Background

Summary

Cloud computing is growing as its appeal to both consumers and businesses increases since it replaces large initial capital outlays, for information processing hardware, software, security, and data storage, with a relatively small monthly or annual charge.  Many consumers and businesses, whom own software and hardware, are often not aware they are using cloud computing when they store information on Facebook, use Google Applications, and check email on Yahoo.  According the Ponemon Study, “36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them” (Netscope, 2018).  Issues of cyber security in cloud computing also grow as the “cloud multiplier effect” draws more cyber criminals to attacking cloud computing with the 2013 Yahoo breach impacting 3 billion Yahoo users and the 2016 Facebook debacle leading to Facebook’s admission it has sold private user data of its 2 billion users to companies spanning the globe (Watkins, 2018; Allsbrook 2018).

There are three main ways for privacy and security to be breached in cloud computing.  The first is when unauthorized parties gain access data in the cloud.  The unauthorized party can then sell the data and/or extort money from the cloud provider.  The second way cloud computing can be breached is when a party inserts ransomware into the cloud, and the party can then extort money through threatening either to publish the victim’s data or to block access to the victim’s data.  The third way is when the cloud provider itself sells its users’ data to private organizations and governments.

This module uses reading materials, lecture, Actor Network Theory, and a class activity of teams ‘sales pitching’ to explore cloud computing and security in comparison to traditional onsite compute.

Definitions

• Cloud Computing is defined by the United States National Institute of Standards and Technology (NIST) as: “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (National Institute of Standards and Technology 2011).” Additionally, Cloud Computing has been defined as, “the applications or IT resources delivered as services over the internet; also, to the hardware and systems software in datacenters that provides those services (Huang, 2010).”

 

• Cloud Multiplier Effect is both the costs of data breaches and the number of people impacted increase when a cloud is breached because the cloud contains a concentration of data for large numbers of people and companies in comparison to the data breach of a home computer or one organization’s server (Hughes, 2014). The large amount of data in a cloud increases the number of cyber attacks because successful cyber attacks on a cloud can yield higher payoffs for cyber criminals.

 

• Indemnification is the protection from having to pay for another’s negligence. Laws from one country to another vary, and one needs to be very specific in a signed contract with service provider as to what they are responsible for.

 

• Ransomware has been defined as, “a type of malicious software from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.  In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult (Wikipedia).”

Risk

“When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so. There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada)” (Office of the Privacy Commissioner of Canada 2010).

Example of Occurrence

2013 Yahoo was hacked and 3 billion of its users data is compromised.

2016 Facebook admits to selling personal user data to Cambridge Analytica.