Discuss the Cloud Storage Service in Amazon.
Organizations use cloud storage services to maintain, manage and back up their data. The service provider makes these data available to the organization over a network. Various companies provide this service, among which Amazon Web Services (AWS) is a popular one. Organizations mainly pay a monthly rate per consumption for the service, which is lower than the cost of building the infrastructure needed to support their own data systems. However, the security of cloud storage is under continuous debate because of issues that recently arose in AWS. Some of the web services provided by AWS went down for four hours in September 2015, causing the affected companies tremendous financial and data loss. Among the websites that faced major losses were Netflix, Slack, Trello, Quora and Business Insider.
The remainder of the report gives an overview of the causes of the issue. It primarily focuses on ISO/IEC 27014, a certification that provides for information security. Companies use it for monitoring, evaluating and communicating information security within the organization. The later part of the report provides the solutions required to avoid such issues in future.
Causation of the Issue
The AWS outage of September 2017 was caused by a problem with the metadata service that Amazon's DynamoDB uses for partitioning. A network disruption critically affected DynamoDB's ability to communicate with the metadata service. This type of situation usually occurs when a single partition is accessed frequently while the other partitions are left idle. The DynamoDB issue was soon resolved, but that recovery created the actual issue: a large number of storage servers simultaneously tried to load their metadata as soon as DynamoDB was recovered. This created an overload of traffic, so the metadata service's responses exceeded the retrieval and transmission time allowed by the storage servers, which caused the storage servers to reject further requests. The result was a shutdown of the servers. The effect then cascaded through the AWS system and dragged down the other services that use DynamoDB to store their internal tables. Several attempts to increase the capacity of the metadata service in order to reduce the load failed. Only after six hours were the engineers able to increase the capacity of the metadata service significantly and bring the storage servers back to full operation (dailymail.co.uk 2017).
The disruption that occurred can be resolved by following one or more of the procedures mentioned below.
The first method is the one AWS used to solve the issue that occurred: temporarily increasing the amount of read or write capacity for the partitions in order to absorb short-term spikes or bursts. The organization then needs to reduce the capacity again once the workload has subsided (Niranjanamurthy et al. 2014). The second method is to implement error retries with exponential back-off, which leaves a progressively longer gap between retries for consecutive error responses (Amazon Web Services 2017). Thirdly, organizations should distribute read and write operations as evenly across the table as possible to avoid such a breakdown (Dimovski 2013). Lastly, implementing ElastiCache comes in handy where static data are accessed frequently: a well-designed cache can serve query results efficiently and quickly (Stenberg 2016).
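The following is an added example, not code from the report or from AWS, showing the second and third mitigations above: a retry loop with capped exponential back-off and jitter around a call that is being throttled, and a write-sharding helper that spreads one hot partition key over several physical partitions. The table, error class and key names are constructed for illustration; a real client would wrap the DynamoDB SDK call instead of the simulated put.

```python
import hashlib
import random
import time

class ThrottledError(Exception):
    """Constructed stand-in for DynamoDB's ProvisionedThroughputExceededException."""

class SimulatedTable:
    """Constructed stand-in for a table that throttles its first `throttle_n` calls."""
    def __init__(self, throttle_n):
        self.throttle_n, self.calls = throttle_n, 0

    def put(self):
        self.calls += 1
        if self.calls <= self.throttle_n:
            raise ThrottledError("throughput exceeded")
        return "ok"

def call_with_backoff(op, max_attempts=6, base=0.05, cap=2.0,
                      sleep=time.sleep, rng=random.random):
    """Run op(); on ThrottledError wait base * 2**attempt seconds (capped, with
    full jitter) and retry. Returns (result, attempts_used); re-raises once
    max_attempts throttled responses have been seen."""
    for attempt in range(max_attempts):
        try:
            return op(), attempt + 1
        except ThrottledError:
            if attempt == max_attempts - 1:
                raise
            # Full jitter: a random fraction of the capped exponential delay, so
            # clients recovering together do not retry in lock-step.
            sleep(min(cap, base * 2 ** attempt) * rng())

def shard_key(partition_key, item_id, shard_count):
    """Write sharding: derive a suffix from the item id so items under one hot
    logical key are spread over `shard_count` physical partition keys."""
    digest = hashlib.sha256(item_id.encode()).digest()
    return f"{partition_key}#{int.from_bytes(digest[:4], 'big') % shard_count}"

def all_shards(partition_key, shard_count):
    """Keys a reader must query and merge to see every item under the logical key."""
    return [f"{partition_key}#{i}" for i in range(shard_count)]

def demo():
    """Deterministic run: three throttled responses, then success on attempt 4."""
    sleeps = []
    table = SimulatedTable(throttle_n=3)
    result, attempts = call_with_backoff(table.put, sleep=sleeps.append, rng=lambda: 1.0)
    return result, attempts, sleeps
```

With the jitter fixed at 1.0, demo() shows the delays growing 0.05, 0.1, 0.2 seconds before the fourth attempt succeeds; in production the random factor spreads a burst of recovering clients across that window.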
AWS received the ISO/IEC 27001 certification in 2010. The standard was developed with the purpose of protecting organizations' information assets (Azuwa et al. 2012), which in turn helps companies develop countermeasures to IS-related vulnerabilities (Humphreys 2016). One can view it as an overall measure that combines risk management, security management, governance and compliance. The function of ISO/IEC 27001 extends to ensuring that the right people, processes and technologies are in place, and it provides a proactive approach to managing security and risk (Disterer 2013). The publication of this standard, a revision of BS 7799-2, was a major event in the world of information security (Sheikhpour and Modiri 2012; Anttila et al. 2012).
The standard has a number of benefits that help resolve issues commonly faced by IT companies. ISO/IEC 27001 helps a company produce a framework for managing information security risk, which further ensures that the company takes legal and regulatory requirements into account (Hoy and Foley 2015). It also involves continual improvement, engaging the company to regularly review the effectiveness of its information security management system and to take action to address emerging security risks. It also makes information easily accessible to authorized users when they require it (Susanto, Almunawar and Tuan 2012).
However, ISO/IEC 27001 has several identifiable drawbacks. Firstly, firms can set their own specification for the security management system (Kharchenko et al. 2012): it is up to the company to set its own high-jump bar, and there is no clear regulation controlling the matter. Secondly, the branding associated with certification does not identify its scope, which often misleads customers into thinking that the whole organization is certified rather than a specific part of it (Gürkaynak, Yilmaz and Taskiran 2014). Lastly, it gives a competitive advantage in business-to-business relationships but is unlikely to influence business-to-customer relationships (Mesquida and Mas 2015).
ISO/IEC 27014 is the outcome of a joint effort by the ITU Telecommunication Standardization Sector and ISO/IEC JTC 1/SC 27, with the aim of helping organizations govern their information security arrangements (Techio and Misaghi 2015; Mahncke and Williams 2012). It provides guidance on the concepts and principles for the governance of information security (Rebollo et al. 2015). Organizations can use it for evaluating, directing, monitoring and communicating information security related activities within the organization (Kaster and Sen 2014; Campbell 2016). It further ensures the alignment of information security with the strategies and objectives undertaken by the business. Visibility, agility, efficiency, effectiveness and compliance become easier to achieve using this standard (Huang, Farn and Lin 2012).
This standard provides six principles to guide organizations throughout their operations, which can potentially defend the organization from both external and internal threats (Καραμανλής and Karamanlis 2016; Jung and Kim 2015). The principles are:
- Establish organization-wide information security.
- Adopt a risk-based approach.
- Set the direction of investment decisions.
- Ensure conformance with internal and external requirements.
- Foster a security-positive environment (Whitman and Mattord 2012).
- Review performance in relation to business outcomes (Rebollo, Mellado and Fernandez-Medina 2014).
Organizations receive a number of benefits from using ISO/IEC 27014. Primarily, it helps align information security with the strategy and goals of the organization. Secondly, it can increase the value delivered to stakeholders and the board. The third benefit comes from effective risk management that identifies and reduces possible forthcoming threats. Moreover, the standard helps the organization raise awareness at all levels of the board. It enables the board members to take a flexible approach to risk decision making, to invest efficiently and effectively in information security, and to comply with standards, regulations and agreements.
Recommendation and Conclusion
The company increased the capacity of its metadata service to solve the issue that occurred in the system. However, it could have prevented the situation from ever occurring by taking the other necessary steps mentioned in the report. The third solution referred to in the solution section can help AWS take precautions and prevent the breakdown from ever occurring. Moreover, the company follows ISO/IEC 27001, which has several shortcomings in securing information assets. This standard gives the organization a level of freedom in setting the high-jump bar that exposes the company and threatens the security of the system. The later standard ISO/IEC 27014 is free of these shortcomings and provides potential security to the data system. Hence, it can be concluded from the report that the issue that occurred at AWS could have been avoided if the necessary precautions narrated in the report had been taken. Moreover, the use of an outdated standard resulted in this failure and needs modification.
References
Amazon Web Services, Inc., 2017. Resolve Issues with Throttled DynamoDB Tables. [online] Available at: https://aws.amazon.com/premiumsupport/knowledge-center/throttled-ddb/ [Accessed 28 Oct. 2017].
Anttila, J., Jussila, K., Kajava, J. and Kamaja, I., 2012, August. Integrating ISO/IEC 27001 and other managerial discipline standards with processes of management in organizations. In 2012 Seventh International Conference on Availability, Reliability and Security (ARES) (pp. 425-436). IEEE.
Campbell, T., 2016. Standards, Frameworks, Guidelines, and Legislation. In Practical Information Security Management (pp. 71-93). Apress.
dailymail.co.uk, 2017. Amazon's cloud service partial outage affects certain websites. [online] Available at: https://www.dailymail.co.uk/sciencetech/article-4268850/Amazons-cloud-service-partial-outage-affects-certain-websites.html [Accessed 28 Oct. 2017].
Dimovski, D., 2013. Database management as a cloud-based service for small and medium organizations (Doctoral dissertation, Masarykova univerzita, Fakulta informatiky).
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), p.92.
Gürkaynak, G., Yilmaz, I. and Taskiran, N.P., 2014. Protecting the communication: Data protection and security measures under telecommunications regulations in the digital age. Computer law & security review, 30(2), pp.179-189.
Hoy, Z. and Foley, A., 2015. A structured approach to integrating audits to create organisational efficiencies: ISO 9001 and ISO 27001 audits. Total Quality Management & Business Excellence, 26(5-6), pp.690-702.
Huang, C.C., Farn, K.J. and Lin, F.Y.S., 2012. A study on ISMS policy: importing personal data protection of ISMS. Journal of Computers, 23(1), pp.35-41.
Humphreys, E., 2016. Implementing the ISO/IEC 27001: 2013 ISMS Standard. Artech House.
Jung, J. and Kim, J., 2015, August. A Study on Developing Framework for Information Privacy Protection. In Proceedings of the 17th In
Kaster, P. and Sen, P.K., 2014, September. Power Grid cyber security: Challenges and impacts. In 2014 North American Power Symposium (NAPS) (pp. 1-6). IEEE.
Kharchenko, V., Siora, A., Andrashov, A. and Kovalenko, A., 2012. Cyber security of FPGA-based NPP I&C systems: Challenges and solutions. In Proceedings of the 8th International Conference on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies (NPIC & HMIT 2012). San Diego, CA: NPIC & HMIT.
Καραμανλής, Μ. and Karamanlis, M., 2016. Information Security Management System toolkit (Master's thesis, Πανεπιστήμιο Πειραιώς).
Mahncke, R. and Williams, P., 2012. Developing governance capability to improve information security resilience in healthcare.
Mesquida, A.L. and Mas, A., 2015. Implementing information security best practices on software lifecycle processes: The ISO/IEC 15504 Security Extension. Computers & Security, 48, pp.19-34.
Azuwa, M.P., Ahmad, R., Sahib, S. and Shamsuddin, S., 2012. Technical security metrics model in compliance with ISO/IEC 27001 standard. The Society of Digital Information and Wireless Communication.
Niranjanamurthy, M., Archana, U.L., Niveditha, K.T., Abdul Jafar, S. and Shravan, N.S., 2014. The Research Study on DynamoDB–NoSQL Database Service.
Rebollo, O., Mellado, D. and Fernandez-Medina, E., 2014. ISGcloud: a security governance framework for cloud computing. The Computer Journal, 58(10), pp.2233-2254.
Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, pp.44-57.
Sheikhpour, R. and Modiri, N., 2012. A best practice approach for integration of ITIL and ISO/IEC 27001 services for information security management. Indian Journal of Science and Technology, 5(2), pp.2170-2176.
Stenberg, J., 2016. Snapple: A distributed, fault-tolerant, in-memory key-value store using Conflict-Free Replicated Data Types.
Susanto, H., Almunawar, M.N. and Tuan, Y.C., 2012. Information security challenge and breaches: novelty approach on measuring ISO 27001 readiness level. International Journal of Engineering and Technology. IJET Publications UK, 2(1).
Techio, L.R. and Misaghi, M., 2015, May. EMSCLOUD: an evaluative model of cloud services cloud service management. In 2015 Fifth International Conference on Innovative Computing Technology (INTECH) (pp. 100-105). IEEE.
Whitman, M.E. and Mattord, H.J., 2012. Information Security Governance for the Non-Security Business Executive. Journal of Executive Education, 11(1).