Security Concerns in Cloud Computing - Research Paper Example

? Full Paper Introduction Cloud computing is considered to be a value driven technology, as it saves cost along with advanced virtualization of business functions that is globally accessible. Organizations consider it a cost effective tools, as the requirement of maintaining a complex technology infrastructure along with resources is not essential. Likewise, risk factors are also been considered, as the risk, mentioned in the underpinning contract is now owned by a third party i.e. cloud computing vendors. Martin Sandler, who is a director of HP systems security Lab says, “People often think of virtualization as adding to security problems, but it is fundamentally the answer to a lot of those problems,” (Anthes, 2010).In a nutshell, cloud computing delivers major advantages along with negative consequences as well. For instance, information of an organization needs to be protected and is the ultimate responsibility of the board of director for which they are also liable. Likewise, transferring information on the cloud determines that it is not manageable by the organization anymore and any consequence or a breach of data occurring on the vendor side will be a prime threat to the organization. Therefore, information security is the part of due care and due diligence that is derived from the responsible employees of the organization. Cloud Deployment Models It is the prime responsibility of the organization to protect intellectual property and confidential information that may be related to customer personal information, trade secrets, patents etc. Breach of anyone of these classified information types cab result in a permanent loss of business and ultimately bankruptcy that may result in legal and regulatory compliance. Likewise, before making any strategy for transferring critical applications to the cloud, it is important to analyze deployment and service models of cloud computing. The correct choice needs to be made in order to align business requirements to the correct deployment and service model without any unnecessary risk. There are three service models for cloud computing i.e. infrastructure as a service, platform as a service and software as a service (Wilshusen, 2011). Infrastructure as a service (IaaS) is comprised of three components i.e. software, platform and infrastructure. Organizations only provide software and platform and infrastructure is provided by a third party cloud computing vendor. The second service models i.e. platform as a service (PaaS) also comprises of three components i.e. software, platform and infrastructure. Organizations only provide a software or application that will be executed on the third party or vendor’s platform and infrastructure. The third service model also includes the similar three components as mentioned before and called as software as a service (SaaS). Organizations only utilize services provided by the vendors in terms of applications that can be accessed by the Internet. All the three components i.e. software, platform and infrastructure are the property of the vendor (Wilshusen, 2011). In figure 1.1, cloud deployment models are demonstrated Figure 1.1 (Retreived from :Wilshusen, G. C. (2011). INFORMATION SECURITY: Additional guidance needed to address cloud computing concerns. GAO Reports, , 1.) Cloud Service Models After gaining the insight mechanisms of different deployment models of the cloud, the next important aspect is the service models. Cloud computing provides four service models for organizations to operate on. As shown in Fig 1.2, cloud service models are illustrated. Figure 1.2 (Retreived from :Wilshusen, G. C. (2011). INFORMATION SECURITY: Additional guidance needed to address cloud computing concerns. GAO Reports, , 1.) Organizations must choose the relevant client model, as it will be proportional to the business or customer requirements and may differ from organization to organization and business types. The first service mode is called as the ‘Private Cloud’. Private cloud is solely a property of the organization i.e. software, platform and infrastructure is the property of the organization (Wilshusen, 2011). The second service model is called as the community cloud that is accessible to several organizations that may be similar to business types and will focus on customer requiring a similar technology. The third model is the cloud known as ‘Public Cloud’. This type of service model is accessible to public or global industry group. Lastly, the forth service model is called as the ‘Hybrid cloud’. It is considers to be combined with two or more infrastructures that may support two or more clouds. However, the interaction between different clouds is bound on a standardized approach and proprietary technology (Wilshusen, 2011). Cloud Computing Advantages and Challenges Cloud computing derives many valuable benefits for organizations, as they are discussed below (Wu, Shen, Wang, Zhu, & Zhang, 2011): The first factor is justifiable, as there is no requirement of managing or maintaining software, hardware and infrastructure associated with network area storage (NAS) because cloud is taking care of the application as a whole. Secondly, the most important factor is the cost. For instance, an information security manager needs to sell security to the business by using an efficient business case. Total Cost of Ownership (TCO) is the core component of the business case that may justify the cost required for implementing security on the cloud. Therefore, low TCO enables information security managers to justify minimal expenses and more cost savings for getting approval on security projects. Likewise, availability of cloud services is also high resulting in value delivery i.e. low cost of ownership and high availability. Moreover, cloud services also eliminate the requirements of a high profile hot site that may involve a lot of cost. In case of unplanned service outage, cloud computing ensures reliable delivery of core business applications that eliminates the needs for off-site storage. On the other hand, cloud computing also reflects significant risks, as mentioned in the introductory paragraph, principal risks for cloud computing is associated with federal agencies and regulations. Any vulnerability found in the software, platform or infrastructure of the vendors will expose serious exposures, as information may be related to more than one organization. Moreover, employees working internally on the cloud computing premises may also expose a serious threat if no proper background employee checks were performed during recruitment procedures. Furthermore, if any governmental agencies for instance, military or other sensitive body is also using the same cloud from the same vendor is also most likely to be compromised, if any breach of anyone of these fundamental concepts Confidentiality, Integrity and Availability is successful. In addition, the incident response function may not be efficient and effective if any incident occurs and affect the customer or employee. For instance, if a security incident affects the customer, the incident response function of the organization will trigger in a timely manner to isolate and investigate the root cause via root cause analysis. In a cloud computing scenario, it may be a different case and result in ambiguity, as from where the investigation should begin. If an incident is triggered from the vendor’s site, evidence is required to act accordingly and may consume more time that is always a critical success factor. Therefore, compliance of cloud computing vendors and implementing security controls as per the governmental information security requirements is the major concern of organizations associated with services on clouds. Moreover, organizations have also concerns on assessment of security controls and independent audit and limitations of the vendor because data of many organizations is located at the vendor site that may increase risks of the CIA (Wilshusen, 2011). Therefore, an agreement is in process for establishing an independent organization that may conduct security audits and assessment. In this way, organizations can select vendors who are approved by these independent organizations maintaining the required security controls and standards. Cloud Computing Storage The storage of cloud computing requires a lot of space, in fact humongous data centers where data is collected and managed. These data centers pose several threats and security risk that may impact these data storage machines. Threat may be from a professional hacker and also in the form of the cloud provider itself, if data is not adequately dealt with. A minor security incident or misconfiguration can lead to a system failure or unavailability. For instance, in 2008, only a tiny corrupted bit integrated with a message that was used by the servers of Amazon’s Simple Storage Service (S3) that provide services of online data storage imposed a system shutdown for many hours (Talbot, 2010). Moreover, another security breach occurred in 2009, password of an employee working in Twitter was hacked that resulted in breaching the email security questions page that was located in the Google apps account (Talbot, 2010). In relation to that, one more incident occurred when data was erased from one million T-mobile smart phones due to a server failure that was managing the data of these smart phones (Talbot, 2010).As Peter Mell, who is a team lead of cloud security team at National Institute of Standards and Technology (NIST) says, public cloud computing models are more vulnerable to threats, as every customer has access to a broad range of services and levels. Therefore, if any one of the services is breached, they gain access to all the data. References Wilshusen, G. C. (2011). INFORMATION SECURITY: Additional guidance needed to address cloud computing concerns. GAO Reports, , 1. Anthes, G. (2010). Security in the cloud. Communications of the ACM, 53(11), 16-18. doi:10.1145/1839676.1839683 Wu, J., Shen, Q., Wang, T., Zhu, J., & Zhang, J. (2011). Recent advances in cloud security. Journal of Computers, 6(10), 2156-2163. Talbot, D. (2010). Security in the ether. Technology Review, 113(1), 36. Read More