Part 1: IaaS instance hosted by AWS/Azure

The case study presents that Webb’s Stores is a successful retailer. The two main warehouses for the company are Melbourne and Sydney. The report suggests that there are two key issues or business challenges for the organization. The first issue is the operational complexity and the second issue is the management of data. Therefore, it is important that the suggested issue of cloud computing should solve these two business challenges for the company. The management of the company should understand that any migration is a difficult task that must be handled strategically. However, there would be long term benefits of migration. The case study suggests that the organization should focus on hybrid cloud. It means that part of the infrastructure would be on cloud and the part of the infrastructure would be on premise. The high level logical diagram of hybrid cloud can be shown as:

This report is divided into various sections. The various sections of this report can be discussed as:

One of the critical step for Webb’s would be migration of MS SQL Server 2012 R2 database to IaaS instance in the cloud. This migration would be a three-step process. These three steps can be discussed as:

Step 1: Data Extraction – Extraction of data from the current SQL database. This step is the easiest of all the three steps. However, the migration activity should ensure that all the data is extracted and any data is not missed (Ghosh & Ghosh, 2015).

Step 2: Data Massaging – This step includes the formatting of the data as per the target database (Varia, 2010). In this case, the target database could be Amazon Web Services or Microsoft Azure.

Step 3: Deployment – Once the data format is set, the next step is the deployment in the new of targeted server. It is suggested that the deployment should first happen in development environment and they it should be moved to production environment. The diagrammatic representation of IaaS can be shown as:

There are various security controls that should be implemented as a part of IaaS infrastructure. There are various global security control standards that should be followed by and Cloud Service provider. Some of the measures and suggestions can be discussed as:

• One of the most important Security control is that Webb stores must uses their own encryption and tokenization as well as control their keys (Rahumed, et al., 2011). The service provider, AWS or Microsoft Azure would have their own encryption mechanism. However, it would be good if Webb’s can have an additional layer of encryption over this.
• As a part of IaaS infrastructure, the company should use multifactor authentication in place. It is recommended that Webb’s should not rely only on passwords of users. For example, company can use the services like OTP or Google authenticator to establish the system of multiple access points (Wang & He, 2014).
• As a part of IaaS infrastructure, the organization should limit the read and write access of users. The management of Webb’s should give different edit rights to different set of people. For example, only the leaders should have access to confidential information of employees.

There are various advantages and disadvantages or limitations of above security controls.  It is important that the management of Webb’s should analyse all the benefits and challenges. The key advantages and disadvantages can be discussed as:

The tight security of the system is the biggest benefit. With this system in place it is not possible for intruders or hackers to hack into the system (Dlodlo, 2011). With this system in place users cannot access the information because the data is encrypted. It would ensure that that confidential data and information of the organization is not leaked.

One of the biggest challenge or disadvantage is that the establishment of this system is a costly affair. Webb’s may have to invest a lot to develop this kind of system. Moreover, the company would need to give two-way authenticator token to all the employees. In certain cases, the efficiency of system can also suffer as there are multiple layers in between (Ramachandran & Chang, 2016).

Security Controls implemented by Aws/Azure to protect IaaS instance

The database migration is a difficult task and there are various risks involved across the process of data migration. There are risks associated at different levels. For example, some of the risks exist at the migration level and some risks exist at infrastructure level. Some of the risks can be discussed as:

At the migration level, there are two key risks that exists. These two risks can be discussed as:

1. Data loss risk: This is probably one of the biggest risks to the database. For example, migration involves data extraction and massaging. Data massaging is nothing but the transformation (Rahumed, et al., 2011). In such cases, there will be risk of data loss. Also, the cloud provider also needs to have proper interface for injecting the data. It is also possible that not all the data is extracted due to some reason or some data becomes non-functional after transformation 
2. Data portability is another big risk. If Webb stores decide to change their CSPs for some reason, then there would be problem.

At IaaS infrastructure level, there are three key risks that must be addresses. These risks can be discussed as:

1. Data Compliance risks: Each CSPs is having their own security systems, capabilities and compliance mechanism and, there are numerous compliance and regulations like HIPAA, SOX, CIPA, PCI DSS that each organization must comply with. Now, Cloud providers will ensure the security of the data however compliance requires shared service models between cloud and the organization about what data will be stored on the cloud.
2. Insider Threat risk: In terms of infrastructure level, the insider threat is a big risk. The infrastructure set up in cloud environment provides flexibility to individuals and organizations. With this flexibility comes the problem that people can store information on their personnel systems which they are not supposed to (Claycomb, & Nicoll, 2012). People who are planning to exit from the country can store data on their personnel systems by accessing applications through their personnel systems
3. Availability of Cloud: Both Amazon Web Services and Microsoft Azure are reliable in terms of availability. However, there is always an availability threat as there could be rare chances when the cloud support system is not available.

The third aspect of the risk is the risk that exist between the communication channel. There are two major risks that can occur in the communication channel. These risks can be discussed as:

1. Data theft risk: There is always a risk of attack form some external hacker. In recent time, there has been an increased number of ransomware attacks (Subhashini, & Kavitha, 2011), In case of any external attack, the cloud environment is more dangerous as compared to on premise installation. Therefore, it can be said that the data theft risks are one of the biggest risk for Webb’s
2. Lack of controls like Firewall: Webb’s may want to have firewall in place. However, it is very difficult to set up the firewalls in cloud environment.

It would be correct to say that data backing should be a strategic pillar of IT strategy of Webb’s. It is recommended that the organizations should also have a back-up copy maintained that they can access in case of any failure. The certain part of this section can be discussed as:

Cloud backup, also known as online backup, is a strategy for backing up data that involves sending a copy of the data over a proprietary or public network to an off-site server It is highly recommended that Webb’s should back up the data on cloud. Both Microsoft Azure and AWS offers good data back features. A good CSP is one that can provide the provision of real time data backup (Claycomb & Nicoll, 2012). It is important to mention that backing the data in the cloud is different than the storing the data in the cloud. The real-time data backing means that the stored data is getting backed up on real time. Today, most of the CSPs provide this facility where the backup copy is created on real time.

With the use of CPS, storage of data on cloud comes naturally. However, there are few risks associated with storage of data in the cloud that should be addresses. These issues can be discussed as:

1. Data privacy risk: The data storage happens on real time basis (Alhazmi, & Malaiya, 2013). There is a continuous threat form external attack or hack.
2. Data compliance or the Location risks: Every country has their own laws with respect to data compliance. However, the good thing for Webb’s is that it would have its information shared across Australia. It is important that the organizations must comply with all the local laws of data (Subhashini, & Kavitha, 2011).
3. Data removal risk: The data is not stored in a singular manner. In fact, for data security, the cloud would store the data in form of distributed mesh(Tang, Lee, Lui, & Perlman, 2012). The data may be removed from cloud primary databases but it may be stored somewhere else in some other form because clouds don’t have shredders that can permanently destroy the data.

The retrieval of data form cloud may not be a difficult task. However, there exists a dependency on the cloud service provider. Clouds systems must ensure that the retrieval requests are coming from the authentic sources and users are authorized for that information (Kandukuri, & Rakshit, 2009). It is suggested that the employees of Webb’s should be trained on the method to retrieve the data for the cloud.

In case of any loss of data, recovery is the key. Therefore, it is important that the organization must have good recovery plan in place (Ristov, Gisev, & Kostoska, 2012). Webb’s store must have a contingency plan in place that would also cover the data recovery plan. It has to conduct pilot methods for replicating the backups and also regular conduct drills so as to check if the RTO (Recovery time objective) promised by the cloud vendor is feasible or not. There should also be proper escalation and penalty mechanism (Alhazmi, & Malaiya, 2013) in place in case something goes wrong.    

Benefits and Limitations of the Security Controls

This section would discuss the way Webb’s store protect access to the services that they are now moving to the Cloud. The key themes under this section can be discussed as:

It is important that Webb’s should have a full control over their IaaS infrastructure (Dahbur, Mohammad, & Tarakji, 2011). The organization can protect the infrastructure using device, location and user: This means that person can access the data as long as he is in one country but not able to access data if he is in another country. Also, devices that belongs to organization should be able to access documents and download however this is not possible thought the devices belonging to the organization or there are different privileges like downloading of data is not allowed from outside systems due to insider threat

It is suggested that the SQL cloud instance should be encrypted in nature. The use of encryption would ensure that the access is limited to authorized user only. The two way authentication process and user profiling of users across different levels would ensure that encrypted cloud instance is strong in nature.

It is recommended that Webb’s They must use virtual machine and DLP programs which means even if data is loss, it can’t be comprehended or readable making it useless. Cloud service providers must keep their security systems up to date with latest tools and techniques and must monitor the malicious attacks on a constant basis (Dahbur, et al., 2011).

As discussed above, backup is the key across any cloud set up. The real time back up strategy should be used to back up the data (Jarvelainen, 2012). Another thing it must have service level agreements beyond which CSPs will be liable for penalty.

Conclusion

The above paper discusses the case study of Webb’s store. With the above discussion, it can be said that organization and decision holder should have a strong involvement in the implementation of cloud. The above paper discusses various risks and mitigation strategies that should be used. The risks are mainly technical in nature that could be overcome. The key thing for Webb’s is to have a strong data back-up strategy in place.  

References

Alhazmi, O. H., & Malaiya, Y. K. (2013, January). Evaluating disaster recovery plans using the cloud. In Reliability and Maintainability Symposium (RAMS), 2013 Proceedings-Annual (pp. 1-6). IEEE.

Claycomb, W. R., & Nicoll, A. (2012, July). Insider threats to cloud computing: Directions for new research challenges. In Computer Software and Applications Conference (COMPSAC), 2012 IEEE 36th Annual (pp. 387-394). IEEE.

Dahbur, K., Mohammad, B., & Tarakji, A. B. (2011, April). A survey of risks, threats and vulnerabilities in cloud computing. In Proceedings of the 2011 International conference on intelligent semantic Web-services and applications (p. 12). ACM.

Dlodlo, N. (2011, April). Legal, privacy, security, access and regulatory issues in cloud computing. In Proceedings of the European Conference on Information Management & Evaluation (pp. 161-168).

Ghosh, N., Ghosh, S. K., & Das, S. K. (2015). SelCSP: A framework to facilitate selection of cloud service providers. IEEE transactions on cloud computing, 3(1), 66-79.

Järveläinen, J. (2012). Information security and business continuity management in interorganizational IT relationships. Information Management & Computer Security, 20(5), 332-349.

Kandukuri, B. R., & Rakshit, A. (2009, September). Cloud security issues. In Services Computing, 2009. SCC’09. IEEE International Conference on (pp. 517-520). IEEE.

Rahumed, A., Chen, H. C., Tang, Y., Lee, P. P., & Lui, J. C. (2011, September). A secure cloud backup system with assured deletion and version control. In Parallel Processing Workshops (ICPPW), 2011 40th International Conference on (pp. 160-167). IEEE.

Ramachandran, M., & Chang, V. (2016). Towards performance evaluation of cloud service providers for cloud data security. International Journal of Information Management, 36(4), 618-625.

Ristov, S., Gusev, M., & Kostoska, M. (2012). Cloud computing security in business information systems. arXiv preprint arXiv:1204.1140.

Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), 1-11.

Tang, Y., Lee, P. P., Lui, J. C., & Perlman, R. (2012). Secure overlay cloud storage with access control and assured deletion. IEEE Transactions on dependable and secure computing, 9(6), 903-916.

Varia, J. (2010). Migrating your existing applications to the aws cloud. A Phase-driven Approach to Cloud Migration.

Wang, F. K., & He, W. (2014). Service strategies of small cloud service providers: A case study of a small cloud service provider and its clients in Taiwan. International Journal of Information Management, 34(3), 406-415.