An Overview of the Security Concerns in Enterprise Cloud Computing
Deploying cloud computing in an enterprise infrastructure brings significant security concerns. Successful implementation of cloud computing in an enterprise requires proper planning and understanding of emerging risks, threats, vulnerabilities, and p…
Authors: Anthony Bisong, Syed (Shawon) M. Rahman
International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.1, January 2011
DOI: 10.5121/ijnsa.2011.3103

AN OVERVIEW OF THE SECURITY CONCERNS IN ENTERPRISE CLOUD COMPUTING

Anthony Bisong 1 and Syed (Shawon) M. Rahman 2

1 Ph.D. Student, Capella University, 225 South 6th Street, 9th Floor, Minneapolis, MN 55402, USA. Email: abisong@gmail.com
2 Assistant Professor of Computer Science, University of Hawaii-Hilo, Hilo, HI, USA and Adjunct Faculty, Capella University, Minneapolis, MN 55402, USA. Email: SRahman@Hawaii.edu

Abstract

Deploying cloud computing in an enterprise infrastructure brings significant security concerns. Successful implementation of cloud computing in an enterprise requires proper planning and an understanding of emerging risks, threats, vulnerabilities, and possible countermeasures. We believe an enterprise should analyze the company's or organization's security risks, threats, and available countermeasures before adopting this technology. In this paper, we have discussed security risks and concerns in cloud computing and outlined steps that an enterprise can take to reduce security risks and protect its resources. We have also explained cloud computing strengths/benefits, weaknesses, and applicable areas in information risk management.

1.0 Introduction

This paper discusses the cloud computing security concerns and the security risks associated with enterprise cloud computing, including its threats, risks and vulnerabilities. Throughout the years, organizations have experienced, and in this cloud computing era will continue to experience, numerous system losses which have a direct impact on their most valuable asset, information (Otero, Otero, Qureshi, 2010), and its protection is of utmost importance to all organizations.
There have been publicized attacks on cloud computing providers, and this paper discusses recommended steps to handle cloud security, issues to clarify before adopting cloud computing, the need for a governance strategy and good governance technology, and cloud computing strengths and weaknesses, and analyzes the benefits and costs of cloud computing in information security management. Cloud computing is continuously evolving, and there are several major cloud computing providers such as Amazon, Google, Microsoft, Yahoo and others who are providing services such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Storage-as-a-Service and Infrastructure-as-a-Service (IaaS); this paper discusses some of the services being provided. There is much scholarly research, as well as many articles and periodicals, on cloud computing security concerns. Security researchers and professionals are constantly working on security risks, potential threats, vulnerabilities, and possible countermeasures in enterprise cloud computing.

2.0 Background Study

Enterprises are starting to look into cloud computing technology as a way to cut down on cost and increase profitability, because across all industries "CIOs are under continuous pressure to reduce capital assets, headcounts, and support costs, and cloud systems give them a way to meet those goals" (Brandl, 2010). There are many definitions of cloud computing, and the most comprehensive definition available is by Brandl (2010), who defined cloud computing as "collections of IT resources (servers, databases, and applications) which are available on an on-demand basis, provided by a service company, available through the internet, and provide resource pooling among multiple users." Figure 1 shows what is available to enterprises in the cloud.
Brandl (2010) went on to say that, due to the potential of cloud computing to save enterprises money and increase the bottom line, "CIOs are looking for any and all opportunities to move internal company systems to external cloud systems because cloud systems reduce capital assets, IT maintenance costs, and direct labor costs". Figure 2 shows the top 500k sites by the major cloud providers.

Figure 1. Cloud Computing Resources (CloudTweaks, 2010)

Figure 2. Cloud Providers. Top 500k sites by Cloud Provider - April 2010 (CloudTweaks, 2010).

2.1 Cloud Computing Growth

Cloud computing is a combination of several key technologies that have evolved and matured over the years (see Figure 3). This evolution to present-day cloud computing includes a combination of open APIs, storage, computing and infrastructure, as shown in Figure 3. The "cost associativity" formula shown in Formula 1 (Armbrust, Fox, Griffith, Joseph, Katz, Konwinski et al., 2009) can be used to compute the profitability of cloud computing. For example, using 1000 Amazon EC2 machines for 1 hour costs the same as using 1 traditional non-cloud machine for 1000 hours (Armbrust et al., 2009). The profitability of cloud computing can be explained by the "cost associativity" formula shown in Formula 1: "the left-hand side multiplies the net revenue per user-hour by the number of user-hours, giving the expected profit from using cloud computing, while the right-hand side performs the same calculation for a fixed-capacity datacenter by factoring in the average utilization, including nonpeak workloads, of the datacenter; whichever side is greater represents the opportunity for higher profit" (Armbrust et al., 2009). Armbrust et al. (2009, p.
10-11) gave an example on elasticity, with calculations of the potential savings and cost reduction from cloud computing:

Figure 3. The growth of Cloud Computing (Hinchcliffe, 2009)

Formula 1. (Armbrust et al., 2009, p. 2)

2.2 Cloud Computing Example

There are several major cloud computing providers, including Amazon, Google, Salesforce, Yahoo, Microsoft and others, that are providing cloud computing services (Figure 4 shows current cloud providers). Cloud computing providers provide a variety of services to their customers, including e-mail, storage, software-as-a-service, infrastructure-as-a-service, etc.

Figure 4. Cloud Computing Overview (CloudTweaks, 2010).

The attractiveness of cloud computing is not only to large enterprises: entrepreneurs, startups, medium companies and small companies would also benefit greatly, and they will have new alternatives and opportunities that were not available to them in the past, which could save them millions of dollars, because with cloud computing they have the choice to rent only the necessary computing power, storage space and communication capacity from a large cloud computing provider that has all of these assets connected to the Internet (Smith, 2009). Companies "can pay only for the volume of these services that they use, they can quickly add or subtract resources from their order, and they never have to take possession of the hardware and all of the technical support headaches associated with it" (Smith, 2009). Table 1 shows the pay-per-use competitive matrix of some of the major cloud computing providers for infrastructure as a service (IaaS) and platform as a service (PaaS). Smith (2009) gave an example of the tremendous benefits of cloud computing to a company: a startup company called Animoto, which allows people to turn a series of photographs into a
simple movie with a nice sound track in the background and have them online to share with friends and family, became a poster child for the cloud computing concept. When the online photo-to-movie application became available on the internet, over a three-day period Animoto registrations suddenly increased from 25,000 to 250,000 users, and as a result they ramped up their usage of Amazon cloud computers from 24 machines to nearly 5,000 machines within a week. This capability would have been near impossible before cloud computing, and it could have cost the startup company millions of dollars and several months of time and effort to achieve without cloud computing.

Table 1. Competitive matrix (CloudTweaks, 2010)

Provider | IaaS | PaaS | Compute Billing Model | Storage Billing Model | Relational Database Service | Hybrid capabilities
Windows Azure | No | Yes (.NET, Java, Ruby, Python, PHP) | Pay-per-use | Pay-per-use | Yes (SQL Server) | Yes (on-premise to cloud)
Amazon Web Services | Yes | No | Pay-per-use | Pay-per-use | Yes (MySQL-based) | Yes (via third-party tools)
Rackspace | Yes | Yes (LAMP, .Net (PaaS)) | Pay-per-use (IaaS); Monthly (PaaS) | Pay-per-use (IaaS); Included in monthly fee (PaaS) | Yes (FathomDB) | No (but dedicated resources to cloud planned)
Joyent | Yes | Yes (Java, Ruby, Python, PHP) | Monthly (IaaS); PaaS pricing not announced | Included in monthly fee (IaaS) | No | Yes (on-premise to cloud)
Google | No | Yes (Python, Java) | Pay-per-use | Pay-per-use | No | No
GoGrid | Yes | No | Pay-per-use or pre-paid | Included with each instance | No | Yes (dedicated resources to cloud)

With all these cloud computing capabilities and the potential to save cost, large enterprises and others should step back, move cautiously and analyze the security risks and concerns associated with cloud computing before adopting the technology.
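The cost-associativity and elasticity argument summarised in section 2.1 (Armbrust et al., 2009), worked in code as an added example; this is not code from the paper or from the Berkeley report. The daily demand curve, the prices and the function names are constructed for illustration, and the profit comparison assumes the Berkeley inequality in the form the text describes (the fixed datacenter's cost per user-hour divided by its average utilization), since the paper reproduces Formula 1 only as a caption.

```python
"""Cost associativity and elasticity in cloud provisioning.

Added example (not from the paper). Demand figures, prices and names are
constructed/assumed for illustration.
"""
from typing import Sequence

# Constructed hourly server demand for one day (hour 0 = midnight, 12 = noon):
# trough of 100 servers at midnight, peak of 500 at noon, average of 300.
DAILY_DEMAND = [100, 120, 140, 170, 210, 250, 300, 350, 390, 430, 460, 480,
                500, 480, 460, 430, 390, 350, 300, 250, 210, 170, 140, 120]


def pay_as_you_go_cost(machines: int, hours: float, price_per_hour: float) -> float:
    """Cost associativity: 1000 machines for 1 hour costs the same as
    1 machine for 1000 hours, because only machine-hours are billed."""
    return machines * hours * price_per_hour


def used_server_hours(demand: Sequence[int]) -> int:
    """Server-hours actually consumed: the area under the demand curve."""
    return sum(demand)


def peak_provisioned_hours(demand: Sequence[int]) -> int:
    """Server-hours a fixed datacenter pays for when it is sized to the peak."""
    return max(demand) * len(demand)


def average_utilization(demand: Sequence[int]) -> float:
    """Fraction of peak-provisioned capacity that is actually used."""
    return used_server_hours(demand) / peak_provisioned_hours(demand)


def overprovisioning_factor(demand: Sequence[int]) -> float:
    """How many times more capacity is paid for than used (1 / utilization)."""
    return peak_provisioned_hours(demand) / used_server_hours(demand)


def daily_costs(demand: Sequence[int], cloud_price_per_hour: float,
                owned_cost_per_hour: float) -> dict:
    """Daily spend: the elastic cloud bills used hours only, while an owned
    datacenter pays (amortized) for every provisioned hour, idle or not."""
    return {
        "cloud": used_server_hours(demand) * cloud_price_per_hour,
        "datacenter": peak_provisioned_hours(demand) * owned_cost_per_hour,
    }


def cloud_is_cheaper(demand: Sequence[int], cloud_price_per_hour: float,
                     owned_cost_per_hour: float) -> bool:
    """Pay-as-you-go wins while its hourly price stays below the
    overprovisioning factor times the amortized owned cost per hour."""
    return cloud_price_per_hour < overprovisioning_factor(demand) * owned_cost_per_hour


def cloud_profit(user_hours: float, revenue_per_user_hour: float,
                 cloud_cost_per_user_hour: float) -> float:
    """Left-hand side: net revenue per user-hour times user-hours on the cloud."""
    return user_hours * (revenue_per_user_hour - cloud_cost_per_user_hour)


def datacenter_profit(user_hours: float, revenue_per_user_hour: float,
                      datacenter_cost_per_user_hour: float, utilization: float) -> float:
    """Right-hand side (assumed form): the fixed datacenter's cost per user-hour
    is divided by its average utilization, because idle capacity is still paid for."""
    return user_hours * (revenue_per_user_hour - datacenter_cost_per_user_hour / utilization)


def lost_revenue_when_underprovisioned(demand: Sequence[int], capacity: int,
                                       revenue_per_user_hour: float) -> float:
    """Underprovisioning: demand above a fixed capacity is turned away and the
    revenue from those unserved user-hours is sacrificed."""
    unserved = sum(max(0, d - capacity) for d in demand)
    return unserved * revenue_per_user_hour


if __name__ == "__main__":
    # Hypothetical prices: $0.10 per cloud server-hour, $0.08 per hour for an
    # owned server amortized over its life, $0.15 revenue per user-hour.
    print(f"utilization {average_utilization(DAILY_DEMAND):.2f}, "
          f"overprovisioning x{overprovisioning_factor(DAILY_DEMAND):.2f}")
    print(daily_costs(DAILY_DEMAND, 0.10, 0.08))
    print("cloud cheaper:", cloud_is_cheaper(DAILY_DEMAND, 0.10, 0.08))
    print("cloud profit", cloud_profit(7200, 0.15, 0.10),
          "datacenter profit", datacenter_profit(7200, 0.15, 0.08, 0.6))
    print("revenue lost at capacity 300:",
          lost_revenue_when_underprovisioned(DAILY_DEMAND, 300, 0.15))
```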
2.3 Cost Minimization

The cost minimization that cloud computing offers enterprises can be explained by the elasticity capability of cloud computing. "Assume our service has a predictable daily demand where the peak requires 500 servers at noon but the trough requires only 100 servers at midnight, as shown in Figure 2(a). As long as the average utilization over a whole day is 300 servers, the actual utilization over the whole day (shaded area under the curve) is 300 x 24 = 7200 server-hours; but since we must provision to the peak of 500 servers, we pay for 500 x 24 = 12000 server-hours, a factor of 1.7 more than what is needed. Therefore, as long as the pay-as-you-go cost per server-hour over 3 years is less than 1.7 times the cost of buying the server, we can save money using utility computing" (Armbrust et al., 2009, p. 10).

Figure 5. Provisioning for peak load and underprovisioning (Armbrust et al., 2009, p. 11).

In Figure 5: (a) Even if peak load can be correctly anticipated, without elasticity we waste resources (shaded area) during nonpeak times. (b) Underprovisioning case 1: potential revenue from users not served (shaded area) is sacrificed. (c) Underprovisioning case 2: some users desert the site permanently after experiencing poor service; this attrition and possible negative press result in a permanent loss of a portion of the revenue stream (Armbrust et al., 2009).

3.0 Security Threats, Risks, and Vulnerabilities

With the increasing popularity of enterprise cloud computing and its public connectivity via the internet, it is the next frontier for viruses, worms, hackers and cyber-terrorists to start probing and attacking.
Many enterprises are seriously looking into cloud computing to save cost; in the not too distant future the cloud computing adoption rate will skyrocket, and cloud computing's vulnerability to viruses, worms, hackers and cyber attacks will increase, because organized criminals, terrorists and hostile nations will see this as a new frontier on which to try to steal private information, disrupt services and cause harm to the enterprise cloud computing network. A cloud computing security incident has already happened: Google, a major cloud computing and Software as a Service (SaaS) provider, had its systems attacked and hacked, and the cyber-forensics traced the attacks to China (Markoff, Barboza, 2010).

With cloud computing, the physical locations of data are spread across geographic areas that could span continents, countries or regions. One of the top security concerns of enterprises is the physical location of the data being stored in the cloud, especially if it is located in another country, because the laws of the host country of the equipment apply to the data on the machines (Smith, 2009); that could be a big issue if the host country does not have adequate laws to protect sensitive data, if the host nation becomes hostile, or when the government of the hosting nation changes and becomes unfriendly. There have been instances of a complete blackout of entire cloud services, making them unavailable for hours and even days due to bugs (Smith, 2009). Google's Gmail went down for two hours, Citrix's GoToMeeting and GoToWebinar were temporarily unavailable, and Amazon.com's Simple Storage Service was "out of commission for excruciating eight hours" (Hoover, 2008).
Imagine an enterprise that completely depends on a cloud computing service provider whose system has been disrupted for hours or days; the loss of business could be catastrophic.

3.1 Threats

Cloud computing faces just as many security threats as are currently found in existing computing platforms, networks, intranets and internets in enterprises. These threats, risks and vulnerabilities come in various forms. The Cloud Security Alliance (Cloud Security Alliance, 2010) did research on the threats facing cloud computing and identified the following seven major threats:

♦ Abuse and Nefarious Use of Cloud Computing
♦ Insecure Application Programming Interfaces
♦ Malicious Insiders
♦ Shared Technology Vulnerabilities
♦ Data Loss/Leakage
♦ Account, Service & Traffic Hijacking
♦ Unknown Risk Profile

3.2 Risks

Risk, according to the SANS Institute, "is the potential harm that may arise from some current process or from some future event." In IT security, risk management is the process in which we understand and respond to factors that may lead to a failure in the confidentiality, integrity or availability of an information system (SANS Institute); the IT security risk is the harm to a process or the related information resulting from some purposeful or accidental event that negatively impacts the process or the related information (SANS Institute). Moving to the cloud presents the enterprise with a number of risks, including securing critical information such as intellectual property, trade secrets and personally identifiable information that could fall into the wrong hands. Making sensitive information available on the internet requires a considerable investment in security controls and monitoring of access to the contents. In the cloud environment, the enterprise may have little or no visibility into the storage and backup processes, and little or no physical access to the storage devices of the cloud computing provider.
And, because the data from multiple customers may be stored in a single repository, forensic inspection of the storage media and a proper understanding of file access and deletion will be a significant challenge (Information Security Magazine, 2009).

3.3 Vulnerability

According to Pfleeger (2006), a vulnerability "is a weakness in the security system" that could be exploited to cause harm. Enterprise cloud computing is just as vulnerable as any other technology that uses the public internet for connectivity. The vulnerabilities include eavesdropping, hacking, cracking, malicious attacks and outages. Moving your data to a cloud service is just like "putting all your eggs in one basket" (Perez, 2009): in early 2009 the social bookmarking site Ma.gnolia experienced a server crash in which it lost so much of its users' data that its bookmarking service was shut down permanently. Research has shown that it is possible for attackers to precisely map where a target's data is physically located within the "cloud" and use various tricks to gather intelligence (Talbot, 2009, p. 1). Another vulnerability is to denial-of-service attacks: it has been found that if an attacker is on the same cloud servers as his victim, a conventional denial-of-service attack can be initiated by ramping up his resource usage all at once (Talbot, 2009, p. 5). Researchers at the University of California at San Diego and at M.I.T. say they can buy cloud services from Amazon and place a virtual machine on the same physical machine as a target application, and once there, they can use their virtual machine's access to the shared resources of the physical machine to steal data such as passwords (Greene, 2009).
This technique, the researchers said, is experimental and doesn't work all the time, but it indicates that service providers' clouds are susceptible to new types of attacks not seen before. And while the attack was carried out inside Amazon's EC2 cloud, they say their method would work equally well with other cloud providers (Greene, 2009). The researchers went on to say that a way around the weakness they found in Amazon's EC2 is for customers to insist that their cloud machines are placed on physical machines that only they can access, or that they and trusted third parties can access (Greene, 2009). This solution will likely come at a price premium, because part of the economy of cloud services is maximizing the use of physical servers by efficiently loading them up with cloud machines (Greene, 2009) and locating the cloud datacenter where the utility price is cheapest. The work by the researchers highlights that clouds and the virtual environments they employ are relatively new; as a result they still draw the attention of attackers bent on finding and exploiting unexplored vulnerabilities (Greene, 2009). This doesn't mean that cloud services are unsafe and shouldn't be used (Greene, 2009). In defending cloud computing security, Edwards (2010) said that by using cloud computing as a "thin client technology, businesses can limit exposure threats posed by data-crammed laptops and backups." There will be more efficient security software, because with cloud computing software vendors will be driven to fix inefficient security approaches that burn up resources (Edwards, 2010).
The cloud will provide better anti-virus detection: University of Michigan researchers have found that if anti-virus software tools were moved from a PC to the cloud, they could detect 35 percent more recent viruses than a single anti-virus program on a personal computer (Edwards, 2010). The bottom line is that businesses should treat clouds with a certain amount of suspicion; they should assess the risk the cloud service represents and only commit data to such services that can tolerate that risk (Greene, 2009).

4.0 Cloud Computing Implementation Guidelines

4.1 Steps to Cloud Security

Edwards (2009) stated that, with the security risks and vulnerabilities in enterprise cloud computing that are being discovered, enterprises that want to proceed with cloud computing should use the following steps to verify and understand the cloud security provided by a cloud provider:

♦ Understand the cloud by realizing how the cloud's uniquely loose structure affects the security of data sent into it. This can be done by having an in-depth understanding of how cloud computing transmits and handles data.
♦ Demand Transparency by making sure that the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audits should be from an independent body or federal agency.
♦ Reinforce Internal Security by making sure that the cloud provider's internal security technologies and practices, including firewalls and user access controls, are very strong and can mesh very well with the cloud security measures.
♦ Consider the Legal Implications by knowing how the laws and regulations will affect what you send into the cloud.
♦ Pay attention by constantly monitoring any development or changes in the cloud technologies and practices that may impact your data's security.

4.2 Issues to Clarify Before Adopting Cloud Computing

Gartner, Inc., the world's leading information technology research and advisory company, has identified seven security concerns that an enterprise cloud computing user should address with cloud computing providers (Edwards, 2009) before adopting:

♦ User Access. Ask providers for specific information on the hiring and oversight of privileged administrators and the controls over their access to information. Major companies should demand and enforce their own hiring criteria for personnel that will operate their cloud computing environments.
♦ Regulatory Compliance. Make sure your provider is willing to submit to external audits and security certifications.
♦ Data Location. Enterprises should require that the cloud computing provider store and process data in specific jurisdictions and obey the privacy rules of those jurisdictions.
♦ Data Segregation. Find out what is done to segregate your data, and ask for proof that encryption schemes are deployed and are effective.
♦ Disaster Recovery Verification. Know what will happen if disaster strikes by asking whether your provider will be able to completely restore your data and service, and find out how long it will take.
♦ Disaster Recovery. Ask the provider for a contractual commitment to support specific types of investigations, such as the research involved in the discovery phase of a lawsuit, and verify that the provider has successfully supported such activities in the past. Without evidence, don't assume that it can do so.
♦ Long-term Viability.
Ask prospective providers how you would get your data back if they were to fail or be acquired, and find out if the data would be in a format that you could easily import into a replacement application.

4.3 Need for a Governance Strategy and Good Governance Technology

Moving into cloud computing requires a good governance strategy and good governance technology (Kobielus, 2009). Interest in governance has been revitalized because trust is being extended to a cloud provider across premises and across corporate boundaries (Kobielus, 2009, p. 26). A cloud computing governance function requires active management participation, the proper forum to make IT-related decisions, and effective communication between the IT organization and the company's management team (Maches, 2010). Maches (2010) proposed that cloud risk management be included in the cloud computing governance function, which requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the IT organization.

5.0 Cloud Computing Strengths, Weaknesses, and Application Areas in Information Risk Management

5.1 Cloud Computing Strengths/Benefits

The strength of cloud computing in information risk management is the ability to manage risk more effectively from a centralized point. Security updates and new patches can be applied more effectively, thereby allowing business continuity in the event of a security hole.

5.2 Weaknesses

Cloud computing weaknesses include issues such as the security and privacy of business data being hosted in remote third-party data centers, being locked in to a platform, reliability/performance concerns, and the fear of making the wrong decision before the industry begins to mature (Hinchcliffe, 2009).
5.3 The Benefits and Costs of Cloud Computing in Information Security Management

According to Bendandi (2009, p. 7), the top security benefits of cloud computing include:

♦ The security benefits of scale: all kinds of security measures are cheaper when implemented on a large scale, including all kinds of defensive measures such as filtering, patch management, hardening of virtual machine instances and hypervisors, etc. The benefits of scale also include multiple locations, edge networks (content delivered or processed closer to its destination), timeliness of response to incidents and centralized threat management.
♦ Security as a market differentiator, which gives cloud providers a strong driver to improve security practices; many cloud customers will buy on the basis of the reputation for confidentiality, integrity and resilience of, and the security services offered by, a provider.
♦ Large cloud providers will offer a standardized, open interface to manage security, thereby opening a market for security services.
♦ Rapid and smart scaling of resources, where the cloud provider dynamically reallocates resources for filtering, traffic shaping, authentication, encryption and defensive measures such as against distributed denial-of-service (DDoS) attacks.
♦ Audit and evidence-gathering, where dedicated pay-per-use forensic images of virtual machines are accessible without taking infrastructure offline, and cost-effective storage for logs allows comprehensive logging without compromising performance.

The cost of cloud computing in information security management includes the costs of migrating, implementing, integrating, training, and redesigning. It also includes the cost of training support staff in the new processes.
The new architecture could generate new security holes and issues during redesigning and deploying the implementation, thereby driving cost up. In the application areas of information risk management, cloud computing is a commercially viable alternative for enterprises in search of a cost-effective storage and server solution (Waxer, 2010). Gartner Inc. predicts that by 2012, 80 percent of Fortune 1000 enterprises will pay for some cloud-computing service (Waxer, 2010), while 30 percent of them will pay for cloud-computing infrastructure. While the technology has its fair share of drawbacks (such as privacy and security concerns), its undeniable potential benefit is turning a lot of skeptics into enthusiasts (Waxer, 2010).

6.0 Recommendations

The following recommendations and strategies put forward by Indiana University (2009), intended to assist its departments and units in their approach to evaluating the prudence and feasibility of leveraging cloud services, can also be used in assessing cloud computing in enterprises.

♦ Risk/benefit analysis: Units considering university services that may be delivered using cloud technology, or new services provided by cloud technology, must identify and understand the risks and benefits of the service. Recognize that vendor security failures will potentially involve or at least reflect on the university. Consider the security and privacy objectives of confidentiality, integrity, availability, use control, and availability, and determine what would happen if these objectives were not met. Honestly compare the costs of the internal and external services, including the costs to manage the vendor relationship and the costs of integrating the service with existing internal services and processes.
♦ Consultation: Consult with appropriate data stewards, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with Purchasing, the General Counsel's Office, the University Information Policy Office, and the University Information Security Office.
♦ Lower risk candidates: When considering university services that may be delivered using cloud technology, ideal candidates will be those that are non-critical to operations, involve public information, and otherwise would require significant internal infrastructure or investment to deliver or continue delivering internally. These are likely to represent the best opportunities for maximizing benefit while minimizing risk.
♦ Higher risk candidates: University services that are critical to the operation of the university or involve differentiating or core competencies, and/or involve restricted or critical information or intellectual property, are necessarily higher risk candidates and require careful scrutiny.
♦ Consider "internal cloud" alternatives: Due to the decentralized nature of the university, some duplication of effort is inevitable. Units should consider leveraging internal cloud-like services when looking for ways to reduce cost, e.g., units managing their own email servers and/or server hardware should consider migrating to the institutional email solutions and/or a virtual server solution (i.e., Intelligent Infrastructure). "Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term" (Dan Blum, "Cloud Computing Security in the Enterprise," Burton Group, July 15, 2009).
♦ Vendor agreement: In all cases, strive to obtain a contract or service level agreement with the vendor.
For non-critical services involving public data, it may be possible to leverage a cloud service without such an agreement if the vendor is willing to provide adequate assurances; however, services critical to the university and/or those involving more sensitive data (i.e., restricted or critical) must not be provided by a cloud vendor without an appropriate agreement in place. Purchasing, the General Counsel's Office, the University Information Policy Office, and the University Information Security Office must be consulted when drafting such agreements.
♦ Proportionality of safeguards: Vendor physical, technical, and administrative safeguards should be equal to or better than those in place internally for similar services and information. Areas to explore with the vendor include privileged user access, regulatory compliance, data location, data segregation, recovery/data availability, change management, user provisioning and de-provisioning, personnel practices, incident response plans, and investigative/management support, as well as the issues identified in the previous section. Scrutinize any gaps identified.
♦ Due diligence: Due diligence should be conducted to determine the viability of the vendor/service provider. Consider such factors as vendor reputation, transparency, references, financial means and resources, and independent third-party assessments of vendor safeguards and processes.
♦ Exit strategy: Cloud services should not be engaged without developing an exit strategy for disengaging from the vendor or service and integrating the service into business continuity and disaster recovery plans. Be sure to determine how you would recover your data from the vendor, especially in cases where the vendor shuts down.
♦ Proportionality of analysis/evaluation: The depth of the above analysis and evaluation, and the scope of risk mitigation measures and required vendor assurances, must be proportional to the risk involved, as determined by the sensitivity level of the information involved and the criticality or value to the University of the service involved.

7.0 Conclusion

Cloud computing is a combination of several key technologies that have evolved and matured over the years. Cloud computing has a potential for cost savings to enterprises, but the security risks are also enormous. Enterprises looking into cloud computing technology as a way to cut down on cost and increase profitability should seriously analyze the security risks of cloud computing. The strength of cloud computing in information risk management is the ability to manage risk more effectively from a centralized point. Security updates and new patches can be applied more effectively, thereby allowing business continuity in the event of a security hole. Cloud computing weaknesses include issues such as the security and privacy of business data being hosted in remote third-party data centers, being locked in to a platform, reliability/performance concerns, and the fear of making the wrong decision before the industry begins to mature. Enterprises should verify and understand cloud security, carefully analyze the security issues involved, and plan for ways to resolve them before implementing the technology. Pilot projects should be set up and good governance should be put in place to effectively deal with security issues and concerns. We believe the move into cloud computing should be planned and it should be gradual over a period of time.
Authors

Anthony Bisong
Anthony Eban Bisong is a Ph.D. Student at Capella University majoring in Information Assurance and Security. Anthony also works full time consulting as a Senior Software Engineer and has worked on Information Technology projects at Fortune 500 corporations using leading internet technologies. His experience and interest in information technology are vast and include Cloud Computing; smartphone and mobile technologies: Android, iPhone, JavaFX, MeeGo, WebOS; Information Security; and Internet technology using Web 2.0 technologies.

Syed (Shawon) M. Rahman
Syed (Shawon) Rahman is an Assistant Professor in the Department of Computer Science & Engineering at the University of Hawaii-Hilo and an adjunct faculty of Information Technology, Information Assurance & Security at Capella University. Dr. Rahman's research interests include Software Engineering Education, Data Visualization, Data Modelling, Information Assurance & Security, Web Accessibility, and Software Testing & Quality Assurance.
He has published more than 50 peer-reviewed papers. He is an active member of many professional organizations including ACM, ASEE, ASQ, IEEE, and UPE.