This chapter sets out to explore new trends in cyber and cloud security, and their implications for businesses. First, the terminology and assumptions related to cloud computing are stated. Next, the chapter reports on contemporary research around the awareness of security issues, and the security processes within the cloud computing realm. Cyber security poses a different challenge to local small and medium sized organizations, which may seem to have less at stake financially. However, they are more vulnerable, due to fewer resources dedicated toward prevention. A series of serious security incidents may even keep them out of business. Furthermore, security needs to be understood and handled differently in a cloud based environment. Therefore, the chapter identifies unique security practices and recommendations for these businesses to run their IT resources safely in the cloud.
TopIntroduction
First, it is important to define and differentiate certain key terms before the narrower topic of cloud security is investigated. Three traditional terms are frequently used: information security, computer security, and cyber security. Information security involves defending private and sensitive information “from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability” (National Institute of Standards and Technology, 2013a, p. 94). This broad definition implies that the information can take any form: physical, print, analog, electronic, digital, etc. In comparison, computer security focuses particularly on protecting computer hardware and the data that the computers hold (Emberton, 2016). Cyber security is “the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and [the] organization and user’s assets” (International Telecommunication Union, 2016). This seems to include computers and digital information in general; however, the cyber environment (cyberspace) primarily consists of “the interdependent network of information systems infrastructures including the Internet and telecommunications networks” (National Institute of Standards and Technology, 2013a, p. 58).
One of the early definitions of cloud computing security is “the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data applications and infrastructure associated with cloud computing use” (Rouse & Cole, 2012). The National Institute of Standards and Technology, i.e. NIST, (2013a) states that cloud computing use entails network access to a shared pool of configurable IT capabilities and resources. Furthermore, according to NIST (2013a, p. 35) the cloud consists of “five essential characteristics (on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service); three service delivery models (Software as a Service, Platform as a Service, and Infrastructure as a Service); and four enterprise access models.” Another definition of cloud security is “the set of procedures, processes and standards designed to provide information security assurance in a cloud computing environment” (Janssen, 2016).
Cloud security is a recent term, and encompasses issues and protection of a range of online services using any one of the cloud computing delivery models. Therefore, cloud security is a subset of cyber security. Information technology virtualization is an important technology that powers cloud computing. Virtualization enables a piece of hardware (for example, a server) to be segmented and provisioned as multiple devices and resources. The four cloud enterprise access models are Private Cloud, Community Cloud, Public Cloud, and lastly Hybrid Cloud, which is emerging and may offer advantages in terms of security. As opposed to cyberspace in general, “the cloud” and its backup facilities appear to leave less room for certain risks, e.g., destruction of data by insiders within the client business. On the other hand, in cloud computing, shared resources inherently involve various risks such as access control and privacy. These major risks are covered in this chapter, by exploring their prevalence and the applicable solutions.