Privacy, Identity, and Cloud Computing

iUniverse, Inc.

Contents

1. On the Privacy of Cloud Computing...........................................................152. Identity as a Service.......................................................................413. Identity Analytics and Belief Structures....................................................594. Compatibility Relations in Identity Analysis................................................715. Conspectus of Cloud Computing...............................................................856. Cloud Computing Economics: Democratization and Monetization of Services.....................997. Ontological View of Cloud Computing.........................................................1218. Privacy as a Service........................................................................1339. Liberty, Freedom, and Rights................................................................18110. Principles of Data Regulation..............................................................191

Chapter One

INTRODUCTION

It seems as though most computer users would like privacy and information security while having convenient access to interlinked computing services both on-premises and in the cloud. In this instance, the cloud is a metaphor for the Internet, which can be used as the delivery vehicle for computing services and the storage of information. Advocates of cloud computing are faced with two major problems, that is, in addition to the usual problem of transferring one's resources from one operational environment to another. The first of the major problems is the ongoing feeling that we are experiencing the "dj vu all over again" syndrome. Many of us have gone through an avalanche of new technological advances intended as solutions to our administrative and operational problems - at least, the ones involving management and information systems. Some of the technical innovations we have experienced include scalable main-frame computers, advanced operating systems, time sharing, client/server, online systems, mini computers, personal computers, artificial intelligence, hand-held computers, the Internet and the World Wide Web, mobile computers, social networking, and by the time this paper is published, there will no doubt be several more entries to add to the list. So one has reason to be skeptical of someone writing that cloud computing is worthy of serious attention. Of course, we think it is, for obvious reasons.

The second major issue is privacy, and it stems from the fact that with cloud computing, data and programs are stored off-premises and managed by a service provider. When a third party gets a hold of your data, who knows what is going to happen to it. Many proponents of cloud computing conveniently characterize it as analogous to the electric utility. The basic idea is that the private generators of the twentieth century were replaced by the electricity grids of today without undue concern. It is easy to imagine, however, that the measurement of electricity usage would have been of concern to some people in the early 1900s. Although similar in some respects, cloud computing is different in one important way. The cloud will typically handle information, which is the basic unit of exchange, about which security and privacy are of paramount concern. With electricity, there is no interest in individual electrons. With information, the key issues are identity, security, and privacy. The side issues are one's inherent identity attributes (such as age, gender, and race), accountability (for online computing activities), and anonymity (in order to preserve free speech and other forms of behavior for the parties involved). The main consideration may turn out to be a matter of control, because from an organizational perspective, control over information has historically been with the organization that creates or maintains it. From a personal perspective, on the other hand, a person should have the wherewithal to control their identity and the release of information about themselves, and in the latter case, a precise determination of to whom it is released and for what reason.. Who owns the data? Is it the person about whom the data pertains? Is it the organization that prototypically manages the data? Or, is it the cloud provider that physically stores the data somewhere out in cyberspace? Consider your financial information. Is it your property or is it your bank's business property? We will try to provide a perspective on this important issue in the following sections. Privacy issues are not fundamentally caused by cloud computing, but they are exacerbated by employing the technology for economic benefit. To put it as diplomatically as possible, if a business employs cloud computing to save money on its IT bill, should it be allowed to do so at the "privacy" expense of its customers?

CLOUD COMPUTING CONCEPTS

Cloud computing is an architectural model for deploying and accessing computer facilities via the Internet. A cloud service provider would supply ubiquitous access through a web browser to software services executed in a cloud data center. The software would satisfy consumer and business needs. Because software availability plays a major role in cloud computing, the subject is often referred to as software-as-a-service (SaaS). Conceptually, there is nothing particularly special about a cloud data center, because it is a conventional web site that provides computing and storage facilities. The definitive aspect of a cloud data center is the level of sophistication of hardware and software needed to scale up to service a large number of customers. Cloud computing is a form of service provisioning where the service provider supplies the network access, security, application software, processing capability, and data storage from a data center and operates that center as a utility in order to supply on-demand self service, broad network access, resource pooling, rapid application acquisition, and measured service. The notion of measured service represents a "pay for what you use" metered model applied to differing forms of customer service.

Cloud Service Characteristics

The operational environment for cloud computing supports three categories of informational resources for achieving agility, availability, collaboration, and elasticity in the deployment and use of cloud services that include software, information, and cloud infrastructure. The software category includes system software, application software, infrastructure software, and accessibility software. The information category refers to large collections of data and the requisite database and management facilities needed for efficient and secure storage utilization. The category of cloud infrastructure is comprised of computer resources, network facilities, and the fabric for scalable consumer operations. We are going to adopt a description of a cloud framework that necessarily includes three forms of description: terminology, architectural requirements, and a reference model. The description generally adheres to the National Institute of Standards and Technology (NIST) cloud-computing paradigm. (Mell 2009b, Brunette 2009)

Agility generally refers to the ability to respond in a timely manner to market and product changes through business alignment, which is achieved by decreasing the lead time to deploy a new application by reducing or eliminating the effect of training, hardware acquisition, and software acquirement. Thus, the IT department is able to respond more quickly to business needs. Availability concerns two aspects of computer utilization: the time that the facilities are available for use and the scope of the resources that are available. Cloud computing facilitates collaboration through network access, provided that the software tools for end user cooperation are available. Elasticity is the characteristic of cloud services that permits computing and storage capability to be scaled up to meet demands on an on-demand basis through resource pooling.

Based on this brief assessment, we can characterize cloud computing as possessing the following characteristics: (Nelson 2009)

On-demand self service Broad network access Resource pooling Rapid elasticity Measured service

The benefit of having lower costs and a less complex operating environment is particularly attractive to small-to-medium-sized enterprises, certain governmental agencies, research organizations, and many countries.

Cloud Computing Utilization

There are four main actors - so to speak - in cloud computing: the cloud service provider, the software service provider, the customer, and the user. Each of the actors represents centers of computer-related activity that can overlap to some degree. The cloud service provider (CSP) owns the infrastructure, hardware, software, and network facilities needed to supply cloud computing services managed by a cloud operating system. The CSP performs a function known as hosting that can be used to run computer programs, referred to as applications. This facility, known in some circles, as a cloud platform (CP), can be regarded as an application service that runs in the cloud. More specifically, a cloud platform provides services to applications in the same manner that "software as a service" programs provide services to clients using the cloud as a transport medium. A cloud platform is as much about operating in the cloud, as it is about developing applications for the cloud. A software service provider develops applications that are used by customers to obtain computing services. The SSP can be an independent software vendor (ISV) or an organization that develops a software package that uses the CP as a delivery vehicle for computing and provides application services to customers. ISV software can be used by many customers in the usual fashion for software deployment. When it is shared during operation to achieve economy-of-scale, it is regarded as a multi-tenant model, wherein each customer is one of the tenants. The customer (C) is typically an enterprise that is comprised of several employees that use the application and are regarded as users. The user (U) is probably going to be a person that uses the cloud computing service via a web browser in one of the following capacities: as an employee of an organization that is contracted to use SaaS provided by an ISV or acquired independently to run in the cloud on a cloud platform; or as a user of third-party SaaS developed by an ISV or the CSP. The four relevant scenarios are summarized by the following schema:

CSP - CP - ISV - C - U CSP - CP - ISV - U CSP - CP - C - U CSP - CP - U

For example, you will be using scenario CSP - CP - ISV - C - U if your company has acquired an operational package from a software vendor and is hosting that software in the cloud. Similarly, you will be using scenario CSP - CP - U if you are using an office package provided by a CSP and accessed via your browser. This form of conceptualization is important from a privacy point-of-view, because each exchange between modules represents a touch point for privacy concerns.

Cloud Platform

A cloud platform provides the facility for an application developer to create applications that run in the cloud or use cloud platform services that are available from the cloud. Chappell lists three kinds of cloud services: SaaS user services, on-premises application development services (attached services), and cloud application development services. (Chappell 2009) An SaaS application runs entirely in the cloud and is accessible through the Internet from an on-premises browser. Attached services provide functionality through the cloud to support service-oriented architecture (SOA) type component development that runs on-premises. Cloud application development services support the development of applications that typically interact while running in the cloud and on-premises.

A cloud platform can be conceptualized as being comprised of three complementary groups of services: foundations, infrastructure services, and application services. The foundation refers to the operating system, storage system, file system, and database system. Infrastructure services include authorization/authentication/security facilities, integration between infrastructure and application services, and online storage facilities. Application services refer to ordinary business services that expose "functional" services as SOA components. Cloud platforms are a lot like enterprise-level platforms, except that they are designed to scale up to support Internet-level operations.

CLOUD ARCHITECTURE

Cloud architecture is a collection of three categories of information resources for the deployment and use of cloud services that include software, information, and cloud infrastructure. (Katzan 2009) The software category includes system software, application software, infrastructure software, and accessibility software. The information category refers to large collections of data and the requisite database and management facilities needed for efficient and secure storage utilization. The category of cloud infrastructure includes compute resources, network facilities, and the fabric for scalable consumer operations. We are going to adopt an ontological formulation to the description of a cloud framework that necessarily includes three classes of information: terminology, architectural requirements, and a reference model. The description generally adheres to the National Institute of Standards and Technology (NIST) cloud-computing paradigm. (Mel op cit)

Service Models

The cloud service models give a view of what a cloud service is. It is a statement of being. A cloud service system is a set of elements that facilitate the development of cloud applications. (Youseff 2009) Here is a description of the three layers in the NIST service model description: (Mel op cit.)

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

The three service model elements should be deployed in a cloud environment with the essential characteristics in order to achieve a cloud status.

Service Deployment Models

The essential elements of a cloud service system are given above. In order to develop enterprise-wide applications, a domain ontological viewpoint has to be assumed with deployment models from the following list: (Mel op cit.)

Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Most cloud software service application domains will be synthesized from a combination of the deployment models.

(Continues...)

Excerpted from Privacy, Identity, and Cloud Computingby Harry Katzan, Jr. Copyright © 2010 by Harry Katzan, Jr.. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.