Min 2 articles per each student. the literature review with - 3~4 pages in 12 po
Question
Min 2 articles per each student. The literature review with - 3~4 pages in 12 points & single spaced. This will be an aggregation of summaries from the articles that relate to the security of the Cloud Computing, including one sentence that describes why you are doing this literature review at the beginning of the text of the paper. Sources that are used for literature review: academic journals, conference papers, government documents and official white papers. Sources that are not used for the literature review: Wikipedia, Internet news articles, personal essay or writings, blogs or forums.
Explanation / Answer
Cloud Security Landscape:
Loss of governance. In a public cloud deployment, customers cede control to the cloud provider over a number of issues that may affect security. Yet cloud service agreements may not offer a commitment to resolve such issues on the part of the cloud provider, thus leaving gaps in security defenses.
Responsibility ambiguity. Responsibility over aspects of security may be split between the provider and the customer, with the potential for vital parts of the defenses to be left unguarded if there is a failure to allocate responsibility clearly. This split is likely to vary depending on the cloud computing model used (e.g., IaaS vs. SaaS).
Authentication and Authorization. The fact that sensitive cloud resources are accessed from anywhere on the Internet heightens the need to establish with certainty the identity of a user -- especially if users now include employees, contractors, partners and customers. Strong authentication and authorization becomes a critical concern.
Isolation failure. Multi-tenancy and shared resources are defining characteristics of public cloud computing. This risk category covers the failure of mechanisms separating the usage of storage, memory, routing and even reputation between tenants (e.g. so-called guest-hopping attacks).
Compliance and legal risks. The cloud customer’s investment in achieving certification (e.g., to demonstrate compliance with industry standards or regulatory requirements) may be lost if the cloud provider cannot provide evidence of their own compliance with the relevant requirements, or does not permit audits by the cloud customer. The customer must check that the cloud provider has appropriate certifications in place.
Copyright © 2015 Cloud Standards Customer Council
Handling of security incidents. The detection, reporting and subsequent management of security breaches may be delegated to the cloud provider, but these incidents impact the customer. Notification rules need to be negotiated in the cloud service agreement so that customers are not caught unaware or informed with an unacceptable delay.
Management interface vulnerability. Interfaces to manage public cloud resources (such as self-provisioning) are usually accessible through the Internet. Since they allow access to larger sets of resources than traditional hosting providers, they pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
Application Protection. Traditionally, applications have been protected with defense-in-depth security solutions based on a clear demarcation of physical and virtual resources, and on trusted zones. With the delegation of infrastructure security responsibility to the cloud provider, organizations need to rethink perimeter security at the network level, applying more controls at the user, application and data level. The same level of user access control and protection must be applied to workloads deployed in cloud services as to those running in traditional data centers. This requires creating and managing workload-centric policies as well as implementing centralized management across distributed workload instances.
Data protection. Here, the major concerns are exposure or release of sensitive data as well as the loss or unavailability of data. It may be difficult for the cloud service customer (in the role of data controller) to effectively check the data handling practices of the cloud provider. This problem is exacerbated in cases of multiple transfers of data, (e.g., between federated cloud services or where a cloud provider uses subcontractors).
Malicious behavior of insiders. Damage caused by the malicious actions of people working within an organization can be substantial, given the access and authorizations they enjoy. This is compounded in the cloud computing environment since such activity might occur within either or both the customer organization and the provider organization.
Business failure of the provider. Such failures could render data and applications essential to the customer's business unavailable over an extended period.
Service unavailability. This could be caused by hardware, software or communication network failures.
Vendor lock-in. Dependency on proprietary services of a particular cloud service provider could lead to the customer being tied to that provider. The lack of portability of applications and data across providers poses a risk of data and service unavailability in case of a change in providers; therefore it is an important if sometimes overlooked aspect of security. Lack of interoperability of interfaces associated with cloud services similarly ties the customer to a particular provider and can make it difficult to switch to another provider.
Insecure or incomplete data deletion. The termination of a contract with a provider may not result in deletion of the customer’s data. Backup copies of data usually exist, and may be mixed on the same media with other customers’ data, making it impossible to selectively erase. The very advantage of multi-tenancy (the sharing of hardware resources) thus represents a higher risk to the customer than dedicated hardware.
Visibility and Audit. Some enterprise users are creating a “shadow IT” by procuring cloud services to build IT solutions without explicit organizational approval. Key challenges for the security team are to know about all uses of cloud services within the organization (what resources are being used, for what purpose, to what extent, and by whom), understand what
Cloud Security Guidance:
1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud service agreement
10. Understand the security requirements of the exit process