Cloud security is the protection of data that is available online from cyber-attacks, deletion and leakage. Cloud security relies on several methods, including penetration testing, firewalls, tokenization, obfuscation, avoiding public internet services and virtual private networks. Applying these methods improves cloud security services. The main aim of this article is to review cloud security and its risk management in detail. These safeguards play an important role in protecting data, protecting customer privacy, and supporting regulatory compliance. Several major threats to cloud security strongly affect the service. These include data breaches, account hijacking, insecure application programming interfaces, data loss, service traffic hijacking, shared technology, and poor cloud storage providers. One of the most important threats to cloud security is the distributed denial of service (DDoS) attack. Attacks of this kind can shut down the complete service by crushing the data completely. As a result, the user is unable to access this data from anywhere in the world.
Many cloud security companies are working on proper risk management for their services. Every organization must extend its information system security risk management practice to cover its cloud environment. Moreover, organizations must understand cloud security in detail so that they can manage the risks effectively. Risk management also involves identifying technological assets, data and their links with the business. All necessary actions must be taken to minimize cloud security risks. Organizational owners must work on minimizing cloud security risk for the future of technology.
Cloud security methods
The main methods of cloud security are explained in this section.
Firewalls of Cloud Security and Risk Management
A cloud firewall is a cloud-deployed, software-based network device used to stop and mitigate unwanted access to private networks. It is one of the most important technologies designed to meet modern business needs and those of other online application environments. The important benefits of cloud firewalls include better scalability, availability, migration security, extensibility, identity protection, performance management, and secure access parity. There are two important types of firewall: SaaS firewalls and next-generation firewalls (Management Association, 2019).
Penetration testing of Cloud Security and Risk Management
Penetration testing, also called pen-testing, is one of the most important methods used for cloud security. It tests a computer system and its network in detail, or a web application, to find security vulnerabilities that an attacker could use. The testing can be automated with software applications or performed manually. Moreover, the process gathers important information about the target before the test and identifies important entry points. The main aim of this method is to test and identify the weaknesses present in the network.
This method can also be used to test the organizational security policy and to measure compliance with that policy. It also helps the organization by informing it about different security disasters, and it highlights weaknesses present in the company's security policy. There are also penetration testing tools that help to scan any kind of system easily, which makes it easy to identify hardcoded values such as passwords and usernames (Krishna, 2018).
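As an added illustration of the hardcoded-value check mentioned above (this is not code from the article or from any particular tool), the following Python sketch scans text for passwords and usernames assigned as string literals and reports them with the value masked. The pattern, the helper names and the sample lines are assumptions constructed for this example.

```python
import re

# Credential-like name, then ':' or '=', then a quoted string literal.
CRED_RE = re.compile(
    r"\b(?P<name>\w*(?:password|passwd|pwd|username|user)\w*)"
    r"""['"]?\s*[:=]\s*"""
    r"""(?P<q>['"])(?P<value>[^'"]*)(?P=q)""",
    re.IGNORECASE,
)
# Template placeholders are references to a secret, not the secret itself.
PLACEHOLDER_RE = re.compile(r"\$\{\w+\}|\{\{\s*[\w.]+\s*\}\}|<\w+>|%\(\w+\)s")


def mask(value):
    """Keep the first character only, so the report does not leak the value."""
    return value[0] + "*" * (len(value) - 1)


def scan(text, path="<memory>"):
    """Return one finding per hardcoded credential-like literal in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRED_RE.finditer(line):
            value = m.group("value")
            if not value or PLACEHOLDER_RE.fullmatch(value):
                continue  # empty string or template placeholder
            findings.append({"path": path, "line": lineno,
                             "name": m.group("name"), "masked": mask(value)})
    return findings


# Constructed sample input (not taken from a real code base).
SAMPLE = '''\
db_user = "reporting_svc"
db_password = "S3cr3t-Example-Only"
api_password = os.environ["API_PASSWORD"]
smtp_password = "${SMTP_PASSWORD}"
# password: 'hunter2-example' left in a comment
{"username": "admin-example"}
timeout = "30"
'''

if __name__ == "__main__":
    for f in scan(SAMPLE, "settings.py"):
        print(f'{f["path"]}:{f["line"]}: {f["name"]} = {f["masked"]}')
```

Values read from the environment or from a template placeholder are not reported, while a credential left in a comment is, because it is just as readable to anyone who obtains the file.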
Obfuscation of Cloud Security and Risk Management
Obfuscation is the practice of making something extremely difficult to understand. This means that everything is written in machine language. Program code is obfuscated to protect intellectual property and to prevent attackers from applying reverse engineering to hack the system.
This may include encrypting some part of the code or assigning meaningless labels to the code in binary form. This is one of the essential methods of cloud security. It can be implemented with obfuscator tools that automatically convert source code into a program that is extremely hard to understand. The main purpose of obfuscating code is to protect the system or network from any kind of cyber-attack. The programs are written in C and C++, which helps to increase the difficulty of understanding them (Tim Mather, 2009).
Tokenization of Cloud Security and Risk Management
Tokenization is one of the essential methods of cloud security used by different banks. It breaks up a sequence of strings into pieces such as words, numbers, phrases, and keywords, which are known as tokens. A token may be a single word or a complete sentence. After tokenization is applied to a sentence, some punctuation and characters are discarded, and the tokens become the input for subsequent text mining. This method is mainly used in computer science, and it plays an important role in lexical analysis. The tokens are separated in a few steps:
Tokens are separated on the basis of punctuation, white space, words, and numbers.
White space and punctuation marks may be excluded, depending on the need.
After tokenization, all of these characters are converted into special ones for the user, which helps the user to protect valuable data.
Tokenization has some benefits, which include the following.
If a security breach occurs, the cardholder's information is protected, because the hacker is only able to access tokens, which are completely useless. It also helps to reduce the data environment for the user and saves the user money and time. With tokenization, there is end-to-end encryption. This means that the data can be encrypted and decrypted easily at no cost (Dotson, 2019).
Virtual private networks of Cloud Security and Risk Management
A virtual private network (VPN) is another method used for cloud security. It provides a safe, encrypted connection over a less protected network such as the public internet. The technology works over shared public infrastructure while maintaining privacy through different protocols. These protocols encrypt the data at the sending point and decrypt it at the receiving point. All data is sent through the tunnel, which will not pass data that is not fully encrypted. With this technology, unwanted data cannot be sent or received.
There are some important types of VPN. A remote access VPN can be used by the organization as the gateway server. A site-to-site VPN is a server that is connected to the entire network through only one location. A mobile VPN helps the server to provide a safe gateway for the user through a data tunnel, and it also enables a safe server for the network. A hardware VPN is more beneficial than all software-based VPNs, and it also helps to apply load balancing for handling a large amount of data from users. A VPN appliance is a software-based VPN that helps to enhance the security features of the entire network. VPN Reconnect is one of the best features used in Windows 7, and it helps to allow a proper private network connection for internet services (Winkler, 2011).
Refrain from public internet connections of Cloud Security and Risk Management
This is one of the simplest methods for cloud security. The user just has to avoid public internet services for uploading, sending, and receiving important data.
Risk Management for Cloud Computing
Cloud computing is one of the finest computing strategies and has the potential to provide flexible, agile and cost-effective information services. Under the cloud computing paradigm, organisations give up direct control over many aspects of security and privacy to the cloud service provider (CSP). At the same time, organisations that use cloud services are still accountable for the availability, confidentiality and integrity of the related information and of the information systems hosted by the CSP.
As a result, organisations must extend their information system security risk management practice to include the cloud environment. The shared nature of using and operating the cloud environment changes who is responsible for the construction or implementation, functioning and maintenance of the security controls. Therefore, organisations that use cloud computing need to understand cloud security in order to address all the risks effectively (Carlin & Curran, 2013).
To establish cloud-based services, the government designed and constructed an integrated risk management approach for the adoption of cloud computing. This approach, designed and developed at the governmental level, can be applied to all cloud-based services. It can be applied independently to all cloud-based services and to the deployment models.
Because of economies of scale, cloud service providers (CSPs) have the potential to offer a state-of-the-art cloud ecosystem that is more secure than the environment of a customer who controls its own systems. In simple words, this has the potential to benefit many organisations. Moreover, business customers need visibility into the cloud provider's service in order to build the trust that is essential for adopting a cloud-based solution and storing their data in the cloud (Osmanoglu, 2013).
Data stored in the cloud is often sensitive, and the benefits are commonly weighed against the security and privacy risks incurred. In simple terms, the benefits of a cloud-based solution depend on the cloud model, the kind of cloud service, the level of complexity, the type of data involved, the types of services and the different requirements. Cloud-based information systems are exposed to threats that can have negative effects on an organisation's operations, such as its functions, mission, vision, or reputation (Loske, 2015).
Malicious entities in the cloud can be very harmful and can damage the information or data of customers. They can damage the information stored in the organisation's cloud customer database and affect the availability of the confidential information held by those systems. There are several kinds of risks that organisations should address. Risk management is therefore considered a holistic activity that is fully integrated with every aspect of the organisation.
Appropriate security controls that satisfy the information security requirements are selected from a standard catalogue of security controls. Organisations should quantify the risks that are acceptable to them in order to prevent or minimize threats, negative actions, attacks or compromises. In other words, organisations that use cloud services may face many threats and negative actions, so they need to account for all the risks that could damage the service or confidential information in order to prevent or mitigate threats, service disruptions, cyber-attacks and adverse actions (Ackermann, 2012).
To manage information security risk effectively at the ecosystem level, the following high-level elements need to be established.
Risk management responsibilities are assigned to the cloud actors involved in the orchestration of the cloud ecosystem. Internally, every cloud actor should assign responsibilities to its respective representatives, managers, leaders or executives.
An ecosystem-wide tolerance for risk is established and communicated under the service level agreement (SLA), including information on the decision-making activities that affect the risk tolerance.
Every cloud actor carries out near real-time recognition, screening, monitoring and understanding of the information security risks arising from operation.
The cloud actors account for threats, malicious actions or attacks, risk management decisions, and solutions through real-time information sharing.
The risk management framework
The risk management framework integrates information security and risk management activities to provide a disciplined and structured method within the system development life cycle (SDLC). Researchers introduce a risk management framework (RMF) that provides the risk executive with feedback during monitoring and through the authorization decision, for example by passing updated risk information to the owners of the information system.
The picture shows all the steps of the risk management framework and how it functions for self-managed systems or subsystems. The figure has three levels comprising six steps. Risk assessment contains two steps, categorization and selection. Risk treatment contains three steps: implementation, assessment and authorization. Risk control contains only one step, monitoring. All levels and steps of the risk management framework are explained below.
Risk Assessment of Cloud Security
At this level, the cloud environment is analysed to identify effective and potential vulnerabilities and shortcomings. The level has two steps for gathering and then analysing information: categorization and selection.
Step 1: Categorization
This step categorizes the information system and the information it processes, transmits and stores, based on a system impact analysis. The information and the data about risks are categorized according to rules that relate to the identification of operations, performance, and privacy and security requirements.
Step 2: Selection
Based on the security categorization, this step selects the initial set of security controls for the information system, which is referred to as the baseline security controls. The baseline security controls are set according to the organisation's risk assessment and the current conditions of its operating environment. A strategy is drawn up for monitoring the security controls in order to evaluate their effectiveness. In the end, you have to write all the controls and outcomes into a Word document, along with remarks that show where issues occurred and how they could be refined in the security plan. The last task is to review and approve the whole security plan (Sabri Boubaker, 2016).
Risk Treatment of Cloud Security
Risk treatment is the level of the risk management framework at which the mitigation plans and the related policies are designed and checked. This level has three steps: implementation, assessment, and authorization.
Step 3: Implementation
The implementation step implements the security controls and gives a brief description of how the controls are employed within the information system and its operating environment.
Step 4: Assessment
This step assesses the security controls using the assessment procedures documented in the assessment plan. It is a very useful step in the risk management process because it determines whether the security controls are implemented correctly, without any error or fault, and whether they are fully functional and effective in producing the required outputs.
Step 5: Authorization
This step authorizes the operation of the information system based on the risks identified from the results of the system's operation. Identify the real outcome and decide whether the risks are acceptable or not. If they are acceptable, you should proceed. The risks to all organisational operations, such as image, reputation, organisational mission or functions, organisational assets and other requirements, are also considered when the risks are assessed in this step.
Risk Control of Cloud Security and Risk Management
Monitoring the security controls of the information system is one of the most important steps for risk control. In the risk management framework, it consists of assessing the effectiveness of the security controls, documenting changes to the system or its operating environment, analysing the effect of those changes, and reporting the security state of the system to the designated organisational officials, along with the other required activities.
Conclusion on Cloud Security and Risk Management
Summing up the discussion above, it is concluded that cloud security plays an important role in providing internet services. Applying these methods improves cloud security services. The main aim of this article was to review cloud security and its risk management in detail. The major threats include data breaches, account hijacking, insecure application programming interfaces, data loss, service traffic hijacking, shared technology, and poor cloud storage providers. Penetration testing can be automated with software applications or performed manually, and it can be used to test the organizational security policy. The risk management framework integrates information security and risk management activities to provide a disciplined and structured method within the system development life cycle (SDLC). The risk assessment level has two steps for gathering and then analysing information. Risk treatment is the level of the risk management framework at which the mitigation plans and the related policies are designed and checked.
References of Cloud Security and Risk Management
Ackermann, T. (2012). IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing. Springer Science & Business Media.
Carlin, S., & Curran, K. (2013). Cloud computing security. In Pervasive and Ubiquitous Technology Innovations for Ambient Intelligence Environments, 12-17.
Dotson, C. (2019). Practical Cloud Security: A Guide for Secure Design and Deployment. O'Reilly Media, Inc.
Krishna, D. S. (2018). Data Owner's Concerns in Cloud Security and Mitigations. Lulu.com.
Loske, A. (2015). IT Security Risk Management in the Context of Cloud Computing: Towards an Understanding of the Key Role of Providers' IT Security Risk Perceptions. Springer.
Management Association, I. R. (2019). Cloud Security: Concepts, Methodologies, Tools, and Applications. IGI Global.
Osmanoglu, E. (2013). Identity and Access Management: Business Performance Through Connected Intelligence. Newnes.
Sabri Boubaker, B. B. (2016). Risk Management in Emerging Markets: Issues, Framework, and Modeling. Emerald Group Publishing.
Tim Mather, S. K. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance Theory in Practice. O'Reilly Media, Inc.
Winkler, V. (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Elsevier.