CLOUD COMPUTING SECURITY AND PRIVACY
Today Cloud computing is being used in various fields such as academia and industries. It signifies a novel model in both business and computing models, which allows a high demand for storage capital assets and the provision of computation services. According to Sengupta et al. (2011), he defined cloud computing as a model for allowing suitable, on-time demand web access to a communal pool of arrangeable computing resources; such as applications, storage, web, services. Servers and can still be provided and released at a faster rate and, at the same time, ensure that the services are cost-effective. Cloud computing ensures that the service providers offer services using applications, software and hardware by the use of the internet. This model of computing enables users to use minimal cost, less effort and provide individuals with a chance to strip themselves of structure administration and emphasis on essential capabilities, and at most have the quickness presented by the on-request delivery of computing.
There are four delivering models used in cloud computing based on the service providers; these cloud models include Community, Hybrid, Private and Pubic cloud. The models could be used solely or in combination, depending on the organization’s policies or the available resources. Community cloud involves services that are shared by several institutions for helping a selected community that has common interests such as security needs, policies, acquiescence and deliberations. The services may be managed by a third party or the organization itself. They can also exist away from the specified site; an example of this type of Cloud is the government. It is provided by different agencies and can be used by all. Private Cloud involves the provision and management of services by a specific institution or a third party. Public Cloud includes services that are availed and managed by the public but owned by an institution trading the cloud service example Alibaba cloud service. Hybrid Cloud- this type involves a combination of different clouding models such as public and private cloud models or community and individual models. From the viewpoint of an institution delivering service, three types of cloud services may be used, which are a platform providing service where applications are developed and implemented. The second is a software servicing where applications are rented instead of purchasing and installing as the chief administrator the third is where the internet services are offered on a developed infrastructure by services providers offering the needed storage and the power to compute (Manas, Nagalakshmi and Shobha 2014). Cloud computing poses a lot of benefits to the user. From a hardware point of view, the illusion is that the computing resources are adequate and not limited. Hence service providers do not need to plan for the provisions; it provides a platform for institutions with little capital to start with fewer resources and increase the support as the need increases. One can pay for the services on a short-term base and release the facilities when not needed. Cloud computing has created a platform for operations to be carried out on a large scale while decreasing operational costs for the service providers (Jansen and Grance, 2011).
Cloud computing poses many issues and concerns that would affect the provision of services to its users. The first concern is that the user has limited control over his or her data or the performance of the application that he would want to use, or the ability to alter the rules and procedures that he is required to perform efficiently (Zhou et al.,2010). Obeying to laws and regulations can be difficult, mainly when speaking about cross-border matters. The second issue is that users quickly lose their data when they are sealed into registered arrangements and can lose governance over their information since the apparatus for checking who is using and viewing them is not always given to the user (Sengupta, Kaulgud and Sharma, 2011). The third concern is that not always easy to provide a 100% tailor-made service specific to the user or business even though there could be a form of compensation (Mather, Kumaraswamy and Latif, 2009). Lastly, the standards are undeveloped and inadequate for managing the quickly changing technology of cloud computing. Security is the biggest challenge that companies face when dealing with cloud computing.
Companies are unable to secure their users from alteration and loss of data, and they are considered to have failed in terms of their working track record. Businesses involved in cloud computing use resources to adequately secure their customers from external cyber-attacks and also inside attackers (Angadi and Gull, 2013). However, most of the companies encrypt their data to mitigate snooping, but this does not prevent the data from deletion and alteration. New advances are upcoming such as HMAC used by Amazon to protect their users by using a digital signature that deters malicious change. Cloud computing issues involve many information technologies such as operating systems, networking, management transaction and load balancing. Organizations providing services to their users should ensure that data is secure by providing that they monitor who is maintaining the data and who is accessing the data and also keep records of the users. The organization should also have unlimited access to the server to manage and monitor the server to prevent malicious activities (Behl, 2011). The other way organizations should secure data is ensuring that security is conducted on two basic levels—one being on the customer stage and the other on the service provider level. To Authenticate the admission panel, one should establish up data access regulations with privileges and then confirm these admission panels by the network providers cloud customers are using every time data. To ensure admission control approaches for the customer side, the organization providing the service should define and guarantee that the only approved operators can access the customer’s data (Chen and Zhao, 2012).
There are various risks involved in the cloud computing securities, which include; privileged user access on data, which is first addressed. After the data is keyed in the Cloud, the provider can access data and also have control of the data available in the Cloud (Sabahi, 2011). Controlling the confidentiality of data and restricting privileged user access is achieved by having data encryption before entry into the Cloud. This is to separate the ability to store data and also the ability to use that data. The second way to maintain the confidentiality of the data can be by enforcing legal requirements to cloud provider through assurance mechanisms and contractual obligations to enhance data confidentiality standards are fully met. Effective data encryption is maintaining data confidentiality, where decryption keys must be segregated securely from the cloud environment. To ensure that only an authorized party can decrypt data that can be achieved by storing keys on separated systems in house or by storing keys with a second provider. Secondly, there are e-investigations and protective monitoring that works by employing protective tracking in the Cloud, which presents challenges for both cloud providers and customers since there is a distinct location of physical data. There are a high number of providers involved. According to Jansen and Grance. (2011) technologies enabled by Cloud have been designed to place a security boundary between the cloud service systems and the cloud users. Still, the weaknesses in this level of security cannot be run out altogether. This creates insider threats and attacks on the Cloud. This is likely to require expertise in e-investigations and protective monitoring. In the cloud environment, auditability is another side effect threat due to a lack of control. Insufficient transparency in the cloud operations to the providers is a crucial challenge. Audits provided in manual checks and documents may be distributed and spread all over the globe. Hence a problem of transparency since regulations that restrict data and operations to move from one geographical to another. Assessing the security of a third-party cloud provider is another major challenge, especially to the vendor cloud clients, is having the assurance over the security controls of their cloud provider. This is aggravated by the fact that there is currently no common industry cloud computing security standard that customers can scale their providers with. Third-party data control the legal effects of data and applications being held by a third party are complex. They are hardly understood by cloud users, which becomes a cloud security risk. There is also a potential lack of control and transparency when the third party holds the data of the customer. There is also part of the public cloud computing that is the Cloud that can be implementation-independent, but there are legal requirements of transparency into the Cloud (Belh, 2011).
Another threat is the side-channel attacks that are an emerging concern for cloud delivery models via virtual platforms that cause data leakage across co-resident virtual machine instances. This is an evolving risk and is considered to be in its early stages, as the virtual machine technologies developed. This is a threat since the attackers can penetrate cloud infrastructure from outside the cloud perimeter by acting as a rogue customer within a shared cloud infrastructure and can access other customers’ data illegally. Another threat is the denial of service attacks where data availability is a crucial concern of concern to the service providers who must design solutions to mitigate this threat. According to Sengupta, Kaulgud and Sharma. (2011) denial of service has been associated with network layer distributed attacks. This occurs when the infrastructure is flooded with much traffic to cause critical components to wear out. It may also consume all available hardware resources. In a multi-tenant cloud infrastructure, there are threats such as shared resource consumption attack, which deny other clients the system resources such as thread execution time, storage request and network interfaces, which can result in denial of service. Insider and organized crime threat is also a risk that most of the Cloud providers store different types of data, such as personal data, financial data and credit cards. This stored data may be available in the organizations involved, which can be accessed by criminals from the insiders of the organizations. This may the insiders may be agents to crime since they may provide access to customer data and system to execute internet attacks (Kong, Lei and Ma, 2016). According to Chowdhury et al. (2013), data location and segregation is another threat in the cloud environment that is particularly important in the Cloud, given that there are distinct physical data sites and common computing resources. This results in contractual obligations toward Cloud users to make sure that the data stored is well processed and managed. This may spring out risks when the cloud providers forced to provide decryption keys to a risky third party.
Standardization activities in cloud computing are activities undertaken by various standard organization development groups to ensure privacy and security in cloud computing. These different focus group and their actions are; Cloud security alliance which is a nonprofit making organization which gives security guidance on essential areas in cloud computing. Through a published report, cloud security alliance guides on various strategic fields to provide a secure relationship between security practitioners and cloud providers. Distributed Management Task Force is a task force that comes up with interoperable information technology management resolution standards. It deals with topics like Open Virtualization Format and Open Cloud Standards Incubator. This task force has partnered with cloud security alliance to promote ideals for cloud security as part of task force Open Cloud Standard Incubator. The Open Cloud Standard Incubator group is tasked with formulating several management protocols, packaging setups and security tools to foster interoperability between Cloud, followed by specifications that will promote cloud service portability and cross-cloud management consistency. Storage Networking Industry Association is an association that has formed the Cloud Storage Technical Work Group to develop a framework associated with system implementations of cloud storage technology. It enhances cloud storage as a new way of providing just-in-time storage billed only for what it is customized for. Using a cloud data management interface, a customer can identify their data with unique metadata and also one can move their cloud data from one vendor to another without experiencing any problems with the various interfaces.
Open Cloud Consortium is an organization that supports the development of standards, benchmarking of the progress, implementation of open source references, cloud computing workshops and events. It is involved mainly in four working groups, namely, standard cloud performance measurement, large data clouds working group, information sharing and finally, security working group. Organization for the Advancement of Structured Information Standards is a nonprofit international organization that ensures development integration and use of e-business standards. It provides the most web services standards alongside other standard services such as e-business, security and also ensures standardization in public sectors. The organization has various technical committees with objectives that are clearly defined; TM panels are an association that involves technological vendors like the international business machines, dell and large communication service providers. TM panels provide a document that acts as a guideline and offers a range of conventional methods, procedures and metrics to be used; International Telecommunication Union. This focus group was established following recommendations from other organizations to contribute to telecommunication aspects, which include security telecommunication aspects, service requirements and telecommunication networks. This focus group works hand in hand with universal cloud computing communities such as laboratories and research forums, among others; European Telecommunications Standards Institute is an association that is interested in providing solutions involved in the integration of information technology and telecommunications. It comes into place where the connectivity is beyond the local network. It includes grid computing as well as Cloud computing emerging trends. Object Management Group is a nonprofit organization that comes up with enterprise integration standards for an extensive range of industries. Arrangement of services and applications on Cloud is modelled to ensure portability, reuse and interoperability. Association for Retail Technology Standards is an international organization that advocates for the use of standards as a way to reduce costs, mainly in the retail industry. Institute of Electrical and Electronics Engineers has ensured cloud computing goes to new levels by coming up with a design guide and a standard for interoperable cloud service.
Cloud computing settings pose a multiple-domain field situation whereby each field uses diverse trust needs as well as a security mechanism. Such areas might characterize independently permitted services or structural components of any application (Zhou et al.,2010). With the advancement of technology, new emerging trends in cloud computing and privacy need to be realized to identify and manage critical security and privacy issues. Access control has been made flexible enough to accommodate the diversity of services; this involves the formation of policies that allow adequate access control to the services offered (Behl, 2011). Users can access their information and share it across the network. The user is prompted to input his or her credentials for authenticity purposes. The processor speed has been improved as well as the memory capacity. This has enabled large volumes of data to be stored and increased the performance of the system. Mobile phones and laptops have overtaken the old aged computers, which had few features on internet connectivity. Mobile phones have been customized to the user’s preference as well as multiple functionalities. The trend will continue to increase in complexity in the coming years, which will also lead to more issues regarding privacy and security. Trust management and policy integration deal with service provided by the service providers in the cloud environment. This is done by the collaboration of multiple service providers though they usually have different approaches in the provision of the services. Cloud service provision may cause security violations, and this causes the providers to be careful to manage access control policies to ensure there are no security breaching via integration policies that have been developed. Integration should provide challenges such as semantic heterogeneity, policy evolution management and also secure interoperability (Mather, Kumaraswamy and Latif, 2009).
Though Cloud computing is still at its infancy, it has gained universal popularity because of its ability to provide on-demand services, flexible efficiency, and it is also less costly. However, despite its technical advantages, it is prone to security issues, which may thwart its success as a new information technology model. A lot of businesspeople have not fully adopted cloud computing, or they are using it partially to store only less sensitive information. For cloud computing to be said as Secure and private, it means it should contain various features, which are confidentiality, accountability and integrity, among others. Though these security issues seem new because of the adversities they cause, they are not new, and they are already in existence(Ang and gull, 2013). To ensure security, some focus groups have been formed to come up with solutions and frameworks in the form of standardized specifications to provide a secure cloud computing environment. Several emerging trends have also evolved to ensure that cloud computing achieves reliable threshold measures. Due to the dynamic climate, however, new privacy and security strategies ought still to be researched for better results and new heights in cloud computing.
References
Angadi, A. B., & Gull, K. C. (2013). Security Issues with Possible Solutions in Cloud Computing-A Survey. International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), 2(2), 2278-1323.
Behl, A. (2011). Emerging security challenges in cloud computing: An insight to cloud security challenges and their mitigation. In 2011 World Congress on Information and Communication Technologies (pp. 217-222).
Chen, D., & Zhao, H. (2012). Data security and privacy protection issues in cloud computing. In 2012 International Conference on Computer Science and Electronics Engineering (Vol. 1, pp. 647-651).
Chowdhury, C. R., Chatterjee, A., Sardar, A., Agarwal, S., & Nath, A. (2013). A comprehensive study on Cloud green computing: To reduce carbon footprints using clouds. International Journal of Advanced Computer Research, 3(8), 78-85.
Jansen, W. A., & Grance, T. (2011). Guidelines on security and privacy in public cloud computing.
Kong, W., Lei, Y., & Ma, J. (2016). Data security and privacy information challenges in cloud computing. In 2016 International Conference on Intelligent Networking and Collaborative Systems (INCoS) (pp. 512-514).
Manas, M. N., Nagalakshmi, C. K., & Shobha, G. (2014). Cloud Computing Security Issues And Methods to Overcome. International Journal of Advanced Research in Computer and Communication Engineering, 3(4), 6306-6310.
Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud security and privacy: an enterprise perspective on risks and compliance. ” O’Reilly Media, Inc..”
Sabahi, F. (2011). Cloud computing security threats and responses. In 2011 3rd International Conference on Communication Software and Networks (pp. 245-249). Sabahi, F. (2011, May). Cloud computing security threats and responses. In 2011 3rd International Conference on Communication Software and Networks (pp. 245-249).
Sengupta, S., Kaulgud, V., & Sharma, V. S. (2011). Cloud computing security–trends and research directions. In 2011 IEEE World Congress on Services (pp. 524-531).
Takabi, H., Joshi, J. B., & Ahn, G. J. (2010). Security and privacy challenges in cloud computing environments. Security & Privacy, 8(6), 24-31.
Xiao, Z., & Xiao, Y. (2012). Security and privacy in cloud computing. Communications surveys & tutorials, 15(2), 843-859.
Zhou, M., Zhang, R., Xie, W., Qian, W., & Zhou, A. (2010). Security and privacy in cloud computing: A survey. In 2010 Sixth International Conference on Semantics, Knowledge and Grids (pp. 105-112).