JÖNKÖPING INTERNATIONAL BUSINESS SCHOOL

JÖNKÖPING UNIVERSITY

Cloud Computing
-Security Risks, SLA and Trust-
Paper within Bachelor thesis in Informatics
Author: William Ambrose,
Niclas Dagland,
Samuel Athley
Tutor: Wolfram Webers
Jönköping June 2010


Bachelor's Thesis in Informatics
Title: Cloud Computing: -Security Risk, SLA and Trust-
Author: William Ambrose
Samuel Athley
Niclas Dagland

Tutor: Wolfram Webers

Date: 2010-06-07

Keywords: Cloud Computing, Security Risks, Service Level Agreement, Trust,
Software as a Service (SaaS), Platform as a Service (PaaS),
Infrastructure as a Service
______________________________________________________________________
Abstract
With Cloud Computing becoming a popular term on the Information Technology (IT)
market, security and accountability have become important issues to highlight. In our
research we review these concepts by focusing on security risks with Cloud Computing and
the associated services; Software, Platform and Infrastructure (SPI) and connecting them
with a social study of trust.
The method that was conducted during our research was reviewing secondary literature,
interviewing different experts regarding Cloud Computing and relating standards already
established by ENISA, NIST, and CSA to the interviews.
The result of this study shows connections between the specific SPIs, both how they
compare, but also how they differ. In the end we were also able to rank the top security
risks from interviews with experts and see which SPI could be the most insecure one and
what countermeasures could be applied.
This was further related to trust and Service Level Agreement (SLA) in Cloud Computing
to show how the security risks we discuss are related to these two specific areas. By
highlighting this we wanted to present useable information for both clients and providers
in how to create a better Cloud Computing environment.




Acknowledgements
First, we would like to thank the instructors that provided help and guidance during our
research, without them we would have veered off the path.
- Wolfram Webers: For providing us great insight and steering to ensure that we
stayed on path during our research, we thank you.
- Ulf Larsson: Provided us with valuable information and multiple articles in our
research which we were very grateful to receive.
- Jörgen Lindh: Helped ensuring that our thesis was properly structured and
provided a different perspective in our thesis and for this we express our
appreciation.
- Projectplace.com: We thank you for allowing us to use your platform during our
research. We found the platform most helpful when documenting our work.
We would also like to thank all of the people that participated in the interview which
helped us in our findings and providing us with valuable information. Further, we would
like to thank each individual member of the group who made this research possible and
memorable.



Table of Contents
Bachelor's Thesis in Informatics
Abstract
Acknowledgements
1 Introduction
1.1 Background
1.2 Problem
1.3 Purpose
1.4 Perspective
1.5 Delimitation
1.6 Definitions
2 Methodology
2.1 Research philosophy
2.1.1 Epistemology
2.1.2 Ontology
2.1.3 Axiology
3 Theoretical Framework
3.1 Cloud Computing
3.2 Cloud Computing Overview model
3.3 Cloud Computing Characteristics
3.4 SPI Overview Model
3.5 Software as a Service
3.5.1 Division of Responsibility in SaaS
3.6 Platform as a Service
3.6.1 Division of Responsibility in PaaS
3.7 Infrastructure as a Service
3.7.1 Division of Responsibility in IaaS
3.8 Cloud Deployment Models
3.9 Cloud Computing Vendors Model
3.10 Multi-tenancy
3.10.1 Separate Database
3.10.2 Shared Database and Separate Schemes
3.10.3 Shared Database and Shared Schemes
3.10.4 Choosing an Approach
3.11 Service Level Agreement
3.12 Risk definition
3.13 Security
3.13.1 Security risks tied to information security
3.14 Trust
4 Research Questions
5 Method
5.1 Research approach
5.2 Credibility
5.2.1 Reliability
5.2.2 Validity


5.3 Interview questions
5.4 Analysis Method
6 Empirical Findings
6.1 IT-Consultant Interview Summary
6.2 Senior Business Consultant Interview Summary
6.3 CEO Interview Summary
6.4 Computer Consultant Interview Summary
6.4.1 CIO I Interview Summary
6.4.2 CIO II Interview Summary
6.5 Security Risks
6.5.1 Security Risk List
6.6 SLA summaries
6.6.1 Amazon
6.6.2 Microsoft
6.6.3 Google Apps
6.6.3.1 Google App Engine
6.7 Security Risks
7 Analysis
7.1 Major security risks within Cloud Computing
7.1.1 Clients expectation of SLAs in regarding security
7.2 Trust related Security Risks in Cloud Computing
7.2.1 Is trust important?
7.3 Security risks associated with trust in Cloud Computing
7.3.1 Quality of Service
7.3.2 Ownership
7.3.3 Provider
7.4 How to avoid security risks associated with trust?
8 Conclusion
9 Discussion
9.1 Critique of method
9.2 Future research proposals
10 References
Appendix 1 Interview Questions
Appendix 2 Interviews with experts
10.1 IT-Consultant
10.2 Senior Business Consultant
10.3 CIO I
10.4 Computer Consultant
10.5 CEO
10.6 CIO II




List of Figures
Figure 3.1 Cloud Computing Overview Model
Figure 3.2 SPI Overview Model
Figure 3.3 Cloud Taxonomy Model
Figure 3.5 Reputation - Trust - Reciprocity > Net Benefit (Mui, 2002)
Figure 9.1 Cloud Computing Triangle

List of Tables
Table 3.1 Division of Responsibility in SaaS
Table 3.2 Division of Responsibility in PaaS
Table 3.3 Division of Responsibility in IaaS
Table 3.4 Security Risks tied to Information Security
Table 6.1 Security Risks
Table 6.2 Interview Security Risk Analysis
Table 6.3 Security Risks from Interviews









1 Introduction
On the information technology (IT) market there has emerged a new buzzword called Cloud
Computing. It is described as the future and that everyone should move into the so called Cloud.
There are many different definitions for Cloud Computing which has created confusion about
what this phenomenon really is. For this research two definitions have been selected which are
stated below. Forrester defines Cloud in their article Enterprise Web 2.0 Fundamentals as:
A pool of scalable & abstracted infrastructure that host end user applications, billed by consumption.
In the article Cloud Computing will be as influential as E-business by Gartner, Cloud Computing is
defined as:

A style of computing when massively scalable IT related capabilities are provided "as a Service" using
Internet technologies to multiple external customers.

These definitions will be a guide through the research as they help to understand what type of
information is focused upon. Due to this new buzzword Cloud Computing, issues regarding
security have been raised. On November 20, 2009, the European Network and Information
Security Agency (ENISA) published a report called Cloud Computing - Benefits, risks and
recommendations for information security which gives a detailed description of the security risks and
benefits of Cloud Computing. ENISA is a European Union (EU) agency that works with aiding
and giving recommendations concerning issues related to network and information security.
The research focuses on technology in Cloud Computing (SPIs - Software, Platform, and
Infrastructure - as a service) and the associated risks. The areas we will go through in this
research are listed below:

- Cloud Computing
- Cloud Deployment Models
- Cloud Computing Characteristics
- SPIs and associated Security Risks
- Service Level Agreement (SLA), Web SLA and Cloud SLA
- Trust





1.1 Background
In present day, we link Cloud Computing with fuzziness and hype, but also with new business
models, emerging markets and new IT solutions. In our research about Cloud Computing we
have viewed this emerging technology as something that has evolved from previous solutions.
The characteristics of Cloud Computing can be seen in the networking solutions of grid
computing and distributed systems and the online part of Cloud Computing can also be found in
Application Service Providers (ASPs) (Computer Weekly, 2009).
In newspapers, articles, interviews and other sources that we present in this work there is a
general attitude that Cloud Computing is very new even if the technology is old. The emergence
of Cloud Computing has also introduced interesting results regarding predictions of how IT
would be in the future. According to Computer Weekly and an article about the history of Cloud
Computing published in 2009, visions about the future are quite similar to our concept of the
Cloud. In 1969, J.C.R. Licklider shared his vision of an intergalactic computer network where
people would be globally connected. Before him in 1961, John McCarthy was one of the first to
propose utility consumption and payment in the context of Computers and IT (Wikipedia, 2010).
It was in the 90's that a significant increase of bandwidth enabled new possibilities for Internet
based solutions and a more globally connected world, but it would take time for Cloud
Computing to reach out into the world. It was the arrival of Salesforce.com in 1999 that
revolutionized how we use solutions connected to the Internet. Amazon soon followed in 2002
with their Web service and after this more followed, expanding Cloud oriented solutions from
only being applications, or Software as a Service, to also include Platform as a Service and
Infrastructure as a Service. One important factor that has made Cloud Computing popular is the
fact that the experts within the field of IT solutions, such as Microsoft, are providing applications
that are good enough to compete with in-house developed solutions that are costly and hard to
justify. With the rise of these 'killer apps' (Computer World, 2009), important security issues arise
as this phenomenon we call Cloud Computing continuously evolves and becomes more of a
business model and solution.
In the introduction we presented two definitions for Cloud and Cloud Computing. The
information about what Cloud Computing consists of is mostly derived from ENISA, NIST and
CSA. The three main Cloud Services that we will present in this thesis are the ones below, each
with a definition from ENISA:
- Software as a Service (SaaS): is software offered by a third party provider, available on-demand,
usually via the Internet configurable remotely. Examples include online word processing and spreadsheet
tools, CRM services and web content delivery services. (ENISA, 2009)
- Platform as a Service (PaaS): allows customer to develop new applications using APIs deployed
and configurable remotely. The platforms offered include development tools, configuration management,
deployment platforms. Examples are Microsoft Azure, Force and Google App engine. (ENISA, 2009)
- Infrastructure as a Service (IaaS): provides virtual machines and other abstract hardware and
operating systems which may be controlled through a service API. Examples include Amazon EC2 and
S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud. (ENISA, 2009)
These types of services are mature and have been provided by service oriented companies before
Cloud Computing. Salesforce.com is an example of SaaS which provides the customer with a web
based Customer Relationship Management solution. Force.com is an example of a PaaS and
provides a platform to build multi-tenancy applications. IaaS is more complex and gives more
control over the hardware, and an example of that is Amazon S3. Other than these three there
are other types of "as a Service" offerings. Clients buy and use them over the Internet and do not
need to allocate physical or virtual space, since they are offered as a service over the Internet.


With Cloud Computing, new challenges have emerged and among them we consider security as
the most important one. In this thesis we discuss security risks that we have found from ENISA,
NIST, CSA and experts we have interviewed. Examples of security risks from ENISA (2009) are:
- Data protection
- Isolation failure
- Management interface compromise
- Insecure or incomplete data deletion
- Malicious intruder
Even if there seem to be numerous threats, ENISA also identifies benefits with Cloud
Computing, and examples of these are:
- Benefits of scale
- Security as a market differentiator
- Standardized interfaces for managed security services
- Rapid, smart scaling of resources
- Audit and evidence gathering
Throughout this thesis we will review different security risks with Cloud Computing in a general
context and then focus on linking those risks with a client perspective. The empirical data
used for this research is from secondary literature such as books, articles, magazines and web
publications such as blogs. The primary data was gathered from experts in the field via
interviews. We may provide benefits with Cloud Computing as we stated above, but the main
focus is on the security risks. For us it is very interesting to see old visions come to fruition
because of evolution in IT.





1.2 Problem
The new emerging concept of Cloud Computing has created an intriguing buzzword for old
technology. Clients are now starting to look towards the Cloud to see if this is something for
them. The main focus of Cloud solutions is to utilize a company's expertise to provide a service for
another company that has deemed it beneficial to let the experts handle their IT. The extent to
which a Cloud provider handles this, as with both web services and outsourcing, is entirely up to
the client signing an agreement with the provider.

The idea of experts providing their expertise for a fee sounds very interesting, and we believe this
will evolve to a very good solution for clients who lack the in-house knowledge to solve their
problems on their own. What could be a frightening fact is that the client could give up control
to a provider of information and processes vital to the organization. Security risks could arise
from letting someone do that. This is the reason we feel it is so important to look at the security
risks before investing into the Cloud.

If one does not know what security risks can be associated with Cloud Computing, risks can
appear through neglecting to understand Cloud Services and their legal documents. It could
also prove to be harmful to not know how the process of selecting a provider works, or should
work, within Cloud Computing, as with any new technology.

In this thesis, we want to prove that Cloud Computing does have security risks, but not because
we seek to alarm people not to use Cloud Computing, but rather because we want it to evolve
into what it could become in the future: a very good solution to problems when a client does
not have the skills to solve a specific problem on their own. This is one of the reasons why it is
important to know about security risks in the context of Cloud Computing.

To understand which security risks are associated with Cloud Computing from a client
perspective, we have looked into three big publications from three respected groups to get a
good understanding of security risks and Cloud Computing itself. Next, we used interviews with
experts to gather more information for the research.

From the discussion, numerous questions could be asked. However, we decided to focus on this
particular theme in our thesis; the questions below can therefore be seen as preliminary research
questions that the reader should bear in mind while reading the thesis.

- What are the security risks with Cloud Computing and the associated technologies?
  - Are there other implications with Cloud Computing in addition to the technology,
    e.g. social?
These questions are quite general and we will present more specific research questions in section
4 - Research questions.


1.3 Purpose
The purpose of this research is to clarify the security risks that clients could encounter with
Cloud Computing. It is important for a company to understand how their data is handled and
how confidential it will remain due to the fact that it will be on the Internet and can be accessed
globally. Clients should understand that their information is vital which is why they should review
the recovery process if their data is accessed, altered, or lost. With this ever-growing catchphrase
of Cloud Computing most companies may start looking to the Clouds for possible options. With
this research, clients should be able to make a more sound decision whether or not to make this
type of investment.
Also, this will give most clients an understanding of which SPI would benefit them the
most. Software as a Service (SaaS) might be beneficial to some clients due to financial
limitations, but larger companies may look into Infrastructure as a Service. All the SPIs have
security risks and this research should provide a guide to which security risks exist and help a
client put pressure on providers to reduce these security risks.
One way of doing this is to bring forth the importance of trust in the context of negotiation of
SLAs with a Cloud provider.
1.4 Perspective
For this research we will be looking at the problem from a client point of view to show what the
potential buyer should look for in a vendor that provides Cloud Computing or Cloud Services.
We selected this view as we think it is more important to help potential clients to understand
what Cloud Computing could be and what security risks may be involved in different
solutions instead of choosing to focus on a provider's perspective. If we focus on a client
perspective we could bring new insights to the table and help clients in what they should know
and what they should expect from providers when entering agreements.
1.5 Delimitation
The focus in this thesis is on security risks with Cloud Computing and the technology that builds
up Cloud Computing, the three SPIs. We will not focus on benefits in our analysis even though
we have presented a few where we talk about Cloud Computing in general. The technical focus
will be the SPIs which we will methodically review to show how they differ and compare against
each other and potential security risks. There are more kinds of service solutions but we will only
consider the SPIs mentioned earlier.
The raw data that we will gather will be qualitative which means that we will not put focus on
gathering a wide variety of sources to be able to generalize with statistical data. Instead we will
use qualitative data to gain insight and see what the main concerns could be if a client
considers moving to the Cloud. This will be achieved through semi-structured interviews with
experts.


1.6 Definitions
Application Programming Interface (API)
Collection of software routines, protocols, and tools which provide a programmer with all the building blocks for
developing an application program for a specific platform (environment). An API also provides an interface that
allows a program to communicate with other programs, running in the same environment.
(Businessdictionary.com)
Application Service Provider (ASP)
Firm that sells usage of computer programs via internet. An ASP (equipped with all required software,
hardware, and trained employees) guarantees trouble-free availability of the application programs on a continuous
basis. Customers use the programs they need, for a fixed monthly fee or usage based charges. The data generated by
those programs can either be stored on the customer's computer or on the disk space rented out by the ASP on its
storage devices. (Businessdictionary.com)
Denial of Service (DOS)
Deliberate attempt to thwart authorized users' access to a computer system or website, by corrupting its stored
data or disrupting its normal functions with a denial of service attack. (Businessdictionary.com)
Distributed system
Computer networking scheme in which several inter-connected systems service their local needs and use their idle or
spare capacity to attend to common workload. (Businessdictionary.com)
Hypervisor
In virtualization technology, hypervisor is a software program that manages multiple operating systems (or
multiple instances of the same operating system) on a single computer system. The hypervisor manages the system's
processor, memory, and other resources to allocate what each operating system requires. Hypervisors are designed for
a particular processor architecture and may also be called virtualization managers. (Webopedia.com, 2006)
Cloud
A pool of scalable & abstracted infrastructure that host end user applications, billed by consumption.
(Bouchard & Sankar, 2009)
Cloud Computing
A style of computing when massively scalable IT related capabilities are provided "as a Service" using
Internet technologies to multiple external customers. (Gartner, 2008)
Flexibility
Ability of a system, such as a manufacturing process, to cost effectively vary its output within a certain range and
given timeframe. (Businessdictionary.com)
Information Security
Safe-guarding an organization's data from unauthorized access or modification to ensure its availability,
confidentiality, and integrity (CIA). (Businessdictionary.com)



Infrastructure as a Service
Provides virtual machines and other abstract hardware and operating systems which may be controlled
through a service API. Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows
Live Skydrive and Rackspace Cloud. (ENISA, 2009)
Platform as a Service
Allows customer to develop new applications using APIs deployed and configurable remotely. The platforms
offered include development tools, configuration management, deployment platforms. Examples are Microsoft
Azure, Force and Google App engine. (ENISA, 2009)
Risk
(1) Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss,
expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event.
(Businessdictionary.com)
Scalability
System designed to handle proportionally very small to very large usage and service levels almost instantly, and
with no significant drop in cost effectiveness, functionality, performance, or reliability. Scalable systems employ
technologies such as automatic load balancing, clustering, and parallel processing. (Businessdictionary.com)
Security
Freedom from risk or danger; safety (Thefreedictionary.com, 2009)
Software as a Service
Is software offered by a third party provider, available on-demand, usually via the Internet configurable
remotely. Examples include online word processing and spreadsheet tools, CRM services and web content
delivery services. (ENISA, 2009)
Threat (Computer Security)
Action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its
known or unknown vulnerabilities. It may be caused by (1) gaining unauthorized access to stored information, (2)
denial of service to the authorized users, or (3) introduction of false information to mislead the users or to cause
incorrect system behavior (called spoofing) (Businessdictionary.com)
Lock-in
Vendor lock-in, or just lock-in, is the situation in which customers are dependent on a single manufacturer
or supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without
substantial costs and/or inconvenience. (Linux Information Project, 2006)




2 Methodology
In this section we are going to bring forward what scientific approach we took in our research
and what methodology we applied to the work within this thesis.
2.1 Research philosophy
Research philosophies are a help to guide researchers in their work by helping them understand
how they and other researchers approach their work. It also helps researchers understand how
the researcher came to their conclusion by describing what personal beliefs and assumptions the
researcher had while conducting the research and collecting the data. The following discussions
are comprised of what approaches this thesis is taking regarding research philosophies.
2.1.1 Epistemology
According to Saunders et al. (2007), epistemology is concerned with what is considered
acceptable knowledge in a field of study. In the epistemological philosophical branch, we have
the positivist and the interpretive assumptions. The positivist holds that valid
knowledge is data that can be observed and measured. As a positivist you will be:
working with an observable social reality and that the end product of such research can be law-like generalizations
similar to those produced by the physical and natural scientists. (Saunders et al., 2007)
The interpretive stance advocates:
that it is necessary for the researcher to understand differences between humans in our role as social actors.
(Saunders et al., 2007)
In other words it highlights the importance of differentiating between conducting research among
people and among other objects. Our standpoint is within an interpretive viewpoint because we think it
is important to differentiate between each individual. Due to that, we do not think that law-like
generalizations can be created for individuals. So it is important to realize that the research itself
is affecting the reality that is being investigated. We are not trying to measure the reality; we are
more concerned with finding meaning with the reality we are investigating. The area of Cloud
Computing is still fuzzy and it is the users who will form Cloud Computing to what it is going to
become. We will conduct semi-structured interviews with several different people and the results
will differ because of the different viewpoints, experiences and world views of those people.



2.1.2 Ontology
Ontology is about what the nature of knowledge is. It includes objectivism and subjectivism
where the objectivist is concerned with that:
social entities exist in reality external to social actors concerned with their existence (Saunders et al., 2007)
while the subjectivist holds that:
social phenomena are created from the perceptions and consequent actions of those social actors concerned with their
existence (Saunders et al., 2007)
To understand and to be able to correctly observe a reality, we argue that you have to be involved
in that reality by being subjective. By observing it objectively, you may not be able to understand
the reality to its full extent and what is actually creating the reality. On the other hand, by being
subjective, the knowledge created might be biased by the fact that the researcher is directly
involved with the reality. This research will mainly be subjective by being in contact with both
providers and clients in the Cloud Computing environment.
2.1.3 Axiology
In Saunders et al (2007) Axiology is:
a branch of philosophy that studies judgments about value.
It means among others that the philosophical approach taken, determines which type of data
collection techniques are chosen. Conducting semi-structured interviews would add more value
to the results by allowing more in-depth discussions, but still relying upon a foundation
consisting of carefully evaluated questions that aims at answering the research questions. The aim
of this thesis is to provide knowledge about security risks with Cloud Computing, and this would
be of value for both the researchers and others that are considering moving into the Cloud
environment.


3 Theoretical Framework
In this section we will present background information about Cloud Computing that will be used
throughout the thesis as a cornerstone on what Cloud Computing and its associated security risks
are about. We will also present definitions and explain key concepts that will help the reader to
understand our train of thought. First we will introduce Cloud Computing and characteristics of
Cloud Computing. This will give the reader an overview of what Cloud Computing is and the
technology it consists of. Then we will present the three SPIs and after that we present different
Cloud deployment models we have found and multi-tenancy. Before we move on from specific
Cloud topics we will also present a model that shows different services for the SPIs and who is
offering them. We will then present information regarding three kinds of SLA. After that we will
present risks from ENISA, CSA and NIST, followed by our topic on security and counter
measures then we will discuss the topic of trust.
3.1 Cloud Computing
In this section we will talk about Cloud Computing more generally before we move into each SPI
more deeply. ENISA (ENISA 2009) describe Cloud Computing to be highly abstract, scalable
and flexible where resources are shared and fees are determined by the usage. CSA calls Cloud
Computing an evolving term and add information separation to the picture. That means that
applications, information sources, and the infrastructure are separated (CSA 2009). CSA also adds
the collaboration perspective to the picture that comes with virtualization and flexibility.
OpenCrowd.com agrees on this and calls it "...extremely efficient, massively scalable multi-tenant data
centers offering organizations an alternative way of building, deploying and selling IT services at a significantly
lower price point", and we can begin to see key patterns in the characteristics in the Cloud.
• On-demand
• Broad network access
• Resource pooling
• Rapid elasticity
• Measurable
These characteristics will be explored later in the text in the paragraph Cloud Computing
characteristics. To understand what we and our sources of information mean when we say
scalable and flexible we thought it would be a good thing to add two more definitions to this
thesis. Scalability in the context of a system can be defined like this:
"System designed to handle proportionally very small to very large usage and service levels almost instantly, and
with no significant drop in cost effectiveness, functionality, performance, or reliability. Scalable systems employ
technologies such as automatic load balancing, clustering, and parallel processing." (Businessdictionary.com)
Flexibility is the other recurring phrase when one talks about Cloud Computing, and we decided
to use a definition from the same website where we found the definition for scalability,
Businessdictionary.com, for flexibility.
Ability of a system, such as a manufacturing process, to cost effectively vary its output within a certain range and
given timeframe. (Businessdictionary.com)




3.2 Cloud Computing Overview model
This model was presented by the National Institute of Standards and Technology (NIST) as a
conceptual model of what they believe Cloud Computing includes. We use this
model in the thesis because it summarizes what we believe Cloud Computing
consists of.
Figure 3.1 gives an overview of how we will present information regarding Cloud Computing:
we will start at the top with characteristics and end with Cloud deployment models before we
look into SLAs, security risks and trust.
Figure 3.1 Cloud Computing Overview Model


3.3 Cloud Computing Characteristics
NIST offers a list of components of what comprises Cloud Computing.

• On-demand self-service.

"A consumer can unilaterally provision computing capabilities such as server time and network storage as
needed automatically, without requiring human interaction with a service provider." (NIST 2009)

• Broad network access.

"Capabilities are available over the network and accessed through standard mechanisms that promote use by
heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other
traditional or Cloud based software services." (NIST 2009)

• Resource pooling.

"The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with
different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
There is a degree of location independence in that the customer generally has no control or knowledge over the
exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g.,
country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth,
and virtual machines. Even private Clouds tend to pool resources between different parts of the same
organization." (NIST 2009)

• Rapid elasticity.

"Capabilities can be rapidly and elastically provisioned - in some cases automatically - to quickly scale
out; and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often
appear to be unlimited and can be purchased in any quantity at any time." (NIST 2009)

• Measured service.

"Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some
level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, or active user
accounts). Resource usage can be monitored, controlled, and reported - providing transparency for both the
provider and consumer of the service." (NIST 2009)



3.4 SPI Overview Model
Figure 3.2 was presented by CSA (CSA 2009), and we include it to give the reader a
conceptual aid for the different SPIs that we will discuss in the following paragraphs.
Figure 3.2 SPI Overview Model


3.5 Software as a Service
According to ENISA Software as a Service (SaaS) is:

Software offered by a third party provider, available on demand, usually via the Internet configurable remotely.
Examples include online word processing and spreadsheets tools, CRM Services and web content delivery services
(Salesforce CRM, Google Docs, etc) (ENISA, 2009).

SaaS has become very popular within the IT world due to its flexibility and because it does not require
as much IT knowledge. The service is customizable to fit the consumer, and the provider
controls the infrastructure, platform, and application.
According to the website MSDN and the authors Carraro & Chong (2006), SaaS architectures
fall into four different levels of maturity based on three key attributes:
configurability, multi-tenant efficiency, and scalability.
• Level 1 Ad-Hoc/Custom: This level requires the lowest level of development effort but
offers the lowest level of offerings. At this level each time that the application is run it
creates an instance on the server of the provider.
• Level 2 Configurable: The second level of maturity hosts a separate instance of the
application for each customer. It differs from level 1 in that all instances use the same code
and the vendor meets customers' needs by providing detailed configuration options.
• Level 3 Configurable, Multi-tenant Efficient: The vendor runs a single instance that
serves every customer and provides a unique user experience and feature set for each
one. The disadvantage with this level is that the scalability is limited.
• Level 4 Scalable, Configurable, Multi-tenant Efficient: At this level the vendor
handles multiple customers on a load balanced farm of identical instances, with each
customer's data being separated.
It is important to understand that the last level is not always the desirable place to be. Where the
application is placed in the maturity level depends on business, architectural, operation needs and
on customer considerations. By understanding where the application should be in the maturity
level it will also help in deciding if a client really needs Software as a Service.
According to ENISA, certain security risks have a high impact on SaaS and other SPIs, and clients
must understand the impacts. One risk that affects all of the SPIs is Lock-in. Lock-in is defined
as:
Vendor lock-in, or just lock-in, is the situation in which customers are dependent on a single manufacturer or
supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without
substantial costs and/or inconvenience. (The Linux Information Project, 2006)
SaaS providers develop the different applications that are tailor made for that customer which
does bind the customer to that provider. According to Hoffman (2006), in his article Top 10
SaaS Traps, not many service providers of SaaS offer an SLA or might even charge for the SLA.
It is now very important that a customer does in fact ask for an SLA or locate a different vendor
that will provide one.



There are multiple benefits in deploying SaaS but just because you can, does not mean it is right
for you. With the economy in a downturn clients are looking for a better solution for their IT
issues and be able to make a quick return on their investment. Salesforce.com has listed these
benefits to SaaS (which may be biased):
• High Adoption: Applications are available anywhere from any computer or device
• Lower Initial Costs: Subscription based payments and no license fees
• Painless upgrades: Provider manages all updates and upgrades
• Seamless Integration: Vendors with multi-tenant architectures can scale indefinitely to
meet customers' demand
3.5.1 Division of Responsibility in SaaS
In this division of responsibility we will focus on how customers and managers should work
within an SaaS environment. The reason for this, according to ENISA, is: "With respect to security
incidents, there needs to be a clear definition and understanding between the customer and the provider of
security-relevant roles and responsibilities." The result of this should be a clear understanding of the roles and
responsibilities customers and providers have to one another.


Table 3.1 Division of Responsibility in SaaS


3.6 Platform as a Service
PaaS is the layer in between where you not only get access to the software, but also the
underlying platform which the software is running on. What is not included is the control of the
actual infrastructure that the platform is running on. ENISA defines PaaS as following:
Allows customer to develop new applications using APIs deployed and configurable remotely. The
platforms offered include development tools, configuration management, deployment platforms. Examples are
Microsoft Azure, Force and Google App engine. (ENISA, 2009)
There are still different opinions about what PaaS is. Overall, PaaS is seen as a platform where
software can be deployed and configured and made available through a web browser. The
application that is made available does not require any installation or the need to download
anything to the computer for the user that wants to access it. It can be seen as a web hotel where
a company or individual can develop and deploy a web site and make it available through a web
browser. The web hotel provides access to different tools and the possibility to configure the
platform, which the web site is running on. The web hotel is usually supporting a set of different
web development languages as for example ASP.NET and PHP that can be used to develop the
web site. (Whatis.techtarget.com 2008)
PaaS however, mostly offers more configuration possibilities than a web hotel. For example, PaaS
can give the possibility to configure and update the operating system (OS) that is used for the
platform. Also, more advanced applications than just a web site can be developed and run on the
platform. The type of applications that can be run on the platform is limited to what OS and
development language the PaaS vendor offers. Therefore applications that are developed on a
specific platform, as with Force.com that uses Apex as a development language, cannot be
moved to another platform because of Apex being specific and limited to the platform by
Force.com (Rådmark, 2010). In other words, PaaS increases the risk of lock-in if the service
provider uses proprietary service interfaces or development languages.
PaaS has some main benefits such as scalability and flexibility. Providers of PaaS have also listed
a set of other benefits of PaaS which may be biased.
A few that www.salesforce.com lists are:
• Faster results - the need for acquiring and setting up the infrastructure you need to be
able to develop software is gone. By signing up for a PaaS you can instantly start
developing the programs you want and get results.
• Lower costs - because you do not have to acquire the needed equipment and only pay for
what you use, you will be able to lower your costs significantly.
• Simplified deployment - the software developed can be made available instantly
through the web, and as mentioned before, the developers do not need to worry about
the infrastructure and can thus focus on the development.
• Lower risk - without the need to build up an infrastructure for the development, the
risks are lowered when it comes to investments.
• No more software upgrades - patching and upgrading of the system is handled by the
PaaS provider as well as regular system maintenance.




www.zoho.com lists some as:
• Minimize operational costs - because you only pay for what you use you do not need
to worry about servers standing unused and you do not have to worry about maintenance
costs.
• Zero infrastructure - the only equipment you need to start using the Cloud is a
computer that is hooked up to the Internet.
• Integration with other web services - the Cloud provider will have to have more
standardized interfaces to be able to offer a complete interface that can be integrated
easily with other web services.
3.6.1 Division of Responsibility in PaaS
In this division of responsibility we will focus on how customers and managers should work
within a PaaS environment. The reason for this, according to ENISA, is: "With respect to security
incidents, there needs to be a clear definition and understanding between the customer and the provider of
security-relevant roles and responsibilities." The result of this should be a clear understanding of the roles and
responsibilities customers and providers have to one another.

Table 3.2 Division of Responsibility in PaaS


3.7 Infrastructure as a Service
Compared to SaaS and PaaS that focus on being as virtual and service oriented as possible, IaaS
also focuses on computing. Because of the focus on computing, there are people who find IaaS to
be true Cloud Computing while the other SaaS are considered Cloud Services. In this thesis we
agree on this, but we also consider all three SPIs to be part of the Cloud and Cloud Computing.
ENISA, the European Network and Information Security Agency, defines IaaS as:
Provides virtual machines and other abstract hardware and operating systems which may be controlled through a
service API. Examples include Amazon EC2 & S3, Terremark Enterprise Cloud, Windows Live Skydrive
and Rackspace Cloud. (ENISA, 2009)
This definition will be used in this thesis to identify security risks and threats with IaaS, and to
assess them in the context of clients to determine what clients of Cloud Computing and IaaS
should know and expect from their Service Providers (SP) in terms of Service Level Agreement
(SLA).
As Cloud Component can be decomposed into the three different SPIs, IaaS can also be
decomposed into components. The article "The Rise of Service Oriented IT and the Birth of Infrastructure
as a Service" (Leach 2007) concludes that IaaS consists of three major components:
• Equipment - includes
o Enterprise servers: computer systems that provide essential services across a
network, to private users inside a large organization or to public users via the Internet
o Storage: computer components and devices that record, save and
store media and data for an organization.
o Network: a collection of computers and devices that communicate through
channels that facilitate communication among users
o Security devices: devices and applications that provide a secure environment for
your organization
• Facilities - that house, protect and power equipment
o Data centers: a facility used to house computer systems and associated
components, such as telecommunications and storage systems. It generally
includes redundant or backup power supplies, redundant data communications
connections, environmental controls (e.g., air conditioning, fire suppression) and
security devices.
• Management systems
o Monitoring systems to manage onsite and offsite
In a more technical aspect, the scalability of IaaS could be said to offer building blocks
(Opencrowd.com) on which a client can have a customizable infrastructure. Using IaaS as a
foundation, you can add the other "as a Service" offerings that are available and keep building on your
virtual environment. The building blocks are scalable, which means that CPU, memory, storage,
networking and security (Lew, 2009) can be increased or decreased depending on the pressure on
the system, and you pay for what you use.

The benefits we have identified come from vendor sites, which could be biased, and from
more neutral sites focusing on academic articles about Cloud Computing. Benefits associated
with IaaS are, according to GNI.com (2009):


• Dynamic scaling
• Usage-based pricing
• Reduced capital and personnel costs
• Access to superior IT resources
The website Clouddb.info, in its article "Defining Cloud Computing: Part 6 - IaaS", acknowledges
the same kind of benefits using similar or the same words as GNI.com. What is interesting is that
Clouddb.info includes the perspective of clients when identifying these benefits and clearly seems
to think IaaS will be beneficial for clients specifically because of the mentioned benefits. Even
though these are great benefits for clients looking for a Cloud based solution, there are also risks
associated with IaaS.
3.7.1 Division of Responsibility in IaaS
In this division of responsibility we will focus on how customers and managers should work
within an IaaS environment. The reason for this, according to ENISA, is: "With respect to security
incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles
and responsibilities." The result of this should be a clear understanding of the roles and responsibilities
customers and providers have to one another.


Table 3.3 Division of Responsibility in IaaS


3.8 Cloud Deployment Models
According to a report made by the Cloud Security Alliance (CSA) that was published in December
2009, there are four different kinds of deployment models when it comes to Cloud Computing.
These models do not depend on which kind of SPI is deployed in the Cloud. The four
different models are described like this by CSA:
• Private Cloud:

The Cloud infrastructure is operated solely for a single organization. It may be managed by the organization
or a third party, and may exist on-premises or off premises. (CSA, 2009)

• Public Cloud:

The Cloud infrastructure is made available to the general public or a large
industry group and is owned by an organization selling Cloud services. (CSA, 2009)

• Community Cloud:

The Cloud infrastructure is shared by several organizations and supports a specific community that has
shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed
by the organizations or a third party and may exist on-premises or off-premises. (CSA, 2009)

• Hybrid Cloud:

The Cloud infrastructure is a composition of two or more Clouds (private, community, or public) that remain
unique entities but are bound together by standardized or proprietary technology that enables data and
application portability (e.g., Cloud bursting for load-balancing between Clouds). (CSA, 2009)




3.9 Cloud Computing Vendors Model
According to the website Opencrowd.com, there are a few landscape models circling the Internet
focusing on showing what vendors have to offer. Since it is vendor based, it is also biased, and so
Open Crowd did their own and that is the one we are presenting below to give you an overview
of who is offering what kind of service.
Open Crowd decided to divide the Cloud into four areas compared to our idea of using only
three. The reason for this is that they regard Cloud Software, which they define as:
"Cloud software is off-the-shelf software that can be used to create an internal Cloud or in some cases can be used
to customize infrastructure services to mold a custom Cloud solution."
to be a part of Cloud Computing services offered by vendors.
We decided not to expand our thesis scope when we found out about Cloud Software, as the
focus of this thesis is on clients that may or may not move to a Cloud Solution because
they lack in-house skills for IT solutions.
Figure 3.3 Cloud Taxonomy Model


3.10 Multi-tenancy
According to Salesforce.com, multi-tenancy is an architectural approach in which a single instance
of an application is used by multiple tenants. Unlike isolated instances, which are deployed in a silo
structure, multi-tenancy is a large community hosted by the provider. This is only
practical when the applications are stable, reliable, customizable, secure, and upgradeable, which
the provider usually handles. It can be viewed from two different perspectives, the client's and the
provider's.
The clients could use a public Cloud service or actually be part of the organization that is hosting
the Cloud, but would still be part of the infrastructure. The provider view is that multi-tenancy
will allow for providers to enable economies of scale, availability, operational efficiency and use
of applications to multiple users.
There are three distinct approaches to multi-tenancy: separate databases; shared
database with separate schemes; and shared database with shared schemes. Each different approach is
important to review and it is also critical for an organization to decide which approach is
appropriate for them. (Carraro, Chong & Wolter, 2006)
3.10.1 Separate Database
Separate Database is the simplest approach of Data isolation
o Highest maintenance and backup cost
o Highest hardware costs
o Premium approach for sensitive data (e.g. Medical, or financial information)
3.10.2 Shared Database and Separate Schemes
Housing multiple tenants in the same database with each tenant having their own set of tables
grouped into a scheme
o Easy to implement
o Easy to extend database like the first approach, separate databases
o A moderate degree of separation and isolation of data for security
o Harder to restore in the event of a failure
  - Restoring the entire database would overwrite every tenant in the same
    database
o Use this approach when dealing with a relatively small number of tables per tenant
3.10.3 Shared Database and Shared Schemes
Shared Database and Shared Schemes uses the same Database and Schemes for multiple tenants
o Lowest hardware and backup cost because of large number of tenants
o With multiple tenants, more focus must be put on security to ensure that
tenants cannot access other tenants' data even if there is a bug or an attack
happens
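The cross-tenant exposure described for the shared database and shared schemes approach can be shown with a small added example (not code from the thesis or its sources): a query that forgets the tenant filter, beside a data-access wrapper that always applies it. The `invoices` table, the tenant names and the `TenantScope` class are assumptions made for illustration.

```python
import sqlite3


def build_shared_db():
    """Shared database, shared schema: all tenants' rows live in one table,
    distinguished only by a tenant_id column. All rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " customer TEXT NOT NULL,"
        " amount REAL NOT NULL)"
    )
    db.executemany(
        "INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
        [("acme", "Alice", 120.0), ("acme", "Bob", 75.5), ("globex", "Carol", 990.0)],
    )
    db.commit()
    return db


def search_unscoped(db, pattern):
    """The bug the text warns about: one forgotten tenant filter and the
    search returns every tenant's rows to whoever runs it."""
    return db.execute(
        "SELECT tenant_id, customer, amount FROM invoices WHERE customer LIKE ?",
        (pattern,),
    ).fetchall()


class TenantScope:
    """Hardened access path (hypothetical helper): the tenant is fixed once,
    from the authenticated session, and every statement adds the
    'tenant_id = ?' condition itself, so a caller cannot leave it out."""

    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._db = db
        self._tenant = tenant_id

    def search(self, pattern):
        return self._db.execute(
            "SELECT customer, amount FROM invoices"
            " WHERE tenant_id = ? AND customer LIKE ?",
            (self._tenant, pattern),
        ).fetchall()

    def get(self, invoice_id):
        # A lookup by primary key alone would return rows of any tenant,
        # so the tenant condition is part of the key lookup as well.
        return self._db.execute(
            "SELECT customer, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant),
        ).fetchone()

    def update_amount(self, invoice_id, amount):
        cur = self._db.execute(
            "UPDATE invoices SET amount = ? WHERE id = ? AND tenant_id = ?",
            (amount, invoice_id, self._tenant),
        )
        self._db.commit()
        return cur.rowcount == 1  # False when the row belongs to another tenant


if __name__ == "__main__":
    db = build_shared_db()
    print("unscoped search:", search_unscoped(db, "%"))
    acme = TenantScope(db, "acme")
    print("scoped search:  ", acme.search("%"))
    print("other tenant's invoice id:", acme.get(3))
```

With separate databases or separate schemes the same mistake would stay inside one tenant's data, which is why the shared approach needs this filter enforced in one place rather than in every query.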



3.10.4 Choosing an Approach
Choosing the right approach will be crucial for the organization and there are multiple
considerations to take into account when deciding.
Economics: Applications that are designed for shared approach will have more of a
development cost, which will result in high initial cost but might have lower operational costs.
Security: It is vital to choose the right approach depending on the data requirements and
sensitivity of the information. Customers will have a high expectation on security and the
SLA between the vendor and the consumer will need to provide strong security practices to
ensure that data is secured.
Tenants: The number of tenants that the client could expect will greatly depend upon which
approach the client chooses.
Regulator: The external environment (e.g. government and laws) will need to be
investigated to see how regulations could affect security and record storage needs.
Skill Set: Single instance multiple tenants is still a new skill set so expertise will be difficult to
come by. An isolated approach may allow your staff to use more of its own knowledge for
the application.
Going through the above list will help an organization in deciding which type of multi-tenant
architecture is best suited for them and their infrastructure.
3.11 Service Level Agreement
A Service Level Agreement (SLA) is in general a legally binding agreement about a service a client
is buying from a Service Provider (SP). The agreement is a part of a much bigger contract
between two partners that define the purchased service. The levels included are a frame of how
the service should be delivered and failure to follow this agreement is usually followed by penalty,
which should also be defined in the agreement. According to SLA information zone (SLA-zone,
2009), a regular SLA usually includes:
• Service delivered - describes the services and how they are delivered. This
information should be very detailed and accurate so you get information about
what exactly is going to be delivered.
• Performance - deals with how monitoring and measuring of the service level
performance is performed.
• Problem management - how to deal with unplanned incidents and how to solve
them, also including how to actively prevent such events.
• Customer duties - explains what relationship the customer and provider have and
the responsibilities that the customer has regarding the service delivery process.
• Warrant & remedies - covers topics such as service quality, third party claims,
exclusions and force majeure.
• Security - the most critical feature of any SLA, stating which security approaches
must be followed and respected.
• Disaster recovery - usually included in the security section and sometimes also in
the problem management area.
• Termination - covers topics such as termination at end of initial term, for
convenience, for cause, and payments regarding termination.


The performance levels set in the agreement often measures up to a percentage level and if that
level is not met, a response is also decided on. An example of this is in Amazon EC2 SLA where
they state the following:
AWS will use commercially reasonable efforts to make Amazon EC2 available with an Annual Uptime
Percentage (defined below) of at least 99.95% during the Service Year. In the event Amazon EC2 does not meet
the Annual Uptime Percentage commitment, you will be eligible to receive a Service Credit as described below.
Creating a good SLA is not a trivial task, but a task that is of utter importance when buying
and/or providing services and errors in SLAs could enforce legal penalties.
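As an added illustration (not part of the thesis or of Amazon's SLA), the following code checks an outage log against the 99.95% Annual Uptime Percentage quoted above; it merges overlapping outage reports and clips them to the service year so that downtime is not counted twice. The outage records and the calendar-year window are constructed assumptions, and any exclusions a real SLA defines are not modeled.

```python
from datetime import datetime, timedelta

SLA_TARGET_PERCENT = 99.95  # Annual Uptime Percentage from the SLA quoted above

# Constructed outage reports (start, end); not real provider data.
SAMPLE_OUTAGES = [
    (datetime(2009, 3, 1, 10, 0), datetime(2009, 3, 1, 12, 0)),
    (datetime(2009, 3, 1, 11, 30), datetime(2009, 3, 1, 13, 0)),  # overlaps the first report
    (datetime(2009, 12, 31, 23, 0), datetime(2010, 1, 1, 2, 0)),  # runs past the year end
]
# Assumption: the service year is the calendar year 2009.
YEAR_START = datetime(2009, 1, 1)
YEAR_END = datetime(2010, 1, 1)


def merge_outages(outages):
    """Merge overlapping or touching outage windows into disjoint ones."""
    merged = []
    for start, end in sorted(outages):
        if end <= start:
            raise ValueError("outage must end after it starts")
        if merged and start <= merged[-1][1]:
            prev_start, prev_end = merged[-1]
            merged[-1] = (prev_start, max(prev_end, end))
        else:
            merged.append((start, end))
    return merged


def downtime_in_year(outages, year_start, year_end):
    """Total downtime that falls inside the service year."""
    down = timedelta()
    for start, end in merge_outages(outages):
        clipped_start = max(start, year_start)
        clipped_end = min(end, year_end)
        if clipped_end > clipped_start:
            down += clipped_end - clipped_start
    return down


def naive_downtime(outages):
    """Plain sum of report durations; overstates downtime when reports
    overlap or extend beyond the service year."""
    return sum((end - start for start, end in outages), timedelta())


def uptime_percent(outages, year_start, year_end):
    down = downtime_in_year(outages, year_start, year_end)
    return 100.0 * (1 - down / (year_end - year_start))


def downtime_budget(year_start, year_end, target=SLA_TARGET_PERCENT):
    """Downtime the provider may accumulate before the target is missed."""
    return (year_end - year_start) * (1 - target / 100)


def sla_met(outages, year_start, year_end, target=SLA_TARGET_PERCENT):
    return uptime_percent(outages, year_start, year_end) >= target


if __name__ == "__main__":
    print("budget:        ", downtime_budget(YEAR_START, YEAR_END))
    print("naive downtime:", naive_downtime(SAMPLE_OUTAGES))
    print("real downtime: ", downtime_in_year(SAMPLE_OUTAGES, YEAR_START, YEAR_END))
    print("uptime %:      ", round(uptime_percent(SAMPLE_OUTAGES, YEAR_START, YEAR_END), 4))
    print("SLA met:       ", sla_met(SAMPLE_OUTAGES, YEAR_START, YEAR_END))
```

For a 365-day year the 99.95% target leaves a budget of about 4 hours 23 minutes, so the way overlapping reports are counted decides whether the constructed log is a breach.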

• Web Service Level Agreement
In addition to a regular SLA, there are additional SLAs that deal with different kinds of services.
One of these is the Web Service Level Agreement (WSLA), and to a certain point it is very
similar to a regular SLA, but since we add technology to the picture and, most often, a third party
management/monitoring provider, more information has to be included in the WSLA. The
WSLA should, according to IBM's report WSLA Language Specification (Dan, Frank, Ludwig,
Keller, King, V1.0, 2003), not only include the SLA components mentioned in our SLA part, but
also include:
... assertions of a service provider to perform a service according to agreed guarantees for IT-level and business
process level service parameters such as response time and throughput, and measures to be taken in case of
deviation and failure to meet the asserted service guarantees, for example, a notification of the service customer.

What IBM indicates, and what others agree with (Patel, Ranabahu & Sheth 2009), is that WSLA
needs to focus even more on metrics to measure if the service bought and received measure up
to the levels agreed upon. This puts focus onto Quality of Service (QoS) and how this is
measured. According to Patel et al. (2009) an example of WSLA measures is transactions per
hour. By providing that kind of information, a company can make a statistical analysis to
determine the QoS and if the SLA has been breached.
• Cloud Service Level Agreement
If we take the two previous SLAs we have mentioned into consideration and compare them to the
dynamic and scalable nature of Cloud Computing, significant changes need to be made to the
SLA to align it with the Cloud environment. While WSLA is closer to the solution than a
standardized SLA, the measurements have to be different. Because the environment is dynamic,
the measures have to be dynamic as well. Patel et al. (2009) propose that the parties add these
measures to the picture: usage and cost. When the Cloud services are in use, these measures have
to be adapted according to usage, i.e. when the services increase in scale, the measures have to
be adapted to that. This is the thinking one has to apply to make a more appropriate SLA for the
Cloud Computing environment.
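
The WSLA measure "transactions per hour" and the usage and cost measures proposed for a Cloud SLA can be checked together from hourly measurements. The following is an added example, not taken from the thesis or from Patel et al.: the contract terms, field names and sample figures are all hypothetical. It compares a fixed throughput guarantee with one that scales with the units provisioned in each hour.

```python
"""Added example: judging an SLA from hourly transaction measurements."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SlaTerms:
    # Every value placed in these terms is hypothetical, chosen for the example.
    tx_per_hour_per_unit: int       # throughput guaranteed per provisioned unit
    baseline_units: int             # units in place when the contract was signed
    max_response_ms: float          # agreed ceiling on response time
    unit_price_per_hour: float      # cost measure
    allowed_violation_ratio: float  # share of hours that may miss a guarantee


@dataclass(frozen=True)
class HourSample:
    hour: int
    units: int          # usage measure: units provisioned during this hour
    submitted: int      # transactions the client sent
    completed: int      # transactions the service finished
    response_ms: float  # measured response time for the hour


def hour_violations(s: HourSample, terms: SlaTerms, dynamic: bool) -> list[str]:
    """Return the guarantees missed in one hour (empty list means compliant)."""
    # Dynamic: the guarantee follows the units in use. Static: it stays at
    # the level the contract was signed with, however far the service scaled.
    units = s.units if dynamic else terms.baseline_units
    guaranteed = terms.tx_per_hour_per_unit * units
    # The provider owes only what was actually requested, up to the guarantee.
    owed = min(s.submitted, guaranteed)
    reasons = []
    if s.completed < owed:
        reasons.append(f"throughput {s.completed} below owed {owed}")
    if s.response_ms > terms.max_response_ms:
        reasons.append(f"response {s.response_ms} ms above {terms.max_response_ms} ms")
    return reasons


def evaluate(samples: list[HourSample], terms: SlaTerms, dynamic: bool = True) -> dict:
    """Summarise a reporting period: violating hours, breach verdict, cost."""
    if not samples:
        raise ValueError("no measurements: the SLA cannot be judged")
    violations = {}
    for s in samples:
        reasons = hour_violations(s, terms, dynamic)
        if reasons:
            violations[s.hour] = reasons
    ratio = len(violations) / len(samples)
    price = terms.unit_price_per_hour
    return {
        "violations": violations,
        "violation_ratio": ratio,
        "breached": ratio > terms.allowed_violation_ratio,
        # Cost follows usage: every provisioned unit-hour is billed.
        "billed": sum(s.units for s in samples) * price,
        # Amount billed for hours in which a guarantee was missed.
        "disputed": sum(s.units for s in samples if s.hour in violations) * price,
    }


# Constructed sample data: the service scales from 2 to 4 units in hour 2.
TERMS = SlaTerms(tx_per_hour_per_unit=1000, baseline_units=2,
                 max_response_ms=250.0, unit_price_per_hour=0.5,
                 allowed_violation_ratio=0.2)
SAMPLES = [
    HourSample(0, 2, 1500, 1500, 180.0),
    HourSample(1, 2, 2600, 2000, 240.0),  # demand above guarantee: not a miss
    HourSample(2, 4, 3900, 3100, 230.0),  # missed only under the scaled guarantee
    HourSample(3, 4, 3800, 3800, 410.0),  # slow responses
    HourSample(4, 4, 3500, 3500, 200.0),
    HourSample(5, 1, 700, 700, 150.0),
]

if __name__ == "__main__":
    for label, dynamic in (("static", False), ("dynamic", True)):
        report = evaluate(SAMPLES, TERMS, dynamic)
        print(label, sorted(report["violations"]), "breached:", report["breached"])
```

With the fixed guarantee the period passes, because the shortfall in hour 2 is hidden by the threshold that was set before the service scaled up.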






3.12 Risk definition
The top risks we are discussing in this thesis are from the European Network and Information
Security Agency (ENISA 2009), Computer Security Alliance (CSA 2010) and National Institute
of Standards and Technology (NIST) and they are:
ENISA 2009
• Loss of Governance: The Client ceding control to a Cloud Provider on multiple issues.
• Lock In: The difficulty of a customer moving from one Cloud provider to another.
• Isolations Failure: The failure of hardware separating storage, memory, routing and
  even reputation between different tenants.
• Compliance Risk: Investment in achieving certification may be put at risk by moving to
  the Cloud.
• Management Interface Compromise: Customers' management interfaces of a Public
  Cloud provider are accessible through the Internet and mediate access to larger sets of
  resources, which poses an increased risk.
• Data Protection: The ability of the customer to check the data handling practices of the
  Cloud provider and to ensure that the data is treated in a lawful manner.
• Insecure or incomplete data deletion: A customer requests that their data be deleted
  and it is not completely removed or deleted due to duplication.
• Malicious Insider: Damage caused by a person that has access to the Cloud.
CSA 2010
• Abuse and Nefarious Use of Cloud Computing: Easy access and lack of control of
  who is using Cloud Computing can provide entrance for malicious people.
• Insecure Interfaces and APIs: Authentication and reusable access tokens/passwords
  have to be properly managed or security issues will arise.
• Malicious Insider: Lack of insight into the Cloud provider's employees can trigger risks if
  employees have malicious intent and access to information they should not have.
• Shared Technology Issues: With scalability come shared technology issues, since the
  provider is using their own resources to provide more for the clients during peaks. With
  shared technology the risk associated with hypervisors appears, since hypervisors work in
  between different clients.
• Data Loss and Leakage: Improper deletion or backup of data records can lead to
  unwanted duplication of data that becomes available when it should not exist.
• Account or Service Hijacking: Phishing for credentials to get access to sensitive data.
• Unknown Risk Profile: No insight into what the provider does to keep your data safe, or
  how it handles updates, patches etc.



NIST 2009
• Data dispersal and International Privacy Law
  ◦ EU Data Protection Directive and US Safe Harbor Program
  ◦ Exposure of data to foreign government and data subpoenas
  ◦ Data retention issues
• Need for Isolation Management
• Multi-tenancy
• Logging Challenges
• Data ownership issues
• Quality of Service Guarantees
• Dependence on secure hypervisors
• Attraction to hackers (high value target)
• Security of virtual OSs in the Cloud
• Possibility for massive outages
• Encryption needs for Cloud Computing
  ◦ Encrypting access to the Cloud resource control interface
  ◦ Encrypting administrative access to OS instances
  ◦ Encrypting access to applications
  ◦ Encrypting application data at rest
• Public Cloud vs. internal Cloud security
• Lack of public SaaS version control

If these risks occur in an organization, it will be the operations of the organization that will
suffer. Therefore we have concluded that the risk definition we use in this thesis focuses on
probability. A common probability risk definition is:
(1) Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss,
expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event



3.13 Security
Security is defined as "Freedom from risk or danger; safety", while information security is defined as
"Safe-guarding an organization's data from unauthorized access or modification to ensure its availability,
confidentiality, and integrity (CIA)". The three principles are the main concerns when dealing with
information security and each principle requires different security mechanisms to be able to be
enforced. For Cloud Computing to be considered secure, these principles are what it has to
live up to. The Committee on National Security Systems (2010) defines the three areas as:
• Confidentiality - "Assurance that information is not disclosed to unauthorized
  individuals, processes, or devices."
• Integrity - "in a formal security mode, integrity is interpreted more narrowly to mean
  protection against unauthorized modification or destruction of information."
• Availability - "Timely, reliable access to data and information services for authorized
  users."
To enforce these principles there are different mechanisms that can be applied. The mechanisms
are retrieved from a blog called Continuity Disaster Recovery (Phoenix 2010). Confidentiality is
sometimes referred to as privacy and to enforce it you can apply:
• Access control - with access control you can control how and what information users
  can access. How could be by authentication through passwords and/or biometrics.
• Passwords - a password is the basic authentication method and to make it even more
  secure it can be used alongside smart cards or biometrics.
• Biometric - biometrics concerns the use of humans' physical characteristics for
  identification and authentication. It could be for example fingerprint scanning, retina
  scanning or face recognition.
• Encryption - encrypting information from plain text so that it is unreadable prevents
  unauthorized users from accessing the information. Encryption is performed through a
  mathematical algorithm that alters the information.
• Ethics - through policies employees can get the necessary guidance to know how to
  behave and prevent unethical use of for example an information system.
To maintain the integrity of information you can use:
• Configuration Management - this is how you manage change when it comes to the
  information technology environment.
• Configuration Audit - this mechanism verifies that alterations made to information
  were allowed to be performed. The auditing can be done by monitoring log changes either
  manually or through an automated system.
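
One way an automated configuration audit can tie back to configuration management is to compare the observed state against the last audited baseline and the list of approved changes. This is an added example, not part of the thesis or of the cited blog; the item names, contents and change records are constructed for illustration.

```python
"""Added example: automated configuration audit against approved changes."""
from __future__ import annotations

import hashlib


def digest(content: str) -> str:
    """SHA-256 fingerprint of a configuration item's content."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def audit(baseline: dict[str, str],
          approved: dict[str, str | None],
          current: dict[str, str]) -> dict[str, str]:
    """Classify every configuration item.

    baseline: item name -> digest recorded at the previous audit
    approved: item name -> digest of the approved new content,
              or None when removal of the item was approved
    current:  item name -> content observed now
    """
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            # Item disappeared: acceptable only with an approved removal.
            ok = name in approved and approved[name] is None
            findings[name] = "approved removal" if ok else "UNAUTHORIZED removal"
            continue
        now = digest(current[name])
        if baseline.get(name) == now:
            # Identical to the last audited state.
            if name in approved:
                findings[name] = "unchanged (approved change not applied)"
            else:
                findings[name] = "unchanged"
        elif approved.get(name) == now:
            # Differs from the baseline, but matches what change management signed off.
            findings[name] = "approved change"
        elif name in baseline:
            findings[name] = "UNAUTHORIZED change"
        else:
            findings[name] = "UNAUTHORIZED addition"
    return findings


def unauthorized(findings: dict[str, str]) -> list[str]:
    """Names of the items that need investigation."""
    return [n for n, verdict in findings.items() if verdict.startswith("UNAUTHORIZED")]


# Constructed sample data -------------------------------------------------
PREVIOUS = {
    "firewall.rules": "allow tcp/443 from any\ndeny all\n",
    "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "backup.cron": "0 2 * * * /opt/backup/run\n",
    "legacy-ftp.conf": "listen=YES\n",
}
BASELINE = {name: digest(text) for name, text in PREVIOUS.items()}

NEW_FIREWALL = "allow tcp/443 from any\nallow tcp/22 from 10.0.0.0/8\ndeny all\n"
APPROVED = {
    "firewall.rules": digest(NEW_FIREWALL),  # change record with expected content
    "legacy-ftp.conf": None,                 # decommissioning was approved
}

CURRENT = {
    "firewall.rules": NEW_FIREWALL,                                      # as approved
    "sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # no change record
    "debug-listener.conf": "listen 0.0.0.0:9999\n",                     # never approved
    # backup.cron is gone without approval; legacy-ftp.conf is gone with approval
}

if __name__ == "__main__":
    result = audit(BASELINE, APPROVED, CURRENT)
    for item, verdict in result.items():
        print(f"{item:22} {verdict}")
    print("investigate:", unauthorized(result))
```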



Availability should always be ensured so the authorized users can access desired information
whenever they want. To ensure that data is always kept available and safely stored you should
consider:
• Data Backup Plan - to have a plan of how you back up your information is always
  important. It includes what information is being backed up and at which time interval.
  This depends on what type of business you run and how often information is altered.
• Disaster Recovery Plan (DRP) - this includes the procedures for how a quick backup
  is performed with minimum impact on the business.
• Business Continuity Plan or Business Resumption Design - this is a part of the
  DRP and documents how a business gets back to normal after a disaster has struck.
3.13.1 Security risks tied to information security
Cloud Computing is about availability, that is having access to information whenever and from
wherever. Some of the risks presented by ENISA, CSA and NIST are security risks that could
compromise this aspect as well as the principles confidentiality and integrity. The risks are listed
in the table below together with how they could affect the CIA principles. How the principles
could be affected is derived from the report Top Threats to Cloud Computing V1.0 by CSA.
Insecure or incomplete data deletion (ENISA)
Confidentiality
When a customer requests that certain information should be deleted, copies of
the information could still reside somewhere in the Cloud due to backups or some
other redundant reason. The risk could be that this information is left unprotected
on a hard-drive that is shared with some other company.
Integrity
If the service does not control the authentication and authorization properly by
having weak control mechanisms, there is a risk that information can be affected
by unauthorized change or deletion.
Availability
-
Abuse and Nefarious Use of Cloud Computing (CSA)
Confidentiality
When not having control of who is using the Cloud, by for example providing the
possibility to be anonymous when registering for a Cloud service, criminals could
get the possibility to exploit Clouds by applying malicious software that can give
them access to information they should not have. This is mostly applicable to PaaS
and IaaS where customers have the possibility to develop and run software.
Integrity
If malicious software is executed in the Cloud, it could affect the integrity if the
intent is to alter or delete information.



Availability
If there is a lack of control of what kind of software is being run in the Cloud,
the risk of malicious software being run is high and could cause Cloud services
to go down.
Insecure Interfaces and APIs (CSA)
Management Interface Compromise (ENISA)
Confidentiality
A weak interface that for example transmits information in clear-text or allows
anonymous access means that information can be easily acquired by unauthorized
users.
Integrity
If an interface has weak security controls, it could provide access to malicious
attackers with the intent to alter or delete information.
Availability
Interfaces need to be secure so they can withstand malicious attacks that could
compromise the availability of the service.
Malicious Insiders (CSA/ENISA)
Attraction to hackers (NIST)
Confidentiality
When a Cloud provider hires their Cloud employees, there are matters such as hiring
standards and practices, as well as how they grant their employees access to virtual
and physical assets and whether the employees are monitored in their work. If the Cloud
provider does not consider these matters important, there could be a big risk that
they hire someone that has a criminal intent, such as someone that is involved in
organized crime and wants to have access to confidential information.
Integrity
If a Cloud provider has employed persons with a criminal intent, such as hackers
or people involved in organized crime, because of poor hiring standards and
practices, important information could be changed or deleted. The risk is even
greater if there are no monitoring processes set up for the Cloud employees.
Availability
People with a malicious intent that are working at a Cloud provider could cause
the service to go down.
Shared Technology Issues (CSA)
Isolations Failure (ENISA)
Dependence on secure hypervisors (NIST)
Multi-tenancy (NIST)
Confidentiality
By sharing the same infrastructure there is a risk that the multi-tenant architecture
fails to isolate the information so that customers get access to each other's
information. This could happen in the way that a guest operating system user gains
inappropriate levels of control and access that are granted from a hypervisor.



Integrity
If a hypervisor that controls the virtualization of the infrastructure fails to control
the levels of authorization of users in the Cloud, users could get an inappropriate
level of control that could lead to alteration or deletion of information.
Availability
-
Data Loss and Leakage (CSA)
Confidentiality
Leakage of data creates a risk that unauthorized users get hold of sensitive
information.
Integrity
Loss of data is a risk that directly impacts the integrity.
Availability
For data to be available it cannot in any way be lost.
Account or Service Hijacking (CSA)
Confidentiality
By using attacks such as phishing or exploitation of software, credentials could be
acquired that can be used for getting access to sensitive information.
Integrity
If an unauthorized party gets hold of credentials by for example phishing,
information runs a risk of being changed or deleted by that party.
Availability
If an account gets hijacked, there is a risk that the service availability can get
compromised.
Encryption needs for Cloud Computing (NIST)
Confidentiality
The need to encrypt information is very important when it comes to Cloud due to
the use of the services through the Internet. When running an IT infrastructure
in-house, the need to encrypt transmitted information is not as important as
encrypting the hard-drives and databases. But by using a Cloud service, everything
needs to be encrypted to ensure safety, both the transmitting and storing of
information.
Integrity
Information that is not encrypted when it is transmitted can easily be altered so the
message that is received does not correspond to the original message.





Table 3.4 Security Risks tied to Information Security


3.14 Trust
Reading through security aspects regarding Cloud Computing and reviewing information
regarding how the service is provided along with SLAs that define how the service should be
supplied, we have concluded that trust and authority are vital issues in Cloud Computing security.
In this chapter we will present what trust is considered to be from a psychology perspective
(social science) and how one can systematically look at trust. The next step is to present different
versions of trust such as authority, reputation and confidence. We will use material from the
book "Influence - The Psychology of Persuasion" by Robert B. Cialdini (Cialdini 2007), a computational
trust model theory by Lik Mui (Mui 2002) and trust definitions from Wikipedia and James S
Coleman's Foundations of Social Theory to describe trust, which is also available on Wikipedia.
According to Coleman, trust is built up by four parts (Wikipedia 2010):
1. Placement of trust allows actions that otherwise are not possible (i.e. trust allows actions
to be conducted based on incomplete information on the case in hand).
2. If the person in whom trust is placed (trustee) is trustworthy, then the trustor will be
better off than if he or she had not trusted. Conversely, if the trustee is not trustworthy,
then the trustor will be worse off than if he or she had not trusted (this is reminiscent of
the classical prisoner's dilemma).
3. Trust is an action that involves a voluntary transfer of resources (physical, financial,
intellectual, or temporal) from the truster to the trustee with no real commitment from
the trustee (again prisoner's dilemma).
4. A time lag exists between the extension of trust and the result of the trusting behavior.
Another definition of trust is by Gambetta (1988):
"trust (or, symmetrically, distrust) is a particular level of the subjective probability with which an agent assesses
that another agent or group of agents will perform a particular action, both before he can monitor such action (or
independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action"

Basically these two definitions from Coleman and Gambetta state that trust is the possibility for
e.g. a person or company to live up to the bargain set in e.g. an SLA.

Cialdini (Cialdini 2007) talks about influence and discusses a "click and whirr" theory that is set off
by a "trigger feature". In his book, Cialdini talks about influences and, most importantly, authority.
"Click and whirr" is his term for humans' automatic responses to a specific trigger feature. When a
person experiences what he calls "brain strain", we use a rule of thumb, e.g. expensive equals good,
because we are unsure and cannot know everything about everything. In essence, this
"click & whirr" effect provides a shortcut in our daily lives. In the authority chapter Cialdini cites
different studies, which range from people giving out electrical shocks that cause pain, to
medical employees using the wrong dosage, to military train operators running people over
because someone higher than them in the perceived or real hierarchy told them this is how it is:
"trust me, I'm the expert". Authority comes from such things as titles, clothes, appearance and other
personal items and characteristics, and from the negligence to question the authority.

Another shape of trust is confidence, which in social science is considered to be easier to measure,
as trust itself is viewed as a mental state and confidence reflects actions around that trust. Since
trust is considered a mental state, it is hard to evaluate, and Mui (Mui 2002) proposes a more
mathematical approach to solve this. Mui's approach will not be discussed in detail other than
comparing how a mathematical, or systematical, approach differs from a mental one. In his work
he presents that trust is connected with reputation and reciprocity. Reputation and reciprocity are
the product of social networks and norms, where the reputation is:

Reputation is a social quantity calculated based on actions by a given agent a_i and observations made by others in
an embedded social network in which a_i resides. a_i's reputation clearly affects the amount of trust that others have
toward it. (Granovetter, 1985)

Reciprocity is, according to both Cialdini and Mui, a social norm that is created through trust and
interactions. Following this norm is of essence to create trust and a positive reputation.
Reciprocity is the act where debt is created and repaid through genuine actions.








The danger of psychological trust is that it is a mental state, and not systematically conducted but
rather obtained through communication networks and inner evaluation. The model above
depicts how reputation, trust and reciprocity work together and create net benefit for those
involved. The reason for having this part in our thesis is that one way of avoiding a serious
pitfall caused by trust is to understand this process and what net benefit is created for the
counterpart a person interacts with, i.e. what does the person/company I interact with get from
me for trusting him/her/them. This will be discussed further in the analysis when we add raw
data to the picture.
In the beginning of this section, it is stated that trust is considered to be very important in Cloud
Computing security and that we would like to see how the people we interview evaluate trust, or even
if they consider trust to be important for that matter. In the interviews we would like to see how
people view trust regarding Cloud Computing to understand if they use a systematical (fact
based) or internal (mental based) method. In the analysis we will present our findings, connect them
with Cloud Computing security risks and discuss what kind of pitfalls have been found and how
to prevent them.

Figure 3.5 Reputation - Trust - Reciprocity > Net Benefit (Mui, 2002)


4 Research Questions
The research questions that we have decided upon reflect what we think is most important to
research, both to help identify the problems and/or solve them as we reflected on them in
our problem paragraph. These questions have also been selected as we strongly think we can
contribute to the field of Cloud Computing if we answer them properly and underline what the
next area of study should be to make Cloud Computing more mature.
• What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud Computing?
  ◦ What should clients expect from Service Providers in the SLA regarding Cloud
    Computing?
• What possible trust issues are associated with security risks in Cloud Computing and SLA?
  ◦ If so, how can clients avoid security risks associated with trust?
5 Method
5.1 Research approach
When doing deductive research you start by creating a hypothesis and test it by gathering data
and examining it. If it is necessary, the theory is modified so it matches the findings better. In
inductive research you do it the other way around. You go out in the world and gather data, and
from the data you formulate a theory.
To answer our research questions we take an inductive approach by gathering data to then
formulate a theoretical framework. The term Cloud Computing is rather new so we think that the
inductive approach best suits our research. In Saunders et al. (2007), induction emphasizes
collection of qualitative data and is less concerned with the need to generalize. We have tried to
gather as much information as we can about security issues and service level agreements, and,
through qualitative interviews with experts, to get a more professional view of the problem. The
purpose of our research is to contribute more to the understanding of what to think about and
take into consideration when it comes to Cloud Computing, and not to generalize our findings to
any particular setting.
This research was conducted because the new phenomenon called Cloud Computing is
assumed to become a future solution to modern information technology (IT) problems. Due to
this assumption about Cloud Computing, we decided to investigate the associated security risks.
Our perspective on Cloud Computing is that it consists of old technology, rather than being
something brand new. The research focused on risk assessment on three different kinds of SPI:
• Software as a Service
• Platform as a Service
• Infrastructure as a Service
The risk assessment will also look into Service Level Agreements (SLA) from major Cloud
Computing companies:
• Google
• Microsoft
• Amazon
During the research a critical review of the researched subject was performed from a client
perspective and its associated risks. One of our strong opinions is that Cloud Computing
consists of old technology products and services offered to clients in a new way. Because of
this opinion, we felt it wise to use an exploratory approach to gather the empirical information
we need for this thesis. Exploratory approach is about investigating previously studied material
i.e. secondary data, to explain a new phenomenon or bring an understanding to a specific topic.
The exploratory approach enables us to focus on finding new insights and understanding this
phenomenon called Cloud Computing. As opposed to a descriptive study, which we find
inadequate because of a too narrow focus and because it is seen as a forerunner to exploratory
research, and an explanatory study, which focuses too much on quantitative data, we think a
qualitative focus can give us deeper knowledge and therefore be more appropriate for us. The
methods we are going to focus on in this thesis are:
• Secondary literature study
• Interviewing experts in the field
In the following paragraphs we will cover secondary and primary data that we will use to draw
conclusions from regarding Cloud Computing security risks and SLAs from a client perspective.
The sources for information we will use are:
• Cloud Computing vendors' SLAs
We will look into the major vendors in the field of Cloud Computing, which in our opinion are
Google, Microsoft and Amazon. When we review their SLAs we will focus on issues dealing with
security. Since we are focusing on security we will also look at their security policies to see if they
are coherent in their overall security policy towards a client.
• Searching literature regarding Cloud Computing
By focusing on Cloud Computing as being derived from old technology, we have decided to
focus on literature, articles and other publications that share our opinion. We have also spent
time reviewing literature that contradicts our old technology perspective but after extensive
reading we have concluded that such articles are not of importance to us. Literature sources that
we have reviewed are:
  ◦ Magazines
  ◦ Books
  ◦ Articles and publications
  ◦ Blogs

• Interviewing experts in the field
We will focus on interviewing people with knowledge and experience in the field of IT. The
interviews were semi-structured to create discussions instead of direct questions with a yes or no
response, since we consider qualitative information to be more valuable to our research than
quantitative. The criteria by which we decide who is appropriate to use as a source of knowledge are:
  ◦ Working with IT on a management level
  ◦ Are currently supplying and/or buying IT services
  ◦ Are involved with Cloud Computing and/or related technology
    (ex: Software as a service, Platform as a service and/or infrastructure as a service)



5.2 Credibility
In Saunders et al. (2007) it is argued that having a good research design is very important if the
research shall live up to a good credibility. You can never know if your results are completely
correct, but aiming for good reliability and validity will increase the chances that the
findings will be credible.
5.2.1 Reliability
In Saunders et al. (2007), reliability refers to "the extent to which your data collection techniques or
analysis procedures will yield consistent findings". So reliability is concerned with
• if the same results would be reached if the research was done at another time,
• if the observations would be accomplished in the same way if others would do it,
• and if the conclusions made from the results are transparent.
To make the data in this thesis reliable, it will be collected from several different reliable sources,
such as established agencies and institutes, and then compared against results from
interviews conducted with experts in the field.
5.2.2 Validity
Validity is in Saunders et al. (2007) concerned with "whether the findings are really about what they
appear to be about". The validity of the data in this thesis relies on recently published material
within the area of Cloud Computing and on gathering information from experts in the field.
Since we are focusing on researching security risks for clients using Cloud Computing, we have
concluded that there will be factors that can make our gathered data biased, unclear or
misleading. The factors that we have discovered are:
Secondary literature: Since we are focusing on reviewing secondary literature about the
different kinds of SPIs, there is a chance that we could miss new information, but it is our
opinion that the secondary literature we have reviewed is sufficient for our research.
Experts in the field: Besides secondary literature we will also interview experts in the field who
fit the requirements we have stated earlier. The danger of interviews is biased opinions.
Interviewing vendors of Cloud Computing could provide an optimistic version of Cloud
Computing, whereas an expert that is a client of Cloud Computing could project a skewed image
of Cloud Computing. This creates a problem in how to evaluate the information that we have
acquired in a neutral way. To further increase the validity of our findings we will send the
summaries we made from the interviews to the interviewees to get a confirmation that the
information we got out of the interviews is valid.



5.3 Interview questions
The questions that we have decided to use for our semi-structured interviews are a combination
of questions that cover topics that are directly related to our research questions. The questions
can also give us new insights into what the research questions could mean and/or how we should
analyze them to make an appropriate contribution. Overall, the questions can be divided into
groups where some focus directly on our research questions and where others are included
to create a discussion around a specific topic to indirectly give us new information to use when we
answer our research questions.
The questions in the interviews also helped us to expand our perspective on Cloud Computing as
we have added questions to the first list we made, and thus we had to get back to some of the
people we interviewed to get some more answers.
Finally, the questions that we have chosen have helped us to compare that information with the
information we have gathered from secondary sources. This has helped us to do a thorough
analysis and discover new areas that could be studied in the future. The interview questions can
be found in Appendix 1.
5.4 Analysis Method
The method we used in the analysis was comparing the concepts that we present in our
theoretical framework with the results in the empirical findings. The combination of the
secondary data and the primary raw data is analyzed by comparing them and putting them in the
context of our research questions. For the analysis we also used Table 3.4, constructed from
secondary data.



6 Empirical Findings
From the interviews we have summarized the most relevant parts that we are going to use for our
analysis. In this section we will present our results regarding security risks and SLA, which we will
also use in the analysis part.
6.1 IT-Consultant Interview Summary
Quite early in the interview the issue with risk assessment becomes apparent. Security,
terminology, and the possibility to integrate with other systems when using the Cloud are his top
three concerns. Regarding security risks he raises the issue of not having control when it comes
to maintenance and troubleshooting, and communication if something goes wrong (customer
service). He talks about trust being essential when you consider accountability, and that you
should aim for a long-term relationship. However, where the IT-Consultant works they do not
review the SLA, and the argument is that they cannot really affect it anyway because it is a
standard agreement which they use for their customers as well.
For the SLA, he states that availability, processes and routines for security (e.g. how data is
encrypted) are very important to include. He says that it is important to state what
security really means because of the naivety regarding security among companies. If companies
manage to apply good understanding to that issue, they add value to their service for the
customer. Also, the worst case scenario should be covered in the SLA, together with how you can
exit the Cloud.
He also mentions that there are benefits with the Cloud, such as getting rid of the security
risk of running around with a USB flash memory which could be dropped or stolen. He says
that Cloud providers will probably become experts in the security area. From the interview we
drew out three security risks:
• Hacker syndicates that are working solely with stealing information
• To not have control
• Quality of service





6.2 Senior Business Consultant Interview Summary
During the interview it became apparent that the characteristics that the senior business
consultant had found with Cloud Computing were flexibility, scalability and accessibility. These
characteristics were also seen when we discussed areas of Cloud Computing that the company
could be interested in or what the benefits with Cloud Computing were perceived to be. When the
subject touched upon what processes the person could consider moving to the Cloud, the
conclusion was that the Cloud enables multiple possibilities. The consultant perceived the Cloud
to be too unsafe to use for more than basic processes to save money, and this was to be placed in a
private Cloud. As for the SLA part, it was considered very important and multiple hours were
spent on getting it right, as the company could not think of acceptable loss to be part of the
evaluation of the provider. As for accountability, the suggestion was to create an understanding
of how providers can work together with the customer, maybe through an SLA. The security
issues that the senior business consultant mentioned were:
• Multi-tenancy
• Stability of Supplier
• Long term focus
6.3 CEO Interview Summary
The top concerns with Cloud according to the CEO were trust and accessibility. As he
travels frequently, he needs to have the information stored locally on his laptop to be able to have
access to it whenever he wants. But as the connectivity gets better and better, the need for storing
it locally becomes less important. The CEO views physical security issues (e.g. laptop, cell
phones, USB memories) as more important than the actual security issues with Cloud Computing.
He brings up the security issues with the physical vulnerability of laptops and cell phones. He
says that companies that are considering moving into the Cloud need to evaluate where it is
more secure to store their information. To be proactive he says that you have to educate your
employees when it comes to security, for example that they should think about not using weak
passwords. The three aspects you have to think about when it comes to security risks are:
• Trust
• Intellectual Property
• Legislation
6.4 Computer Consultant Interview Summary
The possibilities of integration with the Cloud were something that the computer consultant
emphasized, together with the importance of accessibility. Regarding accountability he says that
it is impossible to solve at the moment, so trusting the Cloud provider is the only option. For
this interview some questions were left out because he did not feel that he could answer them,
for example whether their company was currently looking for any Cloud solutions. After asking our
questions we had a general discussion about security regarding the Cloud. From the discussion,
the issue of what laws exist for the protection of data when it is stored in different geographic
locations was raised. Also, how can you be sure that the Cloud provider is logging everything,
and if they do, that you get notified about everything bad that happens? From the interview we
have drawn out three security risks that we are going to use for the analysis:
• Data protection and laws
• Backups
• Log files


6.4.1 CIO I Interview Summary
It became apparent quite early that the CIO considered Cloud Computing to be interesting as a
tool for becoming efficient and as a cost saver. The CIO did not like the idea of moving
core processes to the Cloud as they were too valuable and sensitive for the company. The processes
that the CIO thought were OK to move to the Cloud were the basic office processes, e.g. email.
The CIO's first impression of Cloud Computing was that it seemed suitable for mainstream
processes and cost savings; if someone else did it for them, it meant they would need a smaller
IT department.
The reason for considering Cloud Computing for mainstream processes was the concerns with
security, uptime and backup. As for SLA issues, the CIO deemed it very important to control and
review each of them and integrate them into the IT department's everyday business. As their
systems and business could not suffer from downtime or lose data, they could not evaluate a
provider from a loss perspective. If a provider could not supply what they needed, they moved on.
In the context of trust, the CIO used personal networks and references before doing a systematic
review of the company to see if the particular provider met the requirements before signing an
agreement. The top three security risks the CIO mentioned were:
• Other companies can access our information
• Uptime - dependent on the provider
• Backup
6.4.2 CIO II Interview Summary
The interviewee first stated that the term Cloud Computing was a 'Cloudy' term in itself and was
a hyped-up market term. The big risks that were stated during the interview were the actual
integration of the different Clouds and the individual business units, the intellectual property
and finally security. Other concerns with Cloud Computing were stealing of information, SLAs and
whether the vendor would notify the company if something happened to the service that the
organization was paying for.
The respondent's organization actually reviewed the SLA very extensively and sent out the parts
of the SLA to employed lawyers and the IT departments for review to ensure that the document
met the requirements of the organization. The interviewee also stated that trust is very important.
They stated that they evaluate different vendors that fit their requirements and that it was very
important to have face-to-face meetings to build a relationship between the organizations.
• Multi-tenancy
• Intellectual property
• Communication with provider



6.5 Security Risks
In this paragraph we will present the security risks we have found during our research. The
security risks are from ENISA, CSA, NIST and interviews with experts. In this list we have
compiled the security related risks from the overall risk lists we have reviewed. Some of the risks
we have found are similar, just written in different words, which is why some of them have been
given a tag to identify their specific kind of risk e.g. Malevolence or Interface. In this list we also
state where the risks have been identified. The main reason for this list is to help us in the
analysis when we are answering our first research question and to contribute to the field of study
by listing security risks specifically instead of general risks:
• What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud
  Computing?
6.5.1 Security Risk List
• Abuse and Nefarious Use of Cloud Computing (CSA/Experts)
• Interface
  ◦ Insecure Interfaces and APIs (CSA)
  ◦ Management Interface Compromise (ENISA)
• Malevolence
  ◦ Malicious Insiders (CSA/ENISA/Experts)
  ◦ Attraction to hackers (NIST)
• Isolation Failure
  ◦ Isolation Failure (ENISA)
  ◦ Shared Technology (CSA)
  ◦ Dependency on secure hypervisors (NIST/Experts)
  ◦ Multi-tenancy (NIST/Experts)
• Encryption needs for Cloud Computing (NIST)
• Data Loss or Leakage (CSA/Experts)
• Account or Service Hijacking (CSA)
• Unknown Risks Profile (CSA/Experts)
• Insecure or incomplete data deletion (ENISA/Experts)



6.6 SLA summaries
6.6.1 Amazon
Amazon's Cloud system is called EC2 and it provides resizable capacity in the Cloud. According to
Amazon, EC2 includes:
• Interfaces to configure firewall settings
• Selectable IP range that will connect to the existing infrastructure using encrypted IPSec
  VPN
Their service comment states that they are not responsible for any factor outside of their control.
Our reading of the SLA is that Amazon is not liable for anything that happens as soon as the
customer accesses the Cloud or decides to put an application on there. EC2 has a clause that
removes their accountability for anything that happens in the Cloud if it is caused by you or
any third party, or by equipment that is not theirs.
If EC2 is not up for the stated uptime, which is 99.95%, it is up to the customer to monitor this
and report it to Amazon. If Amazon does find itself at fault they will issue a credit back to the
customer, but it is up to the customer to monitor the uptime for the whole year.
6.6.2 Microsoft
Microsoft's first step towards the Cloud Computing market comes in the shape of Microsoft
Azure, which is a platform with Azure as the OS operating in the platform environment. On this
platform, which Microsoft runs through their datacenters, the customers should be able to have
applications and tools for building applications.
In the SLAs that cover Microsoft's different Azure services (Microsoft 2010) they specify what
they are providing and what will happen if they do not provide it, how they calculate the bill and
in what situations they are not responsible. In essence Microsoft puts a lot of responsibility on
the customer, which means a lot of the possible errors that could occur are in the hands of the
customer.
If the service does not follow the uptime directives, Microsoft follows a credit system which
governs how much the customer should pay even if the service percentage is not met. The
different Cloud services that Microsoft offers are not connected when billing is calculated or
service credits are given.



6.6.3 Google Apps
Google Apps is Google's SaaS solution and it includes various web applications such as Gmail
and Docs. Google Docs is a set of web based word processing, presentation, spreadsheet and form
applications. Google Apps comes in different editions, where the Standard Edition is free to use
and has a limited amount of storage, while the Premium Edition offers more storage for a fee.
There is also an Educational Edition which is also free and combines functions from the Premium
and Standard Edition.
Google promises an uptime of 99.9 %, but if that uptime is not met, the customer receives
credits in the form of free days for using the service. For example, if the uptime goes down to
less than 99 % but still more than 95 %, seven days of service are added to the end of the service
term at no charge. However, the customer has to notify Google about the downtime within thirty
days, or else the customer will not receive any service credits. The service credits added cannot
exceed fifteen days per month and they cannot be converted to monetary amounts.
Google disclaims responsibility for performance issues that are caused by factors that are outside
of Google's reasonable control, or that are caused by the customer's or third party equipment.
In the SLA, Google states that they have scheduled downtime where the service will go down for
a period of time. The customer will be notified about it five days prior to the downtime, and that
scheduled downtime will not exceed twelve hours per calendar year. Scheduled downtime is
furthermore not considered as regular downtime periods and will not affect the uptime
percentage. (Google, 2010)
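Both the Amazon and the Google Apps summaries leave uptime monitoring and claim filing to the customer. The sketch below is an added example, not code from either provider or from the thesis: it computes uptime from a customer's own outage records and applies only the figures quoted above. The record format, the calendar-month measurement period and counting the thirty-day window from the end of that period are assumptions.

```python
"""Customer-side SLA uptime check (added example, not provider code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Figures quoted in the SLA summaries above.
PROMISED_UPTIME = {"amazon_ec2": 99.95, "google_apps": 99.9}
GOOGLE_CREDIT_DAYS = 7                       # uptime below 99 % but above 95 %
GOOGLE_MAX_CREDIT_DAYS = 15                  # cap on credited days
GOOGLE_CLAIM_WINDOW = timedelta(days=30)     # customer must notify within 30 days
GOOGLE_SCHEDULED_CAP = timedelta(hours=12)   # scheduled downtime per calendar year


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    scheduled: bool = False  # announced maintenance window


def merged_downtime(outages, period_start, period_end):
    """Unscheduled downtime inside the period, overlapping reports merged."""
    spans = sorted(
        (max(o.start, period_start), min(o.end, period_end))
        for o in outages
        if not o.scheduled
    )
    total = timedelta(0)
    cur_start = cur_end = None
    for start, end in spans:
        if start >= end:          # outage lies outside the period
            continue
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:                     # overlaps the current span: extend it
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def uptime_percent(outages, period_start, period_end):
    """Scheduled downtime is ignored, as the Google Apps SLA summary states."""
    down = merged_downtime(outages, period_start, period_end)
    return 100.0 * (1 - down / (period_end - period_start))


def scheduled_within_cap(outages, year):
    """True if scheduled downtime in `year` stays within twelve hours."""
    total = sum(
        (o.end - o.start for o in outages if o.scheduled and o.start.year == year),
        timedelta(0),
    )
    return total <= GOOGLE_SCHEDULED_CAP


def assess(provider, outages, period_start, period_end, today):
    """Decide whether the customer has a claim and whether it is still open."""
    pct = uptime_percent(outages, period_start, period_end)
    breach = pct < PROMISED_UPTIME[provider]
    credit_days = None  # only the 95-99 % Google Apps tier is given on the page
    if provider == "google_apps" and 95.0 < pct < 99.0:
        credit_days = min(GOOGLE_CREDIT_DAYS, GOOGLE_MAX_CREDIT_DAYS)
    # Assumption: the thirty-day window is counted from the end of the period.
    deadline = period_end + GOOGLE_CLAIM_WINDOW if provider == "google_apps" else None
    return {
        "uptime_percent": round(pct, 4),
        "breach": breach,
        "credit_days": credit_days,
        "claim_deadline": deadline,
        "claim_open": breach and (deadline is None or today <= deadline),
    }


# Constructed sample: outage records a customer's own monitoring might collect.
APRIL_START, APRIL_END = datetime(2010, 4, 1), datetime(2010, 5, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2010, 4, 3, 2), datetime(2010, 4, 3, 8)),
    Outage(datetime(2010, 4, 3, 7), datetime(2010, 4, 3, 10)),   # second probe, overlaps
    Outage(datetime(2010, 4, 15, 0), datetime(2010, 4, 15, 3), scheduled=True),
    Outage(datetime(2010, 4, 30, 22), datetime(2010, 5, 1, 4)),  # runs past month end
]

if __name__ == "__main__":
    for name in PROMISED_UPTIME:
        print(name, assess(name, SAMPLE_OUTAGES, APRIL_START, APRIL_END,
                           datetime(2010, 5, 20)))
```

With the constructed records, ten hours of unscheduled downtime in a thirty-day month falls in the tier the Google Apps summary describes, and a claim checked after the thirty-day window is reported as closed.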
6.6.3.1 Google App Engine
Google App Engine is Google's contribution to the Cloud environment in the platform as a
service market. It provides the possibility to create, store and run applications on Google's
servers using development languages such as Java and Python. As it should be with a Cloud
service, you only pay for what you use and there are no installation costs and no other recurring
fees. You are billed by consumption regarding storage and bandwidth (measured by gigabyte). If you
have a specific budget you have to follow, you can control the maximum amount of usage by setting
a limit. However, Google App Engine lacks a service level agreement. The only thing you can find
online is terms of service. In other words, Google has not stated a certain uptime percentage so
you are not guaranteed payback if the service goes down (Jackson, 2009).




6.7 Security Risks
Table 6.1 presents the security risks that we have found from NIST, CSA, or ENISA. Most of
the risks that we found come from CSA, but NIST and ENISA also state similar security risks
and we have added them to the chart. The Security Risks column describes the risks and also
which organization we found them from. The Impact column describes how the risk can affect the
organization. The SPI Models column reveals what domain it affects. As you can see, most of the
risks actually concern all the domains but there are a few that only affect one or two SPIs. The
Countermeasures column describes some steps that the organization can take to help minimize the
security risks. The countermeasures that are stated are directly gathered from CSA, NIST, and
ENISA. It is also important to state that there are plenty of countermeasures that can actually be
implemented by having certain clauses in the SLA, such as demanding that providers wipe persistent
media before it is released and conduct vulnerability scans. We have grouped together certain
security risks due to the fact that they are very similar. The definitions of the different security
risks in the isolation group are below:
• Shared technologies: Hypervisors having flaws that allow guest operating systems to gain
  inappropriate levels of control or influence on the underlying infrastructure (CSA)
• Isolation Failure: Failure of mechanisms separating storage, memory, routing, and even
  reputations between different tenants (ENISA)
• Dependence on Secure Hypervisor: An organization's dependence on a reliable and
  secure hypervisor (NIST)
• Multi-tenancy: Multiple organizations have access to the infrastructure, and with it the
  ability of the different organizations to view others' data or control the infrastructure
  (NIST)






| Security Risks | Impact | SPI Models | Countermeasures |
|---|---|---|---|
| Abuse and Nefarious use of Cloud Computing (CSA/Experts) | Weak registration systems allow anonymity and providers' fraud detection capabilities are limited, so criminals can use this to expand their reach and improve their effectiveness. | IaaS, PaaS | Stricter initial registration and validation process; Enhanced credit card fraud monitoring and coordination; Extensive monitoring of customer network traffic; Monitoring public blacklists for one's own network |
| Insecure Interfaces (CSA); Management Interface Compromise (ENISA) | Depending on a weak set of interfaces and applications exposes the organization to multiple sets of security risks related to Confidentiality, Integrity, and Availability. | IaaS, PaaS, SaaS | Analyze the security model of the provider; Ensure strong authentication and access controls are implemented along with encrypted transmissions; Understand the dependency chain associated with the API |
| Malicious Insiders (CSA/ENISA/Experts); Attraction to Hackers (NIST) | The impact malicious insiders can have on an organization is related directly to their level in the organization and their ability to infiltrate. The human element is a vital issue when employing services in the Cloud, so it is of vital importance that the customer understands what the provider is going to do to detect and defend against malicious insiders. | IaaS, PaaS, SaaS | Enforce strict supply chain management and conduct a comprehensive supplier assessment; Require transparency into overall information security and management practices; Determine security breach notification processes |
| Isolation Failure Group: Shared Technology Issues (CSA); Isolation Failure (ENISA); Dependence on secure hypervisor (NIST/Experts); Multi-tenancy (NIST/Experts) | Hackers will attempt to gain access to shared elements (e.g. disk partitions, CPU caches and GPUs) because they were never designed for strong compartmentalization. | IaaS | Implement security best practices for installation and configuration; Monitor environment for unauthorized changes/activity; Strong authentication and access control for administrative access and operations; Enforce SLAs for patches and vulnerability; Conduct vulnerability scanning and configuration audits |
| Data Loss or Leakage (CSA/Experts) | Data that is lost or leaked can have different impacts on the organization. The data could contain competitive or financial information that is vital to maintain a competitive edge, or its loss can lead to compliance violations and legal ramifications. | IaaS, PaaS, SaaS | Strong API access control; Encrypt data in transit; Analyze data protection at both design and run time; Strong key generation, storage and management, and destruction practices; Demand providers wipe persistent media before it is released; Demand providers' backup and retention strategies |
| Account or Service Hijacking (CSA) | Hackers that have stolen credentials can access critical areas of a deployed Cloud, which will endanger the organization. Account or Service Hijacking remains a top threat to Cloud Computing. | IaaS, PaaS, SaaS | Prohibit the sharing of account credentials between users and services; Use strong two-factor authentication techniques; Employ proactive monitoring to detect unauthorized activity; Understand the provider's security policies and SLAs |
| Unknown Risks Profile (CSA) | Customers often leave certain areas overlooked (e.g. what information the provider will disclose in the event of a security incident, how the data or related logs are stored, or even internal security) when deciding to invest in the Cloud. | IaaS, PaaS, SaaS | Disclosure of applicable logs and data; Partial/full disclosure of infrastructure details; Monitoring and alerting on necessary information |
| Insecure or Incomplete Data Deletion (ENISA/Experts) | Information that is not completely deleted could still reside in insecure locations. It may be impossible to fully delete information since full data deletion is only possible by destroying the hard drive, which might be shared by multiple organizations. | IaaS, PaaS, SaaS | Ensure that the provider has effective encryption |

Table 6.1 Security Risks


7 Analysis
In this paragraph we will present data obtained through semi-structured interviews conducted
with what we deem to be experts in the field. This data will be compared and analyzed together
with concepts and models from our theoretical framework to evaluate the security risks we have
found in the secondary literature study together with the new information from our primary
interview study.
7.1 Major security risks within Cloud Computing
From our empirical study we have found different risks with Cloud Computing, and from them
we have selected those risks that are considered to be security risks.
Table 6.2 describes what the different interviewees said and how their organizations view the
concept of Cloud Computing. The column Top Three Concerns displays the concerns that
organizations have with Cloud Computing, and it is important to note that most of the
interviewees said that security was one of the top three concerns dealing with Cloud Computing.
The top three security risks allowed us to see what each organization saw as a security risk
dealing with Cloud Computing and vital for their business. We had different types of
responses when we asked if the organization reviewed SLAs, and if they did, what part that
organization focused on. We view the most surprising point to be the fact that the CEO's
organization never reviewed the SLA and expected things to work. The CEO stated that if a certain
vendor had a horrible SLA, that vendor would have no business and be bankrupt. The Senior
Business Consultant's organization actually wrote their own SLAs and reviewed the vendor's
SLA closely to ensure that the SLA covered the areas that they thought were important. The
column of trust was to see how the company gained trust in a specific vendor and what they did
to see if that vendor was right for their company. No organization actually systematically
evaluated trust from the start. Instead reputation was often used, which could have influenced
what company they decided to systematically review.
The next column is the Security Risks that are evaluated directly from the interview. As we
reviewed the interviews we clearly related them to risks that were stated by CSA, ENISA, or
NIST. The senior business consultant directly stated multi-tenancy to be a security threat.
Also, CIO I stated who can access our data as a security risk, which is related to
the hypervisor being able to keep the data separate for each organization. Five out of six of the
companies viewed the Isolation Failure group as the most important security risk.




| Interview | Top Three Concerns | Risk | Review SLAs | Trust | Security Risks |
|---|---|---|---|---|---|
| IT Consultant | Security; Uptime; Multi-tenancy | Loss of Governance; Communication; Maintenance | Not extensively | References; Thorough review of the company | Insecure or Incomplete Data Deletion; Isolation Failure* (ENISA, CSA, NIST) |
| Senior Business Consultant | Security; Flexible; SLA | Security; Flexible; SLA | Yes and they write their own | Reference; Company history | Data Loss or Leakage (CSA); Isolation Failure* (ENISA, CSA, NIST) |
| CIO | Security; Backup; Uptime | Other companies accessing data; Uptime; Backup | Distribute SLAs to employees for a better understanding | Friends in similar field of work; Company history | Isolation Failure* (ENISA, CSA, NIST) |
| Computer Consultant | Security; Connectivity; Integration between service | Data protection and laws; Backups; Log files | N/A | Review Companies history; References | Data Loss or Leakage (CSA); Isolation Failure* (ENISA, CSA, NIST); Unknown Risks Profile (CSA); Malicious Insiders (CSA, ENISA) |
| CEO | Trust; Accessibility | Trust; Intellectual Property; Legislation | No and they just expect things to work | Best practices; References; Reputation | Abuse and Nefarious use of Cloud Computing (CSA) |
| CIO | Interruptions of service control; Stealing information; SLAs | Integration between different Clouds and business units; Intellectual property of data; Security | Yes extensively, and they send parts to lawyers and IT department to compare to our requirements | References; Size; History; Reputation; Performance | Isolation Failure* (ENISA, CSA, NIST) |

*Isolation Failure describes a group of security risks that include Shared Technology Issues (CSA), Isolation Failure
(ENISA), Dependence on secure hypervisor (NIST), Multi-tenancy (NIST)

Table 6.2 Interview Security Risk Analysis



The ranking of all security risks that we have gathered from the interviews is below.

| Security Risks from Interviews | Ranks |
|---|---|
| Isolation Failures | 5 |
| Data Loss or leakage | 2 |
| Insecure or Incomplete Data Deletion | 1 |
| Unknown Risks Profile | 1 |
| Malicious Insiders | 1 |
| Abuse and Nefarious use of Cloud Computing | 1 |

Table 6.3 Security Risks from Interviews

From the interviews that we conducted we have found that the Isolation Failure Group (Shared
Technology Issues, Isolation Failure, Dependence on Secure Hypervisor, Multi-tenancy) is the
highest ranked security threat to organizations. The Isolation Failure group only affects the IaaS
domain and we consider that domain to be the most vulnerable or insecure at the moment. There are
countermeasures for this specific security risk and they should be clearly stated in the SLA.
7.1.1 Clients' expectation of SLAs regarding security
As we have stated earlier in the thesis, most of the big vendors of Cloud Computing have stated
that they are not responsible for any event that happens in the Cloud that is not under their
control. This is very disturbing due to the fact that most companies are searching for some type
of Cloud solution.
There are countermeasures that can reduce the security risks listed above, and these risks can be
addressed by having proper SLAs agreed by both vendor and customer. The SLA is vital for an
agreement between multiple organizations, but it is critical to review what is actually in the
document due to the fact that your business' information will be relying on another company being
secure and reliable. More than half of the interviewees indicated that dependence on a secure
hypervisor was an important security issue, which is very interesting. Multi-tenancy could be
directly related to dependence on a secure hypervisor because the hypervisor is the program that
separates the data and ensures that the different organizations' data remains separated.
If a vendor's SLA incorporated certain countermeasures so that the Isolation Failure
group of security risks is covered in the SLA, it would improve the trust that the client would
gain from the vendor. Vendors having a clause in the SLA to improve the accountability for
events in the Cloud might gain more customers, because the clients could feel more confident
and move more business processes to the Cloud.
According to ENISA, a countermeasure to most of the Isolation Failure group is a vulnerability
scanning and configuration risk. The vendor would increase trust values by allowing the client to
conduct a vulnerability scan a couple of times a year at an undefined time. Another countermeasure
that could be stated is that patches and vulnerability will be enforced and clearly stated in the
SLA.


The next highest ranked security risk that interviewees have stated is Data Loss or Leakage. Data
Loss could result in the loss of competitive edge or even legal ramifications due to the sensitivity
of the data. The countermeasure for Data Loss that should be mentioned in the SLA is that
providers will wipe persistent media before it is released back into the pool. Another
countermeasure is to demand to see what the provider's backup and retention strategies are. The
client would be able to see what happens to the data by reviewing the provider's retention
and backup strategies, and would be able to see if the vendor's strategies match the client's
organization.
If the vendor were to add these clauses to their SLAs, the clients might be more willing to
move to the Cloud and feel that their data is actually protected.




7.2 Trust related Security Risks in Cloud Computing
In this paragraph we will focus on the concept of trust and trust within the context of Cloud
Computing together with associated security risks. We will present information from our
interviews and show how the interviewees view trust and Cloud Computing and then analyze if
their trust analysis is conducted mentally or mathematically. In the end we will link our train of
thought to the second research question:
• What possible trust issues are associated with security risks in Cloud Computing and
  SLA?
7.2.1 Is trust important?
In our interview with the IT Consultant he stated this in the context of accountability:
"Trust is essential. If you are going to use a provider you should aim for a long-term relationship. Both parts have
to go all the way. The dependency that you get with a provider, if you are not happy, how do you do then? You may
switch provider, but the one you got can make it a hard time for you. They could oppose you. How do you know
that get out all the data? And in what format? Can you import the information to other systems?"
This clearly shows how important trust is in the business agreement and when we talked with the
CIO about the subject of security issues with moving to a Cloud we got the response:
"Our biggest security issue would be the loss of control and who can access information that could be deemed as
sensitive to our company and our clients."
This view was further backed up by the choice of Cloud deployment model:
"If we would move to a Cloud solution it would be to a private Cloud so that we can control the SLA more and
the access of the information."
A CEO from a company we interviewed also stated that
"Trust is one of the most important things for me"
Lastly we want to mention the opinion of a Computer Consultant regarding our questions of
being proactive and reactive to solve security risks.
"Trust is of key importance, by having trust I can be reactive, if I don't, I have to be proactive. If I have no
knowledge about what the provider does with the data and physical equipment, can I be proactive?"
These statements prove to some extent that we were correct when we concluded that trust was
of key importance in the context of Cloud Computing security risks. Since we have not covered
the whole population of our targeted group, we cannot generalize beyond patterns, but we are
quite certain that the people we have interviewed are not the only ones to agree with us, since so
far our responses have proven to be 100% positive that trust is very important. Therefore we
want to say that trust is very important and that our data supports this, but we cannot generalize
this information.



7.3 Security risks associated with trust in Cloud Computing
As stated earlier in the thesis, Cloud Computing is a fuzzy buzzword that creates confusion
about what Cloud Computing really is. This is something we want to disprove by
presenting information about what Cloud Computing really is on a technical level, a service level
and a business model level. This does not, however, mean that the public and the academic world
agree on a single view of Cloud Computing, which is why the security risks we have presented
exist and why some of them are connected to the issue of trust.
If we look at Cialdini's view on influence and why we act as we do in different situations, we
discover that the main reason for automatic responses is lack of knowledge. This triggers his
so-called 'Click and Whirr' action, which basically tells us that Cloud Computing can be an
automatic response to a problem where people with a lack of knowledge agree to trust people with
knowledge to help them solve a specific problem.
If we expand the lack of knowledge theory and look at Cloud Computing, we see security risks
that are directly connected with lack of knowledge, and that many derive from the different
shapes of trust: reputation, reciprocity and confidence. The security risks that we have identified
to be connected to trust from ENISA, CSA, NIST and our interviews with experts are:
• Unknown Risk Profile (CSA/Experts)
• Shared Technology Issues (CSA)
• Compliance Risk (Experts)
• Lock In/Stability of the Provider (ENISA/Experts)
• Loss of Governance (ENISA/Experts)
• Logging Challenges (Experts)
• Data Ownership Issues (Experts)
• Quality of Service Guarantees (Experts)
• Dependence on Secure Hypervisors (NIST/Experts)
• Service Level Agreement/Accountability (Experts)
• Physical Security (Experts)
This list of risks is then divided into categories to show how they are related to security risks
and trust, as well as to explain how to avoid them. These categories are used to highlight three
parts of Cloud Computing that we have discovered to be critical to the business. The categories
are based on our own assumptions on how the security risks derive from each other. The
categories are:
• Quality of Service
• Provider
• Ownership




7.3.1 Quality of Service
When a customer enters into a Cloud Computing solution, agreements are signed, and one of
those is the SLA. The SLA determines the framework of how the service should be delivered and who
is accountable for what and, as we have mentioned, the reason for a customer to sign it is
the degree of confidence the customer has that the provider will deliver the agreed level of
service. The security risks in this category are:
• Logging Challenges (Experts)
• Dependence on Secure Hypervisors (NIST/Experts)
• Shared Technologies Issues (CSA)
• Service Level Agreement/Accountability (Experts)
• Quality of Service Guarantees (Experts)

The security risks in this list are connected to trust because, as we said, if you sign an agreement
you most certainly trust the provider to live up to their side of the bargain. If trust has been
mentally evaluated and created, there is a risk that factors such as title, appearance, reputation
and reciprocity have biased the reason why trust is established and a contract signed.
If trust has not been systematically evaluated, either through a serious review of how the provider
works and provides information about the service, e.g. log information, or systematically as Mui
presents, there is a chance that the biased trust can let you enter into agreements where the
provider provides a service that puts your company in a position where:
• Data is insecure
• You cannot track what is happening to your information
• An insecure hypervisor can create openings into your part of the storage
The SLA may also have been insufficient regarding what it covers. What we have seen
in SLAs from bigger providers is that they push the responsibility onto you, and if a person or
company does not review this properly and only uses trust, that person or company could be in
serious trouble when service related problems appear, since the accountability part was not
reviewed.
7.3.2 Ownership
The security risks in the ownership category are related to the issues of who owns the data,
the control functions around the data, who should be accountable for the service, and leaving a
Cloud Provider.
• Loss of Governance (ENISA/Experts)
• Data Ownership Issues (Experts)
• Lock in/Stability of the Provider (ENISA/Experts)
• Service Level Agreement/Accountability (Experts)
The security risks associated with trusting a provider too much regarding the control mechanism
and the data, e.g. when a company decides it lacks sufficient knowledge to have its own IT
department and decides that it should acquire IaaS to solve this, are very serious and should not
be overlooked. It is also important to understand that complete trust could mean that
assumptions are made that once the customer does not need the service, or does not want to work
with the provider anymore, it is just a matter of pulling the plug on the collaboration.


What we have seen in literature and from interviews is that Cloud Computing is supposed to be
very easy to enter into, but leaving a provider is something else. If trust is put into the wrong
provider this could create serious lock-in related security issues if a company has a hard time
leaving a provider that does not let the customer control their own data, or even let them own
the data after the agreement is signed and data is moved to the Cloud.
7.3.3 Provider
The third and final category we have decided to use to highlight what kind of trust-related
security issues exist in the Cloud Computing environment is Provider. This part deals with how
trust in the wrong place can affect what you get from the provider, how to work with the
provider, how the provider works, and how physical or real-world security issues can damage
your company.
• Unknown Risk Profile (CSA/Experts)
• Compliance Risk (Experts)
• Lock-in/Stability of the Provider (ENISA/Experts)
• Physical Security (Experts)
This final part of the trust-related security risks focuses on the provider and how the
provider's own business works. In Unknown Risk Profile the idea is that it is hard to know what
the provider's processes are for keeping data secure. This goes all the way to employee level,
which means: how do you know if the provider's employees are trustworthy? Of course this
information is hard to obtain, but it should still be an important question in the process of
deciding whether you should use a provider or not. If mental trust is used, there is a risk that
good faith results in bad support and no flexibility in how the provider works, and that someone
who should not have access to your data has access to it because an employee has access to it.
This part of the trust-related security risks also takes the physical security of the company and the
equipment used into consideration. It is very important to review whether the provider is stable or
under economic pressure that could result in less spending on equipment and security for that
equipment. If a provider goes bankrupt, it is also important to have decided what will happen
with information put into the Cloud, meaning: who owns it?
7.4 How to avoid security risks associated with trust?
Avoiding the risk of entering into an agreement where the provider does not live up to what they
say is not as simple as one might think. Genuine and correctly placed trust is very hard to
obtain. Misplaced trust generally comes from lack of knowledge, so the first step is to
obtain information to see if the person is trustworthy. In our interviews we saw that trust was
very important, yet the overall method to evaluate trust was to use opinions from a personal
network, which means that for the most part the evaluation was done mentally. Of course this
was not the only thing the people interviewed did, but from our results the mental process
seemed more important and was only backed up by systematic reviews when a provider was
deemed to be worth the effort.



What was quite interesting to see from our interviews was that there seemed to be two sides
on how to review an SLA. One organization decided to trust standard versions of SLAs and the
IT Consultant said:
"When we buy a service we get it out-of-the-box. We do not really review the SLA. We cannot really affect it. It is
a standard agreement and we use it for our customers as well."
The other organization seemed more concerned with getting precisely what they want in the SLA
and focuses a lot on reviewing the SLA. The CIO said this:
"I carefully review the SLA and make sure that both companies mean the same for complicated words."
Of course this does not mean one side is reckless and one side is wise, because we have to take
their background into consideration and understand that the consultant has probably worked
with a provider for a long time and already done the review, whereas the CIO is seeking a new
provider. What is dangerous, though, is the thinking that just because I have worked with them
before and it turned out well, it will work again. A person who makes that kind of decision is
clearly not using a systematic approach that is supposed to measure whether a person or company
can be trusted. In the discussion with the IT Consultant on what is most important in the SLA
review he said:
"...There is a naivety when it comes to security. What does security really mean? Who does what? If you can define
what is included when it comes to security you add value to what you are selling. And adding value to your
customer is very important."
It is this naivety, based in lack of knowledge, that could be so devastating for a person or a
company that decides to use a Cloud solution. As we have stated in the analysis of the three
categories, the risks occur on different levels of the Cloud solution (Quality of Service, Ownership
and Provider), but they are triggered by the same 'trigger feature', as Cialdini calls it. The
'trigger feature' is lack of knowledge and the 'Click and Whirr' is the signing of the agreement.
This leads us to the conclusion of how to avoid the trust-related security risks and, more
importantly, our research question:
• What possible trust issues are associated with security risks in Cloud Computing and SLA?
The avoidance of the automatic response comes from perseverance in understanding your
surroundings: if you want to work with Cloud Computing you have to understand it and not take
professionals' word for it, but rather ask 'why?'. In other words, knowledge is the key. It is not a
simple solution but a necessary one. The connection to our research questions is quite clear:
clients have to systematically and mentally evaluate a provider before an SLA is signed, or the
provider will control the decision of the service. From our point of view it is a seller's market, and
clients have to understand what they are getting into or the security issues discussed in research
question one could occur. If we were to recommend just one, it would be the systematic approach.
The raw data from the interviews state that while reputation and word of mouth are important for
finding providers, a systematic approach should follow to see if the reputation is deserved or not.





8 Conclusion
In the analysis we discussed the area of major security risks in Cloud Computing and how trust is
connected to those. What we had not expected to find was how big this particular area of study
was and that will further be explored in our discussion of what the next step in this field of study
could be. The questions that we set out to answer were:
• What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud Computing?
  ◦ What should clients expect from Service Providers in the SLA regarding Cloud Computing?
• What possible trust issues are associated with security risks in Cloud Computing and SLA?
  ◦ If so, how can clients avoid security risks associated with trust?
We have found that the isolation failure group that was stated earlier is the biggest risk to
organizations. The isolation failure group relies heavily on the hypervisors being stable and
secure. The Isolation Group domain is primarily related to IaaS, and we view this as the most
insecure area of Cloud Computing for the moment. It is of utmost importance that the client
does a thorough review of the SLA and also demands that some clauses be included. A solid
SLA (e.g. proper data deletion procedures, the vendor will provide upgrades and maintenance)
between the client and provider will decrease the chance of the security risks materializing, but
it is not foolproof.
In the analysis we could conclude that the risks in the categories quality of service, ownership,
and provider are related to trust and that many of them exist because of misplaced trust, which
derives from lack of knowledge. Our sub question was stated to see if we could offer
countermeasures to avoid the security risks we found. Since we did find this connection, we
analyzed how the connection between trust and security risks could be broken.
Our conclusion to that question is simple, as we have said, but very hard to achieve. The solution
is to know about the connection and gain knowledge to avoid using an automatic response, or
the 'Click & Whirr' response, which we also use to discuss what happens. If this knowledge gap is
closed, trust-related security risks can be avoided or reduced to the benefit of the client.
The answers were both unexpected and reasonable, and we hope that we have contributed to the
field of study by answering the questions. In the second research question we focused on the
security risks connected to trust and Cloud Computing, and what we discovered was three groups
to categorize the security risks into:
• Quality of Service
  ◦ Logging Challenges (Experts)
  ◦ Dependence on Secure Hypervisors (NIST/Experts)
  ◦ Shared Technologies Issues (CSA)
  ◦ Service Level Agreement/Accountability (Experts)
  ◦ Quality of Service Guarantees (Experts)
• Ownership
  ◦ Loss of Governance (ENISA/Experts)
  ◦ Data Ownership Issues (Experts)
  ◦ Lock in/Stability of the Provider (ENISA/Experts)
  ◦ Service Level Agreement/Accountability (Experts)
• Provider
  ◦ Unknown Risk Profile (CSA/Experts)
  ◦ Compliance Risk (Experts)
  ◦ Lock-in/Stability of the Provider (ENISA/Experts)
  ◦ Physical Security (Experts)


9 Discussion
As the Cloud Computing term becomes older, more and more 'as a Service' offerings are likely to
come along. An example of this is McAfee, who has made a vulnerability scan available that vendors
can run to better secure their Cloud. If the vendor passes the vulnerability scan, McAfee will
provide them with a certificate to display on their website to say that they are considered secure.
McAfee also provides Security as a Service, which provides overall security that aims to
decrease the amount of spam and email-based threats (McAfee 2004).
During our research we discovered three key concepts regarding Cloud Computing:
• Trust
• Security
• Knowledge
Therefore we would like to present a rather simple model of the connections between those
concepts.










To ensure that Cloud Computing is the proper investment to make for an organization it is
important to understand the different areas of the diagram. The triangle which is the Cloud itself
is surrounded by Trust, Security and Knowledge. It is absolutely important to know that the
Cloud is secure and that the provider will do everything possible to ensure that it will remain
secure. The Knowledge aspect is to know what should be in the SLA, the risks that Cloud
Computing enables, and what solution is applicable to the organization. Both Security
and Knowledge will build upon the trust that the organization gains from the provider and
should build a relationship that benefits both companies.
Both the organization and the provider should be able to develop a flexible but reliable SLA so
that accountability issues of the Cloud can be solved. Providers currently state that they are not
responsible for the events that happen in the Cloud and immediately say that the customer is liable.
Most providers have an uptime of 99.95% stated in their SLA, but the monitoring of that uptime
is left to the client.
Figure 9.1 Cloud Computing Triangle
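The client-side uptime monitoring mentioned above, as an added Python example that is not part of the thesis: it groups failed availability probes into outage windows and compares the measured downtime with the downtime budget implied by a 99.95% SLA. The probe log, the one-minute probe interval and the rule that a single failed probe is ignored are assumptions; a real SLA defines its own measurement method.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA_TARGET = 0.9995                      # the 99.95% uptime figure quoted in the text
PROBE_INTERVAL = timedelta(minutes=1)    # assumption: one availability probe per minute
MIN_CONSECUTIVE_FAILURES = 2             # assumption: a lone failed probe is probe noise


@dataclass
class Outage:
    start: datetime   # first failed probe of the run
    end: datetime     # first successful probe after the run

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def downtime_budget(period: timedelta, target: float = SLA_TARGET) -> timedelta:
    """Downtime the provider may accumulate in `period` without breaching `target`."""
    return period * (1 - target)


def find_outages(probes, min_failures=MIN_CONSECUTIVE_FAILURES):
    """Group consecutive failed probes into outage windows.

    `probes` is a time-ordered list of (timestamp, ok) tuples. Runs shorter than
    `min_failures` are ignored so that a single lost probe on the client's own
    network is not counted against the provider. A run still open when the data
    ends is closed one probe interval after its last failed probe.
    """
    outages, run = [], []
    for ts, ok in probes:
        if not ok:
            run.append(ts)
            continue
        if len(run) >= min_failures:
            outages.append(Outage(run[0], ts))
        run = []
    if len(run) >= min_failures:
        outages.append(Outage(run[0], run[-1] + PROBE_INTERVAL))
    return outages


def sla_report(probes, period: timedelta, target: float = SLA_TARGET):
    """Compare measured availability over `period` with the SLA target."""
    outages = find_outages(probes)
    downtime = sum((o.duration for o in outages), timedelta())
    measured = 1 - downtime / period
    return {
        "outages": outages,              # evidence to attach to an SLA claim
        "downtime": downtime,
        "budget": downtime_budget(period, target),
        "availability": measured,
        "breached": measured < target,
    }


def build_sample_probes():
    """Constructed probe log for a 30-day period; not real provider data."""
    start = datetime(2010, 6, 1)
    failing = set()
    for begin, minutes in ((datetime(2010, 6, 10, 3, 0), 15),    # 15-minute outage
                           (datetime(2010, 6, 22, 14, 30), 9),   # 9-minute outage
                           (datetime(2010, 6, 5, 12, 0), 1)):    # lone failure, ignored
        failing.update(begin + i * PROBE_INTERVAL for i in range(minutes))
    total = int(timedelta(days=30) / PROBE_INTERVAL)
    stamps = (start + i * PROBE_INTERVAL for i in range(total))
    return [(ts, ts not in failing) for ts in stamps]


if __name__ == "__main__":
    report = sla_report(build_sample_probes(), timedelta(days=30))
    for o in report["outages"]:
        print(f"outage {o.start:%Y-%m-%d %H:%M} -> {o.end:%H:%M} ({o.duration})")
    print(f"downtime {report['downtime']} of budget {report['budget']}")
    print(f"availability {report['availability']:.5%}, breached: {report['breached']}")
```

Probes run from the client's side measure reachability from one vantage point, so the outage windows are evidence to bring to the provider rather than the SLA's own definition of downtime.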


9.1 Critique of method
While doing this research, Cloud Computing has evolved due to being such a new concept. With
this in mind, Cloud Computing could change very quickly, which would make our research
obsolete. Due to the evolution of Cloud Computing, the main security risks could change,
making the ones that were brought to light in this research less important while new security risks
arise. If the research had focused more on conceptualizing the concepts of trust, security
and knowledge, it could have resulted in more sustainable research by providing an abstracted
view of Cloud Computing.
9.2 Future research proposals
Looking at our model presented in the discussion paragraph, we estimate that providers in the
future will use these key concepts to differentiate themselves once Cloud Computing has
become more adopted and standardized. Therefore we believe that further research into trust,
knowledge, and security in the context of Cloud Computing is important for speeding up the
process of approval. Areas for future research could be:
• Trust building
• Overall standardization of Cloud Computing
• Security standards for Cloud Computing




10 References
Amazon (2008, October 23). Amazon EC2 Service Level Agreement. Retrieved 2010-04-24, from
http://aws.amazon.com/ec2-sla/
Bouchard A, S. Sankar K.. (2009) Enterprise web 2.0 Fundamentals
Indianapolis: Cisco Press
Businessdictionary.com (N/A) Definition: Application Programming Interface (API).
Retrieved 2010-05-23 , from http://www.businessdictionary.com/definition/application-programming-interface-API.html
Businessdictionary.com (N/A) Definition: Application Service Provider (ASP). Retrieved 2010-05-23,
from http://www.businessdictionary.com/definition/application-service-provider-ASP.html
Businessdictionary.com (N/A) Definition: Denial of Service (DoS). Retrieved 2010-05-23 , from
http://www.businessdictionary.com/definition/denial-of-service-DOS.html
Businessdictionary.com (N/A) Definition: Distributed Systems. Retrieved 2010-05-23 , from
http://www.businessdictionary.com/definition/distributed-systems.html
Businessdictionary.com (N/A) Definition: Flexibility. Retrieved 2010-05-06, from
http://www.businessdictionary.com/definition/flexibility.html
Webopedia.com (2006, December 19) Definition: Hypervisor. Retrieved 2010-05-, from
http://www.webopedia.com/TERM/H/hypervisor.html
Businessdictionary.com (N/A) Definition: Information Security. Retrieved 2010-05-23 , from
http://www.businessdictionary.com/definition/information-security.html
Businessdictionary.com (N/A) Definition: Risk. Retrieved 2010-05-, from
http://www.businessdictionary.com/definition/threat.html
Businessdictionary.com (N/A) Definition: Scalability. Retrieved 2010-05-6 , from
http://www.businessdictionary.com/definition/scalable.html
Businessdictionary.com (N/A) Definition: Threat. Retrieved 2010-05-22 , from
http://www.businessdictionary.com/definition/threat.html
Cialdini, B. R (2007) The Psychology of Persuasion (1st Collins Business Essential ed.).
New York: HarperCollins Publishers
Lew (2009, February 23) Infrastructure as a Service. Retrieved 2010-02-28, from
http://Clouddb.info/2009/02/23/defining-Cloud-computing-part-6-iaas/
Committee on National Security Systems (2010, April 26) National Information Assurance glossary
Retrieved 2010-03-17, from http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
Computerweekly.com (2009, March 17) A history of Cloud Computing. Retrieved 2010-05-14, from
http://www.computerweekly.com/Articles/2009/06/10/235429/A-history-of-Cloud-computing.htm
Computerworld.com (2006, June 12) Top 10 SaaS Traps: Watch Out For Hidden Snags.
Retrieved 2010-03-17, from
http://www.computerworld.com/s/article/111510/Top_10_SaaS_Traps_Watch_Out_For_Hidden_Snags


CSA (2009 December) Security guidance for critical areas of focus in Cloud Computing v2.1
Cloud Security Alliance

CSA (2010 March) Top Threats to Cloud Computing v1.0
Cloud Security Alliance

Dan, A., Keller, A., Ludwig, H., Richard., F., Richard,P. (2003, January 28) Web Service Level
Agreement (WSLA) Language Specification, IBM Corporation
ENISA (2009 November) Cloud Computing: Benefits, Risks and recommendations for Information security
European Network and Information Security Agency

Gartner (2008 June 26) Gartner Says Cloud Computing Will Be As Influential As E-business
Retrieved: 2010-02-18 from
http://www.gartner.com/it/page.jsp?id=707508

GNi (N/A) Infrastructure as a Service Retrieved 2010-03-16, from
http://www.gni.com/services/iaas
GCN (2009, March 03) Revving up Google App Engine Retrieved 2010-03 17, from
http://gcn.com/blogs/tech-blog/2009/03/google-app-engine.aspx
Google (N/A) Google Apps Service Level Agreement Retrieved 2010-03-22, from
http://www.google.com/apps/intl/en/terms/sla.html
IBM (N/A). Web Service Level Agreements (WSLA). Retrieved 2010-04-02, from
http://www.research.ibm.com/wsla/
H. Rådmark (2010-01-26) 5 saker du måste veta om molnplattformar. Retrieved 2010-01-30, from
http://www.idg.se/2.1085/1.288641/5-saker-du-maste-veta-om-molnplattformar
Knoesis Center Wright State University (N/A) Service Level Agreement in Cloud Computing. Retrieved
2010-03-07, from http://knoesis.wright.edu/library/download/OOPSLA_Cloud_wsla_v3.pdf
McAfee (N/A) Retrieved 2010-04-22
from http://www.mcafee.com/us/small/security_insights/security_as_a_service.html

Microsoft (N/A). Service Level Agreements. Retrieved 2010-04-20, from
http://www.microsoft.com/windowsazure/sla/
MSDN (2006, April) Architecture Strategies for Catching the Long Tail. Retrieved: 2010-03-15, from
http://msdn.microsoft.com/en-us/library/aa479069.aspx
MSDN (2006, June) Multi tenancy Data Architecture Retrieved 2010-03-19, from
http://msdn.microsoft.com/en-us/library/aa479086.aspx
Mui, L. & Phil, M. (2002 December 20) Computation Models of Trust and Reputation. Massachusetts
Institute of Technology
NIST (2009-10-7) Effectively and Securely Using the Cloud Computing Paradigm Retrieved: 2010-02-14
from http://csrc.nist.gov/groups/SNS/Cloud-computing/Cloud-computing-v26.ppt.

OpenCrowd.com (N/A) Cloud Computing. Retrieved 2010-04-12,
From http://www.opencrowd.com/views/Cloud.php


Open Crowd (2010, May 13). Cloud Taxonomy. Retrieved 2010-05-14 from
http://www.opencrowd.com/views/Cloud.php
Phoenix (2010, March 18) Confidentiality, Integrity, Availability and what it means for you
Retrieved 2010-03-22, from http://continuitydisasterrecovery.phoenix-blogs.com/confidentiality-integrity-availability-and-what-it-means-for-you/
Salesforce (N/A) Multitenant kernel 2010-03-19, from
http://www.salesforce.com/platform/Cloud-infrastructure/kernel.jsp
Saunders. M, Thornhill. A and Lewis. P, Research Methods for Business Students, 2007 Fourth
Edition, Pearson Education Limited

Service Level Agreement and SLA Guide (N/A). The SLA Guide. Retrieved 2010-04-01, from
http://www.service-level-agreement.net/sla-guide.htm

SLA Information Zone (N/A). The Service Level Agreement. Retrieved 2010-04-01, from
http://www.sla-zone.co.uk
TheFreeDictionary.com (2009) Definition: Security. Retrieved 2010-05-02 , from
http://www.thefreedictionary.com/security
The Linux Information Project (2006, April 29). Vendor lock-in definition. Retrieved 2010-03-17,
from http://www.linfo.org/vendor_lockin.html
Whatis.techtarget.com (2008, December 14) What is Platform as a Service (PaaS)?
Retrieved 2010-03-12, from
http://whatis.techtarget.com/definition/platform-as-a-service--paas-.html
Wikipedia (2010-05-13). Authority. Retrieved 2010-05-15, from
http://en.wikipedia.org/wiki/Authority
Wikipedia.org (2010 May 8) John McCarthy (computer scientist). Retrieved 2010-04-, from
http://en.wikipedia.org/wiki/John_McCarthy_%28computer_scientist%29
Wikipedia (2010-03-13) Trust (Social Sciences) Retrieved 2010-04-10, from
http://en.wikipedia.org/wiki/Trust_%28social_sciences%29







Appendix 1 Interview Questions
1. What is your position in the company?
2. What are your first impressions of Cloud Computing?
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
4. What are your top three concerns with Cloud Computing?
5. What risks do you consider to be in the top three with Cloud Computing?
6. What are the major advantages of Cloud Computing that your company can benefit
from?
7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not?
8. What business process would your company be willing to relocate into the Cloud?
9. What would be the security issue with relocating to the Cloud?
10. Do you review your SLAs properly, and how?
11. What areas of the SLA does your company mainly focus on?
12. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
13. What type of Cloud deployment model would your company be interested in and why (e.g.
public, private, hybrid and communities)?
14. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
15. How can one solve the accountability that arises with Cloud Computing in your opinion?
16. How does your company evaluate trust?
Appendix 2 Interviews with experts
In this section we will present the information we obtained through semi-structured interviews
with various experts in the field. The people we have interviewed will be kept anonymous and
will only be referred to by their professional title e.g. Consultant, Senior management etc.
10.1 IT-Consultant
On the 22nd of April 2010 we interviewed an IT-consultant that works at a consultancy firm. The
interview lasted for 1 ½ hours and was a semi-structured interview, and the interview questions in
section 17.1 were used as a basis.
• What are your first impressions of Cloud Computing?
The first thing that came to my mind was that as a company you are freed from the management
of the servers. That is the big advantage that you can focus more on the core competence in your
company. You let someone else manage the servers, who has got the expertise for it.
Cloud Computing feels like a development of something that has been under way for a long time,
but it is not until now that you go all out with it. Then it comes to this with the risk assessment,
and how does it feel to let someone else take care of everything. Sure it is very good that
someone takes care of it, but what if it is business critical information?
• Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?


This depends from customer to customer. I would say that it is extremely customer specific. If
you work with a system that deals with patient information, as for example a care center does,
and the thought of putting out that information on the Internet and you would lose information.
That is not in any way acceptable.
On the other hand if you work with adverts, as for example on blocket.se, the loss of information
is not that critical. So it is totally dependent on what type of business you are conducting. If you
are a bank and lose a transaction, that just cannot happen. They have a problem with that today,
and it is their main security concern. They have to deal with redundant data and to log
everything. To some information is critical, to some it is not.
• Is your company currently looking for different solutions in Cloud Computing?
We have been discussing that a little bit when it comes to invoice handling. We develop that kind
of service for our customers, but we let one of our subcontractors handle the management of the
servers. We sell the service to the customer, but we let a third party take care of it to ease the pressure
on us. Then I would think that we would profit a lot from putting out our internal system, for
example our external web service, into the Cloud. That is something that we do not need to
manage ourselves.
• What type of Cloud deployment model would your company be interested in and why (e.g.
public, private, hybrid and communities)?
Hybrid is something we have discussed, but it is not something that we are currently focusing on.
But I think it would definitely be something that we could profit from.
• We have been using a platform online for uploading our files on the Internet. What do
you think of that type of service?
The question is what type of information that you want to put up there. You have to take
responsibility to not give out your login information. It is very dependent on the individual. Some
people do not have any judgment at all when it comes to those matters. Some users share the
same account, and uploading critical data is something you consider twice.
• What are your top three concerns with Cloud Computing?
The security aspect is one. As a provider you have promised a certain uptime, and it is not
unusual that security updates are released that have to be installed. What happens to uptime then?
That affects the SLA and could mean a lot of costs. Also, the time from when the vulnerability is
discovered and that it is fixed is dangerous. So when it comes to the Cloud the security aspects
are very exciting, even though you have a lot of external security. There are hacker syndicates that
are working solely with stealing information.
As a comparison, when you have it in-house, you have got a whole different possibility to isolate
the servers. But when you are sharing a server with someone else that has not got the same
system, and you need to update your system by restarting the server, you got a problem.
With this new business model using old technology you got new problems that need to be
solved. Companies take different services that they repack and call Cloud Computing which can
create security risks that they did not have before.
There is a problem with not having a universal definition of Cloud. The terminology is very
unclear. So we got the security aspects, terminology and the possibility to integrate with other
systems. Scalability and flexibility are parts that are beneficial with the Cloud. It is cost effective in
the way that you can measure what you use. But it is still hard to calculate the benefits of Cloud.
It depends on who does the calculation and in what way. Some argue that you will make huge
savings by putting everything in the Cloud, while some others say that you need to keep some
infrastructure in-house.
• What risks do you consider to be in the top three with Cloud Computing?
Generally when you are buying a service you buy a completely configured system. You as a
provider need to know exactly how the system shall work. And there are problems before you
have a fully functioning application up and running. The provider needs to understand the
customer. The customer does not have the possibility to monitor the system, to troubleshoot or
to manage it. And how much can you affect this out-of-the-box solution, there is no standard
version that works for everyone. It is not unusual that something goes wrong. Human error is
common. To not have control is an issue. It is one thing to buy something straight up. But as a
service, how shall it be configured? If you have it in-house it goes relatively quick to solve a
problem. If you have it as a service, the lead time from when something goes wrong and it gets
fixed is longer. The quality of customer service is important and you should aim for a long time
relationship with the provider. So communication, control, maintenance and the possibility to
troubleshoot are important aspects.
• How can one solve the accountability that arises with Cloud Computing in your opinion?
Trust is essential. If you are going to use a provider you should aim for a long-term relationship.
Both parts have to go all the way. The dependency that you get with a provider, if you are not
happy, how do you do then? You may switch provider, but the one you got can make it a hard
time for you. They could oppose you. How do you know that you get out all the data? And in what
format? Can you import the information to other systems?
• Do you review your SLAs properly, and how?
When we buy a service we get it out-of-the-box. We do not really review the SLA. We cannot
really affect it. It is a standard agreement and we use it for our customers as well.
• What areas of the SLA does your company mainly focus on?
Availability is of utmost importance. The processes and routines regarding security have to be in
there. How is the data encrypted, who has got access to the data, backup routines, has a third
party access to the data? There is a naivety when it comes to security. What does security really
mean? Who does what? If you can define what is included when it comes to security you add
value to what you are selling. And adding value to your customer is very important.
• How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
You have to know who you are; who your customer is, what is your focus and what type of
business are you running. From that you can put out demands. You have to think 'what if' and
even get help to do that. Based on our demands we can work actively with evaluating what could
happen and can absolutely not happen. How can you work with putting up counter measures for
emerging threats? Worst case scenario. That has to exist in the SLA and you should actively work
with renewing it to be able to cope with the new threats that are coming every day. The Cloud
business model is so new so the SLA has to be constantly updated with emerging issues that are
arising all the time.


• Then who is responsible? How can you integrate accountability solutions?
Somewhere you have to start with a requirement model. You want to achieve something. You
buy a service that may be situated in the Cloud. In the SLA the demands should be incorporated.
From that it should be the service provider and or the Cloud provider. So you will get SLA on
SLA. It should state who does what and you got to have some kind of error-handling. A logging
function should be installed that does not lower the performance. That should also be regulated
in the SLA. Maybe a master SLA. There is no easy technical solution for the accountability, which
is probably why the Cloud providers liberate themselves from this.
There are not only security risks with the Cloud, there are benefits as well. People are running
around with USB flash memories which they sometimes drop or lose. Cell phones are containing
a lot of different information today that is important for some organizations. A Cloud provider
can offer a pretty solid security solution which you as a small company may not be able to afford.
The Cloud is probably going to be an expert in the area too.
Some other issues though would be if you get bought up as a company. What happens to the data
then? Or if a company goes bankrupt. Also, how can you get out of the Cloud? That should be in
the SLA. Many companies may just go for the Cloud because it is profitable and just ignore the
risks.



10.2 Senior Business Consultant
We interviewed a Senior Business Consultant whose company offers professional IT Services
and had a third party that provided Cloud Computing to customers. We interviewed the said
person on the 24th of April 2010 and the interview lasted for about 30 minutes. The questions we
used can be found in 17.1
1. What is your position in the company?
Senior Business Consultant.
2. What are your first impressions of Cloud Computing?
Outsourcing.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
• Flexibility
• Security
• Accessible

4. What are your top three concerns with Cloud Computing?
• Security
• Flexible
• SLA needs to be waterproof

5. What risks do you consider to be in the top three with Cloud Computing?
• Security
• Flexible
• SLA needs to be waterproof

6. What are the major advantages of Cloud Computing that your company can benefit
from?
Startup cost and the flexibility as well as scalability.
7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not?
No solution but using an internal private Cloud.
8. What business process would your company be willing to relocate into the Cloud?
Non-critical business process would be the first step then possibly more critical process (e.g.
Decision process, production processes)
9. What would be the security issue with relocating to the Cloud?
• Multi-tenancy
• Stability of Supplier
• Long term focus + track



10. Do you review your SLAs properly, and how?
Yes, they had consultants write SLAs, so they have personally reviewed the SLAs.
11. What areas of the SLA does your company mainly focus on?
Review mostly the startup relations, communications, support, and uptimes on different
applications and how to terminate the contracts.
12. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
Important not to lose critical data.
13. What type of Cloud deployment model would your company be interested in and why (e.g.
public, private, hybrid and communities)?
Private.
14. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
Proactive: Help in establishing the standards and be knowledgeable in being reactive in security
threats.
15. How can one solve the accountability that arises with Cloud Computing in your opinion?
Understanding a clear line on where the border is between partners' accountability, Supplier A to
B how, when and what data.
Using a kind of integrated platform, log how it is being done, sent, and stored and what issues
you take when it does not come through, in other words ensure that there are clear
responsibilities established.
16. How does your company evaluate trust?
Does research on the company and looks for negative reports so reputation plays a big part in it.
Example, one company required a customer to sign a gag order for some reason so the said
person from the company went elsewhere.


10.3 CIO I
On the 28th of April 2010 we interviewed a CIO at a distribution company. The interview lasted
for 20 min and was conducted via a speaker telephone. The interview was semi-structured
and the questions we used to establish a theme were the ones in section 17.1.
1. What is your position in the company?
I'm the CIO of our company.
2. What are your first impressions of Cloud Computing?
My first impression was that Cloud Computing could be useful for mainstream applications in
the office, and that I would not like to connect it to our business critical systems.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
Our concern is the security aspects. We lose control of who can access our information even if
the agreement says we are the only ones; someone could still access it in theory. We are also
concerned about creating a waterproof SLA about access and control over data since information
relocated into the Cloud could be sensitive.
4. What are your top three concerns with Cloud Computing?
• Security - Who can access our data?
• Uptime - stable access to the service, cannot have downtime or lose data
• Backup - beyond our control, what happens if the system crashes?

5. What risks do you consider to be in the top three with Cloud Computing?
• Other companies can access our information
• Uptime - dependent on the provider
• Backup

6. What are the major advantages of Cloud Computing that your company can benefit
from?
• Scalability - in the sense that applications are not affected because of peaks in usage.
• Lower IT costs
• Smaller IT department, fewer IT employees = lower costs

7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not?
No, we are not looking for a Cloud solution at the moment. We have recently invested in VMware
solutions to run internally since we consider IT advantage is possible through in-house
development and that such an advantage is important in our business. So we will probably not
look for a Cloud solution in the next years.
8. What business process would your company be willing to relocate into the Cloud?
The business process we could consider is office applications that are not connected to critical
business systems. We want to have control over them ourselves.



9. What would be the security issue with relocating to the Cloud?
Our biggest security issue would be the loss of control and who can access information that
could be deemed as sensitive to our company and our clients.
10. Do you review your SLAs properly, and how?
We use to distribute them on our meetings within the IT department so that everyone at the IT
department understands them.
11. What areas of the SLA does your company mainly focus on?
The part that is most important for us when we agree to an SLA is the uptime; we have to make
sure that the provider can provide their service at a level that means we can keep working, e.g.
with our Internet provider, our Internet connection cannot be down too much.
12. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
Since we deem it is unacceptable to lose data we cannot use that when we measure the providers,
but the Internet downtime is different. We do have a specific time we can allow Internet to be
down so we measure against that.
13. What type of Cloud deployment model would your company be interested in and why (e.g.
public, private, hybrid and communities)?
If we would move to a Cloud solution it would be to a private Cloud so that we can control the
SLA more and the access of the information.
14. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
I do not have enough experience or knowledge about the Cloud to answer this question in a valid
way.
15. How can one solve the accountability that arises with Cloud Computing in your opinion?
This issue could be solved through carefully writing the SLAs. I think the public Clouds can have
the most problem with this since they appear to be more standardized than the private Cloud
SLA.
16. How does your company evaluate trust?
I use connections and references from friends and colleagues in my field of work together with
reading about the provider. Then I carefully review the SLA and make sure that both companies
mean the same for complicated words.




10.4 Computer Consultant
On May 7th 2010 we interviewed another Computer Consultant at a distribution company. The
interview lasted for 40 min and was conducted via teleconference. The interview
was semi-structured and the questions we used to establish a theme were the ones in section 17.1.
1. What is your position in the company?
Computer consultant at different companies, industries, SP.
2. What are your first impressions of Cloud Computing?
What I thought was that finally people have realized what can be done when it comes to
virtualization. It helps the environment by optimizing the utilization of resources by only using
what you need.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
That you do not know who customers are, integration, how do you store data and integrate with
their systems? We do not want to put everything in the Cloud, only some parts. Specific service
e.g. email could be something. Also how to integrate these different services is important.
Because as it is now, Cloud is hard to integrate. Manageability is an issue, how to start using it,
how to make it available for the right time. How to design what to be used in the services
bought? The connectivity is important. In Sweden it is good, but when you travel elsewhere it
could become an issue. Security, loss of governance, you have no control over where information
is. You have to think about monitoring, like how to monitor applications bought through
internet. Traditionally, someone notices that the application is not working, and that someone
contacts helpdesk.
4. What are your top three concerns with Cloud Computing?
Security, connectivity, integration between services, both external and internal.
5. What are the major advantages of Cloud Computing that your company can benefit
from?
The environment of Cloud. You are buying a service which means less responsibility. You say
bye bye to infrastructure which also means less need for resources like employees and less
associated problems.
6. Is your company currently looking for different solutions in Cloud Computing?
Don't know, I am not a part of that process in the company. We provide consultancy for those
who want to relocate into the Cloud. Services are awesome, easy to buy, so we should.
7. What business process would your company be willing to relocate into the Cloud?
Simple stuff, things that are not really hard to integrate into systems in your environment. The
reporting platform for example or a traveling template generator to standardize traveling bills in
the company instead of using the systems.
8. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?


Trust is of key importance, by having trust I can be reactive, if I don't, I have to be proactive. If I
have no knowledge about what the provider does with the data and physical equipment, can I be
proactive?
9. How can one solve the accountability that arises with Cloud Computing in your opinion?
Right now it is not impossible. Trust is the only current solution, but trust is hard to create when
all information is not shared as well as goals of what wants to be done. For example how to hold
someone accountable for e.g. fraud or copying of data.
10. How does your company evaluate trust?
How do you evaluate trust? Maybe by looking at track records or talk to people?
General discussion about security
Where is my data? What laws governs my data? How can I trace if my data is being copied in a
safe way? Where are backups stored? How can I be sure that my data is not being manipulated in
the wrong way? When data gets redundant by being stored in two different geographic locations,
what law is protecting my data when the data is in these two different places? E.g. Sweden and
Poland.
You will have a hard time to find out where information was manipulated wrongly. With
backups, how can I monitor my physical storage of data on e.g. a tape where I make big storage
backups and where does it go? How do I know I get the data about the service they provide me
(for instance log files) is the raw data or changed to look good and to keep you unknowing as a
client?
How can I know that everything is being logged since I cannot access that information? Will
someone tell you if the provider screws up? They need systems to monitor everything so that
they can prevent bad things to happen by monitoring customers' activity and activity around the
customers' data. Pre-programmed triggers to alert if something bad happens exist. But this issue
is very complicated. There are risks as industrial espionage and idea stealing.






10.5 CEO
On the 6th of April 2010 we interviewed a CEO at an IT company. The interview lasted for 30
min and was conducted in person. The interview was semi-structured and the
questions we used to establish a theme were the ones in section 17.1.
1. What is your position in the company?
CEO at an IT company.
2. What are your first impressions of Cloud Computing?
Necessary. It is not possible to move to next level of business with the old way of handling.
Because we don't have enough resources or money to spend on IT in the companies. We need to
have Cloud solutions and it is also easier to apply best practices in the Cloud. It is like with the
importance with internet. Terminals back in 1984 connected to a mainframe. Then you could not
afford personal computers.
From a technical perspective it is more complex to have it in the Cloud. But you get so much
more power and functionality with the Cloud.
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
We are not supplying Cloud solutions. We have many systems in the Cloud. A company runs all
the finance for us. When I look for suppliers I'm not only looking for one. But I did not look for
solutions abroad, I prefer to have it in Sweden.
4. What are your top three concerns with Cloud Computing?
Top concern for Cloud is trust. Accessibility is second. Right now I am storing everything on my
computer, even though I have it in the Cloud. This is because I travel a lot and need access to the
information all the time. Maybe in the future when the accessibility is better I will only have it in
the Cloud. It's not the computer power that will change in the future. It is the speed and
availability of connectivity. If we understand the strategy of Cloud, it's easier to adapt to it.
5. What risks do you consider to be in the top three with Cloud Computing?
Business model, that you are not able to make profit of it. If you do not make profit, the
development will not increase.
Then of course the trust and intellectual property. Secret information cannot be placed in the
Cloud. In most countries you are not allowed to keep your book keeping outside the country.
That means that the information needs to be stored locally. Legislation is definitely not updated
for the Cloud.
6. What are the major advantages of Cloud Computing that your company can benefit
from?
Speed and flexibility. That you can increase the business efficiency and development.
7. What business process would your company be willing to relocate into the Cloud? Is
there any part that you wouldn't move to the Cloud?
Not for me. But I am not representative in that perspective. People think it's more secure if you
have it on your own laptop. If you travel it's the most insecure place for information. You have a


lot of information on your phone today. Your information is more secure in the Cloud. It's an
illusion that it is more secure on your laptop. Big files are however a problem with the Cloud. But
with the technology today it shouldn't be a problem.
Using Cloud as a backup is more secure. It's a question of privacy. But if you're honest, why is it
a problem with the Cloud?
8. What would be the security issue with relocating to the Cloud?
It's safer in the Cloud. Where is it more secure? That is something that you have to evaluate.
Where is the weak link? Devices as laptop and cell phone certainly are. Is storing or using
information my concern. What is the long term strategy on this?
9. Do you review your SLAs properly, and how?
No. I just expect that everything should work, all the time. The competition will be about the
SLAs. If you have a poor SLA, you will very quickly lose the competitive edge.
10. What areas of the SLA does your company mainly focus on?
It's not uptime, which is obvious. It should just be there just as with announcement of downtime
etc. The physical support is important, where I can get someone on the line to talk to me. You
don't want to email somebody when something goes wrong. Then we have an issue with the
service area. It is not only technical issues with Cloud, it is a matter of service as well.
11. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
I haven't thought of it, because I don't calculate that way. But it is always a part of it, you have to
realize that.
12. What type of Cloud deployment model would your company be interested in and why (e.g.
public, private, hybrid and communities)?
In the past I was a big fan of private internet. We didn't want to be public with our information.
Because of more security. But it's better, more efficient, faster and in the long run probably more
reliable if it is in the public. The damage is much higher if something goes wrong in the Cloud.
13. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
Security, behavior, educate people that they need to think about security. Stop using 'secret' as
our normal password and so on. Communication and education.
14. How can one solve the accountability that arises with Cloud Computing in your opinion?
If you are a small player, it is maybe a lower cost but higher risk. If you are doing things that you
can't stand up for, is that Google's fault? Cloud is not a new service, it's a new behavior.
15. How does your company evaluate trust?
For me trust is more than everything else. I use a combination of applying best practices,
references, and reputation.



10.6 CIO II
On May 15th 2010 we interviewed another Computer Consultant at a distribution company. The
interview lasted for 40 min and was conducted via teleconference. The interview
was semi-structured and the questions we used to establish a theme were the ones in section 17.1.
1. What is your position in the company?
CIO
2. What are your first impressions of Cloud Computing?
The term itself, Cloudy concept. Hyped up market term
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
Ownership of the actual data and the Cloud
4. What are your top three concerns with Cloud Computing?
Interruptions of service control, will the provider notify you if there is an issue with your Cloud
or do you have to keep track of it yourself. The other risks are stealing information, and SLAs.
5. What risks do you consider to be in the top three with Cloud Computing?
My biggest concerns are the actual integration between the different Clouds and business units.
Also, other issues that I see are intellectual property of the data and security.
6. What are the major advantages of Cloud Computing that your company can benefit
from?
Scale of economy, and being able to use the different experts from vendors.
7. Is your company currently looking for different solutions in Cloud Computing?
Why or why not?
Have a partial Cloud internally
8. What business process would your company be willing to relocate into the Cloud?
I view that the non critical business processes like ASP solutions, salary systems and supporting
systems can be moved to the Cloud.
9. Do you review your SLAs properly, and how?
We review the SLAs very extensively by sending them to our lawyers and IT departments for
them to review and discuss the items that they dislike.
10. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or
downtime)?
We evaluate from an acceptable loss perspective by the sense that we see the cost of downtime,
and data loss.


11. What type of Cloud deployment model would your company be interested in and why (e.g.
public, private, hybrid and communities)?
Most likely private but very confident about moving core business processes to the Cloud.
12. How do you think a company can be proactive/reactive when it comes to security issues
in Cloud Computing?
It is important to have a face to face meeting with the vendor to provide confidence and to get a
secure feeling from the vendor to be able to develop a long lasting relationship
13. How can one solve the accountability that arises with Cloud Computing in your opinion?
This is a challenge because we have three members we meet monthly to have discussions on how
the partnership is going. I don't want the other members get used to us and continue thinking
that we will always come back to them. We want them to work for our partnership. Also, having
a modifiable SLA so if something does change all of us can sit and discuss the new changes. It is
important to establish a balance between the customer and the vendor. If the power becomes
unbalanced, the vendor can change its view and the customer has to accept it, for example
Amazon said no to the IRS when asked to do a C&A risk assessment.
14. How does your company evaluate trust?
We review the references, size, history, reputation, performance of the company to build a
partnership. We evaluate different vendor that fit our requirements and conduct meetings with
the vendor. It is a six month process that requires plenty of planning and meetings to build the
relationship.


1 Introduction

On the information technology (IT) market there has emerged a new buzzword called Cloud Computing. It is described as the future and that everyone should move into the so called Cloud. Due to this new buzzword Cloud Computing, issues regarding security has been raised. On November 20 2009, the European Network and Information Security Agency (ENISA) published a report called Benefits, risks and [...] which gives a detailed description of the security risks and benefits of Cloud Computing. ENISA is a European Union (EU) agency that works with aiding and giving recommendations concerning issues related to network and information security.

There are many different definitions for Cloud Computing which has created confusion about what this phenomena really is. For this research two definitions has been selected which are stated below.

Forrester defines Cloud in their article as: [...]

In the article Cloud Computing will be as influential as E[...] by Gartner, Cloud Computing is defined as: [...] "as a Service" using Internet technologies [...]

These definitions will be a guide through the research as they help to understand what type of information is focused upon. The research focuses on technology in Cloud Computing (SPIs: Software, Platform, and Infrastructure as a service) and the associated risks. The areas we will go through in this research are listed below:

- Cloud Computing
- Cloud Deployment Models
- Cloud Computing Characteristics
- SPIs and associated Security Risks
- Service Level Agreement (SLA), Web SLA and Cloud SLA
- Trust

1.1 Background

In present day, we link Cloud Computing with fuzziness and hype, but also with new business models, emerging markets and new IT solutions. In newspapers, articles, interviews and other sources that we present in this work there are a general attitude that Cloud Computing is very new even if the technology is old. In our research about Cloud Computing we have viewed this emerging technology as something that has evolved from previous solutions. The characteristics of Cloud Computing can be seen in the networking solutions of grid computing and distributed systems and the online part of Cloud Computing can also be found in Application Service Providers (ASPs) (Computer Weekly, 2009).

The emergence of Cloud Computing has also introduced interesting results regarding predictions of how IT would be in the future. According to Computer Weekly and an article about the history of Cloud Computing published in 2009, visions about the future are quite similar to our concept of the Cloud. In 1969, J.C.R. Licklider shared his vision of an intergalactic computer network where people would be globally connected. Before him in 1961, John McCarthy was one of the first to propose utility consumption and payment in the context of Computers and IT (Wikipedia, [...]), but it would take time for Cloud Computing to reach out into the world. [...] increase of bandwidth enabled new possibilities for Internet based solutions and a more globally connected world. It was in 1999 with the arrival of Salesforce.com that revolutionized how we use solutions connected to the Internet. Amazon soon followed in 2002 with their Web service and after this more followed expanding Cloud oriented solutions from only being applications, or Software as a Service, to also include Platform as a Service and Infrastructure as a Service.

One important factor that has made Cloud Computing popular is the fact that the experts within the field of IT solutions, such as Microsoft, are providing applications that are good enough to compete with in-house developed solutions that are costly and hard to [...] (Computer World, [...]).

In the introduction we presented two definitions for Cloud and Cloud Computing. The information about what Cloud Computing consists of is mostly derived from ENISA, NIST and CSA. The three main Cloud Services that we will present in this thesis are the ones below, each with a definition from ENISA;

Software as a Service (SaaS): is software offered by a third party provider, available on-demand, usually via the Internet configurable remotely. Examples include online word processing and spreadsheet tools, CRM services and web content delivery services. Salesforce.com is an example of SaaS which provides the customer with a web based Customer Relationship Management solution. (ENISA, 2009)

Platform as a Service (PaaS): allows customer to develop new applications using APIs deployed and configurable remotely. The platforms offered include development tools, configuration management. Examples are Microsoft Azure, Force and Google App engine. Force.com is an example of a PaaS and provides a platform to build multi-tenancy applications. (ENISA, 2009)

Infrastructure as a Service (IaaS): provides virtual machines and other abstract hardware and operating systems which may be controlled through a service API. Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud. IaaS is more complex and gives more control over the hardware, and an example of that is Amazon S3. (ENISA, 2009)

These types of services are mature and have been provided by service oriented companies before Cloud Computing. Other than these three there are other types of -as a services and clients buy and use them over the internet and do not need to allocate physical or virtual space for it is being offered as a service over the Internet. [...] important security issues arise as this phenomenon we call Cloud Computing continuously evolve and becomes more of a business model and solution.

For us it is very interesting to see fruition of old visions being realized because of evolution in IT.

With Cloud Computing, new challenges has emerged and among them we consider security as the most important one. In this thesis we discuss security risks that we have found from ENISA, NIST, CSA and experts we have interviewed. The empirical data used for this research is from secondary literature such as books, articles, magazines and web publications such as blogs. The primary data was gathered from experts in the field via interviews. Examples of security risks from ENISA (2009) are:

- Data protection
- Isolation failure
- Management interface compromise
- Insecure or incomplete data deletion
- Malicious intruder

Even if there seem to be numerous threats, ENISA also identifies benefits with Cloud Computing, and examples of these are:

- Benefits of scale
- Security as a market differentiator
- Standardized interfaces for managed security services
- Rapid, smart scaling of resources
- Audit and evidence gathering

Throughout this thesis we will review different security risks with Cloud Computing in a general context and then focusing on linking those risks with a client perspective. We may provide benefits with Cloud Computing as we stated above, but the main focus is on the security risks.

1.2 Problem

The new emerging concept of Cloud Computing has created an intriguing buzzword for old technology, and we believe this will evolve to a very good solution for clients who lack the in-house knowledge to solve their problems on their own. The idea of experts providing their expertise for a fee sounds very interesting, as with both web services and outsourcing; a very good solution to problems when a client does not have the skills to solve a specific problem on their own. Cloud Solutions main focus area [...] another company that have deemed it beneficial to let the experts handle their IT. Security risks could arise with letting someone doing that. Clients are now starting to look towards the Cloud to see if this is something for them.

However, as with any new technology, risks can appear because of negligence of understanding Cloud Services and its legal documents. What could be a frightening fact is that the client could give up control to a provider of information and processes vital to the organization. The extent to how much a Cloud Provider, within Cloud Computing, handles, is entirely up to the client signing an agreement with the provider. This is one of the reasons why it is important to know about security risks in the context of Cloud Computing. If one does not know what security risks can be associated with Cloud Computing, [...] It could also prove to be harmful to not know how the process of selecting a provider works or should work. This is the reason we feel it so important to look at the security risks before investing into the Cloud.

In this thesis, we want to prove that Cloud Computing does have security risks, but not because we seek to alarm people not to use Cloud Computing, but rather because we want it to evolve into to what it could become in the future. To understand which security risks are associated with Cloud Computing from a client perspective, we decided to focus on this particular theme in our thesis. [...] we have looked into three big publications from three respected groups to get a good understanding of security risks and Cloud Computing itself. Next, we used interviews with experts to gather more information for the research.

From the discussion, numerous questions could be asked, and could therefore be said to be preliminary research questions that the reader should bear in mind while reading the thesis.

- What are the security risks with Cloud Computing and the associated technologies?
  o Are there other implications with Cloud Computing in addition to the technology e.g. Social?

These questions are quite general and we will present more specific research questions in section 4 - Research questions.

1.3 Purpose

The purpose of this research is to clarify the security risks that clients could encounter with Cloud Computing. With this ever-growing catchphrase of Cloud Computing most companies may start looking to the Clouds for possible options. Software as a Service (SaaS) might be beneficial to some clients due to the financial limitations, but larger companies may look into Infrastructure as a Service. All the SPIs have security risks and this research should provide a guide on what security risks that exists and help a client put pressure on providers to reduce these security risks. One way of doing this is to bring forth the importance of trust in the context of negotiation of SLAs with a Cloud providers.

It is important for a company to understand how their data is handled and how confidential it will remain due to the fact that it will be on the Internet and can be accessed globally. Clients should understand that their information is vital which is why they should review the recovery process if their data is accessed, altered, or lost. With this research, clients should be able to make a more sound decision whether or not to make this type of investment. Also, this will enable an understanding to most clients about which SPI would benefit them the most.

1.4 Perspective

For this research we will be looking at the problem from a client point of view to show what the potential buyer should look for in a vendor that provides Cloud Computing or Cloud Services. We selected this view as we think it is more important to help potential clients to understand what Cloud Computing could be and what security risks that may be involved in [...] different perspective we could bring new insights to the table and help clients in what they should know and what they should expect from providers when entering agreements.

1.5 Delimitation

The focus in this thesis are on security risks with Cloud Computing and the technology that build up Cloud Computing, the three SPIs. We will not focus on benefits in our analysis even though we have presented a few where we talk about Cloud Computing in general. The technical focus will be the SPIs which we will methodically review to show how they differ and compare against each other and potential security risks. There are more kinds of service solutions but we will only consider the SPIs mentioned earlier.

The raw data that we will gather will be qualitative which means that we will not put focus on gathering a wide variety of sources to be able to generalize with statistical data. Instead we will use qualitative data to gain insight and see what the main concerns could be if a client may consider to move to the Cloud. This will be achieved through semi-structured interviews with experts.

1.6 Definitions

Application Programming Interface (API): Collection of software routines, protocols, and tools which provide a programmer with all the building blocks for developing an application program for a specific platform (environment). An API also provides an interface that allows a program to communicate with other programs, running in the same environment. (Businessdictionary.com)

Application Service Provider (ASP): Firm that sells usage of computer programs via internet. Customers use the programs they need, for a fixed monthly fee or usage based charges. The data generated by those programs can either be stored on the customer's computer or on the disk space rented out by the ASP on its storage devices. An ASP (equipped with all required software, hardware, and trained employees) guarantees trouble-free availability of the application programs on a continuous basis. (Businessdictionary.com)

Cloud: [...] (Bouchard & Sankar, 2009)

Cloud Computing: [...] "as a Service" using [...] (Gartner, 2008)

Denial of Service (DOS): Deliberate attempt to thwart authorized users' access to a computer system or website, by corrupting its stored data or disrupting its normal functions with a denial of service attack. (Businessdictionary.com)

Distributed system: Computer networking scheme in which several inter-connected systems service their local needs and use their idle or spare capacity to attend to common workload. (Businessdictionary.com)

Flexibility: Ability of a system, such as a manufacturing process, to cost effectively vary its output within a certain range and given timeframe. (Businessdictionary.com)

Hypervisor: In virtualization technology, hypervisor is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system. The hypervisor manages the system's processor, memory, and other resources to allocate what each operating system requires. Hypervisors are designed for a particular processor architecture and may also be called virtualization managers. (Webopedia.com)

Information Security: Safe[...] (Businessdictionary.com)

Infrastructure as a Service: [...] abstract hardware and operating systems which may be controlled through a service API. Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows [...] (ENISA, 2009)

Lock-in: Vendor lock-in, or just lock-in, is the situation in which customers are dependent on a single manufacturer or supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without substantial costs and/or inconvenience. (Linux Information Project, 2006)

Platform as a Service: [...] develop new applications using APIs deployed and configurable remotely. The platforms offered include development tools, configuration management, deployment platforms. Examples are Microsoft Azure, Force and Google App engine. (ENISA, 2009)

Risk: (1) Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss, expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event. (Businessdictionary.com)

Scalability: [...] proportionally very small to very large usage and service levels almost instantly, and with no significant drop in cost effectiveness, functionality, performance, or reliability. Scalable systems employ technologies such as automatic load balancing, clustering, and parallel processing. (Businessdictionary.com)

Security: [...] (Thefreedictionary.com, 2009)

Software as a Service: [...] software offered by a third party provider, available on-demand, usually via the Internet configurable remotely. Examples include online word processing and spreadsheet tools, CRM services and web content delivery services. (ENISA, 2009)

Threat (Computer Security): Action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its known or unknown vulnerabilities. It may be caused by (1) gaining unauthorized access to stored information, (2) denial of service to the authorized users, or (3) introduction of false information to mislead the users or to cause incorrect system behavior (called spoofing). (Businessdictionary.com)

2 Methodology

In this section we are going to bring forward what scientific approach we took in our research and what methodology we applied to the work within this thesis.

2.1 Research philosophy

Research philosophies are a help to guide researchers in their work by helping them understand how they and other researchers approach their work. It also helps researchers understand how the researcher came to their conclusion by describing what personal beliefs and assumptions the researcher had while conducting the research and collecting the data. The following discussions are comprised of what approaches this thesis is taking regarding research philosophies.

2.1.1 Epistemology

According to Saunders et al. (2007), epistemology is concerned with what is considered acceptable knowledge in a field of study. In the epistemological philosophical branch, we have the positivist and the interpretive assumptions. The positivist is concerned with that valid knowledge is data that can be observed and measured. As a positivist you will be:

[...] -like generalizations similar to those produced [...] (Saunders et al., 2007)

The interpretive stance advocates:

[...] (Saunders et al., 2007)

In other words it highlights the importance to differentiate between making research among people and other objects. Our standpoint is within an interpretive viewpoint because we think it is important to differentiate between each individual. We will conduct semi-structured interviews with several different people and the results will differ because of different viewpoints, experiences and world views by the people. Due to that, we do not think that law like generalizations can be created for individuals. We are not trying to measure the reality; we are more concerned with finding meaning with the reality we are investigating. The area of Cloud Computing is still fuzzy and it is the users who will form Cloud Computing to what it is going to become. So it is important to realize that the research itself is affecting the reality that is being investigated.

2.1.2 Ontology

Ontology is about what the nature of knowledge is. It includes objectivism and subjectivism where the objectivist is concerned with that:

[...] (Saunders et al., 2007)

while the subjectivist holds that:

social phenomena are created from the perceptions and consequent actions of those social actors concerned with their [...] (Saunders et al., 2007)

To understand and to be able to correctly observe a reality, we argue that you have to be involved in that reality by being subjective. By observing it objectively, you may not be able to understand the reality to its full extent and what is actually creating the reality. On the other hand, by being subjective, the knowledge created might be biased by the fact that the researcher is directly involved with the reality. This research will mainly be subjective by being in contact with both providers and clients in the Cloud Computing environment.

2.1.3 Axiology

In Saunders et al (2007) Axiology is:

[...]

It means among others that the philosophical approach taken, determines which type of data collection techniques are chosen. The aim of this thesis is to provide knowledge about security risks with Cloud Computing, and this would be of value for both the researchers and others that are considering moving into the Cloud environment. Conducting semi-structured interviews would add more value to the results by allowing more in-depth discussions, but still relying upon a foundation consisting of carefully evaluated questions that aims at answering the research questions.

3 Theoretical Framework

In this section we will present background information about Cloud Computing that will be used throughout the thesis as a cornerstone on what Cloud Computing and its associated security risks are about. We will also present definitions and explain key concepts that will help the reader to understand our train of thought. First we will introduce Cloud Computing and characteristics of Cloud Computing. Then we will present the three SPIs and after that we present different Cloud deployment models we have found and multi-tenancy. Before we move on from specific Cloud topics we will also present a model that shows different services for the SPIs and who is offering them. We will then present information regarding three kinds of SLA. After that we will present risks from ENISA, CSA and NIST, followed by our topic on security and counter measures then we will discuss the topic of trust.

3.1 Cloud Computing

In this section we will talk about Cloud Computing more generally before we move into each SPI more deeply. This will give the reader an overview of what Cloud Computing is and the technology it consists of.

ENISA (ENISA 2009) describe Cloud Computing to be highly abstract, scalable and flexible where resources are shared and fees are determined by the usage. CSA calls Cloud Computing an evolving term and add information separation to the picture. That means that applications, information sources, and the infrastructure are separated (CSA 2009). CSA also adds the collaboration perspective to the picture that comes with virtualization and flexibility. OpenCrowd.com agrees on this and calls it [...]-tenant data centers offering organizations an alternative way of building, deploying and selling IT services at a significantly lo[...] and we can begin to see key patterns in the characteristics in the Cloud.

- On-demand
- Broad network access
- Resource pooling
- Rapid elasticity
- Measureable

These characteristics will be explored later in the text in the paragraph Cloud Computing characteristics.

To understand what we and our sources of information mean when we say scalable and flexible we thought it would be a good thing to add two more definitions to this thesis. Scalability in the context of a system can be defined like this:

[...] usage and service levels almost instantly, and with no significant drop in cost effectiveness, functionality, performance, or reliability. Scalable systems employ technologies such as automatic load balancing, clustering, and parallel processing (Businessdictionary.com)

Flexibility is the other reoccurring phrase when one talk about Cloud Computing, and we decided to use a definition from the same website as we found the definition for scalability, business dictionary.com, for flexibility.

Ability of a system, such as a manufacturing process, to cost effectively vary its output within a certain range and given timeframe. (Businessdictionary.com)

3.2 Cloud Computing Overview model

This model was presented by National Institute of Standards and Technology (NIST) to create a conceptual model of what they believe Cloud Computing includes. The reasons for using this model in the thesis are because this model summarize what we believe Cloud Computing to consist of.

Figure 3.1 Cloud Computing Overview Model

The figure 3.1 gives an overview of how we will present information regarding Cloud Computing as we will start at the top with characteristics and end with Cloud deployment models before we look into SLAs, security risks and trust.

3.3 Cloud Computing Characteristics

NIST offers a list of components of what comprises Cloud Computing.

On-demand self-service. A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically, without requiring human interaction with a service provider. (NIST 2009)

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or Cloud based software services. (NIST 2009)

Resource pooling. [...]s using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a degree of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private Clouds tend to pool resources between different parts of the same organization. (NIST 2009)

Rapid elasticity. Capabilities can be rapidly and elastically provisioned in some cases automatically to quickly scale out; and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured service. Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, or active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the service. (NIST 2009)

3.4 SPI Overview Model

The Figure 3.2 was presented by CSA (CSA 2009) and we present it to give the reader a conceptual aid in different SPIs that we will discuss in the following paragraphs.

Figure 3.2 SPI Overview Model

3.5 Software as a Service

According to ENISA Software as a Service (SaaS) is:

Software offered by a third party provider, available on demand, usually via the Internet configurable remotely. Examples include online word processing and spreadsheets tools, CRM Services and web content delivery services (Salesforce CRM, Google Docs, etc) (ENISA, 2009).

SaaS has become very popular within the IT world due to its ability to be flexible and not require as much of IT knowledge. This service is customizable to fit the consumer and the provider controls the infrastructure, platform, and application.

According to ENISA, certain security risks have a high impact on SaaS and other SPIs and clients must understand the impacts. One risk that effects all of the SPIs is Lock-in. Lock-in is defined as:

Vendor lock-in, or just lock-in, is the situation in which customers are dependent on a single manufacturer or supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without substantial costs and/or inconvenience. (The Linux Information Project, 2006)

SaaS providers develop the different applications that are tailor made for that customer which does bind the customer to that provider.

According to Hoffman (2006), in his article Top 10 SaaS Traps, not many service providers of SaaS offer an SLA or might even charge for the SLA. It is now very important that a customer does in fact ask for an SLA or locate a different vendor that will provide one.

According to the website MSDN and the authors Carraro & Chong (2006), SaaS architectures have become four different levels of maturity based on three different key attributes configurability, multi-tenant efficiency, and scalability, with each rated.

Level 1 Ad-Hoc/Custom: This level requires the lowest level of development effort but offers the lowest level of offers. At this level each time that the application is run it creates an instance on the server of the provider.

Level 2 Configurable: Second level of maturity host a separate instance of the application for each customer. It differs from level 1 by all instances use the same code and the vendor meets customers needs by providing detailed configurations options.

Level 3 Configurable, Multi-tenant Efficient: The vendor runs a single instance that serves every customer that provides a unique user experience and feature set for each one. The disadvantage with this level is that the scalability is limited.

Level 4: Scalable, Configurable, Multi tenant Efficient: At this level the vendor handles multiple customers on a load balanced farm of identical instances.

It is important to understand that the last level is not always the desirable place to be. Where the application is placed in the maturity level depends on business, architectural, operation needs and on customer considerations. By understanding where the application should be in the maturity level it will also help in deciding if a client really needs Software as a Service.
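At maturity level 3 one instance and one data store serve every customer, so keeping customers apart becomes a property of the application code, which is where the "Isolation failure" risk from the ENISA list shows up in practice. The following is an added example, not code from the thesis or from Carraro & Chong: it sets an id-only lookup beside a tenant-scoped session and includes a check that reports cross-tenant reads. The tenant names, the table layout and all function and class names are hypothetical.

```python
import sqlite3

# Constructed sample data: two customers (tenants) of one shared SaaS instance.
# Per-tenant configuration metadata gives each customer its own feature set.
TENANT_CONFIG = {
    "acme": {"theme": "blue", "features": {"export"}},
    "globex": {"theme": "green", "features": set()},
}


def build_shared_store():
    """Create the single database that holds every tenant's rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO documents (tenant_id, body) VALUES (?, ?)",
        [
            ("acme", "acme price list"),      # id 1
            ("globex", "globex payroll"),     # id 2
            ("acme", "acme contract draft"),  # id 3
        ],
    )
    db.commit()
    return db


def get_document_unscoped(db, doc_id):
    """Weak form: looks up by record id only, so any caller can read any row."""
    row = db.execute(
        "SELECT body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


class TenantSession:
    """Hardened form: the tenant is fixed when the session is created
    (after authentication) and every query is filtered by it."""

    def __init__(self, db, tenant_id):
        if tenant_id not in TENANT_CONFIG:
            raise PermissionError(f"unknown tenant: {tenant_id!r}")
        self._db = db
        self._tenant_id = tenant_id
        self.config = TENANT_CONFIG[tenant_id]

    def get_document(self, doc_id):
        # The tenant filter comes from the session, never from the request.
        row = self._db.execute(
            "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant_id),
        ).fetchone()
        return row[0] if row else None

    def list_documents(self):
        return self._db.execute(
            "SELECT id, body FROM documents WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()

    def export_documents(self):
        # Feature set is driven by the tenant's configuration metadata.
        if "export" not in self.config["features"]:
            raise PermissionError("export is not enabled for this tenant")
        return [body for _doc_id, body in self.list_documents()]


def cross_tenant_leaks(db, read_as):
    """Return (tenant, doc_id) pairs where read_as(tenant, doc_id) returns
    a row that belongs to a different tenant."""
    owners = db.execute(
        "SELECT id, tenant_id FROM documents ORDER BY id"
    ).fetchall()
    leaks = []
    for tenant in TENANT_CONFIG:
        for doc_id, owner in owners:
            if owner != tenant and read_as(tenant, doc_id) is not None:
                leaks.append((tenant, doc_id))
    return leaks


if __name__ == "__main__":
    store = build_shared_store()
    print("unscoped:", cross_tenant_leaks(
        store, lambda t, d: get_document_unscoped(store, d)))
    print("scoped:  ", cross_tenant_leaks(
        store, lambda t, d: TenantSession(store, t).get_document(d)))
```

A check like `cross_tenant_leaks` is the kind of evidence a client can ask a level 3 or level 4 provider to demonstrate as part of the SLA discussion.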

There are multiple benefits in deploying SaaS but just because you can, does not mean it is right for you. With the economy in a downturn clients are looking for a better solution for their IT issues and be able to make a quick return on their investment. Salesforce.com has listed these benefits to SaaS (which may be biased):

- High Adoption: Applications that are available anywhere from any computer or device
- Lower Initial Costs: Subscription based payments and no license fees
- Painless upgrades: Provider manages all updates and upgrades
- Seamless Integration: Vendors that are multi-tenant architectures can scale indefinitely to meet customers demand

3.5.1 Division of Responsibility in SaaS

In this division of responsibility we will focus on how customers and managers should work within an SaaS environment. The reason for this, according to ENISA, is [...] incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles an[...] The result of this should be a clear understanding of the roles and responsibilities customers and providers have to one another.

Table 3.1 Division of Responsibility in SaaS

3.6 Platform as a Service

PaaS is the layer in between where you not only get access to the software, but also the underlying platform which the software is running on. What is not included is the control of the actual infrastructure that the platform is running on. ENISA defines PaaS as following:

allows customer to develop new applications using APIs deployed and configurable remotely. The platforms offered include development tools, configuration management, deployment platforms. Examples are [...]

There are still different opinions about what PaaS is. It can be seen as a web hotel where a company or individual can develop and deploy a web site and make it available through a web browser. The web hotel provides access to different tools and the possibility to configure the platform, which the web site is running on. The web hotel is usually supporting a set of different web development languages as for example ASP.NET and PHP that can be used to develop the web site. (Whatis.techtarget.com 2008)

PaaS however, mostly offers more configuration possibilities than a web hotel. For example, PaaS can give the possibility to configure and update the operating system (OS) that is used for the platform. Also, more advanced applications than just a web site can be developed and run on the platform. Overall, PaaS is seen as a platform where software can be deployed and configured and made available through a web browser. The application that is made available does not require any installation or the need to download anything to the computer for the user that wants to access it.

The type of applications that can be run on the platform is limited to what OS and development language the PaaS vendor offers. Therefore applications that are developed on a specific platform, as with Force.com that uses Apex as a development language, cannot be moved to another platform because of Apex being specific and limited to the platform by Force.com (Rådmark, 2010). PaaS increases in other words the risk of lock-in if the service provider uses proprietary service interfaces or development languages.

PaaS has some main benefits such as scalability and flexibility, and as mentioned before the developers do not need to worry about the infrastructure and can thus focus on the development. Providers of PaaS have also listed a set of other benefits of PaaS which may be biased. A few that www.salesforce.com lists are:

- Faster results: the need for acquiring and setting up the infrastructure you need to be able to developing software is gone. By signing up for a PaaS you can instantly start with developing the programs you want and get results.
- Lower risk: without the need to build up an infrastructure for the development, the risks are lowered when it comes to investments.
- Lower costs: because of not having to acquire the needed equipment and only pay for what you use, you will be able to lower your costs significantly.
- Simplified deployment: the software developed can be made available instantly through the web.
- No more software upgrades: patching and upgrading of the system is handled by the PaaS provider as well as regular system maintenance.

www.zoho.com lists some as:

- Minimize operational costs: because you only pay for what you use you do not need to worry about servers standing unused and you do not have to worry about maintenance costs.
- Zero infrastructure: the only equipment you need to start using the Cloud is a computer that is hooked up to the Internet.
- Integration with other web services: the Cloud provider will have to have more standardized interfaces to be able to offer a complete interface that can be integrated easily with other web services.

3.6.1 Division of Responsibility in PaaS

In this division of responsibility we will focus on how customers and managers should work within a PaaS environment. The reason for this, according to ENISA, is: With respect to security incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles and responsibilities. The result of this should be a clear understanding of the roles and responsibilities customers and providers have to one another.

Table 3.2 Division of Responsibility in PaaS

3.7 Infrastructure as a Service

Compared to SaaS and PaaS that focus on being as virtual and service oriented as possible, IaaS also focus on computing. Because of the focus on computing, there are people who find IaaS to be true Cloud Computing while the other SaaS are considered Cloud Services. In this thesis we agree on this, but we also consider all three SPIs to be part of the Cloud and Cloud Computing.

ENISA, European Network and Information Security Agency define IaaS as:

Provides virtual machines and other abstract hardware and operating systems which may be controlled through a service API. Examples include Amazon EC2 & S3, Terremark Enterprise Cloud, Windows Live Skydrive

This definition will be used in this thesis to identify security risks and threats with IaaS, and to assess them in the context of clients to determine what clients of Cloud Computing and IaaS should know and expect from their Service Providers (SP) in terms of Service Level Agreement (SLA).

As Cloud Component can be decomposed into the three different SPIs, IaaS can also be decomposed into components. The article The Rise of Service Oriented IT and the Birth of Infrastructure as a Service (Leach 2007) concludes that IaaS consists of three major components:

- Equipment includes
  o Enterprise servers: is a computer system that provides essential service across network, to private users inside a large organization or to public users via internet
  o Storage: comprise computer components and devices that records, saves and store media and data for an organization.
  o Network: is a collection of computers and devices that communicates through channels that facilitates communication among users
  o Security devices: Devices and applications to provide a secure environment for your organization
- Facilities that house, protects and powers equipment
  o Data centers: is a facility used to house computer systems and associated components, such as telecommunications and storage systems. It generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, fire suppression) and security devices.
- Management systems
  o Monitoring systems to manage onsite and offsite

In a more technical aspect, the scalability of IaaS could be said to offer building blocks (Opencrowd.com) on which a client can have a customizable infrastructure. The building blocks are scalable, which means that CPU, memory, storage networking and security (Lew, 2009) can be increased or decreased depending on the pressure of the system and you pay for what you use. Using IaaS as a foundation, you can add the other as a services that are available and keep building on your virtual environment.

Benefits that we have discovered have been found on vendor sites, which could be biased, and more neutral sites focusing on academic articles about Cloud Computing. Benefits associated with IaaS according to GNI.com (2009) are:

- Dynamic scaling
- Usage-based pricing
- Reduced capital and personnel costs
- Access to superior IT resources

The website Clouddb.info Defining Cloud Computing: Part 6 IaaS s the same kind of benefits using similar or the same words as GNI.com. What is interesting is that Clouddb.info includes the perspective of clients when identifying these benefits and clearly seems to think IaaS will be beneficial for clients specifically because of the mentioned benefits. Even though these are great benefits for clients looking for a Cloud based solution, there are also risks associated with IaaS.

3.7.1 Division of Responsibility in IaaS

In this division of responsibility we will focus on how customers and managers should work within an IaaS environment. The reason for this, according to ENISA, is: With respect to security incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles and responsibilities. The result of this should be a clear understanding of the roles and responsibilities customers and providers have to one another.

Table 3.3 Division of Responsibility in IaaS

3.8 Cloud Deployment Models

According to a report made by the Cloud Security Alliance (CSA) that was published in December 2009, there are four different kinds of deployment models when it comes to Cloud Computing. These models are not dependent on what kind of SPI that is deployed in the Cloud. The four different models are described like this by CSA:

- Private Cloud: The Cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off premises. (CSA, 2009)
- Community Cloud: The Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises. (CSA, 2009)
- Public Cloud: The Cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling Cloud services. (CSA, 2009)
- Hybrid Cloud: The Cloud infrastructure is a composition of two or more Clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., Cloud bursting for load-balancing between Clouds). (CSA, 2009)

3.9 Cloud Computing Vendors Model

According to the website Opencrowd.com, there are a few landscape models circling the Internet focusing on showing what vendors have to offer, and so Open Crowd did their own and that is the one we are presenting below to give you an overview of who is offering what kind of service. Since it is vendor based, it is also biased. Open Crowd decided to divide the Cloud into four areas compared to our idea of using only three. The reason for this is that they regard Cloud Software, which they define as:

Cloud software is off-the-shelf software that can be used to create an internal Cloud or in some cases can be used to customize infrastructure services to mold a custom Cloud solution,

to be a part of Cloud Computing services offered by vendors. We decided not to expand our thesis scope when we found out about Cloud Software as the focus of this thesis are towards clients that may or may not move to a Cloud Solution because they lack in-house skills for IT solutions.

Figure 3-3 Cloud Taxonomy Model

3.10 Multi-tenancy

According to Salesforce.com, multi-tenancy is an architectural approach that is a single instance applications but run by multiple tenants. Unlike isolated instances, that are deployed in a silo structure, multi-tenancy is a large community which is hosted by the provider. This could only be practical when the applications are stable, reliable, customizable, secure, and upgradeable which the provider usually handles. It can be viewed in two different perspectives, the client and the provider. The clients could use a public Cloud service or actually be part of the organization that is hosting the Cloud, but would still be part of the infrastructure. The provider view is that multi-tenancy will allow for providers to enable economies of scale, availability, operational efficiency and use of applications to multiple users.

There are three distinct approaches in multi-tenancy and they are separate databases, shared databases separate schemas, shared databases and shared schemas. Each different approach is important to review and it is also critical for an organization to decide which approach is appropriate for them. (Carraro, Chong & Wolter, 2006)

3.10.1 Separate Database

o Separate Database is the simplest approach of Data isolation
o Highest maintenance and backup cost
o Highest hardware costs
o Premium approach for sensitive data (e.g. Medical, or financial information)

3.10.2 Shared Database and Separate Schemas

o Housing multiple tenants in the same database with each tenant having their own set of tables grouped into a schema
o Easy to implement
o Easy to extend database like the first approach, separate databases
o A moderate degree of separation and isolation of data for security
o Harder to restore in an event of a failure
o Restoring the entire database would overwrite every tenant in the same database
o Use this approach when dealing with a relatively small amount of table per tenant

3.10.3 Shared Database and Shared Schemas

o Shared Database and Shared Schemas uses the same Database and Schemas for multiple tenants
o Lowest hardware and backup cost because of large number of tenants
o With multiple tenants will need to put more focus on security to ensure that other tenants cannot access other tenants data even if there is a bug or an attack happens
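The shared database and shared schema approach puts the whole burden of tenant isolation on the application's queries. The following is an added example, not taken from the thesis or from any vendor: it shows a lookup that ignores the tenant next to a tenant-scoped accessor, plus a self-test that tries every foreign record id. The table layout, the names `TenantScope` and `cross_tenant_leaks`, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE records (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    body      TEXT NOT NULL
);
CREATE INDEX records_by_tenant ON records (tenant_id, id);
"""


def build_shared_db():
    """Constructed sample data: two tenants in one database and one schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO tenants VALUES (?, ?)",
                   [(1, "clinic-a"), (2, "bank-b")])
    db.executemany(
        "INSERT INTO records (id, tenant_id, body) VALUES (?, ?, ?)",
        [(10, 1, "patient file"), (11, 1, "lab result"), (20, 2, "account ledger")],
    )
    db.commit()
    return db


def fetch_record_unscoped(db, record_id):
    """Weak form: looks a row up by id only, so any tenant can read any row."""
    row = db.execute("SELECT body FROM records WHERE id = ?",
                     (record_id,)).fetchone()
    return row[0] if row else None


class TenantScope:
    """Hardened form: the tenant id is fixed once from the authenticated
    session and is part of every statement; callers cannot pass another one."""

    def __init__(self, db, session_tenant_id):
        self._db = db
        self._tenant = int(session_tenant_id)
        known = db.execute("SELECT 1 FROM tenants WHERE id = ?",
                           (self._tenant,)).fetchone()
        if known is None:
            raise PermissionError("unknown tenant")

    def fetch(self, record_id):
        row = self._db.execute(
            "SELECT body FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant),
        ).fetchone()
        return row[0] if row else None

    def list_ids(self):
        rows = self._db.execute(
            "SELECT id FROM records WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]

    def update(self, record_id, body):
        cur = self._db.execute(
            "UPDATE records SET body = ? WHERE id = ? AND tenant_id = ?",
            (body, record_id, self._tenant),
        )
        self._db.commit()
        return cur.rowcount  # 0 means the row does not belong to this tenant

    def delete_all(self):
        """Tenant off-boarding: remove this tenant's rows and nobody else's."""
        cur = self._db.execute("DELETE FROM records WHERE tenant_id = ?",
                               (self._tenant,))
        self._db.commit()
        return cur.rowcount


def cross_tenant_leaks(db):
    """Isolation self-test: for each tenant, request every record id in the
    table through TenantScope and report any foreign row that comes back."""
    leaks = []
    owners = dict(db.execute("SELECT id, tenant_id FROM records").fetchall())
    tenant_ids = [t[0] for t in db.execute("SELECT id FROM tenants").fetchall()]
    for tenant_id in tenant_ids:
        scope = TenantScope(db, tenant_id)
        for record_id, owner in owners.items():
            if owner != tenant_id and scope.fetch(record_id) is not None:
                leaks.append((tenant_id, record_id))
    return leaks
```

A check like `cross_tenant_leaks` belongs in the regression suite of a shared-schema service, so that a query added later without the tenant predicate is caught before release.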

3.10.4 Choosing an Approach

Choosing the right approach will be crucial for the organization and there are multiple considerations to take into account when deciding.

- Economics: Applications that are designed for shared approach will have more of a development cost, which will result in high initial cost but might have lower operational costs.
- Security: It is vital to choose the right approach depending on the data requirements and sensitivity of the information. Customers will have a high expectation on security and the SLA between the vendor and the consumer will need to provide strong security practices to ensure that data is secured.
- Tenants: The number of tenants that the client could expect will greatly depend upon which approach the client chooses.
- Regulator: The external environment (e.g. government and laws) will need to be investigated to see how regulations could affect security and record storage needs.
- Skill Set: Single instance multiple tenants is still a new skill set so expertise will be difficult to come by. An isolated approach may allow your staff to use more of its own knowledge for the application.

Going through the above list will help an organization in deciding which type of multi-tenant architecture is best suited for them and their infrastructure.

3.11 Service Level Agreement

A Service Level Agreement (SLA) is in general a legal binding agreement about a service a client is buying from a Service Provider (SP). The agreement is a part of a much bigger contract between two partners that define the purchased service. The levels included are a frame of how the service should be delivered and failure to follow this agreement is usually followed by penalty, which should also be defined in the agreement. According to SLA information zone (SLA-zone, 2009), a regular SLA usually includes:

- Service delivered: describes the services and how they are delivered. This information should be very detailed and accurate so you get information about what exactly is going to be delivered.
- Performance: deals with how monitoring and measuring the service level performance is performed.
- Problem management: how to deal with unplanned incidents and how to solve them, also including how to actively prevent such events.
- Customer duties: explains what relationship the customer and provider has and the responsibilities that the customer has regarding the service delivery process.
- Warrant & remedies: covers topics such as service quality, third party claims, exclusions and force majeure.
- Security: the most critical feature of any SLA, stating which security approaches must be followed and respected.
- Disaster recovery: usually included in the security section and sometimes also in the problem management area.
- Termination: covers topics as for example termination at end of initial term, for convenience, for cause, and payments regarding termination.

The performance levels set in the agreement often measures up to a percentage level and if that level is not met, a response is also decided on. An example of this is in Amazon EC2 SLA where they state the following:

AWS will use commercially reasonable efforts to make Amazon EC2 available with an Annual Uptime Percentage (defined below) of at least 99.95% during the Service Year. In the event Amazon EC2 does not meet the

Creating a good SLA is not a trivial task, but a task that is of utter importance when buying and/or providing services and errors in SLAs could enforce legal penalties.

Web Service Level Agreement

In addition to a regular SLA, there are additional SLAs that deal with different kinds of services. One of these services are Web Service Level Agreement (WSLA) and to a certain point it is very similar to a regular SLA, but since we add technology to the picture, the measurements have to be different. This puts focus onto Quality of Service (QoS) and how this is measured. The WSLA Language Specification, V1.0 (Dan, Frank, Keller, King, Ludwig, 2003) not only include the SLA components mentioned in our SLA part, but also include:

-level and business process level service parameters such as response time and throughput, and measures to be taken in case of deviation and failure to meet the asserted service guarantees, for example, a notification of the service customer.

What IBM indicate, and what others agree to (Patel, Ranabahu & Sheth 2009) is that WSLA needs to focus even more on metrics to measure if the service bought and received measure up to the levels agreed upon. By providing that kind of information, a company can make a statistical analysis to determine the QoS and if the SLA has been breached.

Cloud Service Level Agreement

If we take the two previous SLAs we have mentioned into consideration and compare it to the dynamic and scalable nature of Cloud Computing, significant changes need to be made to the SLA to be aligned with the Cloud environment. While WSLA is closer to the solution than a standardized SLA, and most often, a third party management/monitoring provider more information has to be included in the WSLA. According to Patel et al. (2009) an example of WSLA measures is transactions per hour. When the Cloud services are in use, these measures have to be adapted according to usage, i.e. when the services increases in scale, the measures have to be adapted to that. Patel et al (2009) propose that the parties add these measures to the picture; usage and cost. Because the environment is dynamic, the measures have to be dynamic as well. This is the thinking one has to apply to make a more appropriate SLA for the Cloud Computing environment.
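A client who wants to check a percentage-based performance level independently of the provider can compute it from its own monitoring records, as in the added example below, which is not taken from the thesis or from Amazon. It assumes that the uptime percentage is the share of seconds in the service year not covered by an observed outage (the quoted SLA's own definition is not reproduced above); the probe names, the service year and the outage times are constructed sample data.

```python
from datetime import datetime, timezone
from fractions import Fraction

SLA_TARGET = Fraction("99.95")  # percent per service year, the figure quoted above


def utc(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2009-08-14T02:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data: outages seen by two independent client-side probes.
YEAR_START = utc("2009-06-01T00:00:00Z")
YEAR_END = utc("2010-06-01T00:00:00Z")
OUTAGES = [
    ("probe-a", utc("2009-08-14T02:00:00Z"), utc("2009-08-14T04:30:00Z")),
    ("probe-b", utc("2009-08-14T03:45:00Z"), utc("2009-08-14T05:00:00Z")),  # overlaps probe-a
    ("probe-a", utc("2010-01-03T10:00:00Z"), utc("2010-01-03T11:20:00Z")),
    ("probe-b", utc("2010-05-31T23:30:00Z"), utc("2010-06-01T01:00:00Z")),  # runs past year end
]


def merge_outages(outages, start, end):
    """Clip outages to the service year and merge overlapping reports, so the
    same incident seen by two probes is not counted twice."""
    clipped = sorted(
        (max(s, start), min(e, end))
        for _, s, e in outages
        if e > start and s < end
    )
    merged = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def evaluate_sla(outages, start, end, target=SLA_TARGET):
    """Return downtime, the downtime budget implied by the target, the uptime
    percentage and whether the target was missed. Fractions keep the
    comparison exact when the result sits right at the threshold."""
    total = int((end - start).total_seconds())
    down = sum(int((e - s).total_seconds())
               for s, e in merge_outages(outages, start, end))
    uptime = Fraction(100 * (total - down), total)
    budget = Fraction(total) * (100 - target) / 100
    return {
        "downtime_seconds": down,
        "budget_seconds": int(budget),
        "uptime_percent": float(uptime),
        "breached": uptime < target,
    }


if __name__ == "__main__":
    print(evaluate_sla(OUTAGES, YEAR_START, YEAR_END))
```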

3.12 Risk definition

The top risks we are discussing in this thesis are from the European Network and Information Security Agency (ENISA 2009), Computer Security Alliance (CSA 2010) and National Institute of Standards and Technology (NIST) and they are:

ENISA 2009

- Loss of Governance: The Client ceding control to a Cloud Provider on multiple issues
- Lock In: The difficulty of a customer moving from one Cloud provider to another.
- Isolations Failure: The failure of hardware separating storage, memory, routing and even reputation between different tenants.
- Compliance Risk: Investment in achieving certification may be put at risk by moving to the Cloud.
- Management Interface Compromise: Customers management interfaces of a Public Cloud provider are accessible through the Internet and mediate access to larger sets of resources, which pose an increased risk.
- Data Protection: The ability of the customer to check the data handling practices of the Cloud provider and to ensure that the data is treated in a lawful manner.
- Insecure or incomplete data deletion: Customer requesting that their data is deleted and it is not completely removed or deleted due to duplication.
- Malicious Insider: Damage caused by a person that has access to the Cloud.

CSA 2010

- Abuse and Nefarious Use of Cloud Computing: Easy access and lack of control of who is using Cloud Computing can provide entrance for malicious people
- Insecure Interfaces and APIs: Authentication and reusable access tokens/passwords have to be properly managed or security issues will rise.
- Malicious Insider: Lack of insight at the Cloud employees can trigger risks if employees have malicious intent and access to information he/she should not have.
- Shared Technology Issues: With scalability come shared technology issues since the provider is using their own resources to provide more for the clients during peaks. With sharing technology the risk of hypervisors appear since hypervisors work in between different clients.
- Data Loss and Leakage: Improper deletion or backup of data records can lead to unwanted duplication of data that becomes available when it should not exist
- Account or Service Hijacking: Phishing for credentials to get access to sensitive data
- Unknown Risk Profile: No insight in what the provider do to keep your data safe or doing updates, patches etc.

NIST 2009

- Data dispersal and International Privacy Law
  o EU Data Protection Directive and US Safe Harbor Program
  o Exposure of data to foreign government and data subpoenas
  o Data retention issues
- Need for Isolation Management
- Multi-tenancy
- Logging Challenges
- Data ownership issues
- Quality of Service Guarantees
- Dependence on secure hypervisors
- Attraction to hackers (high value target)
- Security of virtual OSs in the Cloud
- Possibility for massive outages
- Encryption needs for Cloud Computing
  o Encrypting access to the Cloud resource control interface
  o Encrypting administrative access to OS instances
  o Encrypting access to applications
  o Encrypting application data at rest
- Public Cloud vs. internal Cloud security
- Lack of public SaaS version control

If these risks occur in an organization, it will be the operations of the organization that will suffer. Therefore we have concluded that the risk definition we use in this thesis focus on probability. A common probability risk definition is:

(1) Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss, expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event

3.13 Security

Freedom from risk or dang Safe. while information security is defined as

The three principles are the main concerns when dealing with information security and each principle requires different security mechanisms to be able to be enforced. For Cloud Computing to be considered to be secure, these principles are what it has to live up to. The Committee on National Security Systems (2010) defines the three areas as:

Confidentiality

Integrity
In a formal security mode, integrity is interpreted more narrowly to mean protection against u

Availability

To enforce these principles there are different mechanisms that can be applied. The mechanisms are retrieved from a blog called Continuity Disaster Recovery (Phoenix 2010).

Confidentiality is sometimes referred to as privacy and to enforce it you can apply:

- Access control: with access control you can control how and what information users can access. How could be by authentication through passwords and/or biometrics.
- Passwords: password is the basic authentication method and to make it even more secure it can be used alongside smart cards or biometrics.
- Biometric: biometrics concerns the use of humans physical characteristics for identification and authentication. It could be for example fingerprint scanning, retina scanning or face recognition.
- Encryption: by encrypting information from plain text to be unreadable prevents unauthorized users to access information. Encryption is performed through a mathematical algorithm to alter the information.
- Ethics: through policies employees can get the necessary guidance to know how to behave and prevent unethical use of for example an information system.

To maintain the integrity of information you can use:

- Configuration Management: this is how you manage change when it comes to the information technology environment.
- Configuration Audit: this mechanism controls that information that is altered is allowed to be performed. The auditing can be done by monitor log changes either manually or through an automated system.

Availability should always be ensured so the authorized users can access desired information whenever they want. To ensure that data is always kept available and safely stored you should consider:

- Data Backup Plan: to have a plan of how you backup your information is always important. It includes what information is being backed up and at which time interval. This depends on what type of business you run and how often information is altered.
- Disaster Recovery Plan (DRP): this includes the procedures for how a quick backup is performed with minimum impact on the business.
- Business Continuity Plan or Business Resumption Design: this is a part of the DRP and documents of how a business gets back to normal after a disaster has struck.

3.13.1 Security risks tied to information security

Cloud Computing is about availability, that is having access to information whenever and from wherever. Some of the risks presented by ENISA, CSA and NIST are security risks that could compromise this aspect as well as the principles confidentiality and integrity. The risks are listed in the table below together with how they could affect the CIA principles. How the principles could be affected are derived from the report by CSA.

Insecure or incomplete data deletion (ENISA)
  Confidentiality: When a customer requests that certain information should be deleted, copies of the information could still reside somewhere in the Cloud due to backups or some other redundant reason. The risk could be that this information is left unprotected on a hard-drive that is shared with some other company.

Abuse and Nefarious Use of Cloud Computing (CSA)
  Confidentiality: When not having control of who is using the Cloud, by for example providing the possibility to be anonymous when registering for a Cloud service, criminals could get the possibility to exploit Clouds by applying malicious software that can give them access to information they should not have. This is mostly applicable to PaaS and IaaS where customers have the possibility to develop and run software.
  Integrity: If malicious software is executed in the Cloud, it could affect the integrity if the intent is to alter or delete information. If the service does not control the authentication and authorization properly by having weak control mechanisms, there is a risk that information can be affected by unauthorized change or deletion.
  Availability: If there is a lack of control of what kind of software that is being run in the Cloud, the risk of malicious software being run is high and could cause Cloud services going down.

Insecure Interfaces and APIs (CSA) / Management Interface Compromise (ENISA)
  Confidentiality: A weak interface that for example transmit information in clear-text or allows anonymous access lead to that information can be easily acquired by unauthorized users.
  Integrity: If an interface has weak security controls, it could provide access to malicious attackers with the intent to alter or delete information.
  Availability: Interfaces needs to be secure so they can withstand malicious attacks that could compromise the availability of the service.

Malicious Insiders (CSA/ENISA) / Attraction to hackers (NIST)
  Confidentiality: When a Cloud provider hires their Cloud employees, there are matters as hiring standards and practices, as well as how they grant their employees access to virtual and physical assets and if the employees are monitored in their work. If the Cloud provider does not consider these matters important, there could be a big risk that they hire someone that have a criminal intent such as someone that is involved in organized crime and wants to have access to confidential information. The risk is even greater if there are no monitoring processes set up for the Cloud employees.
  Integrity: If a Cloud provider has employed persons with a criminal intent, such as hackers or people involved in organized crime, because of poor hiring standards and practices, important information could be changed or deleted.
  Availability: People with a malicious intent that are working at a Cloud provider could cause the service to go down.

Shared Technology Issues (CSA) / Isolations Failure (ENISA) / Dependence on secure hypervisors (NIST) / Multi-tenancy (NIST)
  Confidentiality: By sharing the same infrastructure there is a risk that the multi-tenant architecture fails to isolate the information so that customers get access to each information. This could happen in the way that a guest operating system user gains inappropriate levels of control and access that are granted from a hypervisor.
  Integrity: If a hypervisor that controls the virtualization of the infrastructure fails to control the levels of authorization of users in the Cloud, users could get an inappropriate level of control that could lead to alteration or deletion of information.

Data Loss and Leakage (CSA)
  Confidentiality: Leakage of data is a risk for that unauthorized users gets hold of sensitive information.
  Integrity: Loss of data is a risk that directly impacts the integrity.
  Availability: For data to be available it cannot in any way be lost.

Account or Service Hijacking (CSA)
  Confidentiality: By using attacks such as phishing or exploitation of software, credentials could be acquired that can be used for getting access to sensitive information.
  Integrity: If an unauthorized party gets hold of credentials by for example phishing, information runs a risk of being changed or deleted by that party.
  Availability: If an account gets hijacked, there is a risk that the service availability can get compromised.

Encryption needs for Cloud Computing (NIST)
  Confidentiality: The need to encrypt information is very important when it comes to Cloud due to the use of the services through Internet. When running an IT infrastructure in-house, the need to encrypt transmitted information is not as important as encrypting the hard-drives and databases. But by using a Cloud service, everything needs to be encrypted to ensure safety, both the transmitting and storing of information.
  Integrity: Information that is not encrypted when it is transmitted can easily be altered so the message that is received does not correspond to the original message.

Table 3.4 Security Risks tied to Information Security

3.14 Trust

Reading through security aspects regarding Cloud Computing and reviewing information regarding how the service is provided along with SLAs that defines how the service should be supplied, we have concluded that trust and authority is a vital issue in Cloud Computing security. In this chapter we will present what trust is considered to be from a psychology perspective (social science) and how one can systematically look at trust. We will use material from the Influence The Psychology of Persuasion by Robert B. Cialdini (Cialdini 2007) a computational trust model theory by Lik Mui (Mui 2002) and trust definitions from Wikipedia and James S. Coleman's Foundations of Social Theory to describe trust.

According to Coleman, which is also available on Wikipedia, trust is built up by four parts (Wikipedia 2010):

1. Placement of trust allows actions that otherwise are not possible (i.e. trust allows actions to be conducted based on incomplete information on the case in hand).
2. If the person in whom trust is placed (trustee) is trustworthy, then the trustor will be better off than if he or she had not trusted. Conversely, if the trustee is not trustworthy, then the trustor will be worse off than if he or she had not trusted (this is reminiscent of the classical prisoner's dilemma).
3. Trust is an action that involves a voluntary transfer of resources (physical, financial, intellectual, or temporal) from the truster to the trustee with no real commitment from the trustee (again prisoner's dilemma).
4. A time lag exists between the extension of trust and the result of the trusting behavior.

Another definition of trust is by Gambetta (1988):

that another agent or group of agents will perform a particular action, both before he can monitor such action (or independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action

Basically these two definitions from Coleman and Gambetta states that trust is the possibility for e.g. a person or company to live up to the bargain set in e.g. a SLA. The next step is to present different versions of trust such as authority, reputation and confidence.

In his book, Cialdini (Cialdini 2007) talks about influence and discusses click and whirr set off by a trigger feature. Click and whirr is his term for humans automatic responses due to a specific trigger feature, e.g. expensive equals good. In essence, this click & whirr effect provides a shortcut in our daily lives. when a brain strain we use a rule of thumb when we are unsure and because we cannot know everything about everything.

Cialdini talks about influences and most importantly, authority, and the negligence to question the authority. In the authority chapter Cialdini cites different studies done and they vary from people giving out electrical shocks that cause pain, medical employees using the wrong dosage and military train operators running people over because someone higher than them in the perceived or real hierarchy told them this is how it is. rt and other personal items and characteristics.

Another shape of trust is confidence which in social science is considered to be easier to measure as trust itself is viewed as a mental state and confidence reflects actions around that trust. Since trust is considered a mental state, it is hard to evaluate trust. Mui (Mui 2002) proposes a more mathematical approach to solve this approach will not be discussed in detail other than comparing how a mathematical, or systematical, approach differs from a mental one. In his work

he presents that trust is connected with reputation and reciprocity. Reputation and reciprocity is the product of social networks and norms where the reputation is:

Reputation is a social quantity calculated based on actions by a given agent ai and observations made by others in ai resides ai of trust that others have toward it. (Granovetter, 1985)

Reciprocity is according to both Cialdini and Mui a social norm that is created through trust and interactions. Reciprocity is the act where debt is created and repaid through genuine actions. Following this norm is of essence to create trust and a positive reputation.

Figure 3.5 Reputation - Trust - Reciprocity > Net Benefit (Mui, 2002)

The model above depicts how reputation, trust and reciprocity works together and creates net benefit for those involved. The reason for having this part in our thesis is because one way of avoiding a serious pitfall caused by trust is to understand this process and what the net benefit is created for the counterpart a person interact with, i.e. what does the person/company I interact with get from me for trusting him/her/them.

The danger of psychological trust is that it is a mental state, and not systematically conducted but rather obtained through communications networks and inner evaluation. In the beginning of this section, it is stated that trust is considered to be very important in Cloud Computing security and that we would like to see how people we interview evaluate trust, or even if they consider trust to be important for that matter. In the interviews we would like to see how people view trust in regarding Cloud Computing to understand if they use a systematical (fact based) or internal (mental based) method. This will be discussed further in the analysis when we add raw data to the picture. In the analysis we will present our findings, connect it with Cloud Computing security risks and discuss what kind of pitfalls have been found and how to prevent them.

In inductive research you do it the other way around.4 Research Questions The research questions that we have decided upon reflects what we think is most important to research in. The term Cloud Computing is rather new so we think that the inductive approach suits best for our research. we decided to investigate the associated security risks. The research focused on risk assessment on three different kinds of SPI: Software as a service Platform as a Service Infrastructure as a Service The risk assessment will also look into Service Level Agreement (SLA) from major Cloud Computing companies: Google Microsoft Amazon During the research a critical review of the researched subject was performed from a client perspective and its associated risks. One of our strong opinions is that Cloud Computing is consisting of old technology products and services offered to clients in a new way. To answer our research questions we take an inductive approach by gathering data to then formulate a theoretical framework. You go out in the world and gather data. and not to generalize our findings to any particular setting. In Saunders et al. These questions have also been selected as we strongly think we can contribute to the field of Cloud Computing if we answer them properly and underline what the next area of study should be to make Cloud Computing more mature. Because of this opinion. If it is necessary. The purpose of our research is to contribute more to the understanding of what to think about and take into consideration when it comes to Cloud Computing. Due to this assumption about Cloud Computing.1 Method Research approach When doing deductive research you start with creating a hypothesis and test it by gathering data and examine it. both to help identifying the problems and/or solve them as we reflected on them in our problem paragraph. 
This research was conducted because of the new phenomenon called Cloud Computing is assumed to become a future solution to modern information technology (IT) problems. how can clients avoid security risks associated with trust? 5 5. IaaS) in Cloud Computing? o What should clients expect from Service Providers in the SLA regarding Cloud Computing? What possible trust issues are associated with security risks in Cloud Computing and SLA? o If so. What are the major security risks for clients using SPIs (SaaS. PaaS. we felt it wise to use an exploratory approach to gather the empirical information 33 . rather than being something brand new. induction emphasizes collection of qualitative data and is less concerned with the need to generalize. We have tried to gather as much information as we can about security issues and service level agreements. and from the data you formulate a theory. the theory is modified so it matches the findings better. (2007). Our perspective on Cloud Computing is that it consists of old technology. and through qualitative interviews with experts to get a more professional view of the problem.

secondary data. The methods we are going to focus on in this thesis are: Secondary literature study Interviewing experts in the field In the following paragraphs we will cover secondary and primary data that we will use to draw conclusions from regarding Cloud Computing security risks and SLAs from a client perspective. we have decided to focus on literature. which in our opinion are Google. Microsoft and Amazon. articles and other publications that share our opinion. Searching literature regarding Cloud Computing By focusing on Cloud Computing as being derived from old technology. The sources for information we will use are: Cloud Computing vendors SLAs We will look into the major vendors on the field of Cloud Computing. to explain a new phenomenon or bring an understanding to a specific topic.e.we need for this thesis. we think a qualitative focus can give us deeper knowledge and therefore be more appropriate for us. The interviews were semi-structured to create discussions instead of direct questions with a yes or no response since we consider qualitative information to be valuable to our research than quantitative. The exploratory approach enables us to focus on finding new insights and understanding this phenomenon called Cloud Computing. We have also spent time reviewing literature that contradicts our old technology perspective but after extensive reading we have concluded that such articles are not of importance to us. Since we are focusing on security we will also look at their security policies to see if they are coherent in their overall security policy towards a client. As opposed to a descriptive study. Criteria for which we decide is appropriate to use as a source of knowledge are: o Working with IT on a management level o Are currently supplying and/or buying IT services o Are involved with Cloud Computing and/or related technology (ex: Software as a service. When we review their SLAs we will focus on issues dealing with security. 
Exploratory approach is about investigating previously studied material i. and explanatory study. Literature sources that we have reviewed are: Magazines Books Articles and publications Blogs Interviewing experts in the field We will focus on interviewing people with knowledge and experience in the field of IT. Platform as a service and/or infrastructure as a service) 34 . which we find inadequate because of a too narrow focus and because it is seen as a forerunner to exploratory research. which focus too much on quantitative data.

You can never know if your results are completely correct.2. if the observations would be accomplished in the same way if others would do it. This creates a problem in how to evaluate the information that we have acquired in a neutral way.1 Reliability In Saunders et al. but it is our opinion that the secondary literatures we have reviewed are sufficient for our research.2 Credibility In Saunders et al. 5. Experts in the field: Besides secondary literature we will also interview experts in the field that fits to the requirements we have stated earlier. Interviewing vendors of Cloud Computing could provide an optimistic version of Cloud Computing where as an expert that is a client of Cloud Computing could project a skewed image of Cloud Computing. Since we are focusing on researching security risks for clients using Cloud Computing. The danger of interviews is biased opinions. reliability the extent to which your data collection techniques or analysis procedures will yield consistent findings So reliability is concerned with if the same results would be reached if the research was done at another time. and then compare the data against results from interviews conducted with experts in the field. unclear or misleading. The validity of the data in this thesis is relying on recently published material within the area of Cloud Computing and by gathering information from experts in the field. 5. (2007) it is argued that having a good research design is very important if the research shall live up to a good credibility. (2007). it will be collected from several different reliable sources. To make the data in this thesis reliable.2 Validity Validity is in Saunders et al. but aiming for having a good reliability and validity will increase the chances that the findings will be credible. we have concluded that there will be factors that can make our gathered data biased. and if the conclusions made from the results are transparent. 
such as established agencies and institutes. The factors that we have discovered are: Secondary literature: Since we are focusing on reviewing secondary literature about the different kinds of SPIs. there is a chance that we could miss new information.5. 35 . To further increase the validity of our findings we will send the summaries we made from the interviews to the interviewees to get a confirmation that the information we got out from the interviews are valid.2. (2007) concerned with whether the findings are really about what they appear to be about .

5.3 Interview questions

The questions that we have decided to use for our semi-structured interviews are a combination of questions that cover topics directly related to our research questions. Overall, the questions can be divided into groups, where some focus directly on our research questions and others are included to create a discussion around a specific topic, indirectly giving us new information to use when we answer our research questions. The questions can also give us new insights into what the research questions could mean and/or how we should analyze them to make an appropriate contribution. The questions in the interviews also helped us to expand our perspective on Cloud Computing, as we have added questions to the first list we made, and thus we had to get back to some of the people we interviewed to get some more answers. Finally, the questions that we have chosen have helped us to compare that information with the information we have gathered from secondary sources. The interview questions can be found in Appendix 1.

5.4 Analysis Method

The method we used in the analysis was comparing the concepts that we present in our theoretical framework with the results in the empirical findings. For the analysis we also used Table 3.4, constructed from secondary data. The combination of the secondary data and the primary raw data is analyzed by comparing them and putting them in the context of our research questions. This has helped us to do a thorough analysis and discover new areas that could be studied in the future.

He talks about trust being essential when you consider accountability. For the SLA. worst case scenario should be covered in the SLA. and the argument is that they cannot really affect it anyway because of it being a standard agreement which they use for their customers as well. In this section we will present our results regarding security risks and SLA.1 IT-Consultant Interview Summary Quite early in the interview the issue with risk assessment becomes apparent. terminology. From the interview we drew out three security risks: Hacker syndicates that are working solely with stealing information To not have control Quality of service 37 . He says that it is important to state what security really means because of the naivety regarding security among companies. and that you should aim for a long-term relationship. he states that availability. Regarding security risks he raises the issue of not having control when it comes to maintenance and troubleshooting. If companies manage to apply good understanding to that issue. how data is encrypted) are very important to include in the SLA. Security. they add value to their service for the customer. Also. 6. He says that Cloud providers will probably become experts in the security area.6 Empirical Findings From the interviews we have summarized the most relevant parts that we are going to use for our analysis. and communication if something goes wrong (customer service). together with how you can exit the Cloud. where the IT-Consultant work they do not review the SLA. which we will also use in the analysis part.g. processes and routines for security (e. However. He also mentions that there are also benefits with the Cloud. as with getting rid of the security risk with running around with a USB flash memory which could be dropped or stolen. and the possibility to integrate with other systems when using the Cloud is his top three concerns.

The CEO does view physical security issues (e. for example that they should think about not using weak passwords.2 Senior Business Consultant Interview Summary During the interview it became apparent that the characteristics that the senior business consultant had found with Cloud Computing were flexibility. He says that companies that are considering to move in to the Cloud needs to evaluate where it is more secure to store their information.4 Computer Consultant Interview Summary The possibilities of integration with the Cloud were something that the computer consultant was emphasizing together with the importance of accessibility. laptop. As for accountability. He brings up the security issues with the physical vulnerability with laptops and cell phones. For this interview there were some question left out because he did not feel that he could answer them. cell phones. These characteristics were also seen when we discussed areas of Cloud Computing that the company could be interested in or what the benefits with Cloud Computing was perceived to be. an issue about what laws exists for the protection of data when it is stored in different geographic locations were raised. The consultant perceived the Cloud to be to unsafe to use for more than basic processes to save money and this was to be placed in a private Cloud. For him who travels frequently he needs to have the information locally stored at his laptop to be able have access to it whenever he wants. USB memories) more important than the actual security issues with Cloud Computing.g. To be proactive he says that you have to educate your employees when it comes to security. for example if their company was currently looking for any Cloud solutions. and if they do. that you get notified about everything bad that happens? From the interview we have drawn out three security risks that we are going to use for the analysis: Data protection and laws Backups Log files 38 . 
the need for storing it locally becomes less important. As for the SLA part. scalability and accessibility. When the subject touched upon what processes the person could consider to move to the Cloud the conclusion was that the Cloud enables multiple possibilities. Also. maybe through a SLA. But as the connectivity gets better and better. After asking our questions we had a general discussion about security regarding the Cloud. Regarding accountability he says that it is impossible to solve at the moment. the suggestion was to create an understanding of how providers can work together with the customer.3 CEO Interview Summary The top concerns with Cloud according to the CEO were trust and accessibility. The security issues that the senior business consultant mentioned were: Multi-tenancy Stability of Supplier Long term focus 6. The three aspects you have to think about when it comes to security risks are: Trust Intellectual Property Legislation 6. so to trust the Cloud provider is the only option.6. From the discussion. how can you be sure that the Cloud provider is logging everything. it was considered very important and multiple hours was spent on getting it right as the company could not think of acceptable loss to be part of the evaluation of the provider.

g. In the context of trust the CIO used personal networks and references before doing a systematic review of the company to see if the particular provider met the requirements before signing an agreement. The top three security risks the CIO mentioned where: Other companies can access our information Uptime dependent on the provider Backup 6. As their systems and business could not suffer from downtime or lose data. The reason for considering Cloud Computing for mainstream processes was because of the concerns with security. the parts of the SLA to employed lawyers and the IT departments to review it to ensure that the document met the requirements of the organization.4. The interviewee also stated that trust is very important. they could not evaluate a provider from a loss perspective. The processes that the CIO thought were ok to move to the Cloud were the basic office processes e. the intellectual property and finally security. If a provider could not supply what they needed.4.1 CIO I Inte rview Summa ry It became apparent quite early that the CIO considered Cloud Computing to be interesting as a tool for becoming efficient and to be used as a cost saver.6. SLAs and if the vendor would notify the company if something would happen to the service that the organization was paying for. they moved on.2 CIO II Inte rview Summa ry The interviewee first stated that the term Cloud Computing was a Cloudy term in itself and was a hyped up market term. ression of Cloud Computing was that it seemed suitable for mainstream processes and cost savings. Multi-tenancy Intellectual property Communication with provider   39 . The big risks that were stated during the interview were the actual integration of the different Clouds and the individual business units. The CIO did not like the idea to move core processes to the Cloud as it was too valuable and sensitive for the company. 
As for SLA issues the CIO deemed it very important to control and review each of them and integrate them into the IT departments every-daybusiness. if someone else do it for them it meant they would need a smaller IT department. email. uptime and backup. They stated that they evaluate different vendors that fit their requirements and it was very important to have face to face meetings to gain a relationship between the organizations. Another concern with Cloud Computing was stealing information.

6.5 Security Risks

In this paragraph we will present the security risks we have found during our research. The security risks are from ENISA, CSA, NIST and interviews with experts. In this list we have compiled the security related risks from the overall risk lists we have reviewed. Some of the risks we have found are similar, just written in different words, which is why some of them have been given a tag to identify their specific kind of risk, e.g. Malevolence or Interface. In this list we also state where the risks have been identified. The main reason for this list is to help us in the analysis when we are answering our first research question and to contribute to the field of study by listing security risks specifically instead of general risks: What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud Computing?

6.5.1 Security Risk List

- Abuse and Nefarious Use of Cloud Computing (CSA/Experts)
- Interface
  o Insecure Interfaces and APIs (CSA)
  o Management Interface Compromise (ENISA)
- Malevolence
  o Malicious Insiders (CSA/ENISA/Experts)
  o Attraction to hackers (NIST)
- Isolation Failure
  o Isolation Failure (ENISA)
  o Shared Technology (CSA)
  o Dependency on secure hypervisors (NIST/Experts)
  o Multi-tenancy (NIST/Experts)
- Encryption needs for Cloud Computing (NIST)
- Data Loss or Leakage (CSA/Experts)
- Account or Service Hijacking (CSA)
- Unknown Risks Profile (CSA/Experts)
- Insecure or incomplete data deletion (ENISA/Experts)

6.6 SLA summaries

6.6.1 Amazon

Amazon's Cloud system is called EC2 and it provides resizable capacity in the Cloud. According to Amazon the EC2 includes:

- Interfaces to configure firewall settings
- Selectable IP range that will connect to the existing infrastructure using encrypted IPSec VPN

Their service comment states that they are not responsible for any factor outside of their control. EC2 has a clause that removes their accountability for anything that happens in the Cloud if it is caused by you or any third party, and for anything arising from equipment that is not theirs. If EC2 is not up for the stated uptime, which is 99.95%, it is upon the customer to monitor this and report to Amazon. If Amazon does find itself at fault they will issue a credit back to the customer, but it is up to the customer to monitor the uptime for the whole year. We view that the SLA states that Amazon is not liable for anything that happens as soon as the customer accesses the Cloud or decides to put an application on there.

6.6.2 Microsoft

Microsoft Azure which is a platform with Azure as the OS operating in the platform environment. On this platform, which Microsoft runs through its datacenters, the customers should be able to have applications and tools for building applications. In the SLAs (Microsoft 2010) they specify what they are providing and what will happen if they do not provide it, how they calculate the bill and in what situations they are not responsible. If the service does not follow the uptime directives, Microsoft follows a credit system which governs how much the customer should pay even if the service percentage is not met. The different Cloud services that Microsoft offers are not connected when billing is calculated or service credits are given. In essence Microsoft puts a lot of responsibility on the customer, which means a lot of the possible errors that could occur are in the hands of the customer.

6.6.3 Google

Apps and Docs. Google Docs is web based word processing, presentation, spreadsheet and form applications. Google Apps has some different editions, where the Standard Edition is free to use and has a limited amount of storage, while the Premium Edition offers more storage for a fee. There is also an Educational Edition which is also free and combines functions from the Premium and Standard Edition.

In the SLA, Google promises an uptime of 99.9 %, but if that uptime is not met, the customer receives credits in the form of free days for using the service. For example, if the uptime goes down to less than 99 % but still more than 95 %, seven days of service is added to the end of the service term at no charge. The service credits added cannot exceed fifteen days per month and they cannot be converted to monetary amounts. However, the customer has to notify Google about the downtime within thirty days, or else the customer will not receive any service credits. Google states that they have scheduled downtime where the service will go down for a period of time. The customer will be notified about it five days prior to the downtime, and that scheduled downtime will not exceed twelve hours per calendar year. Scheduled downtime is furthermore not considered as regular downtime periods and will not affect the uptime percentage. Google disaffiliates themselves from performance issues that are caused by factors that is outside (Google, 2009).

6.6.3.1 Google App Engine

Cloud environment in the platform as a service m servers using development languages as Java and Python. As it should be with a Cloud service, you only pay for what you use and there are no installation costs and no other recurring fees. You are billed by consumption regarding storage and bandwidth (measured by gigabyte). If you have a specific budget you have to follow, you can control the maximum amount of usage by setting a limit. However, Google App Engine lacks a service level agreement. The only thing you can find online is terms of service. In other words, Google has not stated a certain uptime percentage, so you are not guaranteed payback if the service goes down (Jackson, 2010).
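The SLA summaries above leave uptime monitoring and timely claims to the customer, so the following added example (not code from the thesis or from any provider) shows customer-side bookkeeping for the Google Apps terms quoted in section 6.6.3. The figures come from the text; measuring against the full calendar month, counting the thirty days from the end of the last outage, and the sample outage data are assumptions made for this sketch.

```python
"""Customer-side SLA bookkeeping for the Google Apps terms summarised in 6.6.3."""
from datetime import datetime, timedelta

PROMISED_UPTIME = 99.9                    # percent, from the SLA summary
CLAIM_WINDOW = timedelta(days=30)         # notify within thirty days
MAX_CREDIT_DAYS_PER_MONTH = 15            # cap on service credits
SCHEDULED_CAP = timedelta(hours=12)       # scheduled downtime per calendar year
SCHEDULED_NOTICE = timedelta(days=5)      # advance notice for scheduled downtime


def merge(intervals):
    """Merge overlapping (start, end) pairs so no second is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def clip(intervals, lo, hi):
    """Keep only the part of each interval that lies inside [lo, hi)."""
    return [(max(s, lo), min(e, hi)) for s, e in intervals if s < hi and e > lo]


def overlap(a, b):
    """Total time covered by both of two merged interval lists."""
    total = timedelta()
    for s1, e1 in a:
        for s2, e2 in b:
            if s1 < e2 and s2 < e1:
                total += min(e1, e2) - max(s1, s2)
    return total


def monthly_uptime(outages, scheduled, month_start, month_end):
    """Uptime percentage; scheduled downtime does not count against it.
    Assumption: the percentage is measured over the full calendar month."""
    down = merge(clip(outages, month_start, month_end))
    planned = merge(clip([(w["start"], w["end"]) for w in scheduled],
                         month_start, month_end))
    raw = sum((e - s for s, e in down), timedelta())
    unscheduled = raw - overlap(down, planned)
    return 100.0 * (1 - unscheduled / (month_end - month_start))


def credit_days(uptime):
    """Free service days owed. Only the tier quoted in the text is encoded."""
    if uptime >= PROMISED_UPTIME:
        return 0
    if 95.0 < uptime < 99.0:
        return min(7, MAX_CREDIT_DAYS_PER_MONTH)
    return None  # promise missed, but the text quotes no figure for this range


def claim_deadline(outages, month_start, month_end):
    """Latest time to notify the provider.
    Assumption: the thirty days run from the end of the last outage."""
    ends = [e for _, e in clip(outages, month_start, month_end)]
    return max(ends) + CLAIM_WINDOW if ends else None


def scheduled_violations(windows, year):
    """Check announced maintenance against the 12 h/year cap and 5-day notice."""
    issues = []
    in_year = [w for w in windows if w["start"].year == year]
    total = sum((w["end"] - w["start"] for w in in_year), timedelta())
    if total > SCHEDULED_CAP:
        issues.append(f"scheduled downtime {total} exceeds the 12 h cap")
    for w in in_year:
        if w["start"] - w["announced"] < SCHEDULED_NOTICE:
            issues.append(f"window {w['start']:%Y-%m-%d} announced under 5 days ahead")
    return issues


# Constructed sample data: outages the customer's own probes recorded in June 2010.
JUNE_START, JUNE_END = datetime(2010, 6, 1), datetime(2010, 7, 1)
OUTAGES = [
    (datetime(2010, 6, 3, 2), datetime(2010, 6, 3, 14)),    # 12 h, unannounced
    (datetime(2010, 6, 18, 9), datetime(2010, 6, 18, 15)),  # 6 h, partly planned
]
SCHEDULED = [
    {"announced": datetime(2010, 6, 10),
     "start": datetime(2010, 6, 18, 10), "end": datetime(2010, 6, 18, 12)},
]

if __name__ == "__main__":
    pct = monthly_uptime(OUTAGES, SCHEDULED, JUNE_START, JUNE_END)
    print(f"uptime {pct:.3f} %, credit days {credit_days(pct)}")
    print("notify provider by", claim_deadline(OUTAGES, JUNE_START, JUNE_END))
    print("scheduled-downtime issues:", scheduled_violations(SCHEDULED, 2010))
```
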

6.7 Security Risks

Table 6.1 presents the security risks that we have found from NIST, CSA, or ENISA. The security risks column describes the risks and also which organization we found them from. The Impact column describes how the risk can affect the organization. The SPI model columns reveal what domain it affects. As you can see, most of the risks actually concern all the domains, but there are a few that only affect one or two SPIs. The countermeasure column describes some steps that the organization can take to help minimize the security risks. The countermeasures that are stated are directly gathered from CSA, NIST, and ENISA. It is also important to state that there are plenty of countermeasures that can actually be implemented by having certain clauses in the SLA, as in demanding providers wipe persistent media before it is released and conducting vulnerability scans.

Most of the risks that we found come from CSA, but NIST and ENISA also state similar security risks and we have added them into the chart. We have grouped together certain security risks due to the fact that they are very similar. The definitions of the different security risks in the isolation group are below:

- Shared technologies: Hypervisors having flaws that allow guest operating systems to gain inappropriate levels of control or influence on the underlying infrastructure (CSA)
- Isolation Failure: Failure of mechanisms separating storage, memory, routing, and even reputations between different tenants (ENISA)
- Dependence on Secure Hypervisor: An organization's dependence on a reliable and secure hypervisor (NIST)
- Multi-tenancy: The multiple organizations that have access to the infrastructure and the ability of the different organizations to view others' data or control the infrastructure (NIST)

1 Security Risks 44 . The information that is not completely deleted could still reside in insecure locations. or even internal security) when deciding to invest in the Cloud. and Availability. IaaS PaaS SaaS Unknown Risks Profile (CSA) Customers often leave certain areas overlooked (e. Integrity. The data could have competitive or financial information that is vital to maintain a competitive edge or can lead to compliance violations and legal ramifications. SPI Models IaaS PaaS Countermeasures Stricter Initial registration and validation process Enhanced credit card fraud monitoring and coordination Extensive monitoring of customer network traffic network Analyze the security model of the provider Ensure strong authentication and access controls are implemented along with encrypted transmissions Understand the dependency chain associated with the API Enforce strict supply chain management and conduct a comprehensive supplier assessment Require transparency into overall information security and management practices Determine security breach notification processes Implement security best practices for installation and configuration Monitor environment for unauthorized changes/activity Strong authentication and access control for administrative access and operations Enforce SLAs for patches and vulnerability Conduct vulnerability scanning and configuration audits Insecure Interfaces (CSA) Management Interface Compromise (ENISA) Depending on a weak set of interfaces and applications exposes the organization to multiple set of security risks related to Confidential. 
IaaS PaaS SaaS Isolation Failure Group Shared Technology Issues (CSA) Isolation Failure (ENISA) Dependence on secure hypervisor (NIST/Experts) Multi-tenancy (NIST/Experts) Data Loss or Leakage (CSA/Experts) IaaS Data that is lost or leaked can have different impacts on the organization.Security Risks Abuse and Nefarious use of Cloud Computing (CSA/Experts) Impact Due to weak registration systems allow anonymity and providers fraud detection capabilities are limited so criminals can use this to expand their reach and improve their effectiveness. Human element is a vital issue when employing services in the Cloud so it is of vital importance that the customer understand what the provider are going to do to detect and defend against malicious insider.g. Disk Partitions. how is the data or related logs stored. storage and management. IaaS PaaS SaaS Malicious Insiders (CSA/ENISA/Experts) Attraction to Hackers (NIST) Malicious insiders can impact an organization is related directly with their level in the organizations and their ability to infiltrate. PaaS SaaS Account or Service Hijacking (CSA) Hackers that have stolen credentials can access critical areas of a deployed Cloud which will endanger the organization. IaaS.g. Account or Service Hijacking remains a top threat to Cloud Computing. It may be impossible to fully delete information since full data deletion is only possible by destroying the hard drive that might be shared by multiple organizations. 
and destruction practices Demand providers wipe persistent media before it is released Demand providers backup and retention strategies Prohibit the sharing of account credentials between users and services Use two strong factor authentication techniques Employ proactive monitoring to detect unauthorized activity Understand the providers security policies and SLAs Disclosure of applicable logs and data Partial/full disclosure of infrastructure details Monitoring and alerting on necessary information Ensure that the provider has effective encryption Table 6. what information will the provider disclose in an event of a security event. Hackers will attempt to gain access to shared elements (e. CPU Caches and GPUs) because of the fact that they were never designed for strong compartmentalization. IaaS PaaS SaaS IaaS PaaS SaaS Insecure or Incomplete Data Deletion (ENISA/Experts) Strong API access control Encrypt data in transit Analyzes data protection at both design and runtimes Strong key generation.

that vendor would have no business and be bankrupt. 7.7 Analysis In this paragraph we will present data obtained through semi-structured interviews conducted with what we deem to be experts in the field. We had different types of responses when we asked if the organization reviewed SLAs. The column of trust was to see how the company gained trust in a specific vendor and what they did to see if that vendor was right for their company. The top three security risks allowed for us to see what the organization saw as a security risk dealing with Cloud Computing and was vital for their business. Table 6. Also. We view that the most surprising point was the fact that organization never reviewed the SLA and expected things to work. The next column is the Security Risks that are evaluated directly from the interview. and if they did. The interview with the senior business consultant directly stated multi-tenancy to be a security threat. No organization actually systematically evaluated trust from the start. and from them we have selected those risks that are considered to be security risks. or NIST. Five out of six of the companies viewed that Isolation failure group was the most important security risk.2 describes what the different interviewees said that and how the organizations view the concept of Cloud Computing. . As we reviewed the interviews we clearly related them to risks that were stated by CSA. which could have influenced what company they decided to systematically review. Instead reputation was often used. CIO I stated who can access our data as a security risks which is related to the hypervisor being able to keep the data separate for each organization. The column Top Three Concerns displays the concerns that organizations have with Cloud Computing and it is important to note that most of the interviewees said that security was one of the top three concerns dealing with Cloud Computing. 45 . 
The Senior organization that actually wrote their own SLAs and reviewed the vendor s SLA closely to ensure that the SLA covers the areas that they thought was important. The CEO stated if a certain vendor had a horrible SLA. ENISA. This data will be compared and analyzed together with concepts and models from our theoretical framework to evaluate the security risk we have found in the secondary literature study together with the new information from our primary interview study.1 Major security risks within Cloud Computing From our empirical study we have found different risks with Cloud Computing. what part did that organization focus on.

Dependence on secure hypervisor (NIST). NIST) Senior Business Consultant Security Flexible SLA Security Backup Uptime Yes and they write their own CIO Distribute SLAs to employees for a better understanding N/A Computer Consultant Security Connectivity Integration between service CEO Trust Accessibility CIO Interruptions of service control Stealing information SLAs Trust Intellectual Property Legislation Integration between different Clouds and business units Intellectual property of data Security No and they just expect things to work Yes extensively. NIST) Unknown Risks Profile (CSA) Malicious Insiders (CSA. CSA. NIST) Table 6. Isolation Failure (ENISA). Multi-tenancy (NIST) 46 . CSA. NIST) Isolation Failure* (ENISA. and they send parts to lawyers and IT department to compare to our requirements Best practices References Reputation References Size history reputation performance Data Loss or Leakage (CSA) Isolation Failure* (ENISA.2 Interview Security Risk Analysis *Isolation Failure describes a group of security risks that include Shared Technology Issues (CSA). CSA.Interview IT Consultant Top Three Concerns Security Uptime Multi-tenancy Risk Loss of Governance Communication Maintenance Security Flexible SLA Other companies accessing data Uptime Backup Data protection and laws Backups Log files Review SLAs Not extensively Trust References Thorough review of the company Reference Company history Friends in similar field of work Company history Review Companies history References Security Risks Insecure or Incomplete Data Deletion Isolation Failure* (ENISA. ENISA) Abuse and Nefarious use of Cloud Computing (CSA) Isolation Failure* (ENISA. CSA. CSA. NIST) Data Loss or Leakage (CSA Isolation Failure* (ENISA.

There are countermeasures for this specific security risk and they should be clearly stated in the SLA. Multi-tenancy could be directly related to dependence on secure hypervisor because the hypervisor is the program that separates the data and ensures that the different organizations data remains separated. s to ensure that the Isolation failure group of security risks are included in the SLA. Another countermeasure that could be stated is that patches and vulnerability will be enforced and clearly stated in the SLA. The Isolation Failure group only affects the IaaS domain and we consider that domain to be most vulnerable or insecure at the moment. According to ENISA. 47 .1.3 Security Risks from Interviews Ranks 5 2 1 1 1 1 From our interviews that we conducted we have found that the Isolation Failure Group (Shared Technology Issues. 7. which is very interesting. The SLA is vital for an agreement in between multiple organizations but it is critical to review what is actually in the document due to ther company being secure and reliable.The ranking of all security risks that we have gathered from the interviews are below Security Risks from Interviews Isolation Failures Data Loss or leakage Insecure or Incomplete Data Deletion Unknown Risks Profile Malicious Insiders Abuse and Nefarious use of Cloud Computing   Table 6. More than half of the interviewees actually displays that dependence of secure hypervisor was an important security issue. The vendor would increase trust values by allowing the client to conduct a vulnerability scan a couple times a year at an undefined time. Multi-tenancy) is the highest ranked security threat to organizations. This is very disturbing due to the fact that most companies are searching for some type of Cloud solution. a countermeasure to most of the Isolation Failure group is a vulnerability scanning and configuration risk. it would improve the trust that the client would gain from the vendor. 
Vendors having a clause in the SLA to improve the accountability of the events in the Cloud might provide more customers. because the clients could feel more confident and move more business processes to the Cloud. Isolation Failure. Dependence on Secure Hypervisor.1 Clients expectation of SL As in regarding security As we have stated earlier in the thesis most of the big vendors of Cloud Computing have stated that they are not responsible for any event that happens in the Cloud that is not of their control. There are countermeasures that can reduce these certain security risks listed above can be solved with having proper SLAs with both vendor and customer.

The next highest ranked security risk that interviewees have stated is Data Loss or Leakage. Data Loss could result in the loss of competitive edge or even legal ramifications due to the sensitivity of the data. The countermeasure for Data Loss that should be mentioned in the SLA is that providers will wipe persistent media before it is released back into the pool. Another countermeasure is to demand to see what the provider's backup and retention strategies are. The client would be able to see what happens to the data by reviewing what the retention and backup strategies are and will be able to see if the vendor strategies match the organization. If the vendor were to add these clauses to their SLAs, the clients might be more willing to move to the Cloud and feel that their data is actually protected.

They could oppose you. Therefore we want to say that trust is very important and that our data supports this. if you are not happy.7. The dependency that you get with a provider. but the one you got can make it a hard time for you. we cannot generalize beyond patterns. In the end we will link our train of thought to the second research question: What possible trust issues are associated with security risks in Cloud Computing and SLA? 7. but we are quite certain that the people we have interviewed are not the only ones to agree with us since so far our response have proven to be 100% positive to that trust is very important. 49 . A CEO from a company we interviewed also stated that Lastly we want to mention the opinion of a Computer Consultant regarding our questions of being proactive and reactive to solve security risks. Both parts have to go all the way.2 Trust related Security Risks in Cloud Computing In this paragraph we will focus on the concept of trust and trust within the context of Cloud Computing together with associated security risks.1 Is t rust i mportant? In our interview with the IT Consultant he stated this in the context of accountability: -term relationship. knowledge about what the provider does with the data and physical equipment. How do you know that get out all the data? And in what for This clearly shows how important trust is in the business agreement and when we talked with the CIO about the subject of security issues with moving to a Cloud we got the response: y issue would be the loss of control and who can access information that could be deemed as This view was further backed up by the choice of Cloud deployment model: If we would move to a Cloud solution it would be to a private Cloud so that we can control the SLA more and the access of the information. can I be proactive? These statements prove to some extent that we were correct when we concluded that trust was of key importance in the context of Cloud Computing security risks. 
We will present information from our interviews and show how the interviewees view trust and Cloud Computing and then analyze if their trust analysis is conducted mentally or mathematically. how do you do then? You may switch provider.2. Since we have not covered the whole population of our targeted group. but we cannot generalize this information.

7. Cloud Computing is fuzzy and a buzzword that creates confusion of what Cloud Computing really is. a service level and business model level. which is why the security risks we have presented exist and why some of them are connected to the issue of trust.; reputation. The security risks that we have identified to be connected to trust from ENISA. This is something we want to disprove by presenting information about what Cloud Computing really is on a technical level. reciprocity and confidence. This does nevertheless mean that the public and the academic world agree on a single view of Cloud Computing. These categories are used to highlight three parts of Cloud Computing that we have discovered to be critical to the business. as we do in different situations we discover that the main reason for automatic responses is lack of knowledge. we see security risks that are directly connected with lack of knowledge and that many derives from the different shapes of trust. CSA.3 Security risks associated with trust in Cloud Computing As what has been stated before in the thesis. The categories are based on our own assumptions on how the security risks derive themselves from each other. If we expand the lack of knowledge theory and look at Cloud Computing. The categories are: Quality of Service Provider Ownership 50 . NIST and our interviews with experts are: Unknown Risk Profile (CSA/Experts) Shared Technology Issues (CSA) Compliance Risk (Experts) Lock In/Stability of the Provider (ENISA/Experts) Loss of Governance (ENISA/Experts) Logging Challenges (Experts) Data Ownership Issues (Experts) Quality of Service Guarantees (Experts) Dependence on Secure Hypervisors (NIST/Experts) Service Level Agreement/Accountability (Experts) Physically Security (Experts) This list of risk is then divided into categories to show how they are related to security risks and trust as well as explain how to avoid them. 
This triggers his so action which basically tells us that Cloud Computing can be an automatic response to a problem where people with lack of knowledge agree to trust people with knowledge to help them solve a specific problem.

that person or company could be in serious trouble when service related problems appear since the accountability part was not reviewed. agreements are signed. appearance. and if a person or company does not review this properly and only use trust. the reason for a customer to sign it is because of the degree of confidence the customer has that the provider will deliver the agreed level of service. 51 . log information.; Data is insecure Cannot track what is happening to your information An insecure hypervisor can create openings into your part of the storage The SLA may also have been insufficient regarding what it covers. as we have mentioned. or do not want to work with the provider anymore. which should be accountable for the service and leaving a Cloud Provider. a company decides they lack sufficient knowledge to have their own IT department and decide that they should acquire IaaS to solve this. if you sign an agreement you most certainly trust the provider to live up to their side of the bargain.g. It is also important to understand that complete trust could mean that assumptions are made that once the customer do not need the service. the control functions around the data. If trust has not been systematically evaluated either through a serious review of how the provider work and provides information about the service e.2 Owners hip The security risks in the ownership category are related to the issues with who is owning the data.7. and one of those is SLA. SLA determines the framework of how the service should be delivered and who is accountable for what and.3. that it is just to pull the plug on the collaboration. or systematically as Mui presents.3. The security risks in this category are: Logging Challenges (Experts) Dependence on Secure Hypervisors (NIST/Experts) Shared Technologies Issues (CSA) Service Level Agreement/Accountability (Experts) Quality of Service Guarantees (Experts) The security risks in this list are connected to trust because. 
as we said.1 Qualit y of Service When a customer enters into a Cloud Computing solution. 7. Loss of Governance (ENISA/Experts) Data Ownership Issues (Experts) Lock in/Stability of the Provider (ENISA/Experts) Service Level Agreement/Accountability (Experts) The security risks associated with trusting a provider too much regarding the control mechanism and the data. there is a chance that the biased trust can let you enter into agreements where the provider provides a service that puts your company in a position where. i. and from what we have seen in SLAs from bigger providers are that they push the responsibility onto you. If trust have been mentally evaluated and created there is a risk that factors such as title.e. are very serious and should not be overlooked. reputation and reciprocity have biased the reason why trust is established and a contract signed.

3 Pro vider The third and final category we have decided to use to highlight what kind of trust related security issues exist in the Cloud Computing environment is Provider.3.4 How to avoid security risks associated with trust? To avoid the risk of entering into an agreement where the provider does not lives up to what they say is not as simple as one might think.What we have seen in literature and from interviews is that Cloud Computing is supposed to be very easy to enter into. It is very important to review if the provider is stable or under economical pressure that could result in less spending on equipment and security for that equipment. or even let them own the data after the agreement is signed and data is moved to the Cloud. This part of the trust related security risks also takes the physical security of the company and the equipment used into consideration. This part deals with how trust in the wrong place can affect what you get from the provider. meaning. so basically the first step is to obtain information to see if the person is trustworthy. is very hard to obtain. Of course this was not the only thing the people interviewed did. but should still be an important question in the process of deciding if you should use a provider or not. If a provider goes bankrupt it is also important to have decided what will happen with information put into the Cloud. which means that for the most part. but leaving a provider is something else. how the provider work and physical or real world related security issues can damage your company. Misplaced trust generally comes from lack of knowledge. This goes all the way to employee level. trustable? Of course this information is hard to obtain. yet the overall method to evaluate trust was to use opinions from a personal network. Genuine trust. and a correctly placed one. 
Unknown Risk Profile (CSA/Experts) Compliance Risk (Experts) Lock-in/Stability of the Provider (ENISA/Experts) Physical Security (Experts) This final part of the trust related security risks are focusing on the provider and how the what the provider on keeping data secure. 7. If trust is put into the wrong provider this could create serious lock-in related security issues if a company have a hard time leaving a provider that does not let the customer control their own data. how to work with the provider. In our interviews we saw that trust was very important. the evaluation was done mentally. 52 . If mental trust is used there can be risks that good faith results in bad support and no flexibility in how the provider work and that someone who should not have access to your data have access to it because a employee has access to it. but from our results the mental process seemed more important and only backed up by systematical reviews when a provider was deemed to be worth the effort. who owns it? 7.

The connection to our research questions is quite clear. One organization decided to trust standard versions of SLA and the IT Consultant said: t-of-the-box. And adding value to your It is this naivety that is based in lack of knowledge that could be so devastating for a person or a company that decides to use a Cloud solution. it would be the systematical approach. In the discussion with the IT Consultant on what is most important in the SLA review he said: what is included when it comes to security you add value to what you are selling. Ownership trigger feature is the signing of the agreement. it will work again. Quality of Service. 53 . our research question: What possible trust issues are associated with security risks in Cloud Computing and SLA? The avoidance of the automatic response comes from perseverance in understanding your surroundings. What is dangerous though is the thinking that just because I have worked with them before and it turned out well. if you want to work with Cloud Computing you have to understand it and not take simple solution but a necessary one. This leads us to the conclusion of how to avoid the trust related security risks and more importantly. As we have stated in the analysis of the three categories the risks occur on different levels of the Cloud solution. We cannot really affect it. It is The other organization seemed more concerned with getting precisely what they want in the SLA and focus a lot on reviewing SLA. because we have to take their background into consideration and understand that the consultant has probably worked with a provider for a long time and already done the review whereas the CIO is seeking a new provider. The CIO said this: mean Of course this does not mean one side is reckless and one side is wise. a systematical approach should follow to see if the reputation is deserved or not. 
If we recommend just one.What was quite interesting to see from our interviews was that there seemed to be two sides about how to review a SLA. From our point of view it is clients have to understand what they are getting into or the security issues discussed in research question one could occur. The raw data from the interviews state that while reputation and word to mouth is important to find providers. clients have to systematically and mentally evaluate a provider before a SLA is signed. We do not really review the SLA. If a person takes that kind of decision he/she is clearly not using systematic approach that suppose to measure if a person/company can be trustworthy. or the provider will control the decision of the service.

8 Conclusion

In the analysis we discussed the area of major security risks in Cloud Computing and how trust is connected to those. The questions that we set out to answer were:

What are the major security risks for clients using SPIs (SaaS, PaaS, IaaS) in Cloud Computing?
o What should clients expect from Service Providers in the SLA regarding Cloud Computing?
What possible trust issues are associated with security risks in Cloud Computing and SLA?
o If so, how can clients avoid security risks associated with trust?

We have found that the isolation failure group that was stated earlier is the biggest risk to organizations. The isolation failure group has a heavy reliance on the hypervisors to be stable and secure. The Isolation Group domain is primarily related to IaaS and we view that this is the most unsecure area of Cloud Computing for the moment. Our sub question was stated to see if we could offer countermeasures to apply to avoid possible security risks we could find. A solid SLA (e.g. proper data deletion procedures, the vendor will provide upgrades and maintenance) between the client and provider will decrease the chance of the security risk from happening, but it is not foolproof. It is of utmost importance that the client does a thorough review of the SLA and also demands some clauses be included as well.

In the second research question we focused on the security risks connected to trust and Cloud Computing, or response which we also use to discuss what happens, and what we discovered was three groups to categorize the security risks into and they are:

Quality of Service
o Logging Challenges (Experts)
o Dependence on Secure Hypervisors (NIST/Experts)
o Shared Technologies Issues (CSA)
o Service Level Agreement/Accountability (Experts)
o Quality of Service Guarantees (Experts)
Ownership
o Loss of Governance (ENISA/Experts)
o Data Ownership Issues (Experts)
o Lock in/Stability of the Provider (ENISA/Experts)
o Service Level Agreement/Accountability (Experts)
Provider
o Unknown Risk Profile (CSA/Experts)
o Compliance Risk (Experts)
o Lock-in/Stability of the Provider (ENISA/Experts)
o Physical Security (Experts)

In the analysis we could conclude that the risks in the categories quality of service, ownership, and provider are related to trust and that many of them exist because of misplaced trust which derives from lack of knowledge. Since we did find this connection we analyzed how this connection between trust and security risks could be broken. The solution is to know about the connection and gain knowledge to avoid using an automatic response. Our conclusion to that question is simple as we have said, but very hard to achieve. If this knowledge gap is achieved, trust related security risks can be avoided or reduced to the benefit of the client.

The answer was both unexpected and reasonable and we hope that we have contributed to the field of study by answering them. What we had not expected to find was how big this particular area of study was and that will further be explored in our discussion of what the next step in this field of study could be.

9 Discussion

As the Cloud Computing term becomes older, more and more along. The provider now states that they are not responsible for the events that happen in the Cloud and immediately say that the customer is liable. Most providers have an uptime of 99.95% stated in their SLA, but the monitoring processes of that uptime is left to the client. Both the organization and the provider should be able to develop a flexible but reliable SLA so accountability issues of the Cloud can be solved.

During our research we discovered three key concepts regarding Cloud Computing:
Trust
Security
Knowledge
Therefore we would like to present a rather simple model of the connections between those concepts.

Figure 9.1 Cloud Computing Triangle (Cloud Computing in the centre, surrounded by Trust, Security and Knowledge)

To ensure that Cloud Computing is the proper investment to make for an organization it is important to understand the different areas of the diagram. The triangle which is the Cloud itself is surrounded by Trust, Security and Knowledge. It is absolutely important to know that the Cloud is secure and that the provider will do everything possible to ensure that it will remain secure. An example of this is McAfee, who has made a vulnerability scan available that vendors can do to better secure their Cloud. If the vendor does pass the vulnerability scan McAfee will provide them a certificate to display on their website to say that they are considered secure. McAfee also provides Security as a Service which provides an overall security which will aim to decrease the amount of spam and email based threats (McAfee 2004). The Knowledge aspect is to know what should be in the SLA, the knowledge of the risks that Cloud Computing enables, and what solution is applicable to the organization. Both Security and Knowledge will build upon the trust that the organization gains from the provider and should build a relationship that should benefit both companies.
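Since the discussion notes that a 99.95% uptime is stated in the SLA while monitoring is left to the client, the following added example (not part of the thesis) shows one way a client could measure availability from its own probe log and compare it with that figure. The probe log format, the 60-second probe interval, the function names and the sample data are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

SLA_TARGET_PCT = 99.95                  # uptime figure quoted in the text
PROBE_INTERVAL = timedelta(seconds=60)  # assumed cadence of the client's probes


def parse_probes(lines):
    """Parse '<ISO timestamp> <ok|fail>' lines into sorted (datetime, bool) pairs."""
    probes = []
    for line in lines:
        stamp, status = line.split()
        probes.append((datetime.fromisoformat(stamp), status == "ok"))
    return sorted(probes)


def evaluate_sla(lines, period_start, period_end,
                 sla_pct=SLA_TARGET_PCT, interval=PROBE_INTERVAL):
    """Compare client-measured availability for one billing period with the SLA.

    Each probe vouches for the time until the next probe, capped at `interval`.
    Time that no probe covers is reported as unmeasured instead of being
    counted as uptime, so a failure of the client's own monitor stays visible.
    """
    probes = [p for p in parse_probes(lines) if period_start <= p[0] < period_end]
    up = down = timedelta(0)
    outages = []  # merged (start, end) windows, usable as evidence in a claim
    for i, (when, ok) in enumerate(probes):
        nxt = probes[i + 1][0] if i + 1 < len(probes) else period_end
        span = min(nxt - when, interval)
        if ok:
            up += span
            continue
        down += span
        if outages and outages[-1][1] == when:
            outages[-1] = (outages[-1][0], when + span)  # extend running outage
        else:
            outages.append((when, when + span))
    total = period_end - period_start
    measured = up + down
    budget = total * (100 - sla_pct) / 100  # downtime the SLA tolerates
    return {
        "availability_pct": 100 * (up / measured) if measured else None,
        "downtime": down,
        "unmeasured": total - measured,
        "downtime_budget": budget,
        "breached": down > budget,
        "outages": outages,
    }


def build_sample(start, minutes, outage_at, outage_len, gap_at=0, gap_len=0):
    """Constructed probe log: one line per minute, one outage, one monitoring gap."""
    lines = []
    for m in range(minutes):
        if gap_at <= m < gap_at + gap_len:
            continue  # the client's own monitor was down, so no probe was logged
        status = "fail" if outage_at <= m < outage_at + outage_len else "ok"
        lines.append(f"{(start + timedelta(minutes=m)).isoformat()} {status}")
    return lines


if __name__ == "__main__":
    start, end = datetime(2010, 6, 1), datetime(2010, 7, 1)
    log = build_sample(start, 30 * 24 * 60, outage_at=5000, outage_len=25,
                       gap_at=20000, gap_len=10)
    for key, value in evaluate_sla(log, start, end).items():
        print(f"{key}: {value}")
```

Over a 30-day period a 99.95% target tolerates 21.6 minutes of downtime, so the constructed 25-minute outage is reported as a breach, and the 10 minutes without probes are listed separately as unmeasured.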

9.1 Critique of method

While doing this research, Cloud Computing has evolved due to being such a new concept. Due to the evolution of Cloud Computing, the main security risks could change by making the ones that were brought to light in this research less important while new security risks arise. With this in mind, Cloud Computing could change very quickly which would make our research obsolete. If the research would have focused more on conceptualizing the concepts of trust, security and knowledge, it could have resulted in a more sustainable research by providing an abstracted view of Cloud Computing.

9.2 Future research proposals

Looking at our model presented in the discussion paragraph, we estimate that providers in the future will use these key concepts to differentiate themselves once Cloud Computing has become more adopted and standardized. Therefore we believe that further research into trust, knowledge, and security in the context of Cloud Computing is important for speeding up the process of approval. Areas for future research could be:
Trust building
Overall standardization of Cloud Computing
Security standards for Cloud Computing

October 23). from http://aws. Retrieved 2010-05-23 .com (N/A) Definition: Scalability.webopedia. Retrieved 2010-05-.com (2009. June 12) Top 10 SaaS Traps: Watch Out For Hidden Snags.htm Computerworld.com (N/A) Definition: Threat.businessdictionary.com (2006. April 26) National Information Assurance glossary Retrieved 2010-03-17.com (N/A) Definition: Risk. Retrieved 2010-05-23 .com/definition/information-security. Retrieved 2010-05-06. from http://www. from http://www.html   Businessdictionary. from http://www.com/definition/applicationprogramming-interface-API. Retrieved 2010-05-22 . Retrieved 2010-05-.com/Articles/2009/06/10/235429/A-history-of-Cloudcomputing. from http://www.businessdictionary. March 17) A history of Cloud Computing.amazon.com/definition/distributed-systems.. Retrieved 2010-02-28. Retrieved 2010-05-14.businessdictionary. from http://www.info/2009/02/23/defining-Cloud-computing-part-6-iaas/ Committee on National Security Systems (2010.com (N/A) Definition: Information Security.com/s/article/111510/Top_10_SaaS_Traps_Watch_Out_For_Hid den_Snags   57 .html Businessdictionary. December 19) Definition: Hypervisor. Amazon EC2 Service Level Agreement.html Businessdictionary.gov/Assets/pdf/cnssi_4009.html Businessdictionary. Retrieved 2010-05-23 .businessdictionary. Retrieved 2010-05-23 .businessdictionary.com/definition/threat. from http://www. from http://www. from http://www. from http://www.businessdictionary.cnss.com (N/A) Definition: Denial of Service (DoS). (2009) Enterprise web 2.html   Businessdictionary. from http://Clouddb. S.).com (N/A) Definition: Application Programming Interface (API).html Businessdictionary.0 Fundamentals Indianapolis: Cisco Press Businessdictionary. Retrieved 2010-05-23.pdf Computerweekly.com (N/A) Definition: Application Service Provider (ASP). Retrieved 2010-04-24.businessdictionary. New York: HarperCollins Publishers Lew (2009. from http://www.html Businessdictionary. 
February 23) Infrastructure as a Service.com/TERM/H/hypervisor.com (N/A) Definition: Distributed Systems.html Webopedia.html Businessdictionary. from http://www.com/definition/scalable.com/definition/threat.computerworld.com (N/A) Definition: Flexibility. R (2007) The Psychology of Persuasion (1st Collins Business Essential ed. Sankar K.html Cialdini. from http://www. Retrieved 2010-05-6 . Retrieved 2010-03-17.com (2006.com/definition/application-service-provider-ASP.businessdictionary.businessdictionary. from http://www.com/ec2-sla/ Bouchard A.10 References Amazon (2008.com/definition/flexibility.com/definition/denial-of-service-DOS. B.computerweekly.

Retrieved 2010-03-07.mcafee. F. from http://knoesis. Service Level Agreements. Retrieved 2010-04-12.se/2. Retrieved: 2010-03-15. Retrieved 2010-04-20..com/en-us/library/aa479086.ibm. from http://msdn.CSA (2009 December) Security guidance for critical areas of focus in Cloud Computing v2. April) Architecture Strategies for Catching the Long Tail.288641/5-saker-du-maste-veta-om-molnplattformar Knoesis Center Wright State University (N\A) Service Level Agreement in Cloud Computing. Keller.. from http://www.gov/groups/SNS/Cloud-computing/Cloud-computing-v26.aspx Mui. Retrieved 2010-04-02. from http://www. H. Rådmark (2010-01-26) 5 saker du måste veta om molnplattformar. from http://msdn.edu/library/download/OOPSLA_Cloud_wsla_v3. Retrieved 2010-01-30.html Microsoft (N/A).microsoft.html IBM (N/A).aspx MSDN (2006.microsoft.com/apps/intl/en/terms/sla.com/wsla/ H.gni. from http://www.com/en-us/library/aa479069.1 Cloud Security Alliance CSA (2010 March) Top Threats to Cloud Computing v1.pdf McAfee (N\A) Retrived 2010-04-22 From http://www.com/it/page. Massachusetts Institute of Technology NIST (2009-10-7) Effectively and Securely Using the Cloud Computing Paradigm Retrieved: 2010-02-14 from http://csrc.0 Cloud Security Alliance Dan.microsoft.aspx Google (N\A) Google Apps Service Level Agreement Retrieved 2010-03-22.gartner. June) Multi tenancy Data Architecture Retrieved 2010-03-19..com/windowsazure/sla/ MSDN (2006.com/us/small/security_insights/security_as_a_service. Richard.nist.. Richard. A. from http://gcn. Web Service Level Agreements (WSLA). Risks and recommendations for Information security European Network and Information Security Agency Gartner (2008 June 26) Gartner Says Cloud Computing Will Be As Influential As E-business Retrieved: 2010-02-18 from http://www.opencrowd. from http://www.ppt. (2002 December 20) Computation Models of Trust and Reputation.P.jsp?id=707508 GNi (N\A) Infrastructure as a Service Retrieved 2010-03-16.google. M. L. 
January 28) Web Service Level Agreement (WSLA) Language Specification. from http://www.idg.wright. & Phil.1085/1.com/views/Cloud. Ludwig. A. From http://www. (2003.php 58 .com (N/A) Cloud Computing.. IBM Corporation ENISA (2009 November) Cloud Computing: Benefits.com/blogs/tech-blog/2009/03/google-app-engine. March 03) Revving up Google App Engine Retrieved 2010-03 17.com/services/iaas GCN (2009. OpenCrowd.research.

Open Crowd (2010, May 13). Cloud Taxonomy. Retrieved 2010-05-14, from http://www.opencrowd.com/views/Cloud.php
Phoenix (2010, March 18). Confidentiality, Integrity, Availability and what it means for you. Retrieved 2010-03-22, from http://continuitydisasterrecovery.phoenixblogs.com/confidentiality-integrity-availability-and-what-it-means-for-you/
Salesforce (N/A). Multitenant kernel. Retrieved 2010-03-19, from http://www.salesforce.com/platform/Cloud-infrastructure/kernel.jsp
Saunders, M., Thornhill, A. and Lewis, P. (2007). Research Methods for Business Students, Fourth Edition. Pearson Education Limited
Service Level Agreement and SLA Guide (N/A). The SLA Guide. Retrieved 2010-04-01, from http://www.service-level-agreement.net/sla-guide.htm
SLA Information Zone (N/A). The Service Level Agreement. Retrieved 2010-04-01, from http://www.sla-zone.co.uk
TheFreeDictionary.com (2009). Definition: Security. Retrieved 2010-05-02, from http://www.thefreedictionary.com/security
The Linux Information Project (2006, April 29). Vendor lock-in definition. Retrieved 2010-03-17, from http://www.linfo.org/vendor_lockin.html
Whatis.techtarget.com (2008, December 14). What is Platform as a Service (PaaS)? Retrieved 2010-03-12, from http://whatis.techtarget.com/definition/platform-as-a-service--paas-.html
Wikipedia (2010-05-13). Authority. Retrieved 2010-05-15, from http://en.wikipedia.org/wiki/Authority
Wikipedia.org (2010 May 8). John McCarthy (computer scientist). Retrieved 2010-04-, from http://en.wikipedia.org/wiki/John_McCarthy_%28computer_scientist%29
Wikipedia (2010-03-13). Trust (Social Sciences). Retrieved 2010-04-10, from http://en.wikipedia.org/wiki/Trust_%28social_sciences%29


Appendix 1 Interview Questions
1. What is your position in the company?
2. What are your first impressions of Cloud Computing?
3. If your company is looking for solutions in the Cloud, what are your biggest concerns?
4. What are your top three concerns with Cloud Computing?
5. What risks do you consider to be in the top three with Cloud Computing?
6. What are the major advantages of Cloud Computing that your company can benefit from?
7. Is your company currently looking for different solutions in Cloud Computing? Why or why not?
8. What business process would your company be willing to relocate into the Cloud?
9. What would be the security issue with relocating to the Cloud?
10. Do you review your SLAs properly, and how?
11. What areas of the SLA does your company mainly focus on?
12. Do you evaluate security from an acceptable loss perspective (e.g. loss of data or downtime)?
13. What type of Cloud deployment model would your company be interested in and why (e.g. public, private, hybrid and communities)?
14. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing?
15. How can one solve the accountability that arises with Cloud Computing in your opinion?
16. How does your company evaluate trust?

Appendix 2 Interviews with experts
In this section we will present the information we obtained through semi-structured interviews with various experts in the field. The people we have interviewed will be kept anonymous and will only be referred to by their professional title e.g. Consultant, Senior management etc.

10.1 IT-Consultant
On the 22nd of April 2010 we interviewed an IT-consultant that works at a consultancy firm. The interview lasted for 1 ½ hours and was a semi-structured interview, and the interview questions in section 17.1 were used as a basis.

What are your first impressions of Cloud Computing?
The first thing that came to my mind was that as a company you are freed from the management of the servers. That is the big advantage that you can focus more on the core competence in your company. You let someone else manage the servers, which have got the expertise for it. Cloud Computing feels like a development of something that has been under way for a long time, but it is not until now that you go all out with it. Then it comes to this with the risk assessment, and how does it feel to let someone else take care of everything. Sure it is very good that someone takes care of it, but what if it is business critical information?

Do you evaluate security from an acceptable loss perspective (e.g. loss of data or downtime)?


This depends from customer to customer. I would say that it is extremely customer specific. If you work with a system that deals with patient information, as for example a care center does, and the thought of putting out that information on the Internet and you would lose information. That is not in any way acceptable. On the other hand if you work with adverts, as for example on blocket.se, the loss of information is not that critical. So it is totally dependent on what type of business you are conducting. If you are a bank and lose a transaction, which cannot just happen. They have a problem with that today, and it is their main security concern. They have to deal with redundant data and to log everything. To some information is critical, to some it is not.

Is your company currently looking for different solutions in Cloud Computing?
We have been discussing that a little bit when it comes to invoice handling. We develop that kind of service for our customers, but we let one of our subcontractors handle the management of the servers. We sell the service to the customer, but we let a third party take care of it to ease the pressure on us. Then I would think that we would profit a lot from putting out our internal system, for example our external web service, into the Cloud. That is something that we do not need to manage ourselves.

What type of Cloud deployment model would your company be interested in and why (e.g. public, private, hybrid and communities)?
Hybrid is something we have discussed, but it is not something that we are currently focusing on. But I think it would definitely be something that we could profit from.

We have been using a platform online for uploading our files on the Internet. What do you think of that type of service?
The question is what type of information that you want to put up there. You have to take responsibility to not give out your login information. It is very dependent on the individual.
Some people do not have any judgment at all when it comes to those matters. Some users share the same account, and uploading critical data is something you consider twice. What are your top three concerns with Cloud Computing? The security aspect is one. As a provider you have promised a certain uptime, and it is not unusual that security updates are released that has to be installed. What happens to uptime then? That affects the SLA and could mean a lot of costs. Also, the time from when the vulnerability is discovered and that it is fixed is dangerous. So when it comes to the Cloud the security aspects are very exciting, even though you have a lot of external security. There are hacker syndicates that are working solely with stealing information. As a comparison, when you have it in-house, you have got a whole different possibility to isolate the servers. But when you are sharing a server with someone else that has not got the same system, and you need to update your system by restarting the server, you got a problem. With this new business model using old technology you got new problems that need to be solved. Companies take different services that they repack and call Cloud Computing which can create security risks that they did not have before. There is a problem with not having a universal definition of Cloud. The terminology is very unclear. So we got the security aspects, terminology and the possibility to integrate with other systems. Scalability and flexibility are parts that are beneficial with the Cloud. It is cost effective in


How do you know that get out all the data? And in what format? Can you import the information to other systems? Do you review your SLAs properly. Some argue that you will make huge savings by putting everything in the Cloud. How can one solve the accountability that arises with Cloud Computing in your opinion? Trust is essential. how shall it be configured? If you have it in-house it goes relatively quick to solve a problem. to troubleshoot or to manage it. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? You have to know who you are. backup routines. The provider needs to understand the customer. How can you work with putting up counter measures for emerging threats? Worst case scenario. We cannot really affect it. We do not really review the SLA.the way that you can measure what you use. It is not unusual that something goes wrong. while some others say that you need to keep some infrastructure in-house. They could oppose you. The Cloud business model is so new so the SLA has to be constantly updated with emerging issues that are arising all the time. has a third party access to the data? There is a naivety when it comes to security. But it is still hard to calculate the benefits of Cloud. What areas of the SLA does your company mainly focus on? Availability is of utmost importance. If you are going to use a provider you should aim for a long-term relationship. How is the data encrypted. The quality of customer service is important and you should aim for a long time relationship with the provider. there is no standard version that works for everyone. but the one you got can make it a hard time for you. And how much can you affect this out-of-the-box solution. what is your focus and what type of even get help to do that. control. And adding value to your customer is very important. It is a standard agreement and we use it for our customers as well. If you have it as a service. 
The dependency that you get with a provider. That has to exist in the SLA and you should actively work with renewing it to be able to cope with the new threats that are coming every day. You as a provider need to know exactly how the system shall work. But as a service. Human error is common. It depends on who does the calculation and in what way. how do you do then? You may switch provider. What risks do you consider to be in the top three with Cloud Computing? Generally when you are buying a service you buy a completely configured system. and how? When we buy a service we get it out-of-the-box. To not have control is an issue. So communication. What does security really mean? Who does what? If you can define what is included when it comes to security you add value to what you are selling. The processes and routines regarding security have to be in there. Both parts have to go all the way. And there are problems before you have a fully functioning application up and running. The customer does not have the possibility to monitor the system. maintenance and the possibility to troubleshoot are important aspects. It is one thing to buy something straight up. the lead time from when something goes wrong and it gets fixed is longer. who has got access to the data. who your customer is. Based on our demands we can work actively with evaluating what could happen and can absolutely not happen. if you are not happy.

Maybe a master SLA. A Cloud provider can offer a pretty solid security solution which you as a small company may not be able to afford. It should state who does what and you got to have some kind of error-handling. how can you get out of the Cloud? That should be in the SLA. That should also be regulated in the SLA. So you will get SLA on SLA. You want to achieve something. There is no easy technical solution for the accountability. Cell phones are containing a lot of different information today that is important for some organizations. From that it should be the service provider and or the Cloud provider. there are benefits as well. What happens to the data then? Or if a company goes bankrupt. In the SLA the demands should be incorporated. Many companies may just go for the Cloud because it is profitable and just ignore the risks. You buy a service that may be situated in the Cloud. which is probably why the Cloud providers liberate themselves from this. Then who is responsible? How can you integrate accountability solutions? Somewhere you have to start with a requirement model. People are running around with USB flash memories which they sometimes drop or lose. There are not only security risks with the Cloud. A logging function should be installed that does not lower the performance. Also. The Cloud is probably going to be an expert in the area too. Some other issues though would be if get bought up as a company.

What are your first impressions of Cloud Computing? Outsourcing. what are your biggest concerns? Flexibility Security Accessible 4. What is your position in the company? Senior Business Consultant. 2. What risks do you consider to be in the top three with Cloud Computing? Security Flexible SLA needs to be waterproof 6. Decision process. The questions we used can be found in 17. 8. What are your top three concerns with Cloud Computing? Security Flexible SLA needs to be waterproof 5.10. What would be the security issue with relocating to the Cloud? Multi-tenancy Stability of Supplier Long term focus + track What are the major advantages of Cloud Computing that your company can benefit from? Startup cost and the flexibility as well as scalability.2 Senior Business Consultant We interviewed a Senior Business Consultant and the company offers professional IT Services and had a third party that provided Cloud Computing to customers. Is your company currently looking for different solutions in Cloud Computing? Why or why not? No solution but using an internal private Cloud. 7. We interviewed the said person on the 24th of April 2010 and it lasted for about 30 minutes. What business process would your company be willing to relocate into the Cloud? Non-critical business process would be the first step then possibly more critical process (e. If your company is looking for solutions in the Cloud. 3. production processes) 9.g.1 1.

16. What areas of the SLA does your company mainly focus on? Review mostly the startup relations. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? Proactive: Help in establishing the standards and be knowledgeable in being reactive in security threats. when and what data.g. 12. private. and how? Yes they had consultants write SLAs so they have personal review the SLAs. How does your company evaluate trust? Does research on the company and looks for negative reports so reputation plays a big part in it. 13. and uptimes on different applications and how to terminate the contracts. communications. log how it is being done. 15. Supplier A to B how. public. Using a kind of integrated platform. 10. What type of Cloud deployment model would your company be interested and why (e. Do you review your SLAs properly. loss of data or downtime)? Important not to lose critical data. 11. in other words ensure that there are clear responsibilities established. How can one solve the accountability that arises with Cloud Computing in your opinion? Understanding a clear line on where the border is between partners accountability. support. Do you evaluate security from an acceptable loss perspective (e. hybrid and communities? Private. and stored and what issues you take when it does not come through. 14. Example. sent. one company required a customer to sign a gag order for some reason so the said person from the company went elsewhere.g.

What risks do you consider to be in the top three with Cloud Computing? Other companies can access our information Uptime dependent on the provider Backup 6. and that I would not like to connect it to our business critical systems. What are the major advantages of Cloud Computing that your company can benefit from? Scalability .10.3 CIO I On the 28th of April 2010 we interviewed a CIO at a distribution company. cannot have downtime or lose data Backup beyond our control. 4. What are your top three concerns with Cloud Computing? Security Who can access our data? Uptime stable access to the service. What is your position in the company? 2. 3. What business process would your company be willing to relocate into the Cloud? The business process we could consider is office applications that are not connected to critical business systems.1 . 1. The interview was semi-structured and the questions we used to establish a theme were the ones in section 17. If your company is looking for solutions in the Cloud. What are your first impressions of Cloud Computing? My first impression was that Cloud Computing could be useful for mainstream applications in the office. fewer IT employees = lower costs 7. We lose control of who can access our information even if the agreement says we are the only ones. what are your biggest concerns? Our concern is the security aspects. what happens if the system crashes? 5. We want to have control over them ourselves. Lower IT costs Smaller IT department. 8. We have recently invested in VMware solutions to run internally since we consider IT advantage is possible through in-house development and that such an advantage is important in our business. We are also concerned about creating a waterproof SLA about access and control over data since information relocated into the Cloud could be sensitive. The interview lasted for 20 min and the interview was conducted via a speaker telephone. someone could still access it in theory.
So we will probably not look for a Cloud solution in the next years. in the sense that applications are not affected because of peaks in usage. Is your company currently looking for different solutions in Cloud Computing? Why or why not? No we are not looking for a Cloud solution at the moment.

How can one solve the accountability that arises with Cloud Computing in your opinion? This issue could be solved through carefully writing the SLAs.g. 11. 13. What areas of the SLA does your company mainly focus on? The part that is most important for us when we agree to an SLA is the uptime. loss of data or downtime)? Since we deem it is unacceptable to lose data we cannot use that when we measure the providers. but the Internet downtime is different. 15. Then I carefully review the SLA and make sure that both companies mean the same for complicated words. 9. private. hybrid and communities? If we would move to a Cloud solution it would be to a private Cloud so that we can control the SLA more and the access of the information. I think the public Clouds can have the most problem with this since they appear to be more standardized than the private Cloud SLA. 10. What type of Cloud deployment model would your company be interested and why (e.g. we have to make sure that the provider can provide their service at a level that means we can keep working e. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? I do not have enough experience or knowledge about the Cloud to answer this question in a valid way. 14. 12. We do have a specific time we can allow Internet to be down so we measure against that. 16. Do you review your SLAs properly. How does your company evaluate trust? I use connections and references from friends and colleagues in my field of work together with reading about the provider. Do you evaluate security from an acceptable loss perspective (e. and how? We usually distribute them at our meetings within the IT department so that everyone at the IT department understands them. Internet provider cannot our Internet connection be down too much. public.g. What would be the security issue with relocating to the Cloud? 
Our biggest security issue would be the loss of control and who can access information that could be deemed as sensitive to our company and our clients. public.

both external and internal. how to make it available for the right time. You say bye bye to infrastructure which also means less need for resources like employees and less associated problems. you have no control over where information is. You are buying a service which means less responsibility. integration between services. 7.g. someone notices that the application is not working. 8. 3. industries. loss of governance. 5.4 Computer Consultant On May 7th 2010 we interviewed another Computer Consultant at a distribution company. Is your company currently looking for different solutions in Cloud Computing? who want to relocate into the Cloud. how do you store data and integrate with their systems? We do not want to put everything in the Cloud. What business process would your company be willing to relocate into the Cloud? Simple stuff. 6. things that are not really hard to integrate into systems in your environment. Cloud is hard to integrate. easy to buy. Manageability is an issue. How to design what to be used in the services bought? The connectivity is important. only some parts. Security. connectivity. The interview was semi-structured and the questions we used to establish a theme were the ones in section 17. SP. Services are awesome. In Sweden it is good. Traditionally. The interview lasted for 40 min and the interview was conducted via teleconference. Because as it is now. You have to think about monitoring. What are your first impressions of Cloud Computing? What I thought was that finally people have realized what can be done when it comes to virtualization. email could be something. What are your top three concerns with Cloud Computing? Security. how to start using it. 1. like how to monitor applications bought through internet.10. What is your position in the company? Computer consultant at different companies. and that someone contacts helpdesk. 4. What are the major advantages of Cloud Computing that your company can benefit from? 
The environment of Cloud. but when you travel elsewhere it could become an issue. Also how to integrate these different services is important. If your company is looking for solutions in the Cloud. Specific service e. It helps the environment by optimizing the utilization of resources by only using what you need. integration. 2. The reporting platform for example or a traveling template generator to standardize traveling bills in the company instead of using the systems. what are your biggest concerns? That you do not know who customers are. so we should. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? .1.

Sweden and Poland. a tape where I make big storage backups and where does it go? How do I know I get the data about the service they provide me (for instance log files) is the raw data or changed to look good and to keep you unknowing as a client? How can I know that everything is being logged since I cannot access that information? Will someone tell you if the provider screws up? They need systems to monitor everything so that they can prevent bad things from happening by monitoring activity and activity around the data. How can one solve the accountability that arises with Cloud Computing in your opinion? Right now it is not impossible. But this issue is very complicated. There are risks such as industrial espionage and idea stealing.g.g. Pre-programmed triggers to alert if something bad happens exist. Trust is the only current solution. How does your company evaluate trust? How do you evaluate trust? Maybe by looking at track records or talk to people? General discussion about security Where is my data? What laws govern my data? How can I trace if my data is being copied in a safe way? Where are backups stored? How can I be sure that my data is not being manipulated in the wrong way? When data gets redundant by being stored in two different geographic locations. 10. For example how to hold someone accountable for e. what law is protecting my data when the data is in these two different places? E. how can I monitor my physical storage of data on e. can I be proactive? 9. You will have a hard time to find out where information was manipulated wrongly. fraud or copying of data.g. but trust is hard to create when all information is not shared as well as goals of what wants to be done. Tru have no knowledge about what the provider do with the data and physical equipment. With backups.

that you are not able to make profit of it. Right now I am storing everything on my computer. We have many systems in the Cloud. the development will not increase. This is because I travel a lot and need access to the information all the time. It's not the computer power that will change in the future. I prefer to have it in Sweden.5 CEO On the 6th of April 2010 we interviewed a CEO at an IT company. 2. You have a 3. 5. It is not possible to move to next level of business with the old way of handling. What business process would your company be willing to relocate into the Cloud? Is Cloud? Not for me. Then of course the trust and intellectual property. Because we don to spend on IT in the companies. 6. The interview lasted for 30 min and the interview was conducted in person. That means that the information needs to be stored locally. Maybe in the future when the accessibility is better I will only have it in the Cloud. What is your position in the company? CEO at an IT company. If you travel it's the most insecure place for information. People think it's more secure if you have it on your own laptop. The interview was semi-structured and the questions we used to establish a theme were the ones in section 17. If you do not make profit. In most countries you are not allowed to keep your book keeping outside the country.10. A company runs all the finance for us. Legislation is definitely not updated for the Cloud. what are your biggest concerns? We are not supplying Cloud solutions. When I look for suppliers I'm not only looking for one. What are the major advantages of Cloud Computing that your company can benefit from? Speed and flexibility. 1. Terminals back in 1984 connected to a mainframe. If your company is looking for solutions in the Cloud. it's easier to adapt to it. Accessibility is second. We need to have Cloud solutions and it is also easier to apply best practices in the Cloud. It is like with the importance with internet. 
But you get so much more power and functionality with the Cloud. 7. even though I have it in the Cloud. 4. What are your top three concerns with Cloud Computing? Top concern for Cloud is trust. But I am not representative in that perspective. What risks do you consider to be in the top three with Cloud Computing? Business model. Secret information cannot be placed in the Cloud. From a technical perspective it is more complex to have it in the Cloud. It is the speed and availability of connectivity. If we understand the strategy of Cloud. What are your first impressions of Cloud Computing? Necessary. But I did not look for solutions abroad. That you can increase the business efficiency and development. Then you could not afford personal computers.

where I can get someone on the line to talk to me. 11. 13. Your information is more secure in the Cloud. and reputation.g. Where is the weak link? Devices as laptop and cell phone certainly are. The physical support is important. It should just be there just as with announcement of downtime etc. it's a new behavior. Do you evaluate security from an acceptable loss perspective (e. The competition will be about the SLAs. 14. it is maybe a lower cost but higher risk. Is storing or using information my concern. It is not only technical issues with Cloud. loss of data or downtime)? thought of it. is that G fault? Cloud is not a new service. educate people that they need to think about security. Do you review your SLAs properly. Using Cloud as a backup is more secure. and how? No. I just expect that everything should work. What is the long term strategy on this? 9. What areas of the SLA does your company mainly focus on? It's not uptime. We didn't want to be public with our information. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? Security.lot of information on your phone today. I use a combination of applying best practices. you have to is it 12. Where is it more secure? That is something that you have to evaluate. you will very quickly lose the competitive edge. Because of more security. If you are doing things that you can stand up for. behavior. You don't want to email somebody when something goes wrong. it is a matter of service as well. more efficient. 15. Then we have an issue with the service area. What type of Cloud deployment model would your company be interested and why (e. Big files are however a problem with the Cloud.g. But i a problem with the Cloud? 8. public. hybrid and communities? In the past I was a big fan of private internet. But be a problem. What would be the security issue with relocating to the Cloud? Cloud. But i better. references. because I realize that. 
It's an illusion that it is more secure on your laptop. How can one solve the accountability that arises with Cloud Computing in your opinion? If you are a small player. which is obvious. Communication and education. The damage is much higher if something goes wrong in the Cloud. faster and in the long run probably more reliable if it is in the public. all the time. 10. But it is always a part of it. How does your company evaluate trust? For me trust is more than everything else. It's a question of privacy. Stop using secret as our normal password and so on. If you have a poor SLA.

security. and how? We review the SLAs very extensively by sending them to our lawyers and IT departments for them to review and discuss the items that they dislike. The interview lasted for 40 min and the interview was conducted via teleconference. 10. 9. will the provider notify you if there is an issue with your Cloud or do you have to keep track of it yourself.g. loss of data or downtime)? We evaluate from an acceptable loss perspective by the sense that we see the cost of downtime. 7. If your company is looking for solutions in the Cloud. What is your position in the company? CIO 2. 6. The other risks are stealing information. and data loss. other issues that I see are Intellectual property of the data. an 5. 1.10. Hyped up market term 3. What are your top three concerns with Cloud Computing? Interruptions of service control. The interview was semi-structured and the questions we used to establish a theme were the ones in section 17. Is your company currently looking for different solutions in Cloud Computing? Why or why not? Have a partial Cloud internally 8. What are the major advantages of Cloud Computing that your company can benefit from? Scale of economy. What are your first impressions of Cloud Computing? The term itself. salary systems and supporting systems can be moved to the Cloud. Do you evaluate security from an acceptable loss perspective (e. What risks do you consider to be in the top three with Cloud Computing? My biggest concerns are the actual integration between the different Clouds and business units.1. Also. What business process would your company be willing to relocate into the Cloud? I view that the non critical business processes like ASP solutions.6 CIO II On May 15th 2010 we interviewed another Computer Consultant at a distribution company. what are your biggest concerns? Ownership of the actual data and the Cloud 4. and being able to use the different experts from vendors. Cloudy concept. Do you review your SLAs properly.

having a modifiable SLA so if something does change all of us can sit and discuss the new changes. size. How does your company evaluate trust? We review the references.11. hybrid and communities? Most likely private but very confident about moving core business processes to the Cloud. It is a six month process that requires plenty of planning and meetings to build the relationship. It is important to establish a balance between the customer and the vendor. We evaluate different vendors that fit our requirements and conduct meetings with the vendor. example Amazon said no to the IRS when asked to do a C&A risk assessment. If the power becomes unbalanced to the vendor can change its view and the customer has to accept it. How can one solve the accountability that arises with Cloud Computing in your opinion? This is a challenge because we have three members we meet monthly to have discussions on how that we will always come back to them. We want them to work for our partnership. performance of the company to build a partnership. 14. 12. Also.g. How do you think a company can be proactive/reactive when it comes to security issues in Cloud Computing? It is important to have a face to face meeting with the vendor to provide confidence and to get a secure feeling from the vendor to be able to develop a long lasting relationship 13. history. What type of Cloud deployment model would your company be interested and why (e. reputation. public. private.
