JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 72

Understanding the Risks of Cloud Computing

Maximilian ROBU

Abstract— Last few years were marked by a major IT revolution, the extending world-wide, based on scale economy of the
major vendor resources, such as IBM or Google. The current economical crisis has affected the IT market as well. A solution
came from the Cloud Computing area by optimizing IT budgets and eliminating different types of expenses (servers, licences,
and so on). Cloud Computing is an exciting and interesting phenomenon, because of its relative novelty and exploding growth.
But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about
just how safe the environment is. Naturally, raises the issue of security: Is it safe to put our most important data in a cloud? This
paper analyzes the various security risks that can arise in the Cloud Computing area.

Keywords— cloud computing, risks, security, technology

1 INTRODUCTION

C loud Computing is a relatively new concept in the IT

field, which marks the evolution and innovation of
the way the information technology is provided. It
nal customers [15]. This definition presents the cloud
computing concept referring to any computing capability
that is delivered as a service over the Internet.
describes how the technology will be offered in the fu- National Institute for Standards and Technologies
ture, “as a service”. Also, it can be considered a funda- (NIST) [21] and Cloud Security Alliance [2] presents
mental factor of the evolution of the Internet and how to cloud computing as a model for enabling convenient, on-
access information. demand network access to a shared pool of configurable
The freshness and boost of cloud computing makes it computing resources (e.g., networks, servers, storage,
an exciting subject for research. The concept is on the applications, and services) that can be rapidly provi-
front-stage of recent publications in the area of informa- sioned and released with minimal management effort or
tion and communications technologies. service provider interaction. This approach leads to a
The cloud computing model allows access, via a net- consumption basis way of pay for IT services just like it
work, to a preconfigured number of informational re- now happens with electricity, gas or water.
sources (applications, services, storage facilities, and so Another interpretation explains cloud computing like
on) which can be used with minimal effort and no interac- an on-demand service model for IT provision, often based
tion with the supplier. on virtualization and distributed computing technologies.
The problem appears when our dependency on cloud Cloud computing architectures have: highly abstracted
computing increases: as any technology it has its vulner- resources; near instant scalability and flexibility; near in-
abilities and the more we use it the more we expose our- stantaneous provisioning; shared resources (hardware,
selves to these risks. database, memory, etc); “service on demand”, usually
The reminder of this paper is organised as follows. with a “pay as you go” billing system; programmatic
First of all an overview of cloud computing concept is management (e.g., through WS API) [3].
given. Next the research presents some details about As you could probably deduce by now, cloud compu-
cloud computing architecture and services delivered. ting implies a service oriented architecture (SOA) through
These are followed by a presentation of risks categories offering software and platforms as services, reduced in-
that can appear in the cloud computing area. Finally, formation technology overhead for the end-user, great
some discussions and conclusion are drawn. flexibility, reduced total cost of ownership(TCO) and of-
fers on demand services.
Basically, cloud computing represents the IT service,
2 THE CLOUD COMPUTING CONCEPT
offered via a network, that is designed to be scalable and
Literature doesn’t offer any universally accepted defi- thus, better adjusted to the customers needs.
nition or a "founding father" of this topic, there are sever- To conclude cloud computing it’s a result of the con-
al approaches of the term. tinuous expansion of the Internet, we are of course refer-
One of the most frequently used definitions is the one ring to the ease of access to both data and applications,
who described cloud computing as a style of computing and a new concept that the IT market offers.
where massively scalable IT-related capabilities are pro-
vided “as a service” across the Internet to multiple exter-

————————————————
Maximilian ROBU, PhD Student, Faculty of Economics and Business
Administration, “Alexandru Ioan Cuza” University of Iassy.
© 2010 Journal of Computing Press, NY, USA, ISSN 2151-9617
http://sites.google.com/site/journalofcomputing/
 JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 73

3 AN OVERVIEW OF CLOUD COMPUTING like operating systems and applications. For example, it’s
ARCHITECTURE AND SERVICES worth mentioning various server hosting solutions like
Amazon Web services or BlueLock.
Since cloud computing is a very broad term, it makes Platform as a Service (PaaS) is a service that enables
the architecture classification complicated. There isn’t any
universally accepted model. An example of cloud compu-
ting architecture is displayed in Figure 1. Customers con-
nect to the cloud from their own computers or portable
devices, over the Internet. To these individual users, the
cloud appears as a single application, device, or docu-
ment.

As you could notice the architecture contains compris-

es hardware and software designed by a cloud architect
who typically works for a cloud provider. Usually this
involves a number of cloud components that are commu-

Fig. 2. Services that can be found into a cloud

source: Kraan, W, Yuan, L., “Cloud computing in institutions”, JISC
CETIS,2009,
http://wiki.cetis.ac.uk/images/1/11/Cloud_computing_web.pdfion.

the consumer to deploy into the cloud, infrastructure,

custom-created applications using a specific environment
and toolset supported by the provider. Google App En-
gine and Windows Azure are two of the most known
tools in this area.
Software-as-a-Service (SaaS) represents the ability of
the consumer to run applications into a cloud using a
Fig. 1. An example of cloud computing architecture.
source: http://www.smartcloudsw.com/
simple interface such as a Web browser. These applica-
tions can be everything from Twitter or an important
nicating with each other most often over web services. web-based email, SalesForce.com or Google Mail.
This architecture will then be relayed to the client over
web browser thus enabling him to access the applications
from the cloud. 4 MODELS OF CLOUD COMPUTING
Applications of cloud computing can be split into When we speak about the cloud computing concept
three types, known as cloud service delivery models [2], [3] : the keyword that defines it is “cloud”. Cloud describes
1. Infrastructure as a Service (IaaS). the use of services, applications, information, and infra-
2. Platform as a Service (PaaS). structure comprised of pools of compute, network, infor-
3. Software as a Service (SaaS). mation and storage resources. The scalability of the cloud:
Previously presented services can be integrated into up or down, addition of applications is done through
the architecture which is based on Internet, as you can see these components.
in the Figure 2. For every level there are a set of sugges- Specialized literature presents several cloud comput-
tive examples. ing models. One of the most important classification
The first service from the list, Infrastructure as a Ser- comes from ISACA (Information Systems Audit and Con-
vice (IaaS), allows consumers to rent processing, storage, trol Association) [4] and contains 4 major models that are
networks, and other fundamental computing resources reproduced in Table no. 1.
that enables them to deploy and run arbitrary software,
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 74

5.1 Policy and organizational risks

These are business-related risks that organizations may
face when considering to choose cloud computing service
providers. The most common risks that we can include in
this category are lock-in, loss of governance, compliance
challenges, loss of business reputation, and cloud service
termination or failure.
Lock-in refers to the inability of a customer to move
his applications and / or data away from a the cloud of a
vendor [5]. The problem found here is the possibility to
change your vendor when you find it necessary. It is
worth mentioning that interoperability has improved
among platforms, application programming interfaces for
cloud computing itself are still largely proprietary
According to European Network and Information Se-
curity Agency (ENISA) [3] currently there are few "tools,
procedures or standard data formats or services interfaces
that guarantee data, application or services portability"
and because of that it can be "difficult for the customer to
migrate from one provider to another or migrate data and
services back to an in-house IT environment".
Customers might be exposed to price increase, reliabil-
ity issues or the imminent bankruptcy of providers when
choosing customer lock-in. It is true that for the providers
might prove itself quite a deal. One of the motivating fac-
tors for lock-in that is the permanent desire of vendors to
increase the prices for the provided services.
One other thing worth mentioning is that customers
might be interested in portability from one cloud provid-
er to another without much fuss and, some others might
be interested in using multiple clouds at the same time
[11]. Because the cloud computing concept is so new and
When deciding what type of cloud to use companies didn’t reach maturity, not many users have faced this sort
must take into consideration several factors and of course of problems.
their needs. It is good to know that public, private or hy- One of the top security risks is Loss of gover-
brid do not point to location. It’s true that public clouds nance. Customers give the control to cloud computing
are generally on the Internet and private ones on dedicat- service providers on a number of issues that may impact
ed premises but a private cloud can also be hosted at a their security, mission, and goals. Cloud Security Alliance
colocation facility too. Because companies can rapidly [2] suggests that businesses are vulnerable when they
change their needs they can also choose to use two differ- entrust their data to a third party, and many things can go
ent types of cloud if it best fits their interest. For example wrong.
if you need a certain application just for a limited period Finnie [13] sees cloud computing as a "minefield"
of time you will most probably opt for a public cloud so when referring to CIOs and IT organizations concerning
you won’t have to acquire any storage equipment. On the to loss of control that can lead to low security levels. This
other hand, if we are talking about important software will result in the inability to satisfy some requirements
that will be used on a daily basis you will rather deploy it concerning the lack of confidentiality, integrity or the
in a private or hybrid cloud. availability of data.
Compliance challenges represent the third risk from
5 RISKS OF CLOUD COMPUTING this category. Cloud Security Alliance [2] suggest that
lack of governance over audits and industry standard
Moving informational resources to the clouds gives a assessments may leave cloud computing customers
lot of flexibility and efficiency, but also has consequences “without a view into the processes, procedures, and prac-
in a number of areas that require some thought. tices of the provider in the areas of access, identity man-
Although the benefits of cloud computing are well agement, and segregation of duties non-inclusively leav-
known, safety concerns have received less attention. Con- ing control risks an unknown quantity”.
cerning security an important aspect represents the study Cloud computing service providers need to be more
of risks that arise from using this technology. Research transparent, so customers can ensure they meet the ap-
has identified three types of cloud computing risks: poli- propriate rules and regulations. If a company is trying to
cy and organizational, technical, and legal [2], [3]. get a certain certification, the acceptance might
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 75

be jeopardize by the fact that the cloud computing service and replay attacks [2].
provider can't offer data about their own compliance or Distributed Denial of Service (DDoS) attacks
might not accept an audit from one of their customers. represents another risk to using cloud computing servic-
Loss of business reputation is another important risk es. Douglis [11] launches an alarm in what concerns virus
that refers to one customer s bad behavior, one neighbor attacks as this technology grows heading to one single
from the cloud, that can affect negatively the reputation interface. It will help the transmission of viruses or one
of the cloud as a whole [5]. company that is a hack victim might affect other organi-
Cloud service termination or failure refers to the fi- zations that share the same cloud.
nancial viability of cloud service providers. When you
choose a vendor, the financials aspect is a critical issue 5.3 Legal risks
and should be evaluated [2] The last risk category is related to the legal nature of
ENISA [3] also states the possibility to terminate some operations from clouds, and can also have a negative im-
cloud computing serviced as a result of competitive or pact on an organization that uses cloud computing ser-
financial pressures. Because this sort of termination can vices. Legal risks include subpoena and e-discovery,
disturb your business and not only, the Cloud Security changes of jurisdiction, data privacy, and licensing.
Alliance [2] suggests an alternative location for the servic- Subpoena and e-discovery refers to the possibility of
es to be taken on for all cloud computing customers. This the confiscation of physical hardware as a result of sub-
location can be either another cloud computing service poena by law-enforcement agencies or civil suits. The
provider site or the costumers own data center. result can be the disclosure of client’s data to unwanted
parties.
5.2 Technical risks Changes of jurisdiction can be a high risk for the cus-
tomer’s data keep data in multiple jurisdictions. Because
When we speak about a subject like cloud computing it
jurisdictions apply their own laws, the issues and risks of
is inevitably that we have to speak about some specific
data being unintentionally disclosed will grow in com-
risk, the technical ones. Usually these risks have a direct,
plexity as cloud computing is more widely adopted [2].
technological impact on the cloud computing systems.
Gatewood [16] stated that the supplier's location and
Such risks include: availability of service, resource ex-
the data location might not be the same. Also, if that data
haustion, intercepting data in transit and distributed
is held in a country that does not honor international
denial of service.
laws, the underlined contracts might be disclosed. The
Availability of service describes availability of service
same applies to countries that are considered high-risk.
as the number one obstacle to the growth of cloud com-
Data privacy remains “one of the longest standing and
puting.
most important concerns with cloud computing”[16] .
When you use a single vendor for cloud computing
There are many aspects regarding this specific risk.
you expose yourself to the risk of single point failure. Af-
First of all it’s important to known the person respon-
ter all, the provider also has a business that can go wrong,
sible with data privacy is. Generally it's expectable that
depends on different network providers and can also go
the customer is also the person in charge on processing
out of business.
personal data, even when this type of data processing is
Resource exhaustion is another risk type that have to
being performed by the cloud provider.
be taken into consideration when we speak about to the
Companies have already been held liable for activities
technical side of cloud computing. Cloud computing ser-
performed by their subcontractors by government agen-
vices are considered on-demand, which suggests a level
cies in the US and European Union [2].
of calculated risk because resources of a cloud service are
Another aspect refers to the fact that information that
allocated to statistical projections [3].
belongs to an entity may be resident in several locations
It's true that the virtual machines that are used in
and coexist with another organization’s data [16]. Taking
cloud computing share CPUs and main memory but disk
into consideration data type and location you can get
I/O sharing proves to be more troublesome. Armbrust [5]
more legal issues concerning data privacy. The safety of
states that the main problem with virtual machines and
financial data, intellectual property or health must be tak-
operating systems is that they fail to offer a programmatic
en into consideration.
way in order to make sure that all the threads of an appli-
It can be difficult for the cloud customer (in its role of
cation run at the same time.
data controller) to effectively check the data processing
The Intercepting data in transit risk is the result of the
that the cloud provider carries out, and thus be sure that
distributed architecture, cloud computing implies more
the data is handled in a lawful way. Violation of the pro-
data is in transit than in traditional infrastructures.
visions on data security can bring administrative, civil
Data is viewed as a risk especially when it's in transit,
and also criminal sanctions, which varies from country to
so companies have to ensure that the data is encrypted in
country.
all the phases [7].
Licensing conditions is also a risk that organizations
Encryption should be strong and employ key man-
may pay more than desired to license software on sys-
agement that allows customers to keep data encrypted
tems hosted by cloud computing service providers. ENI-
and therefore private [2]. The threat sources that worth
SA [3] explains that “licensing conditions, such as per-
mention here, without proper encryption, include sniff-
seat agreements, and online licensing checks may be un-
ing, spoofing, man-in-the-middle attacks, side channel
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 76

workable in a cloud environment”. [9] Chonka, A., Yang, X., Zhou, W., Bonti, B., “Cloud security defence to
In the case of PaaS and IaaS services appears the possi- protect cloud computing against HTTP-DoS and XML-DoS attacks “
Journal of Network and Computer Applications, 2010, retrieved from
bility for creating original work in the cloud for example
http://www.sciencedirect.com
new software. In this point we can talk about the fact that [10] Coviello, A. - Securing cloud computing is industry responsibility,
there aren’t laws to protect new created products and the Infosecurity, Volume 7, Issue 2, March-April 2010, p. 11, retrieved from
original work may be at risk. www.infosecurity-magazine.com/.../rsa-securing-cloud-computing-
is- industry-responsibility-says-art-coviello
[11] Douglis, F. (2009). Staring at clouds. Internet Computing, IEEE, 13(3), 
6 CONCLUSION 4‐6.  
In the current economic environment, cloud compu- doi: http://doi.ieeecomputersociety.org/10.1109/MIC.2009.70 
[12] Everett, C., “Cloud computing, A question of trust”, Computer Fraud
ting is one of the top technology trends and intends to & Security, Volume 2009, Issue 6, June 2009, pp. 5-7, retrieved from
be the saving solution for optimizing the IT budgets. http://www.sciencedirect.com
Currently, cloud computing is considered the next [13] Finnie, S., “Peering behind the cloud”, Computerworld, 2008, p. 22.
retrieved from Academic Search Premier database:
best thing when in comes to optimize IT budgets in the
http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direc
current economic environment. It's believed that it t=true&db=aph&AN=34703832&loginpage=Login.asp&site=ehost-
will become a key technology oriented at sharing in- live&scope=site
frastructure, software or business processes. [14] Fitz-Gerald, SJ – “Cloud Computing: Implementation, Management
and Security”, INTERNATIONAL JOURNAL OF INFORMATION
As cloud computing will be used more the risks it MANAGEMENT, Volume: 30 Issue: 5, 2010, pp. 472-472.
involves will arise according to Pearson. It will be wise [15] Gartner Research – “Definition of Cloud Computing. Cloud Compu-
to place data into a cloud as long as you know the per- ting: It's the destination, not the journey that is important”, DevCentral
Weblog, 2008, retrieved from
sons that have access to that information. http://devcentral.f5.com/weblogs/macvittie/archive/2008/11/03/
The novelty of the concept, the lack of international cloud-computing-its-the-destination-not-the-journey-that-is.aspx.
security specific standards and the immaturity of this [16] Gatewood, B., “Clouds on the information horizon: How to avoid the
storm”, Information Management (15352897), 43(4), 32-36, retrieved
technology have given way to many interpretations on from Academic Search Premier database:
how the application security should be treated in the http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direc
cloud. t=true&db=aph&AN=43659227&loginpage=login.asp&site=ehost-
live&scope=site
[17] Kraan, W, Yuan, L., “Cloud computing in institutions”, JISC CETIS
REFERENCES 4A, 2009,
[1] ***, CPNI – “INFORMATION SECURITY BRIEFING 01/2010. http://wiki.cetis.ac.uk/images/1/11/Cloud_computing_web.pdf
CLOUD COMPUTING”, 2010, retrieved from [18] Jaeger, P. T. , Lin, J., Grimes, J. M. , “Cloud Computing and Informa-
http://www.cpni.gov.uk/Docs/cloud-computing-briefing.pdf . tion Policy: Computing in a Policy Cloud?”, Journal of Information
[2] ***, Cloud Security Alliance, “Security guidance for critical areas of Technology & Politics, Vol. 5 Issue 3, 2008, pp. 269 — 283, retrieved
focus in cloud computing”, 2009 retrieved from from http://citeseerx.ist.psu.edu.
http://www.cloudsecurityalliance.org/guidance/csaguide.pdf [19] Lillard, T. V., Garrison, C. P., Schiller, C.A., Steele, J. “Legal Implica-
[3] ***, ENISA, “Cloud computing: benefits, risks and recommendations tions and Considerations”, Digital Forensics for Network, Internet, and
for information security”, 2009 retrieved from Cloud Computing, 2010, pp. 275-299
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud- [20] Mansfield-Devine, S., “Danger in the clouds” , Network Security, Vo-
computing-risk-assessment/at_download/fullReport lume 2008, Issue 12, 2008, pp. 9-11
[4] ***, ISACA, “Cloud Computing: Business Benefits With Security, [21] Mell, P., Grance., T., “The NIST Definition of Cloud Compu-
Governance and Assurance Perspectives”, 2009, retrieved from ting”,Version 15, National Institute of Standards and Technology, In-
http://www.isaca.org/Knowledge- formation Technology Laboratory, 2009, retrieved from
Center/Research/Documents/Cloud-Computing-28Oct09- http://csrc.nist.gov/groups/SNS/cloud-computing.
Research.pdf [22] Paquette, S., Jaeger, P T., Susan C. Wilson, “Identifying the security
[5] Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., risks associated with governmental use of cloud computing”, Gov-
et al, “Above the Clouds: A Berkeley view of cloud computing”, 2009, ernment Information Quarterly, Volume 27, Issue 3, 2010, pp. 245-253,
retrieved from retrieved from http://www.sciencedirect.com.
http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009- [23] Shipley, G. “CLOUD COMPUTING RISKS”, InformationWeek , Issue
28.pdf, 28.html 1262, 2010, pp. 20-24. retrieved from
[6] Barrett, D., Kipper, G., “Visions of the Future: Virtualization and http://www.informationweek.com .
Cloud Computing Virtualization and Forensics”, 2010, pp. 211-220, [24] Subashini, S., Kavitha, V. “A survey on security issues in service
retrieved from www.informationweek.com . delivery models of cloud computing”, Journal of Network and Comput-
[7] Brynko, B. (2008). “Cloud computing: Knowing the ground rules”. er Applications, In Press, 2010
Information Today, 25 (10), 23, retrieved from Business Source Premier [25] Svantesson, D., Clarke, R., “Privacy and consumer risks in cloud
database: computing” , Computer Law & Security Review, Volume 26, Issue 4,
http://search.ebscohost.com.libproxy.uoregon.edu/login.aspx?direc 2010, pp. 391-397, Taylor, M., Haggerty, M., Gresty, D., Hegarty, R. –
t=true&db=buh&AN=35126515&loginpage=login.asp&site=ehost- “Digital evidence in cloud computing systems”, Computer Law & Se-
live&scope=site . curity Review, Volume 26, Issue 3, 2010, pp. 304-308, retrieved from
[8] Cagle, K., “But what exactly “is” cloud computing?”, O’Reilly Broad- http://www.sciencedirect.com/.
cast, 2008, retrieved from [26] Walsh, P.,J., “The brightening future of cloud security”, Network
http://broadcast.oreilly.com/2008/12/but-what-exactly-is-cloud- Security, Volume 2009, Issue 10, 2009, pp. 7-10, retrieved from
comp.html . http://linkinghub.elsevier.com/retrieve/pii/S1353485809701096
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 11, NOVEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 77
[27] Walter, S. – “Cloud security: is it really an issue for SMBs?” , Computer
Fraud & Security, Volume 2010, Issue 10, 2010, pp. 14-15

Robu Maximilian – Currently trying to get my PhD in Economic

Computer Science at “Al. I Cuza” University Iassy, Romania. I’m an
information technology enthusiast who's interested in what's new
and exciting in today's computer business. I’ve have a Postuniversi-
tary degree in Business Administration System (2010) and an Eco-
nomic Computer Science degree achived in 2008 both achieved at
the “Al. I Cuza” University Iassy, Romania . Cloud computing, green
computing, ERP systems and their practical implementations are
interests of mine, so it was only normal to place my research in
these areas.