Bryan School of Business and Economics
  1. Dean's Welcome
  2. Programs/Departments
    1. Accounting and Finance
    2. Business Administration
    3. Consumer Apparel and Retail Studies
    4. Economics
    5. Hospitality and Tourism Management
    6. Information Systems and Operations Management
    7. My Bryan MBA
    8. Online Programs
  3. Faculty & Staff Directory
  4. Financial Aid
  5. Services
    1. Bryan Career Services
      1. Graduate
      2. Undergraduate
    2. Undergraduate Student Services
    3. Study Abroad
  6. Centers/Offices
    1. Executive Education
    2. Center for Business & Economics Research
    3. Office of Research
    4. BB&T Program
  7. Bryan School On-Campus Laptop Policy (PDF)
  8. AACSB Logo

Cybercrime expert expresses concerns about cloud security


Nir Kshetri More and more computer users are using cloud providers to help aggregate their information, but the security policies of those providers haven't kept pace with their growing popularity. That's the assessment of Dr. Nir Ksherti, an associate professor of business administration in UNCG's Bryan School of Business and Economics, who presented his findings on cloud computing and cybercrime to the International Telecommunications Union, the leading United Nations agency for information and communication technology issues.

Cloud technology is the newest thing in computing. Advertised widely by giants such as Google, Amazon and Windows, it allows corporations or individuals to store data remotely, that is, not on their computers. The technology provides data, software, storage and other applications via the internet. Documents and information can be stored at remote locations -- even in other countries.

"Cloud security is the major concern now," Kshetri said. "Cloud providers have very, very sophisticated technology, but it is nascent, or emerging, technology. As a very new area, whatever security mechanisms have been used in the past, they might not be applicable to the cloud, so they have to develop new types of security."

Kshetri, the author of "The Global Cybercrime Industry: Economic, Institutional and Strategic Perspectives," a book that examines the rapidly growing cybercrime industry, cites several points in his concerns about cloud security:

  • Large cloud suppliers, such as Amazon and Windows Live, are much bigger than their individual clients, making them attractive targets. Information stored in clouds is a potential goldmine for cyber-criminals. The cybercrime industry is enormous, valued at an estimated $1 trillion.
  • The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to the cloud technology development. Compliance frameworks do not clearly define the guidelines and requirements for data stored on the cloud. Cloud computing thus poses challenges and constraints for companies that have responsibilities to meet stringent compliance related to these frameworks and reporting requirements for their data.
  • The cloud has several important new and unique features, which create problems in writing contracts. Some argue that, if a cloud provider files bankruptcy, a court might consider data stored with the provider as an asset of the provider. Currently, it is not clear whether legislation in jurisdictions of the user's location, the provider's location or the data's location will govern the protection of the data stored in the cloud.
  • Reduction in user control is an obvious concern because cloud users don't have access to the hardware and other resources that store and process their data. There is no physical control over data and information in the cloud. Moreover, while the client has no control over the data managed by the cloud provider, cloud services contracts often stipulate that data protection is the user's responsibility. A case in point is Google. The company provides security and privacy assurances to its Google Docs users unless the users publish them online or invite collaborators. However, Google service agreements explicitly make it clear that the company provides no warranty or bears no liability for harm in case of Google's negligence to protect the privacy and security.
  • Proximity. From the standpoint of security, most users prefer computing and security to be local.
  • Outage problems. Popular clouds such as Google's Gmail, Amazon S3, and those of Salesforce.com and Microsoft have suffered outages.

"Also there are complicated legal and regulatory issues which are typical for many new industries," said Kshetri. "In all industries, the technologies usually develop faster than the regulatory authorities can handle them. They don't necessarily tell a customer where your data will be stored - maybe China, or India or South Africa. If you are a cloud provider in the United States for a client in the U.S., with the data being stored in China, there may be very complicated issues if there is any dispute over which regulatory authority applies."

More than 40 percent of cybercrimes are done by internal personnel, so depending on the culture of the country, Kshetri said there may be an insider risk. Also, cloud providers may be reluctant to alert clients if there is a data breach and something has been stolen. Trade associations and industry groups are developing regulations and are seeking laws from governments to combat these issues.

"It is impossible to design a security software that is infallible; there are always some flaws," said Kshetri. "In the cloud's case, the clients need to make sure their data will be safe. Also, when a cloud contract is about to expire, how will the data be transferred? Many large companies may have to develop a private cloud to maintain security."

When Kshetri spoke on cybercrime last December his audience was about 200 senior telecommunication and security officials from corporations and countries, many from developing countries like China, India, African countries.

Among other things, he reported that global cybercrime is big enough to call it an industry, and that cybercriminals are expanding their operations. Major players include the Russian mafia and the Japanese yakuza.

"Three or four years back, the people who monitor this said that cybercrime is bigger than the drug industry, which is estimated to bring in $105-$110 billion annually," said Kshetri.

Kshetri said that many cybercrime operations are located in economies with a lot of highly skilled people, but without a well-developed information technology infrastructure or industry where they can find employment. Examples he cites are Russia, Belarus, Romania, Ukraine, China and Vietnam. In addition to IT skills, they also employ social engineering skills, and are well-versed in social media such as YouTube and Facebook.

Kshetri said that laws are not really well enforced in many of the countries where cybercrime flourishes. The governments are not really concerned with enforcement if the cybercriminals are not harming their own countrymen. "Why should Russia be concerned if they are harming customers outside Russia?" asked Kshetri.

 

Page updated: 10-May-2011

Accessibility Policy

The Bryan School of Business and Economics
The University of North Carolina at Greensboro
PO Box 26170
Greensboro, NC 27402-6170
VOICE 336.334.5338
FAX 336.334.5580
EMAIL uncgbryn@uncg.edu