Cloud Computing Research

Question: Describe thebarriers to adoption and performance of cloud computing and alsoRisk Identification Matrix,Current EU Legal frameworks,Data Security Metrics? Answer: Introduction Cloud computing is a platform that allows IT Managers to use applications on demand(Mell Grance, 2012). Cloud computing provides flexibility as well as scalability and it saves on capital costs which is why it is adding significant value to businesses who are turning to cloud computing as a model for the use of IT in the enterprises. Cloud computing is application based on service oriented technology that can access information from a common pool of resources. The cloud computing has been increasingly popular in small and medium enterprises as well as used by some bigger organizations. It began with e-mail technology in 1971 and by 2010 we saw the launch of sales forced data basis(Rajaraman, 2012). Three major models of cloud computing are Infrastructure Services, Platform as a Service and software as a Service(Kulkarni, Khatawkar, Gambhir, 2011). Each of these models has different features and advantages. IaaS provides information to networks on demand; take cares of storage and m anages firewalls. Some examples of IaaS are Amazon EC2 and Eucalyptus(Cloud Infrastructure Service Management A Review, 287-292). PaaS is a feature of integrated design used for platform implementation and test development. Some examples of PaaS are Google App Engine and Wave Maker(Rymer Ried, 2011). SaaS is majorly used for collaboration within an outside organization and for managing productivity. Certain complex system such as Enterprise Resource Planning and Customer Resource Planning use this model. Some examples are sales force.com and App Exchange. Although cloud computing offers many benefits to the corporate but it has some barriers that have to be overcome. This paper discusses some of these barriers and ways to mitigated them. Such issues can result into poor performance of cloud and may also lead to loss of data. Thus, it becomes important to study potential barriers as well as make mitigation plans before a company plans to adopt Cloud Computing. This paper would identify various issues and barriers by studying Cloud Computing architectures and understanding potential weaknesses of systems. Further, the paper would explore how companies identify these issues and associated risks and arrive at a mitigation plan. Background One major barrier preventing adoption of cloud technology by enterprises is the perceived risk of using Cloud Computing in the minds of users. One common concern is that enterprises feel that Cloud Computing is less secure than traditional enterprise. However, the fact remains that Cloud Computing can actually be more secure in certain situations. Thus, in order to have expectable level of risks, a company must identify assets and make mitigation plans while adopting cloud technology. Risk identification and mitigation: There are five sources of risks to Cloud Computing. These include users, enterprise, network provider, cloud provider and environment(Catteddu Hogben, 2010). In practice, each of these sources are explored and a cloud Risk Identification Matrix is made and it is found if the risk is high or low depending on likely hood of a risk event, size of the impact caused and eases of mitigation(Gadia, 2011). This matrix creates a risk profile for a specific workload. Change on these workloads on the IT system can be further modifying on this risk profile. These Risks can be segmented into availability issues, integrity and confidential complied or auditing. Thus, the risk profile would include the information about type of risk, the origin of risk and the level of risk(Schotman, Shahim, Mitwalli, 2013). An example of such a matrix is shown below: Figure 1 Risk Identification Matrix User risk Users today access cloud over multiple devices and some of them are privately owned such as BYOD devices. These devices have limited control and thus the risk is higher. If such a device is stolen or lost the data can be accessed by anyone owing the device(Buchhloz, Dunlop, Ross, 2012). Users also used common applications such as Excel and E-mail that are posing high risks to corporate as they can be used for distributing sensitive data beyond the control of a company(Oracle Corporation , 2007). To ensure data protection on a user device, enterprises have to use proper controls. Enterprises risk It is often felt that a private cloud is more secure than a public cloud but in reality, enterprises rarely used industrial-grade data centers that can provide high security leaving scope for risks(Engine Yard, Inc., 2014). To mitigate such risk, cloud providers have to use more comprehensive security procedures. One concern area is enterprise identity access management (IAM). An incomplete understanding of IAM, which is the area of movement into cloud, can lead to risks(Wipro Council for Industrial Research, 2013). Thus, a proper governance process has to be used for IAM. Proper assessments of different sources of risk during migration to cloud computing have to be thoroughly understood. Network provider risk Cloud services can change network topologies and bandwidth requirements there could be two types of networks between the enterprise and cloud providers, and between cloud provider and the user. The network between the cloud provider and enterprise can be control but controlling communication between user and cloud provider is very difficult. Moreover, in case users are spread into wider regions, establishing control can compromise availability. Further, user sections are often high jacked such as done in Man in the Middle attacks(Mkrtchyan, 2010). Although encryptions are used such as in SSL for mitigating such risks, the network can still be broken into by attackers leading to bad impacts on confidentiality and integrity(RistiĆ¡, 2014). Thus, assessment of service quality, network topology and associated risk is required before designing a cloud solution. Cloud provider risk Risks may be caused by cloud providers related to their operations and these risks can affect the organizations. These risks are small but difficult to identify as well as predict the occurrence. It is often considered that service level agreements can solve operational risks but it does not provide any prevention to the occurrence of a risk event. SLAs can only impose incentives on service provider to manage impact events of high frequency but low frequency events are often neglected if such low frequency events go to extremes in attacking, the business can suffer huge losses(Huber Imfeld, 2011). A cloud service provider usually has a redundant server but may not have a disaster recovery for managing for such extreme events(Chen, Longstaff, Carley, 2004). Environment risk Some risk can be caused by political scenarios or natural disasters. For instance, the blogging of Google by Chinese Government in November 2012 has affected business using Google docs as they have denied the services(Hathaway, et al., 2012). A similar issue was caused by the US patriot act on data privacy. United State demanded access to corporate data, which was forbidden by European Union. This resulted in enterprises caught in the middle of the two policies. Natural disasters can cause severe impacts on security of an IT infrastructure. For instance 2011 tsunami of Japan led to Fukushima nuclear energy plants resulting in power shortage(AKIYAMA, SATO, NAITO, NAOI, KATSUTA, 2012) and 2012 Hurricane sandy disrupted services in developed areas of the US. Key concerns that act as barriers to cloud Computing are data availability issues, data security concerns, legal or compliance issues and loss of control over data(Shinde Chavan, 2013). In a mitigation plan for overcoming barriers to Cloud Computing, each of these inhibitors had to be explored and their potential risk has to be studied. The plan would include ways to mitigate these risks. Barriers to Cloud Computing Availability issues: In cloud computing, services are made available on demand. High availability is the demand of all companies adopting cloud computing(Emerson Network Power, 2012). Certain concerns that are important or maintaining high availability include network vulnerability, storage failure and redundancy. Node failure is the biggest concern causing failure in cloud computing. Although there are many applications that work to avoid network failure, they are unable to provide full functionalities and thus, complementary cloud deployments may be done(IBM Global Technology Services , 2011). To prevent network failure, a standard practice followed by major applications is provision of Virtual IP addresses in addition to the static IP for cloud computing. A pair of virtual machines would have static IPs but each of them would be configured to dynamically possess a virtual IP address. In case of failure of one machine, IP address switches to other machine, which can then serve all the traffic. This type of arrangement is called as Active/Passive configuration in which one machine out of a pair of virtual machines is active and other is on standby. This ensures that the cloud remains available even in case of failure. Another challenge may arise in availability if a cloud service provider is taken over by another larger organization resulting in major changes in processes and functions. To avoid any difficulties in such cases, data is prepared in a format, which can be easily imported into the replaced application. A technique, which is used for improving availability, is mirroring in which pair of two disks are created over single disk such as done by RAID 1 Mirror pair. Each of the mirrored disks in such case has the complete data, which allows one to use either of the two disks anytime. If one disk fails, other can be used for obtaining data and thus, the availability of the cloud is increased. For even stronger level of security and availability of data, mirroring can be used on more than one disk. For instance, in RAID 5, there are four identical disks(Gupta, Pande, Qureshi, Sharma, 2011). Data security concerns There are four different types of deployment models and three types of service models. Different forms of Cloud Computing based on these models have different characteristics, collaboration opportunities, and flexibility and thus face different risks. Thus each of the three firms and each of the four deployment models has to be studied to accurately assess associated risk and build a security plan. Each combination of the deployment and hosting models has its specific risk considerations related to threats, response and jurisdiction. Thus, while moving to a cloud technology a risk based approach based on these risk parameters of combinations have to be considered and IT manager has to find the best deployment and hosting combination for risk tolerance and identify security control requirements for this selection. Certain steps may be followed for identification of the best combination. These are: Determine IT assets that are included for cloud deployment. Determine the importance of each IT asset to the organization. This includes assessment of availability, confidentiality and integrity requirements of the assets. It also includes understanding the impacts of the risk on the asset and its parts. Certain questions may be asked to gain this understanding such as: Is there a sensitive data that cannot be placed into the cloud? Is there any application providing a competitive advantage that could be lost in the cloud? Determine deployment models that the organization is most comfortable with. For instance, a critical application can be so important that the company may not want to move it to public cloud. On the other side, a non-critical low value data application would not require a private deployment or extensive security. Each layer of the deployment models has to be studied with a focus on control requirements of the organization(Hurtaud Vaissire, 2011). There are certain information security standard and compliance frameworks that are established for providing security control to cloud computing such as ISO/IEC 27002, NIST SP 800-53 and PCI DSS to choose appropriate framework, a risk based approach has to be taken that means specific risk for the combination of cloud model and deployment have to be identified. Further, potential exposure of information assets to these risks has to be considered. Further, a clear division of responsibilities of risk management between cloud provider and subscriber has to be established. An example of division of control responsibilities between cloud provider and subscriber for SaaS model is shown below: Security Components Security requirements (not exhaustive-for illustrative purpose) Cloud subscriber Cloud provider Identity and Access Management (IAM) While designing IAM solution it controls both current and anticipated requirements. Use access control life cycle that are role-based and secure their authorization. A line access control with requirements of customer as well as regulators. Enable least privilege access. Cyber Threat Revise standards and policies related to vulnerability assessment on the basis of risks. Standards used for winder management should be matured. Security monitoring must be done according to vulnerability management program. Use encryption. Use code reviews at application level and build stringent processes for software development lifecycle. Enable notification for any changes in processes. Privacy Revise programs and privacy statements based on geographical challenges also defines these processes and practices. The processes developed for handling sensitive data must define protection processes, standards and expectable use of data. Establish a process for reporting unauthorized access. Security Operations Security operations and standard policies must be created explicitly. A policy-based approach must be used while accessing cloud services. Establish security operation center; define assessment reporting and responses, considering policy-based approach for managing systems. Regulatory The selected vendor must support regulatory requirement of the information asset. The compliance of the vendor program to the requirements of the contract has to be studied. Multiple regulatory requirements may be studied for creating a security framework for managing control. Resiliency and Availability Standards and policies for enterprise continuity have to be redefined to incorporate backup and replication of data and availability metrics as well as standards must be reestablished. Define replication, failure and reconstitution processes as per disruptions. Assess availability related comments against SLA compliance. Change and release management policies must be used. Use code reviews at application level and build stringent processes for software development lifecycle. Enable notification for release and change management. Have acceptance processes for self-service changes. Enterprise Resource Planning(ERP) Establish standard and security policies for ERP and data usage. Define acceptability for using data basis and ERP modules. Data protection, excess provision and security zoning must be established. A single sign-on with strong authentication should be established in the basis of consumer role. For having an efficient mitigation strategy, some security requirements have to be complied by cloud providers including contractual protection, security audits, certifications and standards. Contractual protection makes a vendor use acceptable practices and it can also take care of termination. Security audits can be conducted onsite, tested remotely or done by third parties. Providers must certify the control environment to be used. Further, consenters is required for choosing leverage standards. Legal or compliance issues: Legal framework for cloud computing involves liability, data protection, data portability, application law, compliance and copywriting which changes in technologies of cloud computing, there was an evaluation in the European Union legality framework. At the time of .com hype copyright was added to the directives and by the time Web 2.0 was used as Software as the Service data retention directive was imposed. Figure 2 Current EU Legal frameworks European Union loss applicable to data protection and privacy are defined in the EU Directive 95/46/EC. Additionally, countries have their national acts defined for the same such as Belgian Act, 1992. EU Directive 95/46/EC: As per this directive, data processing systems are made for serving humans and thus these systems must take care of their fundamental rights including privacy, social progress, economic progress and trade expansion. Different individuals depending on their locality need different level of protection as personal data floats across different nations, maintaining this protection can become obstacle to economic progress if national laws protect such a flow from other nations. Thus, the directive states that the level of protection must be equivalent in all member states of a community or a country to overcome this barrier(Union, 1995). Cloud Computing has several challenges related to data management. It is difficult to find the effectiveness of control on the data. Moreover, this issue is further amplified when the data flows across the world. The directive had been useful in overcoming data protection barriers to the flow of data such that economic activities could be enhanced. The directive allows data flows from European Union to other countries only when the other country provides adequate protection. This rule indirectly promotes commercial relationship with European Union. Such a choice of adopting European standards or losing commercial relationships for data flow across borders was also faced by United States that came to terms with EC. The European regulation primarily includes data processing lawfulness and data quality, right to access data, consent by subject based on data processing information, confidentiality and security of data. The EU model provides way to correctly identify responsibility and the responsible person for ensuring data protection. This model is useful even when services are used from service providers working in countries that have low levels of data protection. The applicability of the regulation on cloud service providers depend on nature of user activity, type of data and location of data processing. The directive does not apply if a person is sharing data personally but if the data is generated by a service this may involve asking personal details to users for some purpose like marketing, the data has to be under the control of service provider(Mantelero, 2012). Loss of control over data: Data control is a major concern when a third party is involved in Cloud Computing. A regulatory compliance would require third party to provide transparency, which can affect the momentum of the growth of cloud. Thus, many companies use private clouds to avoid such barriers. However, acquisition of a private cloud is the significant cost and thus consumers tend to use public cloud. There are benefits to using the public cloud such as cheaper data availability and cost efficient data analysis but public clouds have impacts on the privacy of the data negatively. Because of such concerns of privacy, people often anonymous their information. There has been major problems seen in guarding private data which is why EPIC called Google applications for improving privacy guards. As a result Google used 18 months retention policy which allows saving of such data for 18 months after which the data is anonymised. This means identity related data such as IP addresses would be removed after this time span. However, this anonymisation can cause issue when the data is required for analysis. For instance, a data mining applications requires relationship and transactional information of users and anonymisation makes it difficult to have. Authentication by users is being used in cloud computing as a security measure. The security of users is managed by cloud service provider and thus users do not have to bother about data loss. However, increasing use of cloud for data storage increases threats of phishing and stealing of excess credentials. Some services create mash-up of data, which further increases the risk of data leakage. A central access control can to a great extent solve such issues but they are not desirable in a public cloud setting. For instance, Facebook is used for applauding personal data, which can be used by Facebook as well as third party applications running over it. Such applications may not be verified by Facebook opening an opportunity for these applications to create malicious code and steal sensitive data form Facebook(Chow, et al., 2009). New solution To design a new solution for overcoming barriers to cloud computing each of the barriers have to be explored for identification of issues and finding ways to mitigate them. Next, is discussed these issues with respect to the mitigation of these barriers as per the identified problems or risks discussed earlier in this document. Availability issues: Availability is defined by the percentage down time per week, per month, per year. Service level agreements are made on the basis of promise of this availability. For instance, an SLA may promise a customer 99% of availability which would mean that the down time of the system would be 1.68 hours per week, 7.20 hours per month and 3.65 days per year. There can also be multiple availability zones or regions such as in the cases of Google and Microsoft. A violation of such an SLA can make the user eligible for refunds. For instance, Amazon gives the credit of up to 10% of monthly bill as refund in case of such violation. HP has kept this cap on credit at 30%. The cost may be calculated for the resources that are failed such as compute only or storage only. Thus in order to ensure that there are no complications in terms of availability, a service provider must define availability zones and have SLA agreements for acceptable downtimes. These agreements will improve commitment level of service provider and would provide protection to the user. Thus, the user would have more confidence over the use of cloud service(Dimension Data, 2013). Legal or compliance issues: To avoid legal issues, the cloud computing applications and related arrangement must comply with regulatory directive. For this, identification of directives to be followed becomes necessary. Thus, the controller of application feature or data has to be identified and the applicable law has to be understood. Further, one should explore if the applicable law is outside EU. The data controller is the party that defines the purpose of processing and data processer processes the data. The responsibility of adherence to directive can be on controller or processor. Data subjects liability is on controller and thus the controller ha to choose data processers and make arrangements for protection. EU legislation to an extent has the opposite purpose of cloud computing while cloud computing believe in removing direct control, EU legislations wants to control data. A company or a service provider may choose to use a EU- based data center but it would result in very strict protection rules. There would not be any data transfer possible to countries that are outside EU without an educate level of protection. Thus, many service providers avoid doing this. But they have legally enforceable click-rape agreements. Cloud computing contracts can limit the liabilities of the host to certain level. Loss of Control over Data: It is difficult to protect data from outside of a system and thus, a system must deploy protection from inside. Such an approach of data protection can be called information-centric. This would require intelligence to be put in the data itself. The data should be able to describe itself and defend itself in respective of the environment it get into. One such method of self-protection is use of encryption, which is packed with usage policy. When such a data is accessed, the data will recreate an environment for security using virtualization techniques such that the data can be seen only after verification from a trustworthy receiver. Another area that can be worked upon for improvement in cloud services is provision of auditing. Currently cloud providers use manual auditing procedures such as SAS-70. However, if a trusted monitor or auditor can be installed on the cloud server for providing compliance proof to data owner and information in case of excess policy violation, the integrity of cloud system can be maintained. To create this proof of compliance, the monitor code has to sign and once this signed proof of compliance is received by the data owner verification of the code can be done and it can be found if the cloud server is compiling with the policy of access control. This would result in enhanced protection automatically. Although encryption can be a good measure for data protection, it can act as a barrier to cloud computing as it would limit the data use and indexing the data would become problematic. For instance, a clear text data can be easily searched but an encrypted scheme is difficult to find. State- of- the-art- cryptography has new tools to overcome these barriers. Versatile schemes of encryption allow computations and operations on these cipher text. For instance, predicate encryption allows the owner of the data to compute capabilities from the secrete key. This capability can be used for encoding a search query such that the cloud can use the capability to find the documents matching the search query without the need to obtain additional information. Other encryption methods such as homographic encryption and private information retrieval (PIR) can perform computations without the need of decrypting the data. The cryptography cannot only endure privacy but can also address other security concerns. For instance, proofs of retrieve-ability can be used for to ensure correct storage of client data on a server. Data Security: Data security ids a primary challenge in cloud computing and in order to maintain it a service provider needs to have an encryption schema, access control and backup plan. Normal data encryption can affect the efficiency of process of searching making it difficult to conduct active research. Thus, techniques like homomorphic encryption and searchable encryption can be used. But even such techniques have limited usage as they cannot be deployed for large-scale environments. To have an excess control, some privileged excess to the user data may only be given to cloud administrators. Moreover, the backup plan is required to explain the compliance to legal requirements, location of user data, and separation of user data from other users, system restoration capacity, and backup available for recovery and data replication. Further, the data must have a standard format while making it available to users. Security monitoring is required to be done against SLA agreements. Thus security SLAs must defined the security monitoring architecture, configuration, and administration and performance metrics(Vitti, Santos, Westphall, Westphall, Vieira, 2014). Figure 3 Data Security Metrics Evaluation The performance monitoring of the cloud can be used to understand its capabilities and evaluate it to understand if the cloud is able to deliver expected services. This monitoring can be done from the point of view of the service provider or from the view of customer. Various performance measures would include evaluation of infrastructure performance and application performance. Infrastructure performance would be judge by evaluating infrastructure components such as network, storage and virtual machines. It may be difficult to check the performance and judge it against each component and thus infrastructure response time is the measure used for defining infrastructure performance. In addition to this key metric, other resource utilization metrics may also be found such as CPU usage, disk usage, disk latency, percentage busy or ready or used, network bytes, host system state and resource usage, virtual machine state and configuration. For understanding application performance, application resource time is calculated. There are several other parameters that a give the view of cloud performance such as virtualization metrics, transaction metrics and resource utilization. After the performance data is collected reporting is done by analyzing the performance to give a clear view of resources and usage requirements such that a plan can be for the SLA(V, 2012). Figure 4 Cloud Computing The solution proposed here is taking care of all these requirements of monitoring by exploring four major types of issues including availability, data loss, data security and compliance for preparation of SLAs and thus, can be used for as a sound solution to building a sustainable cloud model. Conclusion Cloud computing consists of multiple computers connected together and are made available for processing information technology. It has become a widely used model in the world because of its cost effectiveness and availability. However, the technology also faces certain challenges creating barriers to its adoption or to its performance. The aim of this paper was to explore these barriers, identify associated risks and come up with mitigation plan for overcoming these barriers. Major risks identified in the research were user, enterprise, network, cloud or environment generated. Further, a classification was made to categorize these risks into major issues caused in cloud computing. These were information availability, data loss, data security and legal compliance. The paper explored each of these parameters and identified some major issues in these areas. These were node failure, cloud server downtime, legality framework compliance, privacy impacts, national data laws and more. A solution was proposed for mitigation of barriers in each of the category. For managing availability issues, a service provider must deploy redundant RAID servers that can take the data requests in case of a machine failure. Further, the availability must be defined on the basis of acceptable down time in the SLAs that stand as agreements between user and the service provider to ensure suitable availability. For managing data security, three main processes were suggested for service provider including data encryption, data control definition and backup planning. For ensuring compliance, a service provider can choose to deploy EU complied cloud systems depending on the level of acceptable restrictions. To prevent data loss, an information-centric system must be deployed which makes the data itself strong enough to protect itself through encryption such that it creates a security environment at the destination and displays itself only after the destination user authenticates itself. The solution covers all major issues and thus, can be evaluated as efficient but without having a performance monitoring in place, the evaluation cannot stand confident. Thus, a performance monitoring process was discussed for deployment in the evaluation. In a future research, a real case study can be taken and a cloud service can be monitored using the method after applying the proposed solution. This would reveal the actual efficiency of the suggested solution. References Mell, P., Grance, T. (2012). The NIST Definition of Cloud Computing. National Institute of Standards and Technology. Rajaraman, V. (2012). HISTORY OF COMPUTING IN INDIA. Bangalore: IEEE Computer Society. Kulkarni, G., Khatawkar, P., Gambhir, J. (2011). Cloud Computing-Platform as Service. International Journal of Engineering and Advanced Technology , 115-120. Cloud Infrastructure Service Management A Review. (287-292). IJCSI International Journal of Computer Science , 2 (2). Rymer, J. R., Ried, S. (2011). The Forrester Wave: PlatformAs-A-Service. Forrester. Catteddu, D., Hogben, G. (2010). Cloud Computing: Benefits, risks and recommendations for information security. ENISA. Gadia, S. (2011). Cloud Computing Risk Assessment : A Case Study. CISA. Schotman, R., Shahim, A., Mitwalli, A. (2013). Cloud Risks - Are we looking in the right direction? Canopy Cloud Ltd. Buchhloz, D., Dunlop, J., Ross, A. (2012). Improving Security and Mobility for Personally Owned Devices. Intel IT. Oracle Corporation . (2007). The Risks of Metadata and Hidden Information . Oracle. Engine Yard, Inc. (2014). Security, Risk, and Compliance. Engine Yard. Wipro Council for Industrial Research. (2013). IDENTITY ACCESS MANAGEMENT IN THE CLOUD. Wipro Technologies. Mkrtchyan, G. (2010). Caf Jacking. CrossSocial Security LLC. RistiĆ¡, I. (2014). SSL/TLS Deployment Best Practices. Qualys SSL Labs. Huber, C., Imfeld, D. (2011). Operational Risk Management in Practice: Implementation, Success Factors and Pitfalls. RodexRisk Advisers LLC. Chen, L.-C., Longstaff, T. A., Carley, K. M. (2004). THE ECONOMIC INCENTIVES OF PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET INFRASTRUCTURE. Carnegie Mellon University . Hathaway, O. A., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., et al. (2012). THE LAW OF CYBER-ATTACK. California Law Review. AKIYAMA, N., SATO, H., NAITO, K., NAOI, Y., KATSUTA, T. (2012). The Fukushima Nuclear Accident and Crisis Management. Shinde, S. A., Chavan, V. (2013). Data Security in Cloud Computing: Major Concerns and Implications . National Conference on Emerging Trends: Innovations and Challenges in IT (pp. 1-4). G.H. Raisoni College of Engg Mgt. Emerson Network Power. (2012). Taking the Enterprise Data Center into the Cloud. Emerson. IBM Global Technology Services . (2011). Security and high availability in cloud computing environments. IBM Corporation. Gupta, A., Pande, P., Qureshi, A., Sharma, V. (2011). A proposed Solution: Data Availability and Error Correction in Cloud Computing. International Journal of Computer Science and Security , 5 (4), 405-413. Hurtaud, S., Vaissire, L. d. (2011). How to ensure control and security when moving to SaaS/cloud applications. Deloitte. Union, e. (1995). DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. Official journal of the European Communities , 31-39. Mantelero, A. (2012). Cloud computing, trans-border data flows and the European Directive 95/46/EC: applicable law and task distribution. European Journal of Law and Technology , 3 (2). Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., et al. (2009). Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control. Chicago, Illinois, USA: Fujitsu Laboratories of America. Dimension Data. (2013). Comparing Public Cloud : Service Level Agreements. Dimension Data. Vitti, P. A., Santos, D. R., Westphall, C. B., Westphall, C. M., Vieira, K. M. (2014). Current Issues in Cloud Computing Security and Management. Florianopolis, Santa Catarina, Brazil: Federal University of Santa Catarina. V, V. (2012). Performance Monitoring in Cloud. Banglore : infosys.