Cloud computing is known as a value-driven innovation because it saves costs along with advanced business process virtualization that is available globally. Organizations consider it a cost effective tool, as the requirement of maintaining a complex technology infrastructure along with resources is not essential. Likewise, risk factors are also being considered, as the risk, mentioned in the underpinning contract is now owned by a third party i.e. cloud computing vendors. Martin Sandler, head of the safety laboratory for HP systems, says, “People often think of virtualization as adding to security problems, but it is fundamentally the answer to a lot of those problems,” (Anthes 2010). In short, cloud computing also offers significant benefits, along with negative consequences. For instance, information of an organization needs to be protected and is the ultimate responsibility of the board of director for which they are also liable. Likewise, the distribution of information on the cloud means that it is no longer controlled by the company and any effect or loss of vendor-side data may pose a major threat to the organization. Therefore, information security is the part of due care and due diligence that is derived from the responsible employees of the organization.
Cloud Deployment Models
It is the prime responsibility of the ‘Business Cloud’ to protect intellectual property and confidential information that may be related to customer personal information, trade secrets, patents etc. Breach of any one of these classified information types can result in a permanent loss of business and ultimately bankruptcy that may result in legal and regulatory compliance. Likewise, it is important to examine cloud deployment and service models before making any strategy for moving critical applications to the cloud. The correct choice needs to be made in order to align business requirements to the correct deployment and service model without any unnecessary risk. ‘ Business Cloud ‘ should select the best way for implementing cloud computing according to their business needs and compatibility factors:
Also referred to as a neologism is the private cloud. The definition of this term, however, dates from 40 years of cloud computing. For organizations requiring advanced security and privacy measures, private clouds are recommended. The private cloud is administered exclusively for only a single organization, in order to maintain strict level of security (, Cloud Deployment Models ).
As compared to a private cloud, the community cloud is shared among many organizations having identical business requirements. Moreover, the required infrastructure is shared among all the organization that is connected to the cloud saving the cost and demonstrates one of the advantages of cloud computing (, Cloud Deployment Models ).
Public computing is a traditional approach that offers access to resources on the Internet. Third-party companies, known as cloud vendors, are hosting on the Web for these services. The services and resources on this cloud are accessible to the public and groups of various industries (, Cloud Deployment Models ).
A hybrid cloud comprises of a mixture of all types of clouds i.e. public, private and community. Most organizations are deploying this type of cloud as it offers a range of accessibility options. Problems such as PCI compliance (Cloud Deployment Models) can be eliminated by incorporating hybrid clouds.
Cloud Computing Service Models
Cloud computing consists of applications represented as web-based services and the provision of hardware / software services by data center companies. Similarly, the Internet services are referred to as ‘ SaaS ‘ (Software as a Service). There are few sellers who use the term (Infrastructure as a service) ‘IaaS’ and (Platform as a service) ‘PaaS’ in order to demonstrate their products and services. However, these terms are avoided and not accepted globally, due to variation (Armbrust, Stoica et al. 2010). The Commerce Department’s National Institute of Standards and Technology (NIST) have illustrated some helpful definitions that focus on three concepts (Ryan, Loeffler 2010):
- Cloud infrastructure as a service ‘IaaS’ consists of provisioning elementary computing resources.
- Cloud software as a service ‘SaaS’ access software application that operates on a cloud infrastructure.
- Cloud platform as a service (PaaS) provides the accessibility to users for implementing and developing applications with programming language and tools supported by the providers.
A cloud’s core components consist of hardware and software from the data center. When these tools are made publicly available, they are referred to as public clouds and the cloud service is referred to as utility computing. Moreover, private clouds are only available to private organizations and are not accessible by the public. Accordingly, cloud computing is the combination of ‘SaaS’ and utility computing (ARMBRUST et al., 2010).
There are three cloud computing service models available i.e. infrastructure as a service, platform as a service and software as a service (Wilshusen 2011). Infrastructure as a service (IaaS) is comprised of three components i.e. software, platform and infrastructure. Organizations only provide software and platform, and third-party cloud computing provider provides infrastructure. The second service models i.e. platform as a service (PaaS) also comprises of three components i.e. software, platform and infrastructure. Organizations only provide a software or application that will be executed on the third party or the vendor’s platform and infrastructure. The third service model also includes the similar three components as mentioned before and called as software as a service (SaaS). Organizations only use the vendors ‘ software in terms of applications that the Internet can access. These three components are the vendor’s assets, i.e. technology, platform and infrastructure (Wilshusen 2011). In figure 1.1, cloud deployment models are demonstrated
(Retreived from :Wilshusen, G. C. (2011). INFORMATION SECURITY: Additional guidance needed to address cloud computing concerns. GAO Reports, , 1.)
Cloud computing four service models are shown in Fig 1.2
(Retreived from :Wilshusen, G. C. (2011). INFORMATION SECURITY: Additional guidance needed to address cloud computing concerns. GAO Reports, , 1.)
‘ Business Cloud ‘ will choose the appropriate customer model as it will be proportional to business or consumer requirements and may vary from organization to organization and type of business. A private cloud is the sole property of the company i.e. the organization’s technology, network and infrastructure (Wilshusen 2011). The second service model is called as the community cloud that is accessible to several organizations that may be similar to business types and will focus on customer requiring a similar technology. The third model is the “Public Cloud” cloud. This form of service model is applicable to the community of the public or the global industry. Lastly, the forth service model is called as the ‘Hybrid cloud’. It considers to be combined with two or more infrastructures that may support two or more clouds. However, the interaction between different clouds is bound on a standardized approach and proprietary technology (Wilshusen 2011).
Cloud Computing Advantages and Challenges
Through ‘ Business Cloud, ‘ cloud computing can reap several useful benefits as discussed below. (Wu, Shen et al. 2011):
The first factor is justifiable, as there is no requirement of managing or maintaining software, hardware and infrastructure associated with network area storage (NAS) because cloud is taking care of the application as a whole. Secondly, the most important factor is the cost. For instance, an information security manager needs to sell security to the business by using an efficient business case. Total Cost of Ownership (TCO) is the core component of the business case that may justify the cost required for implementing security on the cloud. Therefore, low TCO enables information security managers to justify minimal expenses and more cost savings for getting approval on security projects. Likewise, availability of cloud services is also high resulting in value delivery i.e. low cost of ownership and high availability. Moreover, cloud services also eliminate the requirements of a high profile hot site that may involve a lot of cost. In case of unplanned service outage, cloud computing ensures reliable delivery of core business applications that eliminates the needs for off-site storage.
On the other hand, cloud computing also reflects significant risks, principal risks of cloud computing is associated with federal agencies and regulations. Any vulnerability found in the software, platform or infrastructure of the vendors will expose serious exposures, as information may be related to more than one organization. Moreover, employees working internally on the cloud computing premises of ‘Business Cloud’ may also expose a serious threat if no proper background employee checks were performed during recruitment procedures. Furthermore, if any governmental agencies for instance, military or other sensitive body is also using the same cloud from the same vendor is also most likely to be compromised, if any breach of any one of these fundamental concepts Confidentiality, Integrity and Availability is successful. In addition, the incident response function may not be efficient and effective if any incident occurs and affect the customer or employee. For instance, if a security incident affects the customer, the incident response function of the organization will trigger in a timely manner to isolate and investigate the root cause via root cause analysis. In a cloud computing scenario, it may be a different case and result in ambiguity, as from where the investigation should begin. If an incident is triggered from the vendor’s site, evidence is required to act accordingly and may consume more time that is always a critical success factor. Therefore, compliance of cloud computing vendors and implementing security controls as per the governmental information security requirements is the major concern of organizations associated with services on clouds. In addition, organizations also have concerns about the assessment of security controls and independent vendor audit and limitations, as data from many organizations are located on the vendor site, which may increase the risk of the CIA (Wilshusen 2011). Therefore, an agreement is in process for establishing an independent organization that may conduct security audits and assessment. In this way, organizations can select vendors who are approved by these independent organizations maintaining the required security controls and standards.
Cloud Computing Storage
The storage of cloud computing requires a lot of space, in fact humongous data centers where data is collected and managed. Such data centers face a number of threats and safety risks that could harm such data storage devices. The risk may emerge from a skilled hacker, as well as the cloud provider itself, if data is not adequately addressed. A minor security incident or mis configuration can lead to a system failure or unavailability. For instance, in 2008, only a tiny corrupted bit integrated with a message that was used by the servers of Amazon’s Simple Storage Service (S3) that provide services of online data storage imposed a system shutdown for many hours (Talbot 2010). Moreover, another security breach occurred in 2009, password of an employee working on Twitter was hacked that resulted in breaching the email security questions page that was located in the Google apps account (Talbot 2010). In relation to that, one more incident occurred when data was erased from one million T-mobile smart phones due to a server failure that was managing the data of these smart phones (Talbot 2010). As the National Institute of Standards and Technology (NIST) team leader Peter Mell says, public cloud computing models are more vulnerable to threats because every customer has access to a wide range of services and levels. Therefore, if any one of the services is breached, they gain access to all the data.
Cloud Computing Layers
Cloud computing is associated with five layers that works as an architecture. These layers contribute functionality with each other to support the features of cloud computing services. The hardware layer has no fault tolerance concluding that if the hardware fails, there is no alternate except to replace it with the new one. The redundancy and fault tolerance is managed by the applications. However, the risk can be minimized by providing alternative power supplies to the hardware etc. The level of virtualization consists of virtual machines (Cloud Computing, The Five Layers). However, these software applications use a single hardware platform but are presented in many instances. The mainstream server is virtualized by this method, and the vendors can provide Infrastructure as a service (IaaS) to the customers. VMware, Citrix, Microsoft are the popular ones (, The Five Layers within Cloud Computing).
The IaaS acts as a layer of the cloud computing technology by illustrating a mechanism to administer the services of Virtualization. Moreover, the API allows the users to construct templates, which can be deleted anytime. The administration of API facilitates the vendors to save cost (, The Five Layers within Cloud Computing). Furthermore, IaaS facilitates storage services that are administered by an API. For instance, Amazon has implemented IaaS storage services for its customers. The next layer is the PaaS layer that facilitates the IaaS layer by eliminating the management of specific virtual machine instances (, The Five Layers within Cloud Computing). PaaS also contributes in the deployment of an application in cloud computing. A programming interface is made available for the developer to develop API. One of the examples of PaaS is the Google application engine in which Google has demonstrated an API utilized for storage and database along with a platform. PaaS provides the platform for the developers to code a program and initialize it in the cloud. SaaS has its significance on organizations, which do not want to possess or maintain any application in their premises. Email services, customer relationship management (CRM) services is accessible online via the cloud. The storage and security is the responsibility of the vendor (, The Five Layers within Cloud Computing). However, user credentials are required to log in the application on the Internet or a VPN connection. In this way, organizations save the application maintenance cost, cost of physical security measures, security measures etc. (, The Five Layers within Cloud Computing).
Cloud Computing Security
When cloud computing use increases with its connection to the public via the Internet, hackers, cyber criminals, viruses and worms also have new opportunities. These threats will increase and focus on cloud computing enables services and applications for stealing classified data, denial of service attacks on data centers etc. ‘Google apps’ is the major player in the market for providing ‘SaaS’, it was attacked and hacked. The cyber forensics report showed that the attacks came from China (Bisong & Rahman, 2011). The security and privacy in cloud computing are associated with data storage and data protection. Moreover, monitoring the utilization of resources available on the cloud by the service providers is also included. In order to secure the data in the cloud, it can be stored internally in the organization’s premises. Moreover, the Sarbanes-Oxley Act (SOX) in the US and Data Protection directives along with the EU are only two compliances from many other compliance concerns related to data and application of cloud computing. Moreover, the EU has backed up with a legislative data protection for the entire member across the globe. However, the US data protection differs from the EU, as it varies in each state (, PLI: Seminars & Webcasts and Corporate & Securities). Moreover, the service provides incorporates the highest level of security in the clouds of their inbound technical intelligence, but these measures is affected due to government regulations country by country. For instance, if a cloud computing service providers is located within a country, the service provider is bound to slipshod provisions on privacy that may lead the involvement of the government enforcement agencies to peek in the hosted data of a particular organization (, Information Security Short Takes: Cloud Computing Data Protection World Map).
Open Source Licensing
Most of the open source applications are associated with the cloud and it is governed by various obligations included in the relevant open source license. Likewise complying with the software license is similar to any other compliance process, as an efficient compliance processes address issues and mitigate risks. Similarly, cloud computing services do not introduce any new risks but applications associated with these services introduce risks. However, applications that are operational in the cloud are distributed as compare to other software applications that are not shared. Likewise, there is less visibility and no evaluation or examination of the industry, therefore, cannot be categorized or fall under many obligations incorporating copyleft licenses.
Open Source and the Cloud
Cloud computing continues to benefit business by lowering down the cost associated with hardware, software and human resource. However, some of the debatable issues including personal privacy, lack of security control and sharing data are still seeking a solution. Likewise, providing superior benefits for ease of development, minimized costs, high scalability along with next generation architecture are facilitating Information technology to evaluate cost benefit analysis while doing risk assessment (, Cloud computing and open source face-off ). At the same time, open source has played a vital role in cloud computing and facilitated to enable low cost input that can also be considered as free of cost and rich features for cloud service providers. Moreover, buzz in the industry concludes that the cloud computing service will utilize the open source to gain power and control to establish next generation proprietary platform-as-a service that is similar to Web 2.0 (, Cloud computing and open source face-off ).
Moreover, if Linux operating systems are used for cloud computing, there will be no licensing cost as compare to a Microsoft operating system environment. IBM clearly states in the economics of scale that one of the primary drivers for expanding the cloud is open source. Moreover, software or application is considered as a component in a computing environment, though an expensive one. However, open source software is not always successful, as they only become partially in some organizations (, Cloud computing and open source face-off).
Workstations, Printers, Internet Connection and Network Justification
For accessing cloud computing online services via a web browser requires an updated or couple of years old workstation that supports all features of current Web browsers. However, a fast Internet connection with an updated operating system with all critical updates is required for a fast and rich experience of cloud computing applications. Likewise, upgrading old systems to Windows 7 will cost around £70, however, hardware compatibility issues must be addressed, as Windows 7 or Vista does not support all VGA drivers or chipset available in the old system. As ‘business cloud’ websites are text based and no significant multimedia capture or editing is required, a nominal Internet connection is required. Moreover, for addressing storage requirements, all the documents, critical files and other stuff can be stored online that will significantly save the cost of maintaining and installing large storage devices.
As shown in figure 1.1, only a generic overview of the network design is demonstrated. The network is built on a CAT 5 cable with a star topology. Likewise, 2 switches are adequate to connect the 11 staff members of ‘Business Cloud’. Moreover, printers are also connected to the network and can be shared among all the users connected. Furthermore, to avail cloud servicer, a WAN connection is required. In general, cloud computing service providers recommend bandwidth of the Internet connection required to establish fluent and robust connectivity between applications that are accessed from the cloud. We can assume that a broadband connection is used for establishing connectivity with the cloud service provider. Moreover, the router is connected with the two available switches. For security purpose, a firewall is installed after the DSL router or MODEM that will establish connectivity with the WAN. Furthermore, three servers are proposed that includes Customer Relationship Management Server, Email server and Application server.
We have calculated Cost of 11 workstations is calculated below (Prices are taken from Amazon.co.uk):
One HP Pavilion p6-2035 Desktop PC costs £392.65. Hardware specification for this desktop are PC (Intel Core i3-2120 3.3GHz Processor, RAM 4GB DDR3, HDD 500GB, Intel HD Graphics, Windows 7 Professional 64). If we calculate the cost of one workstation
- £392.65 x 11 = £ 4319.15 (Total Cost of 11 Workstations)
- Cost of High quality A3 Printer Canon PIXMA iX 6550 x 1 = £201.07
- Cost of High speed A4 Printer Brother HL3070CW x 1 = £204.30
For calculating price for a broadband connection following are the details that are included in a plan from ‘Talk Talk’ (, Broadband Providers Comparison for UK ADSL, Cable and Satellite ):
- £3.25 per month for up to 14Mb TalkTalk Broadband and calls
- 12 months half-price broadband (save £39)
- Unlimited evening & weekend calls to local & national UK landline numbers
- 40GB monthly usage allowance included (heavy user)
- Customize your broadband plan with Boosts – only £4 a month each
- Mega Download Boost increases usage allowance to 80GB
- Super Secure Boost adds F-Secure security protection for 3 PCs
- Special offer – now only £2 a month with 30-day free trial
- Landline Boosts also available
- £7.25 per month for up to 14Mb TalkTalk Plus Broadband and calls
- 6 months half-price broadband (save £43.50)
- Free anytime calls to UK landline numbers (including 0870/0845)
- Free wider-range wireless ‘N’ router
- Unlimited monthly usage allowance included
- Switch to TalkTalk phone line rental from £9.50 per month (required)
- No need to pay BT line rental or change phone number
- Only £9.50 a month when paying 12 months in advance (usually £13.80)
- Free connection for online orders – save £30
- Free wireless router – save £30
- 30 day trial – option to cancel the service within 30 days
- Free technical support calls from your TalkTalk phone
- Single bill for broadband and phone
- ANTHES, G., 2010. Security in the cloud Communications of the ACM, 53(11), pp. 16.
- ARMBRUST, M., STOICA, I., ZAHARIA, M., FOX, A., GRIFFITH, R., JOSEPH, A.D., KATZ, R., KONWINSKI, A., LEE, G., PATTERSON, D. and RABKIN, A., 2010. A view of cloud computing Communications of the ACM, 53(4), pp. 50.
- WILSHUSEN, G.C., 2011. INFORMATION SECURITY: Additional Guidance Needed to Address Cloud Computing Concerns. GAO Reports, , pp. 1.
- WU, J., SHEN, Q., WANG, T., ZHU, J. and ZHANG, J., 2011. Recent Advances in Cloud Security. Journal of Computers, 6(10), pp. 2156-2163.
- TALBOT, D., 2010. Security in the Ether. Technology review, 113(1), pp. 36.
- Cloud Deployment Models | BizCloud® Network . Available: http://bizcloudnetwork.com/defining-cloud-deployment-models [4/29/2012, 2012].
- RYAN, W.M. and LOEFFLER, C.M., 2010. Insights into Cloud Computing. Intellectual Property & Technology Law Journal, 22(11), pp. 22-28.
- The Five Layers within Cloud Computing | Cloud Computing Journal . Available: http://cloudcomputing.sys-con.com/node/1200642 [4/29/2012, 2012].
- Information Security Short Takes: Cloud Computing Data Protection World Map . Available: http://www.shortinfosec.net/2010/03/cloud-computing-data-protection-world.html [4/29/2012, 2012].
- PLI: Seminars & Webcasts and Corporate & Securities . Available: http://www.pli.edu/Content/_/N-3jZ7r?Ns=sort_date|0 [4/29/2012, 2012].
- Cloud computing and open source face-off | ZDNet . Available: http://www.zdnet.com/blog/hinchcliffe/cloud-computing-and-open-source-face-off/543 [4/29/2012, 2012].
- Broadband Providers Comparison for UK ADSL, Cable and Satellite . Available: http://www.broadbandchecker.co.uk/broadband-checker.html [4/29/2012, 2012].