more adverse impacts in the cloud than in on-premise computing (Owens 2010).

The cloud is also forensically challenging in the case of a data breach. For instance, some public

cloud systems may store and process data in different jurisdictions, which vary in terms of laws

related to security, privacy, data theft, data loss and intellectual property theft (McCafferty 2010).

Some organizations may encrypt their data before storing in the cloud.

2.1.2. NATURE OF THE ARCHITECTURE

Virtual and dynamic

The virtual and dynamic nature of the cloud computing architecture deserves mention. For one

thing, the shared and dynamic resources of the cloud such as CPU and networking reduce control

for the user and tend to pose new security issues not faced by on-premise computing. A related point

is that these characteristics of the cloud allow data and information to distribute widely across many

jurisdictions. The locations where data are stored may vary in laws regarding security, privacy, data

theft, and protection of intellectual property (McCafferty 2010).

Virtualization is the primary security mechanism in the cloud. Virtualization environments, despite their insulation from the customer, run on physical systems and are not necessarily bug-free.

Sophistication and complexity

The cloud’s security-related problems can also be linked to its sophisticated and complex architecture. In April 2010, U.S. and Canada-based researchers published a report on a sophisticated cyber-espionage network, which they referred to as the Shadow network. The targets included the Indian Ministry of Defense, the United Nations, and the Office of the Dalai Lama. The report noted: “Clouds provide criminals and espionage networks with convenient cover, tiered defenses, redundancy, cheap hosting and conveniently distributed command and control architectures” (IWMSF 2010).

Another problem concerns the cloud’s complexity. An important trend facilitated by the cloud is

social media, which are arguably “corporate security nightmare” (BBW 2010). In the Shadow case

noted above, the cyber-espionage network combined social networking and cloud platforms,

including those of Google, Baidu, Yahoo!, Twitter, Blogspot and blog.com with traditional

command and control servers (IWMSF 2010).

2.1.3. ATTRACTIVENESS AND VULNERABILITIES OF THE CLOUD AS A CYBERCRIME BULL

Earlier we mentioned that the cloud can provide low-cost security due to economies of scale. However, an unintended downside of cheap services is more security issues.

Value of data in the cloud

Target attractiveness depends on offenders’ perceptions of victims. Prior research indicates that

crime opportunity is a function of target attractiveness, which is measured in monetary or symbolic

value and portability (Clarke 1995). Target attractiveness is also related to accessibility, visibility,

ease of physical access, and lack of surveillance (Bottoms & Wiles 2002). Large companies’

networks offer more targets to hackers. Cloud suppliers, which often are bigger than their clients,

are attractive targets. The cloud thus offers a high “surface area of attack” (Talbot 2010). That is,

information stored in clouds is a potential goldmine for cyber-criminals (Kshetri 2010a). In late

2009, Google explained that the company discovered a China-originated attack on its

infrastructures. The company further noted that the attack was part of a larger operation, which

infiltrated infrastructures of at least 20 other large companies.

Criminal-controlled clouds

The cloud is potentially most vulnerable, especially when viewed against the backdrop of criminal-owned clouds operating in parallel. Just as diamond is the only material hard enough to cut diamond effectively, criminal-owned clouds may be employed to effectively steal data stored in clouds. The cloud may provide many of the same benefits to criminals as to legitimate businesses. The well-known Conficker virus, which reportedly controls 7 million computer systems at 230 regional and country top-level domains and has a bandwidth capacity of 28 terabits/second, is arguably the world’s biggest cloud and probably the most visible example of a criminal-owned cloud. Just like legitimate clouds, Conficker is available for rent. Cybercriminals can choose a location where they want to rent Conficker, pay according to the bandwidth they want, and choose an operating system (Mullins 2010).

2.2. INSTITUTIONAL ENVIRONMENT

Institutional theory is described as “a theory of legitimacy seeking” (Dickson et al., 2004, p. 81). To

gain legitimacy, organizations adopt behaviors irrespective of the effect on organizational efficiency

(Campbell 2004). Institutional influence on adoption decisions related to the cloud becomes an

admittedly complex process when providers and users of the cloud have to derive legitimacy from

multiple sources such as employees, clients, client customers, professional and trade associations

and governments.

Scott (2001) proposed three institutional pillars:

(i) Regulative;

(ii) Normative;

(iii) Cognitive.

These pillars relate to “legally sanctioned”, “morally governed” and “recognizable, taken-for-granted” behaviors respectively.

The cloud industry is undergoing a major technological upheaval. In such situations, for various

actors, the institutional context may not provide organizing templates, models for action, and

sources of legitimacy (Greenwood & Hinings 1993). In most cases, such changes create confusion

and uncertainty and produce an environment that lacks norms, templates, and models about

appropriate strategies and structures (Newman 2000). Existing institutions are hopelessly inadequate

and obsolete to deal with the security and privacy problems facing the cloud industry. For instance,

cloud computing has challenged traditional institutional arrangements and notions about auditing

and security.

2.2.1. THE NATURE OF REGULATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY

Regulative institutions consist of “explicit regulative processes: rule setting, monitoring, and sanctioning activities”. They include regulatory bodies, and organizations adhere to the rules so that they do not suffer the penalty for noncompliance.

Laws to deal with data on the cloud

The importance of regulative institutions such as laws, contracts and courts in the cloud industry

should be obvious if this industry is viewed against the backdrop of the current state of security

standards. In the absence of radical improvements in security technology, such institutions become

even more important.

The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to

the cloud technology development. Compliance frameworks such as SOX, HIPAA and PCI-DSS

(Payment Card Industry Data Security Standard) do not clearly define the guidelines and

requirements for data stored on the cloud (Bradley 2010). Cloud computing thus poses various

challenges and constraints for companies that have responsibilities to meet stringent compliance

related to these frameworks and reporting requirements for their data (McCafferty 2010; NW 2010).

The cloud has several important new and unique features, which create problems in writing

contracts. For instance, an analysis of the contracts between Google and Computer Sciences

Corporation (CSC) with the City of Los Angeles indicated several problems related to data breach

and indemnification of damages. Google was a CSC subcontractor in the arrangement. An attorney

analyzing the case noted that some of the complexity in the case would have been avoided if the

term "lost data" was defined more clearly in the contracts (NW 2010).

While some experts understandably argue that it would not be practical to hold cloud providers liable for everything, current regulations are heavily biased in favor of cloud providers. For instance, in the event of a data breach in the cloud, the client, not the vendor, may be legally responsible (Zielinski 2009). However, cloud providers are required to keep sensitive data belonging to a federal agency within the country. While Google Apps is FISMA certified for its government cloud, that is not necessarily the case for private industry (Brodkin 2010).

Regulatory overreach

There have been concerns about possible overreach by law enforcement agencies. The FBI's audits

indicated the possibility of “overreach” by the agency in accessing Internet users’ information

(Zittrain 2009).

For some analysts, the biggest concern has been the government’s increased ability to access business and consumer data and to censor, together with a lack of constitutional protections against these actions (Talbot 2010). The cloud is likely to make it easier for governments to spy on citizens. Governments worldwide, however, differ in their approach to and scale of web censorship and surveillance. In particular, the cloud is likely to provide authoritarian regimes a fertile ground for cyber-control activities.

2.2.2. THE NATURE OF NORMATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY

Normative components introduce “a prescriptive, evaluative, and obligatory dimension into social

life” (Scott 1995, p. 37). This component focuses on the values and norms held by individuals and

organizations that influence the functioning of the cloud industry. Practices that are consistent with

and take into account the different assumptions and value systems are likely to be successful

(Schneider 1999).

Professional associations’ measures

Compared to established industrial sectors, in nascent and formative sectors such as cloud

computing, there is no developed network of regulatory agencies. For instance, there are few, if any,

national or international legal precedents for the cloud industry (McCafferty 2010). As a

consequence, there is no stipulated template for organizing, and thus pressures for conformity are

less pronounced (Greenwood & Hinings 1996). In such settings, professional and trade associations

may emerge to play unique and important roles in shaping the industry (Kshetri & Dholakia 2009).

These associations’ norms, informal rules, and codes of behavior can create order, without the law’s

coercive power, by relying on a decentralized enforcement process where noncompliance is

penalized with social and economic sanctions (North 1990).

Various professional and trade associations are also constantly emerging and influencing security

and privacy issues in the cloud in new ways as a result of their expertise and interests in this issue. A

visible example is the Cloud Security Alliance (CSA) (www.cloudsecurityalliance.org), a group of

information security professionals. The CSA is working on a set of best practices as well as

information security standards for cloud providers (Crosman 2010).

Industry standards and certification programs

Some argue that industry standards organizations may address most of the user concerns related to

privacy and security in the cloud industry (Object Management Group 2009). Organizations such as

Object Management Group (OMG), the Distributed Management Task Force (DMTF), the Open

Grid Forum (OGF), and the Storage Networking Industry Association (SNIA) have made efforts to

address security and privacy concerns in the cloud industry (Wittow & Buller 2010).

There are no formal processes for auditing cloud platforms. Analysts argue that auditing standards to assess a service provider’s control over data (e.g., SAS 70) or other information security specifications (e.g., the International Organization for Standardization’s ISO 27001) are insufficient to address the unique security issues facing the cloud (Brodkin 2010). Note that these standards and specifications were not developed specifically for cloud computing.

2.2.3. THE NATURE OF COGNITIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY

Cognitive institutions are closely associated with culture (Jepperson, 1991). These components

represent culturally supported habits that influence cloud providers’ and

users’ behaviors. In most cases, they are based on subconsciously accepted rules and customs as

well as some taken-for-granted cultural account of cloud use (Berger & Luckmann 1967). Scott

(1995, p. 40) suggests that “cognitive elements constitute the nature of reality and the frames

through which meaning is made”. Cognitive programs are built on the mental maps of individual

cloud users and thus function primarily at the individual level (Huff 1990). Compliance in cognitive

legitimacy concerns is due to habits. Organizations and individuals may not even be aware that they

are complying.

Perception of vendor’s integrity and capability

Of particular concern is the users’ dependency on cloud vendors’ security assurances and practices. Cloud providers must guard against theft or denial-of-service attacks by users. Users need to be protected from one another (Armbrust et al. 2010). After several readings, inspections have shown that potential cloud adopters are concerned about the possibility that a service provider’s security might have ineffective or noncompliant controls, which may lead to vulnerabilities affecting the confidentiality, integrity, and availability of data (Wilshusen 2010). Organizations are also concerned that cloud providers may use insecure ways to delete data once services have been provided (Wilshusen 2010).

Admittedly, data theft, denial-of-service attacks by users, threats from other users, and bugs are not the only, and not the biggest, problems associated with the cloud. There is also a high degree of temptation for the cloud providers or their employees to engage in opportunistic behavior (Armbrust et al. 2010). The cloud thus may also increase organizations’ exposure and vulnerability to insider risks. Indeed, malicious insider risks are among the most important risks that cyberspace faces. According to a report released by the FBI in 2006, over 40% of attacks originate inside an organization (Regan 2006). Some have raised concerns that service providers do not conduct adequate background security investigations of their employees (Wilshusen 2010).

One fear has been that intellectual property and other sensitive information stored in the cloud

could be stolen. Worse still, cloud providers may not notify their clients about security breaches.

Evidence indicates that many businesses tend to underreport cybercrimes due to embarrassment,

concerns related to credibility and reputation damages and fears of stock price drops. Many of the

cyber-attacks go unnoticed or may go unnoticed for long periods of time. An organization’s data in

the cloud may be stolen but it may not ever be aware that such incidents had happened.

Cloud users’ inertia effects

It is quite possible that organizational inertia[1] may affect the lens through which users view security and privacy issues in the cloud. Organizational inertia may constrain a firm's ability to exploit emerging opportunities such as cloud computing. An inertia effect is likely to adversely influence an organization’s assessment of the cloud from the security and privacy standpoints.

Reduction in control is an obvious concern. Cloud users don’t have access to the hardware and other

resources that store and process their data. There is no physical control over data and information in

the cloud (Wilshusen, 2010). A case in point is Google. The company provides security and privacy

assurances to its Google Docs users unless the users publish them online or invite collaborators.

However, Google service agreements explicitly make it clear that the company provides no warranty

or bears no liability for harm in case of Google’s negligence to protect the privacy and security.

Just as vital is preference for localness. From the standpoint of security, most users prefer computing to be local. Organizations arguably ask: “who would trust their essential data out there somewhere?”

3. DISCUSSION

It is important to emphasize that the model presented in Figure 1 is dynamic in nature. We anticipate that the salience of each component of institutional and technological factors will vary across organizations as well as over time. For instance, barriers associated with newness and inertia effects are likely to decline over time. On the other hand, as the penetration level, width and depth of the cloud increase, it is likely to be a more attractive cybercrime target.

One implication of the dynamic aspects of the model is that institutions change over time in the cloud industry. The idea of an institutional field can be helpful in understanding this dynamic. A field is “formed around the issues that become important to the interests and objectives of specific collectives of organizations”. For a field formed around privacy and security in the cloud, these organizations include regulatory authorities, providers and users of the cloud as well as professional and trade associations. The “content, rhetoric, and dialogue” among these constituents influence the nature of the field formed around the security and privacy issues associated with the cloud.

An understanding of arbiters would provide important insight into the sources of institutional change in the cloud industry. Three categories of “arbiters” have been identified: social, legal, and economic. Much of the early evidence indicates that institutions in the cloud industry should rebalance towards a higher power of the users. Experts argue that courts (legal arbiters) are likely to take a “middle ground” and make providers liable for breach. The Electronic Privacy Information Center (EPIC) (a social arbiter) filed a complaint with the Federal Trade Commission (FTC) against Google’s cloud services. EPIC made the point that Google does not adequately safeguard users’ confidential information. It requested the FTC to open an investigation into Google’s cloud services[18] (Wittow & Buller 2010). Likewise, experts argue that market forces and consumer demands (economic arbiters) are likely to drive a lot of privacy changes in cloud computing (TR 2010).

3.1. MANAGERIAL AND POLICY IMPLICATIONS

The model presented in this paper also has implications for management practice and public policy. Most cloud providers’ services come with no assurance or promise of a given level of security and privacy. Cloud providers lack policies and practices related to privacy and security. Nor is that their only problem. Cloud providers have also demonstrated a tendency to reduce their liability by proposing contracts with the service provided “as is” with no warranty (McCafferty 2010). Perception of ineffectiveness or noncompliance of cloud providers may thus act as a roadblock to organizations’ cloud adoption decisions. In this regard, the above analysis indicates that security and privacy measures designed to reduce perceived risk, as well as transparency and clear communication processes, would create a competitive advantage for cloud providers.

The newness and uniqueness of the cloud often mean that clients would not know what to ask for in investment decisions. An understanding of the model would also help organizations take technological, behavioral and perceptual/attitudinal measures. The users of the cloud are functioning on the assumption that cloud providers take privacy and security issues seriously (Wittow & Buller 2010). However, against the backdrop of the institutional contexts, this may well be a convenient but possibly false assumption.

The model also leads to useful questions that need to be asked before making cloud related

investments. Given the institutional and technological environment, potential adopters should ask

tough questions to the vendor regarding certification from auditing and professional organizations

(e.g., AICPA), locations of the vendor’s data centers, and background check of the vendor’s

employees, etc.

The above analysis suggests that a “one size fits all” approach to the cloud cannot work. The model presented in Figure 1 would also help in making strategic decisions. For instance, organizations may have to make decisions concerning combinations of public and private clouds. The public cloud is effective for an organization handling high-transaction/low-security or low data value (e.g., sales force automation). The private cloud model, on the other hand, may be appropriate for enterprises that face significant risk from information exposure, such as financial institutions, health care providers or federal agencies. For instance, for medical-practice companies dealing with sensitive patient data, which are required to comply with the HIPAA rules, a private cloud may be appropriate.

In general, legal systems take a long time to change (Dempsey 2008). Regulative institutions related to liability and other issues in the cloud are not well developed. Cloud providers may feel pressures to obtain endorsements from professional societies.

AICPA’s endorsements have driven the diffusion of cloud applications among some CPA firms.

Today, accurately or not, businesses are concerned about issues such as privacy, availability, data

loss (e.g., shutting down of online storage sites), data mobility and ownership (e.g., availability of

data in usable form if the user discontinues the services). Cloud providers are criticized on the

ground that they do not answer questions and fail to give enough evidence to trust them. In this

regard, many of the user concerns can be addressed by becoming more transparent.

Since geographic dispersion of data is an important factor associated with cost and performance of

the cloud, an issue that deserves mention relates to regulatory arbitrage. Experts expect

countries to update their laws individually rather than act in a multilateral fashion (TR 2010).

Economies worldwide vary greatly in terms of the legal systems related to the cloud. Due to the

newness, jurisdictional arbitrage is higher for the cloud compared to the IT industry in general. In

this regard, critics are concerned that cloud providers may store sensitive information in jurisdictions

that have weak laws related to privacy, protection and availability of data (Edwards 2009).

Anecdotal evidence suggests that due to their increasingly important roles in national security, many high

technology sectors are characterized by a high degree of protectionism. The atmosphere of suspicion

and distrust among states can lead to such protectionism. To capture the feelings that accompany

intergovernmental distrust, consider the U.S.-China trade and investment policy relationship.

Chinese leaders are suspicious about possible cyber-attacks from the U.S. There has been a

deep-rooted perception among Chinese policy-makers that Microsoft and the U.S. government spy on

Chinese computer users through secret ‘back doors’ in Microsoft products. Chinese leaders thus may

be uncomfortable with the idea of storing data on clouds provided by foreign multinationals. U.S.

policy makers are equally concerned about Chinese technology firms’ internationalization. The

above analysis indicates that such concerns are likely to be even more prominent in cloud

computing.

Cyber-espionage has been an obvious application of the cloud. If there is any lesson that recent

major cyber-espionage activities teach, it is that countries with strong cyber-spying and cyber-

warfare capabilities such as China will be in a good position to exploit the cloud’s weaknesses for

such activities.

In view of the technological capabilities of extra-legal and illegal organizations, one area that

deserves attention is the escalation of economic and industrial espionage activities such as

intellectual property theft. There have been reports that U.S. government agencies such as the

Defense Department as well as private companies have been targets and victims of such activities24.

It is thus reasonable to expect that the cloud may enable an upgrade of these activities to industrial

espionage.

Nonetheless, security and privacy issues in the developing world need to be viewed in the context of

weak defense mechanisms of organizations. Information technology’s hollow diffusion concept can

be helpful in understanding a weak defense. Many companies in developing countries lack

technological and human resources to focus on security. Hollow diffusion can be human-related

(lack of skill and experience) or technology-related (inability and failure to use security products)

(Otis & Evans 2003). Especially for developing-world-based organizations that do not deal with

high-value and sensitive data, the cloud may provide low-cost security to address some of the

security-related human and technological issues.

Providers and users of the cloud face additional challenges in developing economies. Various

aspects of the institutional environment may weaken the cloud’s value proposition and discourage

investors. In many developing countries, factors such as corruption, the lack of transparency, and a

weak legal system can exacerbate security risks. The high-profile attacks on Google cloud allegedly

by China-based hackers in 2009 were an eye opener for the cloud industry.

A final issue that deserves mention relates to the impacts of clouds controlled by the developing

world players on security issues of industrialized countries. It is tempting for global cloud players to

use cheaper hosting services in developing countries. Cyber-criminals, however, find it more

attractive to target rich economies.

3.2. FUTURE RESEARCH

Before concluding, I suggest several potentially fruitful avenues for future research. Cloud-related

institutions are currently thin and dysfunctional. For instance, as noted above, privacy and security

issues of data stored on the cloud currently fall into a legally gray area. Future research might

examine how political, ethical, social and cultural factors are associated with security issues in cloud

computing.

Next, an empirical examination of core premises and propositions of the model presented by Figure

1 would be useful to advance the model's utility as a viable framework for studying the

technological and institutional drivers of the cloud industry. Such a study would shed light on the

relative importance of various components of the model in organizations’ cloud adoption decision.

Finally, future research might also explore antecedents of organizations’ cloud computing decisions

in terms of various technological dimensions of the country that motivate them to run on the cloud

despite inherent data control issues.

4. CONCLUSION AND COMMENDATIONS

CONCLUSION

Cloud computing has been defined as the management and provision of different resources,

such as software, applications and information, as services over the cloud (Internet) on demand.

Cloud computing is based on the assumption that the information can be quickly and easily accessed

via the net. With its ability to provide dynamically scalable access for users, and the ability to share

resources over the Internet, cloud computing has recently emerged as a promising hosting platform

that performs an intelligent usage of a collection of services, applications, information and

infrastructure comprised of pools of computers, networks, information and storage resources. Cloud

computing is a multi-tenant resource sharing platform, which allows different service providers to

deliver software as services in an economical way. Cloud computing is the latest technology

revolution in terms of usage and management of IT resources and services driven largely by

marketing and service offerings from the largest IT vendors including Google, IBM, Microsoft, and

HP along with Amazon and VMware.

However, along with these advantages, storing a large amount of data, including critical information,

on the cloud motivates highly skilled hackers, thus creating a need for security, which is considered

one of the top issues in cloud computing. The paper clarified the security model of

cloud computing, and then analyzed the feasibility, threats, and security pillars in cloud computing

in terms of extensive existing methods to control them along with their pros and cons. Furthermore,

the related open research problems and challenges were explored to promote the development of

cloud computing.

COMMENDATIONS

Virtualized resources in the cloud lower upfront investment and product development costs.

However, the low cost comes with a trade-off. The above analysis suggests that it is too simplistic to

view the cloud as low-cost security. Legitimate as well as illegitimate organizations and entities

are gaining access to data on the cloud through illegal, extralegal, and quasi-legal means. The

cloud’s diffusion and that of social media have been superimposed onto organizations’ rapid digitization

in a complex manner that allows cyber-criminals and cyber-espionage networks to exploit the

cloud’s weaknesses. The above analysis indicates that ensuring that both technological and

behavioral/perceptual factors are given equal consideration in the design and implementation of a

cloud network is thus crucial.

Existing institutions are subject to powerful environmental selection mechanisms (Gilson 2001).

Existing institutions are likely to be exposed and restructured to support a new set of beliefs and

actions and the rules are likely to be revised. New institutions and the redesign of existing

institutions are needed to confront emerging security and privacy problems in the cloud industry.

There is an indication that existing institutions related to the cloud are thickening. In this regard, the

war for the future of security and privacy issues in the cloud is just beginning. Tough analysts of

cloud security are gaining new credibility. For instance, a new way of auditing specifically designed

for the cloud industry is evolving. Overall, it is fair to say that privacy and security issues related to

the cloud industry are undergoing political, social, and psychological metamorphosis.

END NOTES:

1. Unsurprisingly the response of the cloud industry has been: “Clouds are more secure than

whatever you’re using now” (Talbot 2010).

2. John Chambers, the Cisco Systems chairman, called the cloud a “Security nightmare” that

“can’t be handled in traditional ways” (Talbot 2010).

3. Another IDC survey, conducted in early 2010, also ranked security concerns as the No. 1

barrier to cloud adoption (Del Nibletto 2010).

4. For instance, a Gartner analyst noted that it is difficult to know whether cloud providers’

practice of "Hiding the data in a million places" ensures good security, as there is no way to

evaluate such practice (Messmer 2010).

5. A leader of the cloud security team at the National Institute of Standards and Technology

(NIST) was quoted as saying: “Every customer has access to every knob and widget in that

application. If they have a single weakness, [an attacker may] have access to all the data”

(Talbot 2010).

6. Customers also have a range of options for the type of services to put in the Conficker such

as a denial-of-service attack, spreading malware, sending spam or data exfiltration.

7. The formation of regulative pillar is characterized by the establishment of legal and

regulatory infrastructures to deal with the cloud industry (Hoffman, 1999). A normative

institutional pillar is said to be established if rich and well developed ethical codes,

guidelines and traditions develop in the cloud industry. Likewise, a cognitive pillar related to

the cloud industry is established if cloud culture is developed that is considered as normal

practices.

8. North’s formal constraints can be mapped with Scott’s (1995, 2001) regulative pillar while

informal constraints can be mapped with normative and cognitive pillars.

9. These institutions focus on the pragmatic legitimacy concerns in managing the demands of

regulators and governments (Kelman 1987).

10. While companies have used the cloud for applications such as payroll and email services,

and other MIS, security has been the most often-cited barrier to cloud adoption for

applications involving sensitive information (Armbrust et al. 2010).

REFERENCES

Cloud Computing Explained: Implementation Handbook for Enterprises, Recursive Press, ISBN 0956355609, 2009

Hadoop, the Definitive Guide, O’Reilly Media, ISBN: 978-0-596-52197-4, 2010

Distributed and Cloud Computing, 1st edition, Morgan Kaufmann, 2011.

Clarke, R. V. (1995). Situational crime prevention. In M. Tonry & D. P. Farrington (Eds.), Building

a safer society. Strategic approaches to crime (pp. 91–150). University of Chicago Press.

Crosman, P. (2009). Securing The Clouds, Wall Street & Technology, December 1, p. 23.

Dean, T. J., & Meyer, G. D. (1996). Industry Environments and New Venture Formations in U.S.

Manufacturing: a Conceptual and Empirical Analysis of Demand Determinations. Journal of

Business Venturing, 11, 107-132.

Del Nibletto, P. (2010). The seven deadly sins of cloud computing, March 19, 2010, available at

http://www.itbusiness.ca/it/client/en/home/News.asp?id=56870. Accessed July 24, 2010.

Dempsey, P. J. (2008). Unprepared to fight worldwide cyber crime, available at

http://www.internetevolution.com/author.asp?section_id=593&doc_id=147027&piddl_msgid=154774#msg_154774.

Edwards, J. (2009). Cutting Through the Fog of Cloud Security. Computerworld, 43(8), 26-29.

ENISA. (2009). Cloud Computing: Benefits, risks and recommendations for information security.

European Network and Information Security Agency, November, available at

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport.

Guillén, M. F. & Suárez, S. L. (2005). Explaining the Global Digital Divide: Economic, Political

and Sociological Drivers of Cross-National Internet Use, Social Forces, 84(2): 681–708.

Hoffman, A. J. (1999). Institutional evolution and change: Environmentalism and the US chemical

industry. Academy of Management Journal, 42(4), 351–371.

Huff, A. S. (1990). Mapping strategic thought. In A. S. Huff (eds.). Mapping strategic thought

(pp.11–49). Chichester, England: Wiley.

IWMSF (Information Warfare Monitor/Shadowserver Foundation), Shadows In The Cloud:

Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver

Foundation, JR03-2010, April 6, 2010, available at

http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf. Accessed July 24, 2010.

Jepperson, R. (1991). Institutions, institutional effects, and institutionalism. In W. W. Powell & P. J.

DiMaggio (eds.). The new institutionalism in organizational analysis (pp. 143–163). Chicago:

University of Chicago Press.

Katyal, N. K. (2001). Criminal law in cyberspace. University of Pennsylvania Law Review, 149(4),

1003–1114.

Kshetri, N. (2007). The Adoption of E-Business by Organizations in China: An Institutional

Perspective, Electronic Markets, 17(2), 113-125

Kshetri, N. (2010a). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10),

47-55.

Kshetri, N. (2010b). The Global Cyber-crime Industry: Economic, Institutional and Strategic

Perspectives. New York, Berlin and Heidelberg: Springer-Verlag.

Larsen, E., & Lomi, A. (2002). Representing change: A system Model of organizational inertia and

capabilities as dynamic accumulation processes. Simulation Model Practice and Theory, 10(5), 271-296.

Martin, J. A. (2010). Should You Move Your Business to the Cloud?. PC World, Apr 2010,

28(4), 29-30.

Martínez-Cabrera, A. (2010). Security in the computing cloud a top concern, March 6,

2010, available at

http://articles.sfgate.com/2010-03-06/business/18378297_1_cyber-security-czar-howard-schmidt-qualys-rsa.

Messmer, E. (2010). Cloud computing providers working in secret. Network World, July

12, 2010, 27(13), 10-11.

Messmer, E. (2010). Secrecy of cloud computing providers raises IT

security risks, available at

http://www.mis-asia.com/news/articles/secrecy-of-cloud-computing-providers-raises-it-security-risks.

Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says

the biggest cloud providers are botnets, March 22, 2010, available at

http://www.networkworld.com/community/node/58829?t51hb. Accessed July 24, 2010.

NW (Network World). (2010). Inside the cloud security risk, 27(13), p. 11.

Newman, K. L. (2000). Organizational transformation during institutional upheaval.

Rogers, E. M. (1995). Diffusion of innovations. Fourth edition. New York: Free Press.

Schneider, A. (1999). US neo-conservatism: Cohort and cross-cultural perspective. The

International Journal of Sociology and Social Policy, 19(12), 56–86.

Scott, R. (1995). Institutions and organizations. Thousand Oaks, CA: Sage.

Scott, R. (2001). Institutions and organizations. Thousand Oaks, CA: Sage.

Scott, W. R., Ruef, M., Mendel, P. J., & Caronna, C. A. (2000). Institutional change and

healthcare organizations: From professional dominance to managed care. Chicago, IL: University of

Chicago Press.

Snidal, D. (1996). Political economy and international institutions. International Review of Law and

Economics, 16(1), 121–137.

Stewart, B. (2010). Apple Keeps iTunes Out of the Cloud. Information Today, Oct 2010, 27(9), 46-

46.

Sturdevant, C. (2010). Seeding security into the cloud. eWeek, March 15, 2010, 27(6), 38-38.

Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.

Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing

systems. Computer Law & Security Review, May 2010, 26(3), 304-308.

TR (Telecommunications Reports). (2010). Microsoft Urges Policymakers To Help Secure Cloud

Computing, 76(3), 18-19.

Tillery, S. (2010). How Safe Is the Cloud?, available at

http://www.baselinemag.com/c/a/Security/How-Safe-Is-the-Cloud-273226.

Vizard, M. (2010). Assessing the Risks of Cloud Computing, Oct 11, 2010, available at

http://www.itbusinessedge.com/cm/blogs/vizard/assessing-the-risks-of-cloud-computing/?cs=43712.

Wilshusen, G. C. (2010). Information Security Federal Guidance Needed to Address Control Issues

with Implementing Cloud Computing. GAO Reports, July 1, 2010, preceding pp. 1-48.

Wittow, M. H., & Buller, D. J. (2010). Cloud Computing: Emerging Legal Issues for Access to Data,

Anywhere, Anytime. Journal of Internet Law, Jul 2010, 14(1), 1-10.

Zielinski, D. (2009). Be Clear on Cloud Computing Contracts. HRMagazine, Nov, 54(11), 63-65.
