University Report: Cloud Storage Service in Amazon Case Study Analysis

Verified

Added on 2020/04/29

AI Summary

This report provides a comprehensive analysis of cloud storage services, using Amazon Web Services (AWS) as a case study. It begins by outlining the core functionalities and benefits of cloud storage, followed by an examination of a significant AWS outage in September 2017. The report delves into the root causes of the outage, specifically focusing on issues related to Amazon's DynamoDB metadata service. It then explores potential solutions, including capacity adjustments, error retries, and efficient data organization, as well as the implementation of ElastiCache for static data. Furthermore, the report assesses the role of ISO/IEC 27001 and ISO/IEC 27014 certifications in enhancing information security, highlighting their benefits and limitations. The conclusion emphasizes the importance of proactive measures and the adoption of updated standards to prevent future disruptions and ensure data security in cloud environments. The document is contributed by a student to be published on the website Desklib, a platform which provides all the necessary AI based study tools for students.

Running head: REPORT
Cloud Storage Service in Amazon Case Study
Name of the Student
Name of the University
Author’s Note

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1REPORT
Contents
Introduction......................................................................................................................................2
Causation of the Issue......................................................................................................................2
Solution............................................................................................................................................3
ISO/IEC 27001................................................................................................................................4
Benefits........................................................................................................................................4
Drawbacks....................................................................................................................................4
ISO/IEC 27014................................................................................................................................5
Recommendation and Conclusion...................................................................................................6
References........................................................................................................................................8

2REPORT
Introduction
The cloud storage service is availed by different organizations for maintaining,
managing, and backing their data. These data are made available to the organizations over a
network by the service providers. There are various companies that provide this service to the
organizations among which, Amazon Web Service is a popular one. The organizations mainly
has to pay for per consumption monthly rate for availing this service that is lower than building
infrastructure to support their data system. However, the security of the cloud storage is under
continuous debate due to some of the issues that recently aroused in AWS. Some of the web
service provided by AWS went down for four hours on September 2015, which caused the
companies face a tremendous loss and data loss. Some of the websites that faced major loss are
Netflix, Slack, Trello, Quora and Business Insider.
The following of the report gives an overview of the causation of the issue. It will
primarily focus on the ISO/IEC 27014, which is a certificate that provides information security.
The companies utilizes it for monitoring, evaluating, and communicating with the information
security within the organization. The later part of the report provides solution of required for
avoiding such issues in future.
Causation of the Issue
The outage of September 2017 in AWS was caused due to a problem with Amazon’s
DynamoDB metadata service for partitioning. The DynamoDB’s communication ability with the
metadata services was critically affected due to a network disruption. This type of situation
usually occurs if a single partition is accessed frequently leaving the other partitions unattended.

3REPORT
The issue with DynamoDB was soon resolved that created the actual issue. A number of storage
servers simultaneously tried to load their metadata as soon as the DynamoDB was recovered. It
created an overload in traffic that caused the metadata service responses to exceed the retrieval
and transmission time allowed by storage servers, which caused storage servers to reject and
further requests. It resulted into shutdown of the servers. However, the effect cataract through the
AWS system and dragged down the other services that use DunamoDB for storing their internal
tables. Several attempts of increasing the capacity of the metadata to decrease the load failed. It
was after six hours when the engineers were able to increase the capacity of metadata service
significantly and bring back the storage servers to its full operational mode (dailymail.co.uk.
2017).
Solution
The disruption occurred can easily be resolved by following one of more procedures
mentioned below.
The first method was utilized by AWS for solving the issue occurred. It is temporary
inclination of the amount of read or writes capacity for the partitions to overcome the short-term
spikes or bursts. The organization needs to reduce the capacity after successfully reducing the
work load (Niranjanamurthy et al. 2014). The second method is the process of implementing
error retries and exponential back off. It usually provides longer gap between retires for
consecutive error responses (Amazon Web Services 2017). Thirdly, the organizations should
organize the read and write operations evenly across the table as much possible to avoid such
breakdown (Dimovski 2013). Lastly, implementation of ElastiCache will come handy in the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4REPORT
cases where the static data are accessed in a frequent basis. The well-designed cache can
efficiently and quickly serve the query results (Stenberg 2016).
ISO/IEC 27001
AWS received the certification in 2010 that has been developed with the purpose of
protecting the organizations’ information assets (MP Azuwa, A., Ahmad, R., Sahib, S. and
Shamsuddin 2012). This in turn helps the companies in developing countermeasures to IS-related
vulnerabilities (Humphreys 2016). One can view this as an overall measure that combines risk
management, security management, governance, and compliance. The function of ISO/IEC
27001 extends in ensuring the right people, process and technologies are in right place and
provide a proactive approach in managing security and risk (Disterer 2013). The publication of
this certification was a major event in the world of information security, which is a modification
of BS 7799-2 (Sheikhpour and Modiri 2012; Anttila et al. 2012).
Benefits
This has a number of benefits that helps in resolving a number of issues that are
commonly faced by IT companies. The ISO/IEC 27001 help the company producing a
framework for the management of information security risk that further ensures the company
taking into account for legal and regulatory requirements (Hoy and Foley 2015). It further
involves in a continual improvement, engages the company to regularly review the effectiveness
of the information security management system, and takes action to address the emerging
security risks. It also makes the accessibility easy for the authorized users at the time of
requirement (Susanto, Almunawar and Tuan 2012).

5REPORT
Drawbacks
However, ISO/IEC 27001 has several identifiable drawbacks. Firstly, the firms can set
their own specification regarding the security management system (Kharchenko et al. 2012). It is
up to the company to set its own high-jump bar and it has no clear regulation in controlling the
matter. Secondly, the branding associated with certification does not identify the scope, which
often misleads the customers in thinking the organization rather a specific part of the
organization (Gürkaynak, Yilmaz and Taskiran 2014). Lastly, it gives competitive advantage in
business-to-business relationship and unlikely to influence business to customer relationship
(Mesquida and Mas 2015).
ISO/IEC 27014
ISO/IEC 27014 is an outcome of a joint effort of ITU Telecommunication
Standardization Sector and ISO/IEC JTC1 SC 27 with the aim of helping the organizations
governs their information security arrangements (Techio and Misaghi 2015; Mahncke and
Williams 2012). This is a guidance of concepts and principles for the governance of information
security (Rebollo et al. 2015). The organizations can use this for evaluating, directing,
monitoring and communicating the information security related activities in the organization
(Kaster and Sen 2014; Campbell 2016). It further ensures the alignment of information security
with strategies and objectives undertaken by the business. Achievement of visibility, agility,
efficiency, effectiveness and compliance becomes easy using this standard (Huang, Farn and Lin
2012).

6REPORT
This standard provides six principles to guide the organizations throughout their
operation that can potentially defend the organization from both external and internal threat
(Καραμανλής and Karamanlis 2016; Jung and Kim 2015). The principles are:
1. Establish a wide information security.
2. Help in formulating and adapting risk-based approach.
3. Helps setting direction of investment decisions.
4. It conforms internal and external requirements.
5. Enhance the security by fostering a positive environment (Whitman and Mattord 2012).
6. Reviews performance in relation to business outcomes (Rebollo, Mellado and Fernandez-
Medina 2014).
Organizations receive a number of benefits of using ISO/IEC 27014. Primarily, it helps in
aligning information security with the strategy and goals of the organization. Secondly, it can
increase the value delivered to the stakeholders and the board. The third benefit comes from the
effective risk management to identify and reduce the possible forthcoming threats. Moreover, the
standard helps the organization in raising all level awareness in the board. It enables the board
members to a flexible approach to risk decision making, efficient an effective investment on
information security and compliance with standards, regulations and agreements.
Recommendation and Conclusion
The company had increased the capacity of their metadata for solving the issue that
occurred in the system. However, they could have prevented the situation from ever occurring by
measuring the other necessary steps mentioned in the report. The third solution referred in the
solution section can help AWS in taking precautions and prevent the breakdown from ever

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7REPORT
occurring. Moreover, the company follows the ISO/IEC 27001 that has several shortcomings in
securing the information assets. This standard gives the organization a level of freedom in setting
the high-jump bar that exposes the company and threatens the security of the system. The later
published standard ISO/IEC 27014 is out of these errors and provides potential security to the
data system. Hence, it can be concluded from the report that the issue occurred in case of AWS
could have been avoided if they take necessary precaution narrated in the report. Moreover, the
use of back dated standard resulted in this failure which needs modification.

8REPORT
References
Amazon Web Services, Inc. 2017. Resolve Issues with Throttled DynamoDB Tables. [online]
Available at: https://aws.amazon.com/premiumsupport/knowledge-center/throttled-ddb/
[Accessed 28 Oct. 2017].
Anttila, J., Jussila, K., Kajava, J. and Kamaja, I., 2012, August. Integrating ISO/IEC 27001 and
other managerial discipline standards with processes of management in organizations.
In Availability, Reliability and Security (ARES), 2012 Seventh International Conference on (pp.
425-436). IEEE.
Campbell, T., 2016. Standards, Frameworks, Guidelines, and Legislation. In Practical
Information Security Management (pp. 71-93). Apress.
dailymail.co.uk. 2017. Amazon's cloud service partial outage affects certain websites. [online]
Available at: http://www.dailymail.co.uk/sciencetech/article-4268850/Amazons-cloud-service-
partial-outage-affects-certain-websites.html [Accessed 28 Oct. 2017].
Dimovski, D., 2013. Database management as a cloud-based service for small and medium
organizations (Doctoral dissertation, Masarykova univerzita, Fakulta informatiky).
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security
management. Journal of Information Security, 4(02), p.92.
Gürkaynak, G., Yilmaz, I. and Taskiran, N.P., 2014. Protecting the communication: Data
protection and security measures under telecommunications regulations in the digital
age. Computer law & security review, 30(2), pp.179-189.

9REPORT
Hoy, Z. and Foley, A., 2015. A structured approach to integrating audits to create organisational
efficiencies: ISO 9001 and ISO 27001 audits. Total Quality Management & Business
Excellence, 26(5-6), pp.690-702.
Huang, C.C., Farn, K.J. and Lin, F.Y.S., 2012. A study on ISMS policy: importing personal data
protection of ISMS. Journal of Computers, 23(1), pp.35-41.
Humphreys, E., 2016. Implementing the ISO/IEC 27001: 2013 ISMS Standard. Artech House.
Jung, J. and Kim, J., 2015, August. A Study on Developing Framework for Information Privacy
Protection. In Proceedings of the 17th In
Kaster, P. and Sen, P.K., 2014, September. Power Grid cyber security: Challenges and impacts.
In North American Power Symposium (NAPS), 2014 (pp. 1-6). IEEE.
Kharchenko, V.Y.A.C.H.E.S.L.A.V., Siora, A., Andrashov, A.N.T.O.N. and Kovalenko, A.,
2012. Cyber security of FPGA-based NPP I&C systems: Challenges and solutions.
In Proceeding of the 8th International Conference on Nuclear Plant Instrumentation, Control,
and Human-Machine Interface Technologies (NPIC & HMIT 2012). San Diego, CA: NPIC &
HMIT.
Καραμανλής, Μ. and Karamanlis, M., 2016. Information Security Management System
toolkit (Master's thesis, Πανεπιστήμιο Πειραιώς).
Mahncke, R. and Williams, P., 2012. Developing governance capability to improve information
security resilience in healthcare.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

10REPORT
Mesquida, A.L. and Mas, A., 2015. Implementing information security best practices on
software lifecycle processes: The ISO/IEC 15504 Security Extension. Computers & Security, 48,
pp.19-34.
MP Azuwa, A., Ahmad, R., Sahib, S. and Shamsuddin, S., 2012. Technical security metrics
model in compliance with ISO/IEC 27001 standard. The Society of Digital Information and
Wireless Communication.
Niranjanamurthy, M., Archana, U.L., Niveditha, K.T., Abdul Jafar, S. and Shravan, N.S., 2014.
The Research Study on DynamoDB–NoSQL Database Service.
Rebollo, O., Mellado, D. and Fernandez-Medina, E., 2014. Isgcloud: a security governance
framework for cloud computing. The Computer Journal, 58(10), pp.2233-2254.
Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation
of a cloud computing information security governance framework. Information and Software
Technology, 58, pp.44-57.
Sheikhpour, R. and Modiri, N., 2012. A best practice approach for integration of ITIL and
ISO/IEC 27001 services for information security management. Indian Journal of Science and
Technology, 5(2), pp.2170-2176.
Stenberg, J., 2016. Snapple: A distributed, fault-tolerant, in-memory key-value store using
Conflict-Free Replicated Data Types.
Susanto, H., Almunawar, M.N. and Tuan, Y.C., 2012. Information security challenge and
breaches: novelty approach on measuring ISO 27001 readiness level. International Journal of
Engineering and Technology. IJET Publications UK, 2(1).

11REPORT
Techio, L.R. and Misaghi, M., 2015, May. EMSCLOUD–an evaluative model of cloud services
cloud service management. In Innovative Computing Technology (INTECH), 2015 Fifth
International Conference on (pp. 100-105). IEEE.
Whitman, M.E. and Mattord, H.J., 2012. Information Security Governance for the Non-Security
Business Executive. Journal of Executive Education, 11(1).