The Campus of Tomorrow

CIS 4403: Cloud Computing

Week 9-10: LO3 – Cloud Computing Security

Thursday, November 17, 2022

Delivery Outline
• W1: CLO1 - Introduction to Cloud Computing
• W2: CLO1 - Cloud Computing Models and Services
• W3-4: CLO2 - Resource Virtualization and Pooling
• W5: CLO2 - Scaling and Capacity Planning
• W6: CLO2 - Load Balancing
• W7: CLO2 - File System and Storage
• W8: CLO3 - Database Technology
• W9-10: CLO3 - Cloud Computing Security
• W11: CLO3 - Privacy and Compliance
• W12: CLO4 - Content Delivery Network
• W13: CLO4 - Portability and Interoperability
• W14: CLO4 - Cloud Management
• W15: CLO all - Hot Research Topics

2
Objectives

• Upon completing this chapter the learner should be able to:

• Understand the threats to Cloud Security (Chapter 16 of Tex t Book)
• Implement Infrastructure Security (Chapter 16 of Tex t Book)
• Implement Information Security (Chapter 16 of Tex t Book)
• Explore Cloud Security Model (Chapter 6 of Tex t Book)
• Develop Security Policy (Chapter 6 of Tex t Book)
• Understand Trusted Cloud Computing (Chapter 6 of Tex t Book)
The Security Concern in Cloud Computing

• Traditional computing systems used to create a security boundary by placing firewalls at

the gateways through which the network used to communicate with the outer world.
• Malicious accesses get blocked at firewalls in the traditional data centers in order to keep the system
protected from outside threats.
• Traditional data centers allow perimeterized (i.e. within organization’s own network boundary or
perimeter) access to computing resources.
• Cloud computing provides for a de-perimeterization (to open-up the interaction with outer
networks).
• The traditional concept of security boundary no longer applies here.
• A new philosophy is needed that could provide security to computing resources at data
centers, accepting the necessity of de-perimeterization.

4
Whose Responsibility is It?
• The security issues associated with cloud
computing can be viewed from two angles:
• The concerns of the service consumers.
• The concerns of cloud providers (providing SaaS,
PaaS or IaaS).
• Consumers no more need to manage everything
starting from the bottom of the stack, they can
concentrate more on the security of a limited area.
• The provider must ensure security of its own
infrastructure as well as of the clients’ data and
applications.
• IaaS consumers have maximum security
management responsibility among all cloud service
consumers.
• The responsibility (of consumers) decreases as
they move from IaaS service towards SaaS service.
• The consumers must verify and ensure that the
provider has employed all possible security
measures to make the services secure. 5
Whose Responsibility is It?

• Cloud computing demands shared

responsibilities to take care of security issues.
It should not be left solely under the purview
of the cloud provider, the consumers also have
major roles to play.
• With appropriate selection of a cloud security
model for business implementation, the cloud
computing environment may even provide
more security than the traditional
environment.
• The relationship between the consumer and
the service provider is also important in
establishing a robust security system.
• Provider must establish a trust relationship with its
consumers.
• Both parties should have a clear idea about their
own responsibilities towards security
management.

6
The Importance of the Service-Level Agreement (SLA)
• Service-level agreements (SLAs) are used in different industries to establish a trust relationship
between service providers and consumers.
• SLA document should include the security issues in adequate detail.
• SLA details the service-level capabilities promised by the providers to be delivered and
requirements/expectations stated by consumers.
• Strong security maintenance activities need to define the responsibilities of both service providers and consumers
in documented form.
• Should have detailed mentioning of the security capabilities of the solutions and the security standards to be
maintained by the service providers.
• Consumers should provide clear-cut information to the service providers about what they consider as a breach of
security.
• These details are very important as the document establishes a legal binding for both parties and
works as reference in any dispute.
• Organizations should engage legal experts to review the SLA document during contract negotiation and before
making the final agreement.
• SLA document plays an important role in security management, for consumers moving towards cloud
solutions.

7
Threat, Vulnerability and Risk

• The conventional security concerns like threat, vulnerability and risk also persist in cloud
computing systems.
• Threat is an event that can cause harm to a system. It can damage the system’s reliability and
demote confidentiality, availability or integrity of information stored in the system.
• Vulnerability refers to some weaknesses or flaws in a system (hardware, software or process) that a
threat may exploit to damage the system.
• Risk is the ability of a threat to exploit vulnerabilities and thereby causing harm to the system. Risk
occurs when threat and vulnerability overlap. It is the prospect of a threat to materialize.

8
Threat, Vulnerability and Risk

• Following are the common threats to any computing system:

• Eavesdropping: This attack captures the data packets during network transmission and looks for
sensitive information to create a foundation for an attack.
• Fraud: It is materialized through fallacious transactions and misleading alteration of data to make
some illegitimate gains.
• Theft: In computing system, theft basically means the stealing of trade secrets or data for gain. It
also means unlawful disclosure of information to cause harm.
• Sabotage: This can be performed through various means like disrupting data integrity (referred as
data sabotage), delaying production, denial-of-service (DoS) attack and so on.
• External attack: Insertion of a malicious code or virus to an application or system falls under this
category of threat.
• Security concerns inherent to any computing system are also present in cloud computing
and require a cloud-specific perspective for their resolution.

9
Threats to Cloud Security

• The security threat concerns in cloud computing can be categorized as follows:

• Threats to Infrastructure: Application level, host level or network level infrastructure security threats
are no new issues introduced by cloud. The only difference is the share of responsibilities that both
provider and consumer have to safeguard the system.
• Threats to Information: Apart from conventional threats to information, cloud computing introduces
new security concerns as consumers’ (both organizations and individuals) data stays under the
control of a third-party cloud provider.
• Threats to Access Control: As the trust boundary expands beyond organization’s own control
(especially in public cloud), proper authentication and authorization management for applications in
the cloud is a very vital issue for security.
• Special considerations in cloud computing:
• The cloud computing model itself has some unique security concerns associated with it which
surfaced due to sharing of infrastructure or multi-tenancy features, especially in the public cloud
model.
• Public cloud deployment is the most critical case study to understand security concerns of
cloud computing. It covers all possible security threats to the cloud.

10
Infrastructure Security

• Infrastructure security describes the issues related with controlling access to physical
resources which support the cloud infrastructure.
• From consumer’s point of view, infrastructure security may seem to be more closely related
to infrastructure-as-a-service (IaaS) or IaaS vendors but the platform-as-a-service (PaaS)
and software-as-a-service (SaaS) layers cannot be ignored as they also have some roles to
play in securing the computing infrastructure.
• Infrastructure security can be classified into three categories:
• Network Level.
• Host Level.
• Service Level.

11
Network Level Security

• The network-level security risks exist for all the cloud computing services; SaaS, PaaS,
IaaS.
• The cloud deployment type (public, private or hybrid) determine the level of risk.
• There are no new threats, vulnerabilities or risks associated with private clouds apart from
those already been there if the organization uses a private extranet in place.
• An extranet is a controlled private network (intranet) that allows access to authorized outside users
enabling businesses to exchange information in a secure way.
• Ensuring data confidentiality, integrity and availability are the responsibilities of network
level infrastructure security arrangement.
• Data confidentiality risk is generally reduced by using techniques like encryption and digital
signatures but data availability problem at the network level causes more difficulty and
needs more attention to manage.
• Most of the network-level security challenges are not new to cloud; rather, these have
existed since the early days of the Internet. Advanced techniques are always evolving to
tackle these issues.

12
Host Level Security
• At cloud service provider’s end, the ‘host’ refers to the physical machines.
• No new threats occur to the hosts which are specific to cloud computing, in fact the hypervisor
provides added layer of protection.
• Weak implementation of access control mechanism to the hypervisor may create trouble for the
physical hosts.
• A cloud host ties together the capacity of hundreds of computing nodes. This means that any threat is
easy to amplify quickly which is called velocity of attack factor in the cloud.
• The responsibilities of the host-level security management for different types of consumers of cloud
services vary:
• SaaS and PaaS consumers: Service providers do not publicly share details of their host platforms. Hackers may
exploit those details to break the security. Hence, the service providers take the entire responsibility of making
the hosts secure.
• IaaS consumers: Consumers share the responsibility in securing the host. Service providers ensure the security
of physical resources through abstraction. IaaS consumers must ensure that no malicious application could try to
break it.
• Among service consumers, IaaS consumers have major share of responsibilities for ensuring security
of host machines in cloud.

13
Application Level Security

• Both the consumer and service providers have their share of responsibilities of security
management at this level so that no application can harm the infrastructure.
• The contract of the Service-Level Agreement sets the roles of each party in the security
management task.

14
Safety and Security of the Physical Systems

• IaaS service providers are responsible for the safety and security of the physical systems to
ensure the availability of their services.
• Issues to consider for uninterrupted availability of cloud services:
• Facility of uninterruptible power supply (UPS).
• Proper safety measures against fire to minimize the loss in case of a disaster.
• Adequate cooling and ventilation facility.
• Stringent restriction on physical access to the servers. Unauthorized persons must not have any
access to the area.
• These physical protections should also be maintained for all of the network related devices (such as
routers, switches) and cables.

15
Information Security

• An information system security policy deals with a number of critical issues and all those
are justifiable concerns in cloud computing.
• The concern of the cloud service consumers’ is related to the unauthorized access to
confidential information, and the data theft.
• In cloud computing, there must be a policy for securing data both during transfers
between entities or when it is kept in rest.
• Cloud computing systems deal with user’s confidential information. The three fundamental
principles of information security, the CIA-triad (confidentiality, integrity and availability),
are important pillars of cloud software security.

16
Confidentiality

• Confidentiality deals with the threat of illegal disclosure of the users’ confidential data;
whether intentional or unintentional.
• There should always be a defined policy for confidentiality maintenance to prevent
unlawful disclosure of information.
• To maintain the confidentiality of stored information (that is, information in rest), two
potential concerns must be addressed:
• Access control mechanism to protect the data. This deals with authorization and authentication.
• Data secrecy maintenance when in transit. Policy specification should determine who can exchange
what type of information. This is generally maintained using different encryption techniques.

17
Confidentiality

• To maintain confidentiality of information and ensure a secure cloud system (or any
networked computing environment), the following must be addressed:
• Encryption: Through encryption, the information is scrambled so that no unauthorized access can
interpret it. Strength of encryption depends on the robustness and quality of the encryption
algorithm.
• Traffic analysis: Traffic analysis investigates for sudden change in traffic activity (like rate, volume,
source or destination of traffic) which may indicate that an incident is taking place.
• Covert channels: Hackers often try to receive information by establishing secret communication
paths known as covert channels. They generally do this by studying the timing of messages passing
or through utilizing a system vulnerability.
• Intellectual property (IP) of information through copyright law is also important in
maintaining information confidentiality.

18
Covert channels
• Covert channel problem is a new threat to confidentiality in virtualization-based cloud system.
• A covert channel is a path established to illegally pass information between elements of systems.
• Covert channel exploits weakness of a system design and utilizes system resources for purposes
which it was not intended for. In computing, covert channel poses security threats. Processes can
convert any communication path into a covert channel by exploiting the system’s security flaws.
• Although, virtualization adds protection to the physical resources, a covert channel can break the
isolation of the virtualization platform.
• The dynamic nature of the cloud environment also causes risks related with covert channels. A covert
channel particularly exploits imperfections in the shared resources of the elastic cloud environment.

19
Integrity

• Integrity of information guarantees against intentional or unintentional alteration.

• Information can be encrypted to maintain confidentiality but it may still get distorted.
• Loss of integrity in information can happen due to some deliberate attacks to alter it or
there can be unintentional modifications where data is accidentally altered.
• Integrity of information can be protected through strict access control.
• Access to information is generally restricted by installing firewalls and intrusion detection
systems.
• A policy must also be there to recover information from detectable errors, such as deletion
and modification.

20
Availability

• Availability ensures reliable and timely access to information. It guarantees that

information is available when needed.
• One threat in this regard is network-based attacks like denial-of-service attacks.
• A system must implement reliable network security mechanisms for these kind of attacks.
• The other threat to availability is Cloud Service Providers’ own accessibility by denying the
legitimate access to computing resources. This problem can be avoided by using backups
and redundant systems.
• Availability of information in cloud largely depends on the Cloud Service Providers’ own
availability. Ideally, the service of a provider should be up for 99.999% of time. But, hardly
any CSP can offer the desired ‘five 9s’ (that is, 99.999%) of uptime.
• In general, reputed service providers ensure of delivering ‘three 9s’ of uptime.
• For instance, Amazon promises 99.95% of service availability for its virtual machines (EC2)
in the service level agreement.

21
Identity Management and Access Control (IAM)

• Identity management and access control (often termed as identification and access
management or IAM) are primary functionalities needed for any secure computing system.
• The benefits of identification and access management are:
• It protects a system and enhances the security of its application and information against harmful
attacks.
• Proper execution of IAM technique improves a system’s operational efficiency through automation of
user verification process.
• The IAM processes to support a business roughly comprise of the following activities:
• Identification Management: It is the way by which users state their identities to a system. Through
the identification, users establish their accountability for any action performed in the system.
Identity of a user for a system is managed with a user Id or user name which must be unique in the
system.
• Authentication Management: The verification of a user’s identity for a system is known as
‘authentication’. It checks the validity of the claimed identity and is commonly implemented by
asking for a password during log-in or through fingerprint or retina scan.

22
Identity Management and Access Control (IAM)

• Authorization Management: Authorization decides the user’s level of access right to functionality or
resources of a system and is determined after a system establishes user’s identity and authenticity.
• Access management: It deals with the execution of organizational policies and pre-stored system
privileges in access control when an entity (user or process) requests for some computing resource.
• Accountability: Accountability establishes the concept of non-denial of activities where an individual
cannot deny the activities he/she has performed in a system. It is the system’s capability of
identifying a particular individual from his/her actions and behaviors within the system by using
audit trails and logs.
• Monitoring and auditing: User can monitor, audit and report compliance issues regarding access to
resources based on the defined policies of the organization.

23
IAM in the Cloud
• Cloud security needs strong identity management and access control mechanisms to compensate the
loss of network control.
• It requires robust authentication, authorization and access control mechanisms.
• An organization’s trust boundary may move beyond their own control. The boundary extends into the
service provider’s domain.
• Both the service providers and consumers have roles to play in controlling these means.
• Service providers must provide utmost effort towards implementing identity management and access
control mechanisms to protect their cloud computing environment from any malicious activities.
• specially in public cloud environments this becomes very critical as the entire computing environment resides at
some remote place outside the network boundary of the consumer organization.
• From consumer organization’s end, this loss of network control can be compensated by the
implementation of proper user access control techniques, like authentication and authorization.
• Organizations can pass on the identification and access management responsibilities to an identity
management-as-a-service (IDaaS) provider also.

24
Elements of a Cloud Security Model

• Elements for designing good security policy in cloud computing:

• Privileged user access: Here, the user means ‘users’ at the provider’s end who are managing the
cloud. ‘how much access they have over data’ or ‘how their accesses are being controlled’ are
important areas of consideration for the service provider to ensure the confidence of consumers.
• Regulatory compliance: Service providers may store and manage data of enterprises in cloud
computing but enterprises are ultimately responsible for integrity and privacy of their own data.
Consumers should opt for providers who have obtained security certifications to prove credentials
and conduct regular audits by reputed external audit firms to check compliance. Consumers must
not provide their sensitive data to those service providers who deny to undergo such scrutiny.
• Data location: Data in cloud are stored in data centers of the service providers spread over the
globe. Consumers generally would not have any knowledge about where their data are being stored.
Even they may not know in which country or region their data is hosted. In case of specific
compliance requirements of consumers, providers must abide by consumer’s request for storing their
data in particular region or country.

25
Elements of a Cloud Security Model

• Data segregation: Providers must implement mechanisms to logically segregate stored data of different
consumers. Encryption is one such technique.
• Recovery: Recovery of data in case of any disaster. Cloud service providers must declare what will happen to the
data in such cases and how long will it take for recovery of data as well as for restoration of the services. For a
complete restoration, the provider must maintain data and application infrastructure across multiple sites.
• Investigative support: Investigation of inappropriate or illegal activity may be a difficult task in cloud computing.
This is primarily because data are organized and stored across ever-changing set of nodes. Co-location of stored
data from multiple consumers is another problem in conducting the investigations. Consumers must get
contractual commitment from the providers for support in some particular types of investigation if required.
• Long-term viability: Ideally, no reputed cloud service provider will shut business or will be acquired by some
larger vendor. But if such thing happens, the question will be raised about the consumer data. Will it remain
available? Consumers must be aware what will happen in such situations in detail.

26
Cloud Security Reference Model – The Cloud Cube Model

• The Jericho Forum proposed Cloud Cube Model in 2009

defining a three-dimensional cube.
• Their purpose was to provide a basis for standardization of a
secure cloud computing.
• The model suggests that the consumers should not measure
cloud security only depending on the narrow perspectives of
‘internal’ or ‘external’ systems.
• Many other factors are related with the issue like whether
everything is under consumer’s own network boundary, who
is responsible for the management of the cloud and/or who
have the access rights to the cloud and so on.
• The Cloud Cube Model illustrates different permutations
available in cloud offerings and presents four criteria to
differentiate various types of cloud formations.
• The model helps to understand how security issues can be
approached in cloud computing.

27
The Cloud Cube Model

• The primary objectives behind building the cloud cube model can be listed as follows:
• To represent different formations of clouds.
• To highlight the key characteristics of each cloud formation.
• To represent the benefits and risks associated with each form of cloud.
• To focus that traditional non-cloud approach is not totally obsolete and may sometimes be a suitable
choice for operating the particular business functions.
• To present a roadmap for more detailed study and to make the environment more secure.

28
The Cloud Cube Model
• The cloud cube model is designed to represent four security related criteria:
• Whether data will be stored internally within physical boundary of the organization or to
some external location?
• Will the cloud be formed using proprietary technology (technology that is property of
someone) of some computing firm or by using open technology that is open to everyone
for use?
• Whether the cloud will operate within organization’s network boundary (the logical
security perimeter) only or outside the boundary also?
• Will the development and maintenance of the cloud service be outsourced to some third
party or will be done with in-house team?
• These four criteria are represented across different dimensions of a cube.
• The answers of these four questions decide the nature of the cloud formation.
• Since there are four issues to decide upon and the question raised for each
issue can have two probable answers; there can be 42 or 16 different forms of
cloud computing environment.

29
Security Policy

• Security policies are the sets of documentations that guide for reliable security
implementation in a system.
• Applicable standards and guidelines flow to the subsequent levels from this policy
documentations defined by the highest level authority.
• Cloud security strategy define different policies like system security policies, software
policies and information system policies etc.
• A cloud provider must satisfy all of the security regulations and directives as per those
policies to make the cloud system secure.
• Apart from these security policies, the cloud computing environment asks the organizations
to maintain some general policies related to security, including:
• Management Policy: This is a general, high-level policy defined by senior management of an
organization. It governs security guidelines throughout the enterprise, like frequency of backup
operation, selection regarding cloud deployment type and sourcing and others.

30
Security Policy

• Regulatory Policy: Organizations have no role in this policy making. These policies are usually
specific to the industry and/or government under which the organizations operate. Regulatory
policies are important to maintain compliance, regulation and/or other legal requirements.
• Advisory Policy: This security policy is not mandatory but strongly suggested. An advisory policy may
suggest periodic security auditing by an external audit firm.
• Informative Policy: This is about making everyone concerned about the security issues. The
intended audience of these information could be certain internal (within the organization) or external
parties. One such policy may try to make everyone aware about some specific situation.

31
Trusted Cloud Computing
• ‘Trusted Computing’ is a term that refers to technologies, design and policies to develop a highly secure
and reliable computing system.
• Trusted cloud computing can be viewed as a way to ensure that the system acts in a predictable
manner as intended.
• The trust building initiative in cloud computing is responsibility of the service providers.
• To increase the adoption of cloud services, cloud service providers must establish trust initially and
ensure security to ease the worries of a large number of consumers.
• The uses of technology, to some extent can enhance trust, though it is more a social issue than a
technical problem.
• Trust should be raised to a level of consumer’s faith. A certified assurance regarding the protection of
the cloud system against attack is a definite way to enhance this trust relationship.
• To satisfy the legal and forensic requirements, a trusted cloud provider may include security information
and event management (SIEM) capability that can manage records and logs in a manner that evades
legal constraints.
• Service providers should also secure security certification for their cloud services from internationally
recognized reviewer organizations.
• ‘Security, Trust & Assurance Registry (STAR)’ from CSA is one of such certification programs offered by
Cloud Security Alliance (CSA).

32
Cloud Security Design Principles

• The fundamental principles of security design approach of any information system remain valid for
cloud computing.
• An intensely-secure cloud system may ultimately deliver poor performance features.
• The motive of building a completely-secure cloud system should not result in poor performance of the
system. That is the goal of security design principle in cloud.
• It is necessary to maintain a balance between security and performance.
• Principles of cloud computing security include:
• Least Privilege: The least privilege principle states that any subject (user or process) should always be assigned
minimum required privileges to perform its task. A time limit should also be set to bind the period for which the
subject can hold a resource to complete a task. This reduces the opportunity of any malpractice and prevents
unauthorized access to sensitive information.
• Defense in Depth: The defense in depth principle states to architect the protection system by having multiple
layers. This enhances the safety mechanism. If one layer is breached for security, the subsequent internal layers
defend the attack and provide the protection to the system.

33
Cloud Security Design Principles

• Fail Safe: a system should be safe of any security threats even if it crashes and should ensure that the safety of
information is not compromised. The system recovery from failure should take it to a secure state to prevent any
unauthorized access that may happen to the system or to its sensitive information.
• Economy of Mechanism: A simple design of security mechanism reduces the chance of going wrong in
understanding and implementation.
• Open Design: In cloud computing, as a multi-tenant and utility service provider, where high security is the key,
an open design principle suggests to architect such a model where security of the system does not depend on
secrecy of its design.
• Complete Mediation: Following the complete mediation principle ensures a rigorous checking of access controls
with every request. Any access by a subject to any object is checked for authority using an effective
authorization procedure.

34
Cloud Security Design Principles
• Least Common Mechanism: The least common mechanism principle discourages the sharing of similar security
mechanisms among different components. When security mechanisms are common among the components, the
whole system becomes unsafe if security of any one component is cracked by hackers.
• Separation of privilege: The principle of separation of privilege suggests to break a single privilege among
multiple independent subjects (component or user) so that more than one authorizations are required to perform
an action.
• Weakest Link: Attackers always try to identify the most fragile part of the whole protection system in order to
start their activities to dilapidate the system. Thus, the security system should be revised again and again to
detect and resolve the weakest parts in the security chain.
• Psychological Acceptability: The accessibility of the system for its authorized users should remain as simple and
easier as it was in the absence of the security mechanism.

35
Security-as-a-Service
• This is where an organization can outsource the security management responsibilities to some third-
party service providers.
• Security-as-a-Service is built, hosted and managed by the third-party service provider. Like any other
cloud services, the business model of security-as-a-service is also subscription-based.
• Services usually delivered as part of security-as-a-service:
• Email Filtering: primarily protects an organization’s incoming mailbox from spam, phishing emails and malware
by filtering them from delivered emails. Also used to filter the outgoing emails from an organization when
organizations want to ensure and restrict the un-intentional dispatches of any malware-infected emails.
• Web Content Filtering: can be utilized to scan web content. An outgoing web content can be checked for
malware threats or for sensitive information (e.g., banking account related data, intellectual property and others)
which a user could send intentionally or unintentionally without approval.
• Vulnerability Management: a service to assess and detect vulnerabilities in systems and provide remedies.
• Identity Management: facilitates user identity management by providing a centralized and trustworthy source of
user identities.

36
 Summary
• Cloud computing expands itself beyond the traditional perimeterized access to resources in computing. Here,
the collaboration is the tune and thus de-perimeterization is integral.
• Apart from de-perimeterization, external or off-premises access to resources also brings security concerns for
cloud service consumers.
• Consumer’s responsibility increases as they move from SaaS level to PaaS level applications and from PaaS level
to IaaS level applications. From a consumer’s viewpoint, using SaaS in the cloud minimizes their responsibilities
for security management.
• The service-level agreements should be comprehensive enough to resolve issues in case of any security dispute.
• Service providers must develop a secure computing environment by taking measures against all possible
security threats. Securing the infrastructure, information and implementing strong access control mechanism
can guarantee a safe environment.
• Establishing the host and network level infrastructure security is provider’s responsibility. Consumers are
responsible for the security of their applications, that they run on cloud.
• Unauthorized access to confidential information and data theft is a major concern of cloud services. Apart from
taking care of the conventional CIA-triad for information security, a strong identification and access
management (IAM) system should be in place in cloud environment to compensate the loss of network control.
• Jericho Forum’s Cloud Cube Model, introduced in 2009, has been accepted as the standard model for cloud
security. The model clearly distinguishes different formations of cloud and focuses on the benefits and risks
associated with each form.

37
 Summary
• Cloud cube model talks about four issues or dimensions while forming cloud environment and represents those four
dimensions through the uses of a three-dimensional cube.
• The cube model represents sixteen (16) different formations of cloud. Consumers must analyze their needs and select
the most suitable cloud for their requirement from those suggested by Jericho Forum.
• Security policy is the foundation of any sound security implementation. There should be standard security policies in
every organization, specific to its need. The service-level agreement between the provider and consumer plays an
important role in the policy implementation.
• Apart from establishing on-premises private clouds, consumers/enterprises extend their faith to trusted off-premises
cloud services to benefit from the economic advantages of utility computing. Responsibility of this trust building
process falls on the shoulders of service providers.
• Service providers should take appropriate measures to develop trust among consumers about their cloud environment.
Acquiring security certifications through an audit conducted by some external agency may enhance this trust
regarding the service among consumers.
• There are industry standard management frameworks, which provide guidance for robust security management in
cloud systems.
• With appropriate choice of cloud for computing needs of customers and security, the outcome can be better than that
of traditional computing.
• There can be no comparison of traditional outsourcing with cloud outsourcing when cloud service is delivered by
globally reputed computing vendors, rather than by IT service companies as in traditional computing.

38
 Thank You

800 MyHCT (800 69428) www.hct.ac.ae