Cloud Computing Security
Table of Contents
Intro, Melvin
Threats and Vulnerabilities, Janah Kirby
Prevention Strategies, Froylan Sosa
Cloud Computing Options and Data Policy Regulation
Conclusion, Melvin
Intro: Melvin
Cloud computing is used throughout everyday life when using computers today. It was not always
like this, but since the 1970s people have been working to make cloud computing what it is
today. Although not known by many, “cloud computing” is a metaphor used to describe the network
elements that deliver a provider’s services.
Cloud computing is said to help companies run and manage their applications more efficiently
and is also known to be more cost effective than traditional methods. Cloud computing is also
the answer for companies as far as data storage is concerned, and it offers the capability to
keep all of the company’s information private to that company. The information that the company
needs to access can be housed anywhere, because with cloud computing the internet is the
powerhouse that makes things work. Along with keeping information private, there is also the
concern of keeping this information secure and unavailable to third parties, so that sensitive
information cannot be accessed. Data security is of rising concern when it comes to cloud
computing because nowadays many companies are switching to cloud computing if they have not
already done so.
Cloud computing relates to database management and security, and to our class, because many
different factors need to be considered to understand cloud computing well and to deal with it
adequately from an information technology standpoint. The first is to understand the history of
cloud computing, because to move forward, some things about the past should also be learned, so
that the same mistakes are not made and positive outcomes are the result.
The second factor that should be analyzed is the risk and security concerns of cloud computing,
because as cloud computing continues to grow across many different corporations, the security
risks are something to pay close attention to. Identifying the vulnerabilities and real-world
examples can show what roads not to go down, while also showing how things can go well if the
right precautions are taken to prevent possible breaches.
The third factor ties in closely with the second: prevention strategies that can stop possible
illegal third-party intervention. Being aware of prevention strategies, including encryption,
data hiding methods and monitoring activities, can help in understanding cloud computing
protection. Adding to these factors is finding real-world application. Real-world application is
important to look at with cloud computing or any other subject, because seeing how all this
information can be implemented shows the logos of everything being taught. Combining these
factors will show how cloud computing relates back to class and database management.
In this paper, all the factors mentioned above will be discussed in greater detail to show
what cloud computing is. The paper will also show how cloud computing, on the bases of security,
implication, and use, can benefit companies, and how it has grown over time. Showing all the
different bases of cloud computing in the paper will help the reader clearly understand the
subject and gain practical knowledge of it. Cloud computing history, security concerns,
prevention strategies, implications, and leveraging cloud computing will be detailed throughout.
History: Gabriel
Cloud computing is a technology that most of us are now familiar with but do not know exactly
how it works. It has made very big waves in the technology scene in recent years. It permeates
all types of business, both big and small, and it is almost mandatory for a modern business to
have some form of cloud computing or cloud data storage. Since its inception it has become a
bigger and bigger part of our world and will most likely continue to do so.
Many people, if asked, would guess that cloud computing is a fairly new technology that has not
been around for very long, and technically they would be correct; cloud computing has only
really been in use for a little over a decade. However, the concepts and previous technologies
that led up to the birth of modern cloud technology started in the 1950s. The concepts of cloud
computing have been floating around the technology industry for several decades. In fact,
primitive versions, which included time sharing, have been created since the 70s. Virtual
machines were created during this period, which was a very big deal at the time and gave birth
to several great technologies that all revolved around the virtualization movement. Then, during
the 90s, telecommunications companies began to offer Virtual Private Networks, which was another
big step toward cloud computing and cloud storage.
Previously, the only offering from telecommunications companies was point-to-point connections,
which was a hassle because when more connections needed to be made, physical infrastructure
would have to be built, which we can imagine was quite costly to the company and the customer.
Now the customer or client could have several different connections, all while using the same
physical infrastructure. It was really a time of experimentation with the new technology.
Computers were becoming more and more common in households, and different needs for storage
increased.
Cloud computing started to be implemented in IT businesses and services and continued to gain
more and more popularity as it expanded. Eventually, by the mid-2000s, it was used by a large
majority of technology companies, if not all, that involved IT services and much more.
Currently a company called SoftLayer is one of the largest and arguably the most popular when
it comes to providing cloud computing infrastructure. Other major companies such as IBM have
been involved with the technology almost since its inception. It has a wide range of cloud
services and solutions that it provides.
A data center has always been the place where companies store a majority of their information,
especially information sensitive to the company and its customers. However, running data centers
or paying other big companies such as AT&T to hold them can be quite expensive, especially for a
smaller company. There is now a big movement towards storing the company’s information in public
and private clouds. There was initially a big controversy surrounding this concept regarding the
security of the information, and there still is to a degree.
CIOs of companies were very hesitant to make a full or even partial transition toward
cloud-based technologies, based on the simple fact that it was so new. Companies are usually
very hesitant to make changes, especially when technology departments can be very expensive and
any security breach could be quite costly for the business at stake. Soon companies started to
realize the beneficial features of cloud technologies, and their cost effectiveness became more
and more apparent. This controversy did not stop the push towards large amounts of company data
being housed on the cloud, which can be relatively cheaper than a physical database. Even
companies that still prefer to house most of their data in data centers, especially large ones,
still hold a portion of their data in the cloud.
In today’s ever-increasing technological environment it is hard to ignore such a powerful
technology that has so many benefits. The technology is everywhere nowadays and expanding
rapidly. A lot of people use it daily without even knowing. For example, pictures you take on
your iPhone automatically upload to your computer, and music you download on your computer is
downloaded on your phone as well, and vice versa. That process is all made possible by cloud
technologies, in that example cloud technologies provided by Apple.
Threats and Vulnerabilities: Janah Kirby
In 2009 the International Data Corporation conducted a study of 244 IT executives, and out of
the nine points raised, security was highlighted as the most serious concern by approximately
87.5% of the respondents (Nicho, Mathew). Security in the cloud has become a critical issue
because of the usage among people, organizations, and companies that use cloud systems in their
businesses. Many disadvantages of cloud computing relate to its security, and so there are
tradeoffs between security and data storage.
Although cloud computing is not new, there have been many issues and challenges when it comes
to securing the cloud that do not have solutions. Cloud computing is a very complex model, and
identifying threats and vulnerabilities requires different perspectives, including a business
perspective and the personal perspectives of people.
Threats
Cloud computing has many threats, but because of the lack of a definition for threat in the
model, there are many threats that can be covered. Natural disasters and hardware theft are
forms of threats that cloud computing faces; however, they are not as common as internal and
external attacks, internal leaks, breaches, and misuse of data and the infrastructure by
malicious insiders.
Attacks
One of the main categories of cloud computing is Software as a Service, in which a third party
hosts software for users to access. Commonly abbreviated SaaS, this category shares the cloud
name with Infrastructure as a Service and Platform as a Service. These services have become very
prone to attacks since they all use internet-based cloud computing systems. This makes them
vulnerable to attacks of all kinds.
One of the types of attacks that a user would use to access a database would be an SQL
attack, which is when the unauthorized user injects their malicious code into SQL code in the
attempt to gain access to the database (Bhadauria, Rohit). Gaining access to a database that has
sensitive information is only the start for malicious users. Once this information is accessed it
can be sold on the black market to high bidders. Information such as social security numbers,
bank account information, and passwords gives black market buyers the ability to become
someone new, cause financial conflicts for others without worry, and gain access to
places/systems they may not have had access to before.
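The injection described above comes from building the SQL text out of user input. The following is an added example, not part of the original paper, that puts a string-concatenated lookup beside a parameterized one against an in-memory SQLite database; the table, column names, accounts and the crafted input are all constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
SAMPLE_USERS = [
    ("alice", "000-00-0001"),
    ("bob", "000-00-0002"),
    ("carol", "000-00-0003"),
]

# Constructed input of the kind an injection attempt supplies: the quote ends
# the string literal early, so the remainder is parsed as SQL instead of a name.
CRAFTED_INPUT = "nobody' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the input is pasted into the SQL text, so it can change the query."""
    query = ("SELECT username, ssn FROM users WHERE username = '"
             + username + "' ORDER BY username")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """HARDENED: the driver binds the input as a value; it is never parsed as SQL."""
    query = "SELECT username, ssn FROM users WHERE username = ? ORDER BY username"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups for one input and return the rows each one exposes."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", CRAFTED_INPUT):
        result = compare(value)
        print(repr(value))
        print("  concatenated :", len(result["vulnerable"]), "row(s)")
        print("  parameterized:", len(result["parameterized"]), "row(s)")
```

With an ordinary name both lookups return the same single row; with the crafted input only the concatenated query returns every account, which is why bound parameters are the standard mitigation.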
Another popular form of attack is the Denial of Service attack, in which a user sends many
requests to the server until the server becomes unable to handle the load, and so users cannot
access the site (Bhadauria, Rohit). While this attack is happening, the cloud will use a lot of
resources to keep the network working correctly, and the site that users try to access will be
slow and will eventually return an error page.
This attack seems to have more of a personal ring to it, but when you think about what types of
targets would be chosen, a few names such as Apple and Microsoft come to mind. A malicious user
may not have a personal vendetta against these companies that would motivate shutting down
their websites, but many hackers like the thought of shutting them down just for the fun of it.
Companies like Microsoft, however, have great security protocols set up to shield their servers
from these types of attacks. If their sites were to shut down, they could lose a huge amount of
sales profit just because their products are not available.
Leaks
Leaks are a little self-explanatory, and happen when a user on the inside of an infrastructure
releases information that was not supposed to be accessed by the public. Leaks do not always
come from users on the inside; sometimes a user hacks into an infrastructure and takes
information that they did not have authorization to access.
Leaks are especially common for people in the public eye, such as celebrities and stars like
Jennifer Lawrence. In 2014, 100 celebrities, including the rising actress Jennifer Lawrence,
were the victims of a hack that leaked their nude photos. This event took the internet by storm,
especially with young consumers now gripping their iPhones, worried their sensitive information
could become available to the public. This attack leaked very sensitive information, which
caused an uproar in the law community and the women’s rights community. This attack showed a
huge vulnerability within the login of Apple’s cloud services system.
A Russian security analyst named Alexei Troshichev declared that he had found the bug that
allowed hackers to gain access to hundreds of political and non-political celebrities within
just two hours. Troshichev said that he found many of Apple’s login interfaces to be fine;
however, the FindMyiPhone interface had critical vulnerabilities and gave the malicious users
access. Unfortunately for the victims, Troshichev states that creating stronger passwords could
have prevented this situation (Telegraph.co.uk). Security doesn’t just start with the cloud
protocols, but also with the user’s education in IT security!
Breaches
A breach is in some ways like a leak, but the difference is that the malicious user does not
necessarily “leak” the information to anyone such as the public. Many companies such as Target
and Verizon have been the victims of breaches within their enterprise systems, but a case that
sheds light on breaches that can result in serious loss is the 21st Century Oncology data breach
that happened in October of 2016 (Gluck, Frank).
21st Century Oncology had to release a statement letting 2.2 million patients know that their
database had been breached, that their information could be subject to misuse, and that they
should keep an eye on their information. The breach involved social security numbers,
treatments, diagnoses, and patients’ and even doctors’ names from all 50 states and several
sovereign countries. “The breach
is far larger than the one recently reported Radiology Regional Center. In that case, records for
more than 480,000 patients blew out of a Lee County Solid Waste Division truck on Fowler
Street. The incident has prompted two lawsuits against Radiology Regional and Lee County
(Gluck, Frank).”
Vulnerabilities
Vulnerabilities are exposed when attacks and hacks happen. They are not always
immediately known within the infrastructure, but once they are exposed they must be protected
immediately or eliminated in general. For example, when Apple had the massive celebrity leak,
their vulnerability was found in their FindMyiPhone infrastructure, and exploited by malicious
users. A vulnerability can be seen in similar terms to a weakness.
Prevention Strategies: Froylan Sosa
With as many security threats as exist today, there are many reasons why everyone should be
concerned about their privacy. Despite all the vulnerabilities that websites, applications and
programs have in general, there are ways of preventing the threats that are posed. Cloud
security is a broad topic about keeping data and information on the cloud safe, and it covers
endless amounts of information based on sites, networks, applications and other technological
advancements that are based on “the cloud” or internet. The main points explained on this page
are based on simpler methods that have been touched upon in the classroom but that help prevent
vulnerabilities and threats. The topics discussed are methods such as updating and securing
passwords, knowing the right kinds of encryption methods, and being able to identify untrusted
sources.
When people think about threats against cloud computing, they often think that there is
something huge involved, such as an international special agent spy on the lookout for their
sandwich recipe. That idea may not be completely impossible, but more often than not that is
not the case. When storing any kind of information in the cloud, you will usually need a secure
and reliable way to access the information that you do not want others to see. Many services
offer protective measures for storing your information in their online storage. For example,
iCloud storage from Apple will save any documents or files, but to access the files you will
first need to enter the email that is connected to the iCloud and then enter the password.
Another example is Dropbox: you will need to enter the required email and password, and if you
are accessing their services through a mobile device they also have an extra feature that adds
a PIN for mobile devices. These steps may seem simple, but they are an effective way of keeping
your information secure. The thing about passwords/PINs is that they should be constantly
updated and never told to anyone. Therefore, some companies request that employees practice the
clean desk policy. The clean desk policy simply asks that employees keep their desks clean of
any information that can be used against them, and this includes passwords/PINs and other
things that could give access to their online information. Other types of prevention strategies
are the three factors of authentication.
We have already discussed something you know (such as a username and password). What remains is
something you have and something you are. Something you have could be a card or keychain fob.
For example, military personnel store their information on the cloud in their own private
network. To access this information, they are required to have a card known as a Common Access
Card, also known as a CAC. Every individual in the military has one, but with different access
levels granted. Along with inserting the card to access their network, the card requires a PIN
that is customized by each individual.
The other prevention strategy based on passwords is something you are. To access private
information that is on the cloud, some companies require a pass based on something you are, such
as fingerprints. When it comes to prevention strategies against vulnerabilities with the cloud,
passwords and different forms of authorization are some of the basic ways to prevent malware.
The next part is about knowing how to communicate effectively with others and how to properly
secure your data by knowing the proper methods of encryption. To begin with, encryption is the
process of converting any kind of information or data into a kind of code that is hard for just
anybody to decipher, to try to prevent unauthorized access by the wrong person. There are many
forms of encryption. Although hashing is not technically considered a form of encryption, it is
a good way to send information to others that you don’t necessarily mind others seeing, as long
as the content is not changed. Hashing simply transforms any data into a code, which is called a
hash.
For example, user one performs a hash and receives a code that should be the same regardless of
the number of times the message is hashed. If user two receives the message and the code is the
same code that user one received, then the message has not been tampered with, although it may
have been seen. Encryption normally includes an algorithm and a key. Two known forms of
encryption are symmetric encryption and asymmetric encryption. In symmetric encryption there is
only one key, which is used for encrypting and decrypting at both ends of the transmission. This
kind of encryption is much more efficient at encrypting large amounts of data than asymmetric
encryption.
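The hash comparison between user one and user two, as an added example that is not part of the original paper. It goes one step beyond the text by also showing the limit of a plain hash (someone who can replace the message can replace the digest too) and the keyed variant, HMAC, that closes it; the messages and the shared key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for this example.
ORIGINAL = b"Transfer 100 USD to account 12345"
TAMPERED = b"Transfer 900 USD to account 99999"
SHARED_KEY = b"constructed-demo-key-known-to-both-users"


def sha256_hex(message: bytes) -> str:
    """User one's step: hash the message and publish the digest."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, expected_hex: str) -> bool:
    """User two's step: re-hash what arrived and compare with the digest received."""
    return hmac.compare_digest(sha256_hex(message), expected_hex)


def mac_hex(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only holders of the key can compute a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, expected_hex: str) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    return hmac.compare_digest(mac_hex(key, message), expected_hex)


def simulate():
    """Walk through the cases and return what the receiver would conclude."""
    sent_digest = sha256_hex(ORIGINAL)
    sent_tag = mac_hex(SHARED_KEY, ORIGINAL)
    return {
        # Hashing the same message again always yields the same code.
        "repeatable": sha256_hex(ORIGINAL) == sent_digest,
        # Unchanged message: the receiver's digest matches.
        "unchanged_accepted": verify_digest(ORIGINAL, sent_digest),
        # Message altered in transit, digest delivered intact: mismatch detected.
        "tampered_rejected": not verify_digest(TAMPERED, sent_digest),
        # Limit of a plain hash: if message AND digest are both replaced,
        # the receiver's check still passes.
        "replaced_pair_passes_plain_hash": verify_digest(TAMPERED, sha256_hex(TAMPERED)),
        # With HMAC, a tag made without the shared key does not verify.
        "replaced_pair_fails_hmac": not verify_mac(
            SHARED_KEY, TAMPERED, mac_hex(b"not-the-shared-key", TAMPERED)),
        # The genuine message and tag still verify.
        "genuine_mac_accepted": verify_mac(SHARED_KEY, ORIGINAL, sent_tag),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

A plain digest therefore proves integrity only when it reaches user two over a channel the attacker cannot alter; otherwise a keyed MAC or a digital signature is needed.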
There are two methods that fall under symmetric encryption: one is known as block ciphers and
the other as stream ciphers. Block ciphers encrypt data in 64- or 128-bit blocks, encrypting
each block separately. Stream ciphers encrypt data as a stream. Other known forms under
symmetric encryption are Advanced Encryption Ciphers (AES), DES, 3DES, Blowfish, TwoFish and
RC4, which is used by SSL for HTTPS. In asymmetric encryption, there is a private key and a
public key, one to encrypt and the other to decrypt. The private key is only for the one user to
know, while the public key is for any person to know. Methods that fall under asymmetric
encryption are RSA, Diffie-Hellman, Elliptic curve cryptography, steganography, quantum
cryptography, TLS and SSL, all of which secure internet traffic, emails, messages and digital
signatures. These are essential when accessing the cloud.
Lastly, this next portion explains further prevention strategies based on the cloud that may
not follow the same pattern as the other examples. When people think about the cloud, they
imagine it as an area that always stays online without the need for hardware. Unfortunately,
that is not the case. One should always keep in mind that the cloud is nothing but a server that
stores all the information in one place for a private network, and each network has its own
version of the cloud, some much bigger and some much smaller. For example, the University of
North Carolina at Greensboro has its cloud servers in the McNutt building and takes care of its
hardware so that everything stored in the cloud (which is a physical piece of hardware) will not
be accessed by the wrong third party. They have a team of personnel that takes care of this
location. The wrong people tailgating into the area and accessing the building is a threat, so
monitoring the area is a prevention strategy to keep the cloud computing safe.
Many of the things that prevent threats to cloud computing don’t necessarily have to be complex,
like using the right kind of encryption; they can be as simple as taking care of the hardware,
not showing anyone the password, and not allowing people to trick you into telling them the
password, as well as constantly checking for applications that may be outdated. Sometimes
hackers find a glitch in the system that could potentially give them access to the information
on the cloud. If you check for updates on the programs/applications/services that are connected
to the cloud, there could be a fix for those problems if the issue was sent to the developers.
These are only some of the ways to prevent threats against cloud computing, but it is always
good to stay informed and look things up.
Cloud Computing Options and Data Privacy Regulation - Chris Holder
Clouds can be thought of as virtual computing environments where virtual servers and
desktops live and can be accessed by users. Cloud computing is the practice of using a network
of remote servers hosted on the Internet to store, manage, and process data, rather than a local
server or a personal computer. Cloud computing is synonymous with virtualization. Cloud
storage locates the data on a central server, but unlike an internal data center in the LAN, the data
is accessible from anywhere and in many cases from a variety of device types (Lammle, 2015).
According to the European Commission, surveys show that 80% of businesses already using the
cloud reported 10%-20% lower IT costs, while 20% of them reported savings rising to 30% or
above (Commission, 2012). The following are business solutions provided under the cloud.
Private Cloud
This is a solution owned and managed by one company solely for that company’s use. A private
cloud is one in which this virtual computing environment is provided to the enterprise by a third
party for a fee. This is a good option for a company that has neither the expertise nor the
resources to manage their own cloud yet would like to take advantage of the benefits that cloud
computing offers.
Public Cloud
This is a solution provided by a third party. It offloads the details to the third party but gives up
some control and can introduce security issues. An example of a public cloud would be Dropbox.
Hybrid Cloud
This is some combination of private and public. For example, perhaps you only use the facilities
of the provider but still manage the data yourself.
Community Cloud
This is a solution owned and managed by a group of organizations that create the cloud for a
common purpose.
Virtual Networking
Over the last few years, one of the most significant developments helping to increase the
efficient use of computing resources, leading to an increase in network performance without an
increase in spending on hardware, has been the widespread adoption of virtualization
technology. Virtual computing solutions come from many vendors. The following are some of
the more popular currently:
● VMware vSphere
● Microsoft Hyper-V
● Citrix XenServer
Virtual servers can perform all the same functions as physical servers but can enjoy some
significant advantages. The virtualization software can allow you to allocate CPU and memory
resources to the virtual machines (VMs) dynamically as needed to ensure that the maximum
amount of computing power is available to any single VM at any moment while not wasting any
of that power on an idle VM. In fact, in situations where VMs have been clustered, they may
even be suspended or powered down in times of low demand in the cluster (Lammle, 2015).
Anti-malware software
When it comes to anti-malware software the Cloud provides unique advantages. Cloud antivirus
products run not on local computers but in the cloud, creating a smaller footprint on the client
and utilizing processing power in the cloud. They have the following advantages:
● They allow access to the latest malware data within minutes of the cloud antivirus service
learning about it.
● They eliminate the need to continually update your antivirus.
● The client is small, and it requires little processing power.
Cloud antivirus products have the following disadvantages:
● There is a client-to-cloud relationship, which means they cannot run in the background.
● They may scan only the core Windows files for viruses and not the whole computer.
● They are highly dependent on an Internet connection.
Data Privacy Regulation
The evolution of cloud computing has been among the most influential forces in reshaping
regulation. In Europe there are substantial differences in the interpretation and
implementation of data privacy regulations. For example, maximum penalties for the misuse of
personal information vary considerably. In Spain, the penalty is €600,000; in France, it’s
€150,000 for a first offense plus five years in prison; and in Germany, it’s €250,000 (D.C.
Dowling, “International Data Protection and Privacy Law,” Aug. 2009;
http://tinyurl.com/bgh4fza). If the cloud customer operates in the United States, Canada or the European Union,
they’re subject to numerous regulatory requirements. These include Control Objectives for
Information and related Technology and Safe Harbor. These laws might relate to where the data
is stored or transferred, as well as how well this data is protected from a confidentiality aspect.
Some of these laws apply to specific markets, such as the Health Insurance Portability and
Accountability Act (HIPAA) for the health-care industry.
Failure to adequately protect your data can have many consequences, including the potential for
fines by one or more government or industry regulatory bodies. Such fines can be substantial and
potentially crippling for a small or midsize business. For example, the Payment Card Industry
(PCI) can impose fines of up to $100,000 per month for violations to its compliance.
Laws or regulations typically specify who within an enterprise should be held responsible
and accountable for data accuracy and security. The Sarbanes–Oxley Act designates the CFO
and CEO to have joint responsibility for the financial data. The Gramm–Leach–Bliley Act is
broader, specifying the responsibility for security with the entire board of directors. Less specific
is the Federal Trade Commission (FTC), which just requires a specific individual to be
accountable for the information security program within a company. (Winkler, 2011)
Conclusion: Melvin
In conclusion, cloud computing is a service that will continue to grow from where it is today.
Since cloud computing has become such a modern commodity with technology use, the service will
continue to become more popular. Many companies use cloud-based services that have become
integrated into our everyday lives, including Apple, Microsoft, Adobe, and other technology
companies. The information held by these companies is very important because a lot of their
software is used in many everyday jobs across America and many other countries worldwide.
The history of cloud computing shows how the service has come to dominate, moving from old
techniques to new techniques. Old methods, such as non-internet methods, have shown to be not
as effective for companies since the new cloud computing service surfaced. It is believed that
cloud computing is more effective for the growth of companies. As shown above, many companies
believe that cloud computing security is of the utmost importance and will continue to do
whatever it takes to make sure that the information in the cloud will not be compromised by
third parties looking to change, disrupt, and steal sensitive information. Learning from others
and staying aware of everything that goes on with cloud computing security is how everything
runs more efficiently. Being able to see what others may have messed up, or where a company has
done well or badly, should help a company have a brighter outcome when looking at cloud
computing or any other aspect that the company is considering.
Cloud computing relates to our class of database management and security through making sure
that all the factors that cloud computing supports are reviewed. The first is history and how
cloud computing came to be so prevalent. The second factor is knowing the analyzed risk and
security concerns of cloud programming. The third factor is the prevention strategies that are
used to make sure all information is secure and not tampered with. The last, but also very
important, factor is knowing how these different parts can be applied in real-world situations.
This paper talked about these different factors in detail and hopefully gave a better grasp of
what cloud computing is and how and why it is important to the world of technology. Having shown
all the aspects of cloud computing, greater knowledge can be demonstrated, because cloud
computing history, security concerns, prevention strategies, implications, and leveraging cloud
computing have all been discussed. Cloud computing has grown and will continue to grow, and now,
after reading, we hope a better insight is available.
Sources:
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead SYO-301 Study Guide. North
Charleston, SC: CreateSpace, 2011. Print. - Froylan Sosa
Nicho, Mathew, and Mahmoud Hendy. "Dimensions of Security Threats in Cloud Computing: A
Case Study." The Review of Business Information Systems (Online), vol. 17, no. 4, 2013, pp.
159-n/a, ProQuest Central,
https://login.libproxy.uncg.edu/login?url=http://search.proquest.com/docview/1458944582?accountid=14604. - Janah Kirby
Bhadauria, Rohit, et al. "SECURITY ISSUES IN CLOUD COMPUTING." Acta Technica
Corviniensis - Bulletin of Engineering, vol. 7, no. 4, 2014, pp. 159-177, ProQuest Central,
https://login.libproxy.uncg.edu/login?url=http://search.proquest.com/docview/1618069466?accountid=14604. - Janah Kirby
"Nude Celebrity Photos Leaked: Russian Analyst Says It Took Less than Two Hours to Identify
Security Flaw." Telegraph.co.uk, Sep 02, 2014, ProQuest Central,
https://login.libproxy.uncg.edu/login?url=http://search.proquest.com/docview/1558902475?accountid=14604. - Janah Kirby
Gluck, Frank. "Data Breach Affects 2.2M 21st Century Oncology Patients." The News Press,
Mar 10, 2016, ProQuest Central,
https://login.libproxy.uncg.edu/login?url=http://search.proquest.com/docview/1772140073?accountid=14604. - Janah Kirby
Commission, E. (2012, September 27). European Commission. Retrieved from europa.eu:
http://europa.eu/rapid/press-release_MEMO-12-713_en.htm?locale=fr - Chris Holder
Lammle, T. (2015). CompTIA Network+. Indianapolis: John Wiley & Sons. - Chris Holder
Winkler, V. (. (2011). Cloud Computing: Legal and Regulatory Issues. Retrieved from TechNet
Magazine: https://technet.microsoft.com/en-us/library/hh994647.aspx - Chris Holder