Although cloud computing and the emerging mobile digital platform have the potential to deliver powerful benefits, they pose new challenges to system security and reliability. We now describe some of these challenges and how they should be addressed.
Security in the Cloud
When processing takes place in the cloud, accountability and responsibility for protection of sensitive data still reside with the company owning that data. Understanding how the cloud computing provider organizes its services and manages the data is critical. The Interactive Session on Technology describes how even sophisticated Web-based firms can experience security breakdowns. Cloud computing is highly distributed. Cloud applications reside in large remote data centers and server farms that supply business services and data management for multiple corporate clients. To save money and keep costs low, cloud computing providers often distribute work to data centers around the globe where work can be accomplished most efficiently. When you use the cloud, you may not know precisely where your data are being hosted.
The dispersed nature of cloud computing makes it difficult to track unauthorized activity. Virtually all cloud providers use encryption, such as Secure Sockets Layer, to secure the data they handle while the data are being transmitted. But if the data are stored on devices that also store other companies’ data, it’s important to ensure these stored data are encrypted as well. Companies expect their systems to be running 24/7, but cloud providers haven’t always been able to provide this level of service. On several occasions over the past few years, the cloud services of Amazon.com and Salesforce.com experienced outages that disrupted business operations for millions of users
.
Cloud users need to confirm that regardless of where their data are stored, they are protected at a level that meets their corporate requirements. Theyshould stipulate that the cloud provider store and process data in specific jurisdictions according to the privacy rules of those jurisdictions. Cloud clients should find how the cloud provider segregates their corporate data from those of other companies and ask for proof that encryption mechanisms are sound.It’s also important to know how the cloud provider will respond if a disaster strikes, whether the provider will be able to completely restore your data, and how long this should take. Cloud users should also ask whether cloud providers will submit to external audits and security certifications. These kinds of controls can be written into the service level agreement (SLA) before signing with a cloud provider.
Securing Mobile Platforms
If mobile devices are performing many of the functions of computers, they need to be secured like desktops and laptops against malware, theft, accidental loss, unauthorized access, and hacking attempts. Mobile devices accessing corporate systems and data require special protection. Companies should make sure that their corporate security policyincludes mobile devices, with additional details on how mobile devices should be supported, protected, and used. They will need mobile device managementtools to authorize all devices in use; to maintain accurate inventory records on all mobile devices, users, and applications; to control updates to applications; and to lock down or erase lost or stolen devices so they can’t be compromised. Firms should develop guidelines stipulating approved mobile platforms and software applications as well as the required software and procedures for remote access of corporate systems.
Companies should encrypt communication whenever possible. All mobile device users should be required to use the password feature found in every smartphone. Mobile security products are available from Kaspersky, Lookout, and DroidSecurity. Some companies insist that employees use only company-issued smartphones. BlackBerry devices are considered the most secure because they run within their own secure system. But, increasingly, companies are allowing employees to use their own smartphones, including iPhones and Android phones, for work, to make employees more available and productive (see the Chapter 5 discussion of BYOD). Protective software products, such as the tools from Good Technology, are now available for segregating corporate data housed within personally owned mobile devices from the device’s personal content.
ENSURING SOFTWARE QUALITY
In addition to implementing effective security and controls, organizations can improve system quality and reliability by employing software metrics and rigorous software testing. Software metrics are objective assessments of the system in the form of quantified measurements. Ongoing use of metrics allows the information systems department and end users to jointly measure the performance of the system and identify problems as they occur. Examples of software metrics include the number of transactions that can be processed in a specified unit of time, online response time, the number of payroll checks printed per hour, and the number of known bugs per hundred lines of program code. For metrics to be successful, they must be carefully designed, formal, objective, and used consistently. Early, regular, and thorough testing will contribute significantly to system quality. Many view testing as a way to prove the correctness of work they have done. In fact, we know that all sizable software is riddled with errors, and we must test to uncover these errors.
Good testing begins before a software program is even written by using a walkthrough a review of a specification or design document by a small group of people carefully selected based on the skills needed for the particular objectives being tested. Once developers start writing software programs, coding walkthroughs also can be used to review program code. However, code must be tested by computer runs. When errors are discovered, the source is found and eliminated through a process called debugging. You can find out more about the various stages of testing required to put an information system into operation
Security in the Cloud
When processing takes place in the cloud, accountability and responsibility for protection of sensitive data still reside with the company owning that data. Understanding how the cloud computing provider organizes its services and manages the data is critical. The Interactive Session on Technology describes how even sophisticated Web-based firms can experience security breakdowns. Cloud computing is highly distributed. Cloud applications reside in large remote data centers and server farms that supply business services and data management for multiple corporate clients. To save money and keep costs low, cloud computing providers often distribute work to data centers around the globe where work can be accomplished most efficiently. When you use the cloud, you may not know precisely where your data are being hosted.
The dispersed nature of cloud computing makes it difficult to track unauthorized activity. Virtually all cloud providers use encryption, such as Secure Sockets Layer, to secure the data they handle while the data are being transmitted. But if the data are stored on devices that also store other companies’ data, it’s important to ensure these stored data are encrypted as well. Companies expect their systems to be running 24/7, but cloud providers haven’t always been able to provide this level of service. On several occasions over the past few years, the cloud services of Amazon.com and Salesforce.com experienced outages that disrupted business operations for millions of users
.
Cloud users need to confirm that regardless of where their data are stored, they are protected at a level that meets their corporate requirements. Theyshould stipulate that the cloud provider store and process data in specific jurisdictions according to the privacy rules of those jurisdictions. Cloud clients should find how the cloud provider segregates their corporate data from those of other companies and ask for proof that encryption mechanisms are sound.It’s also important to know how the cloud provider will respond if a disaster strikes, whether the provider will be able to completely restore your data, and how long this should take. Cloud users should also ask whether cloud providers will submit to external audits and security certifications. These kinds of controls can be written into the service level agreement (SLA) before signing with a cloud provider.
Securing Mobile Platforms
If mobile devices are performing many of the functions of computers, they need to be secured like desktops and laptops against malware, theft, accidental loss, unauthorized access, and hacking attempts. Mobile devices accessing corporate systems and data require special protection. Companies should make sure that their corporate security policyincludes mobile devices, with additional details on how mobile devices should be supported, protected, and used. They will need mobile device managementtools to authorize all devices in use; to maintain accurate inventory records on all mobile devices, users, and applications; to control updates to applications; and to lock down or erase lost or stolen devices so they can’t be compromised. Firms should develop guidelines stipulating approved mobile platforms and software applications as well as the required software and procedures for remote access of corporate systems.
Companies should encrypt communication whenever possible. All mobile device users should be required to use the password feature found in every smartphone. Mobile security products are available from Kaspersky, Lookout, and DroidSecurity. Some companies insist that employees use only company-issued smartphones. BlackBerry devices are considered the most secure because they run within their own secure system. But, increasingly, companies are allowing employees to use their own smartphones, including iPhones and Android phones, for work, to make employees more available and productive (see the Chapter 5 discussion of BYOD). Protective software products, such as the tools from Good Technology, are now available for segregating corporate data housed within personally owned mobile devices from the device’s personal content.
ENSURING SOFTWARE QUALITY
In addition to implementing effective security and controls, organizations can improve system quality and reliability by employing software metrics and rigorous software testing. Software metrics are objective assessments of the system in the form of quantified measurements. Ongoing use of metrics allows the information systems department and end users to jointly measure the performance of the system and identify problems as they occur. Examples of software metrics include the number of transactions that can be processed in a specified unit of time, online response time, the number of payroll checks printed per hour, and the number of known bugs per hundred lines of program code. For metrics to be successful, they must be carefully designed, formal, objective, and used consistently. Early, regular, and thorough testing will contribute significantly to system quality. Many view testing as a way to prove the correctness of work they have done. In fact, we know that all sizable software is riddled with errors, and we must test to uncover these errors.
Good testing begins before a software program is even written by using a walkthrough a review of a specification or design document by a small group of people carefully selected based on the skills needed for the particular objectives being tested. Once developers start writing software programs, coding walkthroughs also can be used to review program code. However, code must be tested by computer runs. When errors are discovered, the source is found and eliminated through a process called debugging. You can find out more about the various stages of testing required to put an information system into operation
No comments:
Post a Comment