You have selected free tutorial of the Microsoft Corporation for the Microsoft Technology Associate (MTA) :
98-369: MTA: Cloud Fundamentals :
Module 1: Understand the Cloud :
Describe cloud security requirements and policies.
Microsoft Help:
Hints: Describe how cloud services manage privacy, how compliance goals are met, how data is secured at rest or on-the-wire, and how data and operations transparency requirements are met.
Understanding WS-Security
Using compute and storage services starts with selecting an appropriate IT service provider (SP). Within their terms of use and privacy statements, SPs define which information about a customer (and, if the customer is an organization, its users) they require in order to provide the selected service. It also must be specified for which purposes the collected data will be used, and how long it will be retained. Typically, customer and user information is required for accounting and billing purposes as well as for service personalization. Generally, it thus includes personally identifiable information (PII), i.e., data that can be used to uniquely identify a single person.
In order to prevent any misuse of such sensitive data, e.g., selling email addresses to marketing agencies, legislative regulations exist; they restrict how PII may be used on an organizational level and must be mapped to technical solutions, which often have been neglected in the past, resulting in potential vulnerabilities. Although privacy and data protection laws differ between countries and dedicated regulations exist for industrial sectors such as finance and healthcare, one classic and common principle is that data must only be used for purposes which the user has been informed about and agreed to. Cloud computing has entered everyone’s life today irrespective of technology or any other aspect. Every tech magazine or every information technology (IT) organization website speaks about cloud computing.
What exactly is this cloud computing?
Cloud in Information Technology
Cloud computing has revolutionized the IT industry for the past decade and is still developing creative ways to solve current problems. Companies and research institutes are slowly moving to the cloud to address their computing needs. To make cloud more user friendly for computing, the industry has invested a lot into the following aspects:
- Time and finance: The cloud is a centralized system and updates information in real time. Businesses with time-sensitive data are quick to grab this opportunity and harness the efficiency of the cloud. For example, medical research that needed months of in-house number crunching moved to distributed systems, significantly reducing computing time and expenses.
- People and association: With the advent of cloud, an online collaboration between distributed teams became easy. It is now easier to communicate and work with people located in different areas, sometimes different countries, during office hours. Teams now consist of members distributed across large geographic areas. As mentioned, the capability of the cloud to update information in real time enables teams to address issues immediately. Working together no longer means meeting up in the boardroom. Internet Protocol (IP) telephony, such as Skype and Google Hangout, provides a platform that allows team members to discuss tasks without stepping a foot outside their cubicles.
- Replacing hardware: Relocating information and data systems to the cloud not only saves money but also reduces wasted resources. Companies no longer need to purchase hardware and systems that need installation and maintenance. Data centers on the cloud can reallocate these resources to clients, saving company dollars because clients pay only for what is used and avoid purchasing machines that will not be useful in the long run. Cloud service providers (CSPs) also have the ability to optimize their systems to reduce waste. They also have the capability of upgrading their systems according to service demands. This is usually very expensive for businesses to do and results in wasted resources. Fewer in-house machines means that companies could redirect funds toward improving other aspects of business operations.
- Energy efficient: A study reports that clients of Salesforce produced 95% less carbon compared to companies with systems in their premises.
- Study from Accenture, Microsoft, and WSP Environment and Energy: A 2010 study from Accenture, Microsoft, and WSP Environment and Energy reported a huge impact of the cloud on CO2 emissions. They found out that businesses with systems and applications on the cloud could reduce per-user carbon footprint by 30% for large companies and 90% for small businesses.
- Going green: Greenpeace pointed out in a recent study that while efficiency is increasing, the energy source is also varying. The internal operations of data centers are green, but it is superficial if the power source is nonrenewable. With the increasing demand for cloud computing, energy consumption is expected to increase by 12% each year. An analysis of Greenpeace showed that out of the 10 leading tech companies—Akamai, Amazon, Apple, Facebook, Google, HP, IBM, Microsoft, Twitter, and Yahoo!—Akamai and Yahoo! are the most environment friendly and Apple the least. The report also highlighted Google’s effort in greening its energy sources.
- The future of the cloud and the environment: Two companies in Iceland, Green Earth Data and GreenQloud, both claim to offer 100% renewable energy by powering their data centers with geothermal and hydropower resources, which are abundant in the country. "The internet with cloud computing is becoming a big contributor to carbon emissions because of dirty energy usage." GreenQloud aims to set an example to cloud computing giants in creating environment-friendly cloud services. As the cloud industry expects to grow to a $150 billion market by the end of the year, users are increasingly demanding green services. Cloud technologies are quickly taking off, and it is a chance for companies and businesses to think of creative ways of harnessing its power while saving the environment.
Data and services are stored remotely but accessible from anywhere. Though cloud is the hotcake technology today, there are many issues related to it. The following four major issues stand out with cloud computing:
- Threshold policy: Before moving a program to the production environment, develop (or improve) and implement a threshold policy and test it in a pilot study. Check how the policy detects sudden increases in demand and creates additional instances to meet that demand. Also check how unused resources are to be deallocated and turned over to other work.
- Interoperability issues: Achieving interoperability of applications between two cloud computing vendors is a problem; data may need to be reformatted or the logic in applications changed.
- Hidden costs: Cloud computing does not tell you what the hidden costs are. One instance is network cost: companies that are far from the location of cloud providers could experience latency, particularly when there is heavy traffic.
- Unexpected behavior: Tests need to be run to reveal unexpected results of validation or of releasing unused resources, so that the problem can be fixed before running the application in the cloud.
Cloud computing places business data into the hands of an outside provider and makes regulatory compliance inherently riskier and more complex than it is when systems are maintained in-house. Loss of direct oversight means that the client company must verify that the service provider is working to ensure that data security and integrity are ironclad. The following are the current security-related research areas in cloud computing:
- Reliable, distributed applications based on the Internet, such as the e-commerce system, rely heavily on the trust path among involved parties.
- The skyrocketing demand for a new generation of cloud-based consumer and business applications is driving the need for a next generation of data centers that must be massively scalable, efficient, agile, reliable, and secure. In order to scale cloud services reliably to millions of service developers and billions of end users, the next-generation cloud computing and data center infrastructure will have to follow an evolution similar to the one that led to the creation of scalable telecommunication networks.
- In the future, network-based CSPs will leverage virtualization technologies to be able to allocate just the right levels of virtualized compute, network, and storage resources to individual applications based on real-time business demand while also providing full service-level assurance of availability, performance, and security at a reasonable cost.
Due to huge infrastructure cost, organizations are slowly switching to cloud technology. Data are stored in the CSP’s infrastructure. As data do not reside in organization territory, many complex challenges arise. Some of the complex data security challenges in cloud include the following:
- The need to protect confidential business, government, or regulatory data
- Cloud service models with multiple tenants sharing the same infrastructure
- Data mobility and legal issues relative to such government rules as the European Union (EU) Data Privacy Directive
- Lack of standards about how CSPs securely recycle disk space and erase existing data
- Auditing, reporting, and compliance concerns
- Loss of visibility to key security and operational intelligence that no longer is available to feed enterprise IT security intelligence and risk management
- A new type of insider who does not even work for your company but may have control and visibility into your data
Data management at rest: Businesses should ask specific questions to determine the CSP’s data storage life cycle and security policy. Businesses should find out if
- Multitenant storage is being used, and if it is, find out what separation mechanism is being used between tenants
- Mechanisms such as tagging are used to prevent data being replicated to specific countries or regions
- Storage used for archive and backup is encrypted and the key management strategy includes a strong identity and access management policy to restrict access within certain jurisdictions
Infrastructure-as-a-Service Security Issues
Cloud computing makes a lot of promises in the areas of increased flexibility and agility, potential cost savings, and competitive advantages for developers so that they can stand up an infrastructure quickly and efficiently to enable them to develop the software to drive business success. There are a lot of problems that cloud, especially private cloud, solves, but it is not as good at solving problems related to security. In a private cloud environment, some of the traditional problems faced are as follows:
- Hypervisor security: In private cloud, most or all of services will run in a virtualized environment and the security model used by the hypervisor cannot be taken for granted. A need to evaluate the security models and the development of hypervisors becomes necessary.
- Multitenancy: Although all the tenants in the multitenancy environment will be from the same company, not all tenants may be comfortable sharing infrastructure with other users within the same company.
- Identity management and access control (IdAM): In a traditional data center, we were comfortable with the small handful of authentication repositories we had to work with—Active Directory being one of the most popular. But with private cloud, handling authentication and authorization for the cloud infrastructure, handling tenants, and handling delegation of administration of various aspects of the cloud fabric are the major tasks to be addressed.
- Network security: In private cloud, we are likely to have many components of a service communicate with each other over virtual network channels only. Assessing the traffic, employing some powerful access controls for physical networks, and controlling quality of service, which is a key issue in the availability aspect of the confidentiality, integrity and availability (CIA) security model, are major concerns.
Software-as-a-Service Security Issues
In a traditional on-premise application deployment model, the sensitive data of each enterprise continue to reside within the enterprise boundary and are subject to its physical, logical, and personnel security and access control policies. The architecture of SaaS-based applications is specifically designed to support many users concurrently (multitenancy). SaaS applications are accessed through the web, and so web browser security is very important. Information security officers will need to consider various methods of securing SaaS applications. Web services (WS) security, Extensible Markup Language (XML) encryption, and SSL are available options for enforcing protection of data transmitted over the Internet. In the SaaS model, the enterprise data are stored outside the enterprise boundary, at the SaaS vendor end. Consequently, the SaaS vendor must adopt additional security checks to ensure data security and to prevent breaches due to security vulnerabilities in the application or through malicious employees. This involves the use of strong encryption techniques for data security and fine-grained authorization to control access to data. The pain points of concern in SaaS are as follows.
- Network security: In an SaaS deployment model, sensitive data flow over the network needs to be secured in order to prevent leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as the SSL and TLS for security.
- Resource locality: In an SaaS model of a cloud environment, the end users use the services provided by the cloud providers without knowing exactly where the resources for such services are located. Due to compliance and data privacy laws in various countries, locality of data is of utmost importance in much enterprise architecture. The directive prohibits transfers of personal data to countries that do not ensure an adequate level of protection. For example, the recent Dropbox users have to agree to the Terms of Service that grant the providers the right to disclose user information in compliance with laws and law enforcement requests.
- Cloud standards: To achieve interoperability among clouds and to increase their stability and security, cloud standards are needed across organizations. For example, the current storage services by a cloud provider may be incompatible with those of other providers. In order to keep their customers, cloud providers may introduce so-called sticky services that create difficulty for the users if they want to migrate from one provider to the other.
- Data segregation: Multitenancy is one of the major characteristics of cloud computing. In a multitenancy situation, data of various users will reside at the same location. Intrusion of data of one user by another becomes possible in this environment. This intrusion can be done either by hacking through the loopholes in the application or by injecting client code into the SaaS system. An SaaS model should, therefore, ensure a clear boundary for each user’s data. The boundary must be ensured not only at the physical level but also at the application level. The service should be intelligent enough to segregate the data from different users.
- Data access: The data access issue is mainly related to the security policies provided to the users while accessing the data. Organizations will have their own security policies, based on which each employee can have access to a particular set of data. The security policies may entail some considerations wherein some of the employees are not given access to a certain amount of data. These security policies must be adhered to by the cloud to avoid intrusion of data by unauthorized users. The SaaS model must be flexible enough to incorporate the specific policies put forward by the organization. The model must also be able to provide an organizational boundary within the cloud because multiple organizations will be deploying their business processes within a single cloud environment.
- Data breaches: Since data from various users and business organizations lie together in a cloud environment, breaching into the cloud environment will potentially attack the data of all the users. Thus, the cloud becomes a high-value target.
- Backup: The SaaS vendor needs to ensure that all sensitive enterprise data are regularly backed up to facilitate quick recovery in case of disasters. Also, the use of strong encryption schemes to protect the backup data is recommended to prevent accidental leakage of sensitive information. In the case of cloud vendors such as Amazon, the data at rest in S3 are not encrypted by default. The users need to separately encrypt their data and backups so that it cannot be accessed or tampered with by unauthorized parties.
- Identity management (IdM) and sign-on process: IdM deals with identifying individuals in a system and controlling the access to the resources in that system by placing restrictions on the established identities. When an SaaS provider has to know how to control who has access to what systems within the enterprise, the task becomes all the more challenging. In such scenarios, the provisioning and deprovisioning of the users in the cloud become very crucial.
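The data segregation and data access items above call for a tenant boundary enforced at the application level plus each organization's own access policy inside that boundary. The following is an added example, not code from the original tutorial; the table layout, the `TENANT_POLICY` mapping, and all class and function names are assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Per-organization policy (constructed): roles allowed to read every record
# inside their own tenant. Everyone else sees only the rows they own.
TENANT_POLICY = {
    "acme": {"finance"},
    "globex": {"finance", "manager"},
}


@dataclass(frozen=True)
class Session:
    """Identity established at sign-on; never taken from request parameters."""
    tenant_id: str
    user: str
    role: str


def make_db():
    """Constructed sample: two tenants sharing one table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " owner TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [(1, "acme", "alice", 120), (2, "acme", "bob", 75), (3, "globex", "carol", 990)],
    )
    return db


def get_invoice_unscoped(db, invoice_id):
    """Weak form: filters on the record id only, so a caller from one tenant
    can read another tenant's row just by supplying its id."""
    return db.execute(
        "SELECT id, tenant_id, owner, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


class TenantScopedStore:
    """Hardened form: every query is bound to the session's tenant, then the
    organization's own policy decides which rows inside that tenant are visible."""

    def __init__(self, db, session):
        if session.tenant_id not in TENANT_POLICY:
            raise PermissionError("unknown tenant")  # fail closed
        self.db = db
        self.session = session

    def _can_read_all(self):
        return self.session.role in TENANT_POLICY[self.session.tenant_id]

    def get_invoice(self, invoice_id):
        row = self.db.execute(
            "SELECT id, tenant_id, owner, amount FROM invoices"
            " WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.session.tenant_id),
        ).fetchone()
        if row is None:
            return None  # same answer for "absent" and "other tenant's row"
        if not self._can_read_all() and row[2] != self.session.user:
            raise PermissionError("role may not read this record")
        return row

    def list_invoices(self):
        sql = "SELECT id, tenant_id, owner, amount FROM invoices WHERE tenant_id = ?"
        args = [self.session.tenant_id]
        if not self._can_read_all():
            sql += " AND owner = ?"
            args.append(self.session.user)
        return self.db.execute(sql + " ORDER BY id", args).fetchall()


if __name__ == "__main__":
    db = make_db()
    alice = Session("acme", "alice", "employee")
    print("unscoped:", get_invoice_unscoped(db, 3))
    print("scoped:  ", TenantScopedStore(db, alice).get_invoice(3))
```

Because the tenant filter lives in the store rather than in each caller, a handler that forgets a check still cannot cross the boundary, and the same role name can carry different rights in different organizations.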
Platform-as-a-Service Security Issues
PaaS provides a ready-to-use platform, including OS that runs on vendor-provided infrastructure. As the infrastructure is of the CSP, various security challenges of the focused architecture are caused mainly by the spread of the user objects over the hosts of the cloud. Stringently allowing access of objects to the resources and defending the objects against malicious or corrupt providers reasonably reduce possible risks. Network access and service measurement bring together concerns about secure communications and access control. Well-known practices, object scale enforcement of authorization, and undeniable traceability methods may alleviate the concerns. Apart from the aforementioned problems, user privacy must be protected in a public, shared cloud. Therefore, proposed solutions must be privacy aware. Service continuity is another concern for many enterprises that consider cloud adoption. Accordingly, fault-tolerant reliable systems are required.
Audit and Compliance
It is a widely known fact that data protection and regulatory compliance are among the top security concerns for chief information officers (CIOs) of any organization. According to the Pew Internet and American Life Project, an overwhelming majority of users of cloud computing services expressed serious concern about the possibility of a service provider disclosing their data to others. Ninety percent of cloud application users said that they would be very concerned if the company at which their data were stored sold them to another party. A survey conducted by many firms expressed the view that security is the biggest challenge for the cloud computing model. Stakeholders, therefore, increasingly feel the need to prevent data breaches. In recent months, many newspaper articles have revealed data leaks in sensitive areas such as the financial and governmental domains and web community. One of the missions of the data protection authorities is to prevent the so-called Big Brother phenomenon, which refers to a scenario whereby a public authority processes personal data without adequate privacy protection. In such a situation, end users may view the cloud as a vehicle for drifting into a totalitarian surveillance society. The specificities of cloud computing, therefore, make the data protection incentive even greater. For example, the cloud provider should provide encryption to protect the stored personal data against unauthorized access, copy, leakage, or processing. In a cloud environment, companies have no control over their data, which, being entrusted to third-party application service providers in the cloud, could now reside anywhere in the world. Nor will a company know in which country its data reside at any given point in time. This is a central issue of cloud computing that conflicts with the EU requirements whereby a company must at all times know where the personal data in its possession are being transferred to.
Cloud computing thus poses special problems for multinationals with specific EU customers.
- Disaster Recovery: Simple data backup as well as more comprehensive disaster recovery and business continuity planning is an essential part of business and personal life. Backup as a Service and Disaster Recovery as a Service are now available online through the cloud for every level of user, from personal, small business to large enterprise data storage and retrieval, either publicly through the Internet or via more secure dedicated access methods. As a result, traditional methods are becoming obsolete. A few of the advantages include the following:
  - No huge upfront costs for capital investment or infrastructure management or black boxes.
  - Backups are physically stored in a different location from the original source of your data.
  - Remote backup does not require user intervention or periodic manual backups.
  - Unlimited data retention. You can get as much or as little data storage space as you need.
  - Backups are automatic and smart. They occur continuously and efficiently back up your files only as the data change.
- Privacy and Integrity: The promise to deliver IT as a service is addressed to a large range of consumers, from small- and medium-sized enterprises (SMEs) and public administrations to end users. Users are creating an ever-growing quantity of personal data. This expanding quantity of personal data will drive demand for cloud services, particularly if cloud computing delivers on the promises of lower costs for customers and the emergence of new business models for providers. The main privacy challenges for cloud computing are as follows:
  - Complexity of risk assessment in a cloud environment: The complexity of cloud services introduces a number of unknown parameters. Service providers and consumers are cautious about offering guarantees for compliance-ready services and adopting the services. With service providers promoting a simple way to flow personal data irrespective of national boundaries, a real challenge arises in terms of checking the data processing life cycle and its compliance with legal frameworks. To address issues like stakeholders’ roles and responsibilities, data replication, and legal issues compliance, the Madrid Resolution states that every responsible person shall have transparent policies with regard to the processing of personal data. Stakeholders need to specify requirements for cloud computing that meet the expected level of security and privacy. In Europe, the European Network and Information Security Agency (ENISA) provides recommendations to facilitate the understanding of the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations and compliance with laws and regulations.
  - Emergence of new business models and their implications for consumer privacy: A report by the Federal Trade Commission (FTC), "Protecting consumer privacy in an era of rapid change", analyzes the implications for consumer privacy of technological advances in the IT sphere. According to the FTC, users are able to collect, store, manipulate, and share vast amounts of consumer data for very little cost.