Lindsay Dale COIT20233 Assignment 3

Lindsay Dale

Student Number: Sxxxxxxx

COIT20233 Assignment 3

Due Date: 2 May 2015

Lecturer: Dr Jo Luck

Course Coordinator: Dr Jo Luck


Executive Summary

Cloud computing promises a transformation in the provision of IT services to businesses and other organisations. Along with many advantages to the business that include easy scalability and ubiquitous access to resources, there are many risks that a business must consider before deploying a cloud solution. These risks include a loss of control over service restoration in case of failure and possible security risks due to attack via the Internet. To mitigate those risks, businesses need to have well-written contracts, develop strict and easily understood policies to ensure the appropriate storage of information, and have multi-factor authentication to access sensitive information via the Internet.

This report considers the situation of GlobDev, an Aid and Development organisation headquartered in Melbourne with staff in many developing countries. Using recent research, the report analyses the advantages and disadvantages of Cloud Computing, associated security risks and mitigation, and examines using cloud services to enable secure mobile computing. The report proposes a possible path to the transformation in the delivery of IT services in GlobDev through the migration to cloud-based services. The report supports the use of cloud computing through mobile devices provided to field staff. The engagement in technology through social media applications and mobile technology should improve donor engagement and expand GlobDev’s opportunity for growth by increasing its supporter base.

Table of Contents

1.0 Introduction

1.1 Organisational Context

1.2 Objective and Methodology

1.3 Report Outline

2.0 Definitions of Cloud Computing

3.0 Advantages and Issues with Cloud Computing

3.1 Advantages of Cloud Computing

3.2 Issues with Cloud Computing

4.0 Security Risks in Cloud Computing

5.0 Opportunities for growth through Cloud Services

6.0 Conclusions

7.0 Recommendations

8.0 Reference list

1.0  Introduction

1.1 Organisational Context

Cloud computing is an increasingly popular method for delivery of software services and storing data. GlobDev is a large not-for-profit organisation, headquartered in Melbourne, that runs aid and development programs in underdeveloped nations. The projects are organised by people from developed nations, including Australians, who are part of the organisation's staff. National staff in each country are also employed by the organisation. There are currently 2150 people employed in projects across 38 nations, with a further 50 people employed in administration in 10 donor countries plus a further 70 staff in the head office in Melbourne. Projects and administration costs are funded through personal and corporate donations along with contributions from the foreign aid budgets of some G-20 major economies. The organisation has a central server located in the Melbourne headquarters that is only backed up locally. There are desktop computers located in donor countries and with each project. While many of the staff in donor countries have laptop computers, very few staff working in projects have any sort of mobile computing device, due to security concerns about devices that hold extremely sensitive data that can be easily accessed if stolen. Maintaining backups of data on desktop computers in each country is extremely problematic and relies on adherence by local staff to the organisation's IT policies and procedures.

1.2 Objective and Methodology

GlobDev is investigating Cloud Computing to enable staff to more effectively, efficiently and securely utilise ICT resources to access, process and distribute information in a timely manner. One of the major concerns expressed by the governing board is the security of information if it is stored in locations not controlled by the organisation. The governing board also sees opportunities to expand the organisation's base of donors through more open connections between staff and donors that a cloud solution might enable. The objective of this report is to provide a rationale for employing Cloud Computing services and address the security concerns of the governing board. The report will also detail opportunities for using cloud services to widen the organisation's supporter base. Information contained in this report has been primarily sourced from peer-reviewed journals along with industry publications.

1.3 Report Outline

The report will first define the concept of Cloud Computing services to specify the components of a Cloud Computing solution. Second, it will detail the advantages and disadvantages of using cloud-based services. Third, it will address the security concerns of the governing board along with strategies to mitigate the risk. Fourth, it will demonstrate clear improvements in information security that Cloud Computing offers. Fifth, the opportunities to increase engagement with the existing donor base and appeal to new donors will be discussed. The report will conclude with recommendations for proceeding with Cloud Computing services.

2.0 Definitions of Cloud Computing

Cloud Computing consists of computing resources hosted on multiple networked computer servers to provide a seamless connection to resources (Mell & Grance 2011). This differs from the server-specific model of providing resources, where access is provided through connections to specific servers. Cloud Computing can be either public, where services are provided by an organisation to individuals or organisations, or private, where the services are provided exclusively for the organisation itself (Mell & Grance 2011). Private clouds can be hosted by the organisation or hosted by a third party (Mell & Grance 2011); the important differentiator is exclusivity and not the location of the services.

Cloud Computing is deployed using three different service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). SaaS utilises some form of subscription service to access software. The cloud provider controls the software and can change the software without notice to the individual or organisation (Mell & Grance 2011). The software can reside on the provider’s infrastructure, where it is accessed through an Internet browser or a client application, or be installed on the subscriber’s computer and updated through a provided mechanism. PaaS is where a provider allocates resources and an application environment on which the client’s applications are hosted (Mell & Grance 2011). The client retains control over the applications while the provider contracts to support the underlying environment. IaaS is where a cloud provider supplies fundamental computing resources for a wide variety of computing uses (Mell & Grance 2011). These uses can include storage, printing, and application environments that are fully controlled by the service subscriber. Subscribers are not limited to a single service model, but can choose elements of all three models for provision of a wide variety of computing services.

3.0 Advantages and Issues with Cloud Computing

3.1 Advantages of Cloud Computing

There are many advantages in changing from a traditional networked approach to computing resources to a cloud-based model. Iyer and Henderson (2012) interviewed seven companies and identified six key benefits. First, managers were able to better focus on using IT to meet business needs rather than frequently encountering significant hurdles leveraging existing IT infrastructure. Second, the modularity in design of Cloud Computing enables faster deployment of new services and the ability to reuse existing IT infrastructure for new services. The modularity enables scalability of services, with correct sizing of infrastructure to meet current needs and expand as requirements change. Third, cloud services give multiple locations access to the same services and resources, allowing seamless collaboration between different parts of a business. Fourth, cloud-based applications are quicker to develop and upgrade than conventional development models. Fifth, cloud-based applications tend to have better interoperability between specialist applications due to a more standardised application environment. This allows selection of services from a diverse range of vendors that have high levels of interoperability. Sixth, cloud services allow the development of social interaction within client-facing applications. This connection has delivered higher levels of customer satisfaction in other businesses. Jeon, Yvette and Byungjoo (2012) identify another key advantage for this organisation: allowing the use of mobile devices to access resources gives field staff higher quality access to information in a timelier manner, which will facilitate more effective communication. Cloud computing can enable a transformation of business processes and connections with field staff and donors. However, there are problems associated with cloud computing that need to be considered.

3.2 Issues with Cloud Computing

Utilising public cloud computing services poses particular risks to the organisation that must be considered. Tisnovsky (2010) identifies four risks for businesses. First, the organisation loses control over the infrastructure on which the services are hosted. Second, there is a financial incentive for cloud providers to host a maximum number of services on a particular piece of infrastructure, which can lead to contention issues with other organisations. Third, a lack of control over backup and restore processes can lead to long delays in restoring vital services. Fourth, the location of storage can be anywhere in the Internet, and the organisation’s data may be housed on servers located in countries where the organisation’s information may be in conflict with the laws of that country. Another issue is the resistance of staff to changing to a cloud-based model for accessing services, which will necessitate training of staff to ensure a positive acceptance of the changes (Wu, Lan & Lee 2013). By far the biggest issue that must be addressed is security of information that is accessed over the Internet for both public and private cloud services (Srinivasan 2013).

4.0 Security Risks in Cloud Computing

To ensure security of information in the cloud, Fernandes et al. (2014) analysed peer-reviewed literature and found six key requirements for a public cloud. First, there must be a method for identifying the requestor and then authenticating access to the cloud. Second, the cloud must have a system for controlling the level of access granted to each individual. Third, confidentiality of the information must be maintained. Fourth, audit trails are necessary to ensure the integrity of stored information. Fifth, information transferred between the individual’s end computer and the cloud must have a positive indication that both the cloud and the end computer have received the information. Sixth, the information must be available when required by an individual. With a private cloud, security concerns are less stringent because the organisation retains much greater control over information and public sharing is more difficult (Fernandes et al. 2014). Public dissemination of information in a private cloud requires individuals to deliberately choose to act against organisational policies.

Cloud providers have a clear duty to ensure a very high level of physical security across multiple locations. Each location is very carefully chosen, with many levels of redundancy across multiple sites to ensure very high levels of availability (Fernandes et al. 2014). Therefore, physical security is much higher within the cloud providers than exists within the current data centre of this organisation. As the information in the cloud would be spread across geographically diverse sites, the information is far less likely to be lost than if there was a catastrophic failure at the organisation’s headquarters.

Elasticity in the allocation of resources, in both public cloud services and a virtual private cloud, is a possible security threat to the organisation. If the organisation scales down its need for storage space from a cloud provider, the organisation needs to ensure that any resources released are properly cleaned up by the cloud provider. Otherwise, another organisation could access that information (Behl & Behl 2012). The security concerns surrounding dynamic allocation of resources by cloud providers are most problematic in SaaS services where storage is provided along with access to software, because companies oversubscribe storage allocation on the basis that it is unlikely all subscribers will use all allocated storage space (Dou et al. 2013).

Single authentication factors, those that only rely on a password for access to resources, are a major security threat to an organisation (Weir et al. 2010). This becomes more problematic where people use multiple systems that have differing password requirements. Many people find it difficult to remember multiple passwords and tend to keep written records of passwords readily available. To mitigate these risks, password management systems need to be implemented as part of a cloud strategy (D'Costa-Alphonso & Lane 2010). For sensitive information that must be kept confidential, multiple-factor authentication needs to be incorporated (D'Costa-Alphonso & Lane 2010). Multiple-factor authentication includes biometrics, access tokens and trusted devices along with a password to access resources (Sarier 2010; Weir et al. 2010). Security risk mitigation needs to be incorporated simultaneously with the implementation of Cloud Computing, along with well-written and strict policies and guidelines (Karadsheh 2012). These policies and guidelines will provide all staff with clear direction on the most appropriate storage services for the various types of information they generate and consume. Incorporating well-designed security systems into a cloud solution will enable the use of mobile devices in the organisation.

5.0 Opportunities for growth through Cloud Services

The biggest opportunity for growth from utilising cloud services lies in enabling high quality communication between donors and field staff through the use of cloud-enabled mobile technology. Tablet computers running on Android, iOS, OS X and Windows platforms allow the installation of cloud-enabled applications that can connect to both public and private clouds. Android, iOS and OS X also have the ability to be remotely locked and erased (Apple 2014; Google 2014). McAfee (2014) offers a secure public cloud storage solution that works on Android, OS X and Windows platforms and uses biometric authentication to secure information. Equipping staff working in overseas projects with either Apple Mac laptops or Android tablets no longer poses a security risk to the organisation with appropriate cloud solutions. In developing applications for mobile devices for field staff, applications can then be developed for current and possible future donors. There are many benefits for project employees and donors alike from engaging applications, as they increase satisfaction with the organisation, thereby increasing the likelihood of maintaining long-term relationships (Hua, Tao & Xihui 2014).

6.0 Conclusions

The research demonstrates that it is possible to utilise secure cloud computing services that will bring benefits to the GlobDev organisation. From an infrastructure perspective, migrating from the current server-centric access model will allow more responsive scalability of resources, which will reduce management costs. The costs associated with having underutilised resources will also be reduced. As cloud applications are faster to develop and deploy, GlobDev will be able to design applications that better meet the needs of the organisation and redesign those applications as business needs change. As cloud services are ubiquitous and many of GlobDev’s staff are located in very diverse locations, deploying cloud services will allow much greater collaboration between staff working on similar projects. High levels of interoperability between cloud applications will allow GlobDev to select applications from different vendors that meet particular needs of business units and projects while minimising risks of incompatibility. The social networking elements in cloud computing could be leveraged to develop a close relationship between the GlobDev project staff and the donors interested in those projects. Those close relationships should improve the morale of field staff and increase satisfaction among donors. Those relationships will then form a point of difference between GlobDev and other aid and development organisations, enabling the organisation to keep donors for significantly longer periods of time and encourage others to become donors.