The Privacy Of Cloud Security

Published Date: 02 Nov 2017

In today’s day and age of modern technology, information is the key to everything: success or downfall, the right information can get you whatever you want. Cloud Computing is just such a technology, that allows users to access information over a cloud or network, without having to go through all the trouble of installing extra hardware and software. Companies with a large employee base and large data files are resorting more and more towards cloud computing systems, which help decrease work load and leave more space (physically at the workplace and also within the system).

Technically speaking, Cloud Computing is done when computing resources are used over a network – typically, this network is usually the internet. The name Cloud Computing arose from the diagram that represents this technology, which shows a cloud encompassing all the applications that are possible using this particular technology, along with its infrastructure and the different platforms that can be used in order to access it.

The benefits of Cloud Computing include, but are not exclusive to, the significant workload shift that takes place on both sides. The end user suddenly finds himself with fewer demands when it comes to hardware and software, with the local computers no longer being required to run all the heavy applications. It is the network of ‘clouds’ that runs everything instead, with the user only having to access the information via a particular interface that their computer must be capable of running. This interface can be as simple as a Web browser or even a mobile app. [2]

For the layman, Cloud Computing can be broken down into two simple forms: the front end and the back end. The front end is the end the user faces – majorly, the interface (Web browser or app, etc.) being used to connect to the cloud. The back end is where the major ‘work’ is, comprising of the cloud section of the entire system. While the front end includes the client’s computer/device and the particular interface required to run it, the back end comprises of servers, data storage systems and various other computers than form the network comprising the cloud.

Technically speaking, a Cloud Computing system works with a central server monitoring traffic and client demands. It must follow a set of rules preordained for it in order for everything to run smoothly; these rules are also known as protocols. The central server also uses special software known as Middleware, which allows computers in the network to easily communicate with one another. Since one server has a lot of processing power, and it usually is not run on optimum levels, it is possible to ‘trick’ the server into thinking that it is actually many different servers, and thus receive the same amount of work from it as you would from various different servers – helping to reduce the need for physical machines. This also helps when a company has a large amount of data and a vast employee/client base, which requires access to its data.

One of the major benefits of Cloud Computing is that it can, at least theoretically up until now, run any application the user wishes. From video games to data processing to simple storage, Cloud Computing can do it all; the only glitch is that the user must have a readable interface, with which to easily access the cloud. Other benefits of using Cloud Computing include ease of access to application software and databases, faster running of applications and easier for the IT department in the company(s) to adjust resources required by employees/clients according to demand using the cloud service.

When thinking about the vast array of applications that are made possible due to Cloud Computing, it simply boggles the mind when one realizes that this is simply the first step into the future. Other offerings of Cloud Computing (and, subsequently, the benefits) include the lack of physical storage of information – clients can easily access their information as long as they have an interface (usually the internet); and decrease cost when it comes to hiring IT personnel. With inflation and production costs increasing exponentially worldwide, Cloud Computing helps employers by letting them use another’s hardware to save their own data. It can allow flexibility of infrastructure and the adaptation of resources at the cloud’s disposal, along with faster deployment of applications used on the consumer’s end, thus saving a lot of time and cost.

However, given all the above benefits of Cloud Computing, there are certain concerns regarding the concept and technology used that have arisen over the past few years. The biggest of these are the concerns about security and privacy, both of which are highly different things. It is understandable that most companies are hesitant about using this technology, since they would prefer their information to be under lock and key given the sensitivity of most company data and market competition.

In defense of the companies providing these services, the counter argument can be that they live or die by their reputations – thus it is in their own interest to provide the best security available, and keep on updating it so that there are no threats where the security of their clientele’s information is concerned.

Make no mistake; privacy is another matter entirely when compared with security. Security is when your data or possession(s) is under threat of being stolen by another party; privacy on the other hand is your ability to be the sole person authorized to access your data. You will note, however, that they are both strongly connected to each other. Companies providing Cloud Computing services can employ various techniques to ensure the privacy of their clients. These include, but are not exclusive of, authorization: password, certain login details, etcetera; encryption keys, and fingerprint scans.

Another way to ensure protection of the client’s data and their privacy is to introduce the authorization format, whereby only the data relevant to that client can be viewed, and nobody else’s information is on display.

One avenue that is at present being researched, with regards to both security and privacy of the clients using Cloud Computing, is autonomic computing. This involves an intelligent central system that keeps constant check on the data going in or out, ensuring that there are no problems – be it internal, or external. However, it has as yet been unexplored given the fact that its introduction would mean the loss of several different IT jobs.

As with many other aspects of all businesses, legal issues also arise when it comes to Cloud Computing. These include trademark infringement, security concerns, and sharing of proprietary data.

Other concerns regarding Cloud Computing are more philosophical than anything else. Mostly based on user opinions, they include questions such as: Does the user or company using the cloud services own the data? Or is it owned by the cloud service provider? Is it possible for a cloud company to deny its customers access to their data? How will cloud computing affect other businesses and industries across the world?

In order to ensure maximum privacy inside Cloud Computing systems, developers use various techniques when developing these particular information systems. These include battling Vendor Lock- In, using Open Source, Open Standards and implementing various Security Procedures.

There are three types of Vendor Lock Ins possible, which are as follows: [3]

Platform Lock In: these cloud services are based on different platforms. However, for a client to jump from one platform to another is very difficult. Developers are trying to ensure maximum security when such a jump takes place within a particular cloud.

Data Lock In: technology used for Cloud Computing is very high, and the data stored within clouds is naturally the property of the client who stored it (however, this topic is at present still under discussion across the globe). Given how new Cloud Computing is, developers are trying to build a safer way for clients to remove their data off the cloud’s server whenever they wish to do so.

Tools Lock In: this takes place when one cloud environment is not compatible with the tools or applications the client(s) is using to access that cloud.

To combat Vendor Lock Ins, developers use heterogeneous cloud computing. The absence of Vendor Lock Ins, as in this case, lets the user or end consumer choose what tasks he/she wishes to undertake or which visual enterprise they wish to deploy. There is a great difference between heterogeneous cloud computing and homogeneous cloud computing, whereby the latter uses only consistent building blocks to form one particular structure that is fixed.

Other techniques used by developers include Data Masking, Identity Management Systems, Legal Security, etc.

Some usual techniques that authors use to ensure data privacy include the following:

Homomorphic Encryption: this is a form of encryption that allows different types of computations to be carried out. These computations are done on ciphertext, and the encrypted result obtained can then be decrypted by another to get a completely different answer; matching the operations performed on the plaintext. Homomorphic Encryption can have partial cryptosystems or full cryptosystems, depending on what the use required is. Using this particular technique, a company could upload its entire database into the Cloud, and then use that data as required.

Obfuscation Technique: a very popular technique to use in order to secure the data being used or uploaded by the clients using Cloud Computing, this technique makes the code unreadable and uneditable by other people. It becomes difficult to understand due to its unique coding, making it impossible to duplicate and use illegally or without permission. Other similar techniques include minifying or packaging. In lay man terms, the Obfuscation Technique takes normal human readable code and makes it compact, changing variable names in the code into shorter names, removing spaces and changing places, so that the code, even though it remains the same and is absolutely workable, becomes ineditable, and unable to be copied or reproduced by outside parties, enhancing security a thousand fold as compared to other security measures.

TPM: "Trusted Platform Module" is the both the actual name used when detailing a secure crypto processor to protect information, along with the general name for the techniques and processes used in order to do so. To the end user, facilities are provided for the secure generation of keys, which enhances security when using Cloud Computing Systems. TPM can be used in various ways to enhance security: Platform Integrity – ensures secure storage of data onto the platform being used to access that particular cloud, and also makes sure that the platform is being used as intended, without giving access to outside parties so that data remains secure; Disk Encryption – this can be used to protect the encryption keys that encrypt computer’s hard disk, securing data. However a number of third parties prefer not to use it, TrueCrypt included. Password Protection – access to client data on the cloud is often protected and requires authentication for obvious reasons, however if this access is only reduced to the software level implementation, it can come under attack from various sources. These attacks are called Dictionary Attacks, and are combated effectively by TPM, which is encrypted within the hard drive, thus giving the user the option to choose weaker passwords that are easier to remember. Without TPM, higher security passwords would be required.

Going over the information so far; Cloud Computing helps clients use data without taking up much space. It reduces cost efficiency, increases security and availability of access and provides various different services without adding to the physical or monetary cost of adding extra hardware. However, to tackle the various concerns of Cloud Computing, developers have begun using the above ways, which include Homomorphic Encryption, Obfuscation (preventing code from being copied by making it unreadable) and TPM techniques (protection of code keys used in Clouds). [4]

The Cluster Approach to coding involves a group of code that are put together so that they may work towards a common objective. For the layman, this can be described as hard core math being used during code. There are various forms of Clustering; in the supervised learning algorithms, a code model is trained to predict a particular outcome using various permutations and combinations of data fed into it. These concrete algorithms are used in order to undertake highly technical processes and get very specific results, majorly used during scientific research. [6]

Finally, it is very important to build trust between the user – end consumer – and the cloud provider. This is because all the data the user feed into the cloud goes into the system; and it is natural for concerns to arise in the hearts of the client, with respect to their data and its security – problems that we have already discussed in the previous pages.

In the age of consumer interests, cloud providers are rushing more and more towards increased information access to the end client, without losing their own hold on the product. High competition in the field also increases the tensions. The major aspects most marketers regularly point out during such transactions – especially Cloud Computing Systems, are trust between the end user and the system provider.

There is a fear that third parties might be able to access data that is sensitive to the company and its image. Thus, when marketing cloud systems, providers make sure to say the following: "Enterprises that have, or are considering, the move to cloud computing should understand that they are not simply purchasing a specific product or service. Rather, they are entering into a partnership with their cloud provider. An enterprise's cloud provider becomes an extension of the enterprise IT department. As a result, the vendor should be considered a trusted partner. In order for this to happen, both client and vendor must commit to communication and transparency that is generally foreign to the purchase of on-premise IT solutions". [7]

The explosion of cloud companies and their various offerings is an emphasis on how far the IT market has grown, and a brief peek into the future. Cloud Computing has provided a way forward where many where giving up hope; and in order to introduce it further and embed it deeper into the industry and the average user, there must be a level of trust – significant level of trust – between the end user and the provider of the cloud system.

This can only come when the provider ensure complete security and absolute privacy to the data being used and uploaded into the cloud by the client, and this can be done by the steps discussed above (coding/ authorization/ passwords, etc). Both front end and back end systems must be involved if trust is to be built between the provider and the user of clouds, but it will naturally take time. Names are not built over night, and neither is trust. It is a slowly growing factor, between the provider of the cloud service and the user of the product.

With respect to third parties using or accessing data into the cloud system, techniques are being used to prevent such happenings. Brand endorsements of certain cloud providing companies is another major way to ensure trust and faith in that particular provider, without any room for doubt or hesitancy in the consumer’s mind.

Third parties can also be used in order to bridge the gap of trust between the user and the provider of clouds; third parties can delve deep into the clouds system and gauge appropriately its strength and weaknesses, thus providing and giving a better version of the product to the client – and a more trusted one, compared to the version the client is likely to believe he is getting from the main provider himself. [8]

Other keys to building trust are ensuring full transparency during operations, so that the client is fully aware of all the procedures that take place behind the scenes. These include making the client aware of policies before hand, helping them understand the infrastructure that goes into making and running the cloud without overwhelming them by too much information and finally, by giving them on the job support and maintenance help as and when required. [7]

Finally, given the tight legal regulations in today’s world, run by information technology, where information is as priceless as they come; it is no wonder that legal regulations have been tightened every day until the provider can hardly draw breath without gasping. [9] These regulations are only in place to instill total confidence in the system by the end user, and ensure no cheating is undertaken by the provider at any cost. Information is completely protected.

Thus following are some legal regulations that cloud providers must face:

Third Party Involvement: as discussed above, third parties ensure that no foul play is being undertaken. All procedures are being followed and the client is getting the treatment and trusted service he deserves

Contractual Issues: These include Initial Due Diligence – ensuring that before entering into a cloud providing service, your company does a thorough check of the reviews associated with the name of the cloud service provider. Contact Negotiation – make sure your company is not being ripped off by the cloud service provider, and he is giving you the standard rate for providing the service. Implementation – this is done via several Third Parties, but the end user can also undertake certain procedures to effectively ascertain that the policies and procedures that were mentioned in the contract agreement are being implemented as is. If not, this becomes a legal matter and the provider liable to answer to the court. Termination – after the contract ends, it is the choice of the consumer whether to continue forth with the same cloud provider or end the agreement. If the latter option is chosen, it is beholden upon the service provider to let the client go without any fuss, and also to give back or transfer the data given to the provider by the client to wherever the client wishes to transfer it for future use. Finally, Supplier Transfer – this takes place once the client decides to terminate the contract, and shift to another supplier of the cloud service.

All the above points are very important and legally bind the cloud provider to them. If any shift in the implementation of these points occurs, he can face very harsh charges from the law in case of information exploitation and various other incidents.

CITATION

[1] Christian Sven Collberg, Clark David Thomborson, Douglas Wai Kok Low: Obfuscation techniques for enhancing software security. InterTrust Technologies Dec, 23 2003:

[2] Johnathan Strickland: How Stuff Works, October 2, 2012.

[3] Erica Naone: Making Cloud Computing More Secure, June 2011.

[4] Trusted Platform Module Specifications, Trusted Group

[5] TPM Main Specification Level 2, Version 1.2 – Design Principles, 2012

[6] Mingru Wu: A Learning Approach for Clustering, 2011.

[7] Seth Payne: Building Trust between Consumers and Cloud Providers, March 4 2013.

[8] PWC: Protecting your brand in the cloud

[9] J.R. Wrinkler: Cloud Computing: Legal Regulations, May 2012