We cannot attribute the beginning of cloud computing to a particular person or time. It evolved with the evolution of Internet and enterprise computing. We may be able to trace its roots all the way back when Dr. Larry Roberts developed the ARPANET in 1969. (Whitman & Mattord, 2016)
While the evolution of ARPANET, to Ethernet and then to Internet happened, enterprises were discovering new ways to compute from mainframes to multi-tier computing. During the early stages of enterprise computing, enterprises were purchasing hardware and software to host internally. Though not in the form that we see today, enterprises had an early version of cloud in the form of networked mainframe systems with dumb terminals. They then slowly began to outsource their information systems to Internet Service Providers (ISPs) and Application Service Providers (ASPs).
The concept of using computing, as a utility was probably first proposed by Professor Noah Prywes of the University of Pennsylvania in the Fall of 1994 at a talk at Bell Labs. “All they need is just to plug in their terminals so that they receive IT services as a utility. They would pay anything to get rid of the headaches and costs of operating their own machines, upgrading software, and what not.” (Faynberg, Lu, & Skuler, 2016). It came to fruition when Amazon launched its limited beta test of Elastic Cloud Compute Cloud (EC2) in 2006. Meanwhile, Salesforce.com has already mastered how to deliver an enterprise application using a simple website. Continue reading “Cloud Computing and Data Security”
Some of the regulations that needs to be considered while building an Enterprise Data Warehouse in North America are SOX and GLB of the US, Bill 198 and PIPEDA of Canada and PCI. A brief explanation and its implications are given below.
Sarbanes-Oxley (SOX) and Bill 198: According to SOX, the CEO and CFO need to certify that the financial statements and disclosures of an institution are fairly presented, in all material respects, the operations and financial condition of the issuer. The management of the institution is responsible for establishing and maintaining an adequate internal control structure. An assessment of the effectiveness of the internal control structure and procedures need to be done at the end of the issuer’s fiscal year.
Bill 198 creates civil liability for the first time for continuous disclosure in the secondary market in Ontario, creating personal liability for directors and experts for misrepresentations and failure to make timely disclosure
Gramm-Leach-Bailey (GLB) and Personal Information Protection and Electronic Documents Act (PIPEDA): These regulations insure the security and confidentiality of customer records and information. They mandate institutions to protect against any anticipated threats or hazards to the security or integrity of such records. Access controls needs to be in place to protect against unauthorized access to or use of such records or information
Payment Card Industry (PCI): This regulation has everything to do with credit cards. An institution needs to be concerned of this regulation if their business uses credit cards and related systems. Some of the highlights of the regulation are –
- Install and maintain a firewall configuration to protect data
- Protect stored data
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer acess
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Regulatory Compliance – Implications
The above regulations have a lot of implications that needs to be considered while designing an EDW.
- Evaluate data usage requirements for all users. Create a data usage control policy that defines what, where, when, and how each type of data may be used by each user.
- Record database activity and report on deviations from the data usage control policy.
- Alert (and where appropriate block) user activity when a deviation from usage control policy represents a threat to data privacy or integrity.
- Identify and prevent storage of sensitive data to demonstrate compliance.
- Application controls to ensure the completeness of financial transactions
- Provide comprehensive data security for databases used to generate financial reports.
- Assure secure, stable and reliable performance of the data warehouse environment.
- Ability to test security systems and processes.
- Ensure that complete detailed information about user activity is gathered and maintained.
- Ability to verify that only users with legitimate need have to data.
- Ensure that only appropriate individuals can alter or access critical information
- Access controls within networks or applications to ensure that that only appropriate individuals can access or alter financial data.
- Controls should be in place to examine live database traffic and create profiles of all legitimate activity for each user or application that accesses the database.
- Enforcement of need-to-know access policy based on business activities.
Incident Management & Disaster Recovery
- Incident management to address responses and initiates continuous improvement.
- The system should have the ability to implement controls by notifying administrators about suspicious activity in real time, and even preventing known malicious activity as it occurs in the IT environment.
- Network Controls
- Network firewall and IPS should be in place to protect data warehouse.
- Web Application firewall that provides a layer of defense to protect applications.
- Permit ongoing real-time monitoring and enforcement of corporate and IT controls.
- Logging permits ongoing real-time monitoring of systems, evidence of security vulnerabilities, evidence for forensic investigation (audit trails), and incident investigation.
- Ability to audit access of sensitive data and alert administrators of suspicious activities.
- Monitor and report shared user accounts and other potential user account violations.
- All notifications of security incidents to Information Security should be documented and contain explicit, clear and concise information.