next challenge for governance cloud computing
DESCRIPTION
Cloud ComputingTRANSCRIPT
P a g e | 1
Next Challenge for Governance -
the Cloud Computing
The internet has transformed the planet Earth
into a global village; where in cyberspace boundaries
have little meaning. However perimeterization of an
organizational data was always possible even in the
Internet environment and it was possible to create
De-Militarized Zone (DMZ) between the Internet
and organization’s data. However with the adoption
of Cloud computing, even this hazy boundary is being
eroded. Thus the challenge ahead for a sovereign
state is how to adapt to new technological paradigm.
Cloud computing (‘Cloud’) is changing the
concepts of information handling in the same
revolutionary manner as the World Wide Web did to
P a g e | 2
it about a decade ago. So what is this Cloud
Computing? It describes the use of collection of
services, applications, information, processing power
and storage resources. These components can be
rapidly provisioned, implemented and decommissioned
and scale up or down, providing for an on demand
utility-like model of allocation and consumption of
Computer based resources. It is hiring of various
hardware, operating system and application software
remotely from a very large pool from a Cloud Service
Provider (CSP). The word cloud emerged from the
initial diagrammatical representation of the Internet
as cloud. It changes the capital cost into a variable
cost.
Cloud computing is an evolving term that
describes the development of many existing
technologies and approaches to computing into
something different. Some of the existing technologies
orchestrated together to form a cloud include web
2.0, ubiquitous connectivity, virtualization, broadband
networking, clustering, utility computing, multi
tenancy, service oriented architecture and out
sourcing. Cloud separates application and information
P a g e | 3
resources from the underlying infrastructure, and the
mechanisms used to deliver them.
National Institute of Standards and Technology
(US) has published the working definition of the
Cloud, which is “ A model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (e.g. networks,
servers, storage, applications, and services) that can
rapidly provisioned and released with minimal
management effort or service provider interaction”.
According to NIST, Cloud services exhibit five
essential characteristics that demonstrate their
relation to, and differences from, traditional
computing approaches: On-demand self-service, broad
network access, resource pooling, rapid elasticity and
measured service.
Though there are many flavors of services
provided by CSPs but primarily there are three
service models. Where only hardware such as Servers,
memory, storage space etc. are provided on demand
and user need to deploy its own Operating System
(OS) and applications (apps), such services are called
P a g e | 4
Infrastructure as a Service (IaaS). Incase CSP
provides IaaS + Operating System than such a service
model is called Platform as a Service (PaaS). The
Software as a Service (SaaS) is the service model
where CSP provides complete package including apps.
The cloud can be deployed as a ‘Private cloud’ by
a group of companies under same banner or a
government for internal purpose; or as ‘Community
cloud’ for a specific community, say banking
community; or as ‘Public cloud’ where anyone can buy
any services and use; and in ‘Hybrid cloud’
environment private and public clouds are jointly used
in an efficient and secure mode.
In ideal situation, cloud provides a kind of
security which can never be matched by any medium
size organization and at cost which can be as low as
10% of existing security cost. But the sense of loss
of data outside the perimeter of the organization
creates new challenges to cyber security. Challenges
are created because the data of the organization is
under CPS’s control, which may be fragmented and
P a g e | 5
stored /processed at various locations across the globe
unless service level agreement specifically bars it.
For a nation-state, the Cloud has created a new
area of legal risks which lacks any precedence or
established legal history. There will be difficulties in
establishing legal jurisdiction for gathering evidence
and enforcing any court order. Some of the challenges
for law enforcement in the Cloud will be:-
(a) How the evidence will be gathered from the
Cloud, in reliable and authentic manner, which can
be verified during the trial - may be few years
later?
(b) Who will be considered as custodian of data – the
user who kept the data in the cloud or the CSP
who owns the data storage space?
(c) Indian Police, which is still cannot cope with
collecting digital evidence from desktops in
accordance with the IT Act, let alone servers &
clusters, how will they collect the evidence from
the Cloud?
(d) Unlike first world countries where e-discovery and
cyber evidence related to privacy of an individual
P a g e | 6
can be gathered only on a court order, in India
such orders are issued under sections 68 and 69
of IT Act by the executive. How such dramatic
differences will be resolved? Rule under section
69 have been issued but no one is following
them. Such attitude cannot help in cases with
international ramifications.
(e) What happens when the original CSP goes
bankrupt or taken over by a company from a
country having not so friendly relations with
India?
(f) What if criminals/ cyber terrorists use cloud for
perpetuating a crime in real world and then
release all resources back to the cloud? How such
evidence will be retrieved? (It is one of the cloud
management requirements that if a storage space
is vacated by one legitimate tenant of the cloud,
same to be forensically cleaned up immediately
otherwise there exist a possibility of data
leakage.)
Cloud Computing is a new paradigm which cannot
be wished away, nor an executive order that no one
P a g e | 7
to use cloud, will be of help because not allowing own
companies / organization to use the Cloud will make
them far less efficient and will have adverse affect on
economy. It has been estimated that cloud provides
80 to 90 percent efficiency on IT spend and allow an
organization to focus on its core competence. Simile
could be, buying an aircraft to go from Delhi to New
York, (traditional computing) versus buying a ticket
from an airline for the journey (Cloud computing).
According to Gartner survey report, cloud
computing service revenue in 2010 was estimated to
be around £41 billion. The US Government as well as
US industry is very aggressive on this technological
shift. China has already rolled out “Sea of Cloud
Plan” which will create 200 billion Yuan industrial
cloud server by 2015.
Some of the suggested recommendations at nation-
state level are:
(a) Government cannot afford to move at its
lethargic pace, not only security but the very
growth rate of India may be adversely impacted if
P a g e | 8
this issue is not handled properly and timely
manner.
(b) Government must aggressively launch Cyber
Security Awareness campaign.
(c) Frame all rules as envisaged under the IT Act.
(d) Form a task force to advice and guide the
policy and law makers. The Task Force must
contain those who understand cloud security
technological issues as well as national policy
matters.
(e) Government must sign Convention of
Cybercrime without further delay.
(f) Train Police, Cyber Forensic experts, Public
prosecutors, lawyers and judiciary, to understand
the complexity of investigation in the Cloud.
(g) Involve industry and private players in
capacity building.
(h) Be a proactive partner in international fora
on Cyber Security.
(i) And appoint an Ombudsman for resolving
complaints of Cloud users and CSPs.
P a g e | 9
The world is at the chasm of next disrupting
technological breakthrough which will make the
national borders further meaningless. We can ignore
the CLOUD at our own peril. There will be no choice
expect adopting this new tool, therefore it will be
better to understand it and make new laws to
protect our interest, without attempting to contain
its adoption. Aligning with international community
will be a necessity, while getting into cocoon could be
dangerous.