StudyDaddy Information Systems DENNISWRIGHT

DENNISWRIGHT

C11-1 CASE STUDY 11 C LOUD C OM PUT ING (I N )S EC URI TY Cloud computing is reshaping enterprise network architectures and infrastructures. It refers to applications delivered as services over the Internet as well as the hardware and systems software in data centers that provide those services. The services themselves have long been referred to as Software as a Service (SaaS) which had its roots in Software -Oriented Architecture (SO A) concepts that began shaping enterprise network roadmaps in the early 2000s. IaaS (Infrastructure as a Service) and P aaS (Platform as a Service) a re other types of cloud computing services that are available to business customers. Cloud computing fosters the notion of computing as a utility that can be consumed by businesses on demand in a manner that is si milar to other services (e.g. electricity, municipal water) fro m traditional utilities. It has the potential to reshape much of the IT industry by giving businesses the option of running business software applications fully on-premises, fully in “the cloud ” or some combination of the se two extremes . These are choices that businesses have not had until recently and m any companies are still coming to grips with this new computing landsca pe.

Security is important to any computing infrastructure. Companies go to great lengths to secure on- premises computing systems, so it is not surprising that security looms as a major consideration when augmenting or replacing on- premises systems with cloud services . Allaying security C11-2 concerns is frequently a prerequisite for further discussions about migrating part or all of an organization ’s comp uting architecture to the cloud.

Availa bility is another major concern : “ How will we operate if we can ’t access the Internet? What if our customers can ’t access the cloud to place orders? ” are common questions [AMBR10]. Generally speaking, such questions only arise when businesses contemplating moving core transaction processing, such as ERP syst ems, and other mission critical applications to the cloud. Companies have traditionally demonstrated less concern about migrating high maintenance applications such as e -mail and payroll to cloud service providers even though such applications hold sensitive information. S ecurity Issues and Concerns Auditability is a concern for many organizations, especially those who must comply with Sarbanes -Oxley and/or Health and Human Services Health Insurance Portability and A ccountability Act (HIPAA) regulations [IBM11] .

The auditability of their data must be ensured whether it is stored on - premises or moved to the cloud. Before moving critical infrastructure to the cloud, businesses should do diligence on security threats both fr om outside and inside the cloud [BADG11]. Many of the s ecurity issues a ssociated with protecting clouds from outside threats are similar to those t hat have traditionally faced centralized data centers. In the cloud, however, responsibility for assuring adequate security is frequently shared among user s, vendors , and any third - party firms that users rely on for security -sensitive software or configurations. C loud user s are responsible for application -level security.

C loud vendors are responsible for physical security and some software security such as enforcing external firewall policies. Security for intermediate layer s of the software stack is shared between users and vendors. C11-3 A security risk that can be overlooked by companies considering a migration to the cloud is that posed by sharing vendor resources with other cloud users. Cloud providers must guard against theft or denial -of -service attacks by their users and users need to be protected from one another. Virtualization can be a powerful mechanism for a ddressing these potential risks becaus e it protects against most attempts by users to attack one another or the p rovider’s infrastructure. However, not all resources are virtualized and not all virtualization environments are bug- free. Incorrect virtualization may allow user code to access to sensitive portions of the provider’s infrastructure or the resources of other users. Once again, these security issues are not unique to the cloud and are similar to those involved in managing non- cloud data centers, where different applications need to be protected from one another. Another security concern that businesses should consider is the extent to which s ubscribers are protected against the provider , especially in the area of inadvertent data loss. F or example, in the event of provide r infrastructure improvements, what happens to hardware that is retired or replace d? It is easy to imagine a hard disk being disposed of without being properly wiped clean of s ubscriber data. It is also easy to imagine permissions bugs or errors that make subscriber data visible to unauthorized users. User -level encryption may be an important self -help mechanism for subscribers , but businesses should ensure that other protections are in place to avoid inadvertent data loss. Addressing Cloud Computer Security Concerns Numerous documents have been developed to guide business thinking about the security issues associated with cloud computing. Even NIST has weighed in on these issues [BAD G11]. NIST’s recommendations systematically consider each of the major types of cloud services consumed C11-4 by businesses including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). While security issues vary somewhat depending on the type of cloud service, there are m ultiple NIST recommendatio ns that are independent of service type. Several of these are summarized in Table C11.1. Not surprisingly, NIST recommends selecting cloud providers that support strong encryption, have appropriate redundancy m echani sms in place, employ authentication mechanisms, and offer subscribers sufficient visi bility about mechanisms used to protect subscribers from other subscribers and the provider. As more businesses incorporate cloud services into their enterprise network infrastructures, cloud computing security will persist as an important issue. Examples of cloud computing security failures have to potential to have a chilling effect on business interest in cloud services and this is inspiring service providers to be serious about incorporating security mechanisms that will allay concerns of potential subscribers. Some service providers have moved their operations to Tier 4 data centers to address user concerns about availability and redundancy. Because so many businesses remain reluctant to embrace cloud computing in a big way, cloud service providers will have to continue to work hard to convince potential customers that computing support for core business processes and mission critical applications can be moved safely and securely to the cloud [HEAV11].

Discussion P oints 1. Do some Internet research to identify businesses who have suffered because of cloud secur ity weaknesses or failures. What can companies who are contemplating cloud computing services learn from the negative experiences of these businesses? 2. Do some Internet research on security mechanisms associated with virtualization. How can virtualization be used by cloud service providers to protect subscriber data? C11-5 3.

Choose one of the following cloud services categories: SaaS, IaaS, PaaS. Do some Internet research that focuses the security issues associated with the selected cloud service category. Summarize the major security risks associated with the cloud service category and identify mechanisms that can be used to address these risks. Sources [A RMB10] Armbrust, M., Fox, A., Griffith, R, Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., and Zaharia, M.

“A View of Cloud Computing.” Communications of the ACM, Vol. 53, No. 4, April 2010, pp. 50 -58. [BADG11] Badge r, L., Grance, T., Patt- Comer, R., and Voas, J. Draft Cloud Computing Synopsis and Recommendations: Recommendations of the National Institute of Standards and Technology, Special Publication 800 -146, May 2011. [HEAV11] Heavey, J. “Cloud Computing: Secure or Security Risk?” Technorati.com, November 28, 2011. Retrieved online from:

http://technorati.com/technology/cloud -computing/article/cloud -computing- secure -or- a-security1/ . [IBM11] IBM Global Technology Services. Security and Availability in Cloud Computing Environments, Technical White Paper, June 2011. C11-6

Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!