CLOUD COMPUTING SECURITY: HOW RISKS AND THREATS ARE AFFECTING CLOUD ADOPTION DECISIONS
A Thesis Presented to the Faculty of San Diego State University In Partial Fulfillment of the Requirements for the Degree Master of Business Administration
by Takahiko Kajiyama
Fall 2012
Copyright 2012 by Takahiko Kajiyama
All Rights Reserved
DEDICATION
This thesis is dedicated to my father, who worked hard to support his son's and daughters' educational endeavors. May he rest in peace.
The ancient Romans built their greatest masterpieces of architecture for wild beasts to fight in.
Voltaire
ABSTRACT OF THE THESIS
Cloud Computing Security: How Risks and Threats Are Affecting Cloud Adoption Decisions
by Takahiko Kajiyama
Master of Business Administration
San Diego State University, 2012

Many IT professionals would agree that cloud computing is the most revolutionary information delivery model since the introduction of the Internet. For corporate management and decision makers, cloud computing brings many financial and functional benefits as well as serious security concerns that may threaten business continuity and corporate reputation. The definition of cloud computing is still blurry in large part because of the magnitude of the security risks and the virtually unlimited amount of information being published. The purpose of this research is to assess how the cloud security risks and threats most commonly discussed today are affecting current and prospective cloud users' decisions on adoption. In this research, both practitioner and academic literature was reviewed in order to incorporate views from both sides on cloud security, as well as technology white papers, government reports, and recent market and security articles. Then an online survey targeting current and prospective cloud users was conducted, and real-life driving and resisting forces of cloud adoption were assessed. The survey posed questions about a variety of security risks, and even though the respondents indicated concerns about these risks, none of them were voted as a show stopper in cloud adoption. Furthermore, the majority of respondents were confident in their cloud service providers' protection mechanisms, while being well aware of the existence of the risk.
TABLE OF CONTENTS
ABSTRACT
LIST OF TABLES
LIST OF FIGURES
ACKNOWLEDGEMENTS
CHAPTER
INTRODUCTION
  Background
  Research Question
  Methodology and Sources
PRACTITIONER LITERATURE REVIEW
  Cloud Services and Models
  Service Providers and Users
  Security Standards and Compliance Organizations
  Non-Regulatory Organizations
  Significance of Security Standards and Compliance
  Recent Cloud Data Breach Incidents
    Epsilon Service
    Nasdaq Directors Desk
  The 2011 GAO Report
    Security Benefits
    Security Risks
RESEARCH LITERATURE REVIEW
  New versus Traditional Security Concerns
  New Security Threats and Vulnerabilities
    Side Channeling
    Shared Ecosystem and Fate Sharing
    Vendor Lock-In
    API Changes
    Abuse and Nefarious Use
  Traditional Security Threats and Vulnerabilities
    Cross-Site Scripting
    SQL Injection Flaws
    Access Control Weaknesses
    Cross-Site Request Forgery
    Buffer Overflow Attacks
    HTTP Header Manipulation, Hidden Field Manipulation, and Cookie Manipulation
    Botnets
    Other Traditional Security Threats and Vulnerabilities
  Other Cloud-Specific Concerns
    Regulatory Compliances
    Risk Assessment
    Security as a Service (SECaaS)
  Cloud Security Best Practices
    Vendor Selection
    Service Level Agreement (SLA)
    Physical Isolation
    Data Protection Transmission
    Data Protection Storage and Encryption
    Virtual Machine Security
    Auditing
    Other Considerations in Cloud Adoption
SURVEY METHODOLOGY
  Creation and Distribution
  Data Collection and Responses
  Data Analysis Methodology
DATA ANALYSIS
  Introduction
  Survey Results and Findings
    Current Cloud Usage
    Primary Drivers and Concerns for Cloud Adoption
    Security Risk and Threat Awareness
    Risks and Threats Affecting Cloud Adoption Decisions
    Defensive Measures
DISCUSSION
  Cloud Benefits and Concerns
  Cloud Adoption Obstacles and Show Stoppers
  Avoiding Costly Defensive Measures
  Research Limitations and Shortcomings
CONCLUSION
REFERENCES
APPENDIX
  SURVEY QUESTIONS AND RESPONSES
LIST OF TABLES
Table 1. Likert Scale to Numeric Point Conversion
Table 2. T-Test Result: Minimizing Software Licensing Fees as Benefit Expected to Gain by Adopting Cloud
Table 3. Q18: Your Cloud Resources Can Be Used as a Platform for Launching Attacks, Hosting Spams and Malware, Software Exploits Publishing, and for Many Other Unethical Purposes
Table 4. Q19: Unauthorized Users, such as Hackers and Malicious Insiders, May Gain Access to Your System Due to Flawed Hypervisor, Insecure Cryptography, and So On
Table 5. Q20: Vendor-Provided Cloud APIs with Weak Authentication May Jeopardize the Confidentiality, Integrity, and Availability
Table 6. Q21: Shared Resources May Affect Your System's Performance and Business Continuity
Table 7. Q22: Physical Location of Your Data Is Unknown
Table 8. Q23: Your Data May Not Be Recoverable When an Unforeseen Event Takes Place
Table 9. Q24: Your Systems May Be Disrupted Entirely When an Unforeseen Event Takes Place
Table 10. Q25: Your Service Provider May Not Be Compliant with Regulatory Standards, Including the Internal Control, Compliance, and Internal Security Procedures
Table 11. Q26: When a Security Breach Takes Place, There May Be Little or No Forensic Evidence Available
Table 12. Q27: Unauthorized Access and Data Leakage Will Always Remain as a Possibility, No Matter How Much Effort You Put Into Cloud Security
Table 13. Q28: There Will Be Unknown Risks and Threats as Attackers Continue to Invent New Attacking Methods
Table 14. T-Test Result: Unrecoverable Data as a Risk Factor
Table 15. T-Test Result: Non-Regulatory Compliant Provider as a Risk Factor
Table 16. T-Test Result: Replication of Backup in One or More Cloud Storage
LIST OF FIGURES
Figure 1. The cloud computing stack
Figure 2. The cloud scales: Amazon S3 growth
Figure 3. Xen hypervisor architecture
Figure 4. The traffic signature associated with running SU in a SSH session
Figure 5. Relationships of the cloud API and other key cloud components
Figure 6. Sample web application error exposing C# source code, framework version, and source code file path on development machine
Figure 7. Actual web application error on Chase.com, exposing the database server name
Figure 8. Botnet infection methods
Figure 9. General botnet spread
Figure 10. Overview of the Cloud Adoption Toolkit
Figure 11. Cloud computing usage by type
Figure 12. SaaS adoption by organization size
Figure 13. SaaS adoption by organization type
Figure 14. Cloud provider selection
Figure 15. Cloud provider overall satisfaction
Figure 16. Primary drivers for cloud adoption
Figure 17. Primary drivers for cloud adoption by organization size
Figure 18. Primary drivers for cloud adoption by organization type
Figure 19. Primary concerns for cloud adoption
Figure 20. Primary concerns for cloud adoption by organization size
Figure 21. Primary concerns for cloud adoption by organization type
Figure 22. Security issue awareness
Figure 23. More concerned with malicious insiders
Figure 24. Provider security confidence
Figure 25. Existence of escalation channel
Figure 26. On-premise is more secure than cloud
Figure 27. Cloud readiness for mission-critical applications
Figure 28. Cloud will be more secure in the future
Figure 29. Cloud security risk effects
Figure 30. Unrecoverable data as a risk factor, by organization size
Figure 31. Unrecoverable data as a risk factor, by organization type
Figure 32. Non-regulatory compliant provider as a risk factor, by organization size
Figure 33. Non-regulatory compliant provider as a risk factor, by organization type
Figure 34. Cloud security defensive measures in place
Figure 35. Periodic data backup and restore tests performed, by organization size
Figure 36. Periodic data backup and restore tests performed, by organization type
Figure 37. Data encryption usage by organization size
Figure 38. Data encryption usage by organization type
Figure 39. Replication of backup in one or more cloud storage, by organization size
Figure 40. Replication of backup in one or more cloud storage, by organization type
ACKNOWLEDGEMENTS
My heartfelt gratitude to Dr. Murray Jennex for continuous and sincere guidance throughout this project, and for sharing most valuable ideas. His professional and academic assistance made this research project much more efficient and rewarding. I am very grateful for his support, and for his willingness to spend his valuable time guiding me. My sincere thanks to Dr. Theo Addo for his valuable suggestions, indispensable recommendations, and continuous encouragement. Special thanks to Dr. Chris Paolini for being a part of my thesis committee, and for thought-provoking ideas. My gratitude to Ms. Laura Dieken for helping me with my written English, and for providing constructive comments and encouragement. I would like to thank all my fellow MBA classmates and faculty staff for inspiring ideas and memorable time in the program.
CHAPTER 1
INTRODUCTION

BACKGROUND
From time to time, great innovations are brought to us without wholly new discoveries or technological breakthroughs. Electric vehicles are a combination of existing auto body frames and electric motor technologies. The Internet is merely networked computer devices and resources on a global scale. It is about how existing and mature technologies and knowledge are mixed then advanced, introducing valuable and innovative products and services into our life. Similarly, cloud computing is nothing but a new information delivery model that utilizes existing technologies and resources.

Since the introduction of Amazon's S3 (Simple Storage Service) and EC2 (Elastic Compute Cloud) in 2006, cloud computing has been generally welcomed as a cost-effective and flexible alternative to procuring and maintaining hardware and software in-house. According to Gartner's cloud-based services study released in June 2010, the cloud services market is expected to maintain strong growth through 2014 (Pettey & Tudor, 2009). The study also states that by that time, worldwide cloud service revenue is expected to reach $148.8 billion, which easily surpasses the 2011 revenues of two software giants, Microsoft and Oracle, combined ($69.94 billion and $35.6 billion, respectively; Bond & Hellinger, 2011; Statista, 2012).

On the surface, cloud computing seems to increase IT agility by eliminating many of the wearying tasks and responsibilities that IT departments manage these days. IT departments have been integrated so deeply into core businesses that most business operations would halt without the services and infrastructures that IT teams maintain. Furthermore, the fundamental challenges and responsibilities of IT will never stop expanding, as business and regulatory requirements become more complex, stronger protections from security threats become virtually mandatory, and technologies themselves become more ubiquitous, hence skill- and time-intensive.
Therefore, traditional IT teams are frequently forced to devote a large portion of their time and budgets to tasks that are not directly tied to revenues, or added-values that are clearly visible to top management. For example, installing security patches on an ERP (Enterprise Resource Planning) system does not bring any new functionalities or benefits to users; however, it does require hours of planning and testing before the patches are implemented. According to a report prepared by CFO Research Services, many mid-size companies spend more than $1 million annually to update and maintain their ERP systems (CFO Research Services, 2009). Outsourcing the entire or even partial IT infrastructure and placing resources in the cloud is therefore an attractive alternative, especially for small- to mid-size organizations that cannot afford to allocate a large share of budget for projects that do not generate revenues.

The technological advancements in processor performance, virtualization, and fast and reliable network connectivity are all positive driving forces for businesses adopting the cloud computing model. The cloud computing model also makes economic sense for many organizations because it allows rapid application development and deployment by utilizing tools and platforms that are already in place, tested, and proven to be functional.

However, the rapid growth of the cloud market has also raised serious concerns regarding data security and governance, and these are considered to be major barriers to broader adoption. According to a survey conducted by the 1105 Government Information Group in January 2012, more than 50% of respondents indicated that the current cloud solutions are not secure enough due to potential data loss and leakage, lack of strong identity authentication and credential management, ambiguous data ownership, and physical location of data possibly being outside the U.S. border.
Many believe that these security concerns will eventually diminish; however, the same survey also revealed that more respondents, 60% in 2012 versus 54% in 2011, mentioned that cloud computing security risks are greater than on-premises security risks (Brocade Communications Systems, Inc., 2012).

For the reasons above, and despite its inexorable growth and popularity, cloud computing continues to be one of the most controversial trends in the IT industry. The situation is similar to when LASIK (Laser-Assisted in Situ Keratomileusis) was introduced nearly two decades ago: extraordinary risks in the event of an unfavorable outcome but remarkable benefits when successful, therefore creating groups of early adopters and those who waited, fearing the unknown risks. Even today, the success ratio is extremely high but still not 100%, leaving some patients with fears and doubts. Similarly, with cloud computing, there are already many organizations which have successfully adopted the new computing model and are enjoying its benefits, but unknown security risks are still preventing others from making the commitment. Even though a number of regulatory and non-regulatory organizations are attempting to structure more streamlined and standardized methods for building secure cloud environments, many technical and non-technical hurdles still exist.

RESEARCH QUESTION
The purpose of this thesis is to assess how security risk factors are affecting the existing and prospective cloud users' cloud usage strategies. Organizations hosting mission-critical applications and data in clouds are no longer considered to be early adopters. Are they simply betting that financial benefits will surpass security risks, or are they confident that cloud providers are capable of assuring an equal or higher level of security than on-premise systems? Examining real-world users' opinions on the risks and threats most commonly discussed in practitioner and academic literature is beneficial to organizations considering adding cloud to their IT portfolio.

For management, the largest problem of cloud adoption today is a mass of uncertainty in decision making. Security being the top obstacle, other factors such as cost control, availability, and vendor lock-in require extensive research and analysis which is likely to produce less than definitive indicators for decision making. For the cloud model to be proven, or disproven, worthy of trust for an organization, claims made by cloud service providers and IT journalists are not sufficient. Instead, cloud adoption decisions should be made (1) by evaluating the current cloud service offerings, financial and technical benefits, and security concerns, and then (2) by studying real-world examples that present how organizations are weighing these benefits and risks.
METHODOLOGY AND SOURCES
This thesis, through the examination of published materials and studies, analyzes existing issues along with available countermeasures in order to evaluate the overall assurance level of cloud security. Academic literature and security publications as cited are the main sources of material used for this research. Online resources and technical whitepapers will also be referenced to a certain degree in order to present and analyze the latest trends in cloud computing, regulatory standards, and research conducted by institutions and government agencies.

In addition, in order to assess various perspectives on cloud computing security, a survey targeting IT professionals and managers, specifically current and prospective cloud users, was conducted. The survey respondents were recruited on EDUCAUSE ListServ, Meetup, Google Groups, and Facebook Groups over a period of five weeks. Two primary goals of the survey were (1) to assess how security concerns have affected or will affect the respondents' decisions on adopting cloud, and (2) to perform positive and normative analyses on how companies are guarding their assets in the cloud as compared to the best practices recommended by security experts.
CHAPTER 2
PRACTITIONER LITERATURE REVIEW

CLOUD SERVICES AND MODELS
Essential resources consumed by households and businesses, such as water, gas, and electricity, are made available in a virtualized manner: these resources are readily available through faucets and outlets, and their sources and delivery mechanisms are not of interest to resource consumers. Cloud computing introduced the same concept to information technology. With the cloud computing model, software, platforms, and infrastructures are made available as web services through the Internet, and cloud service consumers are not aware of the physical location where these services are performed. Companies obtain hardware and software resources as services from cloud service providers, as opposed to as physical assets.

Every service provider and standards organization defines cloud computing slightly differently. For example, the National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (Mell & Grance, 2011, p. 2).

Just as application software can be divided into multiple classes based on various criteria such as categories and intended user types, cloud computing can also be divided into several service types and deployment models. Buyya, Broberg, and Gościński (2011) divide cloud computing services into three classes: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (Figure 1).

Infrastructure as a Service (IaaS) is the lowest level of separation between what consumers could expect and the resources that are readily available for them to utilize.
This service class offers raw computing, networking, and storage services that enable cloud consumers to build custom services and applications. The cloud provider controls the physical resources, and the cloud consumer controls anything above, such as operating systems and development tools.

Platform as a Service (PaaS) takes the separation higher in the stack and is an environment where applications which are ready to be developed or deployed are offered by the cloud provider. The cloud consumer utilizes the provided platform, such as Java programming language and Oracle databases, without worrying about the underlying details such as software and hardware dependencies and configurations.

Figure 1. The cloud computing stack. Source: Buyya, R., Broberg, J., & Gościński, A. (2011). Cloud computing: Principles and paradigms. Hoboken, NJ: Wiley.

Software as a Service (SaaS) moves the separation even higher in the stack where the cloud consumer is simply an end-user of applications that the cloud provider hosts. The majority of free cloud services, such as web-based and word processing, can be categorized as this type of service class. The model virtually eliminates the software maintenance for end users and simplifies the testing and deployment procedures for the software developers.

Cloud computing can also be categorized by deployment models: private, community, public, and hybrid.

Private clouds are dedicated, in-house clouds that do not allow access from external networks. Companies and schools host their own private clouds that are accessed only by internal users. Private clouds maintain the ease of access to services using the same web service protocols, yet maintain the data confidentiality by making the services visible only to internal users.

Community clouds are deployed in a way that multiple organizations share and operate the cloud cooperatively. For example, multiple schools within a region may operate a single cloud for sharing library catalogs, with a single search interface used by all students attending these schools.

Public clouds are either free or paid clouds that are accessible to anyone in the public. The public cloud is the most commonly used model. Many of the popular cloud services, such as web-based and paid services offered by service providers like Amazon, are deployed as public clouds.

Hybrid clouds consist of one or more private clouds and one or more public clouds, both managed by a single organization. This deployment type is chosen primarily for scalability and cost-efficiency. For example, a company may keep sensitive data internal and outsource other non-critical workloads to a public service provider.

SERVICE PROVIDERS AND USERS
For each service class, the most prominent cloud service providers include:

Infrastructure as a Service
  Amazon AWS
  GoGrid
  IBM SmartCloud
  Joyent
  Rackspace
  Verizon
Platform as a Service
  Google App Engine
  Microsoft Windows Azure
  Oracle Public Cloud
Software as a Service
  Google Apps
  Microsoft Office 365
  Oracle Public Cloud
  Salesforce.com

The online retail giant Amazon is one of the pioneers of cloud computing, and is by far the most successful cloud service provider today. The company's cloud computing platform, Amazon Web Services (AWS), consists of a collection of web services and is steps ahead in service maturity and customer awareness with aggressive pricing strategies (Search Cloud Computing, 2010). Amazon is heavily betting on cloud computing to be the default platform for running most business applications in the future, and is continuously adding more capacity to its data centers (Robinson, 2012). At the end of the first quarter 2012, as Figure 2 illustrates, Amazon's S3 cloud storage housed over 905 billion objects, with 1 billion being added daily (Amazon, 2012).

Figure 2. The cloud scales: Amazon S3 growth. Source: Amazon. (2012, April). Amazon web services blog: Amazon S3-905 billion objects and 650,000 requests/second. Retrieved from /04/amazon-s3-905-billion-objects-and requestssecond.html.

Users of AWS vary in size and industry. AWS is an attractive platform for small startups with limited IT budgets and resources. Amazon's client list also includes large financial institutions and pharmaceutical companies, the types of companies that demand the highest level of security for their data. For example, Pfizer has set up its worldwide research and development facility within Amazon Virtual Private Cloud, which handles various computation tasks such as large-scale data analysis, research projects, clinical analytics, and modeling (Amazon, n.d.d).

Google is another key player in cloud computing. Unlike Amazon's platform offerings, Google's App Engine provides application development and hosting environments. Applications built on App Engine are sandboxed, and run across multiple servers hosted in Google-managed data centers. For example, Best Buy has developed a web browser plugin called Giftag, a free tool that lets users create a wish list from any online retailers, and share it with others. The development team initially developed the server-side Java application on another platform, and then re-platformed and re-launched the system on Google App Engine in just 10 weeks (Bendt, 2009).
SECURITY STANDARDS AND COMPLIANCE ORGANIZATIONS
As concern over cloud security keeps rising, it has become critical for cloud service providers to present and demonstrate their ability to safeguard customer data. The most common means to accomplish this is to obtain trustworthy security certifications and audits for prospective customers. This type of assurance has become almost mandatory rather than a mere marketing incentive. For example, in an effort to attract customers with various requirements, Amazon's AWS has obtained and offers a variety of industry-recognized certifications, accreditations, and audits: SOC 1/SSAE 16/ISAE 3402, PCI DSS Level 1, ISO 27001, ITAR, FISMA Moderate, FIPS 140-2, and SAS 70 Type II (Amazon, n.d.a).

At present the security standards and regulatory organizations that have the most direct effect on cloud computing security are PCI DSS, FISMA, and HIPAA.

PCI DSS (Payment Card Industry Data Security Standard) provides a framework for cloud providers to host applications that require a robust payment card data security process (Security Standards Council, n.d.). In other words, by choosing a PCI DSS-compliant cloud provider, developers can easily build applications with a secure credit card payment system without using a third party merchant account provider.

FISMA (Federal Information Security Management Act) requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems (National Institute of Standards and Technology [NIST], 2012). FISMA accredited cloud providers would auto-comply with the regulations that federal agencies are required to follow for data security.

HIPAA (Health Insurance Portability and Accountability Act) requires every healthcare provider and organization that handles PHI (protected healthcare information) to adhere to strict information security guidelines that assure the protection of patient privacy.
Even though HIPAA does not directly impose these guidelines on cloud providers, if a company chooses to store protected healthcare information in the cloud, the service provider must either be HIPAA-compliant or provide secure infrastructure and policies that satisfy the HIPAA standards and requirements.

NON-REGULATORY ORGANIZATIONS
There are non-profit organizations that aim to build a common ground for cloud computing security. These organizations are non-regulatory; however, they have extensive influence on cloud computing security. The most widely recognized organizations are CSA and NIST.
CSA (Cloud Security Alliance) is a non-profit organization that was officially formed in December 2008, in response to the emerging popularity of cloud computing. CSA consists of a large number of corporate and affiliate members such as Accenture, Amazon, McAfee, Microsoft, and Oracle. CSA's primary objective is to "promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing" (Cloud Security Alliance, n.d., p. 1). CSA provides a variety of security education programs and certifications, such as PCI DSS and GRC (Governance, Risk Management & Compliance) training and CCSK (Certificate of Cloud Security Knowledge).

NIST (National Institute of Standards and Technology) is a non-regulatory government agency within the U.S. Department of Commerce. NIST was originally founded as the National Bureau of Standards in 1901, and it was the first physical science research laboratory owned by the federal government. The agency is also known to be a measurement standard laboratory, with a mission "to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life" (NIST, 2008, para. 2). Specifically for cloud computing, NIST primarily aims to "provide thought leadership and guidance around the cloud computing paradigm to catalyze its use within industry and government" (NIST, 2010, para. 3).

SIGNIFICANCE OF SECURITY STANDARDS AND COMPLIANCE
IT security in general has experienced intense changes over the past decade. Computerized tasks and processes have created increasing vulnerabilities in the workplace, networked devices have introduced new threat paths, and the ever-growing volume of personal and financial information stored in binary form has triggered waves of privacy concerns from organizations as well as individuals.
The electronic giant Sony and the world's largest tech-security company RSA Security experienced massive security breaches in Seeing these systems in a private, closed environment being victims of online attacks, it is natural for one to wonder why cloud services would be any more secure. To mitigate these concerns, cloud service providers are making a great effort to build secure platforms that meet today's strict security standards. These standards, however, have very little effect on the protection customers receive: the standards are merely a measurement of the level of assurance that the certifications entail. For example, applications hosted in a HIPAA-compliant cloud platform still could face security breaches if the application's architecture and deployment are not handled with a full understanding of the
24 July 2013 TimeTec Cloud Security FACING SECURITY CHALLENGES HEAD-ON - by Mr. Daryl Choo, Chief Information Officer, FingerTec HQ Cloud usage and trend Cloud Computing is getting more common nowadays
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging
APPLICATION NOTE: CLOUD DATA TIERING Eversync has developed a hybrid model for cloud-based data protection in which all of the elements of data protection are tiered between an on-premise appliance (software
Tufts University Department of Computer Science COMP 116 Introduction to Computer Security Fall 2014 Final Project Investigating Security Issues in Cloud Computing Guocui Gao Guocui.email@example.com Mentor:
Security Considerations for Public Mobile Cloud Computing Ronnie D. Caytiles 1 and Sunguk Lee 2* 1 Society of Science and Engineering Research Support, Korea firstname.lastname@example.org 2 Research Institute of
The Cloud at Crawford Evaluating the pros and cons of cloud computing and its use in claims management The Cloud at Crawford Wikipedia defines cloud computing as Internet-based computing, whereby shared
The Cloud Threat Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it This white paper outlines the concerns that often prevent midsized enterprises from taking advantage of the Cloud.
Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is
Achieve Economic Synergies by Managing Your Human Capital In The Cloud By Orblogic, March 12, 2014 KEY POINTS TO CONSIDER C LOUD S OLUTIONS A RE P RACTICAL AND E ASY TO I MPLEMENT Time to market and rapid
THE SECURITY OF HOSTED EXCHANGE FOR SMBs In the interest of security and cost-efficiency, many businesses are turning to hosted Microsoft Exchange for the scalability, ease of use and accessibility available
Cloud-Security: Show-Stopper or Enabling Technology? Fraunhofer Institute for Secure Information Technology (SIT) Technische Universität München Open Grid Forum, 16.3.2010, Munich Overview 1. Cloud Characteristics
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
A COALFIRE PERSPECTIVE Top 10 Risks in the Cloud by Balaji Palanisamy, VCP, QSA, Coalfire March 2012 DALLAS DENVER LOS ANGELES NEW YORK SEATTLE Introduction Business leaders today face a complex risk question
Can Cloud Database PaaS Solutions Replace In-House Systems? Abstract: With the advent of Platform-as-a-Service as a viable alternative to traditional database solutions, there is a great deal of interest
A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide
INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing
Overview of Cloud Computing and Cloud Computing's Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
Overview The purpose of this paper is to introduce the reader to the basics of cloud computing or the cloud with the aim of introducing the following aspects: Characteristics and usage of the cloud Realities
Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research
Cloud Computing Keeping Up With IT During Recession Table of Contents: Introduction; What is Cloud Computing?; Importance of robust IT Systems; Benefits of Cloud Computing; Lower Expenses: capital
Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
BMC's Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS: Introduction; Data Security; Secure Backup; Administrative Access; Patching Processes; Security Certifications
GAO For Release on Delivery Expected at 10:00 a.m. EDT Thursday, July 1, 2010 United States Government Accountability Office Testimony Before the Committee on Oversight and Government Reform and Its Subcommittee
ICSA Labs Risk and Privacy Cloud Computing Series Part I : Balancing Risks and Benefits of Public Cloud Services for SMBs The security challenges cloud computing presents are formidable, including those
GAO United States Government Accountability Office Report to Congressional Requesters May 2010 INFORMATION SECURITY Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing GAO-10-513
Building Energy Security Framework Philosophy, Design, and Implementation Building Energy manages multiple subsets of customer data. Customers have strict requirements for regulatory compliance, privacy
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
WALKME WHITEPAPER WalkMe Architecture Introduction WalkMe - the Enterprise Class Guidance and Engagement Platform - drives users to action as they use software or websites. WalkMe is used by Enterprises
A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
The Power of BMC Remedy, the Simplicity of SaaS WHITE PAPER TABLE OF CONTENTS: EXECUTIVE SUMMARY; BUSINESS CHALLENGE: MANAGING CHANGE
CLOUD COMPUTING: WHAT YOU SHOULD KNOW There is hardly a topic creating more of a buzz in software industry, than the Cloud. Cloud computing is a dramatic shift in the way we think about providing computing
BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM Agenda Security Cases What is Cloud? Road Map Security Concerns 1 Security Cases on Cloud Data Protection - Two arrested in ipad
Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture
Why Migrate to the Cloud ABSS Solutions, Inc. 2014 ASI Cloud Services Information Systems Basics Cloud Fundamentals Cloud Options Why Move to the Cloud Our Service Providers Our Process Information System
Are You in Control of Your Cloud Data? Expanded options for keeping your enterprise in the driver's seat EXECUTIVE SUMMARY Hybrid IT is a fact of life in companies today. Increasingly, the way to deploy
FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer
Capturing the New Frontier: How Software Security Unlocks the Power of Cloud Computing Executive Summary Cloud computing is garnering a vast share of IT interest. Its promise of revolutionary cost savings
Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect Cloud
datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers
AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals
Kaseya White Paper What Do You Mean My Cloud Data Isn't Secure? Understanding Your Level of Data Protection www.kaseya.com As today's businesses transition more critical applications to the cloud, there
WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.
Cloud security: A matter of trust? Dr Mark Ian Williams CEO, Muon Consulting I wandered lonely as a cloud... The academic, globe-trotting years: 1992-1993: Parallel software for PET scanner images in Geneva
Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview; Security Threats, Downtime and High Costs; Threats to Company Security and Profitability; A Revolutionary
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wireless communication lets you take your business wherever your customers,
Module 1: Facilitated e-learning CHAPTER 3: OVERVIEW OF CLOUD COMPUTING AND MOBILE CLOUDING: CHALLENGES AND OPPORTUNITIES FOR CAs; PART 1: CLOUD AND MOBILE COMPUTING; Learning Objectives; 1.1
Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data
Introduction to Cloud Computing Srinath Beldona email@example.com Agenda Pre-requisites Course objectives What you will learn in this tutorial? Brief history Is cloud computing new? Why cloud computing?
Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents: Data-Centric Security: Providing High-Value Protection for High-Value Data; Visibility:
A Decision Maker's Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
VALUE PROPOSITION FOR SERVICE PROVIDERS Helping Service Providers accelerate adoption of the cloud Partnership with Service Providers Enabling Your Cloud Services in Complex Environments Today's challenge
Public Clouds Krishnan Subramanian Analyst & Researcher Krishworld.com A whitepaper sponsored by Trend Micro Inc. Introduction Public clouds are the latest evolution of computing, offering tremendous value
How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk
AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,
The Sumo Logic Solution: Security and Compliance Introduction With the number of security threats on the rise and the sophistication of attacks evolving, the inability to analyze terabytes of logs using
1 Introduction to Cloud Computing CERTIFICATION OBJECTIVES 1.01 Cloud Computing: Common Terms and Definitions 1.02 Cloud Computing and Virtualization 1.03 Early Examples of Cloud Computing 1.04 Cloud Computing
Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security
A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that: the services of our in-house experts, many of them global
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents: Introduction; Seven questions to ask every privileged account security provider; 1. Is the solution really secure?
To kindle interest in economic affairs... To empower the student community... Open YAccess www.sib.co.in firstname.lastname@example.org A monthly publication from South Indian Bank 20th Year of Publication Experience
A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS *Dr Umesh Sehgal, #Shalini Guleria *Associate Professor, ARNI School of Computer Science, Arni University, Kathagarh Umeshsehgalind@gmail.com
Software Engineering Competence Center TUTORIAL An Introduction to Cloud Computing Concepts Practical Steps for Using Amazon EC2 IaaS Technology Ahmed Mohamed Gamaleldin Senior R&D Engineer-SECC email@example.com
Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
HITS HR & PAYROLL CLOUD MODEL WHITEPAPER Deciphering Total Cost of Ownership Total Cost of Ownership, or TCO, is commonly defined as the estimate of all direct and indirect costs associated with an asset