Privacy and Security in Cloud Computing

Allan A. Friedman and Darrell M. West

Executive Summary

Cloud computing can mean different things to different people, and obviously the privacy and security concerns will differ between a consumer using a public cloud application, a medium-sized enterprise using a customized suite of business applications on a cloud platform, and a government agency with a private cloud for internal database sharing (Whitten, 2010). The shift of each category of user to cloud systems brings a different package of benefits and risks.

What remains constant, though, is the tangible and intangible value that the user seeks to protect. For an individual, the value at risk can range from loss of civil liberties to the contents of bank accounts. For a business, the value runs from core trade secrets to continuity of business operations and public reputation. Much of this is hard to estimate and translate into standard metrics of value (Lev, 2003) The task in this transition is to compare the opportunities of cloud adoption with the risks. The benefits of cloud have been discussed elsewhere, to the individual to the enterprise, and to the government (West, 2010a, 2010b).

This document explores how to think about privacy and security on the cloud. It is not intended to be a catalog of cloud threats (see ENISA (2009) for an example of rigorous exploration of the risks of cloud adoption to specific groups). We frame the set of concerns for the cloud and highlight what is new and what is not. We analyze a set of policy issues that represent systematic concerns deserving the attention of policy-makers. We argue that the weak link in security generally is the human factor and surrounding institutions and incentives matter more than the platform itself. As long as we learn the lessons of past breakdowns, cloud computing has the potential to generate innovation without sacrificing privacy and
security (Amoroso, 2006; Benioff, 2009).