
Risk Control Plan Strategy for Cloud Services - Literature review Example

Summary
This literature review "Risk Control Plan Strategy for Cloud Services" explores vulnerabilities that the enterprise faces. Each risk is identified in detail in addition to the risk assessment factors, potential mitigation, and what actions would appear in a risk control strategy plan…

Extract of sample "Risk Control Plan Strategy for Cloud Services"

Information Security

Table of Contents

Introduction
Risk Discussion
Risk Analysis
Policy and organisational security risks
Technical security risks
Legal risks in data security
Analysis
Risk Mitigation and Control
IT-related Counter measures
Policing and Compliance
Risk Control Plan Strategy for cloud services
Conclusion
References

CASE: An enterprise is considering whether it should use a cloud service provider application for its corporate stock control and pricing systems processing three of the most significant information security risks pertinent to the selected topic.

Introduction

Cloud services, also called "infrastructure as a service (IaaS)", "software as a service (SaaS)" and "platform as a service (PaaS)", enable rapid deployment of infrastructure and applications without the extra complexities and costs associated with the purchase and maintenance of the underlying software and hardware (Hashizume et al. 2013). The constantly changing and intricate business environment has forced business entities, including small-to-medium-sized enterprises (SMEs), to respond by seeking innovative cloud solutions that meet a range of computing needs cost-effectively and reliably (Gong et al 2010).

In this case, an enterprise is considering adopting a cloud service provider's application for its corporate stock control and pricing systems processing. The enterprise would benefit from convenient, ubiquitous, fast, on-demand network access to a pool of shared configurable IT resources, such as storage, networks, services and servers, that are provisioned rapidly and released through interaction with the service provider. However, the security effectiveness of cloud services is held in doubt (Hashizume et al. 2013; Durowoju, Chan & Wang 2011). This report explores the vulnerabilities that the enterprise faces.
Each risk is identified in detail, together with the risk assessment factors, potential mitigation and control measures, and the actions that would appear in a risk control strategy plan to demonstrate confidence in the effectiveness of the suggested mitigation and control measures.

Risk Discussion

Cloud computing is distinguished by several features. The enterprise often has on-demand access to scalable information on corporate stock control and pricing systems in the cloud, which is provided through web-based technology (Rahimli 2013). However, cloud computing presents an extra level of risk, since essential IT services are outsourced to a third party, which makes it more complicated to maintain privacy and data security and to demonstrate compliance and service availability (Azarnik et al 2012). This report presents a categorisation of the security issues related to using cloud computing, focused on the SPI model (SaaS, PaaS and IaaS).

a) Software as a Service (SaaS)

The service provider gives an enterprise the ability to use the provider's stock control and pricing systems processing applications, which run on a cloud infrastructure. The applications are accessible from the various devices used by the enterprise through a thin client interface such as web-based email or a web browser. With SaaS, the burden of providing security lies with the cloud service provider because of the high level of abstraction: the model is based on a high level of integrated functionality, which gives an enterprise limited control (Durowoju, Chan & Wang 2011).

b) Platform as a Service (PaaS)

The service provider gives an enterprise the ability to use its stock control and pricing systems processing applications on the provider's infrastructure without the need to install any hardware or software tools on the enterprise's IT infrastructure.
The service provider offers platform layer resources, such as software development frameworks, that can be applied to enhance higher-level stock control and pricing systems processing services. The PaaS model offers an enterprise greater control and extensibility, which presents the enterprise with a higher degree of security (Durowoju, Chan & Wang 2011).

c) Infrastructure as a Service (IaaS)

The service provider gives an enterprise processing, storage and network capacity as well as essential computing resources, which enables the enterprise to set up and run arbitrary stock control and pricing systems processing software. Given the comparatively lower level of abstraction, the IaaS model gives an enterprise greater control over security than SaaS and PaaS (Durowoju, Chan & Wang 2011).

Risk Analysis

In risk assessment, the key questions of concern are the categorisation of the threat (based on what can happen to the enterprise's security assets), the impact of the threat (how severe the threat can be), the frequency of the threat (how often the threat may happen) and the uncertainty factor (how certain it is that the risks can be mitigated). IT-related risks are categorised into three groups, namely policy and organisational risks, technical risks and legal risks.

Policy and organisational security risks

Policy and organisational risks are business-related IT risks that the enterprise may face in using the application. Such risks include loss of governance and lock-in. With regard to loss of governance, an enterprise cedes control to the cloud service provider (CP) on issues related to security. Since the application is delivered through an internet browser, security flaws in web applications present vulnerabilities for the stock control and pricing systems processing applications (Kuyoro, Ibikunle & Awodole 2011). The customer data is stored in a database schema developed by the cloud service provider. Typically, SaaS providers offer API calls to read, and hence export, data records.
Although an enterprise can access applications over the internet using any device, including mobile devices and public computers, this presents additional risks such as information stealing via mobile malware, insecure marketplaces, data threats due to insecure networks or Wi-Fi, and proximity-based hacking.

Since PaaS developers lack access to the underlying layers, the cloud service providers are still responsible for ensuring the security of the underlying infrastructure in addition to the application. Although an enterprise's developers are in control of the security of the application, they lack assurance that the development environment tools that the PaaS provides are secure (Kuyoro, Ibikunle & Awodole 2011).

IaaS offers a pool of shared resources, such as network, servers and storage, in the form of virtualised systems accessible through the internet. An enterprise is hence entitled to run the corporate stock and pricing system processing application with full control over the resources provisioned to it (Jamal, Omer & Qureshu 2013). The underlying security risks are, however, associated with virtualisation and include copying, sharing, migrating and rolling back virtual machines. This presents attackers with opportunities to launch attacks, given the existence of extra layers that an enterprise must secure. Virtualised environments are more vulnerable to security threats than traditional infrastructure because of the added points of entry and interconnection complexities (Azarnik et al 2012).

Technical security risks

These include IT-related risks that have a direct technical impact on the cloud computing systems hosting the application. Such risks include multi-tenancy and interception of data in transit. Multi-tenancy is one underlying security risk. SaaS applications can be categorised into maturity models determined by configurability, scalability through multi-tenancy, and metadata (Tan, Liu & Sun 2013).
Each enterprise or customer is given request of the software. This model has security drawbacks. Since the data from various tenants is stored in the same database, the risk of data leakage between the various tenants is high. Within the multi-tenant structure, problems of data segregation may occur, which increase the risk of a security breach because of the lack of proper sealing. Hence, co-tenants may launch attacks.

PaaS, unlike SaaS and IaaS, does not offer traditional programming languages or third-party web services such as mashups, which gives it a security advantage over SaaS. However, PaaS applications also inherit some security issues associated with mashups, such as network and data security. Applications based on PaaS also depend on the security provided by third-party services and web-hosted development tools. In the PaaS application development cycle, developers are faced with the intricacies of building secure applications that can be hosted in the cloud.

IaaS also involves a level of multi-tenancy, because the virtual machines on the same server share memory, CPU and I/O. This decreases the level of security for each virtual machine, since a malicious virtual machine can steal information from other virtual machines because of the shared memory. This allows attackers to launch cross-tenant attacks. To overcome the security issues in multi-tenancy, each virtual machine should be hooked to its host through a dedicated physical channel (Betcher 2010).

Legal risks in data security

Legal risks consist of IT-related risks that are legal by nature and which negatively impact an enterprise using the cloud services. Such risks include data privacy. Despite the large number of benefits that an enterprise can accrue from cloud computing with regard to corporate stock control and pricing systems processing, a range of significant barriers also exists.
Among the most critical barriers to effective use of the cloud services by an enterprise are security and privacy (Betcher 2010). Data security becomes a concern when SaaS users have to depend on their cloud services provider to offer enhanced security. In the SaaS model, an enterprise's data is processed in plaintext for storage in the cloud. The provider is responsible for providing security to the data. In addition, data backup is essential to support recovery in the event of a disaster. Cloud providers may also subcontract other service providers, which raises data security concerns because of third-party involvement. Under this scenario, the service provider must enforce compliance requirements, such as data segregation, privacy and security. SaaS offers stock control and pricing systems processing application services on demand, such as ERP.

Indeed, since cloud computing embodies a comparatively new computing model, a great deal of uncertainty exists about security at the data, network, application and host levels. Such uncertainty signifies that security is an underlying concern in using cloud computing services to enhance corporate stock control and pricing systems processing by an enterprise (Hashizume et al. 2013).

Analysis

The level of risk is assessed based on the probability of a security breach scenario mapped against an estimable negative impact. The probability of the incident scenario is presented by a threat that exploits a vulnerability of the SPI model, since in most cases the vulnerability depends on the SPI model. Based on the above analysis, the three anticipated cloud risks associated with using a cloud service provider application for corporate stock control and pricing systems processing are: loss of governance and lock-in; multi-tenancy and data interception; and data privacy (see Table 1).

Table 1: Security risks

Risk category | Risk | Risk level | Probability | Impact
Policy | Loss of governance | High | Very high | Very high (IaaS very high, SaaS low)
Policy | Lock-in | High | High | Medium
Technical | Data interception | Medium | Medium | High
Technical | Multi-tenancy | High | High | High (IaaS low, SaaS very high, PaaS high)
Legal | Data privacy | High | High | High

The results suggest that the identified threats can critically impact an enterprise, specifically when it handles confidential information.

Risk Mitigation and Control

The security risks can be mitigated by developing a holistic infrastructure that covers physical and virtual computing systems. IT-related security risk countermeasures and policies should be developed.

IT-related Counter measures

The fragmentation-redundancy-scattering (FRS) technique can efficiently mitigate the risks of data leakage through loss of governance and privacy. The technique provides tolerance to intrusion and, in the process, secures data storage. Sensitive data is broken down into insignificant fragments, where each fragment holds no significant information by itself. Afterwards, the fragments are scattered randomly across various sites of a distributed system. Digital signatures can also be used with the RSA algorithm while the transfer of data takes place over the internet. RSA is a recognised algorithm that can protect data in the cloud (Hashizume et al. 2013).

Homomorphic encryption can also be effective in mitigating data leakage security risks. It denotes an encryption technique where data is secured while being transferred to and from the cloud or at the service provider's server. Encryption schemes such as the Advanced Encryption Standard (AES) and SSL technology can be used to secure data while in transit to and from the cloud. Hence, cloud providers have to decrypt data in order to process it.
Although this may raise security concerns, homomorphic encryption ensures that arbitrary computation is done on ciphertexts without their being decrypted, hence mitigating the risks of data leakage (Hashizume et al. 2013).

Web applications are an easy target for attacks, since they are exposed to the public. Web application scanners can be used to mitigate the security risks related to data interception and multi-tenancy. A scanner is a program that scans web applications through the web front-end to identify security vulnerabilities. Other web application security tools, such as a web application firewall, can also be used to route all web traffic so that it can be inspected for particular threats.

The enterprise can also use a trusted cloud computing platform (TCCP) to mitigate security risks related to data interception and multi-tenancy. TCCP allows cloud service providers to provide a closed-box environment for executing the cloud service, which allows an enterprise to inspect the environment before launching its virtual machines. It mostly applies to the IaaS model. The TCCP uses two essential elements, namely a trusted coordinator (TC) and a trusted virtual machine monitor (TVMM). The TC oversees a set of trusted nodes running the TVMMs, and is maintained by a trusted third party. The TC launches or migrates a VM, which authenticates whether the VM runs on a trusted platform (Hashizume et al. 2013).

A trusted virtual datacentre (TVDc) can be integrated to mitigate security risks related to data interception, multi-tenancy and data privacy. TVDc ensures the integrity and isolation of the cloud environment by grouping virtual machines designed for similar purposes into workloads known as Trusted Virtual Domains, which mitigate security risks by enforcing mandatory access control and protected communication channels. They also verify the integrity of the system before an application is launched (Hashizume et al. 2013).
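
The fragmentation-redundancy-scattering countermeasure described above, sketched as an added example that is not part of the original paper. It assumes XOR splitting as the way to make each fragment insignificant on its own; the site names, the manifest layout and the sample stock record are constructed for illustration.

```python
"""Fragmentation-redundancy-scattering (FRS) sketch for one stock record."""
import hashlib
import random
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fragment(data, k):
    """Fragmentation: k - 1 random pads plus (data XOR all pads).

    Assumption of this example: XOR splitting stands in for the paper's
    'insignificant fragments'. Fewer than k fragments reveal nothing about
    the data, at the cost of each fragment being as long as the data.
    """
    if k < 2:
        raise ValueError("need at least two fragments")
    pads = [secrets.token_bytes(len(data)) for _ in range(k - 1)]
    last = data
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]


def scatter(fragments, sites, replicas, seed=None):
    """Redundancy + scattering: put each fragment on `replicas` random sites.

    Placements are redrawn until no single site holds every fragment.
    Returns (stores, manifest); the manifest stays with the data owner.
    `seed` exists only to make the demo reproducible.
    """
    if not 1 <= replicas < len(sites):
        raise ValueError("replicas must be between 1 and len(sites) - 1")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    while True:
        placement = [rng.sample(sites, replicas) for _ in fragments]
        load = {s: sum(s in chosen for chosen in placement) for s in sites}
        if max(load.values()) < len(fragments):
            break
    stores = {s: {} for s in sites}
    manifest = {}
    for i, frag in enumerate(fragments):
        for site in placement[i]:
            stores[site][i] = frag
        manifest[i] = {"sites": placement[i],
                       "sha256": hashlib.sha256(frag).hexdigest()}
    return stores, manifest


def reconstruct(stores, manifest):
    """Fetch one intact replica of every fragment and XOR them together."""
    result = None
    for i, entry in manifest.items():
        good = None
        for site in entry["sites"]:
            candidate = stores.get(site, {}).get(i)  # site may be offline
            if (candidate is not None and
                    hashlib.sha256(candidate).hexdigest() == entry["sha256"]):
                good = candidate
                break
        if good is None:
            raise LookupError(f"fragment {i}: no intact replica available")
        result = good if result is None else xor_bytes(result, good)
    return result


if __name__ == "__main__":
    record = b"SKU-1001;qty=120;unit_price=19.99"  # constructed sample record
    sites = ["site-a", "site-b", "site-c", "site-d", "site-e"]
    stores, manifest = scatter(fragment(record, 4), sites, replicas=2)
    del stores["site-c"]  # simulate losing one storage site
    print(reconstruct(stores, manifest))
```

With two replicas per fragment, the loss of any single site still leaves one copy of every fragment, and the stored digests let the owner reject a tampered replica instead of silently rebuilding a corrupted record.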
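
Computation on ciphertexts, as described in the homomorphic encryption passage above, shown as an added example that is not part of the original paper. It uses the Paillier scheme, which supports only addition and multiplication by a public constant (a narrower case than the arbitrary computation the text mentions); the toy primes, SKU names, quantities and prices are constructed.

```python
"""Paillier additively homomorphic encryption applied to stock-control data."""
import math
import secrets

# Constructed demo primes (2**31 - 1 and 2**61 - 1). They keep the numbers
# readable; real keys need primes of 1024+ bits from a vetted library.
P = 2**31 - 1
Q = 2**61 - 1


def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu)), using g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)  # modular inverse, Python 3.8+
    return n, (lam, mu)


def encrypt(n, m):
    """Enterprise side: E(m) = (1 + m*n) * r^n mod n^2 with a fresh random r."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Enterprise side: m = L(c^lam mod n^2) * mu mod n, L(u) = (u - 1) // n."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def provider_inventory_value(n, enc_qty, unit_price_cents):
    """Provider side: builds E(sum(price * qty)) from ciphertexts only.

    Multiplying two ciphertexts adds their plaintexts; raising a ciphertext
    to a public constant multiplies its plaintext by that constant.
    """
    n2 = n * n
    total = 1  # 1 is a valid encryption of 0 (r = 1)
    for sku, c in enc_qty.items():
        total = total * pow(c, unit_price_cents[sku], n2) % n2
    return total


def demo():
    """Encrypt quantities, let the 'provider' value the stock, decrypt."""
    n, priv = keygen()
    # Constructed sample data: quantities are confidential, prices are public.
    quantities = {"SKU-1001": 120, "SKU-1002": 35, "SKU-1003": 0}
    prices = {"SKU-1001": 1999, "SKU-1002": 24950, "SKU-1003": 500}
    enc_qty = {sku: encrypt(n, qty) for sku, qty in quantities.items()}
    enc_total = provider_inventory_value(n, enc_qty, prices)
    return decrypt(n, priv, enc_total)


if __name__ == "__main__":
    print("inventory value in cents:", demo())
```

The provider function never receives the private key or a plaintext quantity, yet the enterprise decrypts the correct total; encrypting the same quantity twice also yields different ciphertexts, so equal stock levels are not visible to the provider.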

Policing and Compliance

Data security should be approached based on the content rather than the location. In this case, security regulations should remain consistent regardless of where the data resides. Mitigation strategies include having audit controls, policies and procedures, and service level agreements with the cloud providers (Brender & Markov 2013). Audit controls involve coming up with mitigation strategies that cover the enterprise and the cloud service provider. The enterprise can also establish standards at the organisational level to ensure that employees who use the cloud service are screened and that the application is updated for security (Betcher 2010). For instance, the enterprise should come up with policies that prompt employees to update the application. For instance, developers may be prompted to frequently upgrade PaaS applications to ensure that the development process is flexible enough to keep up with changes in security levels.

Developing policies and procedures includes formulating and maintaining a range of documents for enforcing the policies of the enterprise and those of the cloud service provider. To prevent security risks related to multi-tenancy, security policies should be used to ensure that an enterprise's data is kept separate from that of other customers (Dupre & Haeberlen 2009). The stock control and pricing systems processing application can be scaled up by being moved to more powerful servers.

Service level agreements may be reached to ensure that the enterprise's concerns are addressed, to minimise disputes and to reduce unrealistic expectations. The enterprise should work with security, legal and assurance professionals to examine whether the various security and privacy levels are attained. At the same time, the service provider's policies and procedures should be reviewed to determine whether they are acceptable (Betcher 2010).

Risk Control Plan Strategy for cloud services

A three-step process should be used in the risk control plan strategy.
First, high-level information security policies for the protection of data should be established. Second, granular compliance-related security policies should be developed. Next, a process of auditing and improving the effectiveness of a policy should be developed. Once the enterprise has come up with consistent internal policies, the service provider's policies should also be reviewed. At this stage, a cost-benefit analysis of using a certain cloud service from a specific provider should be conducted. The service provider should be examined to check whether it aligns with the enterprise's business objectives (Betcher 2010). The regulatory and privacy requirements should be identified and, lastly, a contingency plan and exit strategy should be developed.

It is also critical that a service agreement be reached with the cloud service provider to ensure compliance with regulatory and privacy requirements. Hence, the enterprise should look for providers with industry experience and a background in meeting specific security needs. Contingency plans are also essential, since an enterprise needs a backup plan for how to handle its data in the event that the relationship with the service provider does not work out (Dupre & Haeberlen 2009).

Conclusion

After assessing the risks and mitigation practices, it is concluded that the security risks that an enterprise is exposed to by adopting a cloud service provider's application for its corporate stock control and pricing systems processing are indeed manageable. In addition, it is concluded that the PaaS model should be adopted for the application in place of SaaS or IaaS, since it offers the most effective security infrastructure that is manageable at enterprise level. It is also viable to conclude that virtualisation, storage and networks are the biggest security concerns related to adopting the cloud application. These present security risks, including those related to loss of governance, multi-tenancy and data privacy.

References

Azarnik, A, Shayan, J, Allizedeh, M & Karamizadeh, S 2012, "Associated Risks of Cloud Computing for SMEs," Open International Journal of Informatics (OIJI), Vol. 1, pp. 37-42.

Betcher, T 2010, Cloud Computing: Key IT-Related Risks and Mitigation Strategies for Consideration by IT Security Practitioners, Capstone Report Presented at University of Oregon.

Brender, N & Markov, L 2013, "Risk perception and risk management in cloud computing: Results from a case study of Swiss companies," International Journal of Information Management, Vol. 33 No. 5, pp. 726-733.

Dupre, L & Haeberlen, T 2009, Cloud Computing Benefits, risks and recommendations for information security, viewed 3 April 2013, https://resilience.enisa.europa.eu/cloud-security-and-resilience/publications/cloud-computing-benefits-risks-and-recommendations-for-information-security

Durowoju, O, Chan, H & Wang, X 2011, "The Impact Of Security And Scalability Of Cloud Service On Supply Chain Performance," Journal of Electronic Commerce Research, Vol. 12 No. 4, pp. 243-254.

Gong, C, Liu, J, Zhang, Q, Chen, H & Gong, Z 2010, The Characteristics of Cloud Computing, 39th International Conference on Parallel Processing Workshops.

Hashizume, K, Rosado, D, Medina, E & Fernandez, E 2013, "An analysis of security issues for cloud computing," Journal of Internet Services and Applications 2013, Vol. 3 No. 5.

Jamal, K, Omer, A & Qureshu, A 2013, "Cloud Computing Solution and Services for RFID Based Supply Chain Management," Advances in Internet of Things, Vol. 3, pp. 79-85.

Kuyoro, S, Ibikunle, F & Awodole, O 2011, "Cloud Computing Security Issues and Challenges," International Journal of Computer Networks (IJCN), Vol. 3 Iss. 5, pp. 247-254.

Rahimli, A 2013, "Factors Influencing Organization Adoption Decision on Cloud Computing," International Journal of Cloud Computing and Services Science, Vol. 2 No. 2, pp. 140-146.

Tan, C, Liu, K & Sun, L 2013, "A design of evaluation method for SaaS in cloud computing," Journal of Industrial Engineering and Management, Vol. 6 No. 1, pp. 50-72.