To compensate for the loss of clues, we need security mechanisms for
access control, transparency of identity, and surveillance. The mechanisms
for access control are designed to keep intruders and mischievous agents
out. Identity transparency requires that the relationship between a virtual
agent and a physical person be carefully checked through methods such
as biometric identification. Digital signatures and digital certificates are
used for identification. Credentials are used when an entity is not known.
Credentials are issued by a trusted authority and describe the qualities of
the entity using the credential. A Doctor of Dental Surgery diploma hanging
on the wall of a dentist's office is a credential that the individual has been
trained by an accredited university and hence is capable of performing a
set of dental procedures; similarly, a digital signature is a credential used
in many distributed applications. Surveillance could be based on intrusion
detection or on logging and auditing. The first option is based on real-time
monitoring, the second on off-line sifting through audit records.
There are primarily two ways of determining trust, namely, policies and
reputation. Policies state the conditions for obtaining trust and the actions to
take when some of the conditions are met. Policies require the verification
of credentials. Reputation is a quality attributed to an entity based on a
relatively long history of interactions with or possibly observations of the entity.
Recommendations are based on trust decisions made by others and filtered
through the perspective of the entity assessing the trust.
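The three trust inputs described above, side by side, as an added example that is not taken from the original text. It assumes an HMAC tag under a key shared with the authority as a stand-in for a digital signature, a beta-model estimate for reputation, and a weighted average for recommendations; all names, keys and data are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: one trusted authority and its demo key (hypothetical).
AUTHORITY_KEYS = {"state-dental-board": b"constructed-demo-key"}

def issue_credential(issuer, subject, qualities):
    """Authority side: bind a set of qualities to a subject and tag the result."""
    body = json.dumps({"issuer": issuer, "subject": subject,
                       "qualities": sorted(qualities)}, sort_keys=True)
    tag = hmac.new(AUTHORITY_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def policy_trusts(credential, required_quality):
    """Policy: trust only if a known authority vouches for the required quality."""
    claims = json.loads(credential["body"])
    key = AUTHORITY_KEYS.get(claims.get("issuer"))
    if key is None:
        return False  # issuer is not a trusted authority
    expected = hmac.new(key, credential["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["tag"]):
        return False  # credential was altered or not issued by that authority
    return required_quality in claims["qualities"]

def reputation(history):
    """Reputation: estimate from a history of good (True) and bad (False) interactions.

    With no history the score is the neutral 0.5; it moves as evidence accumulates.
    """
    good = sum(1 for ok in history if ok)
    return (good + 1) / (len(history) + 2)

def recommended_trust(recommendations, trust_in_recommender):
    """Recommendations: others' scores, weighted by the assessor's trust in each source."""
    weights = [trust_in_recommender.get(who, 0.0) for who, _ in recommendations]
    total = sum(weights)
    if total == 0:
        return 0.5  # no recommender the assessor trusts: stay neutral
    return sum(w * score for w, (_, score) in zip(weights, recommendations)) / total
```

A recommender the assessor does not know gets weight zero, so its opinion does not move the result.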
19.2 Security Risks
It is important to understand the risks of inadequate security so that an
enterprise can make an informed judgment about what, if any, information
should be trusted to the cloud.
Since the actual risks to a system are varied, an enterprise typically takes
a generalized approach to security and then manages exceptions separately.
Identity management is one instance: it is usual for an employee to require a
user identity for access to a system when on the organization's premises, but
this access has a different set of potential vulnerabilities if the employee is
working at home or in the field. These specific situations might not apply
to the cloud provider, who will by default create security strategies that are
relevant for that type of business.
The individual security mechanisms that a number of applications use
may not transfer easily to a cloud environment, and therefore, a detailed
understanding of the approach taken toward security is required if further,
unintended vulnerabilities are not to be introduced. This situation
is not new; organizations have been outsourcing data storage and telephone
call centers for some time now. What is different about cloud,