Fariborz Farahmand, Ph.D.
Many companies today are paying attention to cloud computing and new aspects of large-scale, distributed computing. This emerging paradigm of the information age offers exciting benefits to companies and users, but cloud computing, like any other innovation, faces challenges such as security and privacy risks.
How do different stakeholders perceive these risks and the effectiveness of the mitigations? And, how are these reflected in their trust in the cloud? The answers to these questions can affect the outcome of policy debates, and the allocation of resources in controlling security issues of cloud environments.
This article presents an introduction to the cloud and some of its advantages and disadvantages. It discusses the role of risk perception and trust in security and privacy challenges of the cloud. It also makes recommendations addressing these challenges.
Just as clouds can take different shapes and be viewed differently, so too is cloud computing perceived differently. To some, the cloud looks like web-based applications—a revival of the thin client. To others, the cloud looks like utility computing—a grid that charges metered rates for processing time. To some, the cloud could be parallel computing, designed to scale complex processes for improved efficiency.1, 2 Interestingly, cloud services are also wildly different. Amazon’s Elastic Compute Cloud offers full Linux machines with root access and the opportunity to run whatever apps the user chooses. Google’s App Engine will also let users run any program they want—as long as the user specifies it in a limited version of Python and uses Google’s database.3
The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”4
It is important to remember that the Internet is in fact a primitive transport cloud. People place something on the path with an expectation that it will get to the proper destination, in a reasonable time, with all parties respecting the privacy and security of the artifact.
Cloud computing brings many advantages to users and vendors. One of its biggest advantages is that a user may no longer have to be tethered to a traditional computer to use an application, or have to buy a version of an application that is specifically configured for a phone, personal digital assistant (PDA) or other device. It is likely that, at some point, any device that can access the Internet will be able to run a cloud-based application. Application services are available independent of the user’s devices and network interfaces. Regardless of the device being used, users also face fewer maintenance issues. Users will not have to worry about storage capacity, compatibility or other similar concerns.
From a technical standpoint, these benefits are the result of the distributed nature of the web, which necessitates a clear separation between application and interaction logic. This is because application logic and user data reside mostly on the web cloud and manifest themselves in the form of tangible user interfaces at the point of interaction, e.g., within a web browser or mobile web client.5
Cloud computing also seems to be beneficial for vendors. Businesses frequently find themselves using the vast majority of their computing capacity in a small percentage of time, leaving expensive equipment often idle. Cloud computing can act as a utility grid for vendors and optimize the use of their resources.
Consider, for example, a web-based application running in Amazon’s cloud. Suppose there is a sudden surge in visitors as a result of media coverage, for example. Today, many web applications fail under the load of big traffic spikes. But in the cloud, assuming that the web application has been designed intelligently, additional machine instances can be launched on demand. The application dynamically and gracefully scales up. When traffic slows down, the application can scale down, terminating the extra instances.
For small businesses, this means that new storage and processing capacity can be added incrementally, instead of necessitating the purchase of a whole new server at a time. For larger and distributed companies, where the team members all work from their own homes or different locations, it makes coordination, document sharing and collaboration a lot easier. Amazon, Google and EMC are examples of large vendors that have welcomed cloud computing and have invested in developing the IT infrastructure that the cloud computing environment requires.
However, there are some downsides to the cloud. The problems that the IT community has experienced with large, distributed systems may apply to cloud environments as well. For example, a cloud’s use is contingent on accessing the Internet and the cloud servers. What should users do if some servers fail to operate and data are not accessible, e.g., when Amazon’s cloud services suffered a service outage for several hours and did not return to normal until about eight hours after the problem first occurred in early July 2009? What are the chances of similar outages in the future? This highlights the current immaturity of cloud computing. How long will it take to identify the problem, analyze it and respond to it? What liability does a company face when there has been a security breach in the cloud? Considering these potential problems, how can users trust the cloud?
Some security managers believe that security and privacy issues over cloud computing are not very different from those surrounding any sort of IT outsourcing,6 but others believe that there are specific security and privacy risks to cloud computing. For example, Siani Pearson explains that “cloud computing enables new services to be made available in the cloud by combining other services. For example, a ‘print on demand’ service could be provided by combining a printing service with a storage service. This procedure of service combination is typically under less control than previous service combinations carried out within traditional multiparty enterprise scenarios.”7
The results of a recent survey indicate that many business and IT managers see potential value in the cloud, but fears over security and control are holding them back.8 By a five-to-one margin, managers who participated in this survey felt that their own IT systems are more secure than the cloud. These results clearly indicate that fears about security and control of data are limiting the cloud’s broad adoption.
In addition, there have been some notable security incidents in cloud environments that may make potential cloud users think twice before adopting cloud computing. For example, in March 2009, a system error within Google Docs allowed the contents of private documents to be exposed to the public for a brief period of time. As a result, the Electronic Privacy Information Center (EPIC) filed a complaint with the US Federal Trade Commission, requested an injunction against Google and claimed Google’s inadequate security is a deceptive business practice.9
Currently, there are two broad categories of cloud computing:
How do users trust this new computing environment?
Distrust is one of the main constraints on online environments, particularly in terms of consumer protection. Although the elements that contribute to building trust can be identified in broad terms, there are still many uncertainties in defining and establishing trust in online environments.
Why should users trust cloud environments to store their personal information and to share their privacy in such a large and segregated environment?
This question can be answered only by investigating these uncertainties and by exploring the relationship between trust and the way in which the risk is perceived by stakeholders.
Users are assumed to be willing to disclose personal information and have that information used subsequently to store their personal data or to create consumer profiles for business use when they perceive that fair procedures are in place to protect their individual privacy. Individuals are less likely to be dissatisfied even with unfavorable outcomes if they believe that the procedures used to derive those outcomes are fair.
In general, individuals are less likely to perceive information collection procedures as privacy-invasive when:
Creating a willingness in consumers to disclose personal information, then, requires that organizations manage the second exchange strategically. Consumers should continue to disclose personal information on cloud environments as long as they perceive that they receive benefits that exceed the current or future risks of disclosure. Creating willingness in consumers to disclose personal information requires that the second exchange be based on a fair social contract.
How do users perceive security and privacy risks in cloud environments?
Whereas technologically sophisticated analysts employ risk assessment to evaluate hazards, the majority of citizens rely on intuitive risk judgments, typically called “risk perceptions.” For those people, experience with hazards tends to come from news media, which rather thoroughly document mishaps and threats occurring throughout the world.10
As experience shapes user perceptions, they become proxies of actual risk that may be good predictors of risk in the absence of better methods. Even if this is not a precise process, sound management practice dictates that user perceptions of risk be addressed as part of a total risk management approach. Traditional methods of IT risk assessment do not consider risk perception as either a predictor of risk or as a factor that should be addressed in preventing misuse.
Cloud privacy risks are also perceived differently by different cloud stakeholders. Pearson categorizes four types of perspectives for privacy risks in cloud environments:11
Baruch Fischhoff and his colleagues investigated perceptions of technology risks, and particularly ways to determine when a product is acceptably safe. Their model can be adapted by companies that are considering operating in clouds to define risk perception of their users, and includes:12
It has been shown that unknown risk and fear can be used to account for about 80 percent of the results generated by using all nine variables that were originally introduced by Fischhoff and his colleagues.13 The author of this article formulated a model based on the models of risk perception developed by Fischhoff, Slovic and others, in which characteristics of a risk are correlated with its acceptance. The model was modified to condense Fischhoff’s nine variables of risk, by considering understanding (familiarity and experience) and consequences (scope, duration and impact) to the stakeholder, into the two principal characteristics of information security and privacy risks, as shown in figure 1.
For the first dimension of the model, addressing consequences of the breach, scenarios can be posited to explore the fear cloud users have of the potential effects of the risk of information security losses. By exploring the fear cloud users have of the potential effect to them of perpetrating IT misuse, the consequences of the breach can be modeled. To model this, three categories of questions are considered, as described in figure 2.
Analyzing these questions enables one to assign a simple metric to this dimension of the model. The five levels of consequence are as follows:
The level definitions (“trivial,” “serious,” etc.) are based on those published by NIST.14 Level 5 and level 1 represent the highest and lowest level of consequences to stakeholders, respectively.
For the second dimension, understanding, the factors motivating cloud users to consider certain risks while dismissing others can be explored. These questions are intended to identify effective factors that influence users’ cognitive understanding of cause and effect. This results in two main categories of questions, as described in figure 3.
This framework for categorizing understanding is based on the work of Bloom and Krathwohl.15 The goal is to understand the risk causes and effects using the cognitive domain and what adds to cloud users’ motivation to increase the understanding using the affective domain. The following six levels were obtained for the understanding dimension of the model:
Level 6 and level 1 represent the lowest and the highest level of understanding, respectively. The perceived risk in the model is a function of consequence and understanding. An approximate perceived risk score may be constructed from the consequence metric and the inverse of the understanding metric. The perceived risk score, therefore, increases whenever the consequences are more severe for stakeholders and decreases as stakeholders gain a deeper understanding of the nature and limits of the risk. Some cases may not match this model exactly, but this score is nonetheless a good match for many case studies and the experiences of the experts interviewed in the author’s validation study.
For example, imagine that the identity of a cloud user has been stolen as a result of being in a cloud environment. As the first incident occurs, the cloud user’s understanding is low at first—levels 5 and 4 of the U dimension. Understanding increases with time and reaches a maximum—levels 2 and 1. Thereafter, there is little increase for subsequent incidents. Typically, there may be a sudden increase in consequences—from level 2 to level 4 of the C dimension, which may either grow or decrease with time depending on the kind of fraud perpetrated. Privacy loss may increase with time as the victim is required to expose more details to recover, but eventually the loss subsides to a steady state of lasting privacy loss.
Research findings also indicate that perceived benefit lowers the perceived risk of electronic activities; when one stands to gain a great deal from a certain activity, one is likely to underestimate the risks involved in the activity.16
“If you’re a large enterprise, somebody in your organization is using cloud computing, but they’re not telling you,” says James Staten, principal analyst at IT adviser Forrester Research. “So there’s a good chance that in the next five years, you’re going to inherit things that were born in the cloud anyway, and now you’ll have to manage them.”17
Merrill Lynch estimates that within the next five years, the annual global market for cloud computing will surge to US $95 billion. In a May 2008 report, Merrill Lynch estimated that 12 percent of the worldwide software market would go to the cloud in that period.18
These statistics should come as no surprise. Well over 90 percent of information currently produced is created in a digital format, and this percentage is anticipated to increase substantially in the future.19
Dealing with such a vast amount of information in such a format requires means of large-scale, distributed computing such as the cloud. But the missing piece is the legal infrastructure and management that will provide the incentives to make such access economically viable. This missing piece is a source of concern for managers regarding compliance with regulations, e.g., the US Sarbanes-Oxley Act, which governs corporate financial reporting, and the US Health Insurance Portability and Accountability Act (HIPAA), which sets rules for security and privacy of health records. For example, ITricity, a European provider of cloud computing capacity, previously could not offer services to companies that required compliance with financial and health care regulations.
Risk mitigation in cloud environments is not simple. It depends on complex technical and human factors. Despite this complexity, it is possible to sufficiently understand risk causes and controls in order to apply cost-effective controls.
Understanding Technical Vulnerabilities
Technical controls continue to be important, especially when an organization is coping with outsider attacks and unexpected failures. Collaboration among experts from industry, academia and government would result in providing better security solutions. For example, a solution that was recently discussed among a panel of academic and industry experts was to enable security and reliability services by virtue of being located in the cloud.20 As described by Jon Oberheide, Evan Cooke and Farnam Jahanian, providers and implementers can use a cloud-based antivirus solution that not only utilizes multiple vendors to provide better coverage, but also compares data blocks across users to improve efficiency and provide an archival service for forensic analysis.21
ISACA considers transparency, privacy, compliance, transborder information flow and certification to be key assurance issues for cloud computing.22 ISACA also argues that standards (existing or new ones that may be developed for the cloud computing paradigm) should be consulted to address the relevant areas, and businesses should look to adjust their existing control frameworks. A literature review identifies some efforts in developing best practices and standards for cloud computing made by NIST and the Cloud Security Alliance.23
At the time of writing, there is no comprehensive and commonly accepted standard to address the technical risks in cloud environments. There does exist, however, a hierarchy of approaches such as checklists and scenario generation techniques that require the user to have only a minimum knowledge of information systems security. To have a well-defined scope for the checklist, cloud managers can follow the formats that are provided by British Standards or the US National Security Agency (NSA). The NSA suggests using 18 areas for information security assessment, which is more comprehensive than the British Standards. It is suggested to follow NIST’s guidelines for ranking threats, use NSA’s 18 areas of information security assessment, and use checklists for vulnerability assessments that can lead an organization to estimate probabilities of the occurrence of incidents and quantify information security risks.24
Stakeholder Involvement
Controlling security issues and making economic decisions about cloud environments without consideration of trust and risk is not likely to be optimal. High trust can result in lower cost, higher efficiency, minimal contracting and minimum transaction monitoring. Indeed, a high level of trust enables a high level of risk taking, because trust is the mirror image of risk; high trust suggests low perceived risks.25 For example, long-term trading partner relationships can be sustained via positive trust. However, the use of power among trading partners may influence trust for only a short period of time. Thus, cloud managers can acquire and use power effectively and positively to meet goals and improve the likelihood of success, at least for maintaining trading partner relationships, particularly online.
Alongside consulting the standards and the technical analysis of options available to reduce cloud risks, cloud managers should take explicit steps to involve the stakeholders—to understand what they are concerned about and why and to communicate good information about risk, targeted to the needs of stakeholders. For example, in the UK, Her Majesty’s Treasury uses a framework for understanding people’s concerns about different technologies so they can be considered in policy development and in the development of related consultation arrangements and communication strategies.26 This model is based on the risk perception models that were discussed previously, in which characteristics of risk are correlated with its acceptance. For example, risks that are undertaken voluntarily are generally considered more acceptable than risks that are imposed without consent. Similarly, risks that cause fear are also considered to be less acceptable.
Cloud managers can learn from this analysis of previous research on users’ perceptions of risk of different technologies by being aware of the likely effects of risk perception on the acceptance and implementation of proposed policies. At the same time, cloud managers can acknowledge the active role of users in online environments—a role that differentiates information technology from many other technologies. In cloud environments, users actually operate the technology. This hands-on aspect of online interaction affects key aspects of risk, such as knowledge and control. For these reasons, cloud managers should consider user perceptions of risk when establishing trust with their customers.
The Gartner Group has specified seven cloud computing security risks to users:27
To establish trust with users in the cloud environment, organizations should address these risks. They also need to align their users’ perceptions with their policies. Efforts should be made to develop a standardized approach to trust and risk across different domains to reduce the burden on consumers who seek to better understand and compare policies and practices across these organizations. This standardized approach will also aid organizations that engage in contractual sharing of consumer information, making it easier to assess risks across organizations and monitor practices for compliance with contracts, policies and law.
Individual customers expect a given activity in which they participate to be conducted fairly and to address their privacy concerns. By ensuring this fairness and respecting privacy, organizations give their customers the confidence to disclose personal information on the cloud and to allow that information subsequently to be used to create consumer profiles for business use.
Thus, organizations that understand the roles of trust and risk should monitor user perceptions to understand their relation to risk aversion and risk management. Managers should not rely solely on technical control measures. Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast, issues revolving around the use of computers by lay users and the creation of incentives to avoid fraud have been relatively neglected. Many studies have shown that human errors are the main cause of information security incidents.28
Piecemeal approaches to control security issues of cloud environments fail simply because they are usually driven by a haphazard occurrence, the most recent incident or the most recently publicized threat. In other words, managing information security in cloud environments requires collaboration among experts from different disciplines, including computer scientists, engineers, economists, lawyers and policy makers, to forge common approaches.
1 Hoover, J. N.; R. Martin; “Demystifying the Cloud,” InformationWeek, June 2008
2 Weiss, A.; “Computing in the Clouds,” netWorker, vol. 11, issue 4, 2007, p. 16-25
3 Wayner, P.; “Cloud Versus Cloud: A Guided Tour of Amazon, Google, AppNexus, and GoGrid,” InfoWorld, July 2008
4 National Institute of Standards and Technology, “Cloud Computing,” NIST definition, http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
5 Raman, T. V.; “Cloud Computing and Equal Access for All,” The 17th International World Wide Web Conference, 2008, p. 21-22
6 Vijayan, B.; “Twitter Breach Revives Security Issues With Cloud Computing,” www.computerworld.com/s/article/9135893/Twitter_breach_revives_securityissues_with_cloud_computing
7 Pearson, S.; “Taking Account of Privacy when Designing Cloud Computing Services,” ICSE Workshop on Software Engineering Challenges of Cloud Computing, 2009, p. 44-52
8 Foley, J.; “Survey: Fear Slows Cloud Computing Adoption,” www.informationweek.com/cloud-computing/blog/archives/2009/02/survey_fear_slo.html
9 Hana, S.; “A Security Analysis of Cloud Computing,” http://cloudcomputing.sys-con.com/node/1203943
10 Slovic, P.; “Perceptions of Risk,” Science, 236, 1978, p. 280-285
11 Op cit, Pearson
12 Fischhoff, B.; P. Slovic; S. Lichtenstein; S. Read; B. Combs; “How Safe Is Safe Enough? A Psychometric Study of Attitudes Towards Technological Risks and Benefits,” Policy Sciences, 9(2), 1978, p. 127-152
13 Johnson, E. J.; A. Tversky; “Representations of Perceptions of Risks,” Journal of Experimental Psychology, General, vol. 113, no. 1, 1984, p. 55-70
14 Stoneburner, G.; A. Goguen; A. Feringa; “Risk Management Guide for Information Technology Systems,” NIST SP 800-30, 2002
15 Bloom, B. S.; D. R. Krathwohl; “Taxonomy of Educational Objectives: The Classification of Educational Goals, by a Committee of College and University Examiners,” Handbook 1: Cognitive Domain, Longmans, USA, 1956
16 Farahmand, F.; E. H. Spafford; “Insider Behavior: An Analysis of Decision Under Risk,” First International Workshop on Managing Insider Security Threats, International Federation for Information Processing (IFIP) International Conference on Trust Management, Purdue University, USA, 2009
17 Kontzer, T.; “Cloud Computing: Anything As a Service,” CIO Insight, 5 August 2008
18 King, R.; “How Cloud Computing Is Changing the World,” CRM Daily, 5 August 2008
19 Varian, H.; “Universal Access to Information,” Communications of the ACM, vol. 48, no. 10, 2005, p. 65-66
20 Joshi, K. R.; “Dependability in the Cloud: Challenges and Opportunities,” IEEE/IFIP International Conference on Dependable Systems and Networks, 2009, p. 103-104
21 Oberheide, J.; E. Cooke; F. Jahanian; “CloudAV: N-Version Antivirus in the Network Cloud,” 17th USENIX Security Symposium, July 2008
22 ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, USA, 2009
23 Farahmand, F.; S. B. Navathe; G. P. Sharp; H. Philip; P. H. Enslow; “A Management Perspective on Risk of Security Threats to Information Systems,” Journal of Information Technology & Management, Springer Publications, vol. 6, April 2005, p. 203-225
24 Ibid.
25 Pauline R.; “Risks in Low Trust Among Trading Partners in Electronic Commerce,” Computers & Security, 1999, p. 587-592
26 Her Majesty’s Treasury, “Managing Risks to the Public: An Appraisal Guidance,” UK, 2005
27 Heiser, J.; M. Nicolett; “Assessing the Security Risks of Cloud Computing,” Gartner Group, June 2008
28 Rezmierski, V. E.; D. M. Rothschild; A. S. Kazanis; R. D. Rivas; “Computer Incident Analysis Factor Analysis and Categorization (CIFAC) Project, vol. I and II,” University of Michigan, 2005
Fariborz Farahmand, Ph.D., is a faculty fellow and a research assistant professor at the Center for Education and Research in Information Assurance and Security at Purdue University (Indiana, USA). He has received several awards for scholarship and education, including a fellowship from the Institution for Information Infrastructure Protection (I3P). He has also served as a reviewer for many journals and conferences. His research interests are in behavioral economics and its applications in information systems, security and privacy of information systems, vulnerability and risk assessment of information systems, and cost-benefit analysis of IT investments. He can be reached at email@example.com.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.