Security, Privacy, and Digital Forensics in the Cloud

by: Lei Chen, Hassan Takabi, Nhien-An Le-Khac

Wiley, 2019

ISBN: 9781119053378, 368 pages

Format: ePUB

Copy protection: DRM

Mac OSX, Windows PC for all DRM-capable eReaders; Apple iPad, Android tablet PCs; Apple iPod touch, iPhone and Android smartphones

Price: 95,99 EUR



 

1 Introduction to the Cloud and Fundamental Security and Privacy Issues of the Cloud


Hassan Takabi¹ and Mohammad GhasemiGol²

¹ Department of Computer Science and Engineering, University of North Texas, Denton, TX, USA

² Department of Computer Engineering, University of Birjand, Birjand, Iran

1.1 Introduction


Cloud computing is the most popular paradigm in the computer world; it provides on‐demand computing and storage capabilities to consumers over the Internet. However, these benefits may bring serious security issues such as data breaches, computation breaches, and flooding attacks. Moreover, the whole IT infrastructure is under the control of the cloud provider, and cloud consumers have to trust the security‐protection mechanisms that service providers offer. Security concerns must therefore be addressed to give cloud customers assurance that their security requirements are met.

The key security constructs in the cloud environment are information, identity, and infrastructure. Cloud information flows into the physical infrastructure from many users across different devices and geographies. The objective of information security is to protect information as well as information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (Winkler 2011). In other words, at the heart of any information security system is the requirement to protect the confidentiality, integrity, and availability of data. It is important to thoroughly understand your organization's security policies in order to implement standards in a cloud environment that will form your security framework (Steiner and Khiabani 2012). Data governance concerns commonly arise in the areas of IP protection, regulatory governance, industry compliance requirements, and data mobility. A consistent set of policies is needed for compliance and governance across cloud platforms that IT may not always control. These policies are required for identifying sensitive information; controlling its transmission, storage, and use in the Cloud; and sharing it among users and devices. These policies must be consistently enforced across private and public clouds, and physical infrastructure. Traditionally, IT has used enterprise identity to control user access and entitlement to a variety of on‐premises information and application assets. This principle must be extended to identities at cloud service providers, controlling what information employees can access in which clouds, from which devices, and in which locations.

This chapter provides an introduction to the Cloud and its fundamental security and privacy issues. We start with a background of cloud computing and security issues in Section 1.2. In Section 1.3, we briefly discuss identity security in cloud computing. Cloud information security issues are investigated in Section 1.4. In Section 1.5, we discuss some cloud security standards. Finally, conclusions are drawn in Section 1.6.

1.2 Cloud Computing and Security Issues


The US National Institute of Standards and Technology (NIST) defines cloud computing as follows: “Cloud computing is a model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models (Mell and Grance 2011).”

NIST defines five major actors: cloud consumer, cloud provider, cloud auditor, cloud broker, and cloud carrier (Hogan et al. 2011):

  • Cloud consumer – A person or organization that maintains a business relationship with and uses services offered by cloud providers.
  • Cloud provider – A person, organization, or entity responsible for offering various services to cloud consumers.
  • Cloud auditor – A party that can conduct independent assessments of cloud services, information system operations, performance, and security of cloud implementations.
  • Cloud broker – An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between cloud providers and cloud consumers.
  • Cloud carrier – The intermediary that provides connectivity and transport of cloud services from cloud providers to cloud consumers.

There are three service‐delivery models and four deployment models in the cloud environment. As shown in Figure 1.1, cloud providers offer Infrastructure‐as‐a‐Service (IaaS), Platform‐as‐a‐Service (PaaS), and Software‐as‐a‐Service (SaaS) as three fundamental services (Hashizume 2013; Mell and Grance 2011):

  • Infrastructure‐as‐a‐Service – IaaS is the most basic cloud service model, where cloud providers offer servers, storage, and network, typically in the form of virtual appliances. Consumers can deploy and run any software such as operating systems and applications. IaaS providers are responsible for the underlying infrastructure including housing, running, and maintaining these resources, while consumers are responsible for maintaining the operating system and their applications. Amazon Elastic Compute Cloud (EC2, http://aws.amazon.com/ec2), Eucalyptus (http://www8.hp.com/us/en/cloud/helion‐eucalyptus.html), and OpenNebula (http://opennebula.org) are some examples of IaaS providers.
  • Platform‐as‐a‐Service – In PaaS, providers offer environments for developing, deploying, hosting, and testing software applications. Typically, it includes programming languages, databases, libraries, and other development tools. Consumers are not responsible for the underlying infrastructure, operating systems, or storage, but they are responsible for their deployed applications. Examples of PaaS providers include Microsoft Azure (https://azure.microsoft.com/en‐us), Force.com (http://www.force.com), and Google App Engine (https://cloud.google.com/appengine).
  • Software‐as‐a‐Service – In SaaS, cloud providers offer applications on demand that are hosted on the Cloud and can be accessed through thin clients. Consumers do not manage or control the underlying infrastructure. Some SaaS applications allow limited user‐specific customization. Examples of SaaS providers include Salesforce.com's Customer Relationship Management (CRM, www.salesforce.com) and FreshBooks (www.freshbooks.com).

Figure 1.1 Cloud components in the different types of cloud services.

The four cloud deployment models are briefly described as follows (Mell and Grance 2011):

  • Public cloud – A public cloud is deployed by an organization that offers various services to the general public over the Internet. The infrastructure is owned and managed by the service provider, and it is located in the provider's facilities. Cloud providers are responsible for the installation, management, provisioning, and maintenance of the cloud services. Users' data is stored and processed in the Cloud, which may raise security and privacy issues. It exists on the premises of the cloud provider.
  • Private cloud – A private cloud is deployed for a single organization and is dedicated entirely to that organization's internal users. The private cloud resides in the organization's facilities; however, it can be hosted and managed by a third‐party provider. The private cloud can be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises, so that data security and availability can be controlled by each of them.
  • Community cloud – A community cloud is deployed for a specific community of consumers from organizations that share common computing concerns. It may be owned, managed, and operated by one or more of the organization's members, a third party, or some combination of them, and it may exist on or off premises.
  • Hybrid cloud – This is a combination of the previous types of clouds (private, public, or community) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability. In order to ensure security, an organization should migrate some of its processes to a public cloud while retaining its critical processes in‐house.

Several characteristics of cloud computing that are mentioned in the literature are listed next (Hashizume 2013; Kizza and Yang 2014; Mell and Grance 2011):

  • Accessibility – Cloud services can be accessed from anywhere at any time via browsers or APIs by different client platforms such as laptops, desktops, mobile phones, and tablets. Cloud services are network dependent, so the network (Internet, local area network [LAN], or wide area network [WAN]) has to work in order to access cloud services.
  • On‐demand, self‐service – Traditionally, acquisition of computing...