Organizations use the Cloud in a variety of service models (SaaS, PaaS, and IaaS) and deployment models (private, public, and hybrid). There are a number of security issues and concerns associated with cloud computing, but they fall into two broad categories: security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud) and security issues faced by their customers. The responsibility goes both ways, however: the provider must ensure that its infrastructure is secure and that its clients’ data and applications are protected, while the customer must verify that the provider has taken the proper security measures to protect their information, and must themselves use strong passwords and authentication measures.
What you need to know:
- Identity management
- Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.
- Physical security
- Cloud service providers physically secure the IT hardware (servers, routers, cables etc.) against unauthorized access, interference, theft, fires, floods etc. and ensure that essential supplies (such as electricity) are sufficiently robust to minimize the possibility of disruption. This is normally achieved by serving cloud applications from ‘world-class’ (i.e. professionally specified, designed, constructed, managed, monitored and maintained) data centers.
- Personnel security
- Various information security concerns relating to the IT and other professionals associated with cloud services are typically handled through pre-, para- and post-employment activities such as security screening potential recruits, security awareness and training programs, proactive security monitoring and supervision, disciplinary procedures and contractual obligations embedded in employment contracts, service level agreements, codes of conduct, policies etc.
- Cloud providers help ensure that customers can rely on access to their data and applications, at least in part (failures at any point – not just within the cloud service providers’ domains – may disrupt the communications chains between users and applications).
- Application security
- Cloud providers ensure that applications available as a service via the cloud (SaaS) are secure by specifying, designing, implementing, testing and maintaining appropriate application security measures in the production environment. Note that – as with any commercial software – the controls they implement may not necessarily fully mitigate all the risks they have identified, and that they may not necessarily have identified all the risks that are of concern to customers. Consequently, customers may also need to assure themselves that cloud applications are adequately secured for their specific purposes, including their compliance obligations.
- Providers ensure that all critical data (credit card numbers, for example) are masked or encrypted (even better) and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
- Legal issues
- Finally, providers and customers must consider legal issues, such as Contracts and E-Discovery, and the related laws, which may vary by country.
Numerous laws and regulations pertain to the storage and use of data, including privacy or data protection laws, Payment Card Industry – Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), and Children’s Online Privacy Protection Act of 1998, among others. Many of these regulations mandate particular controls (such as strong access controls and audit trails) and require regular reporting. Cloud customers must ensure that their cloud providers adequately fulfil such requirements as appropriate, enabling them to comply with their obligations since, to a large extent, they remain accountable.
- Business continuity and data recovery
- Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered. These plans may be shared with and reviewed by their customers, ideally dovetailing with the customers’ own continuity arrangements. Joint continuity exercises may be appropriate, simulating a major Internet or electricity supply failure for instance.
- Logs and audit trails
- In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and are accessible for the purposes of forensic investigation (e.g., eDiscovery).
- Unique compliance requirements
- In addition to the requirements to which customers are subject, the data centers used by cloud providers may also be subject to compliance requirements. Using a cloud service provider (CSP) can lead to additional security concerns around data jurisdiction since customer or tenant data may not remain on the same system, or in the same data center or even within the same provider’s cloud.
The Cloud has been quite beneficial for personal and business use, and with that benefit comes the need to know how to keep yourself and your business safe.
Are you Safe?
Paylab Plus acknowledges and supports Wikipedia
The origin of the term cloud computing is unclear. The expression cloud is commonly used in science to describe a large agglomeration of objects that visually appear from a distance as a cloud and describes any set of things whose details are not inspected further in a given context.
References to cloud computing in its modern sense can be found as early as 1996, with the earliest known mention to be found in a Compaq internal document.
The popularization of the term can be traced to 2006 when Amazon.com introduced the Elastic Compute Cloud.
The underlying concept of cloud computing dates to the 1950s, when large-scale mainframe computers were seen as the future of computing and became available in academia and corporations.
Cloud computing is believed to have been invented by Joseph Carl Robnett Licklider also known as “computing’s Johnny Appleseed,” for planting the seeds of computing in the digital age in the 1960s.
In 1994, AT&T launched PersonaLink Services, an online platform for personal and business communication and entrepreneurship. The storage was one of the first to be all web-based, and referenced in their commercials as, “you can think of our electronic meeting place as the cloud.”
Since 2000 the technology highway feels like driving a 2015 La Ferrari.
Amazon Web Services introduced their cloud storage service AWS S3 in 2006, and has gained widespread recognition and adoption as the storage supplier to popular services like Smugmug, Dropbox, and Pinterest.
In early 2008, Eucalyptus became the first open-source, AWS API-compatible platform for deploying private clouds. In early 2008, OpenNebula, enhanced in the RESERVOIR European Commission-funded project, became the first open-source software for deploying private and hybrid clouds, and for the federation of clouds. In the same year, efforts were focused on providing quality of service guarantees (as required by real-time interactive applications) to cloud-based infrastructures. By mid-2008, Gartner saw an opportunity for cloud computing “to shape the relationship among consumers of IT services, those who use IT services and those who sell them” and observed that “organizations are switching from company-owned hardware and software assets to per-use service-based models” so that the “projected shift to computing … will result in dramatic growth in IT products in some areas and significant reductions in other areas.”
In July 2010, Rackspace Hosting and NASA jointly launched an open-source cloud-software initiative known as OpenStack. The OpenStack project intended to help organizations offer cloud-computing services running on standard hardware. The early code came from NASA’s Nebula platform as well as from Rackspace’s Cloud Files platform.
On March 1, 2011, IBM announced the IBM SmartCloud framework to support Smarter Planet. Among the various components of the Smarter Computing foundation, cloud computing is a critical piece.
On June 7, 2012, Oracle announced the Oracle Cloud.
Cloud computing is the result of evolution and adoption of existing technologies and paradigms. The goal of cloud computing is to allow users to take benefit from all of these technologies, without the need for deep knowledge about or expertise with each one of them. The cloud aims to cut costs, and help the users focus on their core business instead of being impeded by IT obstacles.
As we drive into our week, let’s consider our next conversation in our informative learning experience: the characteristics of cloud computing. Drive safe and we’ll see you next week!
No one understands the cloud!!!
In the next few weeks Paylab Plus will be engaging in the conversation of “What Is The Cloud Anyway?” Let’s start by discovering data storage.
Cloud storage is a model of data storage where the digital data is stored in logical pools (a method of allocating space), the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company. These cloud storage providers are responsible for keeping the data available and accessible, and the physical environment protected and running. People and organizations buy or lease storage capacity from the providers to store end user, organization, or application data.
Cloud storage services may be accessed through a co-located cloud compute service, a web service application programming interface (API) or by applications that utilize the API, such as cloud desktop storage, a cloud storage gateway or Web-based content management systems.
As the mystery unfolds consumers, small and medium size businesses will get a sense of what the cloud can do for you.
See you next week!
The rise of mobile devices in the workplace, specifically healthcare facilities, has forced providers to look for ways to utilize mobile technology to increase efficiency, improve patient care and drive new businesses to their practice, without compromising HIPAA compliance regulations.
From Visa's Risk Management: For: IT, Information Security, IT Support
Visa has recently noticed an increase in malicious remote access activity associated with unauthorized access to merchant point-of-sale environments and, ultimately, payment card data. Many remote access solutions are used to provide remote management and technical support for retailers. Used maliciously, they can expose payment card data and other sensitive information by allowing cybercriminals to log in, establish additional “back doors” by installing malware, and steal payment card data. The risk of data compromise substantially increases when remote access applications are not PCI DSS compliant.
Examples of common remote access vulnerabilities that can enable intruders to gain access to merchant POS environments (NOTE: most are also violations of the PCI DSS):
- Remote access ports and services always available on the Internet.
- Outdated or un-patched applications and systems.
- Use of default passwords or no password.
- Use of common usernames and passwords.
- Single-factor authentication.
- Improperly configured firewalls.
The attacks take place by successfully logging in to remote access applications with common username/password combinations. Once inside the network, an intruder will typically take steps to disable anti-virus applications and establish additional “back door” connectivity through the installation of malicious software. On systems where payment card data is processed, card-capturing malware is often installed and used to collect full track data from the POS system. Finally, card data is removed to remote IP addresses.
We are urging you to share this information with your colleagues in the IT departments.
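The pattern Visa describes, repeated login attempts against a remote access application with common username/password combinations, leaves a recognisable trace in the application's authentication log. The following is an added example, not code from the original post or from Visa, showing how an IT team might run two detections over such a log: a burst of failed logins for one source/account pair, and any successful login using a well-known default account name. The log format, the `remote-admin` service name, the account list and the sample entries are all constructed for this example (the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24); a real deployment would adapt `parse_line` to the remote access product's actual log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical key=value format).
SAMPLE_LOG = """\
2015-03-02T10:15:01Z svc=remote-admin src=203.0.113.5 user=admin result=FAIL
2015-03-02T10:15:03Z svc=remote-admin src=203.0.113.5 user=admin result=FAIL
2015-03-02T10:15:05Z svc=remote-admin src=203.0.113.5 user=admin result=FAIL
2015-03-02T10:15:07Z svc=remote-admin src=203.0.113.5 user=admin result=FAIL
2015-03-02T10:15:09Z svc=remote-admin src=203.0.113.5 user=admin result=FAIL
2015-03-02T10:15:11Z svc=remote-admin src=203.0.113.5 user=admin result=OK
2015-03-02T11:02:44Z svc=remote-admin src=198.51.100.7 user=jsmith result=OK
2015-03-02T11:30:00Z svc=remote-admin src=203.0.113.9 user=support result=OK
"""

# Account names that should never be used for interactive remote access;
# this list is an assumption for the example, not a vendor-supplied one.
COMMON_ACCOUNTS = {"admin", "administrator", "support", "pos", "root"}
FAIL_THRESHOLD = 5              # failures within WINDOW that trigger an alert
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def analyze(log_text: str) -> list:
    """Return (rule, src, user) findings in the order they are triggered."""
    findings = []
    # Recent failure timestamps per (source address, account) pair.
    failures = defaultdict(list)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["src"], rec["user"])

        if rec["result"] == "FAIL":
            # Keep only failures inside the sliding window, then count.
            recent = [t for t in failures[key] if rec["ts"] - t <= WINDOW]
            recent.append(rec["ts"])
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:      # alert once per burst
                findings.append(("brute_force", rec["src"], rec["user"]))
        else:
            # A success that follows a burst of failures is the interesting one.
            if len(failures[key]) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", rec["src"], rec["user"]))
            failures.pop(key, None)
            if rec["user"] in COMMON_ACCOUNTS:
                findings.append(("common_account_login", rec["src"], rec["user"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The `success_after_failures` rule is the one worth paging on: a burst of failures alone may be a forgotten password, but a success at the end of it is consistent with the guessing attack described above, and the `common_account_login` rule flags the default-account usage that the checklist says should not exist at all.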
Not sure what option is best for your business? Take a look at this article that hashes out the good and bad with phone systems.
Take a look at the picture Visa released on how to understand the EMV Chip Cards.