Describe the Cloud Computing For Resource Isolation and Foirewall.
MS SQL server databases usually contain its own security features where each and every logical database is developed using access features such as usernames and passwords. However, these features are not enough when this critical element is moved to a foreign system consisting of public IaaS structures. The transferred content can be intercepted and interfered with thus affect the integrity of the data. Furthermore, IaaS offers extended control to the subscriber which can be exploited by intruders to affect other various systems of an organization or user (Marston, Li, Bandyopadhyay, Zhang, & Ghalsasi, 2011). Therefore, the following security components are recommended for the IaaS instance holding the MS SQL servers.
Resource isolation (hypervisor) – this security feature will isolate the IaaS instance based on the privilege levels given to the users. In this case, the employees and management of Webb’s Store will hold different access level based on their roles which enhances system accountability (Magalhaes, 2015).
Firewall – an inbound and deny all default firewall should be used, where all traffic coming into the instances is automatically denied entry unless it's outlined as an exemption in the access policy. Furthermore, traffic restrictions can be outlined using protocols, access ports and IP addresses.
Elastic storage blocks – in this feature, all the IaaS storage instances are isolated and the access is restricted based on the access levels. Moreover, data is encrypted across the channels used to improve the integrity of data used (Mogull, 2017).
Data encryption – serving as the single most important security feature, the communication and data transfer between the subscribing organization and the IaaS instance should be done via secured channels based on the encryption of data. Through this security feature, the verified users access and understand the data used.
Benefits and risks of implementing the IaaS security features
Rapid deployment of services – As an enterprise, Webb’s Stores requires to offer satisfactory services to its customers an outcome that is highly dependent on time. The security features outlined above ensure that the services provided to Webb’s customers are given using any platform as the security is in place. Therefore, minimal security resources for the host devices are needed.
Cost saving – top-notch security features minimizes system damages such as server crashes and network congestion. Therefore, the subscriber uses minimal resources to maintain and even restores damaged resources as they are in low amounts (Siasmsp, 2015).
Server and system virtualization – this is a substantial benefit as the subscriber is able to take advantage of all the conveniences of virtualization. In essence, with good security, the users can expand operations based on the flexibility, mobility and scalability features of virtualization (Shinder, 2011).
Conflicting security features – some security features will monitor systems for any variations and either report or mitigate them based on the configured parameters. This process can become a hindering factor if one security feature identifies another as an anomaly hence mitigate its functionalities (eSecurity, 2017).
Data privacy and security – most security features will require the users to verify their identity using their confidential information. This requirement greatly exposes the sensitive data owned by the user and if accessed by the wrong individuals can lead to severe damages.
Complex configuration – IaaS security features and those of cloud computing, in general, require complex implementation procedures which sometimes confuses the users. This outcome has been known to cause several data breaches as the user is not fully aware of the configurations needed to secure the cloud resource instance (Braddy, 2014).
Risks of migrating the database to the cloud
Data security – while it is true that most CSP offers better security features as compared to in-house resources, the move towards a foreign environment is always associated with many data security risks. For one, the data is stored in unknown locations and also by unknown individuals who may hold sinister objectives. Furthermore, the database systems are accessed using public channels (internet) thus can be intercepted affecting the integrity of the entire storage system (Braddy, 2014).
Complex migration process – consider the MS SQL server instance outlined in this case study where organization having more than 600 employees and several business branches migrates its entire database to a cloud infrastructure. This process would require extensive procedures to ensure all the data is migrated and has the necessary operational requirements. Therefore, there will always be a substantial risk of losing some the components during the migration process.
Database compatibility – based on the DB language and system used, the subscriber resources can fail to align with those of the CSP. If so, the functionalities of the database system can be affected which will result in poor service delivery (Healy, 2015).
Loss of system control – a contentious issue in cloud computing where the ultimate control of the cloud service is unknown. In essence, the question of whether the subscriber or CSP control the overall system emerges. Furthermore, as the IaaS resources are transferred using the online infrastructure the subscriber is unable to tag or track them. Therefore, a resource can be lost online unknowingly only to be discovered when they are needed (Whitehouse, 2017).
Instance downtime – considering that the IaaS infrastructure is supported by the internet, its operations are therefore usually dependent on the functionalities of this resource. In this case, the subscriber has to consider factors such as latency, bandwidth and goodput among many other factors. Now, in case of internet downtime, the entire IaaS infrastructure is deemed inaccessible which would defiantly halt business operations.
System complexity – while one may argue that the complexity exhibited by cloud resources improve the security, the same feature affect the conveniences of cloud computing. This complexity forces an organization to acquire specialized teams in order to minimize these complexities more so, for the business-end operations (Healy, 2015).
Communication between Webb’s Stores and CSP
Cybercrime – the communication between the CSP and Webb’s Stores will be conducted using the internet which is an open and public channel. This channel will have many users having different objectives, some of which are meant to disrupt other people’s functionalities. Therefore, the two parties will have to contend with fact that their communication processes may be intercepted and interfered with using different intrusion mechanisms e.g. malware attacks (Whitehouse, 2017).
Extended system intrusion – intruders can use the log files of the communication process to acquire access to the subscriber systems (on-premise resources). Therefore, while cybercrime is a risk affecting the online services, the compromises made in this process can affect the offline resources the main problem outlined by this risk (King, 2016).
Risks and Issues of cloud backups and archival services
Backing up data
System outages – a backup facility should serve as an impromptu resource for storing sensitive data for future recovery procedures. Therefore, as an operational resource, backup facilities must always be available. However, this requirement is not guaranteed in cloud computing as online systems can go offline (King, 2016).
Backup window – a quick comparison between the cloud backups and in-house backups (tapes) reveals the time differences used to store the backup records. In essence, the in-house resources can backup records at fast speeds as they are physically connected to the data itself. However, cloud resources are subject to internet speeds, which alters the overall backup functionality.
Size limitations – the bandwidth offered to the subscriber will determine the capacity of information transferred to the backup facility. Moreover, the cloud resource may be limited in size based on the lease agreements (Healy, 2015).
Storage of data
Data security – as stated before, the cloud resources are subject to the security limitations of online facilities. Therefore, data stored in cloud resources is usually subject to these limitations. Moreover, the data is also stored in unknown locations which intensify the risk at hand as unknown operations can be conducted on it (Prinzlau, 2017).
Data breaches/leakage – many organization today have held back on adopting cloud storage facilities due to the fear of losing their information through data leaks. Now, this outcome (data leaks) is caused by the nature of the cloud facility which exists as a multi-user environment, having shared resources. Therefore, the structures operated by the CSP can conflict exposing users’ information.
Minimal data control – in-house storage facility will enable users to track data in all the operations executed. However, the same functionality is limited when using cloud resources as the subscriber cannot track all the resources used.
Retrieving data from the cloud
Seeding and retrieval time – an extended period of time can be spent on retrieving the data stored in cloud facilities because of the limitations of size given to the subscriber based on the service agreements given. Moreover, the same problem can be caused by the limitations of online facilities such as outages and bandwidth limitations.
Lack of service level agreements – some performance parameters are not guaranteed by the CSP because they do not fall within their service agreements. These parameters include bandwidth, connection networks and online accessibility. These elements can hinder the data retrieval process as they occur as independent variables not supported by the CSP.
System intrusions – On the other hand, during the retrieval process, the subscriber gives the CSP ultimate access to the on-premise equipment in order to acquire the necessary data. This access can be exploited by intruders after compromising the cloud facilities (King, 2016).
Cloud backups and Webb’s Stores DR plan
Disaster recovery plans are meant to offer a lifeline to resources when extensive damages (disasters) occur. In the current system, Webb’s Stores uses multiple data centres to stores its information which presumably includes the DR plan having all the necessary backups i.e. recovery tapes. When the cloud backups are adopted by the organization the DR plan will shift from being a physical system to a virtualized structure having all the recovery procedures in one online system. In essence, all the recovery resources (Software, patches and hardware) will be offered by the CSP based on the lease agreement. Moreover, the DR plan will become more extensive as the resources will be readily available across all the business locations (tech, 2017)..
In terms of the backup and restoration procedures, these processes will be drastically changed because of the rapid availability of resources, where all location having an internet access will act as recovery centres. Furthermore, the recovery and backup procedures will become cost-effective as the resources needed will be leased and not fully purchased. This outcome will even lower the management cost of these processes which will improve the operational time i.e. backup and recovery time (Healy, 2015).
Cloud access protection
Privileged access – Webb’s Stores has many employees who will need to access the resources of the organization. This access should be limited or rather organized based on the roles of the employees. This strategy would limit the intrusion instances and even contain them in case they occur.
Multifactor authentication – usernames and passwords are good security features but in today’s digital world are usually reduced to simple authentication measures. Therefore, a multifactor system using passwords and other authentication methods should be used e.g. biometric scanning.
Endpoint protection – the subscriber (Webb’s) should ensure the CSP offers the best security features for the IaaS instance in their system. Similarly, Webb’s Stores should safeguard their access sections using all the necessary security parameters e.g. firewalls and intrusion detection systems (Mehtra, 2014).
Ms SQL Server 2012 R2
SQL authentication – Webb’s Store must enable all the authentication procedures for their SQL instances. This process can be done using access protocols that filter traffic accessing the servers and also by using the default access procedures designed for all logical SQL instances (usernames and passwords)
Identity and user access management – First, the SQL instances should only be accessed by the technical team in order to manage it. The rest of the employees should access the front end of the servers where the business data is contained. However, in each case, the access given should be based on the identity of the users to promote system accountability (Microsoft, 2017).
Firewalls and intrusion detection systems – these features would filter all the traffic accessing the SQL servers in order to verify their legitimacy. In all accounts, this verification would be based on a denial all default configuration with only the exemptions being given access.
Cloud network structure
Network control – this access feature would encapsulate all the procedures used to mitigate network intrusion. In the first step, the organization should limit administrative access where a few individuals should control the network operations. Through this access limitation, the safety of the network resources would be almost guaranteed as few users would access the privileged modes.
Endpoint access limitation – by default the access ports of most new networks are designed to allow all connections without regardless of their authenticity. After acquiring the cloud resources, all endpoints more so, the ports should be encrypted and protected using the utmost security features (e.g. SSH encoding). Furthermore, all unused access port should be blocked off (Mogull, 2017).
Cloud back and restoration structures
Encryption of the virtual disks and storage – since the backup facilities are hosted in the public domain, their content should be encrypted. This encryption would include features such as BitLocker which encrypt resources such as operating systems and information drives. Through these features, unverified members would not be able to access the content stored in the online facilities. Furthermore, these encryption features integrate their services with key vaults which safeguard the access keys (Sovetkin, 2017).
Centralized security management – Webb’s Stores has many business locations all of which will require the backup and restoration services. Therefore, the security of the overall infrastructure should be centralized to standardize the measures put in place. For one, the online servers used will require regular patches and configurations which can be easily done from a centralized structure. Secondly, the centralized management would facilitate the management and monitoring functionalities of the security administrators.
Braddy, R. (2014). Risks And Rewards Of Moving Data To The Cloud. Enterprise Tech, Retrieved 23 September, 2017, from: https://www.enterprisetech.com/2014/09/26/risks-rewards-moving-data-cloud/.
eSecurity. (2017). IaaS Security: Threats and Protection Methodologies. eSecurity Planet, Retrieved 23 September, 2017, from: https://www.esecurityplanet.com/network-security/iaas-security-threats-and-protection-methodologies.html.
Healy, R. (2015). The Top 5 Risks of Moving to the Cloud. Annese, Retrieved 23 September, 2017, from: https://www.annese.com/blog/top-5-risks-of-moving-to-the-cloud.
King, T. (2016). Top 4 Risks Associated with Cloud Backup. Backup and recovery, Retrieved 23 September, 2017, from: https://solutionsreview.com/backup-disaster-recovery/top-4-risks-associated-with-cloud-backup/.
Magalhaes, R. (2015). Security Best Practices for AWS (IaaS) EC2 (Part 1). TechGenix, Retrieved 23 September, 2017, from: https://techgenix.com/security-best-practices-aws-iaas-ec2-part1/.
Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud computing—The business perspective. Decision Support Systems, Retrieved 23 September, 2017, from: https://www.keencomputer.com/images/KEENCOMP/CLOUD/cloud-computing-business-perspective.pdf.
Microsoft. (2017). Security best practices for IaaS workloads in Azure. Microsoft Azure, Retrieved 23 September, 2017, from: https://docs.microsoft.com/en-us/azure/security/azure-security-iaas.
Mogull, R. (2017). Cloud computing encryption and IaaS security. Tech target, Retrieved 23 September, 2017, from: https://searchcloudsecurity.techtarget.com/tip/Cloud-computing-encryption-and-IaaS-security.
Prinzlau, M. (2017). 6 security risks of enterprises using cloud storage and file sharing apps. Data insider, Retrieved 23 September, 2017, from: https://digitalguardian.com/blog/6-security-risks-enterprises-using-cloud-storage-and-file-sharing-apps.
Shinder, D. (2011). Security Considerations for Infrastructure as a Service Cloud Computing Model. TechGenix, Retrieved 23 September, 2017, from: https://techgenix.com/security-considerations-infrastructure-service-cloud-computing-model/.
Siasmsp. (2015). Benefits of Infrastructure-as-a-Service (IaaS). Secure infrastructure and services, Retrieved 23 September, 2017, from: https://www.siasmsp.com/benefits-of-infrastructure-as-a-service-iaas/.
Whitehouse, L. (2017). The pros and cons of cloud backup technologies. Tech target, Retrieved 23 September, 2017, from: https://searchdatabackup.techtarget.com/tip/The-pros-and-cons-of-cloud-backup-technologies.