Cloud Computing Choices and Risks

Cloud Computing Choices and Risks

Cloud Computing Choices and Risks

One of the fastest-growing methodologies used with the Internet today is cloud computing. Cloud computing is a method of using resources provided by an outside company rather than hosting those resources "in house." According to Armbrust et al. (2010), "cloud computing refers to the applications that are delivered as services over the internet and the hardware and software in the data centers that provide the services."(p. 50). One of the great attractions of cloud computing is the pay-as-you-go business model and the proposed ability to have infinite resources ready at any given moment. For example, companies could pay the same amount for one hour of computing done by 1000 machines as they would for 1000 hours of computation done by one machine. This flexibility and granularity are very attractive, but research shows that many companies who are looking to adopt cloud services will hesitate because they have concerns about data security, availability of data and the control of data while it is in the cloud. Concern arises in these areas because of the way that cloud computing is layered. There are several points where third-party vendors could be contracted for services, which complicates managing operations. Consumer data is very important and how it is handled must be considered whenever business changes are implemented, including deciding to base services in the cloud.

The largest concern by any company using the Internet in their day-to-day operations is data security. To secure data means that it must be maintained in a state of confidentiality, known only to the user and any parties that they have given consent to access it as well. Considering that there are at least the cloud user, the cloud vendor and any other third-party vendors that users may rely on, there are potentially many parties who will be responsible for the security of data. (Armbrust et al., 2010). This means that there is more than one point of possible failure in the cloud. Failure could occur by the user, the provider, or by any other parties involved. Since information is being externally hosted and may need to be duplicated or transferred, there must be safeguards in place to protect it. Any hole in security could result in severe legal issues, loss of customers as well as loss of income.

An important fact to note is that the physical security and the location of the facility play important roles in how data is treated while it is being stored. Data centers are best located near the Internet backbone, in locations where taxes are low, and electricity is affordable. (Jaeger, 2009). The regions that have these attributes, though, may not fall under laws that create the most secure environment for user information. Providers must comply with rules and regulations in their regions, whether they are in the United States or other parts of the world. Also to be considered are how cases will be adjudicated in the region the center is located, how involved the government is there and how these factors will affect business cost. (Jaeger, 2009). Laws vary throughout the world and may or may not cover the level of security that a company requires to meet their needs. Mowbray (2009) points out that a company utilizing cloud computing may find itself using hardware and software in different locations than the company and its users. In these situations, companies must carefully route traffic and data to places where it is both safe and legal. The providers and users will have to use contracts and courts to guard themselves and ensure security.

Not only must data be physically secure, it must also be digitally secure. There are many ways to protect data including encryption, but unique to the cloud is the fact that this responsibility will reside with providers of the cloud services and must still be accessible by users. The basis of this thought is that the data must stay correct and intact throughout all phases of use. Wang et al. (2010) underline that this type of security is still lacking with their statement, "data storage security is still in its infancy now, and many research problems are yet to be identified." There have been many proposed theories and equations for how to handle data in the cloud, however, none have proved to be completely thorough yet. In fact, data that is processed using cloud services will likely be found in an unencrypted state in a machine somewhere in the cloud. (Mowbray, 2009). This means that there is a possibility that someone could encounter this raw data either intentionally or unintentionally.

All users must understand that data can be compromised in many ways. Personal information that most users take for granted to be secure and untouchable could become accessed due to mistakes such as misconfigurations made by the provider. With cloud providers choosing to serve all kinds of companies and users, they house data in large data centers where hundreds of machines are working daily. Within these large data centers, information may coexist with other users' data. (Gatewood, 2009). With shared resources like this, if a misconfiguration does occur, one customer could potentially map themselves into the database of a second customer and see all of the secure data that the second customer thought was being protected. (Catteddu and Hogben, 2009). If an outside attacker exposed this vulnerability, they could also access the databases of both customers and any others that may have been linked in the same manner by the provider's mistake. This sounds far-fetched but it has happened in today's industries and is a very real threat.

Security attacks from the outside are also a large concern and are becoming a greater hazard with more users going to the cloud. Cloud computing can create potentially large data sets that could be engineered to be used for unintended purposes. This type of social engineering is currently practiced by Google, who uses its cloud infrastructure to gather consumer data for its own advertising network. (Chow et al., 2009) Malicious attackers, however, could use the power of the cloud to mine data centers for huge amounts of user information. Since multiple users' data could be stored in one location, multiple companies could become victims of social engineering by the same culprit, resulting in loss of data and reputation.

If at any time a failure in security does occur, it is important that the provider alert the users that are affected. According to Sotto, Treacy, and McLellan (2010) there are more than 45 states that currently require breach notification if data is accessed without permission. In cloud systems, there are many possible locations of data that would have to be checked