National Conference on Role of Cloud Computing Environment in Green Communication 2012




CLOUD COMPUTING & SECURE SOLUTIONS

P.Suyambu Kesavan, R.Sundara Moorthy
Department of Computer Science & Engineering,
Ponjesly College of Engineering,
Nagercoil-03,
Email: skVM23@gmail.com

Abstract— In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. This paper discusses security issues, requirements and challenges that cloud service providers (CSP) face during cloud engineering. Recommended security standards and management models to address these are suggested for technical and business community.

1. INTRODUCTION

Cloud service providers (CSP) (e.g. Microsoft, Google, Amazon, Salesforce.com, GoGrid) are leveraging virtualization technologies combined with self-service capabilities for computing resources via the Internet. In these service provider environments, virtual machines from multiple organizations have to be co-located on the same physical server in order to maximize the efficiencies of virtualization. Cloud service providers must learn from the managed service provider (MSP) model and ensure that their customers’ applications and data are secure if they hope to retain their customer base and competitiveness. Today, enterprises are looking toward cloud computing horizons to expand their on-premises infrastructure, but most cannot afford the risk of compromising the security of their applications and data.

International Data Corporation (IDC) conducted a survey [1] (see Fig. 1) of 263 IT executives and their line-of-business colleagues to gauge their opinions and understand their companies’ use of IT cloud services. Security ranked first as the greatest challenge or issue of cloud computing.

Corporations and individuals are concerned about how security and compliance integrity can be maintained in this new environment. Even more concerning, though, are the corporations that are jumping to cloud computing while being oblivious to the implications of putting critical applications and sensitive data to a public and shared cloud

Fig. 1: Results of IDC Ranking Security Challenges (3Q2009, n=263)

Regardless of how the cloud evolves, it needs some form of standardization (e.g. Information Technology Infrastructure Library (ITIL), ISO/IEC 27001/27002, Open Virtualization Format (OVF) [2][3][4]) so that the market can evolve and thrive. Standards should allow clouds to interoperate and communicate with each other no matter which vendor provides cloud services.

This professional paper discusses security and privacy issues as challenges, and recommends control objectives to the technical and business community. It also highly recommends the OVF standard as a vendor and platform independent, open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines (software stack that incorporates the target applications, libraries, services, configuration, relevant data, and operating system).

2. SECURITY IN THE CLOUD

2.1 Security Issues and Challenges

Heightened security threats must be overcome in order to benefit fully from this new computing paradigm. Some security concerns are listed and discussed below:




Department of CSE, Sun College of Engineering and Technology
1) Security concern #1: With the cloud model, control of physical security is lost because computing resources are shared with other companies. There is no knowledge or control of where the resources run.
2) Security concern #2: Company has violated the law (risk of data seizure by (foreign) government).
3) Security concern #3: Storage services provided by one cloud vendor may be incompatible with another vendor’s services if the user decides to move from one to the other (e.g. Microsoft cloud is incompatible with Google cloud). [5]
4) Security concern #4: Who controls the encryption/decryption keys? Logically it should be the customer.
5) Security concern #5: Ensuring the integrity of the data (transfer, storage, and retrieval) really means that it changes only in response to authorized transactions. A common standard to ensure data integrity does not yet exist.
6) Security concern #6: In the case of the Payment Card Industry Data Security Standard (PCI DSS), data logs must be provided to security managers and regulators. [6][7][8]
7) Security concern #7: Users must keep up to date with application improvements to be sure they are protected.
8) Security concern #8: Some government regulations have strict limits on what data about its citizens can be stored and for how long, and some banking regulators require that customer’s financial data remain in their home country.
9) Security concern #9: The dynamic and fluid nature of virtual machines will make it difficult to maintain the consistency of security and ensure the auditability of records.
10) Security concern #10: Customers may be able to sue cloud service providers if their privacy rights are violated, and in any case the cloud service providers may face damage to their reputation. Concerns arise when it is not clear to individuals why their personal information is requested or how it will be used or passed on to other parties.

2.2 Privacy Sensitive Information:

- Personally identifiable information (PII [10]): any information that could be used to identify or locate an individual (e.g. state, name, address) or information that can be correlated with other information to identify an individual (e.g. credit card number, Internet protocol (IP) address).
- Information on religion, race, health, union membership, sexual orientation, job performance, financial information, biometric information or any other information that may be considered sensitive.
- Data collected from computer devices (e.g. notebook, smartphone, iPad).
- Information uniquely traceable to a user device (e.g. IP address, Radio Frequency Identity (RFID) MAC address).

Additional considerations to be aware of:

- Access: Data subjects have a right to know what personal information is held and, in some cases, can make a request to stop processing it. If a data subject exercises this right to ask the organization to delete his data, will it be possible to ensure that all of his information has been deleted in the cloud?
- Compliance: What are the applicable laws, regulations, standards, information, and who is responsible for maintaining the compliance? Clouds can cross multiple jurisdictions in multiple states.
- Storage: Where is the data in the cloud stored? Was it transferred to another data center in another country? Privacy laws in various countries place limitations on the ability of organizations to transfer some types of personal information to other countries.
- Retention: How long is personal information (that is transferred to the cloud) retained? Who enforces the retention policy in the cloud, and how are exceptions to this policy (such as litigation holds) managed?
- Destruction: How can we know that the cloud service provider (CSP) didn’t retain additional copies? Did the CSP really destroy the data, or just make it inaccessible to the organization? Is the CSP keeping the information longer than necessary so that it can mine the data for its own use?
- Audit and monitoring: How can organizations monitor their CSP and provide assurance to relevant stakeholders that privacy requirements are met when their PII is in the cloud?
- Privacy breaches: How can we ensure that the cloud service provider (CSP) notifies us when a breach occurs, and who is responsible for managing the breach notification process (and costs associated with the process)? If contracts include liability for breaches resulting from negligence of the CSP, how is the contract enforced and how is it determined who is at fault?

2.3 Security Management Standards

Standards that are relevant to security management practices in the cloud are Information Technology Infrastructure Library (ITIL), ISO/IEC 27001/27002 and Open Virtualization Format (OVF).

2.3.1 Information Technology Infrastructure Library (ITIL)

It is a set of best practices and guidelines that define an integrated, process-based approach for managing
information technology services. ITIL can be applied across almost every type of IT environment including cloud operating environment. ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

- Improved IT services through the use of proven best practice processes
- Improved customer satisfaction through a more professional approach to service delivery
- Standards and guidance
- Improved use of skills and experience
- Improved delivery of third party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements
- ITIL helps you separate administrative tasks and technical tasks so that you assign the most appropriate resources
- better measure technical support performance

The ITIL-process Security Management describes the structured fitting of information security in the management organization. It is based on the code of practice for information security management now known as ISO/IEC 27002.

ITIL breaks information security down into:

- Policies: The overall objectives an organization is attempting to achieve
- Processes: What has to happen to achieve the objectives
- Procedures: Who does what and when to achieve the objectives
- Work instructions: Instructions for taking specific actions

A basic goal of security management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

Note: Organizations and management systems cannot be certified as “ITIL-compliant.” Only practitioners can be certified.

2.3.2 International Organization for Standardization (ISO) 27001/27002

ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). It is also a certification standard and uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS.

Essentially, the ITIL, ISO/IEC 20000, and ISO/IEC 27001/27002 frameworks help IT organizations internalize and respond to basic questions such as:

- “How do I ensure that the current security levels are appropriate for your needs?”
- “How do I apply a security baseline throughout your operation?”

Simply put, they help to respond to the question: “how do I ensure that my services are secure?”

2.3.3 Open Virtualization Format

OVF enables efficient, flexible, and secure distribution of enterprise software, facilitating the mobility of virtual machines and giving customers vendor and platform independence. Customers can deploy an OVF formatted virtual machine on the virtualization platform of their choice.

With OVF, customers’ experience with virtualization is greatly enhanced, with more portability, platform independence, verification, signing, versioning, and licensing terms. OVF lets you:

- Improve your user experience with streamlined installations
- Offer customers virtualization platform independence and flexibility
- Create complex pre-configured multi-tiered services more easily
- Efficiently deliver enterprise software through portable virtual machines
- Offer platform-specific enhancements and easier adoption of advances in virtualization through extensibility

The rising investments in virtual appliances (IBM, Microsoft, Hewlett-Packard, Dell, VMware, and XenSource) not only simplify the deployment of applications for individual users but also power next-generation cloud computing architectures. Rather than the considerable time required to build a specialized distribution with applications, most cloud computing infrastructures provide ready-to-deploy virtual appliances to satisfy any need. And because a virtual appliance is simply a file with a wrapper (the XML description), it's easy to replicate and distribute such appliances with all security and privacy configurations.

In the future, clouds that are enabled by a virtualization layer will provide new go-to-market opportunities, and software appliances (software products that integrate operating system and layered software into an easily
managed composite package that can be deployed aboard industry-standard client or server hardware, either on a virtual machine or directly on the hardware) will help simplify this transition. Cloud computing, in conjunction with software appliances, will also create new business models that will allow companies to sell a single product on premises, on demand, or in a hybrid deployment model. While both of these technologies remain relatively immature, it is necessary to start understanding the new dynamics that will start to emerge to sell software and hardware to end users.

Note: The software appliances market should exceed revenue of $360.9 million by the end of 2010, $1,184.4 billion by the end of 2012. [11]

2.3.2 Security Management Models

This section describes twenty recommended security management models and their requirements for cloud computing that cloud service providers should definitely consider as they develop or refine their compliance programs.

1) Software-as-a-Service (SaaS) security: SaaS is the dominant cloud service model for the foreseeable future and the area where the most critical need for security practices and oversight will reside. Just as with a managed service provider, corporations or end users will need to research vendors’ policies. The technology analyst and consulting firm Gartner lists [12] seven security risks which one should discuss with a cloud-computing vendor:

   - Privileged user access: Get as much information as you can about the people who manage your data. Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.
   - Regulatory compliance: Make sure that the vendor is willing to undergo external audits and/or security certifications.
   - Data location: When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.
   - Data segregation: Make sure that encryption is available at all stages, and that these encryption schemes were designed and tested by experienced professionals.
   - Recovery: Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."
   - Investigative support: Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then the only safe assumption is that investigation and discovery requests will be impossible.
   - Long-term viability: Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application.

   To address the security issues listed above, SaaS providers will need to incorporate and enhance security practices used by the managed service providers and develop new ones as the cloud computing environment evolves.

2) Security management (People): One of the most important actions for a security team is to develop a formal charter for the security organization and program. The charter should be aligned with the strategic plan of the organization or company the security team works for. Lack of clearly defined roles and responsibilities, and agreement on expectations, can result in a general feeling of loss and confusion among the security team about what is expected of them, how their skills and experience can be leveraged, and meeting their performance goals.

3) Security governance: A security steering committee should be developed whose objective is to focus on providing guidance about security initiatives and alignment with business and IT strategies. This committee must clearly define the roles and responsibilities of the security team and other groups involved in performing information security functions.

4) Risk management: Risk management entails identification of technology assets [13]; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. Actions should also include maintaining a repository of information assets. Owners have authority and accountability for information assets including protection requirements, and custodians implement confidentiality, integrity, availability, and privacy controls.




5) Risk assessment: Security risk assessment is critical to helping the information security organization make informed decisions when balancing the dueling priorities of business utility and protection of assets [14][15]. A formal information security risk management process should proactively assess information security risks as well as plan and manage them on a periodic or as-needed basis. More detailed and technical security risk assessments in the form of threat modeling should also be applied to applications and infrastructure.

6) Security awareness: People are the weakest link for security. Knowledge and culture are among the few effective tools to manage risks related to people. Not providing proper awareness and training to the people who may need them can expose the company to a variety of security risks for which people, rather than system or application vulnerabilities, are the threats and points of entry. Social engineering attacks, lower reporting of and slower responses to potential security incidents, and inadvertent customer data leaks are all possible and probable risks that may be triggered by lack of an effective security awareness program.

7) Education and training: Programs should be developed that provide a baseline for providing fundamental security and risk management skills and knowledge to the security team and their internal partners. This entails a formal process to assess and align skill sets to the needs of the security team and to provide adequate training and mentorship, providing a broad base of fundamental security, inclusive of data privacy, and risk management knowledge.

8) Policies and standards: Many resources and templates are available to aid in the development of information security policies and standards. A cloud computing security team should first identify the information security and business requirements unique to cloud computing, SaaS, and collaborative software application security. Policies should be developed, documented, and implemented, along with documentation for supporting standards and guidelines. To maintain relevancy, these policies, standards, and guidelines should be reviewed at regular intervals or when significant changes occur in the business or IT environment.

9) Third party risk management: Lack of a third-party risk management program may result in damage to the provider’s reputation, revenue losses, and legal actions should the provider be found not to have performed due diligence on its third-party vendors.

10) Vulnerability assessment: Classifies network assets to more efficiently prioritize vulnerability-mitigation programs, such as patching and system upgrading.

11) Security image testing: Virtualization-based cloud computing provides the ability to create “Test image” VM secure builds and to clone multiple copies. Gold image VMs also provide the ability to keep security up to date and reduce exposure by patching offline. Offline VMs can be patched off-network, providing an easier, more cost-effective, and less production-threatening way to test the impact of security changes.

12) Data governance: This framework should describe who can take what actions with what information, and when, under what circumstances, and using what methods.

13) Data security: Security will need to move to the data level so that enterprises can be sure their data is protected wherever it goes. For example, with data-level security, the enterprise can specify that this data is not allowed to go outside of the European Union. It can also force encryption of certain types of data, and permit only specified users to access the data. It can provide compliance with the Payment Card Industry Data Security Standard (PCI DSS).

14) Application security: This is where the security features and requirements are defined and application security test results are reviewed. Application security processes, secure coding guidelines, training, and testing scripts and tools are typically a collaborative effort between the security and the development teams. Although product engineering will likely focus on the application layer, the security design of the application itself, and the infrastructure layers interacting with the application, the security team should provide the security requirements for the product development engineers to implement.

15) Virtual machine security: In the cloud environment, physical servers are consolidated to multiple virtual machine instances on virtualized servers. Not only can data center security teams replicate typical security controls for the data center at large to secure the virtual machines, they can also advise their customers on how to prepare these machines for migration to a cloud environment when appropriate.

16) Identity Access Management (IAM): Identity and access management is a critical function for every organization, and a fundamental expectation of SaaS customers is that the “principle of least privilege” is applied to their data. The principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary.

17) Change management: The security team can create security guidelines for standards and minor changes, to provide self-service capabilities for these changes and to prioritize the security team’s time and resources on more complex and important changes to production.

18) Physical security: Since customers lose control over physical assets, the security model may need to be reevaluated. The concept of the cloud can be misleading at times, and people forget that everything is somewhere actually tied to a physical location. The massive investment required to build the level of security required for physical data centers is the prime reason that companies don’t build their own data centers, and one of several reasons why they are moving to cloud services in the first place. Some sample control mechanisms:

    - 24/7/365 onsite security.
    - Biometric hand geometry readers.
    - Security cameras should monitor activity throughout the facility.
    - Heat, temperature, air flow, and humidity should all be kept within optimum ranges for the computer equipment.
    - Policies, processes, and procedures are critical elements of successful physical security that can protect the equipment and data housed in the hosting center.

19) Disaster recovery: In the SaaS environment, customers rely heavily on 24/7/365 access to their services and any interruption in access can be catastrophic. Using virtualization software, a virtual server can be copied, backed up, and moved just like a file (live migration). Benefits are:

    - Quickly reallocating computing resources without any downtime
    - Ability to deliver on service-level agreements and provide high-quality service

20) Data privacy: A privacy steering committee should also be created to help make decisions related to data privacy. The security compliance team, if one even exists, will not have formalized training on data privacy. The answer is to hire a consultant in this area, hire a privacy expert, or have one of your existing team members trained properly. This will ensure that your organization is prepared to meet the data privacy demands of its customers and regulators.

3. CONCLUSION

We have argued that it is very important to take security and privacy into account when designing and using cloud services. In this paper security in cloud computing was elaborated in a way that covers security issues and challenges, security standards and security management models. Security issues indicate potential problems which might arise.

REFERENCES

[1] International Data Corporation, http://blogs.idc.com/ie/wp-content/uploads/2009/12/idc_cloud_challenges_2009.jpg, 2009
[2] Information Technology Infrastructure Library, http://www.itil-officialsite.com/home/home.asp
[3] Distributed Management Task Force, http://www.dmtf.org/standards/published_documents/DSP2017_1.0.0.pdf, 22.02.2009
[4] M. Casassa-Mont, S. Pearson and P. Bramhall, “Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services”, Proc. DEXA 2003, IEEE Computer Society, 2003, pp. 377-382
[5] https://www.pcisecuritystandards.org/index.shtml
[6] J. Salmon, “Clouded in uncertainty – the legal pitfalls of cloud computing”, Computing, 24 Sept 2008, http://www.computing.co.uk/computing/features/2226701/clouded-uncertainty-4229153
[7] S. Pearson, “Taking Account of Privacy when Designing Cloud Computing Services”, CLOUD’09, May 23, 2009, Vancouver, Canada
[8] Wikipedia, 20 January 2010, http://en.wikipedia.org/wiki/Personally_identifiable_information
[9] International Data Corporation, B. Waldman, A. Gillen, http://www.novell.com/rc/docrepository/public/37/basedocument.2009-07-28.4081031793/IDC The%20Market%20for%20Software%20Appliances_en.pdf, July 2009
[10] Gartner: Seven cloud-computing security risks, 02 July 2008, http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853?page=0,0
[11] Wikipedia, 6 February 2010, http://en.wikipedia.org/wiki/Risk_management
[12] Wikipedia, 27 January 2010, http://en.wikipedia.org/wiki/Risk_assessment.asp
[13] D. Catteddu, Giles Hogben: European Network and Information Security Agency, November 2009, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.asp
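Items 13 (Data security) and 16 (IAM) describe controls that travel with the data: a region restriction, forced encryption, access for specified users only, and grants limited to the minimum operations and time. The Python example below is added here and is not from the paper; the class names, region labels and the sample grant are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

EU_REGIONS = frozenset({"eu-west", "eu-central"})  # constructed region labels

@dataclass(frozen=True)
class Grant:
    user: str
    operations: frozenset   # only the operations the task needs
    expires: datetime       # access lapses when the task window ends

@dataclass
class DataPolicy:
    """Policy that travels with the data object (hypothetical structure)."""
    allowed_regions: frozenset
    require_encryption: bool
    grants: list = field(default_factory=list)

    def decide(self, user, operation, region, encrypted, now):
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        if region not in self.allowed_regions:
            return False, "region not permitted"
        if self.require_encryption and not encrypted:
            return False, "encryption required"
        expired = False
        for g in self.grants:
            if g.user == user and operation in g.operations:
                if now < g.expires:
                    return True, "granted"
                expired = True  # keep looking: a later grant may still be valid
        return False, ("grant expired" if expired else "no matching grant")

# Constructed sample: one user may read EU-resident data for one hour.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)
policy = DataPolicy(
    allowed_regions=EU_REGIONS,
    require_encryption=True,
    grants=[Grant("alice", frozenset({"read"}), NOW + timedelta(hours=1))],
)

if __name__ == "__main__":
    requests = [
        ("alice", "read", "eu-west", True, NOW),    # within grant
        ("alice", "write", "eu-west", True, NOW),   # operation not granted
        ("alice", "read", "us-east", True, NOW),    # outside permitted regions
        ("alice", "read", "eu-west", False, NOW),   # unencrypted copy
        ("alice", "read", "eu-west", True, LATER),  # after the grant lapsed
    ]
    for req in requests:
        print(req[:4], "->", policy.decide(*req))
```

The decision is deny-by-default: a request succeeds only when the region, encryption and an unexpired grant for that exact operation all match.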



