Information Assurance and Cloud Computing, Research Paper Example
Words: 2789Research Paper
The emerging trend in the tech world is cloud computing which has progress to be adopted not only by the private sector, but also the public sector. The implementation of cloud computing has transformed not only the tech world but also the business world. The shift to cloud technology provides newer means of technology that allow users to forward and store information into the “cloud”. Information assurance and business managers realize that technology and disasters go hand in hand, and must prepare for disasters that occur in all shapes and sizes. Cloud computing exists to assist in the areas of risk management, disaster recovery, and in the increasingly amount of malware and intruder prevention. Cloud computing has the possibility to help managers in this area, the concepts, and methods that provide enough mechanisms to enhance information assurance practice and planning. The purpose of this paper is to explore the possibilities of cloud computing and how it can assist with information assurance in the areas of threats, vulnerabilities, and preventing initial risks where cloud computing can improve service delivery.
TABLE OF CONTENTS
Executive Summary. 1
Assets of Value. 5
Facets/Goals/Services of IA.. 7
Initial Risks. 10
Recommendations for Controls. 10
Recommendation (Residual Risks). 10
Contingency Plan. 11
Cloud has been the leading buzzword for several years now as many businesses and services have increased their demand for cloud computing. Cloud computing helps to deliver services and information to users that pay for the services. Cloud computing has become a scalable service delivery platform for users that vary from consumers to enterprises. Cloud Computing has proven to be utilized in various aspects that include commercial services offerings and supporting collaborative scientific research. The main purpose of Cloud Computing is to enable resource sharing within the cloud value chain for users. Cutting through all the hype for Cloud Computing, it is taking advantage of the ubiquitous global network that provides service provides means to economically deliver network-based computing services. As various as the many valuable services and uses are, Cloud Computing has sparked concerns in not only security risks, but privacy, and business integrity.
As the business world and other enterprises look to a balance of risk and benefit for Cloud Computing, it has been noted as the next stage in the evolution of the internet. Information assurance is used as a means of protecting the information systems. However, what is not carefully checked in longevity is the amount of variability given to Cloud Computing that can keep the mechanisms used in protecting from vulnerabilities, risks, and their potential impacts. This paper will provide information on Cloud Computing and Information Assurance in the areas of national security, enterprises, and to the consumer. The scholarly use of reliable books, articles, and other resources written by experts in their field will help to back up opinions, verifiable facts, notions, and recommendations in this paper.
Overview of Cloud Computing
Cloud Computing is a newer means of delivery of technology. Breaking down Cloud Computing, computing is defined by any goal-oriented activity in regards to benefiting or creating computers. It involves building and designing software systems and hardware for a wide range of purposes; managing, structuring, and processing numerous types of information. These actions range from making intelligent behaving computer systems, finding and gathering relevant information, creating media, and other possibilities. Cloud Computing has open availability that provides a variety of services, where site specific software and hardware installations are not directly needed. The NIST SP 800-145 defines Cloud Computing as,
“merely a model for enabling convenient, on-demand network access to shared data pool(s) of configurable computing resources (e.g.,, networks, servers, storage, application, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Scholz, 2013, pg.145).
Cloud Computing model can come in various forms that include, SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service), like those offered from Terramark, Rackspace, and Savvis. According to NIST the cloud computing model consists of five essential characteristics that include, three service models, and four deployment models. The essential characteristics are: on-demand self-service where the user can provision computing capabilities as needed without the need of human interaction from the service provider. Broad network access that is providing capabilities over the network through mechanisms that promote the use of various platforms. Rapid elasticity that provide a scalable system where it is automatically controlled and optimized by leveraging a metered service. (NIST 800-145, 2011, pg.7) The cloud can be deployed on four various backgrounds that include a private cloud that is typically owned by business units, community cloud, public cloud, and a hybrid cloud that is a composition of two or more types of clouds. (NIST 800-145, 2011, pg. 7)
Cloud Computing offers the use of technology over the internet with central remote servers in order to maintain applications and data. Users are able to access the cloud with application installation on their computers, and provide access from anywhere. The benefits range from faster speeds in deployment, lower computing costs of software services, and IT infrastructure expenses. The companies pay for only what they use which gives independence against internal IT resources, a plethora of application collaboration, low-end devices that have the accessibility options as high-end devices, and scalability through on-demand ubiquitous computing access. While Cloud Computing has brought several opportunities presented to the consumer and enterprises in order to reduce capital, it has also raised several risks.
Assets of Value
The Department of Defense is well aware of the many attributes and contributions that can be made from Cloud Computing. One of the biggest risks that that Cloud Computing contains no single or standard architectural method. The services that Cloud Computing provide a range from data storage, processing software such as emails, accessing confidential and collaborative files from anywhere, and other notable values of assets of companies. (ENISIA, 2010, pg.1) Now that the cloud can be accessed from the general public, or hybrid clouds, it makes it harder for implementing security measures. The DOD (Department of Defense) has some of the biggest issues when switching to Cloud Computing, data migration allows for the delivery of multi-source information using diverse application formats, and other sensitive data that can be accessed in the cloud. (Defense, 2011, pg.8) According to DHS, the assets, “With cloud computing, IT infrastructure resources are pooled and shared across large numbers of applications and organizations” (Kundra, 2011, pg. 11). While there is several material that area available in the public domain, there are several that is controlled unclassified information (CUI) that is sensitive enough to warrant placing “For Official Use Only” or “Sensitive But Unclassified” label. This information as defined as sensitive information by the Computer Security Act of 1987 (NIST, 2011) can range from technical documents from military departments and other classified departments. These types of files are accessed through the cloud, and can be a security risks if accessed by the wrong user.
Facets/Goals/Services of IA
According to the NSA, one of the fundamental risks that need to be considered with cloud computing is how the cloud affects the trust boundary. (NSA, 2009, pg. 2) Information Assurances are prone to be protected against threats to the infrastructure. The cloud will contain sensitive information that includes CUI, SBU, and other classified information that is not privy to the general public. The IA must be designed, as “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation” (PRIM, n.d). The IA must provide successful protection of the assets that require compliance policy and an understanding of the vulnerabilities that are faced when interaction with information systems. According to Techopedia, the purpose of Information Assurances is to protect information systems through maintaining: integrity, availability, authentication, confidentiality, and nonrepudiation. (Techopedia, nd) In managing the cloud it uses technical and physical administrative controls in order to accomplish these goals. While relying on the benefits of cloud computing to help out enterprises, as Shared by IAC, one of the fundamental problems with cloud computing adoption is the availability of security resources. In addition, the information assurances that those resources provide and maintain while in the cloud. (IAC, 2010, pg.6) In accordance with the IA, integrity must ensure that the information systems remained unharmed and untampered with as the purpose of implanted anti-viral software in its place to minimize malicious attacks. IA must guarantee to keep the information confidential, which allows for only those that are authorized can access it. Authentication ensures that users are whom they say they are, and for identifying data messages and devices. Availability of IA is where the information within the cloud is available for access, and protection against potential threats. Nonrepudiation advised through IA is needed so that users cannot deny completing an action because there will be evidence within the cloud. (Techopedia, n.d) Information Assurance is needed within infrastructures such as, Department of Defense that rely on an impenetrable system where attacks are minimized.
On the internet and particularly in the cloud, there are potential threats that impact the infrastructure of a corporation or someone’s identity. The first of these threats includes data breaches which can be evident, due to lack of training of policies for employers on devices, and access controls. (CSA, 2013) Data loss and data leakage are apparent when challenged with addressing the problem. They are considerable risks that can see valuable and confidential data disappear. Hackers will target out of spite wiping the data out, causing data that are available in the cloud to be lost which could lead to potential legal issues and security issues. According to CSA, “if an attacker gains access to your credentials, he or she can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. (CSA, 2013). This combat the five main categories of availability, authentication, nonrepudiation, integrity, and confidentiality. This threat that are numerous in number including, malware, spyware, viruses, phishing, and other threats can lead to detrimental results if classified information leaked from outside or inside threats due to incompetent employees were accessed.
While it is enough to see the outside risks and threats to cloud computing, it is also fair to place some importance on internal threats of vulnerability to the system. The challenges that cloud computing places on the enterprises is the lack of standard architecture that can lead to security issues such as the threats listed above. Weak encryptions, anti-virus software, and flaws in clients’ application can lead to attacks obtaining data from users and corporations. (CSA, 2013) Attackers can gain access to credentials by employees not complying with policies for network devices and leaving confidential information out for others to see. This exposes vulnerabilities that can lead to account or service traffic hijacking. This can leverage the power of corporations’ reputations to launch attacks on other enterprises. The human interactions that lead to carelessness from untrained, or unknowledgeable individuals provides further harm to the technology. Technology needs to be available so that users can customize their needs to those of the business, so that the application can be developed to suit the needs of the business. The inclusion of up to date software such as firewall protection can protect against the vulnerabilities of cloud computing.
The impact of cloud computing is justified through its many benefits that lead to savings and low cost with the infrastructure of cloud computing. The threats and vulnerabilities that are exposed however, due to the technical, human, and uncontrollable actions of parties involved place the IA at risk, as well as the organizations. The impact of these factors affects the users’ ability to obtain necessary credentials for application, accreditation, business continuity, and security management that lead to attacks, data breaches, loss, and leakage. (NSA, 2009)
When migrating to cloud computing there are several initial risks that must be taken into consideration when implementing security measures. Risks include the trust boundary, boundaries that utilize layers of providers, access control of the cloud environment. IA maintains and controls the specific cloud environment however, it can also be controlled by the wrong users. Complexity of an application that complicates the technology for the users, operational and financial issues for data storage and data backup. (NSA, 2009) Initial risks of security that include data loss and data access by unauthorized users creates main concerns for the consumers.
Recommendations for controls
In order to combat the risks and threats that are presented against cloud security, the NSA has developed countermeasures. These include; limiting the use, by not placing sensitive data over public clouds. Better encryption data be uploaded into the cloud, which provides a means for better data storage, Obtain information and security answers from the vendor in order to gauge expectations and measurements of the cloud. Adhere to policies and standards of safe web surfing practices in order to thwart would be attackers, and use private clouds in order to exchange sensitive data equipped with firewalls and other protection. (NSA, 2009)
Recommendation (Residual Risk)
Other recommendations for residual risks include placing a risk management plan in place to deal with new and old risk to the cloud infrastructure, according to Ryan and Ryan (1995). The risks will significantly impact the organization has adverse effects, by applying the formula for counter measures, where risk is equal to the threat times vulnerability times the impact divided by the proposed countermeasures. (Ryan & Ryan, 1995) Recommendations to combat these factors is providing better training, policies, and technology for employees. Implementing a no-nonsense device and confidentiality agreement with the company can help to maintain security protocols. Better encryption, user keys, and rotating authentication that keeps hackers and other outside factors at bay.
The contingency plan implemented is dependent on the platform utilized however, for every cloud environment, back up data, storage, and internet access is a must. Conduct a risk assessment, which can be aided by the risks, threats, and vulnerabilities outlined here. From this information that would place on the risk assessment, have backups in place to mitigate data to a new source. In case of natural or disasters, the best plan for cloud computing is to have protocols in place that keep on the power long enough, have data storage and backups available, and have a place for any hardware to go. The employee team listed to stay behind will be properly trained in emergency tactics, and know what to do, this will ensure that the contingency plan lines up with the scope of the disaster recovery plan.
In summary, Cloud Computing is a vital step in the evolution of the internet. It is not a new product, but a new use of technology that has already been around. Cloud Computing allows for collaborative and easy access to files from anywhere at any time. While this has proven to be beneficial to businesses and consumers it also raises several security risks, as the government has transition to cloud computing. This puts national security potentially at risk for possible infiltration, attacks, and other threats that need to be address. Cloud computing must rely on information assurance of the Department of Defense in order to ensure that access is kept confidential, authenticated, available, and other factors that play into risk management. While there are several threats, risk, and vulnerabilities of cloud computing, by having countermeasures in place, and a contingency plan, Cloud Computing will be beneficial to any organization.
Cloud Computing -Overview of Information Assurance Concerns and Opportunities. (2009). NSA. Retrieved from http://www.nsa.gov/ia/_files/support/Cloud_Computing_Guidance.pdf
Cloud computing: benefits, risks and recommendations for information security. (2010). ENISA. Retrieved from http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy-activity-interface-2010/presentations/Outlook/Udo%20Helmbrecht_ENISA_Cloud%20Computing_Outlook.pdf
CSA. (2013). The Notorious Nine: Cloud Computing Top Threats in 2013. Retrieved from https://cloudsecurityalliance.org/.
CSA. (2012). Cloud Controls Matrix. Retrieves from https://cloudsecurityalliance.org/.
DOD. (2012). Cloud Computing Strategy. Retrieved at http://www.defense.gov/news/DoDCloudComputingStrategy.pdf
DOD. (2012). Memorandum. Department of Defense Cloud Computing Strategy. Retrieved at http://www.defense.gov/news/DoDCloudComputingStrategyMemorandum.pdf.
DOD. (2012). Memorandum. Designation of the Defense Information Systems Agency as the Department of Defense Enterprise Cloud Service Broker. Retrieved at http://www.defense.gov/news/DISADesignation.pdf.
Greer, Michael. (2010). Survivability and Information Assurance in the Cloud. Lockheed Martin. Retrieved from http://download.101com.com/GIG/Custom/Stand/Cloud/LMSurvivabilityInformationAssuranceinCloud.pdf
IAC. (2010). Establishing Trust in Cloud Computing. IAC. Retrieved from http://iac.dtic.mil/csiac/download/Vol13_No2.pdf
Information Assurance (IA). (n.d). PRIM. Retrieved from http://www.prim.osd.mil/cap/cio-ia.html
Information Assurance (IA). (n.d). Techopedia. Retrieved from http://www.techopedia.com/definition/5/information-assurance-ia
Kundra, Vivek. (2010). 25 Point Implementation Plan to Reform Federal Information Technology Management. DHS. Retrieved from http://www.dhs.gov/sites/default/files/publications/digital-strategy/25-point-implementation-plan-to-reform-federal-it.pdf
Kundra, Vivek. (2011). Federal Cloud Computing Strategy. Retrieved at https://cio.gov/building-a-21st-century-government/cloud/
NIST. (2011). The NIST Definition of Cloud Computing. NIST. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Ryan, D. and Ryan, J. (1995). Risk Management and Information Security. Presented at the 11th Computer Security Applications Conference. New Orleans, Louisiana
Samson, Tom. (2013). 9 top threats to cloud computing security. Info World. Retrieved from http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428
Scholz, James. (2013). Enterprise Architecture and Information Assurance: Developing a Secure Foundation. CRC Press.
Vicuso, Patrick. (2011). Controlled Unclassified Information (CUI). NIST. Retrieved from http://csrc.nist.gov/groups/SMA/forum/documents/forum-Oct2011-CUI-briefing_PViscuso.pdf
Wang, Chenxi. (2009). Forrester: A Close Look At Cloud Computing Security Issues. CSO. Retrieved from http://www.csoonline.com/article/496388/forrester-a-close-look-at-cloud-computing-security-issues
Zack Phillips. (2007) Security Theater. GovExec. Retrieved from http://www.govexec.com/story_page.cfm?filepath=/features/0807-01/0807-01s3.htm.
Time is precious
don’t waste it!