The greatest challenge that corporations, governments and users are facing in adopting Cloud Computing is 'Privacy'. Privacy demands significant attention in terms of legal policies as well as gaining user trust. This paper focuses on privacy challenges and risks that developers need to address for the cloud paradigm. Further we discuss the privacy policies and best practices recommended by regulatory authorities and technologists. We will also analyze two such implementations, Client-Based Privacy Manager and Privacy Assurance Approach, as presented by their authors.
Today, a large number of organizations are weighing the benefits of shifting their infrastructure to a cloud environment. The cloud offers them the ability to store and process large volumes of data at a centralized, remote source, which significantly reduces their expenditure on software and hardware. Most of the computation, however, is done on resources the customer does not own. On the flip side, users therefore lose control over their private data (it is processed remotely) and fear leakage of sensitive information. Sensitive information includes items such as name, address, passwords, gender, religion, biological/health data, behavioral patterns and financial information that identify an individual and subsequently aid cyber criminals in launching attacks. Privacy-protection mechanisms should mitigate these concerns in order to gain users' trust. Privacy requirements also apply to enterprises, which want to safeguard information about their revenues, clients, business plans, strategies, and so on.
Many policies, regulations, user privacy rights and restrictions govern the deployment of a cloud system.
2. Privacy: Problems, Challenges and Risks
Data privacy is of prime concern in a cloud environment. Much of a customer's private data sits unencrypted on the cloud system, where it is available to any attacker who gains access. With the advent of virtualization, platform-sharing applications and remote processing, there is a fundamental need to protect confidential information that might otherwise be accessible to undesired parties. The cloud facilitates prompt, dynamic deployment of new infrastructure, services and applications; while doing so, a corporation must still adhere to the required security regulations and protections. Since data is processed centrally, the cloud also presents a single point of failure, and in the event of such a failure, business-continuity and data-restoration processes must take over without interruption.
A sound access control scheme must be employed to block unauthorized users from abusing data and changing system configuration. As stated in , the cloud environment faces critical privacy risks. End-users run the risk of being tricked into feeding personal details to illegitimate recipients, and can suffer manipulation of private data, monetary loss and identity theft. If privacy protection fails, the service provider's credibility and reputation are at stake, which can put it out of business.
When data processing is outsourced, it raises problems of accountability and legal liability. It becomes mandatory to define clearly who is responsible for scrutinizing privacy standards and their implementation. The trust model should incorporate good auditing practices (standards), verification of third parties' identities, and their rights when dealing with personal data.
Unlike in conventional systems, encrypting data is not by itself a sufficient privacy approach for the cloud environment: cloud-based applications generally cannot compute on encrypted data and must decrypt it first. Databases in particular suffer, since unified data management over encrypted records becomes difficult.
A major privacy breach occurred in 2007, when cyber-criminals managed to steal customer emails and addresses from Salesforce.com, a major cloud service provider [2, 10]; the data was obtained through a phishing attack targeted at Salesforce. Salesforce manages databases containing huge volumes of sensitive business information such as sales records, client addresses, purchase history, business reports, targets, purchase patterns and strategies. Businesses adopting cloud infrastructure need assurance that their data will be safe and secure. Moreover, providing data recovery and business continuity in case of an attack is of prime importance for gaining their trust.
Often, contextual and profile information about a user (name, place, hobbies, preferences, likes and dislikes, contacts, browsing history, investments, profession, financial information, etc.) is extracted and used in an undesired and unauthorized manner without the user's consent. Such theft of private information can also be used to launch inference attacks . Using these data, the identity and profile of the user can be predicted accurately. This scenario applies very directly to social networking sites: from the characteristic traits and attribute values of a user's friends, the user's own sensitive or undisclosed information can be inferred . The same information can be used by advertising companies to target products. These attacks carry the risk of identity theft, and a cloud computing environment should address this form of information leakage.
3. Privacy: Policy Requirements
Several key policies, as presented in [1, 4, 5, 7, 8, 20], are discussed below to address these challenges and risks.
- Notice: When a party intends to use personal information, users must be notified about the actual data collected, its usage, the duration, the other parties involved, any manipulations, etc. Permission to use sensitive private details must be granted directly by the user, who fully reserves the right to accept or refuse such a request.
- Clear and Comprehensive: The policies should be easy for all parties concerned to comprehend, without ambiguity.
- Relevance & Purpose: Only information that is relevant to the party's computation may be requested. Usage must be strictly restricted to the clearly defined purpose for which the data was collected, and these terms must be stated explicitly at the time of collection.
- Check Up: Users must be given the means to monitor how their personal information is being used, and must be able to check that information published about them is accurate, non-derogatory and legitimate.
- Authorization: The system should prevent unauthorized access, disclosure, copying or manipulation of personal information, using mechanisms such as access control lists.
- Legal Conformance: The privacy processes must be transparent, and the user reserves the right to check that the processes conform to privacy regulations, e.g. cross-border transfer obligations.
- Limiting Disclosure: Data may only be divulged to parties authorized to receive it. Personal data must be anonymized as far as possible to limit inference attacks.
- Duration: Parties may use the information only for as long as permission has been granted.
- Accountability: Personnel must be appointed to check and report whether best-practice privacy standards are followed, and audit functions must be run regularly to monitor data access and changes.
4. Privacy: Best Practices
Siani Pearson has presented many best practices for achieving privacy, which developers should follow during the system development life cycle.
- Privacy Impact Assessment (PIA) [1, 23]: The PIA process was launched by the UK Information Commissioner's Office in November 2007 to regulate the usage of private information. It was initially intended for the UK public sector, but was later extended to business processes that use private information. A PIA helps a project assess its privacy requirements at each phase of the design process. With the number of cloud computing applications and services growing rapidly, PIAs can be employed to measure contextual privacy requirements methodically and to review their implementation.
- Assessment during Design: Privacy requirements differ at every phase, namely initiation, planning, execution, closure and decommissioning [1, 3]. Assessment involves setting standards, addressing privacy concerns systematically, considering various implementation methodologies, documentation, auditing, etc. It should also address safe wrap-up and complete deletion of private information on program termination. Privacy specifications should be given prominence in requirement specifications, guidelines, policy files, review documents and FAQs.
- Privacy Enhancing Technologies (PETs): technologies that provide privacy protection. A few examples [1, 17]: browsers can be configured to automatically check a website's privacy policy against the user's desired settings; online programs that verify the correctness and authenticity of a user's private information are also PETs. Every technology that helps the user achieve privacy protection comes under the umbrella of PETs.
- Minimizing data stored in the cloud: By limiting the amount of private detail sent for a specific task, the extra effort of protecting unnecessary data is avoided. Attackers may try to deduce a specific detail from other, related information that was provided, so minimization also protects the system against inference attacks. This can further be supported by encrypting the data sent or hiding it among other, irrelevant streams. When information is sent, care should be taken that it does not help attackers zero in on the identity of the individual; attackers sometimes use statistical analysis to extract private details.
- Protecting information in the cloud: Security mechanisms that prevent intrusion, manipulation or falsification of private details, unauthorized access, information theft, etc. need to be deployed by both service providers and interacting clients. Access control schemes can be employed to classify and authorize the permitted operations. Cryptographic mechanisms, as argued in , provide a good solution for safe information transfer, storage and retrieval: information can be encrypted using symmetric or public-key cryptography in each of these phases, and the receiver decrypts it to access the message. Once the operation is complete, the decryption keys can be destroyed, which leaves the ciphertext remaining in the cloud unrecoverable. This gives a safe disposal method for sensitive details stored in the cloud, provided every copy of the key is in fact destroyed and no plaintext copies were retained during processing.
- Maximize User Control: The most pressing issue in cloud computing is that users feel isolated from where the processing happens, lack control, and hence are unsure whether their private information will be protected; they then go on to lose trust in the system. Such user opinion threatens the acceptance of the cloud. One suggested approach  is to let users manage their own personal information; alternatively, as suggested in [17, 19], a trusted third party can be deployed to manage privacy. Users expect uninterrupted, unaltered access to their resources, which must be granted. Users must always be asked for consent regarding their private data being collected, used for a specific purpose and duration, accessed by other parties, modified, published, etc., and they fully reserve the right to accept or deny a proposal. Strict adherence to the above policies is what gains trust.
- Feedback [9, 24]: Interactive, suggestive interfaces can continuously guide users on the best ways to ensure privacy in their context. These hints help the user make a balanced decision about the level of privacy setting he or she desires. Several authors have provided solutions for implementing such a feedback system.
5. Client-Based Privacy Manager
Miranda Mowbray and Siani Pearson have described a client-based privacy manager approach for the cloud. In this section we study how their approach deals with the privacy challenges of cloud computing. Such an implementation gains a lot of user trust, which is essential for the survival of the cloud concept.
The authors propose a solution in which a significant volume of sensitive information is managed by the client, with cooperation from the corresponding cloud-side components and service providers. It is essentially user-focused, since the user has the privilege of enforcing his or her own privacy preferences. The approach also lets the user hide or camouflage data from undesired or unauthorized service providers.
The architecture of the authors' solution is depicted in Fig. 1. The Privacy Manager is software installed on the client side for privacy protection. It performs obfuscation and de-obfuscation of private details when they are sent to and stored in the cloud, and lets the user customize privacy preferences for interactions with different entities in the cloud.
The following are the features of the proposed Privacy Manager.
Obfuscation [2, 4, 5]: this feature of the Privacy Manager is similar to an encryption and decryption mechanism. The Privacy Manager holds a key with which some or all of the private data sent to the cloud for computation is obfuscated (made obscure, transformed or falsified). The same key is later used to recover the cleartext from any computation results returned by the cloud. This provides a high level of privacy and control, since nobody (cloud service providers, applications, attackers) except the user can recover the data without the key. On the flip side, such an approach limits the set of applications that can be supported and also costs time and processing power.
Preferences: users can set preferences that control how their private information on the cloud may be used. The specified policies can be bound to, or tagged onto, the data sent, using public-key encryption, so that whenever the data is used, the policies associated with it are enforced along with it. Before granting access, the system can check whether the intended usage abides by the specified policies.
Data access: users can access and audit whether the information held about them is accurate and non-derogatory, and privacy violations as specified in  will be unearthed. On the client machine, this module establishes session connections and stores, maintains and logs this information. The system is difficult to implement if the information is spread across a myriad of machines.
Feedback: an interactive interface continuously monitors and reports to the user how his or her private information is being used, and guides users on the best ways to ensure privacy in their context. These reports, statistics and analyses help the user make a balanced decision about the level of privacy setting desired.
Personae: this feature is analogous to profiling. It gives the user the option to interact with applications and provide details at whatever level he or she is comfortable with, from providing complete details to remaining anonymous.
Solutions: Privacy Manager Approach
The authors explain in detail how their approach can tackle cloud privacy problems such as the Salesforce attack.
Sales Force Automation [2, 10, 25]:
Consider a case where the client sends critical sales data (product, status, pricing and time parameters) to the Salesforce cloud for report generation, storage, database queries or automation.
"The Privacy Manager obfuscation module translates the customer, product and status into pseudonyms, multiplies the price by a factor, and moves the time forward by a time interval. The obfuscation software will generate new pseudonym maps and price factors for each new user. (The pseudonym maps may be implemented by association tables, or by a deterministic symmetric encryption function; in the latter case different maps correspond to different keys.)" .
The obfuscated data is sent to the cloud. The cloud's resources can perform most of their operations on this data and return results in the same obfuscated form. Only the Privacy Manager, holding the associated keys and mappings, can de-obfuscate the results. Obfuscation can also be achieved by inserting misleading or fake values in the queries. Obfuscation is not as safe as encryption, since it can be prone to inference and statistical attacks (a deterministic pseudonym map, for example, preserves equality between records and therefore their frequency patterns). Moreover, the Privacy Manager must remember the keys for each transaction, as they differ and obfuscate the same data in different ways, so a key-backup reference is needed to retrieve the exact contextual data desired.
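As an added illustration (example code written for this page, not the Privacy Manager's own implementation), the following Python shows the obfuscation round trip described above: customer, product and status are replaced by pseudonyms derived with a keyed deterministic function (HMAC-SHA256, an assumed stand-in for the deterministic symmetric encryption the authors mention), price is scaled by a factor, time is shifted by an interval, the cloud side computes a per-customer report on the obfuscated records alone, and the client maps the report back. The field names, report format and sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


class PrivacyManagerObfuscator:
    """Client-side obfuscation state for one user: a pseudonym key, a price
    factor and a time shift. Pseudonyms come from a keyed deterministic
    function (HMAC-SHA256) so equal cleartext values map to equal tags and
    the cloud can still group and join on them; the tag -> cleartext map
    never leaves the client."""

    PSEUDONYMISED = ("customer", "product", "status")

    def __init__(self, key=None, price_factor=None, time_shift=None):
        # Fresh random parameters per user unless fixed values are supplied.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.price_factor = price_factor if price_factor is not None else 1 + secrets.randbelow(900) / 100
        self.time_shift = time_shift if time_shift is not None else timedelta(days=1 + secrets.randbelow(365))
        self._reverse = {}  # pseudonym -> cleartext, held only on the client

    def _pseudonym(self, field, value):
        tag = hmac.new(self.key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = value
        return tag

    def obfuscate(self, record):
        out = {f: self._pseudonym(f, record[f]) for f in self.PSEUDONYMISED}
        out["price"] = round(record["price"] * self.price_factor, 2)
        out["time"] = record["time"] + self.time_shift
        return out

    def deobfuscate_report(self, row):
        return {
            "customer": self._reverse[row["customer"]],
            "total": round(row["total"] / self.price_factor, 2),
            "latest": row["latest"] - self.time_shift,
        }


def cloud_sales_report(obfuscated_records):
    """Runs on the provider side and sees only pseudonyms, scaled prices and
    shifted times, yet still computes a per-customer total and latest sale."""
    report = {}
    for rec in obfuscated_records:
        entry = report.setdefault(
            rec["customer"], {"customer": rec["customer"], "total": 0.0, "latest": rec["time"]}
        )
        entry["total"] = round(entry["total"] + rec["price"], 2)
        entry["latest"] = max(entry["latest"], rec["time"])
    return list(report.values())


# Constructed sample input for the example (not real sales data).
SAMPLE_RECORDS = [
    {"customer": "Acme Ltd", "product": "Widget", "status": "closed", "price": 100.0, "time": datetime(2009, 6, 1)},
    {"customer": "Acme Ltd", "product": "Gadget", "status": "open", "price": 80.0, "time": datetime(2009, 6, 10)},
    {"customer": "Globex", "product": "Widget", "status": "closed", "price": 50.0, "time": datetime(2009, 6, 5)},
]


def run_round_trip(records=SAMPLE_RECORDS, price_factor=2.5, time_shift=timedelta(days=30)):
    """Obfuscate, let the 'cloud' build its report, then map it back."""
    pm = PrivacyManagerObfuscator(price_factor=price_factor, time_shift=time_shift)
    obfuscated = [pm.obfuscate(r) for r in records]
    report = cloud_sales_report(obfuscated)
    return obfuscated, [pm.deobfuscate_report(row) for row in report]


if __name__ == "__main__":
    sent, recovered = run_round_trip()
    print("sent to cloud:", sent[0])
    for row in recovered:
        print(row)
```

Because the pseudonym map is deterministic, equal cleartext values always produce the same tag; that is what lets the cloud group and join records, but it is also exactly the property a frequency or inference attack exploits, which is why the text above rates obfuscation below encryption. The key, factor and shift must be persisted on the client together with the transaction they belong to, otherwise the returned report cannot be mapped back.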
Customized End-User Services:
The Preferences feature of the Privacy Manager lets customers put a check on the data that third parties can use. With the Personae feature, the user determines what kind of profile (allowable data and policies) is maintained while interacting in a given context.
For instance, in a social networking application a user can hide his or her profile from unknown individuals, third-party advertisers, etc., and yet reveal private details to friends. Even among friends, users can create specific profiles for sharing data with each other. Profiling could also be based on the time of day, or on a secure assessment of the contacting party supported by the feedback feature.
As mentioned earlier, user-specific policies can be attached to the data, so that whenever the data is accessed, the associated policies are enforced with it; before granting access, the system checks whether the usage abides by the specified policies. Moreover, with the feedback and data access features the user can continuously monitor the state of his or her private information, whether it is accurate or has been manipulated.
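The Preferences feature described here and earlier binds the user's policy to the data so that the policy is enforced wherever the data is used. The following Python is an added example, not taken from the Privacy Manager paper, of the enforcement side of such a sticky policy: the policy travels with the data under a binding tag, and an access request is checked against the permitted party, purpose, duration and fields before anything is disclosed. It uses an HMAC under a key held by the user's Privacy Manager as a standard-library stand-in for the public-key binding the authors describe; the policy schema, party names and sample data are assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime


def _canonical(data, policy):
    # Canonical JSON so that the same data and policy always give the same bytes.
    return json.dumps({"data": data, "policy": policy}, sort_keys=True, separators=(",", ":")).encode()


def bind_policy(key, data, policy):
    """Package personal data with the user's policy and a binding tag.
    Altering the policy or the data without the key breaks the tag."""
    tag = hmac.new(key, _canonical(data, policy), hashlib.sha256).hexdigest()
    return {"data": data, "policy": policy, "tag": tag}


def binding_intact(key, package):
    expected = hmac.new(key, _canonical(package["data"], package["policy"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, package["tag"])


def request_access(key, package, requester, purpose, now_iso):
    """Policy enforcement point: check the binding, then party, purpose and
    duration, and disclose only the fields the policy permits."""
    decision = {"allowed": False, "reason": "", "disclosed": {}}
    if not binding_intact(key, package):
        decision["reason"] = "binding broken: policy or data was altered"
        return decision
    pol = package["policy"]
    if requester not in pol["parties"]:
        decision["reason"] = f"party {requester!r} not authorized"
        return decision
    if purpose not in pol["purposes"]:
        decision["reason"] = f"purpose {purpose!r} not permitted"
        return decision
    if datetime.fromisoformat(now_iso) > datetime.fromisoformat(pol["expires"]):
        decision["reason"] = "permission expired"
        return decision
    decision["allowed"] = True
    decision["reason"] = "ok"
    decision["disclosed"] = {f: package["data"][f] for f in pol["fields"] if f in package["data"]}
    return decision


# Constructed sample; in practice the key is held by the user's Privacy Manager.
SAMPLE_KEY = b"privacy-manager-demo-key"
SAMPLE_DATA = {"name": "A. Example", "email": "a.example@example.net", "phone": "+1-555-0100"}
SAMPLE_POLICY = {
    "parties": ["crm-app"],
    "purposes": ["order-fulfilment"],
    "fields": ["name", "email"],  # phone is never disclosed
    "expires": "2009-12-31T00:00:00",
}


def demo():
    pkg = bind_policy(SAMPLE_KEY, SAMPLE_DATA, SAMPLE_POLICY)
    ok = request_access(SAMPLE_KEY, pkg, "crm-app", "order-fulfilment", "2009-07-01T12:00:00")
    wrong_purpose = request_access(SAMPLE_KEY, pkg, "crm-app", "advertising", "2009-07-01T12:00:00")
    expired = request_access(SAMPLE_KEY, pkg, "crm-app", "order-fulfilment", "2010-01-15T12:00:00")
    # A cloud-side party tries to widen the policy; the tag no longer matches.
    tampered = dict(pkg, policy=dict(SAMPLE_POLICY, purposes=["order-fulfilment", "advertising"]))
    tamper = request_access(SAMPLE_KEY, tampered, "crm-app", "advertising", "2009-07-01T12:00:00")
    return {"ok": ok, "wrong_purpose": wrong_purpose, "expired": expired, "tamper": tamper}


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, d["allowed"], d["reason"], d["disclosed"])
```

The check order matters: the binding is verified before any policy field is read, so a tampered policy is never consulted, and the disclosed set is derived from the policy rather than from the requester's wish list, which is the data-minimization point made under best practices above.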
Failure: Privacy Manager Approach
This approach is not applicable in all scenarios. The model is user-focused and based on the assumption that all service providers will cooperate fully to address the privacy needs of their clients. The authors point out that if a provider's revenue comes from supplying user details to advertisers, its cloud infrastructure may not support the Privacy Manager completely; in that case none of the features except obfuscation can be supported.
Even for obfuscation, the cloud applications must be written so that they accept obfuscated data as input, process it, and return results in the same form. Some applications may treat such input as invalid, and processing will go no further.
Despite this, the authors  believe that their approach does not require complete service-provider support and can function well independently in most scenarios.
6. Privacy Assurance Approach
"A privacy assurance solution should allow communication between end-users and service providers in a common language, establish guidelines on levels of assurance information, provide mappings between privacy preferences and the back end, and above all provide trust in these mappings" .
Systems Design: Privacy Assurance Approach
Clauses : A clause is a common, standardized vocabulary created for simple, precise and unambiguous communication of policies between clients and service providers. The parties do not need privacy or security expertise to interact using clauses. Because clauses have a fixed form, clients can easily spot deviations from, or omissions in, the expected policies. From the service provider's point of view, the provider can clearly understand the client's requirements and state what it is able to provide. Emphasis is placed on the combined outcome of all the clauses rather than on individual ones, so both parties know each other's security standpoint precisely. Many clauses grouped together to address a particular context form a policy. The authors also propose templates that provide best practices, from which clients can customize the policies they want. The most significant issue still to be addressed for clauses is standardization and global acceptance, and the authors have called upon regulatory bodies to provide a solution.
As proposed in the system, when a client is asked to reveal its private details, it immediately matches its policy with the service provider's and continues the interaction if the clauses are identical. In the case of Missing Clauses , the user is alerted that the service policies do not fully meet the user's requirements. The case of Excessive Clauses  is accepted, as it only provides increased security.
Trusted Third Parties (TTP) and the Trust Chain [9, 17]:
To establish trust in the mapping system described above, the authors propose a TTP model. The TTP could be, for example, VeriSign, a government, or a regulatory body. In line with ISO 17799 and ISO 27001 , the TTP evaluates the mapping and privacy system and, on validation, issues a trust token to the service provider. Users are presented with the token whenever their private details are requested. This is very similar to the digital certificate trust model, in which relying parties accept a certificate because they trust the issuer's verification. Apart from validating the mapping, the TTP also checks that the provider's privacy features are up and running, and is expected to maintain the confidentiality, integrity and availability of trust tokens . Even in this approach, the TTP has to be sure that its test-case set is good enough to answer the privacy concerns; the user then simply trusts the judgement of the TTP and the validity of the token.
Privacy and Identity Management for Europe (PRIME): Implementation [13, 14]
PRIME is a real system with an implementation similar to the one proposed in . Its primary role is to bring to light the similarities, deviations and missing privacy policies between users and service providers. The system conducts capability tests  to verify whether the service provider abides by the agreed policies and implements them successfully. The results are easy for an ordinary user to comprehend and therefore help users decide rationally whether to divulge sensitive information. The following steps are paraphrased from :
- The user's clauses are passed on to the corresponding validator resident on the service provider.
- The service-side Policy Validator maps the clauses to the relevant test cases, and the assurance information database pulls out the corresponding test results. The service provider decides what level of result detail it wants to provide to the user, taking care not to divulge information about its back end or infrastructure.
- With the results available, users can decide whether they agree to divulge specific sensitive information for this transaction.
- If satisfied, the user sends his or her personal details.
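The clause-matching rule (identical, missing, excessive) and the PRIME validation steps above, as an added Python example that is not part of the PRIME code or of the privacy assurance paper: the client compares its clause set with the provider's, the service-side Policy Validator maps the agreed clauses to test cases and reports their results at the provider's chosen disclosure level, and the user proceeds only if nothing is missing and every agreed clause passed. The clause vocabulary, test-case names, outcome labels and assurance records are constructed for the example.

```python
# Constructed clause vocabulary, clause-to-test mapping and assurance database.
# The names below are assumptions for illustration, not PRIME identifiers.
CLAUSE_TESTS = {
    "NO_THIRD_PARTY_SHARING": ["tc_outbound_flow_audit"],
    "ENCRYPT_AT_REST": ["tc_storage_encryption", "tc_key_separation"],
    "RETAIN_MAX_30_DAYS": ["tc_retention_purge"],
    "USER_ACCESS_REVIEW": ["tc_subject_access_portal"],
}

ASSURANCE_DB = {
    "tc_outbound_flow_audit": {"result": "pass", "detail": "egress reviewed; no advertiser sinks"},
    "tc_storage_encryption": {"result": "pass", "detail": "volume encryption on db hosts"},
    "tc_key_separation": {"result": "fail", "detail": "keys stored on the same host as data"},
    "tc_retention_purge": {"result": "pass", "detail": "nightly purge job, last run ok"},
    "tc_subject_access_portal": {"result": "pass", "detail": "self-service access portal live"},
}


def match_clauses(user_clauses, provider_clauses):
    """Client-side comparison of the user's policy with the provider's."""
    user, prov = set(user_clauses), set(provider_clauses)
    return {
        "common": sorted(user & prov),
        "missing": sorted(user - prov),    # provider does not offer it: alert the user
        "excessive": sorted(prov - user),  # provider offers more: accepted
    }


def policy_validator(provider_clauses, clauses, disclosure="summary"):
    """Service-side Policy Validator: maps each agreed clause to its test cases
    and returns results at the provider's chosen disclosure level. 'summary'
    gives pass/fail only, so back-end detail never reaches the user."""
    results = {}
    for clause in clauses:
        if clause not in provider_clauses:
            continue
        cases = []
        for tc in CLAUSE_TESTS.get(clause, []):
            rec = ASSURANCE_DB.get(tc)
            entry = {"test": tc, "result": rec["result"] if rec else "untested"}
            if disclosure == "full" and rec:
                entry["detail"] = rec["detail"]
            cases.append(entry)
        if not cases:
            # A clause the provider claims but has no test for is not verified.
            cases.append({"test": None, "result": "unverified"})
        results[clause] = cases
    return results


def decide(user_clauses, provider_clauses, disclosure="summary"):
    """The whole exchange: match, validate, then the user's go/no-go decision."""
    match = match_clauses(user_clauses, provider_clauses)
    if match["missing"]:
        return {"proceed": False, "reason": "missing clauses", "match": match, "failed": [], "results": {}}
    results = policy_validator(provider_clauses, match["common"], disclosure)
    failed = sorted(c for c, cases in results.items() if any(e["result"] != "pass" for e in cases))
    return {
        "proceed": not failed,
        "reason": "failed tests" if failed else "ok",
        "match": match,
        "failed": failed,
        "results": results,
    }


if __name__ == "__main__":
    user = ["NO_THIRD_PARTY_SHARING", "RETAIN_MAX_30_DAYS", "ENCRYPT_AT_REST"]
    provider = ["NO_THIRD_PARTY_SHARING", "RETAIN_MAX_30_DAYS", "ENCRYPT_AT_REST", "USER_ACCESS_REVIEW"]
    print(decide(user, provider))
```

Two points the code makes concrete: an excessive clause on the provider side never blocks the exchange, whereas a clause the provider claims but cannot back with a passing test does; and the disclosure level is applied on the provider side, before results are sent, which is the guard against leaking infrastructure detail noted in the testing section below.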
7. Testing Cloud-Based Services
Cloud computing is a large integration of users, data, hardware and software resources, so system complexity has increased. Organizations are ramping up their testing and quality assurance processes to achieve compliance with legal and regulatory policies and, most important of all, to gain user trust. It is therefore of prime importance to involve users and address privacy concerns in each phase of the product life cycle.
When making test plans, two aspects of privacy require attention: user privacy and the service provider's privacy. Service providers need to test whether their infrastructure information or application details leak to general users. This is precisely what the testing practices of the privacy assurance approach point out: the test results and methods should not divulge more information than required to the users.
Lin Gu et al.  have brought to light some important considerations and research areas associated with testing for the cloud platform. Specific models need to be established for defining users and policies in test cases. The system should clearly define what information can be divulged to external users. Preferably there should be a mechanism to classify users into groups and measure their trustworthiness. Determining to what level the code under test must be hidden, and modularizing user software for secure and complete testing, are further open areas. The testing system should be consistent enough to deliver accurate results regularly.
8. Accountability in the Cloud
Siani Pearson and Andrew Charlesworth have presented accountability as a way forward. Accountability revolves around effective corporate data governance: how data is collected, used, processed, managed, stored and secured within the organization. It also draws on enforced privacy laws and regulations and on the technologies that make implementation possible. From the end user's point of view, accountability provides transparency and assurance as to who is responsible for which process and how it will be managed, which helps gain user trust. From the organization's point of view, it provides compliance with regulatory standards, laws and policies, as well as with technological implementations. As more service providers, cloud applications and end users arrive, accountability can offer a safe mechanism for interoperability, with contractual obligations and service-level agreements playing a pivotal role.
9. Future Research
Cloud computing is at a nascent stage, with new challenges and solutions evolving at a brisk pace. An important area of research is how data will be protected within the cloud: different encryption and obfuscation mechanisms need to be developed to provide contextual solutions, and cryptographers have an opportunity to develop new key management systems. Since the cloud offers global data management, it will be interesting to see how systems and processes evolve to be interoperable. There is a lot of scope in how classification of user groups and access control mechanisms can be implemented. Similar to the clauses used in the privacy assurance approach, there is a need for a standard communication protocol that can model all privacy requirements and present them simply and unambiguously. Various trust models can be developed. Providing confidentiality, integrity and availability for the cloud is going to differ from conventional systems.
The cloud approach is a sudden and drastic shift from traditional systems, and ownership and control of private data is now a big concern. The success of the cloud paradigm depends on efficient compliance with, and interoperability of, regulatory standards, policies and the associated technological implementations. Legal issues governing privacy and data governance should move towards uniformity, and various regulatory organizations appear to be working together to develop standardized policies, technologies and laws for the cloud platform. The Client-Based Privacy Manager is user-centric and hence gains trust easily; its success will depend on how far service providers cooperate to give clients that control. The Privacy Assurance system is unique in that it actually verifies whether the service provider has abided by the agreed policies, and there is tremendous scope for implementing such a system. It will be exciting to see how the cloud computation model evolves with regulatory and technological changes.
- S. Pearson, "Taking Account of Privacy when Designing Cloud Computing Services", ICSE-CLOUD'09, Vancouver, Canada, May 23, 2009, IEEE (978-1-4244-3713-9/09).
- M. Mowbray and S. Pearson, "A Client-Based Privacy Manager for Cloud Computing", COMSWARE'09, Dublin, Ireland, June 16-19, 2009.
- L. Gu and S.-C. Cheung, "Constructing and Testing Privacy-Aware Services in a Cloud Computing Environment - Challenges and Opportunities", Internetware 2009, Beijing, China.
- R. Gellman, "Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing", World Privacy Forum, February 23, 2009.
- Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing", 2009. http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
- S. Pearson and A. Charlesworth, "Accountability as a Way Forward for Privacy Protection in the Cloud", HP Labs.
- Federal Trade Commission, "Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress", Washington DC: FTC, May 22, 2000.
- Organisation for Economic Co-operation and Development (OECD), "Guidelines governing the protection of privacy and transborder flows of personal data", Paris, 1980, and "Guidelines for consumer protection for ecommerce", 1999. www.ftc.gov/opa/1999/9912/oecdguide.htm
- T. E. Elahi and S. Pearson, "Privacy Assurance: Bridging the Gap Between Preference and Practice", in C. Lambrinoudakis, G. Pernul and A. M. Tjoa (eds.), Proc. TrustBus 2007, LNCS 4657, Springer-Verlag, Berlin Heidelberg, 2007, pp. 65-74.
- A. Greenberg, "Cloud Computing's Stormy Side", Forbes Magazine, 19 Feb 2008.
- R. Heatherly, M. Kantarcioglu and B. Thuraisingham (Computer Science Department, University of Texas at Dallas) and J. Lindamood (Facebook), "Preventing Private Information Inference Attacks on Social Networks", Technical Report UTDCS-03-09, February 22, 2009.
- L. F. Cranor, G. Hogben, M. Langheinrich, M. Marchiori, M. Presler-Marshall, J. Reagle and M. Schunter, "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification", W3C Working Draft, 10 February 2006.
- K. Moulinos, J. Iliadis and V. Tsoumas, "Towards secure sealing of privacy policies", Information Management & Computer Security 12(4), pp. 350-361, 2004.
- Privacy and Identity Management for Europe (PRIME), architecture reports. https://www.primeproject.eu/prime_products/reports/arch/
- T. Ristenpart, E. Tromer, H. Shacham and S. Savage, "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds", CCS'09, Chicago, Illinois, USA, November 9-13, 2009.
- M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, "Above the Clouds: A Berkeley View of Cloud Computing", UC Berkeley Technical Report UCB/EECS-2009-28, February 2009.
- A. A. Nyre and M. G. Jaatun, "Privacy in a Semantic Cloud: What's Trust Got to Do with It?", SINTEF ICT, NO-7465 Trondheim, Norway.
- M. A. Vouk, "Cloud Computing - Issues, Research and Implementations", Journal of Computing and Information Technology (CIT) 16(4), pp. 235-246, 2008. doi:10.2498/cit.1001391
- N. Santos, K. P. Gummadi and R. Rodrigues, "Towards Trusted Cloud Computing", MPI-SWS, HotCloud'09.
- European Network and Information Security Agency (ENISA), "Cloud Computing: Benefits, Risks and Recommendations for Information Security", 2009.
- Communications-Electronics Security Group (CESG), "Cloud Cover: Confidentiality Key Infrastructure".
- H. Burkert, "Privacy-enhancing technologies: typology, critique, vision", in P. Agre and M. Rotenberg (eds.), Technology and Privacy: The New Landscape, MIT Press, Cambridge, 1997, pp. 125-142.
- Information Commissioner's Office, "PIA handbook", 2007. http://www.ico.gov.uk/
- A. Patrick and S. Kenny, "From Privacy Legislation to Interface Design: Implementing Information Privacy in Human-Computer Interactions", in R. Dingledine (ed.), PET 2003, LNCS 2760, Springer-Verlag, Berlin Heidelberg, 2003, pp. 107-124.
- Salesforce.com, Inc., "Sales Force Automation", web page, 2000-2009. http://www.salesforce.com/products/sales-force-automation/