The 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013)
Cloud Security and Compliance Concerns: Demystifying stakeholders' roles and responsibilities Muteveri Kandira
Jabu Mtsweni
Keshnee Padayachee
School of Computing
School of Computing
School of Computing
University of South Africa
University of South Africa
University of South Africa
Pretoria, South Africa
Pretoria, South Africa
Pretoria, South Africa
[email protected]
[email protected]
[email protected]
Abstract-Cloud computing is a new computing model that
may
offer
sharing
numerous
of
benefits
dynamically
to
scalable
potential
users.
resources
The
such
as
take responsibility for both security and compliance [I]. This paper
therefore
aims
to
identify the
computing, storage, and infrastructure via the internet
to
identify
the
stakeholders
could
minimizing
the
identified
enhance
an
organisation's
growth
through
the
reduction of IT costs. However, research has shown that
cloud
security
and
compliance risks and subsequently classify them. It also seeks that
risks.
should
be
involved
Furthermore,
the
in
paper
delineates stakeholders' roles and responsibilities to inform and
cloud computing has various security and compliance
protect cloud users. The rest of the paper is structured as
concerns.
follows: Section II presents a discussion on related work and
identify
The the
ancillary
security
objective of
and
this paper
compliance
concerns
is to that
cloud
services
in
general.
The
compliance
and
security
organisations are likely to encounter when choosing to
concerns are identified, elaborated, and classified in Section III,
adopt and use cloud services.
followed
Consequently, the main
by
Section
the
A. Keywords
-
cloud
services;
compliance;
security;
stakeholders; threats
I.
and with
revolution in Information Technology (IT) that offers various computer
users.
It
allows
the
provision
of
computing resources on the Internet, where processing, storage, networking
infrastructure
together
with
deployment
and
development platforms are dynamically requested and made available on demand. Key computing areas such as software development, mobile computing, and offshore banking are embracing
cloud
Cloud Computing Definition The most
common
defmition
of
cloud computing
is
Standards and Technology) definition [4]. It states that:
INTRODUCTION
"a rapidly developing technology that aroused the concerns of the world" [I], is a to
RELATED WORK AND CLOUD COMPUTING
referred to as the NIST (United States' National Institute for
Cloud computing, described as
benefits
paper
roles
Section V and outlines possible future research opportunities. II.
The
concludes
responsibilities of the stakeholders who are central in cloud platform.
discussed.
stakeholders'
responsibilities
addressing these security and compliance concerns in the
are
IV
contribution of this paper is the identification of roles and
services.
In
addition,
consumers
and
organisations are increasingly leveraging cloud services such as mature sales management, electronic mail, and smartphone
"Cloud computing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models and four deployment models". Five cloud computing characteristics are mentioned, namely: resource grouping, rapid elasticity, measured service, on demand self-service and broad network access. Cloud computing models are discussed further in the following section.
Cloud Computing Models
applications [2]. However, cloud computing usage is generally
B.
associated with security and compliance issues [3] such as
The cloud computing model consists of four deployment
laws, regulations, data privacy, data protection, cybercrime,
models that operate within three main aspects known as
and contractual agreements. Traditionally information security
service models. The deployment models are [5]:
and compliance activities are managed and resolved within organisations. However, information security management is multifaceted within the cloud computing domain. An organisation may have no control over the cloud
•
Public cloud:
This is a common type of cloud where
multiple users can access a number of applications over the Internet. In a public cloud, cloud computing technologies
are
controlled
by
Cloud
environment, in which case, the cloud service providers would
978-1-908320-20/9/$25.00©2013 IEEE
653
Services
The 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013)
•
Providers (CSPs) and the cloud infrastructure is
The classification and stakeholders roles are outlined in the
located outside the organisation.
following section.
Community cloud:
This
involves
two
or
more
organisations combined where they jointly share the same cloud infrastructure together with governing
III.
It is imperative for cloud stakeholders to clarify their roles
policies and values. •
•
Private cloud:
CLASSIFICA nON OF CLOUD SECURITY AND
COMPLIANCE CONCERNS
This is devoted to one organisation
and responsibilities. If not, users may assume that the cloud
solely for their internal use. The cloud infrastructure
environment is not secure because traditional data security
may be hosted within the organisation or by a third
issues like phishing, and data integrity [9] are not explicitly
party vendor.
addressed. These issues which arise depending on the service
Hybrid cloud:
model (e.g. IaaS, SaaS and PaaS) used, are discussed in this
public
clouds
This is a combination of private and within
the
same
network.
It
is
controlled by the same standardized technology that
section.
A
classification
of
some
of
the
security
and
compliance issues is also outlined.
allows a uniform platform for data exchange [6]. The three main cloud service models are Infrastructure-as-a Service (IaaS), Software-as-a-Service (SaaS), and Platform-as a-Service (PaaS) [2]: •
Software-as-a-Service:
SaaS is a model that is hosted
and managed by CSPs or vendors and is rendered on demand. •
Platform-as-a-Service:
CSPs
provide
the
fundamental infrastructure as well as application development platform (e.g. Google App Engine). •
Infrastructure-as-a-Service:
In an IaaS model, the
CSP only provides the essential infrastructure - the network,
storage,
computing
resources
and
virtualization technology (e.g. Amazon S3).
A.
Service Model Related Issues In general, SaaS delivers software or applications to the end
user. In most cases, the user is not concerned about the supporting infrastructure, but mainly utilizes the applications provided [10]. The data for the users are stored in the data centres of the CSPs, and if the CSP is hosting more than one client, it implies that the security of the data is at an increased risk. This is because the customer does not have control over the storage of data and a third party could access it without notice. The following cloud security issues, among others, are crucial for consideration when SaaS is the service model to be adopted:
data security,
data
locality,
data
integrity,
data
confidentiality, availability, data backup, and network security [7]. These issues mainly deal with data management, which is
C.
typical of a SaaS model. Customers have to cede control of
Cloud Security and Compliance There are various security issues affecting the cloud
environment. Cloud users need to be aware of and understand the security offerings that exist within the cloud environment [7]. Cloud customers'
security
issues
include
responsibility
data security and integrity,
for
the
authentication and
identification and data location [8]. Data location is a cloud security threat in which the customers do not have control over the data and are unaware of its location. Cloud compliance issues revolve around laws, regulations and governance. Despite the existence of traditional security measures and newly developed instruments to cater for the lack of security and compliance within the cloud environment, the same issues remain a concern. This is mainly because there is
their data in order for them to receive a service. In a PaaS model, a bundle of modifiable software and infrastructure is delivered [10]. A platform for end users to host their developed applications or services is offered, but there are threats that lie within these platforms. In that case, the CSP would have to offer good assurances that the platform is free from threats such as intrusion, hackers, malicious code and also liabilities associated with the machine-to-machine Service Oriented Architecture (SOA) such as governance [7]. However, better security control exists in the IaaS model since most providers of IaaS offer resources like virtual machines as a service. Nevertheless, virtualization has security issues such as data location and data control since the customer still would not have control over the data.
no clear description of the roles and responsibilities of cloud stakeholders regarding cloud adoption and usage. In addition, compliance issues manifest particularly when security breaches occur and neither party claims responsibility. This usually leaves vulnerable parties, especially users at risk. Such practice also fosters uncertainty for cloud users who intend to adopt cloud computing offerings. Efforts are made in this paper to classify the issues and also
B.
Regulatory Issues Regulatory
issues
arise
when
legal
restrictions
are
promulgated by a government authority, or when there are contractual obligations that bind different parties. •
Compliance
identify stakeholders' responsibilities in order to mitigate the
In general, compliance involves adherence to established
impact of cloud security and compliance. Following a literature
standards, specifications, regulations, or laws [11]. In order to
review, conference and journal articles were analysed and
guarantee that CSPs provide required delivery, CSPs and
outcome was synthesized in order to derive the classification.
enterprises enter into Service Level Agreements (SLAs) [12].
978-1-908320-20/9/$25.00©2013 IEEE
654
The 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013)
SLAs should have provisions to allow for the measurement and
instituted in order to avert the dangers of such scenarios. Cloud
enforcement
and
clients require confidence that their organisation will continue
guarantees of uptime should be part of the SLAs [12]. CSPs
to function even if the CSP environment is compromised by
include matters such as required or expected service levels via
such disasters [13].
of
the
service
levels.
Response
times
quality of service (QoS) constraints, level of service (LoS) accessibility, security measures and rates of services in those Nonetheless,
users and organisations still need to be
ultimately responsible for assuring their data security and integrity. This leaves the client at a vulnerable end of the agreement since they do not have direct control of their data. Clients need to prove their own compliance with security irrespective of the
location of their data and
applications [9]. When a business entity decides to use the cloud, potential compliance issues could arise at the same time. This is because the organisation is actually requesting another party to handle its compliance activities [2]. These compliance activities are part of the organisation' s day-to-day running and they include tax requirements, internal control policies, private laws, industry specific regulations, and other legal statues.
vulnerable to cybercriminals [14], when cybercrime 2.0 also emerged. This suggests that cybercrime is lucrative and closely imitates the real business world [14]. Cybercriminals often target
financial
institutions,
enterprises
and
government
departments. •
Network availability
The importance of cloud computing is determined by the availability of the network resources, including minimum bandwidth requirements [10]. This is best covered by Service
an assurance that bandwidth would be available as per request;
Technologies
(lCTs)
are
unique
to
each
jurisdiction. These are laws and regulations with regard to data usage and storage demand, consistent reports and audit trails. Respectively, CSPs need to make sure that their clients adhere to these laws and regulations
[1]. Therefore, it becomes
difficult to use the cloud if the data that are required for processing are subject to a number of legal limitations and regulatory compliance [10]. •
[2]. Information is vulnerable to be misused by cybercriminals. For example, the upgrade of Web 1.0 to Web 2.0 in 2004 was
including that of network availability [7]. The CSP would offer
The regulations and laws that govern Information and Communication
and exposure as compared to using a privately owned network
Level Agreements (SLAs), which defme the service levels,
Regulations and laws
•
Cybercrime 2.0
Data communication on the cloud causes data susceptibility
SLAs [3].
standards,
•
otherwise, it becomes a breach of agreement. •
Security breaches
In case of security breaches identified in the cloud, It IS crucial that the party concerned be informed timeously. In contracts between the CSP and the client, it should be specified clearly that in case of a security breach, the party concerned should
be
infonned
in
order
to
avoid
ambiguity
in
responsibilities [10].
Governance
Governance is a key element of cloud security compliance.
D. Data-oriented Protection Issues
In cloud computing, clients sometimes lose total control of the
Data protection issues mainly arise from intention to secure
cloud environment to the CSP, thereby compromising security
data and safeguard it from loss and unauthorized use.
in areas that require attention [12]. The availability of cloud computing services, coupled with the lack of organisational regulators over employees engaging with such services may compound
the
compliance
issue
[11].
Cloud
computing
policies need to be introduced for the purposes of protecting potential users from security threats. Laws and regulations that are instituted need to be monitored and enforced so that employees will not fmd loopholes for non-compliance.
C.
Socio-technical Issues Socio-technical issues are the combination of issues that
emanate from the social and technical view of using the cloud.
•
In most cloud computing cases, the client is unaware of the location their data. More so, data processing and handling laws differ from one country to the other [13]. It is extremely difficult to ascertain whether enough safety procedures are in place and also whether the regulatory compliance statues are met when the data are located outside the company premises, let alone outside the country [11]. This means that whenever there is trans-border data transfer, it would be difficult to detennine whether the data is safe or not.
Examples of such issues include cybercrime, risk management, disaster recovery, security breaches and network availability. •
Risk management and continuity
Data location
•
Data privacy
Data security and privacy risks have become the main reason
why
organisations
are
reluctant
to
adopt
cloud
Organisations need to ensure continuity in case of disasters
computing [1]. Privacy is essential for organisations, bearing in
or unexpected events. Disasters and unexpected events like
mind that some personal and sensitive information such as
earthquakes, liquidation, or fire may result in data loss. In such
passwords may need to be stored on a cloud system. However,
cases, the organisation would want to retain its data and
there is little or no knowledge as to how the infrastructure is
relocate it to a different cloud provider [10]; therefore, this
going
should be considered before deploying the services on the
organisation to break privacy regulations [15]. Organisations
to
manage
the
infonnation
without
forcing
cloud. Most importantly, a disaster recovery plan needs to be
978-1-908320-20/9/$25.00©2013 IEEE
655
the
The 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013)
need to protect the privacy of the data they hold and cannot sell
and/or
or disclose it to a third party [13].
responsibilities: a)
Data transparency
•
individuals.
It
has
the
following
roles
and
Service provision: The responsibility of the service
provider is to make the service available to the parties
In a SaaS service model, data are received and processed by
requesting such services [5]. As such, the cloud provider is
the CSP and then archived at the other end of the network. As
entitled to provide the cloud services as needed by the third
the data is transmitted, it needs to be secured [7] by using
party. The cloud provider and client enter into a Service Level
encrypting technologies such as Secure Socket Layer (SSL)
Agreement (SLA), which is a part of a service contract
and Transport Layer Security (TLS). These are adequate data
between the consumer and the provider that formally defines
encryption technologies that were used before the advent of
the level of service to which the cloud provider needs to
cloud computing. Currently, malicious hackers and attackers
adhere [7].
may take advantage of a weak network configuration and sniff
b)
Cloud management: The cloud provider manages the
out the data packets. It is important for organisations to know
computing infrastructure in which the platform runs and also
their data location and the encryption methods
maintains the software with the components of the platform.
that are
employed.
The providers also maintain the cloud system by providing the
Table I gives a summary of the cloud security and
necessary support to the cloud environment and to the client.
compliance threats according to their category. It also relates
c)
Cloud security management: CSPs are required to
the service models based on different threats. For example,
have strong security policies in place. They need to provide
cybercrime is a socio-technical issue that mainly affects a cloud
credibility to the client by implementing sound security
user who requires SaaS, while compliance is a regulatory issue
policies. Some of the key security issues the CSP needs to
mainly affecting users of all service models.
give attention to include, but not limited to, sound security policies within the cloud system, disaster recovery plans,
TABLE I Cloud Threats Category vs. Service model
back-up d)
category vs. service model Data Regulatory
protection
issues
issues
oriented
Issues
.
f:
-"
;::
2 . u
�
�� *
IaaS
*
PaaS *
SaaS
c� ..c: ... () '" OJ ()