For this assignment, you will discuss what you have learned in Unit III and Unit IV by creating a 12-slide PowerPoint presentation that addresses the case studies below. Based on your reading of the c

Is Business Ready for Wearable Computers?

Wearable computing is starting to take off. Smartwatches, smart glasses, smart ID badges, and activity trackers promise to change how we go about each day and the way we do our jobs. According to Gartner Inc., sales of wearables will increase from 275 million units in 2016 to 477 million units by 2020. Although smartwatches such as the Apple Watch and fitness trackers have been successful consumer products, business uses for wearables appear to be advancing more rapidly. A report from research firm Tractica projects that worldwide sales for enterprise wearables will increase exponentially to 66.4 million units by 2021.

Doctors and nurses are using smart eyewear for hands-free access to patients’ medical records. Oil rig workers sport smart helmets to connect with land-based experts, who can view their work remotely and communicate instructions. Warehouse managers are able to capture real-time performance data using a smartwatch to better manage distribution and fulfillment operations. Wearable computing devices improve productivity by delivering information to workers without requiring them to interrupt their tasks, which in turn empowers employees to make more-informed decisions more quickly.

Wearable devices are helping businesses learn more about employees and the everyday workplace than ever before. New insights and information can be uncovered as IoT sensor data is correlated to actual human behavior. Information on task duration and the proximity of one device or employee to another, when combined with demographic data, can shed light on previously unidentified workflow inefficiencies. Technologically sophisticated firms will understand things they never could before about workers and customers; what they do every day, how healthy they are, where they go, and even how well they feel. This obviously has implications for protecting individual privacy, raising potential employee (and customer) fears that businesses are collecting sensitive data about them. Businesses will need to tread carefully.

Global logistics company DHL worked with Ricoh, the imaging and electronics company, and Ubimax, a wearable computing services and solutions company, to implement “vision picking” in its warehouse operations. Location graphics are displayed on smart glasses guiding staffers through the warehouse to both speed the process of finding items and reduce errors. The company says the technology delivered a 25 percent increase in efficiency. Vision picking gives workers locational information about the items they need to retrieve and allows them to automatically scan retrieved items. Future enhancements will enable the system to plot optimal routes through the warehouse, provide pictures of items to be retrieved (a key aid in case an item has been misplaced on the warehouse shelves), and instruct workers on loading carts and pallets more efficiently.

Google has developed Glass Enterprise Edition smart glasses for business use, with its development partners creating applications for specific industries such as manufacturing and healthcare. Glass Enterprise Edition is being touted as a tool for easing workflows by removing distractions that prevent employees from remaining engaged and focused on tasks. More than 50 businesses including Dignity Health, The Boeing Company, and Volkswagen have been using Glass to complete their work more rapidly and efficiently.

Duke Energy has been piloting the use of smart glasses, and sees multiple uses for them. According to Aleksandar Vukojevic, technology development manager for Duke Energy’s Emerging Technologies Office, smart glasses can enable employees working in the field to access training or instructional videos to help with equipment repairs or upgrades. The glasses also allow remote management, enabling managers to capture what a line or transformer worker sees, annotate images and video with instructions, and send them back out to workers in the field. Duke also tried out the smart glasses in its warehouses for stock inventory. As a worker looks at an item code, it’s automatically recorded against an existing database.

There are some challenges. Locking down data that’s accessed with smart glasses is essential, as with any other mobile device used in the enterprise. Today’s smart glasses haven’t been designed with security in mind. The sensors in the smart glasses are also not as accurate as other products. A field worker using smart glasses to locate a breaker or other device might be off by 10 or 15 feet using Google’s GPS instead of a military-grade solution more common to the energy industry, which can locate equipment to within one centimeter. Additionally, smart glasses don’t necessarily allow safety glasses to be worn over them. Integrating data from smart glasses with Duke’s internal databases could prove difficult.

Smart glasses are like smartphones. Without integration with internal content and the right applications, they would not be so useful. The value of wearable computing devices isn’t from transferring the same information from a laptop or smartphone to a smartwatch or eyeglass display. Rather, it’s about finding ways to use wearables to augment and enhance business processes. Successful adoption of wearable computing depends not only on cost effectiveness but on the development of new and better apps and integration with existing IT infrastructure and the organization’s tools for managing and securing mobile devices (see the chapter-ending case study).

Sources: George Thangadurai, “Wearables at Work: Why Enterprise Usage Is Outshining Consumer Usage,” IoT Agenda, March 8, 2018; Josh Garrett, “Wearables: The Next Wave of Enterprise IoT?” IoT Agenda, February 1, 2018; and Lucas Mearian, “Is Google Glass Really Ready for the Enterprise?” Computerworld, August 1, 2017.

How Reliable Is Big Data?

Today’s companies are dealing with an avalanche of data from social media, search, and sensors, as well as from traditional sources. According to one estimate, 2.5 quintillion bytes of data per day are generated around the world. Making sense of “big data” to improve decision making and business performance has become one of the primary opportunities for organizations of all shapes and sizes, but it also represents big challenges.

Businesses such as Amazon, YouTube, and Spotify have flourished by analyzing the big data they collect about customer interests and purchases to create millions of personalized recommendations. A number of online services analyze big data to help consumers, including services for finding the lowest price on autos, computers, mobile phone plans, clothing, airfare, hotel rooms, and many other types of goods and services. Big data is also providing benefits in sports (see the chapter-opening case), education, science, health care, and law enforcement.

Analyzing billions of data points collected on patients, healthcare providers, and the effectiveness of prescriptions and treatments has helped the UK National Health Service (NHS) save about 581 million pounds (U.S. $784 million). The data are housed in an Oracle Exadata Database Machine, which can quickly analyze very large volumes of data (review this chapter’s discussion of analytic platforms). NHS has used its findings from big data analysis to create dashboards identifying patients taking 10 or more medications at once, and which patients are taking too many antibiotics. Compiling very large amounts of data about drugs and treatments given to cancer patients and correlating that information with patient outcomes has helped NHS identify more effective treatment protocols.

New York City analyzes all the crime-related data it collects to lower the crime rate. Its CompStat crime-mapping program uses a comprehensive citywide database of all reported crimes or complaints, arrests, and summonses in each of the city’s 76 precincts to report weekly on crime complaint and arrest activity at the precinct, patrol borough, and citywide levels. CompStat data can be displayed on maps showing crime and arrest locations, crime hot spots, and other relevant information to help precinct commanders quickly identify patterns and trends and deploy police personnel where they are most needed. Big data on criminal activity also powers New York City’s Crime Strategies Unit, which targets the worst offenders for aggressive prosecution. Healthcare companies are currently analyzing big data to determine the most effective and economical treatments for chronic illnesses and common diseases and provide personalized care recommendations to patients.

There are limits to using big data. A number of companies have rushed to start big data projects without first establishing a business goal for this new information or key performance metrics to measure success. Swimming in numbers doesn’t necessarily mean that the right information is being collected or that people will make smarter decisions. Experts in big data analysis believe too many companies, seduced by the promise of big data, jump into big data projects with nothing to show for their efforts. They start amassing mountains of data with no clear objective or understanding of exactly how analyzing big data will achieve their goal or what questions they are trying to answer. Organizations also won’t benefit from big data that has not been properly cleansed, organized, and managed—think data quality.

Just because something can be measured doesn’t mean it should be measured. Suppose, for instance, that a large company wants to measure its website traffic in relation to the number of mentions on Twitter. It builds a digital dashboard to display the results continuously. In the past, the company had generated most of its sales leads and eventual sales from trade shows and conferences. Switching to Twitter mentions as the key metric to measure changes the sales department’s focus. The department pours its energy and resources into monitoring website clicks and social media traffic, which produce many unqualified leads that never lead to sales.

Although big data is very good at detecting correlations, especially subtle correlations that an analysis of smaller data sets might miss, big data analysis doesn’t necessarily show causation or which correlations are meaningful. For example, examining big data might show that from 2006 to 2011 the United States murder rate was highly correlated with the market share of Internet Explorer, since both declined sharply. But that doesn’t necessarily mean there is any meaningful connection between the two phenomena. Data analysts need some business knowledge of the problem they are trying to solve with big data.

Big data predictive models don’t necessarily give you a better idea of what will happen in the future. Meridian Energy Ltd., an electricity generator and distributor operating in New Zealand and Australia, moved away from using an aging predictive equipment maintenance system. The software was supposed to predict the maintenance needs of all the large equipment the company owns and operates, including generators, wind turbines, transformers, circuit breakers, and industrial batteries. However, the system used outdated modeling techniques and could not actually predict equipment failures. It ran simulations of different scenarios and predicted when assets would fail the simulated tests. The recommendations of the software were useless because they did not accurately predict which pieces of equipment actually failed in the real world. Meridian eventually replaced the old system with IBM’s Predictive Maintenance and Quality software, which bases predictions on more real-time data from equipment.

All data sets and data-driven forecasting models reflect the biases of the people selecting the data and performing the analysis. Several years ago, Google developed what it thought was a leading-edge algorithm using data it collected from web searches to determine exactly how many people had influenza and how the disease was spreading. It tried to calculate the number of people with flu in the United States by relating people’s location to flu-related search queries on Google. Google consistently overestimated flu rates, when compared to conventional data collected afterward by the U.S. Centers for Disease Control (CDC). Several scientists suggested that Google was “tricked” by widespread media coverage of that year’s severe flu season in the United States, which was further amplified by social media coverage. The model developed for forecasting flu trends was based on a flawed assumption—that the incidence of flu-related searches on Googles was a precise indicator of the number of people who actually came down with the flu. Google’s algorithm only looked at numbers, not the context of the search results.

In addition to election tampering by hostile nations, insufficient attention to context and flawed assumptions may have played a role in the failure of most political experts to predict Donald Trump’s victory over Hillary Clinton in the 2016 presidential election. Trump’s victory ran counter to almost every major forecast, which had predicted Clinton’s chances of winning to be between 70 to 99 percent.

Tons of data had been analyzed by political experts and the candidates’ campaign teams. Clinton ran an overwhelmingly data-driven campaign, and big data had played a large role in Obama’s victories in 2008 and 2012. Clinton’s team added to the database the Obama campaigns had built, which connected personal data from traditional sources, such as reports from pollsters and field workers, with other data from social media posts and other online behavior as well as data used to predict consumer behavior. The Clinton team assumed that the same voters who supported Obama would turn out for their candidate, and focused on identifying voters in areas with a likelihood of high voter turnout. However, turnout for Clinton among the key groups who had supported Obama—women, minorities, college graduates, and blue-collar workers—fell short of expectations. (Trump had turned to big data as well, but put more emphasis on tailoring campaign messages to targeted voter groups.)

Political experts were misled into thinking Clinton’s victory was assured because some predictive models lacked context in explaining potentially wide margins of error. There were shortcomings in polling, analysis, and interpretation, and analysts did not spend enough time examining how the data used in the predictive models were created. Many polls used in election forecasts underestimated the strength of Trump’s support. State polls were inaccurate, perhaps failing to capture Republicans who initially refused to vote for Trump and then changed their minds at the last moment. Polls from Wisconsin shortly before the election had put Clinton well ahead of Trump. Polls are important for election predictions, but they are only one of many sources of data that should be consulted. Predictive models were unable to fully determine who would actually turn out to vote as opposed to how people thought they would vote. Analysts overlooked signs that Trump was forging ahead in the battleground states. Britain had a similar surprise when polls mistakenly predicted the nation would vote in June 2016 to stay in the European Union.

And let’s not forget that big data poses some challenges to information security and privacy. As Chapter 4 pointed out, companies are now aggressively collecting and mining massive data sets on people’s shopping habits, incomes, hobbies, residences, and (via mobile devices) movements from place to place. They are using such big data to discover new facts about people, to classify them based on subtle patterns, to flag them as “risks” (for example, loan default risks or health risks), to predict their behavior, and to manipulate them for maximum profit.

When you combine someone’s personal information with pieces of data from many different sources, you can infer new facts about that person (such as the fact that they are showing early signs of Parkinson’s disease, or are unconsciously drawn toward products that are colored blue or green). If asked, most people might not want to disclose such information, but they might not even know such information about them exists. Privacy experts worry that people will be tagged and suffer adverse consequences without due process, the ability to fight back, or even knowledge that they have been discriminated against.

Sources: Linda Currey Post, “Big Data Helps UK National Health Service Lower Costs, Improve Treatments,” Forbes, February 7, 2018; Michael Jude, “Data Preparation Is the Key to Big Data Success,” InfoWorld, February 8, 2018; Rajkumar Venkatesan and Christina Black, “Using Big Data: 3 Reasons It Fails and 4 Ways to Make It Work,” University of Virginia Darden School of Business Press Release, February 8, 3018; Ed Burns, “When Predictive Models Are Less Than Presidential,” Business Information, February 2017; Aaron Timms, “Is Donald Trump’s Surprise Win a Failure of Big Data? Not Really,” Fortune, November 14, 2016; Steve Lohr and Natasha Singer, “The Data Said Clinton Would Win. Why You Shouldn’t Have Believed It,” New York Times, November 10, 2016; Nicole Laskowski and Niel Nikolaisen: “Seven Big Data Problems and How to Avoid Them,” TechTarget Inc., 2016; Joseph Stromberg, “Why Google Flu Trends Can’t Track the Flu (Yet),” smithsonianmag.com, March 13, 2014; and Gary Marcus and Ernest Davis, “Eight (No, Nine!) Problems With Big Data,” New York Times, April 6, 2014.

Google, Apple, and Facebook Battle for Your Internet Experience

Three Internet titans—Google, Apple, and Facebook—are in an epic struggle to dominate your Internet experience, and caught in the crossfire are search, music, video, and other media along with the devices you use for all of these things. Mobile devices with advanced functionality and ubiquitous Internet access are rapidly overtaking traditional desktop machines as the most popular form of computing. Today, people spend more than half their time online using mobile devices that take advantage of a growing cloud of computing capacity. It’s no surprise, then, that today’s tech titans are aggressively battling for control of this brave new online world.

Apple, which started as a personal computer company, quickly expanded into software and consumer electronics. Since upending the music industry with its iPod MP3 player, and the iTunes digital music service, Apple took mobile computing by storm with the iPhone, iPod Touch, and iPad. Now Apple wants to be the computing platform of choice for the Internet.

Apple’s competitive strength is based not on its hardware platform alone but on its superior user interface and mobile software applications, in which it is a leader. Apple’s App Store offers more than 2 million apps for mobile and tablet devices. Applications greatly enrich the experience of using a mobile device, and whoever creates the most appealing set of devices and applications will derive a significant competitive advantage over rival companies. Apps are the new equivalent of the traditional browser.

Apple thrives on its legacy of innovation. In 2011, it unveiled Siri (Speech Interpretation and Recognition Interface), a combination search/navigation tool and personal assistant. Siri promises personalized recommendations that improve as it gains user familiarity—all from a verbal command. Google countered by quickly releasing its own AI tool, Google Now. Facebook has developed an intelligent assistant called M.

Apple faces strong competition for its phones and tablets both in the United States and in developing markets like China from inexpensive Chinese smartphones and from Samsung Android phones that have larger screens and lower prices. iPhone sales have started to slow, but Apple is not counting on hardware devices alone for future growth. Services have always played a large part in the Apple ecosystem, and they have emerged as a major revenue source. Apple has more than 1.3 billion active devices in circulation, creating a huge installed base of users willing to purchase services and a source of new revenue streams. Apple’s services business, which includes Apple’s music (both downloads and subscriptions), video sales and rentals, books, apps (including in-app purchases, subscriptions and advertising), iCloud storage, and payments, has been growing at a double-digit rate.

As Apple rolls out more gadgets, such as the Watch and HomePod, its services revenue will continue to expand and diversify. According to CEO Tim Cook, Apple has become one of the largest service businesses in the world. This service-driven strategy is not without worry because both Google and Facebook offer stiff competition in the services area.

Google continues to be the world’s leading search engine, accounting for about 75 percent of web searches from laptop and desktop devices and over 90 percent of the mobile search market. (Google is also the default search engine for the iPhone). About 84 percent of the revenue from Google’s parent company Alphabet comes from ads, most of them on Google’s search engine. Google dominates online advertising. However, Google is slipping in its position as the gateway to the Internet. New search startups focus on actions and apps instead of the web. Facebook has become an important gateway to the web as well. In 2005, Google had purchased the Android open source mobile operating system to compete in mobile computing. Google provides Android at no cost to smartphone manufacturers, generating revenue indirectly through app purchases and advertising. Many different manufacturers have adopted Android as a standard. In contrast, Apple allows only its own devices to use its proprietary operating system, and all the apps it sells can run only on Apple products. Android is deployed on over 80 percent of smartphones worldwide; is the most common operating system for tablets; and runs on watches, car dashboards, and TVs—more than 4,000 distinct devices. Google wants to extend Android to as many devices as possible.

Google’s Android could gain even more market share in the coming years, which could be problematic for Apple as it tries to maintain customer loyalty and keep software developers focused on the iOS platform. Whoever has the dominant smartphone operating system will have control over the apps where smartphone users spend most of their time and built-in channels for serving ads to mobile devices. Although Google search technology can’t easily navigate the mobile apps where users are spending most of their time, Google is starting to index the content inside mobile apps and provide links pointing to that content featured in Google’s search results on smartphones. Since more than half of global search queries come from mobile devices, the company revised its search algorithms to add “mobile friendliness” to the 200 or so factors it uses to rank websites on its search engine. This favors sites that look good on smartphone screens. The cost-per-click paid for mobile ads has trailed desktop ads, but the gap between computer and mobile ads fees is narrowing. Google instituted a design change to present a cleaner mobile search page.

Seven Google products and services, including Search, YouTube, and Maps, have more than a billion users each. The Android operating system software has over 2 billion monthly active users. Google’s ultimate goal is to knit its services and devices together so that Google users will interact with the company seamlessly all day long and everyone will want to use Google. Much of Google’s efforts to make its search and related services more powerful and user-friendly in the years ahead are based on the company’s investments in artificial intelligence and machine learning (see Chapter 11). These technologies already have been implemented in applications such as voice search, Google Translate, and spam filtering. The goal is to evolve search into more of a smart assistance capability, where computers can understand what people are saying and respond conversationally with the right information at the right moment. Allo is a smart messaging app for iOS and Android that can learn your texting patterns over time to make conversations more expressive and productive. It suggests automatic replies to incoming messages, and you can get suggestions and even book a restaurant reservation without leaving the chat. Google Assistant is meant to provide a continuing, conversational dialogue between users and the search engine.

Facebook is the world’s largest social networking service, with over 2 billion monthly active users. People use Facebook to stay connected with their friends and family and to express what matters most to them. Facebook Platform enables developers to build applications and websites that integrate with Facebook to reach its global network of users and to build personalized and social products. Facebook is so pervasive and appealing that it has become users’ primary gateway to the Internet. For a lot of people, Facebook is the Internet. Whatever they do on the Internet is through Facebook.

Facebook has persistently worked on ways to convert its popularity and trove of user data into advertising dollars, with the expectation that these dollars will increasingly come from mobile smartphones and tablets. As of early 2018, over 95 percent of active user accounts worldwide accessed the social network via smartphone. Facebook ads allow companies to target its users based on their real identities and expressed interests rather than educated guesses derived from web-browsing habits and other online behavior.

At the end of the first quarter of 2018, 98 percent of Facebook’s global revenue came from advertising, and 89 percent of that ad revenue was from mobile advertising. Many of those ads are highly targeted by age, gender, and other demographics. Facebook is now a serious competitor to Google in the mobile ad market and is even trying to compete with emerging mobile platforms. Together, Facebook and Google dominate the digital ad industry and have been responsible for almost all of its growth. Facebook has overhauled its home page to give advertisers more opportunities and more information with which to target markets. The company is expanding advertising in products such as the Instagram feed, Stories, WhatsApp, Facebook Watch, and Messenger, although the majority of ad revenue still comes from its news feed. Facebook has its own personalized search tool to challenge Google’s dominance of search. Facebook CEO Mark Zuckerberg is convinced that social networking is the ideal way to use the web and to consume all of the other content people might desire, including news and video. That makes it an ideal marketing platform for companies. But he also knows that Facebook can’t achieve long-term growth and prosperity based on social networking alone. During the past few years Facebook has moved into virtual reality, messaging, video, and more.

Facebook is challenging YouTube as the premier destination for personal videos, developing its own TV programming, and making its messages “smarter” by deploying chatbots. Chatbots are stripped-down software agents that understand what you type or say and respond by answering questions or executing tasks, and they run in the background of Facebook’s Messenger service (see Chapter 11). Within Facebook Messenger, you can order a ride from Uber, get news updates, check your flight status, or use augmented reality to imagine what a new Nike sneaker looks like by superimposing a 3-D model of that sneaker atop images or video. A new standalone app will allow users to stream videos in their news feed through set-top boxes such as Apple Inc.’s Apple TV and Amazon.com Inc.’s Fire TV, as well as Samsung Internet-connected TVs.

Zuckerberg has said that he intends to help bring the next billion people online by attracting users in developing countries with affordable web connectivity. Facebook has launched several services in emerging markets, such as the Free Basics service designed to get people online so they can explore web applications, including its social network. Facebook wants to beam the Internet to underserved areas through the use of drones and satellites along with other technologies. Zuckerberg thinks that Facebook could eventually be an Internet service provider to underserved areas.

Monetization of personal data drives both Facebook and Google’s business models. However, this practice also threatens individual privacy. The consumer surveillance underlying Facebook and Google’s free services has come under siege from users, regulators, and legislators on both sides of the Atlantic. Calls for restricting Facebook and Google’s collection and use of personal data have gathered steam, especially after recent revelations about Russian agents trying to use Facebook to sway American voters and Facebook’s uncontrolled sharing of user data with third-party companies (see the Chapter 4 ending case study). Both companies will have to come to terms with the European Union’s new privacy law, called the General Data Protection Regulation (GDPR), that requires companies to obtain consent from users before processing their data, and which may inspire more stringent privacy legislation in the United States. Business models that depend less on ads and more on subscriptions have been proposed, although any effort to curb the use of consumer data would put the business model of the ad-supported Internet—and possibly Facebook and Google—at risk. Apple emphasizes its privacy protection features and does not share customer data with others.

These tech giants are also being scrutinized for monopolistic behavior. In the United States, Google drives 89 percent of Internet search, 95 percent of young adults on the Internet use a Facebook product, and Google and Apple provide 99 percent of mobile phone operating systems. Critics have called for breaking up these mega-companies or regulating them as Standard Oil and AT&T once were. In July 2018 European regulators fined Google $5 billion for forcing cellphone makers that use the company’s Android operating system to install Google search and browser apps. Have these companies become so large that they are squeezing consumers and innovation? How governments answer this question will also affect how Apple, Google, and Facebook will fare and what kind of Internet experience they will be able to provide.

Sources: Associated Press, “EU Fines Google a Record $5 Million over Mobile Practices,” July 18, 2018; Christopher Mims, “How Apps, Music and More Can Buoy Apple Beyond the iPhone,” Wall Street Journal, February 4, 2018; “Search Engine Market Share,” www.netmarketshare.com, accessed April 16, 2018; “Facebook’s Advertising Revenue Worldwide from 2009 to 2017 (in Million U.S. Dollars),” statista.com, accessed April 17, 2018; David Streitfeld, Natasha Singer, and Steven Erlanger, “How Calls for Privacy May Upend Business for Facebook and Google,” New York Times, March 24, 2018; Natasha Singer, “Timeline: Facebook and Google Under Regulators’ Glare,” New York Times, March 24, 2018; David Streitfeld, “Google Wants to Be Everywhere with Everyone,” New York Times, May 17, 2017; Tim Bajarin, “Learning This 1 Thing Helped Me Understand Apple’s Strategy,” Time, April 3, 2017; and Mathew Ingram, “How Google and Facebook Have Taken Over the Digital Ad Industry,” Fortune, January 4, 2017.

How Secure Is the Cloud?

Over the last several years, many companies have altered their IT strategies to shift an increasing share of their applications and data to public-cloud infrastructure and platforms. However, using the public cloud disrupts traditional cybersecurity models that many companies have built up over years. As a result, as companies make use of the public cloud, they need to revise their cybersecurity practices in order to consume public-cloud services in a way that enables them both to protect critical data and to fully exploit the speed and agility that these services provide.

Managing security and privacy for cloud services is similar to managing traditional IT infrastructures. However, the risks may be different because some, but not all, responsibilities shift to the cloud service provider. The category of cloud service (IaaS, PaaS, or SaaS) affects exactly how these responsibilities are shared. For IaaS, the provider typically supplies and is responsible for securing basic IT resources such as machines, storage systems, and networks. The cloud services customer is typically responsible for its operating system, applications, and corporate data placed into the cloud computing environment. This means that most of the responsibility for securing the applications and the corporate data falls on the customer.

Cloud service customers should carefully review their cloud services agreement with their cloud provider to make sure their applications and data hosted in cloud services are secured in accordance with their security and compliance policies. But that’s not all. Although many organizations know how to manage security for their own data center—they’re unsure of exactly what they need to do when they shift computing work to the cloud. They need new tool sets and skill sets to manage cloud security from their end to configure and launch cloud instances, manage identity and access controls, update security controls to match configuration changes, and protect workloads and data. There’s a misconception among many IT departments that whatever happens in the cloud is not their responsibility. It is essential to update security requirements developed for enterprise data centers to produce requirements suitable for the use of cloud services. Organizations using cloud services often need to apply additional controls at the user, application, and data level.

Cloud service providers have made great strides in tightening security for their areas of responsibility. Amazon’s security for its cloud service leaves little to chance. The company keeps careful constraints around its staff, watches what they do every day, and instructs service teams to restrict access to data through tooling and automation. Amazon also rotates security credentials for authentication and verification of identity and changes them frequently—sometimes in a matter of hours.

The biggest threats to cloud data for most companies involve lack of software patching or misconfiguration. Many organizations have been breached because they neglected to apply software patches to newly identified security vulnerabilities when they became available or waited too long to do so. (See the discussion of patch management earlier in this chapter.) Companies have also experienced security breaches because they did not configure aspects of cloud security that were their responsibility. Some users forget to set up AWS bucket password protection. (A bucket is a logical unit of storage in Amazon Web Services [AWS] Simple Storage Solution S3 storage service. Buckets are used to store objects, which consist of data and metadata that describes the data.) Others don’t understand basic security features in Amazon such as resource-based access policies (access control lists) or bucket permissions checks, unwittingly exposing data to the public Internet.

Financial publisher Dow Jones & Co. confirmed reports in July 2017 that it may have publicly exposed personal and financial information of 2.2 million customers, including subscribers to The Wall Street Journal and Barron’s. The leak was traced back to a configuration error in a repository in AWS S3 security. Dow Jones had intended to provide semi-public access to select customers over the Internet. However, it wound up granting access to download the data via a URL to “authenticated users,” which included anyone who registered (for free) for an AWS account. Accenture, Verizon, Viacom, Tesla, and Uber Technologies are other high-profile names in the steady stream of companies that have exposed sensitive information via AWS S3 security misconfigurations. Such misconfigurations were often performed by employees who lacked security experience when security configurations should have been handled by skilled IT professionals. Stopping AWS bucket misconfigurations may also require enacting policies that limit the damage caused by careless or untrained employees.

Although customers have their choice of security configurations for the cloud, Amazon has been taking its own steps to prevent misconfigurations. In November 2017, the company updated its AWS dashboard, encasing public in bright orange on the AWS S3 console so that cloud customers could easily see the status of access permissions to buckets and their objects. This helps everyone see more easily when an Amazon S3 bucket is open to the public. Amazon also added default encryption to all objects when they are stored in an AWS bucket and access control lists for cross-region replication. Another new tool called Zelkova examines AWS S3 security policies to help users identify which one is more permissive than the others. Amazon Macie is a managed service that uses machine learning to detect personally identifiable information and intellectual property, and has been available for S3 since August 2017.

Sources: Kathleen Richards, “New Cloud Threats as Attackers Embrace the Power of the Cloud,” SearchCloudSecurity.com, April 3, 2018; “AWS S3 Security Falls Short at High-profile Companies,” SearchCloudSecurity.com, April 2018; “Making a Secure Transition to the Public Cloud,” McKinsey & Company, January 2018; and “Security for Cloud Computing: Ten Steps to Ensure Success,” Cloud Standards Customer Council, December 2017.