Cloud computing is still an evolving concept and technology. There is no universally accepted definition, but the definition of the National Institute of Standards and Technology [NIST] has prevailed in practice. It defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction”. Amazon says cloud computing refers to the on-demand delivery of IT resources via the internet with pay-as-you-go pricing. It refers to running programs over the internet instead of on a local computer, storing data over the internet instead of on a local hard disk, and renting resources over the internet rather than buying them on your own. E-mail communication, social networking, Google Drive, Microsoft SkyDrive, Dropbox and Apple iCloud are some examples of cloud networks.
Organizations use cloud computing in a variety of service models: Software as a Service [SaaS], Platform as a Service [PaaS] and Infrastructure as a Service [IaaS]. The services can be deployed using various deployment models: public, private, community and hybrid.
A review of some market research reports says that cloud computing services are one of the fastest growing segments within the market for software and IT services because of their cloud technologies are often built upon. IDC states that the market grew from $40 billion to $47.7 billion in 2013. Many companies are now moving to the cloud. 82% of companies reportedly saved money by moving to the cloud. By 2020, spending on cloud technology is expected to increase from 10% to 69% of companies' IT budgets. Cloud computing has become an essential part of the overall market. In terms of regional development, the US is the biggest market for cloud computing and Europe is the second biggest.
When we consider the ethical impacts of the cloud, privacy and security, compliance, performance metrics and environmental impacts play a major role. Take privacy and security: when unauthorized access to your sensitive data resident in a cloud is gained, whether by a hacker, by the cloud provider itself or by a third party, you may not know by whom and how your data will be abused, which can lead to several ethical challenges. Privacy and security mechanisms are therefore essential to avoid such ethical issues. A major part of privacy and security mechanisms is formed as a set of standards. A cloud service should comply with a subset of standards with respect to the of service. When a cloud-based application in the SaaS model with some privacy and security requirements is going to be launched in the market, it should comply with the predefined standards.
When we talk about performance metrics, the expected performance of the provided cloud services is specified in the Service Level Agreement [SLA]. This is a part of the general terms and conditions, concentrating on performance metrics. In case of a violation of the performance metrics of the SLA, there is a penalty mechanism to pay the customers. In the case of a minor violation, compensation for the SLA violation is not made. The flexibility of a performance metric, and the fact that the metric is not exactly measurable by the users, are the major reasons why a violation of an SLA metric does not result in compensation. Consider an example from an IaaS cloud service: a client requests a VM with one CPU.
Since the CPU utilization of the VM is not 100% all the time, the cloud resource scheduler dedicates the remaining portion of the CPU utilization to other VMs. When the CPU utilization of the VM goes up, there is a policy to provide the requested CPU utilization for the VM, either by migrating the other VMs running on the CPU to other CPUs or by killing them. Imagine that the policy is not completely fair, in the sense that it does not provide the CPU utilization immediately, in order to gain a higher profit for the cloud provider. As long as the delay is minor and does not result in compensation for an SLA violation, the customer's rights are not respected. This, in turn, is an ethical issue.
An important and easily forgotten stakeholder affected by cloud computing is the environment. In 2007, Gartner estimated that the ICT industry generates about 2% of total global carbon dioxide emissions, which is equal to that of the aviation industry. The energy consumption of data centers worldwide is estimated at 26 GW, corresponding to about 1.4% of the total energy consumption in the world, with a growth rate of 12% per year. Even though cloud data centers can afford to pay the cost of their huge energy consumption, they must minimize that consumption and strive to use as much green energy as possible.
In addition to the technical aspects, terms and conditions (T&C) are another criterion that dramatically affects ethics in the cloud. A T&C agreement is a set of rules and obligations that acts as a legal contract between cloud provider and customer, determining the obligations and rights of all parties. The T&C not only reflect the expectations derived from the technological criteria, but also contain the conditions and penalties that apply when the rules are violated: what the responsibility of the cloud provider is, what that of the application owner is, and finally what the rights of the end users are.
If we consider the borders of ethics in the cloud environment, ethical challenges basically arise when there is no set of specific rules, or when the rules are ambiguous in the sense that they can be interpreted in different ways. When there is no specific rule for an issue that has just come up, ethics comes into play. Therefore, both the rule-makers for the cloud and the negotiators on the T&C agreement who come from the client side must strive to consider as many situations as possible and make clear rules for them, to minimize ethical issues in the system.
As an example of this case, suppose the negotiated level of security states that if somebody tries to gain access to your data, the cloud provider will let you know. However, if somebody has already gained access to a part of the data and there is no clear evidence whether your data was also accessed, should the provider warn you that there is a risk of the data being stolen? Although this may not be mentioned in the agreement, it is admirable in terms of ethics to inform customers. When the rules are set up, which is usually driven by big cloud provider companies or government IT regulations, ethical considerations must be taken into account.
In particular, the rules specify the rights of customers when the rules are violated. In this step, unions and Consumer Protection Organizations (CPO) can play a key role. There are specific rules for an event that has just happened, but there is no efficient monitoring to detect whether these rules are violated. This case is more likely to happen for the first two criteria and the last one (i.e., privacy, security, and performance). Monitoring can be more complicated when not only the user’s data itself but also the metadata is abused.
The following two examples clearly reflect this issue. The rate of your hospital visits over a long period can give meaningful information about your health condition without any access to the medical information, and this can be abused by insurance institutions for life insurance services. The physical location from which you access your cloud service can also give information about your personal life, even though the data itself is not accessed.
Turning to professional issues, the threat of the malicious insider is well known to most organizations. An insider threat is a malicious threat to an organization that comes from people within the organization. A malicious insider may be employed by the cloud provider, the customer or a third-party provider organization supporting a cloud service. They may have existing authorized access to the service, data or supporting infrastructure and applications, depending on their organizational role.
This threat is increased for customers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider processes and procedures. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy and compliance. The impact that malicious insiders can have on an organization is significant, given their level of access and ability to attack organizations and assets.
Examples include brand damage, financial impact and productivity losses. As organizations adopt cloud services, the human element takes on an even more profound importance. Policies or controls that are misunderstood, not communicated or inconsistently enforced can cause resentment among employees and potentially result in harmful insider actions. Organizations should ensure the following for their policies and controls: brief and clear documentation, including the reasoning behind the policy where applicable; consistent administration; and periodic employee training on the policies and their justification, implementation and enforcement.
Organizations should be particularly clear on policies regarding acceptable use of the organization’s systems and information resources, use of private or administrator accounts, ownership of information created as a work product, evaluation of employee performance (including requirements for promotion and financial bonuses), and processes and procedures for addressing employee complaints. As individuals join the organization, they should receive a copy of the organizational policies and code of conduct that clearly outlines what is expected of them and the consequences of abuses. Organizations should keep evidence that each individual has read and agreed to organizational policies.
One of the principles of cloud computing is the reduction of hardware and software ownership and maintenance, which allows corporations to focus on their main business. This has clear financial and operational benefits, but they must be weighed carefully against the competing security concerns, a task complicated by the fact that cloud deployments are driven by projected benefits, by groups who may lose track of the security effects. Several aspects are important for evaluating a company’s security posture: versions of software, code updates, security practices and vulnerability profiles.
When adopting a cloud service, the features and functionality may be well advertised, but what about the details of, or compliance with, the internal security procedures, configuration hardening, patching, auditing and logging? How are your data and related logs stored, and who has access to them? What information, if any, will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious professional issues.
There is a real incident related to this issue. Heartland Payment Systems is a company that started in 1997 and has had a bit of a storied history from the perspective of data security. Heartland’s payment processing systems were using known-vulnerable software and were actually infected, but Heartland was “willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data has been stolen”.