CLOUD

COMPUTING
Chapter 8b
Acknowledgement
Author: Roger McHaney
Book: Cloud Technologies: An Overview of Cloud Computing Technologies for Managers
Publisher: Wiley
Material Title: Chapter 8b Slides

Copyright Notice
This edition first published 2021
© 2021 John Wiley & Sons, Ltd
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to
obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of Roger McHaney to be identified as the author of this work has been asserted in accordance with law.
End User Controls
■People have access to mobile devices, social media, cloud-based software
subscriptions and more.
■ IT administrators see a potential control nightmare
■Data, information, and organizational intellectual property can leak out
■Many organizations use a combination of policies, training, and software
tools to prevent data or intellectual property leakage
Measures to Control End-User Behavior
■ Policies and training: Good starting point
■ Content-limiting filters: An organization can open a subset of web sites
accessible by employees in their work environments
■ Network filtering: Can block data loss and ensure files do not leave the
organization’s secure areas
Lack of End-User Controls
Shadow IT
■Information technology applications managed by an organizational unit without formal
knowledge of the IT department
■Simple as a spreadsheet used in a department by its members or as complicated as a major
SaaS cloud-based application used to perform most of a department’s work duties
■ Some experts suggest more that 35% of IT spending in organizations takes place outside
the formal IT structure
Risks and Benefits of Shadow IT
■ Benefits
– Employees are freed from corporate systems that may be slower or less specific
– Corporate help desks may have fewer demands
■ Risks
– Data leakage, lack of controls, and data loss potential all exist
– Organizational knowledge that could be shared may not be known outside the department
– Outside regulations, audits and policies may not be conducted correctly
– Organization is still responsible, and CIO accountable for problems and breaches
■ IT administrator may have to block shadow IT applications.
■ Performing risk assessment can determine if some shadow applications are low risk
Acceptable Risk
■Risk can never be eliminated from an organization
■IT auditors consider cost, impact and probability of occurrence
■Develop a smart solution with reasonable protection against critical problems
Service Oriented Architecture (SOA) Governance

■Cloud services governance direct extension of SOA governance with new considerations such as
multitenancy and elasticity
■ Put into place to ensure service quality, predictability, visibility, and cost-effective performance
■ Ensures that policies, laws, and regulations are followed
3 Components of SOA Governance
1) SOA registry: This is a catalog listing SOA services available. It can be used internally or as a
tool to enable development of business partnerships
2) SOA policy: Principles used to ensure services do not conflict and to ensure implementation
follows good design, custom relationships, and compliant practices
3) SOA testing: A regular schedule of audits, tests, and performance metrics used to ensure
operation of SOA. It intends to ensure SOA solutions are working correctly in a secure, cost-
effective way. It also ensures regular system updates.
SOA informs cloud computing governance and security
Governance Ensuring Secure Cloud Data
1) SLAs contain clear language that verify cloud providers take strong measures to ensure cloud data are maintained
in accordance with their security guidelines and compliance policies
2) That cloud providers ensure relevant governance
3) Performance tools monitor network, database, and applications to detect suspicious access or unexpected
movement of data, particularly if large amounts are moved without prior knowledge
4) Use of data encryption tools
5) Use of multi-factor authentication approaches
6) Use of IP blocking tools for critical applications and data access
7) Use of appropriate firewalls which may include virtual as well as more traditional physical firewall devices
8) Use sound access key management practices
9) Use tokenization for authorization and access to resources when appropriate
10)Use CASB to ensure overall security of cloud resources
Cloud Provider Data Safety
■Encryption
■Sharding (break files into small chunks and encrypt each separately)
■Data Preview Modes
Encryption
■ Most effective way of securing data
■ Scrambles files, data, or other stored items according to a complex pattern based on a key
■ Only someone possessing key can unscrambled contents in a reasonable amount of time
■ Cloud provider approaches to encryption include:
– End-to-end encryption: Encrypt data prior to transmission to their cloud where it remains
encrypted until the client retrieves it
– Limited encryption: Encrypts the most sensitive data like passwords or customer credit cards
numbers
■ Encryption may be done after cloud provider receives it and is completely managed by the vendor
■ Cloud clients may wish to encrypt data themselves without involving the cloud vendor to ensure no one
working for the cloud vendor can access their data in an unencrypted form
■ Important for compliance reasons (e.g. regulations stipulate data privacy and security)
2 Encryption Types
SYMMETRIC KEY ALGORITHMS:
THESE PROVIDE EITHER IDENTICAL
OR VERY SIMILAR KEYS FOR BOTH
ENCRYPTION AND DECRYPTION
OPERATIONS.
ASYMMETRIC KEY ALGORITHMS:
UNRELATED, COMPLETELY DIFFERENT
KEYS ARE USED FOR ENCRYPTION AND
DECRYPTION OPERATIONS. A VERY
COMMONLY USED APPROACH TO
ENCRYPTION, PUBLIC KEY
CRYPTOGRAPHY, FALLS INTO THIS
CATEGORY. KEYS NOT TRANSMITTED.
SYMMETRIC KEY EXAMPLE
ASYMMETRIC KEY EXAMPLE: STEP 1
ASYMMETRIC KEY EXAMPLE: STEP 2
ASYMMETRIC KEY EXAMPLE: STEP 3
Secure Sockets Layer (SSL)
■Approach for securing communications between a browser and web server
■Intended to reduce chances someone will intercept communications
■Transparent to users and this helps ensure its wide use
■A protocol, used to provide a secure channel between two applications or
devices
■When used with web-based communication, the website’s address is changed
to start with HTTPS instead of just HTTP
First 2 Steps in Using SSL
Step 3 in Using SSL
Steps 4 and 5 in Using SSL
Process Used by Certificate Authority
Key Management

■ Critical task for IT administrator

■ Typical organization has their own private keys and several shared keys from cloud vendors and other
business partners
■ Keys should never be stored with encrypted data
■ Keys should be backed up and stored in secure locations safe from harm that may befall an organization’s
IT infrastructure
■ Key security practices should be audited regularly to ensure the latest technologies and threats are
understood
■ Keys need to be changed regularly and their expiration dates monitored to avoid unexpected problems
■ Cloud computing does not change premise of using keys, but adds new complications, challenges, and
concerns
Key Services
■HSM (Hardware Security Module): Traditionally on-premise key management practices
using a hardware approach. Harder to use in cloud environments
■ KMS (Key Management System): Software solution for securing and managing an
organization’s keys that can maintain keys in the cloud environment and secured using
algorithms and best practice procedures
■Hybrid Approach: Combines HSMs with KMSs where cloud providers offer a physical
HSM device within their cloud data center
■HSM as a Service: Cloud vendors and third-party software companies have combined
HSM capabilities with cloud service models
Example Key Management System Products
■Google KMS: Software based, hosted KMS aimed to replace on-premise key
systems with Cloud IAM integration and audit logging system.
■AWS KMS: Amazon’s key management system integrates with its other cloud
management systems to permit assigning permissions, tracking use, setting up
alerts, monitoring and performing analysis.
■Azure Key Vault: Encrypt keys and safeguards passwords. Ensures key contents
are not seen or extractable by Microsoft or its employees at the data centers.
Chapter 8 Summary
■Overview of ways organizations seek to ensure IT operations use best practices that make
financial sense as well as ensure data and applications are safe from adverse events and comply
with laws and regulations
■Cloud Governance starts with guiding principles used to shape the approach to organizational
computing
■Good governance responsible for setting a tone for users and ensuring policies cover
requirements appropriately
■IT auditors ensure policies match requirements and the systems in place accomplish what is
needed
■Auditors in cloud environments focus on new challenges such as data safety, shadow IT, end-
user controls, data encryption, key management, and others