Security And Privacy Issues In Cloud Computing Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The use of cloud computing can reduce capital expenditure as well as the operational expenditure for the organization. However, along with the benefits comes the major issue of security and privacy of the data because both the data and programs reside at providers premises. This paper discusses various cloud deployment models and security as well as privacy issues related to them. The security issues were classified into two parts; governance and operational issues. The governance issues discussed were enterprise risk management, electronic discovery and legal, compliance and audit, portability and interoperability and information lifecycle management. The operational issues taken up for discussion were related to general infrastructure, business continuity, identity and access management, incidents and responses, application, virtualization security. The privacy related issues were also discussed.

Categories and Subject Descriptors

K.6.5 [Management of Computing and Information Systems]: Security and Protection (C.2, D.4.6, K.4.2).

General Terms

Security, Legal Aspects, Standardization


Cloud computing, security in cloud computing, privacy in cloud computing. Identity management, cloud computing models


Cloud computing is set to revolutionize the way computing is done. The data centers with huge capacities and numerous programs offer many options to their customers who need not make any investment in costly hardware and software as well as system maintenance. The use of cloud computing can reduce capital expenditure as well as the operational expenditure for the organization. However, along with the benefits comes the major issue of security and privacy of the data because both the data and programs reside at providers premises.

On positive side the service provider with large setup can provide better security control that may not be possible for small organization for their in house setup. The data residing at service providers premises is no longer under direct protection of the owner. This creates a sense of lack of control over data, restricting many organizations to move towards cloud computing. [ HYPERLINK \l "Rob09" 1 ] 2]

A survey by Deloitte Consulting showed that executives were excited about benefits of implementing cloud computing in their organization. However, 35% of executives indicated that security and privacy was the major concern in adoption of cloud computing [ HYPERLINK \l "Chr10" 3 ]. Numbers of organizations have adopted cloud computing but hesitant to put sensitive data in cloud due to transparency and security concerns. 4]

A survey by IDC of 244 IT executives/CIOs on challenges and issues for implementing cloud computing in their organization showed( Figure SEQ Figure \* ARABIC 1) that the security was of highest concern [ HYPERLINK \l "Joh10" 5 ].

Figure SEQ Figure \* ARABIC 1, Results of IDC survey ranking security challenges CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5]

The problem of security is not new for a organization and similar concerns are there when the company outsources the work to other organization. The privacy and regulatory issue applicable for outsourcing are also applicable to Cloud computing. Like in outsourcing, transparency and trust is required between the service provider and the client. The attacks on computer networks and data are not new and can be tackled with management and technology. The trust can make the client comfortable in putting the sensitive information under control of someone else. The transparency reduces the problems related to breach in security and regulatory issues. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

With the data in hands of third party, the privacy of data is another issue in cloud computing implementation. We can see that the security issues in case of cloud computing requires built-up of trust, transparency and good governance.

This paper looks into the various security concerns of cloud computing along with the strategies that can be used to take care of these.

Cloud Computing Models

In order to discuss security issues it is important to understand the cloud computing models. The computing models depend on the style of providing services using cloud and are classified as SPI (Software, Platform or Infrastructure) models CITATION Pet09 \l 1033 [HYPERLINK \l "Pet09"6].

Cloud Software as a Service (SaaS)

In this model the service provider provides everything to the customer including the applications. Customer accesses the applications using interface such as web browser or thin client provided. The customer has no control over infrastructure as well as applications other than minor configurations setting in applications. Thus in this model the total security of system rests with the service provider. CITATION Pet09 \l 1033 [HYPERLINK \l "Pet09"6]

Cloud Platform as a Service (PaaS)

In PaaS model the application is built or acquired by the customer. The applications run on platform and tools provided by the service provider. The cloud infrastructure is controlled by the service provider and user has only control over applications. The security of applications rests with the customers. CITATION Pet09 \l 1033 [HYPERLINK \l "Pet09"6]

Cloud Infrastructure as a Service (IaaS)

In IaaS the customer can play greater role as the service provider provides the basic cloud infrastructure on which the customer can provision processing, storage and other resources that allow customer to run the operating system and applications of his choice. In this case the customer has limited control over the network. The security of the system or software supplied by the customer rests with customer. CITATION Pet09 \l 1033 [HYPERLINK \l "Pet09"6]

Cloud Deployment Models

There are four models for deployment of cloud computing.

Public Cloud:

In this delivery model the general public uses the cloud infrastructure provided by the cloud service provider.

Private Cloud

The cloud infrastructure is normally owned and operated solely by a single organization. It may be owned and managed by a third party. The location of cloud infrastructure may be on premises or off premises.

Community Cloud

In community cloud, the cloud infrastructure is shared among number of organizations. Normally the community members shares the same concerns such as policy, security requirements, compliance etc. The cloud infrastructure may be owned and managed by a third party. The location of cloud infrastructure may be on premises or off premises.

Hybrid Cloud

The hybrid cloud consists of combination of two or more clouds models (public, private or community). These clouds are bound together by technology to enable application and data portability. CITATION Pet09 \l 1033 [HYPERLINK \l "Pet09"6]

Security Issues in Cloud Computing

The security control in cloud computing are same as those for any IT infrastructure. However, the use of different service models and the mode of deployment present different type of risk than normal IT solutions. The risks depend on types of assets, resources and data, the management of infrastructure, controls selected and compliance issues CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4].

The various issues involved in deployments models are summarized in REF _Ref273978833 \h Table 1 CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4].

Infrastructure Managed by

Infrastructure Managed by

Infrastructure Location

Accessible and Consumed by


Third Party provider

Third Party provider

Outside premises


Private/ Community



Third party provider

Organization or

Third party provider

On Premises




Both Organization and

Third party provider

Both Organization and

Third party provider

Both On Premises and


Trusted Untrusted

Table SEQ Table \* ARABIC 1: Cloud Computing Deployment Models CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

I feel that CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4] has described security control issue nicely by saying in Cloud computing one loses control gracefully but is still accountable even though the system is operated by others CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4].

The security requirements range from physical security, to the network security, to the IT system security to application security. The controls at process and people levels are also required for proper implementation. The security responsibilities of consumer and the provider depend on the service model deployed. In Saas environment the cloud service provider is fully responsible for security. In PaaS the provider is responsible for cloud platform security whereas the customer need to take care of application security. In IaaS model the security of abstraction layers and underlying infrastructure should be taken care of by the provider and security of rest of the stack becomes customer's responsibility. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

The security issues are defined by various authors in various ways. CITATION Zha10 \l 1033 [HYPERLINK \l "Zha10"7] gave three major security concerns from user point of view. These are Fault tolerance and service availability, data migration and data confidentiality and integrity. As per [6] these are the major hurdles in adoption of cloud computing.

What appealed to me was the way CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4] divides the various security issues in various domains and provides the guidance for each of these domains. The combination of these domain can be used for any deployment models and cloud service.

CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4] divides the domain in two categories: governance and operations. The governance domains take care of policy and strategic issues within a cloud computing environment. The operational domains take care of implementation within the architecture and tactical security concerns.

Governance Domains

The governance domain has 5 domains; Governance and enterprise risk management, compliance and audit, legal and electronic discovery, portability and interoperability and information lifecycle management. Each of the domains is discussed below:

Governance and Enterprise Risk Management

It is said that security is more of a management issue than technical issue. Lack of governance can lead to breach in security as many security issues may not be addressed properly. It can also lead to further degradation in security situation as the focus is not there on improving the security functions. Thus, proper governance and enterprise risk management is required by provider to ensure that standard information security governance processes are followed. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

The security governance requires provider to focus on security initiatives from management side so that it is in line with the provider's IT strategies. It requires that the roles and responsibilities of all involved in security related issues are clearly identified as well as conveyed so that everyone understands his functions clearly. CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5]

The cloud computing leaves little in the hands of the customer for controlling security. The customer makes this up for providing controls through the contract document, Service Level Agreements and assurance given in provider's documents. The cloud computing may have multiple tenants as well as provide on demand provisioning. This makes assessment and audits in case of cloud computing much different that in traditional systems. It is therefore necessary that the proper identification and valuation of assets is done followed by identification and analysis of related vulnerabilities and threats. The potential impact of these on assets is required to be worked out and necessary risk management and treatment as per the policy should be adopted. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

Legal and Electronic Discovery

With data and governance in hands of provider the cloud computing has special functional, contractual and jurisdictional issues. The functional issues require identification of the services and functions that can have legal implications for customers and service providers. The contractual issues involve identifying and taking care of the issues related to contractual terms and conditions so that all can take care of the legal issues involved. The jurisdictional part takes care of the adherence to governmental law and regulations for customers and service providers. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

Compliance and Audit

The compliance to various regulatory and legislative issues while using the cloud computing is important for the company. The cloud provider should be able to demonstrate these compliances to the auditors as well as assessors and provide necessary evidence as required for compliance. This requires proper division of responsibilities between the customer and cloud service provider. The customers need to take into account all these issues before moving the applications to cloud and draft the contract clauses carefully to cover all issues. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4] provides detailed recommendations to be followed on the subject. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

Information Lifecycle Management

The management of data in the cloud requires steps to ensure data integrity, confidentiality and availability. This requires new methodology such as multi-tenancy, elasticity, new types of architectures and abstracted controls. These new methodologies also require different set of data security strategies than traditional data security methods.

The main requirements of data lifecycle security in cloud environment are following CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]:

Data security: The data security includes data Integrity, Confidentiality, Authenticity, Authorization, Availability, Authentication, and Non-Repudiation.

Location of the data: The data including its backup and copies should be located only in geographic locations that are as per contract as well as regulations. As per CITATION Mic09 \l 1033 [HYPERLINK \l "Mic09"8] many nations have laws that restrict SaaS provider by making them keep copyrighted material and customer data within national boundaries. In such situations in case of any legal problems court may not be able to get the access to data located outside national boundaries. CITATION Mic09 \l 1033 [HYPERLINK \l "Mic09"8]

Data remanance or persistence: Normal deletion of data does not delete the data fully and it can be recovered by using special tools. In cloud environment the destruction of data should be complete and through secure deletion so that it cannot be recovered and misused by any means.

Commingling data with other cloud customers: The sensitive and classified data of one customer should not be mixed with other customers as it may compromise data security and integrity.

Data backup and recovery: Procedures for suitable data backup and restoration should be available to avoid loss of data in case of any exigency.

Data discovery: Suitable methods and controls should be in place so that the data requested for any administrative, legal or technical reasons can be made available.

Data aggregation and inference: The data aggregation and inference in cloud requires proper controls and practices to be followed so that there is no breach in data confidentiality. Use of different encryption keys for different customers is one such solution.

Portability and Interoperability

Portability and interoperability of data in the cloud is required if the customer decides to change the cloud service provider due to some reasons. This can happen due to disputes between provider and customer or unacceptable service or increase in rates. The necessary security controls and audits should be able to make sure that the data can be shifted in secure way without leaving any trace at service provider's end. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5] reports that cloud providers create services, termed sticky services, that make it difficult to transport data from one vendor to another. CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5] reports that Amazon's "Simple Storage Service" is not compatible with Blue Cloud service of IBM or Google.

Operational Domains

Seven operational domains have been defined by CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4].

Traditional Security, Business Continuity and Disaster Recovery

The normal physical security, business continuity and disaster recovery is also required in Cloud Computing. However, extra efforts are required due to fast changing nature of cloud computing involving many clients. The physical security should have access control system and monitoring tool including closed-circuit TV system. The proper environmental control and back up is required for uninterrupted operations. CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5]

The cloud is prone to abuse by provider's internal staff as well. This requires cloud provider to select the operational staff after proper background checks, keep knowledge of customers discrete and known only to select people. The duties of the staff should be clearly defined along with signing of non disclosure agreements even with employees. The security awareness among the staff and proper training is a must to ward off internal threats. CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5]

Information security policy is another important document for providing a secure environment. The security policies should take care of the requirement of cloud environment and should be comprehensive following standards and guidelines. Each employee of the service provider should be fully aware of the security policy and his role in maintaining requisite security standard. CITATION Chr10 \l 1033 [HYPERLINK \l "Chr10"3]

In case of any eventuality such as attacks or natural calamity, the services may get disrupted. In order to reduce the impact of such thing a business continuity plan is required to be in place that will help provider in recovering from discontinuity. The disaster recovery plan which is a subset of business continuity plan requires steps to ensure uninterrupted operations as well as necessary measures to prevent, get ready for and recover from a disruption. CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5]

Data Center Operations

The large data center with many clients is the cost effective way of running cloud operations. However, this create security requirement appropriate for shared environment so that there is no mix up of data from various customers. Proper security requires adequate compartmentalization of data, systems, networks, provisioning, management and personnel. The proper controls are required at every infrastructure layer so that there is no interference between controls required for segregation. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

Incident Response, Notification, and Remediation

The security information and it's management is very important to handle any security breaches at the earliest. The security monitoring is required at all the levels to make sure that the vulnerabilities can be detected as well as any attempts for breach in security are immediately conveyed. Different models of cloud require different approach for monitoring. The security requirement is to have capability to monitor system security at data level as well as at application levels. CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5]

Many times the applications are not designed to keep security in mind and this can create problem in cloud environment. In case of large cloud with SAAS, PaaS and IaaS services chances are there for generation of large number of security incidents. A security monitoring center (SOC) is necessary to handle the security incidents. The SOC should provide a robust incident response mechanism so that the security incidents are reported to all concerned promptly. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

The cloud security requires prompt notification of security related incidents to security specialist as well as to customers so that the breach can be plugged safely and immediately. A well defined notification scheme should be in place so that SOC knows who to inform and where. The customers should also be made aware of the action to be taken when they notice any incident and whom to contact at service provider to tackle the problem. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

The remedial action in case of security incident is equally important and there should be a well defined strategy to be followed to recover from any security related incidents. The remediation methodology should take into account the forensic recording of incident data to take care of legal requirements.

I found remediation to be a very essential requirement if one need to trace the source of problem and similarly the notification procedure in case of the security breach can help in controlling the damage to a large extent.

Application Security

The responsibility of application security is dependent on cloud service model and SLA's but both provider as well as customer will have some security responsibility. In cloud computing the application level security is one of the critical issues for simple as well as complex CRM type applications. It is necessary that the applications are designed with security in mind. The web based applications are one of the most used applications in cloud environment. At the client end these applications use standard web browsers such as Internet explorer, Google Chrome, Safari, Firefox etc. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5] indicates that web application should follow guidelines for secure application development given by Open Web Application Security Project (OWASP). In addition the unnecessary command on Linux, MySql, Apache and PHP as well as port should be locked down so that attacker can not breach application security using these. CITATION Joh10 \l 1033 [HYPERLINK \l "Joh10"5]

CITATION Jen09 \l 1033 [HYPERLINK \l "Jen09"10] discusses the web services security in details and showed how XML encryption and Transport Layer Security (TLS) can be used enhance security. CITATION Jen09 \l 1033 [HYPERLINK \l "Jen09"10] also recommends adding XML encryption and XML Signature to enhance browser security API.

The application security should be thoroughly tested by reviewing the sources code as well as penetration test. This will provide assurance to the provider as well as customer that the applications are secure. Many times the customers in cloud have no knowledge of vulnerabilities of application level software and due to this they are unable to manage the operational risk associated with these vulnerabilities. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

In SaaS model the application is provided by the cloud service provider making him primarily responsible for security of application. The user's role is limited to operational security functions such as user and access management which also has to be supported by the service provider. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

In case of PaaS model the application security will be dependent on provider as well as application software provider because the base line tool and platform for the applications is provided by the service provider. The customer using in house application shall be responsible for making sure that application developed is secure. The software developers for Paas should be familiar with the APIs that are required for deployments and controlling the software module that enforce security. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

In IaaS environment the applications as well as the platform for running these is provided by the customer. These applications run on customer's virtual servers which are also managed by customers and therefore the application security totally rests with the customers. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4] indicates that the best practices used to harden the servers in DMZ should be used for virtual machines as well in case of IaaS model. The security of inter host communication is of prime importance and should not be neglected as an attacker can exploit this route.

I found that tackling application security can be a daunting task when responsibility of the same falls almost equally in hands of customer as well as provider. Thus in my opinion the PaaS model requires more careful security planning than other two models.

Encryption and Key Management

Encryption is one of the key requirements for guarding data against eavesdropping and theft. The encryption can ensure that data wherever it is located is safe from others eyes. Some regulation mandate data encryption. In the case of cloud computing, with data from many customers, strong encryption along with proper key management is required for data confidentiality and protection. The encryption provides data protection and the key management provides access to protected data. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

Encrypting data in transit over networks: In cloud environments lots of data such as passwords, encryption key and credit card numbers require encryption while in transit over Internet. Within the cloud itself many customers share the various components of cloud and information in transit requires encryption for protection. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

Encrypting data at rest: The cloud computing involves storage of large amount of various types of data storage in a distributed environment. The data may be frequently changed, deleted or appended by the users. This dynamic nature of data storage requires that data integrity is maintained under all circumstances. In many cases the data may be sent by the customers themselves in encrypted form to provide further security from their end. The redundancy techniques may be used to store data at different locations along with proper encryption. CITATION Wan09 \l 1033 [HYPERLINK \l "Wan09"11]

The encryption of data in SaaS model is done by the provider. In case of PaaS model it requires efforts by the customer as well as provider to provide requisite encryption technique. In IaaS environment it is the total responsibility of the customer. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

CITATION Wan09 \l 1033 [HYPERLINK \l "Wan09"11] proposed a data storage scheme for distributed application such as cloud with support for block update, append and delete. The authors used erasure-correcting code while distributing the files for providing data dependability using redundancy parity vectors. They showed that their scheme was efficient as well as resilient to malicious data modification attack, Byzantine failure and server colluding attacks. CITATION Wan09 \l 1033 [HYPERLINK \l "Wan09"11]

Encrypting data on backup media: The encryption of data on backup media is important to provide protection in case of stolen or lost media. CITATION Rit \l 1033 [HYPERLINK \l "Rit"12]

Key Management: The keys themselves are very sensitive data, because a loss of key can compromise whole lot of data. Key's protection while in transit, storage and backup is most important. The access to keys should be highly restricted and strong policy in this respect is required. The function of key storage and key users should be kept separately to avoid conflict of interest. The loss of key can lead to loss of mission critical data and therefore secure key backup and recovery schemes should be used.

I have observed that in most cases less emphasis is given for stored backup data and this may lead to data theft. Encryption of stored data as a norm can avoid this.

Identity and Access Management

CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4] defines following identity and access management (IAM) functions that are required for implementing effective identity management in cloud environment.

Identity Provisioning: Provisioning (addition) and deprovisioning (removal) of user in a secure manner is one of the major challenges in cloud environment. This has to be done in timely manner with assignment of proper rights as needed by the users for carrying out his job efficiently. The practices used by the enterprise for users management can also be applied in cloud environment. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

Authentication: User's authentication for accessing cloud services is vital for maintaining the security. The authentication scheme should be trustworthy, easy to administer and use. Numbers of strong authentication techniques are available by using smart cards, biometric methods, dynamic token or combination of these. The deployment of scheme should be as per policy and requirement. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

OAuth is an authentication standard that can be used for authorization via a secure application programming interface (API). The OAuth can be used for single sign-on (SSO) with a trusted service provider using web services model. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

Federation: Federation allows the various organizations to form an association so that information of users can be exchange among themselves. With this the users needs a single sign up for accessing services in the cloud. The identities can be maintained by a trusted identity provider (IdP) and the service provider exchanges information with IdP in a secure manner.

Authorization & user profile management: To provide requisite access it is necessary that a trusted user profile is established. This will allow allocation of necessary controls to the user inside the cloud as per his profile. The profile can also be managed centrally without requiring application developers to build it into their applications. [4]

In my opinion the use of IAM can be a boon for an organization because it not only improves the operational efficiency but also allow organizations to comply with various privacy, regulatory and data protection requirements. Figure 4 shows the identity life cycle.


End of relationship

Password Management

Beginning of relationship







Figure SEQ Figure \* ARABIC 3: Identity Life Cycle


The virtualization in cloud allows multiple users to work on single IT infrastructure and take benefit of sharing the infrastructure. The virtualized operating system is most commonly used to provide these services. The use of virtualization brings additional security concerns. The virtual machines do not generally communicate over network and are therefore blind to security controls put in place for network such as in line blocking or monitoring. In addition the security concerns will be there due to commingling of data in services and repositories. CITATION Clo09 \l 1033 [HYPERLINK \l "Clo09"4]

In order to provide proper security in VM environment necessary security controls are required to be put in place including hardening of VM Machines, installing a host based IDS system, track inventory of VM images for any security violations, protection of hardened image from unauthorized access etc. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

I observe that virtualization is important in case of IaaS model only. It is in this model that customer has to take care of security to maximum and proper security mechanism must be put in place to avoid security breach.

Privacy in Cloud

The basis of privacy practices and laws around the world is right of an individual to exercise control over use, collection and disclosure of his personal information. The interest of user must be protected by any organization that collects and uses personal data of user. CITATION Cav08 \l 1033 [HYPERLINK \l "Cav08"13]

The personal information in cloud is like the data and its management requires same treatment as identity and access management. At each stage of its phases, as depicted in REF _Ref273173302 \h REF _Ref273180795 \h Figure 4 Identity Life Cycle, the information is required to be protected in cloud environment. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

The cloud computing environment impacts the key privacy principles given by Organization for Economic Cooperation and Development (OECD) and others as given below CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]:

Collection Limitation Principle: This principle limits the data collection only to the purpose for which data is required and that too by lawful mean with full knowledge of the person. In cloud different data elements may be collected for some purpose and later combined data collected may be more than what is required violating the laws. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

Use Limitation Principle: This limits the disclosure of data available for the purpose other than it has been acquired. Data's any other use should be with the consent of individual whom it belongs. However, in cloud environment the data may be shared among various entities and this may create excess data availability without the consent of individuals. This creates a risk of unexpected use of data by agencies with access to them CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9].

Security Principle: It deals with proper security for data and the same holds good in the cloud.

Retention and Destruction Principle: As per this data should be retained only till the time it is required and thereafter it should be destroyed by secure means. In cloud especially SaaS the onus the data retention and destruction rests with the provider.

Transfer Principle: It limits the data transfer to the countries that do not have similar privacy levels as that of original data location. In cloud it is very difficult to control this as some complex application such as ecommerce may transfer data dynamically across the regions. This has to be dealt properly in cloud.

Accountability Principle: In cloud, accountability can be achieved by attaching policies to data along with the mechanism to ensure adherence to these policies by data handlers.

Legal and Regulatory Implications: Adherence to legal and regulatory requirements is a complicated task for the companies operating globally. Various countries have different types of requirements which at time may be conflicting with each other and care has to be taken for these while handling the personal data. CITATION Tim09 \l 1033 [HYPERLINK \l "Tim09"9]

I have found that users while visiting sites, such as social networking sites, very easily post their personal information. They do not realize that this data can also be used by the service provider for his benefits . In order to check that service provider does not misuse the collected data and adheres to privacy norms, it is necessary that regulatory authorities should keep strict vigil for this


Our thanks to ACM SIGCHI for allowing us to modify templates they had developed.