TG 3.5-3.8 Flashcards
how does cloud computing have a positive impact on employees
employees can access the info they need wherever they need it
can cloud computing save money
on premise IT can be expensive, cloud computing is pretty cheap
how would you increase storage space if you had on premise IT? if you had cloud computing?
build more storage// pay for more
can cloud computing improve org flexibility and competitiveness?
-> yes, use only the amount of resources they need at a given time (scale up and down easily)
is cloud computing faster than on premise computing?
yes
6 risks/concerns with cloud computing?
1 legacy IT systems
2 reliability
3 privacy
4 security
5 legal and regulatory environment
6 criminal use of cloud computing
concern 1: legacy IT
LEGACY SPAGHETTI! mix of old IT is hard to upgrade to cloud computing
also professionals can have vested interests in old IT
concern 2: reliability
outages can occur!
Microsoft's cloud computing service name
AZURE
amazon cloud computing service name
S3
simple storage service
or AWS
Concern 3: privacy
cloud computing can not always guarantee privacy
there are legal regulations
Concern 4: security
very different from traditional IT, so providers need to consider new security measures
Security issues include access to sensitive data, data segregation (among customers), privacy, error exploitation, recovery, accountability, malicious insiders, and account control.
The security of cloud computing services is a contentious issue that may be delaying the adoption of this technology. Security issues arise primarily from the unease of both the private and public sectors with the external management of security-based services. The fact that providers manage these services provides a great incentive for them to prioritize building and maintaining strong security services.
Another security issue involves the control over who is able to access and use the information stored in the cloud. (Recall our discussion of least privilege in Chapter 4.) Many organizations exercise least-privilege controls effectively with their on-premise IT infrastructures. Some cloud computing environments, in contrast, cannot exercise least-privilege controls effectively. This problem occurs because cloud computing environments were originally designed for individuals or groups, not for hierarchical organizations in which some people have both the right and the responsibility to exercise control over other people’s private information. To address this problem, cloud computing vendors are working to incorporate administrative, least-privilege functionality into their products. In fact, many have already done so.
Consider Panama City, Florida, as an example. Panama City was one of the first cities in the United States to adopt Google Apps for Government. The city was searching for a way to gain visibility into who was using Google Apps and how users were collaborating both inside and outside the city’s IT domain. Furthermore, the city had to have the ability to control and enforce data-sharing policies where necessary. The city decided to adopt Cisco Cloudlock (https://umbrella.cisco.com/products/casb).
Cloudlock provides a security system to protect its clients’ information assets located in public cloud applications like Google Apps. Cloudlock addresses key data management issues such as the following:
Data inventory: How many information assets exist and what are their types?
Which information assets are shared with the public or over the Internet?
Who has access to what information asset and what information asset is accessible to whom?
Using Cloudlock, Panama City was able to notify data owners of policy violations or exposed documents containing potentially sensitive information, change or revoke excessive privilege, and audit permissions changes. Furthermore, the city’s IT manager was able to designate department leaders to manage their respective organizational unit’s data policies and usage by giving them access to the Cloudlock application.
concern 5: regulatory and legal environment
There are numerous legal and regulatory barriers to cloud computing, many of which involve data access and transport. For example, the European Union prohibits consumer data from being transferred to nonmember countries without the consumers’ prior consent and approval. Companies located outside the European Union can overcome this restriction by demonstrating that they provide a “safe harbour” for the data. Some countries, such as Germany, have enacted even more restrictive data export laws. Cloud computing vendors are aware of these regulations and laws, and they are working to modify their offerings so that they can assure customers and regulators that data entrusted to them are secure enough to meet all of these requirements.
To obtain compliance with regulations such as the Personal Information Protection and Electronic Documents Act in Canada; the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act, and the Sarbanes-Oxley Act in the United States; the Data Protection Directive in the European Union; and the credit card industry’s Payment Card Industry Data Security Standard (PCI DSS), cloud computing customers may have to adopt hybrid deployment modes that are typically more expensive and may offer restricted benefits. This process is how, for example, Google is able to “manage and meet additional government policy requirements beyond FISMA,” and Rackspace (www.rackspace.com) is able to claim PCI compliance. FISMA requires each federal agency to develop, document, and implement a program to provide information security for the information and information systems that support the operations of the agency, including those provided by contractors. PCI DSS is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
concern 6: criminal use of cloud computing
Cloud computing makes available a well-managed, generally reliable, scalable global infrastructure that is, unfortunately, as well suited to illegal computing activities as it is to legitimate business activities. We look here at a number of possible illegal activities.
The huge amount of information stored in the cloud makes it an attractive target for data thieves. Also, the distributed nature of cloud computing makes it very difficult to catch criminals.
Cloud computing makes immense processing power available to anyone. Criminals using cloud computing have access to encryption technology and anonymous communication channels that make it difficult for authorities to detect their activities. When law enforcement pursues criminals, the wrongdoers can rapidly shut down computing resources in the cloud, thus greatly decreasing the chances that there will be any clues left for forensic analysis. When criminals no longer need a machine and shut it down, other clients of cloud vendors immediately reuse the storage and computational capacity allocated to that machine. Therefore, the criminal information is overwritten by data from legitimate customers. It is nearly impossible to recover any data after the machine has been de-provisioned.
Criminals are registering for an account (with assumed names and stolen credit cards, of course) with a cloud vendor and “legitimately” using services for illegal purposes. For example, criminals are using Gmail or the text-sharing website Pastebin (www.pastebin.com) to plan crimes and share stolen information. Another example is that criminals use cloud computing in brute-force password cracking (see Chapter 4). Although such uses are prohibited by most companies’ terms-of-service agreements, policing the cloud is expensive and not very rewarding for cloud providers.
Many cloud vendors offer geographical diversity—that is, virtual machines that are located in different physical locations around the world. Criminals can use this feature in transnational attacks. Such attacks place political and technical obstacles in the way of authorities seeking to trace a cyberattack back to its source.
Another weakness exploited by criminals arises from the web-based applications, or SaaS offerings, provided by cloud vendors. With millions of users commingling on tens of thousands of servers, a criminal can easily mix in among legitimate users.
Even more complicated for authorities and victims, cyberattacks can originate within cloud programs that we use and trust. For example, researchers at the security firm F-Secure reported that they had detected several phishing sites hosted within Google Docs. What made the attacks possible is a feature within Google’s spreadsheet system that lets users create web-based forms, with titles such as “Webmail Account Upgrade” and “Report a Bug.” These forms, located on a Google server, were authenticated with Google’s encryption certificate. Significantly, they requested sensitive information such as the user’s full name, username, Google password, and so on, according to the F-Secure researchers.