- •Cloud Computing
- •Foreword
- •Preface
- •Introduction
- •Expected Audience
- •Book Overview
- •Part 1: Cloud Base
- •Part 2: Cloud Seeding
- •Part 3: Cloud Breaks
- •Part 4: Cloud Feedback
- •Contents
- •1.1 Introduction
- •1.1.1 Cloud Services and Enabling Technologies
- •1.2 Virtualization Technology
- •1.2.1 Virtual Machines
- •1.2.2 Virtualization Platforms
- •1.2.3 Virtual Infrastructure Management
- •1.2.4 Cloud Infrastructure Manager
- •1.3 The MapReduce System
- •1.3.1 Hadoop MapReduce Overview
- •1.4 Web Services
- •1.4.1 RPC (Remote Procedure Call)
- •1.4.2 SOA (Service-Oriented Architecture)
- •1.4.3 REST (Representative State Transfer)
- •1.4.4 Mashup
- •1.4.5 Web Services in Practice
- •1.5 Conclusions
- •References
- •2.1 Introduction
- •2.2 Background and Related Work
- •2.3 Taxonomy of Cloud Computing
- •2.3.1 Cloud Architecture
- •2.3.1.1 Services and Modes of Cloud Computing
- •Software-as-a-Service (SaaS)
- •Platform-as-a-Service (PaaS)
- •Hardware-as-a-Service (HaaS)
- •Infrastructure-as-a-Service (IaaS)
- •2.3.2 Virtualization Management
- •2.3.3 Core Services
- •2.3.3.1 Discovery and Replication
- •2.3.3.2 Load Balancing
- •2.3.3.3 Resource Management
- •2.3.4 Data Governance
- •2.3.4.1 Interoperability
- •2.3.4.2 Data Migration
- •2.3.5 Management Services
- •2.3.5.1 Deployment and Configuration
- •2.3.5.2 Monitoring and Reporting
- •2.3.5.3 Service-Level Agreements (SLAs) Management
- •2.3.5.4 Metering and Billing
- •2.3.5.5 Provisioning
- •2.3.6 Security
- •2.3.6.1 Encryption/Decryption
- •2.3.6.2 Privacy and Federated Identity
- •2.3.6.3 Authorization and Authentication
- •2.3.7 Fault Tolerance
- •2.4 Classification and Comparison between Cloud Computing Ecosystems
- •2.5 Findings
- •2.5.2 Cloud Computing PaaS and SaaS Provider
- •2.5.3 Open Source Based Cloud Computing Services
- •2.6 Comments on Issues and Opportunities
- •2.7 Conclusions
- •References
- •3.1 Introduction
- •3.2 Scientific Workflows and e-Science
- •3.2.1 Scientific Workflows
- •3.2.2 Scientific Workflow Management Systems
- •3.2.3 Important Aspects of In Silico Experiments
- •3.3 A Taxonomy for Cloud Computing
- •3.3.1 Business Model
- •3.3.2 Privacy
- •3.3.3 Pricing
- •3.3.4 Architecture
- •3.3.5 Technology Infrastructure
- •3.3.6 Access
- •3.3.7 Standards
- •3.3.8 Orientation
- •3.5 Taxonomies for Cloud Computing
- •3.6 Conclusions and Final Remarks
- •References
- •4.1 Introduction
- •4.2 Cloud and Grid: A Comparison
- •4.2.1 A Retrospective View
- •4.2.2 Comparison from the Viewpoint of System
- •4.2.3 Comparison from the Viewpoint of Users
- •4.2.4 A Summary
- •4.3 Examining Cloud Computing from the CSCW Perspective
- •4.3.1 CSCW Findings
- •4.3.2 The Anatomy of Cloud Computing
- •4.3.2.1 Security and Privacy
- •4.3.2.2 Data and/or Vendor Lock-In
- •4.3.2.3 Service Availability/Reliability
- •4.4 Conclusions
- •References
- •5.1 Overview – Cloud Standards – What and Why?
- •5.2 Deep Dive: Interoperability Standards
- •5.2.1 Purpose, Expectations and Challenges
- •5.2.2 Initiatives – Focus, Sponsors and Status
- •5.2.3 Market Adoption
- •5.2.4 Gaps/Areas of Improvement
- •5.3 Deep Dive: Security Standards
- •5.3.1 Purpose, Expectations and Challenges
- •5.3.2 Initiatives – Focus, Sponsors and Status
- •5.3.3 Market Adoption
- •5.3.4 Gaps/Areas of Improvement
- •5.4 Deep Dive: Portability Standards
- •5.4.1 Purpose, Expectations and Challenges
- •5.4.2 Initiatives – Focus, Sponsors and Status
- •5.4.3 Market Adoption
- •5.4.4 Gaps/Areas of Improvement
- •5.5.1 Purpose, Expectations and Challenges
- •5.5.2 Initiatives – Focus, Sponsors and Status
- •5.5.3 Market Adoption
- •5.5.4 Gaps/Areas of Improvement
- •5.6 Deep Dive: Other Key Standards
- •5.6.1 Initiatives – Focus, Sponsors and Status
- •5.7 Closing Notes
- •References
- •6.1 Introduction and Motivation
- •6.2 Cloud@Home Overview
- •6.2.1 Issues, Challenges, and Open Problems
- •6.2.2 Basic Architecture
- •6.2.2.1 Software Environment
- •6.2.2.2 Software Infrastructure
- •6.2.2.3 Software Kernel
- •6.2.2.4 Firmware/Hardware
- •6.2.3 Application Scenarios
- •6.3 Cloud@Home Core Structure
- •6.3.1 Management Subsystem
- •6.3.2 Resource Subsystem
- •6.4 Conclusions
- •References
- •7.1 Introduction
- •7.2 MapReduce
- •7.3 P2P-MapReduce
- •7.3.1 Architecture
- •7.3.2 Implementation
- •7.3.2.1 Basic Mechanisms
- •Resource Discovery
- •Network Maintenance
- •Job Submission and Failure Recovery
- •7.3.2.2 State Diagram and Software Modules
- •7.3.3 Evaluation
- •7.4 Conclusions
- •References
- •8.1 Introduction
- •8.2 The Cloud Evolution
- •8.3 Improved Network Support for Cloud Computing
- •8.3.1 Why the Internet is Not Enough?
- •8.3.2 Transparent Optical Networks for Cloud Applications: The Dedicated Bandwidth Paradigm
- •8.4 Architecture and Implementation Details
- •8.4.1 Traffic Management and Control Plane Facilities
- •8.4.2 Service Plane and Interfaces
- •8.4.2.1 Providing Network Services to Cloud-Computing Infrastructures
- •8.4.2.2 The Cloud Operating System–Network Interface
- •8.5.1 The Prototype Details
- •8.5.1.1 The Underlying Network Infrastructure
- •8.5.1.2 The Prototype Cloud Network Control Logic and its Services
- •8.5.2 Performance Evaluation and Results Discussion
- •8.6 Related Work
- •8.7 Conclusions
- •References
- •9.1 Introduction
- •9.2 Overview of YML
- •9.3 Design and Implementation of YML-PC
- •9.3.1 Concept Stack of Cloud Platform
- •9.3.2 Design of YML-PC
- •9.3.3 Core Design and Implementation of YML-PC
- •9.4 Primary Experiments on YML-PC
- •9.4.1 YML-PC Can Be Scaled Up Very Easily
- •9.4.2 Data Persistence in YML-PC
- •9.4.3 Schedule Mechanism in YML-PC
- •9.5 Conclusion and Future Work
- •References
- •10.1 Introduction
- •10.2 Related Work
- •10.2.1 General View of Cloud Computing frameworks
- •10.2.2 Cloud Computing Middleware
- •10.3 Deploying Applications in the Cloud
- •10.3.1 Benchmarking the Cloud
- •10.3.2 The ProActive GCM Deployment
- •10.3.3 Technical Solutions for Deployment over Heterogeneous Infrastructures
- •10.3.3.1 Virtual Private Network (VPN)
- •10.3.3.2 Amazon Virtual Private Cloud (VPC)
- •10.3.3.3 Message Forwarding and Tunneling
- •10.3.4 Conclusion and Motivation for Mixing
- •10.4 Moving HPC Applications from Grids to Clouds
- •10.4.1 HPC on Heterogeneous Multi-Domain Platforms
- •10.4.2 The Hierarchical SPMD Concept and Multi-level Partitioning of Numerical Meshes
- •10.4.3 The GCM/ProActive-Based Lightweight Framework
- •10.4.4 Performance Evaluation
- •10.5 Dynamic Mixing of Clusters, Grids, and Clouds
- •10.5.1 The ProActive Resource Manager
- •10.5.2 Cloud Bursting: Managing Spike Demand
- •10.5.3 Cloud Seeding: Dealing with Heterogeneous Hardware and Private Data
- •10.6 Conclusion
- •References
- •11.1 Introduction
- •11.2 Background
- •11.2.1 ASKALON
- •11.2.2 Cloud Computing
- •11.3 Resource Management Architecture
- •11.3.1 Cloud Management
- •11.3.2 Image Catalog
- •11.3.3 Security
- •11.4 Evaluation
- •11.5 Related Work
- •11.6 Conclusions and Future Work
- •References
- •12.1 Introduction
- •12.2 Layered Peer-to-Peer Cloud Provisioning Architecture
- •12.4.1 Distributed Hash Tables
- •12.4.2 Designing Complex Services over DHTs
- •12.5 Cloud Peer Software Fabric: Design and Implementation
- •12.5.1 Overlay Construction
- •12.5.2 Multidimensional Query Indexing
- •12.5.3 Multidimensional Query Routing
- •12.6 Experiments and Evaluation
- •12.6.1 Cloud Peer Details
- •12.6.3 Test Application
- •12.6.4 Deployment of Test Services on Amazon EC2 Platform
- •12.7 Results and Discussions
- •12.8 Conclusions and Path Forward
- •References
- •13.1 Introduction
- •13.2 High-Throughput Science with the Nimrod Tools
- •13.2.1 The Nimrod Tool Family
- •13.2.2 Nimrod and the Grid
- •13.2.3 Scheduling in Nimrod
- •13.3 Extensions to Support Amazon’s Elastic Compute Cloud
- •13.3.1 The Nimrod Architecture
- •13.3.2 The EC2 Actuator
- •13.3.3 Additions to the Schedulers
- •13.4.1 Introduction and Background
- •13.4.2 Computational Requirements
- •13.4.3 The Experiment
- •13.4.4 Computational and Economic Results
- •13.4.5 Scientific Results
- •13.5 Conclusions
- •References
- •14.1 Using the Cloud
- •14.1.1 Overview
- •14.1.2 Background
- •14.1.3 Requirements and Obligations
- •14.1.3.1 Regional Laws
- •14.1.3.2 Industry Regulations
- •14.2 Cloud Compliance
- •14.2.1 Information Security Organization
- •14.2.2 Data Classification
- •14.2.2.1 Classifying Data and Systems
- •14.2.2.2 Specific Type of Data of Concern
- •14.2.2.3 Labeling
- •14.2.3 Access Control and Connectivity
- •14.2.3.1 Authentication and Authorization
- •14.2.3.2 Accounting and Auditing
- •14.2.3.3 Encrypting Data in Motion
- •14.2.3.4 Encrypting Data at Rest
- •14.2.4 Risk Assessments
- •14.2.4.1 Threat and Risk Assessments
- •14.2.4.2 Business Impact Assessments
- •14.2.4.3 Privacy Impact Assessments
- •14.2.5 Due Diligence and Provider Contract Requirements
- •14.2.5.1 ISO Certification
- •14.2.5.2 SAS 70 Type II
- •14.2.5.3 PCI PA DSS or Service Provider
- •14.2.5.4 Portability and Interoperability
- •14.2.5.5 Right to Audit
- •14.2.5.6 Service Level Agreements
- •14.2.6 Other Considerations
- •14.2.6.1 Disaster Recovery/Business Continuity
- •14.2.6.2 Governance Structure
- •14.2.6.3 Incident Response Plan
- •14.3 Conclusion
- •Bibliography
- •15.1.1 Location of Cloud Data and Applicable Laws
- •15.1.2 Data Concerns Within a European Context
- •15.1.3 Government Data
- •15.1.4 Trust
- •15.1.5 Interoperability and Standardization in Cloud Computing
- •15.1.6 Open Grid Forum’s (OGF) Production Grid Interoperability Working Group (PGI-WG) Charter
- •15.1.7.1 What will OCCI Provide?
- •15.1.7.2 Cloud Data Management Interface (CDMI)
- •15.1.7.3 How it Works
- •15.1.8 SDOs and their Involvement with Clouds
- •15.1.10 A Microsoft Cloud Interoperability Scenario
- •15.1.11 Opportunities for Public Authorities
- •15.1.12 Future Market Drivers and Challenges
- •15.1.13 Priorities Moving Forward
- •15.2 Conclusions
- •References
- •16.1 Introduction
- •16.2 Cloud Computing (‘The Cloud’)
- •16.3 Understanding Risks to Cloud Computing
- •16.3.1 Privacy Issues
- •16.3.2 Data Ownership and Content Disclosure Issues
- •16.3.3 Data Confidentiality
- •16.3.4 Data Location
- •16.3.5 Control Issues
- •16.3.6 Regulatory and Legislative Compliance
- •16.3.7 Forensic Evidence Issues
- •16.3.8 Auditing Issues
- •16.3.9 Business Continuity and Disaster Recovery Issues
- •16.3.10 Trust Issues
- •16.3.11 Security Policy Issues
- •16.3.12 Emerging Threats to Cloud Computing
- •16.4 Cloud Security Relationship Framework
- •16.4.1 Security Requirements in the Clouds
- •16.5 Conclusion
- •References
- •17.1 Introduction
- •17.1.1 What Is Security?
- •17.2 ISO 27002 Gap Analyses
- •17.2.1 Asset Management
- •17.2.2 Communications and Operations Management
- •17.2.4 Information Security Incident Management
- •17.2.5 Compliance
- •17.3 Security Recommendations
- •17.4 Case Studies
- •17.4.1 Private Cloud: Fortune 100 Company
- •17.4.2 Public Cloud: Amazon.com
- •17.5 Summary and Conclusion
- •References
- •18.1 Introduction
- •18.2 Decoupling Policy from Applications
- •18.2.1 Overlap of Concerns Between the PEP and PDP
- •18.2.2 Patterns for Binding PEPs to Services
- •18.2.3 Agents
- •18.2.4 Intermediaries
- •18.3 PEP Deployment Patterns in the Cloud
- •18.3.1 Software-as-a-Service Deployment
- •18.3.2 Platform-as-a-Service Deployment
- •18.3.3 Infrastructure-as-a-Service Deployment
- •18.3.4 Alternative Approaches to IaaS Policy Enforcement
- •18.3.5 Basic Web Application Security
- •18.3.6 VPN-Based Solutions
- •18.4 Challenges to Deploying PEPs in the Cloud
- •18.4.1 Performance Challenges in the Cloud
- •18.4.2 Strategies for Fault Tolerance
- •18.4.3 Strategies for Scalability
- •18.4.4 Clustering
- •18.4.5 Acceleration Strategies
- •18.4.5.1 Accelerating Message Processing
- •18.4.5.2 Acceleration of Cryptographic Operations
- •18.4.6 Transport Content Coding
- •18.4.7 Security Challenges in the Cloud
- •18.4.9 Binding PEPs and Applications
- •18.4.9.1 Intermediary Isolation
- •18.4.9.2 The Protected Application Stack
- •18.4.10 Authentication and Authorization
- •18.4.11 Clock Synchronization
- •18.4.12 Management Challenges in the Cloud
- •18.4.13 Audit, Logging, and Metrics
- •18.4.14 Repositories
- •18.4.15 Provisioning and Distribution
- •18.4.16 Policy Synchronization and Views
- •18.5 Conclusion
- •References
- •19.1 Introduction and Background
- •19.2 A Media Service Cloud for Traditional Broadcasting
- •19.2.1 Gridcast the PRISM Cloud 0.12
- •19.3 An On-demand Digital Media Cloud
- •19.4 PRISM Cloud Implementation
- •19.4.1 Cloud Resources
- •19.4.2 Cloud Service Deployment and Management
- •19.5 The PRISM Deployment
- •19.6 Summary
- •19.7 Content Note
- •References
- •20.1 Cloud Computing Reference Model
- •20.2 Cloud Economics
- •20.2.1 Economic Context
- •20.2.2 Economic Benefits
- •20.2.3 Economic Costs
- •20.2.5 The Economics of Green Clouds
- •20.3 Quality of Experience in the Cloud
- •20.4 Monetization Models in the Cloud
- •20.5 Charging in the Cloud
- •20.5.1 Existing Models of Charging
- •20.5.1.1 On-Demand IaaS Instances
- •20.5.1.2 Reserved IaaS Instances
- •20.5.1.3 PaaS Charging
- •20.5.1.4 Cloud Vendor Pricing Model
- •20.5.1.5 Interprovider Charging
- •20.6 Taxation in the Cloud
- •References
- •21.1 Introduction
- •21.2 Background
- •21.3 Experiment
- •21.3.1 Target Application: Value at Risk
- •21.3.2 Target Systems
- •21.3.2.1 Condor
- •21.3.2.2 Amazon EC2
- •21.3.2.3 Eucalyptus
- •21.3.3 Results
- •21.3.4 Job Completion
- •21.3.5 Cost
- •21.4 Conclusions and Future Work
- •References
- •Index
16 Security Issues to Cloud Computing |
279 |
We recommend a risk-management approach when evaluating information assets to be migrated to the cloud, giving conscious attention to the security and information assurance requirements of those assets.
16.3.4 Data Location
Where does the data that an end-user has created on an MCSP’s system reside? Location of end-user data is of great importance. For example, the EU Directive on Data Protection (Safe Harbour [8,9]) stipulates countries where EU private and personal data can and cannot reside or traverse.
The EU Directive on Data Protection of 1998 [9] is a comprehensive data protection legislation that orders its member states to establish a legal framework to protect the fundamental rights to privacy with respect to processing personal data that has extraterritorial effect. It prohibits the transfer of personal data or health records data to non-EU nations that do not meet the European ‘adequacy’ standard for privacy protection. The US and the EU share the goal of enhancing privacy protection for their citizens [9]. Clearly, achieving regulatory and legislative compliance in the cloud requires concerted effort from both the user and the provider, where the user knows the information requirements and is able to communicate that clearly to the provider, and in return, the provider is transparent and thus willing to address the regulatory and legislative mandates required with regard to the assets.
With the infrastructure as a service, the cloud provider can dynamically use localised infrastructures that exist outside the EU or US territories. This may contravene or abuse fundamental privacy and legislative mandates, especially if the end-user is not aware of where the information is held or transported to/from. This applies specifically to EU and US cloud consumers, SMEs, government and enterprise who may wish to use the cloud for delivering service. Other countries have other legislations that should be considered when using the cloud. Certain types of assets may easily be abused with cloud computing, for instance, personal medical data (health record data) are subjected to strict compliance act, such as the health information privacy and portability act (HIPPA). A significant concern is that personal medical data can be easily circumvented with the SaaS or IaaS models of the cloud. This highlights some of the inherent risks that exist with cloud computing [10].
That being said, there are cloud providers that operate territorial cloud service. For example, there are UK cloud providers that lease zoned UK only localised resources. In addition, there are US and Canadian cloud providers that offer localised provincial cloud services.
Cloud users whose information assets require location-specific data storage or transit requirements must confirm these with cloud providers that offer locationbased cloud service, and must ensure that they are included in the service contract offered by the cloud provider.
280 |
C. Onwubiko |
16.3.5 Control Issues
It is not until recently that many cloud security interest groups, such as the Cloud Security Alliance [11], the Cloud Computing Interoperability Group [12] and the Multi-Agency Cloud Computing Forum [4] began to seek ways of delivering efficient and effective controls in the cloud to ensure that information in the cloud are secure and protected.
Currently, clouds are hugely uncontrolled, especially the public ones. Recommendations like the use of legal, regulatory, compliance and certification practices have been suggested in order to adequately control cloud services and practices [3,11,12]. Unfortunately, maintaining compliance with regulatory and legislative requirements in the cloud can be much more difficult to demonstrate. The attributes of cloud computing as being location-independent, with unclear borders and boundaries, providing shared pool of resources on a multi-tenancy architecture further make achieving demonstrable regulatory security compliance untenable.
The legal landscape, regulatory compliance and certification are constantly changing, and organisation must understand and evaluate current legal, regulatory compliance needs of their information before moving them to the cloud.
16.3.6 Regulatory and Legislative Compliance
Regulatory compliance and certification are security initiatives with significant impact on information security practices [8]. Standards regulate how information security management is being implemented, managed and conducted. For example, ISO 27001–2005 is a security standard that recommends best practices for information security management. Organisations seeking accreditation go through a regulatory compliance process. Compliant organisations are perceived to possess essential drivers to earn trust, and hence, attract business relations with other organisations. This proposition applies to cloud computing. In fact, obtaining certification to a particular standard is not going to be the only driver, and the coverage of each security accreditation or certification is anticipated to contribute towards establishing trust. Furthermore, compliance to regulatory authorities will certainly earn some ‘Brownie points’ for corporate organisations. For example, corporate organisations that are regulated by the financial services authority (FSA) must seek advice before using public clouds for their operations or risk of facing huge fines, and could possibly lose their practicing license. There should be guidance on what corporate financial institutions can put out in the cloud and what may not be permissible. As the cloud phenomenon unfolds and inherent risks understood, adequate guidelines must follow.
The legal landscape of traditional IT is continuously changing. A significant concern is that some of these legislations are territorial, even within a country, with separate pieces of jurisdiction. For example, the California Security Breach Information Act (SB-1386) legislation mandates Californian organisations that maintain personal information about individuals to inform those individuals if the
16 Security Issues to Cloud Computing |
281 |
security of their information is compromised [13]. This piece of legislation stipulates the disclosure of security breaches only in California. The application of SB-1386 and other legislations in the cloud are unclear.
16.3.7 Forensic Evidence Issues
Information security forensic evidence and e-discovery possess a challenge too. In the cloud, what information constitutes legally acceptable forensic evidence? How is such information received in relation to the different cloud deployment models? If evidence is gathered from a public cloud, how authentic is that information perceived to be compared with when similar information is obtained from a private cloud? Similarly, with pre-trial discovery and e-discovery, as the cloud provider is the data custodian, while the user is the lawful owner of the data, who should provide pre-trial evidence in a court of law, and who is responsible with respect to discovery and other litigation subjects? With copies of most information at different clouds, which information/data constitutes an authentic copy of the information that is admissible in a court of law?
It is pertinent to note that the different cloud deployment models offer varying levels of security, privacy and acceptability; therefore, it is imperative that cloud users must evaluate the security, legal, regulatory and legislative requirements of their valued assets before choosing a particular cloud model, and a cloud vendor or provider.
16.3.8 Auditing Issues
Auditing for security management aims to evaluate policies, practices, operations and technical controls of an organisation in order to assess compliance, detection, protection and security forensics [14]. The need for regular security audits is essential, and should not focus only on the reactive audits done when an incident has occurred, but also on proactive security audits done in order to assess whether security controls, security processes, procedures and operations are adequate and practical in protecting critical assets of the organisation. Two factors make demonstrating security audit in the cloud a critical issue:
First, cloud providers must demonstrate their security audit procedure to their customers. Second, the level of audit coverage being conducted must be acceptable, bearing in mind the myriad of diverse and varied information assets that the cloud providers are data custodians for.
Auditing security requirements in a cloud environment can be difficult and significantly challenging [15]. One approach to addressing auditing issues in the cloud is transparency from the cloud provider in managing information security. That is, the cloud provider must make its customers aware of its audit processes and the different levels of audit coverage. In this way trust and good relationship between the provider and its customers can be achieved.
282 |
C. Onwubiko |
16.3.9 Business Continuity and Disaster Recovery Issues
Cloud computing is dynamic and offers ubiquitous network access to vast amount of significant resources, and these resources are meant to be available swiftly and on-demand to legitimate users. Unfortunately, there have been cases when the availability of data in the cloud has become a major concern. For example, Amazon’s Elastic Compute Cloud (EC2) service in North America was temporarily unavailable at significant times due to ‘lightning storm that caused damage to a single power distribution unit (PDU) in a single availability zone [16]’. This highlights the importance of disaster recovery and business continuity plans in the cloud. The availability of resources in the cloud is of least importance to users according to most surveys. This is because the cloud offers ubiquitous and on-demand network access. Unfortunately, information in the cloud could still be unavailable when needed due to natural disasters, vulnerability exploits and deliberate attacks.
There are three reasons why cloud users must be concerned with the availability of their valued assets in the cloud. First, most cloud providers rent computing and data-centre infrastructures from other cloud providers. This means that when one cloud infrastructure is affected (unavailable), most probably, other providers will suffer similar losses, hindering the availability of resources to a wilder audience much more possible than with the traditional IT networks.
Second, the possibility that a cloud provider can file for bankruptcy, where the provider goes out of business with consequential financial liability to offset makes the availability of cloud resources a serious issue to consider. Finally, cross-vulnerability in the cloud due to the multi-tenancy implementation of cloud infrastructures and services makes the availability of resources in the cloud an important issue to consider.
In these respects, we recommend that users engage with their cloud providers to understand their disaster recovery processes and procedures, and where possible, make inputs as to how best this can be achieved. For instance, users may be provided backup copies of data on a monthly basis as part of the agreement. This practice can be extremely helpful, for example, in the case of bankruptcy of a cloud provider, or when natural disaster threatens the existence of a data centre. Further, users must be aware of their provider’s business continuity plans, for instance, whether the provider has hot-standby sites and whether resilience is built as an abstraction to all layers of its services.
16.3.10 Trust Issues
Trust in both the traditional IT services and cloud computing must be earned. Trust is a major issue with cloud computing irrespective of the cloud model being deployed. Nevertheless, the cloud like traditional IT services can be secured, protected and dependable. It is believed that the cloud offers security advantages.