Study on the Security of Cloud Computing

Feb 26, 2010

Not only does cloud computing help to save money, it also helps to increase IT security: Small and medium sized companies especially can profit from special cloud security solutions and the knowledge advantage of experienced providers. Large companies, however, should check thoroughly whether the terms of contract offer adequate security guarantees for the respective case, because failures and disruptions are not uncommon in cloud computing. These findings were the result from a study exploring the security risks of cloud computing carried out by the Fraunhofer Institute for Secure Information Technology (Germany).

The study provides an overview of prices and functions offered by the most important cloud providers and detailed risk assessments for various use cases.

The number of companies using continues to increase and they are shifting their data, applications and business processes to server farms from providers such as Amazon, , IBM or Microsoft. Benefit: The companies do not have to purchase servers and software solutions themselves, but lease the necessary capacities for data, processing power and applications from professional providers. This saves money and effort and, furthermore, provides for high flexibility, because the activity of the leased service can be adjusted according to the customers needs.

But what happens in the case of a service failure? Who guarantees that the company secrets are secure on the external servers? Which security risks evolve when a cloud service subcontractor accesses the cloud systems? Is the data destroyed after deletion? These and similar questions should be resolved before a company decides if and what cloud service to use. The strategy of outsourcing into the cloud on the one hand allows the companies to concentrate on their core competencies and to develop new business opportunities. But on the other hand the dependency on external IT systems is increasing, and a failure of these systems due to technical failures, malware or hacker attacks may not only cripple communication but can disrupt even whole business or production processes.

"Almost every large cloud service provider had an incident in the past in the areas of availability or security“, reports Dr. Werner Streitberger, one of the study's authors. "The current offerings in cloud services show that especially in the area of infrastructure a number of security technologies have been applied already. The cloud providers have not yet advanced the support of security technologies as much in the areas of architecture, management and compliance.“

The SIT study showed that small and medium sized companies would be able to increase their security by using cloud services despite certain risks. "They can obtain security solutions as a service from a specialised provider and thus benefit from the provider's experience in the implementation and running of secure services“, explains Streitberger.

Large companies, however, should review a cloud provider's security functions individually and decide also on an individual basis, whether the supplied security mechanisms are sufficient for the specific requirement of the company. "The current cloud service offerings show that a number of security technologies are already in use at infrastructure level, but in the areas of application and platform, management and compliance, the cloud providers have not yet fully achieved the required protection targets“, Streitberger criticizes. The responsibility for the data usually remains with the cloud user, so he needs to define exact requirements how and which data may be stored and processed in a cloud service, and what security functions have to be in place.

The Service Level Agreement (SLA), i. e. the agreement about the rights and duties between the cloud user and the cloud provider, represent another weak point. The current customary agreements only provide minimal warranty for the quality of service for the cloud. Security guarantees exist rudimentarily and the functions necessary for the guarantees are insufficiently documented by the cloud provider. "Quite often security plays a secondary role in the offered service. We therefore recommend requesting detailed information about the cloud service from the various providers. A proof of concept may be a valuable option before using a cloud service in a production environment“, says Streitberger.

Explore further: Freight train industry to miss safety deadline

More information: The study can be ordered via the Internet at www.sit.fraunhofer.de/cloud-security

add to favorites email to friend print save as pdf

Related Stories

Sun Microsystems to offer 'public cloud' service

Mar 18, 2009

(AP) -- Taking a cue from Amazon.com, Sun Microsystems Inc. plans to launch its own "public cloud" service, which will let everyone from big-time corporations to dorm-room entrepreneurs run their businesses on Sun's computers ...

IBM to Build First Cloud Computing Center in China

Feb 01, 2008

IBM today announced it will establish the first Cloud Computing Center for software companies in China, which will be situated at the new Wuxi Tai Hu New Town Science and Education Industrial Park in Wuxi, China

Privacy group urges probe of Google cloud services

Mar 18, 2009

A US electronic privacy group has called for the Federal Trade Commission (FTC) to investigate the security and privacy of Google's Web-based products such as email and photo services.

Recommended for you

Freight train industry to miss safety deadline

8 hours ago

The U.S. freight railroad industry says only one-fifth of its track will be equipped with mandatory safety technology to prevent most collisions and derailments by the deadline set by Congress.

Gaza cops trade bullets for laser-tech in training

Apr 14, 2014

Security forces in the Hamas-ruled Gaza Strip are using technology to practice shooting on laser simulators, saving money spent on ammunition in the cash-strapped Palestinian territory.

User comments : 0

More news stories

Simplicity is key to co-operative robots

A way of making hundreds—or even thousands—of tiny robots cluster to carry out tasks without using any memory or processing power has been developed by engineers at the University of Sheffield, UK.

Microsoft CEO is driving data-culture mindset

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

Floating nuclear plants could ride out tsunamis

When an earthquake and tsunami struck the Fukushima Daiichi nuclear plant complex in 2011, neither the quake nor the inundation caused the ensuing contamination. Rather, it was the aftereffects—specifically, ...

Patent talk: Google sharpens contact lens vision

(Phys.org) —A report from Patent Bolt brings us one step closer to what Google may have in mind in developing smart contact lenses. According to the discussion Google is interested in the concept of contact ...

Quantenna promises 10-gigabit Wi-Fi by next year

(Phys.org) —Quantenna Communications has announced that it has plans for releasing a chipset that will be capable of delivering 10Gbps WiFi to/from routers, bridges and computers by sometime next year. ...