Refer to the documents attached.
report_3.docx

sample_paper.doc


Risk Management is an important part of Project Management. In this report,
consider the different types of risks that a project manager has to contend with. Identify
one project each in Health Care and Transportation that has greater relevance to the
Houston economy. Write a detailed analysis of the risks involved in these two industries
and the mitigation techniques that you could recommend for each identified risk. Base your
references on these two industries only.
For writing this report you should check both print and online resources. You may use
any information from newspapers, only to the extent that you can corroborate them from other
reliable sources. Include 5 to 10 references and list the reference details such as author(s),
volume, page numbers, year of publication or web link, as the case may be. Use at least two
references from print sources such as a journal.
IS SECURITY REALISTIC IN CLOUD COMPUTING?
ABSTRACT
Cloud computing is well received because of the benefits it offers but many users are not clear
about the scope of security in cloud computing. Many surveys point out that security in the cloud
remains the top concern for businesses in their decision making consideration in spite of the cost
advantages it offers. In order to identify the security concerns we analyzed over 50 research
articles and industry white papers published over the past five years. In this paper we focus on
the question “Is security realistic in cloud computing?” In presenting the justification that it is
possible to expect adequate security features in the cloud we address several related issues. First,
we briefly describe the three types of cloud services – SaaS, PaaS and IaaS. Then we focus on
the security aspects that businesses must pay attention to in order to succeed. Next, we consider
the importance of trust in the service providers and how they could build customer trust in their
services. This discussion leads to service reliability in the cloud and how the cloud providers
could build trust in light of the cloud outages. Also, we highlight how the security features
offered in the cloud support compliance requirements. We conclude the paper with some relevant
information on the legal aspects related to cloud computing.
INTRODUCTION
Cloud computing today is benefiting from the technological advancements in
communication, storage and computing. The basic idea in cloud computing is to take advantage
of economies of scale if IT services could be provided on demand with a decentralized
infrastructure. This idea is a natural evolution from the IT time-share model of the 1960s and
1970s. Today, technology has advanced significantly and many more organizations have
computing demands that are elastic in nature. Organizations large and small require reliable
computing resources in order to succeed in business. Large businesses deal with complex
systems whereas Small and Medium sized Enterprises (SMEs) need access to affordable
computing resources. Based on these aspects we can summarize some of the rationale for today’s
cloud computing needs as follows:
• acquiring and managing the IT resources requires specialized skills
• maintaining a reliable IT infrastructure is expensive
• rapid technology advancements make it difficult to keep IT expertise current
• the Internet has opened up many opportunities for individuals as well as small businesses
• number of entities requiring computing resources has grown exponentially
• SMEs’ demand for computing resources varies significantly over time
• providing data security is a complex undertaking
In the above paragraph we have identified some of the major reasons as to why cloud
computing would be advantageous to use. When a significant part of the business depends on a
type of service that the business does not fully control, the question arises as to how the business
can meet its obligations to its customers. As highlighted above, IT services are essential to the
success of the business but it would be cost prohibitive for the business to manage an IT center
with the required expertise and fluctuating demand on resources for processing and storage.
Thus, a business using cloud computing must understand the security challenges that it would be
responsible for and how cloud computing could help in this regard. We address the security
challenges by first noting the differences in the types of cloud computing that a business might
be using.
In order to address the security challenges associated with cloud computing, we need to
understand first the meaning of cloud computing. The primary reason for this is that the term
‘cloud computing’ is used as a catch-all for a wide ranging array of services. After a careful
analysis of numerous sources in the literature we have arrived at the following working
definition of ‘cloud computing’ based primarily on the National Institute of Standards and
Technology definition: Cloud computing consists of both the infrastructure and services that
facilitate reliable on-demand access to resources that can be allocated and released quickly by
the user without provider intervention using the pay-as-you-go model (NIST, 2011). It is worth
noting in this context that Mell and Grance further amplified on this general definition in their
NIST report that is now widely accepted as one of the important definitions of cloud computing
(Mell, 2011).
Today’s cloud computing has three basic types: Software as a Service (SaaS), Platform as a
Service (PaaS) and Infrastructure as a Service (IaaS). In the simplest of terms ‘cloud computing’
has come to embody SaaS. Similar to the IT time-share model mentioned earlier, SaaS provides
both the server hardware and software to an organization without any of the complications of
managing an IT system. The simplest example of SaaS service would be email for an
organization. The cloud provider benefits from the economies of scale in managing a large
infrastructure because of their strength in that area and is able to provide the necessary
computing resources to the user, the majority of whom are SMEs, at an affordable cost. SaaS leaves
the full control of the computing system with the provider. Some of the major commercial SaaS
providers are Amazon, Google, Microsoft and SalesForce.
PaaS provides the customer a platform, such as the Windows operating system with the
necessary server capacity to run the applications for the customer. PaaS is used mainly by
developers who need to test their applications under a variety of conditions. The PaaS cloud
service provider manages the system for its upkeep and provisioning of tools such as .NET and
Java whereas the customer is responsible for the selection of applications that run on the
platform of their choice using the available tools. Thus, the customer is responsible for the
security challenges associated with the applications that they run. For example, a customer
running a SQL Server database on the platform should be aware of the vulnerabilities of the
database system. Hence, the customer should have the expertise to manage such applications on
the platform used under this pay-as-you-go model. The benefit to the customer is that if their
hardware needs change or if they require a Linux/UNIX platform for some other applications,
then provisioning them takes only a few days as opposed to a few weeks to make the new system
operational. Major PaaS cloud service providers are Google App Engine and Windows Azure.
IaaS provides the customer the same features as PaaS but the customer is fully responsible
for the control of the leased infrastructure. IaaS may be viewed as the computing system of the
customer that is not owned by them. Unlike PaaS, IaaS requires the organization to have the
necessary people with extensive computing expertise. The IaaS customer would be responsible
for all security aspects of the system that they use except physical security, which would be
handled by the cloud provider. Amazon and IBM are examples of IaaS providers. Combining the
information presented so far about these three types of cloud services with additional cloud
service providers, we have Table 1.1 that provides a quick snapshot of the available resources.
Table 1.1 Summary of cloud service providers
Provider          Type of service   Product name
Amazon            SaaS              AWS
Amazon            PaaS              Elastic Beanstalk
Amazon            IaaS              EC2, S3
Google            SaaS              Gmail, GoogleDocs
Google            PaaS              App Engine
Microsoft         PaaS              Azure
Salesforce.com    SaaS              Sales Cloud
Salesforce.com    PaaS              Force.com
Rackspace         PaaS              Rackspace Cloud
Rackspace         IaaS              Rackspace Cloud
IBM               SaaS              CloudBurst
IBM               IaaS              Blue Cloud
EMC               IaaS              Atmos
Apple             SaaS              iCloud
AT & T            SaaS              Synaptic Hosting
VMware            IaaS              vCloud Director
It is worth noting that these three types of services are gaining ground. According to the
Ponemon Institute/CA Technologies 2011 study, among cloud service providers, SaaS accounts
for 55 percent, PaaS accounts for 11 percent and IaaS accounts for 34 percent. Besides these
three service types available, a potential user must also consider the four different cloud
deployment models for meeting their computing needs. The four cloud deployment models are
public cloud, private cloud, hybrid cloud, and community cloud. The most common cloud
deployment model is the public cloud. In the public cloud the customer shares the resources with
other customers. On the other hand, in a private cloud the resources are dedicated to the
organization and have greater security because the computing resources are not shared with other
customers. Private cloud is affordable only for large organizations. A natural evolution from
public cloud and private cloud service models is the hybrid cloud which uses both proprietary
computing resources and/or private cloud resources that the organization manages directly and
the public cloud for some of the computing requirements, especially the ones with varying
demands on resources (Bhattacharjee, 2009). Two of the major hybrid cloud providers currently
are VMware and HP. Another important statistic to note is that 65 percent of the cloud service
customers use public cloud service while 18 percent each use private cloud and hybrid cloud
services. These three types of cloud services aim to meet the customer requirements at different
levels of engagement in managing the computing hardware and software. This has a direct
correlation to the size of the organization in choosing the type of cloud service. For this reason
we can broadly classify the cloud computing users as belonging to either the public cloud or the
private cloud. Small and medium sized businesses typically use the public cloud and large
organizations use the private cloud. All the cloud service providers mentioned earlier provide
both public and private cloud services. In the private cloud, a large organization which has a data
center to manage, is able to use large amounts of storage and computing power dedicated to just
their organization only. The private cloud facilitates the large organization to handle demand
elasticity similar to the public cloud provider.
The community cloud is used by organizations with a common focus such as health care,
automotive and financial services. The community cloud represents a vertical market in which
the organizations stand to benefit by having a dedicated server that addresses the specialized
needs of that sector. For example, in the media industry companies are looking for ways to
simplify content production at low-cost. This requires collaboration among a large group of
people. A community cloud facilitates the location of necessary computing resources for content
production and editing. By using a community cloud dedicated to the media industry this need is
met. Windows Azure platform is used as a public cloud for this community cloud architecture.
Having provided a brief overview of the three basic cloud types and the four deployment
models, let us next review the security aspects in the cloud as discussed in several research
articles and industry white papers. One of the main reasons for the cloud to provide cost
efficiencies is its ability to leverage the economies of scale in their hardware and their ability to
offer Virtual Machines (VMs) on a single hardware for multiple clients. Moreover, cloud
providers enable visibility to the customer on the location of their VM in the cloud. How this
feature is exploited by attackers to launch side-channel attacks on the cloud is the major
contribution of Ristenpart, Tromer, Schacham and Savage. In their oft-cited paper “Hey, You,
Get off of my cloud,” these UC San Diego and MIT researchers highlight the security concerns
of many businesses. They point out the data leakage aspect in a public cloud (Ristenpart, 2009).
In a multi-tenant environment on a physical infrastructure, which is very common in a public
cloud, such attacks are capable of extracting encryption keys. Thus, one of the most heavily relied
upon defenses for securing data storage in the cloud becomes vulnerable. Armbrust et al discuss in
their paper the top 10 obstacles to cloud adoption. These UC Berkeley researchers show the
current status of the cloud service and how the technology needs to improve further to address
customer security concerns. This paper points out how, in spite of advancements in
interoperability among different platforms, the storage APIs tend to be proprietary. This effectively
locks in a cloud customer and prevents switching to another cloud service provider easily (Armbrust,
2010). Providing very high reliability of service in the cloud requires extensive infrastructure
deployment with plenty of redundancy built-in. Major service providers like Amazon, Google,
Microsoft and Salesforce have the ability to assure very high availability of their services. All
these services have experienced some well publicized outages which cause concern for
businesses in their desire to switch to the cloud.
The significance of cloud security is the focus of one of the four parts of the book Cloud
Computing by Antonopoulos and Gillam. In this edited book the authors have included several
chapters on cloud security (Antonopoulos, 2010). In particular, the work of Durbano, Rustvold,
Saylor and Studarus focuses on the significance of standards in enabling cloud security. Their work
points out the gaps in ISO 27002 security controls (Durbano, 2010). Chen, Paxson and Katz
answer the question of ‘What is new about cloud computing security?’ Their analysis shows that
many of the cloud security issues are not really new except that they hinge upon multi-tenancy
trust considerations and auditability of service providers’ ability to back up their claims with data
on security aspects (Chen, 2010).
One of the challenges for any new technology is the availability of global standards. Cloud
computing is evolving rapidly but there are not many commonly accepted standards yet. ISO
27001, NIST and Cloud Security Alliance are all working toward providing guidelines for the
cloud industry. One of the Cloud Security Alliance guidelines involves the Top 9 Cloud
Computing Threats in 2013. Some of these threats relate to data breaches in the cloud, data loss
due to data leakage, insecure APIs and abuse of cloud services (Cloud Security Alliance, 2013).
We already pointed out one such abuse from the work of Ristenpart et al involving side channel
attacks. Next we look at the literature review article of Yang and Tate in which they classify 205
articles that appeared on cloud computing (Yang, 2012). They started this line of research in 2009
when they reviewed 54 articles. Since then the field has grown significantly and they included
several of the articles that we are examining in this brief review. Similar to Yang and Tate’s
work, Idziorek and Tannian surveyed all research articles in the area of public cloud computing
and focused on cloud computing security. This article points out several reasons for the
impediments still facing cloud computing adoption (Idziorek, 2012). Likewise, Modi et al
surveyed the issues affecting cloud computing adoption and their vulnerabilities. This paper
identifies some solutions to strengthen security and privacy in the cloud (Modi, 2013). Related to
this work is the technical book by Trivedi and Pasley on Cloud Computing Security. As
developers of cloud security solutions with a major technology company these authors identify
several security solutions based on cloud architecture, design and the way the customers deploy
their cloud based solutions (Trivedi, 2012). Continuing this line of research on cloud computing
security, Zissis and Lekkas propose the creation of a trusted third party focused on cloud
security. The authors point out that this arrangement would create a security mesh for all cloud
users that will lead to a trusted environment (Zissis, 2012).
Many businesses use cloud computing for data storage. This feature provides the business a
cost effective solution to store as much data as necessary and at the same time provide related
data backup, recovery and business continuity benefits. However, it also introduces the risk of
not having full control over the data storage as it is physically outside the control of the business.
This has led to several risks for businesses. To address this concern Wang et al propose a flexible
distributed method. In their approach they propose a method that achieves storage correctness
and supports dynamic operations such as data update and delete (Wang, 2009). John Viega from
a major security service firm analyzed the security aspects of the three major cloud services –
SaaS, PaaS and IaaS. His analysis shows that in the case of SaaS the main concern for the
customer relates to the service providers’ ability to protect the infrastructure from attack and
ensure non-leakage of data in the multi-tenant environment. In PaaS, even though the developers
who subscribe to this service will be able to develop their own security solutions, they are still
dependent on the service providers’ way of protecting the service below their application level
for intrusion prevention. For IaaS, the major concern is the way the virtual machines are
configured. A related concern with IaaS service is the reliability of the service provider (Viega,
2009). Mark Ryan has a special focus in his paper on privacy concerns related to the cloud
because his paper addresses an area of interest for many academic researchers. The goal of
Ryan’s paper is on the privacy aspects related to the two major conference management systems
in use – EDAS and EasyChair. The paper highlights the many benefits of the conference
management systems on the cloud and also highlights some concerns such as the leakage of
reviewer information, cumulative success records of many researchers related to their
submissions for a variety of conferences over a long period of time and aggregated reviewing
profile of the reviewers. These data could be accidentally or maliciously disclosed by systems
administrators on these cloud systems where they are privy to large volumes of data. Even
though this is a very small segment of the cloud service industry, this paper’s focus is on the
potential privacy concerns for data stored on the cloud (Ryan, 2011).
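The storage-correctness idea attributed above to Wang et al (a client that can check, after the fact, that data held by a provider it does not control is still intact, while still being able to update and delete blocks) can be illustrated with a much simpler client-side scheme. The following is an added example, not Wang et al's distributed method and not code from the paper: the client keeps only a secret key and a per-block (version, tag) pair, the provider keeps the bytes, and the tag binds block id, version and content so that tampering, rollback to an older version, and silent loss are all detected. The in-memory `provider` dict and the block contents are constructed stand-ins.

```python
import hashlib
import hmac
import os


class CloudStoreClient:
    """Client-side integrity tracking for blocks kept at an untrusted provider.

    The client retains only a secret key and one (version, tag) pair per block;
    the provider holds the block contents. Any modification, rollback to an
    older version, or loss of a block is detected by verify() / audit().
    """

    def __init__(self, key: bytes):
        self.key = key
        self.tags: dict[str, tuple[int, bytes]] = {}
        # Constructed stand-in for the remote store: an in-memory dict.
        self.provider: dict[str, bytes] = {}

    def _tag(self, block_id: str, version: int, data: bytes) -> bytes:
        # Bind the tag to the block id and version so a block served under
        # another id, or an older version replayed by the provider, fails.
        msg = block_id.encode() + version.to_bytes(8, "big") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def put(self, block_id: str, data: bytes) -> None:
        # A new version number on every write (first write is version 1).
        version = self.tags[block_id][0] + 1 if block_id in self.tags else 1
        self.tags[block_id] = (version, self._tag(block_id, version, data))
        self.provider[block_id] = data  # "upload" to the provider

    update = put  # an update is simply a put of the next version

    def delete(self, block_id: str) -> None:
        # Drop the local tag first; a block with no tag is never trusted.
        self.tags.pop(block_id, None)
        self.provider.pop(block_id, None)

    def verify(self, block_id: str) -> bool:
        if block_id not in self.tags:
            return False
        data = self.provider.get(block_id)
        if data is None:
            return False  # block lost or silently dropped by the provider
        version, expected = self.tags[block_id]
        return hmac.compare_digest(expected, self._tag(block_id, version, data))

    def audit(self) -> list[str]:
        # Every block the client believes it owns that no longer verifies.
        return sorted(b for b in self.tags if not self.verify(b))


if __name__ == "__main__":
    client = CloudStoreClient(os.urandom(32))
    client.put("records-001", b"ledger v1")
    stale = client.provider["records-001"]
    client.update("records-001", b"ledger v2")
    client.provider["records-001"] = stale  # provider serves an old copy
    print(client.audit())
```

The version number in the tag is what turns a plain checksum into a rollback check: without it, a provider returning a previously valid copy of an updated block would pass. The scheme still assumes the client's key and tag table are stored outside the provider, which is exactly the "not having full control" trade-off the passage describes.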
The next set of papers that we examine relates to cloud computing risks and how they are
addressed. Gartner Research identifies seven cloud computing risks that are quite common.
These are presented in the context of a potential cloud customer evaluating a cloud service. Some
of these concerns relate to how the service provider handles privileged access to system
resources, their regulatory compliance activities related to physical security of the system and
third party audit such as SAS 70 Type II audit report, where they store the data and how they
segregate data belonging to different customers so that they do not co-mingle (Brodkin, 2008). In
summarizing the cloud security concerns of many European par …