CASE STUDY
on
“ON-PREMISE INFRASTRUCTURE SECURITY”
submitted in partial fulfilment of the requirements
of
the degree of
Bachelor of Computer Applications [CTIS-SEM6]
by
MOHAMED HASHEM AHMED HAMAD
URN NO: 2019-B-23111997
DATE: 7 April 2020
A. Introduction:
Recent years have seen the success and popularity of cloud computing, which represents a new business model and computing paradigm. The on-demand provisioning of computational, storage, and bandwidth resources has drawn modern businesses into cloud services. The cloud is considered cutting-edge technology and is relied on entirely by many large technology, business, and media companies such as Netflix. In addition, the issue for cloud adopters is no longer whether your data sits in AWS, on-premises, Azure, Salesforce, or what have you. The important questions are: who has access to it, and how is it protected? However, alongside these benefits, security issues have been a long-term concern for cloud computing and are the main barriers to its widespread use. In this paper, I briefly describe some basic security concerns in on-premises infrastructure and cloud computing.
B. What is Cloud Computing?
Cloud computing is the on-demand delivery of compute power, database storage, applications,
and other IT resources through a cloud services platform via the Internet with pay-as-you-go
pricing. Whether you are running applications that share photos to millions of mobile users or
you’re supporting the critical operations of your business, a cloud services platform provides
rapid access to flexible and low-cost IT resources. With cloud computing, you don’t need to
make large upfront investments in hardware and spend a lot of time on the heavy lifting of
managing that hardware. Instead, you can provision exactly the right type and size of computing
resources you need to power your newest bright idea or operate your IT department. You can
access as many resources as you need, almost instantly, and only pay for what you use. Cloud
computing provides a simple way to access servers, storage, databases and a broad set of
application services over the Internet. A cloud services platform, such as AWS, owns and maintains
the network connected hardware required for these application services, while you provision and
use what you need via a web application.
C. On-premises infrastructure vs. AWS as a cloud services platform:
On-premises servers are the traditional enterprise computing model. In this implementation, all hardware and software reside in house. A business purchases and maintains its own servers, located in a secure, climate-controlled room onsite. The company needs specialized IT support to manage the equipment, as well as appropriate HVAC systems to keep the equipment in working order. IT professionals must stay up to date with the latest software updates and perform regular backups. As the business expands, it needs to procure new hardware to meet its growing demands. In the past couple of decades, cloud computing has emerged as an alternative or complement to on-premises infrastructure. In contrast to on-premises, cloud solutions mean that businesses rely on servers that exist offsite, sometimes hundreds or even thousands of miles away from their offices. By paying a monthly fee for access to massive data centers, a business can store its data on a small portion of those remote servers. The cloud provider takes care of maintenance, backups, software updates, power, and HVAC. The customer then relies on the Internet to access its IT systems. Today's leading cloud providers are large multinational corporations such as AWS, Google Cloud, and Microsoft Azure.
D. What is the difference between on-premises and cloud computing?

FACTOR | ON-PREMISE | CLOUD COMPUTING
--- | --- | ---
Flexibility | When you buy or make changes to your infrastructure, the cost incurred is borne by the organization. | You can quickly upgrade your infrastructure to your needs without having to make large investments in costly hardware every time.
Deployment | Every resource deployed is within the infrastructure. The enterprise is responsible for maintaining and handling the related processes. Access is limited to the organization only. | In a public cloud, resources are deployed at the service provider's end and accessed by the public. In a private cloud, resources are deployed according to the customer's needs and can be accessed by them only.
Cost | The cost incurred is for the servers, hardware, storage devices, software, power consumption and also the space where your architecture is built. | In cloud computing you only pay for the resources you use. There are no maintenance charges, no upfront charges, and no associated upkeep costs.
Security | Organizations that hold sensitive data, e.g. banks, must use a certain level of security. Security is taken care of either by a third party or by a group of staff using an external tool. | The secure environment is provided by the cloud service providers. There is a broad set of policies and technologies provided by the CSPs that take care of the security of your data.
Maintenance | The user is responsible for maintaining the server hardware and software, the data backups, storage devices, and disaster recovery. | Cloud computing provides greater flexibility, as the user/organization only pays for what they use and can easily scale to meet demand.
E. Time to leave the legacy in the past:
Many businesses still rely heavily on on-premises, legacy IT infrastructure, often for reasons outside their control. Some are restricted by budgets, a problem particularly evident across the public sector, while others use bespoke, mission-critical applications often seen as incompatible with the cloud. There are also many organizations that persist with old technologies because "it hasn't broken, so why fix it?" Well, there is a catch with this approach to IT infrastructure, and here is an example to prove it: January 14, 2020 marked the 'end of life' for Windows 7, software which is still widely used across the public and private sectors. This essentially means that Microsoft has stopped providing security updates and support for it, so users will either need to pay for extended support, upgrade to the current version of Windows, or keep using it regardless of the increased security risk it will present in the future. Evidently, this is not an effective or secure long-term strategy. Alongside that one large example, there are many smaller yet similar issues in the industry that are no less important. For industries such as finance or government, moving to a private cloud, where the solution is solely dedicated to the needs of an individual client or organization, delivers the most up-to-date hardware, software and services, removing the legacy burden and allowing users to benefit from the latest product features and performance improvements.
F. Cloud Security Challenges:
Security and privacy are the two major concerns about cloud computing. In the cloud computing world, the virtual environment lets users access computing power that exceeds that contained within their physical world. To enter this virtual environment a user is required to transfer data throughout the cloud. Consequently, several security concerns arise:
1) Information Security:
Information security is concerned with protecting the confidentiality, integrity and availability of data regardless of the form the data may take. Losing control over data: outsourcing means losing significant control over data. Large banks don't want to run a program delivered in the cloud that risks compromising their data through interaction with some other program. Amazon Simple Storage Service (S3) APIs provide both bucket- and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. Unless a customer grants anonymous access to their data, the first step before a user can access data is to be authenticated using an HMAC-SHA1 signature of the request computed with the user's private key. Therefore, the customer maintains full control over who has access to their data.
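The access model just described, as an added example that is not AWS code and not part of the original paper: a client proves possession of its secret key by sending an HMAC-SHA1 over the request, the service verifies that signature before looking at any permissions, and the bucket then applies owner-only defaults with explicit object-level grants and an explicit anonymous-read switch. The canonical string layout, the `EXAMPLE-HMAC` header scheme, the credential table and the bucket/object names are all constructed for this example; the real S3 string-to-sign differs.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed credentials for this example (not real AWS keys). The secret is
# shared between client and service and never travels on the wire; only the
# HMAC computed from it does.
CREDENTIALS: Dict[str, bytes] = {
    "EXAMPLE-ALICE": b"alice-secret-key-constructed",
    "EXAMPLE-BOB": b"bob-secret-key-constructed",
}


def canonical_string(method: str, bucket: str, key: str, date: str) -> str:
    """Simplified canonical request (an assumption of this example, not the
    real S3 string-to-sign): method, resource path and request date. Binding
    the date lets the service reject stale replays of a captured request."""
    return "\n".join([method.upper(), f"/{bucket}/{key}", date])


def sign(secret: bytes, canonical: str) -> str:
    """HMAC-SHA1 over the canonical request, hex encoded."""
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha1).hexdigest()


def signed_headers(access_key: str, method: str, bucket: str, key: str, date: str) -> Dict[str, str]:
    """What the client sends: the key id identifies the signer; the HMAC proves
    possession of the secret and binds method, resource and date together."""
    signature = sign(CREDENTIALS[access_key], canonical_string(method, bucket, key, date))
    return {"Date": date, "Authorization": f"EXAMPLE-HMAC {access_key}:{signature}"}


@dataclass
class Bucket:
    name: str
    owner: str
    # Default: no anonymous access. The owner has to grant it explicitly.
    public_read: bool = False
    # Object-level grants: object key -> access key ids allowed to read it.
    read_grants: Dict[str, Set[str]] = field(default_factory=dict)


def authenticate(headers: Dict[str, str], method: str, bucket: str, key: str) -> Optional[str]:
    """Return the access key id of the requester if the signature verifies,
    otherwise None (unknown key, malformed header or tampered request)."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    access_key, _, presented = credential.partition(":")
    if scheme != "EXAMPLE-HMAC" or not access_key or not presented:
        return None
    secret = CREDENTIALS.get(access_key)
    if secret is None:
        return None
    expected = sign(secret, canonical_string(method, bucket, key, headers.get("Date", "")))
    # Constant-time comparison: a plain == returns at the first differing byte,
    # which leaks how much of a forged signature was already correct.
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return None
    return access_key


def authorize(bucket: Bucket, principal: Optional[str], method: str, key: str) -> bool:
    """Bucket- and object-level decision, evaluated only after authentication."""
    if principal == bucket.owner:
        return True  # the creator keeps full control
    if method == "GET":
        if bucket.public_read:
            return True  # anonymous read was explicitly granted by the owner
        return principal is not None and principal in bucket.read_grants.get(key, set())
    return False  # writes and deletes: owner only


def handle_request(bucket: Bucket, method: str, key: str, headers: Dict[str, str]) -> int:
    """Return an HTTP-style status: 200 allowed, 403 denied."""
    principal = authenticate(headers, method, bucket.name, key)
    return 200 if authorize(bucket, principal, method, key) else 403


if __name__ == "__main__":
    reports = Bucket(name="acme-reports", owner="EXAMPLE-ALICE", read_grants={"q1.pdf": {"EXAMPLE-BOB"}})
    date = "Tue, 07 Apr 2020 10:00:00 GMT"
    print("owner GET      ", handle_request(reports, "GET", "q1.pdf", signed_headers("EXAMPLE-ALICE", "GET", reports.name, "q1.pdf", date)))
    print("anonymous GET  ", handle_request(reports, "GET", "q1.pdf", {}))
    print("bob granted GET", handle_request(reports, "GET", "q1.pdf", signed_headers("EXAMPLE-BOB", "GET", reports.name, "q1.pdf", date)))
    print("bob other key  ", handle_request(reports, "GET", "payroll.csv", signed_headers("EXAMPLE-BOB", "GET", reports.name, "q1.pdf", date)))
```

The last request in the demo reuses a signature made for `q1.pdf` against `payroll.csv`; because the object key is part of the signed canonical string, the HMAC no longer verifies and the request is refused before authorization is even consulted.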
2) Network Security:
Network security measures are needed to protect data during its transmission, between the terminal user and the computer and between computer and computer. Distributed Denial of Service (DDoS) attack: in a DDoS attack, servers and networks are brought down by a huge amount of network traffic and users are denied access to a certain Internet-based service. In a commonly recognized worst-case scenario, attackers use botnets to perform DDoS. To make the attackers stop, the subscriber or provider may face blackmail. Amazon Web Services (AWS) Application Programming Interface (API) endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world's largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, Amazon's networks are multi-homed across several providers to achieve Internet access diversity.
IP Spoofing:
Spoofing is the creation of TCP/IP packets using somebody else's IP address. An intruder gains unauthorized access to a computer by sending it messages with a source IP address indicating that the message is coming from a trusted host. Amazon EC2 instances cannot send spoofed network traffic: the Amazon-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Port Scanning:
If the subscriber configures the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. Since a port is a place where information goes into and out of the computer, port scanning identifies open doors to a computer. There is no way to stop someone from port scanning your computer while you are on the Internet, because accessing an Internet server opens a port, which opens a door to your computer. Port scans by Amazon Elastic Compute Cloud (EC2) customers are a violation of the Amazon EC2 Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. Customers can report suspected abuse. When port scanning is detected it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by the customer.
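The two host-level controls described in the IP spoofing and port scanning passages, as one added example that is not AWS code and not part of the original paper: an ingress evaluator with security-group semantics (an allow-list where every port is closed unless a rule opens it), an audit that lists which rules admit any source and therefore which ports a scan from an arbitrary Internet host would find, and the egress check that drops a packet whose source IP or MAC is not the instance's own. The rule format, the `WEAK_GROUP` and `HARDENED_GROUP` rule sets and all addresses (taken from the RFC 5737 documentation ranges) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp" or "udp"
    from_port: int  # inclusive port range this rule opens
    to_port: int
    cidr: str       # source range this rule admits


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_port: int
    src_mac: str = ""


ANY_SOURCE = ("0.0.0.0/0", "::/0")

# Constructed rule sets. The weak one is the case the text warns about: SSH
# opened to any source. The hardened one keeps SSH limited to the operator's
# range (203.0.113.0/24, a documentation prefix) and exposes only HTTPS.
WEAK_GROUP = [IngressRule("tcp", 22, 22, "0.0.0.0/0"),
              IngressRule("tcp", 443, 443, "0.0.0.0/0")]
HARDENED_GROUP = [IngressRule("tcp", 22, 22, "203.0.113.0/24"),
                  IngressRule("tcp", 443, 443, "0.0.0.0/0")]


def ingress_allowed(rules: Iterable[IngressRule], pkt: Packet) -> bool:
    """Security-group semantics: an allow-list with default deny, so a packet
    that matches no rule is dropped and the port looks closed to a scanner."""
    src = ipaddress.ip_address(pkt.src_ip)
    for rule in rules:
        if rule.protocol != pkt.protocol:
            continue
        if not rule.from_port <= pkt.dst_port <= rule.to_port:
            continue
        # Membership is version-aware: a v4 source never matches ::/0.
        if src in ipaddress.ip_network(rule.cidr, strict=False):
            return True
    return False


def world_open_rules(rules: Iterable[IngressRule]) -> List[IngressRule]:
    """Audit: rules that admit any source. These are the ones to review."""
    return [r for r in rules if r.cidr in ANY_SOURCE]


def reachable_ports(rules: Iterable[IngressRule], src_ip: str, ports: Iterable[int]) -> List[int]:
    """Ports a host at src_ip could connect to, i.e. what a scan from there
    would report as open for this group."""
    return sorted(p for p in ports if ingress_allowed(rules, Packet("tcp", src_ip, p)))


def egress_allowed(instance_ip: str, instance_mac: str, pkt: Packet) -> bool:
    """Host-based anti-spoofing: an instance may only emit traffic carrying
    its own source IP and MAC address; anything else is dropped."""
    return pkt.src_ip == instance_ip and pkt.src_mac.lower() == instance_mac.lower()


if __name__ == "__main__":
    internet_host = "198.51.100.7"  # arbitrary outside address (documentation range)
    print("weak group, reachable from the Internet:", reachable_ports(WEAK_GROUP, internet_host, range(1, 1025)))
    print("hardened group, reachable from the Internet:", reachable_ports(HARDENED_GROUP, internet_host, range(1, 1025)))
    print("hardened group, open to any source:", [r.to_port for r in world_open_rules(HARDENED_GROUP)])
    me_ip, me_mac = "10.0.1.25", "02:00:00:aa:bb:cc"
    print("own-address egress:", egress_allowed(me_ip, me_mac, Packet("tcp", me_ip, 443, me_mac)))
    print("forged-source egress:", egress_allowed(me_ip, me_mac, Packet("tcp", "10.0.1.9", 443, me_mac)))
```

Running the audit against the weak group reports ports 22 and 443 reachable from any Internet address; the hardened group reports only 443, and SSH is reachable only from the operator's prefix. The egress check is the instance-side counterpart: a packet with a neighbour's address as its source is dropped before it leaves the host.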
3) Security Issues:
These are more complex in a virtualized environment because you now must keep track of security on two tiers: the physical host security and the virtual machine security. If the physical host server's security becomes compromised, all of the virtual machines residing on that particular host server are impacted. And a compromised virtual machine might also wreak havoc on the physical host server, which may then have an ill effect on all of the other virtual machines running on that same host.
Host Operating System:
Administrators with a business need to access the management plane are required to use multi-factor authentication to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to those hosts and relevant systems are revoked.
4) General Security Issues:
In addition to the above-mentioned issues there are a few other general security issues that are delaying cloud computing adoption and need to be taken care of. Data location: when a user uses the cloud, the user probably won't know exactly where his data is hosted or what country it will be stored in. Amazon does not even disclose where their data centers are located. They simply claim that each data center is hosted in a nondescript building with a military-grade perimeter. Even if customers know that their database server is in the us-east-1a availability zone, they do not know where the data center behind that availability zone is located, or even which of the three East Coast availability zones us-east-1a represents.
G. Possible Defenses:
To prevent this type of breach, the Cloud Security Alliance (CSA) admonishes organizations to disallow users and services from sharing account credentials between themselves, and in addition to employ multi-factor authentication requirements when feasible. However, both of these changes may make systems more difficult to use, more expensive, and slower. Multi-factor authentication is authentication demanding at least two of the following: knowledge, or something one knows; possession, or something one has; and inherence, or something one is. Thus, multi-factor authentication places much more of a burden on users and services than single-factor authentication. And if users and services are disallowed from directly sharing credentials, cloud service providers may have to construct secure channels (an expensive undertaking) or hire a third party for communication between users and services (likewise expensive).
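A two-factor check combining the first two factors named above, as an added example that is neither the CSA's guidance nor code from the original paper: the knowledge factor is a password verified against a salted PBKDF2 hash, and the possession factor is a time-based one-time code (TOTP, RFC 6238) generated by an authenticator the user holds. The user record, the password and the timestamps are constructed; the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the published values. The server also remembers the last time step it accepted, so a code that was observed once cannot be replayed within the drift window.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # work factor for the knowledge factor
TOTP_STEP = 30           # seconds per one-time code (RFC 6238 default)
TOTP_DIGITS = 6

# Constructed: the secret from the RFC 4226/6238 test vectors, so the codes
# computed here match the published table (e.g. T=59 -> 287082).
RFC_TEST_SECRET = b"12345678901234567890"


def make_user(password: str, totp_secret: bytes) -> Dict[str, object]:
    """Enrol a user: store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_step": -1,  # highest time step whose code was already accepted
    }


def verify_password(user: Dict[str, object], password: str) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def totp_for_step(secret: bytes, step: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP over the time-step counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = TOTP_DIGITS) -> str:
    """What the user's authenticator displays at a given Unix time."""
    return totp_for_step(secret, timestamp // TOTP_STEP, digits)


def matching_step(secret: bytes, presented: str, timestamp: int, window: int = 1) -> Optional[int]:
    """Possession factor: return the time step whose code matches, allowing
    `window` steps either side for clock drift, or None if nothing matches."""
    base = timestamp // TOTP_STEP
    found = None
    for step in range(base - window, base + window + 1):
        if hmac.compare_digest(totp_for_step(secret, step).encode(), presented.encode()):
            found = step
    return found


def authenticate(user: Dict[str, object], password: str, code: str, timestamp: Optional[int] = None) -> bool:
    """Both factors must pass. They are evaluated unconditionally so the
    response time does not reveal which of the two was wrong."""
    now = int(time.time()) if timestamp is None else timestamp
    ok_knowledge = verify_password(user, password)
    step = matching_step(user["totp_secret"], code, now)
    # A code already accepted (or an older one) is refused: stops replay of a
    # code captured from the user within the drift window.
    ok_possession = step is not None and step > user["last_step"]
    if ok_knowledge and ok_possession:
        user["last_step"] = step
        return True
    return False


if __name__ == "__main__":
    user = make_user("correct horse battery staple", RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)  # authenticator display at T=59
    print("code at T=59:", code)
    print("password + fresh code:", authenticate(user, "correct horse battery staple", code, 59))
    print("same code replayed:   ", authenticate(user, "correct horse battery staple", code, 70))
    print("wrong password:       ", authenticate(user, "hunter2", totp(RFC_TEST_SECRET, 70), 70))
```

The demo accepts the first login, refuses the identical code presented eleven seconds later even though it is still inside the drift window, and refuses a correct code paired with the wrong password. This is the usability cost the text mentions made concrete: a second secret to enrol, a clock to keep roughly in sync, and state on the server to track.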
H. Conclusion:
In this paper, I provide an overview of cloud and on-premises security in various aspects. I first review on-premises infrastructure and AWS, and the unique forms of services offered through cloud services for modern business use. Using Amazon Web Services as a case study, we can explore some of the basic terms and concepts of cloud computing. We then proceed to discuss data security, API concerns, account hijacking, and other security concerns. These general concerns are shown to be of interest to cloud security. The main differences between traditional services and cloud services are compared from a security perspective. Service and account hijacking are covered, as well as possible defenses. The study in this paper provides a guideline for research on cloud services and security issues. Finally, I give some ideas on how to build a more secure cloud. My future work will focus on the security concerns in cloud services. It will include the privacy protection of data stored in the cloud, data integrity with multiple backups for service purposes, etc.