Cloud Computing has indeed emerged as a new buzz-word. However the concepts therein are not new. Cloud Computing in many ways is like Grid Computing that is characterized by large scale distributed computing where a pool of abstracted, virtualized, dynamically scalable, managed computing power, storage, platforms and services are delivered on demand to external customers. Cloud Computing is a system of interrelated dependencies. While the technical dependencies are seemingly obvious, Infrastructure as a Service establishes relationships between organizational structures, processes, competencies and people within and across firms.
Given the evolving nature of the structures, requirements for security have also emerged along the way. For instance, in the 1970s it made perfect sense to simply focus on security requirements such as confidentiality, integrity and availability largely because computing resources were centralized and administratively managed in a top–down hierarchical manner.
This changed in later years largely because of increased networking and the need to authenticate and to focus on non-repudiation requirements. As systems development environments became more complex, the focus shifted to correctness in specification. In later years other organizational issues emerged as important: responsibility, integrity of people occupying roles, individual trust, ethicality. The question is, what aspects should be focused upon in the future, particularly as new challenges emerge?
Information security in the Cloud tends to be technically oriented, with some emphasis on regulatory compliance. The value of human actors, business structures and processes is either overlooked or inadequately addressed. However, Cloud Computing security is socio-technical in nature.
It has been argued that social and technical systems are strongly correlated, with one being dependent on the other. This means that besides the technical and regulatory compliance aspects, issues such as responsibility, integrity of individuals, trust and ethics need to be addressed as well. With increased virtualization, management of identity is going to emerge as a critical challenge, more so when individuals and organizations lose control of their data. In order to ensure security of a Cloud, we can postulate that the following conditions be met:
1. Forgo legacy assumptions regarding the nature of information security. While it has been argued that information security thinking needs to evolve as the context changes, in reality this has not happened. Continuous learning and awareness programs help in ensuring that all stakeholders stay current with the evolving needs. The typical response of corporations is to train employees on the latest techniques and challenges. Such training is in itself problematic, since knowledge of fundamental principles related to emerging contexts (e.g. Cloud Computing) never gets taught.
2. Shift focus from too much reliance on technical solutions. In a hierarchical and extremely structured environment, it made sense to rely more on technical solutions than on behavioral ones. However, with services moving to the Cloud, it is imperative to ensure integrity not just of the technical edifice but also of the people involved. Many times it becomes an ethical responsibility of various individuals to take the necessary actions.
3. Information security practices need to be contextualized. Until now information security, whether in conventional organizations or in virtualized environments, has been handled in a rather reactive manner. Implementers generally have a series of checklists that form the basis for ensuring security. However, each and every context is different. In some cases importance needs to be placed on confidentiality, while in others non-repudiation may be extremely important. In yet other cases identity management may be critical. So, depending on the context, information security objectives need to be formulated.
4. Responsibility and authority structures need to derive access rights. Business-sensitive information has great value and organizations need to consider whom they allow to access it. Access rights should be based on well-defined authority and responsibility structures. Information security literature emphasizes the importance of clarifying responsibility and authority structures. It is equally important to differentiate between who is responsible, who is accountable and who has authority. In the complicated structures of the Cloud, it is ever more important for the involved parties to understand what their respective roles and responsibilities should be. Responsibility in this context can be defined in terms of accountability, blameworthiness and obligation. However, being responsible in this changing and ambiguous environment means not only accountability for blame after something has gone wrong; it also refers to handling unexpected situations in the future. In the unregulated world of Cloud relationships it might be necessary for the involved parties (organizations and individuals) to develop their own work practices on the basis of a clear understanding of their responsibilities.
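The principle above, that access rights are derived from a responsibility and authority structure rather than assigned directly, can be made concrete in code. The following is an added example written for this page, not code from the original article or any particular Cloud provider. It assumes a small policy of its own: being responsible for an asset permits operating on it, being accountable grants no operational access but guarantees visibility of every decision in the audit trail, and only authority may grant or delegate. The asset and principal names (a customer ledger, a provider's operations team, a customer CISO and data owner) are constructed for the illustration.

```python
"""Derive access rights from a responsibility/authority structure (added example).

Assumed roles, in the spirit of a RACI-style matrix:
  RESPONSIBLE - performs the work on the asset
  ACCOUNTABLE - answers for the outcome; must see every decision in the audit trail
  AUTHORITY   - decides who may access the asset and may delegate roles
The mapping of roles to permitted actions is an assumption made for this
illustration, not a standard.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Role(Enum):
    RESPONSIBLE = auto()
    ACCOUNTABLE = auto()
    AUTHORITY = auto()


# Assumed policy: which roles permit which action on an asset.
# Accountability alone grants no operational access; only authority may grant.
PERMITTED = {
    "read":  {Role.RESPONSIBLE, Role.AUTHORITY},
    "write": {Role.RESPONSIBLE, Role.AUTHORITY},
    "grant": {Role.AUTHORITY},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    accountable: frozenset  # principals who answer for the asset and must see this record


class Structure:
    """Responsibility/authority structure: asset -> principal -> set of roles.

    Access rights are never stored directly; every decision is derived from the
    roles a principal holds for the asset at the moment of the request.
    """

    def __init__(self):
        self._roles = {}
        self.audit = []  # (principal, asset, action, Decision) for later accountability

    def assign(self, asset, principal, *roles):
        self._roles.setdefault(asset, {}).setdefault(principal, set()).update(roles)

    def roles_of(self, asset, principal):
        return self._roles.get(asset, {}).get(principal, set())

    def accountable_for(self, asset):
        return frozenset(p for p, r in self._roles.get(asset, {}).items()
                         if Role.ACCOUNTABLE in r)

    def authorize(self, principal, asset, action):
        held = self.roles_of(asset, principal)
        needed = PERMITTED.get(action, set())
        granting = held & needed
        if granting:
            reason = (f"{principal} may {action} {asset} as "
                      f"{sorted(r.name for r in granting)}")
        else:
            reason = (f"{principal} holds {sorted(r.name for r in held)} on {asset}; "
                      f"{action} requires one of {sorted(r.name for r in needed)}")
        decision = Decision(bool(granting), reason, self.accountable_for(asset))
        self.audit.append((principal, asset, action, decision))
        return decision

    def delegate(self, grantor, asset, grantee, role):
        """Extending access is itself an action that requires authority."""
        decision = self.authorize(grantor, asset, "grant")
        if decision.allowed:
            self.assign(asset, grantee, role)
        return decision


def demo():
    """Constructed customer/provider structure for a single sensitive asset."""
    s = Structure()
    asset = "customer-ledger"
    s.assign(asset, "provider-ops", Role.RESPONSIBLE)        # operates the service
    s.assign(asset, "customer-ciso", Role.ACCOUNTABLE)       # answers for the data
    s.assign(asset, "customer-data-owner", Role.AUTHORITY)   # decides who gets access
    return s


if __name__ == "__main__":
    s = demo()
    for principal, action in [("provider-ops", "read"), ("customer-ciso", "read")]:
        d = s.authorize(principal, "customer-ledger", action)
        print(d.allowed, d.reason, "| accountable:", sorted(d.accountable))
    print(s.delegate("provider-ops", "customer-ledger", "auditor", Role.RESPONSIBLE).reason)
    print(s.delegate("customer-data-owner", "customer-ledger", "auditor", Role.RESPONSIBLE).reason)
```

The point the example makes is the one the paragraph draws: the CISO who is accountable for the ledger is not thereby allowed to read it, but every decision about it is recorded with that principal attached; the provider's operations team can work on the data but cannot extend access to anyone else; only the principal holding authority can delegate, and the delegation itself leaves an audit record.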
5. People issues need to be adequately addressed. As has been pointed out in the information security literature, the majority of security problems are directly or indirectly related to employees who violate or neglect policies and disobey rules. While people management problems still exist in the information security field, they get compounded in the Cloud when organizations lose control of their data to other parties and the motivation to protect data is transformed from being socially and ethically grounded to being commercially motivated.
6. Trust in relationships needs to be inculcated. In diffused environments where close supervision is impossible, trust is extremely important in managing information security. Relationships are built on trust rather than control. In such an environment, actors are expected to act according to accepted norms and patterns of behavior. By placing applications and data in the Cloud, companies (Cloud customers) lose control over their own data. Critical information exists on the servers of Cloud provider companies, and the customers need to trust the providers that their data is protected. Cloud relationships are so diffused and unregulated that they have to be based on self-control, responsibility and trust. Two types of trust are important in Cloud relationships: trust within an organization and trust between organizations. In both cases the norms and patterns of behavior expected of the involved parties (individuals and organizations) must be well defined and explained unambiguously in the policies.
7. Encourage and define good ethical principles. Ethicality in an organization refers to defining practices that should be followed by employees where rules do not exist. In the context of the Cloud, defining ethical principles is especially important because the phenomenon is new and there are almost no rules governing how the Cloud should be used and regulated. Moreover, new possibilities for using the Cloud are emerging alongside the technical developments. This changing environment makes it difficult to define rules and regulations that are applicable in all emergent situations. As a consequence, the involved actors must act in accordance with some ethical principles.