Cloud Computing to Store Information
Abstract
Efficient solutions to store and analyze huge amount of information is the demand of many organizations and companies. Cloud service is the solution of many companies to store their data and information in easy and reliable way. Cloud computing allows its users to access huge amounts of data and use distributed computational resources via different interfaces. A major issue in information technology is data security and privacy. Cloud entities such as cloud service providers, users and business associates share the offered resources at diverse levels of technological operations. This paper will review some of the existing technologies and wide array of cloud security and privacy.
Chapter 1: Introduction to the study
Situation Analysis
Alvin Toffler in his book “The Third Wave” 1980, stated that the civilization has progressed in three waves so far: the first wave was agricultural societies, the second was the industrial age and the third is the information age. The third or the information age has brought a big change to human civilization which has a lot of sub-waves.
Pic: Sub waves within the information age
“Adaption of cloud computing is clearly a strategic direction for many companies. The convergence of inexpensive computing, pervasive mobility, and virtualization technologies has created a platform for more agile and cost-effective business applications and IT infrastructure. The cloud is forcing the novel and thoughtful application of security controls, creating a demand for best practices in the security program and governance regimes.”
For the efficient method for storing the information, analysis and general computer power, cloud computing has always been in a priority in today’s world of information and technology. Most of the companies, not only companies, cloud has been a first choice to store and save the data and information securely. Cloud computing is a budding and rapidly evolving technology with a lot of new aspects and capabilities. Big companies like Apple, Google, Microsoft, Intel have contributed a lot of their time and money in the process of developing and modifying the cloud computing to its finest level.
Cloud computing is based on business model in which resources are shared. Here, multiple users can use the same resource at the network level, host level and application level. Users pay for only the resources they actually use and for only the time they require them. Pay per service based cloud computing applications to process data is used by businesses of different models and sectors which is very efficient and economical too. 6some of the relevant technologies in cloud computing are: cloud access devices, browsers and thin clients, high-speed broadband access, data centers and server farms, storage devices.
There is a big deal of uncertainty about how security at all levels can be achieved as cloud computing represents a new computing model. Because of this uncertainty, it led the information executives to give the number one concern and priority in cloud computing to security. And side by side, the ability of cloud computing to address privacy regulations was also questioned. To protect the privacy of individuals’ information, today organizations are facing different numerous requirements. It is still not clear that if cloud computing model provides adequate protection of individuals’ information. Though cloud computing has been the hot cake in today’s world of technology, we cannot highly rely upon it when it comes to security and privacy. Technology has always been a matter of threat specially with cybercriminals and hackers. They pose a major threat to the large database and networks that are in the clouds. Today, data security has become more important using cloud computing at all levels.
Companies have been using cloud to save their data securely but at the same time hackers and cybercriminals are searching for new ways to hack the system and steal information from it. The attacks against big companies like Target data breaching in 2013, clearly shows the risk of data in the cloud. Hackers stole credit and debit card records from more than 40 million Target customers, as well as personal information like email and mailing addresses from some 70 million people. Target agreed to pay $10 million to settle a lawsuit brought by shoppers affected by the breach. Moreover, security breaches at health sector is of more risk and should be taken in attention in right time.
Cyberattackers gained access to the limited number of Banner Health Computer Services, including the servers that process payment card information where food and beverages are sold at the Phoenix-based health system in 2016. The number of affected patients, food beverage customers and providers, Banner health plan members and beneficiaries reached around 3.7 million.
Companies should take a conscious and right decision to make their data and storage secure as scold storage, big database and applications are more vulnerable to attacks and possess more threats. They need a dedicated team and resources to make it secure and maintain data privacy. In this paper, some information about cloud computing, advantages of using cloud based technology will be covered. The paper will include the cloud computing technology in government base, personal base and business based uses. Though cloud computing has benefits, it is also equally vulnerable ad has risk of the data being stolen. To understand proper mitigation to the exposure and liability to the risks of cloud based technology, all the users are responsible and it is their duty and responsibility to make their data secure in the cloud system.
Premise Statement
Cloud computing is a very useful, efficient and powerful tool for government, business and personal use. Though it is very efficient or easy, it also bears risks that requires the users’ attention to make it secure and maintain the privacy of their data in the cloud. The cloud based technologies are always vulnerable so that stakeholders should always remain vigilant against such security and privacy violations.
Key Definitions
Big Data: Extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions.
Business: An organization that exists to provide a service or product for money or profit.
Cloud: Computer resources, including processing and storage, pooled together via a network and available to end users as a resource or utility. An internet connection is not required to be considered a cloud architecture.
Computing: Processing, storing, communicating or otherwise using a computer or electronic device.
Cloud Application: Cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet.
Cloud computing: The practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
Data Protection: The process of safeguarding important information from corruption and/or loss.
Encryption: The process of converting information or data into a code, especially to prevent unauthorized access.
Government: Nation state or organization, bureau, agency, department, sponsored or funded by a nation state.
Inherently: An attribute of an item that exists within the item and cannot be removed without destroying it.
Multitenancy: Multiple virtual instances running on the same physical platform but appearing as different physical platforms to the end user.
Personal: Used by an individual for private applications.
Powerful: Providing an increased level of strength or capability.
Privacy: Data or information is only accessible to authorized individuals. Also the right to keep sensitive or personal information separate to prevent public consumption, viewing or exploitation.
Risk: Uncertainty created by vulnerabilities, threats. Or unplanned actions that can cause damage, loss, or failure of a task.
Security: Process, measure or actions taken to ensure the safety or protection of a network, network resource, or data. Security can be physical, such as a lock or hardened facility or software based such as a firewall or encryption system.
Stakeholders: Anybody involved in a process either directly or indirectly, who has a vested interest in a portion of that process.
Technology: Equipment, process or system designed to accomplish a task previously conducted by manual or more tedious methods.
Trust: Firm belief in the reliability, truth, ability, or strength of someone or something.
Vigilant: Cautious, alert and attentive
Virtualization: Allocating computing resources from a physical platform to simulate a separate in order to accomplish a specific task, such as run a separate instance of an operating system or application.
Study Limitations
- Limited time of only nine weeks is given to the student to perform whole research and prepare the paper and final presentation.
- Research is limited to second hand sources do the nine-week time constraint for paper and presentation preparation.
- More sources of information are limited to online sources, some books related to the topic and Webster Library.
- The student is from different background so has limited technical expertise with computers or network security.
Work Plan
Week 1 – First class where the templates for the paper was discussion.
Week 2 – The topic for the paper was submitted for approval. The topic research was conducted and the work began on premise development.
Week 3 – Situation Analysis, premise development, work plan, core course content, project constraints and limitation.
Week 4 – Topic Research continued
Week 5 – Research for chapter 2
Week 6 – Research for chapter 3
Week 7 – Key findings, conclusion, and recommendation
Week 8 – Presentation, work on abstract
Week 9 – Turn in Final paper to professor
Requirements of 6000
ITM 5000 Information Technology Management
This subject was a requisite one which aim was to provide a broad overview of major aspects of information technology. The main topics that were covered in the subjects were technical and managerial aspects of information technology and business impacts, including costs and benefits of technology in the marketplace. It also covered about the impacts of cloud computing to all the businesses and personal use.
MNGT 5590 Organizational Behavior
Strategic vision, decision making and organizational change models were covered in this subject. The subject emphasized in the importance of security and cloud computing to drive business to focus on preventative measures rather than reactionary measures.
BUSN 5200 Basic Finance for Managers
It was a transfer credit from Fontbonne University which covered the basics of financial disclosure statements and the sources of funding for business which also included instruments such as stocks and bonds. Companies need to be aware of the risks involved and the financial implications of security breaches and privacy lapses if they rely on cloud computing.
ITM 5200 Project Management of Information Technology
The tools, steps and certifications used by project management professionals to control information technology projects from initiation through retirement were covered. It also covered security and privacy controls in the scope of the project including project planning, scope development and control, resource allocation, project control and evaluation.
ITM 5300 Procurement and Contract Management for Information Technology
The skills necessary for the procurement and contract management for information technology was covered under this subject. The decisions to make vs buy, decision to outsource to a pay per use cloud computing based resource was also covered.
ITM 5400 System Analysis, Design and Implementation
The topics like lifecycle of an information technology system from identifying a need, through design, feasibility assessments, implementations, support and retirement were covered by this subject. All stakeholders should be accounted for the security and privacy concerns as cloud based systems are designed.
ITM 5600 Information and Communications Security
The technology, equipment, personnel and certifications related to information and communications security were covered in this subject. Companies need to have extensive recovery and continuity plans and must be prepared to execute them at a moment ‘s notice if they rely on cloud computing for business.
Chapter 2: Literature Review
Many people have done a number of studies and researches regarding the data security and privacy in cloud computing. As we all know that in information technology, data security and privacy in cloud has consistently been a major issue. It is more serious when it comes to cloud computing as the data is located in different places all around the globe. When it comes to cloud computing, data security and privacy protection are the two main factors to be considered. There are many other topics that are related to the cloud computing but data security and privacy protection has always been in focus as it is the important factor because of which they can build up the trust in the users or the clients. It has become the important and most prioritized topic in all the sectors like government, private companies, industries and businesses. It is relevant to both hardware and also software in the cloud architecture. This part of paper will be discussing about the existing research work related to the data security and the privacy protection strategies and techniques of the users in cloud computing.
Both applications and resources are delivered on demand over the internet as service in cloud computing. We need to be aware of the types of services that are offered, the way those services are delivered to those using the services, and the different types of people and groups that are involved with cloud services.
Cloud computing delivers computing software, platforms and infrastructures as services based on pay-as-you go models.
Fig: Categorization of Cloud Service Models and Features with examples
The service can be categorized in various ways as shown in the figure above: software as a service (Saas), platform as a service (PaaS) and infrastructure as a service (IaaS). This given model features NIST cloud service models that can be delivered to consumers using different models such as a private cloud, community cloud, public cloud or hybrid cloud.
There are seven main categories in which the activities of cloud provider can be divided: service deployment, resource abstraction, physical resources, service management, security and privacy. The security and privacy responsibilities of cloud providers include integrating solutions to ensure legitimate delivery of cloud services to the cloud consumers. The security and privacy features that are necessary for the activities of cloud providers are described in the following table.
Table: Security and privacy factors of the cloud providers
CIA Triad (confidentiality, integrity and availability)
Fig: The CIA Triad
Data Integrity
One of the most critical elements in any information system is data integrity. In general, protecting data from unauthorized deletion, modification, or fabrication is data integrity. Managing entity’s admittance and rights to specific enterprise resources ensures that valuable data and services are not abused, misappropriated or stolen. With a single database, it can be easily achieved in a standalone system. It is maintained through database constraints and transactions which is usually finished by a database management system in a standalone system. To control the access data, authorization is used. This mechanism works by a system determining what level of access a particular authenticated user should have to secure resources controlled by the system.
Preserving information integrity is data integrity in cloud system. Unauthorized users should not modify or steal the data. It is the basis to provide cloud computing service such as SaaS, PaaS, and IaaS. With the techniques like RAID-like strategies and digital signature, data integrity can be obtained. Having the large amount of data, entities and access points in a cloud environment, authorization is crucial in assuring that only authorized entities can interact with data. We can do that by avoiding the unauthorized access so that company can get more confidence in data integrity. Cloud computing providers are trusted to maintain data integrity and accuracy. However, it is always necessary to build the third-party supervision mechanism besides users and cloud service providers.
Data Confidentiality
Data confidentiality is very important for users to store and keep their data private or confidential in the cloud. To ensure data confidentiality, authentication and access control strategies are used. The data confidentiality, authentication, and access control issues in cloud computing could be addressed by increasing the cloud reliability and trustworthiness. Without the trust towards cloud providers and cloud storage, it is impossible for users to eliminate potential insider threat which can be dangerous for users to store their sensitive data in cloud directly.
Some of the strategies or techniques to keep data confidential can be:
- Homographic Encryption
Encryption is the solution of the problem. Encryption is used to ensure the confidentiality of data. It ensures that the cipher text algebraic operation results are consistent with the clear operation after encryption results.
- Encrypted Search and Database
Researchers turn to study applications of limited homographic encryption algorithm in the cloud environment as the homographic encryption is not sufficient. In-Memory database encryption was proposed for the privacy and security of sensitive data in untrusted cloud environment.
- Distributive Storage
It is also a good approach in the cloud environment. One option could be to store data in multiple clouds or cloud databases to ensure data integrity.
- Hybrid Technique
It is proposed for data confidentiality and integrity which uses both key sharing and authentication techniques.
- Data Concealment
It also can be used to keep data confidential in the cloud. This is the concept which was introduced for database security. This approach merges real data with the visual fake data to falsify the real data’s volume.
- Deletion Confirmation
The data could not be removed or deleted when users delete their data after the deletion confirmation. More than one copy exists in cloud for the security and convenience of data recovery so the issue is very serious. All the data are deleted at the same time if the users delete data after deletion confirmation.
Data Availability
When accidents such as hard disc damage, IDC fire and network failure occurs, the extent that user’s data can be used or recovered and how the user verify their data by techniques rather than depending on the credit guarantee by the cloud service provider alone is the data availability. The user should always be provided the data security, particularly data confidentiality and integrity by the cloud provider. The guarantee of data safety and explain jurisdiction of local laws to the clients also should be provided by the cloud vendor. Locating data can help users to increase their trust on the cloud.
Data Privacy
Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal them selectively. Data privacy, also called information privacy, is the aspect of information technology (IT) that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties. The privacy in cloud means when users visit the sensitive data, the cloud services can prevent potential adversary from inferring the user’s behavior by the user’s visit model.
Fig: Organization of data security and privacy in cloud computing
Service Abuse
Service abuse means that attackers can abuse the cloud service and acquire extra data or destroy the interests of other users. This may lead to increase in the cost of cloud service because of attackers. The consumption of the specific data by attackers may lead to the increment of the cost for cloud service payment.
Averting Attacks
Cloud systems should keep potential to averting the attacks like Denial of Services (Dos) as cloud computing facilitates huge amount of shared resources on the internet and they might be very delicate to be exposed. Some of the key points for ensuring security in cloud computing can be identity management, data recovery, and management, application architecture, trust, visibility and security in cloud confidentiality.
Identity Management
Cloud computing also increases the security threat when trusted third party is involved beside providing an avenue to use wide range of internet-based services. There might be the chance of heterogeneity of users by involving a trusted third party which can affect security on cloud. The use of a trusted third party independent approach for identity management to use identity data on untrusted hosts can be a possible solution to the problem. To prevent data leakage and privacy loss in the cloud, different levels of protections can be used.
Chapter 3:
Most of the businesses and organizations who plan surviving in the corporate world usually have a customer base to rely on for revenue. We have been observing that most of the organizations maintain the customer’s information which includes their addresses, phone numbers, SSN and even credit card information through cloud. So, securing the information and data is very important for the organizations. Many clients worry about their susceptibility to attack if their businesses’ crucial IT resources and information are outside firewall. Sensitive information in the context of cloud computing includes data from a wide range of different areas and disciplines.
Security Management in the Cloud
A large part of our network, system, applications and data will move under third-party provider control with the adoption of public cloud services, the islands or clouds of virtual perimeters is created by the cloud services delivery model as well as a security model with responsibilities shared between the customer and the cloud service provider. New security management challenges to the IT sector of organizations are brought because of this shared responsibility model. So, the first thing that the customer thinks before giving their information or data is how secured will their information be and next thing is what about maintaining their privacy.
Fig: Security management and monitoring scope
It is the responsibility of the cloud service provider to secure the shared infrastructure which includes routers, switches, load balancers, storage networks, DNS, directory services, firewalls and cloud API. The figure above highlights the layers, within a cloud service that are secured by the provider versus the customer. To perform a gap analysis on the cloud service capabilities is very important before signing up with any provider. This exercise should benchmark the cloud platform’s maturity, transparency, compliance with enterprise security standards (e.g. ISO 27001) and regulatory standards such as PCI DSS, HIPAA and SOX.
Public/Hybrid Cloud -Threats | Private Cloud -Threats | Mitigation | |
IaaS | · OWASP Top 10
· Data leakage (inadequate ACL) · Privilege escalation via management console misconfiguration · Exploiting VM weakness · DoS attack via API · Weak protection of privileged keys · VM Isolation failure |
· OWASP Top 10
· Data theft (insiders) · Privilege escalation via management console misconfiguration |
· Testing apps and API for OWASP Top 10 vulnerabilities
· Hardening of VM image · Security controls including encryption, multi-factor authentication, fine granular authorization, logging · Security automation – Automatic provisioning of firewall policies, privileged accounts, DNS, application identity (see patterns below) |
PaaS | [In addition to the above]
· Privilege escalation via API · Authorization weakness in platform services such as Message Queue, NoSQL, Blob services · Vulnerabilities in the run time engine resulting in tenant isolation failure |
[In addition to the above]
· Privilege escalation via API |
|
Table: Cloud Security Threats and Mitigation
Fig: Cloud Security Architecture-Plan.
Some of the best practices to mitigate risks to cloud services are as follows:
- Architect for security-as-a-service
- Implement sound identity, access management architecture and practice
- Leverage APIs to automate safeguards
- Always encrypt or mask sensitive data
- Do not rely on an IP address for authentication services
- Continuously monitor cloud services
Cloud security principles
Different enterprise or organization has different levels of risk tolerance which is demonstrated by the product development culture, IT service delivery models, new technology adoption, technology strategy and investments made in the area of security tools and capabilities. When a business unit within an enterprise decides to leverage SaaS for business benefits, the technology architecture should lend itself to support that model. Moreover, the technology architecture and principles should be aligned with the security architecture. Some of the principles for cloud security that an enterprise security architect needs to consider can be as follows:
- Data masking and encryption should be employed based on data sensitivity aligned with enterprise data classification standard.
- The principles of least privileges should be followed by services running in a cloud.
- Applications in a trusted zone should be deployed on authorized enterprise standard VM images.
- Isolation between various security zones should be guaranteed using layers of firewalls – Cloud firewall, hypervisor firewall, guest firewall and application container. Firewall policies in the cloud should comply with trust zone isolation standards based on data sensitivity.
- Existing enterprise security monitoring tools using an API should be integrated with security monitoring in the cloud.
- Data sensitivity aligned with enterprise data classification standard should be made base for data masking and encryption.
- Applications should use end-to-end transport level encryption (SSL, TLS, IPSEC) to secure data in transit between applications deployed in the cloud as well as to the enterprise.
- Industry standard VPN protocols such as SSH, SSL and IPSEC should be employed when deploying virtual private cloud (VPC).
Fig: Subset of the cloud security architecture pattern (published by open security architecture group
This pattern illustrates the actors (architect, end user, business manager, IT manager), interacting with systems (end point, cloud, applications hosted on the cloud, security services) and the controls employed to protect the actors and systems (access enforcement, DoS protection, boundary protection, cryptographic key & management, etc.). Let’s look at details communicated by the pattern.
Privacy
Data Privacy and information security are the different two terms. There is a common misconception that data privacy is a subset of information security. Personal information should be managed as part of the data used by the organization. It should be managed from the time the information is conceived through to its final disposition.
Fig: KPMG data life cycle
The components within each of these phases are:
Generation of the information
- Ownership: Who in the organization owns PII, and how is the ownership maintained if the organization uses cloud computing?
- Classification: How and when is PII classified? Are there limitations on the use of cloud computing for specific data classes?
- Governance: Is there a governance structure to ensure that PII is managed and protected through its life cycle, even when it is stored or processed in a cloud computing environment?
Use
- Internal versus external: Is PII used only within the collecting organization, or is it used outside the organization (e.g., in a public cloud)?
- Third party: Is the information shared with third parties (e.g., subcontractors or CSPs)?
- Appropriateness: Is the use of the information consistent with the purpose for which it was collected? Is the use within the cloud appropriate based on the commitments the organization made to the data subjects?
- Discovery/subpoena: Is the information managed in the cloud in a way that will enable the organization to comply with legal requirements in case of legal proceedings?
Transfer
- Public versus private networks: When information is transferred to a cloud is the organization using public networks, and is it protected appropriately? (PII should always be protected to address the risk level and legal requirements.)
- Encryption requirements: Is the PII encrypted? Some laws require that PII will be encrypted when transmitted via a public network (and this will be the case when the organization is using a public cloud).
- Access control: Are there appropriate access controls over PII when it is in the cloud?
Transformation
- Derivation: Are the original protection and use limitations maintained when data is transformed or further processed in the cloud?
- Aggregation: Is data in the cloud aggregated so that it is no longer related to an identifiable individual (and hence is no longer considered PII)?
- Integrity: Is the integrity of PII maintained when it is in the cloud?
Storage
- Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?
- Structured versus unstructured: How is the data stored to enable the organization to access and manage the data in the future?
- Integrity/availability/confidentiality: How are data integrity, availability, and confidentiality maintained in the cloud?
- Encryption: Several laws and regulations require that certain types of PII should be stored only when encrypted. Is this requirement supported by the CSP?
Archival
- Legal and compliance: PII may have specific requirements that dictate how long it should be stored and archived. Are these requirements supported by the CSP?
- Off-site considerations: Does the CSP provide the ability for long-term off-site storage that supports archival requirements?
- Media concerns: Is the information stored on media that will be accessible in the future? Is the information stored on portable media that may be more susceptible to loss? Who controls the media and what is the organization’s ability to recover such media from the CSP if needed?
- Retention: For how long will the data be retained by the CSP? Is the retention period consistent with the organization’s retention period?
Destruction
- Secure: Does the CSP destroy PII obtained by customers in a secure manner to avoid potential breach of the information?
- Complete: Is the information completely destroyed? Does the destruction completely erase the data, or can it be recovered?
US Laws and Regulations
To ensure users are in legal compliance, they may want to know more about American laws. In the United States, privacy and security are spread over different industry specific laws and regulations:
Health Insurance Portability and Accountability Act (HIPAA)
Under HIPAA’s Privacy Rule, an entity may not use or disclose protected health information unless as permitted or required by the Rule, or as authorized in writing by the individual affected. HIPAA’s Security Rule complements the Privacy Rule and deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. The Rule identifies various security standards for each of these types. Required specifications must be adopted and administered as dictated by the Rule.
The Gramm-Leach-Bliley Act (GLBA)
It has 2 key rules for “financial institutions” storing data in the cloud: The Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule requires institutions to notify each customer at the time the relationship is established and annually thereafter about the personal information about them collected, where that information is kept, with whom is shared, how is used, and how it is protected. The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company plans to protect clients’ nonpublic personal information.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) was jointly developed by Visa and MasterCard to simplify compliance for merchants and payment processors. It has 6 core areas and 12 requirements that cover best practices for perimeter security, data privacy, and layered security.
Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that protects student information collected by educational institutions and associated vendors. These institutions must have the student’s consent prior to disclosure of personal data including grades, enrollment status, or billing information. Protection of student information according to FERPA regulations is a key consideration in using cloud-based applications that handle student records. IT administrators must be aware of the information that is passed to a cloud network or application.
Chapter 4: Key Findings, Conclusions
Key Findings
In today’s world business and government are increasingly pushing towards the cloud computing model. It is because cloud computing offers many benefits including lower upfront capital expenditure of computing power, immediate access to business applications and software, and scalability for increasing or decreasing requirements. The cloud is an immense system of networks and layers with multiple models of ownership, points of entry, physical locations and stakeholders. Secure private cloud based storages, large databases, and applications are subject to numerous methods of attack from both nation states and independent threats. Before the industry and infrastructure were prepared to handle the sensitive information contained in medical records, the shift to electronic health care records occurred. Regardless of technological security measures and policies, human factors and errors pose a major threat to cloud security and privacy. Prior to the implementation, security and privacy aspects of cloud should be designed. Limiting the amount of sensitive data available in a cloud hinders the likelihood of privacy breach. Accountability for security and privacy in public cloud deployments cannot be delegated and remains an organizational obligation. As a consumer, we should always be aware before we give our vital information to any third party organizations or companies. Consumer as well as the companies should be aware about the security and privacy issues.
Conclusion
Cloud computing is a promising and emerging technology for next generation of IT applications. The barrier and hurdles toward the rapid growth of cloud computing are data security and privacy issues. The paper reviewed and discussed about the several security and privacy issues on data in the cloud. It also described several data and cloud computing key concepts and several security and privacy challenges. The results that are presented in the area of cloud security and privacy are based on cloud provider activities. Security and privacy factors that affect the activities of cloud providers in relation to legal processioning of consumer data were identified and reviewed.
Reducing processing cost and data storage is a mandatory requirement of any organizations, while most important tasks in all organizations for decision making is always the analysis of data and information. Until and unless the trust is not built between the service provider and consumers, no organizations will transfer their data or any information to the cloud. To attain highest level of data security in the cloud, researchers have proposed a number of techniques for data protection. However, there are still many gaps to be filled by making these techniques more effective. To make it acceptable by the cloud service consumers, more work is required in the area of cloud computing security and privacy.
Recommendations
- The sensitive information should not be stored unnecessarily in cloud and the personal exposure via the cloud should be limited in order to maintain privacy. Clouds are vulnerable to hacking regardless of privacy policies and access controls and regulations.
- I would recommend to do some research on the cloud before storing vital data and information in the cloud. Some research into the benefits of personal cloud applications and weighing those benefits against the inherent risks of storing information in a cloud architecture is recommended.
- For developing a cloud a cloud architecture, follow the NIST best practices. Fully plan and implement security and privacy controls before launching, understand cloud services, ensure the cloud meets organization security and privacy requirements and maintain accountability.
References
- Jerry Archer, CISO, Intuit
- D.H.Rakesh, R.R.Bhavsar, and A.S. Thorve, “Data security over cloud,” International Journal of Computer Applications, 2012
- F. Pagano and D. Pagano, “Using in-memory encrypted database on the cloud,” in Proceedings of the 1st IEEE International Workshop on Securing Services on the Cloud (IWSSC’11), September 2011