Using technology to cut the costs has always played an important role in businesses. Cloud Computing has gotten a lot of interest in recent years as a way to reduce capital expenditures and operational costs. In simple terms, Cloud computing refers to the delivery of software and other technology services over the Internet by a service provider. The client computer accessing the cloud service doesn't need to have software or services installed on their workstation as everything is handled by cloud infrastructure. Interest in cloud computing is growing in order to reduce management overhead, extend existing IT infrastructures, and reducing the barriers for new service providers to offer their services to a wide market with reduced costs and minimum infrastructure requirements.
The concept of cloud computing is directly linked to service-oriented architecture such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). The technology is still new and many aspects of cloud computing are at an experimental stage and it does face some challenges. With the passage of time, the technology will improve and will help in reducing costs associated with IT infrastructure and services. This paper provides brief information about Cloud computing, and discusses how it is related to service oriented architecture. The paper also discusses security and privacy issues involved in Cloud computing and provides recommendation on risk management.
1.0 - Introduction
Cloud computing is defined as dynamically scalable shared resources that are accessed over a network. It is a style of computing in which IT related functions are provided "as a service", allowing users to access technology enabled services from the Internet without knowledge of, expertise with, or control over the technology infrastructure that supports them. The concept of Cloud computing is similar to "time sharing" where IT resources are rented instead of being bought. An individual accessing the services offered by cloud only pays for what they use. Commercial e-mail services such as Yahoo or G-mail and social networking sites like Facebook, MySpace are some of the most obvious examples of cloud service". In fact, e-mail is the most frequently adopted cloud computing service currently. The list cloud services is almost endless and covers a vast area of information technologies, including those "at the top of the stack" such as management and administrative systems; those in the middle such as hardware and software provisioning, disaster recovery, back-up, and data storage; and those down at the network level including Internet service and bandwidth.
2.0 - Background of Cloud Computing
In order to understand the background of cloud computing, it is important to understand the concepts of cyber infrastructure, service oriented architecture (SOA), workflows, and virtualization.
2.1 - Cyber-infrastructure
The term "cyber-infrastructure" describes research environments that support advanced data acquisition, data storage, data management, data integration, data mining, data visualization and other computing and information processing services over the Internet. Scientifically, cyber-infrastructure is a technological problem solving solution that can efficiently connect data, computers, and people. Cyber-infrastructure makes it easier to develop and deploy application, thus expanding the feasible scope of applications possible within budget and organizational constraints, and shifting the scientist's and engineer's effort away from information technology development and concentrating it on scientific and engineering research. Cyber-infrastructure also increases efficiency, quality, and reliability by capturing common features among application needs, and facilitates the efficient sharing of equipment and services.
2.2 - Service Oriented Architecture (SOA)
SOA is a way of offering software applications and support infrastructure into an interconnected set of services, each accessible through standard interfaces and messaging protocols. Once all the elements of enterprise architecture are in place, existing and future applications can access these services as necessary without the need of point-to-point solutions based on proprietary protocols. This architectural approach is particularly applicable when multiple applications running on varied technologies and platforms need to communicate with each other. This allows enterprise applications to mix and match services to perform business transactions with minimal programming efforts.
2.3 - Workflows
A workflow is a model to represent real work for further assessment, e.g., for describing a reliably repeatable sequence of operations. More abstractly, a workflow is a pattern of activity enabled by a systematic organization of resources, defined roles and mass, energy and information flows, into a work process that can be documented and learned. Workflows are designed to achieve processing intents of some sort, such as physical transformation, service provision, or information processing. A workflow can be represented by a directed graph that represents data-flows that connect loosely and tightly coupled (and often asynchronous) processing components.
2.4 - Virtualization
Virtualization is a process of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others. It allows abstraction and isolation of lower-level functionalities and underlying hardware. Virtualization also enables portability of higher-level functions and sharing and/or aggregation of the physical resources.
3.0 - Cloud Computing
Cloud computing is a model that focuses on sharing data and computations over a scalable network of computing devices that are also known as nodes. This includes computers, data centers, and Web Services. This network of nodes is termed as a "cloud". An application based on such clouds is known as a cloud application. Basically cloud is a symbol for internet and is an abstraction for the complex infrastructure it contains. The goal of cloud computing is to use the existing infrastructure in order to bring all feasible services to the cloud and make it possible to access those services regardless of time and location.
3.1 - Types of Cloud Computing
There are many types of cloud computing:
Software as a Service (SaaS): Software as a Service is defined as "Software deployed as a hosted service and accessed over the Internet". In traditional environment, software has been delivered in boxes with a license and often with a support contract. The Internet removes all these requirements and enables SaaS to become an new way of interacting and doing business. SaaS is based on a very simple principle - rather than buying a software license for an application such as Accounting or Human Resources and installing this software on individual machines, a business or an individual signs up to use the application hosted by another company. The consumer uses the software by paying a subscription fee without owning a copy of the software. Successful examples of SaaS are salesforce.com that is a SaaS-based Customer Relationship Management service and webex.com that is an online video conferencing service.
Data as a Service (DaaS): DaaS is defined as the delivery of virtual storage over a network configured with virtual storage and other data services. DaaS is based on a request for a given service level. By simplifying data storage behind a set of service interfaces and delivering it as-needed basis, a wide range of actual offerings and implementations of the DaaS technology are possible.
Platform as a Service (PaaS): PaaS is defined as a platform delivered as a service which can run web services and applications, and which is an abstraction from the infrastructure underneath. PaaS if difference from a normal platform in that PaaS does not require knowledge or care about the underlying infrastructure's hardware or software.
Infrastructure as a Service (IaaS): IaaS is defined as a computer infrastructure, such as virtualization, being delivered as a service. IaaS is most popular in data centers where software and servers are purchased as an outsourced service. The IaaS service is usually billed on usage and how much of the resource is used compared to the traditional method of buying software and servers outright. IaaS can also be called enterprise-level hosting platform.
Identity and Policy Management as a Service (IPMaaS): The IPMaaS service provides managed identity and access control policy for customer.
Network as Service (NaaS): Provider offers virtualized networks (e.g. VPNs).
3.2 - Cloud Computing as Compared to other Technologies
The following is a quick overview of some of the similar technologies related to cloud computing:
Autonomic Computing: Autonomic computing integrates computer technology and allows networks to manage themselves with little or no human intervention.
Client-Server Computing: Client-server computing refers broadly to any distributed application that has two logical parts: a server which provides information or service, and a client, which requests them.
Grid Computing: Grid computing is a form of distributed computing and parallel computing. It involves creation of a cluster of networked, loosely coupled computers acting in concert to perform very large tasks. In grid computing, a large project is divided into smaller parts that work on different computers, in parallel, cost effective, fast, sharing of resources.
Utility Computing: Utility computing a form of computer service where the company providing the service charges users for how much you use it.
Peer-to-Peer: Peer to peer computing is a technology which utilizes the shared resources of every system attached to the Intranet in order to perform a specific task or purpose.
3.3 - Advantages of Clouds Computing
Some of the advantages of cloud computing are provided below:
Reduced Cost: Cloud technology is paid incrementally. In other words, you pay as you go and it saves organizations money in the short run. Money saved can be used for other important resources.
Increased Storage: Cloud computing allows organizations to store more data than on private computer systems.
Highly Automated: Cloud computing free up resources for IT personnel as they not needed to keep software up to date. Maintenance is the job of the service provider on the cloud.
More Mobility: Cloud computing allows employees to access information wherever they are, rather than having to remain at their desks.
3.3 - Disadvantages of Clouds Computing
Cloud computing bears some risk because of its highly dependent nature on Internet.
Internet Connection: If Internet connection is not enabled, access to cloud or cloud services is not possible as Internet connection is required for cloud applications.
Internet Connection Speed: A low speed Internet connection makes cloud computing painful at best and often impossible. Cloud applications require a lot of bandwidth to work.
Performance: Web-based applications can sometimes be slower than a desktop application even on a fast Internet connection. In cloud computing, everything about the program has to be sent back and forth from client computer to the servers where cloud application is hosted. If the cloud application is very resource intensive, response from the cloud server will be slow.
Limited Features: The cloud application lacks many of the advanced features of desktop applications as it is web based. That's the reason power users might not want to leap into cloud computing just yet.
Security: With cloud computing, the data is stored in the cloud but the security of the data is not guaranteed. Only time will tell if a client's data is secured or not in the cloud.
Data Loss: Data stored in the cloud is replicated across multiple servers in the cloud. If the data goes missing and there is no backup available, it will not be possible to recover the data.
3.4 - Key Vendors of Cloud Computing
Key vendors of cloud computing technology are:
Amazon Web Services: The best cloud service that offered by Amazon is Amazon Elastic Compute Cloud, or Amazon EC2, which allows customers to set up and access virtual servers via a simple Web interface.
Google: Google offers some of the best known cloud computing services available for e.g., g-mail, Google Docs, Google Calendar etc.
Microsoft: Microsoft's Azure was formally unveiled in 2008. It is still a work in progress and if it succeeds, Microsoft hope to release "Windows Azure" which will be a cloud based OS offering remote computing power, storage and management services.
Salesforce: Salesforce.com's Sales Cloud and Service solutions for customer relationship management are very popular and are being used by thousands of companies.
3.5 - Users of Cloud Computing
Users of cloud computing can be divided into the following groups:
Virtualized Software Application Users: This type of user use virtually uses a desktop application that is deployed on a powerful server elsewhere, but it outputs the screen down to a local device such as a netbook, laptop, or desktop machine.
Browser Based Software Application Users: These types of users use browser to run applications such as a word processor or CRM front-end. Such cloud application help in reducing users' dependencies on working on any particular operating system, and therefore allowing more and more use of different kinds of software applications that are traditionally deployed as a local application.
Service Oriented Users: These types of users employ cloud applications such as web services from a cloud service provider to implement a business process in their applications.
Service Providers: Service providers can also use cloud services to handle peak load demands. These users purchase and configure data center resources for average use and then use processors or storage from the cloud to handle the demand.
Software Developers: Software developers can employ dynamic resource allocation provided in a cloud to speed application or solution creation.
Academic Users: Academic institutions are also building their own clouds using the cyber infrastructure they currently have. Cloud systems are built upon grid resources in order to resolve Grids limitations raising the possibilities of a new compute paradigm for scientific research.
4.0 -Cloud Computing and Security
Cloud computing raises a range of policy and security issues due to its virtual nature. Some of the important security issues are discussed below:
4.1 - User Access
User access is a critical issue because sensitive data is processed outside the enterprise in cloud. The outsourced services bypass the physical and logical personnel controls that are in place at enterprise environments. It is very important that complete information, including hiring and oversight of cloud service administrators and their controls over services, is obtained from the cloud service providers before hiring their services.
4.2 - Data Security and Integrity
Subscribers of cloud services are responsible for the security and integrity of their data. Cloud service providers should be subjected to audits and security compliance like the traditional service providers.
4.3 -Data Location
Data in a cloud can be stored anywhere in the world. Cloud service providers should be asked if they will commit to storing and processing data in according to specific policy and whether they will undergo privacy contracts on behalf of their customers.
4.4 - Data Isolation
Since the data hosting in cloud is shared with other customers, it raises serious concerns. Cloud service provider should provide detailed information on how the data is isolated including the encryption technology being used to encrypt the data.
4.5 - Disaster Recovery
It is very important to know what will happen to cloud services and data in case of a disaster and how long will it take to do a complete restoration of cloud services and data. A cloud service provider should replicate data and application infrastructure across multiple sites in order to avoid failure. An absence of disaster recovery feature is vulnerable to a total failure of cloud services.
4.6 - Legal Issues
An inappropriate or illegal activity is impossible to avoid in cloud services. It is difficult to investigate cloud services because logging and data for customers may be collocated and may also be spread among different hosts and data centers. A contractual commitment to support investigation in case of legal issues should be required from the cloud service provider.
4.7 - Escrow Services
It is very important to know what will happen in case a cloud service provider goes bankrupt or can no longer provide services to its clients. A cloud service provider should have a software escrow contract to handle this situation. Customer should ask for information on how they will get their data back and how it can be imported into a replacement application.
5.0 - Threats to Cloud Computing
The top threats that Cloud computing is currently facing are discussed in this section. These threats were released by the Cloud Security Alliance in March 2010.
5.1 - Abuse and Nefarious Use of Cloud Computing
Infrastructure as a Service (IaaS) providers often combine their services with a seamless registration process where anyone with a valid credit card can register and immediately start using the cloud services. Hackers, spammers, and malicious code authors can take advantage of this process and can launch attacks such as password and key cracking, Dynamic Denial of Service (DDoS), hosting malicious data, botnet command and control. Following are some recommendations to remediate this threat:
Use strict initial registration and validation process of cloud subscriber.
Use enhanced credit card fraud monitoring and detection systems.
Do comprehensive scan of customer network traffic.
5.2 - Insecure Interfaces and API
Cloud service providers provide interfaces and API to their subscribers so that they can use cloud services. Provisioning, management, orchestration, and monitoring of cloud services are all performed using these interfaces. Authentication, access control, and encryption should be a built-in feature of cloud service in order to prevent both accidental and malicious attempts to use cloud service. Following are some recommendations to remediate this threat:
The security model of the cloud service provider interface and API should be regulary analyzed.
Strong authentication and access controls should be implemented with encrypted transmission of data.
5.3 - Malicious Insiders
Malicious insiders are a known threat to most organization. The impact that malicious insiders can have on an organization is considerable, given their level of access and ability to infiltrate organizations and assets. Brand damage, financial impact, and productivity losses are just some of the ways a malicious insider can affect an operation This threat is a major concern in cloud services. It is important that consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat. Following are some recommendations to remediate this threat:
Strict policy chain management should be enforced. In addition, a comprehensive supplier assessment should be regularly performed.
Human resource requirements should be a part of legal agreement.
Information security and management practices should be transparent.
Security breach notification processes should be clearly determined.
5.4 - Shared Technology Issues
Recently, attacks targeting the shared technology inside Cloud Computing environments have surfaced. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data. Following are some recommendations to remediate this threat:
Implement security best practices of installation and configuration of hardware and software components in a cloud architecture.
Monitor the cloud environment for unauthorized changes and activities.
Promote strong authentication and access control for administrative access operations.
Enforce service level agreements for software and firmware patches.
Conduct security and vulnerability audits.
5.5 - Data loss of leakage
Data loss or leakage can have a devastating impact on a business and can cause a serious damage to brand and reputation, employees, partners, and customers. It can also have competitive financial and legal implications. Following are some recommendations to remediate this threat:
Stronger API access controls should be implemented.
Encrypt and protect data integrity in transmission.
Analyze data protection both at design and run time.
Demand service providers to wipe persistent media before it is released into the pool
Have data backup and retention strategies as a part of contract.
Conclusion
Cloud computing is getting popular day by day and is one of the reason that have made computers smaller, lighter, and smarter. It is normal for vendors to rush to grab market share without addressing the security issues because security is both difficult and costly to implement and can slow product release to the market. Many of the cloud services have been available for a while but the broader issues of data security are only now being addressed. With the passage of time, the technology will get mature and most of the security issues will have been addressed. The technology still requires lot of research and enterprise should be cautious about the capabilities and risks associated with the technology.
