IT Risk Management


CHARLES STURT UNIVERSITY

Cloud Computing IT Risk Management

Student ID: Name:

Cloud Computing


Contents

Cyber Security
Executive Summary
Features of cloud computing
Types of cloud computing
Merits of the cloud computing
Recommendations
Risks
Risk Assessment
Threats
Vulnerabilities
Mitigation steps
Protection mechanisms
References


Cyber Security

Executive Summary:

Cloud computing is defined as a service provided by another company that can be accessed over the internet, instead of using the hardware and software inside your own company (Chris Woodward, 2017). This means the user is not concerned with the location of the hardware and software or the work it does; it is all done in the “CLOUD”. The term cloud computing is explained differently to people in different domain areas: for IT people cloud computing is outsourcing, for others it may be a computing service, and for some others it may be a bought software or service which usually sits outside the firewall (Chris Woodward, 2017).

Examples of cloud computing:

• When we send a query to Google, our desktop or laptop does little of the work of producing the output for the query; that is done by a service provided by some other source, which may be located somewhere else. We usually do not notice this, as we are only concerned with the output we get and not the process of getting it (Chris Woodward, 2017).

• We prepare different documents online without using installed applications like Microsoft Office Word or PowerPoint. This is another, newer example of cloud computing.

Features of cloud computing:

Manageable: These services are easily manageable because the users are using services provided by the cloud, and they are managed by the people who run the cloud. For example, if we are using Google documents we need not worry about a virus affecting the document, nor install software to support it. All these tasks are performed by the cloud computing service (Chris Woodward, 2017).

On-demand: Cloud computing services are highly on-demand, and we can pay for the services as we use them or on a subscription basis. So, it is quite similar to paying electricity or telephone bills, as we pay for what we use. This saves time and money compared with buying large amounts of software and hardware that one does not know what to do with (Chris Woodward, 2017).

Public/private: Usually we have two types of cloud computing, based on whether internet or intranet services are used. For example, free services like those which Google provides and web-based email come under public services. Services which use the intranet come under private computing (Chris Woodward, 2017).

These easily accessible features of cloud computing make it more popular and widely used across the web, and it can be accessed anywhere and anytime. We also have different types of cloud computing services, based on the service provided (Chris Woodward, 2017).


Types of cloud computing:

Infrastructure as a service: Here we buy access to computer hardware through the internet, for example servers used for data storage. Utility comes into the picture, as we pay for the service we use. Web hosting is a simple example of infrastructure as a service and is used very often (Chris Woodward, 2017).

Software as a service: Here the complete application runs on someone else's system. Google documents and web-based email are the best examples of software as a service (Chris Woodward, 2017).

Platform as a service: Here, the web applications will be developed at one location and will run on the end user's system. For example, a website can be created at one place and accessed from anywhere in the world, like Amazon (Chris Woodward, 2017).

Merits of the cloud computing:

• Cost savings: Money can be saved by introducing cloud computing into one's business, as it has huge benefits.

• Security: Cloud computing offers full-time security, as this is its main responsibility.

• Flexibility: Cloud computing offers more flexible services, as per the requirement.

• Mobility: Services are easily accessed through our mobile phones from any location across the web.

• Insight: Tracking can be maintained for the data in the cloud.

• Collaboration: Employees in a team can work very effectively, as the data can be easily accessed.

• Quality assurance: All the documents in the cloud are saved in one format and are maintained with the utmost quality.

• Disaster recovery: Cloud computing services store all the data very effectively, and it can be retrieved as we like.

• Prevention of loss: Loss can be prevented to a large extent, as the data resides in the cloud.

• Automated software updates: Most people have no time to update or install new software on their systems; cloud-based applications are installed and updated automatically, on time, when needed.

• Competitive edge: People who use cloud computing services have those services at their fingertips, compared with people who get their services locally.

• Sustainable: Hosting on the cloud is more eco-friendly, which results in a smaller carbon footprint.

Recommendations:

• Clear identification of the data and the data processing operations is required before passing the data into the cloud (Gaeten Cordier, 2016).

• Definite requirements have to be designed for legal and technical security (Gaeten Cordier, 2016).

• Risk analysis has to be carried out to identify the security measures needed for the organization (Gaeten Cordier, 2016).

• A proper and relevant cloud has to be identified and picked for the services needed (Gaeten Cordier, 2016).

• The service provider has to provide proper guarantees, and one has to choose based on the requirements (Gaeten Cordier, 2016).

• Internal security should be clearly reviewed (Gaeten Cordier, 2016).

• Changes in the cloud should be monitored over time and have to be handled from time to time (Gaeten Cordier, 2016).

Risks

• Unauthorized access: As cloud services integrate the data of many small businesses, one should be careful about the security of the data.

• Vendor-based risks: One should be completely aware of the services that vendors provide and the methodologies they use in protecting valuable data.

• Legal risks and compliance: One should definitely know the location where the data resides, the people who can access the data, and the methods of protection.

• Lack of control risks: This risk comes into the picture because we can control the services on our desktop, but we cannot control the services on the cloud, as the vendor does that.

• Availability: 100% uptime is not guaranteed by any service. If the internet service is bad and we are unable to access the application, the cloud services may not be capable of the uptime.

Below is a sample screenshot of the risk.


Risk Assessment

Threats:

Because of the many advantages that cloud services have, they are also prone to many threats. One should be wise in choosing cloud services. Below are some of the top threats for cloud services:

Data transmission: While data is transferred from the client systems to the servers in the cloud, proper security measures have to be taken to avoid data transmission loss and insecurity.

Malicious insiders: Employees are the resources who have complete access to the data in cloud computing, so we should be careful with the employees and their quality of work.

Data loss: One should be very careful about hard drive failure, as there will be a huge loss of data.

Data breach: When we use a virtual machine to access another virtual server, there is a possibility of a data breach at certain times, and it is most likely to occur.

Hijacking: Two-factor authentication is always preferred, because a password is otherwise the only way to enter the service accounts. One should be aware of authentication in this area.

Unknown risk profile: All the security implications have to be considered before entering cloud services, and security software has to be installed and updated on time so as to meet the requirements.

Denial of service: This is one of the most common attacks, where the hacker can send millions of unwanted requests and interrupt the service so that the original requests will not be served on time.

Lack of understanding: Users of cloud computing have to get a very clear idea of the services provided to them and should be aware of the technologies involved. One cannot expect protection services at the user end in cloud computing.

User awareness: Users have to be aware of the various types of attacks while using cloud computing services; it may not always be possible for the service providers to provide security for us.

Vulnerabilities:

A vulnerability is defined as a weakness that an attacker can exploit for personal gain. Below are some of the vulnerabilities in cloud computing services.

Session riding: This occurs when the hacker tricks the users by sending authentication requests in order to achieve various things. A hacker can steal the user's cookie and use it for his own purposes.

Virtual machine escape: Virtual servers can run a large number of machines in the cloud, and there is a chance that hackers can attack these systems and exploit them for their own benefit.

Service availability and reliability: There may not be a chance of 100% uptime while using cloud services, as we don't have internet when there is really bad weather. We should be prepared for downtime of the cloud services due to poor weather conditions.

Insecure cryptography: Virtual machines used by the users have to rely on sources which can produce easily guessable numbers, so as to avoid huge entropy in the algorithms used in cryptography.

Portability and data protection: When we choose a new vendor for cloud services, we have to make sure that all the data is deleted from the old vendor's cloud services.

CSP lock-in: Customers should not be locked into the cloud services for years and years, and should be easily transferable from their accounts or services.

Internet dependency: One will be completely dependent on the internet to use cloud services, so if the internet goes down we cannot access or use the cloud services.

Mitigation steps

• A reliable cloud provider provides better security, so choose the right provider.

• In order to ensure data security, proper encryption systems have to be installed.

• Introduce suitable validation processes and registration of the authorizers.

• Network flow and traffic should be reviewed from time to time so that the service is maintained perfectly.

• Security standards have to meet the requirements.

• Strict authentication has to be maintained along with encrypted transmission of data, to ensure the data is safe even during transmission.

• Vulnerabilities have to be checked from time to time, ensuring that safety measures are installed and updated on time.

• SSL encryption of data and API security have to be provided on time where necessary.

Protection mechanisms

The image below shows how an attack may occur in cloud services; let us discuss a few protective measures:


Cryptography-related security measures:

• Authorize encryption: Cloud service providers use advanced tools like proxy re-encryption where required in order to ensure security in all conditions. Users can upload and download data to and from the cloud from their smartphones, and hence ensuring safety is a higher priority.

• Remote data auditing: This technique provides assurance of data protection and security in many ways. It works effectively in improving efficiency, public verifiability and probability of detection when required.

• BP-XOR gates: Installing these gates works as an effective approach in cryptography to get a trustworthy evaluation. These gates have to be installed at the major junctions and where there are secret sharing schemes, in order to ensure the security of the system.

• Key encryption: This key encryption depends on private hidden key encryption, which is very effective in providing security to the servers and database. The difficulty arises in that it is very hard to decrypt keys which are encrypted.

References

Explain that Stuff. (2018). Cloud computing - A simple introduction. [online] Available at: http://www.explainthatstuff.com/cloud-computing-introduction.html [Accessed 27 Jan. 2018].

Salesforce.com. (2018). Cite a Website - Cite This For Me. [online] Available at: https://www.salesforce.com/hub/technology/benefits-of-cloud/ [Accessed 27 Jan. 2018].

Iapp.org. (2018). CNIL Cloud Computing Recommendations. [online] Available at: https://iapp.org/resources/article/cnil-cloud-computing-recommendations/ [Accessed 27 Jan. 2018].

Calyptix Security. (2018). Top 5 Risks of Cloud Computing. [online] Available at: https://www.calyptix.com/research-2/top-5-risks-of-cloud-computing/ [Accessed 27 Jan. 2018].

Singh, N. and Singh, A. (2018). Data Privacy Protection Mechanisms in Cloud.

SSL Certificates by ClickSSL - Cheap Price, Best Quality & Support. (2018). Top 8 Cloud Computing Threats and its Security Solutions. [online] Available at: https://www.clickssl.net/blog/top-8-cloud-computing-threats-and-its-security-solutions [Accessed 27 Jan. 2018].

Lukan, D. and Lukan, D. (2018). The top cloud computing threats and vulnerabilities in an enterprise environment. [online] Cloud Tech News. Available at: https://www.cloudcomputing-news.net/news/2014/nov/21/top-cloud-computing-threats-and-vulnerabilities-enterprise-environment/ [Accessed 27 Jan. 2018].
