Volume 8, Issue 11, November 2019, ISSN: 2278 – 1323
Abstract: Cloud Computing (CC) as an emerging domain of technological paradigm is on the horizon following the availability of high-capacity networks, less expensive computers and scalable storage devices, hardware virtualization, and service-oriented architectural frameworks. Based on distributed processing, parallel computing and grid computing, CC has become very popular as a source of shared resources and services on the internet. It has added more strength to what has been conceptualized recently by Beck and many others as Risk Society (RS) in the modern post-industrial society. The main objectives of the present paper are primarily to focus on the issues and problems of CC and, by doing so, to relate it to RS.
Index Terms – Cloud, Risks, Risk Society
Sompurna Bhadra
PhD Scholar
Department of Computer Science and Engineering, Techno India University
Kolkata, West Bengal 700091
1. INTRODUCTION
CC is, as NIST defines, ‘a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’. NIST also enumerates five characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, and Measured Service [1]. The layers of cloud services which CC service providers offer to customers are predominantly of three types. First, there is Infrastructure as a Service (IaaS), which provides resources such as servers, virtual machines, data centre space and operating systems. Second, there is what is called Platform as a Service (PaaS), which enables the customer to execute software such as the operating system, database, server and programming language environment. In the third dominant service model, Software as a Service (SaaS), the delivery of an application as a service is available on demand and paid for on a usage basis [2], [3]. There are various cloud models deployed to meet the needs of diverse end-user environments in managing the computing hardware and software. They are mainly of four types. The first one is the Private Cloud. This cloud infrastructure offers services only for an organization located inside its network or outside it. Second, in the Public Cloud service deployment model, the service provider offers both the hardware and the software needed for customer usage on a pay-as-you-go basis. In the third place, Hybrid Cloud infrastructure consists of two or more clouds which remain separate but allow portability of data and applications between them. Finally, there is the Community Cloud, in which infrastructure is shared by different organizations with shared purposes [3], [4], [5]. In the light of this brief discussion I examine different issues and hazards of CC which toughen the RS in our times.
2. CLOUD COMPUTING ISSUES AND PROBLEMS
2.1. THREATS AND ATTACKS
Even though CC has advantages, mentioned above as characteristics, this does not mean that it has no disadvantages. Cloud computing is changing the way organizations use, store and share data, applications and workloads, and its disadvantages have their origins in these changes. Bhowmik defines threat as ‘an event that can cause harm to a system. It can damage the system’s reliability and demote confidentiality, availability or integrity of information stored in the system. Threats can be malicious such as deliberate alteration of sensitive data or can be accidental such as unintentional deletion of a file or problem arisen from erroneous calculation [6].’ The Cloud Security Alliance, in its 2017 Report based on industry experts, outlines as many as 12 biggest threats to Cloud Computing in order of severity. They are (1) Data Breaches; (2) Insufficient Identity, Credential and Access Management; (3) Insecure Interface and APIs; (4) System Vulnerabilities; (5) Malicious Insiders; (6) Account Hijacking; (7) Advanced Persistent Threats (APTs); (8) Data Loss; (9) Insufficient Due Diligence; (10) Abuse and Nefarious Use of Cloud Services; (11) Denial of Service; and (12) Shared Technology Vulnerabilities [7]. Another source adds one more, (13) Bonus Threat: Spectre and Meltdown [8]. There are four important security attacks in CC: Denial of Service (DoS), Hypervisor Attack, Resource Freeing Attack (RFA), and Side-Channel Attacks (SCAs).
2.2. CC VULNERABILITIES
NIST in its Glossary of Key Information Security Terms defines vulnerability as ‘weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.’ [9]
CLOUD COMPUTING IN THE RISK SOCIETY: ITS ISSUES AND HAZARDS
Grobauer [10] and Dahbur and others [11] thus lay down the following features of Cloud Specific Vulnerabilities. 1. The vulnerability should be intrinsic to or prevalent in a core technology of cloud computing such as virtualization, service-oriented architecture and cryptography; 2. It must have its root cause in one of the essential cloud characteristics such as on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity, and measured service; 3. A cloud-specific vulnerability is triggered when cloud innovations make tried and tested security controls difficult or impossible to implement, for example, when an earlier management procedure created for a fixed hardware structure does not port correctly to virtual machines; and finally, 4. It is prevalent in the established state of the art of cloud services. Grobauer gives examples of essentially cloud-specific vulnerabilities, such as unauthorized access to the management interface, internet protocol vulnerabilities, data recovery vulnerability, and metering and billing evasion [10]. In Table 1, Suryateja provides a list of threats and vulnerabilities in CC [12].
Table 1. THREATS AND VULNERABILITIES
No | THREAT NAME | POSSIBLE VULNERABILITIES
---|---|---
1 | Data Breaches | 1. Targeted Attack 2. Simple Human Errors 3. Application Vulnerabilities 4. Poor Security Policies
2 | Data Loss | 1. Natural Disasters 2. Simple Human Errors 3. Hard Drive Failures 4. Power Failures 5. Malware Infection
3 | Malicious Insiders | 1. Former Employee 2. System Administrator 3. Third Party Contractor 4. Business Partner
4 | Denial of Service (DoS) | 1. Weak Network Architecture 2. Insecure Network Protocol 3. Vulnerable Application
5 | Vulnerable Systems and APIs | 1. Weak API Credentials 2. Key Management 3. Operating System Bugs 4. Hypervisor Bugs 5. Unpatched Software
6 | Weak Authentication and Identity Management | 1. Social Engineering Attacks 2. Man in the Middle Attack 3. Malware Infection
7 | Account Hijacking | 1. Social Engineering Attacks 2. Man in the Middle Attack 3. Malware Infection
8 | Shared Technology Vulnerabilities | 1. VM Vulnerability 2. Hypervisor Vulnerabilities 3. Third Party S/W Vulnerabilities
9 | Lacking Due Diligence | 1. No Auditing 2. Service Level Agreement
10 | Advanced Persistent Threats (APTs) | 1. Spear Phishing or Whaling 2. Direct Hacking 3. USB Malware 4. Network Penetration
11 | Abuse of Cloud Services | 1. No Cloud Service Monitoring 2. Service Level Management
12 | A Lack of Responsibility | 1. Human Negligence 2. Service Level Agreement
13 | Insufficient Security Tools | --
14 | Human Error | 1. Human Negligence 2. No or Insufficient Training
15 | Ransomware | 1. Infrastructure Vulnerability 2. Platform Vulnerabilities 3. Application Vulnerabilities
16 | Spectre and Meltdown | 1. Hardware Design
2.3. RISKS IN CLOUD COMPUTING
A simple definition of risk is ‘the probability that something bad is going to happen’ [4]. A vulnerability can be exploited by a threat, which may cause damage or compromise, and hence risk to assets or resources. The risk equation is as follows: Risk = Threats × Vulnerabilities [4]. Other researchers state that a risk is ‘the likelihood of a threat agent taking advantage of vulnerability and the corresponding business impact. For example, if users are not educated on processes and procedures, there is a higher likelihood that an employee will make an intentional or unintentional mistake that may destroy data. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact’ [11]. Indeed, this conception of risk is more illustrative and proposes this equation: Risk = Vulnerability × Threat × Impact × Likelihood. Risk is the result of a successful exploitation. Threat stands for an action or situation that may exploit a vulnerability. Vulnerability is a flaw or weakness. Impact can be low, medium or high. Likelihood stands for how many times it may happen.
ENISA, in its recommendations in Cloud Computing: Benefits, Risks, and Recommendations for Information Security in 2010, identifies the top eight security risks based on likelihood and impact: Loss of governance, Lock-in, Isolation failure, Compliance risk, Management interface failure, Data protection, Malicious insider, and Insecure or incomplete data deletion [13]. One aspect of dealing with cloud security necessitates what is termed risk management. An organization has four choices when faced with risks: Risk Avoidance, Risk Acceptance, Risk Transference, and Risk Mitigation [4].
2.4. TRUST AND CLOUD COMPUTING
providers? Moreover, who is there to monitor, measure, assess, or validate cloud attributes? Further, the CC consumers do not know where the data are stored and where the document really is [14][15]. The importance of trust in cloud computing can be understood if traditional technology is compared with the Cloud as an innovative change of computing concept. Earlier the centre of computations was a client computer and a local area network. The internet was used just as a source of useful information or useful software applications that could be downloaded from the internet and installed on the client computer. ‘Now, with cloud computing, the cloud (part of the Internet) becomes itself a powerful tool of organizing and performing computations, and the client computer (via a Web browser) is used as a tool to control the computations and to visualize the results’ [16]. The Cloud now has many novel features, such as remarkable scalability and a huge stock of resources which are possessed by separate service providers and which are entirely distributed, homogenized and completely virtualized. So traditional technological mechanisms like identity verification, authentication or authorization no longer hold good for CC. Hence the importance of trust, especially with regard to security threats and risks.
No wonder, Manuel argues that ‘the biggest cloud computing issue is trust. Trust plays an important role in all commercial cloud environments and trust management is an integral part of commercial aspects of cloud technology’ [17]. What then is trust, which is a crucial component of CC? Simply put, trust is a complex and multidimensional concept. It does not have any universally accepted single definition [18]. Cho and others advance the following definition: ‘Trust is the willingness of the trustor (evaluator) to take risk based on a subjective belief that a trustee (evaluatee) will exhibit reliable behaviour to maximize the trustor’s interest under uncertainty (e.g., ambiguity due to conflicting evidence and/or ignorance caused by complete lack of evidence) of a given situation based on the cognitive assessment of past experience with the trustee’ [19]. What are the characteristics of trust? Noor and others have provided a list of features of trust, while analyzing cloud services from the aspect of trust among some of the CC service providers such as IBM, Microsoft, and Amazon. They define a set of trust characteristics, such as authentication, security, privacy responsibility, virtualization and cloud service consumer’s accessibility [20].
2.5. PRIVACY IN THE CLOUD
In spite of the tremendous growth and popularity of CC, privacy, and along with it data security, has remained a neglected issue and is often a barrier to its further development [21]. The reason is not far to seek. The more information the service provider has about an individual or organization, the less interested it becomes in protecting privacy, in view of its opportunity to create more direct advertising. But the truth of the matter is that privacy is an essential ingredient of cloud computing. The users, without knowing the physical location of the server or the configuration of the processing of personal data, store in cloud infrastructure their sensitive data, including their biographical, biological, historical, locational, relational, computational and other information, and eventually end up revealing their identities for no fault of their own. No wonder, it is argued that ‘current cloud services pose an inherent challenge to data privacy because they typically result in data being exposed in an unencrypted form on a machine owned and operated by a different organization from the data owner. The major privacy issues relate to trust (e.g. whether there is unauthorized secondary usage of personal Identity Information (PII)), uncertainty (ensuring that data has been properly destroyed, who controls retention of data, how to know that privacy breaches have occurred and how to determine fault in such cases) and compliance (in environments with data proliferation and global, dynamic flows and addressing the difficulty in complying with transborder data flow requirements).’ [2]. There is another aspect, concerning multi-tenancy, which embodies privacy risk, since it can serve separate customers by dividing resources on the logical level from the same instance of software, maximizing gain by reducing usage of resources. This gain by the provider is not possible ‘without risking the leakage of confidential or sensitive data. There is no means to verify whether a tenant data were accessed, copied or logged by another tenant’ [22]. As Meglena Kuneva, European Commission Commissioner, caustically said: ‘Personal data is the new oil of the internet and the new currency of the digital world’ [23].
In 2013 OECD recommended eight principles in its guidelines governing the Protection of Privacy and Transborder Flows of Personal Data, which were initially framed in 1980. These are as follows: Collection Limitation Principle, Data Quality Principle, Purpose Specification Principle, Use Limitation Principle, Security Safeguards Principle, Openness Principle, Individual Participation Principle, and Accountability Principle. The Guidelines define, inter alia, important concepts: “Personal data” means any information relating to an identified or identifiable individual (data subject). “Data controller” means a party who, according to national law, is competent to decide about the contents and use of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf. Finally, “transborder flows of personal data” means movements of personal data across national borders [25]. These may be suitably included in the Service Level Agreement (SLA) between the service users and service providers.
3. THE RISK SOCIETY
Ulrich Beck indeed not only broke out of ‘the iron cage of conventional and orthodox social science and politics’ and championed the need for ‘a new sociological imagination’ in responding to the concrete paradoxes and challenges of the late modernity of the contemporary industrial society. He also took up the challenge of confronting the questions pertaining to ‘ecological blindness’, which the other social scientists including sociologists were not keen to pursue, by introducing the new paradigm of the RS [26, 27]. Beck could write ‘the risk society is thus not a revolutionary society, but more than that, a catastrophic society. In it the state of emergency threatens to become the normal state’ [28].
For Beck what is true of the role of science is also true of technology, although the two are not exactly and necessarily distinct categories. The large-scale nuclear, chemical, ecological and genetic hazards, (a) which ‘cannot be delimited spatially, temporally, or socially’, (b) which smash to the ground ‘the established rules of attribution and liability – causality and guilt’, (c) which can only be minimized but never ruled out, and (d) for which there is a lack of provision in the worst catastrophic case scenario, are precisely the ‘hazards of technologically advanced civilization.’ Elsewhere he says that ‘technology and natural science have become one economic enterprise on a large industrial scale, without truth or enlightenment, comparable to the secular power of the medieval Church without God’ [28]. Since the mid-twentieth century, Beck writes, ‘the social institutions of industrial society have been confronted with the historically unprecedented possibility of destruction through decision-making of all life in this planet. This distinguishes our epoch not only from the early phase of the industrial revolution, but also from all other cultures and social forms, no matter how diverse and contradictory these may have been in detail. If a fire breaks out, the fire brigade comes; if a traffic accident occurs, the insurance pays. This interplay between beforehand and afterwards, precautions have been taken even for the worst imaginable case, has been revoked in the age of nuclear, chemical and genetic technology. In all the brilliance of their perfection, nuclear power plants have suspended the principle of insurance not only in the economic, but also in the medical, psychological, cultural and religious sense. The residual risk society has become an uninsured society, with protection paradoxically diminishing as the danger grows.’ [29] This grim description does not portray a sustainable society but describes the onset of the risk society.
The word ‘risk’ is derived from the French word risqué and it first appeared in anglicized form in the early nineteenth century [30]. For Beck, the risk society is a kind of society that systematically produces, defines and distributes ‘techno-scientifically produced risks’. Accordingly, (risk) problems and conflicts in such a society arise ‘from the production, definition and distribution of techno-scientifically produced risks’ [31]. Elsewhere Beck argues that the term ‘risk society’ is used ‘for those societies that are confronted by the challenges of the self-created possibility, hidden at first, then increasingly apparent, of the self-destruction of all life on this earth’ [27]. ‘The transition from the industrial to the risk epoch of modernity occurs unintentionally, unseen, compulsively, in the course of a dynamic of modernization which has made itself autonomous, on the pattern of latent side-effects…. Risk society is not an option which could be chosen or rejected in the course of political debate. It arises through the automatic operation of autonomous
4. CONCLUSION
Having outlined very briefly the concept of RS, I need to stress how CC and RS are not mutually exclusive but rather complementary. Both are embedded in science and technology, and both point to troublesome hazards in society. One is a techno-scientific risk in the computing domain and the other is a techno-scientifically produced social risk in the social domain. Both are global in nature, while both are in the process of mitigation of risks in their respective domains. Both are concerned with issues such as threats, vulnerabilities, trusts, privacy, identity, freedom and surveillance across national boundaries for both the individual and the organization in our networked knowledge society. Both are perpetrated by insiders in the society and are uncontrollable in the short term. A study of CC in relation to RS is needed in view of this optimistic but cautionary note which Shafieian and others provide in regard to public cloud specific attacks. ‘The Cloud should be monitored for new attacks. As the Cloud is yet a new and evolving environment, new Cloud-specific attacks may always be discovered by carefully investigating the underlying interactions between different components in the architecture. There are attacks in the Cloud that require new solutions and countermeasures, or improvements to the current countermeasures. This is especially true for EDoS attacks which are the Cloud-specific variant of DDoS attacks. These attacks are capable of making the Cloud services unsustainable for the victim consumer. Consequently, designing appropriate detection and prevention mechanisms may help the potential victims to become more resilient against these attacks. This is particularly due to the fact that most solutions and countermeasures have only been experimented in controlled lab environments, or have been only proposed without undergoing any experimental validation as a proof of concept’ [33].
Thus, I think that there is a need to do full-fledged research work on the theme of the role of cloud computing in the currently emerging risk society in late modernity. The research method applicable to this kind of research work is known as exploratory study. Its scope is as follows: “Exploratory studies consist of collecting, analyzing, and interpreting observations about known designs, systems, or models, or about abstract theories or subjects. These studies are largely an inductive process to gain understanding. ...Exploratory studies observe specific phenomena to look for patterns and arrive at a general theory of behaviour. The emphasis is on evaluation or analysis of data, not on creating new designs or models. The emphasis is on perspective and relative importance [34].”
BIBLIOGRAPHY
[1] Badger, L., T. Grance, R. Patt-Corner, and J. Voas, “NIST Cloud Computing Synopsis and Recommendations. Special Publication 800-146”, Department of Commerce, USA, Gaithersburg, MD 20899-8930, May 2012.
[2] Pearson, S. and G. Yee, “Privacy and Security in Cloud Computing”, London, Springer, 2013, pp. 3-42.
[3] Srinivasan, S., “Cloud Computing Basics”, New York, Springer, 2014.
[4] Kim, D. and M. Solomon, “Fundamentals of Information Systems Security”, Burlington, MA, Jones and Bartlett Learning, 2018.
[5] Stair, R. M., and G.W. Reynolds, “Principles of Information Systems”, Australia, Cengage Learning, 2018.
[6] Bhowmik, S., “Cloud Computing. Cambridge”, p. 272, Cambridge, Cambridge Press, 2017.
[7] Cloud Security Alliance, “The Treacherous 12 - Top Threats to Cloud Computing + Industry Insights”, https://cloudsecurityalliance.org/group/top-threats/, 2017.
[8] Violino, Bob, “The Dirty Dozen: 12 Top Cloud Security Threats”, https://www.csoonline.com/article/3043030/the-dirty-dozen-12-top-cloud-security-threats.html, 2019.
[9] NIST, Kissel, R. (ed.), “Glossary of Key Information Security Terms”, p. 212, http://dx.doi.org/10.6028/NIST.IR7298r2.
[10] Grobauer, B., T. Walloschek, and E. Stocker, “Understanding Cloud Computing Vulnerabilities”, IEEE Security & Privacy, DOI: 10.1109/MSP.2010.115, vol. 9, issue 2, pp. 50-57, 2011.
[11] Dahbur, K., B. Mohammad, and A.B. Tarakji, “A Survey of Risks, Threats, and Vulnerabilities in Cloud Computing”, ACM 978-1-4503-0474-0/04/2011, 2011.
[12] Suryateja, P. S., “Threats and Vulnerabilities of Cloud Computing: A Review”, International Journal of Computer Science and Engineering, vol. 6, no. 3, p. 301, 2018.
[13] O’Hara, B.T., and B. Malisow, “CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide”, p. 293, Indianapolis, Indiana, Wiley, 2017.
[15] Govindaraj, P., and N. Jaisankar, “A Review of Various Trust Models in Cloud Environments”, Journal of Engineering Science and Technology Review, vol. 10, no. 2, pp. 213, 2017.
[16] Safonov, V.O., “Trustworthy Cloud Computing”, p. xvii, Hoboken, New Jersey, Wiley, 2016.
[17] Manuel, P., “A trust model of cloud computing based on Quality of Service”, Annals of Operations Research, vol. 233, p. 28, 2015.
[18] Corritore, C.L., S. Wiedenbeck, and B. Kracher, “The Elements of Online Trust”, CHI 2001, p. 504, 2001.
[19] Cho, Jin-Hee, K. Chan, and S. Adali, “A Survey on Trust Modelling”, ACM Computing Surveys, vol. 48, issue 2, p. 28-5, 2015.
[20] Noor, T.H., Q. Z. Sheng, S. Zeadally, and J. Yu, “Trust Management of Services in Cloud Environments obstacles and Solutions”, ACM Computing Surveys (CSUR), vol. 45, issue 1, pp. 24-5, October 2013.
[21] Sun, Y., J. Zhang, Y. Xiong, and G. Zhu, “Data Security and Privacy in Cloud Computing”, International Journal of Distributed Sensor Networks, p. 7, http://dx.doi.org/10.1155/2014/190903, 2014.
[22] Ghorbel, A., M. Ghorbel, and M. Jmaiel, “Privacy in cloud computing environments: a survey and research challenges”, Journal of Supercomputer, vol. 73, pp. 2763–2800, 2017.
[23] Patrignani, N., D. Whitehouse, and M. Gemo, “Forget About Privacy … or Not?” in (eds.) M. Hansen, E. Kosta, I. Nai-Fovino, S. Fischer-Huebner, “Privacy and Identity Management: The Smart Revolution”, p. 78, Switzerland, Springer, 2018.
[24] Mather, T., S. Kumaraswamy, and S. Latif, “Cloud Security and Privacy”, p. 146, Beijing, O’Reilly.
[25] OECD, “OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.” PDF, 11-5, 2013.
[26] Beck, U., “Risk Society Revisited: Theory Politics and Research Programmes”, in (eds.) B. Adam, U. Beck and J.V. Loon, “The Risk Society and Beyond: Critical Issues for Social Theory”, p. 212, London, Sage Publications, 2000.
[27] Beck, U., “Ecological Politics in an Age of Risk”, pp. 13, 41, 67, Cambridge, Polity Press, 1995.
[28] Beck, U., “Risk Society: Towards a New Modernity”, pp. 78-9, 129, London, Sage, 1996.
[29] Beck, U., “World Risk Society”, p. 53, 77, London, Polity Press, 1999.
[30] Moldrup, C., and J. M. Morgall, “Risk Society-Reconsidered in a drug context”, Health, Risk & Society, vol. 3, no. 1, p. 61, 2001.
[31] Beck, U., “Risk Society: Towards a New Modernity”, p. 19, London, Sage.
[32] Beck, U., “Risk Society and the Provident State”, in (eds.) S. Lash, B. Szerszynski, and B. Wynne, “Risk Environment and Modernity”, p. 213, London, Sage Publications, 1996.
[33] Shafieian, S., M. Zulkernine, and A. Haque, “Attacks in Public Clouds: Can They Hinder the Rise of the Cloud?”, in (ed.) Mahmood, Z., ‘Cloud Computing: Challenges, Limitations and R&D Solutions’, p. 19, Heidelberg, Springer, 2014.