The growth of the phenomenon commonly known as Cloud Computing represents a fundamental change in how information technology (IT) solutions are developed, maintained, updated, scaled, deployed, expanded, along with settled for.
As most organisations require efficient ways to store and analyse the vast amount of information that they collect and produce, Cloud Computing as an enabler provides scalable resources and substantial financial advantages in the form of reduced operational expenditure. Nonetheless, if Cloud Computing is to achieve its potential, there needs to be a clear understanding of the various issues and challenges associated, both from the perspectives of the consumers and the providers of the technology.
Additionally, Cloud Computing has unveiled key enabling technologies such as hypervisors and virtual machines to develop an extraordinarily agile and dynamic computing ecosystem. These technologies, however, also result in a host of challenges and risks.
Furthermore, the substantial sharing of infrastructure and computing resources in a multitenant environment, particularly with users spanning different organisations and security needs, creates a ÔÇ£shared virtual environmentÔÇØ where users/organisations are no longer clearly divided by physical server racks and separate networks. Within a cloud, it is difficult to physically locate where the data is stored and how it is segregated. Thus, this paradigm raises a diverse range of privacy and security issues that must be considered. In this brief article, we recognise the critical challenges in Cloud Computing environments such as multi-tenancy, loss of controls and trust as the subject of our discussion.
PRIVACY STRATEGY FOR PERSONAL DATA
Any architectural considerations regarding data-privacy protections begin the moment the data is collected. Privacy issues must be addressed at all stages of the data lifecycle ÔÇö from collection to storage to analysis to action (not to mention the periods when data is no longer being used: archival, purging, and destruction). Meanwhile, all of the privacy controls in the world (and any information security built to protect them) are useless if administered to irresponsibly collected data. Protecting privacy means data must be handled responsibly at every step of the process that moves it from the initial point of collection to its ultimate home in a privacy-protected data store.
Corporate policymaking regarding information privacy has been primarily reactive in nature, in that, executives focus on information privacy issues only in response to a perceived external threat as (HJ Smith, 1994) brilliantly puts it in his book titled Managing Privacy: Information technology and corporate America. Meanwhiles, calls for voluntary adherence to industry privacy principles are common, as call for additional regulation of many industry practices. However, voluntary adherence in many industries has been at best sporadic (Culnan, 1993), which given rising concerns, may result in broad regulation of information privacy issues in the private sector.
I have no intention whatsoever to bore my beloved readers. If youÔÇÖve come thus far, please spare an extra minute. Alright, letÔÇÖs go.
The charity requires individuals to provide a range of personal information about themselves to conduct its business functions. The charity needs to ensure that clients are aware that their personal information has been/needs to be collected, why it has been/needs to be raised, where the data is stored and who has access to it.
The charity should take steps to ensure that personal information is protected from misuse, loss and inappropriate access and disclosure. Additional consideration should be given to the protection of sensitive personal information. Storage and security practices should apply to personal information stored in both ICT systems and paper files.
Should we have a Privacy Strategy statement for The Charity? This would be an encompassing statement that identifies the requirement for privacy given the data and the overall strategy. However, if it was left unchecked, that could reflect a lion blow. You know folks, privacy canÔÇÖt be bought for certain.
Cloud computing has touched every one of us recently. I wouldnÔÇÖt assume that all my readers host their own email servers in some spare room within their dwellings. If Gmail, iCloud, Hotmail, Yahoo, etc., happened to maintain your email account, consider buying them coffee. Because it is what constitutes Cloud.
If I were to describe t Computing, I would lazily dumb words such as it is on-demand nuggets, that only requires a quick microwave warming to make it eatable. But, as a Computer Scientist, IÔÇÖm at least obliged to serve more than nuggets. LetÔÇÖs go.
Rather than owning your own data centre, why donÔÇÖt you just rent one? ItÔÇÖs a sound great option to me. Oh, you might be questioning security. I sense that, and I appreciate it. But letÔÇÖs cover Cloud Security next time. Just stick with me on Cloud Privacy for now.
As I promised, my intentions werenÔÇÖt to bore you. But letÔÇÖs briefly dig in a bit further on what Cloud Computing is.
The definition of cloud computing according to the Nation Institute of Standard and Technology (NIST), (Mell & Grance, 2011): ÔÇ£Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.ÔÇØ. This definition describes cloud computing as having five characteristics, i.e., on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Although it is not disgustedly nuggets, letÔÇÖs explore it a bit further.
Cloud computing has emerged as a significant shift in how computing resources are deployed and consumed, both by individuals and enterprises. However, despite benefits such as reduced up-front investment, lower costs and more eco-friendly operation, a significant proportion of potential cloud customers are voicing misgivings concerning how security and privacy are handled in the cloud. This distrust has been further fuelled by media events, such as the PRISM scandal, which shows how difficult it can be to know to what extent our data is being monitored for legitimate or illegitimate purposes.
What Is Your Concern? Multitenancy or Data Breach? LetÔÇÖs take on the latter first.
An organisationÔÇÖs cloud-based data may have value to different parties for different reasons. For example, organised crime often seeks financial, health and personal information to carry out a range of fraudulent activities. Competitors and foreign nationals may be keenly interested in proprietary information, intellectual property, and trade secrets. Activists may want to expose information that can cause damage or embarrassment. Unauthorised insiders obtaining data within the cloud are a significant concern for organisations.
The risk of a data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers. A cloud environment is subject to the same threats as a traditional corporate network as well as new avenues of attack by way of shared resources, cloud provider personnel and their devices and third-party partners of the cloud provider.
Cloud providers are highly accessible, and the vast amount of data they host makes them an attractive target As Murugesan & Bojanova describe it.
LetÔÇÖs flip the coin to exposing some of the multi-tenancy and take a short drive, shall we?
Multi-tenancy is an architectural feature whereby a single instance of software runs on a SaaS vendorÔÇÖs servers, serving multiple client organisations. The software is designed to virtually partition its data and configuration so that each client organisation works with a customised virtual application instance. The cloud service model affects the security in the SaaS model, customers are users of multi-tenant applications developed by CSPs, it is likely that CSP stores personal data and even financial data in the cloud, and it is the responsibility of the CSP to secure the data. Ultimately, usage of the cloud is a question of trade-offs between security, privacy, compliance, costs and benefits. Trust is key to the adoption of SaaS, and transparency is an important mechanism. Furthermore, trust mechanisms need to be propagated right along the chain of service provision (Pearson & Benameur, 2010).
Software-as-a-Service (SaaS) Security Issues
Forgive me for being alarming. Now it is what we all hold in our pockets. If you guessed phone, you probably know what I mean or where IÔÇÖm coming from.
With SaaS, the burden of security lies with the cloud provider. In part, this is because of the degree of abstraction; the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control. Primarily because of the relatively lower degree of abstraction, IaaS provides greater tenant or customer control over security than do PaaS or SaaS. (Hashizume, Rosado, Fernández-Medina & Fernandez, 2013).
