Question
2) Based on the Cloud Security Alliance Security Guidance material, answer the following question:
For the following areas:
a. Domain 3: Legal and Electronic Discovery,
b. Domain 4: Compliance and Audit
c. Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
d. Domain 10: Application Security
Explain the challenges faced by companies wanting to use cloud computing in place of their current conventional computing environment. Detail any increase or decrease in risk between conventional computing and using the “cloud”.
Explanation / Answer
a. Domain 3: Legal and Electronic Discovery
Cloud Computing offers huge benefits to clients, including inexpensive access to seemingly limitless resources that are available instantly, anywhere. To prepare for the shift from computing environments that depend on dedicated hardware to Cloud Computing, the Federal Rules of Discovery should be amended to provide relevant guidelines and exceptions for particular types of shared data in cloud computing.
"Cloud Computing", a type of shared computing of both software and hardware, stores client data in large volumes so that clients can access their data or run applications from any location with an Internet connection. A Cloud provider can offer access to seemingly unlimited applications, including operating systems and hardware, as services of the Cloud. Cloud Computing is becoming very popular with a broad base of consumers. Websites such as Facebook turn personal computers into portals for clients to access and share images, videos, and text online.
Cloud Computing is also becoming popular with businesses and public organizations. These entities are beginning to use Cloud Computing because it can reduce the need for IT floor space by 81% and save 61% on a company's power costs, while tripling usage of IT assets. Cloud Computing also allows clients to penetrate the marketplace with relative ease because it requires less capital than would be invested in traditional location-dependent hardware.
Cloud providers essentially virtualize the same physical resources to service multiple dispersed clients. Cloud providers also divide "the tasks of running applications and storing data into small chunks," and then allocate the chunks among various distributed resources. These resources are dynamically partitioned according to client demand.
Electronically Stored Information (ESI): The Rules state that "a party must provide to other parties ... a copy of, or a description by category and location of, all documents, electronically stored information and retied information, and tangible things that are in the possession, custody, or control of the party." A party may request the production of ESI "in the responding party's possession, custody, or control ... stored in any medium from which information can be obtained." A party does not have to provide discovery of ESI "from sources that the party identifies as not reasonably accessible because of undue burden or cost." The use of the phrase "electronically stored information" was "intended to be broad enough to cover all current types of computer-based information, and flexible enough to encompass future changes and developments."
b. Domain 4: Compliance and Audit
"Audit and compliance" refers to all the internal and external processes that an organization implements in order to:
· Identify compliance requirements such as corporate policies and standards, laws and regulations, as well as customer service level agreements (SLAs).
· Implement policies, procedures, processes and systems to satisfy those compliance requirements.
· Monitor whether these policies, procedures and processes are followed diligently.
Finally, audit and compliance functions have always played an important role in every company; with cloud services, these functions become super-critical.
An audit or compliance check is always done against a pre-specified benchmark. For auditing an outsourced provider, the SLA is the ONLY benchmark. Ensure that all the points below are adequately covered in our cloud SLA.
The Right to Audit
While cloud providers may fall over each other to offer guided tours of their locations (usually pre-announced and staged for the locations you visit), they are reluctant to have their systems audited by third parties to get benefits. They allow an audit that is restricted to an examination of their policies and procedures, and not the effectiveness of their implementation.
c. Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
The main purpose of this domain is to give cloud service users a common understanding of physical security. Physical security can be defined as the measures taken to ensure the safety of the software and the material existence of data and personnel against theft, espionage, sabotage, or harm. In cloud information security, this means information, products, and people.
Proper information security deploys many different layers to achieve its goal. This is referred to as "layered security." When implementing security measures, managers should acknowledge that no measure is 100 percent secure. Information security uses the depth of its layers to achieve a combined level of security. A weakness in any one of these layers can cause security to break and create high-risk problems. Physical protection is the initial step in a layered approach to cloud information security. Where it is nonexistent, weak, or exercised inconsistently, the best logical security measures will not make up for the physical security weakness, and security overall can fail.
Finally, an effective physical security program flows from well-developed policies, processes, and procedures. A well-developed physical security program produces good physical security; it is also scalable with the business, repeatable across the organization, measurable, sustainable, defensible, continually improving, and cost-effective.
d. Domain 10: Application Security
The final level of security is application security, in which the application can only be accessed by providing some kind of credentials. By the type of credentials provided, we can further divide application security into four types:
1. Identity-based access
2. Role-based access
3. Key-based access
4. Claim-based access
1. IDENTITY-BASED ACCESS: In identity-based access, a username and password are provided by the user, and only if they match the records in the database is access granted; otherwise access is denied. The username can be of many types, for example a name, an email address, or ID proofs like a driving license number, PAN card number, SSN number in America, UID number in India, etc., which uniquely identify that person. In the case of an email ID we have the additional advantage that, if a password is lost, the issuing authority can send a new password to that email ID. We can also enjoy the advantage of the email ID with other identity types if we take the email ID as an input at the time of registering.
2. ROLE-BASED ACCESS: In role-based identity, a role such as administrator or developer is associated with the user, and the application changes its view according to the role of that user. Other credentials are also stored when issuing the role-based identity to that user, for security purposes.
3. KEY-BASED ACCESS: In key-based identity the end user is provided a key, and only by using that key can the end user access the services. This key is also stored in the database for verification. The key is encrypted and is generally very long, so that no one can guess it. The level of security is very high with key-based identity. It is generally associated with a time stamp, and the services can generally be enjoyed only for a certain amount of time, such as 1 day, 6 hours, or 1 month.
4. CLAIM-BASED ACCESS: In claim-based identity a live ID is created for a particular brand, and all other services provided by that brand are accessed with that ID. This is done because the end user or customer does not want to, or does not prefer to, create a new ID and remember the credentials each time for using the different services of that brand. The end user never likes filling in the form each time for different services of that brand. So, in order to attract customers to use their services without any pain and at the same time not compromising on security, claim-based identity has been introduced; the effort and cost of maintaining the data are also reduced to a great extent, and at the same time we can track how many services and what type of services have been accessed by a particular type of person, and this data can be used for data warehousing purposes.
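The four access models above are easier to compare side by side in code. The following is an added example written for this page, not code from the CSA guidance or from the answer's author; every name, role set and data value in it is constructed for illustration. It shows the defensive details the answer leaves implicit: identity-based access verifies a salted password hash rather than the stored password, key-based access stores only a hash of the key together with an expiry time (the "time stamp" the answer mentions), and claim-based access carries the subject and role in a token whose signature is checked before any claim is trusted.

```python
"""Added example: four application access models (constructed data)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # work factor for password hashing


# 1. Identity-based access: username + password.
def make_password_record(password: str) -> dict:
    """Store a per-user salt and PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# 2. Role-based access: the role decides which actions (and views) are allowed.
ROLE_PERMISSIONS = {  # constructed role set
    "administrator": {"read", "write", "manage_users"},
    "developer": {"read", "write"},
    "auditor": {"read"},
}


def role_allows(role: str, action: str) -> bool:
    """Unknown roles get an empty permission set, so they are denied."""
    return action in ROLE_PERMISSIONS.get(role, set())


# 3. Key-based access: a long random key that is only valid for a limited time.
def issue_api_key(store: dict, ttl_seconds: int, now: float) -> str:
    """Hand the raw key to the user; keep only its hash and expiry server-side."""
    key = secrets.token_urlsafe(32)
    store[hashlib.sha256(key.encode()).hexdigest()] = now + ttl_seconds
    return key


def key_valid(store: dict, key: str, now: float) -> bool:
    """A key is accepted only if its hash is known and it has not expired."""
    expiry = store.get(hashlib.sha256(key.encode()).hexdigest())
    return expiry is not None and now < expiry


# 4. Claim-based access: one signed token carries the claims for every service.
def sign_claims(secret: bytes, subject: str, role: str, expires: int) -> str:
    """Token layout (constructed): subject|role|expires|hex(HMAC-SHA256)."""
    if "|" in subject or "|" in role:
        raise ValueError("claim values must not contain the separator")
    payload = f"{subject}|{role}|{expires}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_claims(secret: bytes, token: str, now: float):
    """Return the claims only if the signature is valid and the token is unexpired."""
    payload, _, sig = token.rpartition("|")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or foreign token: trust nothing in it
    fields = payload.split("|")
    if len(fields) != 3:
        return None
    subject, role, expires = fields
    if now >= int(expires):
        return None
    return {"subject": subject, "role": role}


if __name__ == "__main__":
    rec = make_password_record("correct horse battery")
    print("password ok:", verify_password(rec, "correct horse battery"))
    print("admin may manage users:", role_allows("administrator", "manage_users"))
    keys = {}
    k = issue_api_key(keys, ttl_seconds=3600, now=1000.0)
    print("key valid after 1h+:", key_valid(keys, k, now=5000.0))
    tok = sign_claims(b"constructed-secret", "alice", "developer", 5000)
    print("claims:", verify_claims(b"constructed-secret", tok, now=1000.0))
```

Passing `now` explicitly rather than calling the clock inside the functions keeps the expiry logic testable; in a real service it would be `time.time()`. Note that the claim token is signed, not encrypted: anyone holding it can read the subject and role, so it must travel over TLS, and the secret must stay on the server side.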