Information Security in Cloud Computing - Essay Example

INFORMATION SECURITY PROJECT REPORT by Student’s name Code+ course name Professor’s name University name City, State Date Information Security in cloud computing  The term cloud computing refers to a situation where a company outsources it computer serivices. In cloud computing, our organization will be allowed to use storage, computing power, or specifically constructed development environments. Our company will do not have to be worried on how the process of cloud computing works internally. The process of Cloud computing is based on Internet-computing (Ertaul et al. 2010). The concept of cloud computing is generally based on software as a service (SaaS), for example Web 2.0 and various technology advancements, all of which re dependent on the Internet so as to satisfy the needs of the user. For instance, Google Apps are used to provide various commercial applications online that are easily accessed through the web browsers, whereas the software and data have their storage on the Internet servers (Faheem 2014). Since the whole concept of cloud computing is based on internet and servers, there are various risks that are associated with it. Information security issues related to cloud computing 1. Loss of trust It is sometime s hard task for the cloud service users to evaluate how trustworthy their service provider are since there is the black-box feature in the cloud services. There lacks the measurements on how to access and analyze the security level of the service provider in a formal manner. In addition, a cloud service user is not capable of evaluating security implementation level attained by the service provider. This lack of sharing of security level by the context of cloud computing service providers is a serious security threat during the usage of cloud services to a cloud service users (Li et al. 2012, Faheem 2014). 2. Loss of governance Whenever an organization intends to migrate some part of its IT system to the cloud infrastructure, there is an implication that the organization will be partially giving control to the cloud service provider. The abovementioned loss of governance is dependent on the type of cloud service model. For example, IaaS only gives hardware and network management to the cloud computing service providers, whereas SaaS also gives the OS, application, and the service integration so as to give turnkey services to the service users (Shah and Anandan 2013). 3. Service Provider Lock-in As a result of the loss of governance, there arises the possibility of lack of freedom in regard to the way in which a service provider could be replaced by another. This might be a case when a cloud service provider is dependent on non-standard hypervisors or virtual machine image formats and doesn’t provide the tools required during the conversion process of virtual machines into standardized formats. 4. Unsecure Cloud Service User Access Since majority of the resource deliveries are based on remote connections, non-protected APIs, (majority of the management APIs and PaaS services are the easiest attack vectors). There are various forms of attacks such as phishing, frauds, and exploitation of application. Usually, credentials and passwords are re-used, which accelerates the effects of these attacks. Cloud computing solutions augment some threats to the landscape. Whenever the attackers gain access to the users’ credentials, the attackers are likely to eavesdrop on the users’ events and transactions, alter data, return forged information, and redirect the customers to illegitimate sites. The users’ accounts or service instances might turn out to be a new base for the attackers. From here, the attackers might affect the power of the users’ reputation so as to launch successive attacks (Shin and Ahn 2005). 5. Data loss and leakage In case the encryption keys or privileged access codes are lost, there would be some fatal complications to a cloud service user. For that reason, lack of the cryptographic management information, for example, encryption key, authentication code and access privileges would significantly result to a sensitive damage on data losses and unexpected leakages to outside environment. For instance, inadequate authentication, authorization, and the audit (AAA) controls; erratic usage of an encryption and/or authentication key; operational failure; a disposal problem; jurisdiction and political matters; data centers trustworthiness; and disaster recoveries are likely to be the main problems associated with data loss and leakage (Li et al. 2012, Shin and Ahn 2005). 6. Absence of Information/Asset Management Whenever in the process of applying to use the Cloud Services, the users face various points of concern regarding the absence of information/assets management by a cloud service provider, for example, location for the delicate assets/information, absence of tangible control for the data storage, dependability of data backup (that is, data retention concerns), counter-measures for the BCP and Disaster Recovery. Additionally, a cloud service user also has some important points of concern in regard to the data being exposed to the foreign governments and on agreement with privacy laws such as the EU data protection directives (Shah and Anandan 2013). Threats resulting from cloud computing in our organization Broad network access Any staff member of the organization will be capable of accessing business management solutions through a smartphone, tablet, laptop and office computer. These devices can be used at any place they are located given that there is an online access. This mobility is advantageous in the sense that during the working hours or off-times, the staff stay at the top of their tasks, contracts and the clients whether they are in the office or on their journey (Armbrust et al. 2009). However, in case one of the smartphones or tablets is accessed by a hacker, the database of the company might be at risk. The hacker might, maliciously, alter figures in the database for personal interests. There would be also some blame game between the managers and the staff in case the system of the organization is hacked. The managers would start accusing the various staff, who have the login details, even if they are not responsible for the matter (Li et al. 2012). Resource pooling Through cloud computing, the workers are able to enter and use data through the business management software at the same time, at any time and from any location. This is possible since the management software is hosted in the cloud. This feature is suitable for the various business offices of the organization since some are usually found outside the workplace (Ertaul et al. 2010). However, in case the system is being by various employees and customers, there might be increased traffic ant that would make the system to be down. Also, there might be a possibility of the system crashing and that would result to a great loss of the organization data if the cloud service provider provided an unstable system to the organization (Upadhyay et al. 2014). Rapid elasticity The cloud is advantageous in the sense that it has a considerable level of flexibility and scalability that is suited to the immediate use of the organization. The staff will be capable of easily adding or removing users, software features and various resources (Nurmi et al. 2008). However, a staff can erroneously or deliberately remove some software features leading to chaos within the system. This could take a lot of time before the problem is identified. In case the staff, who is responsible of the act, keeps quite, fearing to be summoned, the company could end up in huge loses before the problem is identified (Armbrust et al. 2009, Nurmi et al. 2008). Mitigation of threats associated with cloud computing 1. Firewall This approach decreases the attack surface of the virtualized servers within a cloud computing environment. Bi-directional firewalls, are deployed on individual virtual machines so as to offer centralized management to the server firewall policies. 2. Intrusion Detection and Prevention (IDS/IPS) They help in shielding vulnerabilities within the operating systems and enterprise applications till when they can be patched, to attain well-timed protection from the known and zero-day invasions. The virtual equipment and cloud servers usually use the same operating system, enterprises and web applications as their physical server. Installing intrusion detectives and prevention as software on a virtual machine, acts as a shield of the newly discovered susceptibilities in these applications and the Operating systems, to protect them against exploits attempts aimed at compromising virtual machines (Upadhyay et al. 2014, Takabi 2010). 3. Integrity Monitoring The process of integrity monitoring on the critical operating systems and application files is essential for the detection of malicious and unforeseen alterations that could be signaling the risk posed to the cloud computing facilities. Integrity monitoring software are usually applied within the virtual machine levels (Upadhyay et al. 2014). 4. Log Inspection This approach is meant to collect and analyze operating systems and application logs for any security event. The log inspection rule optimizes the identification of crucial security events hidden in several log entries. These security events are then to stand- alone security systems, though amount to maximum visibility whenever forwarded to security Information as well as event management (SIEM) systems or the centralized logging servers for correlation, reports and archives. As it is the case for the integrity monitoring, log inspection abilities have to be applied within virtual machine levels (Takabi 2010, Teo and Ahn 2007). The four mitigation activities are effective in enhancing security in the cloud computing environment. However, there are minor issues of insecurity in cloud computing but with the current technology, efficient mechanisms are being devised so as to mitigate this matter. Reference List Armbrust, M; Fox, A; Griffith, R; Joseph, A; Katz, R; Konwinski, A; Lee, G; Patterson, D; Rabkin, A; Stoica, I; and Zaharia, M 2009, Above the Clouds: A Berkeley View of Cloud Computing, Electrical Engineering and Computer Sciences University of California at Berkeley: University press Ertaul, L; Singhal, S; and Saldamli, G 2010, Security Challenges in Cloud Computing, available at http://www.mcs.csueastbay.edu/~lertaul/Cloud%20Security%20CamREADY.pdf Faheem, M 2014, Security Issues of Cloud Computing, available at http://www.samanmjournals.org/wp-content/uploads/Security-Issues-of-Cloud-Computing.pdf Li, J; Li, B; Wo, T; Hu, C and Huai, J 2012, Cyberguarder: a virtualization security assurance architecture for green cloud computing, Future Generation Computer Systems, 28 (2) pp. 379–390 Nurmi, D., Wolski, r., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, l., and Zagorodnov, D. Eucalyptus, 2008, A Technical Report on an Elastic Utility Computing Archietcture Linking Your Programs to Useful Systems . Tech. Rep. 2008-10, University of California, Santa Barbara Shah, H and Anandan, S 2013, Security Issues on Cloud Computing, Available at http://arxiv.org/ftp/arxiv/papers/1308/1308.5996.pdf Shin, D and Ahn, G 2005, Role-Based Privilege and Trust Management, Computer Systems Science & Eng. J., vol. 20, no. 6 Takabi, H 2010, Security and Privacy Challenges in Cloud Computing Environments, available at http://sefcom.asu.edu/publications/security-privacy-challenges-privacy2010.pdf Teo, L; and Ahn, G 2007, Managing Heterogeneous Network Environments Using an Extensible Policy Framework, Proc. Asian ACM Symp. Information, Com­puter and Communications Security, ACM Press Upadhyay, N; Bhansali, A and Upadhyay, M 2014, Security issues in cloud computing, global journal of engineering science and research management, available at http://www.academia.edu/8780966/SECURITY_ISSUES_IN_CLOUD_COMPUTING Read More