Cloud Computing and Data Security

Last reviewed: October 19, 2011

Cloud computing service providers have made their systems so inexpensive to use and easy to access, that there is little reason that companies should not be exploring this option for providing data and services. -- Roger Smith, 2009a

Businesses utilize Information Technology (IT) such as computer hardware and software to run their operations. Even small companies such as a local gift shop have at least one computer that runs accounting or point of service applications. In today's economy, it is not uncommon to find businesses in virtually every industry utilizing complex IT hardware and software. There are many examples of IT business applications and hardware. Salesmen use customer relationship management systems to manage interactions with their customers. They may also use applications that identify sales leads to help generate potential new sources of revenue. All of these activities are done with a computer or mobile device. Logistics departments utilize software that automatically matches open orders ready for shipment with the cheapest available carrier. Plant managers monitor and tweak their production lines using software specifically designed for manufacturing. Analysts uncover important trends and business insights through business intelligence applications, which pull information from company databases stored on locally owned and maintained servers (Slabeva 2010, 47).

Information technology is vital in helping businesses reduce costs and generate more revenue. In today's highly competitive and increasingly globalized economy, IT hardware and software make it possible to reduce costs. This cost reduction is obtained through automating and increasing the efficiency of tasks, including customer billing and product development. Businesses using IT solutions can increase revenues through business analysis and customer service applications. These businesses may also use marketing options associated with Web applications to increase revenue. In many cases, in a given industry, the company with the best IT hardware and software has the advantage over its competitors in efficiency and opportunities for revenue. It may have access to technology that its competitors do not, or it may utilize the technology that it and its competitors both have more effectively to create the advantage (Armbrust et al. 2009, 14).

Harnessing the potential benefits that can be achieved through the informed and meaningful use of information technology is now important for all businesses. However, it can be expensive if significant hardware is required, and this can be an obstacle for smaller companies (Talbert 2011). For example, a large and small shipping company may want to invest in third party sales forecasting software. The software may require investment in expensive software volume licenses, new servers/computers, or IT personnel (Buyya, Yeo & Venugopal 2008, 1). For the large company, finding the money for this is less of a problem than it is for the smaller company. They may even have additional server space, computers, and IT resources already available to handle the implementation of the new software. The smaller company may not have money available to invest in the software, computers, servers, and IT resources necessary to successfully implement the forecasting software (Slabeva 2010, 50).

Currently, the software and servers a business implements must exist close to its client computers to maximize the efficiency of application execution (Armbrust et al., 2009). This paradigm is what makes investment in information technology expensive for businesses. All of the software on the client machine in an organization must be installed and updated individually, requiring investment in IT human resources to carry out these responsibilities (Buyya, Yeo & Venugopal 2008, 1). In addition, departments using intricate software may need to invest in high-performance, high-cost computers in order for the software to run properly. Moreover, as this software improves and grows more complex over time, investment in new hardware to replace old, outdated computers may be necessary. Furthermore, business data must be stored on physical servers that require heavy investment to purchase and maintain (Armbrust et al. 2009, 3).

The current information technology paradigm used by most businesses today involves having all hardware, software, and data storage close to the place of business. While this paradigm is currently pervasive, it is predicted that in the not-so-distant future, businesses will rapidly shift to cloud computing. Cloud computing can be understood as a model of operations in which computing is viewed as a service instead of a product. In this paradigm, information, software, and data storage are provided to computers and other technology devices as a service. This can be conceptualized as similar to the way electricity is provided to a number of clients over a grid that can be used in many different ways (Armbrust et al. 2009, 12). These services are most commonly provided over the Internet. In the cloud computing model, software and hardware exist as services shared by many companies. Software in the cloud can be accessed by companies through lightweight front-end applications such as a simple web browser, and the majority of the processing of these applications occurs on the third party providers' machines. All of this is predicted to yield reduced costs for businesses through increased technology upward and downward scalability options, cheaper client hardware, and reduced IT human capital cost. In addition, the cloud computing model provides for more rapid updating of technology for businesses. It also increases software availability on various operating systems and mobile devices (Harding 2011, 38, 42-44).

As cloud computing matures, businesses are more likely to invest in cloud-based technologies such as remote data storage, because of the significant cost reductions and technology advantages that are associated with storing data on remote servers operated by third parties (Armbrust et al. 2009, 12). Many companies, though, are wary of various issues that are inherent in cloud computing such as data security, auditability, and availability. Notwithstanding these potential constraints and threats, it is the thesis of this paper that the uploading and downloading of information into the cloud are currently well protected and safe from data abuse provided certain steps are followed. Furthermore, data in the cloud is also likely to be safe, and these types of concerns should not serve as a deterrent for businesses to use the cloud in this manner. Additional research needs to be done on the safety level of data storage in the cloud. This paper puts forth suggestions for possible research in this area as discussed further in the literature review below.

Literature Review

Background and Overview

As the inexorable march towards pervasive computing continues, computers and wireless devices are becoming smaller and the number of online services that are available continues to proliferate. This shift from on-site computing to Web-based computing is cited by Smith who reports, "Pioneers like Google offer a future driven by online services in which the average consumer needs a less powerful personal computer, not a more powerful one. They suggest that all of the computational, storage, and networking power that you need will reside in 'the cloud'" (2009b, 9). Although there is no universally recognized definition for the term "cloud computing" (Brown 2011, 2), some salient examples from the peer-reviewed literature include the following:

1. "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of computing resources, including servers, data storage and applications and services" (Brown 2011, 2).

2. "In essence, [cloud computing] is a means of renting computers, storage and network capacity on an hourly basis from some company that already has these resources in its own data center and can make them available to you and your customers via the Internet" (Smith 2009a, 66).

3. "Cloud computing is an approach that places application processing and storage in network-based data centers, rather than in end-user devices such as personal computers" (Werbach 2011, 1762).

4. "The easiest way to think about cloud computing is as doing business on the Web, therefore eliminating the need for in-house technology infrastructure -- servers and software to purchase, run and maintain. Unlike traditional software, which is distributed and deployed on-premise, cloud applications are designed for Web deployment. They are multitenant (delivered by one vendor to many customers), and users share processing power and space that is managed by the vendor" (Defelice 2010, 50).

5. "Cloud computing is maintaining data, applications and programs on a remote server that can be accessed through many devices, such as desktop computers, netbooks or smartphones" (Salow, Meier & Goodwin 2011, 43).

6. "A cloud computing delivery method is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand" (Mauro 2010, 24).

Gozzi provides a more straightforward definition of cloud computing: "Cloud computing involves sending your computing tasks away from your computer, to a cloud of computers that will send back results. Or perhaps the cloud will house applications, so you do not need to have them on your computer" (2010, 119). Irrespective of the precise definition used, it is apparent that the growth and interest in cloud computing has been significant. One industry observer suggests that, "It is pretty much a given that the use of outsourced services delivered over the internet, as opposed to maintaining software and other infrastructure in-house, will grab hold of business. It's a tidal wave that's going to engulf us all within the next five years. Cloud services will be a $160 billion industry by the end of 2011" (Ginovsky 2011, 21).

Although the decision to transition from a traditional approach to cloud computing will depend on each organization's unique circumstances, a number of general benefits have been cited for those companies that have made the partial or complete transition to cloud computing, including the following:

1. It reduces cost in the organization.

2. It does not require additional hardware.

3. It does not require additional resources.

4. Time to market is quicker.

5. It is a way to implement cutting-edge technology without the cost that is associated with it (Ginovsky 2011, 21).

Other authorities have also weighed in on the benefits that can be attained by switching to cloud computing, with some of the potential benefits that can accrue to its deployment including those set forth in Table 1 below.

Table 1

Potential Benefits of Switching to a Cloud Computing Environment

| Benefit | Description |
| --- | --- |
| Quick implementation process | Most vendors claim their applications can be up and running in a few minutes because there is no software to install. The implementation process also is easier for companies with multiple locations or remote workers to all have access to the same version of the application simultaneously. |
| Anytime access from anywhere with an Internet connection | Includes the ability for employees to work remotely. |
| Lower upfront costs | Rather than paying a license fee and for annual maintenance, most cloud-computing models allow users to pay as they go (usually monthly, though some require annual contracts). They can pay per user and easily add more users. Vendors can offer their products at a lower cost in this situation because their systems are built to allow several customers to share infrastructure (both servers and storage areas) in a way that is transparent to users and does not allow those customers access to each other's data. It may be difficult to conduct a cost comparison of doing business on-premise vs. in the cloud unless a company has moved all its business off-premise. Some companies may outsource services such as their e-mail and/or infrastructure support, but still manage their core applications. Upfront costs include the cost of hardware and IT employees that are no longer required to remain in-house. |
| Little or no hardware or maintenance costs | The vendor has responsibility for maintaining the software and servers. In an on-premise environment, the customer pays for the hardware, storage space and IT personnel to maintain the system in addition to the software. In a cloud environment, the vendor fronts those costs, so a larger percentage of the total cost of ownership by the customer shifts away from hardware and people and toward software. Some industry analysts estimate the break-even point of leasing vs. buying the software at about three years. |

Source: Defelice 2010, 51

While the experiences of any given business will likely differ, many industry analysts suggest that a primary benefit of switching to cloud computing relates to cost savings. Even though it takes about 3 years for the average enterprise to recoup its initial investment in the switching costs to cloud computing, the increased efficiency and other benefits that have been shown to accrue to cloud computing make the investment worthwhile over the long term (Defelice 2010, 52). The decision to make a partial or complete transition to cloud computing also requires a careful assessment of a company's unique circumstances, but some general factors that should be taken into account on a case-by-case basis include the following:

1. Reduced support costs. Rather than having to employ in-house experts for product support, the vendor typically provides support directly for the customer.

2. Reallocation of resources. IT staff can be reallocated for more strategic projects, rather than spending time on system upgrades and maintenance.

3. Easier and more regular upgrades. Vendors can regularly tweak their products. In many cases, those enhancements are made automatically in the background without disrupting the customer's work. Most vendors provide advance notice to alert customers about the changes and give them the option of when to turn new features on or off, if they don't like them or aren't ready to upgrade.

4. Disaster recovery and backup capabilities. One of the costs incurred by customers who keep their data on-premise is backing up their data, typically via tape or by contracting a third-party backup provider. This is another area covered by the vendor in a cloud environment. Often vendors have redundant backup systems so that customer data is replicated in a separate data center in case of fire, flood or other disaster. The infrastructure is "self-healing" so that when a failure occurs and the backup becomes the primary source of information, the system launches a new backup instance of the data (Defelice 2010, 52).

Not surprisingly, as more and more experience is gained with cloud computing, an increasingly wider array of applications is becoming available for this technology. In this regard, Werbach reports that, "For example, instead of running local email applications and downloading mail from an ISP to their own hard drives, users can access email through Google's Gmail, a web-based service that stores messages on Google's own Internet-based servers. Instead of running a sales force automation package locally, a salesperson can log into Salesforce.com and access contact and sales pipeline information over the Internet" (2011, 1762).

Other recent trends in cloud computing include those identified in a recent study by DeFelice (2010):

1. An increasing number of applications are available in the cloud. These include, but are not limited to, bill management, enterprise resource planning applications, payroll, sales tax, tax preparation and workflow.

2. Worldwide, revenue from "cloud computing" services is forecast to reach $68.3 billion in 2010, according to analyst firm Gartner Inc.

3. The cloud services industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion, with the financial services and manufacturing industries being the largest early adopters of cloud services.

4. Benefits of working in the cloud include quick implementation, anytime access, lower upfront and maintenance costs, and easier and more frequent updates.

5. Security and reliability remain top concerns for switching to a cloud environment. There are several questions that should be considered before making an investment in these products to ensure these concerns are minimized (Defelice 2010, 50).

In fact, the cloud computing industry has already reached the $70 billion mark, representing a substantial 16.6% increase over 2009 revenues and all signs predict future consistent growth causing a concomitant increase in concerns over security (Defelice 2010, 50). Although there is no universal definition for cloud computing, there is a growing consensus that the increased use of cloud computing demands increased scrutiny of the potential risks that are associated with this alternative (Werbach 2011, 1762) and these issues are discussed further below.

Risks Associated with Cloud Computing

While all cloud computing applications and their specific potential benefits differ, they all share the common issue of risk. In this regard, Ginovsky emphasizes that, "The current hot topic in business technology is software as a service, or some other form of cloud computing. They all represent leaps forward in productivity, capability and profitability. What they all have and continue to require, however, is an acute focus on and control of risks" (2011, 21). Likewise, Brett Wilson an information technology and compliance for Trustwave, a company that provides cloud services for merchant banks, emphasizes that like all technological innovations, there are some risks that are associated with cloud computing that must be taken into account in deploying this alternative. According to Wilson, though, "The fortunate thing, though, is that with cloud there are no new risks involved. The worst-case scenario does not change, regardless of infrastructure. The worst-case scenario for any organization around IT security are breaches, the notifications that go along with those, financial loss, reputational damage and regulatory actions that might result" (quoted in Ginovsky 2011, 22).

Based on his analysis of current trends in cloud computing, Ginovsky identified seven of the most significant cloud-computing risks that should be considered:

1. Increased dependency on a third-party provider;

2. Loss of control over the physical and/or logical environment affecting data;

3. Loss of availability should the cloud provider have a service interruption;

4. Privacy and legal liability in the event of a security breach;

5. Difficulty defining exact locations of data;

6. Commingling of data; and,

7. Difficulty of protecting trade secrets (Ginovsky 2011, 22).

Beyond the foregoing, other specific threats have also been associated with cloud computing including the following:

1. Abuse and nefarious use;

2. Insecure application programming interfaces;

3. Malicious insiders;

4. Shared technology vulnerabilities;

5. Data loss or leakage;

6. Account, service and traffic hijacking; and,

7. Other, unknown risks (Ginovsky 2011, 22).

Some of the precautions that businesses can take when making the switch to a cloud-computing environment from an on-site approach have been formalized based on the National Institute of Standards and Technology's (NIST) two working documents, the first of which provides an operationalization of the term and a second that sets forth timely guidelines concerning security and privacy issues that are involved in public cloud computing (Ginovsky 2011, 22). Among the major points of the latter NIST document are the following:

1. Entities, including private businesses, should carefully plan the security and privacy aspects of cloud computing solutions before engaging them.

2. They should understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.

3. They should ensure that the client-side computing environment meets organization security and privacy requirements for cloud computing.

4. They should maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments (Ginovsky 2011, 22).

Beyond the foregoing precautions, there are other factors that must be considered during the implementation of a cloud-computing alternative. Although the various permutations that are possible are virtually limitless, cloud computing typically involves five basic actors: (a) consumer, (b) provider, (c) auditor, (d) broker and (e) carrier (Brown 2011, 2).

Although some of the current NIST security standards were developed for pre-cloud computing technologies such as Web-based services and the Internet, the NIST working group is working on formulating security standards that are specifically designed to support cloud functions and requirements (Brown 2011, 3). According to Brown, "The [NIST] working group identified a number of gaps in available standards ranging from fundamental issues such as security and privacy protection to user interfaces and important business-oriented features. The group also provided definitions for the five 'actors' involved in cloud computing and identified standardization priorities for the federal government, particularly in areas such as security auditing and compliance, and identity and access management" (2011, 3). The NIST working group also solicited support from federal agencies to become more actively involved in developing cloud computing-specific standards that facilitate its implementation and administration (Brown 2011, 3).

One of the most important steps that companies can take to help ensure the security of their proprietary data is to verify that their cloud computing provider uses a data center that has received an AICPA Service Organization Controls Report (SOC) (Defelice 2010, 51). The AICPA formulated these guidelines in order to provide a way for companies to evaluate a service organization's internal control using one or more of the three types of SOC reports as set forth in Table 2 below:

Table 2

Three Types of Service Organization Controls Reports

| Report Type | Description |
| --- | --- |
| AICPA SOC 1 | Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting. These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of user entities' management and their auditors, as they evaluate the effect of the controls at the service organization on the user entities' financial statement assertions. |
| AICPA SOC 2 | Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy. These reports, prepared using the AICPA guide Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development), are intended for users that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of the users' oversight of the service organization; vendor management; and internal corporate governance and risk management. |
| AICPA SOC 3 | Trust Services Report (Trust Services Principles, Criteria, and Illustrations) (AICPA, Technical Practice Aids, vol. 1, (TPA sec. 100) commonly referred to as SysTrust reports). These reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not need the level of detail provided in a SOC 2 Report. These reports are general use reports and can be freely distributed or posted on a Web site as a seal. |

Source: Defelice 2010, 52

These reports are intended to assess the components of a cloud-computing system which include:

1. Infrastructure. The physical and hardware components of a system (facilities, equipment and networks).

2. Software. The programs and operating software of a system (systems, applications and utilities).

3. People. The personnel involved in the operation and use of a system (developers, operators, users and managers).

4. Procedures. The programmed and manual procedures involved in the operation of a system (automated and manual).

5. Data. The information used and supported by a system (transaction streams, files, databases and tables) (Defelice 2010, 52).

Other factors that should be taken into account include the potential for unscheduled downtime as well as the ease with which the company is able to access its own data. Although there has been a consistent trend in the reliability of cloud computing providers in recent years, unscheduled maintenance represents a harsh reality that remains a salient issue irrespective of past track records (Defelice 2010, 52). In this regard, Defelice emphasizes that, "Best practices also include using a third-party monitor, such as McAfee Secure or Comodo HackerGuardian, to test the security of the vendor's Web applications on a daily basis. Look for that logo and the date-tested stamp on the vendor's site" (Defelice 2010, 52).

Indeed, many of the same attributes that are making cloud computing an attractive alternative for a growing number of businesses of all types and sizes are also causing some increased security concerns from other sources as well. For instance, Salow and his associates emphasize that:

"Cloud computing hubs are an attractive target for information thieves and those interested in disrupting cloud computing capabilities. Such attacks can plague remote networks, and they just as easily can take the form of physical intrusions and attacks. This renders comprehensive data center physical security and information redundancy at multiple locations an absolute must." (Salow et al. 2011, 43)

This point is also made by Defelice who also stresses the need for businesses to ensure that they have the "right stuff" needed to ensure a reliable connection with their cloud-computing providers. In this regard, Defelice notes that:

"While the specifics will vary depending on the applications you use, the point is that the more of your business you do in the cloud, the more important it becomes to make sure your Internet connectivity is reliable. Choose an Internet service provider that provides the largest amount of affordable bandwidth in your area. Prices vary tremendously across the country, but $100 to $200 a month is well worth it for reliable access. On top of that, whichever company you choose, also consider paying for a secondary or backup provider" (Defelice 2010, 52).

Cite This Paper
PaperDue. (2011). Cloud Computing and Data Security. PaperDue. https://www.paperdue.com/essay/cloud-computing-and-data-security-46599