It is important to understand that the extent and nature of lock-in varies according to the cloud type:
SaaS Lock-in
Customer data is typically stored in a custom database schema designed by the SaaS provider. Most SaaS providers offer API calls to read (and thereby ‘export’) data records. However, if the provider does not offer a ready-made data ‘export’ routine, the customer will need to develop a program to extract their data and write it to a file ready for import to another provider. It should be noted that there are few formal agreements on the structure of business records (e.g., a customer record at one SaaS provider may have different fields than at another provider), although there are common underlying file formats for the export and import of data, e.g., XML. The new provider can normally help with this work at a negotiated cost. However, if the data is to be brought back in-house, the customer will need to write import routines that take care of any required data mapping unless the CP offers such a routine. As customers will evaluate this aspect before making important migration decisions, it is in the long-term business interest of CPs to make data portability as easy, complete and cost-effective as possible.
The malicious activities of an insider could potentially have an impact on the confidentiality, integrity and availability of all kinds of data, IP and all kinds of services, and therefore indirectly on the organization’s reputation, customer trust and the experiences of employees. This can be considered especially important in the case of cloud computing, because cloud architectures necessitate certain roles which are extremely high-risk. Examples of such roles include CP system administrators and auditors, and managed security service providers dealing with intrusion detection reports and incident response. As cloud use increases, employees of cloud providers increasingly become targets for criminal gangs (as has been witnessed in the financial services industry with call centre workers (13), (14)).
Cloud computing is a new way of delivering computing resources, not a new technology. Computing services ranging from data storage and processing to software, such as email handling, are now available instantly, commitment-free and on-demand. This new economic model for computing has found fertile ground and is seeing massive global investment. According to IDC’s analysis, the worldwide forecast for cloud services in 2009 will be in the order of $17.4bn. The estimate for 2013 amounts to $44.2bn, with the European market growing from €971m in 2008 to €6,005m in 2013. For cloud computing to reach the full potential promised by the technology, it must offer solid information security, and therefore proper consideration and management of risks.
VII. It is important to differentiate between the case of a small to medium sized organisation, which would make a choice between different contracts offered on the market, and a larger organisation, which would be in a position to negotiate clauses. It is foreseeable that the main commercial benefit of cloud computing will come from the fact that cloud computing will likely be a bulk or commodity service that can be bought at short notice or on a pay-per-use basis (e.g., case A: large cloud provider - SME customer). This assumes standardisation of services and thus of legal conditions. Therefore, in the legal analysis of this paper, we describe the issues primarily from the perspective of the small-to-medium organisation which is assessing different contracts, SLAs, etc., offered on the market.
This report discusses a wide range of potential risks that customers need to mitigate through the use of contractual agreements. Yet the current user agreements for most of the prominent cloud computing services give no such assurances. According to the terms of service for Google Apps, for example, the services might be interrupted, untimely, insecure or erroneous, and give inaccurate or untimely results, but Google and its partners would have no liability to you. 26 Amazon Web Services state in their general customer agreement that “We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” 27 These disclaimers provide little assurance for organisations seeking the benefits of vendor clouds. There is also the added problem that cloud providers may outsource their services, which is likely to increase legal complexity and muddy the risk, particularly if those service providers are registered in another offshore jurisdiction.
information he receives wirelessly comes from the cloud, via application servers hosted by an external cloud service provider. Is he exposing his company to an unacceptable level of security risk?
Without question, cloud computing has the potential to be the most revolutionary trend in the information and communications technology (ICT) industry in the next several years. Forecasts generally see revenues growing almost four times as fast for the cloud services market as for other IT markets through 2013. That’s because the cloud has enormous potential not just to save IT costs, thanks to standardization and scale benefits, but also to provide the business with better service, anytime access, and faster time to market. Yet virtually every discussion of cloud computing inevitably raises the same question: Will my data be safe? This is the question that has vexed CIOs and chief information security officers ever since the advent of cloud computing. The data called up by the sales manager no longer sits within his company’s trusted networks behind a protected security perimeter, and the sales manager no longer accesses this data from a defined end-user device that follows tightly controlled access restrictions. This raises several critical issues about the security risks involved in putting this information in the cloud and giving him access to it from anywhere.
Risks and Security Concerns With Cloud Computing
Many of the risks frequently associated with cloud computing are not new, and can be found in enterprises today. Well planned risk management activities will be crucial in ensuring that information is simultaneously available and protected. Business processes and procedures need to account for security, and information security managers may need to adjust their enterprise’s policies and procedures to meet the business’s needs. Given the dynamic business environment and focus on globalization, there are very few enterprises that do not outsource some part of their business. Engaging in a relationship with a third party will mean that the business is not only using the services and technology of the cloud provider, but also must deal with the way the provider runs its organization, the architecture the provider has in place, and the provider’s organizational culture and policies. Some examples of cloud computing risks for the enterprise that need to be managed include:
5.3.3 Centralized Management and Data
For public and outsourced scenarios, the SaaS service model implies that the majority of the data managed by an application resides on the servers of the cloud provider. The provider may store this data in a decentralized manner for redundancy and reliability, but it is centralized from the point of view of consumers. This logical centralization of data has important implications for consumers. One implication is that, for public and outsourced scenarios, the SaaS provider can supply professional management of the data, including, for example, compliance checking, security scanning, backup, and disaster recovery. When these services are provided away from the consumer's premises in public and outsourced scenarios, SaaS management of data gives consumers protection against the possibility of a single catastrophe destroying both the consumer's facility and data. This benefit, however, is contingent upon the SaaS provider protecting its facilities from catastrophic attack or other undesirable events. For on-site private and community SaaS clouds, the benefits of centralized management are similar; however, there is less resilience against catastrophic losses unless consumers explicitly plan for those contingencies. The “on demand” network access of SaaS applications also relieves consumers from the need to carry their data with them in some settings, thus potentially reducing risks from loss or theft. When supported by the application's logic, remote data management also facilitates sharing among other consumers.
obtain that competence is ethically required to retain an expert consultant who does have such competence. 89
Attorneys will likely be held responsible for keeping reasonably informed about rapidly developing technology and security risks; just being aware of current technological security issues is not enough. 90 They are expected to “stay current with the technological advances” to ensure that the provider’s security procedures are adequate. 91 The duty of competence extends not only to attorneys, but also to the supervision of non-attorney staff. 92 They too must make reasonable efforts to use technology in a secure manner. Moreover, lawyers must recognize the risks inherent in new communications and advise their clients accordingly. 93
“Two Thirds of Firms Are Using Cloud Computing, Despite Risks”
Computerweekly.com, Nov 2008
• Cloud computing is a new way of delivering computing resources, not a new technology
• Virtualization + Web 2.0 + Distributed parallel computing (Hadoop & MapReduce)
• Infinite pool of additional capacity available on demand – payable by usage
Computing power is provided to cloud subscribers for a fraction of what it would cost to produce on their own. And, like the electric grid, few companies can afford the computing capacity that a cloud provider, practicing economies of scale, can offer. So the cloud eliminates the need to invest in standalone servers and software that are capital intensive but not in use the majority of the time. The cloud can also help eliminate or reduce such overhead costs as management, IT personnel, data storage, real estate, bandwidth and power. It is important to note that cost savings can vary depending on the deployment and delivery model selected. For example, infrastructure savings are generally greater when leveraging public cloud implementations as opposed to private cloud implementations. Another cost saving occurs in the area of upgrades. As computing resources become obsolete they must be replaced in order to ensure operational efficiency. Additional cost savings occur through cloud providers absorbing the expenses associated with software upgrades, hardware upgrades and the replacement of obsolete network and security devices. Maintaining a computing infrastructure requires repetitive capital investment, as the cycle of obsolescence repeats itself, and does so — essentially — forever. The cloud can reduce the costs associated with obsolescence by transferring some of those costs to the cloud provider.
Cloud computing has changed information technology (IT) services in several ways: development, deployment, scalability, updates, maintenance, and payment. The expense of computing in an organization has increased due to the growing complexity of management, of the information architecture infrastructure, and of distributed data and software. Cloud computing is able to offer different IT services and reduce costs for small and medium companies that are otherwise unable to deploy and use many cutting-edge IT services. Gartner research expects that investment in cloud computing will reach $150 billion. One survey of six data centres showed that servers used only 10-30% of their computing power, while desktop computers utilized less than 5%. Organizations and companies spend about two-thirds of their IT staffing budget on support and maintenance activities, which seems unnecessary in the age of globalization.
Takabi et al. argue that although clouds allow customers to avoid start-up costs, reduce operating costs, and increase their agility by immediately acquiring services and infrastructural resources when needed, their unique architectural features also raise various security and privacy concerns. They note that cloud computing environments are multidomain environments in which each domain can use different security, privacy, and trust requirements and potentially employ various mechanisms, interfaces, and semantics. They identified six security and privacy challenges, namely: authentication and identity management, access control and accounting, trust management and policy integration, secure-service management, privacy and data protection, and organizational security management.
Cloud Computing Risks and Limitations
• Security is the number one barrier to adoption
“Harris Corporation is selling its super-secure data center in Harrisonburg, Virginia and leaving the ‘cloud computing’ business, saying that both its government and commercial customers prefer hosting ‘mission-critical information’ on their own premises rather than in the proverbial cloud.” (Wired, 2012)
Negotiate terms that specify your organization’s requirements for computing resources, including physical security, access rights to your environment and data, data handling, and outage recovery. Make sure that the contract provides, at the very least, for immediate notification of breaches in data security; if PII is involved, your contract will most likely also need to provide for the engagement of a third-party forensics team to help determine the full scope of your obligations under breach notification laws. Without such protections in place, you may end up either over-disclosing (subjecting your organization to all the attendant reputational, litigation and expense risks) or under-disclosing in violation of state law. In addition, ensure that your contract contemplates data transfers, the creation of derivative works from the data being processed by the provider, a change of control of the provider, and what happens if law enforcement demands access to such data. Lastly, understand the laws of the jurisdiction where your data resides, which could impact access rights and even ownership of your data.
The Cloud is too expensive:
Internal management of data is more cost-effective.
Not true! Adopting a cloud computing solution can represent a significant reduction in cost. In some cases, savings of up to 50% on costs related to the operation, maintenance and updating of information systems!
The compliance domain brings together all the regulatory issues which may impact the protection goals. The legal framework of data protection laws and the legal requirements of companies regarding data storage and processing in cloud computing systems are briefly discussed in the following. A risk management process is also discussed which can be used by cloud consumers to contain the risks involved in using cloud services. Important security guidelines, certificates and standards which a cloud vendor ought to have are also discussed in the context of governance. In general, compliance monitoring procedures for Internet-based services such as cloud services must be extended if they are to cover applications, users and activities in cloud computing systems effectively.
Cloud computing providers’ and customers’ services are not only exposed to existing security risks, but, due to multi-tenancy, outsourcing of the application and data, and virtualization, they are exposed to emergent ones as well. Therefore, both cloud providers and customers must establish information security systems and mutual trustworthiness, as well as trust with end users. In this paper we analyze the main international and industrial standards targeting information security and their conformity with cloud computing security challenges. We find that almost all main cloud service providers (CSPs) are ISO 27001:2005 certified, at minimum. As a result, we propose an extension to the ISO 27001:2005 standard with a new control objective about virtualization, so that the standard remains generic, regardless of a company’s type, size and nature, that is, so that it is also applicable to cloud systems, where virtualization is the baseline. We also define a quantitative metric and evaluate the importance factor of ISO 27001:2005 control objectives when customer services are hosted on-premise or in the cloud. The conclusion is that obtaining the ISO 27001:2005 certificate (or having already obtained it) will further improve CSP and CC information security systems and introduce mutual trust in cloud services, but will not cover all relevant issues. In this paper we also continue our work on the business continuity detriments that cloud computing produces, and propose some solutions that mitigate the risks.
The majority of the benefits listed above relate to the scale benefits that are gained by the cloud service provider by having a significantly larger scale IT operation than any single consumer enterprise would reasonably be able to attain on its own. These benefits include the ability to attract and employ more highly skilled IT professionals, implement better continuity and security controls, diversify the physical location of data and back-up centres, and provide better support, as well as the ability and need to continually upgrade the hardware and software which is utilised to provide the IT capabilities. These benefits are subsequently passed on to the consumer enterprise in the form of a better IT service than the consumer could have provided for itself. A portion of the cost benefits is also passed on to the consumer enterprise.
must be met, to ensure compliance with legislation such as the Sarbanes-Oxley Act and the Health and Human Services Health Insurance Portability and Accountability Act (HIPAA). These Acts establish security procedures that must be provided for in order to move corporate data to the cloud. Some researchers believe that there are no fundamental obstacles to making a cloud computing environment as secure as the vast majority of in-house IT environments, and that many of the obstacles can be overcome immediately with well-understood technologies such as encrypted storage, Virtual Local Area Networks, and network middleboxes (e.g., firewalls, packet filters). For example, encrypting data before placing it in a cloud may be even more secure than leaving it unencrypted in a local data center. This is one of the recommendations most frequently made by security professionals, but, as indicated in the Verizon® paper (and others), it seems to be grossly underutilized, which is surprising, since it is also one of the least expensive methods of achieving data security. One scholarly offering is that auditability could be added as an additional layer beyond the reach of the virtualized guest OS (or virtualized application environment), providing facilities arguably more secure than those built into the applications themselves and centralizing the software responsibilities related to confidentiality and auditability into a single logical layer. Such a new feature reinforces the Cloud Computing perspective of changing the focus from specific hardware to the virtualized capabilities being provided (Armbrust, et al., 2009).