Lindsay Dale
Student Number: Sxxxxxxx
Email: [email protected]
COIT20233 Assignment 3
Due Date: 2 May 2015
Lecturer: Dr Jo Luck
Course Coordinator: Dr Jo Luck

Executive Summary

Cloud computing promises a transformation in the provision of IT services to businesses and other organisations. Along with many advantages to the business, including easy scalability and ubiquitous access to resources, there are many risks that a business must consider before deploying a cloud solution. These risks include a loss of control over service restoration in case of failure and possible security risks from attack via the Internet. To mitigate those risks, businesses need well-written contracts, strict and easily understood policies to ensure the appropriate storage of information, and multi-factor authentication for access to sensitive information via the Internet.

This report considers the situation of GlobDev, an aid and development organisation headquartered in Melbourne with staff in many developing countries. Using recent research, the report analyses the advantages and disadvantages of Cloud Computing, the associated security risks and their mitigation, and examines using cloud services to enable secure mobile computing. The report proposes a possible path to transforming the delivery of IT services in GlobDev through migration to cloud-based services. The report supports the use of cloud computing through mobile devices provided to field staff. Engagement in technology through social media applications and mobile technology should improve donor engagement and expand GlobDev's opportunity for growth by increasing its supporter base.
Table of Contents

1.0 Introduction
1.1 Organisational Context
1.2 Objective and Methodology
1.3 Report Outline
2.0 Definitions of Cloud Computing
3.0 Advantages and Issues with Cloud Computing
3.1 Advantages of Cloud Computing
3.2 Issues with Cloud Computing
4.0 Security Risks in Cloud Computing
5.0 Opportunities for growth through Cloud Services
6.0 Conclusions
7.0 Recommendations
8.0 Reference list

1.0 Introduction

1.1 Organisational Context

Cloud computing is an increasingly popular method for delivering software services and storing data. GlobDev is a large not-for-profit organisation, headquartered in Melbourne, that runs aid and development programs in underdeveloped nations. The projects are organised by people from developed nations, including Australians, who are part of the organisation's staff. National staff in each country are also employed by the organisation. There are currently 2150 people employed in projects across 38 nations, a further 50 people employed in administration in 10 donor countries, and a further 70 staff in the head office in Melbourne. Project and administration costs are funded through personal and corporate donations along with contributions from the foreign aid budgets of some G-20 major economies.

The organisation has a central server located in the Melbourne headquarters that is only backed up locally. There are desktop computers located in donor countries and with each project. While many of the staff in donor countries have laptop computers, very few staff working in projects have any sort of mobile computing device, due to security concerns about devices that hold extremely sensitive data being easily accessed if stolen. Maintaining backups of data on desktop computers in each country is extremely problematic and relies on adherence by local staff to the organisation's IT policies and procedures.
1.2 Objective and Methodology

GlobDev is investigating Cloud Computing to enable staff to more effectively, efficiently and securely utilise ICT resources to access, process and distribute information in a timely manner. One of the major concerns expressed by the governing board is the security of information if it is stored in locations not controlled by the organisation. The governing board also sees opportunities to expand its base of donors through the more open connections between staff and donors that a cloud solution might enable. The objective of this report is to provide a rationale for employing Cloud Computing services and to address the security concerns of the governing board. The report will also detail opportunities for using cloud services to widen the supporter base. Information contained in this report has been primarily sourced from peer-reviewed journals along with industry publications.

1.3 Report Outline

The report will first define the concept of Cloud Computing services to specify the components of a Cloud Computing solution. Second, it will detail the advantages and disadvantages of using cloud-based services. Third, it will address the security concerns of the governing board along with strategies to mitigate the risk. Fourth, it will demonstrate clear improvements in information security that Cloud Computing offers. Fifth, the opportunities to increase engagement with the existing donor base and appeal to new donors will be discussed. The report will conclude with recommendations for proceeding with Cloud Computing services.

2.0 Definitions of Cloud Computing

Cloud Computing consists of computing resources hosted on multiple networked servers to provide seamless access to those resources (Mell & Grance 2011). This differs from the server-specific model of providing resources, where access is provided through connections to specific servers.
Cloud Computing can be either public, where services are provided by an organisation to individuals or other organisations, or private, where the services are provided exclusively for the organisation itself (Mell & Grance 2011). Private clouds can be hosted by the organisation or by a third party (Mell & Grance 2011); the important differentiator is exclusivity, not the location of the services.

Cloud Computing is deployed using three different service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). SaaS utilises some form of subscription service to access software. The cloud provider controls the software and can change it without notice to the individual or organisation (Mell & Grance 2011). The software can reside on the provider's infrastructure, where it is accessed through an Internet browser or a client application, or be installed on the subscriber's computer and updated through a provided mechanism. PaaS is where a provider allocates resources and an application environment on which the client's applications are hosted (Mell & Grance 2011). The client retains control over the applications while the provider contracts to support the underlying environment. IaaS is where a cloud provider supplies fundamental computing resources for a wide variety of computing uses (Mell & Grance 2011). These uses can include storage, printing, and application environments that are fully controlled by the service subscriber. Subscribers are not limited to a single service model, but can choose elements of all three models for the provision of a wide variety of computing services.

3.0 Advantages and Issues with Cloud Computing

3.1 Advantages of Cloud Computing

There are many advantages in changing from a traditional networked approach to computing resources to a cloud-based model. Iyer and Henderson (2012) interviewed seven companies and identified six key benefits.
First, managers were able to focus better on using IT to meet business needs rather than frequently encountering significant hurdles in leveraging existing IT infrastructure. Second, the modularity in the design of Cloud Computing enables faster deployment of new services and the ability to reuse existing IT infrastructure for new services. The modularity enables scalability of services, with correct sizing of infrastructure to meet current needs and expansion as requirements change. Third, cloud services give multiple locations access to the same services and resources, allowing seamless collaboration between different parts of a business. Fourth, cloud-based applications are quicker to develop and upgrade than under conventional development models. Fifth, cloud-based applications tend to have better interoperability between specialist applications due to a more standardised application environment. This allows selection of services from a diverse range of vendors that have high levels of interoperability. Sixth, cloud services allow the development of social interaction within client-facing applications. This connection has delivered higher levels of customer satisfaction in other businesses.

Jeon, Yvette and Byungjoo (2012) identify another key advantage for this organisation: allowing the use of mobile devices to access resources gives field staff higher quality access to information in a timelier manner, which will facilitate more effective communication. Cloud computing can enable a transformation of business processes and of connections with field staff and donors. However, there are problems associated with cloud computing that need to be considered.

3.2 Issues with Cloud Computing

Utilising public cloud computing services poses particular risks to the organisation that must be considered. Tisnovsky (2010) identifies four risks for businesses. First, the organisation loses control over the infrastructure on which the services are hosted.
Second, there is a financial incentive for cloud providers to host the maximum number of services on a particular piece of infrastructure, which can lead to contention issues with other organisations. Third, a lack of control over backup and restore processes can lead to long delays in restoring vital services. Fourth, the location of storage can be anywhere on the Internet, and the organisation's data may be housed on servers located in countries where the organisation's information may be in conflict with the laws of that country. Another issue is the resistance of staff to changing to a cloud-based model for accessing services, which will necessitate training of staff to ensure a positive acceptance of the changes (Wu, Lan & Lee 2013). By far the biggest issue that must be addressed is the security of information that is accessed over the Internet, for both public and private cloud services (Srinivasan 2013).

4.0 Security Risks in Cloud Computing

To ensure the security of information in the cloud, Fernandes et al. (2014) analysed the peer-reviewed literature and found six key requirements for a public cloud. First, there must be a method for identifying the requestor and then authenticating access to the cloud. Second, the cloud must have a system for controlling the level of access granted to each individual. Third, the confidentiality of the information must be maintained. Fourth, audit trails are necessary to ensure the integrity of stored information. Fifth, information transferred between the individual's end computer and the cloud must carry a positive indication that both the cloud and the end computer have received the information. Sixth, the information must be available when required by an individual. With a private cloud, security concerns are less stringent as the organisation retains much greater control over information, since public sharing is more difficult (Fernandes et al. 2014).
Public dissemination of information in a private cloud requires individuals to deliberately choose to act against organisational policies.

Cloud providers have a clear duty to ensure a very high level of physical security across multiple locations. Each location is very carefully chosen, with many levels of redundancy across multiple sites to ensure very high levels of availability (Fernandes et al. 2014). Therefore, physical security is much stronger within the cloud providers' facilities than within the current data centre of this organisation. As the information in the cloud would be spread across geographically diverse sites, the information is far less likely to be lost than if there were a catastrophic failure at the organisation's headquarters.

Elasticity in the allocation of resources, in both public cloud services and a virtual private cloud, is a possible security threat to the organisation. If the organisation scales down its need for storage space from a cloud provider, the organisation needs to ensure that any resources released are properly cleaned up by the cloud provider; otherwise another organisation could access that information (Behl & Behl 2012). The security concerns surrounding dynamic allocation of resources by cloud providers are most problematic in SaaS services where storage is provided along with access to software, as companies oversubscribe storage allocation on the assumption that it is unlikely all subscribers will use all of their allocated storage space (Dou et al. 2013).

Single authentication factors, those that rely only on a password for access to resources, are a major security threat to an organisation (Weir et al. 2010). This becomes more problematic where people use multiple systems that have differing password requirements. Many people find it difficult to remember multiple passwords and tend to keep written records of passwords readily available.
To mitigate these risks, password management systems need to be implemented as part of a cloud strategy (D'Costa-Alphonso & Lane 2010). For sensitive information that must be kept confidential, multi-factor authentication needs to be incorporated (D'Costa-Alphonso & Lane 2010). Multi-factor authentication includes biometrics, access tokens and trusted devices along with a password to access resources (Sarier 2010; Weir et al. 2010). Security risk mitigation needs to be incorporated simultaneously with the implementation of Cloud Computing, along with well-written and strict policies and guidelines (Karadsheh 2012). These policies and guidelines will provide all staff with clear direction on the most appropriate storage services for the various types of information they generate and consume. Incorporating well-designed security systems into a cloud solution will enable the use of mobile devices in the organisation.

5.0 Opportunities for growth through Cloud Services

The biggest opportunity for growth from utilising cloud services lies in enabling high quality communication between donors and field staff through the use of cloud-enabled mobile technology. Tablet computers running on Android, iOS, OS X and Windows platforms allow the installation of cloud-enabled applications that can connect to both public and private clouds. Android, iOS and OS X devices also have the ability to be remotely locked and erased (Apple 2014; Google 2014). McAfee (2014) offers a secure public cloud storage solution for Android, OS X and Windows platforms that uses biometric authentication to secure information. With appropriate cloud solutions, equipping staff working in overseas projects with either Apple Mac laptops or Android tablets no longer poses a security risk to the organisation. Once applications have been developed for field staff's mobile devices, applications can then be developed for current and possible future donors.
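As an added illustration of the multi-factor authentication recommended in section 4.0 (this is example code written for this page, not code from the report or from any of the vendors or papers it cites), the following Python shows a login check that requires both a password (something the user knows) and a time-based one-time code from an access token or trusted device (something the user has). PBKDF2 password hashing and RFC 6238 TOTP are standard algorithms available in the Python standard library; the `User` record, the `check_login` function, the drift window and the `last_counter` replay guard are illustrative assumptions, and the sample user, password and shared secret are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not from the report or from any cited vendor: a two-factor
# login check combining a password (something you know) with an RFC 6238
# TOTP code from an access token or trusted device (something you have).
# PBKDF2 and TOTP are standard algorithms; the User record, check_login()
# and the replay guard are illustrative assumptions.

PBKDF2_ROUNDS = 100_000   # PBKDF2-HMAC-SHA256 iterations for password storage
TOTP_STEP = 30            # seconds per TOTP time step
TOTP_DIGITS = 6           # length of the one-time code
SKEW_STEPS = 1            # accept one step either side to tolerate clock drift


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class User:
    """Constructed user record: salted password hash plus the device's TOTP secret."""

    def __init__(self, username: str, password: str, totp_secret: bytes) -> None:
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret   # shared with the token/trusted device at enrolment
        self.last_counter = -1           # highest time step already accepted (replay guard)


def check_login(user: User, password: str, code: str, now: Optional[float] = None) -> bool:
    """Accept only when BOTH factors verify; a correct password alone is never enough."""
    now = time.time() if now is None else now
    # Factor 1: password. compare_digest avoids timing leaks on the hash comparison.
    _, candidate = hash_password(password, user.salt)
    password_ok = hmac.compare_digest(candidate, user.pw_hash)
    # Factor 2: one-time code, checked within the drift window and never re-accepted.
    code = code.strip()
    code_ok = False
    matched = -1
    if len(code) == TOTP_DIGITS and code.isascii() and code.isdigit():
        counter = int(now) // TOTP_STEP
        for c in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
            if c > user.last_counter and hmac.compare_digest(hotp(user.totp_secret, c), code):
                code_ok, matched = True, c
                break
    # Both factors are always evaluated so the response does not reveal which one failed.
    if password_ok and code_ok:
        user.last_counter = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret and a fixed clock so the run is repeatable.
    alice = User("field.worker", "correct horse battery staple", b"12345678901234567890")
    t = 59  # Unix time 59 falls in time step 1
    print(check_login(alice, "correct horse battery staple", totp(alice.totp_secret, t), t))  # True
    print(check_login(alice, "correct horse battery staple", totp(alice.totp_secret, t), t))  # False: replayed code
    print(check_login(alice, "wrong password", totp(alice.totp_secret, t + 30), t + 30))     # False: wrong password
```

Two design points matter for the report's argument. A code written down next to a password, the failure mode section 4.0 describes for single-factor systems, is only useful for one time step and only once, because the accepted step is recorded in `last_counter`; and because both factors are always evaluated before the decision, a failed attempt does not reveal whether it was the password or the code that was wrong. In a real deployment the TOTP secret would be provisioned to the device out of band and stored encrypted at rest.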
There are many benefits for project employees and donors alike from engaging applications, as they increase satisfaction with the organisation, thereby increasing the likelihood of maintaining long-term relationships (Hua, Tao & Xihui 2014).

6.0 Conclusions

The research demonstrates that it is possible to utilise secure cloud computing services that will bring benefits to GlobDev. From an infrastructure perspective, migrating from the current server-centric access model will allow more responsive scalability of resources, which will reduce management costs. The costs associated with having underutilised resources will also be reduced. As cloud applications are faster to develop and deploy, GlobDev will be able to design applications that better meet the needs of the organisation and redesign those applications as business needs change. As cloud services are ubiquitous and many of GlobDev's staff are located in very diverse locations, deploying cloud services will allow much greater collaboration between staff working on similar projects. High levels of interoperability between cloud applications will allow GlobDev to select applications from different vendors that meet the particular needs of business units and projects while minimising the risk of incompatibility.

The social networking elements in cloud computing could be leveraged to develop a close relationship between GlobDev project staff and the donors interested in those projects. Those close relationships should improve the morale of field staff and increase satisfaction among donors. Those relationships will then form a point of difference between GlobDev and other aid and development organisations, enabling the organisation to keep donors for significantly longer periods of time and encourage others to become donors.
GlobDev will need to carefully consider which resources and information it migrates to a private cloud located in the head office, which resources and information are migrated into a virtual private cloud, and what public cloud services could be utilised. This need for a multi-modal approach arises because there are risks and benefits in each mode, and the needs of the various parts of the organisation must be assessed to determine the best fit. Staff training needs would also need careful consideration to ensure a positive acceptance of the changes in processes and to minimise the reduction in productivity during migration.

Security remains a major concern with any Internet-based service. Those risks can be minimised through the careful selection of service providers, the identification of the security requirements surrounding the various types of information stored by the organisation, and the setting of well-written and clearly specified IT policies relating to document storage. When selecting service providers, the authentication processes employed by the providers and their policies on cleaning up reallocated resources must be clearly written into service contracts. This would also maximise the security of information. Of critical importance to GlobDev is the location of information stored by a cloud provider, to avoid the possibility of sensitive information creating legal difficulties in countries in which GlobDev has current and possible future projects. Multi-factor authentication should be a key requirement in assessing the offering of a cloud provider, to eliminate the risk of compromised passwords allowing unauthorised access to sensitive information. A password management system will also be necessary in a multi-modal solution, due to the requirement for authentication for each resource, to avoid staff having to keep a physical record of all their passwords.
The greatest benefit in moving to a cloud solution lies in enabling project staff to acquire highly secure mobile technology. Cloud-enabled devices from Apple and those built on an Android platform offer GlobDev the ability to erase a device that is lost or stolen. This will give the organisation a high degree of confidence that sensitive information cannot be accessed from a lost device and makes it more secure than the printed information project staff currently carry with them. Mobile devices will allow project staff easy access to required information and significantly reduce the time they currently spend in the office attending to administrative matters. In summary, cloud computing has the ability to transform GlobDev, and it is recommended that cloud services replace the existing information and computing resources.

7.0 Recommendations

Based on the advantages to GlobDev and the available strategies for mitigating risks to the security of the organisation, it is recommended that GlobDev start migrating from its server-centric Information Technology resources to a Cloud Computing solution. The Cloud Computing model would also allow project staff access to secure mobile devices.

In the first stage of a proposed migration, an audit of all software would need to be performed to understand which applications that staff currently use are suitable in a cloud environment. Those applications that are unsuitable will need to be researched to discover whether suitable replacement applications are commercially available or whether those applications will need to be written specifically for GlobDev. Cloud-specific, commercially available direct replacements of current software, for example Microsoft Office, should also be investigated to see if cloud licensing is a more cost-effective option than the current licensing fees. Simultaneously, all existing information will need to be classified according to its sensitivity and availability requirements.
Such an audit would then provide information about the modes of Cloud Computing and the sizing requirements for each mode of the solution. As the organisation has some information that is both time critical and security critical, that information would need to be stored in an on-site private cloud so that access and recovery are completely controlled by GlobDev. Information that requires a high level of security but is not time critical can be stored in an IaaS solution using a virtual private cloud. To ensure that the information is not housed on servers located in countries where the information might have negative consequences, a contract with the supplier of the IaaS solution must stipulate the location in which the information will be housed. The contract must also stipulate who in the supplier's company has access to GlobDev's information, both physical access to the servers and virtual access through the supplier's network. There should also be a two-factor authentication process for access to this information, to eliminate the risk of unauthorised access due to compromised passwords. Two-factor authentication should also be implemented where access to the on-site cloud is via the Internet. Information that is neither security critical nor time critical could be housed through both a SaaS solution and the virtual private cloud. Strict and clearly defined written policies would be needed to define the categories of information as it is created and where each category should be located.

After writing new policies and procedures, a training plan along with materials for all staff needs to be developed to ensure minimal loss of productivity during the transition. After migration to the cloud is completed, new social media applications should be written to engage with donors. This should increase satisfaction levels among donors and help maintain long-term relationships with GlobDev.
Simultaneously, project staff should be offered Android tablets or Apple MacBooks depending on their business requirements. Those devices allow for high security of data stored on the devices and the ability to remotely wipe them should they be lost or stolen. While training for field staff might be difficult, well-designed written and multimedia packages should enable project staff to quickly adopt the new technology. Equipping staff in this way will foster close connections between project staff and donors that encourage long-term commitments and foster the growth of the supporter base. Following through with these recommendations will see the growth of GlobDev and transform the business into a modern, responsive organisation.

8.0 Reference list

Apple 2014, iCloud: Use lost mode, Apple Inc, viewed 30 April 2014, http://support.apple.com/kb/PH2700
Behl, A & Behl, K 2012, 'An analysis of cloud computing security issues', 2012 World Congress on Information and Communication Technologies (WICT), 30 October to 2 November 2012.
D'Costa-Alphonso, M-M & Lane, M 2010, 'The adoption of single sign-on and multifactor authentication in organisations -- A critical evaluation using TOE framework', Issues in Informing Science & Information Technology, vol. 7, pp. 161-189.
Dou, W, Qi, L, Zhang, X & Chen, J 2013, 'An evaluation method of outsourcing services for developing an elastic cloud platform', Journal of Supercomputing, vol. 63, no. 1, pp. 1-23.
Fernandes, D, Soares, L, Gomes, J, Freire, M & Inácio, P 2014, 'Security issues in cloud environments: a survey', International Journal of Information Security, vol. 13, no. 2, pp. 113-170.
Google 2014, Android Device Manager, viewed 30 April 2014, https://support.google.com/accounts/answer/3265955?p=android_device_manager&rd=1
Hua, DAI, Tao, HU & Xihui, Z 2014, 'Continued use of mobile technology mediated services: a value perspective', Journal of Computer Information Systems, vol. 54, no. 2, pp. 99-109.
Iyer, B & Henderson, JC 2012, 'Business value from clouds: Learning from users', MIS Quarterly Executive, vol. 11, no. 1, pp. 51-60.
Jeon, S, Yvette, EG & Byungjoo, P 2012, 'Next generation cloud computing issues and solutions', International Journal of Control & Automation, vol. 5, no. 1, pp. 63-70.
Karadsheh, L 2012, 'Applying security policies and service level agreement to IaaS service model to enhance security and transition', Computers & Security, vol. 31, no. 3, pp. 315-326.
McAfee 2014, McAfee LiveSafe, McAfee Inc, viewed 30 April 2014, http://home.mcafee.com/root/landingpage.aspx?lpname=mls_info&affid=0
Mell, P & Grance, T 2011, The NIST Definition of Cloud Computing, SP 800-145, National Institute of Standards and Technology, Gaithersburg, MD, viewed 15 April 2014, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Sarier, ND 2010, 'Improving the accuracy and storage cost in biometric remote authentication schemes', Journal of Network and Computer Applications, vol. 33, pp. 268-274.
Srinivasan, S 2013, 'Is security realistic in cloud computing?', Journal of International Technology & Information Management, vol. 22, no. 4, pp. 47-66.
Tisnovsky, R 2010, 'Risks versus value in outsourced cloud computing', Financial Executive, vol. 26, no. 9, pp. 64-65.
Weir, CS, Douglas, G, Richardson, T & Jack, M 2010, 'Usable security: User preferences for authentication methods in eBanking and the effects of experience', Interacting with Computers, vol. 22, no. 3, pp. 153-164.
Wu, W-W, Lan, LW & Lee, Y-T 2013, 'Factors hindering acceptance of using cloud services in university: a case study', Electronic Library, vol. 31, no. 1, pp. 84-98.