Comparing public cloud providers on the basis of security issues

This blog compares how the four most common public cloud providers (Google, Amazon, Microsoft and Rackspace) handle security issues, on the basis of an online survey. The survey investigated the providers' strategies for handling security issues and threats as viewed by different potential public cloud users. The blog presents the results of that survey and of the comparison of these four providers.

Note: This blog is a part of my paper, which has been submitted to the journal “New Technology of Library and Information Service”. If you need to cite any content of this blog, you can refer to my paper. I have provided detailed information at the end of this blog.

Introduction

A growing number of companies provide public cloud services. The diversity of public cloud providers in the market eventually raises the question among customers of which one best fits their requirements. Even after long surveys to find the best public cloud providers, customers still hesitate to subscribe to public cloud services because of security issues. Therefore, third-party public cloud providers should address security issues, together with the associated risks and threats, in an appropriate way in order to reassure customers and gain their confidence.

A lot of research has compared different service providers, from academic to enterprise perspectives. However, there is a gap in the comparison of public cloud service providers in terms of security during testing. Therefore, in this research, a small-scale empirical survey was carried out to compare the top four public cloud providers (Amazon AWS, Microsoft Azure, Google App Engine and Rackspace Cloud Servers) and answer the following questions:

  • What security strategies are they putting forward to guard against security issues, along with risks and threats, during testing?
  • What is the subscribers' view of the security strategies of public cloud providers during testing?

Why these four public cloud providers?

Rosen (2011) conducted a comparative study of Amazon AWS and Rackspace Cloud Servers, which shows that they are the top two cloud providers, hosting the largest number of web services, as shown in Figure 1.

On the other hand, Google App Engine is the unique PaaS provider in the public cloud, whereas Microsoft Azure is a new competitor in the cloud provider market that offers computation and storage services similar to those of AWS. Therefore, these four cloud providers were selected for comparison and have been generalized and reviewed on the basis of the following security issues:

  • Trust
  • Governance
  • Compliance
  • Identity and Access Management
  • Availability
  • Data Security
  • Instance Isolation and its failure
  • Architecture

Survey with results and interpretations

Empirical studies of the security issues of public cloud applications during testing are still rare in the research literature. Therefore, as part of my research, a small-scale survey was conducted to determine the strategies of public cloud providers for handling security issues. The survey was composed of 15 questions.

The Internet is becoming the most widespread communication channel. Moreover, the research subject of this survey is an emerging technology tightly associated with the Internet. Therefore, the Internet was used as the main channel for data collection. All the data used in this chapter for the analysis and reporting is primary data collected from the online survey. The survey was titled “Comparing the strategies of public cloud providers on handling security issues and threats!!!” and was carried out taking into account the security risks and threats mentioned above. No secondary data from other sources was used in the analysis.

Status Quo of Security Strategies of Public Cloud Providers

Figure 2 shows the responses to the question “Which of the following public cloud provider’s service are you subscribing?” The percentage of companies or customers already using Google Apps for Business and Microsoft Azure is higher than for the remaining public cloud providers, even though other cloud providers have been offering cloud services since 2006 (27% of them are using Google Apps for Business and Microsoft Azure). One possible reason for that high proportion is the brand name of the companies and the new concept of security strategies implemented by Google and Microsoft in the marketplace. In addition, the survey found that 59% of customers think both the cloud provider and the subscriber must be responsible for the proper implementation of security, as shown in Figure 3.

The data collected from individual respondents has been generalized on a Likert scale (very strong = 4, strong = 3, satisfied = 2 and totally dissatisfied = 1). This helps to draw the following conclusions, as shown in Table 1:

  • Amazon AWS provides very good security strategies for the security issue related to trust, whereas the other seven security issues (governance, compliance, identity and access management, availability, instance isolation and its failure, data security and architecture) are handled at a good level.
  • Google App Engine implements good security strategies for six security issues (trust, identity and access management, availability, instance isolation and its failure, data security and architecture), but not for governance and compliance.
  • Microsoft Azure addresses data security as a very strong issue, whereas the other seven security issues (trust, governance, identity and access management, compliance, instance isolation and its failure, availability and architecture) are handled as strong issues.
  • Finally, Rackspace provides very good security strategies for two security issues (trust and data security), good security strategies for five security issues (compliance, identity and access management, instance isolation and its failure, availability and architecture) and satisfactory strategies for governance.
  • In addition, the responses of 91% of respondents lead to the conclusion that trust and data protection are two security issues that have been properly addressed by public cloud service providers, as shown in Figure 4. However, governance-related issues are still not adequately addressed.

The risk assessment of the eight security issues, carried out with the European Network and Information Security Agency (ENISA) risk assessment process proposed in November 2009, indicates that the risk factor is high for trust, governance, compliance, instance isolation and its failure, data security and architecture. However, most of the public cloud providers are not treating some of these security issues as high-risk factors. Therefore, there is still a need to build appropriate approaches for the security issues that carry high risk; otherwise it would not be secure to do testing in public cloud applications.

Limitations of Research Methodology

As every survey has some limitations, readers and analysts should pay attention to the following points, which may cause potential biases in the results of the survey:

  • The survey was web-based in nature, and the sample does not include non-web responses such as telephone calls and face-to-face interviews, which would have provided different results.
  • The results of the survey are based on the respondents’ personal analysis, and it is always possible that people who did not provide input hold different views from the ones reflected in the results of this survey. In addition, the survey is based entirely on the subject of security, and it is also possible that an individual's response may not be accurate with respect to that subject.
  • On the basis of research in different fields, eight security issues were chosen as criteria for the survey. All the survey questions were designed to evaluate these eight security issues. However, there can be other influencing factors and issues that are not considered in this survey, as they might be beyond our scope.

Thank you for reading my blog. If you are interested in reading my whole journal paper, you can message me.

Citation of my journal paper:

Journal: T. Udhyan, K. Leah, T. Ossi, S. Kari and W. Weijun, “Security Issues on Testing of Public Cloud Applications”, New Technology of Library and Information Service, 2012 [Submitted]

With kind regards,

Udhyan Timilsina.
