O 324 Part Two Information Technology Infrastructure INTERACTIVE SESSION MANAGEMENT How Secure Is the Cloud? Over...
Question:
Transcribed Image Text:
324 Part Two Information Technology Infrastructure

INTERACTIVE SESSION MANAGEMENT

How Secure Is the Cloud?

Over the last several years, many companies have altered their IT strategies to shift an increasing share of their applications and data to public-cloud infrastructure and platforms. However, using the public cloud disrupts traditional cybersecurity models that many companies have built up over years. As a result, as companies make use of the public cloud, they need to revise their cybersecurity practices in order to consume public-cloud services in a way that enables them both to protect critical data and to fully exploit the speed and agility that these services provide.

Managing security and privacy for cloud services is similar to managing traditional IT infrastructures. However, the risks may be different because some, but not all, responsibilities shift to the cloud service provider. The category of cloud service (IaaS, PaaS, or SaaS) affects exactly how these responsibilities are shared. For IaaS, the provider typically supplies and is responsible for securing basic IT resources such as machines, storage systems, and networks. The cloud services customer is typically responsible for its operating system, applications, and corporate data placed into the cloud computing environment. This means that most of the responsibility for securing the applications and the corporate data falls on the customer.

Cloud service customers should carefully review their cloud services agreement with their cloud provider to make sure their applications and data hosted in cloud services are secured in accordance with their security and compliance policies. But that's not all. Although many organizations know how to manage security for their own data center, they're unsure of exactly what they need to do when they shift computing work to the cloud. They need new tool sets and skill sets to manage cloud security from their end to configure and launch cloud instances, manage identity and access controls, update security controls to match configuration changes, and protect workloads and data. There's a misconception among many IT departments that whatever happens in the cloud is not their responsibility. It is essential to update security requirements developed for enterprise data centers to produce requirements suitable for the use of cloud services. Organizations using cloud services often need to apply additional controls at the user, application, and data level.

Cloud service providers have made great strides in tightening security for their areas of responsibility. Amazon's security for its cloud service leaves little to chance. The company keeps careful constraints around its staff, watches what they do every day, and instructs service teams to restrict access to data through tooling and automation. Amazon also rotates security credentials for authentication and verification of identity and changes them frequently, sometimes in a matter of hours.

The biggest threats to cloud data for most companies involve lack of software patching or misconfiguration. Many organizations have been breached because they neglected to apply software patches to newly identified security vulnerabilities when they became available or waited too long to do so. (See the discussion of patch management earlier in this chapter.) Companies have also experienced security breaches because they did not configure aspects of cloud security that were their responsibility. Some users forget to set up AWS bucket password protection. (A bucket is a logical unit of storage in Amazon Web Services [AWS] Simple Storage Solution S3 storage service. Buckets are used to store objects, which consist of data and metadata that describes the data.) Others don't understand basic security features in Amazon such as resource-based access policies (access control lists) or bucket permissions checks, unwittingly exposing data to the public Internet.

Financial publisher Dow Jones & Co. confirmed reports in July 2017 that it may have publicly exposed personal and financial information of 2.2 million customers, including subscribers to The Wall Street Journal and Barron's. The leak was traced back to a configuration error in a repository in AWS S3 security. Dow Jones had intended to provide semi-public access to select customers over the Internet. However, it wound up granting access to download the data via a URL to "authenticated users," which included anyone who registered (for free) for an AWS account. Accenture, Verizon, Viacom, Tesla, and Uber Technologies are other high-profile names in the steady stream of companies that have exposed sensitive information via AWS S3 security misconfigurations. Such misconfigurations were often performed by employees who lacked security experience when security configurations should have been handled by skilled IT professionals. Stopping AWS bucket misconfigurations may also require enacting policies that limit the damage caused by careless or untrained employees.

Although customers have their choice of security configurations for the cloud, Amazon has been taking its own steps to prevent misconfigurations. In November 2017, the company updated its AWS dashboard, encasing "public" in bright orange on the AWS S3 console so that cloud customers could easily see the status of access permissions to buckets and their objects. This helps everyone see more easily when an Amazon S3 bucket is open to the public. Amazon also added default encryption to all objects when they are stored in an AWS bucket and access control lists for cross-region replication. Another new tool called Zelkova examines AWS S3 security policies to help users identify which one is more permissive than the others. Amazon Macie is a managed service that uses machine learning to detect personally identifiable information and intellectual property, and has been available for S3 since August 2017.

Sources: Kathleen Richards, "New Cloud Threats as Attackers Embrace the Power of the Cloud," SearchCloudSecurity.com, April 3, 2018; "AWS S3 Security Falls Short at High-profile Companies," SearchCloudSecurity.com, April 2018; "Making a Secure Transition to the Public Cloud," McKinsey & Company, January 2018; and "Security for Cloud Computing: Ten Steps to Ensure Success," Cloud Standards Customer Council, December 2017.

CASE STUDY QUESTIONS

1. What kinds of security problems does cloud computing pose? How serious are they? Explain your answer.
2. What management, organization, and technology factors are responsible for cloud security problems? To what extent is cloud security a management issue?
3. What steps can organizations take to make their cloud-based systems more secure?
4. Should companies use the public cloud to run their mission-critical systems? Why or why not?

Chapter 8 Securing Information Systems 325

Cloud computing is highly distributed. Cloud applications reside in large remote data centers and server farms that supply business services and data management for multiple corporate clients. To save money and keep costs low, cloud computing providers often distribute work to data centers around the globe where work can be accomplished most efficiently. When you use the cloud, you may not know precisely where your data are being hosted.

Virtually all cloud providers use encryption to secure the data they handle while the data are being transmitted. However, if the data are stored on devices that also store other companies' data it's important to ensure that these stored
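The Dow Jones misconfiguration described in the case, a grant to "authenticated users" that in fact reaches every AWS account holder, can be checked for mechanically. The following is an added example, not part of the textbook excerpt or the posted answer: it audits ACL documents shaped like the S3 GetBucketAcl response for grants to the two predefined global groups. The function names, bucket names and owner ID are constructed for illustration.

```python
# Predefined S3 grantee groups. "AuthenticatedUsers" covers every AWS account
# in existence, not just principals inside the bucket owner's organization.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
AUDIENCE = {
    ALL_USERS: "anyone on the Internet",
    AUTHENTICATED_USERS: "any holder of any AWS account",
}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(bucket, acl):
    """Return one finding per grant that reaches a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = None
        if grantee.get("Type") == "Group":
            audience = AUDIENCE.get(grantee.get("URI"))
        if audience is None:
            continue  # canonical users and service groups such as LogDelivery
        permission = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "audience": audience,
            "permission": permission,
            "severity": "critical" if permission in WRITE_LIKE else "high",
        })
    return findings


def strip_global_grants(acl):
    """Return a copy of the ACL with every global-group grant removed."""
    kept = [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") not in AUDIENCE]
    return {**acl, "Grants": kept}


def audit_all(acls):
    """Audit a mapping of bucket name -> ACL, in bucket-name order."""
    return [f for name, acl in sorted(acls.items()) for f in audit_acl(name, acl)]


# Constructed sample data: bucket names and the owner ID are made up.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
SAMPLE_ACLS = {
    "example-subscriber-exports": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ]},
    "example-public-uploads": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ]},
    "example-access-logs": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"{f['severity'].upper():8} {f['bucket']}: "
              f"{f['permission']} granted to {f['audience']}")
```

The same check applies to object ACLs, which use the same grant structure; a clean result here does not cover exposure through bucket policies, which are a separate mechanism.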
Expert Answer:
INTERACTIVE SESSION MANAGEMENT: How Secure Is the Cloud?

1. Security Problems in Cloud Computing

Cloud computing poses various security challenges including data breaches, misconfigurations and una...
Related Book For
International Marketing And Export Management
ISBN: 9781292016924
8th Edition
Authors: Gerald Albaum, Alexander Josiassen, Edwin Duerr