Enlarge text Enlarge text Enlarge text    Print

Resources

Newsletter Article

Data Security – The Case Against Cloud Computing

Published: 05/25/2011

By Bernice Karn

Introduction

From a legal perspective, the need for data security by cloud users is a given. The user wants the data to be secure, period. At its most basic level, this means that the data entrusted to a cloud provider should not be subject to unauthorized access or disclosure or to modification or corruption. However, other risks are also inherent in cloud computing. This paper takes the position that, in spite of the perceived economic advantages of cloud computing such as scalability, speed to market, lack of capital investment by the user, and leaving computing functions to the experts (i.e., cloud providers) key business should never be entrusted to the cloud.

What Does “Cloud Computing” Mean?

Although definitions of cloud computing vary among experts in the field, the National Institute of Standards and Technology (“NIST”) in the U.S. defines cloud computing in terms of characteristics, service models and deployment models.According to Peter Mell and Tim Grance of NIST, cloud computing means “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Characteristics

NIST describes five characteristics of cloud computing that attract users. The five characteristics identified by NIST are:

  1. Cloud computing is an “On Demand” service. Classifying a service as “on demand” means that the user can unilaterally provision computing capabilities automatically without the need for any human interaction with each service’s provider. So, through the user interface the user may be able to order additional network storage space or possibly schedule server time.
     
  2. Broad network access. Whether the user is accessing infrastructure, platforms or software, all are available over the network and accessed through standard mechanisms that promote use by various types of thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
     
  3. Resource pooling. The cloud provider uses a multi-tenant model to pool computing resources. These resources, both physical and virtual, are dynamically assigned and reassigned according to consumer demand. In addition, the resources may be varied by type of equipment and may be located in any number of disparate jurisdictions.
     
  4. Rapid elasticity or scalability. In a cloud computing model, the computing resources can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in as required by user demand.
     
  5. Measured Service. Cloud systems have the ability to measure the service and therefore control and optimize resource use (e.g., storage, processing, bandwidth, and active user accounts). This monitoring and control ability provides transparency for both the provider and consumer of the utilized service.

Other widely recognized benefits of cloud computing include: the cost savings of using a multi-tenant model; centralization of resources making maintenance, sustainability, management and control of resources easier; the perceived environmental benefits of building and operating fewer servers; standardized and hardened images offering better resilience against malicious attacks, and leaving the operation of sophisticated systems to the experts (i.e., the cloud provider).

Service Models

NIST has identified three “service models” through which cloud computing is offered. They are:

  1. SaaS  The concept in “Software as a Service” is the simple use of the cloud provider’s applications running on a cloud infrastructure. The user does not manage or control the underlying cloud infrastructure such as the network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. This is a very “commercial off the shelf” example of cloud computing.
     
  2. PaaS  The next layer of complexity in cloud computing, “Platform as a Service”, as far as the user is concerned, is to deploy onto the cloud infrastructure consumer-created or acquired applications using programming languages and tools supported by the provider. As in the case of a SaaS model, the user does not manage or control the underlying network, servers, operating systems, or storage, but in the case of a PaaS model, the user does have the ability to control the deployed applications and potentially application hosting environment configurations.
     
  3. IaaS  The most comprehensive model of cloud computing is known as “Infrastructure as a Service”. In this model, the provider supplies the required processing, storage, networks, and other fundamental computing resources and the user is able to deploy and run any software that it may require, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). 

Deployment Models

Finally, NIST identifies four different types of deployment models for the foregoing service models. These deployment models are:

  1. Private cloud. The cloud infrastructure is operated solely for one organization. It may be managed by the organization or a third party and may exist on premise or off premise. Arguably this may be the most secure type of infrastructure, depending on the nature of the controls deployed and the diligence of the operator.
     
  2. Community cloud. In this model, the cloud infrastructure could be shared by several organizations and supports a specific community or interest group that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
     
  3. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
     
  4. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Click here to view the full article.

This article is also appeared in the May edition of the Privacy Law Review published by LexisNexis.

[1] The author gratefully acknowledges the assistance of Rashesh Mandani, Student-At-Law in the preparation of this paper.

[2] Peter Mell & Tim Grance, The NIST Definition of Cloud Computing (2009), online:  National Institute of Standards and Technology <http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc>.

[3] Peter Mell & Tim Grance, “Effectively and Securely Using the Cloud Computing Paradigm” (Presentation delivered at the National Institute of Standards and Technology, 7 October 2009), online:  NIST <http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt#313,81>.