Data Confidentiality and Risk Management in Cloud Computing

Cloud computing can enable an organisation to outsource computing resources to gain economic benefits. Cloud computing is transparent to both the programmers and the users; as a result, it introduces new challenges when compared with previous forms of distributed computing. Cloud computing enables its users to abstract away from low level configuration (configuring IP addresses and routers). It creates an illusion that this entire configuration is automated. This illusion is also true for security services, for instance automating security policies and access control in the Cloud, so that companies using the Cloud perform only very high- level (business oriented) configuration. This thesis identifies research challenges related to security, posed by the transparency of distribution, abstraction of configuration and automation of services that entails Cloud computing. It provides solutions to some of these research challenges. As mentioned, Cloud computing provides outsourcing of resources; the outsourcing does not enable a data owner to outsource the responsibility of confidentiality, integrity and access control as it remains the responsibility of the data owner. The challenge of providing confidentiality, integrity and access control of data hosted on Cloud platforms is not catered for by traditional access control models. These models were developed over the course of many decades to fulfil the requirements of organisations which assumed full control over the physical infrastructure of the resources they control access to. The assumption is that the data owner, data controller and administrator are present in the same trusted domain. This assumption does not hold for the Cloud computing paradigm. Risk management of data present on the Cloud is another challenge. There is a requirement to identify the risks an organisation would be taking while hosting data and services on the Cloud. Furthermore, the identification of risk would be the first step, the next step would be to develop the mitigation strategies. As part of the thesis, two main areas of research are targeted: distributed access control and security risk management.