Author: noora Mirzakhani

Ensuring data security with cloud encryption

Ensuring data security with cloud encryption

 

fijx3pjopcew62uiuhhm

Cryptography has been with us since the dawn of human civilization.  People have wanted to keep sensitive information…

from prying eyes long before the invention of the complex, computer-based encryption methods that we utilize today.  The ancient Greek protected their secret messages by tattooing them on the shaved head of a messenger.  The messenger’s hair would grow back while traveling to their destination and render the message invisible.  The receiver of message would just need to know a good barber in order to read the secret message upon arrival.

So what does this have to do with companies putting sensitive data in the cloud?  Just like the   ancient Greek, we are trying to keep our secrets safe from prying eyes.  The methods have changed, but the goal remains the same.  One of the best ways to ensure confidential data is protected in the cloud is to utilize encryption for data in transit and data at rest.  There are still potential issues with encryption that need to be considered when investigating cloud services.  Almost all cloud service providers support encryption for data in transit, but few offer support for data at rest. The cloud encryption capabilities of the service provider need to match the level of sensitivity of the data being hosted.

 

download

Cloud encryption options                                                        

The basic business model of the typical cloud services provider is based on the idea of scalability:  The more customers that can utilize shared resources the better the profit margin for the cloud services provider. This idea works in reverse as well:  The more customers that can utilize shared resources, the lower the cost paid by each of the customers.  These facts play a critical role in the decision of the cloud provider to offer encryption services.  Encryption consumes more processor overhead, so it lowers the number of customers per resource and increases overall costs.  Most cloud providers will only offer basic encryption on a few database fields, such as passwords and account numbers, for this reason.  There are usually options available from the cloud provider to encrypt the entire database, but this will dramatically increase cost to the point where cloud hosting is more expensive than internal hosting.

Some cloud providers have been offering alternatives to encryption that don’t have the same performance impact.  These techniques include redacting or obfuscating confidential data.  This can sound appealing, but is just another form of “security through obscurity:”  Neither technique is effective in securing confidential data because both are easily bypassed.

Another cloud encryption alternative that may be offered by service providers in order to reduce the encryption performance penalty will be its own custom encryption solution.  This is a major red flag for potential customers for several reasons.  The current encryption standards have been thoroughly tested and verified over many years and by many brilliant engineers and cryptographers.  A cloud service provider is unlikely to fund this level of development of a proprietary encryption standard and won’t receive the same level of public scrutiny and feedback as the currently accepted standards.  This creates the strong possibility of a cryptographic mistake, which could leave the customer data vulnerable to exposure.  Proprietary encryption standards should be avoided at all costs.

The cloud provider that offers a standard-based encryption solution may still have other risks that need to be considered.  Encrypted data is only as secure as the private key used to encrypt it.  Key management becomes a critical issue and the cloud provider must have policies and procedures in place for storage, generation and archival of private keys.  It’s important to keep in mind that anyone that possesses that private key has access to your confidential data.

ssl-cloud-big-data-security1

Additional cloud encryption considerations

There are still other operational encryption issues that must be considered when utilizing a cloud service provider.  These operational processes include the policies and procedures for the encryption of tape backups and other removable media, such as DVD-R and USB devices.  Your data may be safely encrypted in the provider’s database, but if it uses unencrypted media in its operations you may still be at risk of exposure;  it’s important to understand these operational risks before putting your data in the provider’s care.

Finally, there are still other areas where technology does not permit encryption.  The actual processing of the data by the cloud provider will require that the data be decrypted at some point.  This may be changing with the advent of homomorphism encryption, which was demonstrated by IBM in 2009 and allowed data to be processed while still being encrypted.  This is a future technology, but it would certainly increase the security capabilities of cloud providers.

 

Cloud encryption and compliance

So the million-dollar question becomes: “Should regulated data be put into the cloud?”  It’s certainly possible to maintain compliance with regulations while utilizing cloud services.  Encryption plays a big role in compliance as many regulations require specific data elements to be encrypted.  This type of requirement is present in GLBAPCI DSS and HIPAA, to name a few.  The most important guidance on encryption is publically available from NIST 800-111 and FIPS-140-2.  These standards can help you evaluate the encryption capabilities of a cloud provider for compliance with regulations.

Encryption is a powerful tool that can be used effectively to protect a company’s confidential data in the cloud.  It’s important for a company to investigate and understand how the cloud provider utilizes encryption in their operational procedures.  Only then can a company confidently utilize cloud providers knowing that their confidential data is protected by encryption.  Modern encryption algorithms far surpass the protections that were available to the ancient Greeks for their sensitive data –and no one will need their head shaved.

Cloud Concepts and the Impact on Business Analysts

Cloud Concepts and the Impact on Business Analysts

Cloud Computing is generating significant interest and momentum. The cloud eco-system requires new considerations for the business analysis community to fully take advantage of cloud computing opportunities.

This article provides links to key NIST Reference Architectures to provide a stable cloud foundation, identifying just some of the key considerations for business analysts in a “cloudy world”.

 

Cloud Basics
Almost all cloud computing approaches use the National Institute of Standards for Technology (NIST), an agency under the U.S. Department of Commerce, as a core foundation from which solutions are defined.
The accepted NIST definition for cloud computing is: 

 

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
Figure 1.0 represents a simplified model, containing the characteristics, service models, deployment models and very important hosting options that also need careful consideration for business analysts.

 

mag11-1

Figure 1.0 NIST Cloud Basic Core Terminology
Hosting considerations are separate from the deployment models. For example, you can have a Private Deployment that is hosted internally, within your organization OR hosted externally by a third party. This is a critical consideration when the organization may desire a private cloud, but does not want the physical infrastructure within their facility.
The NIST Cloud Computing Reference Architecture is a “role-based” perspective. There are five basic roles: cloud consumer, cloud provider, cloud auditor, cloud broker and cloud carrier.
Business analysts can provide valuable insights to clarify opportunities and identify associated risks that require consideration to optimize the solution.
Most frequently, the business analysts will clarify the business requirements for the cloud consumer and help identify the “best fit” cloud provider. The business analysts may perform “functional fit” analysis to determine the configuration, customization and acceptance testing efforts for the selected solution. Business analysts may also participate in value, pricing and costing analysis.
That brings us to a common concern that impacts cloud adoption: “security and privacy”.
Security and Privacy are of Everyone’s Concern
In 2013 the updated NIST Reference Architecture evolved to clarify that security and privacy are not just of concern to the cloud provider, but to all the roles in the cloud ecosystem.

Therefore, figure 2.0 represents a draft model, better communicating that privacy and security are “cross cutting” considerations.
mag11-2

Figure 2.0 Draft Updated NIST Cloud Computing Reference Architecture for 2013
NIST is also generating a Cloud Computing Security Reference Architecture that is due for release April 2014.
Other NIST Cloud Computing publications available or being worked on include: Cloud Roadmaps, Security & Privacy, Service Level Agreements, Cloud Carrier, Metrics and Standards. Many documents are available and free for download from www.nist.gov.
Pricing and Costing
Cloud computing solutions can result in tremendous cost savings when planned and implemented properly. When poorly planned and/or pricing is blurred (obscured due to clouds), then cloud computing benefits may be realized, or it may result in higher costs than traditional solutions.
Pricing and costing of cloud computing solutions is often complex with various pricing options, service levels and terms and conditions that directly impact core decisions moving forward.
Business analysis can help provide core context and considerations that help estimate the Total Cost of Ownership, which is a core measure to help focus value and cost discussions.

Of course, many other benefits exist from cloud, but price is often at the forefront.

Summary

Value-focused business analysis will remain a core and necessary activity to balance business needs and the technical solutions. However, the role will evolve to analyze cloud computing solutions in conjunction with business objectives, opportunities and risks.
A Guide to the Business Analysis Body of Knowledge® (BABOK® Guide) already contains the basics for cloud computing analysis. Some extensions and clarification will be developed as the cloud eco-system becomes more accepted and common place. Many organizations such as NIST are clarifying the cloud models, opportunities, risks and plans.
The cloud computing market share will continue to increase, therefore business analysts will need to be comfortable with the cloud eco-system, recognizing specific opportunities and challenges in the cloud.

7 stages of an ongoing process: Requirements Engineering

7 stages of an ongoing process: Requirements Engineering

The primary measure of success of any software is the degree to which it meets the purpose for which it was intended. Requirements engineering is the process of discovering that purpose by identifying customer needs for the system and the constraints under which it is to be developed and operated.

1. Groundwork: Requirement Engineering is often known as a front-end activity. However, variety of contexts, including market-driven product development and development for a specific customer should also be considered. The identification of a suitable process for requirement engineering and the selection of methods and techniques should also be carried out before collecting requirements.

2. Requirement Elicitation: Identify the stakeholders and understanding the system boundaries. Various techniques like interviews, questionnaires, observation, document review, group workshops and brainstorming are useful in requirement gathering. One simply needs to select the technique or techniques most suitable for the elicitation process.

3. Requirement Analysis and Feasibility Study: Analysis is a repetitive activity in the software development. This phase gives the answers of questions how, what, who, why and when and also test the feasibility and accuracy of existing requirements. Initial design like use-cases can be prepared as a work product of this process.

4. Define Scope: Identify the events inside and outside the system, the information that flows between the system and the actors outside the system and the major functions included in the system.

5. Communication: Documenting requirements at each and every stage of requirement engineering is very crucial for communication. Writing formal and informal documents like Minutes of meeting (MoM), Vision and scope document, System Requirement Specification (SRS) document and taking the approval from stakeholders ensure validation and avoid ambiguity as well as conflicts at the later stages.

6. Change Management: Requirements change throughout the SDLC. How these changed requirements should be accommodated in the software is very challenging task. Each proposed change should be evaluated in terms of existing requirements and architecture so that the trade-off between the cost and benefit of making a change can be assessed.

7. Requirement Traceability: Whatever requirements have been gathered and agreed should be traceable in the final software product to be delivered. Requirements should be reviewed and checked at the each phase of SDLC

Noora Mirzakhani

Noora Mirzakhani

passport-photo

 

Hi there, being a member of Magnificent 11 team, I am feeling super awesome! It is my pleasure!

We have a competent combination of professionals, ready to help our customers with any kind of problem!

Telling more about myself, I am Noora Mirzakhani , professional Business Analyst in Industry and Engineering oriented projects, My study background is MBA and Electronics Engineering and I have been working in different business and industries for more that 8 years. also, using my managerial skills in business area, I’m an entrepreneur, running my own business, and like helping people running and managing their small and big businesses. My analytical mind and management abilities help me to manage different challenges and work effectively in both self managed and team based situations.I have keen interest in learning new concepts and knowing what is going on beyond my immediate discipline.

I am passionate about communicating with people, nature, travelling, bush walking, yoga, photography and whatever makes me enjoying every single second of life! my favorite quote is this:

You must be the change you wish to see in the world”

Working as business analyst, I can use my experience, talents and professions to make benefit for people, companies, and whoever needs help in boosting their business success!

So, any kind of issue you have at your business now, all you need to do: come to us, count up to 10, relax, and just see Magnificent 11’s magic! all done!

Cheers,

Noora

email: noora@magnificent11.com