Security and Privacy in Cloud Computing
Name: Vamshi Ravula
Date: 29th February 2016
Cloud computing is a paradigm in computing that allows third-party service providers to offer a centralized pool of configurable resources to end-users. Those end-users are individuals and enterprises; they access the resources in the cloud on demand and use them to deploy their services in light of their ever-changing requirements. In that way, the end-users have no need to implement and manage their own computing services, which enables fast deployment as well as minimal functional and management overheads (Pearson & Benameur, 2010). While cloud computing offers promising benefits to businesses and individuals, it also introduces security and privacy challenges. Those issues include how data owners can be sure that their data are used only in an authorized manner, and how the confidentiality of data is protected while legitimate data access is still allowed. Other issues include how the trustworthiness of metering services can be assured so that end-users are not unfairly charged.
Cloud computing brings some attributes that need special attention when it comes to trusting the system. Trust in a cloud computing system is based on its data protection and privacy measures as well as the prevention techniques leveraged in it (Neisse et al., 2011). There are numerous tools and techniques for protecting privacy and security in the cloud, but those tools have not succeeded in removing the hurdle of trust that remains with cloud computing. Security is a combination of many properties, including prevention of information disclosure and unauthorized access, integrity, and availability. The major issues in the cloud regarding security and information privacy are resource management, resource security, and resource monitoring (Kshetri, 2013). This paper will help businesses understand the best techniques for ensuring privacy and confidentiality in the cloud computing paradigm.
Business Need and Current Situation
Currently, the cloud computing paradigm lacks the standard rules and regulations required for deploying applications in the cloud, and it also lacks standardization more generally (Pearson & Benameur, 2010). Numerous novel techniques have been implemented in the cloud, although those techniques have not been adequate for ensuring total security and privacy because of the dynamism of the cloud computing environment. Enterprises need to operate in an environment that is free of any security and privacy issues, so it is vital to come up with mechanisms that help them develop confidence and be assured of it by the cloud computing providers (Chen & Zhao, 2012). This paper highlights the inherent issues regarding data security, privacy, management and governance in light of control in the cloud computing environment. It highlights the best available ways of ensuring security and privacy in that environment and proposes a data security and privacy framework for cloud computing networks. The objectives of the paper are:
- To help cloud computing providers gain full knowledge of the privacy and security issues that pertain to the cloud computing paradigm.
- To provide a security and privacy framework that can help providers implement the required security and privacy in the cloud computing environment.
- To help providers understand the constraints that they may face in implementing the new framework.
Scope and Out of Scope
The scope of this paper is to highlight the security and privacy issues faced in the cloud computing environment and then propose a new security and privacy framework that can address the current issues effectively. The paper does not address other issues that are unrelated to the privacy and security of customer data in the cloud computing environment. It also does not cover the proper security management of hardware and software on the users' side.
The first deliverable of this document is a list of the security and privacy issues faced in the cloud computing environment. The second deliverable is a market analysis and a feasibility study for the proposed framework, as well as for alternative frameworks for solving the problem being discussed. The third deliverable is a framework that can adequately and effectively address the issue of privacy in the cloud computing environment.
The stakeholders in this project will include the project managers, the business analysts, the technical team and the cloud computing providers. The project manager is to offer project management advice (Ferraro, 2012); the technical team is to design the framework and make sure that it works as desired; the business analyst is to analyze the current security and privacy issues and document them for the other stakeholders. The cloud computing providers are responsible for giving their opinions on the new implementation and on the architecture of their systems.
The project requires some resources to succeed. Financial resources are needed because implementing the proposed model will cost money for the purchase of some technologies, salaries for the developers and any other necessary expenses. Project management and other personnel are also required to carry out project development and management so that the project succeeds in the long run.
The project is aligned with the business requirement of operating in an environment that is free of security and privacy threats. Businesses want to assure their customers that their details are kept securely and used appropriately. It is also a legal requirement for companies to make sure that they have proper policies and procedures for ensuring the security of their information systems; otherwise, they will be liable to prosecution. The project will help businesses achieve their compliance requirements while also gaining a competitive advantage through proper administration and management of their data and assets.
The cloud computing environment faces many challenges regarding the security and privacy mechanisms that are relevant for each provider. Many cloud computing providers exist, and those providers are trying their best to incorporate mechanisms for ensuring privacy and security. Cloud computing services are becoming a booming business because many companies now want to avoid costly devices and the complexity of managing their many distributed IT systems. The providers offer entrepreneurs, mom-and-pop outfits, and SOHOs access to sophisticated technologies, making it unnecessary to hire IT consultants or technology workers. Cloud computing services include infrastructure as a service, platform as a service, and software as a service. Businesses and individuals can use any of these services depending on the capability they want in their business environment. Those services also come with their own issues regarding privacy and security of data. Providers of cloud services include Dropbox, Windows Azure, salesforce.com, Google, Amazon, and Rackspace, among others.
The potential customers for the project include all cloud computing providers and businesses that plan to move into the cloud. That is because cloud users and providers are both concerned about security in the cloud computing paradigm. The main issue is the difficulty of selecting and implementing the right security and privacy mechanisms in this computing environment so as to resolve the issues that are currently being faced. The resolution of those issues through the solution proposed in this project will thus be highly valuable to users and providers alike.
Alternatives (business, technical, and procurement)
This project will succeed by addressing each security and privacy issue independently, as there are many technologies and techniques specific to every issue, including data integrity, privacy, data storage, availability, reliability, monitoring, identity management, and averting attacks, among others. Because each issue requires a different approach, various techniques will be used to address the problem. Businesses can alternatively implement a single technology or platform that has most of the capabilities and then configure the system gradually to incorporate the other features. Businesses may also implement security at the other levels of hardware and software in their systems if the security at the cloud level is not sufficient.
Business and Operational Impacts
Many impacts are possible with the implementation of this project in organizations, including the cloud providers and the consumers of cloud computing services. The benefits will result from the efforts made to ensure that information security and privacy are assured in the cloud computing paradigm. Cloud computing providers will get more clients, because many currently fear moving to the cloud due to the prevailing security and privacy issues. Enterprise clients will also be able to conduct their business without fear of losing their data or of it being used inappropriately to endanger its privacy and confidentiality.
Risk Assessment and Analysis
Some risks are involved in accomplishing the project under development, so it is of paramount importance that those risks be adequately addressed to make sure the project succeeds. The technical team is likely to lack the appropriate technical skills for the new technologies that will be used in developing the new security framework. The technologies are also likely to change during the period of project implementation, since new and better technologies are continually being developed. The other risk for this project is that expenditure may exceed the projected budget because of changes in requirements.
Feasibility Assessment and Analysis
The costs of acquiring systems such as the monitoring systems and the encryption technologies, the development personnel salaries, and other miscellaneous expenditure will total $50 million. The cost of development cannot be equated with the benefits that will accrue from the project. For instance, the cloud computing companies will have a high turnout of clients and, in turn, improved profit margins. There will also be ease of management due to the use of more reliable technologies and the automation of many tasks in the cloud computing environment.
Proper planning of the project from the beginning, rather than the development task itself, is what produces success. Without proper planning and strategies, the project may end up taking more time, consuming more resources and facing more challenges than anticipated. An analysis of the cloud computing environments in the market will be conducted to understand the requirements for each system. All stakeholders will be actively involved in the implementation because their input can lead to the desired success. There will be thorough testing to make sure that the implemented applications offer the projected benefits and capabilities.
Project Review and Approval Process
The implementation of the project in the cloud computing environment requires the active involvement of the quality assurance officers and the cloud computing experts. They will review the developed project to check that all development and coding principles were duly followed. They will also verify the implementation against the user specification and system specification documents.
The cloud computing environment faces challenges regarding the security and privacy of data, so it is essential to address those challenges effectively in order to attract many organizations and individuals. Security and privacy are crucial for information technology because a violation of any requirement can result in legal action against the organization, or the organization may lose its good reputation and customers. The project should, therefore, be implemented in all organizations that use cloud computing so that they can better perform their tasks and effectively address the issues that have been bedeviling them. Business leaders should be educated to understand the benefits that will accrue from this project implementation so that they will offer the required support, such as funding, for its successful implementation.
The sign-off of a project is the approver's acceptance of the project contents as well as the overall intention of this business case, including the commitments described for a successful delivery of this initiative. The approver also confirms that this business case is compliant with the relevant policies, procedures, strategies and regulatory requirements (Information Systems Audit and Control Association, 2010). The sign-off of this business case should only be done by the incumbent persons authorized to act as representatives of the business area where the role resides.
Chen, D. & Zhao, H. (2012). Data security and privacy protection issues in cloud computing. In Proceeding of the International Conference on Computer Science and Electronics Engineering (ICCSEE '12), vol. 1, pp. 647–651, Hangzhou, China, March 2012.
Ferraro, J. (2012). Project management for non-project managers. New York: AMACOM.
Information Systems Audit and Control Association. (2010). The business case guide: Using Val IT 2.0. Rolling Meadows, IL: ISACA.
Kshetri, N. (2013). Privacy and security issues in cloud computing: the role of institutions and institutional evolution. Telecommunications Policy, 37(4-5), 372–386.
Mahajan, P. et al. (2011). Depot: cloud storage with minimal trust. ACM Transactions on Computer Systems, 29(4).
Pearson, S. & Benameur, A. (2010). Privacy, security and trust issues arising from cloud computing. In Proceedings of the 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom '10), pp. 693–702, IEEE, December 2010.
Neisse, R., Holling, D. & Pretschner, A. (2011). Implementing trust in cloud infrastructures. In Proceedings of the 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGrid '11), pp. 524–533, IEEE Computer Society, May 2011.
Iteration 1: The Employment Process at Sriven Technologies
The iteration of the employment process at Sriven Technologies, Inc. will involve an inquiry process to find out how this company conducts the employment process, particularly regarding the employment of web-based application developers. The process of accomplishing this iteration will involve the company's human resource personnel, although I will also leverage the Web to find more information on the same. The iteration is planned to take two weeks, with working hours from 8 am to 5 pm, the normal office hours.
I planned to draw up the objectives for this iteration before commencing anything, in light of the duties that lay ahead of me concerning web-based application programming. My objectives were learning about the employment process, what is required in the process, who is involved, and what I would do so as to meet all the requirements for me to become qualified for the same. The human resource personnel would help me understand how to make an application for employment in the company, what qualifications they look for and where the company advertises their employment opportunities. I planned to find out whether the company makes advertisements via word of mouth, in the newspapers or on the Web. That was because companies have different platforms on which they make their advertisements, and each of them follows a unique process of finding and recruiting new employees.
I would also try to understand from the human resource personnel what experience is required for web-based application programmers and how the company measures that experience. I would also find out whether the company recruits fresh graduates and what they would expect of them. The other thing that I planned to ask the human resource personnel to address is who is responsible for recruiting the various types of employees. That is because there are many areas of professionalism, including IT, human resources, finance, research, and innovation, etc., and there should be specific managers responsible for employing people in a given area. Other companies just leave the work of recruiting entirely to the human resource manager (Monroe, H. Personal Communications, February 05, 2016). That would be problematic, especially when a company has only a single human resource manager who obviously does not have competence in all the areas of professionalism.
I met with the human resource manager on the day I was to commence my internship at Sriven Technologies, Inc. The human resource manager first introduced me to the human resource personnel of the company so as to help me prepare adequately for the task that lay ahead of me, understanding the recruitment process. He helped me understand the types of human resource personnel that the company had, including the operational human resource manager, the transformational human resource manager, and the relational human resource manager. He also explained their roles to me: the operational HR is responsible for the administrative tasks, the relational HR supports the business processes, and the transformational HR is concerned with strategic HR tasks like knowledge management (Delbridge & Keenoy, 2010). I also came to understand that the human resource management sector is the one that handles issues related to people, like compensation, recruitment, organizational development, benefits, performance management, communication, training, administration, safety, employee motivation and the wellness of the employees.
The human resource personnel collaborated in helping me understand the employment process in the organization and who was involved in accomplishing it. The ones responsible are the three of them, that is, the operational, the relational and the transformational human resource managers. The process of getting a job in the company involved making an application for the position advertised, attending an interview session, and then receiving employment depending on the score of the interview session. During the interview process, the company involves staff trained in the area where the interviewee is seeking employment (Johnson, K. Personal Communications, February 12, 2016). For instance, my interview would involve the web-based application programmers, who would work in conjunction with the human resource personnel to accomplish the process of employment.
They helped me understand that the interview mostly tested the practical skills in the area in which one was seeking employment in the company. The company could hire even fresh graduates, provided that they had the competence required to execute their duties as required (Magdalene, O. Personal Communications, February 13, 2016). That gave me a chance to be one of the candidates in case the company would have that position soon. They also helped me understand the experience required for a web-based application programmer so that I could prepare to acquire those skills ahead of my employment process in the company. I also learned that the company advertised job positions on the Web as well as in the newspaper so as to reach a wide spectrum of applicants for the position. That helped them get the one who is most competent for that position. That also motivated me to strive to acquire the necessary skills, as I would be competing with several people for the same position.
Organizations rely on human capital because it is the most valued and treasured asset for the performance of an organization (Bhoganadam & Rao, 2014). I observed that the human resource management department is an essential sector in an organization because it is responsible for ensuring that everything runs well. They ensure that the employees are highly motivated for their tasks, that they get the right terms regarding payment, and that the employees who leave a job for one reason or another are replaced (Perry & Debra, 1997). The human resource managers were involved in many things in the company, and they had to do everything they could to ensure that the employees exploit their potential and make the performance of the organization the best it can be. The researcher also observed that the employment process in an organization entails a lot more than just making an application and waiting to be called for an interview. I thought the iteration would involve only the interview and orientation into the company, but I observed that there were many things that I had to know.
I observed that understanding the employment process in an organization can help one know how to go about meeting the specific requirements so as to stand a high chance of getting an employment opportunity in a given organization. I observed that I would use this iteration to prepare adequately for the employment process in the company. I observed that so many people apply wherever there is an advertisement of a vacancy in an organization, but what differentiates the applicants is the competence they have in executing their duties as required by the organization. Because of the many applicants, I observed that an interview is very important in filtering them so as to get the ones that meet the desired qualifications and practical skills (Billikopf, 2006).
The iteration and my meeting with the company's human resource personnel were very helpful because I was able to meet the objectives that I formulated at the beginning of the iteration. It gave me profound knowledge and experience regarding human resource management, web-based application programming and knowledge regarding the employment process in an organization. I not only received knowledge and experience of the employment process, but I also got to know what to do so as to stand a better chance of getting the employment compared with the other applicants who might have applied for a similar job. I came to realize that the employment process in an organization is vital because that is what helps an organization get the right people for the position advertised (Johnson, K. Personal Communications, February 18, 2016). The employment process iteration was very enriching, with information that would help me prepare adequately in the acquisition of web-based programming skills aimed at garnering that position.
There were things that did not go as I had anticipated during this iteration of the employment process at Sriven Technologies. I also did not get to learn the other things that were on my list due to time limitations. For one, I had a plan of doing a search on the Web as an integral activity alongside the meetings in the company, but I did not do that. That must have made me leave out vital information that would have been helpful in my research. In the future, I will improve on that so as to ensure that I use all the available media and platforms to gather the necessary information to accomplish my tasks adequately. I also discovered that the company did not have a technical recruiter responsible for recruiting the technical personnel. I suggest that the company have the three types of human resource personnel plus some specific recruiters so as to accomplish the employment process in the right way.
Bhoganadam, S. & Rao, D. (2014). A study on recruitment and selection process of Sai global Yarntex (India) Private Limited. International Journal of Management Research & Review, 4(10), 996-1006.
Billikopf, G. (2006). Practical Steps to Employee Selection. Retrieved from https://nature.berkeley.edu/ucce50/ag-labor/7labor/02.htm
Delbridge, R., & Keenoy, T. (2010). Beyond managerialism?. The International Journal of Human Resource Management, 21(6), 799-817.
Perry, L. & Debra, J. (1997). Strategic human resource management. In C. Ban & N. M. Riccucci (Eds.), Public Personnel Management: Current Concerns, Future Challenges (2nd ed., pp. 21-34). New York: Longman.
Literature reviews and proposal
In recent years, web-based applications have grown greatly in popularity. Several factors contribute to that tremendous rise in their use by organizations and individuals to provide access to a variety of services. Today many organizations and individuals use web-based applications to secure critical environments like financial, medical and military systems. Web-based systems consist of infrastructure components like databases and servers, as well as application-specific code like server-side CGI programs and HTML-embedded scripts (Kalani & Kalani, 2004). The infrastructure components are developed by experienced programmers, whereas the application-specific code is often written by programmers who have little security training and who must develop it under strict time constraints. As a result, they develop and deploy to the whole Internet web-based applications that are vulnerable, creating easily exploitable points that can lead to the compromise of entire networks. Ameliorating those security issues requires that a web-based application be designed and developed securely from the start. Testing of the web-based application is also vital, but it cannot take place without a thorough analysis of the current security threats.
Overview of Web-based Application
Today many enterprises use web-based applications as a low-cost and flexible solution for distributed collaborative work. A web-based application not only disseminates work, but it also interacts with the users in the processing of their business tasks so that they can accomplish their business goals. Thus, programming and analysis of a web-based application need an approach that is different from the one for websites that offer information in a uni-directional manner on the users' requests (Nielsen, 1995). Programming a web application requires that the developer emphasize good visual design and offer a systematic way of designing the logical structure of the application. There also exist methods for designing a web-based application. Those models are very useful in modeling kiosk-type applications that navigate users to the desired information on the web in a systematic manner.
However, for the users of web-based applications, accessing the particular information they want is only part of their business goals. They have other business goals, such as processing their business data and communicating and collaborating with their colleagues through the web-based application. The formal methods that exist do not provide solutions to critical questions pertaining to the programming and analysis of web-based applications (Kolšek, 2002). Some of the questions that remain unanswered include: "How can users achieve their business goals while using web-based applications?" and "How do users interact with their colleagues while using the web-based application?" Maintenance is another crucial issue as websites increase in size. Existing tools such as WebAnalyzer are useful in identifying problems such as broken links, but they fail to offer a solution or a way of avoiding those problems. Organizations can reduce their maintenance costs if they can detect errors in the design and analysis phases (Davis, 1990; Humphrey, 1989).
Technologies for implementing web-based applications have evolved continuously since the inception of the first mechanism for creating dynamic websites. The subsequent paragraphs describe the steps in that evolution.
Common Gateway Interface
The Common Gateway Interface (CGI) was one of the first mechanisms used for the generation of dynamic content (Laverty & Scarpino, 2009). The CGI standard defines the mechanism the server uses to interact with external applications. It specifies the rules of that interaction; however, it does not dictate the use of a specific technology for implementing those external applications. That means the programmer can write CGI programs in any language and execute them on virtually all web servers. The original goal of CGI was to offer web-based interaction with legacy systems (Kalani & Kalani, 2004). In that case, a CGI program functions as a gateway between the legacy system and the web server. The CGI specification defines the various ways in which the web server communicates with a CGI program: request metadata is passed through environment variables, the request body arrives on the program's standard input, and the program writes its response headers and body to standard output.
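To make the server-to-program contract concrete, here is a minimal CGI program written for this review (it is not code from the paper or from any of the cited works). It reads the request from the environment variables and standard input that the web server provides, and writes a response to standard output; the `name` query parameter, the 64 KiB body limit and the `handle_bytes` helper are assumptions made for the example.

```python
"""Minimal CGI program showing how a web server and a CGI program communicate.

Contract (from the CGI specification):
  - request metadata arrives in environment variables such as
    REQUEST_METHOD, QUERY_STRING and CONTENT_LENGTH;
  - a POST body arrives on standard input, CONTENT_LENGTH bytes long;
  - the program writes response headers, a blank line, then the body to stdout.
"""
import html
import io
import os
import sys
from urllib.parse import parse_qs

# Assumed upper bound for a request body; a CGI program must never trust
# CONTENT_LENGTH blindly and read an unbounded amount from stdin.
MAX_BODY = 64 * 1024


def parse_cgi_request(environ, stdin):
    """Return (method, query_params, body) from the CGI environment and stdin."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    # QUERY_STRING is the part of the URL after '?'; parse_qs splits on '&'
    # and decodes %xx escapes, giving a dict of name -> list of values.
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    body = b""
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            raise ValueError("CONTENT_LENGTH is not an integer")
        if length < 0 or length > MAX_BODY:
            raise ValueError("CONTENT_LENGTH out of range")
        # Read exactly the declared length; the server may keep stdin open.
        body = stdin.read(length)
    return method, query, body


def build_response(method, query, body):
    """Build the full CGI response: headers, blank line, HTML body."""
    # Every value echoed back originated from the client, so it is escaped
    # before being placed in HTML; this is what keeps the echo from becoming
    # a cross-site scripting hole.
    name = html.escape(query.get("name", ["anonymous"])[0])
    posted = html.escape(body.decode("utf-8", errors="replace"))
    page = (
        "<html><body>"
        f"<p>Method: {html.escape(method)}</p>"
        f"<p>Hello, {name}</p>"
        f"<pre>{posted}</pre>"
        "</body></html>\n"
    )
    # CGI requires at least a Content-Type header followed by an empty line.
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + page


def handle(environ, stdin):
    """Process one request exactly as the web server would invoke it."""
    method, query, body = parse_cgi_request(environ, stdin)
    return build_response(method, query, body)


def handle_bytes(environ, raw_body):
    """Convenience wrapper (assumed helper) that takes the body as bytes."""
    return handle(environ, io.BytesIO(raw_body))


if __name__ == "__main__":
    # Under a real web server the environment and stdin come from the server;
    # the same functions can be exercised offline with a constructed environ.
    sys.stdout.write(handle(os.environ, sys.stdin.buffer))
```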
Embedded Web Application Frameworks
Nowadays, the most common approach to implementing a web-based application is a middle way between the CGI mechanism and the server-specific APIs (Umar, 1997). In this approach, the web server is extended with a component that implements a framework for developing web applications. Such a framework includes a compiler or interpreter for the language in which the application's components are written, and it defines the rules that control the interaction between the application components and the server. Frameworks vary greatly in the support they provide to the application developer. Some frameworks only provide mechanisms for handling HTTP-specific features like cookies, connection handling, and authentication, among others. Web application frameworks are available for programming languages such as Perl, Python, PHP, Java, Visual Basic, JScript, and C# (Keig, 2013).
Importance of Web-based Application
Web-based applications are a way of taking advantage of current technology to enhance productivity and efficiency in organizations. They give businesses the opportunity to access their information from anywhere across the globe at any time (Grove, 2010). They also help organizations save money and time, and improve interactivity with their clients and partners. A web-based application allows administrative staff to perform their duties from any location, and sales staff can access information from a remote location 24 hours a day, seven days a week (Curphey et al., 2005). All that is needed is a computer connected to the Internet, a web browser, a username and a password, and the corporate systems can be accessed from anywhere.
A web-based application is easy to use, and it can be implemented without any interruption to the existing work processes of the organization. Whether an organization requires an e-commerce system or a content-managed solution, it can develop a customized web application that meets its business requirements (Grove, 2010). Web-based software enables companies to interact with their applications and their data in a highly responsive and fluid manner. With the right expertise in the creation and implementation of a web-based application, a company can gain an edge over its competitors.
My internship at Sriven Technologies will involve performing web-based application programming and analysis that will benefit both the organization and me. I will engage in critical tasks such as code review, design, development, testing and support of web-based applications. The internship will consist of five iterations, each having a cycle of planning, acting, observing and reflecting, to offer an opportunity to further refine the actions.
Iteration 1: The Employment Process at Sriven Technologies
In this first iteration at Sriven Technologies Inc., I will inquire into the company's employment process for programming and analysis of web-based applications. I will meet with the company's human resources personnel, who will guide me through the process of being employed as a web-based application programmer and developer. The Web will also be of great help, as it will be the platform for interacting with those resource persons.
Iteration 2: Brainstorming
In this brainstorming iteration, I will meet with the company's web-based application developers, who will take me through the skills I need to become an expert in web-based application programming and analysis. Many web-based application developers will attend the meeting so as to give me knowledge of the skills I need to be competent in web-based application design, development, and analysis.
Iteration 3: Training
In the training iteration, I will meet with the web-based analysts and the project manager, who will help me understand how to conduct web-based application development and analysis. They will train me on various approaches to developing a web-based application and building the proper security features into it. The project manager will also guide me through the stages of project development and the deliverables in the various stages of the work breakdown structure.
Iteration 4: Understanding the Analysis and Design of a Web-based Application
In this iteration on understanding the analysis and design of a web-based application, I will meet with the web application developers, who will show me the right methodology for designing and analyzing a web-based application. That will be the background for the next phase, performing a penetration test on a client's web application. The method I will learn entails entity-relationship analysis, scenario analysis, and architecture design, since it is one of the most reliable methods of analyzing and designing a web-based application.
Iteration 5: Project on Penetration testing of the Client’s Website
In this iteration, I will conduct a penetration test for one of the company's clients as my main project in the company. I will use the skills gained in the previous iterations to perform comprehensive penetration tests for the client. I will carry out this task with one of the company's junior web-based application analysts acting as my supervisor, and I will consult that supervisor on all my activities. The quality assurance team will then help with the remediation of any vulnerability found, as deemed appropriate.
References
Nielsen, J. (1995). Multimedia and Hypertext: The Internet and Beyond. Academic Press.
Laverty, J., & Scarpino, J. (2009). Web Application Security Instructional Paradigms and the IS Curriculum. Issues in Information Systems, 10(1), 87-96.
Kolsek, M. (2002). Session Fixation Vulnerability in Web-based Applications. Technical report, ACROS Security.
Curphey, M., Wiesman, A., Van der Stock, A., & Stirbei, R. (2005). A Guide to Building Secure Web Applications and Web Services. OWASP.
Grove, R. F. (2010). Web-based Application Development. Sudbury, Mass.: Jones and Bartlett Publishers.
Umar, A. (1997). Application (Re)engineering: Building Web-based Applications and Dealing with Legacies. Upper Saddle River, N.J.: Prentice-Hall.
Kalani, A., & Kalani, P. (2004). Exam Cram 2: Developing and Implementing Web Applications with Visual C# .NET and Visual Studio .NET (Exam 70-315). Indianapolis, Ind.: Que Certification.