Abstract
Cloud computing refers to the underlying infrastructure for an emerging model of service provision that has the advantage of reducing cost by sharing computing and storage resources, combined with an on-demand provisioning mechanism relying on a pay-per-use business model. These new features have a direct impact on information technology (IT) budgeting but also affect traditional security, trust and privacy mechanisms. The advantages of cloud computing—its ability to scale rapidly, store data remotely and share services in a dynamic environment—can become disadvantages in maintaining a level of assurance sufficient to sustain confidence in potential customers. Some core traditional mechanisms for addressing privacy (such as model contracts) are no longer flexible or dynamic enough, so new approaches need to be developed to fit this new paradigm. In this chapter, we assess how security, trust and privacy issues occur in the context of cloud computing and discuss ways in which they may be addressed.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Mell, P., Grance, T.: A NIST definition of cloud computing. National Institute of Standards and Technology. NIST SP 800–145. http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf (2009)
IDC: Enterprise Panel, Sept. http://www.slideshare.net/JorFigOr/cloud-computing-2010-an-idc-update (2009)
Cloud Industry Forum: Transition to the Cloud: The case for a code of practice. CIF Report. http://www.cloudindustryforum.org/downloads/transition-to-the-cloud.pdf (2011)
Cloud Security Alliance: Top Threats to Cloud Computing. v1.0, Mar (2010)
Horrigan, J.B.: Use of cloud computing applications and services. Pew Internet & American Life project memo, Sept (2008)
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT ACT) Title V, s 505 (2001)
Catteddu, D., Hogben, G. (eds.): Cloud computing: Benefits, risks and recommendations for information security. ENISA Report, Nov. http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment/ (2009)
Marchini, R.: Cloud Computing: A Practical Introduction to the Legal Issues. BSI, London (2010)
McKinley, P.K., Samimi, F.A., Shapiro, J.K., Chiping, T.: Service clouds: a distributed infrastructure for constructing autonomic communication services. In: Dependable, Autonomic and Secure Computing, IEEE, 12–14 Dec 2011, Sydney, Australia, 341–348 (2006)
Warren, S., Brandeis, L.: The right to privacy. Harv. Law Rev. 4, 193 (1890)
Westin, A.: Privacy and Freedom. Atheneum, New York (1967)
American Institute of Certified Public Accountants (AICPA) and CICA: Generally accepted privacy principles. Aug. http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/downloadabledocuments/gapp_prac_%200909.pdf (2009)
Solove, D.J.: A taxonomy of privacy. Univ. Pennsylvania Law Rev. 154(3), 477, Jan. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=667622 (2006)
Nissenbaum, H.: Privacy as contextual integrity. Washington Law Rev. 79, 101–139 (2004)
Nissenbaum, H.: Privacy in Context: Technology, Policy and the Integrity of Social Life. Stanford University Press, Stanford (2009)
Swire, P.P., Bermann, S.: Information Privacy: Official Reference for the Certified Information Privacy Professional, CIPP. International Association of Privacy Professionals, York (2007)
European Commission: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf (1995)
Privacy Protection Study Commission: Personal privacy in Information society, United States Privacy Protection Study Commission fair information practices. http://epic.org/privacy/ppsc1977report/ (1977)
Organization for Economic Co-operation and Development (OECD): Guidelines for the protection of personal data and transborder data flows. http://www.oecd.org/document/18/0,3746,en_2649_34223_1815186_1_1_1_1,00.html (1980)
Safe Harbor website: http://export.gov/safeharbor/ (2012)
The White House: Consumer data privacy in a networked world: a framework for protecting privacy and promoting innovation in the global digital economy, Feb. http://www.whitehouse.gov/sites/default/Files/privacy-Final.pdf (2012)
European Commission: Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, Jan. http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_10_en.pdf (2012)
ISO: 27001: Information Security Management – Specification with Guidance for Use. ISO, London (2005)
Rousseau, D., Sitkin, S., Burt, R., Camerer, C.: Not so different after all: a cross-discipline view of trust. Acad. Manage. Rev. 23(3), 393–404 (1998)
Baier, A.: Trust and antitrust. Ethics 96(2), 231–260 (1986)
Gambetta, D.: Can we trust trust? In: Gambetta, D. (ed.) Trust: Making and Breaking Cooperative Relations. Basil Blackwell, New York (1988)
Nooteboom, B.: Social capital, institutions and trust. Rev. Soc. Econ. 65(1), 29–53 (2007)
Sitkin, S., Roth, N.: Explaining the limited effectiveness of legalistic ‘remedies’ for trust/distrust. Org. Sci. 4, 367–392 (1993)
Wang, Y., Lin, K.-J.: Reputation-oriented trustworthy computing in e-commerce environments. Internet Comput. IEEE 12(4), 55–59 (2008)
Singh, S., Morley, C.: Young Australians’ privacy, security and trust in internet banking. In: Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special interest Group: Design: Open 24/7 (2009)
Osterwalder, D.: Trust through evaluation and certification. Soc. Sci. Comput. Rev. 19(1), 32–46 (2001)
Best, S.J., Kreuger, B.S., Ladewig, J.: The effect of risk perceptions on online political participatory decisions. J. Inform. Technol. Polit. 4, 5–17 (2005)
Chang, E., Dillon, T., Calder, D.: Human system interaction with confident computing: the megatrend. In: Proceedings of the Conference on Human System Interactions, Krakow, Poland (2008)
Jaeger, P.T., Fleischmann, K.R.: Public libraries, values, trust, and e-government. Inf. Technol. Libr. 26(4), 35–43 (2007)
Nissenbaum, H.: Can trust be secured online? A theoretical perspective. Etica e Politica, 2 (1999)
Giff, S.: The influence of metaphor, smart cards and interface dialogue on trust in e-commerce. M.Sc. project, University College, London (2000)
Nielsen, J.: Trust or bust: communicating trustworthiness in web design. Jacob Nielsen’s Alertbox. http://www.useit.com/alertbox/990307.html (1999)
Huynh, T.: A personalized framework for trust assessment. ACM Symp. Appl. Comput. 2, 1302–1307 (2008)
Leiven, R.: Attack resistant trust metrics. Ph.D. thesis, University of California, Berkeley (2003)
Ziegler, C.N., Lausen, G.: Spreading activation models for trust propagation. In: EEE 2004, IEEE, Taipei (2004)
Kosko, B.: Fuzzy cognitive maps. Int. J. Man-Mach. Stud. 24, 65–75 (1986)
Pearson, S., Casassa Mont, M., Crane, S.: Persistent and dynamic trust: analysis and the related impact of trusted platforms. In: Herrmann, P., Issarny, V., Shiu, S. (eds.) Trust Management, Proc. iTrust 2005, LNCS 3477, pp. 355–363. Springer-Verlag, Berlin/Heidelberg/Paris (2005)
Gellman, R.: Privacy in the clouds: risks to privacy and confidentiality from cloud computing. World Privacy Forum. http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf (2009)
Greenberg, A.: Cloud computing’s stormy Side. Forbes Magazine, 19 Feb (2008)
Fratto, M.: Internet evolution. The Big Report, Cloud Control. http://www.internetevolution.com/document.asp?doc_id=170782 (2009)
Hall, J.A., Liedtka, S.L.: The Sarbanes-Oxley Act: implications for large-scale IT outsourcing. Commun. ACM 50(3), 95–100 (2007)
Reidenberg, J.: Technology and internet jurisdiction. Univ. Pennsylvania Law Rev.1, SSRN eLibrary (2005)
Kohl, U.: Jurisdiction and the Internet. Cambridge University Press, Cambridge (2007)
Mowbray, M.: The fog over the Grimpen Mire: cloud computing and the law. Script-ed J. Law, Technol. Soc. 6(1), 132–143 (Apr 2009)
Goldberg, N.M., Wildon-Byrne, M.: Securing communications on the cloud. Bloomberg Law Rep.—Technol. Law. 1(10). http://www.infolawgroup.com/uploads/file/Goldberg%20Article.pdf (2009)
Salmon, J.: Clouded in uncertainty—the legal pitfalls of cloud computing. Computing Magazine, 24 Sept. http://www.computing.co.uk/computing/features/2226701/clouded-uncertainty-4229153 (2008)
Crompton, M.:, Cowper, C., Jefferis, C.: The Australian Dodo Case: an insight for data protection regulation. World Data Protection Report. 9(1), BNA (2009)
Hon, K.: Personal data in the UK, anonymisation and encryption. Queen Mary University of London, 9 June. http://www.cloudlegal.ccls.qmul.ac.uk/Research/49700.html (2011)
Cloud Security Alliance: Security guidance for critical areas of focus in cloud computing. v2.1, English language version, Dec. http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (2009)
Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy. O’Reilly, Sebastopol, CA (2009)
Vaquero, L., Rodero-Merino, L., Morán, D.: Locking the sky: a survey on IaaS cloud security. Computing 91, 93–118 (2011)
Regulation of Investigatory Powers Act: Part II, s 28, UK (2000)
Narayanan, A., Shmatikov, V.: Robust deanonymization of large sparse datasets. IEEE Symp. Sec. Privacy (S&P) 111–125 (2008). doi:10.1109/SP.2008.33
VMWare: Virtual appliances. http://www.vmware.com/appliances/getting-started/learn/ovf.html (2012)
Open Cloud Computing Interface (OCCI): http://occi-wg.org/ (2012)
Google: Data liberation front. http://www.dataliberation.org/ (2012)
SNIA: Cloud data management interface. http://www.snia.org/cdmi (2012)
OASIS. Security Assertion Markup Language (SAML). http://www.oasis-open.org/standards#samlv2.0 (2005)
Wei, J., Zhang, X., Ammons, G., Bala, V., Ning, P.: Managing security of virtual machine images in a cloud environment. In: Proceedings of the CCSW ‘09. ACM, New York, pp. 91–96 (2009)
Google App Engine: http://code.google.com/appengine
Kortchinsky, K.: CLOUDBURST: A VMWare Guest to Host Escape Story. BlackHat, Las Vegas (2009)
Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of CCS’09, ACM, Chicago, Nov (2009)
IBM: X-force® 2010 mid-year trend and risk report. Aug. ftp://public.dhe.ibm.com/common/ssi/ecm/en/wgl03003usen/WGL03003USEN.PDF (2010)
ENISA: Cloud computing information assurance framework. In: Catteddu, D., Hogben, G. (eds.), Nov. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework (2009)
UK Cabinet Office and CESG: HMG information assurance maturity model and assessment framework. www.cesg.gov.uk/publications/Documents/iamm-assessment-framework.pdf (2010)
Jansen, W., Grance, T.: Guidelines on security and privacy in public cloud computing. NIST Special Publication 800–144, Dec (2011)
International Organisation for Standardisation (ISO): ISO/IEC 27001:2005 Information technology—security techniques—information security management systems—requirements. http://www.iso.org/iso/catalogue_detail?csnumber=42103 (2005)
ISO: ISO/IEC 27002:2005 Information technology—Security techniques—Code of practice for information security management. http://www.iso.org/iso/catalogue_detail?csnumber=50297 (2005)
ISO: ISO 31000:2009 Risk management—Principles and guidelines. http://www.iso.org/iso/catalogue_detail?csnumber=43170 (2009)
Shared Assessments: Evaluating cloud risk for the enterprise. The Santa Fe Group, Oct. http://www.sharedassessments.org/media/pdf-EnterpriseCloud-SA.pdf (2010)
Hagen, J.M., Sivertsen, T.K., Rong, C.: Protection against unauthorized access and computer crime in Norwegian enterprises. J. Comput. Secur. 16(3), 341–366 (2008)
CSA: Trusted cloud initiative. http://www.cloudsecurityalliance.org/trustedcloud.html (2012)
Information Commissioner’s Office (ICO): Privacy impact assessment handbook. Version 2, June. http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/privacy_impact_assessment.aspx (2009)
Ardagna, C.A., et al.: Exploiting cryptography for privacy-enhanced access control. J. Comput. Soc. 18(1), 123–160 (2010) (IOS Press)
Data Loss Prevention: http://datalossprevention.com/ (2012)
Bier, E., et al.: The rules of redaction: identify, protect, review (and repeat). Secur. Privacy, IEEE 7(6), 46–53 (2009)
Information Commissioner’s Office UK ICO: Data protection guidance note: Privacy enhancing technologies: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_enhancing_technologies_v2.pdf (2007)
Informatica: Dynamic data masking. http://www.informatica.com/au/products_services/data_masking/Pages/index.aspx (2012)
Cranor, L.: Web Privacy with P3P. O’Reilly and Associates, Sebastopol, CA (2002)
EnCoRe: Ensuring Consent and Revocation project: http://www.encore-project.info (2012)
Cachin, C., Schunter, M.: A cloud you can trust. Dec. http://spectrum.ieee.org/computing/networks/a-cloud-you-can-trust/4 (2011)
SAS 70: http://sas70.com/
SysTrust and WebTrust: http://www.webtrust.org/
RSA Archer: eGRC. http://www.emc.com/security/rsa-archer.htm (2012)
CSA: GRC stack. http://www.cloudsecurityalliance.org/grcstack.html (2012)
CSA: CloudAudit. http://cloudaudit.org/CloudAudit/Home.html (2012)
Takabi, H., Joshi, J.B.D., Ahn, G.: Security and privacy challenges in cloud computing environments. Secur. Privacy, IEEE 8(6), 24–31 (2010)
EGEE project: Logging and Bookkeeping (LB) service. http://egee.cesnet.cz/en/JRA1/LB/ (2012)
Chuckwa: http://incubator.apache.org/chukwa/ (2012)
Nicolett, M., Kavanagh, K.M.: Critical capabilities for security information and event management technology, Gartner Report (2011)
RSA: EnVision platform. http://www.rsa.com/experience/envision/3n1/ (2012)
HP: ArcSight. http://www.arcsight.com/ (2012)
Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems: recommendations of the National Institute of Standards and Technology. Special publication 800–30, July (2002)
Committee of Sponsoring Organisations of the Treadway Commission (COSO): http://www.coso.org (2012)
ISACA: http://www.isaca.org (2012)
American Institute of CPAs (AICPA): http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/TRUSTSERVICES/Pages/default.aspx (2012)
Amazon: CloudWatch. http://aws.amazon.com/cloudwatch/ (2012)
Haeberlen, A.: A case for the accountable cloud. ACM SIGOPS OS Rev. 44(2), 52–57 (2010)
Haeberlen, A., et al.: Accountable virtual machines. In: Proceedings of the OSDI’10, USENIX, Vancouver, Canada (2010)
HyTrust: http://www.hytrust.com/product/overview/ (2012)
Chen, S., Wang, C.: Accountability as a service for the cloud: from concept to implementation with BPEL. In: Proceedings of the 6th IEEE World Congress on Services, IEEE, pp. 91–98 (2010)
Jaeger, P., Lin, J., Grimes, J.: Cloud computing and information policy: computing in a policy cloud? J. Inf. Technol. Polit. 5, 269–283 (2008)
European Commission: Attitudes on data protection and electronic identity in the European Union. June. http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf (2011)
IDC: Cloud computing attitudes, Survey, Doc.#223077 (2010)
Forrester Research, Inc.: Ignoring cloud risks: a growing gap between I&O and the business. Mar (2011)
Forrester Research, Inc.: You’re not ready for internal cloud. July (2010)
Goldman Sachs: Equity Research, Jan (2011)
Fujitsu Research Institute: Personal data in the cloud: a global survey of consumer attitudes. http://www.fujitsu.com/downloads/SOL/fai/reports/fujitsu_personaldata-in-the-cloud.pdf (2010)
Uusitalo, I., Karppinen, K., Arto, J., Savola, R.: Trust and cloud services – an interview study. In: Proceedings of the CloudCom 2010, IEEE, Indianapolis (2010)
Lacohé, H., Crane, S., Phippen, A.: Trustguide Final Report, October. DTI Sciencewise Programme. www.trustguide.org (2006)
Artz, D., Gil, Y.: A survey of trust in computer science and the semantic web. Web Semant. Sci. Serv. Agents World Wide Web 5, 58–71 (2007)
Li, W., Ping, L.: Trust model to enhance security and interoperability of cloud environment. In: Cloud Computing. Lecture Notes in Computer Science, vol. 5931, pp. 69–79. Springer, Berlin (2009)
Marsh, S.: Formalising trust as a computational concept. Doctoral dissertation, University of Stirling (1994)
Banerjee, S., Mattmann, C., Medvidovic, N., Golubchik, L.: Leveraging architectural models to inject trust into software systems. In: Proceedings of SESS ‘05, pp. 1–7. ACM, New York (2005)
The Centre for Information Policy Leadership (CIPP): Demonstrating and measuring accountability: a discussion document. Accountability Phase II—The Paris Project. http://www.huntonFiles.com/Files/webupload/CIPL_Accountability_Phase_II_Paris_Project.PDF (2010)
Shin, D., Ahn, G.-J.: Role-based privilege and trust management. Comput. Syst. Sci. Eng. J. 20(6), 401–410 (2005)
CSA: Cloud trust protocol https://cloudsecurityalliance.org/research/ctp/ (2012).
Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., Sussman, G.J.: Information accountability. Commun. ACM 51(6), 87 June (2008)
Pearson, S., Charlesworth, A.: Accountability as a way forward for privacy protection in the cloud. In: Jaatun, M.G., Zhao, G., Rong, C. (eds.) Proceedings of the 1st International Conference on Cloud Computing (CloudCom 2009), Beijing, Dec. LNCS, vol. 5931, pp. 131–144. Springer, Berlin (2009)
Pearson, S., et al.: Scalable, accountable privacy management for large organizations. In: INSPEC 2009, IEEE, Sept, pp. 168–175 (2009)
Information Commissioners Office: Privacy by design. Report. www.ico.gov.uk (2008)
Cavoukian, A., Taylor, S., Abrams, M.: Privacy by design: essential for organizational accountability and strong business practices. Identity Inf. Soc. 3(2), 405–413. http://www.springerlink.com/content/96852p1667mwl665/ (2010)
Cavoukian, A.: Privacy by design: origins, meaning, and prospects for assuring privacy and trust in the information era. In: Yee, G. (ed.) Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards, pp. 170–208. IGI Global, Hershey (2012)
Camenisch, J., Fischer-Hübner, S., Rannenberg, K. (eds.): Privacy and Identity Management for Life. Springer, Heidelberg (2011)
Kamara, S., Lauter, K.: Cryptographic cloud storage. In: Financial Cloud and Data Security. LNCS, vol. 6054, pp. 136–149. Springer, Berlin (2010). doi:10.1007/978%973%97642%9714992%974_13
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: 41st ACM Symposium on Theory of Computing (STOC), pp. 169–178. ACM, New York (2009)
Spiekermann, S., Cranor, L.F.: Engineering privacy. IEEE Trans. Software Eng. 35(1), 67–82, Jan/Feb (2009)
Recommended Reading
Camenisch, J., Fischer-Hubner, S., Rannenberg, K. (eds.): Privacy and Identity Management for Life. Springer, Berlin (2011)
Catteddu, D., Hogben, G. (eds.): Cloud computing: benefits, risks and recommendations for information security. ENISA Report. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment (2009)
Cavoukian, A., Taylor, S., Abrams, M.: Privacy by design: essential for organizational accountability and strong business practices. Identity Inf. Soc. 3(2), 405–413. http://www.springerlink.com/content/96852p1667mwl665/ (2010)
Cloud Security Alliance (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing. v2.1, English language version, Dec. http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (2009)
Cofta, P.: The trustworthy and trusted web. Foundations Trends Web Sci. 2(4), 243–381 (2011)
Craig, T., Ludloff, M.E.: Privacy and Big Data. O’Reilly, Sebastopol, CA (2011)
Gellman, R.: Privacy in the clouds: risks to privacy and confidentiality from cloud computing. World Privacy Forum. www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf (2009)
Information Commissioners Office: Privacy by design. Report, Nov. www.ico.gov.uk (2008)
Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy. O’Reilly, Sebastopol, CA (2009)
Pearson, S.: Toward accountability in the cloud. IEEE Internet Comput., IEEE Comput. Soc. 15(4), 64–69, July/Aug (2011)
Pearson, S., Casassa Mont, M.: Sticky policies: an approach for privacy management across multiple parties. IEEE Comput. 44(9), 60–68, Sept (2011)
Schwartz, P.M.: Data Protection Law and the Ethical Use of Analytics, CIPL. http://www.huntonfiles.com/files/webupload/CIPL_Ethical_Undperinnings_of_Analytics_Paper.pdf (2010)
Solove, D.J.: Nothing to Hide: The False Tradeoff between Privacy and Security. Yale University Press, New Haven (2011)
The Royal Academy of Engineering: Dilemmas of Privacy and Surveillance: Challenges of Technological Change. Mar. www.raeng.org.uk/policy/reports/default.htm (2007)
Yee, G. (ed.): Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards. IGI Global, Hershey (2012)
Acknowledgements
The influence and input contributing to development of the ideas in this chapter of various colleagues is gratefully acknowledged, notably Daniel Pradelles.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag London
About this chapter
Cite this chapter
Pearson, S. (2013). Privacy, Security and Trust in Cloud Computing. In: Pearson, S., Yee, G. (eds) Privacy and Security for Cloud Computing. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-4189-1_1
Download citation
DOI: https://doi.org/10.1007/978-1-4471-4189-1_1
Published:
Publisher Name: Springer, London
Print ISBN: 978-1-4471-4188-4
Online ISBN: 978-1-4471-4189-1
eBook Packages: Computer ScienceComputer Science (R0)