Cloud computing is an emerging technology, arguably undefined, nevertheless gaining momentum in the information technology industry because of its

many benefits to a company. Cloud computing is an emerging technology, arguably undefined, nevertheless gaining momentum in the information technology industry because of its many benefits to a company. Where is my data?

For Better or Worse

Is the Marriage of Information Systems and Cloud Computing Secure?

Ivory S. Banks

Cloud computing is an emerging technology, arguably undefined, nevertheless gaining momentum in the information technology industry because of its many benefits to a company. Cloud computing offers the advantages of accessible information systems from anywhere where there is a connection to the Internet. The most attractive benefit is its cost effective service model which allows a company to pay only for the services used. In addition, a cloud eliminates the financial burden of owning and maintaining an infrastructure all while offering an organization limitless scalability. Unfortunately, some organizations are still resistant to the adoption of cloud computing because it is believed that the information security risks, threats, and vulnerabilities have not been fully tested and resolved and therefore outweigh the advantages of implementation. Cloud computing invokes a new way of thinking on how to design and maintain information systems while at the same time enforcing information security. Where would one go to retrieve data if a physical server does not exist? Where is the data? Such companies Amazon, Microsoft, SalesForce, Autonomy, and Google have not only experienced some of these security issues but also resolved them and ultimately launched successful cloud platforms. Essentially, the risks, threats, and vulnerabilities we face with cloud computing environments are the same as those of a traditional infrastructure. Organizations should work hand-in-hand with CSPs (cloud service providers) to put in place policies, establish procedures, and concise SLAs which will govern the storage and management of its data in the cloud.

Data integrity, security, and information accessibility are all valid concerns, but are they substantial enough to prevent an organization from going to the cloud? There are those skeptics who do not view cloud computing as a standardized technology but instead as a marketing buzzword (Hayes, 2010). It is a broad subject used to describe the overall concept of capturing, managing, and storing data in a virtualized environment. Over the past few years, it has gained popularity because of what some technology industry professionals view as its advantages to managing information and providing IT services to customers. Some of those advantages include, easily accessible service over the Internet or a private network location, reduced expenses for maintaining a computer infrastructure, and a new pay as you use concept (Loeffler & Ryan, 2010). Each of these advantages target specific groups with vested interest in the realm of information technology use and management. For example, the CEO of an organization may see the reduction in costs for maintaining an infrastructure and only paying for the services the company uses as the major advantage. On the other hand, IT strategists and business analysts may view the advantage of easily accessible service as the major advantage. Regardless of why an organization chooses to invest in a cloud computing environment, the fact is the decision to do so majorly impacts the way information systems are designed and maintained. The underlying issue remains that there is cloud of doubt that exists when it comes to information security in a cloud-based infrastructure. How will the security risks associated with cloud computing impact organizations and their ability to deliver information systems as a service? Can organizations which use cloud services trust their data integrity will be maintained? Are they willing to give up transparency and control of their information for the benefit of a cloud-based infrastructure? There are experts who theorize a cloud environment is not a secure enterprise environment for information systems, primarily software applications. The prevalence of cloud computing as an alternative to physical data centers affect not only how information systems are designed but also how the data is maintained. This is a major concern as organizations struggle with how to address the issue of securing data. The key security issues include identity management, data leakage (caused by multiple tenants sharing physical resources), access control, virtual machine (VM) protection, persistent client-data security, and the prevention of cross-VM side-channel attacks (Khan & Malluhi, 2010). What is cloud computing? Is it a new face on an old concept? Has cloud computing earned the right to be called a platform? These are the questions some critics are asking and most adopters of cloud computing are answering. It can be described as a new technology platform based on an old concept which is continually evolving. In the 1960s and 70s it began with application hosting (Cusumano, 2010). Then in the 1980s and 90s emerged firms began to deliver applications such as electronic mail (E-mail), calendars, and word processing applications over the Internet (Cusumano, 2010). Whether one agrees with the idea of it being a legitimate technology or not, an old technology or a new one, cloud computing is defined by most experts and industry professionals as both an application and a platform. As an application, cloud computing is defined as software which has been extended to be accessible via the Internet (Talib, 2010). The Internet is

leveraged to transport information between the client and as server located somewhere in cyberspace as opposed to residing on a physical server in a data center (Katzan, 2010). Cloud computing as a platform is described as a cumulative of application, architecture, and infrastructure services. It includes the provisioning, configuration, and de-provisioning of servers as needed (Talib, 2010). CSPs who provide the full-scale of cloud services provision resources for storage area networks (SANs), network equipment, and security devices such as firewalls (Talib, 2010). Whether used as a platform or an application, together CSPs and organizations must agree on a type of deployment model best suited for its purpose. Deployment models There are variances in ways to provide a cloud computing service that meets the clients needs for data storage, manipulation, access, and development while at the same time giving the organization more or less desired control. Ultimately, the variances of deployment are derived from the three basic types of cloud service models; IaaS, SaaS, and PaaS, as previously defined in the literature review section of this paper. Also previously defined are the types of environments; public cloud, private cloud, and a hybrid cloud which CSPs offer as options to their clients. The most attractive option to organizations seems to be the private cloud because control of the data remains within as they manage the infrastructure. In this case, the CSP is simply the provider much like a utility company is the provider of electricity but the consumer supplies the light bulbs. Why is this more attractive? If one considers the way data centers are typically set up the answer is obvious. Data centers may house many servers all belonging to multiple customers. Data is segregated because the information is stored on separate machines. In a cloud environment there is no physical separation of data. What that means is CSPs have to provide a technically secure means to protect a companys data. A private cloud provisions this technological segregation of data for IaaS or Saas. In addition, a private cloud affords an organization all of the benefits of a public cloud such as scalability and flexibility while ensuring unique security custom-design to fit its needs. Innovators in the industry of cloud computing have leveraged these approaches to deployment to provide services to their clients and catapult the cloud computing industry. Though the skepticism has hindered adoption on a global scale, many CSPs are proving adoption is on the rise in many respects.

Current status of the industry For example, such companies as Salesforce, Autonomy, Amazon, Google, and Microsoft are among the major providers which have all built cloud environments. Clearly, if wellestablished, profitable corporations such as the aforementioned are in the business of cloud computing, then certainly there is a market and this is not just a fleeting technology like the laser disc player of the early 1990s. The common trend is it is many of the smaller companies who are taking a chance on cloud computing and fairing very well in doing so.

Autonomy Corporation provides private cloud services and is a self-proclaimed leader in private cloud applications. Its proclamation is not without substantiated support by customers willing to entrust their data in Autonomys environment. It now manages over 17 Petabytes of email, documents, and multimedia data on 6,500 servers in 8 data centers around the world (Anonymous, 2010). Salesforce, extended its platform with an application called AppExchange, an open integration platform (Cusumano, 2010). Salesforce took a huge leap by opening up its platform and allowing other application providers to utilize the features of its cloud for their services for development and deployment (Cusumano, 2010). Arguably one of the biggest success stories of successful cloud adoption is that of Amazon. A company called, Animoto Corporation recently ascertain the services and benefits of Amazons powerful cloud infrastructure. Animoto is an online video slideshow maker which allows customers to create personal movies online (Bisong & Rahman, 2011). When Animoto made the decision to move its service to the Internet, over the course of three-days, registration increased from 25, 000 to 250, 000 users which caused them to increase their Amazon cloud computers from 24 machines to nearly 5,000; a capability that would not have been possible otherwise (Bisong & Rahman, 2011). Cloud computing security concerns and risks Concerns Who has my data? Where is my data? Who can see my data? As with any new or unfamiliar emerging technology there are associated risks. There is also the human factor of fear of the unknown. When new technology is introduced it is a change from the familiar course of business and or traditional processes. Therefore, the immediate reaction from most is either reluctance or complete dismissal. Cloud computing has stirred both reactions in many organizations today. IT executives would agree that there are many security concerns when it comes to the idea of actually trusting their data to exist in a cloud environment or allowing the development of applications in a cloud. It is a huge leap in trust for an organization to relinquish control of their data to a third party and assume its integrity in a non-physical environment such as the cloud. The issue of trust is a resounding concern as organizations move into the cloud because in a traditional infrastructure the provider may own the servers but the organization owns and therefore controls the data that exists on those servers. The organization is also responsible for its backups and security and such is not the case in the cloud.

Risks Can you prevent a security breach? Is my data protected from malicious attacks? These questions sound very familiar. They are practically identical to the questions asked by organizations with the introduction of the Internet, web-based applications, and many emerging technologies. To an organization, loss of control of its data means opening the door to such risks as data leakage due to comingling of data, (Ginovsky, 2010), increased vulnerability to viruses, worms, and hackers, (Bisong & Rahman, 2011), trust violations, general security for

multiple clients as opposed to separate services for different clients, and lack of transparency to data (Khan & Malluhi, 2010). Are these risks any different from the risks we face today in traditional infrastructures and software applications? The answer is yes and no. The risks are the same, however the environment in which they exist is different and so are the tenants of said environment. Also, the fact of the matter is organizations have had a few decades to overcome their skepticisms while service providers developed strategies, policies, and technological safety measures. The adoption of technology, of housing data on physical servers in a particular location and making information available via any electronic means came with the price of working through all of the aforementioned issues. Organizations needed to be assured of data security. Today, in a cloud environment the concept of sharing data space is a new concern for organizations. CSPs provide a cloud environment for several hundred or maybe a few thousand customers. Therein lies a conflict for the service provider because the ideal infrastructure would provision a single trust relationship for all customers to the same environment. In other words, the CSP would prefer a decentralized solution for all its customers as opposed to establishing a trust with each one (Katzan, 2010). It raises a concern to the organization because it now shares a space with others that may result in comingling of data. Again, the point that these are not new or unknown risks technology experts faced before is reiterated in this scenario. The questions of whether data can be protected from malicious attacks or data leakage had to be answered before people decided it was okay to store and retrieve information via the Internet. Today, it is a two-fold strategy to design an infrastructure which allows an organization to get to its information as it should while restricting the data to those who should not have access. Cloud computing providers, even in what is considered today as early development phase have risk mitigating strategies in place. These concerns do not stem from a distrust of the CSP, but instead lies in how the cloud computing technology works. Though these risks are similar in nature to the ones we experienced with the onset of any new technology, the concerns they generate in the minds of CIOs et al are enough to cause the critics to question whether cloud computing is a safe and reputable platform. So, how have these CSPs built trust among their customers? Establishing trust between the CSP and its clients Cloud computing criticisms and rebuttal One of the major concerns raised by organizations and critics of the technology is, of course, data security. Critics argue that data is more vulnerable in a cloud environment and subject to more hacking, viruses, worms, and data leakage. The fact of the matter is a cloud environment is not any more vulnerable to malicious attacks of data than a traditional environment (Bisong & Rahman, 2011). However, to say the data cannot be protected has been proven untrue by many of the organizations currently providing these services. Martin Sadler, director of HPs Systems Security Lab, argued that virtualization of data is a fundamental solution to data security because the options for encrypting and securing data are greater in a virtual environment (Anthens, 2010). IBM researchers found that VM security can

determine the operating system of a guest VM and begin monitoring, VMs cannot be configured by hackers to do anything against a virus scan because VMs have no way of detecting it (Anthens, 2010). IBM researchers also tested a third virtual intrusion detection system which runs inside the physical machine to monitor traffic among guest VMs (Anthens, 2010). Well, one-size security does not fit all, so how can CSPs ensure custom data security when they are hosting thousands of client data in a single environment? Critics raise this question often as do organizations which have a valid concern over the co-mingling of data. Autonomy addressed this issue in the structure of their cloud environment. Autonomy says its data centers are under around the clock surveillance, two fully synchronized, geographically separated systems provide complete data and system redundancy and parallel processing of all tasks (Anonymous, 2010). What is not often mentioned by the critics is the essential steps the organizations must set to ensure there is an agreement with the CSP that there data is protected in the manner suitable to their needs. Unfortunately, Amazons EC2 customers were subject to a detrimental outage for eight long hours when its Simple Storage Service lost connectivity (Bisong & Rahman, 2011). However, researchers believed that this risk could be mitigated in the future if customers would insist that their cloud machines be placed on physical machines that only they have access to or a trusted third party (Bisong & Rahman, 2011). The trend here is much time and effort has been spent developing security methodologies and new technologies to combat all of the identified security risks. Beyond the technical solutions to ensuring the security of data in a cloud computing environment is one that is not often mentioned by the critics and that is the responsibility which lies with the organization. The solution to building trust does not lie in the technology itself. Trust is not a technical solution, it is a human one. It is also related more to preventing a trust violation than solving one once it has occurred (Khan & Malluhi, 2010). As a result of these facts, organizations have a responsibility to one, set policies and procedures in place for their data, its security, how it will be managed, who will have access to it and then ensure the CSP agrees in writing to adhere to all of their desired rules and guidelines. Particularly, service level agreements (SLA), policies and standard procedures established by the organization consuming the cloud services and agreed upon by the CSP providing them are a determining factor in the success of a cloud deployment. Since privacy is another major concern of cloud users and the risks can vary in a cloud as the location of information within the cloud varies (Katzan, Jr., 2010) it would behoove an organization to establish a clear policy about the privacy rights of its data. The NIST supports this recommendation in two documents proposed in February 2010 about guidelines for security and privacy in the cloud in which entities should carefully plan these aspects before engaging in a cloud computing solution (Ginovsky, 2011). An organization should have a well-defined list of questions to set expectations with the CSP on how the organizations cloud should be set up including back-up servers, encryption and other issues (Buttell, 2010). Part of these agreements are set up during the contractual process which may contain such promises by the CSP to the company as how information is shared, with whom

and the level of security provided to such information (Loeffler & Ryan, Insights into cloud computing, 2010). Though the data is housed in a location unknown, so to speak, to the consumer of cloud services, the power to dictate how that information is managed still lies with the consumer. When entering into a contractual agreement with CSP, identifying and studying the cloud environment and all its limitations beforehand would assist in establishing guidelines and privacy policies which can be written into the SLA. Many in the industry address the issue of data security with technical solutions and new security methodologies for dealing with them. But organizations must remember just as with traditional infrastructures, those technical solutions are negated if proper policies are not established and adhered to by the managers of the cloud. Cloud computing is a continually emerging technology garnering acclaim from successful CSPs and their customers. Reputable technology firms such as Amazon, Google, and Microsoft, to name a few, are among the many companies providing cloud services to a rapidly growing number of customers. Conversely, some CIOs and industry experts have yet to embrace cloud computing as a trusted platform. Amid skepticism, they are demanding more proof that their data will be secure and that they can trust the environment does not subject its company data to malicious attacks, viruses, and/or the comingling of its data with that of other organizations. So why then would a company consider migrating its information systems to a cloud environment? A cloud environment is conducive to unlimited scalability. An organization is not forced to pay for infrastructure management services it does not use. In addition, the cost of buying and maintaining physical servers is eliminated. Cloud computing increases the mobility of data in that users can access information from anywhere there is an Internet connection. Developers can build cloud-based applications leveraging tools provided by CSPs. Data in a cloud environment is subject to the same risks, threats, and vulnerabilities that exist in a physical infrastructure. Companies protect their systems with virus scans, sophisticated intrusion detections systems to prevent malicious attacks or extraction of sensitive data, and routine server back-ups to prevent loss of data. These are the technical steps taken to ensure data security and integrity in a physical environment. CSPs provision the same data security management techniques within a cloud environment and with more sophistication because of the nature of the cloud infrastructure. But, organizations must establish policies and procedures as to how they want its data managed, stored, secured. The must clearly outline privacy standards with the CSP upfront and put them in writing in an SLA that governs the CSP to adhere to the companys guidelines. Essentially, hosting information systems in a cloud environment does not create new risks and vulnerabilities. CSPs have already provisioned their environments to mitigate existing security risks. The benefits of cost, scalability, mobility, and management of data in the cloud clearly outweigh the risks associated. So, the question of whether the marriage of information systems and the cloud is secure is yes with the caveat that the responsibility of data security lies with both the CSP as well as the client consuming the services.

REFERENCES Anonymous. (2010). Autonomy private cloud hits 17 petabytes. International Journal of Micrographics & Optical Technology, 28(3), 1-2 . Anthens, G. (2010, November). Security in the cloud. Communications of the ACM, 53(11), pp. 16-18. DOI: 10.1145/1839676.1839683 Aslam, U., Ullah, I., & Ansari, S. (2010, November 1). Open source private cloud computing. Institute of Interdisciplinary Business Research, 2(7), pp. 399-407. Bisong, A., & Rahman, S. M. (2011, January). An overview of the security concerns in enterprise cloud computing. International Journal of Network Security & Its Applications, 3(1), 30-44. DOI: 10.5121/ijnsa.2011.3103 Bromage, D., & Stuart, K. (2010). Current state of play: records management and the cloud. Records Management Journal, 20(2), 217-225. DOI 10.1108/09565691011064340 Buttell, A. E. (2010, January/February). 6 reasons to switch to cloud computing. Practice Management Solutions. Cusumano, M. (2010, April). Cloud computing and SaaS as new computing platforms. Communication of the ACM, 53(4), pp. 27-30. Ginovsky, J. (2011, April). Clouds in that cloud? ABA Banking Journal, 20-24. Hayes, J. (2010). Cloud's caveats. Energy & Technology Magazine, pp. 46-48. DOI: 10.1049/et.2010.1209 Katzan, Jr., H. (2010). On the privacy of cloud computing. International Journal of Management & Information Systems, 14(2), 1-12. DOI: 10.1145/1866739.1866751 Khan, K. M., & Malluhi, Q. (2010, September/October). Establishing trust in cloud computing. 20-26. IEEE Computer Society. DOI: 10.1109/MITP.2010.128 Loeffler, C. M., & Ryan, W. M. (2010, November). Insights into cloud computing. Intellectual Property & Technology Law Journal, 22(11), 22-28. Ryan, M. D. (2011, January). Cloud computing privacy concerns on our doorstep. Communications of the ACM, 54(11), pp. 36-38. DOI: 10.1145/1866739.1866751 Wright, A. (2009). Contemporary approaches to fault tolerance. Communications of the ACM, 52(7), 13-15.