Cloud Computing
MIS 6326: DATA MANAGEMENT
Research topic: CLOUD COMPUTING AND DATABASE SYSTEMS
Submitted by:
Research Group 6
=================================================================
Introduction:
“We believe we’re moving out of the Ice Age, the Iron Age, the Industrial Age, the Information
Age, to the participation age. You get on the Net and you do stuff. You IM, you blog, you take
pictures, you publish, you podcast, you transact, you distance learn, you telemedicine. You are
participating on the Internet, not just viewing stuff. We build the infrastructure that goes in the
data center that facilitates the participation age. We build that big friggin’ Webtone switch. It
has security, directory, identity, privacy, storage, compute, the whole Web services
stack.” - Scott McNealy, former CEO, Sun Microsystems. This statement by the former CEO
of Sun Microsystems largely sums up what cloud computing is. Cloud computing is
not an innovation, but a means of constructing IT services that use advanced computational
power and improved storage capabilities. From the provider's view, the main focus of cloud
computing is extraneous hardware connected to support downtime on any device in the
network, without a change in the users' perspective. Also, the users' software image should be
easily transferable from one cloud to another. Though cloud computing is intended to provide
better utilization of resources using virtualization techniques and to take much of the
workload off the client, it is fraught with security risks [1].
The benefits of cloud computing are hard to dispute, but the vulnerabilities it possesses are also
hard to neglect. GTRA research showed that the most common concern about implementing
cloud programs was security and privacy, a finding supported by an IDC study of 244 CIOs on
cloud computing, in which 75% of respondents listed security as their number-one concern [2].
Security within cloud computing is an especially worrisome issue because the
devices used to provide services do not belong to the users themselves.
Security risks of databases in the cloud
The increase in popularity of cloud computing in recent years has caused tremendous growth
in these systems, which also poses more security risks. Increasing the size of the cloud or adding
capabilities to it leaves the system exposed to many internal and external conflicts. With so many
security risks, continuing to depend on cloud computing becomes a big challenge for many
firms attempting to grow their databases.
The following are the most common security risks cloud databases face:
Data Breach: One of the most common security risks cloud computing faces is a data breach
in the system. Data breaches are incidents where sensitive or confidential data are accessed by
unauthorized parties. Once that data has been breached, whoever accesses it may view,
steal, use, or even manipulate the data to their advantage. These individuals or “groups of
organized criminal elements [are] looking to rapidly monetize information [or] have a social
or other agendas” (Green, 2013). Many retail stores face this issue when storing data pertaining
to customer credit cards. For many firms, securing these databases in the cloud so as to
prevent data breaches becomes a challenge.
Data loss: Another common security risk cloud computing faces is data loss. Since the data
is stored in a combined database on a cloud, it is likely that multiple authorized users
can gain access to a single piece of data. With that power, one person can go in and purposely
delete the piece of data, making it disappear from the database permanently. Data loss can also
be caused externally, by hackers gaining unauthorized access to the system. Once hackers have
entered the cloud database, they can manually change data points or wipe out stored data,
causing data loss.
Service Hijacking: A third common security risk is service hijacking, in which hackers gain
full control of the service and use it for their own ends. With advanced cloud computing and
complex systems, attackers will be able to access the database and hijack the service. Intruders
will be able to exploit the service and weaken its security even further, making it more
vulnerable to other risks. Hackers can eavesdrop on users and change or
delete data, which can damage future records. Hijacking causes huge data breaches and data losses
for any organization and can severely damage an organization's reputation. Recovering from
hijacking can be difficult, since the database is compromised and vulnerable to more attacks.
Security breaches in the past and how they were overcome
Home Depot:
Issue: Breach of database security leading to leakage of customers' credit card information.
The information was used by hackers for malicious practices.
Steps taken: “We apologize to our customers for the inconvenience and anxiety this has
caused, and want to reassure them that they will not be liable for fraudulent charges,” said
Frank Blake, chairman and CEO. This statement was issued by the chairman and CEO of Home
Depot as soon as investigations revealed a breach in database security. The company
took a few steps to regain the confidence lost among its customers. A press release by Home Depot
reads: “The company’s new payment security protection locks down payment data
through enhanced encryption, which takes raw payment card information and scrambles it to
make it unreadable and virtually useless to hackers. Home Depot’s new encryption technology,
provided by Voltage Security, Inc., has been tested and validated by two independent IT
security firms.” [3]
Home Depot also decided to adopt EMV “Chip and PIN” technology after this major breach of
security, which compromised users' information and led to a loss of faith in the company.
EMV refers to payment chip cards that contain an embedded microprocessor, a type of small
computer that provides strong security features and other capabilities not possible with
traditional magnetic stripe cards [4]. EMV relies on the chip present in the card and the PIN
supplied by the customer at the merchant at purchase, rather than on verifying signatures, to
validate transactions.
Target:
Issue: Breach in the network of Target Corporation during the Thanksgiving discount season,
over a period of 2 weeks. It is estimated that around 70 million records were
compromised, leading to customers' information being used by hackers for unauthorized
transactions.
Steps taken: The retail giant took significant actions to strengthen its network and regain
lost customer confidence. A few of the steps include [5]:
Enhancing monitoring and logging: includes implementation of additional rules, alerts,
centralizing log feeds and enabling additional logging capabilities
Installation of application whitelisting point-of-sale systems: includes deploying to all
registers, point-of-sale servers and development of whitelisting rules
Implementation of enhanced segmentation: includes development of point-of-sale management
tools, review and streamlining of network firewall rules and development of a comprehensive
firewall governance process
Includes decommissioning vendor access to the server impacted in the breach and
disabling select vendor access points including FTP and telnet protocols
Includes coordinated reset of 445,000 Target team member and contractor passwords,
broadening the use of two-factor authentication, expansion of password vaults, disabled
multiple vendor accounts, reduced privileges for certain accounts, and developing
additional training related to password rotation
Target also announced its initiative to shift to chip-and-PIN enabled cards. It planned to
invest around $100 million to expedite the transition to chip-and-PIN enabled cards
and install supporting software and payment devices across all its stores.
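The firewall-rule review, segmentation and vendor-access steps listed above can be expressed as a repeatable check. The following is an added example, not Target's tooling and not part of the original paper; the rule tuples, the vendor range 203.0.113.0/24 and the point-of-sale segment 10.20.0.0/16 are constructed assumptions.

```python
import ipaddress

# Cleartext remote-access protocols named in the remediation list.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed sample rules: (action, source CIDR, destination CIDR, ports).
RULES = [
    ("allow", "203.0.113.0/24", "10.20.0.0/16", "21"),     # vendor -> POS over FTP
    ("allow", "203.0.113.0/24", "10.30.5.10/32", "443"),   # vendor -> billing portal
    ("allow", "10.10.0.0/16", "10.20.0.0/16", "20-25"),    # range hides ports 21 and 23
    ("allow", "0.0.0.0/0", "10.20.1.0/24", "any"),         # anything -> POS registers
    ("deny", "203.0.113.0/24", "10.20.0.0/16", "23"),      # already blocked
]
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed vendor address space
POS_NET = ipaddress.ip_network("10.20.0.0/16")          # assumed point-of-sale segment


def port_range(spec):
    """Return (low, high) for a port spec such as '21', '20-25' or 'any'."""
    if spec == "any":
        return 0, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def audit(rules):
    """Return (rule_index, finding) pairs for allow rules that break the policy."""
    findings = []
    for i, (action, src, dst, spec) in enumerate(rules):
        if action != "allow":
            continue
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        low, high = port_range(spec)
        for port, name in CLEARTEXT_PORTS.items():
            if low <= port <= high:
                findings.append((i, f"permits cleartext {name} (port {port})"))
        if dst_net.overlaps(POS_NET) and any(src_net.overlaps(v) for v in VENDOR_NETS):
            findings.append((i, "vendor-reachable path into POS segment"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(RULES):
        print(f"rule {index}: {finding}")
```

Rules 2 and 3 are the cases a manual review tends to miss: a port range and an "any" rule that both cover FTP and Telnet without naming them.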
How to overcome security challenges of cloud computing
Despite the limitations and security vulnerabilities, cloud computing continues to be a game
changer for small and big enterprises. The security challenges can be overcome by the
following methods:
Data Encryption
Major cloud service providers, such as Microsoft, Yahoo and Google, have implemented
encryption of the end-user data that they host and manage. For example,
Google Cloud Storage now automatically encrypts new data written to
disk, and this server-side encryption will soon be applied to the older data stored in the Google
cloud, in order to protect the security of all data. Microsoft announced that it will strengthen the
encryption settings of all the services it provides, including Outlook.com, Office 365,
SkyDrive and Windows Azure. Encryption is extremely important for the security of data
transmitted between enterprise users and suppliers.
Key management and data ownership
Data encryption is only as safe as the key management system behind it. When the cloud
service provider performs the encryption, the user needs to know that if the cloud supplier leaks
the user’s data, or gives the keys to someone else, the data will be stolen. This concern has
prompted one method of protecting the security of the cloud: business users
who make use of cloud services own their data keys and understand the key management
procedures applied when data is being used or transferred. More and more cloud providers, such as
Vaultive, CipherCloud, TrendMicro and HyTrust, have provided tools that give
business users greater control over their use of cloud services. For example, CipherCloud
provides a gateway technology that allows business users to encrypt data in transmission
or in storage. Meanwhile, the gateway allows the enterprise to store the key and manage the encrypted
data stored in the cloud. With this technique, any department can obtain
the data only through the owner of the data; its purpose is to eliminate the possibility of the cloud
service provider revealing the key to a third party.
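The customer-held-key arrangement described above, as an added example (not CipherCloud's or any other vendor's code): a gateway encrypts each object under a fresh data key and wraps that key under a key-encryption key (KEK) that never leaves the enterprise. CustomerGateway, the record layout and the sample data are hypothetical, and the block assumes the third-party Python "cryptography" package is installed.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class CustomerGateway:
    """Hypothetical on-premises gateway; the key-encryption key (KEK) never leaves it."""

    def __init__(self):
        self._kek = AESGCM.generate_key(bit_length=256)  # held by the data owner only

    def seal(self, object_name, plaintext):
        """Encrypt under a fresh data key (DEK), then wrap the DEK under the KEK."""
        name = object_name.encode()  # bound to both ciphertexts as associated data
        dek = AESGCM.generate_key(bit_length=256)
        data_nonce, wrap_nonce = os.urandom(12), os.urandom(12)
        return {
            "name": object_name,
            "data_nonce": data_nonce,
            "ciphertext": AESGCM(dek).encrypt(data_nonce, plaintext, name),
            "wrap_nonce": wrap_nonce,
            "wrapped_dek": AESGCM(self._kek).encrypt(wrap_nonce, dek, name),
        }

    def open(self, record):
        """Unwrap the DEK with the KEK and decrypt; raises InvalidTag on any mismatch."""
        name = record["name"].encode()
        dek = AESGCM(self._kek).decrypt(record["wrap_nonce"], record["wrapped_dek"], name)
        return AESGCM(dek).decrypt(record["data_nonce"], record["ciphertext"], name)


def rejected(gateway, record):
    """True when the gateway cannot authenticate and decrypt the record."""
    try:
        gateway.open(record)
    except InvalidTag:
        return True
    return False


def demo():
    owner = CustomerGateway()
    secret = b"customer=1001;note=constructed sample"
    stored = owner.seal("orders/1001", secret)  # all that the provider ever holds
    leaked = any(secret in v for v in stored.values() if isinstance(v, bytes))
    no_kek = rejected(CustomerGateway(), stored)  # a party without the owner's KEK
    renamed = rejected(owner, dict(stored, name="orders/9999"))  # record moved elsewhere
    return leaked, owner.open(stored) == secret, no_kek, renamed
```

Because the provider stores only the ciphertext and the wrapped data key, it has nothing usable to hand to a third party; losing the KEK, however, makes every record unrecoverable, so the owner must back it up.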
Regionalization
People have always worried about servers located in the United States or other foreign
countries, because these suppliers are too far away from their enterprises. This concern has led
many business users, especially non-US business users, to prefer cloud service
suppliers in their local area in order to avoid the risk brought by long distance. In Asia and
Africa, and especially in China, many companies are very worried about the technology of these
providers, and they are now choosing cloud service suppliers outside the United States.
Global cloud computing providers are now distributed everywhere. In the past few years,
hundreds of small public cloud service providers have sprung up in different parts of the world
to serve their local markets. Many cloud service providers implement regionalization in order
to improve agility and performance.
Conclusion:
One of the biggest security worries with the cloud computing model is the sharing of resources.
Cloud service providers need to inform their customers of the level of security that they provide
on their cloud. Data security is a major issue for cloud computing. There are many security risks
associated with the implementation of cloud computing as a software service [6]. These risks
can severely damage an organization's reputation and keep its cloud databases from
recovering. Many organizations have already faced major security breaches and had to
strategically overcome those barriers to strengthen their security. As cloud computing systems
become more advanced and complex, more attention needs to be paid to scanning
for possible attacks on those servers. Using different techniques and investing in the skills to
forecast future attacks will help organizations overcome security challenges and benefit from
databases in cloud computing.
References:
[1]: Vahid Ashktorab, Seyed Reza Taghizadeh. (October 2012). Security threats and countermeasures in Cloud computing. Retrieved from International Journal of Application or Innovation in Engineering & Management (IJAIEM).
[2]: “IT Cloud Services User Study,” IDC, Inc., October 2008.
[3]: Press release. (September 2014). Retrieved from Press release for Home Depot, https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf
[4]: About EMV. Retrieved from http://www.emvco.com/about_emv.aspx
[5]: Press release. (April 2014). Retrieved from “Target Appoints New Chief Information Officer, Outlines Updates on Security Enhancements”, http://pressroom.target.com/news/target-appoints-new-chief-information-officer-outlines-updates-on-security-enhancements
[6]: Rabi Prasad Padhy, Manas Ranjan Patra, Suresh Chandra Satapathy. (December 2011). Cloud Computing: Security Issues and risk challenges. Retrieved from IRACST - International Journal of Computer Science and Information Technology & Security (IJCSITS).
Green, S. (2013, March 12). The Companies and Countries Losing Their Data. Retrieved November 1, 2014, from http://blogs.hbr.org/2013/03/the-companies-and-countries-lo/
Neumann, P. G. (2014). Risks and Myths of Cloud Computing and Cloud Storage. Communications of the ACM, 57(10), 25-27. doi:10.1145/2661049
Phil Kernick, Chief Technology Officer. Balkanization of the Internet. Retrieved November 15, 2013, from http://cqraustralia.blogspot.com/2013/11/balkanization-ofinternet.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityBloggersNetwork+%28Security+Bloggers+Network%29
Ten ways to protect the data in cloud. (2013). In TechTargetChina. Retrieved August 23, 2013, from http://www.searchcloudcomputing.com.cn/showcontent_75964.htm
Questions to audience
Do you think the cost of implementing new security measures will increase as the
complexity of the database in the cloud increases?
Do you know of any other major security breach in the past, and how it was tackled?
What are your methods for backing up our data? What offerings are available to back
up data?