Introduction:
This report examines how ISO 27001 operates once the risks in a cloud architecture have been identified. It covers how the infrastructure of the cloud computing architecture protects data from the security threats that approach it. The standard methodology is also a major reason for the robustness of the database in the cloud computing architecture. The database of the cloud computing system is, in turn, central to the analysis of threats in the risk management process for the architecture. The cloud computing architecture faces severe threats from imposters who try to hack the organization's cloud architecture, which makes the robustness of the database architecture a central concern. The CVE of the infrastructure of the framework helps ensure that the organization's cloud data stays protected from the threats approaching the organization. Detecting threats with the help of ISO 27001 has been the best process for protecting the data stored in the framework of the cloud computing architecture, and it underpins the risk assessment methodology for the cloud computing architecture.
Risk Analysis
Risk analysis of the cloud computing architecture is the main means of processing the risks that arise from the organization's cloud computing database. Keeping the ISO 27001 model updated is the main aspect of protecting the data present in the database architecture. The data in the organization's cloud computing database are safe from intruders only when ISO 27001 is updated to the latest version for the cloud computing database system. This has been the major source of support for the data stored in the database of the organization's cloud computing architecture.
Type of assets:
The assets are divided into two integral parts, namely primary assets and secondary assets. The data system of the cloud computing system is classed as a primary asset, and it acts as the platform supporting the infrastructure of the cloud computing system. Secondary assets rely on the primary assets: the performance of the secondary assets depends completely on the functioning of the primary assets. This shows that the efficiency of a secondary asset depends completely on the structure of the organization's cloud computing architecture. The data stored in the organization's cloud computing architecture depends on the betterment of the security system of the cloud computing architecture, which has been acting as the major reason for the
Owner specification:
| Specific speculations | Dealers |
|---|---|
| Cloud storage | CTERA |
| Customer database | MEDHOST |
| Firewall | Juniper networks |
| Firmware | Compuware |
| Implicit server | Google |
| Intranetworking | F7 |
| Mail server | Amazon |
| Verification of cloud server | Symantec |
Threats for each asset:
Threats with cloud storage:
Many third-party software products provide cloud services, and users upload personal documents to them without realising that the user is not the admin and that the user's data can be stolen at any time (Almorsy, Grundy and Muller 2016). Flaws in the servers may lead to theft of the data, and hackers can penetrate the user's system without proper credentials.
Threats with cybernetic servers:
Cybernetic servers store massive amounts of data and require very strong knowledge to administer. An administrator who lacks that knowledge can cause devastating network faults. The servers need regular security patches; otherwise they can become basic targets for hackers (Jokar, Arianpoo and Leung 2016).
Threats with firewall:
A firewall protects the internal network from external threats such as malicious attacks carried out over the external internet. However, it is not suited to defending the network from threats that arise from flaws in internal security.
Where the system allows external communication, such as receiving emails from outside sources, the firewall cannot prevent that communication by analyzing its flaws and nature (Singh, Jeong and Park 2016).
Threats with the intranet:
An intranet connects the networks within a particular institute or office. Because of this, many people think that nobody outside the network can access the intranet and use weak or no passwords to protect their personal security, and so they become major targets for hackers and crackers (Wang, Wei and Vangury 2014).
Threats with web and mail servers:
There are too many flaws and vulnerabilities belonging to the firewall in use that a hacker may exploit. It also offers one-stop solutions for the protection of the web servers. If a hacker gets into the web mail, they can access the personal information of the users as well as the data of the network (Wang, Wei and Vangury 2014).
Threats with the firmware and the admin and user pc:
The firmware does have the option for the encryption process and is one of the most easily hackable things. Hackers can easily penetrate the internal hardware by breaking the security of the firmware. This puts the admin as well as the network in danger (Singh, Jeong and Park 2016).
Vulnerabilities for each asset:
CVE-2016-9245
This exposure is connected with F5 BIG-IP systems. The platform uses virtual servers for its working procedures. In this vulnerability, all the attacker needs to do is request the HTTP profile to restart the TMM of the servers. This can expose all the BIG-IP APM profiles, despite the HTTPS servers. This helps in disrupting traffic and in the injection of malicious software (Cve.mitre.org 2018). The systems use hard code implemented for accessing the databases. With proper knowledge of this hard code, any hacker can access the databases directly, without admin checks, and change any file in the database. The DMS account can be connected with PostgreSQL, which gives hackers access to the DMS database. As a result, while the system is flashing, anyone can get into the system and effortlessly alter the firmware settings. This is very easy to do: all the user needs is the Phoenix "UEFI update program". This malware is easily available on the internet and can be used by anyone. With it, the hacker can easily corrupt the system and mount a DDoS attack on the servers.
CVE-2017-8514
This exposure arises through the intranet network used to connect internal devices. Microsoft SharePoint is one of the major examples. A major issue with MS SharePoint is that its security standards are not robust enough to protect the network. The privacy of the data can therefore be compromised, and the data can be accessed by unauthorized users. A major risk is that once hackers are in the network, they can use the identity of a user to gain access to the entire system (Cve.mitre.org 2018).
This exposure also applies to Amazon Web Services (AWS), which provides web and mail facilities (Cve.mitre.org 2018). The bootstrap bundle called CloudFormation enables users to execute arbitrary code with root access, while the same exposure allows foul players to generate local files on the system. This exposure was initially discovered by the CTERA cloud storage and is associated with cross-site scripting (XSS). This vulnerability helps in the injection of arbitrary web scripts.
Level computation, using Boston grid:
Impact table specification:
| Security issues | Impact |
|---|---|
| Interface attack | Medium |
| Protection of data | Low |
| Virtualization of hardware | Medium |
| SSH attack | Medium |
| Virtualization of software | High |
| Utility computing | High |
| Malicious code | Low |
| SLA | High |
Risk credentials with the risk level, by Boston grid:
| Identified risk | Risk level |
|---|---|
| Confidentiality | Medium |
| API attack | Medium |
| User credential attack | Medium |
| Signature attack | Low |
| Credential attack | Medium |
| Publisher credential attack | High |
| MAC spoofing | High |
| ARP spoofing | Medium |
| Hack of computer system | Low |
| Client attacks | High |
| Script | Low |
| Hacking | High |
Reference
Alebrahim, A., Hatebur, D., Fassbender, S., Goeke, L. and Côté, I., 2015. A pattern-based and tool-supported risk analysis method compliant to iso 27001 for cloud systems. International Journal of Secure Software Engineering (IJSSE), 6(1), pp.24-46.
Almorsy, M., Grundy, J. and Müller, I., 2016. An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Cruz, Z.B., Fernández-Alemán, J.L. and Toval, A., 2015. Security in cloud computing: A mapping study. Computer Science and Information Systems, 12(1), pp.161-184.
Cve.mitre.org. (2018). CVE -CVE-2016-9245. [online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9245 [Accessed 18 April. 2018].
Cvedetails.com. (2018). CVE-2013-2639 : Cross-site scripting (XSS) vulnerability in CTERA Cloud Storage OS before 3.2.29.0, 3.2.42.0, and earlier allows remote. [online] Available at: https://www.cvedetails.com/cve/CVE-2013-2639/ [Accessed 18 April. 2018].
Faniyi, F. and Bahsoon, R., 2016. A systematic review of service level management in the cloud. ACM Computing Surveys (CSUR), 48(3), p.43.
Fonseca, N. and Boutaba, R., 2015. Cloud services, networking, and management. John Wiley & Sons.
Hoy, Z. and Foley, A., 2015. A structured approach to integrating audits to create organisational efficiencies: ISO 9001 and ISO 27001 audits. Total Quality Management & Business Excellence, 26(5-6), pp.690-702.
Hua, X. and Sixin, X., 2018. A framework for risk assessment of cloud digital archives. Comma, 2016(1-2), pp.215-224.
Jokar, P., Arianpoo, N. and Leung, V., 2016. A survey on security issues in smart grids. Security and Communication Networks, 9(3), pp.262-273.
Kurnianto, A., Isnanto, R. and Widodo, A.P., 2018. Assessment of Information Security Management System based on ISO/IEC 27001: 2013 On Subdirectorate of Data Center and Data Recovery Center in Ministry of Internal Affairs. In E3S Web of Conferences (Vol. 31, p. 11013). EDP Sciences.
Pulier, E., Martinez, F. and Hill, D.C., ServiceMesh Inc, 2015. System and method for a cloud computing abstraction layer. U.S. Patent 8,931,038.
Semantic Approach in End to End Security. International Journal Of Mechanical Engineering And Technology (Ijmet), 8(5).
Singh, S., Jeong, Y.S. and Park, J.H., 2016. A survey on cloud computing security: Issues, threats, and solutions. Journal of Network and Computer Applications, 75, pp.200-222.
Sivasubramanian, Y., Ahmed, S.Z. and Mishra, V.P., 2017. Risk Assessment for Cloud Computing. International Research Journal of Electronics and Computer Engineering, 3(2), pp.7-9.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Wang, Y., Wei, J. and Vangury, K., 2014, January. Bring your own device security issues and challenges. In Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th (pp. 80-85). IEEE.