24-08-2012, 02:56 PM
Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
ABSTRACT
Cloud computing is clearly one of today’s most enticing technology areas due, at least in part, to its cost-efficiency and flexibility. However, despite the surge in activity and interest, there are significant, persistent concerns about cloud computing that are impeding momentum and will eventually compromise the vision of cloud computing as a new IT procurement model. In this paper, we characterize the problems and their impact on adoption. In addition, and equally importantly, we describe how the combination of existing research thrusts has the potential to alleviate many of the concerns impeding adoption. In particular, we argue that with continued research advances in trusted computing and computation-supporting encryption, life in the cloud can be advantageous from a business intelligence standpoint over the isolated alternative that is more common today.
INTRODUCTION
Today, the 14th largest software company by market capitalization (Salesforce.com) operates almost entirely in the cloud, the top five software companies by sales revenue all have major cloud offerings, and the market as a whole is predicted to grow to $160B by 2011 (source: Merrill Lynch). Yet, despite the trumpeted business and technical advantages of cloud computing, many potential cloud users have yet to join the cloud, and those major corporations that are cloud users are for the most part putting only their less sensitive data in the cloud. Lack of control in the cloud is the major worry. One aspect of control is transparency in the cloud implementation - somewhat contrary to the original promise of cloud computing in which the cloud implementation is not relevant.
FEAR OF THE CLOUD
What are the “security” concerns that are preventing companies from taking advantage of the cloud? Numerous studies, for example IDC’s 2008 Cloud Services User Survey [29] of IT executives, cite security as the number one challenge for cloud users.
In this section we present a taxonomy of the “security” concerns. The Cloud Security Alliance’s initial report [39] contains a different sort of taxonomy based on 15 different security domains and the processes that need to be followed in an overall cloud deployment. We categorize the security concerns as: traditional security, availability, and third-party data control.
Traditional Security
These concerns involve computer and network intrusions or attacks that will be made possible or at least easier by moving to the cloud. Cloud providers respond to these concerns by arguing that their security measures and processes are more mature and tested than those of the average company. Another argument, made by the Jericho Forum [16], is: "It could be easier to lock down information if it's administered by a third party rather than in-house, if companies are worried about insider threats… In addition, it may be easier to enforce security via contracts with online services providers than via internal controls."
NEW DIRECTIONS
We now describe some elements of our vision. The core issue is that with the advent of the cloud, the cloud provider also has some control of the cloud users’ data. We aim to provide tools supporting the current capabilities of the cloud while limiting cloud provider control of data and enabling all cloud users to benefit from cloud data through enhanced business intelligence.
Information-centric security
In order for enterprises to extend control to data in the cloud, we propose shifting from protecting data from the outside (systems and applications which use the data) to protecting data from within. We call this approach of data and information protecting itself information-centric (note that [4], [17], [19] use this terminology differently). This self-protection requires that intelligence be put in the data itself. Data needs to be self-describing and self-defending, regardless of its environment. Data needs to be encrypted and packaged with a usage policy. When accessed, data should consult its policy and attempt to re-create a secure environment using virtualization and reveal itself only if the environment is verified as trustworthy (using Trusted Computing). Information-centric security is a natural extension of the trend toward finer, stronger, and more usable data protection.
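The packaging idea above, sketched as an added example that is not code from the paper: data is encrypted together with its usage policy, and a trusted component releases the plaintext only when the package is intact and the environment's measurement is listed in the policy. The names `seal`, `unseal`, `root_key` and `trusted_measurements` are assumptions, the keystream cipher is a toy stand-in for a real AEAD, and the measurement lookup stands in for Trusted Computing attestation.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter keystream, a stand-in for a real AEAD such as AES-GCM.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def _keys(root_key, policy_bytes):
    # Both keys depend on the policy, so an edited policy yields different keys.
    enc = hmac.new(root_key, b"enc" + policy_bytes, hashlib.sha256).digest()
    mac = hmac.new(root_key, b"mac" + policy_bytes, hashlib.sha256).digest()
    return enc, mac

def seal(root_key, plaintext, policy):
    """Encrypt data and package it with its usage policy."""
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    nonce = os.urandom(16)
    enc, mac = _keys(root_key, policy_bytes)
    ct = _xor_stream(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"policy": policy_bytes, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(root_key, pkg, measurement):
    """Runs inside the trusted component that holds root_key (assumed: TPM-like)."""
    enc, mac = _keys(root_key, pkg["policy"])
    tag = hmac.new(mac, pkg["nonce"] + pkg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, pkg["tag"]):
        raise PermissionError("package or policy was modified")
    policy = json.loads(pkg["policy"])
    if measurement not in policy["trusted_measurements"]:
        raise PermissionError("environment is not trusted by the data's policy")
    return _xor_stream(enc, pkg["nonce"], pkg["ct"])

if __name__ == "__main__":
    # Constructed sample values: measurements are hashes of made-up image names.
    good = hashlib.sha256(b"approved-vm-image").hexdigest()
    bad = hashlib.sha256(b"unknown-vm-image").hexdigest()
    key = os.urandom(32)
    pkg = seal(key, b"Q3 sales ledger", {"trusted_measurements": [good]})
    print(unseal(key, pkg, good))
    try:
        unseal(key, pkg, bad)
    except PermissionError as e:
        print("refused:", e)
```

Because the encryption and MAC keys are derived from the policy bytes, rewriting the policy to add another measurement fails the integrity check before the policy is ever consulted.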
CONCLUSION
Cloud computing is the most popular notion in IT today; even an academic report [6] from UC Berkeley says “Cloud Computing is likely to have the same impact on software that foundries have had on the hardware industry.” They go on to recommend that “developers would be wise to design their next generation of systems to be deployed into Cloud Computing”. While many of the predictions may be cloud hype, we believe the new IT procurement model offered by cloud computing is here to stay. Whether adoption becomes as prevalent and deep as some forecast will depend largely on overcoming fears of the cloud.
Cloud fears largely stem from the perceived loss of control of sensitive data. Current control measures do not adequately address cloud computing’s third-party data storage and processing needs. In our vision, we propose to extend control measures from the enterprise into the cloud through the use of Trusted Computing and applied cryptographic techniques. These measures should alleviate much of today’s fear of cloud computing, and, we believe, have the potential to provide demonstrable business intelligence advantages to cloud participation.