AN ADVANCED UNDERSTANDING OF SECURITY ISSUES IN CLOUD COMPUTING: MODEL OF SOLUTIONS FOR THESE ISSUES
Introduction
From the initial concept to the current actual deployment, cloud computing is maturing.In modern times, numerous organizations, especially SMEs, are increasingly beginning to recognize the importance of cloud computing in enhancing their overall efficiency and effectiveness by developing and deploying features that will help to enhance their production process and save costs associated with the purchase and maintenance of the business’s infrastructure.
In terms of defining what cloud computing is all about, the definition offered by NIST is the most widely utilized: "Cloud computing is defined as a model used to enable convenient, on-demand network access to a pool of configurable computer resources shared within a given network (such as applications, services, servers, storage, networks, etc.), which can be rapidly made available with minimum effort from management or the interaction of service providers. "The cloud model does promote availability, and it comprises five major characteristics, three service models, and four deployment models" (Peter and Tim, 2009). The three service models as highlighted by NIST are also known as SPI models, and they are: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). The models for deployment are private cloud, community cloud, public cloud, and hybrid cloud.
In an actual sense, cloud computing does cover numerous activities that encompass using social networking sites and other forms of personal computing systems. In any case, it is important to note that cloud computing does focus more on how online applications, the storage of data, and the processing of that data into raw information can be made easily accessible. However, the quest to make this information readily available does expose the whole system to higher security risks, which makes the cloud computing environment very vulnerable to different forms of attack.
Background of the study
As a result of increased demand for storage systems, recent years have witnessed an increasing growth in information and data storage facilities. In any case, Gartner (2008) brought to light the seven security issues that companies will need to address prior to making the decision to switch to cloud computing models, and these issues are:
- Privileged user access—information obtained by clients via the internet—poses some level of risk due to data ownership issues, and it encourages enterprises to invest more in knowing their internet service providers and regulating these service providers to ensure that they do not violate the company's vital information, as this can put the company at high risk of exposures to an unintended audience.
- Regulatory compliance: this calls on the need for clients to understand that they are responsible for the security of their solution, as they have the power to choose the providers that can be regulated and verified by third parties that have higher security features over those that are not willing to undergo such a precautionary process.
- Data location: it is also important to note that some clients might not have the power to know the location of their data or the power to access it, and this is an issue for companies that want to go into cloud computing.
- Data segregation: encrypted information gathered from different companies can be stored on the same hard disk, and this makes it necessary for providers to adopt trusted platforms when separating data as a means of ensuring that access by a given company doesn’t allow the company access to another company’s data within the same hard disk.
- Recovery: service providers need to have clear and reliable protocols for recovery as a way of protecting users' data.
- Investigative assistance: When clients suspect illegal activity on the part of service providers, they may not have enough options to pursue necessary legal actions against such providers.
- Long-term viability: this issue reflects the ability of a client to retract a contract and all data in cases where the current provider is bought out by another provider.
Case discussion groups are used in cloud computing to discuss different use cases and related requirements that can exist in a cloud model. Use cases from different perspectives are considered, and they include those from consumers, developers, and security engineers. ENISA investigated the different security codes in cloud computing with reference to its adoption and other affected assets, and they found that the chances of risk, impact, and vulnerabilities in the cloud computing setting can result in high security risks, as discussed above. Other authors, like Balachandra et al. (2009), did present an analysis of the security SLA’s specifications and objectives when it comes to the location of data, segregation, and data recovery. Kresimir et al. (2010) also conducted an analysis on the high level of security concern in cloud computing models, such as data integrity, privacy, and sensitive information protection.A number of other authors (such as Subashini and Kavitha, 2010; Bernd et al., 2010; Kresimir et al., 2010; Ragovind et al., 2010) have opened up discussions on cloud computing and its related issues, with these authors noting that the cloud computing environment is hugely affected as a result of different security issues. Thus, this further validates the essence of this research, as it focuses on understanding these security issues as well as devising solutions to them.
Problem statement
From the works of Kevin et al. (2010), it can be identified that there are vast security issues in cloud computing, and these issues are the outcome of the fact that cloud computing does comprise of different technologies and networks, virtualized processes, databases, transaction management, operating systems, resource scheduling, load balancing, controls in their concurrency form, and memory management. This makes it evident that cloud computing does come with numerous security issues, and these issues can arise from one or a combination of the processes involved.
Considering that there are numerous processes in the cloud computing environment, it is now clear that understanding security issues in the cloud computing environment can be a tremendous issue with complicated outcomes because there are many ways that such issues can occur and they can also affect different facets of the cloud computing environment (e.g., storage, processing, privacy, etc.).
As a result of the vast nature of cloud computing systems and the potential for risks to emanate from all the processes (Kevin et al., 2010), the solution to this research becomes very complex, as focusing on one area of cloud computing can bring about the research while ignoring other areas, while focusing on all areas can make the whole research even more complex. Additionally, it should be noted that the majority of the research on security issues in cloud computing has focused primarily on one area of the cloud computing component (e.g., storage, process, access, etc.), which makes such research like this very complex because it combines all issues from different activities in cloud computing. Irrespective of these issues discussed above, it is important to note that these issues will not negatively influence the outcome of this research because extra measures will be enacted to ensure quality delivery in terms of understanding the issues and modeling the right solutions for these issues.
Research objectives
From the above analysis, it is now obvious that in cloud computing, security issues do come with their own distinctive impacts on distinctive facets of the cloud environment.
Analyzing security issues in the context of cloud computing is a clear proof that each issue does come with its own different impact on distinct assertions. Thus, researchers that aim to create a security model for both studying the security aspects of cloud computing and creating the right solutions to support decision-making need to consider the risks and vulnerabilities that have been identified in the past and arrange them in their order of importance in order to create a cloud security taxonomy. The main structure of the cloud computing taxonomy that is generally applicable is illustrated below.
Figure 1. Cloud computing security taxonomy top-level overview of the security taxonomy proposed, highlighting the three main categories: security related to privacy, architecture, and compliance (Nelson et al., 2012).
In the view of such understanding, the objectives of this research include:
4.1. To gain an understanding of what cloud computing is all about, prior to analyzing security issues and presenting solutions to such issues, it is very important that a clear understanding of the research topic be presented in order to know what is being solved, how it is being solved, and how to measure solutions in terms of their effectiveness in solving the identified problem.
4.2. To gain an understanding of the security issues in cloud computing Following success with the first objective, the second is geared towards presenting an idea of what the security issues in cloud computing are. The importance of such an approach is reflected in the understanding that it will help better define solutions for these ideas.
4.3. To develop a model-based solution for security issues in cloud computing—this is the core objective of this research as it reflects the overall purpose of the research. However, it won’t be very effective if the first two objectives are not achieved, as they define the kind of solution that will be modeled for security issues in cloud computing.
- Research Framework
Figure 2: Research Framework
From the figure above, it can be seen that the research framework is centered on three dimensions. The first is to understand what the security issues are in cloud computing by assessing and analyzing these issues. The assessment phase involves understanding the causes of security issues in cloud computing and how these causes can be mitigated in order to ensure a more advanced and secured cloud system. Following the assessment, past solutions will be analyzed in order to understand where and how these solutions have failed, as well as how to improve them to better advance cloud computing security. Such an analysis will lay the foundation for the final stages of the paper, which are to provide a modeled solution for cloud computing security by understanding what the issues are and improving the security system of past solutions.
- Research Methodology
In any given research, it is critical to define the methodology in a precise and calculated manner.This is because a careful definition of research methodology will ensure that the objectives of the research are perfectly aligned within the context of the whole research process. The methodology for this research is as described below.
- Research design
This is secondary research, which is based on qualitative analysis of data from past and related studies. The essence of such an approach is to analyze past solutions to security issues, compare these solutions to understand which of them provided the highest level of solution, and then define the new framework or format for a solution based on the understanding gained from such analysis. The idea of secondary research is to present a broader understanding of existing security measures and the issues they are designed to solve. Such an understanding will ensure the definition of a better security model solution because the weaknesses established in the existing solutions will be addressed in the new model solution.
In the case of this research, the approach chosen is qualitative research. Different definitions exist as to what qualitative research is all about, and some of the authors have reverted to focusing on the purpose of the research in terms of defining what qualitative research is all about. Basically, qualitative research is built around the understanding of the meaning that people have constructed with respect to how people make sense of their world and the experiences they have in the world (Merriam, 2009, p. 13).
Other definitions of qualitative research have focused on the nature of the research's epistemological stance.In this sense, "qualitative research" is defined as the research that makes use of methods such as the observations of participants or case studies, resulting in a narrative and descriptive account of the setting that is being reviewed. Normally, sociologists that make use of this method reject positivism and make use of interpretive sociology (Parkinson & Drislane, 2011).
Besides the two areas highlighted above, other definitions of what qualitative research is all about focus more on the process and context involved in data gathering. In its essence, qualitative research is defined as a situated activity that locates the observer in the world it represents. It is made up of interpretive materials that make the world much more visible to the observer. Qualitative research turns the world into a series of representations that include field notes, conversations, interviews, photographs, personal memos, and recordings of different kinds in the course of obtaining the necessary data needed to make the process a success. On the basis of such an understanding, the elements encoded can be summarized as qualitative research involving an interpretive, naturalistic approach to the world. The implication is that qualitative researchers do study things in their own natural state, attempting to make sense of them, interpret them, and understand the phenomena from the view of the people who bring them to them (Denzin & Lincoln, 2005, p. 3).
Although these definitions are not viewed as being wrong in the context of this research, it is important to note that they are not particularly useful when viewed from the perspective of applied research. As such, the definition that will be adopted in this research is the simpler and more functional definition that was offered by Nkwi, Nyamongo, and Ryan (2001, p. 1), which defined qualitative research as involving any kind of research that makes use of data that do not indicate ordinal values. According to these authors, the criterion that defines these studies includes the type of data generated and/or used rather than the entire process on which previous views are based.In fact, qualitative research is based on the collection and use of data in the form of texts, images, or sounds, and the outcome viewed, such as that provided by these authors, presented a typical generalization of what qualitative research is all about.
The qualitative nature of this research is based on the earlier understanding provided, in which it was made known that this research is based on understanding security issues in cloud computing, analyzing existing solutions, and then modeling a new solution that solves the weaknesses of existing solutions.
- Sampling
Sampling will be conducted based on the context of the research. According to the solutions they are meant to solve, related research in the context of the research topic will be analyzed and compared together.This comparison will then be used to group the studies according to their importance, with the most important and closely related studies being chosen for further examination.
- Instrument
In terms of instrumentation, two major instruments exist in the context of this research, and they are the security issues and the modeled solutions. Security issues are loaded on the basis of the understanding that they limit the security essence of users in cloud computing. It is any issue that is capable of denying users the ability to access data at any given place while also protecting their privacy from a third party or an unintended audience. On the other hand, modeled solutions for these issues are the approaches that either users or network providers can adopt to protect users from such exposures. Thus, their research is instrumented on the grounds of understanding existing issues in cloud computing and providing solutions for these issues.
- Data Collection
Data will be collected from reliable databases of previous cloud computing research; basically, all collected data that will be used in this research, as well as the evidence provided to validate that they are from reliable sources, will be sourced.
- Data Analysis
In terms of the data analysis, this will be done in the context of the instrumentation. Thus, data will be analyzed to determine whether they aid in understanding security issues in cloud computing or in modeling solutions to such issues. Just as the research is secondary in nature, the analysis will be qualitative and in-depth in nature. All theories in the context of this research will be assessed, and such assessments will be used to model a new solution by improving on the weaknesses of existing solutions and aligning such improvements with the identified issue in cloud computing.