
Project title

An examination of Cloud Computing so as to assess if it poses new threats on organisations.

Main aim of the project


To find out whether the relatively new technology of Cloud Computing is also a secure one for big and small
enterprises.

Project objectives
The main objectives of this study are:
1. Exploring basics of Cloud Computing and its advantages and disadvantages
2. Researching security issues posed by cloud computing
3. Researching the most appropriate solution to threats
Importance of Research
Cloud computing is a relatively new technology and the new buzzword in the I.T. industry. With this technology,
organisations can just plug in to a cloud and access a centralised data-centre and applications with a powerful
Internet connection. There is no doubt about the rave reviews cloud computing is receiving in the present day. It
offers a cost-effective, energy-effective and time-effective solution to big and small enterprises. The caveat though
is in the security and privacy threats it poses.
A cloud is a collection of software applications, database storage and processing power all packed in one place. It
is needless to say that a cloud on its own is a powerful multi-purpose computer network. Now, let's consider a
hacker trying to hack into a big organisation's database. With a laptop, it will take him 5 weeks to break in and
hack the password. Cracking a password requires enormous processing power and a laptop just cannot keep up
with it.
However, by just plugging in to a cloud, a hacker is given veto power in posing a threat within a few minutes.
Using cloud computing, a hacker can connect to a set of very powerful services and computers and process a hack
on a million-dollar super-computer of any organisation. Once the wi-fi password is hacked, the hacker can use the
passwords and gain access to the highly sensitive database of the company. Users who don't think about security are
often those who become victims of identity theft and fraud. (Doug Howard, Kevin Prince, 2011) [9].
The purpose of this paper is to look into the ways a threat is posed when a company uses cloud computing.

Project description
"Cloud computing is everywhere." (Anthony T. Velte, Toby J Velte, Robert Elsenpeter, 2010, p. 3) [10]
Cloud Computing is the buzzword in the I.T. industry. It has been turning the whole software industry upside down,
and it's not even fully incorporated yet. It is therefore clear that the future will have us accessing almost every
service via a cloud. Today, we see cloud computing in full throttle when we use Google Docs. When using Google
Docs, there is no need to install any word processing application on one's computer as such. The software is
installed and ready to be used at some location in the world. The exact details of where and how this word
processor is located are not necessary for an end-user to know. All the user needs to do is have a working Internet
connection and access the free service online.
Google doesn't charge for Google Docs, but it may in future. While we cannot dictate the future, it is safe to
expect that. But for full-fledged purposes like running an entire organisation, cloud computing providers like
Clarizen, Employease, Netsuite, Salesforce and Zoho charge the organisation on a usage basis. This means if you
access an email application, say, you will be charged for it and nothing else by the cloud computing provider. The
elimination of fixed costs is a benefit.
In his book, Nicholas Carr [2] compares this computer industry revolution with electrification in the industrial era. In
the early days, companies would produce their own electricity. But later on, centralised solutions emerged and
these companies, though hesitant at first, switched to a centralised electricity generation provider and reaped the
benefits of cost and time. They no longer needed the resources that electricity generation called for: magnets,
turbines, generators. Things were simpler and life was made easy. All they now had to do was to pay a monthly
bill to the centralised generation company and use the electricity for their business.

That's the sheer beauty of cloud computers. The technology makes everything seamless yet powerful and reliable.
It is easy to assume cloud computing will only gain more popularity as time progresses. But in reality, cloud
computing isn't much of a technology but a bringing together of other existing technologies. [3]
Christopher Barnatt writes in his book, "After all, once people start running programs over the Internet they will
have no need to purchase and install them on their own computers. Companies will also not be required to
purchase and maintain so much hardware and software if it can simply be rented online. The growth of cloud
computing therefore threatens the survival of many software vendors and corporate data centres." [1]
What he says is true and seems to be the way organisations are going. The Government of Iceland, for example,
has started work on its first massive cloud computing centre. Many newspaper organisations today get their work
done on Google Docs and other such applications. At least half of their writing is estimated to be done via cloud
computing, which lets various employees in different offices collaborate on a piece from their original locations
because updates are in real-time.
Many other groups have also announced efforts dedicated to cloud computing, such as the Distributed
Management Task Force (DMTF); the Information Technology Association of America, a high-technology
industry association; and the Jericho Forum, an international information security thought leadership association,
among many others. (Tim Mather, Subra Kumaraswamy, Shahed Latif, 2009, p. 5) [3]

Cloud Computing Advantages:


1. Cost: The cloud computing technology uses the SaaS (Software as a Service) model. This allows the users
(organisations, individuals) to pay per usage or on subscription. It saves millions of dollars for companies which
install a data centre of their own, in house.
2. Energy: It is estimated that companies use their servers at only 30% of their full capacity whereas a cloud
computing technology can assure up to 80% of the same. There is no doubt that energy is saved with this
innovative technology. Organisations can go greener with the adoption of cloud computing.
3. Collaboration: Using a cloud computing centre, employees in an organisation can work on the same file in
real-time and collaborate without the need to move away from their desks. They can be located in different cabins,
offices, cities or even countries. This saves time and reduces carbon footprints, especially because air travel is
reduced.
However, despite these glowing benefits, there is a huge risk involved. Organisations which switch to cloud
computing will save on money, energy, time and more but they are still open to security threats from third parties.
After all, everything they rely on is provided by an external party and they have to trust the security measures
incorporated by these providers. What if the measures are not strong enough? What if privacy is compromised?
There is no answer to that. When applications are in-house, things are easier to monitor, but when everything is
centralised at a third party location, things get difficult on the security and privacy front.

Cloud Computing Disadvantages:


1. Privacy: With the data passing in and out of a cloud whose whereabouts are unknown to the end user, the
privacy of an organisation is at stake. Anyone can listen to the information being passed and extract what they
wish to. It's as good as using the Internet for your business. Though this is done even today, it is done in minor
ways like for email with attachments etc. Privacy is therefore a weak link when it comes to cloud computing.
2. Security: Similar to the privacy issue above. When you rely 100% on an Internet-based super-computer-like
network, security can be easily breached. A hacker can plug into the cloud, just as any innocent user, and use the
power of hundreds of cloud computers and servers to hack an organisation's data.
3. Connectivity: For companies to permanently switch to this technology, a very fast Internet connection is
required. This should be possible in the near future but at the moment, it is a problem.

Sources of Security Threats in a Cloud Platform


1. Threats for Data Centre
2. Threats lying in Connectivity to the Cloud

The above two are the main sources of threats that can be expected.

Password Cracking: Testing


Password cracking involves hacking for a target's passwords. It is a tedious process but if the cloud doesn't lock the
hacker out after x tries, he or she has unlimited tries at hand and the whole process of cracking is reduced to a
matter of extensive bandwidth and time. (Ronald Krutz, Russell Dean Vines, 2010) [8].

We can try testing the cloud platform in the following ways:


Dictionary Method: It works if a password is made of letters. A file of words is run against accounts.
Hybrid Method: This is similar to dictionary attack but also incorporates common symbols and numbers
at the end of trial passwords in the file.
Brute Force Method: Try every combination until the password is hacked. Time consuming and
tedious.
Tools in market: Brutus, WebCracker, ObiWan, Burp Intruder, and Burp Repeater. (Ronald Krutz, Russell Dean
Vines, 2010) [8].
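
The "lock the hacker out after x tries" control described above, seen from the defender's side. This Python sketch is an added example, not code from the cited book or from any cloud provider; the class name, the thresholds and the login events are all constructed for illustration.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account after max_failures failed logins within window seconds."""

    def __init__(self, max_failures=5, window=300, lock_seconds=900):
        # Thresholds are illustrative assumptions, not values from the page.
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> time the lock expires

    def record(self, account, success, now):
        """Process one login attempt; return 'locked', 'ok' or 'failed'."""
        if self._locked_until.get(account, 0) > now:
            return "locked"  # rejected before the password is even checked
        if success:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures that fell outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            recent.clear()
        return "failed"


def replay(events, policy):
    """Replay (time, account, success) tuples; return outcome counts per account."""
    counts = defaultdict(lambda: {"ok": 0, "failed": 0, "locked": 0})
    for now, account, success in sorted(events, key=lambda e: e[0]):
        counts[account][policy.record(account, success, now)] += 1
    return {account: dict(c) for account, c in counts.items()}


# Constructed sample: one wrong guess per second against "alice" for 20 minutes,
# plus a legitimate user "bob" who mistypes once and then logs in.
SAMPLE_EVENTS = [(t, "alice", False) for t in range(1200)]
SAMPLE_EVENTS += [(10, "bob", False), (20, "bob", True)]

if __name__ == "__main__":
    for label, policy in (("no lockout", LockoutPolicy(max_failures=10**9)),
                          ("5 tries / 15 min lock", LockoutPolicy())):
        print(label, replay(SAMPLE_EVENTS, policy))
```

In the constructed replay, only 10 of the 1,200 guesses reach the password check once the lockout is on, against all 1,200 without it. Per-account lockout also lets anyone lock a known user out, so it is normally combined with per-source throttling.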

References used in project description


1. Christopher Barnatt, 2010. A Brief Guide to Cloud Computing. London, UK: Constable & Robinson Ltd.
2. Nicholas Carr, 2008. The Big Switch: Rewiring the World, from Edison to Google. New York, NY: W.W.
Norton & Company, Inc.
3. Tim Mather, Subra Kumaraswamy, Shahed Latif, 2009. Cloud Security and Privacy. Sebastopol, CA: O'Reilly
Media, Inc.
4. Victoria Ho, 2009. Cloud Computing to Usher New Threats. ZDNet Asia [online] 11 December. Available at:
http://www.zdnetasia.com/cloud-computing-to-usher-new-threats-62059940.htm [Accessed 28 April 2011].
5. Stephen Shankland, 2009. Gartner: Brace Yourself for Cloud Computing. ZDNet Asia [online] 21 October.
Available at: http://www.zdnetasia.com/gartner-brace-yourself-for-cloud-computing-62058752.htm [Accessed 28
April 2011].
6. Trend Micro Incorporated, n.d. Trend Threats 2010: The Year of the Toolkit. [online] Trend Micro
Incorporated. Available at:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/12296_trend__tlabs_ebook_210x210-web.pdf [Accessed 28 April 2011].
7. ISO27001security.com, n.d. ISO/IEC 27002:2005 Information technology - Security techniques - Code of
practice for information security management. [online] Available at:
http://www.iso27001security.com/html/27002.html [Accessed 28 April 2011].
8. Ronald L. Krutz and Russell Dean Vines, 2010. Cloud Security: A Comprehensive Guide to Secure Cloud
Computing. Indianapolis, IN: Wiley Publishing, Inc.
9. Doug Howard and Kevin Prince, 2011. Security 2020: Reduce Security Risks This Decade. Indianapolis, IN:
Wiley Publishing, Inc.
10. Anthony T. Velte et al., 2010. Cloud Computing: A Practical Approach. The McGraw-Hill Companies.

Project plan

1. Literature Review
Trend Micro suggests important security measures and issues advice for businesses which have embraced cloud
computing. [6] Here are some of the ones mentioned:
1. Encrypt all your sensitive data
2. Ensure that your firewall Intrusion Prevention System (IPS) and Intrusion Detection System (IDS)
protect each Virtual Machine (VM) separately.
3. Be in control of your encryption keys.
For medium-sized and small-sized businesses (SMBs), the report goes on to advise the following:
1. Employ cloud-based protection.
2. Procure all brand-related and look-alike domain names and avoid phishing.
3. Educate staff about cyber-crime.
4. Let customers know about your email and website policies.
5. Do not ask for their personal information via email; this looks like phishing.
6. Send personalised emails.
7. Avoid relying on pop-ups for data collection.
Lastly, for end users, the report advises:
1. Keep your PC up-to-date with latest updates and patches.
2. Do not send sensitive data over email.
3. Never open dubious-looking attachments.
4. Check your bank account and credit cards regularly.
5. Scan programs before executing.
6. Avoid using the same password for every login need.
7. Avoid instant messages from unknown people.
Tim Mather and others bring up a very good point in their book [3] when they say that after switching to a
cloud computing service, the responsibility for security is shared between the user (organisation) and the provider.
This new shared responsibility requires different ways of handling. The first point, therefore, that a Chief
Information Security Officer (CISO) must deal with is whether he or she has sufficient control on governance as
well as transparency from the provider of the cloud platform. This will help in ensuring that the data is appropriately
protected. The CISO needs to be sure of what security procedures his/her organisation will provide above the
controls inherent in the cloud platform and how.

2. Research Methodology
The standards which we will take into consideration, and which are relevant to security management practices in
the cloud, are: [3]
a. ITIL
b. ISO/IEC 27001 and 27002
ITIL (Information Technology Infrastructure Library) can be applied to a cloud computing environment and
hence will be our point of concern. This standard works at the tactical, strategic and operational levels and ensures
that the security is intact. The standard breaks information as follows:
I. Policies
II. Processes
III. Procedures
IV. Work Instructions
ISO/IEC 27001 is a standard against which organisations seek independent certification of their ISMS
(Information Security Management System). It consists of a formal set of specifications and ensures security of
the system. The main aim of the standard is to make information accessible, confidential, maintain integrity and
availability while keeping risks at minimum.
ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System
(ISMS). It uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS, but since
ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organizations are free to
select and implement other controls (or indeed adopt alternative complete suites of information security controls)
as they see fit. ISO/IEC 27001 incorporates a summary (little more than the section titles in fact) of controls
from ISO/IEC 27002 under its Annex A. In practice, organizations that adopt ISO/IEC 27001 also substantially
adopt ISO/IEC 27002. [7]

Questionnaires

Legal and ethical concerns


Before an organisation can test how secure its data centre and business is on the cloud platform, it must have
permission and adequate transparency from the CSP's side. It is important to note that now there are two parties
involved: the user organisation and the provider of the cloud computing platform.
Unless both parties agree, a test cannot and should not be conducted on the organisation's business security model.
All documents must be read and checked for any breach of the contract which was signed when the subscription
began.
Along with the permission of the organisation in question, permission from the CSP is also to be sought before
conducting any tests on the network's security.
An ethical tester must stick to a high standard of conduct. There is a certification that an ethical hacker must
undergo known as Certified Ethical Hacker or CEH. (Ronald Krutz and Russell Dean Vines, 2010) [8]. The
certification is sponsored by International Council of E-commerce and attests ethical hackers' knowledge and
adherence to principles.
Lastly, it is important for both the ethical hacking party and the organisation to be on the same page as to what to expect
and the subsequent risks involved.

Risk management
Enterprises must fully assess vendors' security systems, as they will be reliant on the provider's due diligence.
(2009) [4]
An organisation cannot have complete control over who sees their data or where it goes when inside a cloud. But
there is a way out for intelligent organisations and it is via contractual agreements.
The Cloud Service Providers (CSPs) can be asked to sign a powerful contract which deals with a security breach,
if at all, in future. This was done by Los Angeles City Council when they decided to move their 30,000-strong
workforce to Google's Government Cloud. The Council got a security breach penalty signed from Google and
this provided a safety net for the organisation buying the services (Christopher Barnatt, 2010, p. 9) [1]. Although
this may not seem attractive for small scale organisations, the bigger ones with a lot of sensitive data can go the
contract way.
Along with this, organisations must ensure that they are free to move from one vendor to another, if need be. They
shouldn't be tied down to stay with a single provider if problems of security and privacy and otherwise seem
obvious.
Cloud computing takes several forms, from the nuts and bolts of Amazon Web Services to the more finished
foundation of Google App Engine to the full-on application of Salesforce.com. Companies should figure out what
if any of those approaches are most suited to their challenges, Gartner said. (2009) [5].
It is clear that before renting out a service, an organisation must be sure of the best possible approach for their
specific needs.
While a test is conducted on the network, it is important to make sure the CSP knows and is oriented about it in
order to avoid accidental loss of data.
