Abstract
Cloud computing is the result of a rapid evolution of computing technologies and a response to the new world business requirements. The technology is widely adopted and its future is promising. However, the cloud computing phenomenon does not come without risk. Many issues of concern might slow the adoption of cloud computing; the most notable are the security concerns that result from the complexity of cloud technologies and the wide range of parties involved with them. Any business needs to understand issues such as cloud computing compliance and governance, cloud computing deployment and architectural models, virtualization, cloud computing applications, cloud operations, standards, guidelines, frameworks and contracting for cloud service provisioning before adopting the technology. This report explains the top security risks of using cloud service providers for essential business applications and how they can be identified using the cloud risk assessment process. It also explores various topics related to cloud computing, including the concepts and terminology of cloud security, risk assessment, frameworks and standards. It concludes with a case study scenario that explains the process of analyzing the security of a cloud service provider's services and shows some of the most common cloud computing risks that exist in the world.
QUT INN255 Security Report [Mukhtar Sharif] [Mohammed Hakami] 5/17/2013
Report Contents:
1. Introduction
2. Understanding Cloud Computing
2.1. Cloud Computing Core Technologies
2.2. Cloud Computing Architecture
2.2.1. Characteristics of Cloud Computing
2.2.2. Cloud Organizational Architectures (Deployment Model)
2.2.3. Cloud Computing Technical Architectures (Service Model)
3. Understanding Cloud Computing Security Risks
4. Implementing a standards-based
References:
[3] Dournaee, B. (2012) ‘Taking Control of the Cloud for Your Enterprise: Addressing Security, Visibility, and Governance Challenges in Cloud Computing’ Intel White Paper.
[31] Badger, L., Grance, T., Patt-Comer, R., Voas, J. (2012) ‘Cloud Computing Synopsis and Recommendations: Recommendations of the National Institute of Standards and Technology’ NIST Special Publication.
INN 255 Security Report (Semester1,2013)
[33] Trend Micro (2013) ‘Report of Security Threats to Evolving Data Centers’ Trend Micro. http://www.trendmicro.com.au/cloud-content/us/pdfs/about/rpt_security-threats-to-datacenters.pdf
[34] Trend Micro (2013) ‘Report of Virtualization and Cloud Computing Security Best Practice’ Trend Micro. http://www.dsd.gov.au/publications/csocprotect/Cloud_Computing_Security_Considerations.pdf
[41] NIST Strategy to build a USG Cloud Computing Technology Roadmap (2011) http://www.nist.gov/itl/cloud/upload/NIST_CC_program_updated_external_overview_040511.pdf
[42] COSO Integrated Framework (2013) http://www.coso.org/IC.htm
[43] Raiha, K http://atos.net/NR/rdonlyres/C827DC38-26E9-4309-9FE7-3CEB9BB8392/0/ATOS404416Cloudriskanalysiswp_LoRes.pdf
[45] The CSA Matrix (2012) https://cloudsecurityalliance.org/research/ccm/
[46] ENISA IAF

Appendix
Table 2: Cloud Security Risks identified by ENISA; adapted from (Haeberlen, T. et al., 2012)
Table 3: Cloud Security Risks identified by NIST; adapted from (Badger, L. et al., 2012)
Software-as-a-Service Environments
Browser-based Risks and Risk Remediation
Network Dependence
Lack of Portability between SaaS Clouds
Isolation vs