MGMT6000 LiteratureReview 311200030

The document discusses security threats related to cloud computing adoption, specifically for law enforcement agencies. It outlines three main threats: data loss, insider threats, and issues with authentication and access control. For each threat, the document reviews potential causes and provides recommendations from other studies on how to mitigate risks, such as implementing strong access controls, regular backup procedures, separation of duties for employees, and multi-factor authentication. Overall, the document aims to help law enforcement agencies like the Royal St. Christopher and Nevis Police Force understand security challenges when moving to the cloud and strategies to enhance their protection.

Uploaded by

Nyamekye Powell

Introduction

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction (National Institute of Standards and Technology, n.d.). Appearing as a computational paradigm and a distribution architecture, cloud computing's main objective is to provide secure, quick, convenient data storage and net computing resources visualized as services and delivered via the internet (Murthy & Selvan, 2015).

After years of utilizing traditional information storage methods, the Royal St. Christopher and Nevis Police have chosen not to lag in technological advancement any longer and found it imperative to adapt to the new computerized world. Noting the influx of data, i.e. police reports, crime scene photographs, fingerprint processing, and classified information, the Police Force is seeking to implement cloud computing (Powell, 2020). With advantages such as cost savings, high speed, unlimited storage capacity, backup and restoration of data, automatic software integration, reliability, mobility and collaboration, the Police Force would benefit greatly from implementing the cloud. SaaS, PaaS and IaaS are delivery models that form the core of the cloud and are utilized within deployment models such as hybrid, community, private and public models.

Despite the perks of cloud computing, the Royal St. Christopher and Nevis Police Force may be vulnerable to threats found within cloud computing. Significant barriers to adoption include security issues such as data loss, insider threats, and authentication and access control (AAC); legal issues such as governance/control and compliance; and a performance issue such as availability.

Security Threats Issues

A rapidly growing investment, cloud computing is transforming how businesses use, store and share workloads, information and applications. Given the success of the cloud, lingering concerns about the cyber attacks that come along with it are no surprise. It has become a natural target of several security threats and challenges such as data breaches, insider threats and Authentication and Access Control (AAC) (Cloud Security Alliance Report, 2019).

Data Loss

Though it is highly unlikely that a cloud service provider will lose cloud users' data or suffer a full-service outage, the Police Force should consider the possibility of losing data while considering implementing the cloud.

Briefly, Aldossary and Allen (2016) listed ways data can be lost, including malicious attacks, server crashes, accidental deletion by providers and even catastrophic events. To assist in mitigating data loss, the authors indicated solutions suggested by the Cloud Security Alliance (2010). The recommendations included using a strong API for access control, analyzing data at run and design time, utilizing strong key generation, storage, destruction and management practices, and specifying backup and retention strategies.

Similarly to Aldossary and Allen, Wormeli (2012) indicated that one of law enforcement's main concerns, as it relates to data that is damaged, seized, or no longer accessible, is recovering lost data in cloud computing. Carefully categorizing different ways of losing data and mitigating factors, Wormeli (2012) proposes geographically separating, securing and duplicating redundant computing services as a way to avoid data loss from a natural disaster or a personal attack on the data center. The author also notes that disaster recovery is a design principle that is built into cloud services. Wormeli provides additional solutions for cases where data may be subject to disappearing if the cloud service provider goes out of business, goes bankrupt, has its assets seized or incurs financial trauma. The author suggested the use of multiple cloud services, ensuring that the methods provide multiple copies of the data.

As a law enforcement agency that deals with tons of information daily, the Police Force has to factor in how losing information can affect the organization and the importance of being able to recover the data. The authors barely gave enough solutions to soothe any concerns, as this specific issue barely has any other accessible scholarly research.

Insider Threats

Perceived as the next step in the evolution of information technology resource distributed systems (Truong, 2010), cloud computing, based on research, continues to be of great benefit to organizations. Despite the advantages of the cloud, second thoughts about security still exist. Frankly, using cloud services can affect the security of the organization's infrastructure; as such, the Police Force must know the threats and risks of introducing this paradigm. These threats include malicious insiders.

Malicious insiders are the people who are authorized to manage the data, such as database administrators or employees of the company offering cloud services, partners, and contractors who have access to the data (Aldossary & Allen, 2016). Who is more of a cyber threat to any organization than an insider? For obvious reasons: they are already inside. The authors stated that insiders, whether paid by competitors or acting out of malice, can steal or corrupt data just to hurt a company. Aldossary and Allen (2016) explained that cloud providers may not be aware of this challenge due to the inability of their employees. The paper provided solutions proposed by the Cloud Security Alliance (2010), which included carefully assessing the cloud supplier's practices, making supply chain management ID stricter, defining screening and hiring requirements as part of the legal contract with the supplier, having transparency in information security and all cloud service practices, and creating a system to notify of data breaches.

In comparison, Javaid (2014) went further in depth in his analysis of malicious insiders. Both papers stated that insider attacks are generally carried out by employees. According to the author, the culprit accesses cryptographic keys, files and passwords, allowing them to steal or damage information or commit fraud with it. Consequently, CSA (2013) stated that even with encryption implemented, if keys are not kept secure with the user and available only at data-usage time, the system is still at risk of an insider attack. Not having to breach external security barriers, insiders can easily bypass and bend security controls to engage in their criminal acts, thereby compromising. Based on the authors' research, insider attacks have been spiraling due to transparency issues in the processes and procedures of providing cloud services. Customers of the cloud are not familiar with the human resource practices of their service providers, nor with how access is granted to their employees. The Police Force should consider that, without raising red flags, insiders have different levels of access to confidential information or can take control of the cloud and pose a threat to the organization's reputation (Javaid, 2014). Javaid (2014) explained that an insider on the cloud provider's end can use methods such as phishing emails to trick users of the provider into doing things that are not their norm.

To mitigate the threat of an insider, it is important to implement policies to curb these persistent attacks; though difficult and costly, separation of duties is a concept suggested to do so (Javaid, 2014). A key concept of internal controls, separation of duties aims to prevent an individual from having all the permissions to systems necessary to complete a malicious attack. It allows an audit trail to track requested information and also underlines the surrounding governance.
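
As an added illustration of the separation-of-duties control described above (not code from Javaid or any other paper reviewed here), the following Python sketch flags users whose combined roles grant every permission in a sensitive combination, and logs each access request in a hash-chained audit trail. The role names, permission names, conflict rules and sample assignments are all assumptions constructed for the example.

```python
import hashlib
import json

# Hypothetical roles, rules and assignments for a cloud evidence store,
# all constructed for this example.
ROLE_PERMISSIONS = {
    "evidence_clerk": {"evidence:upload", "evidence:read"},
    "key_custodian": {"keys:read", "keys:rotate"},
    "records_admin": {"evidence:delete", "audit:purge"},
    "auditor": {"audit:read"},
}
# Permission sets no one person may hold: each is enough to act alone.
SOD_RULES = {
    "decrypt-evidence": {"evidence:read", "keys:read"},
    "delete-and-cover": {"evidence:delete", "audit:purge"},
}
ASSIGNMENTS = {
    "cpl_adams": ["evidence_clerk"],
    "sgt_brown": ["evidence_clerk", "key_custodian"],  # data plus keys
    "insp_clarke": ["records_admin"],  # a single role can already be toxic
    "ms_douglas": ["auditor"],
}


def effective_permissions(roles):
    """Union of the permissions granted by every role a user holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def sod_violations(assignments):
    """Map each user to the separation-of-duties rules their roles break."""
    findings = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles)
        broken = sorted(n for n, combo in SOD_RULES.items() if combo <= perms)
        if broken:
            findings[user] = broken
    return findings


class AuditTrail:
    """Append-only request log; each entry commits to the previous hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        payload = {k: v for k, v in entry.items() if k != "hash"}
        data = json.dumps(payload, sort_keys=True).encode()
        return hashlib.sha256(data).hexdigest()

    def record(self, user, permission, resource, allowed):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "user": user, "permission": permission,
                 "resource": resource, "allowed": allowed, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self):
        """True only if no recorded entry was altered or dropped mid-chain."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True


def request_access(trail, assignments, user, permission, resource):
    """Decide a request from the user's roles and log it, allowed or not."""
    allowed = permission in effective_permissions(assignments.get(user, ()))
    trail.record(user, permission, resource, allowed)
    return allowed
```

The chain only reveals tampering if its latest hash is also kept somewhere the logged users cannot write, since anyone able to rewrite the whole log can recompute every hash.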

Each author's analysis of the malicious insider was clear and concise enough to assist the Police Force as they consider cloud computing as an organizational value. Both studies provided substantial mitigating factors to avoid insider threats. After overcoming this challenge, it is only fair to assess the authentication and access control of employees.

Authentication and Access Control

Cloud computing offers different service and deployment models but presents challenges that can deter businesses from adopting it, such as Authentication and Access Control (Kumar, Raj and Jelciana, 2018). Within their paper, Kumar, Raj and Jelciana (2018) defined AAC as a process to verify and confirm the user's identity in order to connect to, access and use cloud resources. Private cloud authentication is similar to enterprise computing, which is done using a virtual private network, whilst a public cloud uses the internet to connect to the cloud service provider. The Royal St. Christopher and Nevis Police Force must note that, once a public cloud is implemented, according to Kumar et al. (2018), different users can co-exist within the same Cloud Service Provider (CSP), and its consumers can access applications from anywhere on any device, making it more susceptible to vulnerability. Also noted within the paper were tricks such as “phishing” and “dictionary attacks” used to manipulate the systems; as such, password-based authentication is not an effective way to secure a public cloud. The authors' suggestions to mitigate AAC security challenges were a few methods and standards that included the usage of multi-factor authentication (enables both identity and access management), single sign-on policies, biometric authentication (use of physical and behavioural human characteristics), the RSA cryptosystem, an Intrusion Detection System (IDS) and third-party identity management solutions (Microsoft Azure Active Directory and Okta identity management).

Keshavarzi, Haghighat and Bohlouli (2020) also listed authentication and authorization control as a common security challenge. The usage of remote computing resources for critical applications carries a risk that unauthorized individuals can degrade or abscond with sensitive law enforcement data (Wormeli, 2012). Similar to Kumar et al. (2018), Keshavarzi et al. (2020) explained that with authentication, the identification of applicants is verified, and the access level is controlled through authorization steps. The authors concluded that identity and access management is one way to preserve privacy and, as such, to combat AAC issues, an access control framework needs to be designed to integrate access policies of multiple domains. Keshavarzi et al. (2020), like Kumar et al. (2018), support the use of single sign-on as a way to mitigate authentication and access control challenges. In addition to the previously stated mitigation factors, specification frameworks such as Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML) were suggested by the authors for cross-domain access specification and verification. If the organization chooses to use identity federation over the single sign-on option, Keshavarzi et al. (2020) recommended the SAML and OpenID standards. Much of the earlier work dealt with authentication, but Keshavarzi et al. (2020) also dealt with the access control aspect. For access control, the authors recommended the Identity Management (IdM) method and also proposed the Role-Based Access Control (RBAC) model to control APIs as interfaces between customers and providers.

Both papers generated results in concordance with each other, as they both presented the definition of AAC, the issues surrounding AAC and ways to alleviate such issues. Keshavarzi et al. edged the former authors as they went further to discuss not only mitigation factors for the authentication issue but the access control aspect as well. After handling all security threats, it is now for the Police Force to get a grip on cloud computing performance issues and make an effort to control them.

Performance Issue

Various research has complimented cloud computing on its exceptional offerings in the Information Technology sector. Though this system has been shown to be advantageous, it also introduces challenges such as performance issues, more so availability.

Wormeli (2012) presented the definition, history and characteristics of cloud computing in his paper, “Mitigating Risks in the Application of Cloud Computing in Law Enforcement.” Like many other authors in this topic area, the author listed the many benefits of cloud computing. Among the many benefits, Wormeli (2012) identified “service availability”. Referenced in particular for public cloud providers, service availability was described as a hallmark of cloud computing. The author described the data centers as having built-in redundancy and environmental controls that are rarely found in law enforcement computer centers. The accessibility rate for users is generally higher than in local-level enterprise computing (Wormeli, 2012).

Surprisingly, in the same paper, availability was identified as a specific concern that law enforcement has about using cloud computing. Wormeli (2012) spoke directly to doubts about internet reliability. The Royal St. Christopher and Nevis Police Force has to take into account serious consequences that may arise due to internet disruptions. Availability is a matter of determining how much the system can be inoperable (Wormeli, 2012). Based on the author's study, the system can only be inoperable 5.26 minutes per year. Liu, Chen and Tung (2012) referred to a service interruption causing Google's mail service to be down for 30 hours, thus affecting thousands of people. Liu et al. explained that interruptions can cause businesses to suffer loss of goodwill and profit and, in the worst-case scenario, damaged data and leaked information. The issues regarding the reliability and availability of the internet are normally negotiated with cloud suppliers (Wormeli, 2012). Unfortunately, the author provided only one solution as it relates to internet performance issues: having a redundant way to connect, i.e. having both wired and wireless service to ensure the availability needed.

Also referring to availability as an issue of cloud computing were Rashmi, Sahoo and Mehfuz (2013). The authors explained that reliable and timely access to cloud data and computing resources relies heavily on availability. The concern is that a disrupted service can affect more users than with a traditional method. The Amazon cloud service disruption and the downtime of many websites, including Reddit and Quora, was a prime example. Instead of negotiating issues regarding reliability and availability (Wormeli, 2012), Rashmi et al. (2013) stated that cloud providers are required to ensure that systems are running efficiently and effectively at all times. The authors noted that, to add scalability and achieve high availability, cloud providers should make architectural changes at the application and infrastructure levels. Within the application, resiliency to hardware and software failures should be built in (Rashmi et al., 2013). Action plans and a disaster recovery system were suggested for users to consider in case of an emergency, as they ensure the safety of data during the downtime of a business. In contrast to the former authors, this study took a different approach by suggesting mitigation factors for availability based on cyber attacks carried out by disrupting the services of a host connected to the internet. Rashmi et al. (2013) proposed mitigation techniques such as synchronous cookies and connection limiting, and also suggested maintaining internal bandwidth that exceeds the provider-supplied Internet bandwidth, like Amazon. Also, Vandana, Nandhini, Balaji and Karthikeyan (2013) suggested how important it is to design a fault tolerance mechanism for dealing with faults such as node faults and network faults like disconnection, and suggested an approach called Byzantine Fault Tolerant Cloud (BFT Cloud) for tolerating different types of failures in voluntary resource clouds.

Although both papers are useful, and it also seems evident that these two approaches are mutually exclusive, clearly Vandana et al. (2013) open a scope here for a great deal more research as it relates to availability and anything related to connections. No matter the availability of the information, if this information cannot be used to properly indict criminals, the Royal St. Christopher and Nevis Police Force would lose in the long run. To effectively prosecute offenders, there is a need to overcome governance/control and compliance issues.

Governance/Control and Compliance Issue

As an entity that is governed by rules and regulations and should operate in accordance with the laws of the land, there is a concern about legal complications as it relates to implementing the cloud. As the Police Force transfers police reports, crime scene photographs, fingerprint processing, and classified information into the cloud, a question arises of whether or not the data would be admissible in a court of law.


Though there is significant research about digital forensics, research on the applicability of forensics to cloud computing environments is lacking (Dykstra & Sherman, ). The authors used hypothetical case studies to relate the state of digital forensics in the cloud. The cases presented issues that challenged the legality of the data stored, that is, the acquisition of the data (knowing exactly where the data is after storing and being able to access it at a later date) and the chain of custody of the data (the order in which items of evidence have been handled during the investigation of a case). Through the case studies, the authors were able to present a few subtle ways to provide solutions, such as using the legal vehicles of subpoena and search warrant to assist with data acquisition issues. The use of digital provenance systems to document all movements of the data was proposed to address chain of custody issues. Glisson, Grispos & Storer (n.d.) also indicated in their research that the chain of custody was a challenge in cloud forensics. The authors indicated that services can be accessed by any system with a network connection to the hosting cloud. Glisson et al., unfortunately, expressed the lack of work by researchers and practitioners in examining the practicality of obtaining control of a cloud service during an ongoing forensic investigation.

The Police Force has to remember that, as in traditional investigations, evidence gathered should be in accordance with laws and legislation. This applies to cloud computing investigations as well, and as such the appropriate legal and regulatory framework should be put in place before completing the implementation.

Conclusion

This literature review aimed to provide knowledge on the topic and discuss the issues of cloud computing and its safeguards as the Royal St. Christopher and Nevis Police Force seeks to implement cloud computing. Although there is a need for cloud computing to be better defined, the research from all the authors provided beneficial factors of using the cloud. Risks of implementing the cloud were listed in abundance but on most occasions were poorly discussed and lacked in-depth mitigating solutions. It must be noted that, while it may seem appealing to state the many positive outcomes of implementing cloud computing, there is still a gap between academic research and empirical observations that needs to be addressed. There is a call for future study to link cloud computing and law enforcement as a whole. This would assist in encouraging cloud forensics and addressing the regulations and laws that are necessary for the process.


References

Allen, W., & Aldossary, S. (2016). Data Security, Privacy, Availability and Integrity in Cloud Computing: Issues and Current Solutions. Retrieved from https://pdfs.semanticscholar.org/09fd/5326be429b39d75103ddd6550176c10e0ba3.pdf

Alan, J., & Sherman, D. UNDERSTANDING ISSUES IN CLOUD FORENSICS: TWO HYPOTHETICAL CASE STUDIES. Retrieved from https://www.csee.umbc.edu/~dykstra/Dykstra-UnderstandingIssuesInCloudForensics.pdf

CSA Releases New Research - Top Threats to | Cloud Security Alliance. (2019). Retrieved from https://cloudsecurityalliance.org/press-releases/2019/08/09/csa-releases-new-research-top-threats-to-cloud-computing-egregious-eleven/#:~:text=LAS%20VEGAS%20%E2%80%93%20AUGUST%206%2C%202019,Computing%3A%20The%20Egregious%20Eleven%2C%20a

G, S., & S, M. (2013). Securing Software as a Service Model of Cloud Computing: Issues and Solutions. International Journal On Cloud Computing: Services And Architecture, 3(4), 1-11. doi: 10.5121/ijccsa.2013.3401

Kar, S. (2020). CSA Report: Top Nine Cloud Security Threats in 2013 – Cloud Times. Retrieved from http://cloudtimes.org/2013/03/07/csa-report-top-nine-cloud-security-threats-in-2013/

Keshavarzi, A., Haghighat, A., & Bohlouli, M. (2013). Research Challenges and Prospective Business Impacts of Cloud Computing: A Survey. Retrieved from https://arxiv.org/ftp/arxiv/papers/2005/2005.01475.pdf

Kruger, R. J. (2014). Cloud computing: An analysis of cloud computing issues & investigations (Order No. 1554505). Available from ProQuest Dissertations & Theses Global. (1527639023). Retrieved from https://search-proquest-com.library.open.uwi.edu/docview/1527639023?accountid=42537

Kumar, R., Raj, H., & Jelciana. (2018). Exploring Data Security Issues and Solutions in Cloud Computing. Retrieved from https://www.sciencedirect.com/science/article/pii/S1877050917328570

Liu, C. L., Chen, W. H., & Tung, D. K. (2011). Identification of critical security issues for cloud computing. Applied Mechanics and Materials, 145, 272. doi:http://dx.doi.org.library.open.uwi.edu/10.4028/www.scientific.net/AMM.145.272

Muhammad Adeel Javaid, (2014). Cloud Computing Security and Privacy. Computer Science and Information Technology, 2(5), 219 - 231. DOI: 10.13189/csit.2014.020501: http://www.hrpub.org/download/20140405/CSIT1-13501148.pdf

Nyamekye Powell, (2020). Annotated Bibliography: Implementation of Cloud Computing within the Royal St. Christopher and Nevis Police Force - Issues and Safeguards.

Truong, Dothang. (2010). How cloud computing enhances competitive advantages: A research model for small businesses. The Business Review, Cambridge. 15. 59-65: https://www.researchgate.net/profile/Dothang_Truong/publication/273447113_How_cloud_computing_enhances_competitive_advantages_A_research_model_for_small_businesses/links/554286940cf23ff716835f5e.pdf

Vandana, Aswathi & B, Saravana Balaji & Karthikeyan, N & Nandhini. (2013). An Overview on Performance Issues in Cloud Computing. International Journal of Engineering Research & Technology. 2. 2373-2378.

Wormeli, P. (2012). Mitigating Risks in the Application of Cloud Computing in Law Enforcement. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.638.178&rep=rep1&type=pd
