In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. This paper discusses security issues, requirements and challenges that cloud service providers (CSP) face during cloud engineering. Recommended security standards and management models to address these are suggested for technical and business community.
Sections:
Introduction
Cloud Computing background
Securing the Cloud
Virtualization
Mobile Cloud Computing
User safety & energy consumption
Author’s proposal
Conclusion
In order to make cloud computing to be adopted by users and enterprises, security concerns of users should be rectified by making cloud environment trustworthy, discussed by Latif et al. in the assessment of cloud computing risks[2].
We address the questions related to:
(1) security concerns and threats over general cloud computing,
(2) the solutions for these problems and
(3) mobile users safety in convergence with energy consumption.
Cloud here means data and encryption means to secure the data. In this ppt you can get to know about various encryption algorithms which are used to secure the data.
This presentation gives a detailed overview about Cloud Computing, its features and challenges faced by it in the market. It gives an insight into cloud security and privacy issues and its measures.
Cloud Computing offers an on-demand and scalable access to a shared pool of resources hosted in a data center at providers’ site. It reduces the overheads of up-front investments and financial risks for the end-user. Regardless of the fact that cloud computing offers great advantages to the end users, there are several challenging issues that are mandatory to be addressed.
Cloud computing is using the internet to access someone else's software running on someone else's hardware in someone else's data center.
OUTLINE-
Definitions of Cloud computing
Architecture of Cloud computing
Benefits of Cloud computing
Opportunities of Cloud Computing
Cloud computing – Google Apps
Grid computing vs Cloud computing
starts with an introduction to mobile cloud computing with a definition, architecture, and advantages/disadvantages. At the next sections, continues with the applications of MCC, detailed challenges in mobile environment and solutions. Lastly the document concludes the main issues about the mobile cloud computing with the conclusion part.
The encryption mechanism is a digital coding system dedicated to preserving the confidentiality and integrity of data. It is used for encoding plain text data into a protected and unreadable format.
Slide on Cloud Security. This defines the possible aspects on Cloud Security. Images are taken from different Websites which are mentioned on references section.
Congresso Sociedade Brasileira de Computação CSBC2016 Porto Alegre (Brazil)
Workshop on Cloud Networks & Cloudscape Brazil
João Gondim, Luis Pacheco and Priscila Solis (University of Brasilia, Brazil)
Unpublished, novel research work related to the latest challenges, technologies, solutions and techniques related to networking within the cloud and to the efficient and effective cloud deployment and hosting of the various emerging applications and services.
Effective solutions related to the placement, sizing, bursting, and migration of compute, storage, and data resources within the cloud network(s) become critical to the deployment of elastic and agile applications.
Challenges with Cloud Security by Ken Y Chan Ken Chan
As more businesses move to cloud services, they are facing new challenges in IT security. This presentation outlines the key challenges in cloud security, and my observations and recommendations.
This presentation will give complete information regarding security issues related to cloud computing. To learn cloud computing fill up a simple form.
http://bit.ly/aDegGN
Trust based Mechanism for Secure Cloud Computing Environment: A Survey inventionjournals
Ubiquitous computing has revolutionized interaction of humans and machines. Cloud computing has been mainly used for storing data and various computational purposes. It has changed the face of using the internet. But, as we know every technology has its pros and cons. Securing cloud environment is the most challenging issue for the researchers and developers. Main aspects which cloud security should cover are authentication, authorization, data protection etc. Establishing trust between cloud service providers (CSP) is the biggest challenge, when someone is discussing about cloud security. Trust is a critical factor which mainly depends on perception of reputation and self-assessment done by both user and CSP. The trust model can act as security strength evaluator and ranking service for cloud application and services. For establishing trust relationship between two parties, mutual trust mechanism is reliable, as it does verification from both sides. There are various trust models which mainly focuses on securing one party i.e., they validate either user or service node. In this survey paper, the study of various trust models and their various parameters are discussed.
Data Stream Controller for Enterprise Cloud Application IJSRD
Cloud computing is an emerging computing paradigm where computing resources are provided as services over Internet while residing in a large data center. Even though it enables us to dynamically provide servers with the ability to address a wide range of needs, this paradigm brings forth many new challenges for the data security and access control as users outsource their sensitive data to clouds, which are beyond the same trusted domain as data owners. The occupier need not be concerned with how the PaaS system achieves expansion under high load. MAC systems differ as security policy is defined for the entire system, typically by administrators. Information flow control (IFC) is a MAC approach, developed originally from military information management methodologies. IFC can be used to enforce more general policies, using appropriate labeling and checking schemes. The labels can be used to manage both confidentiality and integrity concerns, tracking “secrecy” and “quality” of data, respectively. Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flow between the pieces of application and the outside world. As applied to privacy DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity DIFC allows trusted code to protect untrusted software from unexpected inputs.
Cloud Computing Security Issues and ChallengesCSCJournals
Cloud computing is a set of IT services that are provided to a customer over a network on a leased basis and with the ability to scale up or down their service requirements. Usually cloud computing services are delivered by a third party provider who owns the infrastructure. It advantages to mention but a few include scalability, resilience, flexibility, efficiency and outsourcing non-core activities. Cloud computing offers an innovative business model for organizations to adopt IT services without upfront investment. Despite the potential gains achieved from the cloud computing, the organizations are slow in accepting it due to security issues and challenges associated with it. Security is one of the major issues which hamper the growth of cloud. The idea of handing over important data to another company is worrisome; such that the consumers need to be vigilant in understanding the risks of data breaches in this new environment. This paper introduces a detailed analysis of the cloud computing security issues and challenges focusing on the cloud computing types and the service delivery types.
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...cscpconf
Deployment of using cloud services as a new approach to keep people's platforms, Infrastructure and applications has become an important issue in the world of communications technology. This is a very useful paradigm for humans to obtain their essential needs simpler, faster ,more flexible, and safer than before. But there are many concerns about this system challenge. Security is the most important challenge for cloud systems. In this paper we design and explain the procedure of implementation of a new method for cloud services based on multi clouds on our platform which supplies security and privacy more than other clouds. We introduce some confidentiality and security methods in each layer to have a secure access to requirements. The architecture of our method and the implementation of method on our selected platform for each layer are introduced in this paper.
Design and implement a new cloud security method based on multi clouds on ope...csandit
Deployment of using cloud services as a new approach to keep people's platforms,
Infrastructure and applications has become an important issue in the world of communications
technology. This is a very useful paradigm for humans to obtain their essential needs simpler,
faster ,more flexible, and safer than before. But there are many concerns about this system
challenge. Security is the most important challenge for cloud systems. In this paper we design
and explain the procedure of implementation of a new method for cloud services based on multi
clouds on our platform which supplies security and privacy more than other clouds. We
introduce some confidentiality and security methods in each layer to have a secure access to
requirements. The architecture of our method and the implementation of method on our selected
platform for each layer are introduced in this paper.
Cloud data security and various cryptographic algorithms IJECEIAES
Cloud computing has spread widely among different organizations due to its advantages, such as cost reduction, resource pooling, broad network access, and ease of administration. It increases the abilities of physical resources by optimizing shared use. Clients’ valuable items (data and applications) are moved outside of regulatory supervision in a shared environment where many clients are grouped together. However, this process poses security concerns, such as sensitive information theft and personally identifiable data leakage. Many researchers have contributed to reducing the problem of data security in cloud computing by developing a variety of technologies to secure cloud data, including encryption. In this study, a set of encryption algorithms (advanced encryption standard (AES), data encryption standard (DES), Blowfish, Rivest-Shamir-Adleman (RSA) encryption, and international data encryption algorithm (IDEA)) was compared in terms of security, data encipherment capacity, memory usage, and encipherment time to determine the optimal algorithm for securing cloud information from hackers. Results show that RSA and IDEA are less secure than AES, Blowfish, and DES. The AES algorithm encrypts a huge amount of data, takes the least encipherment time, and is faster than other algorithms, and the Blowfish algorithm requires the least amount of memory space.
SECURITY AND PRIVACY AWARE PROGRAMMING MODEL FOR IOT APPLICATIONS IN CLOUD EN...ijccsa
The introduction of Internet of Things (IoT) applications into daily life has raised serious privacy concerns
among consumers, network service providers, device manufacturers, and other parties involved. This paper
gives a high-level overview of the three phases of data collecting, transmission, and storage in IoT systems
as well as current privacy-preserving technologies. The following elements were investigated during these
three phases:(1) Physical and data connection layer security mechanisms(2) Network remedies(3)
Techniques for distributing and storing data. Real-world systems frequently have multiple phases and
incorporate a variety of methods to guarantee privacy. Therefore, for IoT research, design, development,
and operation, having a thorough understanding of all phases and their technologies can be beneficial. In
this Study introduced two independent methodologies namely generic differential privacy (GenDP) and
Cluster-Based Differential privacy ( Cluster-based DP) algorithms for handling metadata as intents and
intent scope to maintain privacy and security of IoT data in cloud environments. With its help, we can
virtual and connect enormous numbers of devices, get a clearer understanding of the IoT architecture, and
store data eternally. However, due of the dynamic nature of the environment, the diversity of devices, the
ad hoc requirements of multiple stakeholders, and hardware or network failures, it is a very challenging
task to create security-, privacy-, safety-, and quality-aware Internet of Things apps. It is becoming more
and more important to improve data privacy and security through appropriate data acquisition. The
proposed approach resulted in reduced loss performance as compared to Support Vector Machine (SVM) ,
Random Forest (RF) .
Abstract: Cloud computing model are obtaining ubiquitous authorization due to the heterogeneous convenience they provide. Although, the
security & privacy problems are the main considerable encumbrance holding back the universal adoption of this new emerging technology.
Various researches are concentrated on enhancing the security on Software as well as Hardware levels on the cloud. But these interpretations do
not mainly furnish the complete security way and therefore the data security compute (measure) are still kept under the access control of service
provider. Trusted Computing is another research concept. In actuality, these furnish a set of tools controlled by the third party technologies to
secure the Virtual Machines from the cloud computing providers. These approaches provides the tools to its consumers to assess and monitor the
aspects of security their data, they don’t allocate the cloud consumers with high control capability. While as the new emerging DCS approach
aims to provide the security of data owners of their data. But the DCS approach concept is elucidate in many ways and there is not a
standardized framework of cloud computing environment model for applying this approach.
In cloud computing IT (Information Technology) related resources like infrastructure, platform and software can be utilized using web based tools and application through internet. Here Organizations are moving to the cloud computing some faster than others. However, moving to the cloud presents the organization with a number of risks to assess. Information security is the most critical risk for many organizations. This is because the intellectual property, trade secrets, personally identifiable information,
or other sensitive information can be powered by protecting information. This paper classified cloud
security based on the three service models of cloud computing SaaS, PaaS and IaaS. Attributes for each
type of security has also identified and briefly described here. We compared securities provided in different
services by world's best known cloud service providing companies such as Amazon AWS, Google App Engine, Windows Azure etc. considering cloud security category. Furthermore, we included recommendations for organizations who have decided to move their data into the cloud, but confused to choose the best service provider for their organization regarding information security.
A proposed Solution: Data Availability and Error Correction in Cloud ComputingCSCJournals
Cloud Computing is the hottest technology in the market these days, used to make storage of huge amounts of data and information easier for organizations. Maintaining servers to store all the information is quite expensive for individual and organizations. Cloud computing allows to store and maintain data on remote servers that are managed by Cloud Service Providers (CSP) like Yahoo and Google. This data can then be accessed through out the globe. But as more and more information of individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. In this paper we discussed security issues and requirements in the Cloud and possible solutions of some the problems. We develop an architecture model for cloud computing to solve the data availability and error correction problem.
Cloud computing is a model which uses the mixture concept of “software-as-a-service” and “utility computing”, and provides
various on-demand services in a convenient way requested end users. It is internet based where resources are shared and the
information is available for on demand service users. Security issue in Cloud computing is the important and critical issues
because the resources are distributed. Both the Cloud provider and the cloud consumer should be fully sure that the cloud is safe
enough from all the external threats so that the customer does not face any kind of problem like loss or theft of their valuable
data. There is also a possibility where a malicious user can penetrate the cloud by imitate an authorized user, and affect with a
virus to the entire cloud and affects many customers who are sharing the infected cloud. In this paper we firstly lists the
parameters that affects the security of the cloud then it explores the security issues of cloud computing and the troubles faced by
providers and consumers about their data, privacy, and infected application and security issues. It also presents some security
solutions for tackling these issues and problems.
Challenges and Security Issues in Future IT Infrastructure ComponentsMubashir Ali
Over the past 2 decades, the information technology infrastructure has gone through an exponential change with the introduction and evolution of new technologies and trends. Organizations previously having their data on-premise and their infrastructure comprising of multiple server machines on multiple server racks and dedicated client personal computers (PCs) are moving towards cloud computing & virtualization to Smartphone and tablets. This rapid advancement and constant change, although increasing productivity for the organizations is resulting in a rising number of challenges and security issues for the organizations, their managers, IT administrators and technology architects. This paper discusses the future IT infrastructure components and the challenges & security issues that arise after their implementation that needs to be taken care of in order to get the full advantage of IT.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Cloud computing security issues and challenges
Krešimir Popović, Željko Hocenski
Institute of Automation and Process Computing
Faculty of Electrical Engineering Osijek
Kneza Trpimira 2b, Osijek, 31000, Croatia
Phone: (+385) (0)31-234 810 Fax: (+385) (0)31 224 605 E-mail: popovic@etfos.hr
Abstract - In the last few years, cloud computing has grown
from being a promising business concept to one of the fastest
growing segments of the IT industry. Now, recession-hit
companies are increasingly realizing that simply by tapping
into the cloud they can gain fast access to best-of-breed
business applications or drastically boost their
infrastructure resources, all at negligible cost. But as more
and more information on individuals and companies is
placed in the cloud, concerns are beginning to grow about
just how safe an environment it is. This paper discusses
security issues, requirements and challenges that cloud
service providers (CSP) face during cloud engineering.
Recommended security standards and management models
to address these are suggested for technical and business
community.
I. INTRODUCTION
Cloud service providers (CSP) (e.g. Microsoft, Google,
Amazon, Salesforce.com, GoGrid) are leveraging
virtualization technologies combined with self-service
capabilities for computing resources via the Internet. In
these service provider environments, virtual machines from
multiple organizations have to be co-located on the same
physical server in order to maximize the efficiencies of
virtualization. Cloud service providers must learn from the
managed service provider (MSP) model and ensure that
their customers’ applications and data are secure if they
hope to retain their customer base and competitiveness.
Today, enterprises are looking toward cloud computing
horizons to expand their on-premises infrastructure, but
most cannot afford the risk of compromising the security of
their applications and data.
International Data Corporation (IDC) conducted a
survey [1] (see Fig.1.) of 263 IT executives and their line-of-
business colleagues to gauge their opinions and
understand their companies’ use of IT cloud services.
Security ranked first as the greatest challenge or issue of
cloud computing.
Corporations and individuals are concerned about how
security and compliance integrity can be maintained in this
new environment. Even more concerning, though, are the
corporations that are jumping to cloud computing while
being oblivious to the implications of putting critical
applications and data in the cloud. Moving critical
applications and sensitive data to a public and shared
cloud environment is a major concern for corporations that
are moving beyond their data center’s network perimeter
defense. To alleviate these concerns, a cloud solution
provider must ensure that customers can continue to have
the same security and privacy controls over their
applications and services, provide evidence to these
customers that their organization and customers are secure
and they can meet their service-level agreements, and show
how they can prove compliance to their auditors.
Fig. 1. Results of IDC ranking security challenges (3Q2009,
n=263)
Regardless of how the cloud evolves, it needs some form
of standardization (e.g. Information Technology
Infrastructure Library -ITIL, ISO/IEC 27001/27002, Open
Virtualization Format (OVF) [2][3][4]) so that the market can
evolve and thrive. Standards should allow clouds to
interoperate and communicate with each other no matter
which vendor provides cloud services.
This professional paper discusses security and privacy
issues as challenges, and recommends control objectives
to technical and business community. It also highly
recommends OVF standard as vendor and platform
independent, open, secure, portable, efficient and
extensible format for the packaging and distribution of
software to be run in virtual machines (software stack that
incorporates the target applications, libraries, services,
configuration, relevant data, and operating system).
II. SECURITY IN THE CLOUD
A. Security issues and challenges
Heightened security threats must be overcome in order
to benefit fully from this new computing paradigm. Some
security concerns are listed and discussed below:
1) Security concern #1: With the cloud model, control over
physical security is lost because computing resources are
shared with other companies. The customer has no knowledge
or control of where the resources run.
2) Security concern #2: Company has violated the law
(risk of data seizure by (foreign) government).
3) Security concern #3: Storage services provided by one
cloud vendor may be incompatible with another vendor’s
services if the user decides to move from one to the other (e.g.
Microsoft cloud is incompatible with Google cloud). [5]
4) Security concern #4: Who controls the
encryption/decryption keys? Logically it should be the
customer.
5) Security concern #5: Ensuring the integrity of the data
(transfer, storage, and retrieval) really means that it
changes only in response to authorized transactions. A
common standard to ensure data integrity does not yet
exist.
6) Security concern #6: In case of Payment Card Industry
Data Security Standard (PCI DSS) data logs must be
provided to security managers and regulators. [6][7][8]
7) Security concern #7: Users must keep up to date with
application improvements to be sure they are protected.
8) Security concern #8: Some government regulations
have strict limits on what data about its citizens can be
stored and for how long, and some banking regulators
require that customer’s financial data remain in their home
country.
9) Security concern #9: The dynamic and fluid nature of
virtual machines will make it difficult to maintain the
consistency of security and ensure the auditability of
records.
10) Security concern #10: Customers may be able to sue
cloud service providers if their privacy rights are violated,
and in any case the cloud service providers may face
damage to their reputation. Concerns arise when it is not
clear to individuals why their personal information is
requested or how it will be used or passed on to other
parties.
Privacy sensitive information: [9]
- Personally identifiable information (PII [10]): any
information that could be used to identify or
locate an individual (e.g. state, name, address) or
information that can be correlated with other
information to identify an individual (e.g. credit
card number, Internet protocol (IP) address).
- Information on religion, race, health, union
membership, sexual orientation, job performance,
financial information, biometric information or any
other information that may be considered
sensitive.
- Data collected from computer devices (e.g.
notebook, smartphone, iPad).
- Information uniquely traceable to a user device
(e.g. IP address, Radio Frequency Identity (RFID),
MAC address).
Additional considerations to be aware of:
- Access: Data subjects have a right to know what
personal information is held and, in some cases,
can make a request to stop processing it. If a data
subject exercises this right to ask the organization
to delete his data, will it be possible to ensure that
all of his information has been deleted in the
cloud?
- Compliance: What are the applicable laws,
regulations, standards, and contractual
commitments that govern this information, and
who is responsible for maintaining the
compliance? Clouds can cross multiple
jurisdictions in multiple states.
- Storage: Where is the data in the cloud stored?
Was it transferred to another data center in
another country? Privacy laws in various
countries place limitations on the ability of
organizations to transfer some types of personal
information to other countries.
- Retention: How long is personal information (that
is transferred to the cloud) retained? Who
enforces the retention policy in the cloud, and
how are exceptions to this policy (such as
litigation holds) managed?
- Destruction: How can we know that the cloud
service provider (CSP) didn’t retain additional
copies? Did the CSP really destroy the data, or
just make it inaccessible to the organization? Is
the CSP keeping the information longer than
necessary so that it can mine the data for its own
use?
- Audit and monitoring: How can organizations
monitor their CSP and provide assurance to
relevant stakeholders that privacy requirements
are met when their PII is in the cloud?
- Privacy breaches: How can we ensure that the
cloud service provider (CSP) notifies us when a
breach occurs, and who is responsible for
managing the breach notification process (and
costs associated with the process)? If contracts
include liability for breaches resulting from
negligence of the CSP, how is the contract
enforced and how is it determined who is at fault?
B. Security management standards
Standards that are relevant to security management
practices in the cloud are Information Technology
Infrastructure Library (ITIL), ISO/IEC 27001/27002 and
Open Virtualization Format (OVF).
1) Information Technology Infrastructure Library (ITIL): it
is a set of best practices and guidelines that define an
integrated, process-based approach for managing
information technology services. ITIL can be applied
across almost every type of IT environment including
cloud operating environment. ITIL seeks to ensure that
effective information security measures are taken at
strategic, tactical, and operational levels. Information
security is considered an iterative process that must be
controlled, planned, implemented, evaluated, and
maintained.
ITIL provides a systematic and professional approach to
the management of IT service provision. Adopting its
guidance offers users a huge range of benefits that include:
- Reduced costs
- Improved IT services through the use of proven
best practice processes
- Improved customer satisfaction through a more
professional approach to service delivery
- Standards and guidance
- Improved productivity
- Improved use of skills and experience
- Improved delivery of third party services through
the specification of ITIL or ISO 20000 as the
standard for service delivery in services
procurements
- ITIL helps you separate administrative tasks and
technical tasks so that you assign the most
appropriate resources
- better measure technical support performance
The ITIL-process Security Management describes the
structured fitting of information security in the management
organization. It is based on the code of practice for
information security management now known as ISO/IEC
27002.
ITIL breaks information security down into:
- Policies: The overall objectives an organization is
attempting to achieve
- Processes: What has to happen to achieve the
objectives
- Procedures: Who does what and when to achieve
the objectives
- Work instructions: Instructions for taking specific
actions
A basic goal of security management is to ensure
adequate information security. The primary goal of
information security, in turn, is to protect information
assets against risks, and thus to maintain their value to the
organization. This is commonly expressed in terms of
ensuring their confidentiality, integrity and availability,
along with related properties or goals such as authenticity,
accountability, non-repudiation and reliability.
Note: Organizations and management systems cannot be
certified as “ITIL-compliant.” Only practitioners can be
certified.
2) International Organization for Standardization (ISO)
27001/27002: ISO/IEC 27001 formally defines the
mandatory requirements for an Information Security
Management System (ISMS). It is also a certification
standard and uses ISO/IEC 27002 to indicate suitable
information security controls within the ISMS.
Essentially, the ITIL, ISO/IEC 20000, and ISO/IEC
27001/27002 frameworks help IT organizations internalize
and respond to basic questions such as:
- “How do I ensure that the current security levels
are appropriate for your needs?”
- “How do I apply a security baseline throughout
your operation?”
Simply put, they help to answer the question:
“How do I ensure that my services are secure?”
3) Open Virtualization Format: OVF enables efficient,
flexible, and secure distribution of enterprise software,
facilitating the mobility of virtual machines and giving
customers vendor and platform independence. Customers
can deploy an OVF formatted virtual machine on the
virtualization platform of their choice.
With OVF, customers’ experience with virtualization is
greatly enhanced, with more portability, platform
independence, verification, signing, versioning, and
licensing terms. OVF lets you:
- Improve your user experience with streamlined
installations
- Offer customers virtualization platform
independence and flexibility
- Create complex pre-configured multi-tiered
services more easily
- Efficiently deliver enterprise software through
portable virtual machines
- Offer platform-specific enhancements and easier
adoption of advances in virtualization through
extensibility
The rising investments in virtual appliances (IBM,
Microsoft, Hewlett-Packard, Dell, VMware, and XenSource)
not only simplify the deployment of applications for
individual users but also power next-generation cloud
computing architectures. Rather than the considerable time
required to build a specialized distribution with
applications, most cloud computing infrastructures provide
ready-to-deploy virtual appliances to satisfy any need.
And because a virtual appliance is simply a file with a
wrapper (the XML description), it's easy to replicate and
distribute such appliances with all security and privacy
configurations.
In the future, clouds that are enabled by a
virtualization layer will provide new go-to-market
opportunities, and software appliances (software products
that integrate operating system and layered software into
an easily managed composite package that can be
deployed aboard industry-standard client or server
hardware, either on a virtual machine or directly on the
hardware) will help simplify this transition. Cloud
computing, in conjunction with software appliances, will
also create new business models that will allow companies
to sell a single product on premises, on demand, or in a
hybrid deployment model. While both of these
technologies remain relatively immature, it is necessary to
start understanding the new dynamics that will start to
emerge to sell software and hardware to end users.
Note: The software appliances market should exceed
revenue of $360.9 million by the end of 2010 and $1,184.4 billion
by the end of 2012. [11]
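The OVF item above lists verification and signing among the format's properties and notes that an appliance is a set of files with an XML wrapper. The sketch below is an added example, not code from the paper or from DMTF: it checks a package's manifest digests and confirms that every file the descriptor references is covered by the manifest. The package contents, the file names and the restriction to plain file names are constructed assumptions, and the signature check on the manifest itself (the package certificate) is out of scope.

```python
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"  # OVF 1.x envelope namespace
ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
MF_LINE = re.compile(r"^([A-Za-z0-9]+)\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Parse manifest lines of the form 'SHA256(name)= hex' into a dict."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MF_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        algo, name, digest = m.group(1).upper(), m.group(2), m.group(3).lower()
        if algo not in ALGOS:
            raise ValueError(f"unsupported digest algorithm: {algo}")
        # Assumption: package files sit next to the manifest, so any
        # directory component ('../x', '/abs/x') is rejected outright.
        if Path(name).name != name or name in (".", ".."):
            raise ValueError(f"unsafe file name in manifest: {name!r}")
        entries[name] = (algo, digest)
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so large disk images do not load into memory."""
    h = ALGOS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def referenced_files(ovf_path):
    """Return the ovf:href of every File element in the descriptor."""
    root = ET.parse(ovf_path).getroot()
    return [f.get(f"{{{OVF_NS}}}href") for f in root.iter(f"{{{OVF_NS}}}File")]


def verify_package(pkg_dir, ovf_name, mf_name):
    """Return a list of problems; an empty list means the package checks out."""
    pkg = Path(pkg_dir)
    entries = parse_manifest((pkg / mf_name).read_text())
    problems = []
    for name, (algo, expected) in entries.items():
        path = pkg / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif file_digest(path, algo) != expected:
            problems.append(f"digest mismatch: {name}")
    if ovf_name not in entries:
        problems.append(f"descriptor not in manifest: {ovf_name}")
    if problems:
        return problems  # do not parse a descriptor that failed its check
    for href in referenced_files(pkg / ovf_name):
        if href not in entries:
            problems.append(f"referenced file not in manifest: {href}")
    return problems


def build_sample_package(pkg_dir):
    """Write a constructed descriptor, disk file and manifest for the demo."""
    pkg = Path(pkg_dir)
    ovf = (f'<?xml version="1.0"?>\n<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">'
           '<References><File ovf:href="disk1.vmdk" ovf:id="file1"/></References>'
           '</Envelope>\n')
    (pkg / "appliance.ovf").write_text(ovf)
    (pkg / "disk1.vmdk").write_bytes(b"constructed disk image bytes\n")
    lines = [f"SHA256({n})= {file_digest(pkg / n, 'SHA256')}"
             for n in ("appliance.ovf", "disk1.vmdk")]
    (pkg / "appliance.mf").write_text("\n".join(lines) + "\n")


def demo():
    """Verify the sample package, then again after the disk file is modified."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_package(d)
        clean = verify_package(d, "appliance.ovf", "appliance.mf")
        with open(Path(d) / "disk1.vmdk", "ab") as f:
            f.write(b"bytes added after packaging")
        tampered = verify_package(d, "appliance.ovf", "appliance.mf")
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Digest checks only show that the files match the manifest; whoever can replace a file can usually replace the manifest too, so the manifest's signature has to be validated separately before these results mean anything.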
C. Security management models
This section describes twenty recommended security
management models and their requirements for cloud
computing that cloud service providers should definitely
consider as they develop or refine their compliance
programs.
1) Software-as-a-Service (SaaS) security: SaaS is the
dominant cloud service model for the foreseeable future
and the area where the most critical need for security
practices and oversight will reside. Just as with a managed
service provider, corporations or end users will need to
research vendors’ policies on data security before using
vendor services to avoid losing or not being able to access
their data. The technology analyst and consulting firm
Gartner lists [12] seven security risks which one should
discuss with a cloud-computing vendor:
- Privileged user access: Get as much information
as you can about the people who manage your
data. Ask providers to supply specific information
on the hiring and oversight of privileged
administrators, and the controls over their access.
- Regulatory compliance: Make sure that the
vendor is willing to undergo external audits and/or
security certifications.
- Data location: When you use the cloud, you
probably won't know exactly where your data is
hosted. In fact, you might not even know what
country it will be stored in. Ask providers if they
will commit to storing and processing data in
specific jurisdictions, and whether they will make a
contractual commitment to obey local privacy
requirements on behalf of their customers.
- Data segregation: Make sure that encryption is
available at all stages, and that these encryption
schemes were designed and tested by experienced
professionals.
- Recovery: Even if you don't know where your data
is, a cloud provider should tell you what will
happen to your data and service in case of a
disaster. Any offering that does not replicate the
data and application infrastructure across multiple
sites is vulnerable to a total failure. Ask your
provider if it has "the ability to do a complete
restoration, and how long it will take."
- Investigative support: Investigating inappropriate
or illegal activity may be impossible in cloud
computing. Cloud services are especially difficult
to investigate, because logging and data for
multiple customers may be co-located and may
also be spread across an ever-changing set of
hosts and data centers. If you cannot get a
contractual commitment to support specific forms
of investigation, along with evidence that the
vendor has already successfully supported such
activities, then the only safe assumption is that
investigation and discovery requests will be
impossible.
- Long-term viability: Ideally, your cloud
computing provider will never go broke or get
acquired and swallowed up by a larger company.
But you must be sure your data will remain
available even after such an event. Ask potential
providers how you would get your data back and
if it would be in a format that you could import
into a replacement application.
To address the security issues listed above, SaaS
providers will need to incorporate and enhance security
practices used by the managed service providers and
develop new ones as the cloud computing environment
evolves.
2) Security management (People): One of the most
important actions for a security team is to develop a formal
charter for the security organization and program. The
charter should be aligned with the strategic plan of the
organization or company the security team works for. Lack
of clearly defined roles and responsibilities, and agreement
on expectations, can result in a general feeling of loss and
confusion among the security team about what is expected
of them, how their skills and experience can be leveraged,
and meeting their performance goals.
3) Security governance: A security steering committee
should be developed whose objective is to focus on
providing guidance about security initiatives and alignment
with business and IT strategies. This committee must
clearly define the roles and responsibilities of the security
team and other groups involved in performing information
security functions.
4) Risk management: Risk management entails
identification of technology assets [13]; identification of
data and its links to business processes, applications, and
data stores; and assignment of ownership and custodial
responsibilities. Actions should also include maintaining a
repository of information assets. Owners have authority
and accountability for information assets including
protection requirements, and custodians implement
confidentiality, integrity, availability, and privacy controls.
5) Risk assessment: Security risk assessment is critical to
helping the information security organization make
informed decisions when balancing the dueling priorities of
business utility and protection of assets [14][15]. A formal
information security risk management process should
proactively assess information security risks as well as plan
and manage them on a periodic or as-needed basis. More
detailed and technical security risk assessments in the form
of threat modeling should also be applied to applications
and infrastructure.
6) Security awareness: People are the weakest link for
security. Knowledge and culture are among the few
effective tools to manage risks related to people. Not
providing proper awareness and training to the people who
may need them can expose the company to a variety of
security risks for which people, rather than system or
application vulnerabilities, are the threats and points of
entry. Social engineering attacks, lower reporting of and
slower responses to potential security incidents, and
inadvertent customer data leaks are all possible and
probable risks that may be triggered by lack of an effective
security awareness program.
7) Education and training: Programs should be developed
that provide a baseline for providing fundamental security
and risk management skills and knowledge to the security
team and their internal partners. This entails a formal
process to assess and align skill sets to the needs of the
security team and to provide adequate training and
mentorship, providing a broad base of fundamental
security, inclusive of data privacy, and risk management
knowledge.
8) Policies and standards: Many resources and templates
are available to aid in the development of information
security policies and standards. A cloud computing
security team should first identify the information security
and business requirements unique to cloud computing,
SaaS, and collaborative software application security.
Policies should be developed, documented, and
implemented, along with documentation for supporting
standards and guidelines. To maintain relevancy, these
policies, standards, and guidelines should be reviewed at
regular intervals or when significant changes occur in the
business or IT environment.
9) Third party risk management: Lack of a third-party risk
management program may result in damage to the
provider’s reputation, revenue losses, and legal actions
should the provider be found not to have performed due
diligence on its third-party vendors.
10) Vulnerability assessment: Classifies network assets to
more efficiently prioritize vulnerability-mitigation programs,
such as patching and system upgrading.
11) Security image testing: Virtualization-based cloud
computing provides the ability to create “Test image” VM
secure builds and to clone multiple copies. Gold image VMs
also provide the ability to keep security up to date and
reduce exposure by patching offline. Offline VMs can be
patched off-network, providing an easier, more cost-
effective, and less production-threatening way to test the
impact of security changes.
12) Data governance: This framework should describe
who can take what actions with what information, and
when, under what circumstances, and using what methods.
13) Data security: Security will need to move to the data
level so that enterprises can be sure their data is protected
wherever it goes. For example, with data-level security, the
enterprise can specify that this data is not allowed to go
outside of the European Union. It can also force encryption
of certain types of data, and permit only specified users to
access the data. It can provide compliance with the
Payment Card Industry Data Security Standard (PCI DSS).
14) Application security: This is where the security
features and requirements are defined and application
security test results are reviewed. Application security
processes, secure coding guidelines, training, and testing
scripts and tools are typically a collaborative effort
between the security and the development teams.
Although product engineering will likely focus on the
application layer, the security design of the application
itself, and the infrastructure layers interacting with the
application, the security team should provide the security
requirements for the product development engineers to
implement.
15) Virtual machine security: In the cloud environment,
physical servers are consolidated to multiple virtual
machine instances on virtualized servers. Not only can data
center security teams replicate typical security controls for
the data center at large to secure the virtual machines, they
can also advise their customers on how to prepare these
machines for migration to a cloud environment when
appropriate.
16) Identity Access Management (IAM): Identity and
access management is a critical function for every
organization, and a fundamental expectation of SaaS
customers is that the “principle of least privilege” is
granted to their data. The principle of least privilege states
that only the minimum access necessary to perform an
operation should be granted, and that access should be
granted only for the minimum amount of time necessary.
17) Change management: The security team can create
security guidelines for standards and minor changes, to
provide self-service capabilities for these changes and to
prioritize the security team’s time and resources on more
complex and important changes to production.
18) Physical security: Since customers lose control over
physical assets, the security model may need to be
reevaluated. The concept of the cloud can be misleading at
times, and people forget that everything is somewhere
actually tied to a physical location. The massive investment
required to build the level of security required for physical
data centers is the prime reason that companies don’t build
their own data centers, and one of several reasons why
they are moving to cloud services in the first place. Some
sample control mechanisms:
- 24/7/365 onsite security.
- Biometric hand geometry readers.
- Security cameras should monitor activity
throughout the facility.
- Heat, temperature, air flow, and humidity should
all be kept within optimum ranges for the computer
equipment.
- Policies, processes, and procedures are critical
elements of successful physical security that can
protect the equipment and data housed in the
hosting center.
19) Disaster recovery: In the SaaS environment, customers
rely heavily on 24/7/365 access to their services and any
interruption in access can be catastrophic. Using
virtualization software, a virtual server can be copied, backed
up, and moved just like a file (live migration). Benefits are:
- Quickly reallocating computing resources without
any downtime
- Ability to deliver on service-level agreements and
provide high-quality service
20) Data privacy: A privacy steering committee should
also be created to help make decisions related to data
privacy. The security compliance team, if one even exists,
will not have formalized training on data privacy. The
answer is to hire a consultant in this area, hire a privacy
expert, or have one of your existing team members trained
properly. This will ensure that your organization is
prepared to meet the data privacy demands of its customers
and regulators.
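Items 13 (Data security) and 16 (IAM) above describe rules that travel with the data: keep it inside allowed regions, force encryption, permit only specified users, and grant access for the minimum time. The following is an added sketch of such a data-level policy check, not code from the paper; the class names, region labels, user names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    actions: frozenset
    not_after: datetime  # least privilege in time: access ends here


@dataclass
class StickyPolicy:
    allowed_regions: frozenset  # where the data may be stored or sent
    require_encryption: bool    # at rest and in transit
    grants: list = field(default_factory=list)


@dataclass
class DataObject:
    name: str
    region: str
    encrypted_at_rest: bool
    policy: StickyPolicy


@dataclass(frozen=True)
class Request:
    user: str
    action: str  # "read" or "transfer"
    when: datetime
    channel_encrypted: bool
    dest_region: str = ""  # only meaningful for "transfer"


def grant_temporary(policy, user, actions, now, ttl):
    """Add a grant limited to the named actions that expires after ttl."""
    grant = Grant(user, frozenset(actions), now + ttl)
    policy.grants.append(grant)
    return grant


def authorize(obj, req):
    """Return (allowed, reason). Deny by default; every rule must pass."""
    policy = obj.policy
    matching = [g for g in policy.grants
                if g.user == req.user and req.action in g.actions]
    if not matching:
        return False, "no grant for this user and action"
    if all(req.when > g.not_after for g in matching):
        return False, "grant expired"
    if obj.region not in policy.allowed_regions:
        return False, "object stored outside allowed regions"
    if policy.require_encryption and not (obj.encrypted_at_rest
                                          and req.channel_encrypted):
        return False, "encryption required"
    if req.action == "transfer" and req.dest_region not in policy.allowed_regions:
        return False, "destination outside allowed regions"
    return True, "ok"


def demo():
    """Evaluate six constructed requests against one EU-only, encrypted object."""
    t0 = datetime(2010, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed time
    policy = StickyPolicy(frozenset({"eu-west", "eu-central"}), True)
    record = DataObject("cardholder-export.csv", "eu-west", True, policy)
    grant_temporary(policy, "alice", {"read", "transfer"}, t0, timedelta(hours=1))
    grant_temporary(policy, "bob", {"read"}, t0, timedelta(hours=1))
    soon = t0 + timedelta(minutes=5)
    requests = [
        Request("alice", "read", soon, True),
        Request("alice", "transfer", soon, True, "eu-central"),
        Request("alice", "transfer", soon, True, "us-east"),
        Request("alice", "read", soon, False),
        Request("bob", "transfer", soon, True, "eu-central"),
        Request("alice", "read", t0 + timedelta(hours=2), True),
    ]
    return [authorize(record, r)[1] for r in requests]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```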
III. CONCLUSION
We have argued that it is very important to take security
and privacy into account when designing and using cloud
services. In this paper security in cloud computing was
elaborated in a way that covers security issues and
challenges, security standards and security management
models.
- Security issues indicate potential problems which
might arise.
- Security standards offer some kind of security
templates which cloud service providers (CSP)
could obey. The most promising standard for the
future would be OVF format which promises
creation of new business models that will allow
companies to sell a single product on premises, on
demand, or in a hybrid deployment model.
- Security management models offer
recommendations based on security standards
and best practices. [16]
These are all very important topics which will
certainly be discussed in the upcoming years of cloud
computing. Based on an IDC survey [17] the security and
vulnerability market should exceed revenue of $4.4 billion
by the end of 2013, with a climbing annual growth rate
resulting in a compound annual growth rate (CAGR) of
10.8%. This survey shows that products that fall within the
security and vulnerability management market will remain in
high demand.
REFERENCES
[1] International Data Corporation, http://blogs.idc.com/ie/wp-content/uploads/2009/12/idc_cloud_challenges_2009.jpg, 2009
[2] Information Technology Infrastructure Library, http://www.itil-officialsite.com/home/home.asp
[3] International Organization for Standardization, http://www.iso.org/iso/home.htm
[4] Distributed Management Task Force, http://www.dmtf.org/standards/published_documents/DSP2017_1.0.0.pdf, 22.02.2009
[5] M. Casassa-Mont, S. Pearson and P. Bramhall, “Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services”, Proc. DEXA 2003, IEEE Computer Society, 2003, pp. 377-382
[6] https://www.pcisecuritystandards.org/index.shtml
[7] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard, 24 January 2010
[8] J. Salmon, “Clouded in uncertainty – the legal pitfalls of cloud computing”, Computing, 24 Sept 2008, http://www.computing.co.uk/computing/features/2226701/clouded-uncertainty-4229153
[9] S. Pearson, “Taking Account of Privacy when Designing Cloud Computing Services”, CLOUD’09, May 23, 2009, Vancouver, Canada
[10] Wikipedia, 20 January 2010, http://en.wikipedia.org/wiki/Personally_identifiable_information
[11] International Data Corporation, B. Waldman, A. Gillen, http://www.novell.com/rc/docrepository/public/37/basedocument.2009-07-28.4081031793/IDC-The%20Market%20for%20Software%20Appliances_en.pdf, July 2009
[12] Gartner: Seven cloud-computing security risks, 02 July 2008, http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853?page=0,0
[13] Wikipedia, 6 February 2010, http://en.wikipedia.org/wiki/Risk_management
[14] Wikipedia, 27 January 2010, http://en.wikipedia.org/wiki/Risk_assessment
[15] D. Catteddu, Giles Hogben: European Network and Information Security Agency, November 2009, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
[16] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, http://www.cloudsecurityalliance.org/, December 2009
[17] International Data Corporation, Worldwide Security and Vulnerability Management 2009–2013 Forecast and 2008 Vendor Shares, http://vulnerabilitymanagement.com/docs/IDC_MA_2009.pdf