Thursday, November 7, 2013

Cloud Provider Assurances

How could Airange maintain a proper authentication system for its clients?

As Airange is providing only remotely accessible services, their options for authentication is severely limited. Options which are not viable include photo badge validation, physical keys to unlock the system space, and safe locks. (Jessup, Valacich, & Wade, 2003) Passwords are the most common system in use, though they only provide effective security if they are sufficiently long enough, randomized, and changed frequently. Additionally, they must be stored securely by Airange, both to be inaccessible to clients and intruders and be protected from insiders. Salting and hashing is an absolute necessity, else the weaker passwords are susceptible to rainbow tables and identifying shared passwords between users. (Goodrich & Tamassia, 2011) Encrypting the plaintext passwords would provide them the ability to provide forgotten passwords back to the users, but presents the administrators the ability to recover the passwords too.

How might Airange ensure that one client’s data is kept confidential and protected from other clients who also have access to the same data center?

One effective method of ensuring confidential and protected data is to enforce isolation through virtualization. (UMUC, 2011) Each client is provided their own virtual server to work within without the option of communicating with the host machine or other virtual servers on the system. Within the sandbox environment of the virtual server, an individual client can access, manipulate, and delete their own data, but cannot see any of the data stored by any other. This arrangement poses the risk of a client being able to escape their virtual server and directly access or impact the host system. Airange must run intrusion detection software on the host and regularly update the software, else a malicious client could gain access to the host and directly view the contents of the storage mediums, including the data stored by other clients. (Coggins & Levine, 2009)

What type of assurances would a client expect that the security of the software components and utilities provided by Airange will be consistently maintained?

Clients expect Airange to provide detailed guarantees as to the expected confidentiality, integrity assurances, and uptime or availability of the system. These details can be provided to clients, and documented, through negotiated service level agreements. (UMUC, 2011) Concerning the availability of the system, specifics as to the allowable downtime, expected maintenance time, mean time between failures, and mean time to repair will be needed to be declared ahead of time. Given that standing behind rigorous uptime guarantees is expensive, Airange will have to decide how to market their brand and provide the service. Do they want to provide budget-friendly services or strictly security focused ones?

Coggins, C. & Levine, D. (2009). Monitoring and Control Systems. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Goodrich, M. T., & Tamassia R., (2011) Introduction to Computer Security. Boston, MA: Pearson

Jessup, L. M., Valacich, J. S., & Wade, M. (2003). Information systems today. Upper Saddle River, NJ, USA: Prentice Hall.

UMUC. (2011). Preventive and Protective Strategies in Cybersecurity. CSEC-630. Retrieved from

1 comment:

  1. It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content. Actually I read it yesterday but I had some thoughts about it and today I wanted to read it again because it is very well written.