Question:
Transcribed Image Text:
Part Two Information Technology Infrastructure

INTERACTIVE SESSION: MANAGEMENT

How Secure Is the Cloud?

Over the last several years, many companies have altered their IT strategies to shift an increasing share of their applications and data to public-cloud infrastructure and platforms. However, using the public cloud disrupts traditional cybersecurity models that many companies have built up over years. As a result, as companies make use of the public cloud, they need to revise their cybersecurity practices in order to consume public-cloud services in a way that enables them both to protect critical data and to fully exploit the speed and agility that these services provide.

Managing security and privacy for cloud services is similar to managing traditional IT infrastructures. However, the risks may be different because some, but not all, responsibilities shift to the cloud service provider. The category of cloud service (IaaS, PaaS, or SaaS) affects exactly how these responsibilities are shared. For IaaS, the provider typically supplies and is responsible for securing basic IT resources such as machines, storage systems, and networks. The cloud services customer is typically responsible for its operating system, applications, and corporate data placed into the cloud computing environment. This means that most of the responsibility for securing the applications and the corporate data falls on the customer. Cloud service customers should carefully review their cloud services agreement with their cloud provider to make sure their applications and data hosted in cloud services are secured in accordance with their security and compliance policies.

But that's not all. Although many organizations know how to manage security for their own data center, they're unsure of exactly what they need to do when they shift computing work to the cloud.
They need new tool sets and skill sets to manage cloud security from their end to configure and launch cloud instances, manage identity and access controls, update security controls to match configuration changes, and protect workloads and data. There's a misconception among many IT departments that whatever happens in the cloud is not their responsibility. It is essential to update security requirements developed for enterprise data centers to produce requirements suitable for the use of cloud services. Organizations using cloud services often need to apply additional controls at the user, application, and data level.

Cloud service providers have made great strides in tightening security for their areas of responsibility. Amazon's security for its cloud service leaves little to chance. The company keeps careful constraints around its staff, watches what they do every day, and instructs service teams to restrict access to data through tooling and automation. Amazon also rotates security credentials for authentication and verification of identity and changes them frequently, sometimes in a matter of hours.

The biggest threats to cloud data for most companies involve lack of software patching or misconfiguration. Many organizations have been breached because they neglected to apply software patches to newly identified security vulnerabilities when they became available or waited too long to do so. (See the discussion of patch management earlier in this chapter.) Companies have also experienced security breaches because they did not configure aspects of cloud security that were their responsibility. Some users forget to set up AWS bucket password protection. (A bucket is a logical unit of storage in Amazon Web Services [AWS] Simple Storage Solution S3 storage service. Buckets are used to store objects, which consist of data and metadata that describes the data.)
Others don't understand basic security features in Amazon such as resource-based access policies (access control lists) or bucket permissions checks, unwittingly exposing data to the public Internet.

Financial publisher Dow Jones & Co. confirmed reports in July 2017 that it may have publicly exposed personal and financial information of 2.2 million customers, including subscribers to The Wall Street Journal and Barron's. The leak was traced back to a configuration error in a repository in AWS S3 security. Dow Jones had intended to provide semi-public access to select customers over the Internet. However, it wound up granting access to download the data via a URL to "authenticated users," which included anyone who registered (for free) for an AWS account. Accenture, Verizon, Viacom, Tesla, and Uber Technologies are other high-profile names in the steady stream of companies that have exposed sensitive information via AWS S3 security misconfigurations. Such misconfigurations were often performed by employees who lacked security experience when security configurations should have been handled by skilled IT professionals. Stopping AWS bucket misconfigurations may also require enacting policies that limit the damage caused by careless or untrained employees.

Although customers have their choice of security configurations for the cloud, Amazon has been taking its own steps to prevent misconfigurations. In November 2017, the company updated its AWS dashboard, encasing public in bright orange on the AWS S3 console so that cloud customers could easily see the status of access permissions to buckets and their objects. This helps everyone see more easily when an Amazon S3 bucket is open to the public. Amazon also added default encryption to all objects when they are stored in an AWS bucket and access control lists for cross-region replication. Another new tool called Zelkova examines AWS S3 security policies to help users identify which one is more permissive than the others. Amazon Macie is a managed service that uses machine learning to detect personally identifiable information and intellectual property, and has been available for S3 since August 2017.

Sources: Kathleen Richards, "New Cloud Threats as Attackers Embrace the Power of the Cloud," SearchCloudSecurity.com, April 3, 2018; "AWS S3 Security Falls Short at High-profile Companies," SearchCloudSecurity.com, April 2018; "Making a Secure Transition to the Public Cloud," McKinsey & Company, January 2018; and "Security for Cloud Computing: Ten Steps to Ensure Success," Cloud Standards Customer Council, December 2017.

CASE STUDY QUESTIONS

1. What kinds of security problems does cloud computing pose? How serious are they? Explain your answer.
2. What management, organization, and technology factors are responsible for cloud security problems? To what extent is cloud security a management issue?
3. What steps can organizations take to make their cloud-based systems more secure?
4. Should companies use the public cloud to run their mission-critical systems? Why or why not?

Chapter 8 Securing Information Systems

Cloud computing is highly distributed. Cloud applications reside in large remote data centers and server farms that supply business services and data management for multiple corporate clients. To save money and keep costs low, cloud computing providers often distribute work to data centers around the globe where work can be accomplished most efficiently. When you use the cloud, you may not know precisely where your data are being hosted. Virtually all cloud providers use encryption to secure the data they handle while the data are being transmitted. However, if the data are stored on devices that also store other companies' data it's important to ensure that these stored
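The Dow Jones case above turned on an S3 grant to "authenticated users," a predefined AWS group that covers every AWS account holder. The following audit is an added example, not part of the textbook passage: it flags ACL grants to that group and to the all-users group. It assumes ACL documents in the shape returned by S3's GetBucketAcl call; the bucket names and owner IDs are constructed.

```python
"""Audit S3 bucket ACLs for grants to AWS's predefined global groups."""

# Predefined S3 grantee groups. AuthenticatedUsers is any AWS account
# holder anywhere, not only users inside the bucket owner's organization.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "anyone on the Internet, no sign-in needed",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "anyone signed in to any AWS account",
}

# Illustrative ranking (an assumption of this example): higher is worse.
SEVERITY = {"READ_ACP": 1, "READ": 2, "WRITE": 3,
            "WRITE_ACP": 4, "FULL_CONTROL": 4}


def audit_acl(bucket, acl):
    """Return one finding per grant that reaches a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in GLOBAL_GROUPS:
            continue  # grants to named accounts are out of scope here
        perm = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "group": uri.rsplit("/", 1)[-1],
            "permission": perm,
            "severity": SEVERITY.get(perm, 1),
            "reach": GLOBAL_GROUPS[uri],
        })
    return findings


def audit_all(acls):
    """Audit many buckets and return the worst findings first."""
    out = [f for name, acl in acls.items() for f in audit_acl(name, acl)]
    return sorted(out, key=lambda f: (-f["severity"], f["bucket"]))


def _owner():
    # Constructed owner grant, present on every sample bucket.
    return {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
            "Permission": "FULL_CONTROL"}


def _group(name, perm):
    uri = "http://acs.amazonaws.com/groups/global/" + name
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}


# Constructed sample input; none of these buckets are real.
SAMPLE_ACLS = {
    "example-subscriber-exports": {"Grants": [_owner(), _group("AuthenticatedUsers", "READ")]},
    "example-internal-logs": {"Grants": [_owner()]},
    "example-upload-drop": {"Grants": [_owner(), _group("AllUsers", "WRITE")]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"{f['bucket']}: {f['permission']} granted to {f['group']} ({f['reach']})")
```
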