Chapter 2. Literature Review
2.8 Modern Information and Communications Technology
2.8.5 Cloud Computing
possibility of using SMS services to perform a DoS attack on the mobile infrastructure; this is expanded in Traynor et al. (2009), who illustrate a possible DoS attack on the core mobile infrastructure.
The applications that run on mobile devices, as well as the communication capabilities, may be attacked and the mobile device compromised (Dwivedi, Clark, & Thiel, 2010). It is also possible to eavesdrop on the wireless channels (Nohl & Paget, 2009), or attack the mobile infrastructure in order to eavesdrop, as occurred in Greece in 2004 (Prevelakis & Spinellis, 2007). The security and IW aspects of the mobile infrastructure will be discussed in greater detail in Chapter 5, and the simulations and calculations will be expanded to the South African situation in Chapter 7.
The computing resources have the capability to be "rapidly provisioned and released with minimal management effort or service provider interaction" (Information Systems Audit and Control Association, 2009). The resource usage should be automatically monitored and controlled, with the ability to be "elastically provisioned" so that the client may increase or decrease usage at any time; the cloud services should be accessible from any location on various platforms, including smart mobile devices (ibid.).
The deployment models for cloud computing include public, private, community, and hybrid clouds. A public cloud is owned solely by the cloud service provider, and is made available to the general public or a large industry group. Multiple organisations with a shared interest may share cloud services, thus forming a community cloud; it can reside on the premises of any of the organisations, or external to all of them. The management of the community cloud may be undertaken by one or more of the organisations or outsourced to a third party (Information Systems Audit and Control Association, 2009; Red Hat, 2010). A private cloud is operated solely for a specific organisation; the management and hosting can be provided by the organisation itself, or a third party. A combination of two or more of the above cloud deployment models is known as a hybrid cloud. The two clouds remain separate entities but are bound together by a technology that is proprietary or standardised; this allows the porting of applications or data between the two clouds (Information Systems Audit and Control Association, 2009; Red Hat, 2010).
Cloud computing typically has three service models: software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). SaaS is the ability to use and access the cloud service provider's applications through an interface such as a web browser; these applications reside on the cloud infrastructure (Information Systems Audit and Control Association, 2009; Red Hat, 2010). Google Docs is an example of this. The client's control for SaaS is limited to user-specific application settings; the client does not have any control over storage, operating systems, or the underlying infrastructure (Red Hat, 2010). IaaS provides the client the ability to access and use computing resources, such as storage, processing, and networking, and allows the client to run operating systems and applications on the infrastructure. The IaaS model places the IT functions of an organisation into the hands of the service provider (Information Systems Audit and Control Association, 2009; Red Hat, 2010). Dropbox (http://www.dropbox.com) is an example of IaaS for storage. For the IaaS model, control over the operating system, applications, and storage is given to the client, but not control of the underlying cloud infrastructure (Red Hat, 2010). PaaS provides the client the ability to deploy applications that have been either created or acquired by the client onto the cloud infrastructure through the use of tools and programming languages which are supported by the cloud service provider (Information Systems Audit and Control Association, 2009; Red Hat, 2010). The PaaS model gives the client control over the applications and possibly some control over the hosting environment configuration; as with SaaS, the client does not have control over the underlying cloud infrastructure, operating system, or storage (Red Hat, 2010).
Amazon's Elastic Compute Cloud is one of the established cloud computing infrastructures; this is an example of the IaaS model, and provides scalable resources and load balancing. There are also PaaS and SaaS elements, where multiple operating systems and software applications for web hosting, databases, and development are available (Amazon, 2011). Microsoft's Windows Azure cloud is aimed at running and developing applications (Microsoft Corporation, 2011c); therefore this can be considered as following the PaaS model. IBM is another provider of cloud services (IBM, c. 2011), and in South Africa Teraco provides SaaS and IaaS cloud models (Teraco, 2011).
As cloud computing is a new technology, there is an element of risk involved when deploying these services as part of an IT strategy. Confidentiality of information is a concern as the information is processed or stored by applications and infrastructure which the client has very little control over; the cloud service provider is therefore responsible for the security and privacy of the information (Information Systems Audit and Control Association, 2009). In many cases, data from multiple clients may be stored together; if this is not controlled properly, it may result in an accidental data breach. Responsibility for maintaining the integrity of stored data (so that it is not altered accidentally or by unauthorised entities) also falls to the cloud service provider. Should a breach of the confidentiality or integrity of the data occur, there may be uncertainty regarding legal liability (Information Systems Audit and Control Association, 2009); the owner of the information is the client, but the storage and processing were outsourced to a third party (the cloud service provider). While the cloud provider is responsible for service delivery, the connectivity between the client and the provider may prove to be a weak point as it may be the subject of DoS attacks and attempts to intercept the information, and availability will also be reliant on the client's Internet service provider and the correct functioning of network gateways (ibid.). For those reliant on the cloud services, an outage may have severe impacts, such as when Amazon experienced outages of its cloud services in April 2011 (Brooks, 2011).