Cloud Computing Storage Issues - Literature review Example

? Full Paper Contents Is Cloud Vulnerable? 3 2 Cloud Computing Storage Issues 4 3 Network Security Policy 5 4 Policies Applicable on Cloud Computing 6 5 Estimated Level of Risk 7 6 Information Security Framework 8 1 Is Cloud Vulnerable? Cloud computing delivers numerous benefits along with many security vulnerabilities that are classified as: Customary Security Availability Third Party Security Virtual Machine Issues This type of security is associated with the threats applicable on connecting the workstations to the cloud. SQL injection or cross site scripting vulnerabilities have a high probability, as Google docs are one of the victims of them (Singh & Sharma, 2011). Moreover, threat of phishing is also always available, as automated emails and messages on cloud based applications can steal passwords, personal credentials and other personal information. Organization’s authentication and authorization policy do not addresses cloud security issues. In spite of having several security controls integrated within the cloud based applications, only a password is required to breach into the cloud based application. One of the recent security breaches of exploiting secure passwords that is called as Twitter gate (Singh & Sharma, 2011). Moreover, virtual machines on a single physical machine are shared with multiple instances. Every instance is connected to the Internet or virtual tunnels. This concludes, if a single machine is compromised, all the instances available in that machine are also compromised. In addition, risk of data corruption or storage that may not limited to memory storage, random access memory storage is also in the scope of cloud computing vulnerabilities (Singh & Sharma, 2011). 2 Cloud Computing Storage Issues The storage of cloud computing requires a lot of space, in fact humongous data centers where data is collected and managed. These data centers pose several threats and security risk that may impact these data storage machines. The threat may be from a professional hacker and also in the form of the cloud provider itself, if data is not adequately dealt with. A minor security incident or misconfiguration can lead to a system failure or unavailability. (OGIGAU-NEAMTIU, 2012) Moreover, another security breach occurred in 2009, password of an employee working on Twitter was hacked that resulted in breaching the email security questions page that was located in the Google apps account (Talbot 2010). In relation to that, one more incident occurred when data was erased from one million T-mobile smart phones due to a server failure that was managing the data of these smart phones (Talbot 2010).As Peter Mell, who is a team lead of cloud security team at the National Institute of Standards and Technology (NIST) says, public cloud computing models are more vulnerable to threats, as every customer has access to a broad range of services and levels. Therefore, if any one of the services is breached, they gain access to all the data. As cloud-computing usage is increasing with its connection to the public through an Internet, new opportunities also originate for hackers, cyber terrorists, viruses and worms. These threats will increase and focus on cloud computing enables services and applications for stealing classified data, denial of service attacks on data centers etc. ‘Google apps’ is the major player in the market for providing ‘SaaS’, it was attacked and hacked. The report from cyber forensics indicated that the attacks were originated from China (Bisong & Rahman, 2011). The security and privacy in cloud computing are associated with data storage and data protection. Moreover, monitoring the utilization of resources available on the cloud by the service providers is also included. In order to secure the data in the cloud, it can be stored internally in the organization’s premises. (Talbot, 2012) Moreover, the Sarbanes-Oxley Act (SOX) in the US and Data Protection directives along with the EU are only two compliances from many other compliance concerns related to data and application of cloud computing. Moreover, the EU has backed up with a legislative data protection for the entire member across the globe. However, the US data protection differs from the EU, as it varies in each state. Moreover, the service provides incorporates the highest level of security in the clouds of their inbound technical intelligence, but these measures is affected due to government regulations country by country. For instance, if a cloud computing service providers is located within a country, the service provider is bound to slipshod provisions on privacy that may lead the involvement of the government enforcement agencies to peek in the hosted data of a particular organization. 3 Network Security Policy The network traffic between different departments and the other networks for instance, organization’s network traffic, will be transmitted via a firewall monitored and maintained by the support staff. However, in case of a wireless network transmission, connection to other networks of the organization will be prohibited (Kalyvas, Overly, & Karlyn, 2013). In order to configure or modify any configuration settings on the firewall, it must be reviewed and approved by the information security personnel. Tools associated with port scanning, network sniffing, auto discovery of registered / unregistered ports and other scanning tools must be prohibited within the premises of an organization, as they can trigger information security risks and disrupt the organization’s network operations, or any other network that may be operational. Right to audit for all inbound and outbound activities of any department of organization is applicable to the information security personnel anytime. For ensuring physical access, every employee must identify themselves via physical security controls before entering in the premises of organization. Accessing mobile phones, PDA’s, smart phones, laptops and any other communication device in the parameter of an organization, must be according to the open area security policy. Encryption must be applicable to stored password files, VPN connections and connections to the third party service providers where applicable. 4 Policies Applicable on Cloud Computing 4.1 Passwords policy Password policy defines the complexity level and password length that must be standardized in all modules of applications. The policy also defines ‘Do’s’ and ‘Don’ts’ for setting the password. 4.2 Privileges policy This policy illustrates mandatory and discretionary levels of access on applications, networks and databases. 4.3 Email Use Policy This policy defines the attachment requirements of emails, communication via email to third parties or individuals publicly available. No company information will be shared publicly by using company email address. Moreover, users may not spread non ethical information, religious information via email within the company. 5 Estimated Level of Risk Cloud computing policies and procedures can administratively control the identified risks my mitigating them via technical, physical and environmental controls. Moreover, identified cloud computing risks can also be transferred, for instance insuring critical assets. Furthermore, risk avoidance can also be applicable. For instance, cloud computing data center located in a region where law and order situation is not good. One of the decisions will be to close the data center or move it to another region. Customer satisfaction is achieved by signing a non-disclosure agreement and service level agreements for delivering service whenever required. However, risks having high probability of occurrence are based on quantitative and qualitative risk management. For instance, a cloud based application that can be accessible on the Internet has high probability of phishing, SQL injection and cross site scripting. In addition, applying controls, such as a thoroughly written security policies and privacy policy facilitates customer satisfaction. Policy Control against Vulnerabilities A table below shows a policy control for vulnerabilities defined below: Vulnerability Policy Control Phishing Awareness emails, quizzes, one to one sessions Viruses Security Policy Spyware, Adware Acceptable Use Policy 5.1 Network Use Policy This policy restricts and allows the user to access data, network services and applications available on the network. Users may not be able to access shared files pertaining to other departments. Likewise, if any confidential data is shared, it must not be accessible to other department employees. 5.2 Internet Use policy This policy defines the permitted and restricted information requested via Internet connection. However, certain department may have access to certain websites that may facilitate them, such as marketing department requires research. 5.3 Backup Backup of data and applications is maintained by the network administration staff. 6 Information Security Framework The information Security Framework is the believed as the most inclusive framework model that ensures a variety of security solutions regarding information on the cloud. This can be accomplished by lowering business risks. Moreover, information security figures out other major elements in any business organization and also focus on the technological aspects of cloud computing. For example, process, business technologies etc. these procedures are considered as the core methodologies in the field of Information Security. The Information Security framework determines the policies and applications in an organization’s cloud. In order to access the organization’s recent information security framework, the framework is used that allows a pattern for delivering, evaluating and improving information security polices and applications. Furthermore, other research papers are also included for several information securities framework. In this paper, a selected Information Security framework is mentioned. In providing Information Security services, it is an alarming situation for management to deal with new challenges of cloud computing. Moreover, information system assets are equally significant for small organizations as well that contains data bases 5 and recruiter files, company operations, financial materials etc. The chosen framework maps effortlessly along with the organization’s Information Security policies linked with cloud computing. This can be measured by mapping information security framework. The only difference in the two frameworks is the roles and responsibilities of the drivers that are different from each other. Although, the company has an appropriate information security framework but following suggestions must be reviewed: 6.1 Training The significant information security measures must be provided to establish an invasive security surrounding. A number of measured are taken in order to support the behavioral changes in any organization. Training sessions must be provided to the staff members regarding the information security awareness and security polices practices. Moreover, these procedures and policies must undergo a reactive environment (Sipior & Ward, 2008). 6.2 Password Policy In any organization, the password policy must be cross checked. This policy is considered as the most important security criteria in any organization. Confidentiality agreement: In several cases, personal and confidential agreements among third parties are not intact. Such as, in some organizations, if a consultant joins the client’s location he has to sign the agreement. 6.3 Physical Security For the workstations, physical security is not present in any organization. Therefore, in order to control the stealing of PC and hardware, some type of locking system must be provided. For any organization, information security is considered as the major element or asset. In order to protect the data, a well-established security framework implementation is required. In fact, information security framework is an ongoing procedure. To ensure sufficient protection regarding information resources, a number of improvements in the field of environmental incidences are needed (Ezingeard & Bowen-Schrire, 2007). In order to evaluate capabilities of recent policies, measuring and reporting of risks, control issues and weakness are obligatory (Purtell, 2007). However, in recent times, information security breaches and cyber-crimes are increasing gradually. Thus it is significant for all the companies to focus on information security. This will ensure information security within the organization. Moreover, non-technical issues regarding information security must also be considered. This helps to develop the better information security framework in any organization. Conclusion Cloud computing is the best cost saving option, as there is no need to manage Information Technology infrastructure along with total cost of ownership. In case of personal or confidential data, one cannot manage or mitigate the risk of getting hijacked, as there is no guarantee that the cloud computing providers are applying adequate level of protection to the confidential data. The risk is very high, as the confidential information can be leaked by a security breach. However, strict controls or ISO 27001 certification must be achieved for ensuring compliance with the required policies and procedures of the standard. References Bisong, A., & Rahman, S. M. (2011). An overview of the security concerns in enterprise cloud computing. International Journal of Network Security & its Applications, 3(1), 30-45. doi: 10.5121/ijnsa.2011.3103 Ezingeard, J., & Bowen-Schrire, M. (2007). Triggers of change in information security management practices. Journal of General Management, 32(4), 53-72. Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: A practical framework for managing cloud computing risk--part I. Intellectual Property & Technology Law Journal, 25(3), 7-18. OGIGAU-NEAMTIU, F. (2012). Cloud computing security issues. Journal of Defense Resources Management, 3(2), 141-148. Purtell, T. (2007). A new view on it risk. Risk Management (00355593), 54(10), 28-33. Singh, T., & Sharma, K. (2011). A survey of security issues in cloud computing. International Transactions in Mathematical Sciences & Computer, 4(2), 411-424. Sipior, J. C., & Ward, B. T. (2008). A framework for information security management based on guiding standards: A united states perspective. Issues in Informing Science & Information Technology, 5, 51-60. Talbot, C. (2012). The state of cloud computing: Getting real in 2012. Channel Insider, , 1-4. Read More