This paper sought to unveil the perceptions of users towards security on cloud computing adoption at one Teachers’ College in Mutare. The major problem identified was that the college had fear of migrating from on-site data centres to cloud computing due the perceived security concerns associated with the move. While it is important to take advantages of could based computing by means of deploying it in diversified sectors, the security aspects in a cloud based computing environment remains at the core of interest. The main objective of this paper was to establish the security perceptions on cloud computing focusing on backup, access authorization and deletion of unwanted data.
A qualitative study was done. Six staff members out of a target population fifteen staff members were purposively selected from the IT. Computer Science and Administration departments to be participants of the study. The writer went through meeting minutes as well as conducted interviews with semi structured open ended questions. The findings were presented in line with the research questions which are used as sub headings and the researcher commented on major themes drawn from responses.
From the study, it was noted that moving critical applications and sensitive data to public cloud environments beyond the college data centre’s network under their control was of great concern. To alleviate these concerns, a cloud solution provider must ensure that they will continue to have the same security and privacy controls over their applications and services, provide evidence to customers that their organization are secure and they can meet their service-level agreements, and that they can prove compliance to auditors.
KEY WORDS: Cloud computing, cloud security, Security, Data integrity, Data security,
Introduction
Cloud computing is a concept which has emerged to be one of the widespread information technology (IT) service in the recent years. There is no doubt about the big progress of the internet, which is the main factor in IT world, especially with regard to speed in data transfer, both in terms of wired and wireless communication. People run their business, do their researches, complete their studies, etc. by using the facilities available via the internet. All in all the outsourcing of facility management is becoming more and more common.
Since the need for online services is increasing, the extent of services available through the internet, such as online software, platform, storage, etc., is also growing. This leads to formation of a structured provision of services, called cloud computing, which actually provides a huge amount of computing resources as services through the internet. One of the important services in the cloud is the availability of online storage, called cloud computing.
1.1 Background to the study
Many educational institutions have begun their movement to cloud computing by outsourcing their student email provision (Sclater, 2010). Email is a basic, fairly standardized service, can be provided easily by third parties, and is arguably not core to the educational mission. Both Google and Microsoft offer email services for free to the educational sector in many countries.
Educational institutions are also beginning to use lower level cloud services for purposes such as data storage. This may be attractive where data security is of lower concern such as where video and audio is provided as open educational resources. Another use of cloud computing which is beginning to emerge in education is for the hosting of institutional learning management systems (LMSs) in the cloud. Outsourcing the provision of LMSs such as Blackboard or Moodle to a third party makes sense for institutions who cannot justify the costs of purchasing, maintaining and supporting hardware and software themselves.
People are moving towards using cloud computing in order to make use of the advantages, such as flexibility in accessing data from anywhere. People do not need to carry a physical storage device, or use the same computer to store and retrieve their data. By using cloud computing services, people can also share their data with each other, and perform their cooperative tasks together without the need of meeting each other so often. Since the speed of data transfer over the internet is increasing, there is no problem in storing and sharing large data in the cloud. When discussing about all these improvements, we have to remember that there is a very important issue in IT world that must be taken care of, i.e. ensuring security. Users use the cloud computing facility to store and share their data, and especially when these data are secret, the need of security is mandatory. It means that the confidentiality and integrity of data are needed to be ensured. Moreover the stored data must always be available for retrieval, i.e. the system has to provide availability of data. In short, having security in cloud computing is actually ensuring confidentially, integrity and availability of stored data.
In a cloud based computing infrastructure, the resources are normally in someone else\’s premise or network and accessed remotely by the cloud users (Petre, 2012; Ogigau-Neamtiu, 2012; Singh & jangwal, 2012). Processing is done remotely implying the fact that the data and other elements from a person need to be transmitted to the cloud infrastructure or server for processing; and the output is returned upon completion of required processing. These gives the following three sensitive states or scenarios that are of particular concern within the operational context of cloud computing:
The transmission of personal sensitive data to the cloud server,from the cloud server to clients\’ computers and The storage of clients’ personal data in cloud servers which are remote server not owned by the clients. All the above three states of cloud computing are severely prone to security breach that makes the research and investigation within the security aspects of cloud computing practice an imperative one.
Colleges and universities have deep concerns about the loss of control in cloud computing. Concerns about security are one of the major factors limiting greater adoption. (EDUCAUSE, 2010a) The NIST (2009) underscores the research conducted by the IDC Enterprise Panel 2008 which concluded that the primary concerns at various levels voiced noted that there are several security concerns surrounding the implementation of security in cloud computing. The cause of concern was that unless the problem is addressed, the college loses the economic benefit of cloud computing and continue to pump out money trying to improve the existing on site data centres.
The college under study also want to make use of the mentioned advantages but is hesitant due to security concerns.
1.2 Statement of the problem
Multiple meetings on the aspired benefits and viability of migrating from on-site data centres to cloud computing have been done at the college but to date no implementation has been done due to perceived security concerns associated with the move. There are a myriad of benefits of implementing cloud computing in an organization, with economic benefit topping the list. However, there are risks to be incurred when opting for cloud computing with data security being the dominant risk as the remote servers are managed by the service providers.
1.3 Research questions
In order to establish the security perceptions on cloud computing the following research questions were crafted.
a) What are the backup vulnerabilities of cloud computing?
b) Is access to data and information tightly controlled?
c) How is data and information disposed when no longer needed by the user?
d) What gap in security do cloud computing pose?
1.4 Definition of key terms
Cloud Computing Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.(NIST, 2009)
Data Security
Data Integrity
2.0 Emerging trends
The advent of cloud computing has seen providers and experts in the industry come together to research and develop standards and formulate solutions for the current cloud issues. This has resulted in the birth of Cloud Security Alliance (CSA) whose mission is to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing with the hope of helping secure all other forms of computing. CSA offers certification, training, and security risk assessments, privacy acts, impact assessment and privacy training.
2.1 literature review
In reference to Mell and Grance (2011), there are three typical kinds of cloud computing services: Cloud computing services are generally regarded as falling into three separate categories or levels (Johnson, Levine and Smith, 2009). The lowest level is sometimes known as infrastructures a service (IaaS). Here customers can rent basic computing resources such as processors and storage, and use them to run their own operating systems and applications.
Amazon’s Elastic c Compute Cloud is a one example; organisation can use this Infrastructure to run Linux servers on virtual machines and scale up usage as required. Platform as a service (PaaS) is the next level up. This enables customers to install their own application using a platform specified by the service provider. An example here is the Google Apps Engine where developers can write and install applications using the Python language. The highest level of cloud computing service is known as software as a service (SaaS).This is currently of most interest in education. Not only is the data stored in the cloud but the application is too, with the user requiring only a web browser. The best known examples of this are Google Apps for Education and Microsoft Live@edu which provide communication and office applications such as email and spreadsheets.
The main disadvantage of cloud computing is that the user has no control over the performance of his/her applications or over his/her data that he/she may require, or the aptitude to change or audit the policies and processes under which the individual must work [13]. The other disadvantage is that the cloud clients may risk losing data by locking them into proprietary formats hence losing control over their data since the apparatus for monitoring the person using them or the person viewing them are not always given to the clients [11]. Data loss is, thus, a probable risk in several specific deployments.
This section reviewed what other scholars wrote cloud computing security issues highlighted under the following topics:
• Backup
• Access
• Data Deletion
2.1.1 Back up vulnerabilities
Data Loss
Data loss may occur when a disk drive dies without its owner having created a backup. It occurs when the owner of encrypted data loses the key that unlocks it. And a data loss could occur intentionally in the event of a malicious attack. Data on cloud services can be lost through a malicious attack, natural disaster, or a data wipe by the service provider. Losing vital information can be devastating to businesses that don’t have a recovery plan. Amazon is an example of an organization that suffered data loss by permanently destroying many of its own customers’ data in 2011.Google was another organization that lost data when its power grid was struck by lightning four times.
Securing your data means carefully reviewing your provider’s back up procedures as they relate to physical storage locations, physical access, and physical disasters.Cloud service providers create multiple copies of information and store them in diverse locations to present a high level of performance and reliability (Turun & Ayoola2013). This serves as a form of backup, though it can cause threats from attackers and can lead to further liability. Furthermore, Waleed & Chunlin (2016) highlights that there is a probability for data to be lost, specifically with storage as a service.
2.1.2 Unwanted access to data
As cloud computing normally means using public networks and subsequently putting the transmitting data exposed to the world, cyber attacks in any form are anticipated for cloud computing. The existing contemporary cloud based services have been found to suffer from vulnerability issues with the existence of possible security loopholes that could be exploited by an attacker. Security and privacy both are concerns in cloud computing due to the nature of such computing approach (Bisong & Rahman, 2011). The approach by which cloud computing is done has made it prone to both information security and network security issues (Rakhmi, Sahoo & Mehfuz, 2013; Qaisar & Khawaja, 2012). Third party relationship might emerge as a risk for cloud environment along with other security threats inherent in infrastructural and virtual machine aspects (Hashizume et al., 2013). Factors like software bugs, social engineering, human errors make the security for cloud a dynamically challenging one (Kim, 2009). Intrusion detection is the most important role in seamless network monitoring to reduce security risks. If the contemporary IDSs (Intrusion detection Systems) are inefficient, the resultant consequence might be undetected security breach for cloud environment (Westphall et al., 2011).
With cloud services like Google Drive, Dropbox, and Microsoft Azure becoming a regular part of business processes, enterprises have to deal with newer security issues such as loss of control over sensitive data. The problem here is that when using third-party file sharing services, the data is typically taken outside of the company’s IT environment, and that means that the data’s privacy settings are beyond the control of the enterprise. And because most cloud services are designed to encourage users to back up their data in real-time, a lot of data that wasn’t meant to be shared can end up being viewed by unauthorized personnel as well.
Files in the cloud are among the most susceptible to being hacked without security measures in place. The fact that they are stored and transmitted over the internet is also a major risk factor. And even if the cloud service provides encryption for files, data can still be intercepted on route to its destination.
There needs to be a proper intensity of access control in the cloud environment to defend the security of the assets ( Chow etal,2010). Cloud computing may really increase the danger of access to confidential data (Turun & Ayoola2013).This may include foreign countries; there can be amplified risk because of government surveillance over information stored in the cloud, because the information may be stored in countries where formerly it was not.
Data Leakage
Most of the businesses that have held back from adopting the cloud have done so in the fear of having their data leaked. This feat stems from the fact that the cloud is a multi-user environment, wherein all the resources are shared. It is also a third-party service, which means that data is potentially at risk of being viewed or mishandled by the provider. It is only human nature to doubt the capabilities of a third-party, which seems like an even bigger risk when it comes to businesses and sensitive business data. There are also a number of external threats that can lead to data leakage, including malicious hacks of cloud providers or compromises of cloud user accounts.
Snooping
Files in the cloud are among the most susceptible to being hacked without security measures in place. The fact that they are stored and transmitted over the internet is also a major risk factor. And even if the cloud service provides encryption for files, data can still be intercepted on route to its destination.
Security is the most prioritized aspect for any form of computing, making it an obvious expectation that security issues are crucial for cloud environment as well. As the cloud computing approach could be associated with having users’ sensitive data stored both at clients’ end as well as in cloud servers, identity management and authentication are very crucial in cloud computing (Kim & Hong, 2012; Emam, 2013; Han, Susilo & Mu, 2013; Yassin, Jin, Ibrahim, Qiang & Zou,2012). Verification of eligible users’ credentials and protecting such credentials are part of main security issues in the cloud – violation in these areas could lead to undetected security breach (Kumar, 2012)
2.1.3 Data deletion
Ensuring that the client has control over the lifecycle of their data and particularly deletion, in the logic of how to be certain that data that ought to be deleted actually are deleted and are not recuperate-able by CSP is a major issue for cloud (Turun & Ayoola,2013). Currently, there are no approaches to prove this as it depends on trust. Furthermore, the risk of data exposure varies according to service model employed such models include IaaS and platform as a service (PaaS) (Turun & Ayoola2013). The expansion of cloud-based services has made it possible for both small and enterprise-level organizations to host vast amounts of data easily. However, the cloud’s unprecedented storage capacity has also allowed both hackers and authorized users to easily host and spread malware. The hackers and virus delete stored data without providers or users knowledge.
2017-2-13-1486979525