Section 6: Security Implications and Adoption of Evolving Technology Flashcards
Platform as a Service (PaaS)
Offers the capability to deploy onto the cloud infrastructure customer-created or -acquired applications that are created using programming languages and tools supported by the provider.
Web application risk
In implementing and adapting their cloud-based strategies, enterprises tend to include SaaS offerings, sometimes extending this to critical business processes and related applications. Despite the fact that these service offerings may bring business advantages, they nevertheless generate data-in-flow vulnerabilities that may be exploited by cybercrime and cyberwarfare. The resulting risk is exacerbated by the fact that many vendors and hardware providers (e.g., for mobile devices) supply cloud-based freeware designed to enforce user loyalty. This is often the case for data synchronization, handling of popular file types such as music or pictures, and personal information such as email and calendar entries.
Infrastructure as a Service (IaaS)
Offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applications.
Software as a Service (SaaS)
Offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).
Cloud Computing
According to NIST and the Cloud Security Alliance (CSA), cloud computing is defined as a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
security audit
Similar to the use of any third-party contract, it is important for organizations to ensure that their cloud provider has a security system in place equivalent to or better than the organization’s own security practice.
Many cloud providers are ISO 27001 or FIPS 140-2 certified.
In addition, organizations can request a security audit of the cloud provider. The security audit should cover:
- the facilities
- networks
- hardware
- operating systems within the cloud infrastructure
Benefits of Cloud Computing
- Market drive: Because security is a top priority for most cloud customers, cloud providers have a strong driver for increasing and improving their security practices.
- Scalability: Cloud technology allows for the rapid reallocation of resources, such as those for filtering, traffic shaping, authentication and encryption, to defensive measures.
- Cost-effective: All types of security measures are cheaper when implemented on a large scale. The concentration of resources provides for cheaper physical perimeter and physical access control and easier and cheaper application of many security-related processes.
- Timely and effective updates: Updates can be rolled out rapidly across a homogeneous platform.
- Audit and evidence: Cloud computing can provide forensic images of virtual machines, which results in less downtime for forensic investigations.
Potential threat events
- Data breaches
- Data loss
- Account hijacking
- Insecure application programming interfaces (APIs)
- Denial-of-service (DoS)
- Malicious insiders
- Abuse of cloud services
- Insufficient due diligence
- Shared technology issues
Zero-day exploits
The application layer within the overall IT environment is particularly susceptible to zero-day exploits, as witnessed by many practical examples. Even major software vendors frequently update and patch their applications, but new attack vectors using such applications emerge almost on a daily basis. In terms of cybercrime and cyberwarfare, the market for zero-day exploits is a lively one, and the time span from discovery to recognition and remediation is increasing.
Cloud Malware risk
The propagation of complex malware has been growing over the past several years. From a cybercrime and cyberwarfare perspective, recent specimens of malware show a higher level of sophistication and persistence than the basic varieties used by opportunistic attackers. While software vendors are quick to address malware in terms of recognition and removal, there is a significant residual risk of malware becoming persistent in target enterprises.
Attacks where APTs make use of already installed simple malware are often successful where the environmental conditions are conducive to user error or lack of vigilance, namely in home user or traveling user scenarios. In practice, removal of the primary malware (a fairly simple process) often allays any further suspicion and causes users and security managers to be lulled into a false sense of security. The secondary and very complex malware may have infiltrated the system, presenting a known and simple piece of primary malware as bait.