This article was downloaded by: [94.79.182.

6]
On: 02 March 2015, At: 11:11
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,
37-41 Mortimer Street, London W1T 3JH, UK

Information Security Journal: A Global Perspective

Publication details, including instructions for authors and subscription information:
http://www.tandfonline.com/loi/uiss20

Security in Cloud Computing: An Analysis of Key Drivers

and Constraints
Derek Mohammed

Computer Information Systems & Security, Our Lady of the Lake University , San Antonio ,
Texas , USA
Published online: 26 May 2011.

To cite this article: Derek Mohammed (2011) Security in Cloud Computing: An Analysis of Key Drivers and Constraints,
Information Security Journal: A Global Perspective, 20:3, 123-127, DOI: 10.1080/19393555.2010.544704
To link to this article: http://dx.doi.org/10.1080/19393555.2010.544704

PLEASE SCROLL DOWN FOR ARTICLE

Taylor & Francis makes every effort to ensure the accuracy of all the information (the Content) contained
in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no
representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the
Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and
are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and
should be independently verified with primary sources of information. Taylor and Francis shall not be liable for
any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever
or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of
the Content.
This article may be used for research, teaching, and private study purposes. Any substantial or systematic
reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any
form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://
www.tandfonline.com/page/terms-and-conditions

Information Security Journal: A Global Perspective, 20:123127, 2011

Copyright Taylor & Francis Group, LLC
ISSN: 1939-3555 print / 1939-3547 online
DOI: 10.1080/19393555.2010.544704

Security in Cloud Computing:

An Analysis of Key Drivers and Constraints

Downloaded by [94.79.182.6] at 11:11 02 March 2015

Derek Mohammed
Computer Information Systems
& Security, Our Lady of the Lake
University, San Antonio, Texas

ABSTRACT In the emerging computing paradigm known as cloud computing, there are significant issues that need to be addressed in order for cloud
computing to be adopted as universally as the Internet. Among these issues,
the societal and technological issues around security for cloud computing are
some of the most important and will act as both drivers and constraints for
mass adoption of cloud computing. The goal of cloud computing is to share
data and services transparently among users of a massive grid referred to generically as the cloud. The promise of the cloud is in achieving significant cost
savings and information technology agility. This paper examines some of the
more important key drivers and constraints for secure cloud computing from
a societal and technological perspective. The societal issues addressed involved
trust, privacy, and user behavior and how security affects these factors. The
technological issues include scalability, reliability, encryption, data rights, and
transparency. Transparency is a constraint for cloud computing today, and a
case can be made that this is one of the most important issues needing resolution before corporations will move their computing infrastructure to the
cloud.
KEYWORDS cloud, computing, societal, technological, transparency

INTRODUCTION

Address correspondence to
Derek Mohammed, Our Lady of the
Lake University, Computer Information
Systems & Security, 411 S.W. 24th Street,
San Antonio, 78207.
E-mail: dmohammed@ollusa.edu

Cloud computing is defined in many different ways. Global industry participants, academia, and governments all have varying definitions of what
cloud computing is and of the innate value of the cloud. In this paper,
the definition from the National Institutes for Standards and Technology
(NIST) is used, which states: Cloud computing is a model for enabling
convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications, services)
that can be rapidly provisioned and released with minimal management
effort or service provider interaction (Mell & Grance, 2009, p. 1). The history of cloud computing is built upon the foundational technologies that
make up the modern Internet. The cloud was a construct that depicted
the network as a cloud. The first cloud computing platform was developed
around the concept of networking and the Transmission Control Protocol/

123

Downloaded by [94.79.182.6] at 11:11 02 March 2015

Internet Protocol (TCP/IP). The second cloud computing platform, the World Wide Web, was based
on the posting and sharing of information in the
form of documents. The frontier of cloud computing infrastructure involves servers, applications, data,
and heterogeneous platforms that will make computing ubiquitous, mobile, and provide the holy grail of
seemly unlimited bandwidth on demand.
The value of cloud computing is in the sharing of
information and services transparently among users of
a massive computing grid (Foster, Zhao, Raicu, & Lu,
2008). The technological progress in distributed, and
cloud computing has had a dramatic impact on society. The way we live, work, and relate to one another
has changed and will continue to have an impact on
society. The key to adoption of the cloud by individuals and institutions is to ensure the technology is
secure. Without security, validity, and privacy, cloud
computing for individuals and consumers will remain
islands of computing platforms and will not reach its
true potential. The U.S. government plans to migrate
large amounts of its computing resources to the cloud.
Therefore, various public sector entities are presently
engaged in defining and assessing cloud computing. In
doing so, security has to be a primary issue of concern.
Mell and Grance (2009) stated that the cloud
has both security advantages and disadvantages. For
instance, the unprecedented availability of services
which could be offered by the cloud will certainly
result in it being the technology of choice. However,
as Mell and Grance noted, the pooling of resources
in the cloud may results in data confidentiality and
integrity being questioned. If ignorance is bliss, then it
is good that the average citizen is ignorant to the security issues of the cloud. If they became fully aware of
how vulnerable their information was, they would dramatically scale back their use of on-line services. There
have been several reports where the cloud failures have
lead to major problems for consumers, for example:
Amazon lost service due to lightning strike to cloud
(Metz, 2009), Microsoft Azure cloud suffers first crash
(Clarke, 2009), Microsoft data loss (Ionescu, 2009), and
Rackspace apologizes for cloud outage (Brodkin, 2009).

SOCIETAL DRIVERS AND

CONSTRAINTS
This social aspect of cloud security is fascinating and
is rapidly becoming an area of study at the intersection
D. Mohammed

of sociology, computer science, and anthropology. The

social implications of cloud computing are being seen
today. The cloud enables devices to be freed from the
need to store applications, libraries, and code locally, as
well as frees up computing to take place on the cloud.
The ability to call up a spreadsheet from the cloud and
make edits will change the where and the way work
is done. This a bellweather for things to come when
companies no longer purchase software to install on
individual computers; rather, they log in to a Web service to create, edit, and store information. Today we
are in a transitional time between centralized computing (data and computing power residing in physical
machines or restricted physical networks), which limit
the ability to compute on demand, and ubiquitous
computing, where the citizen user can access virtual
services and applications on demand from anywhere
in the world.
The issue of trust is both a major driver and constraint for secure cloud computing. Users and consumers show little concern about storing personal data
in the cloud. Consider the growth of social networking sites such as Facebook, LinkedIn, and MySpace,
all of which add value around individuals placing personal data in a shared (cloud) environment. Consider
photo-sharing sites, in which consumers entrust their
most precious memories to an unknown data center.
Consider particularly the rise of online banking, a highrisk activity that involves storage and transmission of
private financial data. All are cloud or cloud-like environments, and all involve a degree of trust and risk
taking that most users and consumers normally would
not consider.
In large part, consumer acceptance is a function of
not understanding the risk of storing and transmitting
private information in a shared (cloud) environment.
The view of most technology professionals is that consumer are not fully educated in the security risk of
cloud computing. For instance, when it comes to financial data, consumers do not know or understand the
risks of data leakage and unauthorized access to data.
It will take a few well-publicized data breaches to make
consumers shy away from online banking, and even
then banks may respond first by assuring customers of
their security measures.
For consumers, the drivers of cost savings and ease
of use outweigh the constraints of data risk. Software
as a Service (SaaS) and other cloud-based applications are low cost and sometimes free. Even more
124

Downloaded by [94.79.182.6] at 11:11 02 March 2015

important, they do not require as much work on the

part of the consumer, who does not have to deal
with downloading software, ensuring sufficient available space, backing up the files, or upgrading to new
versions. For many consumers, ease of implementation and use is even more compelling than cost
factors.
It is apparent that users will trade security for convenience and price. Much of the information consumers
store publicly is not confidential and, if lost, will
not have as severe an impact as if their personal
financial information became compromised. However,
the retention of electronic healthcare records is a
controversial issue. The creation of electronic healthcare records and the potential for compromise via
the cloud have huge implications for individual privacy and the healthcare insurance system. This is
not an area where consumers will trade security for
convenience.
Popular applications, such as social networking, provide consumers with an illusion of privacy and security. These systems all require some sort of secure or
password-based access, and the consumer has a great
deal of control over what data are stored there and
who else has access to the data. This is not necessarily the case with electronic healthcare records. Today,
current regulations allow consumers access to their current hard copy records; it is not clear that consumers,
not the providers, actually own the records and data.
Consumers do not feel in control of their data. It is
reasonable for consumers to be alarmed at the concept that highly personal data will be available in the
cloud, accessible to and updatable by any number of
providers in the huge, fragmented healthcare industry.
The benefits of immediate access to full and essential
data to provide high-quality healthcare will need to
be weighed against the possibility that something will
be compromised, such as unauthorized access to data,
improper use of data, or incorrect data. Given the high
visibility and political nature of electronic data proposals, there is also a high probability that fears will be
fueled by companies or individuals who can benefit
either financially and or politically.
Several articles have been published that document
how Americans are surprisingly willing to give up
their personal privacy in exchange for other values, for
instance, security, financial, or social benefit. Further,
as long as the individual is voluntarily providing the

125

information they are fine with making this information

public. However, it is a different story when corporations or government make that decision for them.
Hence the saying, its okay if I post private data on the
Web, but its not okay if you post my private data on
the Web.
Businesses are much more wary than consumers
of where their information is created and stored.
Today there are few enterprises storing any proprietary
data in a shared cloud environment, and experts do
not anticipate this happening for another 10 years
(Hewitt, 2008). Among the main fears of businesses
for adopting the cloud include compromise of data
in transit or data being stored, compliance-meeting
standards for transmission, storage, and availability of
data.
Some regulations address where the data are stored,
which is difficult to determine in a true cloud environment in which multiple servers in multiple data
centers act as a single computing resource. What is
being observed in the enterprise market is a willingness
to enter the cloud for noncore applications, such as
email and document sharing, as well as bursts or shortterm computing needs such as marketing campaigns
and software testing.
Ownership is still an unresolved issue that has the
potential to derail mass adoption of the cloud. Critics
paint a scenario in which a cloud application user, such
as an accountant, runs the general ledger for a small
company utilizing Google spreadsheets. When companies need to generate their quarterly reports, Googles
server goes down. Although this is an unlikely scenario, it illustrates what can happen at the wrong time.
Another foreseeable problem is when Google starts
charging a service fee for Google docs, which they will
ultimately have to do. The problem becomes ownership of the data. In this example, what happens to a
companys financial data when the accountant does
not pay the bill? This is an issue that should be easily resolved, but again the cloud, with its network of
servers, routers, and software, tends to blur the lines of
ownership and accountability. This scenario is a growing concern around adoption of cloud computing and
presents a unique combination of privacy and ownership issues. Richard Stallman, an outspoken privacy
advocate, recommends that users find local providers
and store their data on their own computers in order
to maintain ownership and control (Johnson, 2008).

Security in Cloud Computing

Downloaded by [94.79.182.6] at 11:11 02 March 2015

TECHNOLOGICAL DRIVERS AND

CONSTRAINTS
The cloud is many things to many people. The
terms grid, cloud, utility computing and large-scale
computing, and cloud-like infrastructures all describe
variations on a theme and will be with us for the long
haul. How cloud computing will function and what
services will be offered are still being debated, and
market forces will drive the most desired solutions to
the top. The cloud solutions bring with them challenges and opportunities. Moreover, new and untested
delivery models will be accompanied with new vulnerabilities.
In discussions with enterprises about the cloud,
security is always a top concern. Enterprises are reluctant to place core and mission-critical applications and
data in a shared environment. These organizations
are also reluctant to entrust important information
to multitenant cloud environments where the physical hardware may be shared by multiple customers.
They are very concerned about the traceability and
lack of transparency of virtual machines, which make
it difficult or near impossible to determine where this
machine is located and whether a customers data
retains the desired level of integrity. According to Mell
and Grance (2009), the key drivers of cloud computing
are on-demand self-service, ubiquitous network access,
location independent resource pooling, rapid elasticity, infinite capabilities for provisioning, and measured
service. These authors also listed the key technological
constraints as transparency, multitenancy, encryption,
compliance, and trust.
Enterprises fear that when data from multiple customers are stored on a shared server, the possibility
of contamination exists. Transparency is the next issue
that analysts cite as being a major factor in cloud adoption, and it has a crucial impact on cloud security due
to the lack of insight into the performance of security methods in the cloud. Transparency remains the
biggest complaint at present for users and providers
alike. The lack of reporting, logs, and general feedback
lower the level of confidence an entity has that its
data is secure, accurate, and available. While vendors
are slowing addressing this shortcoming, it remains
an area where there are few standards. Further, there
are few reporting applications that let tenants manage
cloud computing resources as if they were a network
administrator.
D. Mohammed

The lack of compliance to standards, reporting,

monitoring, service level agreements, laws, etc., will
be a crucial constraint to cloud ubiquity. Providers
have data centers worldwide, and customer data can
be dynamically allocated among data centers. For customers, this creates anxiety because they may not know
where their data is at any given time. Service providers
and most governments have the ability to track and
manage records and most of the data that flow in and
out of their environments. That leaves cloud customers
with little means of determining their level of trust and
transparency as to how and if they are in compliance
when storing and creating data via a cloud provider.

CONCLUSIONS
Cloud computing is still an abstract marketing and
design concept for all but the most innovative organizations. Some view the clouds that exist today as
repackaged versions of the present Internet. What differs is the scale and magnitude of what the cloud
can do once massive computing power and nearly
unlimited bandwidth can be brought to even individual users. The impact of this capability that was once
reserved for government laboratories and universities
available to individuals will be truly revolutionary.
However, in order for the revolution to reach the
masses, the drivers and constraints discussed in this
paper will need to be addressed. Chief among the constraints that need to be addressed is transparency. Once
the cloud is transparent and users can access, manage,
and report on the state of their outsourced services and
data, the level of trust in these services will increase.
As a result, adoption of cloud computing in the global
marketplace will be widespread, and we will enter a new
era of computing.

REFERENCES
Brodkin, J. (2009). Rackspace apologizes for cloud outage, prepares
to issue service credits. Network World, November 5. Available
from: http://www.networkworld.com/news/2009/110509-rackspaceoutage-apology.html?fsrc=netflash-rss
Clarke, G. (2009). Microsoft Azure cloud suffers first crash. The
Register, March 16. Available from: http://www.theregister.co.uk/
2009/03/16/azure_cloud_crash/
Foster, I., Zhao, Y., Raicu, I., and Lu, S. (2008, November). Cloud computing and grid computing 360-degree compared. Proceedings of the
IEEE GCEW, pp. 110.
Hewitt, C. (2008). ORGs for scalable, robust, privacy-friendly client cloud
computing. IEEE Internet Computing, 12(5), 9699.

126

BIOGRAPHY
Derek Mohammed Ph.D., CISSP, CISA, PMP, currently teaches undergraduate and graduate level courses
in information security and assurance at Our Lady
of the Lake University in San Antonio, Texas. He
has worked extensively in both the public and private sectors to improve the security of their critical information systems. His research focuses on
improving the security of computer and network
systems.

Downloaded by [94.79.182.6] at 11:11 02 March 2015

Johnson, B. (2008). Cloud computing is a trap, warns GNU founder

Richard Stallman. Guardian, September 8. Available from:
http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.
richard.stallman
Lonescu, D. (2009). Microsoft red-faced after massive sidekick
data loss. PC World, October 12. Available from: http://www.pcworld.com/ article/173470/ microsoft_redfaced_after_massive_sidekick_
data_loss.html
Mell, P. and Grance, T. (2009). The NIST definition of cloud
computing. National Institute of Standards and Technology,
October 7. Available from: http://csrc.nist.gov/groups/SNS/cloudcomputing/cloud-def-v15.doc
Metz, C. (2009). Lightning strikes Amazon cloud. The Register,
June 12. Available from: http://www.theregister.co.uk/2009/06/12/
lightning_strikes_amazon_cloud/

127

Security in Cloud Computing