The Cloud

The Cloud: Understanding the Security, Privacy and Trust Challenges

Neil Robinson
Lorenzo Valeri
Jonathan Cave
Tony Starkey
Hans Graux
Sadie Creese
Paul Hopkins
Copyright Date: 2011
Published by: RAND Corporation
Pages: 135
    Book Description:

    This report discusses how policy-makers might address the challenges and risks in respect of the security, privacy and trust aspects of cloud computing that could undermine the attainment of broader economic and societal objectives across Europe.

    eISBN: 978-0-8330-5960-4
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. i-iv)
  2. Table of Contents
    (pp. v-vi)
  3. Glossary
    (pp. vii-ix)
  4. Executive Summary
    (pp. x-xii)
  5. Synthesis
    (pp. 1-14)
  6. CHAPTER 1 Introduction
    (pp. 15-15)

    Successfully addressing the privacy, trust and security risks inherent in deployments of cloud computing represents a complex and difficult challenge for one significant reason: the widespread use of cloud technologies brings into sharper focus linkages among issues that formerly were firmly within the purview of ‘stove-piped’ regulatory or technological approaches or domains.

    Although the technologies and legal or compliance requirements associated with the cloud may not be new or particularly innovative (for example, the audit requirements resemble those required for outsourcing arrangements), the public policy challenge hinges on whether their combination in a cloud environment undermines or degrades current...

  7. CHAPTER 2 Definitions and drivers
    (pp. 16-22)

    A definition of cloud computing based on a consolidation of the available literature is provided here, as well as an examination of the operational and strategic motivations pushing organisations and individuals to exploit the capabilities of cloud computing.

    The starting point for any public policy analysis is the definition of terms and concepts. In light of its novelty there are many definitions of cloud computing. Based on an analysis of twenty such definitions Vaquero et al. find that the literature appears to be converging on the following operational definition:

    Clouds are a large pool of easily usable and accessible virtualised...

  8. CHAPTER 3 Understanding the implications for security, privacy and trust
    (pp. 23-27)

    Having reviewed cloud computing definitions and drivers in the previous chapter, the security, privacy and trust implications of cloud computing will now be examined.

    Before assessing the literature dealing with security, privacy and trust in the cloud, it is important to define these terms because their currency and usage can change radically in different contexts. This document uses the following definitions or concepts:

    Security concerns the confidentiality, availability and integrity of data or information. Security may also include authentication and non-repudiation.

    Privacy concerns the expression of or adherence to various legal and nonlegal norms. In the European context this...

  9. CHAPTER 4 Security, privacy and trust challenges stemming from the technological underpinnings of cloud computing
    (pp. 28-40)

    This chapter provides an analysis of the technological challenges of cloud computing and associated services, and will support the argument that the benefits of using clouds hinge on finding appropriate technological answers to the security, privacy and trust challenges. The starting point of this analysis is that cloud technologies are on the whole not new, but that their development has been revitalised by cloud computing. Development paths as they appear in the literature will be examined.

    Taking into consideration the US NIST definition, a number of challenges for security, privacy and trust from the underlying technological drivers of cloud computing...

  10. CHAPTER 5 Security, privacy and trust challenges inherent to the legal and regulatory aspects of cloud computing
    (pp. 41-53)

    Against the backdrop of the technologically orientated challenges introduced in the previous chapters, it is clear that there are also substantial legal aspects to be taken into consideration for the provisions of cloud computing services. While these challenges are global in nature, the normative response may vary substantially from region to region or even from service to service. Diverging interpretations and legal uncertainties could well endanger the development of innovative cloud service models, as they can adversely affect the trustworthiness of such services: how can users invest in the cloud without a clear perspective on the compliance of the chosen...

  11. CHAPTER 6 Putting it all together: key risks and operational challenges
    (pp. 54-60)

    The two preceding chapters provided a summary overview of the main legal and technical issues that can present challenges to the deployment and use of cloud services, and also examined what the impact of these issues was on cloud services in practice.

    Table 3, below, combines the tables from the previous chapters and provides an overview of many of the key legal and technical concerns found in the literature reviewed, and maps them against the resulting security, privacy and trust implications. As can be seen, some issues such as availability, accountability and integrity appear relatively frequently. Unsurprisingly, each specific identified...

  12. CHAPTER 7 Case studies
    (pp. 61-85)

    As has been illustrated in the previous chapters of this report there are a range of concerns, challenges and uncertainties relating to the security, privacy and trust issues associated with the use of cloud computing. These may be inherent in the underlying technical components or drivers of cloud computing, such as virtualisation and web services, or the legal or regulatory frameworks that surround cloud computing, such as the identification of applicable law and data protection/privacy compliance.

    In any respect, the characteristics of cloud computing (shared to a certain extent with outsourcing) relating to security or privacy may be seen as...

  13. CHAPTER 8 Gap analysis
    (pp. 86-93)

    This chapter presents an overview of gaps in various aspects of current European policy approaches relevant to cloud computing. The available approaches will be characterised, including legislation, standards, guidelines, support to implementation and R&D. This gap analysis is designed to indicate where (from the literature, case studies, interviews and expert workshop) gaps, problems, challenges or inadequacies exist in current European policy approaches to addressing the previously identified security, privacy and trust issues of cloud computing.

    Three distinct policy domains of relevance can be identified: legislation, implementation and ICT research. With respect to identifying gaps in legislation, some may be wording...

  14. CHAPTER 9 Solving the challenges: recommendations and actions
    (pp. 94-104)

    Addressing the security and privacy challenges of cloud computing is a complex undertaking since it requires a combination of technological solutions and legal approaches that is capable of addressing operational realities and concerns. The extent of the technical, legal and operational challenges has been presented in the preceding chapters, and it is clear that an appropriate policy framework will be needed to address these challenges in a way that reconciles business drivers with public interests, while avoiding the pitfall of imposing burdens that put European businesses at a competitive disadvantage. However, the novelty of the subject has led to a...

  15. CHAPTER 10 Conclusions
    (pp. 105-106)

    This research study has shown that the emergent landscape for cloud computing is characterised by a number of challenges for security, privacy and trust. In many respects these challenges are not new (some exhibiting similarities with outsourcing), but cloud computing models bring them into sharper focus. These challenges exist in relation to the use of specific technologies in the cloud context as well as existent or latent vulnerabilities in the technological building blocks comprising different cloud computing deployments. There are also important questions in respect of the pertinent legal and regulatory domains as applied to cloud computing, most notably relating...
