This chapter proposes a software prototype called 2thecloud, programmed in HTML and PHP under free software guidelines, whose main objective is to allow end users to be aware of imminent cloud dangers. To do this, the user must undergo a metacognitive process of basic risk analysis, which suggested result would be to what cloud the object should go. Through the use of this tool is expected that he / she can develop a risk analysis capability, so that in this way he/she is the one who makes the final decision about selecting between different cloud models (public, private, hybrid, and community) where the object will be placed. An important aspect is that the user has to understand that different cloud models provide different levels of security and this will allow him/her to question safety in other settings, given that it is a work that goes beyond simply encrypting and filtering information. It also presented 2thecloud functions and a description of each step that indicate how it operates. Finally, the authors propose four alternatives in risk analysis calculation, which are plausibly adapted to 2thecloud and if they are implemented they will provide different advantages.
TopIntroduction
Mr. Decker: Shouldn't we take every possible precaution?
Captain Kirk: Mr. Decker...
Mr. Spock: Captain. I suspect there's an object at the heart of that cloud.
Captain Kirk: Mr. Decker. I will not provoke an attack
Star Trek – The Motion Picture
Cloud computing is a design, instrumentation, management and information technology paradigm, oriented to offer the use of computing resources as services normally through a pay-per-use business model. For the user, the way in which the service is offered (software, platform or infrastructure) is unknown, and he/she only has to understand that the cloud is adapted dynamically to his/her needs and that can access to it from different places. This is thought mainly considering it as a way to make business in Internet that reduces costs to the final user (Mcfredries, 2008). From the point of view on how the cloud is conformed, a technical illusion is offered to the end user that simplifies his/her activity, given that the cloud reality is recognized and operated, that it is a jumble of connections of huge information repositories and various access points to diverse devices or resources (Krutz & Vines, 2010). This constitutes an Internet field where company data and software are allocated, according to previous agreements, service level contracts (SLC) agreed by the parties involved in that business model. So, under this conception, security has a secondary role since it is thought that the cloud has to be used and then provide it with desirable security levels. This is clearly stated as follows:
Security is a major concern when entrusting an organization’s critical information to geographically dispersed cloud platforms not under the direct control of that organization. (Krutz & Vines, 2010, p. 61)
Something relevant about the aforementioned is that users do not commonly think that when they make use of the cloud they are transferring part of the control they posses. That is to say, cloud service providers can physically place their data without requiring approval, even in other continents latitudes. CSP can decide who has access to that data in order to carry out technical operations as for instance routine data backs up. Moreover, the control over some security services such as confidentiality, availability, access control, protection against duplication, time and authorization, can be shared and transferred. The fact that some of that information would be encoded do not guarantee that an illegal copy of it will be made and a brute force attack applied behind the user’s knowledge, who would be believing that his/her data are still kept secret.
This means that the first critical consideration is ignored which it is relevant to pose when assuring appropriate cloud use, that is, what should or not go to the cloud?, that is because users commonly believe that the cloud is secure as they expect and that it is possible to move their data, applications or make use of any service (software, platform, hardware e infrastructure) with equal or higher confidence levels that private networks already have (Schneier, 2000). In this research we consider that such assumption is erroneous and as a result of it, in this chapter, an alternative of action is described to address this dilemma.
A software instrument called “2theCloud is presented, that adjusts to the proposed solution and was created to serve as support in the decision making process. A tool developed under a GNU free software orientation and mainly directed to users who do not have experience as security analysts. This tool is conceived to guide users in the decision-making procedure, about which information or resources can be placed or not in the cloud. Additionally, it helps the end user to understand his/her own sequence of actions towards getting a result through a metacognitive process and serves as a support mechanism, to know what basic elements should be taken into account during evaluating risks.