II. Risk of Cloud Computing in Universities

/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */

The benefits of cloud computing are both a friend and a foe from a security point of view. The massive concentrations of resources and shared usage pattern present a more attractive target to attackers and exposure to new security concerns. Universities should consider the risks and vulnerabilities prior to migrate to the cloud. Examples of these risks are:

1. Data and Privacy Protection 

When universities store their data with programs hosted on someone else's hardware, they lose a degree of control over their sensitive information. The responsibility for protecting that information from hackers and internal data breaches then falls into the hands of the cloud service provider rather than the universities. The multi-tenancy, reuse of hardware and software resources, and resiliency through redundancy nature of cloud computing also means a higher risk of incomplete or unsecured deletion of universities' confidential data.

2. Isolation and Segregation

The multi-tenancy and shared resources are two of the defining characteristics of cloud computing environments. Computing capacity, storage, and network are shared between multiple users. Therefore, failure of mechanisms separating storage, memory, routing and even reputation between different customers of shared infrastructure (e.g. so-called guest-hopping attacks, SQL injection attacks exposing multiple customers' data stored in the same table, and side channel attacks) becomes a key risk in cloud computing.

3. Malicious Insider

The malicious activities of an insider could potentially have an impact on the confidentiality, integrity and availability of universities information asset maintained by cloud service providers. Staff of cloud service providers, such as system administrators, may be granted with privileged access to the sensitive data of all customers within their cloud environments. Any abuse of such system privileges can bring significant risks to customers' information security. On the other hand, when usage of cloud services increases, employees of cloud service providers increasingly become targets for criminal gangs.

4. Regulatory Compliance

Having data, application or processes migrated to a cloud provider, especially a public one, universities are still ultimately responsible for that data and needs to comply with relevant regulatory laws (e.g. Personal Data (Privacy) Ordinance) and information security standards (e.g. ISO27001) when handling such data. Due to the very nature of cloud computing, to know where universities' data is stored, when it is moved, who has accessed and what particular security measures are in place can be difficult. It is also questionable whether the cloud providers are willing to offer support for auditing purpose.

5. Dependency to Service Provider

There is currently little to offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. Universities may find it difficult to in-source their data and IT operations in the cloud or switch to another cloud service providers. This introduces a dependency on a particular cloud service provider for service provision, especially when data portability is not supported.

6. Loss of IT Governance

In using cloud infrastructures, universities necessarily outsource control to the cloud service providers on a number of issues which may affect security of universities' data and applications stored on the cloud's platform or software. At the same time, Service Level Agreement (SLA) may not offer a comprehensive commitment to provide desired IT security measures by cloud service providers, thus leaving a gap in universities IT security defences.

7. Cloud Service Termination or Failure

As in any new IT frontier, competitors'' pressure, inadequate business strategies, lack of financing, immature market, etc, could lead to some cloud providers to go out of business or at least to force them to restructure their service portfolio offering. Short or long term service termination means a loss or deterioration of service delivery performance, as well as a loss of investment. Meanwhile, Universities may be at risk to meet their own duties and obligations, and thus be exposed to contractual or legal liability to their employees, third parties, students or even the public.

8. Legal

In the event of the confiscation of physical hardware as a result of subpoena by law-enforcement agencies or civil suits, the centralisation of storage as well as shared tenancy of physical hardware means universities' sensitive information in the cloud is at risk of disclosure to unwanted parties. On the other hand, in the absence of contractual commitment from service providers or legal enforcement, investigation of inappropriate or illegal activities may be infeasible in cloud computing as some or all universities' data may be stored with other customers and may also be spread across a set of ever-changing hosts.

Related Article

Top Cloud Computing Security Risk: One Company Gets Burned

LawLeaf, a web-based financial services company, suffered a major hit on its reputation after a SQL injection attack that compromised its cloud service provider, BlueHost. However, the argument that whether the provider or LawLeaf should be responsible for the loss still persists.

See the article: http://www.networkworld.com/news/2010/071410-top-cloud-computing-security-risk.html

Reference:

1. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
2. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
3. http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853?page=0,1

[Previous section] [Next section]