IT Risk Management and Cloud Computing


Question:

Discuss IT Risk Management and Cloud Computing.

Answer:

Introduction:

The IT landscape has undergone a massive revolution in the past few years and is still in a constant phase of change (www.economist.com, 2011). A number of buzzwords have emerged in the field of IT, and one of them is Cloud Computing. It refers to the use of a network, most commonly the Internet, for the execution of services such as access, storage, management and transfer of information. This form of computing was earlier applicable to utility computing, with a view to improving the practices, economics and agility of IT. With the setup of virtual data centres over the years, cloud computing evolved into the industrialization of IT. In the present era, the cloud is being used in the digital journey of the IT world. Cloud computing has expanded in the changing IT landscape by establishing itself through Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) (Wladawsky-Berger, 2016). There is a widely accepted security model in Information Technology known as the CIA Triad. It stands for Confidentiality, Integrity and Availability of information and holds that all three must be protected in every IT environment (www.doc.ic.ac.uk, 2016).

Cloud Computing has been home to a number of security risks and threats which aim to violate the three pillars of the CIA Triad. Data breaches are one of the most severe security risks, owing to the huge volume of data present in cloud storage. Intruders gain unauthorized access to the secure environment and may misuse the information gained from the system. The prime causes of data breaches are advanced forms of attack and compromised credentials. Private keys, passwords and credentials are often shared by users, intentionally or out of ignorance, with a party that may misuse them. This leads to another form of risk, termed broken authentication. Interfaces and APIs are used by all IT teams and departments to access the services provided by the cloud. These interfaces and APIs are often attacked to break into the system, and the involvement of third parties makes them an easy route. Resource sharing is one of the prime features of cloud computing and involves the sharing of databases, memory and several other IT components. This opens the path for exploited system vulnerabilities (Rashid, 2016). Malware injection is a security risk that has existed for a long time and has kept evolving with the invention of newer and more advanced malware. Attacks by viruses, logic bombs, worms and Trojans can cause great loss to the information held within the system. Denial of Service and Distributed Denial of Service attacks are launched against the cloud service by flooding it with unwanted data, which hampers its functionality and makes it unavailable to legitimate users. Advanced Persistent Threats (APTs) are parasitical forms of attack that infiltrate systems to establish a foothold and then stealthily exfiltrate data and intellectual property over an extended period. Impersonation attacks, such as spam emails, phishing and the like, gain the trust of the user by posing as an authenticated source and acquire important information which is then misused. Man-in-the-middle attacks also occur frequently in a cloud environment.

These risks and threats can have varying degrees of severity, depending largely on the category of information that is exposed to the attacker or intruder. If critical and private information is acquired in a successful attack, the consequences can be extremely severe, as it may result in legal action against the victim organization. The scenario is less severe if the information collected is public in nature.

A number of advancements are being made to improve security mechanisms and give organizations the ability to fight these risks in cloud computing. The first and foremost step is to set up improved architectural security, with advancements in components such as access management, network security and security APIs. Organizations must also ensure that effective governance and compliance processes exist in the form of legal and regulatory policies. Periodic audits of these operations and business processes must also be carried out to understand the level of security and report it to senior management. Identity management must also be automated and improved to grant user privileges and to provide advanced authentication. One-time passwords (OTPs), Single Sign-On and Single Sign-Off must also be incorporated. Data protection through the creation of a data asset catalog and the application of identity and access management principles to all forms of data can also be very effective. Advanced intrusion detection and prevention on the network, traffic screening and denial of service protection can aid network security. Enhancement of physical security, use of firewalls and up-to-date anti-malware software can also make it difficult for attackers to break the system's security (www.cloud-council.org, 2015).

Security Patches

A patch is a piece of software specifically designed to fix a defect or bug encountered in a program. With the advancement of technology there has been an increase in security attacks on systems, and when such an event occurs, patches are developed to fix the damaged component without affecting the performance of the entire system. Earlier, the approach to installing patches was largely based on the technique of Install and Forget: once designed, patches were installed and never monitored thereafter. This is no longer applicable in the present era, given the vastness and criticality of the data and information involved (Chan, 2016).

Patch Management is the newer concept and approach that organizations use to decide whether a patch is worth installing, and it also suggests a step-by-step methodology for doing so. The first step in the process is the estimation of the risk of patching versus not patching, together with the collection of data from various sources to form a baseline. On the basis of those results, a test environment is created in the second step of the patch management process. This test environment comprises mission-critical applications and test servers and is used to analyze the functionality of the patch that has been developed in the real environment. Any defects encountered in this activity are recorded, and the patch is improved by rectifying them. Step three involves the preparation of a back-out plan, in which a backup of the entire data is made along with the disaster and recovery strategy. The next step is patch evaluation and collection, which determines the prerequisites, requirements and critical areas of the patch. Patch distribution and installation functions are also determined in this step. The next step involves configuration management associated with the patch and the target system. Once the patch has been thoroughly tested and qualifies for deployment, it has to be approved by the business owners and documented as well. All the details that arise during the deployment of the patch must also be covered in the document or report for that particular patch. The last step is patch rollout and maintenance, which deploys and releases the patch in the production environment and deals with post-production issues and functions (www.sans.org, 2016).

References

Chan, J. (2016). Patchmanagement.org. Retrieved 11 August 2016, from http://www.patchmanagement.org/pmessentials.asp

Rashid, F. (2016). The dirty dozen: 12 cloud security threats. InfoWorld. Retrieved 11 August 2016, from http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html

Wladawsky-Berger, I. (2016). The Continuing Evolution of Cloud Computing. WSJ. Retrieved 11 August 2016, from http://blogs.wsj.com/cio/2015/12/04/the-continuing-evolution-of-cloud-computing/

www.cloud-council.org. (2015). Security for Cloud Computing Ten Steps to Ensure Success. Retrieved 11 August 2016, from http://www.cloud-council.org/deliverables/CSCC-Security-for-Cloud-Computing-10-Steps-to-Ensure-Success.pdf

www.doc.ic.ac.uk. (2016). The CIA principle. Doc.ic.ac.uk. Retrieved 11 August 2016, from http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm

www.economist.com. (2011). iConsumers. The Economist. Retrieved 11 August 2016, from http://www.economist.com/blogs/babbage/2011/05/technologys_changing_landscape

www.sans.org. (2016). Sans.org. Retrieved 11 August 2016, from https://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206
