Backup and Recovery issues
Backup (B1)
Cloud computing servers are the place where users store all their sensitive enterprise data, and regular backup of user data needs to be done as a fault-tolerance mechanism and to recover in case of disasters where the original data is destroyed [144][166]. But the author of [105] is concerned about what will happen to the data backup if the company switches, or if the company goes down. He also mentions that relying on the CSP's backup could be foolish. There is another concern from the customer's point of view: will data stored in the cloud still be valid even if the cloud provider goes broke? Will the data stay intact and accessible, without any logistical problem, even when there are mergers and acquisitions made by the service provider (long-term viability) [85][142][123][109][55]? The main aspect in all this discussion is to verify whether the client's data is, with high probability, actually held on the server side. Malicious vendors try to fake this and collect the data from the server. For example, the server claims that it is storing five copies of the data but is actually storing three copies, while showing the data occupation of five copies.
- Insecure storage
- Insecure organization
This verification rests on assumptions such as:
- Trusted Platform Module (TPM) is installed for each data backup.
- Private key is certified by the third party.
- Assume that the server cannot launch any sophisticated hardware attack on the stored data.
Article [116] gives an example of the problems that arise when a backup is not properly managed.
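The five-copies-versus-three concern above can be checked by the client with a challenge-response audit. The following is an added example, not taken from the cited works, and it does not use the TPM-based assumptions listed above: it assumes instead that the client holds a secret key, encodes each replica differently with it, and still has the original data at audit time. The `Server` class, function names and sample data are hypothetical and constructed for the illustration.

```python
import hashlib, hmac, secrets

BLOCK = 64  # bytes per audited block (small constructed size)

def encode_replica(data, master_key, replica_id):
    """Mask every block with a keystream unique to (replica_id, block index),
    so one replica cannot be rebuilt from another without the client's key."""
    out = []
    for idx, off in enumerate(range(0, len(data), BLOCK)):
        blk = data[off:off + BLOCK]
        seed = hmac.new(master_key, f"{replica_id}:{idx}".encode(), hashlib.sha256).digest()
        stream = hashlib.shake_256(seed).digest(len(blk))
        out.append(bytes(a ^ b for a, b in zip(blk, stream)))
    return out

class Server:
    """Hypothetical provider; `keep` is how many replicas it really stores."""
    def __init__(self, replicas, keep):
        self.claimed = len(replicas)
        self.stored = {i: r for i, r in enumerate(replicas) if i < keep}

    def respond(self, replica_id, idx, nonce):
        # A cheating server answers for a missing replica from one it kept.
        blocks = self.stored.get(replica_id, self.stored[0])
        return hmac.new(nonce, blocks[idx], hashlib.sha256).digest()

def audit(server, data, master_key, samples=8):
    """Return the ids of claimed replicas that failed a random block challenge."""
    failed = set()
    n_blocks = -(-len(data) // BLOCK)  # ceiling division
    for rid in range(server.claimed):
        expected = encode_replica(data, master_key, rid)
        for _ in range(samples):
            idx, nonce = secrets.randbelow(n_blocks), secrets.token_bytes(16)
            want = hmac.new(nonce, expected[idx], hashlib.sha256).digest()
            if not hmac.compare_digest(want, server.respond(rid, idx, nonce)):
                failed.add(rid)
                break
    return failed

def demo():
    key = secrets.token_bytes(32)
    data = b"constructed sample backup record\n" * 40  # constructed input
    replicas = [encode_replica(data, key, i) for i in range(5)]
    honest = audit(Server(replicas, keep=5), data, key)
    cheating = audit(Server(replicas, keep=3), data, key)
    return honest, cheating

if __name__ == "__main__":
    print(demo())
```

The fresh nonce in each challenge stops the server from caching old answers, and the per-replica encoding stops it from answering for a discarded copy using one it kept.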
Data retention and recovery (B2)
Disaster recovery is another important issue [55]. To recover data, the service provider needs to have business continuity and disaster recovery planning policies [142]. Even if the customer does not know where his/her data is, the cloud provider should be able to tell what will happen to it in the event of a disaster and how long it will take to recover [85][123]. Industry pundits warn that any offering which does not replicate the data and application infrastructure across multiple sites is ‘vulnerable to total failure’. Data replication policies should be established, along with proof that the vendor can enact a complete restoration and an indication of how long it will take [22][72]. The author of [164] mentions that disaster and recovery are paid more attention in PaaS.
Investigative support: Investigating data is necessary in certain cases, and data stored in the cloud introduces some complexities [55]. The author in [71] mentions that digital forensic investigation of information, which includes seizing systems for investigation, is complicated in the cloud. In a report on security issues of cloud computing, Gartner pointed out that investigating inappropriate or illegal activity in the cloud is impossible because the data of multiple users could be co-located or spread out across an ever-changing set of hosts and data centers, a point also agreed on in the articles [86][3][142]. It also says that the only way to safeguard your data in the cloud is to ask the provider for evidence of any such investigation it has previously supported, i.e., ask the provider whether it has the ability to investigate inappropriate or illegal activity [123][142]. The authors in this context have no evidence of any such investigations being performed successfully, which means no investigation is possible when cloud services are used [3].
Risk management: Risk management is the process of identifying and assessing risks and planning accordingly to mitigate or reduce the impact of risk. In cloud computing services, some components, subsystems or the complete system could be distributed and may not be under the control of the organization using them. Organizations most likely have better risk management when they have control over processes and equipment. With traditional information systems, risks are managed through the system lifecycle; in the case of CC services, assessing and managing them becomes challenging. Since the organization does not get full control, it should ensure that security controls are implemented correctly and operate as expected. An organization's trust in a cloud service varies with the extent of control it is given over its data and applications, and with the evidence provided about the effectiveness of those controls. Performing all these tasks to assess the service provider is difficult, so the solution is to use third-party audits and establish trust based on their results. Finally, if the level of trust falls below the level of expectation and no compensatory controls can be employed, the organization has to either reject the service or accept it with greater risk.
There is an utmost need to have control over the security of the physical host and also of the virtual machine. If the physical security is compromised, all virtual machines residing on that specific host are compromised.