Cloud Computing Trade Offs

A TECHNICAL REPORT ON THE SECURITY TRADE-OFFS BETWEEN, PUBLIC, PRIVATE AND HYBRID CLOUDS October 22, 2022 SCC 441 MOHAMMED BASHIR JIBRIL


A TECHNICAL REPORT ON THE SECURITY TRADE-OFFS BETWEEN PUBLIC, PRIVATE AND HYBRID CLOUDS

October 22, 2022

SCC 441

MOHAMMED BASHIR JIBRIL

7/11/2014 MOHAMMED BASHIR JIBRIL

CONSIDERING THE TECHNICAL, ORGANIZATIONAL AND POTENTIAL LEGAL ISSUES ON A MOVE TO A CLOUD BASED INFRASTRUCTURE


DEDICATION

To my niece, Umm Salama


DECLARATION

This technical report, its research and draft were done by me.


ACKNOWLEDGEMENT

Praise be to the Almighty Allah for granting me the knowledge to do this work. I am indebted to John for his care and encouragement during the work.


TABLE OF CONTENTS

Title Page
Dedication
Declaration
Acknowledgement
Table of Contents

Chapter One
1.0 Introduction
1.1 Scope of the Project

Chapter Two
2.0 Security Trade Offs between Public, Private and Hybrid Clouds
2.0.1 Security Lapses in Public Clouds
2.0.2 Security Lapses in Private Clouds
2.0.3 Security Lapses in Hybrid Clouds
2.1 The Tradeoffs

Chapter Three
3.0 Technical, Organisational, and Potential Legal Issues
3.1 Technical Issues
3.2 Organisational Issues
3.3 Potential Legal Issues

Chapter Four
4.0 The Impact on Security Policy and how a Move to cloud may impact the business in the Organization
4.1 Impact on the Organization’s Security Policy
4.2 How a Move to Cloud May Impact on the Business Areas of the Organization

Chapter Five
5.0 Conclusion and Recommendation

References

CHAPTER ONE

1.0 Introduction

Security in information technology is always a topic of discussion among both professionals and non-professionals in the field. Security in cloud computing is no exception; it is vital to the existence of the cloud itself. Public, private and hybrid clouds all possess security vulnerabilities, but an analysis of the tradeoffs between them gives people a basis for choosing which cloud to use. Each of the three claims some advantages and proves efficient for backup and other purposes. For example, while the private cloud has the merit of giving more freedom and flexibility to data owners, the public cloud can boast of the advantage of storing enormous amounts of data. The technical, organizational and legal issues of cloud computing, coupled with its security policies and the impact of a move, are very important to it as an entity. There is always a need to choose among the various options provided by cloud computing, a move that prompts work on its security. Organisations need a clear understanding of the risk their data is open to if they choose the wrong method to store or back it up. Many attempts have been made in the past to explain security issues as they relate to cloud computing, either in part or as a whole. As a result, a number of the vulnerabilities recorded have now been rectified through more in-depth technological breakthroughs. There are quite a number of challenges that a company or organization moving to cloud computing is likely to experience at the beginning. These may include both technical and organisational constraints, but as events unfold they will simply vanish and normalcy will return.

Cloud computing is defined as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction” (NIST, 2011).

1.1 Scope of the Project

This project work will operate within the borders of Amal Securities, that is, my organization. Amal is a software security organization that specializes in secured card production and maintenance.

CHAPTER TWO

2.0 SECURITY TRADEOFFS BETWEEN PUBLIC, PRIVATE AND HYBRID CLOUDS

2.0.1 Security Lapses in Public Clouds

Basically, in public cloud computing customers are unaware of where and how their data is stored. This is a serious security lapse that instils fear in the mind of the customer. A major security weakness is the presence of zero-day vulnerabilities of which the cloud computing company may not be aware. These tend to provide a means by which hackers can sniff data on the public cloud, thus putting customers at risk. The moment a given company is attacked, all customers having their data on the cloud can be affected. The security risk increases each time maintenance and system overhaul is carried out.

Multiple customers having their data stored and managed by a single company means that anyone who bypasses authentication can cause severe damage; this can be unhealthy, especially if the company does not have adequate legal policies in place to counter the threat. This also brings us to the question of who processes my data on the public cloud. The increasing number of people visiting the public cloud environment means an increased number of possible attackers. Not only that, public clouds are connected to the internet, and without properly secured virtual private networking clients’ data is exposed to external attacks. There is also a loss of control of data on the side of the clients, because its contents are in the hands of the cloud provider.

Clients have also faced the problem of changing passwords regularly to shield data against external attack; in so doing there exists the likelihood of disclosure of these passwords to unauthorized persons. The huge cache of data on the public cloud makes it difficult for companies to offer maximum security to the clients who reside in their environment. Businesses should find out more about the viability and credibility of companies before entrusting their data to them, and should know the legal issues that bind them, prior to entering into any business contract with them.

2.0.2 Security Lapses in Private Clouds

The private cloud may be seen as the most secure environment in cloud computing, though it also has its own security drawbacks. One of its major security setbacks is an attack from an inside job. Private clouds use virtual machines in their operation, and if there is a breach of communication between two or more virtual machines in the same virtual environment then the cloud is in danger of attack. In other cases backdoor virtual machines can set up communication with a private cloud virtual machine and can even render data inaccessible to the original owner. The inability of private cloud owners to apply security configuration on systems has exposed their clouds to malicious penetration. Other security setbacks can crop up as a result of accidental or unintentional introduction of malware into the machines by authorized persons, as in the case of the Stuxnet virus getting its way into an Iranian nuclear facility. When compliance with industry standards and specifications is not enforced in a private cloud, data could be compromised.

2.0.3 Security Lapses in Hybrid Clouds

Hybrid clouds are a mixture of both public and private clouds. Can we simply infer that they contain security setbacks from both? Clients tend to avoid hosting their sensitive data on hybrid clouds, giving reasons such as the inability to be in charge and control of their data, and that they do not know whom the cloud provider will assign to manage it, giving rise to the issue of unknown persons seeing the contents of their data. That hybrids are hosted on the internet is also a security concern, as most breaches are conducted on the internet. Unencrypted data can simply be intercepted by hackers as it journeys across different networks on the internet. This brings us to the problem of data leakage or “data discharge”. This can occur as a result of data being transported or migrated as requested by the owners of the data. In some cases failure to apply the necessary audit processes can undermine data, giving rise to disruption, distortion or even complete or partial loss of data. The security concerns of private clouds are also inherent in hybrid clouds, despite the fact that the severity of the ones in public clouds might have outshone those of the private.

2.1 The Tradeoffs

A clear analysis of the three cloud types reveals that the exchange of one for another can first be viewed from two angles, i.e. big and small enterprises. Small entrepreneurs mostly adopt the public cloud if they want to move to the cloud because it is cheap. The big clients have the option to choose among the various tradeoffs between the clouds. The analysis of the tradeoffs can be summarized thus:

Criterion                                Public    Private   Hybrid
Data Separation (Segregation)            Weak      Strong    Medium
Encryption                               Medium    Strong    Medium
Physical (barricades) Security           Medium    Strong    Medium
Data tenancy (residency)                 Weak      Strong    Medium
Data ownership Control                   Weak      Strong    Medium
Attack Frequency                         Strong    Medium    Medium
Conformity (compliance with policies)    Weak      Strong    Medium

From the table above we can infer that the tradeoffs tend to grant both the clients and cloud providers the choice of exchanging public for private, private for hybrid or hybrid for public, or the other way round in each case. It offers flexibility for people to make choices of equal, more or less value amongst the types of clouds available.

CHAPTER THREE

3.0 Technical, Organizational and Potential Legal Issues

3.1 Technical Issues

A number of open source software applications have been developed on whose platforms the cloud was built. They include Hadoop, and Ubuntu with Eucalyptus, etc. It is difficult and very complex to install a private cloud because of the intricacies contained in the servers and on the virtual machines. Denial of service (DoS) results from technical incapabilities of the cloud and can lead to serious network disruption, which in turn affects businesses hosted on the clouds. Cloud computing allows collaboration between clients across a particular environment, but the issue of network overloads can hamper other users’ usage of the environment. Frequently there is a need to integrate new applications into the cloud, but this is most certainly hampered by hand-coded solutions, which in turn are expensive to maintain. Software vendors may even fail to produce patches to cover up some zero-day vulnerabilities exploited by hackers. Cloud computing is deployed on three different technical models: Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS). The issue with IaaS is that the customers have no control over the hardware installations. In the case of PaaS, the customer has a platform to interact with applications

3.2 Organizational Issues

When organizations decide to move their data to the cloud, there is a change in attitude and in the way they operate. It helps to shape the business routines of such organizations. They become wary of the security of their data, especially if they opt to move to the public cloud, where the problem of multi-tenancy is prominent. Security is always the number one priority on the lips of Amal Securities. Our consideration of security raises the question of who is warranted to access my data. Is my provider in conformity with legal issues and standards? How much is it going to cost me to pay for a cloud service? Is my staff trained enough to handle the technical aspects of cloud computing? What machinery do we have in place to recover in case the infrastructure fails, and what measures are my providers taking to safeguard my data against external and, to some extent, internal attacks? Once all these questions are answered, the organization can begin the search for the agencies that best fit its demands; the way and manner in which it can process its property will then also be resolved. Prospective customers (Amal Securities) can take a tour of the facility and see for themselves the security measures and customer satisfaction measures put in place by the provider. They can also consider the history of the provider as to the approach it took to the properties in its custody in the event of a disaster or an attack: its success story in risk management, its approach to disaster recovery, its swift response to internal and external attacks, and its triumphs in business continuity planning with business impact analysis.

Other issues that can crop up include how profitable our decision to move to the cloud is and, if the organization decides not to move, what the financial consequences are. Issues relating to the cloud have caused a stir in some organizations because some have the notion that it does hold the key to the success of their organizations; as such, a sharp dividing line is now created between those in favor and those against. But as time passes people have begun to realize the beauty of clouds even though the security issues and other regulatory problems have been completely eradicated. To what degree is their human security enhanced? How are their electronic and biometric security systems installed and functioning?

Organizational issues may also mean the way and manner in which business functions are carried out in hierarchy by the infrastructure provider. This depicts the provider’s zeal to give maximum satisfaction to the customers in terms of service provision, security and compliance with data protection acts within the framework of the IT industry.

3.3 Potential Legal Issues

Legal issues help to bring sanity into the IT industry, and in particular to the cloud infrastructure, by giving rights to all players in the cloud computing world. The rights of the customers start with protecting the privacy of their data by keeping its integrity, confidentiality and authenticity. Other legal issues include causing harm to people or their property (data), and copyright infringements.

The sole aim of the customer is to keep their data intact in its original form; it is therefore the role of the cloud providing agency to abide by the provisions of the law in this regard. If, in the process of handling data on the cloud, the customer, staff or any other person is harmed, the law provides that offenders can be tried or made to pay the victims compensation for the injuries caused them. In other instances customers’ property may come under intentional or unintentional attack, causing its loss, disfigurement or depletion, so indemnity can come into play and the agreeing party will shoulder the risk.

The Data Protection Act in the UK (Schedule I part II, paragraph 12(a)(ii)) requires the data controller to have a written contract with the processor stating that the “data processor is to act only on instructions from the data controller”. A written document can be tendered before a competent court of law by the aggrieved party in the event that a breach of contract has taken place. Since our organization (Amal Securities) is in the UK, we have resolved to take this opportunity as provided by the DPA.

Amal Securities may opt to buy the idea of using Infrastructure as a Service (IaaS) because of its advantage of having data encrypted before it leaves the cloud; this is sometimes termed “data in transit”, and the UK DPA covers it. Some legal issues apply only in some countries and not in others; thus it is an entirely new issue altogether as data departs and crosses international borders. We should be in a position to sign a written document as to how the legal issues of the country of destination affect our property. For this reason it is very important that we know the whereabouts of our data, e.g. whether it is resident in another country whose laws we do not know, or is being managed by a third party on whom the laws of the country are not binding.

Another legal issue that Amal Securities has worked on is that of certification, because according to the British Standards Institution all cloud computing agencies should possess a certificate of operation, contained in the ISO 27000 applicability statement, before they can begin work in the UK.

CHAPTER FOUR

4.0 The Impact on Security Policy and how a Move to cloud may

impact the business in the Organization (Amal)

4.1 Impact on the Organization’s Security Policy

Cloud computing can completely change the security policies of Amal Securities. We now view the security of our data as an essential part of the organization. The impacts have changed our traditional policy of doing things in-house to a policy of outsourcing data storage to another party. Although it is a risk that could see our data being undermined, it is also a good bargain, as the possibility of growth in the business is clearly feasible.

Prior to the decision to adopt cloud computing for storage, managing and entrusting data to a cloud service provider, the organization had become accustomed to the use of “traditional security” methods in which physical security is applied to safeguard data contents. A switch to cloud infrastructure will simply mean a move to a more advanced and sophisticated form of technology. Our methods of access control and encryption have now taken on a new dimension, as the organization depends on a third party to encrypt and create passwords for us, depending on our choice of cloud deployment.

We are therefore left with the only option of reviewing our risk assessment policies, business continuity plan and disaster recovery to be in conformity with what obtains in the industry.

The new security trend has now made it compulsory for us to have our staff trained in order to keep up with current developments. The possible switch also means that our customers will have to be informed about these new trends and apply them where necessary. They will need to change the passwords on their credit cards before the cards can be put to use. Any defect on the card can simply be rectified by the affected customer on the internet, as against the old tradition of filling in forms before making the much-needed changes online.

In our former security methods we managed external attacks by responding and denying them (hackers) access to our property, but we now have someone to do it at our discretion. Our backups have now taken a new shape because we do not only store data on secondary storage devices; we also back it up on a reserved portion of the cloud itself. Other important security features have now been added to our products to give our customers a sense of ownership and scalability. An example is the option of signing or PIN identification on our new hard tokens. This enables them to escape the risk of losing valuables in case of loss or theft. A quick response team of personnel and systems has been set up to block cards instantly in case owners have lost them to unauthorized persons.

4.2 How a Move to Cloud May Impact on the Business Areas of the

Organization

The resolution reached by the management of Amal to move to the cloud is borne out of its determination to provide optimum service delivery to the growing number of its loyal customers and business partners. However, it is a fact that the decision has both positive and negative impacts on other areas of the business. The following are some of the areas commonly found in a business set-up:

Technology

Profit management

Finance and Supply


Operations

Audit and Asset management

Customer Services Unit

Improved Technology

The firm has witnessed a rise in the way and manner it uses its technology. It has now joined the league of organizations that have their data hosted on the cloud. There is ease of accessing data at minimal cost. The use of Infrastructure as a Service has now become a daily routine as the organization now relates with big cloud infrastructure owners like Amazon and Google. The company has now improved its online collaboration and interaction capabilities among its staff wherever they may be, allowing sensitive information to be encrypted and sent in no time. Recently Amal launched its own customer-based electronic-mail platform following successes recorded after the launch of the staff version. Consequently, all mails sent to or received from our customers are linked directly to our servers on the cloud. The technology provided by the cloud has made it possible and easier for us to add data to and retrieve data from the cloud via the virtual machine. There is also an enabling environment that allows the company to switch from one server to another on the cloud and to block access to malicious intrusion. Cloud computing has brought us the choice of accessing offline information through virtual machines. We no longer buy software from local vendors because on the cloud we can simply update and download software that suits our demands.

Profit Management

Managing the organization’s profit is a reflection of the success and growth of the business. How cloud infrastructure impacts on this culminates in the profit itself. The business indexes of Amal have shown accelerated growth in total assets since joining the cloud. Neglecting some losses (which are of course natural in every firm), indicators have shown a significant rise in total profit. It has also given us the capacity to increase our customer base. We now have more flexibility in the market, making it possible for us to attract more customers on board, coupled with different cloud-supported business capabilities at our disposal. The cloud has given the company the power and might to move above its peers in terms of speed of delivering services at even cheaper rates and in the comfort of the customer’s home. Video conferencing allows the organization to collaborate live with customers, business partners and other supply and delivery channels to share common business knowledge, ferry equipment and deliver doorstep services. At Amal, we have grown faster than expected because the cloud has given us the experience of business innovations, innovations that have helped us a great deal to come out on top of our competitors in the market.

Finance and Supply

The finance and supply department now works hand in hand with our cloud infrastructure provider to effect payments and remittance of funds through facilitating software that easily conducts this on the cloud. The cloud also eases the flow of cash across the net, meaning we easily make payments to our host through the pay-as-you-go method. Supplies have been made much easier as against the old tradition of downloading supply-based applications from the web. With cloud computing infrastructure at our fingertips we use running applications supported by virtual machines to do that. The NetSuite software, for example, has helped us make shipping and payroll simpler and faster.

Operations

The general operations conducted here have changed for the better, from customer satisfaction operations and market participation to manpower training and human resources management and development. The cloud has greatly reduced our workloads and the time taken to execute many processes in the cloud environment. It gave the organization a change of roles and activities among the different sections of the departments we have. It may sound as though the adoption of cloud brings a reduction in the workforce; it gave the organization the choice of assigning duties to the personnel who lost their jobs to cloud infrastructure.

Audit and Asset Management

The auditing process starts even before the decision to migrate is reached; it involves gathering knowledge about the system the organization has on the ground and the system it is likely to move to in the future. The auditing process helps identify which applications the organization is willing to entrust its data to and which ones it would avoid. The work of managing our assets is now divided between Amal and the service environment. The assets include all buildings and structures and all IT components, both hardware and software. There has been a clear harmonization of figures from both sides emanating from our esteemed auditors and asset analysts. A quarterly assessment and audit of our data is documented concurrently by auditors from the two parties.

Customer Service Unit

Amal’s customer services unit now integrates most of its operations on the cloud to enable customers to feel a touch of what cloud computing may look like. A 24/7 dedicated server is available to respond to all the needs of customers. The system is programmed in such a way that problems can be tackled as soon as possible.

Just as cloud computing is going to give us some positive impacts, it has not wasted time in giving some negative ones either. First is the security issue, where data theft, loss or disfiguration comes as a result of vulnerabilities (mostly because of the use of a uniform operating system by most CSPs) in the cloud software or platform. Attackers have capitalized on this weakness to undermine the whole system or part of it. The technology it operates upon can be challenging and daunting, sometimes making it difficult for freshers to operate. In other instances a minor problem could easily lead to a system breakdown and cost a considerable loss of money. It usually slashes the workforce by claiming a large part of the work for itself. Notwithstanding the above negative influences and others, the positive impacts have surely demonstrated that cloud computing is always a platform to trust, a software to count on and an infrastructure to depend on.

CHAPTER FIVE

5.0 Conclusions and Recommendations

The three cloud types have one common enemy, i.e. although we can exchange one for the other, private clouds, though expensive, have proven to be the safest so far. The security nightmare has overshadowed the successes recorded in clouds’ technical advancement. Government needed to come in and enact laws to make the industry habitable for all players; companies now organize the industry. Organizations like Amal that are on the cloud have gotten positive impacts since joining, and almost all our business areas have been touched positively by the cloud.

In the future we hope to see cloud computing professionals building advanced software and infrastructures that will harbor even ten times as much data as they hold today. More organizations will join the league as the security issue will be greatly improved.

Recommendations

To get the best out of this technology, organizations need to follow the security considerations from top to bottom prior to moving their data to clouds. Amal is likely going for the private cloud; therefore an analysis of the business impact and a complete business implementation plan need to be drafted before that. This must include the financial buoyancy of the organization to avoid future failures from the cloud.

REFERENCES

WANG, L. et al. (2012) Cloud Computing Methodology Systems and Applications. USA: CRC.

Data Protection Act [1998] Guidance on the Use of Cloud Computing [Online] Available From: http://ico.org.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx [Accessed: 26th October 2014].

NIST [2011] Guidelines on Security and Policy on Public Cloud Computing [Online] Available From: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf [Accessed: 26th October 2014].

AGIMO [2013] Negotiating the Cloud-Legal Issues in cloud Computing Agreements http://www.finance.gov.au/files/2013/02/negotiating-the-cloud-legal-issues-in-cloud-computing-agreements-v1.1.pdf [Accessed: 27th October 2014].

[Online] Available From: http://www.aerohive.com/pdfs/Aerohive-Whitepaper-Public-or-Private-Cloud.pdf [Accessed: 28th October 2014].

[Online] Available From: http://www.infoworld.com/article/2613560/cloud-security/9-top-threats-to-cloud-computing-security.html [Accessed: 29th October 2014].

[Online] Available From: http://www.fujitsu.com/global/Images/WBOC-2-Security.pdf [Accessed: 2nd November 2014].

[Online] Available From: http://arxiv.org/ftp/arxiv/papers/1303/1303.4814.pdf [Accessed: 4th November 2014].

[Online] Available From: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf [Accessed: 5th November 2014].