
Alexander W. Camara INFO 712

Information Assurance Challenges, Technology, and Goals in a Cloud Computing Environment

INFO 712 – Winter 2014

Alex Camara

Table of Contents

Abstract
Introduction
    Background
Cloud Computing Governance
    Introduction
    Discussion
    Governance Conclusion
Trust in Cloud Computing
    Introduction
    Automated Trust Management
    Trust Discussion
    Trust Conclusion
Cloud Client and Provider Relationship
    Introduction
    Cloud Provider Study
    Cloud Provider Discussion
    Cloud Client and Provider Relationship Conclusion
Conclusion
References

Abstract

Cloud computing is the hot topic for the future of information technology (IT), offering countless benefits, seamless connectivity, and overall reduced costs for businesses. However, there are serious security concerns that can make any business wary once they migrate to the cloud. Handing the keys to your intellectual property, operations data, and financial position to a third-party cloud service provider may not make executive stakeholders sleep well at night. Knowing the risks associated with the migration to cloud services and what level of uncertainty a business can tolerate is fundamental to the topic of information assurance. Cloud governance introduces new legal, compliance, and security risks that didn’t exist with traditional IT functions. It is important for cloud clients to understand the territory that comes with the possibility of cloud computing and how best to incorporate it into their IA posture. Cloud service providers along with the client must be willing to engage in an open discourse on the state of security practices and be as transparent as possible. Fundamentally, trust is what determines whether or not cloud computing will succeed. This simple yet crucial aspect represents cloud computing risk from a client and provider standpoint. Overall, how can cloud computing survive if organizations don’t feel secure and have the appropriate controls and oversight to manage operations within cloud computing?

Introduction

Cloud computing, also known as distributed computing, is heralded as the future of enterprise and personal computing. Cloud computing is continually defined as a shared set of resources that are scalable and accessible on-demand to support information and application needs (Cloud Security Alliance, 2011).

From a high-level perspective, the governance of cloud computing is comprised of regulatory and legal compliance as well as hardware and personnel management in regards to the platform. As an added layer to the governance portion of cloud computing, there is a strong need for trust between the client (business or personal) and the service provider. The trust builds upon governance best-practices and opens up communication to share needs and expectations. Matching expectations is what fosters good security and also strong customer support. These criteria are defined in several places and can be found in service-level agreements, company white papers, and online publications (Chakraborty, Ramireddy, Raghu, & Rao, 2010). These will serve as the basis for understanding the role cloud service providers and their clients play in the overall information assurance practices related to cloud computing.

With a solid fundamental understanding of the unique challenges that cloud computing brings to the table, it will be important to look at how cloud service providers are making headway to address these concerns. The last part of the paper will look at how specific providers are overcoming information assurance challenges and how cloud computing is paving the way for the development of standards (Vincent, 2010).

There is little doubt concerning the benefits of cloud computing. The cost savings that come from the centralization of data center management, along with the rapid deployment of resources without the need for costly hardware procurement and setup, are unmatched. However, these advantages are met with an equal number of disadvantages.

Understanding the differences when transitioning to a cloud computing platform can be overwhelming for large and small companies alike. The confidentiality, integrity, and availability of data are vital to the everyday needs and financial stability of many organizations today. It is in the best interest of both the provider and the client to forge trust through an increased awareness of unique platform-specific risks. Best-practices through standardization, greater transparency, and user-centric controls are needed in order to win over hesitant clients that see the platform as a potential threat to their bottom line. If cloud computing is to succeed in our virtual world, it must do so through continued focus on enhanced governance and client-provider trust that strengthens the relationship and benefits all those involved.

Background

Cloud computing is a way to make a shared set of resources into a service model. With the seemingly limitless capabilities of distributed computing, cloud services can be utilized to solve large scale computations in a fraction of the time (Sadiku, Musa, Momoh, 2014).

Discussion of cloud computing is usually based on three different platform models: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Each platform has its own advantages as well as different security and provider-based controls. SaaS cloud types typically provide an application that a cloud service provider manages. These have the least amount of flexibility but provide a high level of security because the provider is locking down backdoor access to information. PaaS is a model in which the client is deploying a specific application or code to the cloud that the service provider manages. This cloud type is the middle of the road when it comes to security controls and client-side involvement. The last cloud type is IaaS. Storage and data processing are largely handled on this cloud type and the client is responsible for implementing a large portion of the security regarding their data. Out of the three cloud types, SaaS and IaaS have emerged as the primary types. PaaS is still in use but not frequently discussed in the research papers I’ve found. While each is unique in its own regard, they share the same fundamental technology that cloud computing is defined by and therefore will be treated the same when discussing the benefits and risks in the remainder of this paper.

Cloud Computing Governance

Introduction

Cloud computing as an operational platform isn’t vastly different than traditional in-house IT. The major differentiation comes from the offload of hardware management and overall information security (Cloud Security Alliance, 2011). This shift opens the door to reduced costs from a hardware asset, personnel, and data management standpoint but also opens the door for security, compliance, and legal concerns that can ultimately undermine the company and their business advantage if not properly controlled. This tradeoff of benefits against risk is highlighted in a 2010 study performed by the Information Systems Audit and Control Association (ISACA) which found that 45% of respondents said that the risks associated with cloud computing outweigh the benefits (Prakash, 2011). With less than half of those surveyed in favor of cloud computing, it is important to find steps that are being taken to increase adoption of the platform and minimize the risks identified.

The overarching topics that encompass cloud computing are lumped into two categories, governance and operations. While the latter of the two focuses on operational security practices akin to traditional IT environments, the former deals with organization structure, regulatory compliance, and policies associated with the technology, which directly relate to the topic of information assurance and thus will be the focus of the first section (Cloud Security Alliance, 2011). Specifically, this section addresses the risks facing the platform and the changes being made through standardization, location-based policies, and cloud provider best practices.

Discussion

The Cloud Security Alliance (CSA) outlines cloud computing governance as an idea that is directly related to the information assurance practices of an organization from a strategic and operational perspective (Cloud Security Alliance, 2011). Governance in cloud computing faces a different set of threats than those in a traditional IT environment. For example, a multi-tenant computing environment raises policy enforcement concerns as well as financial billing complications due to the shared virtual space. It is in these types of applications of cloud computing that the client entering into a contract must be diligent to understand what their role is in order to protect themselves and their organization. Overcoming the challenges of this new technology is what has spurred the U.S. Federal Government to adopt a framework of best-practices.

With a recent survey indicating that 60% of 600 security professionals had experienced theft of some kind, a renewed effort is required more than ever (Greer, 2010). Because a simple defense plan alone is an inadequate approach, a new federal agency called the Federal Cloud Information Assurance Baseline (CIAB) was founded to oversee regulatory compliance and auditing of vendors and the services they offer. The focus is to limit the increasing threat of cyberwar by minimizing risks in data loss and security through an increase in vendor compliance and viability. The involvement of the government and a federal agency increases the awareness and compliance of specific threats to the underlying cloud computing architecture; however, it is known that even with their involvement they cannot always keep up with the dizzying pace of technological innovation.

Knowing the initiative by the federal government to enforce governance practices in cloud computing doesn’t free us from the fact that traditional IT computing faces similar compliance and security threats. In contrast to the government’s position, Ovum reporter Laurent Lachal (2010) states that oversight by an agency isn’t what governance should be comprised of and that real change to the platform should be focused on behavior rather than on top-down rules imposed on or by cloud service providers. This viewpoint offers a perspective that cloud governance should be organic in nature and develop through a shared interest between IT teams. With this mind-set the afflictions of both traditional IT and cloud computing can be overcome rather than just focusing on rehashing the oversight of a new technology from a government perspective.

The thought of governance as an imposed set of rules that are enforced upon the relationship between the client and the cloud service provider will not change the fact that there is still a high level of uncertainty among adopters of cloud computing. If the recent ISACA survey is to be believed, 90% of mission critical applications will never make it to the cloud due to risks with the platform as a whole (Prakash, 2011). One detractor to adoption of cloud computing is thought to be the lack of a comprehensive strategy put in place by companies seeking to utilize this new technology.

An example of this deals with the location of company data, which is not necessarily fixed inside the same state, country, or continent. This change in data location introduces regulatory and legal repercussions. One area where this is highlighted is in the European Union.

A 2012 reform of EU laws introduced stricter controls that increase responsibility for service providers operating outside and within the EU that aim to raise awareness through fast communication about data leakage and security breaches. Additionally, the reform covers user rights respective to cloud computing by increasing portability of data and allowing for their usage history to be wiped clean when they request it (Lovrek, Lovric, & Lucic, 2010). These reforms mark a victory for personal information and give more control over individual user data. These laws also allow for greater transparency from a business perspective about the integrity of their data.

However, it’s not just the location that is worrisome to potential customers. Data loss from human error is estimated at 75%, reinforcing the fact that cloud service providers must be vigilant about their own physical access controls and whether or not they have a reduced human intervention system that limits involvement altogether (Khan, Oriol, Kiran, Jiang, & Djemame, 2012). Additionally, since data is stored throughout the world, a variety of natural disasters unique to the specific location of the data can threaten the availability of a cloud application or information service.

Insider attacks are another possible avenue of data leakage and compromise. In a study conducted between 2000 and 2006, the numbers of internal and external attacks were equal (Duncan, Creese, & Goldsmith, 2012). With the risk of obtaining confidential data and the potential for reputation-altering damage, insider attacks are a real and very difficult threat to prevent. Choosing a cloud provider that has policies in place that audit employee behavior and limit their access controls between clients can minimize the possibility of an attack. Additionally, a strong security policy that resonates from all levels of management helps breed a culture of trust and compliance.

Governance Conclusion

Governance in cloud computing is fundamental for the successful adoption of the platform. Clients and providers must be transparent about their security practices and the location of their data to establish a baseline of trust. Though risks are inherent with any new technology, it is not wise to wade into cloud computing without a complete profile on the company you’re entrusting your data to. With an estimated 10% of all data residing in the cloud by 2015, there must be a continued focus on the formation of standards that baseline the technology from the ground up (Duncan, Creese, & Goldsmith, 2012).

Trust in Cloud Computing

Introduction

The concept of trust in cloud computing is simple and involves the client and the cloud service provider engaging in an open relationship to provide services to one another. The problem that arises from this is one of differing levels of technical complexity and how companies weigh the options when it comes to topics of regulatory compliance, liabilities, and other legalities inherent with this change in technology (Vincent, 2010).

Recent surveys echo these concerns. Of the 3,000 cloud clients being polled, 88% said that they were worried about who was able to access their data on the provider side (Habib, Sebastian, & Muhlhauser, 2011). The complications of this relationship also surface in the unclear language used to form the service level agreements. These agreements form the basis for engaging in a cloud computing partnership and outline the general constraints placed on your data in the cloud. The terminology in these documents can be technical to someone unfamiliar with the platform, which is why technology is being used to bridge the gap.

To better manage these difficulties, a number of technical solutions are being developed to automate the process of trust. Trust in this form relies on surveys and technical breakdowns of the service level agreement that take into account the client’s expectations of security, compliance, and overall governance of the cloud provider and the way they handle their data. Ultimately, the concept of trust can be summed up in Kahn and Malluhi’s paper that states, “Trust is more important than money and will ultimately determine cloud computing’s success” (Kahn, & Malluhi, 2013).

Automated Trust Management

If you believe trust is only forged through face-to-face meetings and handshakes, then there are two interesting technologies looking to change your mind. An automated approach to trust management alleviates the personnel overhead required to monitor a cloud service and specific provider actions. These systems also introduce performance measurements that clearly define the expectations of both parties, increasing overall transparency and reducing the gray areas found in service level agreements.

The first of two automated approaches that will be discussed relies on the participation of clients and providers to answer questionnaires. The questions are designed to judge the priorities associated with both parties and to develop performance metrics that each can be rated upon. The results of the survey are then fed into a computation engine that evaluates the responses and builds a digital representation of the client and cloud service provider. The goal is to develop a marketplace for both the client and the service provider so that they can easily identify what they’re looking for in each other to find the best match. This is the equivalent of an online dating algorithm that finds your match based on answers to predefined questions.

This trust management model aims to provide a more in-depth review of the robustness of a cloud service provider that has yet to be achieved. By looking beyond the general requirements of cost, scalability, and availability, additional questions tackle concerns related to information assurance, confidentiality, and integrity. In addition to questionnaires, sources such as word-of-mouth, cloud service provider statements, and compliance assessments are used to complete a thorough picture of what a client can expect from a provider. All of this information is built into a reputation model and fed into several trust systems that allow for the customization and evaluation of how a provider stacks up.

The second technical approach to increasing trust between the client and the provider is through the use of details extracted from the service level agreement. The service level agreement provides the terms and conditions for the contract that each party is actively engaging in. The application of trust management comes online once the service level agreement is signed and the client is officially subscribing to a cloud service provider. The difference in this approach, compared to that above, is the active management of the provider. This technology gives a real-time representation of compliance related to the service level agreement. The visibility given to the client helps them to understand the processing power, storage, execution efficiency, failure handling and so forth. These attributes, like those proposed in the previous example, are fed into a program that evaluates the provider and outputs a rating between 0 and 1 that informs the client whether or not their expectations match what they’re really being given.
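One way the SLA-based approach described above could turn monitored attributes into a rating between 0 and 1, as an added example that is not taken from the paper or from the systems it cites. The attribute names, weights, sample measurements and the capped-ratio scoring rule are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SlaTerm:
    """One measurable commitment extracted from a service level agreement."""
    name: str
    agreed: float            # value promised in the SLA
    higher_is_better: bool   # False for things like recovery time
    weight: float            # client's priority for this attribute (assumed)


def term_compliance(term: SlaTerm, observed: Optional[float]) -> float:
    """Return 0..1, where 1.0 means the provider met or beat the agreed value."""
    if observed is None:
        # No measurement reported: the client cannot verify the term,
        # so it earns no trust rather than being silently skipped.
        return 0.0
    if term.higher_is_better:
        ratio = observed / term.agreed if term.agreed > 0 else 1.0
    else:
        ratio = term.agreed / observed if observed > 0 else 1.0
    # Over-delivery does not compensate for shortfalls elsewhere.
    return max(0.0, min(1.0, ratio))


def trust_rating(terms: List[SlaTerm], observations: Dict[str, float]) -> float:
    """Weighted mean of per-term compliance: the 0..1 rating shown to the client."""
    total_weight = sum(t.weight for t in terms)
    if total_weight <= 0:
        raise ValueError("term weights must sum to a positive value")
    score = sum(t.weight * term_compliance(t, observations.get(t.name))
                for t in terms)
    return score / total_weight


def shortfalls(terms: List[SlaTerm], observations: Dict[str, float]) -> List[str]:
    """Names of the terms where delivery fell below what was agreed."""
    return sorted(t.name for t in terms
                  if term_compliance(t, observations.get(t.name)) < 1.0)


# Constructed SLA terms covering the attributes the text lists.
SAMPLE_TERMS = [
    SlaTerm("processing_power_vcpus", 8.0, True, 2.0),
    SlaTerm("storage_gb", 500.0, True, 1.0),
    SlaTerm("execution_efficiency", 0.95, True, 3.0),
    SlaTerm("failure_recovery_minutes", 15.0, False, 4.0),
]

# Constructed measurements for one monitoring window.
SAMPLE_OBSERVED = {
    "processing_power_vcpus": 8.0,
    "storage_gb": 450.0,
    "execution_efficiency": 0.76,
    "failure_recovery_minutes": 20.0,
}

if __name__ == "__main__":
    print(f"rating: {trust_rating(SAMPLE_TERMS, SAMPLE_OBSERVED):.2f}")
    print("below SLA:", shortfalls(SAMPLE_TERMS, SAMPLE_OBSERVED))
```

Treating an unreported metric as zero compliance keeps a provider from raising its rating by withholding unfavorable measurements.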

Trust Discussion

With two different technical approaches outlined, and many others in development, the real question comes down to whether or not machines can build our trust in cloud computing. An automated system provides ease of control, ownership, and a sense of overall security but not the human factor that comes out of business meetings or face-to-face partnerships. Customer perception is not easily calculated or factored into a machine and therefore must be built over time before a client is willing to place their trust in it.

To reduce concerns over the past, current, and future state of a client’s data, providers are leveraging additional tools that provide users with control. Traditionally, cloud computing doesn’t allow the user to have complete control over their data. It is in these cases that cloud tools like remote access control give the client control over what the provider has access to. Manipulation of cloud data along with detailed report logs and audit trails round out the tool suite that providers are trying to give clients. Private enclaves are another avenue of building client-focused controls into the cloud computing platform. These areas within a cloud environment eliminate the threat from multi-tenant virtualization and allow single security policy enforcement over a cloud partition (Kahn, & Malluhi, 2013). These controls add an additional layer of mechanisms that reassure existing clients and can sway potential clients who are apprehensive about placing their trust in a provider. Clients knowing the state of their data and services is an important topic in the realm of trust building.

Trust isn’t something that is unique to the partnership of a business and a large cloud computing vendor. Millions of people across the globe actively participate in a trust relationship with cloud computing providers. When people access Facebook and Google they’re trusting their personal information to a cloud service provider whether they know it or not. This level of trust wasn’t built overnight and provides an interesting perspective into how non-business consumers are inviting the cloud platform into their daily lives. A research initiative is looking to capture how trust is built in social networks and existing popular cloud-based applications. The research aims to gather feedback through semi-structured interviews and questionnaires, hoping to understand how consumers categorize their feelings into the five defined research processes of trust: prediction, consistency of trustees, attribution, bonding, and identification (Kim, & Yoon, 2012). Though the research has just begun, initial feedback shows that convenience of cloud computing is the primary driving force behind the choice to begin using the platform. Word-of-mouth marketing takes over from there and, as the preliminary results show, the more people who use a service the more likely individuals will feel safe using it. This kind of insight isn’t fundamentally different than what a business owner will go through. It is reasonable to assume they will solicit feedback on a provider and would be more willing to trust it if multiple friends or other businesses in the same market are using it as well.

Trust Conclusion

Trust among existing and potential cloud consumers and cloud service providers is paramount to the continued success of the platform. The partnerships formed during these interactions along with the performance of providers will reassure hesitant business owners and consumers alike. The fact that cloud computing is relatively new on the block gives rise to the theory that it should start with a “clean sheet” to implement more robust security practices (Ghosh, Acre, 2010).

Technological innovations are forging new ways to gain trust. By automating the selection of criteria that a provider is offering, entry barriers are vastly reduced. This gives way to greater engagement from the beginning of a cloud partnership, which has greater potential to blossom into businesses moving more of their application and information services to a cloud platform. Additional controls that monitor continued compliance of a provider fit into the model of giving the client more control.

Remote access tools that allow for easy viewing of a system and control of access can be a game changer. Giving the cloud control is the best example of trust as it allows the provider to give users increased rein over the services they offer. This type of trust is what ultimately will lead the way for better consumer-related controls.

Google and Facebook, along with a host of other services, are already on public display as cloud successes. Users may not be fully aware that the data they share, like, and post is forever in the cloud but most have already committed to the idea. Competition among these providers over access control and portability of data is increasing as they strive to one-up each other in a large scale popularity contest.

Trust will be for the consumer and the business owner to decide. With financial repercussions and lasting reputations on the line, one wrong file transfer or security breach could make or break the future of a cloud service provider.

Cloud Client and Provider Relationship

Introduction

The struggles to adjust to policy and legal issues are not the only trust and compliance issues cloud providers face. Trust from a client or consumer perspective is also a steep hill to overcome. Technology along with more user control are two ways of easing the transition for many people seeking cloud services. With a foundation for understanding the risks that providers and clients face, it’s important to address how providers are adopting best-practices to develop the platform as a whole.

The cloud service provider and client must be trusting of each other. In addition, vendors must implement best-practice strategies to mitigate risks and ensure consistent and robust data and application security. These practices vary widely among different providers and while there are many, some feel that there aren’t enough to consider the platform mature. In addition, companies are investing in third-party audits that can baseline the technology and offer better marketing advantages based on their reputation and customer base (“Mitigating Security”, 2012). It is therefore necessary to look at how different characteristics of a company value security, privacy, and business integrity.

The growth of cloud computing has risen 27% between 2008 and 2012 (Leavitt, 2009). This increase reinforces the fact that cloud computing is a viable solution to lowering operating costs while maintaining robust information and applications. A review of Symantec’s approach to cloud computing will be covered to provide real world context to the solutions they offer to some of cloud computing’s biggest problems.

Cloud Provider Study

The overall information assurance of cloud service providers is best shown in a study conducted by Chakraborty et al. (2010). Criteria essential to information assurance were gathered based on security, privacy, and business integrity. These three areas represent the CIA triad and provide a comparable set of rules that allow each vendor to be equally assessed. Security covers all aspects of the triad, with privacy covering the confidentiality and integrity portion and business integrity covering the integrity and availability portion.

With an understanding of how to rate vendors against one another, specific attributes of each service were developed. Categories such as online traffic (ranging from low to very high), company size (small to large), and cloud type were all captured through questionnaires, company releases, and white papers distributed on the internet. The online traffic of a company represents the customer base that it serves and therefore goes hand in hand with the trust factor applied to word-of-mouth advertising and the safety net associated with the mob mentality. The cloud service type is another critical factor to consider in this study. It is well documented that as you move down the stack from SaaS to IaaS the vendor security controls decrease and the client’s level of control increases. Company size is an odd choice but one that helps show the level of involvement, either internal or external, in shaping the policies that are enforced on the cloud platform.

The results of the study are mixed. Ratings range from 0 to 1 and were plotted for the three information assurance concepts. Consistent trends were displayed for the IA concepts when it came to the specific cloud types. IaaS maintained the highest positive score out of all three cloud service types with SaaS receiving the lowest except for the privacy attribute. The privacy anomaly is best described by the low adoption rate of the platform. IaaS and SaaS are more popular options and therefore are better represented in this survey.

The second set of results deals specifically with online traffic for each IA concept. In regards to all three of the IA concepts, site traffic doesn’t play a large enough role to dictate any meaningful differentiation. This is positive in many ways because it shows that the platform is stable for high traffic vendors and also that low traffic vendors follow similar practices ensuring a consistent level of quality in regards to business integrity, security, and privacy.

The third set of results outlines the three criteria against the company size. A positive trend can be seen for business integrity based on the company size. It is thought that larger companies can put more capital towards ensuring business integrity because their reputation relies on it. The other interesting data points are for the medium sized companies. The negative security and privacy index for companies of this size is far lower than for the small and large companies. This places an emphasis on the services offered by medium sized companies, providing some insight on how they’re trying to compete against other providers.

Cloud Provider Discussion

The study conducted in the section above leads us to a better understanding of the

differences and similarities between providers. This study shows us that cloud providers as a

whole value security and privacy regardless of the online traffic and cloud type. The major

differences were only seen when a comparison based on the company size, which was an estimate

at best, showed medium sized companies with an increased focus on privacy and security.

Business integrity stood out for large companies which can be summed up by acknowledging the

fact that they have large amounts of capital to invest in this service compared to smaller companies.

In addition to cloud providers providing their own support and security services,

companies like Symantec are entering the cloud arena. Symantec’s goal is to provide intermediary

security, compliance, legal, and regulatory services to ease private and public concerns. Symantec

has established industry-leading experience for providing cloud security with existing providers

such as salesforce.com and amazon.com (“Protected Clouds”, 2012). These tools can be seen as

leveling agents that ensure consistent compliance from both the client and provider perspective.

A small provider can rely on Symantec’s specialized tools such as Compliance Suite, Symantec

O3, and Data Loss Prevention Network Discovery to better round out their offerings and make

themselves marketable when compared to other companies competing for the same customer base.

This approach is highlighted in a recent publication by Symantec as holistic and also as a

hybrid cloud model that combines physical and virtual computing best-practices (“Mitigating

Security”, 2012).

Cloud Client and Provider Relationship Conclusion

In this section we provided the basis for security, privacy, and business integrity practices

based on a recent study conducted by Chakraborty et al. (2010). This study showed predictable

differences in IA practices based on cloud types in addition to some interesting results based on

company size. The outcome shows us that many medium-sized companies are offering unique

advantages over large and small companies with regard to security and privacy.

Third-party information assurance providers such as Symantec also help mitigate a

variety of risks normally associated with building and securing cloud infrastructure. This third-

party abstraction provides a buffer for cloud service providers. By relying on a third-party

company with a reputation for security and information assurance, cloud service providers can

focus on delivering their service instead of managing downstream compliance, legal, and

regulatory concerns. This offloading of service is similar to that provided by cloud companies as

they take the data center management and hardware overhead off of companies looking to enter

the cloud arena.

Conclusion

Cloud computing as a platform is here to stay. This statement is reinforced by the fact that

global business spending on cloud computing is expected to rise 20% in 2014 compared to 2013

(Seitz, 2014). With this rapid expansion the focus on standardization and greater governance

controls is more important than ever. The global increase in regulatory and location-based policies

and laws will play larger roles as business leaders seek to capture the benefits associated with

moving their IT products to a cloud platform. This drive shouldn’t overshadow the fact that

information assurance best practices need to be dealt with during initial planning when moving

information, applications, and software to the cloud. The bond between the client and the cloud

service provider needs to be continually reviewed throughout the relationship lifecycle. Tools to

manage trust are trying to lower the overwhelming entry barriers that many businesses face. New

marketplaces are being developed to level-set expectations between both entities. Vendors are also

looking to deliver top-notch quality regardless of platform, company size, and overall traffic they

receive. These factors improve overall quality of service making cloud offerings comparable

across a variety of vendors. In addition to individual cloud service providers increasing their

user level control, companies like Symantec are aiming to package a suite of services that further

reduce entry barriers and thus make transitioning easier for users of all kinds.

References

1. Sadiku, M., Musa, S. & Momoh, O. (2014, January 07). Cloud computing: Opportunities

and challenges. IEEE,

2. Prakash, S. (2011). Risk management: Cloud computing considerations. CMA

Magazine, 85(2), 40. Retrieved from

http://search.proquest.com/docview/894725517?accountid=10559

3. Security guidance for critical areas of focus in cloud computing v3.0. In (2011). (Vol. 3.0).

Cloud Security Alliance.

4. Khan, A., Oriol, M., Kiran, M., Jiang, M., & Djemame, K. (2012). Security risks and their

management in cloud computing. International conference on cloud computing technology

and science.

5. Duncan, A., Creese, S., & Goldsmith, M. (2012). Insider attacks in cloud computing. IEEE

11th international conference on trust, security and privacy in computing and

communications. doi: 10.1109

6. Greer, M. (2010). Survivability and information assurance in the cloud. International

conference on dependable systems and networks workshops (dsn-w).

7. Cloud computing governance 'must improve' says ovum. (2010). Express

Computer, Retrieved from

http://search.proquest.com/docview/607137915?accountid=10559

8. Vincent, M. (2010, October 26). Australia: Cloud computing - legal issues in the

cloud. Mondaq

9. Chakraborty, S., & Roy, K. (2012). An sla-based framework for estimating trustworthiness

of a cloud. IEEE 11th international conference on trust, security and privacy in computing

and communications. doi: 10.1109

10. Habib, S., Sebastian, R., & Muhlhauser, M. (2011). Towards a trust management system for

cloud computing. 2011 international joint conference of ieee trustcom-11/ieee icess-11/fcst-11.

doi: 10.1109

11. Malluhi, Q. & Khan, K. (2013). Trust in cloud services: Providing more controls to

clients. IEEE

12. Leavitt, N. (2009, January). Is cloud computing really ready for prime time?. IEEE,

13. Chakraborty, R., Ramireddy, S., Raghu, T., & Rao, H. (2010). The information assurance

practices of cloud computing vendors. IT PRO,

14. Symantec Corp. (n.d.). Mitigating security risk in the cloud. Retrieved March 9th, 2014,

from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-mitigating_security_risk_in_the_cloud_WP.en-us.pdf

15. Arce, I. (2010, November). In cloud computing we trust—but should we?. IEEE Security,

Retrieved from http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5655238

16. Khan, K. & Malluhi, Q. (2010, September). Establishing trust in cloud computing. IT PRO,

17. Kim, S. and Yoon, A. (2012), Do I trust google? An exploration of how people form trust in

cloud computing. Proc. Am. Soc. Info. Sci. Tech., 49: 1–3. doi: 10.1002/meet.14504901267

18. Lovrek, I., Lovric, T., Lucic, D., & , (2010). Regulatory aspects of cloud computing.

(Master's thesis, University of Zagreb, Zagreb, Croatia).

19. Symantec Corp. (n.d.). PROTECTED CLOUDS: Symantec solutions for consuming,

building, or extending into the cloud. Retrieved March 9th, 2014, from

http://www.symantec.com/content/en/us/enterprise/brochures/b-protected-clouds_21260411.en-us.pdf

20. Seitz, P. (2014, Feb 14). Cloud computing sales to triple by 2017, new forecast

says. Investor's Business Daily. Retrieved from

http://search.proquest.com/docview/1498143144?accountid=10559