Cloud computing is an architecture engineered for providing computing services via the Internet. The key features of a cloud computing service are the presence of an on demand and pay per use usage facility to a pool of shared resources, namely networks, storage, servers, services and applications. It’s a completely Internet dependent technology where client data is stored and maintained in the data center of a cloud service provider like Google, Amazon, Salesforce.com and Microsoft etc. Nowadays, several industries like banking, healthcare and education are switching to cloud computing, as it has minimal infrastructural requirement and is highly efficient and mobile in its functioning.

The National Institute of Standards and Technology (NIST), defined cloud computing as follows: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

 

Essential Characteristics of Cloud Computing

On-demand self-service: A consumer can manually configure his requirements of server time and network usage, without requiring the assistance of service providers at each step of his usage.

Broad network access: A cloud-computing server can be accessed using the available network capabilities through standard mechanisms. That is, through the heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: The service provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to the consumer’s demand. There is a sense of location anonymity in which, the customer generally has no control or knowledge over the exact location of the host server. Examples of such resources include storage, processing, memory, network bandwidth, and virtual machines.

Rapid elasticity: The provision for rapidly responding to the increasing consumer demand, can be facilitated by the service provider, through this model.

Measured Service: Consumer’s resource usage can be monitored, controlled, and reported through this model.1

Software-as-a-Service (SaaS): SaaS can be described as a process by which Application Service Provider (ASP) provides different software applications over the Internet. This helps in eliminating the need for installing and operating the application on one’s own computer and also eliminates the tremendous load of software maintenance, continuing operation, safeguarding and support.2 The SaaS vendor automatically assumes the responsibility for deploying and managing the IT infrastructure (servers, operating system software, databases, data center space, network access, power and cooling, etc) and processes (infrastructure patches/upgrades, application patches/upgrades, backups, etc.) required to run and manage the full solution. The SaaS, features a complete application offered as a service on demand. Examples of SaaS include: Salesforce.com, Google Apps.

Cloud Platform as a Service (PaaS): PaaS is the delivery of a computing platform and solution stack as a service without software downloads or installation for developers, IT managers or end-users. It provides an infrastructure with a high level of integration in order to implement and test cloud applications. The user does not manage the infrastructure (including network, servers, operating systems and storage), but he controls the deployed applications and, possibly, their configurations. Examples of PaaS include: Force.com, Google App Engine and Microsoft Azure.

Cloud Infrastructure as a Service (IaaS): It refers to the sharing of the hardware to make resources such as servers, network and storage more readily accessible by applications and operating systems. It primarily makes use of the Application Programming Interface (API) for interaction between the hosts, switches and routers along with the capability of adding new equipment in a simple and transparent manner. In general, the user does not manage the underlying hardware in the cloud infrastructure, but he controls the operating systems, storage and the deployed applications. The service provider owns the equipment and is responsible for housing, running and maintaining it. A client typically pays on a per-use basis. Examples of IaaS include: Amazon Elastic Cloud Computing (EC2), Amazon S3, GoGrid.

 

The Cloud Computing Entities

Cloud providers and consumers are the two main entities in the business market. But, service brokers and resellers are the two more emerging service level entities in the Cloud world. These are discussed as follows:

Cloud Providers: Includes Internet service providers, telecommunications companies, and large business process outsourcers that provide either the media (Internet connections) or infrastructure (hosted data centers) that enable consumers to access cloud services. Service providers may also include systems integrators, that build and support data centers hosting private clouds and they offer different services (e.g., SaaS, PaaS, IaaS, and etc.) to the consumers, the service brokers or resellers.3

Cloud Service Brokers: This includes technology consultants, business professionals, service organizations, registered brokers and agents, and influencers that help guide consumers in the selection of cloud computing solutions. Service brokers concentrate on the negotiation of the relationships between consumers and providers without owning or managing the whole Cloud infrastructure. Moreover, they add extra services on top of a Cloud provider’s infrastructure to make up the user’s Cloud environment.

Cloud Resellers: Resellers can become an important factor of the Cloud market when the Cloud providers will expand their business across continents. Cloud providers may choose local IT consultancy firms or resellers of their existing products to act as “resellers” for their Cloud-based products in a particular region.

Cloud Consumers: End users belong to the category of Cloud consumers. However, also Cloud service brokers and resellers can belong to this category as soon as they are also customers of another Cloud provider, broker or reseller.4

 

Security Concerns In The Cloud

Cloud computing comes with numerous possibilities and challenges. Of the challenges, data security and data location5 are considered to be a critical barrier in path of its success.6 Although location transparency is one of the prominent flexibilities in cloud computing, however not knowing the specific location of data storage, is a serious concern.7

In terms of customer’s personal or business data security, the strategic policies of the cloud service providers are of highest significance.8 Another concern is trust, which raises the issue of credibility of the cloud service,9 for the reason that it’s directly related to the credibility and authenticity of the cloud service providers. Developing a trust in cloud computing, might be dependent on a number of factors among which are, automation management, human factors, processes and policies.10

All kinds of attacks that are applicable to a computer network and data transmission are equally applicable to all cloud based services. Some threats in this category are man-in-the-middle attack, phishing, eavesdropping, sniffing and other similar attacks. DDoS (Distributed Denial of Service) attack is also one of the common cloud computing attacks.11 The security of the virtual machine will define the integrity and level of security of a cloud environment to a greater extent.12

The techniques of accounting and authentication, as well as using encryption, falls within the practice of safe computing, which can be well considered as a part of the security concerns of cloud computing.13

However, it is important to distinguish between risk and security concerns in this regard. Other examples of business risks of cloud computing could be licensing issues, service unavailability, provider’s business discontinuity that do not fall within the security concerns from a technical viewpoint. Also like any other network scenario, the provision of insider-attack remains as a valid threat for cloud computing. Any security tools or other kinds of software used in a cloud environment might have security loopholes, which in turn would pose security risks to the cloud infrastructure itself. The problems with third party APIs as well as spammers are also a threat to the cloud environment.14

As cloud computing normally means using public networks and subsequently putting the transmitted data visible to the world, cyber attacks in any form are anticipated in cloud computing. The modus operandi of cloud computing has made it prone to both information security and network security threats.15 Also a third party relationship might emerge as a risk for the cloud environment along with other security threats inherent in infrastructural and virtual machine aspects. Factors like software bugs, social engineering, human errors make the security for the cloud a dynamically challenging one. The issue of intrusion detection is also one of the most important network monitoring techniques to reduce security risks. If the contemporary IDSs (Intrusion Detection Systems) are inefficient, the resultant consequence might be an undetected security breach for the cloud environment.

The facets from which the security threat might be introduced into a cloud environment are numerous ranging from database, virtual servers, and network to operating systems, load balancing, memory management and concurrency control. Data segregation and session hijacking are two potential and unavoidable security threats for the cloud users. The issue of privacy and its underlying concept in cloud computing might significantly vary in different regions and thus it may lead to security breach for cloud services in specific contexts and scenarios. Besides, multi-tenancy model is also an aspect that needs to be given attention. Also, security in the data-centres of cloud service providers, are also a cause of concern, as a single physical server would hold many clients’ data making it a common shared platform in terms of physical server or operating system. The storage security at the cloud service providers data centres are also directly linked with the security of the cloud services. Therefore, threats to a cloud infrastructure are applicable both to the data as well as the infrastructure.

Similarly, the different modes of data transfer and communication means (e.g. satellite communication) also needs to be taken into account. Huge amounts of data transfer along with the communication technology used and the security concerns of the adapted communication technology also becomes a security concern for the cloud computing approach. Therefore, the broadcast nature of some communication technology is a core concern in this regard. Also, the arbitrary intermittent intrusion needs to be taken into account. Some authors have argued that using Internet technologies is not a must for cloud computing but the cost efficiency and globalization trends will enforce and motivate almost all the businesses to admit the Internet and its associated technologies to be the ultimate means towards the cloud computing approach.

The wide transition to mobile computing practices in recent years has made it imperative to include mobile computing and its associated technologies as an essential part of cloud computing. Resource scarcity, as well as other constraints of mobile computing poses a barrier to cloud computing. The demand of huge data processing is a problem for mobile end-user devices which has been further complemented by the security concerns of mobile cloud computing. For mobile cloud computing, the device level limitations has inspired researchers to suggest the inclusion of another level of cloud termed as ‘mobile cloud’ to aid the processing of the specific computing and processing for mobile computing devices. The hierarchical arrangement of cloud computing, facilitates the different level of extensibility for the cloud users with varying degree of associated security issues. Thus, using cloud products or services may lead to security concerns for the consumers if they are not well aware with the type and particulars of the products or services they are procuring or using in a cloud environment.16

 

  1. Rajesh Piplode and Umesh Kumar Singh, “An overview and study of security issues and challenges in Cloud Computing,” International Journal of Advanced Research in Computer Science and Software Engineering, Vol. 1, No. 2, December 2011
  2. R. L Grossman, “The Case for Cloud Computing,” IT Professional, Vol. 11(2), pp. 23-27, 2009.
  3. Pring et al., “Forecast: Sizing the cloud; understanding the opportunities in cloud services,” Gartner Inc. Tech. Rep (2009), G00166525
  4. Aman Bakshi, Yogesh B. Dujodwala, “Securing cloud from DDoS Attacks using Intrusion Detection System in Virtual Machine,” {ICCSN ’10 Proceeding of the 2010 Second International Conference on Communication Software and networks}, IEEE Computer Society USA (2010), 260-64.
  5. Teneyuca D., “Internet Cloud Security: The illusion of inclusion,” Information Security Technical Report 16 (2011): 102-07, doi:10.1016/j.istr.2011.08.005.
  6. Khorshed T.M., Ali A.B.M.S and Wasimi, S.A., “A Survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in Cloud computing,” Future Generation Computer Systems 28 (2012): 833-851, doi:10.1016/j.future.2012.01.006
  7. Joint A., Baker E. and Eccles E., “Hey, you get off of that cloud?,” Computer Law & Security Review 25 (2009) : 270-74, doi:10.1016/j.clsr. 2009.03.001.
  8. Joint, A. and Baker, E., “Knowing the past to understand the present issues in the contracting for Cloud based Services,” Computer Law and Security Review 27 (2011): 407-15, doi:10.1016/j.clsr. 2011.05.002
  9. Ryan, P. and Falvey, S. (2012), “Trust in the Clouds,” Computer Law and Security Reviews 28 (2012): 513-21. http://dx.doi.org.10.1016/j.clsr.2012.07.002
  10. Abbadi I.M. and Martin A, “Trust in the Cloud,” Information Security Technical Report 16 (2011): 108-14. doi:10.1016/j.istr.2011.08.006.
  11. Chen D and Zhao H, “Data Security and Privacy Protection Issues in Cloud Computing,” International Conference on Computer Science and Electronics Engineering (2012), 647-51, doi:10.1109/ICCSEE.2012.193
  12. Rashmi, Sahoo G. and Mehfuz, S., “Securing Software as a Service Model of Cloud Computing: Issues and Solutions,” International Journal on Cloud Computing: Services and Architecture 3(4) (2013): 1-11. Doi: 10.5121/ijccsa.2013.3401.
  13. Lee K., “Security Threats in Cloud Computing Environments,” International Journal of Security and its Applications 6(4) (2012), 23-32.
  14. Bisong, A. and Rahman S.S.M., “An Overview of the Security Concerns in Enterprise Cloud Computing,” International Journal of Network Security and Its Applications 3(1) (2011), 30-45, doi:10.5121/ijnsa.2011.3103
  15. Qaisar S. and Khawaja K.F., “Cloud Computing: Network/Security Threats and Countermeasures,” Interdisciplinary Journal of Contemporary Research in Business 3(9) (2012), 1323-29.
  16. Svantesson D. and Clarke R., “Privacy and consumer risks in cloud computing”, Computer Law & Security Review 26 (2010), 391-397, doi:10.1016/j.clsr.2010.05.005.

Posted by Digvijay Dam

Digvijay is currently a student of law at the Gujarat National Law University. A researcher at heart, he keeps writing for many reputed journals.

Leave a Reply