Cloud computing is undoubtedly the best technological advancement of the 21st century. Clouds offer a range of capabilities for small and large enterprises such as the flexibility to enter and exit, scalability, cost-savings among others. However, maintaining security of data in the clouds proves to be a hard task. Cloud computing poses significant challenges to the privacy of personal as well as corporate and government data. With the advancement and increase in the adoption of cloud computing, data security becomes more and more weighty. This paper attempts to analyse ways of maintaining data security in the clouds.
Cloud security is approached in three ways: Data confidentiality, integrity and availability. Confidentiality refers to keeping data private from unauthorized access. As data leaves the borders of an organization and traverses to a storage medium or to be used in other departments, it must be safeguarded from unauthorized access. Secrecy of the data, metadata and transactional information must be guaranteed.
Though cloud computing provide real benefits to an organization in the form of cost savings, it introduces real issues in terms of privacy and confidentiality to an organization. This is exacerbated by the different regulatory frameworks and laws concerning privacy in many organizations. In the discussion and analysis of relevant laws, governments, private entities and litigants often cite that it is much easier to obtain information from third parties then to obtain from the creator. A cloud provider is a third party and its terms of service, privacy policy, location and rules and regulations governing access, sharing and use of information in that location affects a user’s privacy and confidentiality interests.
Since cloud computing is based on the sharing and distribution of computing resources and services via open networks, security is of concern. The implications of maintaining the security of data in the clouds are significant. With various privacy violations reported inside and outside the realms of cloud computing, it warrants a more careful consideration. Various security services are currently in place such as authentication, encryption and decryption, and compression. Whereas encryption technologies have been applied to secure the confidentiality of data, it is not a cure-it all. Cloud providers have the mandate to provide evidence to users that their encryption schemes are designed and tested beyond compromise by experienced specialists.
Cloud computing is built on top of virtualization. If there are issues with virtualization, there will also be issues with cloud computing. In order to safeguard the confidentiality of data in the clouds include the following mechanisms and technologies are applied:
Cloud information gateway technology
This technology is developed by Fujitsu in collaboration with Windows. The technology flexible can control data including data content and metadata transmitted between the organizations inside, to the cloud and between multiple clouds. It blocks confidential data from being accessed by unauthorized personnel as well as offer other additional features such as;
- Data masking: In this way, when data passes through the information gateway, confidential parts are stripped off by deleting or changing it before the data is transmitted to an external cloud provider. In data masking, all identifiable and distinguishing characteristics of confidential information are removed. Information traversing gateways is anonymous but still operable for the user.
- Secure Logic Migration and Execution technology: Confidential data that cannot be released past the organizational boundary even if they are formed by concealing certain aspects can be assigned different security levels. In this way, the information gateway can transfer the cloud-based application to the in-house sandbox for execution. Applications that require the use of confidential data are transferred to the remote sand-box for execution after which confidential data remains intact after operation. Sandbox will not allow data or networks that lack certain authentication credential.
- Confidential data can be better managed by employing data traceability practices. The information gateway tracks all information moving to and from the cloud so that these movements can be audited. Using data traceability technologies to audit who accessed financial information in an organization, for instance, helps maintain confidentiality of such data. Data traceability use logs derived from data traffic as well as metadata from the data used in the clouds.
- Authentication and identity: Authentication techniques takes a number of ways combining what the user knows, what they and a measurable characteristic that is unique to them (fingerprint). Authentication through encryption has been commonly used to protect data in the clouds. Encryption is used to assure confidentiality and integrity in case of a breach between the parties exchanging data. Authentication is used to restore confidence between the parties communicating in a data exchange process. Cryptographic techniques have been used to authenticate themselves to systems and data in the clouds.
Other than technological prospects, behavioural aspects are used to secure confidentiality of data in an organization. User policies defining the role of cloud providers as well as the user interaction in the cloud play a crucial role in ensuring that information is safely accessed, stored and retrieved. An organization should establish proper controls to guarantee that only authenticated employees are accessing the data. Technology can be used to audit the system, but employees must also be managed through organizational policies.
The cloud provider is required to be proactive with global regulatory systems and policy agencies so that mandates and best practices are implemented always. Prior to choosing a cloud provider, organizations should scrutinize the performance and regulatory adherence of cloud vendors. Organization should understand in advance their requirements in respect to regulatory measures and policies guiding data privacy in their countries. Also, Service Level Agreements between organizations and cloud vendors defines in detail the responsibilities, obligations and roles of both parties in maintaining the confidentiality of cloud data. A user’s privacy and confidentiality risk varies significantly depending on the terms and privacy policy. The risk is inflated when the provider has reserved rights to alter its terms and conditions at will. This way, the cloud provider, can violate laws under which the data was collected for own benefits, and thus, should be held responsible. Other determinants of the privacy relationships between the vendor and the client are procedural or substantive barriers, which may impact the limit of disclosure. For instance, health records need formal agreements before sharing while government data may be limited by records management and disposal laws.
In conclusion, confidentiality of information in an organization is a factor of many requirements. Organizations need to preserve the confidentiality of their data through technological and logical processes. Because any one solution is not the magic bullet, organizations should tailor made their controls according to their structure and their operational requirements.
References
Grobauer B, W. T. (2011). Understanding Cloud Computing vulnerabilities. . IEEE Security Privacy, 9(2):50–57.
Keiko Hashizume1, D. G.-M. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and applications , 4/1-5.
Rittinghouse JW, R. (2009). Security in the Cloud. In: Cloud Computing. Implementation, Management, and Security,. CRS.
