
Question


Can you please answer these 4 case study questions at the end of the case study?

Chapter 8 Securing Information Systems (Part Two Information Technology Infrastructure), pp. 324-325

INTERACTIVE SESSION: MANAGEMENT

How Secure Is the Cloud?

Over the last several years, many companies have altered their IT strategies to shift an increasing share of their applications and data to public-cloud infrastructure and platforms. However, using the public cloud disrupts traditional cybersecurity models that many companies have built up over years. As a result, as companies make use of the public cloud, they need to revise their cybersecurity practices in order to consume public-cloud services in a way that enables them both to protect critical data and to fully exploit the speed and agility that these services provide.

Managing security and privacy for cloud services is similar to managing traditional IT infrastructures. However, the risks may be different because some, but not all, responsibilities shift to the cloud service provider. The category of cloud service (IaaS, PaaS, or SaaS) affects exactly how these responsibilities are shared. For IaaS, the provider typically supplies and is responsible for securing basic IT resources such as machines, storage systems, and networks. The cloud services customer is typically responsible for its operating system, applications, and corporate data placed into the cloud computing environment. This means that most of the responsibility for securing the applications and the corporate data falls on the customer.

Cloud service customers should carefully review their cloud services agreement with their cloud provider to make sure their applications and data hosted in cloud services are secured in accordance with their security and compliance policies. But that's not all. Although many organizations know how to manage security for their own data center, they're unsure of exactly what they need to do when they shift computing work to the cloud. They need new tool sets and skill sets to manage cloud security from their end to configure and launch cloud instances, manage identity and access controls, update security controls to match configuration changes, and protect workloads and data. There's a misconception among many IT departments that whatever happens in the cloud is not their responsibility. It is essential to update security requirements developed for enterprise data centers to produce requirements suitable for the use of cloud services. Organizations using cloud services often need to apply additional controls at the user, application, and data level.

Cloud service providers have made great strides in tightening security for their areas of responsibility. Amazon's security for its cloud service leaves little to chance. The company keeps careful constraints around its staff, watches what they do every day, and instructs service teams to restrict access to data through tooling and automation. Amazon also rotates security credentials for authentication and verification of identity and changes them frequently, sometimes in a matter of hours.

The biggest threats to cloud data for most companies involve lack of software patching or misconfiguration. Many organizations have been breached because they neglected to apply software patches to newly identified security vulnerabilities when they became available or waited too long to do so. (See the discussion of patch management earlier in this chapter.) Companies have also experienced security breaches because they did not configure aspects of cloud security that were their responsibility. Some users forget to set up AWS bucket password protection. (A bucket is a logical unit of storage in Amazon Web Services [AWS] Simple Storage Solution S3 storage service. Buckets are used to store objects, which consist of data and metadata that describes the data.) Others don't understand basic security features in Amazon such as resource-based access policies (access control lists) or bucket permissions checks, unwittingly exposing data to the public Internet.

Financial publisher Dow Jones & Co. confirmed reports in July 2017 that it may have publicly exposed personal and financial information of 2.2 million customers, including subscribers to The Wall Street Journal and Barron's. The leak was traced back to a configuration error in a repository in AWS S3 security. Dow Jones had intended to provide semi-public access to select customers over the Internet. However, it wound up granting access to download the data via a URL to "authenticated users," which included anyone who registered (for free) for an AWS account. Accenture, Verizon, Viacom, Tesla, and Uber Technologies are other high-profile names in the steady stream of companies that have exposed sensitive information via AWS S3 security misconfigurations. Such misconfigurations were often performed by employees who lacked security experience when security configurations should have been handled by skilled IT professionals. Stopping AWS bucket misconfigurations may also require enacting policies that limit the damage caused by careless or untrained employees.

Although customers have their choice of security configurations for the cloud, Amazon has been taking its own steps to prevent misconfigurations. In November 2017, the company updated its AWS dashboard, encasing public in bright orange on the AWS S3 console so that cloud customers could easily see the status of access permissions to buckets and their objects. This helps everyone see more easily when an Amazon S3 bucket is open to the public. Amazon also added default encryption to all objects when they are stored in an AWS bucket and access control lists for cross-region replication. Another new tool called Zelkova examines AWS S3 security policies to help users identify which one is more permissive than the others. Amazon Macie is a managed service that uses machine learning to detect personally identifiable information and intellectual property, and has been available for S3 since August 2017.

Sources: Kathleen Richards, "New Cloud Threats as Attackers Embrace the Power of the Cloud," SearchCloudSecurity.com, April 3, 2018; "AWS S3 Security Falls Short at High-profile Companies," SearchCloudSecurity.com, April 2018; "Making a Secure Transition to the Public Cloud," McKinsey & Company, January 2018; and "Security for Cloud Computing: Ten Steps to Ensure Success," Cloud Standards Customer Council, December 2017.

CASE STUDY QUESTIONS

1. What kinds of security problems does cloud computing pose? How serious are they? Explain your answer.
2. What management, organization, and technology factors are responsible for cloud security problems? To what extent is cloud security a management issue?
3. What steps can organizations take to make their cloud-based systems more secure?
4. Should companies use the public cloud to run their mission-critical systems? Why or why not?
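
The Dow Jones exposure described in the case comes down to an ACL grant to S3's predefined "authenticated users" group, which covers every AWS account rather than the bucket owner's own users. As an added example (not part of the textbook case or the original question), this Python check audits a bucket ACL in the JSON shape returned by `aws s3api get-bucket-acl` and flags grants to that group or to all users; the sample ACL and its owner IDs are constructed.

```python
import json

# Predefined S3 grantee groups (AWS-defined URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "anyone on the Internet",
    AUTH_USERS: "anyone signed in to any AWS account",
}


def audit_acl(acl):
    """Return one finding per grant that reaches beyond named accounts."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific canonical user are out of scope here
        uri = grantee.get("URI", "")
        if uri in RISKY_GROUPS:
            findings.append({
                "group": uri.rsplit("/", 1)[-1],
                "permission": grant.get("Permission"),
                "audience": RISKY_GROUPS[uri],
            })
    return findings


# Constructed sample: owner access, a log-delivery grant (a group, but not a
# public one), and the "authenticated users" READ grant the case describes.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f['permission']} granted to {f['group']}: {f['audience']}")
```
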
