Srm cloud computing

CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY Cloud computing is reshaping enterprise network architectures and infrastructures. It refers to applications delivered as services over the Internet as well as the hardware and systems software in data centers that provide those services. The services themselves have long been referred to as Software as a Service (SaaS) which had its roots in Software-Oriented Architecture (SOA) concepts that began shaping enterprise network roadmaps in the early 2000s. IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) are other types of cloud computing services that are available to business customers. Cloud computing fosters the notion of computing as a utility that can be consumed by businesses on demand in a manner that is similar to other services (e.g. electricity, municipal water) from traditional utilities. It has the potential to reshape much of the IT industry by giving businesses the option of running business software applications fully on-premises, fully in “the cloud” or some combination of these two extremes. These are choices that businesses have not had until recently and many companies are still coming to grips with this new computing landscape. Security is important to any computing infrastructure. Companies go to great lengths to secure on-premises computing systems, so it is not surprising that security looms as a major consideration when augmenting or replacing on-premises systems with cloud services. Allaying security C11-1 concerns is frequently a prerequisite for further discussions about migrating part or all of an organization’s computing architecture to the cloud. Availability is another major concern: “How will we operate if we can’t access the Internet? What if our customers can’t access the cloud to place orders?” are common questions [AMBR10]. Generally speaking, such questions only arise when businesses contemplating moving core transaction processing, such as ERP systems, and other mission critical applications to the cloud. Companies have traditionally demonstrated less concern about migrating high maintenance applications such as e-mail and payroll to cloud service providers even though such applications hold sensitive information. Security Issues and Concerns Auditability is a concern for many organizations, especially those who must comply with Sarbanes-Oxley and/or Health and Human Services Health Insurance Portability and Accountability Act (HIPAA) regulations [IBM11]. The auditability of their data must be ensured whether it is stored onpremises or moved to the cloud. Before moving critical infrastructure to the cloud, businesses should do diligence on security threats both from outside and inside the cloud [BADG11]. Many of the security issues associated with protecting clouds from outside threats are similar to those that have traditionally faced centralized data centers. In the cloud, however, responsibility for assuring adequate security is frequently shared among users, vendors, and any thirdparty firms that users rely on for security-sensitive software or configurations. Cloud users are responsible for application-level security. Cloud vendors are responsible for physical security and some software security such as enforcing external firewall policies. Security for intermediate layers of the software stack is shared between users and vendors. C11-2 A security risk that can be overlooked by companies considering a migration to the cloud is that posed by sharing vendor resources with other cloud users. Cloud providers must guard against theft or denial-of-service attacks by their users and users need to be protected from one another. Virtualization can be a powerful mechanism for addressing these potential risks because it protects against most attempts by users to attack one another or the provider’s infrastructure. However, not all resources are virtualized and not all virtualization environments are bug-free. Incorrect virtualization may allow user code to access to sensitive portions of the provider’s infrastructure or the resources of other users. Once again, these security issues are not unique to the cloud and are similar to those involved in managing non-cloud data centers, where different applications need to be protected from one another. Another security concern that businesses should consider is the extent to which subscribers are protected against the provider, especially in the area of inadvertent data loss.