
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 72

Understanding the Risks of Cloud Computing


Maximilian ROBU

Abstract— The last few years were marked by a major IT revolution, extending world-wide and based on the economies of scale of the major vendors' resources, such as IBM or Google. The current economic crisis has affected the IT market as well. A solution came from the Cloud Computing area, by optimizing IT budgets and eliminating different types of expenses (servers, licences, and so on). Cloud Computing is an exciting and interesting phenomenon because of its relative novelty and exploding growth. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe the environment is. Naturally, this raises the issue of security: is it safe to put our most important data in a cloud? This paper analyzes the various security risks that can arise in the Cloud Computing area.

Keywords— cloud computing, risks, security, technology

1 INTRODUCTION

Cloud Computing is a relatively new concept in the IT field, which marks the evolution and innovation of the way information technology is provided. It describes how the technology will be offered in the future, “as a service”. It can also be considered a fundamental factor in the evolution of the Internet and of how information is accessed.

The freshness and boost of cloud computing make it an exciting subject for research. The concept is at the forefront of recent publications in the area of information and communications technologies.

The cloud computing model allows access, via a network, to a preconfigured number of informational resources (applications, services, storage facilities, and so on) which can be used with minimal effort and no interaction with the supplier.

The problem appears when our dependency on cloud computing increases: like any technology it has its vulnerabilities, and the more we use it the more we expose ourselves to these risks.

The remainder of this paper is organised as follows. First, an overview of the cloud computing concept is given. Next, the research presents some details about cloud computing architecture and the services delivered. These are followed by a presentation of the risk categories that can appear in the cloud computing area. Finally, some discussion and conclusions are drawn.

2 THE CLOUD COMPUTING CONCEPT

The literature does not offer a universally accepted definition or a "founding father" of this topic; there are several approaches to the term.

One of the most frequently used definitions describes cloud computing as a style of computing where massively scalable IT-related capabilities are provided “as a service” across the Internet to multiple external customers [15]. This definition presents the cloud computing concept as referring to any computing capability that is delivered as a service over the Internet.

The National Institute of Standards and Technology (NIST) [21] and the Cloud Security Alliance [2] present cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This approach leads to paying for IT services on a consumption basis, just as now happens with electricity, gas or water.

Another interpretation explains cloud computing as an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. Cloud computing architectures have: highly abstracted resources; near-instant scalability and flexibility; near-instantaneous provisioning; shared resources (hardware, database, memory, etc.); “service on demand”, usually with a “pay as you go” billing system; programmatic management (e.g., through WS API) [3].

As you could probably deduce by now, cloud computing implies a service-oriented architecture (SOA) through offering software and platforms as services, reduced information technology overhead for the end user, great flexibility, reduced total cost of ownership (TCO) and on-demand services.

Basically, cloud computing represents an IT service, offered via a network, that is designed to be scalable and thus better adjusted to the customer's needs.

To conclude, cloud computing is a result of the continuous expansion of the Internet (we are of course referring to the ease of access to both data and applications) and a new concept that the IT market offers.

————————————————
Maximilian ROBU, PhD Student, Faculty of Economics and Business
Administration, “Alexandru Ioan Cuza” University of Iassy.
© 2010 Journal of Computing Press, NY, USA, ISSN 2151-9617
http://sites.google.com/site/journalofcomputing/

3 AN OVERVIEW OF CLOUD COMPUTING ARCHITECTURE AND SERVICES

Since cloud computing is a very broad term, classifying its architecture is complicated. There isn’t any universally accepted model. An example of cloud computing architecture is displayed in Figure 1. Customers connect to the cloud from their own computers or portable devices, over the Internet. To these individual users, the cloud appears as a single application, device, or document.

Fig. 1. An example of cloud computing architecture. Source: http://www.smartcloudsw.com/

As you can see, the architecture comprises hardware and software designed by a cloud architect who typically works for a cloud provider. Usually this involves a number of cloud components that communicate with each other, most often over web services. This architecture is then relayed to the client over a web browser, thus enabling him to access the applications from the cloud.

Applications of cloud computing can be split into three types, known as cloud service delivery models [2], [3]:
1. Infrastructure as a Service (IaaS).
2. Platform as a Service (PaaS).
3. Software as a Service (SaaS).

The services presented above can be integrated into the architecture, which is based on the Internet, as you can see in Figure 2. For every level there is a set of suggestive examples.

Fig. 2. Services that can be found in a cloud. Source: Kraan, W., Yuan, L., “Cloud computing in institutions”, JISC CETIS, 2009, http://wiki.cetis.ac.uk/images/1/11/Cloud_computing_web.pdf

The first service from the list, Infrastructure as a Service (IaaS), allows consumers to rent processing, storage, networks, and other fundamental computing resources that enable them to deploy and run arbitrary software, such as operating systems and applications. Examples worth mentioning are server hosting solutions like Amazon Web Services or BlueLock.

Platform as a Service (PaaS) is a service that enables the consumer to deploy onto the cloud infrastructure custom-created applications using a specific environment and toolset supported by the provider. Google App Engine and Windows Azure are two of the best-known tools in this area.

Software as a Service (SaaS) represents the ability of the consumer to run applications in a cloud using a simple interface such as a Web browser. These applications can be anything from Twitter to an important web-based email service, SalesForce.com or Google Mail.

4 MODELS OF CLOUD COMPUTING

When we speak about the cloud computing concept, the keyword that defines it is “cloud”. Cloud describes the use of services, applications, information, and infrastructure comprised of pools of compute, network, information and storage resources. The scalability of the cloud (up or down, addition of applications) is achieved through these components.

The specialized literature presents several cloud computing models. One of the most important classifications comes from ISACA (Information Systems Audit and Control Association) [4] and contains 4 major models that are reproduced in Table no. 1.

When deciding what type of cloud to use, companies must take into consideration several factors and, of course, their needs. It is good to know that public, private or hybrid do not point to location. It’s true that public clouds are generally on the Internet and private ones on dedicated premises, but a private cloud can also be hosted at a colocation facility. Because companies' needs can change rapidly, they can also choose to use two different types of cloud if that best fits their interest. For example, if you need a certain application just for a limited period of time you will most probably opt for a public cloud, so you won’t have to acquire any storage equipment. On the other hand, if we are talking about important software that will be used on a daily basis, you will rather deploy it in a private or hybrid cloud.

5 RISKS OF CLOUD COMPUTING

Moving informational resources to the cloud gives a lot of flexibility and efficiency, but also has consequences in a number of areas that require some thought.

Although the benefits of cloud computing are well known, safety concerns have received less attention. Where security is concerned, an important aspect is the study of the risks that arise from using this technology. Research has identified three types of cloud computing risks: policy and organizational, technical, and legal [2], [3].

5.1 Policy and organizational risks

These are business-related risks that organizations may face when considering cloud computing service providers. The most common risks in this category are lock-in, loss of governance, compliance challenges, loss of business reputation, and cloud service termination or failure.

Lock-in refers to the inability of a customer to move his applications and/or data away from the cloud of a vendor [5]. The problem here is the possibility of changing your vendor when you find it necessary. It is worth mentioning that although interoperability has improved among platforms, application programming interfaces for cloud computing itself are still largely proprietary.

According to the European Network and Information Security Agency (ENISA) [3], currently there are few "tools, procedures or standard data formats or services interfaces that guarantee data, application or services portability" and because of that it can be "difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment".

Customers who are locked in might be exposed to price increases, reliability issues or the imminent bankruptcy of providers. It is true that for the providers lock-in might prove to be quite a deal. One of the motivating factors for lock-in is the permanent desire of vendors to increase the prices of the services provided.

One other thing worth mentioning is that some customers might be interested in portability from one cloud provider to another without much fuss, and others might be interested in using multiple clouds at the same time [11]. Because the cloud computing concept is so new and hasn't reached maturity, not many users have faced this sort of problem.

One of the top security risks is loss of governance. Customers cede control to cloud computing service providers on a number of issues that may impact their security, mission, and goals. The Cloud Security Alliance [2] suggests that businesses are vulnerable when they entrust their data to a third party, and many things can go wrong.

Finnie [13] sees cloud computing as a "minefield" for CIOs and IT organizations with regard to the loss of control, which can lead to low security levels. This will result in the inability to satisfy some requirements concerning the confidentiality, integrity or availability of data.

Compliance challenges represent the third risk in this category. The Cloud Security Alliance [2] suggests that lack of governance over audits and industry standard assessments may leave cloud computing customers “without a view into the processes, procedures, and practices of the provider in the areas of access, identity management, and segregation of duties non-inclusively leaving control risks an unknown quantity”.

Cloud computing service providers need to be more transparent, so customers can ensure they meet the appropriate rules and regulations. If a company is trying to get a certain certification, the acceptance might
be jeopardized by the fact that the cloud computing service provider can't offer data about its own compliance or might not accept an audit from one of its customers.

Loss of business reputation is another important risk: one customer's bad behavior (a neighbor in the cloud) can negatively affect the reputation of the cloud as a whole [5].

Cloud service termination or failure refers to the financial viability of cloud service providers. When you choose a vendor, the financial aspect is a critical issue and should be evaluated [2].

ENISA [3] also notes the possibility that some cloud computing services are terminated as a result of competitive or financial pressures. Because this sort of termination can disturb your business and more, the Cloud Security Alliance [2] suggests that all cloud computing customers have an alternative location where the services can be taken on. This location can be either another cloud computing service provider's site or the customer's own data center.

5.2 Technical risks

When we speak about a subject like cloud computing, we inevitably have to speak about a specific kind of risk, the technical ones. Usually these risks have a direct, technological impact on cloud computing systems. Such risks include: availability of service, resource exhaustion, intercepting data in transit and distributed denial of service.

Availability of service has been described as the number one obstacle to the growth of cloud computing.

When you use a single vendor for cloud computing you expose yourself to the risk of a single point of failure. After all, the provider also has a business that can go wrong, depends on different network providers and can also go out of business.

Resource exhaustion is another type of risk that has to be taken into consideration when we speak about the technical side of cloud computing. Cloud computing services are considered on-demand, which suggests a level of calculated risk because the resources of a cloud service are allocated according to statistical projections [3].

It's true that the virtual machines used in cloud computing share CPUs and main memory, but disk I/O sharing proves to be more troublesome. Armbrust [5] states that the main problem with virtual machines and operating systems is that they fail to offer a programmatic way to make sure that all the threads of an application run at the same time.

The risk of intercepting data in transit is the result of the distributed architecture: cloud computing implies that more data is in transit than in traditional infrastructures.

Data is viewed as being at risk especially when it's in transit, so companies have to ensure that the data is encrypted in all phases [7].

Encryption should be strong and employ key management that allows customers to keep data encrypted and therefore private [2]. The threat sources worth mentioning here, without proper encryption, include sniffing, spoofing, man-in-the-middle attacks, side channel and replay attacks [2].

Distributed Denial of Service (DDoS) attacks represent another risk of using cloud computing services. Douglis [11] raises an alarm concerning virus attacks as this technology grows, heading towards one single interface. This will help the transmission of viruses, and one company that is the victim of a hack might affect other organizations that share the same cloud.

5.3 Legal risks

The last risk category is related to the legal nature of operations in clouds, and can also have a negative impact on an organization that uses cloud computing services. Legal risks include subpoena and e-discovery, changes of jurisdiction, data privacy, and licensing.

Subpoena and e-discovery refers to the possibility of physical hardware being confiscated as a result of a subpoena by law-enforcement agencies or civil suits. The result can be the disclosure of clients' data to unwanted parties.

Changes of jurisdiction can be a high risk when the customer's data is kept in multiple jurisdictions. Because jurisdictions apply their own laws, the issues and risks of data being unintentionally disclosed will grow in complexity as cloud computing is more widely adopted [2].

Gatewood [16] stated that the supplier's location and the data location might not be the same. Also, if that data is held in a country that does not honor international laws, the underlying contracts might be disclosed. The same applies to countries that are considered high-risk.

Data privacy remains “one of the longest standing and most important concerns with cloud computing” [16]. There are many aspects regarding this specific risk.

First of all, it’s important to know who the person responsible for data privacy is. Generally it is to be expected that the customer is also the person in charge of processing personal data, even when this type of data processing is being performed by the cloud provider.

Companies have already been held liable by government agencies in the US and European Union for activities performed by their subcontractors [2].

Another aspect is that information that belongs to an entity may be resident in several locations and coexist with another organization’s data [16]. Depending on data type and location, more legal issues concerning data privacy can arise. The safety of financial data, intellectual property or health data must be taken into consideration.

It can be difficult for the cloud customer (in its role of data controller) to effectively check the data processing that the cloud provider carries out, and thus be sure that the data is handled in a lawful way. Violation of the provisions on data security can bring administrative, civil and also criminal sanctions, which vary from country to country.

Licensing conditions are also a risk, in that organizations may pay more than desired to license software on systems hosted by cloud computing service providers. ENISA [3] explains that “licensing conditions, such as per-seat agreements, and online licensing checks may be unworkable in a cloud environment”.

In the case of PaaS and IaaS services, there is the possibility of creating original work in the cloud, for example new software. At this point we can say that there aren’t laws to protect newly created products, and the original work may be at risk.

6 CONCLUSION

In the current economic environment, cloud computing is one of the top technology trends and intends to be the saving solution for optimizing IT budgets.

Currently, cloud computing is considered the next best thing when it comes to optimizing IT budgets in the current economic environment. It's believed that it will become a key technology oriented at sharing infrastructure, software or business processes.

As cloud computing is used more, the risks it involves will arise, according to Pearson. It will be wise to place data into a cloud as long as you know the persons that have access to that information.

The novelty of the concept, the lack of international security-specific standards and the immaturity of this technology have given way to many interpretations of how application security should be treated in the cloud.

REFERENCES

[1] ***, CPNI, “INFORMATION SECURITY BRIEFING 01/2010. CLOUD COMPUTING”, 2010, retrieved from http://www.cpni.gov.uk/Docs/cloud-computing-briefing.pdf
[2] ***, Cloud Security Alliance, “Security guidance for critical areas of focus in cloud computing”, 2009, retrieved from http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
[3] ***, ENISA, “Cloud computing: benefits, risks and recommendations for information security”, 2009, retrieved from http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
[4] ***, ISACA, “Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives”, 2009, retrieved from http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf
[5] Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., et al., “Above the Clouds: A Berkeley view of cloud computing”, 2009, retrieved from http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf, 28.html
[6] Barrett, D., Kipper, G., “Visions of the Future: Virtualization and Cloud Computing Virtualization and Forensics”, 2010, pp. 211-220, retrieved from www.informationweek.com
[7] Brynko, B. (2008). “Cloud computing: Knowing the ground rules”. Information Today, 25 (10), 23, retrieved from Business Source Premier database: http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direct=true&db=buh&AN=35126515&loginpage=login.asp&site=ehost-live&scope=site
[8] Cagle, K., “But what exactly “is” cloud computing?”, O’Reilly Broadcast, 2008, retrieved from http://broadcast.oreilly.com/2008/12/but-what-exactly-is-cloud-comp.html
[9] Chonka, A., Yang, X., Zhou, W., Bonti, B., “Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks”, Journal of Network and Computer Applications, 2010, retrieved from http://www.sciencedirect.com
[10] Coviello, A., “Securing cloud computing is industry responsibility”, Infosecurity, Volume 7, Issue 2, March-April 2010, p. 11, retrieved from www.infosecurity-magazine.com/.../rsa-securing-cloud-computing-is-industry-responsibility-says-art-coviello
[11] Douglis, F. (2009). Staring at clouds. Internet Computing, IEEE, 13(3), 4-6. doi: http://doi.ieeecomputersociety.org/10.1109/MIC.2009.70
[12] Everett, C., “Cloud computing, A question of trust”, Computer Fraud & Security, Volume 2009, Issue 6, June 2009, pp. 5-7, retrieved from http://www.sciencedirect.com
[13] Finnie, S., “Peering behind the cloud”, Computerworld, 2008, p. 22, retrieved from Academic Search Premier database: http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direct=true&db=aph&AN=34703832&loginpage=Login.asp&site=ehost-live&scope=site
[14] Fitz-Gerald, SJ, “Cloud Computing: Implementation, Management and Security”, INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT, Volume: 30 Issue: 5, 2010, pp. 472-472.
[15] Gartner Research, “Definition of Cloud Computing. Cloud Computing: It's the destination, not the journey that is important”, DevCentral Weblog, 2008, retrieved from http://devcentral.f5.com/weblogs/macvittie/archive/2008/11/03/cloud-computing-its-the-destination-not-the-journey-that-is.aspx
[16] Gatewood, B., “Clouds on the information horizon: How to avoid the storm”, Information Management (15352897), 43(4), 32-36, retrieved from Academic Search Premier database: http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direct=true&db=aph&AN=43659227&loginpage=login.asp&site=ehost-live&scope=site
[17] Kraan, W., Yuan, L., “Cloud computing in institutions”, JISC CETIS 4A, 2009, http://wiki.cetis.ac.uk/images/1/11/Cloud_computing_web.pdf
[18] Jaeger, P. T., Lin, J., Grimes, J. M., “Cloud Computing and Information Policy: Computing in a Policy Cloud?”, Journal of Information Technology & Politics, Vol. 5 Issue 3, 2008, pp. 269-283, retrieved from http://citeseerx.ist.psu.edu
[19] Lillard, T. V., Garrison, C. P., Schiller, C. A., Steele, J., “Legal Implications and Considerations”, Digital Forensics for Network, Internet, and Cloud Computing, 2010, pp. 275-299
[20] Mansfield-Devine, S., “Danger in the clouds”, Network Security, Volume 2008, Issue 12, 2008, pp. 9-11
[21] Mell, P., Grance, T., “The NIST Definition of Cloud Computing”, Version 15, National Institute of Standards and Technology, Information Technology Laboratory, 2009, retrieved from http://csrc.nist.gov/groups/SNS/cloud-computing
[22] Paquette, S., Jaeger, P. T., Susan C. Wilson, “Identifying the security risks associated with governmental use of cloud computing”, Government Information Quarterly, Volume 27, Issue 3, 2010, pp. 245-253, retrieved from http://www.sciencedirect.com
[23] Shipley, G., “CLOUD COMPUTING RISKS”, InformationWeek, Issue 1262, 2010, pp. 20-24, retrieved from http://www.informationweek.com
[24] Subashini, S., Kavitha, V., “A survey on security issues in service delivery models of cloud computing”, Journal of Network and Computer Applications, In Press, 2010
[25] Svantesson, D., Clarke, R., “Privacy and consumer risks in cloud computing”, Computer Law & Security Review, Volume 26, Issue 4, 2010, pp. 391-397; Taylor, M., Haggerty, M., Gresty, D., Hegarty, R., “Digital evidence in cloud computing systems”, Computer Law & Security Review, Volume 26, Issue 3, 2010, pp. 304-308, retrieved from http://www.sciencedirect.com/
[26] Walsh, P. J., “The brightening future of cloud security”, Network Security, Volume 2009, Issue 10, 2009, pp. 7-10, retrieved from http://linkinghub.elsevier.com/retrieve/pii/S1353485809701096
[27] Walter, S., “Cloud security: is it really an issue for SMBs?”, Computer Fraud & Security, Volume 2010, Issue 10, 2010, pp. 14-15
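
Section 5.2 asks for strong encryption with key management that keeps data private to the customer, and lists spoofing, man-in-the-middle and replay among the threats to data in transit. The Go example below is added here and is not part of the original paper: it encrypts each record with AES-GCM under a customer-held key and binds a sequence number into the authentication tag, so a tampered, relabelled or replayed message is refused. The `Sealed` and `Receiver` types, the sequence-number scheme and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sealed is what crosses the network or rests at the provider.
type Sealed struct {
	Seq   uint64 // sender's message counter, authenticated but not secret
	Nonce []byte
	Data  []byte // ciphertext followed by the GCM authentication tag
}

var ErrReplay = errors.New("replayed or out-of-order message")

// NewAEAD builds AES-GCM from a customer-held key (32 bytes selects AES-256).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seqAAD encodes the sequence number so GCM authenticates it with the payload.
func seqAAD(seq uint64) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint64(aad, seq)
	return aad
}

// Seal encrypts plaintext on the customer's side, before it is transmitted.
func Seal(aead cipher.AEAD, seq uint64, plaintext []byte) (Sealed, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Seq: seq, Nonce: nonce, Data: aead.Seal(nil, nonce, plaintext, seqAAD(seq))}, nil
}

// Receiver holds the cipher and the highest sequence number accepted so far.
type Receiver struct {
	aead    cipher.AEAD
	lastSeq uint64
}

// Open refuses replays, then verifies the tag over payload and sequence number.
func (r *Receiver) Open(m Sealed) ([]byte, error) {
	if m.Seq <= r.lastSeq {
		return nil, ErrReplay
	}
	if len(m.Nonce) != r.aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := r.aead.Open(nil, m.Nonce, m.Data, seqAAD(m.Seq))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	r.lastSeq = m.Seq // advance only after the message authenticated
	return pt, nil
}

func main() {
	key := make([]byte, 32) // constructed sample key, generated for this run only
	rand.Read(key)
	aead, _ := NewAEAD(key) // a 32-byte key is always a valid AES key
	rx := &Receiver{aead: aead}
	msg, _ := Seal(aead, 1, []byte("constructed sample record"))
	pt, err := rx.Open(msg)
	fmt.Println(string(pt), err) // first delivery is accepted
	_, err = rx.Open(msg)
	fmt.Println(err) // the identical message sent again is refused
}
```
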

Robu Maximilian – Currently trying to get my PhD in Economic Computer Science at “Al. I Cuza” University Iassy, Romania. I’m an information technology enthusiast who's interested in what's new and exciting in today's computer business. I have a Postuniversitary degree in Business Administration System (2010) and an Economic Computer Science degree achieved in 2008, both achieved at the “Al. I Cuza” University Iassy, Romania. Cloud computing, green computing, ERP systems and their practical implementations are interests of mine, so it was only normal to place my research in these areas.
