Cloud Computing is a concept that involves providing particular Information Technology solutions hosted on the internet, which include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), among other services. In addition, the technology is marketed as a replacement for the conventional client-server paradigm. As such, Cloud Computing involves a paradigm shift that leads to loss of data control and new issues in security and privacy. The emerging security and privacy concerns can be attributed to either loss of data control or customer dependency on the Cloud Computing provider. Since Cloud Computing is rapidly growing in popularity, the emerging security and privacy concerns should be addressed, by adopting a number of particular practices, before the concept acquires a significant market share.
In Information Technology, Cloud Computing cannot be considered a state-of-the-art concept, owing to the fact that the idea borrows a lot from the Data Processing Service Bureaus that existed about forty years ago. Nonetheless, in the field of Information Technology, the most popular companies offer, or will start to offer in the near future, Cloud Computing services to a wide range of users that span from individuals to organizations regardless of their size. Google with Google Apps (such as Gmail, Google Calendar, and Google Docs), Microsoft with Azure, and Amazon with EC2 are some of the largest and most popular providers of such services (Amazon, 2017; Google, 2017). In a simple definition, the model of Cloud Computing can be described as providing specific Information Technology services hosted on the internet, which include Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) (Tejaswi & Guidici, 2011).
In most cases, marketing is based on efficiency and cost, whereby the concept is marketed as a cheap and efficient solution, which is bound to replace the conventional client-server model. However, the model change leads to loss of data control and to new issues regarding security and privacy. As such, when implementing and using Cloud Computing in businesses, caution is required to minimize or eliminate chances of either security or privacy compromise. Notably, in Europe, the first major issue in the protection of data occurred in the final years of the 1960s, when a company from Sweden procured data processing services from a service bureau in Germany despite the different data processing legislation in the two countries. With the popularity increasing at a very high rate, it is essential to take note of the resulting risks. In addition, security and privacy issues should be addressed, due to their importance, before Cloud Computing acquires a significant share of the market. According to ENISA (2009), most of the Information Technology and research bodies are conversant with the risks associated with Cloud Computing and have documented them through analyses and reports.
According to Gartner (2008), while there is no section of Information and Communication Technology that Cloud Computing does not affect, the two major problems are associated with security and privacy facets of the concept, which involve loss of data control and provider dependency. CSA (2009) argues that provider dependency and lack of data control can lead to several security and legal issues. Some of the issues can be attributed to management of identity, infrastructure, control of access compliance, management of risks, logging and auditing, control of integrity, and risks associated with Cloud Computing dependency.
Some of the typical issues associated with loss of data control include that users possess adequate knowledge regarding the risk of losing control over data and using a third party for data storage in the cloud (CEPIS, 2008). As such, most of the clients understand that the Cloud Computing services provider, or competitors that procure services from the same provider, may interfere with the integrity of data. In that regard, customers do not fully understand how their data is processed in terms of the time, reason, and manner of processing. Apparently, such a lack of transparency contravenes the data protection requirement that guarantees customers knowledge of any activity regarding their data.
Data mining is another issue associated with procuring data storage services in the cloud and, hence, with loss of control of the data. A large number of these service vendors analyze clients’ data using several data mining techniques (Microsoft, 2010). The ability of providers to analyze customers’ data can pose immense risk considering the sensitivity of the data stored and processed in the cloud by users. For instance, some of the social media applications, which entice users to share aspects of their privacy such as sensitive photos, end up exposing them.
The manner in which mobile devices share data also creates a massive risk associated with loss of data control. In most cases, mobile devices, due to a limitation in computing and storage capabilities, use services hosted on the cloud rather than locally hosted applications (Gartner, 2008). Therefore, data sharing must involve the cloud, due to its reliance on applications hosted there, even when such transfer is local, that is, between two mobile devices. As such, users of such mobile devices expose themselves to an enormous risk due to the assumption that data sharing occurs locally.
The remote access requirement that comes with Cloud Computing is also a source of concerns associated with loss of data control. According to Tejaswi and Guidici (2011), Cloud Computing is a service and, hence, must be accessed remotely. However, in some cases, the link between the client and the provider lacks sufficient protection and is therefore exposed to security risks. Some of the security risks associated with the line of transfer include Denial-of-Service attacks, eavesdropping, and DNS spoofing.
Cloud Computing, and hence loss of data control, is also associated with the risk of making conventional risk management techniques hard to apply or completely inapplicable. Use of Cloud Computing services involves a model change, which requires state-of-the-art risk management techniques because risk management and compliance concerns are shared between the internet services provider, the Cloud Computing services provider, and the client, even though data control responsibilities shift to the provider of the Cloud Computing services (CSA, 2009). Nonetheless, compliance is perceived as one of the essential aspects of trust between the client and the provider of the Cloud Computing services. The fact that data centres can be dispersed over large geographical areas with different regulatory and legislative requirements indicates that compliance is inadequately defined.
Deletion of data hosted in the cloud is also a source of concern due to the difficulty of identifying all copies of electronic material. As such, not all copies of data can be deleted; hence, enforcing compulsory data deletion is also very difficult. Nevertheless, any impending regulation associated with Cloud Computing services should include compulsory deletion, but there should be no over-reliance on such regulations. The fact that complete deletion cannot currently be guaranteed indicates that caution should be observed at the time of collecting and storing data in the cloud (Microsoft, 2010).
Differences in data protection and privacy rules in many countries also pose an enormous risk to the end user. Considering that Cloud Computing is expected to span the entire globe in the near future, lack of uniform legislation will be a major source of concern. Therefore, issues and risks that affect legislation and regulations related to data protection in a certain geographical region must be sufficiently considered even when platforms are hosted on servers in another region with different rules (CSA, 2009).
Finally, a telecommunication network is required to support the operations of the end user of a Cloud Computing provider’s services. Therefore, for the operations of the end user to be successful, the telecommunication network must be reliable and secure. However, distinct providers offer Cloud Computing and telecommunication services; hence, the provider cannot guarantee a secure and reliable network. As such, the Cloud Computing provider cannot guarantee complete security or reliability of services (Gartner, 2008).
Availability is a primary concern associated with depending on a particular provider of Cloud Computing. For instance, if the particular provider ceased service provision, perhaps due to bankruptcy, data access could be problematic for the consumer. Such problems in data access may translate to potential issues in the business continuity of the consumer.
Lack of contractual agreements between the customer and the provider of Cloud Computing, in major services such as Google Docs, is also a source of major concern (Tejaswi & Guidici, 2011). In cases of incidents or issues, the consumer has nothing to refer to due to the lack of a contract. Therefore, addressing such issues or incidents can be very problematic for the Cloud Computing customer.
The size of organizations that offer these services is also a source of issues regarding dependence. As in the provision of conventional utilities and services, huge providers that deal with small consumers provide Cloud Computing services. As such, in most cases, the consumer must depend on the provider due to the difficulty of changing large providers. In that regard, conventional services are regulated considering the range of functionality such as coverage and compulsory functions, reliability, pricing, and provider’s liability, among other factors. On the other hand, Cloud Computing indicates a pattern that suggests Information and Communication Technology security is not necessarily a technical matter but an issue that involves organizations and individuals; hence, it includes organizational and human aspects, for instance, contracting, management, and legal enforcement (Microsoft, 2010).
The following recommendations should be considered while addressing security and privacy issues in Cloud Computing:
- The contract between the customer and the provider must adequately define legal compliance and risk management issues as well as enhance transparency as concerns data storage and processing. Such a contract can successfully strengthen the trust between the customer and the provider.
- The service offered should satisfy the legislative and regulatory requirements of the customer as well as enable the consumer to comply with the particular rule.
- Issues and risks, which affect legislations and regulations of data protection in a particular region, must be sufficiently considered when platforms of Cloud Computing are hosted on servers in a different area.
- The line of communication between the customer and the provider must be sufficiently protected to enhance authentication control, integrity, and confidentiality, and to reduce the chances of DoS attacks as well. In that regard, every provider should be obliged to provide an apparent and open specification of the measures adopted to guarantee the communication line security, which should also be based on transparent and open technologies and qualities.
- Providers should be compelled to enhance confidentiality of data.
- Potential rules regarding the services should include compulsory data deletion.
- Since it is a fact that complete data deletion cannot be guaranteed, collection and storage of data needs to be conducted acknowledging that fact.
- Customers should consider local backups to guarantee data availability.
- Software that enhances local data transfer, without involving the cloud, should be encouraged.
- The telecommunication network supporting it should be adequately protected and secured to minimize or eliminate DoS or malware threats.
- Sufficient auditing and logging should be offered. In that regard, an external audit is considered essential for a strengthened trust between the customer and the provider as well as promoting the provider’s reputation.
- Users should be offered the relevant education regarding the new model, which should improve decision making as concerns these services.
- Professionals should possess adequate skills and knowledge to handle new categories of risks.
- Considering that, in future; for instance, for balancing customer and providers, it is necessary to evaluate issues and weaknesses of the concept before it acquires a significant market share. The idea should be perceived with dimensions of the expected regulatory and conflict potential relevance. Particularly, relevant limitations and regulations may be appropriate when a provider of Cloud Computing becomes a member of crucial information infrastructure, to prevent takeover by another party.
- Study of the fundamental matters and concepts in privacy, security, and informatics as well as their trade-off and impacts as concerns is recommended. Additionally, matters regarding the probable effects of platforms on applications’ validity of certification may also be necessary.
Amazon. (2017). Amazon Elastic Compute Cloud (EC2) Documentation. Retrieved from https://aws.amazon.com/documentation/ec2/
CEPIS. (2008). CEPIS Statement, Social Networks – Problems of Security and Data Privacy. Retrieved from http://www.cepis.org/index.jsp?p=942&n=963#Social%20Networks
CSA. (2009). Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. Retrieved from https://wenku.baidu.com/view/88305531b90d6c85ec3ac624.html
ENISA. (2009). Cloud Computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency. Retrieved from http://www.storm-clouds.eu/services/2017/03/enisa-2009-cloud-computing-benefits-risks-and-recommendations-for-information-security-european-network-and-information-security-agency/
Gartner, J. (2008). Gartner: Seven cloud-computing security risks | Network World. Retrieved from https://www.networkworld.com/article/2281535/data-center/gartner–seven-cloud-computing-security-risks.html
Microsoft. (2010). Cloud Computing Security Considerations. Retrieved from http://www.microsoft.com/malaysia/ea/whitepapers.aspx
Tejaswi, R., & Guidici, T. (2011). Windows Azure Platform. Retrieved from http://www.apress.com/us/book/9781430235637
Google. (2017). G Suite – Gmail, Drive, Docs and More. Retrieved from http://www.google.com/apps/