Let’s start with specifying  what the title ‘cloud’ or ‘cloud computing’ is. According to the definition by the National Institute of Standards and Technology it is:

“a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider.”

In simple words, it is a situation where you are able to buy provisionally configured and working IT infrastructure (servers, networks, firewalls, drives, etc.) as a service. There are several levels of rendering this kind of services:

  • IaaS(Infrastructure as a Service) – which means that what you get as the service is only infrastructure (a server with a basic operating system, network, power supply, etc.) within which you can create any database engine, application server, etc.
  • PaaS(Platform as a Service) – you get a ready platform for running your applications. Platform is understood here as a ready installation of a database engine and application server with all mechanisms necessary to serve the application (for example, Proxy servers, load balancing, etc.) .
  • SaaS(Software as a Service) – in this model you get a concrete kind of service in the form of an application installed on certain machines and ready to use (for example, you get the logins and passwords that allow logging in to this application).

In each case, it is the service provider who is responsible for network configuration, ensuring continuity of the infrastructure operation and its physical protection. This means that the provider will make sure that power is always supplied and that the resources assigned to you are separated from the resources of other Clients so that they are not able to interfere with them. As a Client, you usually do not have influence on the kind and level of security; you can only trust the provider that the protection chosen by him will be sufficient.

By making the decision to walk into clouds you have to bear in mind a number of issues concerning the security of such solutions. Let’s discuss the main ones:

  • A part of your infrastructure will be located outside of your company. This means that other people may have physical access to it (depending on the server room security policy employed by the provider ) and that it is possible to remotely access it through the Internet. While you can somehow manage the Internet access (build firewalls, encrypt the connection, limit connection feeds only to your subnets), you will have no control over the server room security policy (which does not mean that it will be bad – more about that later in the article).
  • The amount of resources that you somehow have to manage increases (more technically in the case of IaaS, a little less in the case of PaaS and SaaS). One has to monitor them and react to issues.
  • What you get as a part of such service are de facto virtual resources shared with other Clients of the provider on physical machines and networks. It means that other Clients who purchased services from the same provider may more easily hack your resources (for example, sniff TCP packets).
  • You hand over the security control and management to the provider. Most often you will not have a possibility of carrying out your own penetration tests, while your access to logs of elements which are not included in your infrastructure will be limited or minimal. Usually, you will also have no influence on the choice of physical location for the machines that store your resources, nor will you be able to decide if some administration works are outsourced to other companies.
  • No matter how complex and expensive your SLA is, it will provide for a possible break time or non-operation time of your services.
  • At present, there are no legal norms regulating responsibilities of this kind of service providers and their receivers.

So, are clouds bad?

The answer depends on many factors. If you take a bank’s activity and its possibilities of building its own infrastructure dedicated to the bank’s needs and legal requirements that lie on it, then the answer is: clouds are not designed for such purposes.  No provider of this kind of services will be formally able to meet the specific security requirements (for example, unconditional continuity of operation) or handle the nature of bank systems.

However, if you compare it with a typical situation at a company: “we have to establish an internal e-learning system (or any other)”, then you get many advantages. First of all, much higher infrastructure reliability will be ensured at a lower cost.  Usually emergency power supply, redundant feeders, and internet links are out of reach for a standard company infrastructure, but are run-of-the-mill stuff for cloud computing services providers. The provider also guarantees efficiency of the equipment and, for example, in case of a server component failure, you are faced merely with a short break (usually a minimal one since the service is moved onto working machines, which a regular company would not be able to provide). Moreover, you do not have to worry about the cost of fixing such a failure. Similarly, in case of equipment wearing out you do not have to think about utilization of old components, their replacement with the new ones and about migration of your applications onto new machines – all of this will be taken care of for you thanks to the virtualization of services on the side of the provider.  Security level in the 'cloud' will also be much higher than  the one you could  reach on your own, because scale effect allows the provider to use much more expensive and better solutions.

This letter of praise, however, needs to touch upon a little glitch which appears along with terms 'sensitive data' or 'IGPPD' (Polish: GIODO). What I mean is data important for your activity not only because of legal regulations (IGPPD ), but also because of the nature of your business. No matter how effective physical and software security systems are used to protect the data in the 'cloud' from being lost or stolen, we do not have any influence on where this data is physically stored, as I already mentioned. Let’s see what regulations say about it:

The Regulation of 29 April 2004 by the Minister of Internal Affairs and Administration as regards personal data processing documentation and technical and organizational conditions which should be fulfilled by devices and computer systems used for the personal data processing:


§ 4. The security policy referred to in § 3 paragraph 1 shall include in particular:

1)     a list of buildings, premises or their parts comprising the area where the personal data is processed

Only few providers of cloud computing services may guarantee that.

Another issue – what happens if such a provider closes down (for example, goes bankrupt)? How can you retrieve your data? At this moment, nothing can guarantee recovery of such data.

Let’s have a look at successful implementations of 'Cloud computing':

New York Times used distributed clouds of Amazon servers for digitalization of its historic materials coming from 100 years of its activity. The whole process lasted mere 25 hours and cost USD 1500. About 100 virtual machines were used for computing.

Animoto  - provider of slideshow services for Facebook users. After the contract with Facebook was signed, the number of website users grew from 25,000 to 250,000 in only 3 days. Had it not been for virtual machines (4000 of them were created at that time), it would not have been possible to maintain continuity of the website operation. Imagine, how logistically and financially difficult it would have been if classic servers had been used. Purchasing and starting 4000 servers in 3 days is a considerably challenging task.

Cloud services on the Polish market are used by websites such as ''  (a social network website) for storing enormous volume of pictures and films as well as for scaling web services depending on actual demands.

Author: Maciej Liżewski, 3e Software House

General Data Protection Regulation

I agree to and accept that 3e sp. jawna will collect, make automatic decisions about, analyze and catalog information about Internet electronic addresses which have connected with the device I have used, information about the type of the device I have used, including the type and version of software installed on the device, for the purpose of determining my Internet activities (the user profile). Automatic decision-making does not involve sensitive data. The agreement is in force for the period when it is legally binding, or until a Party withdraws from the agreement. Withdrawing from the agreement shall result in removing the user’s profile.