Cloud Computing

Cloud Computing: Assessing the risks

JARED CARSTENSEN
BERNARD GOLDEN
JP MORGENTHAL
Copyright Date: 2012
Published by: IT Governance Publishing
Pages: 297
https://www.jstor.org/stable/j.ctt5hh5bm
    Book Description:

    Cloud Computing: Assessing the risks answers these questions and many more. Using jargon-free language and relevant examples, analogies and diagrams, it is an up-to-date, clear and comprehensive guide to the security, governance, risk and compliance elements of Cloud Computing. Written by three internationally renowned experts, this book discusses the primary concerns of most business leaders – the security and risk elements of the Cloud. But ‘security and risk’ are just two elements of Cloud Computing, and this book focuses on all the critical components of a successful cloud programme, including compliance, risk, reliability, availability, areas of responsibility, Cloud Computing borders, legalities, digital forensics and business continuity. This book covers them all.

    eISBN: 978-1-84928-360-1
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. WHAT OTHERS ARE SAYING ABOUT THIS BOOK
    (pp. 5-10)
  3. FOREWORD
    (pp. 11-13)
    Christofer Hoff

    ‘Cloud is secure!’ ‘Cloud is insecure!’ How many times have you heard these very contrarian viewpoints argued – often by the same person – without the necessary context reinforcing these assertions or anything substantive offered beyond anecdotes and buzzwords for comparison?

    It is clear that Cloud Computing has achieved escape velocity from the massive hype that initially had it tethered in low orbit to the point that it has now joined the ranks of popular culture.

    Everyone, from technicians to technophobes, speaks of ‘The Cloud,’ each with their own interpretation of why and how it matters personally. Whether you’re an...

  4. ABOUT THE AUTHORS
    (pp. 14-16)
  5. ACKNOWLEDGEMENTS
    (pp. 17-18)
    Jared Carstensen, Bernard Golden and JP Morgenthal
  6. Table of Contents
    (pp. 19-22)
  7. CHAPTER 1: CLOUD COMPUTING EXPLAINED
    (pp. 23-57)

    In late 2007, executives at The New York Times faced a common commercial dilemma: they identified an attractive business opportunity, but couldn’t pursue it because of the high cost and long lead time for necessary IT resources. Initial estimates for the project were that it would require over $100,000 investment and couldn’t start for several months’ time due to the lengthy timeframe for budget request, hardware ordering and installation/configuration.

    It’s no secret that the newspaper business is severely challenged by the growth of the Internet. Any new profitable business offerings capable of increasing subscriber loyalty are eagerly seized by an...

  8. CHAPTER 2: HOW CLOUD COMPUTING CHANGES SECURITY, GOVERNANCE, RISK AND COMPLIANCE
    (pp. 58-74)

    Survey after survey identifies security as people’s number one concern about Cloud Computing. IT organisations decide to continue existing on-premises deployment practices (often using a private Cloud environment) because they have higher confidence in the security of their own environment.

    But a curious thing emerges when one engages in a discussion on this topic. When IT professionals are asked what specific concerns about Cloud Computing security they have, responses like these are common:

    What’s to prevent a Cloud service provider employee from sticking a thumb drive into a server and downloading my data?

    How do I know if my company’s...

  9. CHAPTER 3: GOVERNANCE OF CLOUD COMPUTING
    (pp. 75-91)

    Governance: a: to control, direct or strongly influence the actions and conduct of. (www.webster.com)

    Given the vast changes (economic, technological, geopolitical) that businesses and governments need to react to, managing risk has become a key initiative for many organisations. Governance is one tool that can be used to minimise risk by providing consistent controls and processes regarding the management of assets.

    The topic of governance is rapidly gaining support within the enterprise IT community. Typically the nature of information technology within mid-sized and large enterprises forces the need to implement some form of governance, albeit usually on a case-by-case basis....

  10. CHAPTER 4: CLOUD COMPUTING TOP SECURITY RISKS
    (pp. 92-114)

    In Chapter 2, we examined how Cloud Computing changes security, governance, risk and compliance. Building on that, in this chapter we will focus on the top security risks facing users of Cloud Computing.

    Underlying every aspect of Cloud Computing security is the fact that the fundamental assumptions regarding the operating environment to which security practices are applied are different in the world of Cloud Computing.

    In the past, security practices assumed the following:

    Static and ‘owned’ computing environment: Security practices assumed that the foundations of computing environments – the data centre, physical infrastructure (electrical system, UPS, cooling, etc.), and so...

  11. CHAPTER 5: ASSESSING SECURITY IN THE CLOUD
    (pp. 115-135)

    In Chapter 4, we discussed why Cloud Computing security is different from traditional approaches to computing security. Among the reasons cited were:

    Virtualisation: Many traditional security solutions rely on examining network traffic. In virtualised environments, network traffic often goes from one virtual machine to another without leaving the physical server, rendering network-attached security devices ineffective.

    Dynamic environments: Virtualisation environments support dynamic placement and relocation of virtual machines to enable hardware failure resiliency and better application performance. The side effect of this is that security practices that assume a static environment are challenged to operate effectively in a dynamic infrastructure.

    Multi-tenant...

  12. CHAPTER 6: CLOUD COMPUTING APPLICATION SECURITY
    (pp. 136-175)

    We concluded Chapter 5 by noting that CSPs view security (quite rightly) as a shared responsibility. A CSP may be quite willing to accept responsibility for the security measures that lie on its side of the trust boundary, but it will (also quite rightly) abjure any responsibility for the security of an application deployed by a third party.

    That attitude certainly makes sense; after all, the CSP has no insight into the development practices, testing regimen or operational processes of the application’s owner – how can it possibly accept responsibility for its security?

    This bifurcation of security responsibilities is illustrated...

  13. CHAPTER 7: ORGANISATIONAL RISKS ASSOCIATED WITH CLOUD COMPUTING
    (pp. 176-205)

    Organisational risks are threats, negative effects or problems due to internal or external changes in organisational structure or management processes that can impact the mission of a company or an organisation. While many organisations practise operational risk management, few practise organisational risk management although they are intimately tied together. An organisation operates through the combination of people, processes and technology working together. If any one of these categories has a major structural impact, it will most likely affect the other two categories.

    One of the major sources of organisational risk is the introduction of new technologies. In an exceptional example...

  14. CHAPTER 8: BUSINESS CONTINUITY AND DISASTER RECOVERY IN CLOUD COMPUTING
    (pp. 206-228)

    A commonly used, but often misunderstood, phrase mentioned by corporate executives right down to the engineers in the networks team is ‘business continuity’.

    The best description I have heard used to reference business continuity would be to ‘plan for things that you can expect to go wrong, but hope that they don’t’. Whether we like to admit it or not, systems will fail, people will fail, natural disasters may well happen (depending on your geographical location this might become a more common occurrence than other locations), and, believe it or not, even the hallowed IT professionals make mistakes.

    For the...

  15. CHAPTER 9: INVESTIGATIONS AND FORENSICS IN THE CLOUD
    (pp. 229-243)

    Cloud Computing forensics is currently an unknown to both Cloud providers and Cloud customers, due to its immaturity and the small number of Cloud investigations conducted so far. This is an area that is set to develop extensively in the next few years. At present, no formal mechanisms, methodologies or standards have been developed for Cloud forensics.

    The goal of this chapter is to promote thought and insight into the changes and challenges introduced in digital forensic investigations when in a Cloud environment.

    As yet, there is no solution – no commercial forensic tools have been developed for Cloud Computing platforms, nor are there...

  16. CHAPTER 10: CLOUD COMPUTING BORDERS – NATIONAL AND INTERNATIONAL DEPLOYMENT
    (pp. 244-271)

    Notwithstanding the benefits gained from Cloud Computing, Cloud Computing can introduce a number of legal and international challenges for your organisation.

    From an international legal perspective, the key difference between traditional IT outsourcing and Cloud Computing is where the data resides, is processed and is stored. Data can be (and almost always is) stored in various locations, data centres and jurisdictions all over the world and across multiple platforms. This can result in multiple copies of data being stored and processed in different locations.

    The Cloud revolutionises the term ‘outsourcing’ and introduces numerous implications of outsourced data handling, contract terms...

  17. CHAPTER 11: EVALUATING COMPLIANCE IN THE CLOUD
    (pp. 272-290)

    Compliance, from a definitions perspective, would be defined as ‘conforming to a rule, such as a specification, policy, standard or law’ – rules that are typically external to the organisation.

    In many real-world situations and environments, the above definition is often expanded, and tends to include additional operational risks and additional regulations, thereby extending the notion ‘compliance’ to other operational risk assessments and other frameworks or internal processes.

    Compliance can be across any number of business units, functions or departments with a varying degree of requirements, measurement or frequency for assessment and adherence.

    Regulations have grown in breadth due to fraud...

  18. CHAPTER 12: WHERE CLOUD COMPUTING IS HEADING
    (pp. 291-294)

    The industry enthusiasm for Cloud Computing indicates that it addresses elements of IT that suffer from fundamental dissatisfaction.

    IT is commonly regarded as unresponsive, slow-moving, expensive and difficult to work with.

    Cloud Computing, with its rapid provisioning, pay-as-you-go pricing and user self-service, addresses these pain points.

    Any time a new solution neatly addresses the shortcomings of a given situation, it seems obvious that it will be embraced immediately.

    The overwhelming enthusiasm directed toward Cloud Computing suffers from only one reservation: security. Many IT professionals react to the promise of Cloud Computing with a ‘yes, but’ attitude. ‘Yes, Cloud Computing sounds...

  19. ITG RESOURCES
    (pp. 295-297)