Web Site Security And Cloud Computing


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

U.S. General Services Administration. (2012). Federal Cloud Computing Strategy. Retrieved January 12, 2013, https://cio.gov/wp-content/uploads/downloads/2012/09/Federal-Cloud-Computing-Strategy.pdf

In "Federal Cloud Computing Strategy," Vivek Kundra (U.S. Chief Information Officer) outlines the United States Federal Government's plan to leverage cloud computing primarily as a cost-cutting, efficiency-boosting, and agility-increasing measure that will be employed by all federal government agencies. For the most part the report provides a "10,000 foot" view of the plan, focusing more on its broad foundational concepts and much less on detailed analysis of why the plan makes sense and how it will be implemented (in stark contrast to Bisong and Rahman’s report, "An Overview of the Security Concerns in Enterprise Cloud Computing," which provides concrete research examples to support each section of the report). Surprisingly, this report also focuses much less on cloud computing security than reports generated by the private sector, even though a large portion of the information handled by the federal government requires a high level of confidentiality. The report concludes with three case studies of successful cloud technology deployments within federal government agencies (the Army, DISA or Defense Information Services Agency, and the USDA or United States Department of Agriculture). However, the case studies present only the successful aspects, omitting the challenges that were inevitably encountered during the first cloud based government deployments, which renders the reliability of the report suspect at best.

Schadler, T. (2009). Should Your Email Live In The Cloud? A Comparative Cost Analysis. Forrester Research.

Evaluating IT based services such as email for a move to the relatively new cloud based IT model can be error prone because of the number of components and separate costs involved in on-premise email solutions. Ted Schadler of Forrester Research provides a relatively enlightening guide outlining cloud based email options, a cost breakdown, and possible strategies companies can employ when contemplating an email service move to cloud based technologies. Even though Schadler’s report does not mention the unique security risks (and associated security costs) of cloud based services, it delivers substantial value by showing the reader how to break down and analyze the cost of in-house versus cloud based versus hybrid solutions, including many of the often overlooked costs that must be considered when deciding whether or not to outsource a service. The cost breakdown and analysis in this report would also be useful for outsourcing services other than email, such as CRM or Customer Relationship Management, where many of the hidden cost components are similar to those of email (such as client based licensing). For any company considering moving services (especially email) to the cloud, this report is highly recommended.

Choo, K.-K. R. (2010). Cloud computing: Challenges and future directions. (cover story). Trends & Issues In Crime & Criminal Justice, (400), 1-6.

Like most technology trends that are also major paradigm shifts, cloud computing has resulted in substantial changes in the way we work and how we use technology and manage information. Understanding the direction of a trend such as cloud computing can provide insight into business decisions for the future, providing competitive advantage when the decisions are correct. In "Cloud Computing: Challenges and Future Directions," Kim-Kwang Raymond Choo presents compelling evidence from several different angles supporting the notion that new security vulnerabilities, which he describes in some detail, will emerge as cloud computing grows. According to Choo, government intervention is essential to cloud computing standardization, with regard both to how the technology is used and to security. Choo suggests that creating a "Culture of Security" through legislation patterned after the United Kingdom’s 1998 Data Protection Act may help protect information privacy and security in the cloud. The long list of potential and future security risks outlined in this report does provide a necessary glimpse into a precarious cloud technology future if countermeasures are not taken; however, recommended solutions are lacking, and those offered are primarily government only solutions.

Huth, A., & Cebula, J. (n.d.). The Basics of Cloud Computing. Retrieved January 12, 2013. http://www.us-cert.gov/reading_room/USCERT-CloudComputingHuthCebula.pdf

Understanding the basic foundational principles and concepts of cloud computing is essential prior to contemplating entrusting valuable personal and/or business information to a cloud based service provider. In "The Basics of Cloud Computing," Cebula and Huth provide a simplified explanation of cloud computing concepts, including the four types of cloud computing models (private, public, hybrid and community) and the three types of services in the cloud (IaaS, SaaS and PaaS), with a brief definition of each. The article also explains the primary advantages of cloud computing and the reasons why cloud computing can be more efficient and cost effective than supporting private data centers. Security in the cloud is also covered, and while the article does not provide details regarding potential cloud based security exploits, it does correctly instruct the reader on how to choose a provider based upon the provider's security profile. This article lacks the cloud technology detail that may be desired by "technosavvy" individuals; however, since the objective is educating laymen regarding cloud based technologies, the article succeeds in presenting digestible information to those who would otherwise get lost in technical details.

Bisong, A., & Rahman, S. M. (2011). An Overview of the Security Concerns in Enterprise Cloud Computing. International Journal of Network Security & Its Applications, pp. 30-45.

The main attractions of cloud computing technologies appear to be their economy of scale, resulting in a much lower cost to the consumer of cloud based services, and the ability to centralize services in a way that better facilitates the management of those services. Researchers A. Bisong and S. M. Rahman deliver a very convincing, in-depth analysis of these cloud computing benefits, supported by objective measurements such as a "cost associativity" formula that can be used to explain the cost benefits in each area of cloud computing. The article also explains that there are different types or categories of cloud computing, such as PaaS or Platform as a Service, SaaS or Software as a Service, and IaaS or Infrastructure as a Service, and compares the use and benefits of each. It likewise explains the hybrid, public, private and shared varieties of cloud services along with the benefits and drawbacks of each. The article also details cloud technology security issues, pointing out that along with the benefits, many new, cloud-specific vulnerabilities have been identified that require careful consideration before embarking upon an enterprise cloud based IT strategy. Planning and strategy to minimize the risk of cloud technology is covered, providing the reader with specific bullet points that need to be addressed, along with recommended cloud types for each category of enterprise class information that may be stored in the cloud. Although not exhaustive, the article provides the reader with an excellent overview and analysis of cloud computing, and arms the reader with the knowledge necessary to intelligently approach the subject of cloud based IT for an enterprise.

Web Site Security and Scalability

Dustin, E., Rashka, J., & McDiarmid, D. (2002). Quality web systems: performance, security, and usability. Boston, Addison Wesley.

Designing high performance, scalable, and usable web sites and servers is a science rarely covered in a single publication. The "Quality Web Systems: Performance, Security, and Usability" handbook does an excellent job covering each of these aspects, providing the reader with the information necessary to build and properly test a high performance web server that also meets web user expectations. The book is broken into sections that focus on each aspect of web server performance, presenting each in a neutral fashion that successfully avoids advice favoring certain operating systems, programming languages and/or usability styles. Web server technology is covered from the testing perspective, and the book teaches the user to engineer to the test. The book addresses requirement identification, engineering design via use case analysis, generating test cases, addressing security, web browser compatibility, performance design and testing, scalability design and testing, and capacity planning and load testing, along with recommendations for test tools that can cover each phase of development. This book provides solid information on web server development, design and testing, and is an excellent choice for anyone planning to develop and deploy web servers and web sites.

OWASP. (2005). A Guide to Building Secure Web Applications and Web Services. Retrieved January 12, 2013. http://iweb.dl.sourceforge.net/project/owasp/Guide/2.0.1/OWASPGuide2.0.1.pdf

"A Guide to Building Secure Web Applications and Web Services" is an impressive compilation of web site, web application and web service security information that attempts to be highly comprehensive and all-inclusive as a web technologies security guide. The authors together easily possess over a century's worth of web site information security research, knowledge and experience, which has been thoroughly applied to this document. The guide provides in-depth information covering the most common web technology security attacks, which includes an explanation of the technology under discussion and how it works, along with detailed information on how each attack is performed and how to protect web sites, services and applications from such malicious activities. The guide serves not only as a technical security document, but also includes detailed content on management frameworks (such as COBIT) and security policy and IT governance instructions, and outlines the structure for a successful web security program and deployment. The guide does lack specifics such as secure coding for the most widely used web technology programming languages (such as Python, Perl and JavaScript); however, secure coding standards at a universal level are covered. This document is highly recommended for anyone interested in secure web site deployment and management.

McClure, S., Scambray, J., & Kurtz, G. (2006). Hacking Exposed Web Applications, Second Edition. New York: McGraw-Hill/Osborne.

Hacking Exposed Web Applications Second Edition is quite fascinating because it is written and structured to capture the reader’s full attention, using a "how to" approach to introduce the web "hacking" world to the reader. Unlike the OWASP "A Guide to Building Secure Web Applications and Web Services," which attempts to be an all-inclusive authority on the web site and application security topic, this book targets a relatively short list of security exploits that the authors consider to be most common in the real world. The book successfully "grips" the reader by providing instructions on how exploits are performed, accompanied by a web site where a list of downloadable web hacker tools is made available for the reader, who is invited to experiment with each of the exploits in order to fully understand the concepts presented. While books such as the aforementioned OWASP guide are rich in theory, Hacking Exposed Web Applications Second Edition is equally rich in delivering a web site security "hands on" approach to the reader.

National Institute of Science and Technology. (2007). Guidelines on Securing Public Web Servers.

The "Guidelines on Securing Public Web Servers" document is a well-organized guide providing the reader with the exact, step by step directions that need to be executed in order to securely deploy a web server. Unlike the other aforementioned guides and books, including the OWASP "A Guide to Building Secure Web Applications and Web Services" and "Hacking Exposed Web Applications Second Edition," this document is very platform centric: it focuses less on web service and application technology security vulnerabilities and instead targets the mechanics behind web server installation from start to finish. The book is structured like an instruction manual and is very thorough in covering each aspect of secure web server deployment, from the early planning phases all the way through the web server lifecycle, which includes backup, penetration testing and even recovering from security compromise, so that the reader is instructed on what action to take in every area of web server administration. The book even includes a convenient checklist at the end of every chapter that the reader can use for future reference. "Guidelines on Securing Public Web Servers" is, for all intents and purposes, a manual that provides comprehensive, generic web server administration guidance.

Schiffman, M. (2001). Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios. New York: Osborne/McGraw-Hill.

"Hacker’s Challenge" is a unique publication that presents the reader with twenty different scenarios based upon real life incidents in which a network and/or network hosts were compromised, exposing an organization to serious potential or actual loss of information, confidentiality or both. Each scenario starts with a detailed description of the network, server, and configuration environment, along with a description of the administrator, management routine, and other information pertinent to the scenario. Each scenario outlines a security compromise from the viewpoint of the administrator, giving readers the opportunity to exercise their forensic and security skills, testing their knowledge of web based and network based security, and ultimately helping them gain the skills necessary to properly secure network hosts, such as web sites and servers, along with the environment in which they reside. Each scenario also includes a detailed explanation of how the compromise occurred from the viewpoint of the perpetrator, further educating the reader with valuable insight. This book is a must read for those interested in web site security.


