The Cloud. You can’t see it. You can’t touch it. But you hear it mentioned nearly every day. Either someone just stored something in the Cloud or someone is having trouble accessing the Cloud or someone is worried that what he put in the Cloud is not secure. This amorphous being—a universal computing and storage system—has become a large part of our daily lives.
While you may think the idea of the Cloud is very much 21st century, that is not the case. According to Computer Weekly people were dreaming of universally connected computers decades ago: “the idea of an ‘intergalactic computer network’ was introduced in the sixties by J.C.R. Licklider. . . . His vision was for everyone on the globe to be interconnected and accessing programs and data at any site, from anywhere” (ComputerWeekly.com, March 2009). He wasn’t alone in imagining the future for computers; John McCarthy, who gave us the term “artificial intelligence,” envisioned computer functions as more a “public utility” than, say, just a business function. So even in the pre-microprocessor days, at a time when a computer filled up a room or floor in an office building, people were thinking ahead.
Were they also considering the dark side of interconnected computers—the vulnerability of private information, whether it was details on a business’s operations or a top-secret government project? Most definitely. As computers moved to desktops in the 1980s, so did “worms” and “viruses,” what we today know as malware, intent on doing damage at various levels. And as the Internet developed and grew, more data faced the potential of exposure. Today computer security is a billion-dollar industry as companies and governments—and even private citizens—try to protect themselves and their networks from cyber-attack.
Dr. Syed Rizvi, assistant professor of information sciences and technology at Penn State Altoona, has been doing research in cloud security for last few years. He says, “The emerging cloud computing paradigm provides numerous advantages” and yet people are uncertain about using it. “Organizations want to take advantage of this new computing paradigm– however they are hesitant to join the Cloud because they have serious security and privacy concerns. Once an organization outsources its customer’s data to a cloud, they lose control over the security. Therefore, they want to know what security measures the service provider is taking to ensure the security and privacy of their customer information.”
“There is clearly a trust deficit between cloud users and providers, which hinders the widespread use of the Cloud,” Rizvi says. “To fully adopt the Cloud as a new computing paradigm, we want to reduce that trust deficit, which will surely benefit all stakeholders including the customers and the service providers.” So how does a cloud provider convince skeptics that their data will be secured? Rizvi is hoping to answer that in his current research. “Our goal is to develop some sort of security evaluation framework which would provide scientific ways to measure the security readiness of service providers. This will help the organizations to choose a service provider that satisfies their security preferences/requirements and eventually this will establish the trust between the customers and providers.”
Where does one start to build that framework? In this case, in a possibly surprising place. We have all become accustomed to having our questions answered by a simple Internet search. One much utilized Internet function is as a forum for feedback. People review everything from restaurants to home repair services to shipping efficiency. Service providers encourage those reviews to expand their businesses and gain new customers. Cloud service providers (CSPs) are subject to those same reviews and prospective consumers have access to those reviews. But that still may not give the business owner the information he or she needs to select the right CSP.
This is where Dr. Rizvi’s work comes in. First, it is important to identify what a business owner needs in cloud services. Then, Rizvi says, “we use our system to evaluate the potential CSPs and come back to the business owner with the most suitable CSPs for that business’s needs. But it’s up to the business owner to make the decision.” He says, “We want to build a system or a framework that can facilitate the customers (cloud users) as much as possible so that they can make informed/rational decisions in choosing the right service providers.”
Students Christopher Gates and Katie Cover, presenting their poster “A New Cryptographic Protocol for Secure Data Sharing in Public Clouds,” at the Undergraduate Research Fair, Penn State Altoona, April 2014.
Students Christopher Gates and Katie Cover, presenting their poster “A New Cryptographic Protocol for Secure Data Sharing in Public Clouds,” at the Undergraduate Research Fair, Penn State Altoona, April 2014.
For his research, Rizvi has recruited a number of Penn State Altoona students to work with him. John Mitchell, a senior majoring in security and risk analysis, was Dr. Rizvi’s research assistant in 2014. “Mainly what we focused on was cloud computing,” Mitchell says. “You don’t want a third party handling your data. We looked at different vulnerabilities and the number of different ways in which cloud data can be exploited. For example, virtual machines offer attackers new ways to steal user data.” In July 2014 Mitchell presented a paper co-written with Dr. Rizvi titled “A Framework for Leveraging Cloud Computing to Facilitate Biometrics,” at the 2014 International Conference on Security and Management (SAM’14) in Las Vegas. He recognizes that he was fortunate to be able to work with Dr. Rizvi on some of his research projects as an undergraduate. “I learned a lot more than I ever would have learned in the classroom.” And when he interviewed for a job he will start after graduation, Mitchell says, “that’s what the interviewer talked about, my work in the Cloud. He brought it up and that was our main discussion point.”
Senior Katie Jo Cover chose security and risk analysis as her major because “I knew there were a lot of job opportunities,” she says. “I was one of Dr. Rizvi’s first-year students when he came to PSA. We just kind of connected and I talked to him about doing research and we went from there. The beginning of my sophomore year is when we planned to write out my first paper.” That led to a second and a third paper for meetings in Philadelphia and New York City. Most recently, Cover presented “Third-Party Auditor (TPA): A Potential Solution for Securing a Cloud Environment” (coauthored with Dr. Rizvi) at the 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing (CSCloud 2015) in November in New York, where she was also served as a session chair. About her meeting experience, Cover says, “It was not what I expected. They were all professionals, but they didn’t treat me like an undergrad. I went by myself and all the questions I knew the answers to.” After graduation Cover will continue working for Sheetz, where she interned and obtained, as she says, “real-world knowledge and excellent hands-on experience, such as Whitehat training, where I was taught the basics of legal hacking.”
Dr. Syed Rizvi, assistant professor of information sciences and technology, with student Nathan Showan, who presented a poster on “Investigating Security Issues in Cognitive Radio (CR) Networks” at the 2014 Undergraduate Exhibition, Penn State University Park.
Nathan Showan, now a senior at University Park, also worked with Dr. Rizvi on his research projects while at Penn State Altoona for his first two years of college. Majoring in security risk and analysis with the option of intelligence analysis and modeling, Showan worked on research with the integration issues of the Cloud and “cognitive radio.” He explains: “The FCC regulates the radio spectrum. Licensed (primary) users pay to have exclusive access to certain parts of the radio spectrum. The FCC is now considering allowing secondary (nonpaying) bandwidth users into areas that used to be restricted to primary users. The risk is that the secondary user might use the same channel as a primary user, which would degrade the quality of service for the primary user. Cognitive radio alerts the secondary user when that happens and tells the secondary user to move to another channel.” In part because of a class visit to a Washington, DC, think-tank, Showan hopes to work in public policy research when he graduates in 2016. “I really like public policy research because the work is so important and influential, not to mention the challenges. With public policy, there are multiple ways of looking at things, so dealing with these complex situations really adds to the excitement factor.”
An article on “The Future of the Cloud” (Forbes.com, July 8, 2015) paints a rosy picture of increased revenues and business growth as the Cloud becomes utilized more and more. But every step toward growth will bring more potential for vulnerabilities and more need for research and study on cloud computing. The “widespread adoption of cloud computing,” Rizvi says, can only happen once confidence in the Cloud increases, and that will not happen overnight; “trust grows over time.” But through their research Rizvi and his students are working to help that trust grow.
—Therese Boyd, ’79