Data Security in Cloud Computing

Amal AlKadi, Hanouf AlYahya
CIS Department, Prince Sultan University
Riyadh, Saudi Arabia
AmalKadi@gmail.com, Hanouf777@hotmail.com

Abstract- Cloud computing is one of the new trends that many companies are shifting towards. According to Gartner research, cloud computing is one of four trends that will transform information technology and the way business is conducted. One of the reasons limiting the expansion of cloud computing to all business functions is concern over data security. This research is about data security in cloud computing. We first define data security and cloud computing and explain their importance. We then discuss data security technologies and techniques. After that we discuss data security in cloud computing, first addressing most of the threats that may occur when using cloud computing and then the possible solutions. The last part of the research covers the security benefits of cloud computing.

Index Terms—Cloud computing, Data security.

I. INTRODUCTION

Cloud computing is one of the new trends that many companies are shifting toward. According to Gartner research, cloud computing is one of four trends that will transform information technology and the way business is conducted [1]. One of the reasons limiting the expansion of cloud computing to all business functions is concern over data security.

In this research we discuss the main aspects of data security in cloud computing, what made it a hot topic, and what cloud providers are offering.

A. Data Security

Data security is the practice of keeping data protected from corruption and unauthorized access [2]. It helps with ensuring privacy and protecting personal data. Concerns about data security are increasing due to the ongoing development of the internet and the ease of data sharing and communication. Data security is critical in all aspects of our lives: banking information, personal files and businesses. Almost all of those are processed using technologies and through network communication. One major reason security concerns are rising is that companies are conducting core and noncore business functions through other companies.

Fig. 1. The data lifecycle [3]

Figure 1 above shows the data lifecycle. Data first goes through the collection phase, where the risk of losing data or of data being manipulated is moderate. Next it goes to the relevance phase and then to the classification phase; the risk is low in both phases. The next phase is handling and storing data, where there is a high risk of data loss or unprivileged access. Then data is transmitted and transported; the risk here is moderate. The next phase is the manipulation, conversion or altering of data; this phase has a high risk of losing data. The data then goes through the release, backup, and retention phases and then the destruction phase, where the risk is moderate. We can conclude that the phases where the data is threatened the most are handling and storage, and the manipulation, conversion or altering of data.

B. Cloud Computing

When talking about cloud computing, what we mean by the term "cloud" is the Internet, because the Internet is typically represented in network diagrams as a cloud. Cloud computing is hard to define. Before explaining what cloud computing is, we will start with what led to it. Time-sharing systems enabled machines that lacked the necessary capabilities to work through a main server to which they were connected by wires [4]. Cloud computing provides the same ease of sharing data and information, but through the Internet. Nowadays major companies such as Google and Microsoft provide this capability as a service.

Gartner defines cloud computing as "a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service to external customers using Internet technologies" [5]. Another definition of cloud computing is "a standardized IT capability (services, software, or infrastructure) delivered via the Internet in a pay-per-use and self-service way" [6].

To clearly understand the definition of cloud computing we have to know the service and deployment models of cloud computing, which are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). IaaS is the delivery of computer infrastructure components, such as hardware, data storage and other compute resources, as a service. PaaS provides a platform that runs over an infrastructure; it offers a ready-to-use platform and enables users of this platform to develop their own applications. SaaS provides software that runs over a platform and infrastructure managed by the company offering the service [7]. Gartner predicts that 30% of new software will be delivered via the SaaS model by the end of this year [8].

With the development of cloud computing, many big companies began providing cloud computing services. Table I below shows major companies that are providing these three types of services [9]. The major cloud computing service providers are Amazon, Google, and Microsoft. Later in this research we will discuss Amazon's services in detail and talk about the security measures they take.

TABLE I
EXAMPLES OF MAJOR CLOUD COMPUTING SERVICE PROVIDERS

Offering
- Amazon: Core offering includes the AWS infrastructure related to servers, storage and bandwidth, and databases.
- Google: For creating and running web services. Supports only Python and Java. Also provides SaaS-related productivity applications.
- Microsoft: Operating system with a set of developer services. Allows the building of new cloud applications and the enhancement of existing applications for the cloud. Platform for Microsoft application development.

Focus Area
- Amazon: SMB focus
- Google: SMB focus
- Microsoft: Enterprise/SMB focus

II. DATA SECURITY TECHNOLOGIES

To understand data security, we need to explain security basics. The key pillars of data security are authentication, access control, and auditing.

A. Authentication

Authentication is verifying that the person who requested access to the information is who he claims to be. It is a process of proving identity. Authentication is a major security measure for cloud computing service providers and users. It is important for service providers to ensure that the authentication technologies are accurate. Authentication is categorized into three categories: authentication by what you have, what you know, and what you are. The main techniques used in authentication are username and password, tokens, biometrics, certificates, and Kerberos. Username and password is the most common technique. A token is a security device that has a permission of access embedded in the token itself. Biometrics use the person's own characteristics for authentication. Certificates link a specific person to a key; they are issued by a certification authority (CA). The digital certificate helps the receiver to verify the identity of the sender. Kerberos is an authentication system developed by the Massachusetts Institute of Technology (MIT) and is used to verify the identity of users. Kerberos uses encryption and authentication for security [10].

B. Access control

After authentication has established that the user is who he claims to be, the next step is access control, which restricts the user from accessing all information and limits his access to only the material the user has permission to access. Assigning rights to groups is more efficient than assigning them to specific users. Thus, users should be assigned to groups, so that all members of a group get the same privileges. A list of permissions can be assigned to a group or a user; the permissions can be Full Control, Modify, Read, Write, List Folder Contents, and Read and Execute. The models that determine the access control types are Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Discretionary Access Control (DAC). In Mandatory Access Control the user has no privilege to give permissions to other users with regard to an object or file. This model is the most restricted. In Role-Based Access Control the permission is assigned to a position or a role, where the person in a specific position can distribute permission to access objects under his control. In Discretionary Access Control any user can adjust the permissions of all other users. This model is the least restricted [10].

C. Audit

The last pillar of data security is auditing. Information security configurations should be audited to ensure that the access controls are in place. Two of the auditing techniques are logging and system scanning. Logging is keeping a record of the activities performed by users and the time at which they occurred. The information recorded in the log is useful when it is compared with the access control list (ACL). An access control list stores all users and the permissions they have. Performing this check allows us to find unauthorized access and to find whether a user has a permission that he should not have. The logging is performed automatically in most cases. The second technique in auditing is system scanning.
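The audit described in this section, as an added example that is not part of the original paper: it compares a constructed activity log against an ACL to find unauthorized access, then scans the ACL against an approved baseline to find permissions a principal should not hold. The users, groups, paths, baseline, and the mapping from permission levels to logged actions are assumptions made for illustration.

```python
from datetime import datetime
from typing import NamedTuple

# Assumed mapping from the permission levels named above to logged actions.
ALLOWS = {
    "Read": {"read"},
    "Write": {"write"},
    "List Folder Contents": {"list"},
    "Read and Execute": {"read", "execute"},
    "Modify": {"read", "write", "execute", "list", "delete"},
    "Full Control": {"read", "write", "execute", "list", "delete", "set_acl"},
}

# Constructed sample data (hypothetical users, groups and objects).
GROUPS = {"finance": {"alice", "bob"}, "interns": {"carol"}}
ACL = {  # object -> {principal: permission level}
    "/payroll": {"group:finance": "Modify", "user:carol": "Full Control"},
    "/handbook": {"group:finance": "Read", "group:interns": "Read"},
}
BASELINE = {  # what the organisation has approved (hypothetical policy)
    "/payroll": {"group:finance": "Modify"},
    "/handbook": {"group:finance": "Read", "group:interns": "Read"},
}
SAMPLE_LOG = """
2011-01-09T09:00:12 alice read /payroll
2011-01-09T09:04:40 bob set_acl /payroll
2011-01-09T09:05:03 carol delete /payroll
2011-01-09T09:30:00 carol write /handbook
2011-01-09T09:31:00 dave read /handbook
"""


class Event(NamedTuple):
    when: datetime
    user: str
    action: str
    obj: str


def parse_log(text):
    """Parse 'timestamp user action object' lines into Event records."""
    events = []
    for line in text.strip().splitlines():
        stamp, user, action, obj = line.split()
        events.append(Event(datetime.fromisoformat(stamp), user, action, obj))
    return events


def principals_of(user, groups):
    """A user acts as himself and as every group he belongs to."""
    return {f"user:{user}"} | {
        f"group:{name}" for name, members in groups.items() if user in members
    }


def allowed_actions(user, obj, acl, groups):
    """Union of the actions granted to the user on obj, directly or via groups."""
    who = principals_of(user, groups)
    actions = set()
    for principal, level in acl.get(obj, {}).items():
        if principal in who:
            actions |= ALLOWS[level]
    return actions


def find_unauthorized(events, acl, groups):
    """Logging check: logged actions that the ACL does not permit."""
    return [e for e in events
            if e.action not in allowed_actions(e.user, e.obj, acl, groups)]


def scan_permissions(acl, baseline):
    """System scan: ACL entries granting more than the approved baseline."""
    findings = []
    for obj, entries in acl.items():
        for principal, granted in entries.items():
            approved = baseline.get(obj, {}).get(principal)
            approved_actions = ALLOWS[approved] if approved else set()
            if not ALLOWS[granted] <= approved_actions:
                findings.append((obj, principal, granted, approved))
    return findings


if __name__ == "__main__":
    for e in find_unauthorized(parse_log(SAMPLE_LOG), ACL, GROUPS):
        print("unauthorized:", e.when.isoformat(), e.user, e.action, e.obj)
    for obj, principal, granted, approved in scan_permissions(ACL, BASELINE):
        print("excess grant:", obj, principal, granted, "approved:", approved)
```

In the sample data, carol's delete on /payroll passes the log comparison because the ACL grants it; only the scan shows that the grant itself was never approved, which is why the two techniques are used together.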
System scanning checks the permissions assigned to a user or a role, whereas logging keeps track of the actions performed by users in the system and when they were performed [10].

III. DATA SECURITY IN CLOUD COMPUTING

Fig. 2. The main issues on cloud computing.

The above graph shows that the number one concern about cloud services is security, since the business's critical information is exposed to a third party, which makes businesses worry about the information's vulnerability to attack [11].

Because cloud computing is offered as a service, it raises many questions with regard to data security. Customers moving to the cloud have a lot of concerns when it comes to handing over control to a third party, especially control of sensitive data belonging to the company and its customers. Computer security researchers found that when two programs run at the same time on the same operating system, an attacker can steal data by using an eavesdropping program. One study raised concerns about the same problem arising when two virtual machines are running on the same server. What confirmed this security issue was research done by three computer scientists at the University of California in San Diego and one at MIT. This research was done by renting two virtual machines on the same server, offered by Amazon's Elastic Compute Cloud (EC2). They used one virtual machine as a target and another as an attacker, and then tried planting malicious virtual machines on the same server, and they succeeded. Amazon said they have solved this problem, but no details were shared. Radu Sion, a computer scientist at the State University of New York, said, "If you don't have everybody using the cloud, you can't have a cheap service. But when you have everybody using the clouds, you have all these security issues that you have to solve suddenly." [12]

Thus, customers usually demand transparency and detailed information about the security measures of the vendors. Customers are mostly concerned about these major security threats: unknown risk profile, malicious insiders, shared technology issues, data loss and leakage, insecure interfaces and APIs, account or service hijacking, and abuse use of cloud computing.

A. Insecure Interfaces and APIs

The first major threat that we discuss is insecure interfaces and APIs. The interface and API are the most important part of the cloud. Having an insecure one will jeopardize the integrity and confidentiality of the data. This threat puts all three cloud computing service models at risk. Since all activities done by the user go through the interface, it is crucial to have a secure one. It is hard for companies moving to the cloud to identify whether the interface they are using to get to the cloud and the data stored there is secure. One suggestion for prospective cloud computing customers is to analyze the security model of the interface used; they should ensure strong authentication and access control, in addition to encryption. [13]

B. Malicious Insiders

A second threat is malicious insiders, which threatens all three models of cloud computing. This threat is well known to organizations. With the introduction of cloud computing, this threat has been amplified. Providers may not reveal to companies moving their data to the cloud how access to physical and non-physical assets is granted, or how they monitor their employees. The level of impact depends on the level of access granted to employees, so consumers of cloud services should know how the providers detect malicious insiders and protect data from them. One way a company can ensure that the malicious insider threat is almost eliminated is by specifying human resources requirements as part of the legal contracts. A company can also require transparency in the overall information security and management practices. [13]

C. Shared Technology Issues

A third example of threats is shared technology issues, which was the issue in the previously discussed research. This threatens the Infrastructure-as-a-Service (IaaS) model only. The problem occurs because the underlying physical components that form the infrastructure were not designed to offer isolation for a multi-tenant architecture. Sharing the CPU and the cache threatens the security of the data. In theory, customers should not be able to access any other tenant's information or network. A cloud provider should conduct vulnerability scanning and configuration audits to protect customers. [13]

D. Data Loss or Leakage

Another threat is data loss or leakage. Due to the architectural and operational characteristics of the cloud environment, data loss and leakage are increasing. Unauthorized people should not be granted access to the data, to ensure that none of it is intentionally deleted or altered in any way. For a service provider, data loss or leakage can have a destructive impact on its reputation and name. In addition, the loss of some sensitive data might affect the provider legally and financially. Providers should back up the data and have a solid plan to overcome this kind of threat. This threat affects all three cloud computing models. [13]

E. Unknown Risk Profile

The next threat that we discuss is the unknown risk profile. Companies are driven by the advertising of service providers, which shows all the benefits of moving to the cloud, such as reductions in hardware, maintenance and licensing. On the other hand, they miss the downside of using the cloud. A company that is making a long-term decision needs to address all the potential risks. The service provider should inform customers of all possible risks; otherwise the unknowns may include serious threats. Potential customers should ask for disclosure of applicable logs, data, and infrastructure details. [13]

F. Abuse Use of Cloud Computing

Our next threat is the abuse use of cloud computing. Cloud computing providers try to promote their services by offering a free trial period, for which customers need only a valid credit card to register. These users can easily abuse the service by spamming and running malicious code. At first, the abuse of cloud computing was limited to the IaaS model, but nowadays the PaaS model is affected as well. To prevent these kinds of activities, service providers should have a strict registration process, in addition to monitoring public blacklists for their own network blocks. [13]

G. Account or Service Hijacking

Account or service hijacking is not a new threat; it has existed since the beginning of the evolution of computer use. Since users usually use the same password for all kinds of services, their passwords are more vulnerable to these kinds of attacks. Hijacking someone's account could offer the chance of eavesdropping on others' activities. Account hijacking jeopardizes the integrity and the availability of data. Cloud service providers should monitor activity so that they can detect anything illegal or suspicious. They should also emphasize the importance of keeping every user's account safe and top secret. [13]

Table 2 below shows each threat and which models it affects.

TABLE 2
EXAMPLES OF THE THREATS THAT MIGHT THREATEN THE CLOUD COMPUTING MODELS

Columns: Threats, IaaS, PaaS, SaaS
- Insecure Interfaces and APIs
- Malicious Insiders
- Shared Technology Issues
- Data Loss or Leakage
- Unknown Risk Profile
- Abuse Use of Cloud Computing
- Account or Service Hijacking

IV. DATA SECURITY SOLUTIONS

Due to the threats discussed above, researchers came up with some solutions and some ideas to be implemented. One of the solutions was provided by Amazon Web Services. Another idea was suggested by a group from Microsoft.
Amazon has introduced a private cloud that offers more security, in response to the demand of Amazon's customers for an enhanced level of security in the cloud service. In addition, the group from Microsoft suggested a way to prevent what happened in the case of the researchers from San Diego and MIT: monitoring the use of the shared cache memory by a virtual machine that is operating on the same server.

A. Encryption

Major cloud computing security solutions are based on encryption. The most secure approach nowadays is to bring the encrypted data from the cloud to a secure location, decrypt it, work with it, and finally return the data, encrypted again, to the cloud. Another possibility, which is less secure, is keeping the information in the cloud unencrypted. Craig Gentry, a cryptography researcher at IBM, said, "The general theme of cloud computing is that you want to be able to outsource all kinds of functionality but you don't want to give away your privacy—and you need very versatile cryptography to do that." Encryption techniques used nowadays need to be more advanced to suit the cloud computing environment. [12]

IBM researcher Craig Gentry found a solution for analysing data in the cloud without having to decrypt it, which years ago was considered impossible. The solution is called "privacy homomorphism" or "fully homomorphic encryption" [14]. Privacy homomorphism is defined as "a form of encryption where a specific algebraic operation is performed on the plaintext and another (possibly different) algebraic operation is performed on the cipher text" [15].

B. Virtualization solution

To solve the problem of virtualization, a paper called "HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity" by Zhi Wang and Xuxian Jiang presented HyperSafe.

Fig. 3. Traditional page table updates vs. new page table updates in HyperSafe

Fig. 4. Traditional indirect call vs. new indirect call in HyperSafe
When people first started using virtual machines, they assumed that they were safe and that the hypervisor (virtual machine monitor, VMM) was secure. A study by the National Vulnerability Database showed that in the last three years there were 26 security vulnerabilities. The contemporary hypervisors in which these vulnerabilities occurred (Xen and VMware) have a large, complex code base. HyperSafe was developed to solve this problem by using two techniques. "The first technique locks down write-protected memory pages and prevents them from being manipulated at runtime, thus effectively protecting the hypervisor's code integrity; The second key technique converts the control data into pointer indexes by introducing one layer of indirection and thus expands protection to include control-flow enforcement". [16]

C. Private clouds

A private cloud is a stack of network servers and storage hardware used for one single customer. The first benefit is security: you have your own dedicated data center, provided exclusively for you by the service provider and not available to anyone else. The second benefit is flexibility, with the option of changing specific features of the cloud to meet your changing needs. That level of flexibility raises some challenges, such as the level of complexity involved in building these private clouds. [17]

The private cloud is considered a solution to two of the major threats, which are hacking and denial of service (DoS) attacks. To solve the problem of hacking, the private cloud restricts access to administrators only, and allows the business to have access control over its environment. The other threat is denial of service attacks on other customers that share the same infrastructure.
Private clouds allow you to have your own infrastructure, not shared with any other person, which eliminates any threat of DoS. [18]

The private cloud helps with the disaster recovery plan, since it allows the resources to be isolated if any hardware failure occurs. Another benefit is that you can connect your private cloud to your dedicated environment. The private cloud is especially suited to companies that have very specific security, resource or data requirements. [19] The figure below shows a comparison between private clouds and other types of clouds. [20]

Fig 5. Features of private cloud in comparison to other types of clouds

V. AMAZON WEB SERVICES

Amazon Web Services offers a variety of services related to cloud computing. These include computing services such as Amazon Elastic Compute Cloud, Amazon private cloud and Amazon Simple Storage Service.

A. Amazon Elastic Compute Cloud

Amazon Elastic Compute Cloud (EC2): "EC2 is a web service that provides resizable compute capacity" [21]. EC2 provides multiple levels of security to its customers: security in the host and guest operating systems, firewalls, and signed API calls. At the level of the host operating system, only administrators from Amazon who are granted the privilege using strong authentication can access the system and manage the cloud. All accesses at this level are logged and audited. At the second level, the guest operating system, customers have full control over the virtual instances: accounts, services, and applications. Amazon Web Services (AWS) has no access to the customers' instances. The next level is firewalls, where all configurations of the firewall are set to "deny" mode by default. The customer can change the mode whenever needed, and can configure the firewall to treat different classes of instances with different sets of rules. The security measure here is that the firewall configurations cannot be manipulated by the guest OS unless you get an X.509 certificate and a key to authorize the change. The next and last level is signed API calls. All API functions are signed by the customer's Amazon Secret Access Key. Amazon recommends that all API calls be encrypted using SSL.

A second measure of security is Instance Isolation. "Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which ensures awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. AWS recommends that customers further protect their data using appropriate means. One common solution is to run an encrypted file system on top of the virtualized disk device." [22]

Fig 6. Illustration of the Instance Isolation measure

B. Amazon Virtual Private Cloud

Another package of services provided by Amazon is networking services, such as Amazon Virtual Private Cloud (VPC), which enables companies to connect their infrastructure with a set of isolated AWS resources using a virtual private network (VPN) connection. Amazon VPC is integrated with Amazon EC2. Figure 7 below illustrates the architecture of Amazon VPC. [22]

Fig 7. Illustration of Amazon VPC setting

C. Amazon Simple Storage Service

Another service that Amazon provides is Amazon Simple Storage Service (S3), which gives customers the capability of storing their own data on Amazon premises. Customers using this service are mostly concerned whether someone with unauthorized access would be able to access their data.
To eliminate these concerns, Amazon put in place two security measures: data management and access logging. In data management, they secure the data using data encryption and physical security. When a customer deletes an object from Amazon S3, the link of the object will be deleted. After the deletion of the link, there will be no remote access to the deleted object. To ensure availability of data, Amazon S3 objects are stored redundantly on multiple devices across Amazon's S3 region. They also provide versioning, which can be used to distinguish, retrieve, and restore every version of each object stored in Amazon S3 buckets. With versioning, customers can recover all versions when an application fails. Amazon S3 buckets are configured to keep logs of access to them and their objects. These access logs contain information about the request type, the requested resource, and the requester IP, plus the time and date of the request. Log records are combined periodically into log files. [22]

VI. SECURITY BENEFITS OF CLOUD

The benefit of scale is considered one of the major security benefits of the cloud. Since most cloud providers operate in multiple locations by default, this increases independence from failure and provides a level of disaster recovery. In addition, when using the service of a cloud computing provider, you get a list of benefits with it, such as the hiring of specialists to deal with security threats. Plus, it is easier for the service providers to ensure that the system is secure from hackers and bugs. Another benefit of the cloud is protection from distributed denial of service (DDoS) attacks. With a large cloud provider like Amazon, it is hard to overload their system because of its size, so, as a result, customers of such companies are protected from these attacks.

One more benefit is the chance for standardization and collaboration. Since the servers are owned by the service providers, there is a greater chance of using the same set of hardware, which will eventually lead to standardization and collaboration for improving security services for the users. [23]

VII. CONCLUSION

Whenever a new technology is introduced, a great benefit comes along with it, just as with cloud computing. Meanwhile, potential risks are attached to it as well. Cloud computing security needs a few more years to be solid. A lot of research has been conducted to introduce new ways of securing the clouds and the data. Most of this research is not yet implemented, but, hopefully, in the next few years we will find these technologies implemented and used to their full potential. As technology evolves, more risks might threaten the business. However, many researchers are working on improving these issues as it progresses.

REFERENCES

[1] "Gartner Identifies Four Converging Trends That Will Change the Face of IT and Business." Technology Research & Business Leader Insight | Gartner. Gartner, 15 Nov. 2010. Web. 11 Dec. 2010. <http://www.gartner.com/it/page.jsp?id=1470115>.
[2] "What Is Data Security?" Spam – Antivirus - Identity Theft - Scams and Fraud: STOP IT. Web. 30 Nov. 2010. <http://www.spamlaws.com/datasecurity.html>.
[3] Data Lifecycle. Digital image. Web. 9 Jan. 2011. <http://cloudsecurityalliance.googlegroups.com/web/Datalifecycle.pdf?gda=_lh7REMAAACJG7iKeUOOFamAbEkryLW2jHbjBu1NcoXB7KhixHtQlfvV_T_OFibCcYqzBc7w-eMytiJHdGYYcPi_09pl8N7FWLveOaWjzbYnpnkpmxcWg>.
[4] Hayes, Brian. "Cloud Computing | July 2008." Communications of the ACM. Web. 28 Nov. 2010. <http://cacm.acm.org/magazines/2008/7/5368-cloud-computing/fulltext>.
[5] STAMFORD, CONN. "Gartner Highlights Five Attributes of Cloud Computing." Technology Research & Business Leader Insight | Gartner. 23 June 2009. Web. 11 Dec. 2010. <http://www.gartner.com/it/page.jsp?id=1035013>.
[6] Staten, James. "Cloud Computing for the Enterprise." Forrester. Forrester Research, 3 Feb. 2009. Web. 9 Dec. 2010. <http://www.forrester.com/imagesV2/uplmisc/CloudComputingWebinarSlideDeck.pdf>.
[7] Wilshusen, By Gregory. "Information Security: Federal ..." Google Books. DIANE Publishing. Web. 28 Nov. 2010. <http://books.google.com/books?id=DtZSSxhPZPQC&pg=PA15&dq=cloud computing&hl=en&ei=tpzvTJL0F9P4waJwtjdBA&sa=X&oi=book_result&ct=result&resnum=1&ved=0CCkQ6AEwAA&safe=active#v=onepage&q&f=false>.
[8] Rittinghouse, John W., and James F. Ransome. "Cloud Computing: Implementation, Management, and Security." Klc Consulting. CRC Press. Web. 29 Nov. 2010. <http://www.klcconsulting.net/security_resources/cloud/Cloud_Computing_Book-Implementation-Management-Security-2010.pdf>.
[9] Latif, Shahed, Subra Kumaraswamy, and Tim Mather. "Cloud Security and Privacy: An ... - Google." Google Books. Web. 28 Nov. 2010. <http://books.google.com/books?id=BHazecOuDLYC&printsec=frontcover&hl=ar&safe=active#v=onepage&q&f=false>.
[10] Ciampa, Mark D. Security Guide to Network Security Fundamentals. 2nd ed. Boston, MA: Thomson/Course Technology, 2005. Print.
[11] Gens, Frank. "IT Cloud Services User Survey, Pt.2: Top Benefits & Challenges." IDC EXchange. 02 Oct. 2008. Web. 14 Dec. 2010. <http://blogs.idc.com/ie/?p=210>.
[12] Talbot, David. "Security in the Ether." Smith College. Feb. 2009. Web. 29 Nov. 2010. <http://cs.smith.edu/dftwiki/images/0/02/SecurityInTheEther.pdf>.
[13] "Top Threats to Cloud Computing V1.0." Cloud Security Alliance (CSA) - Security Best Practices for Cloud Computing. Cloud Security Alliance, Mar. 2010. Web. 29 Nov. 2010. <http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf>.
[14] Cohen, Reuven. "IBM Researcher Solves In-Cloud Data Encryption Puzzle." Cloud Computing Journal. Web. 14 Jan. 2011. <http://cloudcomputing.sys-con.com/node/1015761>.
[15] "Homomorphic Encryption." Wikipedia, the Free Encyclopedia. Web. 14 Jan. 2011. <http://en.wikipedia.org/wiki/Privacy_homomorphism>.
[16] Wang, Zhi, and Xuxian Jiang. "HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity." North Carolina State University. Web. 9 Jan. 2011. <http://www4.ncsu.edu/~zwang15/files/oakland10.pdf>.
[17] "What Are the Benefits of Private Cloud Computing for Businesses? » Welcome to Privatecloud.com." Privatecloud.com. 28 July 2010. Web. 09 Jan. 2011. <http://www.privatecloud.com/2010/08/06/what-are-the-benefits-ofprivate-cloud-computing-for-businesses/?fbid=jUhoEh0OcQD>.
Chen, Yanpei, Vern Paxson, and Randy H. Katz. "What's New About Cloud Computing Security?" Electrical Engineering and Computer Sciences University of California at Berkeley. Jan. 2010. Web. 29 Nov. 2010. <http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.pdf>.
[18] Marler, Jon. "Securing the Cloud: Addressing Cloud Computing Security Concerns with Private Cloud." 25 May 2010. Web. 09 Jan. 2011. <http://www.rackspace.com/hosting_knowledge/private-cloud/securingthe-cloud-addressing-cloud-computing-security-concerns-with-privatecloud/>.
[19] Private Cloud 101 Video - Who's a Good Fit for Private Cloud? Perf. RackspaceHosting. YouTube. 17 Nov. 2009. Web. 09 Jan. 2011. <http://www.youtube.com/watch?v=1RbEbo8UyCE&feature=related>.
[20] "Cloud Computing Risk Assessment — ENISA." Securing Europe's Information Society. ENISA, 20 Nov. 2009. Web. 09 Jan. 2011. <http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computingrisk-assessment>.
[21] Sns, Using Amazon. "What Is AWS?" Amazon Web Services. Web. 11 Jan. 2011. <http://aws.amazon.com/what-is-aws/>.
[22] "Amazon Web Services: Overview of Security Processes." AmazonAWS. Aug. 2010. Web. 11 Jan. 2011. <http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf>.
[23] "The Security Benefits of Cloud Computing | CloudTweaks.com - The Cloud Computing Community." Cloud Computing Social Community CloudTweaks.com. 15 Aug. 2010. Web. 11 Jan. 2011. <http://www.cloudtweaks.com/2010/08/the-security-benefits-of-cloudcomputing/>.