Privacy, Security and Trust in Cloud Computing

  • Siani Pearson
Part of the Computer Communications and Networks book series (CCN)


Cloud computing refers to the underlying infrastructure for an emerging model of service provision that has the advantage of reducing cost by sharing computing and storage resources, combined with an on-demand provisioning mechanism relying on a pay-per-use business model. These new features have a direct impact on information technology (IT) budgeting but also affect traditional security, trust and privacy mechanisms. The advantages of cloud computing—its ability to scale rapidly, store data remotely and share services in a dynamic environment—can become disadvantages in maintaining a level of assurance sufficient to sustain confidence in potential customers. Some core traditional mechanisms for addressing privacy (such as model contracts) are no longer flexible or dynamic enough, so new approaches need to be developed to fit this new paradigm. In this chapter, we assess how security, trust and privacy issues occur in the context of cloud computing and discuss ways in which they may be addressed.


Cloud computing, Privacy, Security, Risk, Trust



The influence and input of various colleagues, notably Daniel Pradelles, in developing the ideas in this chapter is gratefully acknowledged.



Recommended Reading

  1. Camenisch, J., Fischer-Hübner, S., Rannenberg, K. (eds.): Privacy and Identity Management for Life. Springer, Berlin (2011)
  2. Catteddu, D., Hogben, G. (eds.): Cloud computing: benefits, risks and recommendations for information security. ENISA Report. (2009)
  3. Cavoukian, A., Taylor, S., Abrams, M.: Privacy by design: essential for organizational accountability and strong business practices. Identity Inf. Soc. 3(2), 405–413. (2010)
  4. Cloud Security Alliance (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing. v2.1, English language version, Dec. (2009)
  5. Cofta, P.: The trustworthy and trusted web. Foundations Trends Web Sci. 2(4), 243–381 (2011)
  6. Craig, T., Ludloff, M.E.: Privacy and Big Data. O’Reilly, Sebastopol, CA (2011)
  7. Gellman, R.: Privacy in the clouds: risks to privacy and confidentiality from cloud computing. World Privacy Forum. (2009)
  8. Information Commissioners Office: Privacy by design. Report, Nov. (2008)
  9. Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy. O’Reilly, Sebastopol, CA (2009)
  10. Pearson, S.: Toward accountability in the cloud. IEEE Internet Comput., IEEE Comput. Soc. 15(4), 64–69, July/Aug (2011)
  11. Pearson, S., Casassa Mont, M.: Sticky policies: an approach for privacy management across multiple parties. IEEE Comput. 44(9), 60–68, Sept (2011)
  12. Schwartz, P.M.: Data Protection Law and the Ethical Use of Analytics, CIPL. (2010)
  13. Solove, D.J.: Nothing to Hide: The False Tradeoff between Privacy and Security. Yale University Press, New Haven (2011)
  14. The Royal Academy of Engineering: Dilemmas of Privacy and Surveillance: Challenges of Technological Change. Mar. (2007)
  15. Yee, G. (ed.): Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards. IGI Global, Hershey (2012)

Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  1. Cloud and Security Lab, HP Labs, Bristol, UK