Cloud Security Challenges: Investigating Policies, Standards, And Guidelines In A Fortune 500 Organization

Cloud computing is quickly becoming pervasive in today's globally integrated networks. The cloud offers organizations opportunities to deploy software and data solutions that are accessible through numerous mechanisms, in a multitude of settings, at a reduced cost with increased reliability and scalability. The increasingly pervasive and ubiquitous nature of the cloud creates an environment that is potentially conducive to security risks. While previous discussions have focused on security and privacy issues in the cloud from the end-user's perspective, minimal empirical research has been conducted from the perspective of a corporate environment case study. This paper presents the results of an initial case study identifying real-world information security documentation issues for a Global Fortune 500 organization, should the organization decide to implement cloud computing services in the future. The paper demonstrates the importance of auditing policies, standards and guidelines applicable to cloud computing environments, along with highlighting potential corporate concerns. The results from this case study have revealed that, of the 1123 'relevant' statements found in the organization's security documentation, 175 statements were considered to be 'inadequate' for cloud computing. Furthermore, the paper provides a foundation for future analysis and research regarding implementation concerns for corporate cloud computing applications and services.
