Glossary

From Cybersecurity Wiki
Revision as of 11:40, 20 May 2010 by WikiSysop (talk | contribs) (New page: ==Glossary of Core Ideas== ===Accountability=== Accountability requires that business actively take ownership of the responsible management of their information, no matter where it resid...)

Glossary of Core Ideas

Accountability

Accountability requires that businesses actively take ownership of the responsible management of their information, no matter where it resides or is processed. Accountability does not substitute for data protection or privacy law. An accountable organization complies fully with applicable laws and regulations governing the collection and use of data. But it goes further, putting in place sound information management and privacy practices that enhance the development and protection of the business' brand, reputation and relationship with its customers.

References:

Additional Computing Power

Cloud Computing makes an unprecedented amount of computing power available at an affordable rate by pooling the resources of numerous heavy users and allotting computing power temporarily to individual users only at specific times when they need such power, and then retracting it after those times.

See also:

  • Concentration of Security Expertise
  • Dynamic Scalability
  • Economies of Scale
  • Eliminating Redundancies
  • IT Outsourcing
  • Metered Service
  • Multiple Tenancy

References:

Authentication

In Cloud Computing, an essential part of consumer protection is to implement security authentication, either through self-regulatory measures or through government intervention.

References:

Attribution

When using shared resources to do business-critical computations, it becomes harder to attribute malicious or unethical activity. Thus, the lack of attribution in cloud computing represents a new, major security challenge.

References:

"as a service"

Cloud computing can be understood as a series of specific computing services offered by vendors: Infrastructure as a Service (IaaS), Platforms as a Service (PaaS), and Software as a Service (SaaS).

See also:

  • NIST Definition

References:

Infrastructure as a Service (IaaS)/Computing as a Service (CaaS)

When a vendor offers infrastructure as a service, the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components.

References:

Platform as a Service (PaaS)/Applications as a Service (AaaS)

When a vendor offers platform as a service, the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

References:

Software as a Service (SaaS)

When the vendor offers software as a service, the capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

References:

Availability/Reliability

Users will expect the Cloud to be a reliable resource, especially if a cloud provider takes over the task of running 'mission-critical' applications. As consumers rely on Cloud providers to supply more of their computing needs, they will require specific and consistent levels of quality of service to be maintained by their providers.

See also:

References:

B2C/B2B

References:

Business to Business

Business to Business, or B2B, refers to computing services designed for businesses as clients.

References:

Business to Consumer

Business to Consumer, or "B2C," refers to computing services designed for private, individual consumers as clients.

References:

Transition from B2C to B2B

Like many new technologies, Cloud Computing has been directed towards private Internet users (e.g., Gmail), but economic forces create a premium for developers who can apply the same technological advances into services which deliver new value to larger entities.

References:

Black Hat

A black hat is a computer hacker who works to harm others (e.g., by stealing identities or spreading computer viruses).

Clarification of Law

The laws that affect the rise of Cloud Computing are currently ambiguous. Clarifying the law will help facilitate the growth of Cloud Computing by providing companies with a predictable legal landscape against which to invest.

References:

Click-To-Run

Software online is relatively easy to start up. Cloud programs can start running at full functionality after only a few clicks.

References:

Cloud Types

There are different types of clouds, depending on who can access them, and what kind of standards and protocols they run on. There are private, community, and public clouds, and there are hybrids which combine these three models.

References:

Community Clouds

On community clouds, the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

References:

Hybrid Cloud

With hybrid clouds, the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

References:

Private Cloud

With private clouds, the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Private clouds are not accessed through the Internet or accessible by the public. Private clouds generally use similar software and hardware to operate as public clouds, and can technically be quite similar. However, since the resources are not typically shared, a private cloud really amounts to nothing more than a private hosted software application with a cloud architecture. Since private clouds are by this definition not accessible through the Internet, and do not share underlying resources, they can be treated like any other private network with regard to privacy and security concerns.

References:

Public Cloud

With public clouds, the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

References:

Collaboration

One of the most important characteristics of Cloud Computing is that it enables new types of collaboration, largely because of online storage and the additional computing power which new models yield.

References:

Compliance

Virtually every government worldwide has regulations that mandate protections for certain data types. Compliance with these regulations is costly for companies, but essential for consumer trust.

References:

Concentration of Security Expertise

Centralization of IT expertise allows network security professionals to perform the maintenance and the upgrades on a single system and then distribute the standardized products of that expertise across the network. This increases the return on any given security expert's knowledge and skill.

See also:

  • Additional Computing Power
  • Dynamic Scalability
  • Economies of Scale
  • Eliminating Redundancies
  • IT Outsourcing
  • Metered Service
  • Multiple Tenancy

References:

Confidentiality

Critics argue that third party access to sensitive information endangers confidentiality. Cloud Computing providers argue that they have less of an incentive to abuse their access than in-house IT experts who would know better how to use the information to personal advantage.

See also:

  • Conflicts of Interest
  • Multiple Tenancy

References:

Conflicts of Interest

When competitors both employ the same Cloud Computing service, there are inherent conflicts of interest for the vendors, who should be incentivized to provide the best, most efficient service to all of their clients.

See also:

  • Confidentiality
  • Multiple Tenancy

References:

Data Loss

An essential guarantee which Cloud Computing vendors must provide is that clients retain the data they store in the Cloud.

References:

Data Ownership

A major question about protecting data, especially under U.S. law, is who ultimately owns data which is created, or stored, in the cloud.

References:

Data Portability

See Interoperability/Data Portability/Exportability

Default

Privacy advocates argue that the default privacy setting has significant influence over the protection and security of numerous Cloud Computing clients. If clients are forced to consciously opt for privacy settings which they believe would come standard, some might not protect their data to their own liking.

References:

Device Independence

Users can access the Cloud through any device that has access to the internet: a laptop, a cellphone, a smartphone.

References:

Device Portability

See Simpler Devices/Device Portability

Disruptive Change

Radical technological change has the tendency to disrupt some business models and societal structures en route to creating new ones.

References:

Down Time

Down Time refers to time during which Cloud Computing clients cannot access their services. Cloud Computing vendors should minimize Down Time.

See also:

References:

Dynamic Scalability

Cloud Computing vendors offer an infinitely scalable service: they can rapidly increase and decrease the storage and processing services they offer, as a client's needs vary.

See also:

  • Additional Computing Power
  • Concentration of Security Expertise
  • Economies of Scale
  • Eliminating Redundancies
  • IT Outsourcing
  • Metered Service
  • Multiple Tenancy

References:

Case Examples:

Economies of Scale

Cloud Computing provides computing power at a lower cost than traditional computing models by eliminating redundancies. As Cloud Computing expands, there will be cost-savings shared by vendors and clients alike.

See also:

  • Additional Computing Power
  • Concentration of Security Expertise
  • Dynamic Scalability
  • Eliminating Redundancies
  • IT Outsourcing
  • Metered Service
  • Multiple Tenancy

References:

Eliminating Redundancies

By sharing standardized resources through multi-tenant software and shared hardware over a network, cloud users can concentrate their resources to lower their costs and utilize their capacity more efficiently.

See also:

  • Additional Computing Power
  • Concentration of Security Expertise
  • Dynamic Scalability
  • Economies of Scale
  • IT Outsourcing
  • Metered Service
  • Multiple Tenancy

References:

Encryption

The best way to protect data stored online is to encrypt it. Encryption, however, is a costly process, and it would decrease the returns potentially realized by widespread adoption of Cloud Computing.

References:

Exorbitant Jurisdiction

Jurisdiction is exorbitant when the court which takes it does not possess a sufficient connection with the parties to the case, the circumstances of the case, the cause or subject of the action, or fails to take account of the principle of the proper administration of justice. An exorbitant form of jurisdiction is one which is solely intended to promote political interests, without taking into consideration the interests of the parties to the dispute.

References:

Exportability

See Interoperability/Data Portability/Exportability

Graphics

Grid Computing

Grid computing enables the sharing, selection, and aggregation of a wide variety of geographically distributed resources, including supercomputers, storage systems, data sources, and specialized devices owned by different organizations, for solving large-scale resource-intensive problems in science, engineering, and commerce. Inspired by the electrical power Grid's pervasiveness, ease of use, and reliability, the motivation for Grid computing was initially driven by large-scale, resource (computational and data)-intensive scientific applications that required more resources than a single computer (PC, workstation, supercomputer) could have provided in a single administrative domain. Due to its potential to make as much of an impact on the 21st century as the electric power Grid did on the 20th century, Grid computing has been hailed as the next revolution after the Internet and the World Wide Web.

References:

Identity Fraud/Theft

The most concrete effect of lax data security or privacy measures is the threat that malevolent third parties can exploit unwarranted access to clients' or consumers' identities.

References:

Identity Management

Identity management is a user-centric concept. By fully controlling the details of disclosures to each individual site a user frequents, identity management systems provide real consumer choice over the proper balance between risk of over-disclosure and the benefits of that disclosure.

References:

Informational Self-determination

Informational Self-determination is a human rights concept that people have an inherent prerogative to control the release and spread of any or all personal information.

References:

Informed Consent

A major concern with respect to privacy measures is that Cloud Computing clients and consumers do not have a chance to fully comprehend and agree to the real risks of disclosing so much personal information online.

References:

Interoperability

See Lock-In/Stickiness v. Interoperability

IT Outsourcing

Cloud Computing allows large companies to save money and resources by outsourcing their internal IT, and to redirect their technology budgets, and the IT professionals whose functions are not outsourced, toward more productive endeavors.

See also:

  • Additional Computing Power
  • Concentration of Security Expertise
  • Dynamic Scalability
  • Economies of Scale
  • Eliminating Redundancies
  • Metered Service
  • Multiple Tenancy

References:

Location Independence

Users can access the Cloud anywhere thanks to the internet and mobile devices, which eliminates geographic restraints.

References:

Lock-In/Stickiness v. Interoperability

If Cloud Computing clients can move their data to other vendors easily, and coordinate their online projects across different clouds and different vendors, Cloud Computing will realize a great increase in cost-savings thanks to market competition and the unhindered flow of data. If not, Cloud Computing will take a different form, and moving costs will render the process of scaling down Cloud Computing services or moving clients away from a vendor overly complicated and too costly (which is also known as "lock-in" or "stickiness").

References:

Lock-In

"The lack of market standards leads to issues to do with lock-in (and lack of transferability within the cloud). As Naone (2009b) notes, once you’ve committed to a particular cloud provider, an organisation is locked in to that provider. This is not a contractual lock-in but a logistical one. Getting data out and moved to a different cloud provider is difficult (but not impossible, and third party firms have entered the market to solve this problem). Thus, there are switching costs if you change cloud provider." (Powell)

References:

Interoperability/Data Portability/Exportability

"If cloud computing attempts to become a dominant force in computing, more involved standards need to be in place, in order to assure that there is no excessive vendor dependency and that vendors can be exchanged with minimal disruption to operations. Since there are many startup vendors in the cloud computing space, it is important for the industry that buyer organizations are confident about the openness of their solutions, and it would be beneficial to both if buyers and vendors collaborate in this area." (Bandyopadhyay)

References:

Managing Expectations

Some cloud computing evangelists claim that cloud computing makes programs accessible anywhere, anytime. Other observers stress that downtime and reliance on internet connectivity will create challenges, and warn that cloud providers cannot currently provide the same level of availability as traditional in-house providers in large enterprises. The IT industry needs to be realistic and careful about the hype and about overpromising.

See also:

References:

Metered Service/Per-Use Subscription/On-demand Computing Utilities

Monitoring and charging clients' usage more precisely, according to the resources actually used rather than those initially purchased in bulk, represents the optimal solution for many clients who only want to pay for minor Cloud Computing projects.

See also:

  • Additional Computing Power
  • Concentration of Security Expertise
  • Dynamic Scalability
  • Economies of Scale
  • Eliminating Redundancies
  • IT Outsourcing
  • Multiple Tenancy

References:

Multiple Tenancy

Cloud vendors often serve multiple clients on the same infrastructure.

See also:

  • Additional Computing Power
  • Concentration of Security Expertise
  • Dynamic Scalability
  • Economies of Scale
  • Eliminating Redundancies
  • IT Outsourcing
  • Metered Service

References:

Mutual Auditability

Multiple Tenancy creates a need for mutual auditability, whereby vendors need to authenticate clients and clients need to authenticate vendors, because both parties in any given Cloud Computing transaction are vulnerable to one another.

References:

NIST Definition

This is the standard technological definition of Cloud Computing. It was promulgated by the National Institute of Standards and Technology.

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Those five core characteristics are (1) on-demand self-service, (2) broad network access, (3) resource pooling, (4) rapid elasticity, and (5) measured service.

The current cloud computing landscape leverages five different distribution/pricing models: (1) free of charge with advertising revenues, (2) free of charge with sale of user data, (3) flat monthly subscription fee, (4) subscription fees determined by amount and type of services, and (5) cloud charges as part of a larger package of IT services.

It deploys four different types of technological models: private cloud (one organization), community cloud (several organizations with similar needs), public cloud (open to the public or a large number of organizations with differing needs), and hybrid cloud (standardized technology binds two of the first three models together).

Cloud computing consists of three (severable) components: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

See also:

  • as a service

References:

Offshoring

Storage and processing that take place beyond U.S. and European jurisdictions are particularly alarming to privacy advocates, who worry that long chains of contractors and subcontractors will dilute accountability and regulatory reach.

References:

On-demand Computing Utilities

See Metered Service/Per-Use Subscription/On-demand Computing Utilities

Open Standards

There is a major debate about whether Cloud Computing vendors should adopt open standards that are publicly available and transparent.

References:

OS Neutrality

Because Cloud Computing applications are usually operating-system neutral, it is possible for individuals with Windows, Mac, and Linux operating systems to use the same applications.

References:

Password Weakness

Some of the most detrimental security threats to Cloud Computing are due to human error, such as easily guessable passwords protecting vital stores of confidential information stored online.

References:

Per-Use Subscription

See Metered Service/Per-Use Subscription/On-demand Computing Utilities

Phishing

Cloud Computing security can be rendered vulnerable by the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

References:

PETs (Privacy Enhancing Technologies)

By adding digital privacy into the design of products, rather than regulating around them, privacy can be attained in a cost-effective manner.

References:

PII (Personally Identifiable Information)

PII is any information that can be traced to a particular individual, such as a phone number or social security number.

References:

Practical Obscurity

Ann Cavoukian explains that identifiability is impractical in many circumstances, and that the absence of searchability or widespread repute can be a useful tool for many.

References:

Privacy as a Fundamental Right

In the U.S. court system, privacy has been described as a fundamental right. The contents of that right are up for debate, especially in the context of digital privacy.

References:

Privacy Tiers

Data has varying levels of sensitivity, and realizing the economic gains from cloud computing requires that clients distinguish between data that can be stored externally and data that must be stored locally.

References:

Quality of Service

See Availability/Reliability

Reputation Fate-Sharing

A problem with Cloud Computing is that long chains of contractors and client businesses lose out when one link in the chain is compromised. If a cloud computing vendor hires a subcontractor who subjects clients to a privacy breach, the vendor shares the reputational costs.

References:

Reliability

See Availability/Reliability

Resiliency

Cloud Computing providers claim that standard data backups and diffusion of information create a higher probability of data retention during disruptive emergencies, such as natural disasters. The provider may also be in a better position to ensure continuity than an individual business if the provider backs up data in multiple locations and can shift to another part of its system when the equipment at one location goes down.

References:

Revenue Models

There is a wide variety of models for generating profit from the provision of Cloud services.

References:

Advertising Revenue

One model provides individuals with free services, and the customers are clients who pay to advertise to the users, usually with targeted ad programs determined by the content of user data.

References:

Selling Personal Information

Another revenue model is to sell the personal information of customers to third parties who can use it legally to conduct their own advertising or market research.

References:

Selling Behavioral Information

A third model is to sell information about the consumer preferences and online behavior of users to third parties.

References:

Subscription

Finally, Cloud Computing companies can charge customers directly for the services they provide.

See also:

References:

Risk Management Programs

In an environment where privacy has become paramount to enterprise customers, unauthorized access to data in the cloud is a significant concern. When embarking on an agreement with a cloud provider, an enterprise must take an inventory of its information assets, ensure that data are properly classified and labeled, and be cognizant of the consequences of forgoing the most extensive privacy protections for itself or for its client base merely to save costs.

References:

Shared Resource Environment

Cloud Computing vendors serve multiple customers, who invest in and share joint resources, such as outsourced computing infrastructure.

References:

Simpler Devices/Device Portability

Cloud Computing permits individuals to outsource heavy storage and processing needs, which permits them to use simpler and lighter devices to perform essential tasks.

References:

SMEs

The Cloud is changing the possibilities for computing by giving individuals and small and mid-sized businesses access to an array of powerful applications and services through the internet that were once unavailable to all but the largest enterprises. Small and medium-sized businesses are especially likely to benefit from public clouds and the computing power they offer.

References:

Stickiness

See Lock-In/Stickiness v. Interoperability

Three Cloud Scenarios

As Michael R. Nelson put it: "It is useful to consider three possible scenarios for the Cloud. The first, the “Clouds scenario” will result if a handful of companies are able to take advantage of economies of scale, proprietary standards, and government policies to control the market. They are likely to create separate, unconnected cloud platforms based on proprietary technologies. While such a scenario would provide some efficiencies, because it would be very difficult for data and software on one company’s cloud to be combined with data and software on another cloud, much of the potential for new applications and closer collaboration would be lost.

"A second scenario, the “Cloudy Skies scenario,” would still be dominated by large cloud service providers using proprietary systems, but in this future, data could move between the different clouds. But there would not be common middleware, like single sign-on authentication, that would make it easy for users to combine data and services operating in different clouds.

"The third scenario, the “Blue Skies scenario,” would use open standards, open interfaces, and open source software to enable thousands of different organizations to link their infrastructure into a single, global Cloud. Such a scenario would maximize collaboration and enable users to easily assemble software and data into services that meet their particular needs. In this scenario, new authentication, security, and privacy-enhancing technologies could be deployed globally."

References:

Three Phases of Computing

There are three basic historical phases of computing:

  • Phase One: In the first phase, computers were stand-alone devices in which software and data were stored in the machine; typical applications were word processing and spread sheets.
  • Phase Two: Phase two was marked by the emergence of the World Wide Web, which made it possible to access a wealth of data on the Internet, even though most users still relied on software that ran on individual machines; the quintessential application was the Web browser.
  • Phase Three: In phase three most software as well as data will be accessed over the Internet; a wide variety of applications will proliferate because users will no longer have to install applications software on their machines.

The history of computing is becoming cyclic. Users once all connected to a central mainframe to do their computing, only to later have that paradigm eventually shift towards desktop computing, with each user having their own computer. Cloud computing completes this cycle, as computing returns toward a centralized source.

References:

Trust Chain

In many instances, your cloud service provider will not be the cloud operator. Instead, it may be providing a value-added service on top of another cloud provider's service. Cloud companies will farm out specific functions to other cloud companies, so risk mitigation entails monitoring multiple service providers. The chain of contractors or subcontractors must all be audited, with background checks, etc.

References:

Utility/Commodity

Another way to describe services offered in the cloud is to liken them to a utility. Just as enterprises pay for the electricity, gas and water they use, they now have the option of paying for IT services on a consumption basis. Another popular way of phrasing this is that computing moves from a capital expense to an operational expense, because many (primarily small and medium, at the moment) businesses can avoid the heavy upfront costs of purchasing and maintaining their own infrastructure. This concept was first introduced to Cloud Computing by Nicholas Carr in an article for the Harvard Business Review.

References:

Virtualization/Virtual Machines

A virtual machine is an emulated computing platform which, for all practical purposes, behaves like an independent system. Unlike a physical system, however, it can be configured on demand, and maintained and replicated very easily. The computing infrastructure is much better utilized, leading to lower upfront and operational costs. While the concept of virtualization has been prevalent since the 1960s, it is only in the recent past that computing power and networking resources have caught up to deliver the level of seamless performance in the emulated system that users have grown accustomed to on personal computers. Virtualization allows a single physical server to run many independent virtual servers and is a necessary part of gaining the efficiencies (built on economies of scale) that cloud computing can offer those running datacenters.

References:

Virtual Machines

See Virtualization/Virtual Machines