Data Security in the Cloud

PROJECT SUMMARY
Gerardo Pineda Betancourth

Cloud computing, or computing as a utility, is a new computing paradigm. It allows third

party service providers (i.e. cloud service providers) to provide a centralized pool of
configurable computing resources to end-users. The end-users (individuals and enterprises)
could make on-demand accesses to these resources and use them to implement their
services according to their ever-changing requirements. In this way, the end-users do not
need to deploy and manage their own computing services thus enabling fast deployment
and minimum operational and management overheads.

National Institute of Standards and Technology (NIST) defines cloud computing as “A

model for enabling convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal management effort or service provider
interaction” [1].
The term ‘Cloud’ is taken from the symbol used to represent the internet. The cloud denotes
a collection of servers and computers that can be accessed by the public through the
internet. These servers and computers are owned and operated by a third party in multiple
data center locations. These machines can run any number of operating systems. Cloud
computing delivers hosted services to the clients over the internet.

The services provided by the cloud are divided into three main categories:
SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a
Service).
Functionality such as storage, processing and other functionality is now offered on demand,
as a service and both freely and at cost [2], Data, that was once housed under a consumers
own administrative and security domain, has now been extracted and placed under the
domain of the Cloud Service Provider (CSP) [3].

The consumer has effectively lost control over how their data is being stored, shared and
used, and also over the security used to protect their data. Moreover, it can be the case that
a surreptitious employee of the service provider will have access to your data for legitimate
purposes but will abuse this power for their own means [4].
Users are no longer in full control over the security of their data and the protection offered
by the service provider is not absolute.

PROJECT GOAL
As Cloud Computing is one of the most talked about technologies now days and it has great
importance in enterprises because of the cost and computational promises it offers. I will
setup the goal of this PhD project to study, propose and implement novel Cloud Computing
methods and techniques to enable data security and data availability.

The main topics the researcher will tackle within the project are:

• Data Security and the Cloud. The initial stage sought to provide a clear definition for
Cloud Computing and the security issues therein, looking to identify precisely
where and when threats can occur to data and how these threats ought to be
mitigated.
• Comparative analysis includes cloud services delivery (SaaS, PaaS, IaaS) and
deployment models (private, public, and hybrid). Cloud computing paradigms are
discussed in the context of technical, business, and human factors, analyzing how
business and technology strategy could be impacted by the following aspects of
cloud computing: Architecture, Security, Costs, Hardware/software trends
(commodity vs. brands, open vs. closed-source), Organizational/human Factors.

PROJECT DESCRIPTION
In general, the transfer of information-related tasks to other parties obviously en-tails
security risks, in terms of confidentiality, integrity and availability of the data and services.
There are basically two ways to solve these: trust the provider, or put technical guarantees
in place that establish security properties even if the provider is not trustworthy. Usually,
only a combination of these is feasible, making cloud security an inherently socio-technical
problem.

This research is limited to data protection risks in the cases of storing and transferring
sensitive data between cloud providers.

Novelty: This project will study the design and evaluate a service which could provide
security functions for cloud users. In addition, to support the design of the service this
thesis will also identify the most important cloud storage specific risks and compare them
with traditional solutions, such as storage offered by a server-based model. The analysis of
both academic and industry related publications will enable a better and more complete
understanding of the technology.

Methodology: First the researcher will analyzed data protection requirements and security
policies. Based on this analysis an abstract design of security as a service architecture will
be proposed and will include an analysis and discussion of the proposed design, identifying
its potential and limitations. Through an extensive and detailed review of literature on the
subjects of: information security, privacy protection, cloud computing, and data security
and privacy protection legal frameworks across several jurisdictions, will resolve the
questions arriving at a recommendation on the subject of Data Security in the Cloud.

Relevance: This project will identify potential risks to the security of personal information
and examine ways to alleviate against those risks in the deployment of Enterprise System
Applications on the Software-as-a-Service platform in the course of deploying e-
Government solutions. First it will outline and define the concepts of the Cloud, e-
Government, and Enterprise System Applications. A discussion of the security of personal
information and privacy will follow, both on a high level of the concepts themselves and as
they relate to Cloud Computing.
Following this, the thesis will tackle the identification and explanation of the potential
threats to the information and privacy in cloud computing. Because many, if not most, of
the threats are common to multiple platforms of delivery of SaaS, the discussion will focus
on the general threats associated with Cloud computing; however all of the threats
identified are specifically tied to the SaaS platform among others.

REFERENCES
[1]. Peter Mell and Timothy Grance. The NIST De_nition of Cloud Computing. Special
Publication 800-145, National Institute of Standards and Technology, Information
Technology Laboratory, September 2011, http://csrc.nist.gov/publications/nistpubs/800-
145/ SP800-145.pdf
[2]. Michael Armbrust, Armando Fox et al. Above the Clouds: A Berkeley View of Cloud
Computing. Tech. rep. UCB/EECS-2009-28. Electrical Engineering and Computer
Sciences, University of California at Berkeley, Feb. 2009. url:
http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS- 2009-28.html.
[3]. Siani Pearson. “Taking account of privacy when designing cloud computing services”.
In: CLOUD '09: Proceedings of the 2009 ICSE Workshop on Software Engineering
Challenges of Cloud Computing. Washington, DC, USA: IEEE Computer Society, 2009,
pp. 44{52. isbn: 978-1-4244-3713-9. doi: http://dx.doi.org/10.1109/CLOUD.2009.5071532.
[4]. Phil Wong. Conversations About the Internet #5: Anonymous Facebook Employee.
English. The Rumpus. Jan. 2010. url: http://therumpus.net/2010/01/conversations- about-
the-internet-5-anonymous-facebook-employee.
[5]. Cloud Security Alliance. Security guidance for critical areas of focus in cloud
computing. Version 3. December 2011,
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf