Faculty of Technology and Society

Department of Computer Science

Master Thesis Project 30p, Spring 2013

On Information Security Processes in Cloud Computing

By: Suzan Mahmoud

Supervisor: Andreas Jacobsson

Examiner: Marie G. Friberger

Contact information

Author: Suzan Mahmoud
E-mail: mahmoud_suzan@hotmail.com

Supervisor: Andreas Jacobsson
E-mail: andreas.jacobsson@mah.se
Malmö University, Department of Computer Science.

Examiner: Marie G. Friberger
E-mail: marie.friberger@mah.se

Abstract

Cloud computing allows user access to virtual services (applications, servers and devices, digital storage and service packages sources) through a network using a web browser. Cloud computing is rapidly growing and has become an attractive and affordable service model among organizations. It has many benefits but is also associated with many risks and security challenges.

In cloud computing users can connect with any device and use virtual computing services at any time and from anywhere, which has brought new challenges for enterprise security. The problem of securing data in the cloud and building trust in the cloud computing environment has become a widely discussed and important issue.

This research aims to investigate how enterprises deal with security problems and protect their data in the cloud through security measures and processes. It also investigates what processes could be adapted to the security environment. To achieve this, an empirical study was performed. The empirical study consisted of interviews with a number of enterprises that use cloud computing in their business, with the purpose of giving a deep picture of how they handle security issues related to their cloud services.

The empirical study revealed differences and similarities in the security measures used by the different organizations, depending on the size of the organization and the type of services used or provided by the organizations. Information security should be managed in a series of processes or procedures, linked together in an environment such as the information security management system (ISMS¹). On the basis of the evaluation of the interviews and literature, a cloud environment with different security processes is defined.

1 Information security management system, http://en.wikipedia.org/wiki/ISMS

Keywords: Cloud Computing, Information Security, Security Management, Cloud Computing

Table of Contents

1 Introduction
1.1 Goal
1.2 Research Questions
1.3 Outline
2 Research Methodology
2.1 Literature Review
2.2 Interviews
2.3 Selection of Interviewees
2.4 Conducting the Interviews
2.5 Design of Security Processes
2.6 Data Analysis
2.7 Threats to validity
3 On the Foundations of Cloud Computing and Security
3.1 Cloud Computing
3.1.1 Cloud Computing Architecture
3.1.2 Cloud Computing Stakeholders
3.1.3 Cloud Service Models
3.1.4 Cloud Deployment Models
3.1.5 Cloud Characteristics
3.2 Security
3.2.1 Information Security
3.2.2 Security Threats
3.3 Information Security Processes
3.3.1 Management of Information Security
3.3.2 Standards
3.3.4 Responsibility
3.3.5 Risk Analysis
3.3.6 Information Classification
3.3.7 Procurement process
3.3.8 Protection Work
3.3.9 Continuity Management
3.3.10 Identity and Access Management
3.4 Compilation of Information Security Processes
3.5 Concluding Remarks
4 Empirical Study
4.1 Presentation of Participants
4.2 Cloud Services
4.3 Security Concerns
4.4 Agreement
4.4.1 Responsibility of Security
4.4.2 Effective Updates and Backups
4.4.3 Personal Data
4.5 Encryption
4.6 Technical and Administrative Safeguards
4.7 Local Process
4.8 Standards and Policies
4.9 Developing Security Processes
4.10 Benefits and Challenges
4.11 Security Approach
4.12 Security Improvements
4.13 Cloud Vendor or In-house Server
4.15 Concluding Remarks
5 Discussion
5.1 Cloud Services
5.2 Security Concerns
5.3 Agreement
5.4 Responsibility of Security
5.5 Effective Updates and Backups
5.6 Encryption
5.7 Technical and Administrative Safeguards
5.8 Local Process
5.9 Standards and Policies
5.10 Benefits and Challenges
5.11 Cloud Vendor or In-house Server
5.12 Concluding Remarks
5.13 Process Design
5.13.1 Processes
5.13.2 Awareness
5.13.3 Compilation of Theory and Empiri
5.13.4 Concluding Remarks
6 Conclusion and Future Work
6.1 Future Work
References
Appendix I: Interview questions
Appendix II: Dell Interview
Appendix IV: Sony Interview
Appendix V: LDC Interview
Appendix VI: AB Interview

List of Figures

Figure 1: Visual model of NIST working definition of cloud computing
Figure 2: Cloud Service Models, Al Morsy et al. (2010)
Figure 3: The PDCA - model
Figure 4: Security Processes of cloud computing
Figure 5: Security processes in the cloud ecosystem

List of Tables

Table 1: Key concepts of information security threat and protection
Table 2: Top Threats in Cloud computing for 2013 (Cloud Security Alliance, 2013)
Table 3: Compilation of information security processes
Table 4: Compilation of Interview results

1 Introduction

Cloud computing is an exciting area of research because of its explosive growth. It has become a widely discussed research topic in recent years and is becoming more popular. Cloud computing is an architecture technology that ultimately allows user access to virtual services (applications, servers and devices, digital storage and service packages sources) through a network by using a web browser. The idea behind cloud computing is to “provide a large amount of services in a virtualized manner in order to reduce the server sprawl, inefficiencies and high cost” of administration and infrastructure (Inbarani et al., 2013). In cloud computing, software applications and databases are moved to large centralized data centers (Wei et al., 2010).

Cloud computing is an architecture that ultimately allows user access to virtual services (applications, servers and devices, digital storage and service packages sources) through a network. The National Institute of Standards and Technology (NIST), an organization that publishes standards and guidelines for Information Technology (IT), defines cloud computing as a model for enabling shared access to computing resources (e.g., networks, servers, storage, applications, and services) that can be managed efficiently and with little interaction of the service provider (Mell and Grance, 2011). Cloud computing, “a new age of ‘anytime’ and ‘anywhere’ computing” using ‘any device’, has introduced new challenges in enterprise security (InfoSecurity, 2011). Two examples of the use of cloud computing are Gmail and Dropbox. The collapse of Google’s Gmail in February 2009 (Fiveash, 2009) and the software update that caused the Dropbox security failure in June 2011 (McCullagh, 2011) make some potential cloud users hesitant to use cloud computing.

Security is an important issue in the IT world and even more so in cloud computing. The problem of securing data in the cloud and building trust in a cloud computing environment is not only a current research topic, but also a challenge. Wei et al. (2010) confirm the importance of cloud data security with the following statement:

Even though cloud computing is envisioned as a promising service platform for the next-generation Internet, security and privacy is one of major challenge which prevent its wide acceptance in practice.

Often, researchers discuss security and privacy concerns either without distinguishing between the concepts or with little explanation of differentiation.

Jacobsson (2008) believes that both security and privacy complement each other. Users need privacy to know and control who has their personal information, as well as security by knowing how others access this information (Jacobsson, 2008).

There are anonymity tools that help protect the privacy of users, but anonymity makes it difficult to discover security violators and in this way causes serious security concerns (Jacobsson, 2008). It is impossible for the user to have 100 percent security and 100 percent privacy, so by enhancing security some privacy has to be sacrificed. It is important that mechanisms for protecting privacy are embedded in all security solutions (Takabi et al., 2010). Jacobsson argues that privacy and security should not be used as synonyms and says:

In privacy, the main task is not to protect the data in itself; it is the task to protect the personal sphere represented by the data and their relations associated with that person (Jacobsson, 2008).

The enhancement of security and privacy strengthens trust (Jacobsson, 2008). Trust relates to the interaction of the service provider and organizations, and the information exchanged between the two. Mather et al. (2009) say:

A major concern is to trust that a company’s or an individual’s information is both secure and private. Establishing this trust is a major milestone in the adoption of the full range of cloud computing (Mather et al., 2009).

Cloud computing has become an attractive and affordable service model among small and medium enterprises (SMEs). However, it is also associated with many business risks and security challenges. The adoption of cloud computing weakens important business-level security policies, processes, and best practices which makes the companies vulnerable to intrusions (Cloud Security Alliance, 2013).

1.1 Goal

As mentioned previously, there are concerns about security and challenges related to security and privacy in the event of the adoption of cloud computing. Organizations may face benefits and problems in cloud computing security. The goal of this thesis is to investigate how enterprises deal with security problems and protect their data in the cloud through security measures and processes. Security processes such as policies and procedures help to increase the effectiveness and quality of cloud computing services. Therefore it is important to evaluate current processes used by organizations to secure their data in cloud computing and to define a security process, with its included activities, that can be used by organizations for more secure cloud computing. From these current processes, standardization may be observed.

1.2 Research Questions

A security process is a process that is designed to manage information security (MSB, 2011). A clearly defined process facilitates the work and helps increase the effectiveness and quality of cloud computing. Information security management is crucial in cloud computing. Although processes have been established for information security in closed systems, few have been established for cloud computing, and of those, there are no standard policies and procedures. The question remains, then: how are organizations currently managing information security in the cloud, and can these individual processes be standardized for all organizations using various aspects of the cloud? This translates to the following RQs:

RQ1: How do organizations manage data security and protect themselves against threats and risks in cloud computing?

RQ2: How should data security processes be designed to help organizations increase the benefits of cloud computing services?

This research challenge also gives reason to investigate how organizations deal with security issues and protect their data in the cloud through available security measures and processes, and what processes could be adapted to the security environment to improve security in cloud computing.

1.3 Outline

The thesis contains the following chapters:

2. Research Methodology: In this chapter the research approach undertaken for this thesis is described. First, the chosen research methodology is described where the research process and a brief literature review are specified. Then we introduce the possible data collection methods and then a data analysis is done to evaluate the data collected.

3. Foundations of Cloud Computing and Security: Chapter 3 presents literature studies on prioritization factors and currently available techniques and methods. This chapter contains a presentation of the central concepts in the thesis and the concept of cloud computing is clarified. Key aspects such as scalability, as well as cloud categories are discussed. Security risks in cloud computing are identified.

In this chapter we review how important information security is for enterprises and how it is handled by organizations using cloud services. We explore how important processes are for information security and what processes are important.

4. Empirical Study: In this chapter, a brief background description of the participants is given and then the empirical material and its findings are presented. This chapter introduces the interviews conducted with different organizations to identify what security solutions and measures are used to protect the data.

5. Analysis: In this chapter we analyze the interviews as well as the process. We analyze the interviewees’ statements, link them to previous research results and discuss them.

6. Conclusion: In our conclusion we will have a presentation and discussion of results,

2 Research Methodology

In this section we describe the research approach undertaken for this thesis. First, the chosen research methodology is described, as in section 2.1. Then the data collection methods are introduced, section 2.2 and section 2.3. Section 2.6 discusses the design of security processes and how the included procedures were defined, then in section 2.7 a data analysis is done to evaluate the data collected and finally threats to validity are discussed in section 2.8.

The empirical material consists of interviews with organizations using cloud computing, to get a deep picture of how organizations deal with security. The interviews show the extent to which organizations use processes and what kind of security measures are applied to security management in different organizations. In addition to literature review and qualitative interviews a process of information security will be designed.

2.1 Literature Review

The literature review provides the conceptual framework and the foundation of a research (Oates, 2006). The purpose of the literature review is to identify possible research areas, evaluate material for possible research topics and to gather and present evidence to support claims that new knowledge has been created (Oates, 2006).

A literature review is conducted in several steps: Searching, obtaining, assessing, reading, critically evaluating, recording and writing a review. These steps have been undertaken while processing our literature review.

Since cloud computing is a recent phenomenon of only a few years, it is more practical to focus on online databases for a literature review on cloud. Keywords were selected for searching across the online databases with phrases relevant to “cloud computing” such as ‘cloud computing’, ‘cloud storage’, ‘cloud security’, ‘cloud privacy’, ‘cloud integrity’, ‘cloud provider’, ‘online security’, ‘cloud security threats’, ‘security process’ and ‘IT security’. After searching, the literature was obtained and assessed by evaluating their relevance to our research topic. The reference sections in relevant articles were used to find other related sources of information. The articles are classified based on the focus of the research to investigate how enterprises deal with information security problems in cloud computing and how they protect their data through security measures and processes.

Critical evaluation of literature is another important step in conducting literature reviews. This consists of reading the full text of each important article to compare and draw conclusions (Oates, 2006).

2.2 Interviews

In order to answer the research questions an empirical study was performed. The study consists of interviews with a number of enterprises that use cloud computing in their business, to get a more in-depth picture of how they handle security issues related to their cloud services.

In our research we have found that the qualitative research was preferable since we want to understand not only if the enterprises are using processes and defining what processes they are using but also understand why these processes are chosen and to what extent they are used in everyday work. “A qualitative research covers a wide range of different, even conflicting activities” (Silverman, 2011). Since we have enterprises with different backgrounds and different activities it is suitable to apply the qualitative method that allows us to study various phenomena up close. With this approach, there usually are fewer participants and a hypothesis is not necessary. The researcher does the interpretation of the tested material during the writing (Silverman, 2011). In our research, we preferred to study fewer enterprises in a more detailed approach.

Interviews are typically of three types: structured, unstructured or semi-structured (Oates, 2006). In this case, semi-structured interviews with predefined questions were conducted, so that the order of the questions could be changed or new or additional questions could be asked during the interview as a result of what the interviewee says. The interviews can be direct (face to face) or indirect (phone) interviews (Creswell, 2008).

2.3 Selection of Interviewees

The selection criterion among the interviewees necessitated that they would belong to organizations using any form of cloud computing. The organizations were chosen by making a general inquiry among friends and acquaintances, and by searching the web. Some friends spread it through their social networks including Facebook. Then the relevant companies were contacted to inquire about the possibility of participating in the interviews. The organizations to interview may be of different sizes with different numbers of employees. The reason is that we want to see how different organizations handle security processes whatever cloud services they use. This is to get a view of the security management at various organizations. The interviewees were IT security managers, IT managers or information managers.

2.4 Conducting the Interviews

The interviews were conducted by the researcher, with one company at a time. The participants were informed in advance about the purpose of the interview and how long it would take (Trost, 2005; Oates, 2006). We were clear in explaining that the main theme of this research is information security in the cloud.

From the ethical aspects, we explained that full anonymity for the study was possible and that fictitious names could be used. We indicated that a Dictaphone would be used during the interview and that the interviewee may end the interview at any time (Trost, 2005). Another option was to write down the answers by hand, which would be very time consuming and would lead to many interruptions.

The advantage of the Dictaphone was that we did not have to write all the time, but were able to listen better and ask follow-up questions. The downside was that it was very time consuming to write and compile the material. To be on the safe side, an iPod was used in addition to the Dictaphone to record the interviews. This was beneficial since it had better sound quality than the Dictaphone.

Interviews are often characterized by asking straight and simple questions to get longer and richer answers (Trost, 2010). To be prepared before the interviews background information was gathered about the organization to be interviewed (Oates, 2006). Before the interview, the questions (Appendix I) related to the purpose of the study were put together. Sometimes the order of the questions was changed to allow the interview to proceed coherently. The questions were designed so that they were easy to understand and where an average answer was expected. There was a pre-defined order of the questions: introduction, main part and conclusion.

The interview was started by introducing the interviewer and explaining what the questions would be about, and estimating that the interview would take approximately 45-60 minutes (Oates, 2006; Trost, 2005). Initial background questions were asked, followed by more in-depth questions and finally by relevant follow-up questions. Additional questions were asked to help the interviewees to clarify their answers. The interview questions were put together to provide a structure in the answers to the analysis section (Trost, 2010). In this order the interviews were then sorted in different groups depending on the topic they belong to. The presentation and discussion of the interviews in later chapters follow this structure where the topic is given as a title for each group of questions and answers for the questions are presented under the topic.

2.5 Design of Security Processes

This section describes the overall design of the information security process. In the design and creation part, the interviews and literature were used to find out the requirements for the process. The purpose is to help answer RQ2. The literature for existing processes was used and tested by organizations for both IT security and information security. By studying threats and risks to cloud computing security, how these threats can affect cloud computing security and how they can be defended against, we defined the processes that can be used to mitigate these threats. We then used the information we received from the interviewees about which security processes they are using, whether these processes are helpful in protecting the data in the cloud, and what processes or methods are needed to improve the security. Based on literature and interviews, processes were combined and created to be included in the security process systems or ISMS for cloud computing.

2.6 Data Analysis

After the interviews and the scientific material were collected, we began preparing the material. We then began by writing the background material, introduction, purpose and questions. We listened to the recorded interviews and transcribed the interviews after conducting each one. This was time consuming, since one hour of recorded material required approximately 5 – 6 hours for transcribing (Oates, 2006). While transcribing the interviews we avoided making early hypotheses, since in qualitative research the “field” is deeply explored before making any speculations about details in the field (Silverman, 2011). When all the interviews were transcribed, we then started processing the interviews. The interviews were written in their entirety in order to have a structure to follow and to allow deeper insight into the interviewees’ thoughts. After transcribing the interviews, we needed to “identify key themes” (Oates, 2006) in the collected material. According to Oates (2006), there are three themes: sections that have no relation to our research, sections with general descriptive information such as number of employees and background of the interviewee, and the third section would relate to our research (Oates, 2006). We focused on the third type that relates to our research questions. We then categorized the relevant data under relevant headings and looked for “inter-connections between the categories” (Oates, 2006). We then made an intensive analysis, which means that we deeply analyzed a “limited amount of data” (Silverman, 2011) and compared them with each other and with collected literature. One rule for data analysis is to focus on sequences. In this case, the researcher presents the interviewer’s question before presenting an interviewee’s comment to be able to make follow-up comments on what was said (Silverman, 2011).

The interviews were crucial to back up the facts we have and to be able to draw conclusions and analyze from there. While studying the interviews, sometimes we had to reassess the purpose to exclude certain answers.

We put the interviews together with their analysis and completed the study by arranging the answers and comparing them with the background material we already had (Trost, 2005).

2.7 Threats to validity

“Both reliability and validity are important issues in field research” (Silverman, 2011). It is important that the credibility of qualitative research is reliable and that the empirical material has been collected in a proper and ethical manner (Trost, 2005). For the research to be meaningful, it is necessary to make a connection between theoretical and empirical data, and that it should be relevant to the research problem. With this in mind, it is relevant for us to make connections between the literature and interviewees’ statements, and manage these connections in the direction of our research question. The connections, interpretations and conclusions presented are ultimately our own. Since the interviewer tends to interpret the results through his own experience and understanding, it is inevitable that the interviewer might skew the interviewee’s statements to reflect his/her own comprehension. It is therefore important for us to strive to be as neutral as possible and not let our own opinions affect the empirical material (Trost, 2005).

According to Silverman (2011), there are two ways to validate qualitative research: triangulation (“comparing different kinds of data and different methods to see whether they corroborate one another”) and respondent validation (taking back the findings to the persons being studied to obtain their approval).

We ensured the validity of our study by using scientific literature, studies and theories that have a strong connection to the research problem and to the interviewee’s statements. We combine and compare literature and empirical material for “a more accurate, comprehensive and objective” result of the study (Silverman, 2011). We also raised the validity of our study by sending the interview transcripts back to the interviewees by e-mail to make sure that our interpretation and transcription of the interviews had been done in a correct way and to give the interviewees a chance to validate them.

According to Silverman “when people’s activities are tape recorded and transcribed the reliability of the interpretation of transcripts may be gravely weakened by a failure to transcribe” (Silverman, 2011). For this reason we have also raised the research’s reliability by listening through the recorded material several times, so that we can be sure that we understood the interviewee correctly.

The selection of interviewees is another problem that can exist in all research, which may affect the empirical verdict. The result would probably have been different with other organizations as interviewees, since cloud security issues vary with the size and level of the enterprise. Therefore, it is important to note that the selected interviewees do not represent all enterprises. However, we still decided to make a generalization and to highlight some issues, since this research aimed to study almost every level of enterprise to know the security issues faced by the different organizations while using the cloud computing environment. It also studied the common methods that most of the enterprises are adopting for the security of their data

3 On the Foundations of Cloud Computing and Security

This chapter presents a descriptive literature review for information security processes in cloud computing. It begins with an overview of different aspects of cloud computing (Section 3.1). In this overview, we integrate a discussion of security concerns with the presentation of cloud-related topics, such as cloud service and deployment models and cloud characteristics. After this, we take the concerns generally associated with security, and go through how these can be applied to cloud computing (Section 3.2). Section 3.3 details the ISMS and lists various processes that can be integrated to form the ISMS. Finally, in Section 3.5, a summary and concluding remarks are given.

Regardless of which cloud computing deployment model or service model that an organization uses, some or all aspects of security must be integrated. In order to further understand this integrated perspective, cloud computing is discussed as a whole and then security and information security processes are each more fully explained.

3.1 Cloud Computing

Cloud computing emerged as a practical solution once Internet infrastructure had become available in various parts of the world. This was especially so after the boom in smartphones, which can always connect to the Internet and work with the various information and files on the network.

Cloud computing is known as a technology that relies on transferring processing and computer storage space to the so-called cloud, a server that is accessed via the Internet, which turns IT software products into services. The technology helps keep the problems of maintaining and developing IT programs away from the organizations that use it, so that these organizations can concentrate on simply using the services.

3.1.1 Cloud Computing Architecture

Mell and Grance (2011) describe the cloud technology as composed of five essential characteristics, three service models, and four deployment models. These will be detailed in the sections 3.1.2, 3.1.3 and 3.1.4.

Cloud computing, as shown in the NIST² definition of cloud computing (see Figure 1), can be seen as either deployment models, service models, or as having certain characteristics. However, to be completely accurate, figure 2 shows that these views all work together or partially together, at any given time to make up the concept of cloud computing.

Figure 1: Visual model of NIST Working Definition of Cloud computing (Cloud Security Alliance, 2009).

Al Morsy et al. (2010) describe the dependencies in the cloud computing architecture as a deep stack of dependent layers of objects such as VMs³, APIs⁴, Services and Applications, that cloud computing depends on and where the functionality and security of a higher layer depends on the lower layer. The IaaS includes the following layers: cloud physical infrastructure layer (storage, networks and servers), virtualization layer (hypervisors), and virtualized resources layer (VMs, virtual storage, virtual networks). The PaaS covers the platform layers (such as application servers, servers, IDEs, and other tools), and APIs and Services layer. The PaaS layer depends on the virtualization of resources as delivered by IaaS. The SaaS includes applications and services offered as a service for end users and depends on both the platforms layer to host the services and a virtualization layer to optimize resource utilization when delivering services to multiple tenants.

2 National Institute of Standards and Technology

3 Virtual machine (VM), http://en.wikipedia.org/wiki/Virtual_machine

4 Application programming interface, http://en.wikipedia.org/wiki/API

The security challenge is complicated with this dependency of cloud objects in which each object / layer depends on the security of the lower objects/layers. This means that any breach to any cloud objects or layer will affect the security of the whole cloud platform. A set of security controls is required to secure the service of each cloud layer with the different security requirements and vulnerabilities.

Managing this large number of controls is complicated since there could be conflicts among the security requirements and among security controls at each layer. This can result in an inconsistent security model, so a unified security control management module is required to coordinate and integrate security controls among the various layers based on security needs (Al Morsy et al., 2010).

3.1.2 Cloud Computing Stakeholders

So far, the concepts themselves have been presented. However, someone needs to put the controls in place and manage them. Those who are in charge are the ‘stakeholders’. The stakeholders have their own reasons or objectives for selecting the type of architecture best suited for the organization using cloud computing.

Al Morsy et al. (2010) define different stakeholders in the cloud computing technology:

• Cloud provider – delivers infrastructure to cloud customers.

• Service provider – uses the cloud infrastructure in order to provide applications and services to end users.

• Service customer – uses the services hosted on the cloud infrastructure.

The service provider and service customer can be cloud customers, directly or indirectly. Each one of the stakeholders has its own security management systems and processes and each one has requirements and capabilities from other stakeholders. This can cause conflicts in the security requirements. Therefore providers and customers need to have agreements on the applied security properties. Both service provider and service customer lose control since the cloud provider does not know about the security requirements needed for the services hosted on their infrastructure and the cloud customer has no control over the security of their assets or over the services sharing the same resources (Al Morsy et al., 2010).


The security SLA management partly covers these kinds of issues but does not cover the details of the security policies and security control. Since the cloud providers are not aware of the hosted services’ architectures they cannot provide efficient and effective security controls (Al Morsy et al., 2010).

It is recommended to have transparency between both service provider and customer of what security is enforced, what risks exist, and what breaches occur on the cloud platform and the hosted services. There should be trust between the two where cloud consumers should trust their providers meanwhile cloud providers should deliver tools to help consumers to verify and monitor security (Al Morsy et al., 2010).

3.1.3 Cloud Service Models

As mentioned in section 3.1.2 there are three service models in cloud computing:

Infrastructure-as-a-Service: Infrastructure-as-a-Service (IaaS) is the basic cloud-service model. Instead of buying expensive data center infrastructure, the users hire a little space in a virtual data center from an IaaS provider. Cloud access to these virtual data centers is through the Internet. Users pay only for the devices that they use such as CPU⁵ cores, RAM⁶, hard disk space and data transfer. Some of the providers that allow users to rent virtual servers are Amazon EC2, which is one of the best-known IaaS providers (Al Morsy et al., 2010), and Rackspace Cloud (Rackspace, 2013).

The user needs to manage its platform, can control the operating system and storage units, and manage applications but cannot control the major infrastructure for the cloud.

The IaaS provider is responsible for the hardware, performs all maintenance and ensures that the servers are functioning properly and stable.

The lack of control of the infrastructure on the customer's side gives the user concerns about security. There are some issues related to the IaaS model such as:

• Virtual machine (VM) security – VM operating systems and workloads need to be secured from security threats like malware and viruses that may affect traditional physical servers. This is the responsibility of the cloud customer and can be done through traditional or cloud-oriented security solutions based on the user's needs, risk level and own security management processes (Al Morsy et al., 2010).

• Virtual network security – shared infrastructure in the same server or in the physical networks between different tenants increases the risk of exploiting vulnerabilities in DNS servers, DHCP, and IP protocol (Al Morsy et al., 2010).

⁵ Central processing unit, http://en.wikipedia.org/wiki/Cpu

Platform-as-a-Service: Platform-as-a-service (PaaS) is a solution to develop, test, use and manage custom applications in the cloud. This pillar of cloud computing is gaining popularity since it allows users to focus on application development without having to worry about factors such as system administration or infrastructure maintenance.

PaaS providers work together with IaaS providers to host the respective platforms on a flexible infrastructure foundation from the development to the use.

Most known providers are Google (Google App Engine), Salesforce (Force.com) and Microsoft (Azure, Live services and Sharepoint services) (Al Morsy et al., 2010).

Among the security issues related to PaaS can be mentioned:

• Service-Oriented Architecture (SOA) related security issues – the PaaS is based on the SOA model, which leads to the same security issues that exist in the SOA model such as DoS attacks, Man-in-the-middle attacks, XML-related attacks, Dictionary attacks and Replay attacks. This is the responsibility of both service provider and service customer (Al Morsy et al., 2010).

• API Security – APIs that deliver management functions are offered by PaaS model. The APIs should be delivered with security controls and implemented standards in order to apply consistent authentication and authorization on calls to such APIs. This is the responsibility of the service provider (Al Morsy et al., 2010).

Software-as-a-Service: Software as a Service (SaaS) describes the use of software online through cloud computing, instead of buying and installing them locally on the computer. The users do not need to manage or control the underlying cloud infrastructure including network, servers, operating systems and storage. SaaS is the service mostly connected with cloud computing, because of its accessibility and the applications it offers to users (Prince, 2011).

SaaS products can be divided into two areas: user products and enterprise applications. Common examples of SaaS user products are Gmail and Google Docs, and both are free to use and accessible via a web browser. Netsuite and Salesforce.com are two examples of enterprises using SaaS applications. These programs allow individual business segments, such as Sales & Marketing, to operate more efficiently through the Internet.

SaaS providers use client capability (multi-tenancy) to keep infrastructure costs low. The software is accessible to all registered users and is automatically updated and modified, without incurring additional costs. The SaaS provider manages the entire infrastructure at one or more locations, thus reducing the costs so that the provider can offer the use of software by means of a monthly fee much cheaper than the expensive initial investment by the user himself.

SaaS has advantages such as flexibility of software. Updates and add-ons can be loaded in the backend, without disturbing the front-end user in his work. Another advantage is the compatibility: if several people work together, then everyone has the same version of software to work on. Further examples of SaaS are the photo sharing and storage sites Picasa and Flickr, the video and music streaming services Netflix and Spotify, WordPress, and Dropbox (Prince, 2011).

Since SaaS is built on top of both IaaS and PaaS it inherits security issues including data security management (such as integrity, confidentiality and backups) and network security (Al Morsy et al., 2010). Among the security issues related to PaaS, web application vulnerability scanning is of great importance.

Web application scanners are used to validate and scan web applications for vulnerabilities and should be up-to-date with the latest protection against known and potential vulnerabilities and threats (Al Morsy et al., 2010). Vulnerabilities can also be mitigated by using web application firewalls.

Web application security misconfiguration and breaking-security misconfiguration can be very critical with multi-tenancy since each tenant has its own security configurations that could conflict with each other, leading to security holes (Al Morsy et al., 2010). It is highly recommended to use cloud provider security controls to apply and manage security in a consistent and robust way (Al Morsy et al., 2010).

Each of the three service models can be implemented in different possible ways as shown in figure 2. This complicates the development of a standard security model for each service model, which in turn makes the security management process more complicated since these service models can exist in one cloud platform (Al Morsy et al., 2010).


Figure 2. Cloud Service Models (Al Morsy et al., 2010).

3.1.4 Cloud Deployment Models

An organization implements one or more deployment models depending on the need of the service and on which of the models provide the best solution for the needed service. For example, private and hybrid clouds are more likely to be used when an organization has special requirements for compliance and security, while public cloud models are more likely to be used when e.g. general applications are needed for temporary projects that do not require security specifications (Krutz and Vines, 2010).

Public cloud: Public clouds use a virtualization technology which makes it possible for several users to share a single physical server. This model of cloud is owned and operated by third-party service providers like Amazon AWS, Microsoft and Google and offers cloud services like application, storage and resources to the general public either for free or on a pay-per-use model.

The public cloud is a prime example of the cloud computing technology: easy to set up, fast and flexible, scalable and cost-effective because the users pay only for what they need. On the other hand this deployment model is the most vulnerable one since it is available to the public and lets multiple users, who may be harmful users, host their services (Al Morsy et al., 2010). The day-to-day operations and security management in the public cloud, such as logging, monitoring and implementation controls, are passed on to the third-party service providers who provide the public cloud service, and in this way the user has less control of the sensitive data and of physical and logical security aspects (Mather et al., 2009).

Private cloud: Private cloud also works with virtualization technology and is typically used by a single organization and managed by the organization itself or by a third party. Private cloud offers the same benefits as public clouds but at the same time enables the organizations to keep control over the data and process (Krutz and Vines, 2010).

Servers and resources are specifically adapted to the needs of the organization and cannot be used by other parties. Access can be limited in a number of ways. Those private clouds are ideal for businesses that rely on the security of their data and want to have a more conscious control over their IT environment.

There are some differences between private and public clouds according to Krutz and Vines (2010):

• The infrastructure of a private cloud is dedicated to a single organization and not shared with other organizations.

• Private cloud is not more secure than public cloud unless secure best practices are followed but the security is more controlled here since the organization owns the infrastructure and controls how applications are deployed on it.

• Private cloud enables the organization to leverage existing infrastructure to the cloud without sacrificing control, corporate governance, and reliability.

Since the organizations need to build, and manage the private cloud, they do not benefit from lower upfront capital costs and less management (Mather et al., 2010).

Community cloud: A range of organizations controls this type of cloud, where it is possible to create a cloud of many common organizations with the same requirements and seek to share infrastructure in order to achieve some of the interests and benefits of cloud computing. With the spread and distribution of cost among users the choice of community cloud becomes more expensive but provides a higher level of privacy, security and compliance policy.

Hybrid cloud: A combination of the interaction between public and private cloud and sometimes even community cloud. In this model, users typically use the public cloud computing resources to do information processing, while the information is maintained and controlled using the private cloud. This may for example be an organization that manages some servers in a private cloud, while other servers are outsourced to a public cloud.

The idea of hybrid cloud allows organizations to take advantage of the scalability of cloud technologies and at the same time to manage sensitive corporate data in a protected way. In hybrid clouds the physical control of the shared infrastructure may rely on one of the organizations included or on a third party, which can make the management of this cloud more complicated due to different ownerships and responsibilities. This in turn makes the hybrid cloud technically challenging when dealing with concerns over management of resource, resilience, privacy and security requirements (Krutz and Vines, 2010).

3.1.5 Cloud Characteristics

Cloud computing has many advantages. One in particular is the significant economic benefit of the international integration that cloud computing leads to. For example SMEs and organizations can save costs by adopting IT without the need to invest in infrastructure and software licenses (Al Morsy et al., 2010).

In some cases cloud computing can improve the information security in an organization (MSB, 2013). The security benefits are linked to the possibility of redundancy, which means that the service provider can control the delivery between various delivery points so that the user does not have to risk interruption in availability of service. The user is also able to rapidly expand their use of the service and has the ability to make rapid changes in capacity utilization, which can be considerably more difficult if information processing is done in own systems (MSB, 2013). The same applies to redundancy, where it can be much more expensive for the individual organization to create alternative solutions in order to maintain the operation than it is for a large IT supplier (MSB, 2013).

The five essential characteristics of cloud computing defined by NIST are:

• Resource Pooling: The resources provided by a service provider are in a pool that can serve many users (multi-tenant model). Multi-tenancy enables users to share the same service instance. The user does not know where exactly the resources are, but can determine the location, e.g. region, country or datacenter. The resources could be for example storage, processing, email services and network bandwidth.

• Broad Network Access: Services are available with standard mechanisms over the net and not tied to a specific client.

• Rapid Elasticity: Services may be provided rapidly and elastically and in some cases automatically. From the user's point of view, therefore, the resources seem to be endless. Elasticity enables users to scale up and down resources.

• Measured Service: Resource usage can be monitored and measured and thereafter made available to cloud users.

• On-demand Self-service: The provisioning of resources such as computing power and storage runs automatically without any interaction with the service provider.

As mentioned with resource pooling, multi-tenancy allows the sharing of resources, which in turn can violate the confidentiality of tenants’ IT resources and leads to the need for secure multi-tenancy. To achieve secure multi-tenancy, isolation of tenants’ data is required, as well as location transparency where tenants do not know the location of the resources and have no control (Al Morsy et al., 2010). Isolation includes different components depending on which service is used, e.g. IaaS, PaaS and SaaS.

When taking advantage of the elasticity of cloud computing, confidentiality issues may arise. When resources are scaled up and down, resources previously assigned to one tenant are given to other tenants, which can possibly lead to confidentiality issues (Al Morsy et al., 2010). An example is when a tenant A scales down resources and these released resources go to tenant B, who uses these resources to deduce the previous contents of tenant A (Al Morsy et al., 2010).
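The tenant A and tenant B scenario above, as an added example that is not part of the original thesis or of Al Morsy et al. (2010): a constructed simulation of a shared resource pool showing that ownership checks alone do not stop residual data from reaching the next tenant, while scrubbing on release does. The `ResourcePool` class, the block size, the tenant names and the sample data are all hypothetical and chosen for illustration.

```python
"""Constructed simulation: elastic reuse of pooled resources between tenants."""

BLOCK_SIZE = 32  # bytes per pooled block (arbitrary, for illustration)


class ResourcePool:
    """Hypothetical provider-side pool of storage blocks shared by all tenants."""

    def __init__(self, n_blocks, scrub_on_release):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # used as a stack: last freed, first reused
        self.owner = {}                     # block index -> tenant currently holding it
        self.scrub_on_release = scrub_on_release

    def _require_owner(self, tenant, idx):
        if self.owner.get(idx) != tenant:
            raise PermissionError(f"{tenant} does not hold block {idx}")

    def allocate(self, tenant):
        """Scale up: hand the tenant a block from the free list."""
        if not self.free:
            raise RuntimeError("pool exhausted")
        idx = self.free.pop()
        self.owner[idx] = tenant
        return idx

    def write(self, tenant, idx, data):
        self._require_owner(tenant, idx)
        if len(data) > BLOCK_SIZE:
            raise ValueError("data larger than block")
        self.blocks[idx][:len(data)] = data

    def read(self, tenant, idx):
        self._require_owner(tenant, idx)
        return bytes(self.blocks[idx])

    def release(self, tenant, idx):
        """Scale down: return the block to the pool, optionally zeroing it first."""
        self._require_owner(tenant, idx)
        if self.scrub_on_release:
            self.blocks[idx][:] = bytes(BLOCK_SIZE)
        del self.owner[idx]
        self.free.append(idx)

    def dirty_free_blocks(self):
        """Provider-side audit: free blocks that still contain non-zero bytes."""
        return [i for i in self.free if any(self.blocks[i])]


SECRET = b"tenant-A payroll 2013"   # constructed sample data


def run_scenario(scrub_on_release):
    pool = ResourcePool(n_blocks=2, scrub_on_release=scrub_on_release)
    a_block = pool.allocate("tenant-A")
    pool.write("tenant-A", a_block, SECRET)

    # While A holds the block, isolation works: B is refused.
    try:
        pool.read("tenant-B", a_block)
        isolated_while_owned = False
    except PermissionError:
        isolated_while_owned = True

    pool.release("tenant-A", a_block)          # A scales down
    dirty = pool.dirty_free_blocks()           # what an audit of the free list sees
    b_block = pool.allocate("tenant-B")        # B scales up and gets the same block
    residue = pool.read("tenant-B", b_block)   # an authorized read by B
    return {
        "isolated_while_owned": isolated_while_owned,
        "same_block_reused": a_block == b_block,
        "dirty_free_blocks": dirty,
        "leaked": SECRET in residue,
    }


if __name__ == "__main__":
    for scrub in (False, True):
        print("scrub_on_release =", scrub, "->", run_scenario(scrub))
```

The audit method is the kind of check a provider can run continuously: any non-empty result means a released resource could carry one tenant's data to the next.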

3.2 Security

When an organization adopts cloud computing, it is incumbent on the cloud providers to ensure the levels of security are in place. The control mechanisms of integrity and confidentiality are on the server-side (control of physical infrastructure). Organizations still have the responsibility of security at IT system level such as data and applications (CSA, 2009).

Information is a basic building block of an organization. It can be communicated, stored, and it controls processes. Through a systematic approach to information security based on established standards, organizations can increase the quality of and confidence in their business. No known standardization for cloud security has been made up to this point.

There is a growth in interest of information security management processes among organizations and therefore it is very important that people within an organization are aware and educated to support the information security efforts and help building protection of the organization against threats and vulnerabilities (Whitman, 2008).

By developing security processes, organizations can create feeds that are important for information security to function effectively. They are the basis for the security to be implemented in a structured manner (MSB, 2011).

Security glitches and the lack of security process models in organizations using virtual services indicate that there is a need to evaluate available approaches to secure cloud computing.


There is also a need to improve the current approaches by designing a security process that could be used by organizations to enhance the information security management in the cloud.

Cloud computing requires extra security measures due to its ephemeral aspects. This section defines the crucial aspects of cloud security. Wei et al. (2010) classify cloud security into two major classes: Cloud Data Security and Cloud Computation Security. Cloud Data Security refers to ensuring the integrity of outsourced data stored at an untrusted cloud server. By ensuring security in cloud data, confidentiality, integrity and availability are also ensured.

According to the CSA guide (2009)⁷ there are many threats against the security of network systems, and cloud computing security is not an exception in this context. Regarding the nature of threats the CSA says:

Because of the cloud service models employed, the operational models, and the technologies used to enable Cloud Services, Cloud computing may present different risks to an organization than traditional IT solutions.

Security and privacy issues prevent many users from switching to cloud computing systems (Microsoft, 2012). As mentioned in 3.1 there is a lack of control of the data and infrastructure in the different cloud deployment models and service models from both cloud service providers and end users, and this raises concerns about security. Security and privacy are the main concern for many organizations when adopting cloud computing (Catteddu & Hogben, 2009). Many of the security threats are pointed towards data availability and communication. Customers do not know where the data is stored, who manages the data or what other vulnerabilities can occur. In a traditional IT environment the users have full control of the computing and the stored data, while in cloud computing the physical data and machine are controlled by the service provider and the users have limited control over the virtual machines (Wei et al., 2010).

Security is an open research problem in the cloud computing technology. It is the major concern for the cloud computing users and is a hindrance for cloud computing adoption. Several reasons for this are as defined by Al Morsy et al. (2010):

• Organizations and individuals have little or no control of the data that is hosted by a third party.

• Multiple tenants use the same service in the same location without being aware of the strength of security measures used.


• No clear guarantees and responsibilities between the service provider and service user in the SLAs (service level agreement).

• Using the publicly available infrastructure for the valuable services increases the possibility for attacks.

The cloud provider sees that security requires expenditures, e.g. security solutions’ licenses and resources, and is difficult to control. But still the cloud provider needs to find security solutions to resolve the users' concerns about security issues (Al Morsy et al., 2010).

3.2.1 Information Security

Information is an important resource for the organization, but it is subject to risks and threats of various kinds. The demand for information security has increased as both public and private businesses become more aware of the dependence on their information management (MSB, 2013). The term information security evolved from the concept of computer security and covers everything from the protection of data to the protection of human resources.

Information security is about identifying, measuring and mitigating risks in data operations (Whitman and Mattord, 2008). It is designed to protect against risks and threats, and to perform risk minimization.

Whitman and Mattord define information security as:

The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.

Another definition is given by Jacobsson (2008) as the process undertaken to protect the information from harm.

Information is a basic building block of an organization. It can be communicated, stored, and it controls processes. Security is the state of being secure and protected (Whitman & Mattord, 2008). Through a systematic approach to information security based on established standards, organizations can increase the quality of and confidence in their business.

Information security includes some of the areas of security, like management of information security, computer and data security and network security. So it is built both on administrative functions with the policies and guidelines as well as technical protection including firewalls and encryption. It is about taking a holistic approach and creating an effective long-term process to provide the organization's critical information the protection it deserves.


Many experts still see the adoption of cloud computing as a real threat to information security (Microsoft, 2010). In order to protect the information, the key concepts and requirements of information security (see table 1) such as confidentiality, integrity and availability, also called the C.I.A. triad, need to be maintained at the right level (MSB, 2013).

• Confidentiality and privacy: Confidentiality means that only relevant information may be given to relevant people and only authorized persons may take part of it (Whitman and Mattord, 2008; Gollmann, 2006). Especially in an organization, confidentiality is very important when it comes to personal data for example about employees, customers or patients. Privacy is related to confidentiality and defined by Jacobsson (2008) as:

The right for individuals to determine for themselves when, how, and to what extent personal data can be gathered, stored, processed or selectively disseminated by other. (Jacobsson, 2008)

• Integrity: Integrity means that data must be whole and available in original form (Whitman & Mattord, 2008) and prevented from being changed by unauthorized users (Zhou et al., 2010).

• Availability: Availability means that the data is available for use when we need to access it. The information should be accessible to authorized users, either computer systems or persons (Whitman & Mattord, 2008).

|  | Threat | Protection |
|---|---|---|
| Confidentiality | hacking; stealing information | information classification; secure document storage; applying security policies; cryptography |
| Integrity | computer viruses and worms; faulty programming; noise in the transmission channel or media | employing error control techniques such as hash values and error-correcting codes |
| Availability | Denial of Service | fault-tolerant computing |

Table 1: Key concepts of information security threat and protection according to Gollmann (2006) and Whitman and Mattord (2008).

• Authentication: This is the process when users ensure that they are the person they claim to be. This is required before letting the user access any system or carry out an operation (Belapurkar et al., 2009). Authentication is used for example when a user has a user ID and needs to type a password in order to log in to a system. The user is then authenticated by the system by verifying that the password corresponds to the user ID (Krutz and Vines, 2010).

• Authorization: This means providing different levels of access to different operations in a system (Belapurkar et al., 2009). The user's identity and the system that needs to be accessed determine the type of access (Belapurkar et al., 2009). This means that when the user's identity and authentication are established, the extent of system rights a user has can be determined by authorization levels (Krutz and Vines, 2010).

Achieving the “right” security level in an organization depends on several strategies undertaken separately or in combination with each other. Information security process can be achieved through good management and leadership, communication and cooperation among the three responsible groups within the organization, and the combination of the key concepts of security (Whitman and Mattord, 2008). In cloud computing users have less control of data storage and computing and thus of data security (Wei et al., 2010), so controlling the information security is not just an important issue for large organizations but also for small and medium companies (BSI, 2004).

3.2.2 Security Threats

Cloud computing is rapidly growing and has become an attractive and affordable service model among organizations, especially SMEs. It has many benefits but is also associated with many business risks and security challenges. The risks are very different depending on the type of cloud service. Cloud customers are facing concerns about privacy and threats to information security when adopting the cloud (Microsoft, 2010). The adoption of cloud weakens important business-level security policies, processes, and best practices which makes the companies vulnerable to intrusions (Cloud Security Alliance, 2013).

The awareness and knowledge about malicious sources is the base in the protection against intrusions of privacy and breaches in security (Jacobsson, 2008). Petterson (2012) classifies security intrusions in the cloud in two variants namely: undirected such as botnets guessing passwords, scripts looking for vulnerabilities in web pages and criminals who run the scanners on your network through the internet, and directed such as the attacks against the companies RSA, HBGary, and DigiNotar.

In the RSA attack hackers got into the security company's own IT systems and came across data that has to do with SecurID (Larsson, 2011).

In the HBGary attack the security firm HBGary and its HBGary Federal was hacked and HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced (Bright, 2011).

The Certificate authority DigiNotar was attacked in September 2011 when someone broke into the system and issued fraudulent certificates for websites (Sundkvist, 2011).

The targets of undirected intrusion could be anyone that has specific security holes or weaknesses, and not much time is spent on these intrusions. There is much that must be done right to have the right protection against undirected intrusion. The targets of directed intrusions are defined and affect certain people. The attacker looks for security weaknesses that this specific target has and spends the required time to get through these weaknesses. Protection against these intrusions is very challenging.

Understanding the nature of security threats enables organizations to make enlightened risk-management decisions in their cloud adoption process (Cloud Security Alliance, 2013). In addition to publishing standards for effective cloud security that have been incorporated by many businesses and organizations as guidance for their cloud strategies, the Cloud Security Alliance (CSA) has identified the top threats in cloud computing for 2013. As mentioned in section 3.1.3, tools for scanning web applications for vulnerabilities and threats should be up to date with the latest discovered vulnerabilities and threats in order to protect the data. Also in 3.1.3 we mentioned the different threats for the different deployment models and cloud services. Table 2 shows the threats identified for 2013, their definition, how to handle them and what service they affect.

(34)

26

| Threat | Example/Description | Measure |
|---|---|---|
| 1. Data Breaches | data loss; data leakage; unauthorized access, database corruption | strong controls; proper design of multitenant cloud service databases; data encryption; data protection processes |
| 2. Data Loss | malicious attackers; accidental deletion (by cloud service provider); forces of nature; lost encryption key | retaining audit records or documentation; backups |
| 3. Account Hijacking | phishing; fraud; exploitation of software vulnerabilities | in-depth protection strategies; two-factor authentication techniques |
| 4. Insecure Interfaces and APIs | Reduces an organization’s: confidentiality; integrity; availability; accountability | Protect by using: authentication; access control; encryption; activity monitoring |
| 5. Denial of Service | Consumes and slows down system resources: processor power; memory; disk space; network bandwidth; increases cost of cloud services | |
| 6. Malicious Insiders | Users who misuse authorized access to an organization's network, system, or data. | Keep encryption keys with the cloud customer and have them available only at data-usage time. |
| 7. Abuse of Cloud Services | An array of cloud servers is used to crack encryption and make attacks. | This is an issue for cloud service providers (CSP) to solve. |
| 8. Insufficient Due Diligence | Lack of capable resources and knowledge of the risks when adopting cloud technology. | capable resources; extensive internal and CSP due diligence; knowledge of the CSP security environment; comprehension of operational responsibilities (incident response, encryption, and security monitoring) |
| 9. Shared Technology Issues | Threats of shared vulnerabilities in cloud service models; these occur when security requirements are not integrated into the shared infrastructure, platforms, and applications (i.e. computing resources, storage, and networking). | A defensive process of compute, storage, network, application and user security enforcement, and monitoring, in all service models is required. |


In 3.1.3, we defined the responsibilities of the service provider and service user with regard to the different security issues in cloud services.

As far as we can see, information security is the responsibility of both the service provider and the cloud service customer (depending on the service agreement between the two). Pettersson (2012) states that having a good agreement is a way of building trust with the service provider.

The responsibility of the service provider is to protect the information from unauthorized viewing and change, while the organization has responsibility for the information and the ability to manage it (MSB, 2013). Since the cloud customers are the owners of the information, they have the responsibility to establish security strategies for the protection of data regardless of where the data is stored (Microsoft, 2010).

3.3 Information Security Processes

Information security threats and risks force organizations to better protect their valuable information and resources by using an information security management system (ISMS) (Suciu et al., 2012). Using an ISMS will help keep data secure over time. This section details the ISMS and then lists various processes that can be integrated to form the ISMS.

3.3.1 Management of Information Security

Threats and vulnerabilities regarding information security are forcing organizations to use an information security management system (ISMS) to protect their information and resources (Suciu et al., 2012). Through good information management, risks in information security are prevented. Good information management builds on well-functioning, everyday security processes (MSB, 2012).

A process is a collection of previously determined, linked and documented activities that meet a defined need in information security. A security process is a process that is designed to manage information security (MSB, 2011) or a structured series of processes for managing the ongoing operations of securing cloud computing (Microsoft, 2010).

By developing processes, organizations can create feeds that are important for information security to function effectively. They are the basis for the security to be implemented in a structured manner and provide an important starting point to regularly review the work. There are very few security measures that can be entered once and for all and then serve in perpetuity. For example, a virus scanner quickly becomes worthless if it is not updated, and an alarm system
