Understanding Risks to Cloud Computing
A major concern with the cloud is that the cloud provider offers the software, platform and infrastructure to the user. On top of that, the user’s actual data/information also resides with the provider. The risk with this model of service is that users may have their information abused, stolen, unlawfully distributed, compromised or harmed. What is the guarantee that the user’s information/data is not sold to her competitor? What ethical constraints exist to prohibit, prevent or protect the user in this new model of service? Another important risk to consider when using the cloud concerns the ownership of the information or data residing on the provider’s system. When a user puts her information in the hands of the provider, what control does the user have over the data, its confidentiality or its integrity?
When we consider small to medium-sized organisations or end users, one can discuss risks associated with cloud services pretty easily. What happens to the government and the enterprise in relation to the cloud? Can the cloud be used for government-marked information, for example a ‘strictest in confidence’ document for, say, the CIA, MI5 or the MoD? I certainly do not think so, especially at this current stage of the cloud. In this respect, maybe cloud computing is not ideal for all facets of society. Certainly, I can’t imagine any organisation with security in mind that would hand ‘strictest in confidence’ or ‘in confidence’ information to the cloud without a second thought.
Again, whose security policies are used for operating the cloud? Are they those of the enterprise, the government or the MCSP? If the policy is the end users’, then how would the MCSP marry diverse security policies from myriad heterogeneous users of very diverse backgrounds, from diverse countries and with very diverse legal and socio-cultural value systems?
What of data location? Where does the data an end user has created on an MCSP’s system reside? The location of end user data is of great importance. For example, the EU Border legislation (Safe Harbour) stipulates the countries where EU private and personal data can and cannot reside, and which borders it can and cannot traverse. With infrastructure as a service, the cloud provider can use dynamically localised infrastructures that exist outside the EU or US territories. This may contravene or abuse fundamental privacy and legislative requirements, especially if the end user was not aware of where her information is stored. This applies specifically to EU and US customers, SMEs, government and enterprise who may wish to use the cloud for delivering services, and I believe other countries have other legislation that should be considered when using the cloud. Some kinds of information can be easily abused with cloud computing; for instance, personal medical data (health record data) is subject to strict compliance acts such as HIPAA. A significant concern is that the protections on personal medical data can be easily circumvented with the SaaS or IaaS models of the cloud. These highlight some inherent risks that exist with cloud computing.


2 Comments:
I agree with you. I would like to add that the usage of digital signatures for data confidentiality and data integrity will play an important role in this new era of SaaS and cloud computing.
That's true, but what happens with the security of PaaS and IaaS offerings?
I reckon a new and novel approach of delivering service in IaaS and PaaS is required, hence why I've started this thread to engage us in thinking about possible ways to deliver secure services in general to the Cloud!