Cyber Security Policies in the Private and Public Sector

Cyber Security Policies in the Private and Public Sector Cyber Security Vulnerabilities and Associated Threats of Cloud-Computing 16-03-2013   Cloud computing is a technology through which the information services are provided on demand basis. It is like service oriented architecture. End-users access the services through the cloud as per the requirement. The cloud term basically refers internet, so services are provided through Internet. Cloud computing reduces the total cost of accessing the application.The applications are developed by the third party and the users pay per service to the third party for accessing the service. But there are lots of security risks associated with the cloud-computing. These relates to the data privacy, other vulnerabilities and associated threats. These vulnerabilities and the associated threats will be discussed in this paper. Effective Policies and procedures will also be defined in this paper which will help in managing the estimated risk of the threats. Cyber Security Vulnerabilities and Associated Threats of Cloud-Computing Cloud-ComputingThe information technology is growing these days and the managers are trying to reduce the total cost of development of the services using various means due to a number of business reasons. Cloud-computing is a technique which helps the management in reducing the total cost of development. The required resources are configured in a cloud and the users access these services through the cloud. In case of in-house development, the complete process is done inside the company premises and using the resources of the organization. So the organization has to pay for the complete resource to the vendor even if full service is not required.The license to use the product is also very costly. The organization has to pay for the complete product even if a part of the service is required. In the case of cloud computing, the users need not to pay for the entire service or product, he will pay only for the part of the service. For example, a service is created for user-id creation and as most of the organization needs this policy, so this policy is created and configured in the shared pool of resources. Now the different organizations can access the service as per their use. This helps in overall reduction of the total cost of accessing the service.These resources are configured in a shared pool of resources. These shared resources include the servers, storage, networks, services, etc. Cloud computing has many forms and these forms are mainly as described here: â€Å"Software as a Service†, â€Å"Platform as a Service†, and â€Å"Infrastructure as a service†. This technology has many advantages but it has some disadvantages too. As discussed above, that the services are provided by a third party vendor, so the responsibility to provide support and maintenance is also taken care by the third party service provider.When a company access the service using cloud- computing, the crucial business data resides in remote servers provided by the third party so there are lot of risk related to data privacy and confidentiality. The research related to analyzing the vulnerabilities and associated threats is going on and suitable actions are being taken to control the risk level. Cyber Security Vulnerabilities, Threats and Actions Vulnerabilities refer to the loop holes in the system or the flaws in the system. When an organization has decided to move on the cloud, then it should also consider the associated vulnerabilities and the threats.Some of the major vulnerabilities are discussed below: Session Hijacking It means that the cloud or the required service is hacked by the hackers using a valid session key. This key is used to gain the unauthorized access on the critical resources of the organization. Once hacked, the hackers can have the complete access on the systems, and they can perform any malicious activity they want to do, to hit the company resources. If proper and effective security measures are not followed in the infrastructure then it may cause a heavy business loss in terms of financial terms as well as the reputation of the organization.Probability of Occurrence The probability of occurrence of these types of attack is generally high. The reason being is that the attackers keep on continuously scan the system to find out the vulnerabilities in it. Once they gain the access, they just execute their jobs. Effective Policies & Procedures To mitigate this kind of risk, firewalls should be implemented in the system at the right places. Firewalls prevent unauthorized access of data. Rules and policies should be configured to protect the session keys. To increase the awareness among employees, a proper training should be given to them.For example, session monitoring should be done to keep a check on the malicious activities. Virtual Machine Access In this technology, the servers uses same resources like operating syste m, business applications, etc which are used by the virtual machines & other servers. If the attacker is successful in to gaining the unauthorized access to any of these system resources, then the whole system can be compromised easily. If other virtual machines are also located in the same configuration zone then there is a high risk of compromising other virtual machines too.This may directly hit the operating system and the host server and hence all the services hosted by the server. Probability of Occurrence The probability of occurrence of these types of attack is also high. As the flaws in the software or hardware becomes the root cause of these types of attacks. The bugs or flaws in the software are identified at a later stage and regular updates or patches needs to be applied on the software. Effective Policies & Procedures The software should be regularly updated and patches should be applied on it.Hardware flaws should be filled up using various tools. An effective network configuration is very important to mitigate this type of attacks. Service Availability This is a major weakness in cloud computing technology. No company can afford the unavailability of the required service. The company has to suffer from a huge business loss in case of downtime. The services offered by the cloud are not much reliable, any outage in the system may cause the services to stop working and hence the services will not be accessible. And this would be again responsible for a major loss to the company.Service Level Agreements (SLA) must be well defined and signed by both the involved parties and the above mentioned issues should be discussed and taken care using the SLAs. Backup plans should be carefully designed and implemented so that the risk level can be controlled. In case of any outage, let’s say electricity outage, can be taken care by switching to electricity generators or other back-up devices. Probability of Occurrence The probability of occurrence of th ese types of attack is generally low. This types of issues rarely occur in any organization.Service providers mostly keep the backup resources so that the system working remains continuous. And in case of some issues, switches to the ready back-up resources can be easily done. Effective Policies & Procedures To mitigate this kind of risk, firewalls should be implemented in the system at the right places. Firewalls prevent unauthorized access of data. Rules and policies should be configured to protect the session keys. To increase the awareness among employees, a Cryptography Flaws This flaw refers to the weakness in the cryptography techniques implemented in the cloud based system.Hackers can easily decode the encoding mechanism used in the system if there are some security gaps, for example if the key used in the encryption mechanism is not secure and strong enough then the attacker can easily gain the access to the key and hence they can easily decode the encrypted message to the original text form. Probability of Occurrence The probability of occurrence of these types of attack is generally medium. The reason being is that most of the times, attackers could not find out the key used to encrypt the data or it is difficult to decode the encoded data.Effective Policies & Procedures To mitigate this kind of risk, strong cryptography techniques should be used. Ethical hacking can be done intentionally just to test the security level of the complete system. This test will help in analyzing the security gaps in the system and then these loop holes can be filled with effective security procedures. Data Privacy When the data resides in third party servers, then this risk of data privacy always persists. As the crucial data is handled and managed by the third party, so there are high chances of risks to data privacy and confidentiality.Basically an agreement is signed-off between the parties for accessing the services. It should also include the issues related to mai ntaining privacy of data. Suppose the contract gets completed, now what would happen to the data which is stored in the third part servers? Probability of Occurrence The probability of occurrence of these types of attack is generally high. The reason being is that the data is always accessible to the service provider. Service providers take care of the support and maintenance of the data too. This risk is generally high.Research is going on so that this issue can be sort out. Effective Policies & Procedures These kinds of issues should be openly discussed with the service provider before signing any agreement. Vendor’s Technique As the technology is growing, there are lots of vendors coming up in this industry. Sometimes these vendors are immature and they follow the platform specific techniques which cause trouble in migrating to the new service or integrating with other services. The developed technology will be of no use if it cannot be updated or integrated with other ser vices as per the requirement.Probability of Occurrence The probability of occurrence of these types of attack is generally medium, as it varies with the knowledge and experience of the service provider. Effective Policies & Procedures Proper research should be done before finalizing the right vendor. The initial requirements should be crystal clear so that both the parties should understand what actually needs to be done. There should not be any communication gap between both the parties so that in case of some issues, the right action can be taken immediately to fill the gaps.Dependency on Internet As discussed above, the services are accessed through a cloud of shared resources. This cloud refers to internet. So in other word we can say that the services are accessed through the internet which means that the services are highly dependent on internet. Suppose internet goes down then the client will not be able to access the required services. Probability of Occurrence The probabili ty of occurrence of these types of attack is generally low. The reason is that backup plans are ready for the service in case of some emergency.As the service provider also realizes the importance of internet so enough resources are used so that the system does not suffer from any kind of outages. Effective Policies & Procedures To mitigate this kind of risk, backup plans should be ready and available all the time so that if at any time, the system disrupts, the backup plans can be used so that the functioning of the system does not affect in any way. There are other important security threats too which are associated with cyber-security. These are discussed below: Denial of Service (DOS) Attack Denial of Service attacks are also known as DOS attacks.Due to these attacks, the legitimate requests of the end users are not completed due to heavy loading of the host server caused by the fake calls. Attackers may hit the routers or over flood the host server using the fake calls and this prevents the legitimate calls to execute. This may cause the complete disruption in the system. Appropriate rules and filters should be configured in the firewall to mitigate the risk associated with these attacks. Customer Satisfaction Customer satisfaction increases with the implementation of the above mentioned policies and procedures.The implementation basically helps in the availability of the service in a secure environment. And customers would be happy to gain access to the required service whenever they need and as per their requirement and that too in a secure environment. Hence we can say that the implementation of the above mentioned policies and procedures helps in increasing the customer’s satisfaction level. Conclusion In this research paper, various security vulnerabilities and the associated threats related to cloud computing are discussed.Cloud computing really helps in reducing the overall cost of accessing a service. But the security risk associated with t his technology cannot be ignored. Proper security measures should be implemented in the system. Secure protocols should be designed and configured so that a balance can be achieved between the cost and the security level. References 1. Blaisdell, R. (2011, February 24). How Much Can You Save On Your Cloud Computing Implementation? Retrieved from Ezinearticles. com: http://ezinearticles. com/? How-Much-Can-You-Save-On-Your-Cloud-Computing-Implementation? amp;id=5989672 2. European Network and Information Security Agency. (2009). Cloud Computing – Benefits, risks and recommendations for information assurance. Heraklion: European Network and Information Security Agency. 3. Mell, P. , & Grance, T. (2011, September). The NIST Definition of Cloud Computing. Retrieved from US Department of Commerce National Institute of Standards and Technology, Special Publication 800-145: http://csrc. nist. gov/publications/nistpubs/800-145/SP800-145. pdf 4. Meiko Jensen ,Jorg Sehwenk et al. , â⠂¬Å"On Technical Security, Issues in cloud