Chapter 8b
Acknowledgement
Author: Roger McHaney
Book: Cloud Technologies: An Overview of Cloud Computing Technologies for Managers
Publisher: Wiley
Material Title: Chapter 8b Slides
Copyright Notice
This edition first published 2021
© 2021 John Wiley & Sons, Ltd
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to
obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of Roger McHaney to be identified as the author of this work has been asserted in accordance with law.
End User Controls
■ People have access to mobile devices, social media, cloud-based software subscriptions and more.
■ IT administrators see a potential control nightmare
■ Data, information, and organizational intellectual property can leak out
■ Many organizations use a combination of policies, training, and software tools to prevent data or intellectual property leakage
Measures to Control End-User Behavior
■ Policies and training: Good starting point
■ Content-limiting filters: An organization can open a subset of web sites accessible by employees in their work environments
■ Network filtering: Can block data loss and ensure files do not leave the organization’s secure areas
Lack of End-User Controls
Shadow IT
■ Information technology applications managed by an organizational unit without formal knowledge of the IT department
■ Simple as a spreadsheet used in a department by its members or as complicated as a major SaaS cloud-based application used to perform most of a department’s work duties
■ Some experts suggest more than 35% of IT spending in organizations takes place outside the formal IT structure
Risks and Benefits of Shadow IT
■ Benefits
– Employees are freed from corporate systems that may be slower or less specific
– Corporate help desks may have fewer demands
■ Risks
– Data leakage, lack of controls, and data loss potential all exist
– Organizational knowledge that could be shared may not be known outside the department
– Outside regulations, audits and policies may not be conducted correctly
– Organization is still responsible, and CIO accountable for problems and breaches
■ IT administrator may have to block shadow IT applications.
■ Performing risk assessment can determine if some shadow applications are low risk
Acceptable Risk
■ Risk can never be eliminated from an organization
■ IT auditors consider cost, impact and probability of occurrence
■ Develop a smart solution with reasonable protection against critical problems
Service Oriented Architecture (SOA) Governance
■ Cloud services governance is a direct extension of SOA governance, with new considerations such as multitenancy and elasticity
■ Put into place to ensure service quality, predictability, visibility, and cost-effective performance
■ Ensures that policies, laws, and regulations are followed
3 Components of SOA Governance
1) SOA registry: This is a catalog listing SOA services available. It can be used internally or as a tool to enable development of business partnerships
2) SOA policy: Principles used to ensure services do not conflict and to ensure implementation follows good design, custom relationships, and compliant practices
3) SOA testing: A regular schedule of audits, tests, and performance metrics used to ensure operation of SOA. It intends to ensure SOA solutions are working correctly in a secure, cost-effective way. It also ensures regular system updates.
SOA informs cloud computing governance and security
Governance Ensuring Secure Cloud Data
1) SLAs contain clear language that verifies cloud providers take strong measures to ensure cloud data are maintained in accordance with their security guidelines and compliance policies
2) That cloud providers ensure relevant governance
3) Performance tools monitor network, database, and applications to detect suspicious access or unexpected movement of data, particularly if large amounts are moved without prior knowledge
4) Use of data encryption tools
5) Use of multi-factor authentication approaches
6) Use of IP blocking tools for critical applications and data access
7) Use of appropriate firewalls, which may include virtual as well as more traditional physical firewall devices
8) Use sound access key management practices
9) Use tokenization for authorization and access to resources when appropriate
10) Use CASB to ensure overall security of cloud resources
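As an added illustration of the monitoring point in item 3 (this is example code, not from the book or slides), the following Go program sums per-user download volume from constructed cloud storage audit records and flags large movements that were not announced in advance. The record format, the 1 GiB threshold and the approved-mover list are assumptions for the demo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleLog is a constructed excerpt of cloud storage audit records: user,action,bytes,object.
const sampleLog = `svc-backup,download,900000000,backup/day1.tar
bob,download,450000000,crm/export-1.csv
alice,upload,80000,reports/q2.xlsx
bob,download,600000000,crm/export-2.csv
svc-backup,download,700000000,backup/day2.tar
bob,download,300000000,crm/export-3.csv`

// Assumed policy for the demo: over 1 GiB downloaded in the window counts as a large movement,
// and the backup service account is the only identity whose bulk transfers are announced ahead.
const bulkThreshold = 1 << 30
var approvedBulkMovers = map[string]bool{"svc-backup": true}

// FlagUnexpectedBulkEgress sums bytes downloaded per user (uploads into the tenant are not egress)
// and returns everyone over the threshold who is not a pre-approved bulk mover. A malformed
// record is an error rather than silently skipped, so gaps in monitoring stay visible.
func FlagUnexpectedBulkEgress(log string, threshold int64, approved map[string]bool) (map[string]int64, error) {
	totals := map[string]int64{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		n, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad byte count in %q: %w", line, err)
		}
		if f[1] == "download" {
			totals[f[0]] += n
		}
	}
	flagged := map[string]int64{}
	for user, n := range totals {
		if n > threshold && !approved[user] {
			flagged[user] = n
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := FlagUnexpectedBulkEgress(sampleLog, bulkThreshold, approvedBulkMovers)
	fmt.Println("unexpected bulk egress:", flagged, err)
}
```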
Cloud Provider Data Safety
■ Encryption
■ Sharding (break files into small chunks and encrypt each separately)
■ Data Preview Modes
Encryption
■ Most effective way of securing data
■ Scrambles files, data, or other stored items according to a complex pattern based on a key
■ Only someone possessing the key can unscramble the contents in a reasonable amount of time
■ Cloud provider approaches to encryption include:
– End-to-end encryption: Encrypt data prior to transmission to their cloud, where it remains encrypted until the client retrieves it
– Limited encryption: Encrypts the most sensitive data like passwords or customer credit card numbers
■ Encryption may be done after the cloud provider receives the data and is completely managed by the vendor
■ Cloud clients may wish to encrypt data themselves without involving the cloud vendor to ensure no one working for the cloud vendor can access their data in an unencrypted form
■ Important for compliance reasons (e.g. regulations stipulate data privacy and security)
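Added example, not part of the slides: a Go program showing client-side sharding and encryption as described above, where a file is broken into chunks and each chunk is encrypted separately with AES-GCM under a key only the client holds, so the provider stores nothing it can read. The chunk size, the nonce||ciphertext||tag shard layout and the all-zero demo key are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const ChunkSize = 16 // assumed shard size for the demo; real systems use far larger chunks
// shardAD binds a shard's position as GCM associated data so reordered shards fail to open.
func shardAD(idx int) []byte { return []byte(fmt.Sprint("shard-", idx)) }

// EncryptShards splits plaintext into ChunkSize pieces and encrypts each one independently as
// nonce||ciphertext||tag under the client-held key, so the provider only stores unreadable blobs.
func EncryptShards(gcm cipher.AEAD, plaintext []byte) [][]byte {
	var shards [][]byte
	for i := 0; i < len(plaintext); i += ChunkSize {
		end := i + ChunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce) // fresh random nonce per shard; never returns an error as of Go 1.24
		shards = append(shards, gcm.Seal(nonce, nonce, plaintext[i:end], shardAD(i/ChunkSize)))
	}
	return shards
}

// DecryptShards reverses EncryptShards; a wrong key, a modified shard or a swapped shard order
// fails the GCM tag check and yields an error rather than corrupted plaintext.
func DecryptShards(gcm cipher.AEAD, shards [][]byte) ([]byte, error) {
	var out []byte
	for idx, s := range shards {
		if len(s) < gcm.NonceSize() {
			return nil, fmt.Errorf("shard %d too short", idx)
		}
		pt, err := gcm.Open(nil, s[:gcm.NonceSize()], s[gcm.NonceSize():], shardAD(idx))
		if err != nil {
			return nil, fmt.Errorf("shard %d: %w", idx, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key; never use in practice
	gcm, _ := cipher.NewGCM(block)
	pt, err := DecryptShards(gcm, EncryptShards(gcm, []byte("card 4111-1111-1111-1111, encrypted client-side")))
	fmt.Printf("recovered %q (err=%v)\n", pt, err)
}
```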
2 Encryption Types