J ÖNKÖP I NG I NT E R NAT I ONAL BUS I NE S S SCHOOL

JÖNKÖPING UNIVERSITY

Cl oud Comput i ng
-Security Risks, SLA and Trust-
Paper within Bachelor thesis in Informatics
Author: William Ambrose,
Niclas Dagland,
Samuel Athley
Tutor: Wolfram Webers
Jönköping June 2010


i
BacheIor's Thesis in Informatics
Title: Cloud Computing: -Security Risk, SLA and Trust-
Author: William Ambrose
Samuel Athley
Niclas Dagland

Tutor: Wolfram Webers

Date: 2010 - 06 - 07

Keywords: Cloud Computing, Security Risks, Service Level Agreement, Trust,
Software as a Service (SaaS) Platform as a Service (PaaS)
Infrastructure as a Service
______________________________________________________________________
Abstract
With Cloud Computing becoming a popular term on the Information Technology (IT)
market, security and accountability has become important issues to highlight. In our
research we review these concepts by focusing on security risks with Cloud Computing and
the associated services; Software, Platform and Infrastructure (SPI) and connecting them
with a social study of trust.
The method that was conducted during our research was reviewing secondary literature,
interviewing different experts regarding Cloud Computing and relating standards already
established by ENISA, NIST, and CSA to the interviews.
The result of this study shows connections between the specific SPIs, both how they
compare, but also how they differ. In the end we were also able to rank the top security
risks from interviews with experts and see which SPI could be the most insecure one and
what countermeasures could be applied.
This was further related to trust and Service Level Agreement (SLA) in Cloud Computing
to show how the security risks we discuss are related to these two specific areas. By
highlighting this we wanted to present useable information for both clients and providers
in how to create a better Cloud Computing environment.




ii
Acknowledgements
First, we would like to thank the instructors that provided help and guidance during our
research, without them we would have veered off the path.
x Wolfram Webers: For providing us great insight and steering to ensure that we
stayed on path during our research, we thank you.
x Ulf Larsson: Provided us with valuable information and multiple articles in our
research which we were very grateful to receive.
x Jörgen Lindh: Helped ensuring that our thesis was properly structured and
provided a different perspective in our thesis and for this we express our
appreciation.
x Projectplace.com: We thank you for allowing us to use your platform during our
research. We found the platform most helpful when documenting our work.
We would also like to thank all of the people that participated in the interview which
helped us in our findings and providing us with valuable information. Further, we would
like to thank each individual member of the group who made this research possible and
memorable.



iii
Table of Contents
Bachelor's Thesis in Ìnformatics........................................................................... i
Abstract ................................................................................................................ i
Acknowledgements ............................................................................................. ii
1 Introduction .......................................................................... 1
1.1 Background ............................................................................................ 2
1.2 Problem .................................................................................................. 4
1.3 Purpose .................................................................................................. 5
1.4 Perspective ............................................................................................. 5
1.5 Delimitation ............................................................................................. 5
1.6 Definitions ............................................................................................... 6
2 Methodology ........................................................................ 8
2.1 Research philosophy .............................................................................. 8
2.1.1 Epistemology .......................................................................................... 8
2.1.2 Ontology ................................................................................................. 9
2.1.3 Axiology .................................................................................................. 9
3 Theoretical Framework ..................................................... 10
3.1 Cloud Computing .................................................................................. 10
3.2 Cloud Computing Overview model ....................................................... 11
3.3 Cloud Computing Characteristics ......................................................... 12
3.4 SPI Overview Model ............................................................................. 13
3.5 Software as a Service ........................................................................... 14
3.5.1 Division of Responsibility in SaaS ........................................................ 15
3.6 Platform as a Service ........................................................................... 16
3.6.1 Division of Responsibility in PaaS ........................................................ 17
3.7 Infrastructure as a Service .................................................................... 18
3.7.1 Division of Responsibility in IaaS .......................................................... 19
3.8 Cloud Deployment Models ................................................................... 20
3.9 Cloud Computing Vendors Model ......................................................... 21
3.10 Multi-tenancy ........................................................................................ 22
3.10.1 Separate Database............................................................................... 22
3.10.2 Shared Database and Separate Schemes ........................................... 22
3.10.3 Shared Database and Shared Schemes .............................................. 22
3.10.4 Choosing an Approach ......................................................................... 23
3.11 Service Level Agreement ..................................................................... 23
3.12 Risk definition ....................................................................................... 25
3.13 Security ................................................................................................ 27
3.13.1 Security risks tied to information security ............................................. 28
3.14 Trust ..................................................................................................... 31
4 Research Questions .......................................................... 33
5 Method ................................................................................ 33
5.1 Research approach .............................................................................. 33
5.2 Credibility .............................................................................................. 35
5.2.1 Reliability .............................................................................................. 35
5.2.2 Validity .................................................................................................. 35


iv
5.3 Interview questions ............................................................................... 36
5.4 Analysis Method ................................................................................... 36
6 Empirical Findings............................................................. 37
6.1 IT-Consultant Interview Summary ........................................................ 37
6.2 Senior Business Consultant Interview Summary .................................. 38
6.3 CEO Interview Summary ...................................................................... 38
6.4 Computer Consultant Interview Summary ............................................ 38
6.4.1 CIO I Interview Summary ..................................................................... 39
6.4.2 CIO II Interview Summary .................................................................... 39
6.5 Security Risks ....................................................................................... 40
6.5.1 Security Risk List .................................................................................. 40
6.6 SLA summaries .................................................................................... 41
6.6.1 Amazon ................................................................................................ 41
6.6.2 Microsoft ............................................................................................... 41
6.6.3 Google Apps ......................................................................................... 42
6.6.3.1 Google App Engine .................................................................................................. 42
6.7 Security Risks ....................................................................................... 43
7 Analysis .............................................................................. 45
7.1 Major security risks within Cloud Computing ........................................ 45
7.1.1 Clients expectation of SLAs in regarding security ................................ 47
7.2 Trust related Security Risks in Cloud Computing ................................. 49
7.2.1 Is trust important? ................................................................................. 49
7.3 Security risks associated with trust in Cloud Computing ...................... 50
7.3.1 Quality of Service ................................................................................. 51
7.3.2 Ownership ............................................................................................ 51
7.3.3 Provider ................................................................................................ 52
7.4 How to avoid security risks associated with trust? ................................ 52
8 Conclusion ......................................................................... 54
9 Discussion .......................................................................... 55
9.1 Critique of method ................................................................................ 56
9.2 Future research proposals .................................................................... 56
10 References.......................................................................... 57
Appendix 1 Interview Questions .................................................. 60
Appendix 2 Interviews with experts ............................................. 60
10.1 IT-Consultant ........................................................................................ 60
10.2 Senior Business Consultant ................................................................. 64
10.3 CIO I .................................................................................................... 66
10.4 Computer Consultant ............................................................................ 68
10.5 CEO ...................................................................................................... 70
10.6 CIO II .................................................................................................... 72




v
List of Figures
Figure 3.1 Cloud Computing Overview Model ...................................................11
Figure 3.2 SPI Overview Model.........................................................................13
Figure 3 3 Cloud Taxonomy Model ...................................................................21
Figure 3.5 Reputation - Trust - Reciprocity > Net Benefit (Mui, 2002) ..............32
Figure 9.1 Cloud Computing Triangle ...............................................................55

List of Tables
Table 3.1 Division of Responsibility in SaaS .....................................................15
Table 3.2 Division of Responsibility in PaaS .....................................................17
Table 3.3 Division of Responsibility in IaaS ......................................................19
Table 3.4 Security Risks tied to Information Security .......................................30
Table 6.1 Security Risks ...................................................................................44
Table 6.2 Interview Security Risk Analysis ........................................................46
Table 6.3 Security Risks from Interviews ..........................................................47









1
1 Introduction
On the information technology (IT) market there has emerged a new buzzword called Cloud
Computing. It is described as the future and that everyone should move into the so called Cloud.
There are many different definitions for Cloud Computing which has created confusion about
what this phenomena really is. For this research two definitions has been selected which are
stated below. Forrester defines Cloud in their article ívter¡ri.e reb 2.0 ívvaavevtat. as:
. ¡oot of .catabte c ab.tractea ivfra.trvctvre tbat bo.t eva v.er a¡¡ticatiov., bittea b, cov.vv¡tiov.
In the article Cloud Computing will be as influential as E-bv.ive.. by Gartner, Cloud Computing is
defined as:

. .t,te of cov¡vtivg rbev va..iret, .catabte í1 retatea ca¡abititie. are ¡roriaed "as a Service" using
Internet technologies to vvtti¡te e·tervat cv.tover..

These definitions will be a guide through the research as they help to understand what type of
information is focused upon. Due to this new buzzword Cloud Computing, issues regarding
security has been raised. On November 20 2009, the European Network and Information
Security Agency (ENISA) published a report called Ctova Cov¡vtivg - Benefits, risks and
recovvevaatiov. for ivforvatiov .ecvrit, which gives a detailed description of the security risks and
benefits of Cloud Computing. ENISA is a European Union (EU) agency that works with aiding
and giving recommendations concerning issues related to network and information security.
The research focuses on technology in Cloud Computing (SPIs - Software, Platform, and
Infrastructure - as a service) and the associated risks. The areas we will go through in this
research are listed below:

x Cloud Computing
x Cloud Deployment Models
x Cloud Computing Characteristics
x SPIs and associated Security Risks
x Service Level Agreement (SLA), Web SLA and Cloud SLA
x Trust





2
1.1 Background
In present day, we link Cloud Computing with fuzziness and hype, but also with new business
models, emerging markets and new IT solutions. In our research about Cloud Computing we
have viewed this emerging technology as something that has evolved from previous solutions.
The characteristics of Cloud Computing can be seen in the networking solutions of grid
computing and distributed systems and the online part of Cloud Computing can also be found in
Application Service Providers (ASPs)(Computer Weekly, 2009).
In newspapers, articles, interviews and other sources that we present in this work there are a
general attitude that Cloud Computing is very new even if the technology is old. The emergence
of Cloud Computing has also introduced interesting results regarding predictions of how IT
would be in the future. According to Computer Weekly and an article about the history of Cloud
Computing published in 2009, visions about the future are quite similar to our concept of the
Cloud. In 1969, J.C.R. Licklider shared his vision of an intergalactic computer network where
people would be globally connected. Before him in 1961, John McCarthy was one of the first to
propose utility consumption and payment in the context of Computers and IT (Wikipedia, 2010).
It was in the 90`s that a signiíicant increase of bandwidth enabled new possibilities for Internet
based solutions and a more globally connected world, but it would take time for Cloud
Computing to reach out into the world. It was in 1999 with the arrival of Salesforce.com that
revolutionized how we use solutions connected to the Internet. Amazon soon followed in 2002
with their Web service and after this more followed expanding Cloud oriented solutions from
only being applications, or Software as a Service, to also include Platform as a Service and
Infrastructure as a Service. One important factor that has made Cloud Computing popular is the
fact that the experts within the field of IT solutions, such as Microsoft, are providing applications
that are good enough to compete with in-house developed solutions that are costly and hard to
justiíy. \ith the rise oí these killer apps` (Computer World, 2009), important security issues arise
as this phenomenon we call Cloud Computing continuously evolve and becomes more of a
business model and solution.
In the introduction we presented two definitions for Cloud and Cloud Computing. The
information about what Cloud Computing consists of is mostly derived from ENISA, NIST and
CSA. The three main Cloud Services that we will present in this thesis are the ones below, each
with a definition from ENISA;
x Software as a Service (SaaS): is software offered by a third party provider, available on-demand,
usually via the Internet configurable remotely. Examples include online word processing and spreadsheet
tools, CRM services and web content delivery services. (ENISA, 2009)
x Platform as a Service (PaaS): allows customer to develop new applications using APIs deployed
and configurable remotely. The platforms offered include development tools, configuration management,
deployment platforms. Examples are Microsoft Azure, Force and Google App engine`. (ENISA,
2009)
x Infrastructure as a Service (IaaS): provides virtual machines and other abstract hardware and
operating systems which may be controlled through a service API. Examples include Amazon EC2 and
S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud`. (ENISA, 2009)
These types of services are mature and have been provided by service oriented companies before
Cloud Computing. Salesforce.com is an example of SaaS which provides the customer with a web
based Customer Relationship Management solution. Force.com is an example of a PaaS and
provides a platform to build multi-tenancy applications. IaaS is more complex and gives more
control over the hardware, and an example of that is Amazon S3. Other than these three there
are other types of -as a services and clients buy and use them over the internet and do not need
to allocate physical or virtual space for it is being offered as a service over the Internet.


3
With Cloud Computing, new challenges has emerged and among them we consider security as
the most important one. In this thesis we discuss security risks that we have found from ENISA,
NIST, CSA and experts we have interviewed. Examples of security risks from ENISA (2009) are:
x Data protection
x Isolation failure
x Management interface compromise
x Insecure or incomplete data deletion
x Malicious intruder
Even if there seem to be numerous threats, ENISA also identifies benefits with Cloud
Computing, and examples of these are:
x Benefits of scale
x Security as a market differentiator
x Standardized interfaces for managed security services
x Rapid, smart scaling of resources
x Audit and evidence gathering
Throughout this thesis we will review different security risks with Cloud Computing in a general
context and then focusing on linking those risks with a client perspective. The empirical data
used for this research is from secondary literature such as books, articles, magazines and web
publications such as blogs. The primary data was gathered from experts in the field via
interviews. We may provide benefits with Cloud Computing as we stated above, but the main
focus is on the security risks. For us it is very interesting to see fruition of old visions being
realized because of evolution in IT.





4
1.2 Problem
The new emerging concept of Cloud Computing has created an intriguing buzzword for old
technology. Clients are now starting to look towards the Cloud to see if this is something for
them. Cloud Solutions main focus area is to utilize a company`s expertise to pro·ide a ser·ice íor
another company that have deemed it beneficial to let the experts handle their IT. The extent to
how much a Cloud Provider, as with both web services and outsourcing, handles, is entirely up to
the client signing an agreement with the provider.

The idea of experts providing their expertise for a fee sounds very interesting, and we believe this
will evolve to a very good solution for clients who lack the in-house knowledge to solve their
problems on their own. What could be a frightening fact is that the client could give up control
to a provider of information and processes vital to the organization. Security risks could arise
with letting someone doing that. This is the reason we feel it so important to look at the security
risks before investing into the Cloud.

If one does not know what security risks can be associated with Cloud Computing, risks can
appear because of negligence of understanding Cloud Services and its legal documents. It could
also prove to be harmful to not know how the process of selecting a provider works, or should
work, within Cloud Computing, as with any new technology.

In this thesis, we want to prove that Cloud Computing does have security risks, but not because
we seek to alarm people not to use Cloud Computing, but rather because we want it to evolve
into to what it could become in the future; a very good solution to problems when a client does
not have the skills to solve a specific problem on their own. This is one of the reasons why it is
important to know about security risks in the context of Cloud Computing.

To understand which security risks are associated with Cloud Computing from a client
perspective, we have looked into three big publications from three respected groups to get a
good understanding of security risks and Cloud Computing itself. Next, we used interviews with
experts to gather more information for the research.

From the discussion, numerous questions could be asked. However, we decided to focus on this
particular theme in our thesis, and could therefore be said to be preliminary research questions
that the reader should bear in mind while reading the thesis.

x What are the security risks with Cloud Computing and the associated technologies?
o Are there other implications with Cloud Computing in addition to the technology
e.g. Social?
These questions are quite general and we will present more specific research questions in section
4 - Research questions.


5
1.3 Purpose
The purpose of this research is to clarify the security risks that clients could encounter with
Cloud Computing. It is important for a company to understand how their data is handled and
how confidential it will remain due to the fact that it will be on the Internet and can be accessed
globally. Clients should understand that their information is vital which is why they should review
the recovery process if their data is accessed, altered, or lost. With this ever-growing catchphrase
of Cloud Computing most companies may start looking to the Clouds for possible options. With
this research, clients should be able to make a more sound decision whether or not to make this
type of investment.
Also, this will enable an understanding to most clients about which SPI would benefit them the
most. Software as a Service (SaaS) might be beneficial to some clients due to the financial
limitations, but larger companies may look into Infrastructure as a Service. All the SPIs have
security risks and this research should provide a guide on what security risks that exists and help a
client put pressure on providers to reduce these security risks.
One way of doing this is to bring forth the importance of trust in the context of negotiation of
SLAs with a Cloud providers.
1.4 Perspective
For this research we will be looking at the problem from a client point of view to show what the
potential buyer should look for in a vendor that provides Cloud Computing or Cloud Services.
We selected this view as we think it is more important to help potential clients to understand
what Cloud Computing could be and what security risks that may be involved in different
solutions instead oí choosing to íocus on a pro·ider`s perspecti·e. Ií we íocus on a client
perspective we could bring new insights to the table and help clients in what they should know
and what they should expect from providers when entering agreements.
1.5 Delimitation
The focus in this thesis are on security risks with Cloud Computing and the technology that build
up Cloud Computing, the three SPIs. We will not focus on benefits in our analysis even though
we have presented a few where we talk about Cloud Computing in general. The technical focus
will be the SPIs which we will methodically review to show how they differ and compare against
each other and potential security risks. There are more kinds of service solutions but we will only
consider the SPIs mentioned earlier.
The raw data that we will gather will be qualitative which means that we will not put focus on
gathering a wide variety of sources to be able to generalize with statistical data. Instead we will
use qualitative data to gain insight and see what the main concerns could be if a client may
consider to move to the Cloud. This will be achieved through semi-structured interviews with
experts.


6
1.6 Definitions
Application Programming Interface (API)
Collection of software routines, protocols, and tools which provide a programmer with all the building blocks for
developing an application program for a specific platform (environment). An API also provides an interface that
allows a program to communicate with other programs, running in the same environment.
(Businessdictionary.com)
Application Service Provider (ASP)
Firm that sells usage of computer programs via internet. An ASP (equipped with all required software,
hardware, and trained employees) guarantees trouble-free availability of the application programs on a continuous
basis. Customers use the programs they need, for a fixed monthly fee or usage based charges. The data generated by
those programs can either be stored on the customer's computer or on the disk space rented out by the ASP on its
storage devices. (Businessdictionary.com)
Denial of Service (DOS)
Deliberate attempt to thwart authorized users' access to a computer system or website, by corrupting its stored
data or disrupting its normal functions with a denial of service attack. (Businessdictionary.com)
Distributed system
Computer networking scheme in which several inter-connected systems service their local needs and use their idle or
spare capacity to attend to common workload. (Businessdictionary.com)
Hypervisor
In virtualization technology, hypervisor is a software program that manages multiple operating systems (or
multiple instances of the same operating system) on a single computer system. The hypervisor manages the system's
processor, memory, and other resources to allocate what each operating system requires. Hypervisors are designed for
a particular processor architecture and may also be called virtualization managers. (Webopedia.com, 2006)
Cloud
. ¡oot of .catabte c ab.tractea ivfra.trvctvre tbat bo.t eva v.er a¡¡ticatiov., bittea b, cov.vv¡tiov.
(Bouchard & Sankar, 2009)
Cloud Computing
. .t,te of cov¡vtivg rbev va..iret, .catabte í1 retatea ca¡abititie. are ¡roriae ¨a. a Service" using
ívtervet tecbvotogie. to vvtti¡te e·tervat cv.tover.. (Gartner, 2008)
Flexibility
Ability of a system, such as a manufacturing process, to cost effectively vary its output within a certain range and
given timeframe. (Businessdictionary.com)
Information Security
Safe-gvaraivg av orgavi¸atiov`. aata frov vvavtbori¸ea acce.. or voaificatiov to ev.vre it. araitabitit,,
covfiaevtiatit,, ava ivtegrit, ;Cí.). (Businessdictionary.com)



7
Infrastructure as a Service
Proriae. rirtvat vacbive. ava otber abstract hardware and operating systems which may be controlled
through a service API. Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows
íire ´/,arire ava Rac/.¡ace Ctova. (ENISA, 2009)
Platform as a Service
.ttor. cv.tover to aerelop new applications using APIs deployed and configurable remotely. The platforms
offered include development tools, configuration management, deployment platforms. Examples are Microsoft
Azure, Force and Google App engine. (ENISA, 2009)
Risk
(1) Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss,
expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event.
(Businessdictionary.com)
Scalability
´,.tev ae.igvea to bavale proportionally very small to very large usage and service levels almost instantly, and
with no significant drop in cost effectiveness, functionality, performance, or reliability. Scalable systems employ
technologies such as automatic load balancing, clustering, and parallel processing. (Businessdictionary.com)
Security
íreeaov frov ri./ or aavger; .afet, (Thefreedictionary.com, 2009)
Software as a Service
ís software offered by a third party provider, available on-demand, usually via the Internet configurable
remotely. Examples include online word processing and spreadsheet tools, CRM services and web content
delivery services.` (ENISA, 2009)
Threat (Computer Security)
Action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its
known or unknown vulnerabilities. It may be caused by (1) gaining unauthorized access to stored information, (2)
denial of service to the authorized users, or (3) introduction of false information to mislead the users or to cause
incorrect system behavior (called spoofing) (Businessdictionary.com)
Lock-in
Vendor lock-in, or just lock-in, is the situation in which customers are dependent on a single manufacturer
or supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without
substantial costs and/or inconvenience. (Linux Information Project, 2006)




8
2 Methodology
In this section we are going to bring forward what scientific approach we took in our research
and what methodology we applied to the work within this thesis.
2.1 Research philosophy
Research philosophies are a help to guide researchers in their work by helping them understand
how they and other researchers approach their work. It also helps researchers understand how
the researcher came to their conclusion by describing what personal beliefs and assumptions the
researcher had while conducting the research and collecting the data. The following discussions
are comprised of what approaches this thesis is taking regarding research philosophies.
2.1.1 Epistemology
According to Saunders et al. (2007), epistemology is concerned with what is considered
acceptable knowledge in a field of study. In the epistemological philosophical branch, we have
the positivist and the interpretive assumptions. The positivist is concerned with that valid
knowledge is data that can be observed and measured. As a positivist you will be:
ror/ivg ritb av ob.errabte .ociat reatit, ava tbat tbe eva ¡roavct of .vcb re.earcb cav be tar-like generalizations
similar to those produced b, tbe ¡b,.icat ava vatvrat .cievti.t. (Saunders et al., 2007)
The interpretive stance advocates:
tbat it i. vece..ar, for tbe re.earcber to vvaer.tava aifferevce. betreev bvvav. iv ovr rote a. .ociat actor.
(Saunders et al., 2007)
In other words it highlights the importance to differentiate between making research among
people and other objects. Our standpoint is within an interpretive viewpoint because we think it
is important to differentiate between each individual. Due to that, we do not think that law like
generalizations can be created for individuals. So it is important to realize that the research itself
is affecting the reality that is being investigated. We are not trying to measure the reality; we are
more concerned with finding meaning with the reality we are investigating. The area of Cloud
Computing is still fuzzy and it is the users who will form Cloud Computing to what it is going to
become. We will conduct semi-structured interviews with several different people and the results
will differ because of different viewpoints, experiences and world views by the people.



9
2.1.2 Ontology
Ontology is about what the nature of knowledge is. It includes objectivism and subjectivism
where the objectivist is concerned with that:
.ociat evtitie. e·i.t iv reatit, e·tervat to .ociat actor. covcervea ritb tbeir e·i.tevce, (Saunders et al., 2007)
while the subjectivist holds that:
social phenomena are created from the perceptions and consequent actions of those social actors concerned with their
e·i.tevce (Saunders et al., 2007)
To understand and to be able to correctly observe a reality, we argue that you have to be involved
in that reality by being subjective. By observing it objectively, you may not be able to understand
the reality to its full extent and what is actually creating the reality. On the other hand, by being
subjective, the knowledge created might be biased by the fact that the researcher is directly
involved with the reality. This research will mainly be subjective by being in contact with both
providers and clients in the Cloud Computing environment.
2.1.3 Axiology
In Saunders et al (2007) Axiology is:
a bravcb of ¡bito.o¡b, tbat .tvaie. ;vagvevt. abovt ratve .
It means among others that the philosophical approach taken, determines which type of data
collection techniques are chosen. Conducting semi-structured interviews would add more value
to the results by allowing more in-depth discussions, but still relying upon a foundation
consisting of carefully evaluated questions that aims at answering the research questions. The aim
of this thesis is to provide knowledge about security risks with Cloud Computing, and this would
be of value for both the researchers and others that are considering moving into the Cloud
environment.


10
3 Theoretical Framework
In this section we will present background information about Cloud Computing that will be used
throughout the thesis as a cornerstone on what Cloud Computing and its associated security risks
are about. We will also present definitions and explain key concepts that will help the reader to
understand our train of thought. First we will introduce Cloud Computing and characteristics of
Cloud Computing. This will give the reader an overview of what Cloud Computing is and the
technology it consists of. Then we will present the three SPIs and after that we present different
Cloud deployment models we have found and multi-tenancy. Before we move on from specific
Cloud topics we will also present a model that shows different services for the SPIs and who is
offering them. We will then present information regarding three kinds of SLA. After that we will
present risks from ENISA, CSA and NIST, followed by our topic on security and counter
measures then we will discuss the topic of trust.
3.1 Cloud Computing
In this section we will talk about Cloud Computing more generally before we move into each SPI
more deeply. ENISA (ENISA 2009) describe Cloud Computing to be highly abstract, scalable
and flexible where resources are shared and fees are determined by the usage. CSA calls Cloud
Computing an evolving term and add information separation to the picture. That means that
applications, information sources, and the infrastructure are separated (CSA 2009). CSA also adds
the collaboration perspective to the picture that comes with virtualization and flexibility.
OpenCrowd.com agrees on this and calls it ...e·trevet, efficievt, va..iret, .catabte vvtti-tenant data
centers offering organizations an alternative way of building, deploying and selling IT services at a significantly
lorer ¡rice ¡oivt and we can begin to see key patterns in the characteristics in the Cloud.
x On-demand
x Broad network access
x Resource pooling
x Rapid elasticity
x Measureable
These characteristics will be explored later in the text in the paragraph Cloud Computing
characteristics. To understand what we and our sources of information mean when we say
scalable and flexible we thought it would be a good thing to add two more definitions to this
thesis. Scalability in the context of a system can be defined like this:
´,.tev ae.igvea to bavate ¡ro¡ortiovatt, rer, .vatt to rer, targe usage and service levels almost instantly, and
with no significant drop in cost effectiveness, functionality, performance, or reliability. Scalable systems employ
technologies such as automatic load balancing, clustering, and parallel processing` ,Businessdictionary.com,
Flexibility is the other reoccurring phrase when one talk about Cloud Computing, and we decided
to use a definition from the same website as we found the definition for scalability, business
dictionary.com, for flexibility.
Ability of a system, such as a manufacturing process, to cost effectively vary its output within a certain range and
given timeframe. (Businessdictionary.com)




11
3.2 Cloud Computing Overview model
This model was presented by National Institute of Standards and Technology (NIST) to create a
conceptual model of what they believe Cloud Computing includes. The reasons for using this
model in the thesis are because this model summarize what we believe Cloud Computing to
consist of.




























The figure 3.1 gives an overview of how we will present information regarding Cloud Computing
as we will start at the top with characteristics and end with Cloud deployment models before we
look into SLAs, security risks and trust.
Figure 3.1 Cloud Computing Overview Model


12
3.3 Cloud Computing Characteristics
NIST offers a list of components of what comprises Cloud Computing.

x On-demand self-service.

´A consumer can unilaterally provision computing capabilities such as server time and network storage as
needed automatically, without requiring human interaction with a service provider. (NIST 2009)

x Broad network access.

Capabilities are available over the network and accessed through standard mechanisms that promote use by
heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other
traditional or Cloud based software services. (NIST 2009)

x Resource pooling.

1be ¡roriaer`. cov¡vtivg re.ovrce. are ¡ootea to .erre vvtti¡te cov.vvers using a multi-tenant model, with
different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
There is a degree of location independence in that the customer generally has no control or knowledge over the
exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g.,
country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth,
and virtual machines. Even private Clouds tend to pool resources between different parts of the same
organization. (NIST 2009)

x Rapid elasticity.

Capabilities can be rapidly and elastically provisioned - in some cases automatically - to quickly scale
out; and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often
appear to be unlimited and can be purchased in any quantity at any time.` ,NIS1 2009,

x Measured service.

Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some
level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, or active user
accounts). Resource usage can be monitored, controlled, and reported - providing transparency for both the
provider and consumer of the service. (NIST 2009)



13
3.4 SPI Overview Model
The Figure 3.2 was presented by CSA (CSA 2009) and we present it to give the reader a
conceptual aid in different SPIs that we will discuss in the following paragraphs.















































Figure 3.2 SPI Overview Model


14
3.5 Software as a Service
According to ENISA Software as a Service (SaaS) is:

Software offered by a third party provider, available on demand, usually via the Internet configurable remotely.
Examples include online word processing and spreadsheets tools, CRM Services and web content delivery services
(Salesforce CRM, Google Docs, etc) (ENISA, 2009).

SaaS has become very popular within the IT world due to its ability to be flexible and not require
as much of IT knowledge. This service is customizable to fit the consumer and the provider
controls the infrastructure, platform, and application.
According to the website MSDN and the authors Carraro & Chong (2006), SaaS architectures
have become four different levels of maturity based on three different key attributes
configurability, multi-tenant efficiency, and scalability.
x Level 1 Ad-Hoc/Custom: This level requires the lowest level of development effort but
offers the lowest level of offers. At this level each time that the application is run it
creates an instance on the server of the provider.
x Level 2 Configurable: Second level of maturity host a separate instance of the
application for each customer. It differs from level 1 by all instances use the same code
and the vendor meets customers needs by providing detailed configurations options.
x Level 3 Configurable, Multi-tenant Efficient: The vendor runs a single instance that
serves every customer that provides a unique user experience and feature set for each
one. The disadvantage with this level is that the scalability is limited.
x Level 4: Scalable, Configurable, Multi ² tenant Efficient: At this level the vendor
handles multiple customers on a load balanced farm of identical instances, with each
customer`s data being separated.
It is important to understand that the last level is not always the desirable place to be. Where the
application is placed in the maturity level depends on business, architectural, operation needs and
on customer considerations. By understanding where the application should be in the maturity
level it will also help in deciding if a client really needs Software as a Service.
According to ENISA, certain security risks have a high impact on SaaS and other SPIs and clients
must understand the impacts. One risk that effects all of the SPIs is Lock-in. Lock-in is defined
as:
Vendor lock-in, or just lock-in, is the situation in which customers are dependent on a single manufacturer or
supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without
substantial costs and/or inconvenience. (The Linux Information Project, 2006)
SaaS providers develop the different applications that are tailor made for that customer which
does bind the customer to that provider. According to Hoffman (2006), in his article Top 10
SaaS Traps, not many service providers of SaaS offer an SLA or might even charge for the SLA.
It is now very important that a customer does in fact ask for an SLA or locate a different vendor
that will provide one.



15
There are multiple benefits in deploying SaaS but just because you can, does not mean it is right
for you. With the economy in a downturn clients are looking for a better solution for their IT
issues and be able to make a quick return on their investment. Salesforce.com has listed these
benefits to SaaS (which may be biased):
x High Adoption: Applications that are available anywhere from any computer or device
x Lower Initial Costs: Subscription based payments and no license fees
x Painless upgrades: Provider manages all updates and upgrades
x Seamless Integration: Vendors that are multi-tenant architectures can scale indefinitely to
meet customers demand
3.5.1 Division of Responsibility in SaaS
In this division of responsibility we will focus on how customers and managers should work
within an SaaS environment. The reason for this, according to ENISA, is !itb re.¡ect to .ecvrit,
incidents, there needs to be a clear definition and understanding between the customer and the provider of security-
relevant roles ana re.¡ov.ibititie.. The result of this should be a clear understanding of the roles and
responsibilities customers and providers have to one another.


Table 3.1 Division of Responsibility in SaaS


16
3.6 Platform as a Service
PaaS is the layer in between where you not only get access to the software, but also the
underlying platform which the software is running on. What is not included is the control of the
actual infrastructure that the platform is running on. ENISA defines PaaS as following:
.llows customer to develop new applications using APIs deployed and configurable remotely. The
platforms offered include development tools, configuration management, deployment platforms. Examples are
Micro.oft .¸vre, íorce ava Coogte .¡¡ evgive. ;í^í´., 200·)
There are still different opinions about what PaaS is. Overall, PaaS is seen as a platform where
software can be deployed and configured and made available through a web browser. The
application that is made available does not require any installation or the need to download
anything to the computer for the user that wants to access it. It can be seen as a web hotel where
a company or individual can develop and deploy a web site and make it available through a web
browser. The web hotel provides access to different tools and the possibility to configure the
platform, which the web site is running on. The web hotel is usually supporting a set of different
web development languages as for example ASP.NET and PHP that can be used to develop the
web site. (Whatis.techtarget.com 2008)
PaaS however, mostly offers more configuration possibilities than a web hotel. For example, PaaS
can give the possibility to configure and update the operating system (OS) that is used for the
platform. Also, more advanced applications than just a web site can be developed and run on the
platform. The type of applications that can be run on the platform is limited to what OS and
development language the PaaS vendor offers. Therefore applications that are developed on a
specific platform, as with Force.com that uses Apex as a development language, cannot be
moved to another platform because of Apex being specific and limited to the platform by
Force.com (Rådmark, 2010) PaaS increases in other words the risk of lock-in if the service
provider uses proprietary service interfaces or development languages.
PaaS has some main benefits such as scalability and flexibility. Providers of PaaS have also listed
a set of other benefits of PaaS which may be biased.
A few that www.salesforce.com lists are:
x Faster results - the need for acquiring and setting up the infrastructure you need to be
able to developing software is gone. By signing up for a PaaS you can instantly start with
developing the programs you want and get results.
x Lower costs - because of not having to acquire the needed equipment and only pay for
what you use, you will be able to lower your costs significantly.
x Simplified deployment - the software developed can be made available instantly
through the web, and as mentioned, before the developers do not need to worry about
the infrastructure and can thus focus on the development.
x Lower risk - without the need to build up an infrastructure for the development, the
risks are lowered when it comes to investments.
x No more software upgrades - patching and upgrading of the system is handled by the
PaaS provider as well as regular system maintenance.




17
www.zoho.com lists some as:
x Minimize operational costs - because you only pay for what you use you do not need
to worry about servers standing unused and you do not have to worry about maintenance
costs.
x Zero infrastructure - the only equipment you need to start using the Cloud is a
computer that is hooked up to the Internet.
x Integration with other web services - the Cloud provider will have to have more
standardized interfaces to be able to offer a complete interface that can be integrated
easily with other web services.
3.6.1 Division of Responsibility in PaaS
In this division of responsibility we will focus on how customers and managers should work
within a PaaS environment. The reason for this, according to ENISA, is !itb re.¡ect to .ecvrit,
incidents, there needs to be a clear definition and understanding between the customer and the provider of security-
relevant roles and responsibititie.. The result of this should be a clear understanding of the roles and
responsibilities customers and providers have to one another.

Table 3.2 Division of Responsibility in PaaS


18
3.7 Infrastructure as a Service
Compared to SaaS and PaaS that focus on being as virtual and service oriented as possible, IaaS
also focus on computing. Because of the focus on computing, there are people who find IaaS to
be true Cloud Computing while the other SaaS are considered Cloud Services. In this thesis we
agree on this, but we also consider all three SPIs to be part of the Cloud and Cloud Computing.
ENISA, European Network and Information Security Agency define IaaS as:
Provides virtual machines and other abstract hardware and operating systems which may be controlled through a
service API. Examples include Amazon EC2 & S3, Terremark Enterprise Cloud, Windows Live Skydrive
ava Rac/.¡ace Ctova. ;í^í´., 200·)
This definition will be used in this thesis to identify security risks and threats with IaaS, and to
assess them in the context of clients to determine what clients of Cloud Computing and IaaS
should know and expect from their Service Providers (SP) in terms of Service Level Agreement
(SLA).
As Cloud Component can be decomposed into the three different SPIs, IaaS can also be
decomposed into components. The article The Rise of Service Oriented IT and the Birth of Infrastructure
as a Service` (Leach 2007) concludes that IaaS consists of three major components:
x Equipment - includes
o Enterprise servers: is a computer system that provides essential service across
network, to private users inside a large organization or to public users via internet
o Storage: comprise computer components and devices that records, saves and
store media and data for an organization.
o Network: is a collection of computers and devices that communicates through
channels that facilitates communication among users
o Security devices: Devices and applications to provide a secure environment for
your organization
x Facilities ² that house, protects and powers equipment
o Data centers: is a facility used to house computer systems and associated
components, such as telecommunications and storage systems. It generally
includes redundant or backup power supplies, redundant data communications
connections, environmental controls (e.g., air conditioning, fire suppression) and
security devices.
x Management systems
o Monitoring systems to manage onsite and offsite
In a more technical aspect, the scalability of IaaS could be said to offer building blocks
(Opencrowd.com) on which a client can have a customizable infrastructure. Using IaaS as a
foundation, you can add the other -as a services that are available and keep building on your
virtual environment. The building blocks are scalable, which means that CPU, memory, storage
networking and security (Lew, 2009) can be increased or decreased depending on the pressure of
the system and you pay for what you use.

Benefits that we have discovered have been found on vendor sites, which could be biased, and
more neutral sites focusing on academic articles about Cloud Computing. Benefits associated
with IaaS are according to GNI.com (2009) are:


19
x Dynamic scaling
x Usage-based pricing
x Reduced capital and personnel costs
x Access to superior IT resources
The website Clouddb.info and their article Defining Cloud Computing: Part 6 - IaaS` acknowledges
the same kind of benefits using similar or the same words as GNI.com. What is interesting is that
Clouddb.info includes the perspective of clients when identifying these benefits and clearly seems
to think IaaS will be beneficial for clients specifically because of the mentioned benefits. Even
though these are great benefits for clients looking for a Cloud based solution, there are also risks
associated with IaaS.
3.7.1 Division of Responsibility in IaaS
In this division of responsibility we will focus on how customers and managers should work
within an IaaS environment. The reason for this, according to ENISA, is With respect to security
incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles
and responsibilities. The result of this should be a clear understanding of the roles and responsibilities
customers and providers have to one another.


Table 3.3 Division of Responsibility in IaaS


20
3.8 Cloud Deployment Models
According to a report made by the Cloud Security Alliance (CSA) that was published in December
2009, there are four different kinds of deployment models when it comes to Cloud Computing.
These models are not dependent on what kind of SPI that is deployed in the Cloud. The four
different models are describe like this by CSA
x Private Cloud:

The Cloud infrastructure is operated solely for a single organization. It may be managed by the organization
or a third party, and may exist on-premises or off premises. (CSA, 2009)

x Public Cloud:

The Cloud infrastructure is made available to the general public or a large
industry group and is owned by an organization selling Cloud services. (CSA, 2009)

x Community Cloud:

The Cloud infrastructure is shared by several organizations and supports a specific community that has
shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed
by the organizations or a third party and may exist on-premises or off-premises. (CSA, 2009)

x Hybrid Cloud:

The Cloud infrastructure is a composition of two or more Clouds (private, community, or public) that remain
unique entities but are bound together by standardized or proprietary technology that enables data and
application portability (e.g., Cloud bursting for load-balancing between Clouds). (CSA, 2009)




21
3.9 Cloud Computing Vendors Model
According to the website Opencrowd.com, there are a few landscape models circling the Internet
focusing on showing what vendors have to offer. Since it is vendor based, it is also biased, and so
Open Crowd did their own and that is the one we are presenting below to give you an overview
of who is offering what kind of service.
Open Crowd decided to divide the Cloud into four areas compared to our idea of using only
three. The reason for this is that they regard Cloud Software, which they define as:
´Cloud software is off-the-shelf software that can be used to create an internal Cloud or in some cases can be used
to customize infrastructure services to mold a custom Cloud solution.
to be a part of Cloud Computing services offered by vendors.
We decided not to expand our thesis scope when we found out about Cloud Software as the
focus of this thesis are towards clients that may or may not move to a Cloud Solution because
they lack in-house skills for IT solutions.



















Figure 3 3 Cloud Taxonomy Model


22
3.10 Multi-tenancy
According to Salesforce.com, multi-tenancy is an architectural approach that is a single instance
applications but run by multiple tenants. Unlike isolated instances, that are deployed in a silo
structure, multi-tenancy is a large community which is hosted by the provider. This could only be
practical when the applications are stable, reliable, customizable, secure, and upgradeable which
the provider usually handles. It can be viewed in two different perspectives, the client and the
provider.
The clients could use a public Cloud service or actually be part of the organization that is hosting
the Cloud, but would still be part of the infrastructure. The provider view is that multi-tenancy
will allow for providers to enable economies of scale, availability, operational efficiency and use
of applications to multiple users.
There are three distinct approaches in multi-tenancy and they are separate databases, shared
databases separate schemes, shared databases and shared schemes. Each different approach is
important to review and it is also critical for an organization to decide which approach is
appropriate for them. (Carraro, Chong & Wolter, 2006)
3.10.1 Separate Database
Separate Database is the simplest approach of Data isolation
o Highest maintenance and backup cost
o Highest hardware costs
o Premium approach for sensitive data (e.g. Medical, or financial information)
3.10.2 Shared Database and Separate Schemes
Housing multiple tenants in the same database with each tenant having their own set of tables
grouped into a scheme
o Easy to implement
o Easy to extend database like the first approach, separate databases
o A moderate degree of separation and isolation of data for security
o Harder to restore in an event of a failure
¾ Restoring the entire database would overwrite every tenant in the same
database
o Use this approach when dealing with a relatively small amount of table per tenant
3.10.3 Shared Database and Shared Schemes
Shared Database and Shared Schemes uses the same Database and Schemes for multiple tenants
o Lowest hardware and backup cost because of large number of tenants
o With multiple tenants will need to put more focus on security to ensure that other
tenants cannot access other tenants data even if there is a bug or an attack
happens



23
3.10.4 Choosing an Approach
Choosing the right approach will be crucial for the organization and there are multiple
considerations to take into account when deciding.
Economics: Applications that are designed for shared approach will have more of a
development cost, which will result in high initial cost but might have lower operational costs.
Security: It is vital to choose the right approach depending on the data requirements and
sensitivity of the information. Customers will have a high expectation on security and the
SLA between the vendor and the consumer will need to provide strong security practices to
ensure that data is secured.
Tenants: The number of tenants that the client could expect will greatly depend upon which
approach the client chooses.
Regulator: The external environment (e.g. government and laws) will be need to be
investigated to see how regulations could affect security and record storage needs.
Skill Set: Single instance multiple tenants is still a new skill set so expertise will be difficult to
come by. An isolated approach may allow your staff to use more of its own knowledge for
the application.
Going through the above list will help an organization in deciding which type of multi-tenant
architecture is best suited for them and their infrastructure.
3.11 Service Level Agreement
A Service Level Agreement (SLA) is in general a legal binding agreement about a service a client
is buying from a Service Provider (SP). The agreement is a part of a much bigger contract
between two partners that define the purchased service. The levels included are a frame of how
the service should be delivered and failure to follow this agreement is usually followed by penalty,
which should also be defined in the agreement. According to SLA information zone (SLA-zone,
2009), a regular SLA usually includes:
x Service delivered - describes the services and how they are delivered. This
information should be very detailed and accurate so you get information about
what exactly is going to be delivered.
x Performance - deals with how monitoring and measuring the service level
performance is performed.
x Problem management - how to deal with unplanned incidents and how to solve
them, also including how to actively prevent such events.
x Customer duties - explains what relationship the customer and provider has and
the responsibilities that the customer has regarding the service delivery process.
x Warrant & remedies - covers topics such as service quality, third part claims,
exclusions and force majeure.
x Security - the most critical feature of any SLA where which security approaches
must be followed and respected.
x Disaster recovery - usually included in the security section and sometimes also in
the problem management area.
x Termination - covers topics as for example termination at end of initial term, for
convenience, for cause, and payments regarding termination.


24
The performance levels set in the agreement often measures up to a percentage level and if that
level is not met, a response is also decided on. An example of this is in Amazon EC2 SLA where
they state the following:
AWS will use commercially reasonable efforts to make Amazon EC2 available with an Annual Uptime
Percentage (defined below) of at least 99.95% during the Service Year. In the event Amazon EC2 does not meet
the .vvvat |¡tive Percevtage covvitvevt, ,ov ritt be etigibte to receire a ´errice Creait a. ae.cribea betor
Creating a good SLA is not a trivial task, but a task that is of utter importance when buying
and/or providing services and errors in SLAs could enforce legal penalties.

x Web Service Level Agreement
In addition to a regular SLA, there are additional SLAs that deal with different kinds of services.
One of these services are Web Service Level Agreement (WSLA) and to a certain point it is very
similar to a regular SLA, but since we add technology to the picture, and most often, a third party
management/monitoring provider more information has to be included in the WSLA. The
\SLA should according to IBM`s report WSLA Language Specification (Dan, Frank, Ludwig,
Keller, King, V1.0, 2003) not only include the SLA components mentioned in our SLA part, but
also include:
. a..ertiov. of a .errice ¡roriaer to ¡erforv a .errice accoraivg to agreea gvaravtee. for í1-level and business
process level service parameters such as response time and throughput, and measures to be taken in case of
deviation and failure to meet the asserted service guarantees, for example, a notification of the service customer.

What IBM indicate, and what others agree to (Patel, Ranabahu & Sheth 2009) is that WSLA
needs to focus even more on metrics to measure if the service bought and received measure up
to the levels agreed upon. This puts focus onto Quality of Service (QoS) and how this is
measured. According to Patel et al. (2009) an example of WSLA measures is transactions per
hour. By providing that kind of information, a company can make a statistical analysis to
determine the QoS and if the SLA has been breached.
x Cloud Service Level Agreement
If we take the two previous SLAs we have mentioned into consideration and compare it to the
dynamic and scalable nature of Cloud Computing, significant changes need to be made to the
SLA to be aligned with the Cloud environment. While WSLA is closer to the solution than a
standardized SLA, the measurements have to be different. Because the environment is dynamic,
the measures have to be dynamic as well. Patel et al (2009) propose that the parties add these
measures to the picture; usage and cost. When the Cloud services are in use, these measures have
to be adapted according to usage, i.e. when the services increases in scale, the measures have to
be adapted to that. This is the thinking one has to apply to make a more appropriate SLA for the
Cloud Computing environment.






25
3.12 Risk definition
The top risks we are discussing in this thesis are from the European Network and Information
Security Agency (ENISA 2009), Computer Security Alliance (CSA 2010) and National Institute
of Standards and Technology (NIST) and they are:
ENISA 2009
x Loss of Governance: The Client ceding control to a Cloud Provider on multiple issues
x Lock In: The difficulty of a customer moving from one Cloud provider to another.
x Isolations Failure: The failure of hardware separating storage, memory, routing and
even reputation between different tenants.
x Compliance Risk: Investment in achieving certification may be put at risk by moving to
the Cloud.
x Management Interface Compromise: Customers management interfaces of a Public
Cloud provider are accessible through the Internet and mediate access to larger sets of
resources, which pose an increased risk.
x Data Protection: The ability of the customer to check the data handling practices of the
Cloud provider and to ensure that the data is treated in a lawful manner.
x Insecure or incomplete data deletion: Customer requesting that their data is deleted
and it is not completely removed or deleted due to duplication.
x Malicious Insider: Damage caused by a person that has access to the Cloud.
CSA 2010
x Abuse and Nefarious Use of Cloud Computing: Easy access and lack of control of
who is using Cloud Computing can provide entrance for malicious people
x Insecure Interfaces and APIs: Authentication and reusable aces tokens/passwords
have to be properly managed or security issues will rise.
x Malicious Insider: Lack of insight at the Cloud pro·ider`s employees can trigger risks if
employees have malicious intent and access to information he/she should not have.
x Shared Technology Issues: With scalability come shared technology issues since the
provider is using their own resources to provide more for the clients during peaks. With
sharing technology the risk of hypervisors appear since hypervisors work in between
different clients.
x Data Loss and Leakage: Improper deletion or backup of data records can lead to
unwanted duplication of data that becomes available when it should not exist
x Account or Service Hijacking: Phishing for credentials to get access to sensitive data
x Unknown Risk Profile: No insight in what the provider do to keep your data safe or
doing updates, patches etc.



26
NIST 2009

x Data dispersal and International Privacy Law
o EU Data Protection Directive and US Safe Harbor Program
o Exposure of data to foreign government and data subpoenas
o Data retention issues
x Need for Isolation Management
x Multi-tenancy
x Logging Challenges
x Data ownership issues
x Quality of Service Guarantees
x Dependence on secure hypervisors
x Attraction to hackers (high value target)
x Security of virtual OSs in the Cloud
x Possibility for massive outages
x Encryption needs for Cloud Computing
o Encrypting access to the Cloud resource control interface
o Encrypting administrative access to OS instances
o Encrypting access to applications
o Encrypting application data at rest
x Public Cloud vs. internal Cloud security
x Lack of public SaaS version control

If these risks occur in an organization, it will be the operations of the organization that will
suffer. Therefore we have concluded that the risk definition we use in this thesis focus on
probability. A common probability risk definition is:
(1) Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss,
expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event



27
3.13 Security
Security is deíined as Freedom from risk or danger; .afet,, while information security is defined as
Safe-gvaraivg av orgavi¸atiov`. aata frov vvavtbori¸ea acce.. or voaificatiov to ev.vre it. araitabitit,,
covfiaevtiatit,, ava ivtegrit, ;Cí.). The three principles are the main concerns when dealing with
information security and each principle requires different security mechanisms to be able to be
enforced. For Cloud Computing to be considered to be secure, these principles are what it has to
live up to. The Committee on National Security Systems (2010) defines the three areas as:
x Confidentiality - Assurance that iníormation is not disclosed to unauthorized
indi·iduals, processes, or de·ices.`
x Integrity - .in a formal security mode, integrity is interpreted more narrowly to mean
protection against unauthorized modiíication or destruction oí iníormation.`
x Availability - 1imely, reliable access to data and iníormation ser·ices íor authorized
users.`
To enforce these principles there are different mechanisms that can be applied. The mechanisms
are retrieved from a blog called Continuity Disaster Recovery (Phoenix 2010). Confidentiality is
sometimes referred to as privacy and to enforce it you can apply:
x Access control ² with access control you can control how and what information users
can access. How could be by authentication through passwords and/or biometrics.
x Passwords ² password is the basic authentication method and to make it even more
secure it can be used alongside smart cards or biometrics.
x Biometric ² biometrics concerns the use of humans physical characteristics for
identification and authentication. It could be for example fingerprint scanning, retina
scanning or face recognition.
x Encryption ² by encrypting information from plain text to be unreadable prevents
unauthorized users to access information. Encryption is performed through a
mathematical algorithm to alter the information.
x Ethics ² through policies employees can get the necessary guidance to know how to
behave and prevent unethical use of for example an information system.
To maintain the integrity of information you can use:
x Configuration Management ² this is how you manage change when it comes to the
information technology environment.
x Configuration Audit ² this mechanism controls that information that is altered is
allowed to be performed. The auditing can be done by monitor log changes either
manually or through an automated system.



28
Availability should always be ensured so the authorized users can access desired information
whenever they want. To ensure that data is always kept available and safely stored you should
consider:
x Data Backup Plan ² to have a plan of how you backup your information is always
important. It includes what information is being backed up and at which time interval.
This depends on what type of business you run and how often information is altered.
x Disaster Recovery Plan (DRP) ² this includes the procedures for how a quick backup
is performed with minimum impact on the business.
x Business Continuity Plan or Business Resumption Design ² this is a part of the
DRP and documents of how a business gets back to normal after a disaster has struck.
3.13.1 Securit y risks tied to information securit y
Cloud Computing is about availability, that is having access to information whenever and from
wherever. Some of the risks presented by ENISA, CSA and NIST are security risks that could
compromise this aspect as well as the principles confidentiality and integrity. The risks are listed
in the table below together with how they could affect the CIA principles. How the principles
could be affected are derived from the report 1o¡ 1breat. to Ctova Cov¡vtivg 11.0 by CSA.
Insecure or incomplete data deletion (ENISA)
Confidentiality
When a customer requests that certain information should be deleted, copies of
the information could still reside somewhere in the Cloud due to backups or some
other redundant reason. The risk could be that this information is left unprotected
on a hard-drive that is shared with some other company.
Integrity
If the service does not control the authentication and authorization properly by
having weak control mechanisms, there is a risk that information can be affected
by unauthorized change or deletion.
Availability
-
Abuse and Nefarious Use of Cloud Computing (CSA)
Confidentiality
When not having control of who is using the Cloud, by for example providing the
possibility to be anonymous when registering for a Cloud service, criminals could
get the possibility to exploit Clouds by applying malicious software that can give
them access to information they should not have. This is mostly applicable to PaaS
and IaaS where customers have the possibility to develop and run software.
Integrity
If malicious software is executed in the Cloud, it could affect the integrity if the
intent is to alter or delete information.



29
Availability
If there is a lack of control of what kind of software that is being run in the Cloud,
the risk of malicious software being run is high and could cause Cloud services
going down.
Insecure Interfaces and APIs (CSA)
Management Interface Compromise (ENISA)
Confidentiality
A weak interface that for example transmit information in clear-text or allows
anonymous access lead to that information can be easily acquired by unauthorized
users.
Integrity
If an interface has weak security controls, it could provide access to malicious
attackers with the intent to alter or delete information.
Availability
Interfaces needs to be secure so they can withstand malicious attacks that could
compromise the availability of the service.
Malicious Insiders (CSA/ENISA)
Attraction to hackers (NIST)
Confidentiality
When a Cloud provider hires their Cloud employees, there are matters as hiring
standards and practices, as well as how they grant their employees access to virtual
and physical assets and if the employees are monitored in their work. If the Cloud
provider does not consider these matters important, there could be a big risk that
they hire someone that have a criminal intent such as someone that is involved in
organized crime and wants to have access to confidential information.
Integrity
If a Cloud provider has employed persons with a criminal intent, such as hackers
or people involved in organized crime, because of poor hiring standards and
practices, important information could be changed or deleted. The risk is even
greater if there are no monitoring processes set up for the Cloud employees.
Availability
People with a malicious intent that are working at a Cloud provider could cause
the service to go down.
Shared Technology Issues (CSA)
Isolations Failure (ENISA)
Dependence on secure hypervisors (NIST)
Multi-tenancy (NIST)
Confidentiality
By sharing the same infrastructure there is a risk that the multi-tenant architecture
fails to isolate the information so that customers get access to each other`s
information. This could happen in the way that a guest operating system user gains
inappropriate levels of control and access that are granted from a hypervisor.



30
Integrity
If a hypervisor that controls the virtualization of the infrastructure fails to control
the levels of authorization of users in the Cloud, users could get an inappropriate
level of control that could lead to alteration or deletion of information.
Availability
-
Data Loss and Leakage (CSA)
Confidentiality
Leakage of data is a risk for that unauthorized users gets hold of sensitive
information.
Integrity
Loss of data is a risk that directly impacts the integrity.
Availability
For data to be available it cannot in any way be lost.
Account or Service Hijacking (CSA)
Confidentiality
By using attacks such as phishing or exploitation of software, credentials could be
acquired that can be used for getting access to sensitive information.
Integrity
If an unauthorized party gets hold of credentials by for example phishing,
information runs a risk of being changed or deleted by that party.
Availability
If an account gets hijacked, there is a risk that the service availability can get
compromised.
Encryption needs for Cloud Computing (NIST)
Confidentiality
The need to encrypt information is very important when it comes to Cloud due to
the use of the services through Internet. When running an IT infrastructure in-
house, the need to encrypt transmitted information is not as important as
encrypting the hard-drives and databases. But by using a Cloud service, everything
needs to be encrypted to ensure safety, both the transmitting and storing of
information.
Integrity
Information that is not encrypted when it is transmitted can easily be altered so the
message that is received does not correspond to the original message.





Table 3.4 Security Risks tied to Information Security


31
3.14 Trust
Reading through security aspects regarding Cloud Computing and reviewing information
regarding how the service is provided along with SLAs that defines how the service should be
supplied, we have concluded that trust and authority is a vital issue in Cloud Computing security.
In this chapter we will present what trust is considered to be from a psychology perspective
(social science) and how one can systematically look at trust. The next step is to present different
versions of trust such as authority, reputation and confidence. We will use material from the
book Influence - The Psychology of Persuasion` by Robert B. Cialdini (Cialdini 2007) a computational
trust model theory by Lik Mui (Mui 2002) and trust definitions from Wikipedia and James S
Coleman`s Foundations of Social Theory to describe trust, which is also available on Wikipedia.
According to Coleman, trust is built up by four parts (Wikipedia 2010):
1. Placement of trust allows actions that otherwise are not possible (i.e. trust allows actions
to be conducted based on incomplete information on the case in hand).
2. If the person in whom trust is placed (trustee) is trustworthy, then the trustor will be
better off than if he or she had not trusted. Conversely, if the trustee is not trustworthy,
then the trustor will be worse off than if he or she had not trusted (this is reminiscent of
the classical prisoner's dilemma).
3. Trust is an action that involves a voluntary transfer of resources (physical, financial,
intellectual, or temporal) from the truster to the trustee with no real commitment from
the trustee (again prisoner's dilemma).
4. A time lag exists between the extension of trust and the result of the trusting behavior.
Another definition of trust is by Gambetta (1988):
.trv.t ;or, .,vvetricatt,, ai.trv.t) i. a ¡articvtar teret of tbe .vb;ectire ¡robabitit, ritb rbicb av agevt a..e..e.
that another agent or group of agents will perform a particular action, both before he can monitor such action (or
independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action

Basically these two definitions from Coleman and Gambetta states that trust is the possibility for
e.g. a person or company to live up to the bargain set in e.g. a SLA.

Cialdini (Cialdini 2007) talks about influence and discusses a click and whirr` theory that is set off
by a trigger feature`. In his book, Cialdini talks about influences and most importantly, authority.
click and whirr` is his term for humans automatic responses due to a specific trigger feature when a
person experience what he calls brain strain`, we use a rule of thumb when we are unsure and
because we cannot know everything about everything, e.g. expensive equals good. In essence, this
click & whirr` effect provides a shortcut in our daily lives. In the authority chapter Cialdini cites
different studies done and they vary from people giving out electrical shocks that cause pain,
medical employees using the wrong dosage and military train operators running people over
because someone higher than them in the perceived or real hierarchy told them this is how it is,
trv.t ve, í`v tbe e·¡ert`. Authority comes írom such things as titles, clothes, appearance and other
personal items and characteristics, and the negligence to question the authority.

Another shape of trust is confidence which in social science is considered to be easier to measure
as trust itself is viewed as a mental state and confidence reflects actions around that trust. Since
trust is considered a mental state, it is hard to evaluate trust, Mui (Mui 2002) proposes a more
mathematical approach to solve this. Mui`s approach will not be discussed in detail other than
comparing how a mathematical, or systematical, approach differs from a mental one. In his work


32
he presents that trust is connected with reputation and reciprocity. Reputation and reciprocity is
the product of social networks and norms where the reputation is:

Reputation is a social quantity calculated based on actions by a given agent ai and observations made by others in
av evbeaaea .ociat vetror/ iv rbicb ai resides ai`. re¡vtatiov cteart, affect. tbe avovvt of trust that others have
toward it. (Granovetter, 1985)

Reciprocity is according to both Cialdini and Mui a social norm that is created through trust and
interactions. Following this norm is of essence to create trust and a positive reputation.
Reciprocity is the act where dept is created and repaid through genuine actions.








The danger of psychological trust is that it is a mental state, and not systematically conducted but
rather obtained through communications networks and inner evaluation. The model above
depicts how reputation, trust and reciprocity works together and creates net benefit for those
involved. The reason for having this part in our thesis is because one way of avoiding a serious
pitfall caused by trust is to understand this process and what the net benefit is created for the
counterpart a person interact with, i.e. what does the person/company I interact with get from
me for trusting him/her/them. This will be discussed further in the analysis when we add raw
data to the picture.
In the beginning of this section, it is stated that trust is considered to be very important in Cloud
Computing security and that we would like to see how people we interview evaluate trust, or even
if they consider trust to be important for that matter. In the interviews we would like to see how
people view trust in regarding Cloud Computing to understand if they use a systematical (fact
based) or internal (mental based) method. In the analysis we will present our findings, connect it
with Cloud Computing security risks and discuss what kind of pitfalls have been found and how
to prevent them.

Figure 3.5 Reputation - Trust - Reciprocity > Net Benefit (Mui, 2002)


33
4 Research Questions
The research questions that we have decided upon reflects what we think is most important to
research in, both to help identifying the problems and/or solve them as we reflected on them in
our problem paragraph. These questions have also been selected as we strongly think we can
contribute to the field of Cloud Computing if we answer them properly and underline what the
next area of study should be to make Cloud Computing more mature.
x What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud Computing?
o What should clients expect from Service Providers in the SLA regarding Cloud
Computing?
x What possible trust issues are associated with security risks in Cloud Computing and SLA?
o If so, how can clients avoid security risks associated with trust?
5 Method
5.1 Research approach
When doing deductive research you start with creating a hypothesis and test it by gathering data
and examine it. If it is necessary, the theory is modified so it matches the findings better. In
inductive research you do it the other way around. You go out in the world and gather data, and
from the data you formulate a theory.
To answer our research questions we take an inductive approach by gathering data to then
formulate a theoretical framework. The term Cloud Computing is rather new so we think that the
inductive approach suits best for our research. In Saunders et al. (2007), induction emphasizes
collection of qualitative data and is less concerned with the need to generalize. We have tried to
gather as much information as we can about security issues and service level agreements, and
through qualitative interviews with experts to get a more professional view of the problem. The
purpose of our research is to contribute more to the understanding of what to think about and
take into consideration when it comes to Cloud Computing, and not to generalize our findings to
any particular setting.
This research was conducted because of the new phenomenon called Cloud Computing is
assumed to become a future solution to modern information technology (IT) problems. Due to
this assumption about Cloud Computing, we decided to investigate the associated security risks.
Our perspective on Cloud Computing is that it consists of old technology, rather than being
something brand new. The research focused on risk assessment on three different kinds of SPI:
x Software as a service
x Platform as a Service
x Infrastructure as a Service
The risk assessment will also look into Service Level Agreement (SLA) from major Cloud
Computing companies:
x Google
x Microsoft
x Amazon
During the research a critical review of the researched subject was performed from a client
perspective and its associated risks. One of our strong opinions is that Cloud Computing is
consisting of old technology products and services offered to clients in a new way. Because of
this opinion, we felt it wise to use an exploratory approach to gather the empirical information


34
we need for this thesis. Exploratory approach is about investigating previously studied material
i.e. secondary data, to explain a new phenomenon or bring an understanding to a specific topic.
The exploratory approach enables us to focus on finding new insights and understanding this
phenomenon called Cloud Computing. As opposed to a descriptive study, which we find
inadequate because of a too narrow focus and because it is seen as a forerunner to exploratory
research, and explanatory study, which focus too much on quantitative data, we think a
qualitative focus can give us deeper knowledge and therefore be more appropriate for us. The
methods we are going to focus on in this thesis are:
x Secondary literature study
x Interviewing experts in the field
In the following paragraphs we will cover secondary and primary data that we will use to draw
conclusions from regarding Cloud Computing security risks and SLAs from a client perspective.
The sources for information we will use are:
x Cloud Computing vendors SLAs
We will look into the major vendors on the field of Cloud Computing, which in our opinion are
Google, Microsoft and Amazon. When we review their SLAs we will focus on issues dealing with
security. Since we are focusing on security we will also look at their security policies to see if they
are coherent in their overall security policy towards a client.
x Searching literature regarding Cloud Computing
By focusing on Cloud Computing as being derived from old technology, we have decided to
focus on literature, articles and other publications that share our opinion. We have also spent
time reviewing literature that contradicts our old technology perspective but after extensive
reading we have concluded that such articles are not of importance to us. Literature sources that
we have reviewed are:
x Magazines
x Books
x Articles and publications
x Blogs

x Interviewing experts in the field
We will focus on interviewing people with knowledge and experience in the field of IT. The
interviews were semi-structured to create discussions instead of direct questions with a yes or no
response since we consider qualitative information to be valuable to our research than
quantitative. Criteria for which we decide is appropriate to use as a source of knowledge are:
o Working with IT on a management level
o Are currently supplying and/or buying IT services
o Are involved with Cloud Computing and/or related technology
(ex: Software as a service, Platform as a service and/or infrastructure as a service)



35
5.2 Credibility
In Saunders et al. (2007) it is argued that having a good research design is very important if the
research shall live up to a good credibility. You can never know if your results are completely
correct, but aiming for having a good reliability and validity will increase the chances that the
findings will be credible.
5.2.1 Reliability
In Saunders et al. (2007), reliability is reíerred to the extent to which your data collection techniques or
analysis procedures will yield consistent findings`. So reliability is concerned with
x if the same results would be reached if the research was done at another time,
x if the observations would be accomplished in the same way if others would do it,
x and if the conclusions made from the results are transparent.
To make the data in this thesis reliable, it will be collected from several different reliable sources,
such as established agencies and institutes, and then compare the data against results from
interviews conducted with experts in the field.
5.2.2 Validity
Validity is in Saunders et al. (2007) concerned with whether the findings are really about what they
appear to be about`. The validity of the data in this thesis is relying on recently published material
within the area of Cloud Computing and by gathering information from experts in the field.
Since we are focusing on researching security risks for clients using Cloud Computing, we have
concluded that there will be factors that can make our gathered data biased, unclear or
misleading. The factors that we have discovered are:
Secondary literature: Since we are focusing on reviewing secondary literature about the
different kinds of SPIs, there is a chance that we could miss new information, but it is our
opinion that the secondary literatures we have reviewed are sufficient for our research.
Experts in the field: Besides secondary literature we will also interview experts in the field that
fits to the requirements we have stated earlier. The danger of interviews is biased opinions.
Interviewing vendors of Cloud Computing could provide an optimistic version of Cloud
Computing where as an expert that is a client of Cloud Computing could project a skewed image
of Cloud Computing. This creates a problem in how to evaluate the information that we have
acquired in a neutral way. To further increase the validity of our findings we will send the
summaries we made from the interviews to the interviewees to get a confirmation that the
information we got out from the interviews are valid.



36
5.3 Interview questions
The questions that we have decided to use for our semi-structured interviews are a combination
of questions that cover topics that are directly related to our research questions. The questions
can also give us new insights to what the research questions could mean and/or how we should
analyze them to make an appropriate contribution. Overall, the questions can be divided into
groups where some are directly focusing on our research questions and where other are included
creating a discussion around a specific topic to indirectly give us new information to use when we
answer our research questions.
The questions in the interviews also helped us to expand our perspective on Cloud Computing as
we have added questions to the first list we made, and thus we had to get back to some of the
people we interviewed to get some more answers.
Finally, the questions that we have chosen have helped us to compare that information with the
information we have gathered from secondary sources. This has helped us to do a thorough
analysis and discover new areas that could be studied in the future. The interview questions can
be found in Appendix 1.
5.4 Analysis Method
The method we used in the analysis was comparing the concepts that we present in our
theoretical framework with the results in the empirical findings. The combination of the
secondary data and the primary raw data is analyzed by comparing them and putting them in the
context of our research questions. For the analysis we also used the table 3.4 constructed from
secondary data.



37
6 Empirical Findings
From the interviews we have summarized the most relevant parts that we are going to use for our
analysis. In this section we will present our results regarding security risks and SLA, which we will
also use in the analysis part.
6.1 IT-Consultant Interview Summary
Quite early in the interview the issue with risk assessment becomes apparent. Security,
terminology, and the possibility to integrate with other systems when using the Cloud is his top
three concerns. Regarding security risks he raises the issue of not having control when it comes
to maintenance and troubleshooting, and communication if something goes wrong (customer
service). He talks about trust being essential when you consider accountability, and that you
should aim for a long-term relationship. However, where the IT-Consultant work they do not
review the SLA, and the argument is that they cannot really affect it anyway because of it being a
standard agreement which they use for their customers as well.
For the SLA, he states that availability, processes and routines for security (e.g. how data is
encrypted) are very important to include in the SLA. He says that it is important to state what
security really means because of the naivety regarding security among companies. If companies
manage to apply good understanding to that issue, they add value to their service for the
customer. Also, worst case scenario should be covered in the SLA, together with how you can
exit the Cloud.
He also mentions that there are also benefits with the Cloud, as with getting rid of the security
risk with running around with a USB flash memory which could be dropped or stolen. He says
that Cloud providers will probably become experts in the security area. From the interview we
drew out three security risks:
x Hacker syndicates that are working solely with stealing information
x To not have control
x Quality of service





38
6.2 Senior Business Consultant Interview Summary
During the interview it became apparent that the characteristics that the senior business
consultant had found with Cloud Computing were flexibility, scalability and accessibility. These
characteristics were also seen when we discussed areas of Cloud Computing that the company
could be interested in or what the benefits with Cloud Computing was perceived to be. When the
subject touched upon what processes the person could consider to move to the Cloud the
conclusion was that the Cloud enables multiple possibilities. The consultant perceived the Cloud
to be to unsafe to use for more than basic processes to save money and this was to be placed in a
private Cloud. As for the SLA part, it was considered very important and multiple hours was
spent on getting it right as the company could not think of acceptable loss to be part of the
evaluation of the provider. As for accountability, the suggestion was to create an understanding
of how providers can work together with the customer, maybe through a SLA. The security
issues that the senior business consultant mentioned were:
x Multi-tenancy
x Stability of Supplier
x Long term focus
6.3 CEO Interview Summary
The top concerns with Cloud according to the CEO were trust and accessibility. For him who
travels frequently he needs to have the information locally stored at his laptop to be able have
access to it whenever he wants. But as the connectivity gets better and better, the need for storing
it locally becomes less important. The CEO does view physical security issues (e.g. laptop, cell
phones, USB memories) more important than the actual security issues with Cloud Computing.
He brings up the security issues with the physical vulnerability with laptops and cell phones. He
says that companies that are considering to move in to the Cloud needs to evaluate where it is
more secure to store their information. To be proactive he says that you have to educate your
employees when it comes to security, for example that they should think about not using weak
passwords. The three aspects you have to think about when it comes to security risks are:
x Trust
x Intellectual Property
x Legislation
6.4 Computer Consultant Interview Summary
The possibilities of integration with the Cloud were something that the computer consultant was
emphasizing together with the importance of accessibility. Regarding accountability he says that it
is impossible to solve at the moment, so to trust the Cloud provider is the only option. For this
interview there were some question left out because he did not feel that he could answer them,
for example if their company was currently looking for any Cloud solutions. After asking our
questions we had a general discussion about security regarding the Cloud. From the discussion,
an issue about what laws exists for the protection of data when it is stored in different geographic
locations were raised. Also, how can you be sure that the Cloud provider is logging everything,
and if they do, that you get notified about everything bad that happens? From the interview we
have drawn out three security risks that we are going to use for the analysis:
x Data protection and laws
x Backups
x Log files


39
6.4.1 CIO I Interview Summary
It became apparent quite early that the CIO considered Cloud Computing to be interesting as a
tool for becoming efficient and to be used as a cost saver. The CIO did not like the idea to move
core processes to the Cloud as it was too valuable and sensitive for the company. The processes
that the CIO thought were ok to move to the Cloud were the basic office processes e.g. email.
1he CIO`s íirst impression of Cloud Computing was that it seemed suitable for mainstream
processes and cost savings, if someone else do it for them it meant they would need a smaller IT
department.
The reason for considering Cloud Computing for mainstream processes was because of the
concerns with security, uptime and backup. As for SLA issues the CIO deemed it very important
to control and review each of them and integrate them into the IT departments every-day-
business. As their systems and business could not suffer from downtime or lose data, they could
not evaluate a provider from a loss perspective. If a provider could not supply what they needed,
they moved on. In the context of trust the CIO used personal networks and references before
doing a systematic review of the company to see if the particular provider met the requirements
before signing an agreement. The top three security risks the CIO mentioned where:
x Other companies can access our information
x Uptime - dependent on the provider
x Backup
6.4.2 CIO II Interview Summary
The interviewee first stated that the term Cloud Computing was a Cloudy` term in itself and was
a hyped up market term. The big risks that were stated during the interview were the actual
integration of the different Clouds and the individual business units, the intellectual property and
finally security. Another concern with Cloud Computing was stealing information, SLAs and if
the vendor would notify the company if something would happen to the service that the
organization was paying for.
1he respondent`s organization actually re·iewed the SLA ·ery extensi·ely and sent out the parts
of the SLA to employed lawyers and the IT departments to review it to ensure that the document
met the requirements of the organization. The interviewee also stated that trust is very important.
They stated that they evaluate different vendors that fit their requirements and it was very
important to have face to face meetings to gain a relationship between the organizations.
x Multi-tenancy
x Intellectual property
x Communication with provider



40
6.5 Security Risks
In this paragraph we will present the security risks we have found during our research. The
security risks are from ENISA, CSA, NIST and interviews with experts. In this list we have
compiled the security related risks from the overall risk lists we have reviewed. Some of the risks
we have found are similar, just written in different words, which is why some of them have been
given a tag to identify their specific kind of risk e.g. Malevolence or Interface. In this list we also
state where the risks have been identified. The main reason for this list is to help us in the
analysis when we are answering our first research question and to contribute to the field of study
by listing security risks specifically instead of general risks;
x What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud
Computing?
6.5.1 Securit y Risk List
x Abuse and Nefarious Use of Cloud Computing (CSA/ Experts)
x Interface
o Insecure Interfaces and APIs (CSA)
o Management Interface Compromise (ENISA)
x Malevolence
o Malicious Insiders (CSA/ENISA/Experts)
o Attraction to hackers (NIST)
x Isolation Failure
o Isolation Failure (ENISA)
o Shared Technology (CSA)
o Dependency on secure hypervisors (NIST/Experts)
o Multi-tenancy (NIST/Experts)
x Encryption needs for Cloud Computing (NIST)
x Data Loss or Leakage (CSA/Experts)
x Accounting and Service Hijacking (CSA)
x Unknown Risks Profile (CSA/Experts
x Insecure or incomplete data deletion (ENISA/Experts)



41
6.6 SLA summaries
6.6.1 Amazon
Amazon Cloud system is called EC2 and it provides resizable capacity in the Cloud. According to
Amazon the EC2 includes:
x Interfaces to configure firewall settings
x Selectable IP range that will connect to the existing infrastructure using encrypted IPSec
VPN
Their service comment states that they are not responsible for any factor outside of their control.
We view that the SLA states that Amazon is not liable for anything that happens as soon as the
customer accesses the Cloud or decides to put an application on there. EC2 has a clause that
states that removes them accountability for anything that happens in the Cloud if it is by you or
any third party and from equipment that is not theirs.
If EC2 is not up for the stated uptime, which is 99.95% is upon the customer to monitor this and
report to Amazon. If Amazon does find itself at fault they will issue a credit back to the customer
but it is up to the customer to monitor the up time for the whole year.
6.6.2 Microsoft
Microsoít`s íirst step towards the Cloud Computing market comes in the shape oí Microsoft
Azure which is a platform with Azure as the OS operating in the platform environment. On this
platform that Microsoft run through their datacenters the customers should be able to have
applications and tools for building applications.
In the SLAs that co·ers Microsoít`s diííerent Azure ser·ices (Microsoft 2010) they specify what
they are providing and what will happen if they do not provide it, how they calculate the bill and
in what situations they are not responsible. In essence Microsoft puts a lot of responsibility on
the customer which means a lot of the possible errors that could occur are in the hands of the
customer.
If the service does not follow the uptime directives Microsoft follow a credit system which
governs how much the customer should pay even if the service percentage is not met. The
different Cloud services that Microsoft offers are not connected when billing is calculated or
service credits are given.



42
6.6.3 Google Apps
Google Apps is Google`s SaaS solution and it includes ·arious web applications such as Gmail
and Docs. Google Docs is web based word processing, presentation, spreadsheet and form
applications. Google Apps has some different editions where The Standard Edition is free to use
and has a limited amount of storage, while the Premium Edition offers more storage for a fee.
There is also an Educational Edition which is also free and combines functions from the Premium
and Standard Edition.
Google promises an uptime of 99.9 %, but if that uptime is not met, the customer receives
credits in form of free days for using the service. For example, if the uptime goes down to less
than 99 % but still more than 95 %, seven days of service is added to the end of the service term
at no charge. However, the customer have to notify Google about the downtime within thirty
days, or else the customer will not receive any service credits. The service credits added cannot
exceed fifteen days per month and they cannot be converted to monetary amounts.
Google disaffiliates themselves from performance issues that are caused by factors that is outside
oí Google`s reasonable control, or that is caused by the customer`s or third party equipment.
In the SLA, Google state that they have scheduled downtime where the service will go down for
a period of time. The customer will be notified about it five days prior to the downtime, and that
scheduled downtime will not exceed twelve hours per calendar year. Scheduled downtime is
furthermore not considered as regular downtime periods and will not affect the uptime
percentage. (Google, 2010)
6. 6. 3.1 Google App Engine
Google App Lngine is Google`s contribution to the Cloud environment in the platform as a
service market. It pro·ides the possibility to create, store and run applications on Google`s
servers using development languages as Java and Python. As it should be with a Cloud service,
you only pay for what you use and there are no installation costs and no other recurring fees. You
are billed by consumption regarding storage and bandwidth (measured by gigabyte). If you have a
specific budget you have to follow, you can control the maximum amount of usage by setting a
limit. However, Google App Engine lacks a service level agreement. The only thing you can find
online is terms of service. In other words, Google has not stated a certain uptime percentage so
you are not guaranteed payback if the service goes down (Jackson, 2009).




43
6.7 Security Risks
Table 6.1 presents the security risks that we have found from NIST, CSA, or ENISA. Most of
the risks that we found come from CSA but NIST and ENISA also state similar security risks
and we have added them into the chart. The security risks column describes the risks and also
what organization we found them from. The Impact column describes how it can affect the
organization. The SPI model columns reveals what domain it affects. As you can see most of the
risks actually concern all the domains but there are a few that only affects one or two SPIs. The
countermeasure column described some steps that the organization can take to help minimize the
security risks. The countermeasures that are stated are directly gathered from CSA, NIST, and
ENISA. It is also important to state that there are plenty of countermeasures that can actually be
implemented by having certain clauses in the SLA, as in demanding providers wipe persistent
media before it is released and conducting vulnerabilities scans. We have grouped together certain
security risks due to the fact that they are very similar. The definitions of the different security
risks in the isolation group are below:
x Shared technologies: Hypervisors having flaws that allow guest operating systems to gain
inappropriate levels of control or influence on the underlying infrastructure (CSA)
x Isolation Failure: Failure of mechanisms separating storage, memory, routing, and even
reputations between different tenants (ENISA)
x Dependence on Secure Hypervisor: An organization dependence on the reliable and
secure hypervisor (NIST)
x Multi-tenancy: The multiple organizations that have access to the infrastructure and the
ability of the different organization ability to view others data or control the infrastructure
(NIST)






44
Security Risks Impact SPI Models Countermeasures
Abuse and Nefarious use
of Cloud Computing
(CSA/Experts)
Due to weak registration systems allow
anonymity and providers fraud detection
capabilities are limited so criminals can use this to
expand their reach and improve their
effectiveness.
x IaaS
x PaaS
x Stricter Initial registration and validation
process
x Enhanced credit card fraud monitoring
and coordination
x Extensive monitoring of customer
network traffic
x Monitoring public blacklists íor one`s own
network
Insecure Interfaces
(CSA)
Management Interface
Compromise (ENISA)
Depending on a weak set of interfaces and
applications exposes the organization to multiple
set of security risks related to Confidential,
Integrity, and Availability.
x IaaS
x PaaS
x SaaS
x Analyze the security model of the
provider
x Ensure strong authentication and access
controls are implemented along with
encrypted transmissions
x Understand the dependency chain
associated with the API
Malicious Insiders
(CSA/ENISA/Experts)
Attraction to Hackers
(NIST)
Malicious insiders can impact an organization is
related directly with their level in the
organizations and their ability to infiltrate.
Human element is a vital issue when employing
services in the Cloud so it is of vital importance
that the customer understand what the provider
are going to do to detect and defend against
malicious insider.
x IaaS
x PaaS
x SaaS
x Enforce strict supply chain management
and conduct a comprehensive supplier
assessment
x Require transparency into overall
information security and management
practices
x Determine security breach notification
processes
Isolation Failure
Group
Shared Technology
Issues (CSA)
Isolation Failure
(ENISA)
Dependence on secure
hypervisor
(NIST/Experts)
Multi-tenancy
(NIST/Experts)
Hackers will attempt to gain access to shared
elements (e.g. Disk Partitions, CPU Caches and
GPUs) because of the fact that they were never
designed for strong compartmentalization.
x IaaS x Implement security best practices for
installation and configuration
x Monitor environment for unauthorized
changes/activity
x Strong authentication and access control
for administrative access and operations
x Enforce SLAs for patches and
vulnerability
x Conduct vulnerability scanning and
configuration audits
Data Loss or Leakage
(CSA/Experts)
Data that is lost or leaked can have different
impacts on the organization. The data could have
competitive or financial information that is vital
to maintain a competitive edge or can lead to
compliance violations and legal ramifications.
x IaaS,
x PaaS
x SaaS
x Strong API access control
x Encrypt data in transit
x Analyzes data protection at both design
and runtimes
x Strong key generation, storage and
management, and destruction practices
x Demand providers wipe persistent media
before it is released
x Demand providers backup and retention
strategies
Account or Service
Hijacking (CSA)
Hackers that have stolen credentials can access
critical areas of a deployed Cloud which will
endanger the organization. Account or Service
Hijacking remains a top threat to Cloud
Computing.
x IaaS
x PaaS
x SaaS
x Prohibit the sharing of account credentials
between users and services
x Use two strong factor authentication
techniques
x Employ proactive monitoring to detect
unauthorized activity
x Understand the providers security policies
and SLAs
Unknown Risks Profile
(CSA)
Customers often leave certain areas overlooked
(e.g. what information will the provider disclose
in an event of a security event, how is the data or
related logs stored, or even internal security)
when deciding to invest in the Cloud.
x IaaS
x PaaS
x SaaS
x Disclosure of applicable logs and data
x Partial/full disclosure of infrastructure
details
x Monitoring and alerting on necessary
information
Insecure or Incomplete
Data Deletion
(ENISA/Experts)
The information that is not completely deleted
could still reside in insecure locations. It may be
impossible to fully delete information since full
data deletion is only possible by destroying the
hard drive that might be shared by multiple
organizations.
x IaaS
x PaaS
x SaaS
x Ensure that the provider has effective
encryption

Table 6.1 Security Risks


45
7 Analysis
In this paragraph we will present data obtained through semi-structured interviews conducted
with what we deem to be experts in the field. This data will be compared and analyzed together
with concepts and models from our theoretical framework to evaluate the security risk we have
found in the secondary literature study together with the new information from our primary
interview study.
7.1 Major security risks within Cloud Computing
From our empirical study we have found different risks with Cloud Computing, and from them
we have selected those risks that are considered to be security risks.
Table 6.2 describes what the different interviewees said that and how the organizations view the
concept of Cloud Computing. The column Top Three Concerns displays the concerns that
organizations have with Cloud Computing and it is important to note that most of the
interviewees said that security was one of the top three concerns dealing with Cloud Computing.
The top three security risks allowed for us to see what the organization saw as a security risk
dealing with Cloud Computing and was vital for their business. We had different types of
responses when we asked if the organization reviewed SLAs, and if they did, what part did that
organization focus on. We view that the most surprising point was the fact that the CLO`s
organization never reviewed the SLA and expected things to work. The CEO stated if a certain
vendor had a horrible SLA, that vendor would have no business and be bankrupt. The Senior
Business Consultant`s organization that actually wrote their own SLAs and reviewed the vendor`s
SLA closely to ensure that the SLA covers the areas that they thought was important. The
column of trust was to see how the company gained trust in a specific vendor and what they did
to see if that vendor was right for their company. No organization actually systematically
evaluated trust from the start. Instead reputation was often used, which could have influenced
what company they decided to systematically review.
The next column is the Security Risks that are evaluated directly from the interview. As we
reviewed the interviews we clearly related them to risks that were stated by CSA, ENISA, or
NIST. The interview with the senior business consultant directly stated multi-tenancy to be a
security threat. Also, CIO I stated who can access our data as a security risks which is related to
the hypervisor being able to keep the data separate for each organization. Five out of six of the
companies viewed that Isolation failure group was the most important security risk.




.







46
Interview
Top Three
Concerns
Risk
Review
SLAs
Trust Security Risks
IT Consultant
x Security
x Uptime
x Multi-tenancy
x Loss of
Governance
x Communication
x Maintenance
Not
extensively
x References
x Thorough
review of the
company

x Insecure or
Incomplete Data
Deletion
x Isolation Failure*
(ENISA, CSA,
NIST)
Senior Business
Consultant
x Security
x Flexible
x SLA
x Security
x Flexible
x SLA
Yes and they
write their own
x Reference
x Company
history
x Data Loss or
Leakage (CSA
x Isolation Failure*
(ENISA, CSA,
NIST)
CIO
x Security
x Backup
x Uptime
x Other companies
accessing data
x Uptime
x Backup
Distribute
SLAs to
employees for
a better
understanding
x Friends in
similar field
of work
x Company
history
x Isolation Failure*
(ENISA, CSA,
NIST)
Computer
Consultant
x Security
x Connectivity
x Integration
between
service
x Data protection
and laws
x Backups
x Log files

N/A
x Review
Companies
history
x References
x Data Loss or
Leakage (CSA)
x Isolation Failure*
(ENISA, CSA,
NIST)
x Unknown Risks
Profile (CSA)
x Malicious
Insiders (CSA,
ENISA)
CEO
x Trust
x Accessibility
x Trust
x Intellectual
Property
x Legislation
No and they
just expect
things to work
x Best
practices
x References
x Reputation
x Abuse and
Nefarious use of
Cloud Computing
(CSA)
CIO
x Interruptions
of service
control
x Stealing
information
x SLAs
x Integration
between different
Clouds and
business units
x Intellectual
property of data
x Security
Yes
extensively,
and they send
parts to
lawyers and IT
department to
compare to our
requirements
x References
x Size
x history
x reputation
x performance

x Isolation Failure*
(ENISA, CSA,
NIST)







*Isolation Failure describes a group of security risks that include Shared Technology Issues (CSA), Isolation Failure
(ENISA), Dependence on secure hypervisor (NIST), Multi-tenancy (NIST)

Table 6.2 Interview Security Risk Analysis


47

The ranking of all security risks that we have gathered from the interviews are below
Security Risks from Interviews Ranks
Isolation Failures 5
Data Loss or leakage 2
Insecure or Incomplete Data Deletion 1
Unknown Risks Profile 1
Malicious Insiders 1
Abuse and Nefarious use of Cloud Computing 1


From our interviews that we conducted we have found that the Isolation Failure Group (Shared
Technology Issues, Isolation Failure, Dependence on Secure Hypervisor, Multi-tenancy) is the
highest ranked security threat to organizations. The Isolation Failure group only affects the IaaS
domain and we consider that domain to be most vulnerable or insecure at the moment. There are
countermeasures for this specific security risk and they should be clearly stated in the SLA.
7.1.1 Clients expectation of SLAs in regarding security
As we have stated earlier in the thesis most of the big vendors of Cloud Computing have stated
that they are not responsible for any event that happens in the Cloud that is not of their control.
This is very disturbing due to the fact that most companies are searching for some type of Cloud
solution.
There are countermeasures that can reduce these certain security risks listed above can be solved
with having proper SLAs with both vendor and customer. The SLA is vital for an agreement in
between multiple organizations but it is critical to review what is actually in the document due to
the íact that your business` iníormation will be relying on another company being secure and
reliable. More than half of the interviewees actually displays that dependence of secure hypervisor
was an important security issue, which is very interesting. Multi-tenancy could be directly related
to dependence on secure hypervisor because the hypervisor is the program that separates the data
and ensures that the different organizations` data remains separated.
Ií a ·endor`s SLA would incorporate certain countermeasures to ensure that the Isolation failure
group of security risks are included in the SLA, it would improve the trust that the client would
gain from the vendor. Vendors having a clause in the SLA to improve the accountability of the
events in the Cloud might provide more customers, because the clients could feel more confident
and move more business processes to the Cloud.
According to ENISA, a countermeasure to most of the Isolation Failure group is a vulnerability
scanning and configuration risk. The vendor would increase trust values by allowing the client to
conduct a vulnerability scan a couple times a year at an undefined time. Another countermeasure
that could be stated is that patches and vulnerability will be enforced and clearly stated in the
SLA.
Table 6.3 Security Risks from Interviews


48
The next highest ranked security risk that interviewees have stated is Data Loss or Leakage. Data
Loss could result in the loss of competitive edge or even legal ramifications due to the sensitivity
of the data. The countermeasure for Data loss that should be mentioned in the SLA is that
providers will wipe persistent media before it is released back into the pool. Another
countermeasure is to demand to see what the provider`s backup and retention strategies are. The
client would be able to see what happens to the data by reviewing what the pro·ider`s retention
and backup strategies are and will be able to see if the vendor strategies match the client`s
organization.
If the vendor were to have add these clauses to their SLAs, the clients might be more willing to
move to the Cloud and feel that their data is actually protected.




49
7.2 Trust related Security Risks in Cloud Computing
In this paragraph we will focus on the concept of trust and trust within the context of Cloud
Computing together with associated security risks. We will present information from our
interviews and show how the interviewees view trust and Cloud Computing and then analyze if
their trust analysis is conducted mentally or mathematically. In the end we will link our train of
thought to the second research question:
x What possible trust issues are associated with security risks in Cloud Computing and
SLA?
7.2.1 Is t rust i mportant?
In our interview with the IT Consultant he stated this in the context of accountability:
1rv.t i. e..evtiat. íf ,ov are goivg to v.e a ¡roriaer ,ov .bovta aiv for a tovg-term relationship. Both parts have
to go all the way. The dependency that you get with a provider, if you are not happy, how do you do then? You may
switch provider, but the one you got can make it a hard time for you. They could oppose you. How do you know
that get out all the data? And in what forvat. Cav ,ov iv¡ort tbe ivforvatiov to otber .,.tev..
This clearly shows how important trust is in the business agreement and when we talked with the
CIO about the subject of security issues with moving to a Cloud we got the response:
Ovr bigge.t .ecvrity issue would be the loss of control and who can access information that could be deemed as
.ev.itire to ovr cov¡av, ava ovr ctievt..
This view was further backed up by the choice of Cloud deployment model:
If we would move to a Cloud solution it would be to a private Cloud so that we can control the SLA more and
the access of the information.
A CEO from a company we interviewed also stated that
1rv.t i. ove of tbe vo.t iv¡ortavt tbivg. for ve
Lastly we want to mention the opinion of a Computer Consultant regarding our questions of
being proactive and reactive to solve security risks.
1rv.t i. of /e, iv¡ortavce, b, barivg trv.t í cav be reactire, if í aov`t, í bare to be ¡roactire. íf í bare vo
knowledge about what the provider does with the data and physical equipment, can I be proactive?
These statements prove to some extent that we were correct when we concluded that trust was
of key importance in the context of Cloud Computing security risks. Since we have not covered
the whole population of our targeted group, we cannot generalize beyond patterns, but we are
quite certain that the people we have interviewed are not the only ones to agree with us since so
far our response have proven to be 100% positive to that trust is very important. Therefore we
want to say that trust is very important and that our data supports this, but we cannot generalize
this information.



50
7.3 Security risks associated with trust in Cloud Computing
As what has been stated before in the thesis, Cloud Computing is fuzzy and a buzzword that
creates confusion of what Cloud Computing really is. This is something we want to disprove by
presenting information about what Cloud Computing really is on a technical level, a service level
and business model level. This does nevertheless mean that the public and the academic world
agree on a single view of Cloud Computing, which is why the security risks we have presented
exist and why some of them are connected to the issue of trust.
Ií we look at Cialdini`s ·iew on iníluence and why we act as we do in different situations we
discover that the main reason for automatic responses is lack of knowledge. This triggers his so
called Ctic/ ava !birr` action which basically tells us that Cloud Computing can be an automatic
response to a problem where people with lack of knowledge agree to trust people with
knowledge to help them solve a specific problem.
If we expand the lack of knowledge theory and look at Cloud Computing, we see security risks
that are directly connected with lack of knowledge and that many derives from the different
shapes of trust; reputation, reciprocity and confidence. The security risks that we have identified
to be connected to trust from ENISA, CSA, NIST and our interviews with experts are:
x Unknown Risk Profile (CSA/Experts)
x Shared Technology Issues (CSA)
x Compliance Risk (Experts)
x Lock In/Stability of the Provider (ENISA/Experts)
x Loss of Governance (ENISA/Experts)
x Logging Challenges (Experts)
x Data Ownership Issues (Experts)
x Quality of Service Guarantees (Experts)
x Dependence on Secure Hypervisors (NIST/Experts)
x Service Level Agreement/Accountability (Experts)
x Physically Security (Experts)
This list of risk is then divided into categories to show how they are related to security risks and
trust as well as explain how to avoid them. These categories are used to highlight three parts of
Cloud Computing that we have discovered to be critical to the business. The categories are based
on our own assumptions on how the security risks derive themselves from each other. The
categories are:
x Quality of Service
x Provider
x Ownership




51
7.3.1 Qualit y of Service
When a customer enters into a Cloud Computing solution, agreements are signed, and one of
those is SLA. SLA determines the framework of how the service should be delivered and who is
accountable for what and, as we have mentioned, the reason for a customer to sign it is because
of the degree of confidence the customer has that the provider will deliver the agreed level of
service. The security risks in this category are:
x Logging Challenges (Experts)
x Dependence on Secure Hypervisors (NIST/Experts)
x Shared Technologies Issues (CSA)
x Service Level Agreement/Accountability (Experts)
x Quality of Service Guarantees (Experts)

The security risks in this list are connected to trust because, as we said, if you sign an agreement
you most certainly trust the provider to live up to their side of the bargain. If trust have been
mentally evaluated and created there is a risk that factors such as title, appearance, reputation and
reciprocity have biased the reason why trust is established and a contract signed.
If trust has not been systematically evaluated either through a serious review of how the provider
work and provides information about the service e.g. log information, or systematically as Mui
presents, there is a chance that the biased trust can let you enter into agreements where the
provider provides a service that puts your company in a position where;
x Data is insecure
x Cannot track what is happening to your information
x An insecure hypervisor can create openings into your part of the storage
The SLA may also have been insufficient regarding what it covers, and from what we have seen
in SLAs from bigger providers are that they push the responsibility onto you, and if a person or
company does not review this properly and only use trust, that person or company could be in
serious trouble when service related problems appear since the accountability part was not
reviewed.
7.3.2 Ownership
The security risks in the ownership category are related to the issues with who is owning the data,
the control functions around the data, which should be accountable for the service and leaving a
Cloud Provider.
x Loss of Governance (ENISA/Experts)
x Data Ownership Issues (Experts)
x Lock in/Stability of the Provider (ENISA/Experts)
x Service Level Agreement/Accountability (Experts)
The security risks associated with trusting a provider too much regarding the control mechanism
and the data, i.e. a company decides they lack sufficient knowledge to have their own IT
department and decide that they should acquire IaaS to solve this, are very serious and should not
be overlooked. It is also important to understand that complete trust could mean that
assumptions are made that once the customer do not need the service, or do not want to work
with the provider anymore, that it is just to pull the plug on the collaboration.


52
What we have seen in literature and from interviews is that Cloud Computing is supposed to be
very easy to enter into, but leaving a provider is something else. If trust is put into the wrong
provider this could create serious lock-in related security issues if a company have a hard time
leaving a provider that does not let the customer control their own data, or even let them own
the data after the agreement is signed and data is moved to the Cloud.
7.3.3 Provider
The third and final category we have decided to use to highlight what kind of trust related
security issues exist in the Cloud Computing environment is Provider. This part deals with how
trust in the wrong place can affect what you get from the provider, how to work with the
provider, how the provider work and physical or real world related security issues can damage
your company.
x Unknown Risk Profile (CSA/Experts)
x Compliance Risk (Experts)
x Lock-in/Stability of the Provider (ENISA/Experts)
x Physical Security (Experts)
This final part of the trust related security risks are focusing on the provider and how the
pro·ider`s own business work. In Unknown risk proíile the idea is that it is hard to know what
the provider`s processes are on keeping data secure. This goes all the way to employee level,
which means, how to know ií the pro·ider`s employees are trustable? Of course this information
is hard to obtain, but should still be an important question in the process of deciding if you
should use a provider or not. If mental trust is used there can be risks that good faith results in
bad support and no flexibility in how the provider work and that someone who should not have
access to your data have access to it because a employee has access to it.
This part of the trust related security risks also takes the physical security of the company and the
equipment used into consideration. It is very important to review if the provider is stable or
under economical pressure that could result in less spending on equipment and security for that
equipment. If a provider goes bankrupt it is also important to have decided what will happen
with information put into the Cloud, meaning, who owns it?
7.4 How to avoid security risks associated with trust?
To avoid the risk of entering into an agreement where the provider does not lives up to what they
say is not as simple as one might think. Genuine trust, and a correctly placed one, is very hard to
obtain. Misplaced trust generally comes from lack of knowledge, so basically the first step is to
obtain information to see if the person is trustworthy. In our interviews we saw that trust was
very important, yet the overall method to evaluate trust was to use opinions from a personal
network, which means that for the most part, the evaluation was done mentally. Of course this
was not the only thing the people interviewed did, but from our results the mental process
seemed more important and only backed up by systematical reviews when a provider was deemed
to be worth the effort.



53
What was quite interesting to see from our interviews was that there seemed to be two sides
about how to review a SLA. One organization decided to trust standard versions of SLA and the
IT Consultant said:
!bev re bv, a .errice re get it ovt-of-the-box. We do not really review the SLA. We cannot really affect it. It is
a .tavaara agreevevt ava re v.e it for ovr cv.tover. a. rett.
The other organization seemed more concerned with getting precisely what they want in the SLA
and focus a lot on reviewing SLA. The CIO said this:
í carefvtt, rerier tbe ´í. ava va/e .vre tbat botb cov¡avie. mean tbe .ave for cov¡ticatea rora..
Of course this does not mean one side is reckless and one side is wise, because we have to take
their background into consideration and understand that the consultant has probably worked
with a provider for a long time and already done the review whereas the CIO is seeking a new
provider. What is dangerous though is the thinking that just because I have worked with them
before and it turned out well, it will work again. If a person takes that kind of decision he/she is
clearly not using systematic approach that suppose to measure if a person/company can be
trustworthy. In the discussion with the IT Consultant on what is most important in the SLA
review he said:
...1bere i. a vairet, rbev it cove. to .ecvrit,. !bat aoe. .ecvrit, reatt, veav. !bo aoe. rbat. íf ,ov cav aefive
what is included when it comes to security you add value to what you are selling. And adding value to your
cv.tover i. rer, iv¡ortavt.
It is this naivety that is based in lack of knowledge that could be so devastating for a person or a
company that decides to use a Cloud solution. As we have stated in the analysis of the three
categories the risks occur on different levels of the Cloud solution, Quality of Service, Ownership
and Pro·ider but they are triggered by the same `trigger featvre` as Cialdini calls it. 1he trigger feature`
is lack oí knowledge and the Ctic/ ava !birr` is the signing of the agreement. This leads us to the
conclusion of how to avoid the trust related security risks and more importantly, our research
question:
x What possible trust issues are associated with security risks in Cloud Computing and
SLA?
The avoidance of the automatic response comes from perseverance in understanding your
surroundings, if you want to work with Cloud Computing you have to understand it and not take
proíessionals word íor it but rather ask why`· In other words, knowledge is the key. It is not a
simple solution but a necessary one. The connection to our research questions is quite clear,
clients have to systematically and mentally evaluate a provider before a SLA is signed, or the
provider will control the decision of the service. From our point of view it is a seller`s market and
clients have to understand what they are getting into or the security issues discussed in research
question one could occur. If we recommend just one, it would be the systematical approach. The
raw data from the interviews state that while reputation and word to mouth is important to find
providers, a systematical approach should follow to see if the reputation is deserved or not.





54
8 Conclusion
In the analysis we discussed the area of major security risks in Cloud Computing and how trust is
connected to those. What we had not expected to find was how big this particular area of study
was and that will further be explored in our discussion of what the next step in this field of study
could be. The questions that we set out to answer were:
x What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud Computing?
o What should clients expect from Service Providers in the SLA regarding Cloud
Computing?
x What possible trust issues are associated with security risks in Cloud Computing and SLA?
o If so, how can clients avoid security risks associated with trust?
We have found that the isolation failure group that was stated earlier is the biggest risk to
organizations. The isolation failure group has a heavy reliance on the hypervisors to be stable and
secure. The Isolation Group domain is primarily related to IaaS and we view that this is the most
unsecure area of Cloud Computing for the moment. It is of utmost importance that the client
does a thorough review of the SLA and also demands some clauses be included as well. A solid
SLA (e.g. proper data deletion procedures, the vendor will provide upgrades and maintenance)
between the client and provider will decrease the chance of the security risk from happening, but
it is not fool proof.
In the analysis we could conclude that the risks in the categories quality of service, ownership,
and provider are related to trust and that many of them exist because of misplaced trust which
derives from lack of knowledge. Our sub question was stated to see if we could offer
countermeasures to apply to avoid possible security risks we could find. Since we did find this
connection we analyzed how this connection between trust and security risks could be broken.
Our conclusion to that question is simple as we have said, but very hard to achieve. The solution
is to know about the connection and gain knowledge to avoid using an automatic response, or
the Ctic/ c !birr` response which we also use to discuss what happens. If this knowledge gap is
achieved, trust related security risks can be avoided or reduced to the benefit of the client.
The answer was both unexpected and reasonable and we hope that we have contributed to the
field of study by answering them. In the second research question we focused on the security
risks connected to trust and Cloud Computing, and what we discovered was three groups to
categories the security risks into and they are:
x Quality of Service
o Logging Challenges (Experts)
o Dependence on Secure Hypervisors (NIST/Experts)
o Shared Technologies Issues (CSA)
o Service Level Agreement/Accountability (Experts)
o Quality of Service Guarantees (Experts)
x Ownership
o Loss of Governance (ENISA/Experts)
o Data Ownership Issues (Experts)
o Lock in/Stability of the Provider (ENISA/Experts)
o Service Level Agreement/Accountability (Experts)
x Provider
o Unknown Risk Profile (CSA/Experts)
o Compliance Risk (Experts)
o Lock-in/Stability of the Provider (ENISA/Experts)
o Physical Security (Experts)


55
Trust
Security
Cloud
Computing
Knowledge
9 Discussion
As the Cloud Computing term becomes older, more and more as a Ser·ices` are likely to come
along. An example of this is McAfee, who has made a vulnerability scan available that vendors
can do to better secure their Cloud. If the vendor does pass the vulnerability scan McAfee will
provide them a certificate to display on their website to say that they are considered secure.
McAfee also provides Security as a Service which provides a overall security which will aim to
decrease the amount of spam and email based threats (McAfee 2004).
During our research we discovered three key concepts regarding Cloud Computing:
x Trust
x Security
x Knowledge
Therefore we would like to present a rather simple model of the connections between those
concepts.










To ensure that Cloud Computing is the proper investment to make for an organization it is
important to understand the different areas of the diagram. The triangle which is the Cloud itself
is surrounded by Trust, Security and Knowledge. It is absolutely important to know that the
Cloud is secure and that the provider will do everything possible to ensure that it will remain
secure. The Knowledge aspect is to know what should be in the SLA, the knowledge of the risks
that Cloud Computing enable, and what solution is applicable to the organization. Both Security
and Knowledge will build upon the trust that the organization gains from the provider and
should build a relationship that should benefit both companies.
Both, the organization and the provider should be able to develop a flexible but reliable SLA so
accountability issues of the Cloud can be solved. The provider now, states that they are not
responsible for the events that happen in the Cloud and immediate say that the customer is liable.
Most providers have an uptime of 99.95% stated in their SLA, but the monitoring processes of
that uptime is left to the client.
Figure 9.1 Cloud Computing Triangle


56
9.1 Critique of method
While doing this research, Cloud Computing has evolved due to being such a new concept. With
this in mind, Cloud Computing could change very quickly which would make our research
obsolete. Due to the evolution of Cloud Computing, the main security risks could change by
making the ones that were brought to light in this research less important while new security risks
arises. If the research would have focused more on conceptualizing the concepts of trust, security
and knowledge, it could have resulted in a more sustainable research by providing an abstracted
view of Cloud Computing.
9.2 Future research proposals
Looking at our model presented in the discussion paragraph, we estimate that providers in the
future will use these key concepts to differentiate themselves once Cloud Computing have
become more adopted and standardized. Therefore we believe that further research into trust,
knowledge, and security in the context of Cloud Computing is important for speeding up the
process of approval. Areas for future research could be:
x Trust building
x Overall standardization of Cloud Computing
x Security standards for Cloud Computing




57
10 References
Amazon (2008, October 23). Amazon EC2 Service Level Agreement. Retrieved 2010-04-24, from
http://aws.amazon.com/ec2-sla/
Bouchard A, S. Sankar K.. (2009) Enterprise web 2.0 Fundamentals
Indianapolis: Cisco Press
Businessdictionary.com (N/A) Definition: Application Programming Interface (API).
Retrieved 2010-05-23 , from http://www.businessdictionary.com/definition/application-
programming-interface-API.html
Businessdictionary.com (N/A) Definition: Application Service Provider (ASP). Retrieved 2010-05-23,
from http://www.businessdictionary.com/definition/application-service-provider-ASP.html
Businessdictionary.com (N/A) Definition: Denial of Service (DoS). Retrieved 2010-05-23 , from
http://www.businessdictionary.com/definition/denial-of-service-DOS.html
Businessdictionary.com (N/A) Definition: Distributed Systems. Retrieved 2010-05-23 , from
http://www.businessdictionary.com/definition/distributed-systems.html
Businessdictionary.com (N/A) Definition: Flexibility. Retrieved 2010-05-06, from
http://www.businessdictionary.com/definition/flexibility.html
Webopedia.com (2006, December 19) Definition: Hypervisor. Retrieved 2010-05-, from
http://www.webopedia.com/TERM/H/hypervisor.html
Businessdictionary.com (N/A) Definition: Information Security. Retrieved 2010-05-23 , from
http://www.businessdictionary.com/definition/information-security.html
Businessdictionary.com (N/A) Definition: Risk. Retrieved 2010-05-, from
http://www.businessdictionary.com/definition/threat.html
Businessdictionary.com (N/A) Definition: Scalability. Retrieved 2010-05-6 , from
http://www.businessdictionary.com/definition/scalable.html
Businessdictionary.com (N/A) Definition: Threat. Retrieved 2010-05-22 , from
http://www.businessdictionary.com/definition/threat.html
Cialdini, B. R (2007) The Psychology of Persuasion (1
st
Collins Business Essential ed.).
New York: HarperCollins Publishers
Lew (2009, February 23) Infrastructure as a Service. Retrieved 2010-02-28, from
http://Clouddb.info/2009/02/23/defining-Cloud-computing-part-6-iaas/
Committee on National Security Systems (2010, April 26) National Information Assurance glossary
Retrieved 2010-03-17, from http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
Computerweekly.com (2009, March 17) A history of Cloud Computing. Retrieved 2010-05-14, from
http://www.computerweekly.com/Articles/2009/06/10/235429/A-history-of-Cloud-
computing.htm
Computerworld.com (2006, June 12) Top 10 SaaS Traps: Watch Out For Hidden Snags.
Retrieved 2010-03-17, from
http://www.computerworld.com/s/article/111510/Top_10_SaaS_Traps_Watch_Out_For_Hid
den_Snags


58
CSA (2009 December) Security guidance for critical areas of focus in Cloud Computing v2.1
Cloud Security Alliance

CSA (2010 March) Top Threats to Cloud Computing v1.0
Cloud Security Alliance

Dan, A., Keller, A., Ludwig, H., Richard., F., Richard,P. (2003, January 28) Web Service Level
Agreement (WSLA) Language Specification, IBM Corporation
ENISA (2009 November) Cloud Computing: Benefits, Risks and recommendations for Information security
European Network and Information Security Agency

Gartner (2008 June 26) Gartner Says Cloud Computing Will Be As Influential As E-business
Retrieved: 2010-02-18 from
http://www.gartner.com/it/page.jsp?id=707508

GNi (N\A) Infrastructure as a Service Retrieved 2010-03-16, from
http://www.gni.com/services/iaas
GCN (2009, March 03) Revving up Google App Engine Retrieved 2010-03 17, from
http://gcn.com/blogs/tech-blog/2009/03/google-app-engine.aspx
Google (N\A) Google Apps Service Level Agreement Retrieved 2010-03-22, from
http://www.google.com/apps/intl/en/terms/sla.html
IBM (N/A). Web Service Level Agreements (WSLA). Retrieved 2010-04-02, from
http://www.research.ibm.com/wsla/
H. Rådmark (2010-01-26) 5 saker du måste veta om molnplattformar. Retrieved 2010-01-30, from
http://www.idg.se/2.1085/1.288641/5-saker-du-maste-veta-om-molnplattformar
Knoesis Center Wright State University (N\A) Service Level Agreement in Cloud Computing. Retrieved
2010-03-07, from http://knoesis.wright.edu/library/download/OOPSLA_Cloud_wsla_v3.pdf
McAfee (N\A) Retrived 2010-04-22
From http://www.mcafee.com/us/small/security_insights/security_as_a_service.html

Microsoft (N/A). Service Level Agreements. Retrieved 2010-04-20, from
http://www.microsoft.com/windowsazure/sla/
MSDN (2006, April) Architecture Strategies for Catching the Long Tail. Retrieved: 2010-03-15, from
http://msdn.microsoft.com/en-us/library/aa479069.aspx
MSDN (2006, June) Multi tenancy Data Architecture Retrieved 2010-03-19, from
http://msdn.microsoft.com/en-us/library/aa479086.aspx
Mui, L. & Phil, M. (2002 December 20) Computation Models of Trust and Reputation. Massachusetts
Institute of Technology
NIST (2009-10-7) Effectively and Securely Using the Cloud Computing Paradigm Retrieved: 2010-02-14
from http://csrc.nist.gov/groups/SNS/Cloud-computing/Cloud-computing-v26.ppt.

OpenCrowd.com (N/A) Cloud Computing. Retrieved 2010-04-12,
From http://www.opencrowd.com/views/Cloud.php


59
Open Crowd (2010, May 13). Cloud Taxonomy. Retrieved 2010-05-14 from
http://www.opencrowd.com/views/Cloud.php
Phoenix (2010, March 18)Confidentiality, Integrity, Availability and what it means for you
Retrieved 2010-03-22, from http://continuitydisasterrecovery.phoenix-
blogs.com/confidentiality-integrity-availability-and-what-it-means-for-you/
Salesforce (N\A) Multitenant kernel 2010-03-19, from
http://www.salesforce.com/platform/Cloud-infrastructure/kernel.jsp
Saunders. M, Thornhill. A and Lewis. P, Research Methods for Business Students, 2007 Fourth
Edition, Pearson Education Limited

Service Level Agreement and SLA Guide (N/A). The SLA Guide. Retrieved 2010-04-01, from
http://www.service-level-agreement.net/sla-guide.htm

SLA Information Zone (N/A). The Service Level Agreement. Retrieved 2010-04-01, from
http://www.sla-zone.co.uk
TheFreeDictionary.com (2009) Definition: Security. Retrieved 2010-05-02 , from
http://www.thefreedictionary.com/security
The Linux Information Project (2006, April 29). Vendor lock-in definition. Retrieved 2010-03-17,
from http://www.linfo.org/vendor_lockin.html
Whatis.techtarget.com (2008, December 14) What is Platform as a Service (PaaS)?
Retrieved 2010-03-12, from
http://whatis.techtarget.com/definition/platform-as-a-service--paas-.html
Wikipedia (2010-05-13). Authority. Retrieved 2010-05-15, from
http://en.wikipedia.org/wiki/Authority
Wikipedia.org (2010 May 8) John McCarthy (computer scientist). Retrieved 2010-04-, from
http://en.wikipedia.org/wiki/John_McCarthy_%28computer_scientist%29
Wikipedia (2010-03-13) Trust (Social Sciences) Retrieved 2010-04-10, from
http://en.wikipedia.org/wiki/Trust_%28social_sciences%29







60
Appendix 1 Interview Questions
1. What is your position in the company?
2. What are your first impressions of Cloud Computing?
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
4. What are your top three concerns with Cloud Computing?
5. What risks do you consider to be in the top three with Cloud Computing?
6. What are the major advantages of Cloud Computing that your company can benefit
from?
7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not?
8. What business process would your company be willing to relocate into the Cloud?
9. What would be the security issue with relocating to the Cloud?
10. Do you review your SLAs properly, and how?
11. What areas of the SLA does your company mainly focus on?
12. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
13. What type of Cloud deployment model would your company be interested and why (e.g.
public, private, hybrid and communities?
14. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
15. How can one solve the accountability that arises with Cloud Computing in your opinion?
16. How does your company evaluate trust?
Appendix 2 Interviews with experts
In this section we will present the information we obtained through semi-structured interviews
with various experts in the field. The people we have interviewed will be kept anonymous and
will only be referred to by their professional title e.g. Consultant, Senior management etc.
10.1 IT-Consultant
On the 22
nd
of April 2010 we interviewed an IT-consultant that works at a consultancy firm. The
interview lasted for 1 ½ hour and was a semi-structured interview, and the interview questions in
section 17.1 was used as a basis.
x What are your first impressions of Cloud Computing?
The first thing that came to my mind was that as a company you are freed from the management
of the servers. That is the big advantage that you can focus more on the core competence in your
company. You let someone else manage the servers, which have got the expertise for it.
Cloud Computing feels like a development of something that has been under way for a long time,
but it is not until now that you go all out with it. Then it comes to this with the risk assessment,
and how does it feel to let someone else take care of everything. Sure it is very good that
someone takes care of it, but what if it is business critical information?
x Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?


61
This depends from customer to customer. I would say that it is extremely customer specific. If
you work with a system that deals with patient information, as for example a care center does,
and the thought of putting out that information on the Internet and you would lose information.
That is not in any way acceptable.
On the other hand if you work with adverts, as for example on blocket.se, the loss of information
is not that critical. So it is totally dependent on what type of business you are conducting. If you
are a bank and lose a transaction, which cannot just happen. They have problem with that today,
and it is their main security concern. They have to deal with redundant data and to log
everything. To some information is critical, to some it is not.
x Is your company currently looking for different solutions in Cloud Computing?
We have been discussing that a little bit when it comes to invoice handling. We develop that kind
of service for our customers, but we let one of our subcontractors handle the management of the
servers. We sell the service to the customer, but we let a third party take of it to ease the pressure
on us. Then I would think that we would profit a lot from putting out our internal system, for
example our external web service, into the Cloud. That is something that we do not need to
manage ourselves.
x What type of Cloud deployment model would your company be interested and why (e.g.
public, private, hybrid and communities?
Hybrid is something we have discussed, but it is not something that we are currently focusing on.
But I think it would definitely be something that we could profit from.
x We have been using a platform online for uploading our files on the Internet. What do
you think of that type of service?
The question is what type of information that you want to put up there. You have to take
responsibility to not give out your login information. It is very dependent on the individual. Some
people do not have any judgment at all when it comes to those matters. Some users share the
same account, and uploading critical data is something you consider twice.
x What are your top three concerns with Cloud Computing?
The security aspect is one. As a provider you have promised a certain uptime, and it is not
unusual that security updates are released that has to be installed. What happens to uptime then?
That affects the SLA and could mean a lot of costs. Also, the time from when the vulnerability is
discovered and that it is fixed is dangerous. So when it comes to the Cloud the security aspects
are very exciting, even though you have a lot of external security. There are hacker syndicates that
are working solely with stealing information.
As a comparison, when you have it in-house, you have got a whole different possibility to isolate
the servers. But when you are sharing a server with someone else that has not got the same
system, and you need to update your system by restarting the server, you got a problem.
With this new business model using old technology you got new problems that need to be
solved. Companies take different services that they repack and call Cloud Computing which can
create security risks that they did not have before.
There is a problem with not having a universal definition of Cloud. The terminology is very
unclear. So we got the security aspects, terminology and the possibility to integrate with other
systems. Scalability and flexibility are parts that are beneficial with the Cloud. It is cost effective in


62
the way that you can measure what you use. But it is still hard to calculate the benefits of Cloud.
It depends on who does the calculation and in what way. Some argue that you will make huge
savings by putting everything in the Cloud, while some others say that you need to keep some
infrastructure in-house.
x What risks do you consider to be in the top three with Cloud Computing?
Generally when you are buying a service you buy a completely configured system. You as a
provider need to know exactly how the system shall work. And there are problems before you
have a fully functioning application up and running. The provider needs to understand the
customer. The customer does not have the possibility to monitor the system, to troubleshoot or
to manage it. And how much can you affect this out-of-the-box solution, there is no standard
version that works for everyone. It is not unusual that something goes wrong. Human error is
common. To not have control is an issue. It is one thing to buy something straight up. But as a
service, how shall it be configured? If you have it in-house it goes relatively quick to solve a
problem. If you have it as a service, the lead time from when something goes wrong and it gets
fixed is longer. The quality of customer service is important and you should aim for a long time
relationship with the provider. So communication, control, maintenance and the possibility to
troubleshoot are important aspects.
x How can one solve the accountability that arises with Cloud Computing in your opinion?
Trust is essential. If you are going to use a provider you should aim for a long-term relationship.
Both parts have to go all the way. The dependency that you get with a provider, if you are not
happy, how do you do then? You may switch provider, but the one you got can make it a hard
time for you. They could oppose you. How do you know that get out all the data? And in what
format? Can you import the information to other systems?
x Do you review your SLAs properly, and how?
When we buy a service we get it out-of-the-box. We do not really review the SLA. We cannot
really affect it. It is a standard agreement and we use it for our customers as well.
x What areas of the SLA does your company mainly focus on?
Availability is of utmost importance. The processes and routines regarding security has to be in
there. How is the data encrypted, who has got access to the data, backup routines, has a third
party access to the data? There is a naivety when it comes to security. What does security really
mean? Who does what? If you can define what is included when it comes to security you add
value to what you are selling. And adding value to your customer is very important.
x How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
You have to know who you are; who your customer is, what is your focus and what type of
business are you running. lrom that you can put out demands. \ou ha·e to think what ií` and
even get help to do that. Based on our demands we can work actively with evaluating what could
happen and can absolutely not happen. How can you work with putting up counter measures for
emerging threats? Worst case scenario. That has to exist in the SLA and you should actively work
with renewing it to be able to cope with the new threats that are coming every day. The Cloud
business model is so new so the SLA has to be constantly updated with emerging issues that are
arising all the time.


63
x Then who is responsible? How can you integrate accountability solutions?
Somewhere you have to start with a requirement model. You want to achieve something. You
buy a service that may be situated in the Cloud. In the SLA the demands should be incorporated.
From that it should be the service provider and or the Cloud provider. So you will get SLA on
SLA. It should state who does what and you got to have some kind of error-handling. A logging
function should be installed that does not lower the performance. That should also be regulated
in the SLA. Maybe a master SLA. There is no easy technical solution for the accountability, which
is probably why the Cloud providers liberate themselves from this.
There are not only security risks with the Cloud, there are benefits as well. People are running
around with USB flash memories which they sometimes drop or lose. Cell phones are containing
a lot of different information today that is important for some organizations. A Cloud provider
can offer a pretty solid security solution which you as a small company may not be able to afford.
The Cloud is probably going to be an expert in the area too.
Some other issues though would be if get bought up as a company. What happens to the data
then? Or if a company goes bankrupt. Also, how can you get out of the Cloud? That should be in
the SLA. Many companies may just go for the Cloud because it is profitable and just ignore the
risks.



64
10.2 Senior Business Consultant
We interviewed a Senior Business Consultant and the company offers professional IT Services
and had a third party that provided Cloud Computing to customers. We interviewed the said
person on the 24
th
of April 2010 and it lasted for about 30 minutes. The questions we used can be
find in 17.1
1. What is your position in the company?
Senior Business Consultant.
2. What are your first impressions of Cloud Computing?
Outsourcing.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
x Flexibility
x Security
x Accessible

4. What are your top three concerns with Cloud Computing?
x Security
x Flexible
x SLA needs to be waterproof

5. What risks do you consider to be in the top three with Cloud Computing?
x Security
x Flexible
x SLA needs to be waterproof

6. What are the major advantages of Cloud Computing that your company can benefit
from?
Startup cost and the flexibility as well as scalability.
7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not?
No solution but using an internal private Cloud.
8. What business process would your company be willing to relocate into the Cloud?
Non-critical business process would be the first step then possibly more critical process (e.g.
Decision process, production processes)
9. What would be the security issue with relocating to the Cloud?
x Multi-tenancy
x Stability of Supplier
x Long term focus + track


65

10. Do you review your SLAs properly, and how?
Yes they had consultants write SLAs so they have personal review the SLAs.
11. What areas of the SLA does your company mainly focus on?
Review mostly the startup relations, communications, support, and uptimes on different
applications and how to terminate the contracts.
12. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
Important not to lose critical data.
13. What type of Cloud deployment model would your company be interested and why (e.g.
public, private, hybrid and communities?
Private.
14. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
Proactive: Help in establishing the standards and be knowledgeable in being reactive in security
threats.
15. How can one solve the accountability that arises with Cloud Computing in your opinion?
Understanding a clear line on where the border is between partners accountability, Supplier A to
B how, when and what data.
Using a kind of integrated platform, log how it is being done, sent, and stored and what issues
you take when it does not come through, another words ensure that there are clear
responsibilities established.
16. How does your company evaluate trust?
Does research on the company and looks for negative reports so reputation plays a big part in it.
Example, one company required a customer to sign a gag order for some reason so the said
person from the company went elsewhere.


66
10.3 CIO I
On the 28
th
of April 2010 we interviewed a CIO at a distribution company. The interview lasted
for 20min and the interview was conducted via a speaker telephone. The interview was semi-
structured and the questions we used to establish a theme was the ones in section 17.1 .
1. What is your position in the company?
I`m the CIO oí our company.
2. What are your first impressions of Cloud Computing?
My first impression was that Cloud Computing could be useful for mainstream applications in
the office, and that I would not like to connect it to our business critical systems.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
Our concern is the security aspects. We lose control of who can access our information even if
the agreement say we are the only ones, someone could still access it in theory. We are also
concerned about creating a waterproof SLA about access and control over data since information
relocated into the Cloud could be sensitive.
4. What are your top three concerns with Cloud Computing?
x Security - Who can access our data?
x Uptime - stable access to the service, cannot have downtime or lose data
x Backup - beyond our control, what happens if the system crashes?

5. What risks do you consider to be in the top three with Cloud Computing?
x Other companies can access our information
x Uptime - dependent on the provider
x Backup

6. What are the major advantages of Cloud Computing that your company can benefit
from?
x Scalability - in the sense that applications are not affected because of peaks in usage.
x Lower IT costs
x Smaller IT department, fewer IT employees = lower costs

7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not?
No we are not looking for a Cloud solution at the moment. We have recently invested in WM
ware solutions to run internally since we consider IT advantage is possible through in-house
development and that such an advantage is important in our business. So we will probably not
look for a Cloud solution in the next years.
8. What business process would your company be willing to relocate into the Cloud?
The business process we could consider is office applications that are not connected to critical
business systems. We want to have control over them ourselves.


67

9. What would be the security issue with relocating to the Cloud?
Our biggest security issue would be the loss of control and who can access information that
could be deemed as sensitive to our company and our clients.
10. Do you review your SLAs properly, and how?
We use to distribute them on our meetings within the IT department so that everyone at the IT
department understands them.
11. What areas of the SLA does your company mainly focus on?
The part that is most important for us when we agree to and SLA is the uptime, we have to make
sure that the provider can provide their service at a level that means we can keep working e.g.
Internet provider cannot our Internet connection be down too much.
12. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
Since we deem it is unacceptable to lose data we cannot use that when we measure the providers,
but the Internet downtime is different. We do have a specific time we can allow Internet to be
down so we measure against that.
13. What type of Cloud deployment model would your company be interested and why (e.g.
public, private, hybrid and communities?
If we would move to a Cloud solution it would be to a private Cloud so that we can control the
SLA more and the access of the information.
14. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
I do not have enough experience or knowledge about the Cloud to answer this question in a valid
way.
15. How can one solve the accountability that arises with Cloud Computing in your opinion?
This issue could be solved through carefully writing the SLAs. I think the public Clouds can have
the most problem with this since they appear to be more standardized than the private Cloud
SLA.
16. How does your company evaluate trust?
I use connections and references from friends and colleges in my field of work together with
reading about the provider. Then I carefully review the SLA and make sure that both companies
mean the same for complicated words.




68
10.4 Computer Consultant
On May 7
th
2010 we interviewed another Computer Consultant at a distribution company. The
interview lasted for 40 min and the interview was conducted via teleconference. The interview
was semi-structured and the questions we used to establish a theme was the ones in section 17.1.
1. What is your position in the company?
Computer consultant at different companies, industries, SP.
2. What are your first impressions of Cloud Computing?
What I thought was that finally people have realized what can be done when it comes to
virtualization. It helps the environment by optimizing the utilization of resources by only using
what you need.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
That you do not know who customers are, integration, how do you store data and integrate with
their systems? We do not want to put everything in the Cloud, only some parts. Specific service
e.g. email could be something. Also how to integrate these different services is important.
Because as it is now, Cloud is hard to integrate. Manageability is an issue, how to start using it,
how to make it available for the right time. How to design what to be used in the services
bought? The connectivity is important. In Sweden it is good, but when you travel elsewhere it
could become an issue. Security, loss of governance, you have no control over where information
is. You have to think about monitoring, like how to monitor applications bought through
internet. Traditionally, someone notice that the application is not working, and that someone
contacts helpdesk.
4. What are your top three concerns with Cloud Computing?
Security, connectivity, integration between services, both external and internal.
5. What are the major advantages of Cloud Computing that your company can benefit
from?
The environment of Cloud. You are buying a service which means less responsibility. You say
bye bye to infrastructure which also means less need for resources like employees and less
associated problems.
6. Is your company currently looking for different solutions in Cloud Computing?
Don`t know, I am not a part oí that process in the company. \e pro·ide consultancy íor those
who want to relocate into the Cloud. Services are awesome, easy to buy, so we should.
7. What business process would your company be willing to relocate into the Cloud?
Simple stuff, things that are not really hard to integrate into systems in your environment. The
reporting platform for example or a traveling template generator to standardize traveling bills in
the company instead of using the systems.
8. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?


69
Trust is oí key importance, by ha·ing trust I can be reacti·e, ií I don`t, I ha·e to be proacti·e. Ií I
have no knowledge about what the provider do with the data and physical equipment, can I be
proactive?
9. How can one solve the accountability that arises with Cloud Computing in your opinion?
Right now it is not impossible. Trust is the only current solution, but trust is hard to create when
all information is not shared as well as goals of what wants to be done. For example how to hold
someone accountable for e.g. fraud or copying of data.
10. How does your company evaluate trust?
Have do you evaluate trust? Maybe by looking at track records or talk to people?
General discussion about security
Where is my data? What laws governs my data? How can I trace if my data is being copied in a
safe way? Where are backups stored? How can I be sure that my data is not being manipulated in
the wrong way? When data gets redundant by being stored in two different geographic locations,
what law is protecting my data when the data is in these two different places? E.g. Sweden and
Poland.
You will have a hard time to find out where information was manipulated wrongly. With
backups, how can I monitor my physical storage of data on e.g. a tape where I make big storage
backups and where does it go? How do I know I get the data about the service they provide me
(for instance log files) is the raw data or changed to look good and to keep you unknowing as a
client?
How can I know that everything is being logged since I cannot access that information? Will
someone tell you if the provider screws up? They need systems to monitor everything so that
they can prevent bad things to happen by monitoring customers` activity and activity around the
customers` data. Pre-programmed triggers to alert if something bad happens exist. But this issue
is very complicated. There are risks as industrial espionage and idea stealing.






70
10.5 CEO
On the 6
th
of April 2010 we interviewed a CEO at an IT company. The interview lasted for 30
min and the interview was conducted in person. The interview was semi-structured and the
questions we used to establish a theme was the ones in section 17.1.
1. What is your position in the company?
CEO at an IT company.
2. What are your first impressions of Cloud Computing?
Necessary. It is not possible to move to next level of business with the old way of handling.
Because we don`t ha·e enough resources or money to spend on IT in the companies. We need to
have Cloud solutions and it is also easier to apply best practices in the Cloud. It is like with the
importance with internet. Terminals back in 1984 connected to a mainframe. Then you could not
afford personal computers.
From a technical perspective it is more complex to have it in the Cloud. But you get so much
more power and functionality with the Cloud.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
We are not supplying Cloud solutions. We have many systems in the Cloud. A company runs all
the finance for us. When I look for suppliers I`m not only looking for one. But I did not look for
solutions abroad, I prefer to have it in Sweden.
4. What are your top three concerns with Cloud Computing?
Top concern for Cloud is trust. Accessibility is second. Right now I am storing everything on my
computer, even though I have it in the Cloud. This is because I travel a lot and need access to the
information all the time. Maybe in the future when the accessibility is better I will only have it in
the Cloud. It`s not the computer power that will change in the future. It is the speed and
availability of connectivity. If we understand the strategy of Cloud, it`s easier to adapt to it.
5. What risks do you consider to be in the top three with Cloud Computing?
Business model, that you are not able to make profit of it. If you not make profit, the
development will not increase.
Then of course the trust and intellectual property. Secret information cannot be placed in the
Cloud. In most countries you are not allowed to keep your book keeping outside the country.
That means that the information needs to be stored locally. Legislation is definitely not updated
for the Cloud.
6. What are the major advantages of Cloud Computing that your company can benefit
from?
Speed and flexibility. That you can increase the business efficiency and development.
7. What business process would your company be willing to relocate into the Cloud? Is
there any part that you wouldn`t mo·e to the Cloud?
Not for me. But I am not representative in that perspective. People think it`s more secure if you
have it on your own laptop. If you travel it`s the most insecure place for information. You have a


71
lot of information on your phone today. Your information is more secure in the Cloud. It`s an
illusion that it is more secure on your laptop. Big files are however a problem with the Cloud. But
with the technology today it shouldn`t be a problem.
Using Cloud as a backup is more secure. It's a question of privacy. But ií you`re honest, why is it
a problem with the Cloud?
8. What would be the security issue with relocating to the Cloud?
It`s saíer in the Cloud. Where is it more secure? That is something that you have to evaluate.
Where is the weak link? Devices as laptop and cell phone certainly are. Is storing or using
information my concern. What is the long term strategy on this?
9. Do you review your SLAs properly, and how?
No. I just expect that everything should work, all the time. The competition will be about the
SLAs. If you a have poor SLA, you will very quickly loose the competitive edge.
10. What areas of the SLA does your company mainly focus on?
It`s not uptime, which is obvious. It should just be there just as with announcement of downtime
etc. The physical support is important, where I can get someone on the line to talk to me. You
don`t want to email somebody when something goes wrong. Then we have an issue with the
service area. It is not only technical issues with Cloud, it is a matter of service as well.
11. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
I ha·en`t thought of it, because I don`t calculate that way. But it is always a part of it, you have to
realize that.
12. What type of Cloud deployment model would your company be interested and why (e.g.
public, private, hybrid and communities?
In the past I was a big fan of private internet. We didn`t want to be public with our information.
Because of more security. But it`s better, more efficient, faster and in the long run probably more
reliable if it is in the public. The damage is much higher if something goes wrong in the Cloud.
13. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
Security, behavior, educate people that they need to think about security. Stop using secret` as
our normal password and so on. Communication and education.
14. How can one solve the accountability that arises with Cloud Computing in your opinion?
If you are a small player, it is maybe a lower cost but higher risk. If you are doing things that you
can`t stand up for, is that Google`s fault? Cloud is not a new service, it's a new behavior.
15. How does your company evaluate trust?
For me trust is more than everything else. I use a combination of applying best practices,
references, and reputation.


72

10.6 CIO II
On May 15
th
2010 we interviewed another Computer Consultant at a distribution company. The
interview lasted for 40 min and the interview was conducted via teleconference. The interview
was semi-structured and the questions we used to establish a theme was the ones in section 17.1.
1. What is your position in the company?
CIO
2. What are your first impressions of Cloud Computing?
The term itself, Cloudy concept. Hyped up market term
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
Ownership of the actual data and the Cloud
4. What are your top three concerns with Cloud Computing?
Interruptions of service control, will the provider notify you if there is an issue with your Cloud
or do you have to keep track of it yourself. The other risk are stealing information, and SLA`s
5. What risks do you consider to be in the top three with Cloud Computing?
My biggest concerns are the actual integration between the different Clouds and business units.
Also, another issues that I see are Intellectual property of the data, security.
6. What are the major advantages of Cloud Computing that your company can benefit
from?
Scale of economy, and being able to use the different experts from vendors.
7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not? Have a partial Cloud internally
8. What business process would your company be willing to relocate into the Cloud?
I view that the non critical business processes like ASP solutions, salary systems and supporting
systems can be moved to the Cloud.
9. Do you review your SLAs properly, and how?
We review the SLAs very extensively by sending them to our lawyers and IT departments for
them to review and discuss the items that they dislike.
10. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
We evaluate from an acceptable loss perspective by the sense that we see the cost of downtime,
and data loss.


73
11. What type of Cloud deployment model would your company be interested and why (e.g.
public, private, hybrid and communities?
Most likely private but very confident about moving core business processes to the Cloud.
12. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
It is important to have a face to face meeting with the vendor to provide confidence and to get a
secure feeling from the vendor to be able to develop a long lasting relationship
13. How can one solve the accountability that arises with Cloud Computing in your opinion?
This is a challenge because we have three members we meet monthly to have discussions on how
the partnership is going. I don`t want the other members get used to us and continue thinking
that we will always come back to them. We want them to work for our partnership. Also, having
a modifiable SLA so if something does change all of us can sit and discuss the new changes. It is
important to establish a balance between the customer and the vendor. If the power becomes
unbalanced to the vendor can change its view and the customer has to except it, example
Amazon said no to the IRS when asked to do a C&A risk assessment,
14. How does your company evaluate trust?
We review the references, size, history, reputation, performance of the company to build a
partnership. We evaluate different vendor that fit our requirements and conduct meetings with
the vendor. It is a six month process that requires plenty of planning and meetings to build the
relationship.

Title: Author:

Cloud Computing: -Security Risk, SLA and TrustWilliam Ambrose Samuel Athley Niclas Dagland Wolfram Webers 2010 06 07

Tutor: Date: Keywords:

Cloud Computing, Security Risks, Service Level Agreement, Trust, Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service ______________________________________________________________________

Abstract
With Cloud Computing becoming a popular term on the Information Technology (IT) market, security and accountability has become important issues to highlight. In our research we review these concepts by focusing on security risks with Cloud Computing and the associated services;; Software, Platform and Infrastructure (SPI) and connecting them with a social study of trust. The method that was conducted during our research was reviewing secondary literature, interviewing different experts regarding Cloud Computing and relating standards already established by ENISA, NIST, and CSA to the interviews. The result of this study shows connections between the specific SPIs, both how they compare, but also how they differ. In the end we were also able to rank the top security risks from interviews with experts and see which SPI could be the most insecure one and what countermeasures could be applied. This was further related to trust and Service Level Agreement (SLA) in Cloud Computing to show how the security risks we discuss are related to these two specific areas. By highlighting this we wanted to present useable information for both clients and providers in how to create a better Cloud Computing environment.

i

Acknowledgements
First, we would like to thank the instructors that provided help and guidance during our research, without them we would have veered off the path. Wolfram Webers: For providing us great insight and steering to ensure that we stayed on path during our research, we thank you. Ulf Larsson: Provided us with valuable information and multiple articles in our research which we were very grateful to receive. Jörgen Lindh: Helped ensuring that our thesis was properly structured and provided a different perspective in our thesis and for this we express our appreciation. Projectplace.com: We thank you for allowing us to use your platform during our research. We found the platform most helpful when documenting our work. We would also like to thank all of the people that participated in the interview which helped us in our findings and providing us with valuable information. Further, we would like to thank each individual member of the group who made this research possible and memorable.

ii

.......5............ 33   Research approach ....................................................................................................................................... 25   Security ......................................................................... 8   Research philosophy ............................................................................................................................................................... 10   Cloud Computing .................................... 21   Multi-tenancy ....................2   3............................................................................................................... 13   Software as a Service........................................... ii   1   1...............................3   3............................................................................ 35   Validity .............................................................2   2....1   2....10................... 17   Infrastructure as a Service ....................................... 11   Cloud Computing Characteristics .....................................................................10   3..................................................................................................................................................7   3.................................................13   3........ 31   4   5   5.....................................2   1.....................................................2   5.......................................................1..........Table of Contents ....7...............................1   3.................................1.........1   3................................................................. 8   Ontology .......................................................................8   3.......................................................10.................................1   3............1. 5   Delimitation............................................... 27   Security risks tied to information security .............................................................1   2.....6   Introduction ..3   1.............................4   1........1   3................................................................................................................. 22   Separate Database.....................1   3.........................................................................................................................2.............2   Research Questions ................................1   1...................................................................................................................................................................3   3......................................................... 9   Axiology .............................2...................................... 28   Trust ...........................................................................................6........................... i   Acknowledgements ................ 6   2   2........................... 5   Definitions.................................. 2   Problem ....................................5   3..... 14   Division of Responsibility in SaaS ............ 35   iii ............4   3........................................... 23   Service Level Agreement .............. 22   Choosing an Approach ........1   3.. i   Abstract ..1   5.. 33   Credibility...............................................2   3.......................... 23   Risk definition .... 10   Cloud Computing Overview model ............................... 9   3   3............ 22   Shared Database and Shared Schemes ......................................................................................10.........................................1   5....................9   3................11   3........................................... 8   Epistemology ....... 20   Cloud Computing Vendors Model ................................ 4   Purpose ..................... 12   SPI Overview Model .................. 22   Shared Database and Separate Schemes .............. 33   Method .................5   1....... 16   Division of Responsibility in PaaS ........ 35   Reliability ........................14   Theoretical Framework ...................................................................................................... 15   Platform as a Service ..................................... 19   Cloud Deployment Models .........13.................... 18   Division of Responsibility in IaaS ....................................3   Methodology ......................4   3.......................................................10........ 1   Background ..........6   3............ 5   Perspective ...................................12   3............

..................................4.1   7.............................5........... 39   Security Risks...................................................................................................................................................1   6..........3   7...... 66   Computer Consultant................................... 56   Future research proposals..3   6........................1......................... 54   Discussion . 37   Senior Business Consultant Interview Summary ............................. 50   Quality of Service ..........................1   9....................................1   7.............. 36   Analysis Method .......................................................................................3   5.................................... 38   CEO Interview Summary ............................... 41   Amazon .............................. 40   Security Risk List .......................6   IT-Consultant .................. 49   Is trust important? ............ 56   10   References........4.. 38   Computer Consultant Interview Summary .. 60   10..............................3   6....................................................................................... 36   6   6........................................ 55   Critique of method ...........1   7.........2   7.......................6   6.3..............3   10.......................4   10.......................................................... 60   Appendix 2 Interviews with experts ..............................................3.............................. 45   Major security risks within Cloud Computing .....2...........6.............................. 60   Senior Business Consultant ................................................................... 39   CIO II Interview Summary ........ 68   CEO.......3...................... 45   Clients expectation of SLAs in regarding security ..........6................................1   10..........................................................................................6...........................................6.........................1   6................2   Conclusion ....................1   6............................5   6................2   6..............................................................................3   7..............................................................................5   10..............7   Empirical Findings.. 41   Microsoft .................................................2   6..........................................1   6....................................................................................2   6............................................................... 47   Trust related Security Risks in Cloud Computing ...................... 57   Appendix 1 Interview Questions ................... 42   Security Risks................................ 51   Provider ..................................2   7...................... 42   7   7..................3.............................................. 72   iv ............................................................... 49   Security risks associated with trust in Cloud Computing ......... 41   Google Apps ...... 52   8   9   9.............................. 37   IT-Consultant Interview Summary ..................................................4   Analysis .......................................................................................1   7.4   Interview questions ...................................... 64   CIO I ............ 40   SLA summaries ..........................................................................2   10....... 51   Ownership ............. 43   6..................................................................... 38   CIO I Interview Summary ..................1   Google App Engine ...........................................................................................................4   6.................................................... 70   CIO II ............................................................................................................................................................................. 52   How to avoid security risks associated with trust? ....5..............

.........47   v ..........................................................17   Table 3...1 Division of Responsibility in SaaS ...............1 Cloud Computing Overview Model ...............21   Figure 3.........................................4 Security Risks tied to Information Security ..............5 Reputation ....................30   Table 6.....55   List of Tables Table 3.........44   Table 6.3 Security Risks from Interviews ..................................1 Security Risks ....................19   Table 3............Reciprocity > Net Benefit (Mui..................1 Cloud Computing Triangle .............................................Trust ........46   Table 6...13   Figure 3 3 Cloud Taxonomy Model ..........................................................................................3 Division of Responsibility in IaaS ..................15   Table 3.....................................2 Interview Security Risk Analysis ........2 SPI Overview Model........................11   Figure 3......32   Figure 9............................................................................. 2002) .......List of Figures Figure 3.........................................................................2 Division of Responsibility in PaaS .........

issues regarding security has been raised. the European Network and Information Security Agency (ENISA) published a report called Benefits. On November 20 2009. It is described as the future and that everyone should move into the so called Cloud. Due to this new buzzword Cloud Computing. risks and which gives a detailed description of the security risks and benefits of Cloud Computing. and Infrastructure as a service) and the associated risks. Cloud Computing is d "as a Service" using These definitions will be a guide through the research as they help to understand what type of information is focused upon. The research focuses on technology in Cloud Computing (SPIs Software. There are many different definitions for Cloud Computing which has created confusion about what this phenomena really is. ENISA is a European Union (EU) agency that works with aiding and giving recommendations concerning issues related to network and information security.1 Introduction On the information technology (IT) market there has emerged a new buzzword called Cloud Computing. Web SLA and Cloud SLA Trust 1 . Forrester defines Cloud in their article as: In the article Cloud Computing will be as influential as Edefined as: Internet technologies by Gartner. The areas we will go through in this research are listed below: Cloud Computing Cloud Deployment Models Cloud Computing Characteristics SPIs and associated Security Risks Service Level Agreement (SLA). Platform. For this research two definitions has been selected which are stated below.

are providing applications that are good enough to compete with in-house developed solutions that are costly and hard to (Computer World. One important factor that has made Cloud Computing popular is the fact that the experts within the field of IT solutions. The three main Cloud Services that we will present in this thesis are the ones below. but also with new business models. Amazon soon followed in 2002 with their Web service and after this more followed expanding Cloud oriented solutions from only being applications. to also include Platform as a Service and Infrastructure as a Service. available on-demand. (ENISA. but it would take time for Cloud Computing to reach out into the world. articles.; Software as a Service (SaaS): is software offered by a third party provider. 2010). In newspapers.com is an example of SaaS which provides the customer with a web based Customer Relationship Management solution.1.com that revolutionized how we use solutions connected to the Internet. Examples are Microsoft Azure. Salesforce.com is an example of a PaaS and provides a platform to build multi-tenancy applications. NIST and CSA. important security issues arise as this phenomenon we call Cloud Computing continuously evolve and becomes more of a business model and solution. Examples include online word processing and spreadsheet tools. John McCarthy was one of the first to propose utility consumption and payment in the context of Computers and IT (Wikipedia. Terremark Enterprise Cloud.R. J. and an example of that is Amazon S3. 2 . 2009) Platform as a Service (PaaS): allows customer to develop new applications using APIs deployed and configurable remotely. configuration management. It was in 1999 with the arrival of Salesforce. (ENISA. we link Cloud Computing with fuzziness and hype. Other than these three there are other types of -as a services and clients buy and use them over the internet and do not need to allocate physical or virtual space for it is being offered as a service over the Internet. In the introduction we presented two definitions for Cloud and Cloud Computing. According to Computer Weekly and an article about the history of Cloud Computing published in 2009. (ENISA. The emergence of Cloud Computing has also introduced interesting results regarding predictions of how IT would be in the future. The information about what Cloud Computing consists of is mostly derived from ENISA. increase of bandwidth enabled new possibilities for Internet based solutions and a more globally connected world. usually via the Internet configurable remotely. Force and Google App engine . Examples include Amazon EC2 and S3. In our research about Cloud Computing we have viewed this emerging technology as something that has evolved from previous solutions.1 Background In present day. 2009) Infrastructure as a Service (IaaS): provides virtual machines and other abstract hardware and operating systems which may be controlled through a service API. CRM services and web content delivery services . such as Microsoft.C. deployment platforms. 2009) These types of services are mature and have been provided by service oriented companies before Cloud Computing. Before him in 1961. interviews and other sources that we present in this work there are a general attitude that Cloud Computing is very new even if the technology is old. The characteristics of Cloud Computing can be seen in the networking solutions of grid computing and distributed systems and the online part of Cloud Computing can also be found in Application Service Providers (ASPs)(Computer Weekly. visions about the future are quite similar to our concept of the Cloud. Windows Live Skydrive and Rackspace Cloud . The platforms offered include development tools. Licklider shared his vision of an intergalactic computer network where people would be globally connected. In 1969. emerging markets and new IT solutions. or Software as a Service. 2009). each with a definition from ENISA. Force. IaaS is more complex and gives more control over the hardware. 2009).

The primary data was gathered from experts in the field via interviews. Examples of security risks from ENISA (2009) are: Data protection Isolation failure Management interface compromise Insecure or incomplete data deletion Malicious intruder Even if there seem to be numerous threats. In this thesis we discuss security risks that we have found from ENISA. For us it is very interesting to see fruition of old visions being realized because of evolution in IT. smart scaling of resources Audit and evidence gathering Throughout this thesis we will review different security risks with Cloud Computing in a general context and then focusing on linking those risks with a client perspective.With Cloud Computing. and examples of these are: Benefits of scale Security as a market differentiator Standardized interfaces for managed security services Rapid. CSA and experts we have interviewed. ENISA also identifies benefits with Cloud Computing. We may provide benefits with Cloud Computing as we stated above. 3 . new challenges has emerged and among them we consider security as the most important one. articles. NIST. but the main focus is on the security risks. magazines and web publications such as blogs. The empirical data used for this research is from secondary literature such as books.

Research questions. we have looked into three big publications from three respected groups to get a good understanding of security risks and Cloud Computing itself. To understand which security risks are associated with Cloud Computing from a client perspective. is entirely up to the client signing an agreement with the provider. but not because we seek to alarm people not to use Cloud Computing. but rather because we want it to evolve into to what it could become in the future. or should work. However. Security risks could arise with letting someone doing that. we decided to focus on this particular theme in our thesis. Social? These questions are quite general and we will present more specific research questions in section 4 . This is one of the reasons why it is important to know about security risks in the context of Cloud Computing. and we believe this will evolve to a very good solution for clients who lack the in-house knowledge to solve their problems on their own. we used interviews with experts to gather more information for the research. 4 .2 Problem The new emerging concept of Cloud Computing has created an intriguing buzzword for old technology. Clients are now starting to look towards the Cloud to see if this is something for them.g. From the discussion. numerous questions could be asked. This is the reason we feel it so important to look at the security risks before investing into the Cloud. The extent to how much a Cloud Provider.1. What are the security risks with Cloud Computing and the associated technologies? o Are there other implications with Cloud Computing in addition to the technology e. and could therefore be said to be preliminary research questions that the reader should bear in mind while reading the thesis. risks can appear because of negligence of understanding Cloud Services and its legal documents. What could be a frightening fact is that the client could give up control to a provider of information and processes vital to the organization. Next. within Cloud Computing. as with any new technology. we want to prove that Cloud Computing does have security risks. If one does not know what security risks can be associated with Cloud Computing.; a very good solution to problems when a client does not have the skills to solve a specific problem on their own. Cloud Solutions main focus area another company that have deemed it beneficial to let the experts handle their IT. In this thesis. It could also prove to be harmful to not know how the process of selecting a provider works. handles. as with both web services and outsourcing. The idea of experts providing their expertise for a fee sounds very interesting.

1. Software as a Service (SaaS) might be beneficial to some clients due to the financial limitations. altered. With this research. All the SPIs have security risks and this research should provide a guide on what security risks that exists and help a client put pressure on providers to reduce these security risks. Also.4 Perspective For this research we will be looking at the problem from a client point of view to show what the potential buyer should look for in a vendor that provides Cloud Computing or Cloud Services.5 Delimitation The focus in this thesis are on security risks with Cloud Computing and the technology that build up Cloud Computing. Instead we will use qualitative data to gain insight and see what the main concerns could be if a client may consider to move to the Cloud. 5 . Clients should understand that their information is vital which is why they should review the recovery process if their data is accessed. 1. this will enable an understanding to most clients about which SPI would benefit them the most. clients should be able to make a more sound decision whether or not to make this type of investment. We will not focus on benefits in our analysis even though we have presented a few where we talk about Cloud Computing in general. 1. but larger companies may look into Infrastructure as a Service. With this ever-growing catchphrase of Cloud Computing most companies may start looking to the Clouds for possible options. The raw data that we will gather will be qualitative which means that we will not put focus on gathering a wide variety of sources to be able to generalize with statistical data. There are more kinds of service solutions but we will only consider the SPIs mentioned earlier.3 Purpose The purpose of this research is to clarify the security risks that clients could encounter with Cloud Computing. the three SPIs. or lost. One way of doing this is to bring forth the importance of trust in the context of negotiation of SLAs with a Cloud providers. We selected this view as we think it is more important to help potential clients to understand what Cloud Computing could be and what security risks that may be involved in different perspective we could bring new insights to the table and help clients in what they should know and what they should expect from providers when entering agreements. The technical focus will be the SPIs which we will methodically review to show how they differ and compare against each other and potential security risks. It is important for a company to understand how their data is handled and how confidential it will remain due to the fact that it will be on the Internet and can be accessed globally. This will be achieved through semi-structured interviews with experts.

An ASP (equipped with all required software.1. The hypervisor manages the system's processor. by corrupting its stored data or disrupting its normal functions with a denial of service attack. (Businessdictionary.com) Information Security Safe(Businessdictionary. (Webopedia. and other resources to allocate what each operating system requires. hardware. 2008) Flexibility Ability of a system. (Businessdictionary. 2006) Cloud (Bouchard & Sankar. An API also provides an interface that allows a program to communicate with other programs.com) Distributed system Computer networking scheme in which several inter-connected systems service their local needs and use their idle or spare capacity to attend to common workload.com. running in the same environment.com) Hypervisor In virtualization technology. for a fixed monthly fee or usage based charges. (Businessdictionary.6 Definitions Application Programming Interface (API) Collection of software routines. and tools which provide a programmer with all the building blocks for developing an application program for a specific platform (environment). memory.com) a Service" using 6 . such as a manufacturing process. 2009) Cloud Computing (Gartner. protocols. The data generated by those programs can either be stored on the customer's computer or on the disk space rented out by the ASP on its storage devices. hypervisor is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system. Hypervisors are designed for a particular processor architecture and may also be called virtualization managers. to cost effectively vary its output within a certain range and given timeframe. and trained employees) guarantees trouble-free availability of the application programs on a continuous basis. Customers use the programs they need. (Businessdictionary. (Businessdictionary.com) Denial of Service (DOS) Deliberate attempt to thwart authorized users' access to a computer system or website.com) Application Service Provider (ASP) Firm that sells usage of computer programs via internet.

e. Terremark Enterprise Cloud.com. Examples include online word processing and spreadsheet tools. clustering. usually via the Internet configurable remotely. a good or service). (Businessdictionary. deployment platforms. Scalable systems employ technologies such as automatic load balancing. Windows (ENISA. available on-demand. configuration management. 2009) Software as a Service s software offered by a third party provider..com) Lock-in Vendor lock-in. CRM services and web content delivery services. 2006) 7 . Force and Google App engine.com) Scalability le proportionally very small to very large usage and service levels almost instantly. and parallel processing. It may be caused by (1) gaining unauthorized access to stored information. expressed as an aggregate of risk. or (3) introduction of false information to mislead the users or to cause incorrect system behavior (called spoofing) (Businessdictionary. (Businessdictionary. or reliability. (ENISA. or just lock-in. performance. (Linux Information Project. and cannot move to another vendor without substantial costs and/or inconvenience. The platforms offered include development tools. or products. 2009) Platform as a Service lop new applications using APIs deployed and configurable remotely.com) Security (Thefreedictionary. is the situation in which customers are dependent on a single manufacturer or supplier for some product (i. consequences of risk.Infrastructure as a Service abstract hardware and operating systems which may be controlled through a service API. Examples are Microsoft Azure. (2) denial of service to the authorized users. 2009) Threat (Computer Security) Action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its known or unknown vulnerabilities. and with no significant drop in cost effectiveness. and the likelihood of the occurrence of the event. 2009) Risk (1) Indication of an approaching or imminent menace. (ENISA. Examples include Amazon EC2 and S3. functionality. (2) Negative event that can cause a risk to become a loss.

we have the positivist and the interpretive assumptions. We will conduct semi-structured interviews with several different people and the results will differ because of different viewpoints. Due to that. It also helps researchers understand how the researcher came to their conclusion by describing what personal beliefs and assumptions the researcher had while conducting the research and collecting the data..; we are more concerned with finding meaning with the reality we are investigating. As a positivist you will be: similar to those produced The interpretive stance advocates: (Saunders et al. (2007). 2. So it is important to realize that the research itself is affecting the reality that is being investigated. The positivist is concerned with that valid knowledge is data that can be observed and measured. 2. we do not think that law like generalizations can be created for individuals. experiences and world views by the people. 2007) In other words it highlights the importance to differentiate between making research among people and other objects. In the epistemological philosophical branch. 2007) -like generalizations 8 . epistemology is concerned with what is considered acceptable knowledge in a field of study. (Saunders et al.1 Epistemology According to Saunders et al.2 Methodology In this section we are going to bring forward what scientific approach we took in our research and what methodology we applied to the work within this thesis. The area of Cloud Computing is still fuzzy and it is the users who will form Cloud Computing to what it is going to become..1. The following discussions are comprised of what approaches this thesis is taking regarding research philosophies. We are not trying to measure the reality.1 Research philosophy Research philosophies are a help to guide researchers in their work by helping them understand how they and other researchers approach their work. Our standpoint is within an interpretive viewpoint because we think it is important to differentiate between each individual.

The aim of this thesis is to provide knowledge about security risks with Cloud Computing.1. and this would be of value for both the researchers and others that are considering moving into the Cloud environment. determines which type of data collection techniques are chosen. (Saunders et al. It includes objectivism and subjectivism where the objectivist is concerned with that: . we argue that you have to be involved in that reality by being subjective. It means among others that the philosophical approach taken.. you may not be able to understand the reality to its full extent and what is actually creating the reality. 2007) while the subjectivist holds that: social phenomena are created from the perceptions and consequent actions of those social actors concerned with their (Saunders et al.2 Ontology Ontology is about what the nature of knowledge is.1. In Saunders et al (2007) Axiology is: 9 .3 Axiology . Conducting semi-structured interviews would add more value to the results by allowing more in-depth discussions. the knowledge created might be biased by the fact that the researcher is directly involved with the reality. By observing it objectively. 2007) To understand and to be able to correctly observe a reality. On the other hand. 2. This research will mainly be subjective by being in contact with both providers and clients in the Cloud Computing environment. by being subjective..2. but still relying upon a foundation consisting of carefully evaluated questions that aims at answering the research questions.

com agrees on this and calls it -tenant data centers offering organizations an alternative way of building. Ability of a system. and parallel processing Flexibility is the other reoccurring phrase when one talk about Cloud Computing. performance. Before we move on from specific Cloud topics we will also present a model that shows different services for the SPIs and who is offering them. (Businessdictionary.com. and the infrastructure are separated (CSA 2009).1 Cloud Computing In this section we will talk about Cloud Computing more generally before we move into each SPI more deeply. functionality. to cost effectively vary its output within a certain range and given timeframe. ENISA (ENISA 2009) describe Cloud Computing to be highly abstract. and with no significant drop in cost effectiveness.com) 10 . We will then present information regarding three kinds of SLA. or reliability.3 Theoretical Framework In this section we will present background information about Cloud Computing that will be used throughout the thesis as a cornerstone on what Cloud Computing and its associated security risks are about. CSA calls Cloud Computing an evolving term and add information separation to the picture. First we will introduce Cloud Computing and characteristics of Cloud Computing. To understand what we and our sources of information mean when we say scalable and flexible we thought it would be a good thing to add two more definitions to this thesis. information sources. Then we will present the three SPIs and after that we present different Cloud deployment models we have found and multi-tenancy. such as a manufacturing process. clustering. and we decided to use a definition from the same website as we found the definition for scalability. That means that applications. Scalability in the context of a system can be defined like this: usage and service levels almost instantly. business dictionary. This will give the reader an overview of what Cloud Computing is and the technology it consists of. OpenCrowd. 3. followed by our topic on security and counter measures then we will discuss the topic of trust. Scalable systems employ technologies such as automatic load balancing. After that we will present risks from ENISA. We will also present definitions and explain key concepts that will help the reader to understand our train of thought. CSA and NIST. scalable and flexible where resources are shared and fees are determined by the usage. for flexibility. deploying and selling IT services at a significantly lo and we can begin to see key patterns in the characteristics in the Cloud. On-demand Broad network access Resource pooling Rapid elasticity Measureable These characteristics will be explored later in the text in the paragraph Cloud Computing characteristics. CSA also adds the collaboration perspective to the picture that comes with virtualization and flexibility.

2 Cloud Computing Overview model This model was presented by National Institute of Standards and Technology (NIST) to create a conceptual model of what they believe Cloud Computing includes. security risks and trust. The reasons for using this model in the thesis are because this model summarize what we believe Cloud Computing to consist of. 11 .3.1 gives an overview of how we will present information regarding Cloud Computing as we will start at the top with characteristics and end with Cloud deployment models before we look into SLAs. Figure 3.1 Cloud Computing Overview Model The figure 3.

without requiring human interaction with a service provider. and virtual machines. but may be able to specify location at a higher level of abstraction (e. storage. controlled. Measured service.g. bandwidth.. s using a multi-tenant model. with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. country.g. network bandwidth. laptops. There is a degree of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.3 Cloud Computing Characteristics NIST offers a list of components of what comprises Cloud Computing. mobile phones. Examples of resources include storage. state. and PDAs) as well as other traditional or Cloud based software services. On-demand self-service. processing. memory. (NIST 2009) Rapid elasticity. Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e. Even private Clouds tend to pool resources between different parts of the same organization. A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically. To the consumer.g.3.. the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. Capabilities can be rapidly and elastically provisioned in some cases automatically to quickly scale out. or active user accounts). processing. or datacenter).. and reported providing transparency for both the provider and consumer of the service. (NIST 2009) Resource pooling.; and rapidly released to quickly scale in. (NIST 2009) 12 . Resource usage can be monitored. (NIST 2009) Broad network access.

4 SPI Overview Model The Figure 3.2 SPI Overview Model 13 . Figure 3.2 was presented by CSA (CSA 2009) and we present it to give the reader a conceptual aid in different SPIs that we will discuss in the following paragraphs.3.

According to ENISA. Where the application is placed in the maturity level depends on business. Lock-in is defined as: Vendor lock-in. certain security risks have a high impact on SaaS and other SPIs and clients must understand the impacts. is the situation in which customers are dependent on a single manufacturer or supplier for some product (i. and cannot move to another vendor without substantial costs and/or inconvenience. in his article Top 10 SaaS Traps. By understanding where the application should be in the maturity level it will also help in deciding if a client really needs Software as a Service. multi-tenant efficiency. SaaS has become very popular within the IT world due to its ability to be flexible and not require as much of IT knowledge. not many service providers of SaaS offer an SLA or might even charge for the SLA. According to the website MSDN and the authors Carraro & Chong (2006). One risk that effects all of the SPIs is Lock-in. usually via the Internet configurable remotely. SaaS architectures have become four different levels of maturity based on three different key attributes configurability. According to Hoffman (2006). etc) (ENISA. and scalability. operation needs and on customer considerations. 2009).e. available on demand. Configurable. Multi-tenant Efficient: The vendor runs a single instance that serves every customer that provides a unique user experience and feature set for each one.. Level 4: Scalable. CRM Services and web content delivery services (Salesforce CRM. Multi tenant Efficient: At this level the vendor handles multiple customers on a load balanced farm of identical instances. It is now very important that a customer does in fact ask for an SLA or locate a different vendor that will provide one. Level 1 Ad-Hoc/Custom: This level requires the lowest level of development effort but offers the lowest level of offers. with each rated. Google Docs. architectural. (The Linux Information Project. a good or service).3. platform. The disadvantage with this level is that the scalability is limited. At this level each time that the application is run it creates an instance on the server of the provider. This service is customizable to fit the consumer and the provider controls the infrastructure. or products. It differs from level 1 by all instances use the same code and the vendor meets customers needs by providing detailed configurations options.5 Software as a Service According to ENISA Software as a Service (SaaS) is: Software offered by a third party provider. and application. 2006) SaaS providers develop the different applications that are tailor made for that customer which does bind the customer to that provider. Level 3 Configurable. Examples include online word processing and spreadsheets tools. Level 2 Configurable: Second level of maturity host a separate instance of the application for each customer. 14 . It is important to understand that the last level is not always the desirable place to be. or just lock-in.

com has listed these benefits to SaaS (which may be biased): High Adoption: Applications that are available anywhere from any computer or device Lower Initial Costs: Subscription based payments and no license fees Painless upgrades: Provider manages all updates and upgrades Seamless Integration: Vendors that are multi-tenant architectures can scale indefinitely to meet customers demand 3.1 Division of Responsibility in SaaS 15 .5. Table 3. The reason for this.1 Divisio n of Responsibility in SaaS In this division of responsibility we will focus on how customers and managers should work within an SaaS environment. does not mean it is right for you.There are multiple benefits in deploying SaaS but just because you can. there needs to be a clear definition and understanding between the customer and the provider of securityrelevant roles an The result of this should be a clear understanding of the roles and responsibilities customers and providers have to one another. Salesforce. With the economy in a downturn clients are looking for a better solution for their IT issues and be able to make a quick return on their investment. is incidents. according to ENISA.

It can be seen as a web hotel where a company or individual can develop and deploy a web site and make it available through a web browser.techtarget. Lower risk without the need to build up an infrastructure for the development. 2010) PaaS increases in other words the risk of lock-in if the service provider uses proprietary service interfaces or development languages. Therefore applications that are developed on a specific platform.com 2008) PaaS however. By signing up for a PaaS you can instantly start with developing the programs you want and get results.com (Rådmark. Overall.salesforce. Lower costs because of not having to acquire the needed equipment and only pay for what you use. you will be able to lower your costs significantly. For example. and as mentioned. A few that www. PaaS can give the possibility to configure and update the operating system (OS) that is used for the platform. Also. (Whatis. No more software upgrades patching and upgrading of the system is handled by the PaaS provider as well as regular system maintenance. the risks are lowered when it comes to investments. 16 .com that uses Apex as a development language. The platforms offered include development tools. ENISA defines PaaS as following: llows customer to develop new applications using APIs deployed and configurable remotely. configuration management. mostly offers more configuration possibilities than a web hotel. The web hotel provides access to different tools and the possibility to configure the platform. Providers of PaaS have also listed a set of other benefits of PaaS which may be biased. The type of applications that can be run on the platform is limited to what OS and development language the PaaS vendor offers. PaaS is seen as a platform where software can be deployed and configured and made available through a web browser.NET and PHP that can be used to develop the web site.com lists are: Faster results the need for acquiring and setting up the infrastructure you need to be able to developing software is gone.6 Platform as a Service PaaS is the layer in between where you not only get access to the software. PaaS has some main benefits such as scalability and flexibility. Examples are There are still different opinions about what PaaS is. Simplified deployment the software developed can be made available instantly through the web. which the web site is running on.3. The web hotel is usually supporting a set of different web development languages as for example ASP. cannot be moved to another platform because of Apex being specific and limited to the platform by Force. The application that is made available does not require any installation or the need to download anything to the computer for the user that wants to access it. What is not included is the control of the actual infrastructure that the platform is running on. but also the underlying platform which the software is running on. before the developers do not need to worry about the infrastructure and can thus focus on the development. more advanced applications than just a web site can be developed and run on the platform. deployment platforms. as with Force.

there needs to be a clear definition and understanding between the customer and the provider of securityrelevant roles and respons The result of this should be a clear understanding of the roles and responsibilities customers and providers have to one another. according to ENISA.6.www.1 Divisio n of Responsibility in PaaS In this division of responsibility we will focus on how customers and managers should work within a PaaS environment. is incidents. 3.com lists some as: Minimize operational costs because you only pay for what you use you do not need to worry about servers standing unused and you do not have to worry about maintenance costs. Zero infrastructure the only equipment you need to start using the Cloud is a computer that is hooked up to the Internet. Table 3.zoho.2 Division of Responsibility in PaaS 17 . Integration with other web services the Cloud provider will have to have more standardized interfaces to be able to offer a complete interface that can be integrated easily with other web services. The reason for this.

air conditioning. In this thesis we agree on this. ENISA. It generally includes redundant or backup power supplies. Management systems o Monitoring systems to manage onsite and offsite In a more technical aspect. redundant data communications connections. environmental controls (e.includes o Enterprise servers: is a computer system that provides essential service across network.. Windows Live Skydrive This definition will be used in this thesis to identify security risks and threats with IaaS. the scalability of IaaS could be said to offer building blocks (Opencrowd. 2009) can be increased or decreased depending on the pressure of the system and you pay for what you use.7 Infrastructure as a Service Compared to SaaS and PaaS that focus on being as virtual and service oriented as possible. Examples include Amazon EC2 & S3. storage networking and security (Lew. to private users inside a large organization or to public users via internet o Storage: comprise computer components and devices that records. Benefits associated with IaaS are according to GNI. but we also consider all three SPIs to be part of the Cloud and Cloud Computing.com) on which a client can have a customizable infrastructure. Terremark Enterprise Cloud. Using IaaS as a foundation. Because of the focus on computing.g. and more neutral sites focusing on academic articles about Cloud Computing.3. European Network and Information Security Agency define IaaS as: rovides virtual machines and other abstract hardware and operating systems which may be controlled through a service API. there are people who find IaaS to be true Cloud Computing while the other SaaS are considered Cloud Services. As Cloud Component can be decomposed into the three different SPIs. which means that CPU. IaaS also focus on computing. o Network: is a collection of computers and devices that communicates through channels that facilitates communication among users o Security devices: Devices and applications to provide a secure environment for your organization Facilities that house. The article The Rise of Service Oriented IT and the Birth of Infrastructure as a Service (Leach 2007) concludes that IaaS consists of three major components: Equipment . Benefits that we have discovered have been found on vendor sites. saves and store media and data for an organization. fire suppression) and security devices. you can add the other as a services that are available and keep building on your virtual environment.com (2009) are: 18 . such as telecommunications and storage systems. The building blocks are scalable. IaaS can also be decomposed into components. and to assess them in the context of clients to determine what clients of Cloud Computing and IaaS should know and expect from their Service Providers (SP) in terms of Service Level Agreement (SLA). protects and powers equipment o Data centers: is a facility used to house computer systems and associated components. which could be biased. memory.

Dynamic scaling Usage-based pricing Reduced capital and personnel costs Access to superior IT resources The website Clouddb.7. The reason for this.info includes the perspective of clients when identifying these benefits and clearly seems to think IaaS will be beneficial for clients specifically because of the mentioned benefits.1 Divisio n of Responsibility in Iaa S In this division of responsibility we will focus on how customers and managers should work within an IaaS environment.com. Table 3. according to ENISA. there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles and responsibilities. Even though these are great benefits for clients looking for a Cloud based solution. 3. is With respect to security incidents. What is interesting is that Clouddb. The result of this should be a clear understanding of the roles and responsibilities customers and providers have to one another. there are also risks associated with IaaS.info Defining Cloud Computing: Part 6 IaaS s the same kind of benefits using similar or the same words as GNI.3 Division of Responsibility in IaaS 19 .

2009) Public Cloud: The Cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling Cloud services. (CSA. Cloud bursting for load-balancing between Clouds). community. 2009) Community Cloud: The Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e. or compliance considerations).g. The four different models are describe like this by CSA Private Cloud: The Cloud infrastructure is operated solely for a single organization. 2009) Hybrid Cloud: The Cloud infrastructure is a composition of two or more Clouds (private. (CSA. (CSA. there are four different kinds of deployment models when it comes to Cloud Computing. 2009) 20 . policy.3.g. (CSA. mission.8 Cloud Deployment Models According to a report made by the Cloud Security Alliance (CSA) that was published in December 2009. It may be managed by the organizations or a third party and may exist on-premises or off-premises.. or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e. and may exist on-premises or off premises.. It may be managed by the organization or a third party. security requirements. These models are not dependent on what kind of SPI that is deployed in the Cloud.

9 Cloud Computing Vendors Model According to the website Opencrowd. which they define as: Cloud software is off-the-shelf software that can be used to create an internal Cloud or in some cases can be used to customize infrastructure services to mold a custom Cloud solution. Figure 3 3 Cloud Taxonomy Model 21 . it is also biased. Open Crowd decided to divide the Cloud into four areas compared to our idea of using only three.com. The reason for this is that they regard Cloud Software. Since it is vendor based.3. and so Open Crowd did their own and that is the one we are presenting below to give you an overview of who is offering what kind of service. to be a part of Cloud Computing services offered by vendors. there are a few landscape models circling the Internet focusing on showing what vendors have to offer. We decided not to expand our thesis scope when we found out about Cloud Software as the focus of this thesis are towards clients that may or may not move to a Cloud Solution because they lack in-house skills for IT solutions.

Unlike isolated instances. operational efficiency and use of applications to multiple users.com. Chong & Wolter. Each different approach is important to review and it is also critical for an organization to decide which approach is appropriate for them.1 Separate Database o Highest maintenance and backup cost o Highest hardware costs o Premium approach for sensitive data (e. (Carraro. Medical. but would still be part of the infrastructure.3.10. 2006) 3. separate databases A moderate degree of separation and isolation of data for security Harder to restore in an event of a failure Restoring the entire database would overwrite every tenant in the same database o Use this approach when dealing with a relatively small amount of table per tenant o o o o 3. shared databases separate schemes. shared databases and shared schemes. The clients could use a public Cloud service or actually be part of the organization that is hosting the Cloud. that are deployed in a silo structure. This could only be practical when the applications are stable. customizable. availability. secure. the client and the provider. The provider view is that multi-tenancy will allow for providers to enable economies of scale.g. and upgradeable which the provider usually handles. There are three distinct approaches in multi-tenancy and they are separate databases.10. multi-tenancy is a large community which is hosted by the provider. reliable.10.10 Multi-tenancy According to Salesforce. multi-tenancy is an architectural approach that is a single instance applications but run by multiple tenants.3 Sha red Database and Shared Sche mes o Lowest hardware and backup cost because of large number of tenants o With multiple tenants will need to put more focus on security to ensure that other tenants cannot access other tenants data even if there is a bug or an attack happens Shared Database and Shared Schemes uses the same Database and Schemes for multiple tenants 22 . or financial information) 3.2 Sha red Database and Separate Sche mes Separate Database is the simplest approach of Data isolation Housing multiple tenants in the same database with each tenant having their own set of tables grouped into a scheme Easy to implement Easy to extend database like the first approach. It can be viewed in two different perspectives.

Disaster recovery usually included in the security section and sometimes also in the problem management area. which should also be defined in the agreement.3. The levels included are a frame of how the service should be delivered and failure to follow this agreement is usually followed by penalty.4 Choosing a n Approach Choosing the right approach will be crucial for the organization and there are multiple considerations to take into account when deciding. exclusions and force majeure. 3. for cause. Termination covers topics as for example termination at end of initial term. This information should be very detailed and accurate so you get information about what exactly is going to be delivered. Tenants: The number of tenants that the client could expect will greatly depend upon which approach the client chooses. Customer duties explains what relationship the customer and provider has and the responsibilities that the customer has regarding the service delivery process. third part claims. Performance deals with how monitoring and measuring the service level performance is performed. Security: It is vital to choose the right approach depending on the data requirements and sensitivity of the information. Going through the above list will help an organization in deciding which type of multi-tenant architecture is best suited for them and their infrastructure. Skill Set: Single instance multiple tenants is still a new skill set so expertise will be difficult to come by. The agreement is a part of a much bigger contract between two partners that define the purchased service. Warrant & remedies covers topics such as service quality. Security the most critical feature of any SLA where which security approaches must be followed and respected. Economics: Applications that are designed for shared approach will have more of a development cost. also including how to actively prevent such events. which will result in high initial cost but might have lower operational costs. 2009). Customers will have a high expectation on security and the SLA between the vendor and the consumer will need to provide strong security practices to ensure that data is secured.10. Regulator: The external environment (e. for convenience. 23 . and payments regarding termination. a regular SLA usually includes: Service delivered describes the services and how they are delivered. government and laws) will be need to be investigated to see how regulations could affect security and record storage needs. According to SLA information zone (SLA-zone. Problem management how to deal with unplanned incidents and how to solve them.11 Service Level Agreement A Service Level Agreement (SLA) is in general a legal binding agreement about a service a client is buying from a Service Provider (SP).g. An isolated approach may allow your staff to use more of its own knowledge for the application.

for example. An example of this is in Amazon EC2 SLA where they state the following: AWS will use commercially reasonable efforts to make Amazon EC2 available with an Annual Uptime Percentage (defined below) of at least 99. and measures to be taken in case of deviation and failure to meet the asserted service guarantees. but since we add technology to the picture. While WSLA is closer to the solution than a standardized SLA. but a task that is of utter importance when buying and/or providing services and errors in SLAs could enforce legal penalties. Because the environment is dynamic. there are additional SLAs that deal with different kinds of services. By providing that kind of information. a response is also decided on. V1. (2009) an example of WSLA measures is transactions per hour.; usage and cost. Ranabahu & Sheth 2009) is that WSLA needs to focus even more on metrics to measure if the service bought and received measure up to the levels agreed upon.e. a notification of the service customer. i. According to Patel et al. a third party management/monitoring provider more information has to be included in the WSLA. This puts focus onto Quality of Service (QoS) and how this is measured. Cloud Service Level Agreement If we take the two previous SLAs we have mentioned into consideration and compare it to the dynamic and scalable nature of Cloud Computing. Web Service Level Agreement In addition to a regular SLA. Patel et al (2009) propose that the parties add these measures to the picture. a company can make a statistical analysis to determine the QoS and if the SLA has been breached. Frank. The WSLA Language Specification (Dan. 24 . In the event Amazon EC2 does not meet the Creating a good SLA is not a trivial task. and what others agree to (Patel. the measurements have to be different.The performance levels set in the agreement often measures up to a percentage level and if that level is not met. the measures have to be adapted to that.95% during the Service Year. significant changes need to be made to the SLA to be aligned with the Cloud environment. the measures have to be dynamic as well. What IBM indicate. King. When the Cloud services are in use. One of these services are Web Service Level Agreement (WSLA) and to a certain point it is very similar to a regular SLA. 2003) not only include the SLA components mentioned in our SLA part. when the services increases in scale. Keller.0. these measures have to be adapted according to usage. but also include: -level and business process level service parameters such as response time and throughput. and most often. This is the thinking one has to apply to make a more appropriate SLA for the Cloud Computing environment. Ludwig.

3. Malicious Insider: Lack of insight at the Cloud employees can trigger risks if employees have malicious intent and access to information he/she should not have. CSA 2010 Abuse and Nefarious Use of Cloud Computing: Easy access and lack of control of who is using Cloud Computing can provide entrance for malicious people Insecure Interfaces and APIs: Authentication and reusable aces tokens/passwords have to be properly managed or security issues will rise. Isolations Failure: The failure of hardware separating storage. which pose an increased risk. Data Protection: The ability of the customer to check the data handling practices of the Cloud provider and to ensure that the data is treated in a lawful manner. Computer Security Alliance (CSA 2010) and National Institute of Standards and Technology (NIST) and they are: ENISA 2009 Loss of Governance: The Client ceding control to a Cloud Provider on multiple issues Lock In: The difficulty of a customer moving from one Cloud provider to another. Malicious Insider: Damage caused by a person that has access to the Cloud.12 Risk definition The top risks we are discussing in this thesis are from the European Network and Information Security Agency (ENISA 2009). Insecure or incomplete data deletion: Customer requesting that their data is deleted and it is not completely removed or deleted due to duplication. routing and even reputation between different tenants. Data Loss and Leakage: Improper deletion or backup of data records can lead to unwanted duplication of data that becomes available when it should not exist Account or Service Hijacking: Phishing for credentials to get access to sensitive data Unknown Risk Profile: No insight in what the provider do to keep your data safe or doing updates. Shared Technology Issues: With scalability come shared technology issues since the provider is using their own resources to provide more for the clients during peaks. Compliance Risk: Investment in achieving certification may be put at risk by moving to the Cloud. 25 . memory. With sharing technology the risk of hypervisors appear since hypervisors work in between different clients. Management Interface Compromise: Customers management interfaces of a Public Cloud provider are accessible through the Internet and mediate access to larger sets of resources. patches etc.

internal Cloud security Lack of public SaaS version control If these risks occur in an organization. consequences of risk. it will be the operations of the organization that will suffer. and the likelihood of the occurrence of the event 26 . A common probability risk definition is: (1) Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss. expressed as an aggregate of risk. Therefore we have concluded that the risk definition we use in this thesis focus on probability.NIST 2009 Data dispersal and International Privacy Law o EU Data Protection Directive and US Safe Harbor Program o Exposure of data to foreign government and data subpoenas o Data retention issues Need for Isolation Management Multi-tenancy Logging Challenges Data ownership issues Quality of Service Guarantees Dependence on secure hypervisors Attraction to hackers (high value target) Security of virtual OSs in the Cloud Possibility for massive outages Encryption needs for Cloud Computing o Encrypting access to the Cloud resource control interface o Encrypting administrative access to OS instances o Encrypting access to applications o Encrypting application data at rest Public Cloud vs.

The auditing can be done by monitor log changes either manually or through an automated system. Ethics through policies employees can get the necessary guidance to know how to behave and prevent unethical use of for example an information system. The Committee on National Security Systems (2010) defines the three areas as: Confidentiality Integrity n a formal security mode.3. 27 . Confidentiality is sometimes referred to as privacy and to enforce it you can apply: Access control with access control you can control how and what information users can access. integrity is interpreted more narrowly to mean protection against u Availability To enforce these principles there are different mechanisms that can be applied.13 Security Freedom from risk or dang Safe. these principles are what it has to live up to. Configuration Audit this mechanism controls that information that is altered is allowed to be performed. Encryption is performed through a mathematical algorithm to alter the information. For Cloud Computing to be considered to be secure. Encryption by encrypting information from plain text to be unreadable prevents unauthorized users to access information. Passwords password is the basic authentication method and to make it even more secure it can be used alongside smart cards or biometrics. The mechanisms are retrieved from a blog called Continuity Disaster Recovery (Phoenix 2010). To maintain the integrity of information you can use: Configuration Management this is how you manage change when it comes to the information technology environment. while information security is defined as The three principles are the main concerns when dealing with information security and each principle requires different security mechanisms to be able to be enforced. How could be by authentication through passwords and/or biometrics. Biometric biometrics concerns the use of humans physical characteristics for identification and authentication. retina scanning or face recognition. It could be for example fingerprint scanning.

If malicious software is executed in the Cloud.13. CSA and NIST are security risks that could compromise this aspect as well as the principles confidentiality and integrity. Some of the risks presented by ENISA.Availability should always be ensured so the authorized users can access desired information whenever they want. Confidentiality Integrity 28 .   Insecure or incomplete data deletion (ENISA) Confidentiality When a customer requests that certain information should be deleted. it could affect the integrity if the intent is to alter or delete information. The risk could be that this information is left unprotected on a hard-drive that is shared with some other company. there is a risk that information can be affected by unauthorized change or deletion. - Integrity Availability Abuse and Nefarious Use of Cloud Computing (CSA) When not having control of who is using the Cloud. To ensure that data is always kept available and safely stored you should consider: Data Backup Plan to have a plan of how you backup your information is always important. criminals could get the possibility to exploit Clouds by applying malicious software that can give them access to information they should not have. This depends on what type of business you run and how often information is altered. Business Continuity Plan or Business Resumption Design this is a part of the DRP and documents of how a business gets back to normal after a disaster has struck. How the principles could be affected are derived from the report by CSA. 3. that is having access to information whenever and from wherever. It includes what information is being backed up and at which time interval.1 Securit y risks tied to information se curit y Cloud Computing is about availability. copies of the information could still reside somewhere in the Cloud due to backups or some other redundant reason. If the service does not control the authentication and authorization properly by having weak control mechanisms. by for example providing the possibility to be anonymous when registering for a Cloud service. The risks are listed in the table below together with how they could affect the CIA principles. Disaster Recovery Plan (DRP) this includes the procedures for how a quick backup is performed with minimum impact on the business. This is mostly applicable to PaaS and IaaS where customers have the possibility to develop and run software.

such as hackers or people involved in organized crime. because of poor hiring standards and practices. Integrity Availability Malicious Insiders (CSA/ENISA) Attraction to hackers (NIST) When a Cloud provider hires their Cloud employees. Interfaces needs to be secure so they can withstand malicious attacks that could compromise the availability of the service. People with a malicious intent that are working at a Cloud provider could cause the service to go down. If a Cloud provider has employed persons with a criminal intent. If the Cloud provider does not consider these matters important. Confidentiality Integrity Availability Shared Technology Issues (CSA) Isolations Failure (ENISA) Dependence on secure hypervisors (NIST) Multi-tenancy (NIST) Confidentiality By sharing the same infrastructure there is a risk that the multi-tenant architecture fails to isolate the information so that customers get access to each information. there could be a big risk that they hire someone that have a criminal intent such as someone that is involved in organized crime and wants to have access to confidential information. The risk is even greater if there are no monitoring processes set up for the Cloud employees. Insecure Interfaces and APIs (CSA) Management Interface Compromise (ENISA) Confidentiality A weak interface that for example transmit information in clear-text or allows anonymous access lead to that information can be easily acquired by unauthorized users.Availability If there is a lack of control of what kind of software that is being run in the Cloud. the risk of malicious software being run is high and could cause Cloud services going down. This could happen in the way that a guest operating system user gains inappropriate levels of control and access that are granted from a hypervisor. as well as how they grant their employees access to virtual and physical assets and if the employees are monitored in their work. it could provide access to malicious attackers with the intent to alter or delete information. If an interface has weak security controls. 29 . there are matters as hiring standards and practices. important information could be changed or deleted.

- Data Loss and Leakage (CSA) Confidentiality Integrity Availability Leakage of data is a risk for that unauthorized users gets hold of sensitive information. information runs a risk of being changed or deleted by that party. there is a risk that the service availability can get compromised.4 Security Risks tied to Information Security 30 . When running an IT infrastructure inhouse. For data to be available it cannot in any way be lost. Encryption needs for Cloud Computing (NIST) The need to encrypt information is very important when it comes to Cloud due to the use of the services through Internet. Account or Service Hijacking (CSA) Confidentiality Integrity Availability By using attacks such as phishing or exploitation of software. Confidentiality Integrity Table 3.Integrity Availability If a hypervisor that controls the virtualization of the infrastructure fails to control the levels of authorization of users in the Cloud. If an account gets hijacked. both the transmitting and storing of information. the need to encrypt transmitted information is not as important as encrypting the hard-drives and databases. users could get an inappropriate level of control that could lead to alteration or deletion of information. Loss of data is a risk that directly impacts the integrity. But by using a Cloud service. everything needs to be encrypted to ensure safety. Information that is not encrypted when it is transmitted can easily be altered so the message that is received does not correspond to the original message. If an unauthorized party gets hold of credentials by for example phishing. credentials could be acquired that can be used for getting access to sensitive information.

Mui (Mui 2002) proposes a more mathematical approach to solve this approach will not be discussed in detail other than comparing how a mathematical. A time lag exists between the extension of trust and the result of the trusting behavior. In his work 31 . In this chapter we will present what trust is considered to be from a psychology perspective (social science) and how one can systematically look at trust. If the person in whom trust is placed (trustee) is trustworthy. if the trustee is not trustworthy. Cialdini (Cialdini 2007) talks about influence and discusses click and whirr set off by a trigger feature . 2. lick and whirr is his term for humans automatic responses due to a specific trigger feature when a brain strain we use a rule of thumb when we are unsure and because we cannot know everything about everything. which is also available on Wikipedia. Another shape of trust is confidence which in social science is considered to be easier to measure as trust itself is viewed as a mental state and confidence reflects actions around that trust. a person or company to live up to the bargain set in e. Since trust is considered a mental state. approach differs from a mental one. We will use material from the Influence The Psychology of Persuasion by Robert B. Trust is an action that involves a voluntary transfer of resources (physical. or systematical. medical employees using the wrong dosage and military train operators running people over because someone higher than them in the perceived or real hierarchy told them this is how it is. intellectual.e.g. rt and other personal items and characteristics.g. we have concluded that trust and authority is a vital issue in Cloud Computing security. 3. it is hard to evaluate trust. Cialdini talks about influences and most importantly. then the trustor will be better off than if he or she had not trusted. expensive equals good. In essence. financial. The next step is to present different versions of trust such as authority. e. Placement of trust allows actions that otherwise are not possible (i. then the trustor will be worse off than if he or she had not trusted (this is reminiscent of the classical prisoner's dilemma). In the authority chapter Cialdini cites different studies done and they vary from people giving out electrical shocks that cause pain.14 Trust Reading through security aspects regarding Cloud Computing and reviewing information regarding how the service is provided along with SLAs that defines how the service should be supplied. trust is built up by four parts (Wikipedia 2010): 1. According to Coleman. authority. Cialdini (Cialdini 2007) a computational trust model theory by Lik Mui (Mui 2002) and trust definitions from Wikipedia and James S Foundations of Social Theory to describe trust. or temporal) from the truster to the trustee with no real commitment from the trustee (again prisoner's dilemma). trust allows actions to be conducted based on incomplete information on the case in hand). this lick & whirr effect provides a shortcut in our daily lives. both before he can monitor such action (or independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action Basically these two definitions from Coleman and Gambetta states that trust is the possibility for e. 4. Conversely. In his book. and the negligence to question the authority.3. a SLA. reputation and confidence.g. Another definition of trust is by Gambetta (1988): that another agent or group of agents will perform a particular action.

Following this norm is of essence to create trust and a positive reputation. Figure 3. (Granovetter.Trust .e. 32 . This will be discussed further in the analysis when we add raw data to the picture. or even if they consider trust to be important for that matter.5 Reputation . In the interviews we would like to see how people view trust in regarding Cloud Computing to understand if they use a systematical (fact based) or internal (mental based) method. it is stated that trust is considered to be very important in Cloud Computing security and that we would like to see how people we interview evaluate trust. and not systematically conducted but rather obtained through communications networks and inner evaluation. The reason for having this part in our thesis is because one way of avoiding a serious pitfall caused by trust is to understand this process and what the net benefit is created for the counterpart a person interact with. Reciprocity is the act where dept is created and repaid through genuine actions. The model above depicts how reputation. trust and reciprocity works together and creates net benefit for those involved. connect it with Cloud Computing security risks and discuss what kind of pitfalls have been found and how to prevent them. In the beginning of this section.he presents that trust is connected with reputation and reciprocity. 1985)   Reciprocity is according to both Cialdini and Mui a social norm that is created through trust and interactions. what does the person/company I interact with get from me for trusting him/her/them. 2002) The danger of psychological trust is that it is a mental state. i.Reciprocity > Net Benefit (Mui. Reputation and reciprocity is the product of social networks and norms where the reputation is: Reputation is a social quantity calculated based on actions by a given agent ai and observations made by others in ai resides ai of trust that others have toward it. In the analysis we will present our findings.

rather than being something brand new. and through qualitative interviews with experts to get a more professional view of the problem. We have tried to gather as much information as we can about security issues and service level agreements. Because of this opinion. The term Cloud Computing is rather new so we think that the inductive approach suits best for our research. In Saunders et al. If it is necessary. how can clients avoid security risks associated with trust? 5 5. both to help identifying the problems and/or solve them as we reflected on them in our problem paragraph. we felt it wise to use an exploratory approach to gather the empirical information 33 . the theory is modified so it matches the findings better. The purpose of our research is to contribute more to the understanding of what to think about and take into consideration when it comes to Cloud Computing. induction emphasizes collection of qualitative data and is less concerned with the need to generalize.1 Method Research approach When doing deductive research you start with creating a hypothesis and test it by gathering data and examine it. and not to generalize our findings to any particular setting. and from the data you formulate a theory. we decided to investigate the associated security risks. This research was conducted because of the new phenomenon called Cloud Computing is assumed to become a future solution to modern information technology (IT) problems. Due to this assumption about Cloud Computing. One of our strong opinions is that Cloud Computing is consisting of old technology products and services offered to clients in a new way. You go out in the world and gather data. In inductive research you do it the other way around. PaaS.4 Research Questions The research questions that we have decided upon reflects what we think is most important to research in. These questions have also been selected as we strongly think we can contribute to the field of Cloud Computing if we answer them properly and underline what the next area of study should be to make Cloud Computing more mature. Our perspective on Cloud Computing is that it consists of old technology. What are the major security risks for clients using SPIs (SaaS. (2007). IaaS) in Cloud Computing? o What should clients expect from Service Providers in the SLA regarding Cloud Computing? What possible trust issues are associated with security risks in Cloud Computing and SLA? o If so. The research focused on risk assessment on three different kinds of SPI: Software as a service Platform as a Service Infrastructure as a Service The risk assessment will also look into Service Level Agreement (SLA) from major Cloud Computing companies: Google Microsoft Amazon During the research a critical review of the researched subject was performed from a client perspective and its associated risks. To answer our research questions we take an inductive approach by gathering data to then formulate a theoretical framework.

we think a qualitative focus can give us deeper knowledge and therefore be more appropriate for us.e. Platform as a service and/or infrastructure as a service) 34 . Literature sources that we have reviewed are: Magazines Books Articles and publications Blogs Interviewing experts in the field We will focus on interviewing people with knowledge and experience in the field of IT.we need for this thesis. The methods we are going to focus on in this thesis are: Secondary literature study Interviewing experts in the field In the following paragraphs we will cover secondary and primary data that we will use to draw conclusions from regarding Cloud Computing security risks and SLAs from a client perspective. we have decided to focus on literature. Criteria for which we decide is appropriate to use as a source of knowledge are: o Working with IT on a management level o Are currently supplying and/or buying IT services o Are involved with Cloud Computing and/or related technology (ex: Software as a service. Since we are focusing on security we will also look at their security policies to see if they are coherent in their overall security policy towards a client. which in our opinion are Google. The sources for information we will use are: Cloud Computing vendors SLAs We will look into the major vendors on the field of Cloud Computing. and explanatory study. Microsoft and Amazon. We have also spent time reviewing literature that contradicts our old technology perspective but after extensive reading we have concluded that such articles are not of importance to us. When we review their SLAs we will focus on issues dealing with security. articles and other publications that share our opinion. to explain a new phenomenon or bring an understanding to a specific topic. The interviews were semi-structured to create discussions instead of direct questions with a yes or no response since we consider qualitative information to be valuable to our research than quantitative. The exploratory approach enables us to focus on finding new insights and understanding this phenomenon called Cloud Computing. which we find inadequate because of a too narrow focus and because it is seen as a forerunner to exploratory research. As opposed to a descriptive study. Exploratory approach is about investigating previously studied material i. secondary data. Searching literature regarding Cloud Computing By focusing on Cloud Computing as being derived from old technology. which focus too much on quantitative data.

reliability the extent to which your data collection techniques or analysis procedures will yield consistent findings So reliability is concerned with if the same results would be reached if the research was done at another time. (2007). To make the data in this thesis reliable.5. 5.2 Validity Validity is in Saunders et al. (2007) it is argued that having a good research design is very important if the research shall live up to a good credibility. Experts in the field: Besides secondary literature we will also interview experts in the field that fits to the requirements we have stated earlier. such as established agencies and institutes. (2007) concerned with whether the findings are really about what they appear to be about .1 Reliability In Saunders et al. 5. The validity of the data in this thesis is relying on recently published material within the area of Cloud Computing and by gathering information from experts in the field. Since we are focusing on researching security risks for clients using Cloud Computing. we have concluded that there will be factors that can make our gathered data biased. and if the conclusions made from the results are transparent. The danger of interviews is biased opinions.2. You can never know if your results are completely correct. if the observations would be accomplished in the same way if others would do it. but it is our opinion that the secondary literatures we have reviewed are sufficient for our research. This creates a problem in how to evaluate the information that we have acquired in a neutral way. To further increase the validity of our findings we will send the summaries we made from the interviews to the interviewees to get a confirmation that the information we got out from the interviews are valid. there is a chance that we could miss new information. Interviewing vendors of Cloud Computing could provide an optimistic version of Cloud Computing where as an expert that is a client of Cloud Computing could project a skewed image of Cloud Computing. unclear or misleading. The factors that we have discovered are: Secondary literature: Since we are focusing on reviewing secondary literature about the different kinds of SPIs.2. but aiming for having a good reliability and validity will increase the chances that the findings will be credible. and then compare the data against results from interviews conducted with experts in the field. it will be collected from several different reliable sources.2 Credibility In Saunders et al. 35 .

Overall. 5. 36 . the questions that we have chosen have helped us to compare that information with the information we have gathered from secondary sources.4 Analysis Method The method we used in the analysis was comparing the concepts that we present in our theoretical framework with the results in the empirical findings. The questions in the interviews also helped us to expand our perspective on Cloud Computing as we have added questions to the first list we made. The questions can also give us new insights to what the research questions could mean and/or how we should analyze them to make an appropriate contribution. The interview questions can be found in Appendix 1. This has helped us to do a thorough analysis and discover new areas that could be studied in the future.3 Interview questions The questions that we have decided to use for our semi-structured interviews are a combination of questions that cover topics that are directly related to our research questions. For the analysis we also used the table 3.5. and thus we had to get back to some of the people we interviewed to get some more answers. the questions can be divided into groups where some are directly focusing on our research questions and where other are included creating a discussion around a specific topic to indirectly give us new information to use when we answer our research questions.4 constructed from secondary data. The combination of the secondary data and the primary raw data is analyzed by comparing them and putting them in the context of our research questions. Finally.

Also. terminology. he states that availability. and communication if something goes wrong (customer service). If companies manage to apply good understanding to that issue. For the SLA.6 Empirical Findings From the interviews we have summarized the most relevant parts that we are going to use for our analysis. 6. processes and routines for security (e. they add value to their service for the customer. worst case scenario should be covered in the SLA. how data is encrypted) are very important to include in the SLA. and the argument is that they cannot really affect it anyway because of it being a standard agreement which they use for their customers as well.g. However. Regarding security risks he raises the issue of not having control when it comes to maintenance and troubleshooting. In this section we will present our results regarding security risks and SLA. Security.1 IT-Consultant Interview Summary Quite early in the interview the issue with risk assessment becomes apparent. together with how you can exit the Cloud. He says that it is important to state what security really means because of the naivety regarding security among companies. From the interview we drew out three security risks: Hacker syndicates that are working solely with stealing information To not have control Quality of service 37 . and that you should aim for a long-term relationship. where the IT-Consultant work they do not review the SLA. He talks about trust being essential when you consider accountability. which we will also use in the analysis part. He says that Cloud providers will probably become experts in the security area. He also mentions that there are also benefits with the Cloud. as with getting rid of the security risk with running around with a USB flash memory which could be dropped or stolen. and the possibility to integrate with other systems when using the Cloud is his top three concerns.

2 Senior Business Consultant Interview Summary During the interview it became apparent that the characteristics that the senior business consultant had found with Cloud Computing were flexibility. the suggestion was to create an understanding of how providers can work together with the customer. scalability and accessibility. The consultant perceived the Cloud to be to unsafe to use for more than basic processes to save money and this was to be placed in a private Cloud.6. The three aspects you have to think about when it comes to security risks are: Trust Intellectual Property Legislation 6. After asking our questions we had a general discussion about security regarding the Cloud. cell phones. From the discussion. The security issues that the senior business consultant mentioned were: Multi-tenancy Stability of Supplier Long term focus 6. for example that they should think about not using weak passwords. Regarding accountability he says that it is impossible to solve at the moment. For him who travels frequently he needs to have the information locally stored at his laptop to be able have access to it whenever he wants. the need for storing it locally becomes less important. that you get notified about everything bad that happens? From the interview we have drawn out three security risks that we are going to use for the analysis: Data protection and laws Backups Log files 38 . When the subject touched upon what processes the person could consider to move to the Cloud the conclusion was that the Cloud enables multiple possibilities.g.4 Computer Consultant Interview Summary The possibilities of integration with the Cloud were something that the computer consultant was emphasizing together with the importance of accessibility. how can you be sure that the Cloud provider is logging everything. maybe through a SLA. an issue about what laws exists for the protection of data when it is stored in different geographic locations were raised. But as the connectivity gets better and better. As for accountability. and if they do. it was considered very important and multiple hours was spent on getting it right as the company could not think of acceptable loss to be part of the evaluation of the provider.3 CEO Interview Summary The top concerns with Cloud according to the CEO were trust and accessibility. As for the SLA part. laptop. To be proactive he says that you have to educate your employees when it comes to security. For this interview there were some question left out because he did not feel that he could answer them. These characteristics were also seen when we discussed areas of Cloud Computing that the company could be interested in or what the benefits with Cloud Computing was perceived to be. He brings up the security issues with the physical vulnerability with laptops and cell phones. USB memories) more important than the actual security issues with Cloud Computing. so to trust the Cloud provider is the only option. for example if their company was currently looking for any Cloud solutions. The CEO does view physical security issues (e. He says that companies that are considering to move in to the Cloud needs to evaluate where it is more secure to store their information. Also.

The reason for considering Cloud Computing for mainstream processes was because of the concerns with security.1 CIO I Inte rview Summa ry It became apparent quite early that the CIO considered Cloud Computing to be interesting as a tool for becoming efficient and to be used as a cost saver. The CIO did not like the idea to move core processes to the Cloud as it was too valuable and sensitive for the company. As their systems and business could not suffer from downtime or lose data.2 CIO II Inte rview Summa ry The interviewee first stated that the term Cloud Computing was a Cloudy term in itself and was a hyped up market term.4. uptime and backup.4. if someone else do it for them it meant they would need a smaller IT department. The top three security risks the CIO mentioned where: Other companies can access our information Uptime dependent on the provider Backup 6. Multi-tenancy Intellectual property Communication with provider   39 . The interviewee also stated that trust is very important. They stated that they evaluate different vendors that fit their requirements and it was very important to have face to face meetings to gain a relationship between the organizations. email. the parts of the SLA to employed lawyers and the IT departments to review it to ensure that the document met the requirements of the organization. the intellectual property and finally security. If a provider could not supply what they needed. SLAs and if the vendor would notify the company if something would happen to the service that the organization was paying for. they moved on. As for SLA issues the CIO deemed it very important to control and review each of them and integrate them into the IT departments every-daybusiness. Another concern with Cloud Computing was stealing information.6. The big risks that were stated during the interview were the actual integration of the different Clouds and the individual business units. ression of Cloud Computing was that it seemed suitable for mainstream processes and cost savings. The processes that the CIO thought were ok to move to the Cloud were the basic office processes e. In the context of trust the CIO used personal networks and references before doing a systematic review of the company to see if the particular provider met the requirements before signing an agreement. they could not evaluate a provider from a loss perspective.g.

which is why some of them have been given a tag to identify their specific kind of risk e. CSA. just written in different words. The main reason for this list is to help us in the analysis when we are answering our first research question and to contribute to the field of study by listing security risks specifically instead of general risks.1 Securit y Risk List Abuse and Nefarious Use of Cloud Computing (CSA/ Experts) Interface o Insecure Interfaces and APIs (CSA) o Management Interface Compromise (ENISA) Malevolence o Malicious Insiders (CSA/ENISA/Experts) o Attraction to hackers (NIST) Isolation Failure o Isolation Failure (ENISA) o Shared Technology (CSA) o Dependency on secure hypervisors (NIST/Experts) o Multi-tenancy (NIST/Experts) Encryption needs for Cloud Computing (NIST) Data Loss or Leakage (CSA/Experts) Accounting and Service Hijacking (CSA) Unknown Risks Profile (CSA/Experts Insecure or incomplete data deletion (ENISA/Experts) 40 . In this list we have compiled the security related risks from the overall risk lists we have reviewed. PaaS.; What are the major security risks for clients using SPIs (SaaS. IaaS) in Cloud Computing? 6. NIST and interviews with experts. In this list we also state where the risks have been identified.5 Security Risks In this paragraph we will present the security risks we have found during our research.g.6. The security risks are from ENISA. Some of the risks we have found are similar. Malevolence or Interface.5.

95% is upon the customer to monitor this and report to Amazon.6.6 SLA summaries Amazon 6.6. The different Cloud services that Microsoft offers are not connected when billing is calculated or service credits are given. In essence Microsoft puts a lot of responsibility on the customer which means a lot of the possible errors that could occur are in the hands of the customer. If EC2 is not up for the stated uptime.6. which is 99. 41 .2 Microsoft oft Azure which is a platform with Azure as the OS operating in the platform environment. If the service does not follow the uptime directives Microsoft follow a credit system which governs how much the customer should pay even if the service percentage is not met. According to Amazon the EC2 includes: Interfaces to configure firewall settings Selectable IP range that will connect to the existing infrastructure using encrypted IPSec VPN Their service comment states that they are not responsible for any factor outside of their control. If Amazon does find itself at fault they will issue a credit back to the customer but it is up to the customer to monitor the up time for the whole year. On this platform that Microsoft run through their datacenters the customers should be able to have applications and tools for building applications. We view that the SLA states that Amazon is not liable for anything that happens as soon as the customer accesses the Cloud or decides to put an application on there. how they calculate the bill and in what situations they are not responsible.1 Amazon Cloud system is called EC2 and it provides resizable capacity in the Cloud. In the SLAs (Microsoft 2010) they specify what they are providing and what will happen if they do not provide it. 6. EC2 has a clause that states that removes them accountability for anything that happens in the Cloud if it is by you or any third party and from equipment that is not theirs.

For example. but if that uptime is not met. 2010) 6. The service credits added cannot exceed fifteen days per month and they cannot be converted to monetary amounts. Google Docs is web based word processing. As it should be with a Cloud service. However.6. the customer receives credits in form of free days for using the service. while the Premium Edition offers more storage for a fee.6. The customer will be notified about it five days prior to the downtime. presentation. 42 . seven days of service is added to the end of the service term at no charge.6. In other words. Google Apps has some different editions where The Standard Edition is free to use and has a limited amount of storage.1 Google App Eng ine Cloud environment in the platform as a service m servers using development languages as Java and Python. There is also an Educational Edition which is also free and combines functions from the Premium and Standard Edition. Google has not stated a certain uptime percentage so you are not guaranteed payback if the service goes down (Jackson. spreadsheet and form applications. (Google.9 %. Google App Engine lacks a service level agreement. or else the customer will not receive any service credits. if the uptime goes down to less than 99 % but still more than 95 %. The only thing you can find online is terms of service. you only pay for what you use and there are no installation costs and no other recurring fees. Google disaffiliates themselves from performance issues that are caused by factors that is outside In the SLA. you can control the maximum amount of usage by setting a limit. the customer have to notify Google about the downtime within thirty days. If you have a specific budget you have to follow.3. Scheduled downtime is furthermore not considered as regular downtime periods and will not affect the uptime percentage. and that scheduled downtime will not exceed twelve hours per calendar year. You are billed by consumption regarding storage and bandwidth (measured by gigabyte). Google promises an uptime of 99. However. 2009).3 Google Apps and Docs. Google state that they have scheduled downtime where the service will go down for a period of time.

The Impact column describes how it can affect the organization.1 presents the security risks that we have found from NIST. It is also important to state that there are plenty of countermeasures that can actually be implemented by having certain clauses in the SLA. as in demanding providers wipe persistent media before it is released and conducting vulnerabilities scans. CSA. The security risks column describes the risks and also what organization we found them from. The SPI model columns reveals what domain it affects. NIST.7 Security Risks Table 6. and even reputations between different tenants (ENISA) Dependence on Secure Hypervisor: An organization dependence on the reliable and secure hypervisor (NIST) Multi-tenancy: The multiple organizations that have access to the infrastructure and the ability of the different organization ability to view others data or control the infrastructure (NIST) 43 . We have grouped together certain security risks due to the fact that they are very similar. memory. and ENISA. Most of the risks that we found come from CSA but NIST and ENISA also state similar security risks and we have added them into the chart. The countermeasure column described some steps that the organization can take to help minimize the security risks. The definitions of the different security risks in the isolation group are below: Shared technologies: Hypervisors having flaws that allow guest operating systems to gain inappropriate levels of control or influence on the underlying infrastructure (CSA) Isolation Failure: Failure of mechanisms separating storage.6. routing. or ENISA. The countermeasures that are stated are directly gathered from CSA. As you can see most of the risks actually concern all the domains but there are a few that only affects one or two SPIs.

Disk Partitions. CPU Caches and GPUs) because of the fact that they were never designed for strong compartmentalization. The data could have competitive or financial information that is vital to maintain a competitive edge or can lead to compliance violations and legal ramifications.g. Human element is a vital issue when employing services in the Cloud so it is of vital importance that the customer understand what the provider are going to do to detect and defend against malicious insider. IaaS PaaS SaaS Isolation Failure Group Shared Technology Issues (CSA) Isolation Failure (ENISA) Dependence on secure hypervisor (NIST/Experts) Multi-tenancy (NIST/Experts) Data Loss or Leakage (CSA/Experts) IaaS Data that is lost or leaked can have different impacts on the organization.1 Security Risks 44 . or even internal security) when deciding to invest in the Cloud. storage and management. and destruction practices Demand providers wipe persistent media before it is released Demand providers backup and retention strategies Prohibit the sharing of account credentials between users and services Use two strong factor authentication techniques Employ proactive monitoring to detect unauthorized activity Understand the providers security policies and SLAs Disclosure of applicable logs and data Partial/full disclosure of infrastructure details Monitoring and alerting on necessary information Ensure that the provider has effective encryption Table 6. The information that is not completely deleted could still reside in insecure locations. Integrity. Account or Service Hijacking remains a top threat to Cloud Computing. and Availability. what information will the provider disclose in an event of a security event. It may be impossible to fully delete information since full data deletion is only possible by destroying the hard drive that might be shared by multiple organizations. how is the data or related logs stored. Hackers will attempt to gain access to shared elements (e.Security Risks Abuse and Nefarious use of Cloud Computing (CSA/Experts) Impact Due to weak registration systems allow anonymity and providers fraud detection capabilities are limited so criminals can use this to expand their reach and improve their effectiveness. PaaS SaaS Account or Service Hijacking (CSA) Hackers that have stolen credentials can access critical areas of a deployed Cloud which will endanger the organization.g. IaaS PaaS SaaS Malicious Insiders (CSA/ENISA/Experts) Attraction to Hackers (NIST) Malicious insiders can impact an organization is related directly with their level in the organizations and their ability to infiltrate. IaaS. SPI Models IaaS PaaS Countermeasures Stricter Initial registration and validation process Enhanced credit card fraud monitoring and coordination Extensive monitoring of customer network traffic network Analyze the security model of the provider Ensure strong authentication and access controls are implemented along with encrypted transmissions Understand the dependency chain associated with the API Enforce strict supply chain management and conduct a comprehensive supplier assessment Require transparency into overall information security and management practices Determine security breach notification processes Implement security best practices for installation and configuration Monitor environment for unauthorized changes/activity Strong authentication and access control for administrative access and operations Enforce SLAs for patches and vulnerability Conduct vulnerability scanning and configuration audits Insecure Interfaces (CSA) Management Interface Compromise (ENISA) Depending on a weak set of interfaces and applications exposes the organization to multiple set of security risks related to Confidential. IaaS PaaS SaaS IaaS PaaS SaaS Insecure or Incomplete Data Deletion (ENISA/Experts) Strong API access control Encrypt data in transit Analyzes data protection at both design and runtimes Strong key generation. IaaS PaaS SaaS Unknown Risks Profile (CSA) Customers often leave certain areas overlooked (e.

and if they did. and from them we have selected those risks that are considered to be security risks. Table 6. which could have influenced what company they decided to systematically review. Five out of six of the companies viewed that Isolation failure group was the most important security risk. that vendor would have no business and be bankrupt. The CEO stated if a certain vendor had a horrible SLA. what part did that organization focus on. The next column is the Security Risks that are evaluated directly from the interview. This data will be compared and analyzed together with concepts and models from our theoretical framework to evaluate the security risk we have found in the secondary literature study together with the new information from our primary interview study. Instead reputation was often used. CIO I stated who can access our data as a security risks which is related to the hypervisor being able to keep the data separate for each organization. The top three security risks allowed for us to see what the organization saw as a security risk dealing with Cloud Computing and was vital for their business. As we reviewed the interviews we clearly related them to risks that were stated by CSA. Also. The interview with the senior business consultant directly stated multi-tenancy to be a security threat.7 Analysis In this paragraph we will present data obtained through semi-structured interviews conducted with what we deem to be experts in the field. .1 Major security risks within Cloud Computing From our empirical study we have found different risks with Cloud Computing. We had different types of responses when we asked if the organization reviewed SLAs. The column of trust was to see how the company gained trust in a specific vendor and what they did to see if that vendor was right for their company. The Senior organization that actually wrote their own SLAs and reviewed the vendor s SLA closely to ensure that the SLA covers the areas that they thought was important. 7. 45 . or NIST. ENISA. No organization actually systematically evaluated trust from the start. The column Top Three Concerns displays the concerns that organizations have with Cloud Computing and it is important to note that most of the interviewees said that security was one of the top three concerns dealing with Cloud Computing.2 describes what the different interviewees said that and how the organizations view the concept of Cloud Computing. We view that the most surprising point was the fact that organization never reviewed the SLA and expected things to work.

NIST) Data Loss or Leakage (CSA Isolation Failure* (ENISA. ENISA) Abuse and Nefarious use of Cloud Computing (CSA) Isolation Failure* (ENISA. Multi-tenancy (NIST) 46 .Interview IT Consultant Top Three Concerns Security Uptime Multi-tenancy Risk Loss of Governance Communication Maintenance Security Flexible SLA Other companies accessing data Uptime Backup Data protection and laws Backups Log files Review SLAs Not extensively Trust References Thorough review of the company Reference Company history Friends in similar field of work Company history Review Companies history References Security Risks Insecure or Incomplete Data Deletion Isolation Failure* (ENISA. CSA. and they send parts to lawyers and IT department to compare to our requirements Best practices References Reputation References Size history reputation performance Data Loss or Leakage (CSA) Isolation Failure* (ENISA.2 Interview Security Risk Analysis *Isolation Failure describes a group of security risks that include Shared Technology Issues (CSA). CSA. NIST) Table 6. Dependence on secure hypervisor (NIST). NIST) Senior Business Consultant Security Flexible SLA Security Backup Uptime Yes and they write their own CIO Distribute SLAs to employees for a better understanding N/A Computer Consultant Security Connectivity Integration between service CEO Trust Accessibility CIO Interruptions of service control Stealing information SLAs Trust Intellectual Property Legislation Integration between different Clouds and business units Intellectual property of data Security No and they just expect things to work Yes extensively. NIST) Unknown Risks Profile (CSA) Malicious Insiders (CSA. NIST) Isolation Failure* (ENISA. CSA. Isolation Failure (ENISA). CSA. CSA.

More than half of the interviewees actually displays that dependence of secure hypervisor was an important security issue.1 Clients expectation of SL As in regarding security As we have stated earlier in the thesis most of the big vendors of Cloud Computing have stated that they are not responsible for any event that happens in the Cloud that is not of their control. This is very disturbing due to the fact that most companies are searching for some type of Cloud solution. According to ENISA. The Isolation Failure group only affects the IaaS domain and we consider that domain to be most vulnerable or insecure at the moment.The ranking of all security risks that we have gathered from the interviews are below Security Risks from Interviews Isolation Failures Data Loss or leakage Insecure or Incomplete Data Deletion Unknown Risks Profile Malicious Insiders Abuse and Nefarious use of Cloud Computing   Table 6. The SLA is vital for an agreement in between multiple organizations but it is critical to review what is actually in the document due to ther company being secure and reliable. There are countermeasures that can reduce these certain security risks listed above can be solved with having proper SLAs with both vendor and customer. There are countermeasures for this specific security risk and they should be clearly stated in the SLA. Vendors having a clause in the SLA to improve the accountability of the events in the Cloud might provide more customers. Dependence on Secure Hypervisor. Multi-tenancy could be directly related to dependence on secure hypervisor because the hypervisor is the program that separates the data and ensures that the different organizations data remains separated. s to ensure that the Isolation failure group of security risks are included in the SLA. Isolation Failure. because the clients could feel more confident and move more business processes to the Cloud.3 Security Risks from Interviews Ranks 5 2 1 1 1 1 From our interviews that we conducted we have found that the Isolation Failure Group (Shared Technology Issues. Multi-tenancy) is the highest ranked security threat to organizations.1. which is very interesting. a countermeasure to most of the Isolation Failure group is a vulnerability scanning and configuration risk. it would improve the trust that the client would gain from the vendor. The vendor would increase trust values by allowing the client to conduct a vulnerability scan a couple times a year at an undefined time. 7. Another countermeasure that could be stated is that patches and vulnerability will be enforced and clearly stated in the SLA. 47 .

Another countermeasure is to demand to see what the provider s backup and retention strategies are. the clients might be more willing to move to the Cloud and feel that their data is actually protected. 48 . The client would be able to see what happens to the data by reviewing what the retention and backup strategies are and will be able to see if the vendor strategies match the organization. If the vendor were to have add these clauses to their SLAs.The next highest ranked security risk that interviewees have stated is Data Loss or Leakage. The countermeasure for Data loss that should be mentioned in the SLA is that providers will wipe persistent media before it is released back into the pool. Data Loss could result in the loss of competitive edge or even legal ramifications due to the sensitivity of the data.

but the one you got can make it a hard time for you. but we cannot generalize this information. A CEO from a company we interviewed also stated that Lastly we want to mention the opinion of a Computer Consultant regarding our questions of being proactive and reactive to solve security risks. but we are quite certain that the people we have interviewed are not the only ones to agree with us since so far our response have proven to be 100% positive to that trust is very important. we cannot generalize beyond patterns. if you are not happy. 49 . how do you do then? You may switch provider. In the end we will link our train of thought to the second research question: What possible trust issues are associated with security risks in Cloud Computing and SLA? 7. Therefore we want to say that trust is very important and that our data supports this.2 Trust related Security Risks in Cloud Computing In this paragraph we will focus on the concept of trust and trust within the context of Cloud Computing together with associated security risks. knowledge about what the provider does with the data and physical equipment. They could oppose you. can I be proactive? These statements prove to some extent that we were correct when we concluded that trust was of key importance in the context of Cloud Computing security risks.7. Both parts have to go all the way.2. The dependency that you get with a provider. We will present information from our interviews and show how the interviewees view trust and Cloud Computing and then analyze if their trust analysis is conducted mentally or mathematically.1 Is t rust i mportant? In our interview with the IT Consultant he stated this in the context of accountability: -term relationship. Since we have not covered the whole population of our targeted group. How do you know that get out all the data? And in what for This clearly shows how important trust is in the business agreement and when we talked with the CIO about the subject of security issues with moving to a Cloud we got the response: y issue would be the loss of control and who can access information that could be deemed as This view was further backed up by the choice of Cloud deployment model: If we would move to a Cloud solution it would be to a private Cloud so that we can control the SLA more and the access of the information.

as we do in different situations we discover that the main reason for automatic responses is lack of knowledge. This triggers his so action which basically tells us that Cloud Computing can be an automatic response to a problem where people with lack of knowledge agree to trust people with knowledge to help them solve a specific problem. reciprocity and confidence.; reputation. NIST and our interviews with experts are: Unknown Risk Profile (CSA/Experts) Shared Technology Issues (CSA) Compliance Risk (Experts) Lock In/Stability of the Provider (ENISA/Experts) Loss of Governance (ENISA/Experts) Logging Challenges (Experts) Data Ownership Issues (Experts) Quality of Service Guarantees (Experts) Dependence on Secure Hypervisors (NIST/Experts) Service Level Agreement/Accountability (Experts) Physically Security (Experts) This list of risk is then divided into categories to show how they are related to security risks and trust as well as explain how to avoid them. This does nevertheless mean that the public and the academic world agree on a single view of Cloud Computing.7. This is something we want to disprove by presenting information about what Cloud Computing really is on a technical level. Cloud Computing is fuzzy and a buzzword that creates confusion of what Cloud Computing really is. If we expand the lack of knowledge theory and look at Cloud Computing. These categories are used to highlight three parts of Cloud Computing that we have discovered to be critical to the business. The categories are based on our own assumptions on how the security risks derive themselves from each other. which is why the security risks we have presented exist and why some of them are connected to the issue of trust. The categories are: Quality of Service Provider Ownership 50 . The security risks that we have identified to be connected to trust from ENISA. CSA. we see security risks that are directly connected with lack of knowledge and that many derives from the different shapes of trust.3 Security risks associated with trust in Cloud Computing As what has been stated before in the thesis. a service level and business model level.

If trust have been mentally evaluated and created there is a risk that factors such as title. reputation and reciprocity have biased the reason why trust is established and a contract signed. 7.; Data is insecure Cannot track what is happening to your information An insecure hypervisor can create openings into your part of the storage The SLA may also have been insufficient regarding what it covers. Loss of Governance (ENISA/Experts) Data Ownership Issues (Experts) Lock in/Stability of the Provider (ENISA/Experts) Service Level Agreement/Accountability (Experts) The security risks associated with trusting a provider too much regarding the control mechanism and the data. that person or company could be in serious trouble when service related problems appear since the accountability part was not reviewed.7. that it is just to pull the plug on the collaboration. as we said.3. i. It is also important to understand that complete trust could mean that assumptions are made that once the customer do not need the service.1 Qualit y of Service When a customer enters into a Cloud Computing solution. there is a chance that the biased trust can let you enter into agreements where the provider provides a service that puts your company in a position where. SLA determines the framework of how the service should be delivered and who is accountable for what and.e. and one of those is SLA. the reason for a customer to sign it is because of the degree of confidence the customer has that the provider will deliver the agreed level of service. and if a person or company does not review this properly and only use trust. 51 .2 Owners hip The security risks in the ownership category are related to the issues with who is owning the data. a company decides they lack sufficient knowledge to have their own IT department and decide that they should acquire IaaS to solve this. as we have mentioned. or systematically as Mui presents. and from what we have seen in SLAs from bigger providers are that they push the responsibility onto you.3. if you sign an agreement you most certainly trust the provider to live up to their side of the bargain. are very serious and should not be overlooked. the control functions around the data. which should be accountable for the service and leaving a Cloud Provider. The security risks in this category are: Logging Challenges (Experts) Dependence on Secure Hypervisors (NIST/Experts) Shared Technologies Issues (CSA) Service Level Agreement/Accountability (Experts) Quality of Service Guarantees (Experts) The security risks in this list are connected to trust because. If trust has not been systematically evaluated either through a serious review of how the provider work and provides information about the service e. log information. agreements are signed. appearance.g. or do not want to work with the provider anymore.

What we have seen in literature and from interviews is that Cloud Computing is supposed to be very easy to enter into. If trust is put into the wrong provider this could create serious lock-in related security issues if a company have a hard time leaving a provider that does not let the customer control their own data. If mental trust is used there can be risks that good faith results in bad support and no flexibility in how the provider work and that someone who should not have access to your data have access to it because a employee has access to it. which means that for the most part. This goes all the way to employee level. Genuine trust. 7. trustable? Of course this information is hard to obtain. so basically the first step is to obtain information to see if the person is trustworthy. In our interviews we saw that trust was very important.4 How to avoid security risks associated with trust? To avoid the risk of entering into an agreement where the provider does not lives up to what they say is not as simple as one might think. how to work with the provider. who owns it? 7. the evaluation was done mentally. and a correctly placed one.3 Pro vider The third and final category we have decided to use to highlight what kind of trust related security issues exist in the Cloud Computing environment is Provider. is very hard to obtain. If a provider goes bankrupt it is also important to have decided what will happen with information put into the Cloud. Unknown Risk Profile (CSA/Experts) Compliance Risk (Experts) Lock-in/Stability of the Provider (ENISA/Experts) Physical Security (Experts) This final part of the trust related security risks are focusing on the provider and how the what the provider on keeping data secure. This part of the trust related security risks also takes the physical security of the company and the equipment used into consideration. how the provider work and physical or real world related security issues can damage your company. This part deals with how trust in the wrong place can affect what you get from the provider. Of course this was not the only thing the people interviewed did. but leaving a provider is something else. It is very important to review if the provider is stable or under economical pressure that could result in less spending on equipment and security for that equipment. Misplaced trust generally comes from lack of knowledge. or even let them own the data after the agreement is signed and data is moved to the Cloud. 52 . yet the overall method to evaluate trust was to use opinions from a personal network.3. but should still be an important question in the process of deciding if you should use a provider or not. but from our results the mental process seemed more important and only backed up by systematical reviews when a provider was deemed to be worth the effort. meaning.

or the provider will control the decision of the service. One organization decided to trust standard versions of SLA and the IT Consultant said: t-of-the-box. Ownership trigger feature is the signing of the agreement. a systematical approach should follow to see if the reputation is deserved or not. it would be the systematical approach. The raw data from the interviews state that while reputation and word to mouth is important to find providers. This leads us to the conclusion of how to avoid the trust related security risks and more importantly. The CIO said this: mean Of course this does not mean one side is reckless and one side is wise. If we recommend just one. Quality of Service. We do not really review the SLA. because we have to take their background into consideration and understand that the consultant has probably worked with a provider for a long time and already done the review whereas the CIO is seeking a new provider. if you want to work with Cloud Computing you have to understand it and not take simple solution but a necessary one. If a person takes that kind of decision he/she is clearly not using systematic approach that suppose to measure if a person/company can be trustworthy. In the discussion with the IT Consultant on what is most important in the SLA review he said: what is included when it comes to security you add value to what you are selling. our research question: What possible trust issues are associated with security risks in Cloud Computing and SLA? The avoidance of the automatic response comes from perseverance in understanding your surroundings. it will work again. And adding value to your It is this naivety that is based in lack of knowledge that could be so devastating for a person or a company that decides to use a Cloud solution. From our point of view it is clients have to understand what they are getting into or the security issues discussed in research question one could occur. We cannot really affect it. As we have stated in the analysis of the three categories the risks occur on different levels of the Cloud solution.What was quite interesting to see from our interviews was that there seemed to be two sides about how to review a SLA. The connection to our research questions is quite clear. clients have to systematically and mentally evaluate a provider before a SLA is signed. What is dangerous though is the thinking that just because I have worked with them before and it turned out well. It is The other organization seemed more concerned with getting precisely what they want in the SLA and focus a lot on reviewing SLA. 53 .

how can clients avoid security risks associated with trust? We have found that the isolation failure group that was stated earlier is the biggest risk to organizations. proper data deletion procedures. In the analysis we could conclude that the risks in the categories quality of service. The questions that we set out to answer were: What are the major security risks for clients using SPIs (SaaS. IaaS) in Cloud Computing? o What should clients expect from Service Providers in the SLA regarding Cloud Computing? What possible trust issues are associated with security risks in Cloud Computing and SLA? o If so. Our sub question was stated to see if we could offer countermeasures to apply to avoid possible security risks we could find. but very hard to achieve. Since we did find this connection we analyzed how this connection between trust and security risks could be broken. ownership. Our conclusion to that question is simple as we have said. The answer was both unexpected and reasonable and we hope that we have contributed to the field of study by answering them. It is of utmost importance that the client does a thorough review of the SLA and also demands some clauses be included as well. A solid SLA (e. The solution is to know about the connection and gain knowledge to avoid using an automatic response. The isolation failure group has a heavy reliance on the hypervisors to be stable and secure.g.8 Conclusion In the analysis we discussed the area of major security risks in Cloud Computing and how trust is connected to those. PaaS. and provider are related to trust and that many of them exist because of misplaced trust which derives from lack of knowledge. trust related security risks can be avoided or reduced to the benefit of the client. and what we discovered was three groups to categories the security risks into and they are: Quality of Service o Logging Challenges (Experts) o Dependence on Secure Hypervisors (NIST/Experts) o Shared Technologies Issues (CSA) o Service Level Agreement/Accountability (Experts) o Quality of Service Guarantees (Experts) Ownership o Loss of Governance (ENISA/Experts) o Data Ownership Issues (Experts) o Lock in/Stability of the Provider (ENISA/Experts) o Service Level Agreement/Accountability (Experts) Provider o Unknown Risk Profile (CSA/Experts) o Compliance Risk (Experts) o Lock-in/Stability of the Provider (ENISA/Experts) o Physical Security (Experts) 54 . In the second research question we focused on the security risks connected to trust and Cloud Computing. If this knowledge gap is achieved. The Isolation Group domain is primarily related to IaaS and we view that this is the most unsecure area of Cloud Computing for the moment. the vendor will provide upgrades and maintenance) between the client and provider will decrease the chance of the security risk from happening. or response which we also use to discuss what happens. but it is not fool proof. What we had not expected to find was how big this particular area of study was and that will further be explored in our discussion of what the next step in this field of study could be.

who has made a vulnerability scan available that vendors can do to better secure their Cloud. Trust Cloud   Computing Security Knowledge Figure 9. Both Security and Knowledge will build upon the trust that the organization gains from the provider and should build a relationship that should benefit both companies. the organization and the provider should be able to develop a flexible but reliable SLA so accountability issues of the Cloud can be solved. but the monitoring processes of that uptime is left to the client. Both. The triangle which is the Cloud itself is surrounded by Trust. The Knowledge aspect is to know what should be in the SLA. and what solution is applicable to the organization. Security and Knowledge. An example of this is McAfee.9 Discussion As the Cloud Computing term becomes older.1 Cloud Computing Triangle To ensure that Cloud Computing is the proper investment to make for an organization it is important to understand the different areas of the diagram. Most providers have an uptime of 99. states that they are not responsible for the events that happen in the Cloud and immediate say that the customer is liable.95% stated in their SLA. 55 . the knowledge of the risks that Cloud Computing enable. McAfee also provides Security as a Service which provides a overall security which will aim to decrease the amount of spam and email based threats (McAfee 2004). During our research we discovered three key concepts regarding Cloud Computing: Trust Security Knowledge   Therefore we would like to present a rather simple model of the connections between those concepts. If the vendor does pass the vulnerability scan McAfee will provide them a certificate to display on their website to say that they are considered secure. It is absolutely important to know that the Cloud is secure and that the provider will do everything possible to ensure that it will remain secure. The provider now. more and more along.

Cloud Computing could change very quickly which would make our research obsolete.9. the main security risks could change by making the ones that were brought to light in this research less important while new security risks arises. knowledge. it could have resulted in a more sustainable research by providing an abstracted view of Cloud Computing.1 Critique of method While doing this research. Cloud Computing has evolved due to being such a new concept. Areas for future research could be: Trust building Overall standardization of Cloud Computing Security standards for Cloud Computing 56 . With this in mind. Due to the evolution of Cloud Computing. Therefore we believe that further research into trust. 9. and security in the context of Cloud Computing is important for speeding up the process of approval. we estimate that providers in the future will use these key concepts to differentiate themselves once Cloud Computing have become more adopted and standardized.2 Future research proposals Looking at our model presented in the discussion paragraph. If the research would have focused more on conceptualizing the concepts of trust. security and knowledge.

businessdictionary. Retrieved 2010-05-06. from http://www.com/definition/flexibility.webopedia.html Businessdictionary. S.com (N/A) Definition: Distributed Systems.com/s/article/111510/Top_10_SaaS_Traps_Watch_Out_For_Hid den_Snags   57 .gov/Assets/pdf/cnssi_4009.com (N/A) Definition: Information Security. Retrieved 2010-05-6 .cnss.com/definition/distributed-systems.com/definition/applicationprogramming-interface-API.).businessdictionary. B.html   Businessdictionary. from http://www.com (N/A) Definition: Threat.businessdictionary. from http://www.com/definition/threat.html Businessdictionary.html Businessdictionary. Retrieved 2010-05-23 . Amazon EC2 Service Level Agreement.com/definition/denial-of-service-DOS.computerworld.com/definition/information-security. Retrieved 2010-05-. from http://Clouddb.businessdictionary.com/ec2-sla/ Bouchard A. from http://www.html Webopedia. Retrieved 2010-05-23 . from http://www. Retrieved 2010-04-24.computerweekly.businessdictionary. June 12) Top 10 SaaS Traps: Watch Out For Hidden Snags. from http://www.html Businessdictionary.com/definition/scalable. from http://www. February 23) Infrastructure as a Service.businessdictionary. Retrieved 2010-02-28. October 23). R (2007) The Psychology of Persuasion (1st Collins Business Essential ed.html Cialdini.html Businessdictionary.com (N/A) Definition: Denial of Service (DoS).htm Computerworld. from http://www.com (N/A) Definition: Scalability.html Businessdictionary.0 Fundamentals Indianapolis: Cisco Press Businessdictionary.com/TERM/H/hypervisor. Retrieved 2010-05-.com (N/A) Definition: Application Service Provider (ASP). (2009) Enterprise web 2.com/definition/threat. Retrieved 2010-05-14. Retrieved 2010-05-23. April 26) National Information Assurance glossary Retrieved 2010-03-17. from http://www.amazon.html   Businessdictionary. from http://www.pdf Computerweekly. Retrieved 2010-05-23 .com (N/A) Definition: Risk. Retrieved 2010-05-23 . from http://www. from http://www. December 19) Definition: Hypervisor.com/definition/application-service-provider-ASP.com (N/A) Definition: Flexibility.com/Articles/2009/06/10/235429/A-history-of-Cloudcomputing.com (N/A) Definition: Application Programming Interface (API).com (2006. from http://www.businessdictionary.10 References Amazon (2008..com (2009. March 17) A history of Cloud Computing.businessdictionary. New York: HarperCollins Publishers Lew (2009. Retrieved 2010-05-22 .businessdictionary.com (2006. Sankar K.info/2009/02/23/defining-Cloud-computing-part-6-iaas/ Committee on National Security Systems (2010. Retrieved 2010-03-17. from http://aws.

Retrieved 2010-04-12. from http://www.com/apps/intl/en/terms/sla.com/views/Cloud.jsp?id=707508 GNi (N\A) Infrastructure as a Service Retrieved 2010-03-16.. F.gartner. Rådmark (2010-01-26) 5 saker du måste veta om molnplattformar..com/us/small/security_insights/security_as_a_service. & Phil.mcafee.html IBM (N/A).gni. from http://www. OpenCrowd. June) Multi tenancy Data Architecture Retrieved 2010-03-19. from http://www.wright. Risks and recommendations for Information security European Network and Information Security Agency Gartner (2008 June 26) Gartner Says Cloud Computing Will Be As Influential As E-business Retrieved: 2010-02-18 from http://www.com/it/page.. IBM Corporation ENISA (2009 November) Cloud Computing: Benefits.nist. March 03) Revving up Google App Engine Retrieved 2010-03 17.idg.ibm. (2003.aspx MSDN (2006. from http://msdn. Retrieved: 2010-03-15.com/wsla/ H. A.html Microsoft (N/A). Retrieved 2010-04-20. Service Level Agreements. (2002 December 20) Computation Models of Trust and Reputation.microsoft.aspx Google (N\A) Google Apps Service Level Agreement Retrieved 2010-03-22.CSA (2009 December) Security guidance for critical areas of focus in Cloud Computing v2. Richard. Ludwig.se/2. Retrieved 2010-04-02.com/windowsazure/sla/ MSDN (2006.288641/5-saker-du-maste-veta-om-molnplattformar Knoesis Center Wright State University (N\A) Service Level Agreement in Cloud Computing.edu/library/download/OOPSLA_Cloud_wsla_v3. From http://www.0 Cloud Security Alliance Dan.microsoft. H. from http://www.com/services/iaas GCN (2009.research.P.1 Cloud Security Alliance CSA (2010 March) Top Threats to Cloud Computing v1. L.microsoft.gov/groups/SNS/Cloud-computing/Cloud-computing-v26. Keller.. from http://www. from http://msdn.com/en-us/library/aa479086.php 58 . M. Retrieved 2010-03-07..google.1085/1. A. from http://knoesis. Web Service Level Agreements (WSLA).com/en-us/library/aa479069.pdf McAfee (N\A) Retrived 2010-04-22 From http://www. Retrieved 2010-01-30. from http://gcn.ppt.aspx Mui. April) Architecture Strategies for Catching the Long Tail.com (N/A) Cloud Computing. Massachusetts Institute of Technology NIST (2009-10-7) Effectively and Securely Using the Cloud Computing Paradigm Retrieved: 2010-02-14 from http://csrc.com/blogs/tech-blog/2009/03/google-app-engine. January 28) Web Service Level Agreement (WSLA) Language Specification. Richard.opencrowd.

Open Crowd (2010, May 13). Cloud Taxonomy. Retrieved 2010-05-14 from http://www.opencrowd.com/views/Cloud.php Phoenix (2010, March 18)Confidentiality, Integrity, Availability and what it means for you Retrieved 2010-03-22, from http://continuitydisasterrecovery.phoenixblogs.com/confidentiality-integrity-availability-and-what-it-means-for-you/ Salesforce (N\A) Multitenant kernel 2010-03-19, from http://www.salesforce.com/platform/Cloud-infrastructure/kernel.jsp Saunders. M, Thornhill. A and Lewis. P, Research Methods for Business Students, 2007 Fourth Edition, Pearson Education Limited Service Level Agreement and SLA Guide (N/A). The SLA Guide. Retrieved 2010-04-01, from http://www.service-level-agreement.net/sla-guide.htm SLA Information Zone (N/A). The Service Level Agreement. Retrieved 2010-04-01, from http://www.sla-zone.co.uk TheFreeDictionary.com (2009) Definition: Security. Retrieved 2010-05-02 , from http://www.thefreedictionary.com/security The Linux Information Project (2006, April 29). Vendor lock-in definition. Retrieved 2010-03-17, from http://www.linfo.org/vendor_lockin.html Whatis.techtarget.com (2008, December 14) What is Platform as a Service (PaaS)? Retrieved 2010-03-12, from http://whatis.techtarget.com/definition/platform-as-a-service--paas-.html Wikipedia (2010-05-13). Authority. Retrieved 2010-05-15, from http://en.wikipedia.org/wiki/Authority Wikipedia.org (2010 May 8) John McCarthy (computer scientist). Retrieved 2010-04-, from http://en.wikipedia.org/wiki/John_McCarthy_%28computer_scientist%29 Wikipedia (2010-03-13) Trust (Social Sciences) Retrieved 2010-04-10, from http://en.wikipedia.org/wiki/Trust_%28social_sciences%29

59

Appendix 1 Interview Questions
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. What is your position in the company? What are your first impressions of Cloud Computing? If your company is looking for solutions in the Cloud, what are your biggest concerns? What are your top three concerns with Cloud Computing? What risks do you consider to be in the top three with Cloud Computing? What are the major advantages of Cloud Computing that your company can benefit from? Is your company currently looking for different solutions in Cloud Computing? Why or why not? What business process would your company be willing to relocate into the Cloud? What would be the security issue with relocating to the Cloud? Do you review your SLAs properly, and how? What areas of the SLA does your company mainly focus on? Do you evaluate security from an acceptable loss perspective (e.g. loss of data or downtime)? What type of Cloud deployment model would your company be interested and why (e.g. public, private, hybrid and communities? How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? How can one solve the accountability that arises with Cloud Computing in your opinion? How does your company evaluate trust?

Appendix 2 Interviews with experts
In this section we will present the information we obtained through semi-structured interviews with various experts in the field. The people we have interviewed will be kept anonymous and will only be referred to by their professional title e.g. Consultant, Senior management etc.

10.1 IT-Consultant
On the 22nd of April 2010 we interviewed an IT-consultant that works at a consultancy firm. The interview lasted for 1 ½ hour and was a semi-structured interview, and the interview questions in section 17.1 was used as a basis. What are your first impressions of Cloud Computing? The first thing that came to my mind was that as a company you are freed from the management of the servers. That is the big advantage that you can focus more on the core competence in your company. You let someone else manage the servers, which have got the expertise for it. Cloud Computing feels like a development of something that has been under way for a long time, but it is not until now that you go all out with it. Then it comes to this with the risk assessment, and how does it feel to let someone else take care of everything. Sure it is very good that someone takes care of it, but what if it is business critical information? Do you evaluate security from an acceptable loss perspective (e.g. loss of data or downtime)?

60

This depends from customer to customer. I would say that it is extremely customer specific. If you work with a system that deals with patient information, as for example a care center does, and the thought of putting out that information on the Internet and you would lose information. That is not in any way acceptable. On the other hand if you work with adverts, as for example on blocket.se, the loss of information is not that critical. So it is totally dependent on what type of business you are conducting. If you are a bank and lose a transaction, which cannot just happen. They have problem with that today, and it is their main security concern. They have to deal with redundant data and to log everything. To some information is critical, to some it is not. Is your company currently looking for different solutions in Cloud Computing? We have been discussing that a little bit when it comes to invoice handling. We develop that kind of service for our customers, but we let one of our subcontractors handle the management of the servers. We sell the service to the customer, but we let a third party take of it to ease the pressure on us. Then I would think that we would profit a lot from putting out our internal system, for example our external web service, into the Cloud. That is something that we do not need to manage ourselves. What type of Cloud deployment model would your company be interested and why (e.g. public, private, hybrid and communities? Hybrid is something we have discussed, but it is not something that we are currently focusing on. But I think it would definitely be something that we could profit from. We have been using a platform online for uploading our files on the Internet. What do you think of that type of service? The question is what type of information that you want to put up there. You have to take responsibility to not give out your login information. It is very dependent on the individual. Some people do not have any judgment at all when it comes to those matters. Some users share the same account, and uploading critical data is something you consider twice. What are your top three concerns with Cloud Computing? The security aspect is one. As a provider you have promised a certain uptime, and it is not unusual that security updates are released that has to be installed. What happens to uptime then? That affects the SLA and could mean a lot of costs. Also, the time from when the vulnerability is discovered and that it is fixed is dangerous. So when it comes to the Cloud the security aspects are very exciting, even though you have a lot of external security. There are hacker syndicates that are working solely with stealing information. As a comparison, when you have it in-house, you have got a whole different possibility to isolate the servers. But when you are sharing a server with someone else that has not got the same system, and you need to update your system by restarting the server, you got a problem. With this new business model using old technology you got new problems that need to be solved. Companies take different services that they repack and call Cloud Computing which can create security risks that they did not have before. There is a problem with not having a universal definition of Cloud. The terminology is very unclear. So we got the security aspects, terminology and the possibility to integrate with other systems. Scalability and flexibility are parts that are beneficial with the Cloud. It is cost effective in

61

Both parts have to go all the way. That has to exist in the SLA and you should actively work with renewing it to be able to cope with the new threats that are coming every day. It is one thing to buy something straight up. while some others say that you need to keep some infrastructure in-house. If you have it as a service. It is a standard agreement and we use it for our customers as well. 62 . The provider needs to understand the customer. Some argue that you will make huge savings by putting everything in the Cloud.; who your customer is. The quality of customer service is important and you should aim for a long time relationship with the provider. has a third party access to the data? There is a naivety when it comes to security. So communication. What risks do you consider to be in the top three with Cloud Computing? Generally when you are buying a service you buy a completely configured system. And how much can you affect this out-of-the-box solution. They could oppose you. What does security really mean? Who does what? If you can define what is included when it comes to security you add value to what you are selling. maintenance and the possibility to troubleshoot are important aspects. what is your focus and what type of even get help to do that. How can one solve the accountability that arises with Cloud Computing in your opinion? Trust is essential. there is no standard version that works for everyone. The processes and routines regarding security has to be in there. But it is still hard to calculate the benefits of Cloud. We cannot really affect it. but the one you got can make it a hard time for you. and how? When we buy a service we get it out-of-the-box. How can you work with putting up counter measures for emerging threats? Worst case scenario. The customer does not have the possibility to monitor the system. The Cloud business model is so new so the SLA has to be constantly updated with emerging issues that are arising all the time. the lead time from when something goes wrong and it gets fixed is longer. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? You have to know who you are. if you are not happy. And adding value to your customer is very important. Human error is common. What areas of the SLA does your company mainly focus on? Availability is of utmost importance. Based on our demands we can work actively with evaluating what could happen and can absolutely not happen. how shall it be configured? If you have it in-house it goes relatively quick to solve a problem. who has got access to the data. We do not really review the SLA. The dependency that you get with a provider. You as a provider need to know exactly how the system shall work. To not have control is an issue. If you are going to use a provider you should aim for a long-term relationship. It is not unusual that something goes wrong. And there are problems before you have a fully functioning application up and running. to troubleshoot or to manage it. backup routines. How do you know that get out all the data? And in what format? Can you import the information to other systems? Do you review your SLAs properly.the way that you can measure what you use. control. It depends on who does the calculation and in what way. How is the data encrypted. But as a service. how do you do then? You may switch provider.

You buy a service that may be situated in the Cloud. 63 . which is probably why the Cloud providers liberate themselves from this. That should also be regulated in the SLA. there are benefits as well. In the SLA the demands should be incorporated. Many companies may just go for the Cloud because it is profitable and just ignore the risks. You want to achieve something. Maybe a master SLA. A logging function should be installed that does not lower the performance. People are running around with USB flash memories which they sometimes drop or lose. The Cloud is probably going to be an expert in the area too. how can you get out of the Cloud? That should be in the SLA. A Cloud provider can offer a pretty solid security solution which you as a small company may not be able to afford. It should state who does what and you got to have some kind of error-handling. Cell phones are containing a lot of different information today that is important for some organizations. Also.Then who is responsible? How can you integrate accountability solutions? Somewhere you have to start with a requirement model. So you will get SLA on SLA. What happens to the data then? Or if a company goes bankrupt. Some other issues though would be if get bought up as a company. There is no easy technical solution for the accountability. There are not only security risks with the Cloud. From that it should be the service provider and or the Cloud provider.

What are the major advantages of Cloud Computing that your company can benefit from? Startup cost and the flexibility as well as scalability. what are your biggest concerns? Flexibility Security Accessible   4. The questions we used can be find in 17. If your company is looking for solutions in the Cloud.1 1. Decision process. 8. What is your position in the company? Senior Business Consultant. 3. What are your top three concerns with Cloud Computing? Security Flexible SLA needs to be waterproof   5. 2. We interviewed the said person on the 24th of April 2010 and it lasted for about 30 minutes.g. 7. What would be the security issue with relocating to the Cloud? Multi-tenancy Stability of Supplier Long term focus + track 64 . production processes) 9. What are your first impressions of Cloud Computing? Outsourcing. Is your company currently looking for different solutions in Cloud Computing? Why or why not? No solution but using an internal private Cloud.2 Senior Business Consultant We interviewed a Senior Business Consultant and the company offers professional IT Services and had a third party that provided Cloud Computing to customers.10. What risks do you consider to be in the top three with Cloud Computing? Security Flexible SLA needs to be waterproof   6. What business process would your company be willing to relocate into the Cloud? Non-critical business process would be the first step then possibly more critical process (e.

How can one solve the accountability that arises with Cloud Computing in your opinion? Understanding a clear line on where the border is between partners accountability.g. one company required a customer to sign a gag order for some reason so the said person from the company went elsewhere. Using a kind of integrated platform. when and what data. and stored and what issues you take when it does not come through. 15.   10. What areas of the SLA does your company mainly focus on? Review mostly the startup relations. and how? Yes they had consultants write SLAs so they have personal review the SLAs.g. communications. and uptimes on different applications and how to terminate the contracts. sent. 65 . private. loss of data or downtime)? Important not to lose critical data. log how it is being done. public. support. 14. How does your company evaluate trust? Does research on the company and looks for negative reports so reputation plays a big part in it. 12. Example. another words ensure that there are clear responsibilities established. Do you review your SLAs properly. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? Proactive: Help in establishing the standards and be knowledgeable in being reactive in security threats. 11. 16. hybrid and communities? Private. Supplier A to B how. Do you evaluate security from an acceptable loss perspective (e. What type of Cloud deployment model would your company be interested and why (e. 13.

If your company is looking for solutions in the Cloud. What are your first impressions of Cloud Computing? My first impression was that Cloud Computing could be useful for mainstream applications in the office. fewer IT employees = lower costs 7. cannot have downtime or lose data Backup beyond our control. The interview lasted for 20min and the interview was conducted via a speaker telephone. What business process would your company be willing to relocate into the Cloud? The business process we could consider is office applications that are not connected to critical business systems.in the sense that applications are not affected because of peaks in usage. what happens if the system crashes? 5.1 . 1. What are the major advantages of Cloud Computing that your company can benefit from? Scalability . 4. We are also concerned about creating a waterproof SLA about access and control over data since information relocated into the Cloud could be sensitive. So we will probably not look for a Cloud solution in the next years. We have recently invested in WM ware solutions to run internally since we consider IT advantage is possible through in-house development and that such an advantage is important in our business. 3. The interview was semistructured and the questions we used to establish a theme was the ones in section 17.10. We lose control of who can access our information even if the agreement say we are the only ones. 66 . someone could still access it in theory. Lower IT costs Smaller IT department. What are your top three concerns with Cloud Computing? Security Who can access our data? Uptime stable access to the service. what are your biggest concerns? Our concern is the security aspects. Is your company currently looking for different solutions in Cloud Computing? Why or why not? No we are not looking for a Cloud solution at the moment. What risks do you consider to be in the top three with Cloud Computing? Other companies can access our information Uptime dependent on the provider Backup   6. What is your position in the company? 2. and that I would not like to connect it to our business critical systems. We want to have control over them ourselves.3 CIO I On the 28th of April 2010 we interviewed a CIO at a distribution company. 8.

Internet provider cannot our Internet connection be down too much. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? I do not have enough experience or knowledge about the Cloud to answer this question in a valid way. 16. and how? We use to distribute them on our meetings within the IT department so that everyone at the IT department understands them.g. Do you evaluate security from an acceptable loss perspective (e. What type of Cloud deployment model would your company be interested and why (e. Then I carefully review the SLA and make sure that both companies mean the same for complicated words.9. 14. We do have a specific time we can allow Internet to be down so we measure against that.g.   67 . 10. we have to make sure that the provider can provide their service at a level that means we can keep working e. loss of data or downtime)? Since we deem it is unacceptable to lose data we cannot use that when we measure the providers. How can one solve the accountability that arises with Cloud Computing in your opinion? This issue could be solved through carefully writing the SLAs. Do you review your SLAs properly. 11. How does your company evaluate trust? I use connections and references from friends and colleges in my field of work together with reading about the provider. but the Internet downtime is different. What areas of the SLA does your company mainly focus on? The part that is most important for us when we agree to and SLA is the uptime.g. public. What would be the security issue with relocating to the Cloud? Our biggest security issue would be the loss of control and who can access information that could be deemed as sensitive to our company and our clients. I think the public Clouds can have the most problem with this since they appear to be more standardized than the private Cloud SLA. 13. 12. hybrid and communities? If we would move to a Cloud solution it would be to a private Cloud so that we can control the SLA more and the access of the information. private. 15.

industries. 5. 7.g.4 Computer Consultant On May 7th 2010 we interviewed another Computer Consultant at a distribution company. someone notice that the application is not working. Services are awesome. email could be something. You say bye bye to infrastructure which also means less need for resources like employees and less associated problems. What are your top three concerns with Cloud Computing? Security. What business process would your company be willing to relocate into the Cloud? Simple stuff.10. and that someone contacts helpdesk. In Sweden it is good. Manageability is an issue. 6. Security. Cloud is hard to integrate. What are your first impressions of Cloud Computing? What I thought was that finally people have realized what can be done when it comes to virtualization. The interview was semi-structured and the questions we used to establish a theme was the ones in section 17. 1. The interview lasted for 40 min and the interview was conducted via teleconference. 2. You have to think about monitoring. what are your biggest concerns? That you do not know who customers are. loss of governance. Also how to integrate these different services is important. but when you travel elsewhere it could become an issue.1. Is your company currently looking for different solutions in Cloud Computing?   who want to relocate into the Cloud. Because as it is now. how to make it available for the right time. 4. integration between services. things that are not really hard to integrate into systems in your environment. SP. If your company is looking for solutions in the Cloud. how do you store data and integrate with their systems? We do not want to put everything in the Cloud. how to start using it. The reporting platform for example or a traveling template generator to standardize traveling bills in the company instead of using the systems. both external and internal. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? 68 . What is your position in the company? Computer consultant at different companies. It helps the environment by optimizing the utilization of resources by only using what you need. 8. connectivity. You are buying a service which means less responsibility. What are the major advantages of Cloud Computing that your company can benefit from? The environment of Cloud. you have no control over where information is. How to design what to be used in the services bought? The connectivity is important. only some parts. so we should. Traditionally. Specific service e. integration. easy to buy. 3. like how to monitor applications bought through internet.

69 . but trust is hard to create when all information is not shared as well as goals of what wants to be done. How does your company evaluate trust? Have do you evaluate trust? Maybe by looking at track records or talk to people? General discussion about security Where is my data? What laws governs my data? How can I trace if my data is being copied in a safe way? Where are backups stored? How can I be sure that my data is not being manipulated in the wrong way? When data gets redundant by being stored in two different geographic locations.g.g.Tru have no knowledge about what the provider do with the data and physical equipment. a tape where I make big storage backups and where does it go? How do I know I get the data about the service they provide me (for instance log files) is the raw data or changed to look good and to keep you unknowing as a client? How can I know that everything is being logged since I cannot access that information? Will someone tell you if the provider screws up? They need systems to monitor everything so that they can prevent bad things to happen by monitoring activity and activity around the data.g. For example how to hold someone accountable for e. You will have a hard time to find out where information was manipulated wrongly. how can I monitor my physical storage of data on e. There are risks as industrial espionage and idea stealing. Trust is the only current solution. 10. How can one solve the accountability that arises with Cloud Computing in your opinion? Right now it is not impossible. fraud or copying of data. Sweden and Poland. what law is protecting my data when the data is in these two different places? E. can I be proactive? 9. But this issue is very complicated. With backups. Pre-programmed triggers to alert if something bad happens exist.

Secret information cannot be placed in the Cloud. If your company is looking for solutions in the Cloud. The interview was semi-structured and the questions we used to establish a theme was the ones in section 17. It s not the computer power that will change in the future. But I did not look for solutions abroad. But you get so much more power and functionality with the Cloud. That you can increase the business efficiency and development. A company runs all the finance for us. If you not make profit. If we understand the strategy of Cloud. it s easier to adapt to it. In most countries you are not allowed to keep your book keeping outside the country. 6. You have a 70 . People think it s more secure if you have it on your own laptop.10. It is the speed and availability of connectivity. I prefer to have it in Sweden. what are your biggest concerns? We are not supplying Cloud solutions. What are your top three concerns with Cloud Computing? Top concern for Cloud is trust. that you are not able to make profit of it. 2. 7. 3.  What is your position in the company? CEO at an IT company. This is because I travel a lot and need access to the information all the time. Then you could not afford personal computers. What business process would your company be willing to relocate into the Cloud? Is Cloud? Not for me. Then of course the trust and intellectual property. What are your first impressions of Cloud Computing? Necessary. even though I have it in the Cloud. It is not possible to move to next level of business with the old way of handling. Because we don to spend on IT in the companies. the development will not increase. 5. When I look for suppliers I m not only looking for one. We have many systems in the Cloud. Accessibility is second. The interview lasted for 30 min and the interview was conducted in person. Legislation is definitely not updated for the Cloud. That means that the information needs to be stored locally. From a technical perspective it is more complex to have it in the Cloud.5 CEO On the 6th of April 2010 we interviewed a CEO at an IT company.1. Maybe in the future when the accessibility is better I will only have it in the Cloud. What are the major advantages of Cloud Computing that your company can benefit from? Speed and flexibility. 1. 4. Right now I am storing everything on my computer. What risks do you consider to be in the top three with Cloud Computing? Business model. Terminals back in 1984 connected to a mainframe. It is like with the importance with internet. If you travel it s the most insecure place for information. But I am not representative in that perspective. We need to have Cloud solutions and it is also easier to apply best practices in the Cloud.

Because of more security. If you are doing things that you can stand up for. What would be the security issue with relocating to the Cloud? Cloud. and reputation. educate people that they need to think about security. Is storing or using information my concern.lot of information on your phone today. How does your company evaluate trust? For me trust is more than everything else. 71 .g. public. Do you evaluate security from an acceptable loss perspective (e. it's a new behavior. Where is it more secure? That is something that you have to evaluate. Using Cloud as a backup is more secure. Where is the weak link? Devices as laptop and cell phone certainly are. loss of data or downtime)?   thought of it. Communication and education. where I can get someone on the line to talk to me. Do you review your SLAs properly. But be a problem. 11. Big files are however a problem with the Cloud.g. 14. I just expect that everything should work. The competition will be about the SLAs. references. you have to is it 12. How can one solve the accountability that arises with Cloud Computing in your opinion? If you are a small player. hybrid and communities? In the past I was a big fan of private internet. It is not only technical issues with Cloud. But it is always a part of it. The damage is much higher if something goes wrong in the Cloud. which is obvious. Your information is more secure in the Cloud. and how? No. Stop using secret as our normal password and so on. It should just be there just as with announcement of downtime etc. 10. But i a problem with the Cloud? 8. I use a combination of applying best practices. It's a question of privacy. behavior. faster and in the long run probably more reliable if it is in the public. What is the long term strategy on this? 9. You don t want to email somebody when something goes wrong. Then we have an issue with the service area. We didn t want to be public with our information. The physical support is important. private. more efficient. it is a matter of service as well. because I realize that. you will very quickly loose the competitive edge. It s an illusion that it is more secure on your laptop. 15. If you a have poor SLA. all the time. it is maybe a lower cost but higher risk. But i better. What areas of the SLA does your company mainly focus on? It s not uptime. What type of Cloud deployment model would your company be interested and why (e. 13. is that G fault? Cloud is not a new service. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? Security.

6 CIO II On May 15th 2010 we interviewed another Computer Consultant at a distribution company. What are your first impressions of Cloud Computing? The term itself. What are the major advantages of Cloud Computing that your company can benefit from? Scale of economy. security. If your company is looking for solutions in the Cloud. What are your top three concerns with Cloud Computing? Interruptions of service control.g. Hyped up market term 3. What business process would your company be willing to relocate into the Cloud? I view that the non critical business processes like ASP solutions. 10. what are your biggest concerns? Ownership of the actual data and the Cloud 4. 9. salary systems and supporting systems can be moved to the Cloud. Also. The interview was semi-structured and the questions we used to establish a theme was the ones in section 17. Is your company currently looking for different solutions in Cloud Computing? Why or why not? Have a partial Cloud internally 8. Do you review your SLAs properly.1. and data loss. What risks do you consider to be in the top three with Cloud Computing? My biggest concerns are the actual integration between the different Clouds and business units. an 5. Cloudy concept. another issues that I see are Intellectual property of the data. The other risk are stealing information. 7. and being able to use the different experts from vendors. 72 .10. What is your position in the company? CIO 2. will the provider notify you if there is an issue with your Cloud or do you have to keep track of it yourself. The interview lasted for 40 min and the interview was conducted via teleconference. and how? We review the SLAs very extensively by sending them to our lawyers and IT departments for them to review and discuss the items that they dislike. Do you evaluate security from an acceptable loss perspective (e. loss of data or downtime)? We evaluate from an acceptable loss perspective by the sense that we see the cost of downtime. 6. 1.

14. size.11. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? It is important to have a face to face meeting with the vendor to provide confidence and to get a secure feeling from the vendor to be able to develop a long lasting relationship 13. reputation. having a modifiable SLA so if something does change all of us can sit and discuss the new changes. public. If the power becomes unbalanced to the vendor can change its view and the customer has to except it. history.g. How can one solve the accountability that arises with Cloud Computing in your opinion? This is a challenge because we have three members we meet monthly to have discussions on how that we will always come back to them. 73 . performance of the company to build a partnership. How does your company evaluate trust? We review the references. hybrid and communities? Most likely private but very confident about moving core business processes to the Cloud. example Amazon said no to the IRS when asked to do a C&A risk assessment. It is important to establish a balance between the customer and the vendor. private. What type of Cloud deployment model would your company be interested and why (e. We want them to work for our partnership. 12. We evaluate different vendor that fit our requirements and conduct meetings with the vendor. It is a six month process that requires plenty of planning and meetings to build the relationship. Also.

Sign up to vote on this title
UsefulNot useful