Professional Documents
Culture Documents
computing
IEEE
Prototy
pe
A digital m
agazine
in support
of
the IEEE C
loud
Computin
g Initiative
What's Special?
3
Fraudulent
Resource
Consumption
14
May/June 2013
cloud
computing
IEEE
Technical Cosponsors
Jennifer Schopf
Doug Zuckerman
Angela Burgess
Robin Baldwin
Marian Anderson
Executive Director
Evan Butterfield
Sandra Brown
cloud@computer.org
Cloud
Computing:
Transforming
Information
Technology
Jon Rokne University of Calgary
he migration of information
and processes to the cloud is
transforming not only where
computing is done but, fundamentally,
how it is done. Cloud computing solves
many conventional computing problems, including handling peak loads,
installing software updates, and utilizing excess computing cycles, but the
2013 IEEE
Taking Initiative
In this Issue
An Invitation
author Greg Goth explores cloud computings attraction for the financially
strapped public sector. In The Insecurity of Cloud Utility Models, Joseph
Idziorek, Mark Tannian, and Doug
Jacobson examine an issue that isnt
immediately obvious: in the pay-asyou-go cloud billing process, fraudulent
consumptionby a botnet, for examplecan lead to significant financial
harm for legitimate users. From there,
we move on to Matthew Greens discussion of the security risks associated
with running cryptographic services in
cloud-based virtual machines in The
Threat in the Cloud. In our last article,
Implementing Effective Controls in a
Mobile, Agile, Cloud-Enabled Enterprise, Dave Martin dissects the technical and cultural changes required
of IT security teams as businesses
increasingly rely on mobile and cloudbased activities.
Whats Special
About Cloud
Security?
Peter Mell US National Institute of Standards and Technology
Cloud provider
Cloud
broker
Cloud orchestration
Cloud
consumer
Cloud service
management
Service layer
SaaS
Security
audit
Privacy
impact audit
Provisioning/
configuration
Service
aggregation
Service
arbitrage
Portability/
interoperability
Hardware
Performance
audit
Privacy
IaaS
Security
PaaS
Cloud
auditor
Service
intermediation
Business
support
Facility
Cloud carrier
Figure 1. NIST cloud computing reference architecture. It outlines five major roles: cloud consumer, provider, broker, auditor, and carrier.
Derivation of
Cloud Security Issues
To show the existence of these security issues,
I list a sampling derived from the initial cloud
4
Cloud Brokers
This reference architecture actor implies
security composition challenges within composed clouds, such as a SaaS built on an IaaS.
On-Demand Delivery
This cloud characteristic suggests security
challenges associated with the business user
being able to easily and instantly obtain
new computing resources that must be presecured on delivery.
Resource Pooling
This cloud characteristic guides customers
toward a put all your eggs in one basket
approach that might let users concentrate
security resources on a single basket but
that also heightens the need for backup and
Service Models
The cloud definition service models reveal
challenges with multitenancy in a resource
pooled environment. All service models
have data multitenancy, while PaaS and IaaS
additionally have processing multitenancy in
which user processes might attack each other
and the cloud itself.
Infrastructure as a Service
This service model reveals challenges with
using virtualization as a frontline security
defense perimeter to protect against malicious cloud users.
Measured Service
This cloud characteristic reveals the need to
measure cloud usage to promote overall cloud
availability.
Acknowledgments
Certain products or organizations are identified
in this document, but such identification does
not imply recommendation by the US National
Institute of Standards and Technology (NIST)
or other agencies of the US government, nor
does it imply that the products or organizations
identified are necessarily the best available for
the purpose. This article reflects the authors
References
1. IT Cloud Services User Survey, Part 2,
IDC Enterprise Panel, Aug. 2008; www.
clavister.com/documents/resources/
white-papers/clavister-whp-security-in
-the-cloud-gb.pdf.
2. Cloud Computing: Benefits, Risks, and
Recommendations for information Security, European Network and Information
Security Agency, Nov. 2009; www.enisa.
europa.eu/act/rm/files/deliverables/
cloud-computing-r i sk-assessment/
at_download/fullReport.
3. Final Version of NIST Cloud Computing Definition Published, NIST Tech
Beat, 25 Oct. 2011; www.nist.gov/itl/csd/
cloud-102511.cfm.
4. F. Liu et al., NIST Cloud Computing Reference Architecture, NIST recommendation, Sept. 2011; http://collaborate.nist.
gov/twiki-cloud-computing/pub/Cloud
Computing/R eferenceArchitecture
Ta x o n o m y / N I S T _ S P _ 5 0 0 - 2 9 2 _
-_090611.pdf.
Get Involved
Follow us on
@ieeecloud
IEEE Cloud
Computing
IEEECloudComputing
Get involved
The CCI offers many opportunities to
participate, influence, and contribute
to this technology.
Contact us
cloudcomputing@ieee.org
Current opportunities
Submit a paper or help organize at
one of our conferences. Contribute
an article to our new Transactions on
Cloud Computing publication. Be a
part of the P2302 standards working
group for intercloud interoperability
and federation.
Save the Date
Cloud Computing for Emerging
Markets (CCEM), 1618 October 2013,
Bangalore, India (cloudcomputing.
ieee.org/ccem)
Check out
the Cloud Web Portal for the latest
information on the CCIs activities.
cloudcomputing.ieee.org
Toward
Accountability
in the Cloud
Siani Pearson HP Labs
must address two primary barriers: lack of consumer trust and the complexity of compliance.
Here, I argue that the concept of accountability is key to addressing these issues.
2013 IEEE
What Is Accountability?
For several years, computer science has used
the term accountability to refer to a narrow
and imprecise requirement thats met by
reporting and auditing mechanisms. Here,
however, I use the term in the context of corporate data governance. Accountability (for
complying with measures that give effect to
practices articulated in given guidelines) has
been present in many core frameworks for
privacy protection, most notably the Organization for Economic Cooperation and
Development (OECD)s privacy guidelines
(1980),4 Canadas Personal Information
Protection and Electronic Documents Act
(2000),5 and Asia Pacific Economic Cooperation (APEC)s Privacy Framework (2005).6
More recently, region block governance models are evolving to incorporate
accountability and responsible information use, and regulators are increasingly
requiring that companies prove theyre
accountable. In particular, legislative
May/June 2013
Another mechanism were researching is and auditing. By these means, the accountwho can read or modify a file or database,
or network and host firewalls that block all the use of sticky policies, in which machine- able organizations can ensure that all who
but allowable activity). The cloud is a spe- readable policies (defining allowed usage and process data observe their obligations to procial example of how businesses must assess associated obligations) are attached to data tect it, irrespective of where that processing
and manage risk better.13 Preventive controls within the cloud and travel with it. Other occurs.
for the cloud include risk analysis and deci- mechanisms include risk assessment, decision support tools, policy enforcement (for sion support, obfuscation in the cloud, and Moving Forward
example, machine-readable policies, privacy- policy translation from higher-level policies Current regulatory structure places too much
enhanced access control, and obligations), to machine-readable ones that are enforced emphasis on recovering and not enough on
trust assessment, obfuscation techniques, and audited. We dont have the space here to trying to get organizations to proactively
describe all this work, so Ill just briefly out- reduce privacy and security risks. New data
and identity management.
Organizations can use detective controls line three examples of our research.
governance models for accountability can
First, weve worked with the HP Privacy provide a basis for providing data protection
to identify privacy or security risks that go
against policies and procedures (for example, Office to develop and deploy a tool called when people use cloud computing. Accountintrusion-detection systems, polability is becoming more integrated
icy-aware transaction logs, language Accountability places a legal responsibility into our self-regulatory programs as
frameworks, and reasoning tools).
well as future privacy and data proon an organization to ensure that the
Detective controls for the cloud
tection frameworks globally. If CSPs
include auditing, tracking, reporting,
contracted partners to whom it supplies dont think beyond mere compliand monitoring. In addition, correcance and demonstrate a capacity for
data are compliant.
tive controls are necessary (such as
accountability, regulations will likely
an incident management plan or disdevelop that could be difficult to folpute resolution) that can help fix an
low and might stifle innovation; a
undesired outcome thats already occurred. the HP Privacy Advisor that takes employees backlash might also arise from data subjects.
These controls complement each other: a through a series of dynamically generated
Strengthening
an
accountability
combination would ideally be required for contextual questions and outputs the risk approach and making it more workable
for privacy compliance in any new product, by developing intelligent ways to apply
accountability.
Provision of accountability wouldnt occur service, or program. It encodes HPs privacy accountability and information stewardonly via procedural means, especially for the rulebook and other sources and provides ship is a growing challenge. It goes beyond
cloud, which is an automated and dynamic privacy by design guidance. An associated traditional approaches to protect data (such
environment: technology can play an impor- workflow with privacy managers ensures as security and the avoidance of liability) in
tant role in enhancing solutions by enforcing that employees address the suggested actions that it includes complying with and upholdpolicies and providing decision support, assur- mitigating these risks.
ing values and obligations, and enhancing
The Cloud Stewardship Economics proj- trust. Hewlett-Packard is actively working in
ance, security, and so on.
Procedural measures for accountabil- ect is defining mathematical and economic this area to produce practical solutions, both
ity include determining CSPs capabilities models of the cloud ecosystem and the dif- on the policy (HP Privacy Office) and techbefore selecting one, negotiating con- ferent choices cloud stakeholders face. The nical fronts (HP Labs).
tracts and service-level agreements (SLAs), goal is to help cloud consumers, providers,
At present were just starting to see some
restricting the transfer of confidential data to regulators, and other stakeholders explore technical work emerging from other parties
CSPs, and buying insurance. Organizations and predict the consequences of different in this area. The CSAa non-profit orgashould also appoint a data-protection officer, policies, assurance mechanisms, or even ways nization formed to promote the use of best
regularly perform privacy impact assessments of regulating accountability. This can facili- practices for providing security assurance
on new products and services, and put tate consumer choice; as chains of providers within cloud computinghas a Govermechanisms in place to allow quick response become more complex, the models can high- nance, Risk Management, and Compliance
light how and why evidence sharing is likely (GRC) stack that includes two very relto data subject access and deletion requests.
Technical measures for accountability can to provide necessary assurance.
evant activities: CloudAudit, which aims
Finally, were working to achieve account- to provide a technical foundation to enable
include encryption for data security mitigation, privacy infomediaries, and agents to help ability using contractual assurances along transparency and trust in private and pubincrease trust. We must also be able to rely on the service provision chain from CSPs to lic cloud systems, and the Trusted Cloud
infrastructure to maintain appropriate separa- accountable organizations, enhanced on Initiative, which is working toward certifytions, enforce policies, and report information the technical side by enforcement of corre- ing trusted clouds. HyTrust Appliance is a
accurately. At HP Labs, were investigating sponding machine-readable policies propa- hypervisor consolidated log report and polhow to build and exploit trusted virtualized gated with (references to) data through the icy-enforcement tool that logs from a system
cloud, integrated risk assessment, assurance, perspective. The Commonwealth Scientific
platforms with precisely these properties.
References
1. R. Gellman, Privacy in the Clouds: Risks
10
org/Groups/Committee-on-Trade-and
-Investment/~/media/Files/Groups/
ECSG/05_ecsg_privacyframewk.ashx.
7. The Future of Privacy: Joint Contribution to the Consultation of the European
Commission on the Legal Framework
for the Fundamental Right to Protection
of Personal Data, EU Article 29 Working Party, WP168, Dec. 2009; http://
ec.auropa.eu/justice/policies/privacy/
docs/wpdocs/2009/wp168_en.pdf.
8. Opinion 3/2010 on the Principle of
Accountability, EU Article 29 Working Party, WP173, July 2010; http://
ec.europa.eu/justice/policies/privacy/
docs/wpdocs/2010/wp173_en.pdf.
9. Galway Project Plenary Session Introduction,
Galway Project, 28 Apr. 2009, p. 5.
10. D. Weitzner et al., Information Accountability, Comm. ACM, vol. 51, no. 6, 2008,
pp. 8287.
11. S. Pearson and A. Charlesworth,
Accountability as a Way Forward for Privacy Protection in the Cloud, Proc. 1st Intl
Conf. Cloud Computing, LNCS 5931, M.G.
Jaatun, G. Zhao, and C. Rong, eds., 2009,
pp. 131144.
12. D. Pym and M. Sadler, Information Stewardship in Cloud Computing, Intl J. Service
Science, Management, Engineering and Technology, vol. 1, no. 1, 2010, pp. 5067.
13. A. Baldwin and S. Shiu, Managing Digital Risk: Trends, Issues, and Implications
for Business, tech. report, Lloyds 360 Risk
Insight, 2010.
Siani Pearson is a senior researcher in the
Cloud and Security Research Lab at HP
Labs Bristol. Her current research focus is
on privacy-enhancing technologies, accountability, and the cloud. Pearson has a PhD in
artificial intelligence from the University of
Edinburgh. Shes a technical lead on regulatory compliance projects with the HP Privacy Office and HP Enterprise Services and
on the collaborative TSB-funded Ensuring
Consent and Revocation project. Contact
her at siani.pearson@hp.com.
This article originally appeared in
IEEE Internet Computing, July/August
2011; http://doi.ieeecomputersociety.
org/10.1109/MIC.2011.98.
May/June 2013
SUBMIT
NOW
IEEE TRANSACTIONS ON
Cloud Computing
The IEEE Transactions on Cloud Computing will publish peer reviewed articles that provide
innovative research ideas and applications results in all areas relating to cloud computing.
Topics relating to novel theory, algorithms, performance analyses and applications of
techniques relating to all areas of cloud computing will be considered for the transactions.
The transactions will consider submissions specifically in the areas of cloud security, trade-offs
between privacy and utility of cloud, cloud standards, the architecture of cloud computing,
cloud development tools, cloud software, cloud backup and recovery, cloud interoperability,
cloud applications management, cloud data analytics, cloud communications protocols,
mobile cloud, liability issues for data loss on clouds, data integration on clouds, big data on
clouds, cloud education, cloud skill sets, cloud energy consumption, cloud applications in
commerce, education and industry. This title will also consider submissions on Infrastructure
as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and Business
Process as a Service (BPaaS).
TCC EDITor-In-CHIEF
Rajkumar Buyya
Director, Cloud Computing and Distributed Systems (CLOUDS) Lab, The University of Melbourne
www.computer.org/cloud
11
Public Sector
Clouds Beginning
to Blossom
Efficiency, New Culture
Trumping Security Fears
Greg Goth
12
2013 IEEE
A Common Path
The latest trends on government clouds
seem to be following the agency-byagency scenario: while the British governments top-level G-Cloud initiative
seems to have stalled out in a change of government, the UKs National Health Service
quietly signed an agreement with Zscaler
to provide the NHS with its product.
The thing that really helped us was, it was
just a massive environment, and very disparate, Sutton says. Different hospitals would
have their own IT departments, and it was
spread like that through the entire country.
An offering like Zscaler was very desirable
to them because it didnt require deploying
new hardware, and they didnt have to deal
with certain pieces of hardware and software
not working with everything. You could
www.computer.org/cloud
aha Kass-Hout, the CDCs program manager for the BioSense program, says the new collaborative approach
will better mirror how local and regional
public health agencies deal with possible
outbreaks of disease or attack.
Biosurveillance is really about the local
context anyway, Kass-Hout says, and in
redesigning BioSense, we had to be cognizant
not just of legal issues such as data use agreements but also of respecting business logic at
the various levels and the best practice procedures theyve instituted. Data should flow
from providers to local departments and
upward, but it should also flow horizontally.
Local and state health departments have the
best relationship with providers, they understand the context in which an event has
happened, and they understand their
population more than anybody else. If we
can make sure they have ownership of that
data and the initial vetting of it is there, that
would be the basis to truly start stitching a
regional and national picture.
The Insecurity
of Cloud Utility
Models
Joseph Idziorek, Mark F. Tannian, and Doug Jacobson Iowa State
University
14
Fraudulent Resource
Consumption
To better understand the FRC attack, consider the time-series visualization of a Web
server log shown in Figure 2.1,2 The y-axis
depicts the number of requests per second,
and as the x-axis shows, the time series covers a two-week period. As is common, the
modeled Web server capacity is sufficiently
over-provisionedthis represents a conservative estimate, given the capacity of CSP
Web servers. Superimposed on top of normal Web activity are serviced requests from
an FRC attack.
As Figure 2 shows, initial attack intensity beyond normal activity is in the nuisance activity region, because the resultant
costs are insignificant to the cloud consumer.
2013 IEEE
Control
Attack
clients
$
Botmaster
(Bots)
Internet
$
$
$
Cloud consumer
$
Legitimate
clients
Cloud-based
Web applicaiton
CSP access
point
Public internet
CSP network
Figure 1. A cloud network-attack diagram. Botnets can exploit the cloud utility model to perform fraudulent resource consumption (FRC),
making consumers incur unexpected costs from dishonest use.
FRC Risk
Adopting the public cloud model brings
with it new and old security risks. Here, we
focus on the risk introduced by the utility
pricing model by discussing the likelihood
and effects of an FRC attack.
The likelihood of a cloud consumer
130
FRC attack
110
J1
Nuisance activity
Normal activity
90
70
50
30
Probability of detection
150
J2
FRC attack region
J1
10
0
7
Days
10
11
12
13
14
Figure 2. Malicious-requests behavior. The initial attack intensity (labeled J1) results in insignificant costs for the cloud consumer. However,
as malicious activity intensifies beyond this nuisance activity region, the cost to the consumer starts to become a matter of concern. Yet
distributed denial-of-service detection schemes arent effective at this lower intensity level (below J2).
enumerate one end of the extreme, a weeklong DDoS attack launched from a 250,000
node botnet in 2011 peaked at 45 Gbps.8 If the
aforementioned attack peak was sustained on
a cloud instance at $0.12/Gbyte, the resultant
costs would have been $0.675 per second
which adds up to $411,264 per week.
On the other end of the FRC attack
region, consider the website modeled in Figure 2. At an average normal request rate of
three requests per second, a 250,000-node
botnet could double the data usage costs if
each bot client generated just two requests
per day. Clearly, given the capacity of modern-day networks and computers, the bot
clients in this example could significantly
increase their daily request quota and multiply the attack cost by orders of magnitude.
However, once a bot clients usage footprint
eclipses the expected behavior of legitimate
clients, the risk of being identified as malicious greatly increases.
Defending Against
an FRC Attack
Defending against an FRC attack is a significant challenge to the cloud consumer,
owing to the atypical and unassuming
nature of the attack. As is the case with most
attack risks, the cloud consumer has four
primary objectives: prevention, detection,
attribution, and mitigation.
Prevention
A common way to prevent the exploitation
of a vulnerability is to download and apply
a patch for it. However, in the context of this
16
Detection
FRC detection aims to identify malicious
traffic consumption. Because an FRC
attack is subtle, previous application-layer
DDoS solutions that focus on high request
Attribution
Mitigation
Reactive solutions rely on accurate detection
and attribution. We must consider the potential for legitimate clients being errantly classified as malicious. As a result, approaches like
blacklisting first-time offenders might prove
heavy-handed. Less absolute mitigation
strategies include imposing a back-off timeout to anomalous clients in which requests
Actual cost
Legitimate
resource use
Billing period
from an IP address arent all serviced. Similarly, suspicious clients could also be served
a graphical puzzle to prove that the client is
indeed a human.
These reactive approaches are available
today, and each has its own tradeoffs. However, with limited detection and attribution
solutions available, the deployment and maintenance of such solutions will be challenging.
References
Change we are leading is the theme of CLOUD 2013. Cloud computing has become a scalable
services consumption and delivery platform in the eld of services computing. The technical
foundations of cloud computing include service-oriented architecture (SOA) and virtualizations
of hardware and software. The goal of cloud computing is to share resources among the cloud
service consumers, cloud partners, and cloud vendors in the cloud value chain.
Register today!
http://www.thecloudcomputing.org/2013
18
May/June 2013
Focus on
Your Job Search
IEEE Computer Society Jobs helps you easily find
a new job in IT, software development, computer engineering, research, programming, architecture, cloud
computing, consulting, databases, and many other
computer-related areas.
New feature: Find jobs recommending or requiring the
IEEE CS CSDA or CSDP certifications!
Visit www.computer.org/jobs to search technical job
openings, plus internships, from employers worldwide.
http://www.computer.org/jobs
The IEEE Computer Society is a partner in the AIP Career Network, a collection of online job sites for scientists, engineers, and computing professionals. Other partners include Physics Today, the American Association of Physicists in Medicine (AAPM), American
Association of Physics Teachers (AAPT), American Physical Society (APS), AVS Science and Technology, and the Society of Physics
Students (SPS) and Sigma Pi Sigma.
Side Channels
The Threat
in the Cloud
Matthew Green Johns Hopkins University
2013 IEEE
SquareMult(x, e, N):
let en, , e1 be the bits
y 1
for i = n down to 1 {
y Square(y)
y ModReduce(y, N)
if ei = 1 then {
y Mult(y, z)
y ModReduce(y, N)
}
}
return y
of e
(S)
(R)
(M)
(R)
References
S1: SRSRMRSMRSRSRSMR
S2:
MRSRSRSRMR**SRMRSR
S3:
SRMRSRSR
S4:
MRSRSRSR**SRMRSR
S5:
MR*RSRMRSRMRSR
S6:
MRSRSRMRSRSRSRMR
-----------------------------------------------SRSRMRSRMRSRSRSMRSRSRMRSRSRSRMRSRMRSRSRMRSRMRSR
Figure 2. Reconstructing six fragments to form a single spanning sequence. This process
can recover the private key. In the fragments and recreated sequence, M, R, and S stand for
multiplication, modular-reduce, and square calls. Bold letters indicate overlapping instruction
sequences.
The Outcome
With everything in place, the researchers
attacked a 4,096-bit Elgamal public key, which
(owing to an optimization in libgcrypt) had
a 457-bit private key e. After several hours of
data collection, they obtained about 1,000
key-related fragments, of which 330 were long
enough to be useful for key reconstruction.
These let the attackers reconstruct the full key
with only a few missing bits, which they could
guess using brute force.
And that, as they say, is the ballgame.
May/June 2013
Implementing
Effective Controls
in a Mobile, Agile,
Cloud-Enabled
Enterprise
Dave Martin EMC
s security professionals, we
attend meetings and pronounce that security is everyones responsibility, and everyone nods
in agreement. But in reality, everyone still
believes that the security team still has the
ball. Another favorite clich is that security
should be built in, not bolted on; however,
finding tangible examples of fully integrated
or built-in security is difficult.
As security practitioners, its hard not
to blame ourselves for these realities
weve done little to really push these
agendas forward. After all, were all paid
paranoids with trust issues that lead us
2013 IEEE
legitimate use cases for Web application firewalls, theyre often used to address unknown
vulnerabilities in underlying infrastructure
and application layers or to provide security
log visibility. Other network-based controls,
such as network data loss prevention, can
be effective, but they add complexity and
cost, reduce agility, and introduce additional
points of failure to critical operating environments. Vulnerability-scanning services
provide critical health data about our environments to address weaknesses in our asset
and configuration management systems, but
having the application platform and hosts
report on the operating environments configuration and patch levels would be more
useful. We continue to leverage controls ineffectively, partly by habit and partly because
weve failed to address the fundamental
issues by often assuming that processes and
infrastructure cannot be made inherently
more secure and that they require complex
bolted on layers of security.
Given the current environments forcing
functions, agility, mobility, virtualization,
evolving threats, and cost, we must look for
new ways to build our infrastructure and
systems. Maintaining existing layers of complexity will involve large amounts of automation, configuration, and change management.
Trying to ensure that an application stack
remains protected using bolted-on layers of
security as it moves from datacenter to datacenter will become a huge challenge. We
must plan now, not by eliminating controls
(although we should take this opportunity to
review them), but by examining the controls
we need and how theyre applied.
We must foster a stronger relationship
with the application development teams to
ensure they have adequate training on security and threats and follow a solid software
development life cycle (SDLC). These teams
are vital in integrating our controls directly
into the application stack. We must empower
them to use integration APIs to many of our
common controls and fully embed them into
the protected application. For example, where
better to deliver data loss prevention than in
the application itself? An API call can validate when its acceptable for the application
to transmit data given the context of user, role,
device, and so forth. The application is better
able to make this decision than, say, a bump
IEEE Cloud Computing
23
s with any modifications in environments with legacy technology, processes and people wont change overnight. We
must act with sponsorship across IT leadership, picking targets to demonstrate the benefits of this approach. By measuring benefits
over time and applying these concepts when
applications are re-platformed, we can complete the transition, creating an infrastructure
that is simpler, more agile, and cheaper and
that has more effective integrated controls.
BOARD OF GOVERNORS
Term Expiring 2013: Pierre Bourque, Dennis J.
Frailey, Atsuhiro Goto, Andr Ivanov, Dejan S.
Milojicic, Paolo Montuschi, Jane Chu Prey, Charlene
(Chuck) J. Walrad
Term Expiring 2014: Jose Ignacio Castillo
Velazquez, David. S. Ebert, Hakan Erdogmus, Gargi
Keeni, Fabrizio Lombardi, Hironori Kasahara, Arnold
N. Pears
Term Expiring 2015: Ann DeMarle, Cecilia Metra,
Nita Patel, Diomidis Spinellis, Phillip Laplante, JeanLuc Gaudiot, Stefano Zanero
EXECUTIVE STAFF
Executive Director: Angela R. Burgess; Associate
Executive Director & Director, Governance:
Anne Marie Kelly; Director, Finance &
Accounting: John Miller; Director, Information
Technology & Services: Ray Kahn; Director,
Membership Development: Violet S. Doan;
Director, Products & Services: Evan Butterfield;
Director, Sales & Marketing: Chris Jensen
May/June 2013
25 December 2013
Register today!
http://2013.cloudcom.org