Risks in E-learning and Cloud Computing

Download (0)

Full text


E-learning and Security

Problems in Claud Computing Environment


Teacher Training Faculty University of Belgrade, SERBIA

VLADIMIR UROSEVIC Ministry of interior, SERBIA

MIHAJLO TIJANIC Ministry of interior, SERBIA

danimir.mandic@uf.bg.ac.rs http://www.uf.bg.ac.rs Abstract:

Cloud computing has emerged as one of the fastest-growing segments of the information technology industry. The ability to leverage economies of scale, geographic distribution, open source software and automated systems to drive down costs makes cloud computing an attractive option for education. Development of information technology and constantly innovating educational technology causes changes in the methods and forms of teaching and organization that would be optimal in the era of mass application of Internet and electronic sources of knowledge. Many of the advantages of cloud computing are accompanied by collateral legal, reputational and security risks having on mind e-learning material that represents intellectual property on the Internet. In contrast to traditional solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the large data centers, where the management of the data and services may not be fully trustworthy. Cyber criminals that targets intellectual property over the Internet also see this opportunity as a way to expand their illegal activities. It is a great opportunity for them to relocate criminal resources and to hide evidence in order to invoade detection during process of stilling objects of another’s intellectual efforts. Authors of this article are trying to give a preview of possible risks that cloud computing can bring to the area of e-learning, with a preview of possible risk of intellectual property that can emerge in Serbia.

Key-Words: cloud computing, e-learning, cyber crime, intellectual property crime, Internet

1. Introduction

Considering the complex regulatory issues surrounding data protection across various jurisdictions, the inability to know where one’s data is located, or, if and when the data may be moved to another state or country, implies a good deal of potential legal risk. Republic of Serbia is a part of European continent, central country of Western Balkan region, and is a part of large Internet network structure with 2.000.000 Internet connections in 2009. As example, some studies suggest that Serbia has first position as a country in the region when using of Facebook (up to 2 064 960 users) is in question. It is a great number, having on mind a fact that a whole population of Serbia was estimated on 7.334.935 people in 2009. With such information infrastructure and large population that

use the Internet it is a very interesting space for criminals and criminal groups from the region of Western Balkans, as well as for criminals and criminal groups from whole world to act. New opportunities that cloud computing bring in our On line space are therefore very significant. Cloud computing is now a big issue in the Republic of Serbia. New way of thinking will produce a need for new regulatory acts regarding jurisdictions. Problems with electronic data and evidence location in cloud environment for cases like intellectual property violation will be prevalent when suppression of cyber crime in this field is in question. Migration of the data and evidence from another state or country will imply a good deal of potential legal risk (We can say that there are already a legal risks caused by using new Cloud Computing services on the Internet for storing


unprotected education material in electronic shape).New idea and useful structure, acceleration of Internet services and greater storage capacity offered by providers are great opportunities for E-learning and for expending physical borders of Serbian education resources, but it also raise a huge concern over one question: What are future security problems that can appear from cloud computing in the Republic of Serbia when intellectual property is endangered?

2. Claud computing

Claud computing became a significant technology trend in 2009. Now there is a wide spread consensus amongst industry observers that it is ready for noticeable deployment in 2010. It is expected to reshape IT process and IT marketplaces in the next years. Cloud computing is a new way of delivering computing resources, not a new technology. Computing services ranging from data storage and processing to software, such as email handling, are now available instantly, commitment-free and on-demand. Since we are in a time of belt-tightening, this new economic model for computing has found fertile ground and is seeing massive global investment. Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid. As example Mell & Grance define it as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [7]. It is a paradigm shift following the shift from mainframe to client–server that preceded it in the early 1980s. Details are abstracted from the users who no longer have need of expertise in, or control over the technology infrastructure "in the cloud" that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet. The term "cloud" is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network and later to depict the Internet in computer network diagrams as

an abstraction of the underlying infrastructure it represents. Typical cloud computing providers deliver common business applications online which are accessed from another web service or software like a web browser, while the software and data are stored on servers. The Cloud system dynamically allocates computational resources in response to customers’ resource reservation requests and in accordance with customers’ predesigned quality of service. Risk coming with opportunity, the problem of data security in Cloud computing become bottleneck of cloud computing [8]. Most cloud computing infrastructure consists of reliable services delivered through portals and built on servers. Clouds often appear as single points of access for all consumers' computing needs. Commercial offerings are generally expected to meet quality of service (QoS) requirements of customers and typically offer SLAs. The major cloud service providers include HP, IBM, VMware, Amazon, Google and Microsoft. Foundation elements of cloud computing comprise of, interalia, primary technologies, such as virtualization, grid computing, service oriented architectures, distributed computing, broadband networks, browser as a platform, Free&Open source software and other technologies such as Autonomic systems, Web 2.0, Web application framework and Service level agreements. Therefore, it would not be an exaggeration to say that cloud computing is next natural step of integration of current diverse technologies&applications. Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. Cloud computing architectures have: - Highly abstracted resources

- Near instant scalability and flexibility - Near instantaneous provisioning

- Shared resources (hardware, database, etc)

- “Service on demand”, usually with a “pay as you go” billing system

- programmatic management (eg, through WS API). Services provided by cloud computing can be broadly grouped into three major categories:

a) Software as a Service (SaaS) comprises end-user applications delivered as a service, rather than a traditional, on-premises software. SaaS has the broadest market.

b) Platform as a Service (PaaS) provides an independent platform or middleware as a service on


which developers can build and deploy customer application. Common solutions provided in this tier from APIs and tools to database and business process management system, to security integration, allowing developers to build applications and run them on the infrastructure that claud vendors owns and maintains.

c) Infrastructure as a Service (IaaS) primarly compasses the hardware and technology for computing power, storage, operating systems or other infrastructure, delivered as off-premises, on-demand services rather than dedicated as on site resources. Because customers can pay for exactly the amount of service they use, like for electricity or water, this service is also called utility computing.1 Generally there are four cloud deployment models:

Private (cloud enterprise owned or leased)

Private cloud and internal cloud are neologisms that some vendors have recently used to describe offerings that emulate cloud computing on private networks. These (typically virtualization automation) products claim to "deliver some benefits of cloud computing without the pitfalls", capitalizing on data security, corporate governance, and reliability concerns. They have been criticized on the basis that users "still have to buy, build, and manage them" and as such do not benefit from lower up-front capital costs and less hands-on management, essentially the economic model that makes cloud computing such an intriguing concept".

Community cloud (shared infrastructure for specific community)

A community cloud may be established where several organizations have similar requirements and seek to share infrastructure so as to realize some of the benefits of cloud computing. With the costs spread over fewer users than a public cloud (but more than a single tenant) this option is more expensive but may offer a higher level of privacy, security and/or policy compliance. Examples of community cloud include Google's "Gov Cloud".

Public cloud (sold to public/any user, large scale infrastructure)

Public cloud or external cloud describes cloud computing in the traditional mainstream sense, whereby resources are dynamically provisioned on


GTSI Corp.:Cloud Computing Building a Framework for Successful Transition, p.3, SAD, 2009.

a fine-grained, self-service basis over the Internet, via web applications/web services, from an off-site third-party provider who shares resources and bills on a fine-grained utility computing basis.

Hybrid cloud (composition of two or more models)

A hybrid cloud environment consisting of multiple internal and/or external providers "will be typical for most enterprises". By integrating multiple cloud services users may be able to ease the transition to public cloud services while avoiding issues such as PCI compliance. Another perspective on deploying a web application in the cloud is using Hybrid Web Hosting, where the hosting infrastructure is a mix between Cloud Hosting for the web server, and Managed dedicated server for the database server. The main idea in Cloud Computing is that it covers all the range of users, from home users that use Cloud Computing to approve their works better and IT staffs and enterprise managers that use Cloud Computing for optimizing, planning and implementing their enterprises. So we can face it that Cloud Computing has the big roles in our life in the future [2]. Republic of Serbia is in the process of information structure developing, and use of Internet services that allows new space for data storage and more working space are very well accepted. Main concern of safety agencies in the Republic of Serbia is a nature of a cloud computing regarding electronic data that can be a possible evidence in criminal cases on this territory. Cyber crime is very adjustable type of criminal threat. There are numerous ways that criminals can use such technical opportunity that represent cloud computing in all cloud deployment models. Some of them can only be predicted as a threat, and some of them are already shown their shape in this new environment.


Cyber crime and intelectual property

crimes in cloud computing environment

First kind of a threat can be described as Abuse and Nefarious Use of Cloud Computing. IaaS providers offer their customers the illusion of unlimited compute, network, and storage capacity - often coupled with a ‘frictionless’ registration process where anyone with a valid credit card can register and immediately begin using cloud services. Some providers even offer free limited trial periods. By abusing the relative anonymity behind these


registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity Future areas of concern include password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms. This type of crime can impact on this fragile structure because criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited. Spam continues to be a problem - as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklist. As it was mentioned above, old ways of conducting criminal offences are now enchased, and there are a numerous opportunities for hide evidence in cloud environment. In Serbia cybercriminals are increasingly focusing on Adobe PDF and Flash files, to infect victims with malware. In addition, they use rich content applications such as Flash files to distribute malicious code. Flash-based ads on the Web, because their binary file format, enable the cybercriminals to hide their malicious code and later exploit end-user browsers to install malware [8]

Some solutions for this type of threats involve stricter initial registration and validation processes, enhanced credit card fraud monitoring and coordination, comprehensive introspection of customer network traffic and monitoring public blacklists for one’s own network blocks. Intellectual property crimes on the Internet are very spread on whole globe, and in the Republic of Serbia were detected cases with Internet sites that are spreading copyrighted material without consents of copyright owners (such as E-books, learning materials, manuals in PDF etc) for gaining a material benefit from this illegal activity. Criminals were selling this material threw P2P networks, FTP servers etc. Main sources of copyright material were portals and Internet sites with weak protection, but in some cases they were using user name and passwords for stilling such material. There are some examples that they use correct password, but illegally resell the materials. While most providers strive to ensure

security is well integrated into their service models, it is critical for consumers of those services to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services. Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability. Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies, are only some of this type of attacks. This problem rise a concern because education material on the Internet can be compromised and stolen, and then reused by copyright thefts. There are several proposals for this kind of attack like analyzing the security model of cloud provider interfaces, ensuring strong authentication and access controls are implemented in concert with encrypted transmission and understand the dependency chain associated with the API. The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary - ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection. The impact that malicious insiders can have on an organization is considerable, given their level of access and ability to infiltrate organizations and assets. Brand damage, financial impact, and productivity losses are just some of the ways a malicious insider can affect an operation. As organizations adopt cloud services, the human element takes on an even more profound


importance. It is critical therefore those consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat. Storing of copyrighted material for education in On-line environment carries a grate risk for the owner, especially in cloud computing environment. Preventive method of protection for this material is not enough effective for this. Remediation for this type of cyber crime attacks can involve enforcing stricter supplying chain management and conducing a comprehensive supplier assessment, specifying human resource requirements as part of legal contracts, requiring transparency into overall information security and management practices, as well as compliance reporting and determine security breach notification processes. IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform. A defence in depth strategy is recommended, and should include compute, storage, and network security enforcement and monitoring. Strong compartmentalization should be employed to ensure that individual customers do not impact the operations of other tenants running on the same cloud provider. Customers such as copyright owners should not have access to any other tenant’s actual or residual data, network traffic, etc. Remediation for this type of cyber crime attacks can involve implementation security best practices for installation/configuration, monitoring environment for unauthorized changes/activity, promoting strong authentication and access control for administrative access and operations, enforcing service level agreements for patching and vulnerability remediation and conducting vulnerability scanning and configuration audits. There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media.

Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data (such as user names, passwords of people that are using E-learning system for educational purposes). The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment. Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data. Some of examples for this type of crime are insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and remanence challenges: disposal challenges; risk of association; jurisdiction and political issues; data center reliability; and disaster recovery. Remediation for this type of cyber crime attacks can involve

implementation of strong API access control, encryption and protection of integrity of data in transit, analyzes data protection at both design and run time, implementation of strong key generation, storage and management, and destruction practices, contractual demanding for providers to wipe persistent media before it is released into the pool, and contract specifying provider backup and retention strategies. Account or service hijacking is not new type of threat but in cloud computing it can be a fast developing problem. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. E-learning is a process in which people are using education resources on the Internet such as e-books, lections, etc. E-portals are protected with user names and passwords and if they are stolen perpatretor of a crime can easily


copy material and reused it for copyright crimes (such as parallel Internet sites for E-learning, sheering of copyrighted material on P2P networks, selling pirated material to „dark markets“ etc). Data loss or leakage can have a devastating impact on a business. Beyond the damage to one’s brand and reputation, a loss could significantly impact employee, partner, and customer morale and trust. Compromised material for education material can be used in inadequate manner, and it can be used in exchange for other illegal material on the Internet. Identity theft is a serious crime, which in the past has disabled and disrupted millions of consumers credit ratings and their overall financial well-being.2 Loss of core intellectual property could have competitive and financial implications. Worse still, depending upon the data that is lost or leaked, there might be compliance violations and legal ramifications. Contrary to traditional computing paradigms, in a cloud computing environment, data and the application is controlled by the service provider. This leads to a natural concern about data safety and also its protection from internal as well as external threats.



Given the rapidly evolving legal landscape in this area, providing guidance to companies venturing into the cloud is a complex matter. Legislatures and regulatory bodies around the world are grappling with the privacy and data security implications of cloud computing, but they have yet to promulgate any actionable requirements or recommendations. In addition, a host of non-privacy law questions (related to e-discovery obligations, for example), not to mention non-legal concerns such as the difficulties associated with migrating to a cloud provider’s architecture and the possibility of service gaps caused by outages, must be explored prior to committing to the use of cloud technology. Companies seeking to implement cloud computing solutions should do so with caution and closely monitor global developments in this area. Cloud computing has experienced rapid growth in recent years. While mainly the result of rapid technological innovation and increased high-speed


http://www.creditguard.org/Identity_Theft.pdf , aveilable on 15.06.2010. at 8:42 AM

broadband offerings, the recent financial crisis has accelerated deployment as companies seek to trim the large overhead costs associated with in-house IT. Cloud computing puts pressure on many different areas of policy, and action is necessary to create the optimal environment for innovation and growth. Broadband deployment, privacy, security, competition policy, and intellectual property reform are just a few areas that must be addressed to foster rapid innovation and adoption of cloud computing. Although policymakers must be vigilant to guard against abuses and bottlenecks in the innovation process, policy should focus on clearing the way for cloud computing instead of actively managing it. In fact, the very nature of cloud computing raises the stakes for policymakers; providers of cloud services will relocate to the countries and regions that create the optimal legal frameworks for it to thrive


[1] Bumbova, A; Gavendova, H;Oulehla, H..:What Can Multimedia Add to the Optimization of Students' Study Habits?, 6th WSEAS International Conference (EDU'07), Venice, 2007.

[2] Mehrdad Mahdavi Boroujerdi, Soheil Nazem: Cloud Computing: Changing Cogitation about Computing, World Academy of Science, Engineering and Technology 58, p.1112-1116, Italy, 2009.

[5] Mandic, D.: Knowledge Based Multimedia System for Teacher’s Education, in the book 9th WSEAS Intenational (AIKED ’10), , University of Cambridge, Cambridge, United Kingdom, 2010, pp.221-226. [6] Mandic, D, Lalic, N., Bandjur, V..: Managing Innovations in Education, in the book 9th WSEAS Intenational Conference (AIKED ’10), Cambridge, United Kingdom, 2010, pp.231-237.

[7] Mell, P. & Grance, T. (2009.) The NIST definition of

cloud computing. Retrieved from


[8] Milovanovic, G., Barac, Nada., Andjelkovic, Aleksandra: Cybercrime - A Treat for Serbian economy, ConferinŃa InternaŃională, ediŃia a VII-a, 15-16 aprilie 2010,, Nis, Republic of Serbia, 2010. [9] Yuefa, D. et all: Data Security Model for Cloud Computing, Proceedings of International Workshop on Information Security and Application (IWISA 2009), Academy publisher, p. 141-144, China, 2009.