Amazon risk assessment

Document Type:Research Paper

Subject Area:Technology


Amazon Web Services (AWS)
2. Risk management
2. AWS risk management
2. Risk assessment on the AWS
2. System characterization
CHAPTER THREE PROCESS
3.

The company offers shipping services for purchases from regions that do not have local Amazon e-commerce websites.

Financial and Statistical Overview

As of 2015, Amazon was the most valuable retailer in the United States, surpassing Walmart and other retail stores across the country. It is one of the world’s most valuable companies. It is the second largest employer in the United States and employs more than 500,000 employees all over the world. Statistics released by the company president Jeff Bezos showed that Amazon had more than 100 million subscribers, which is about 64 percent of the total U. The company’s net income was $3.


billion with total assets of $131. billion (Amazon Web Services, 2017). The total equity of the company as of the year ending 2017 was $27. billion.

The technology is designed so that subscribers have at their disposal a cluster of virtual computers that they can customize according to their needs. The virtual computers emulate real-life computers and operate just as physical computers do. They have a CPU, local RAM, a GPU for processing, and storage space in the form of a hard disk. Other features of the virtual computers that resemble real-life computers include a choice of operating systems, pre-loaded application software, CRM, and databases. The browser is the window through which a customer connects from the physical computer to the virtual computer.


To make the risk management process effective, there is a need to integrate it with the software development lifecycle (SDLC). The five phases of the SDLC, comprising initiation, development, implementation, operation, and disposal, are key for the integration. A risk management methodology should be applied in each phase of the SDLC, and the methodology is the same regardless of the phase. This risk management process can equally be applied to the AWS by following the development stages and enforcing the risk management methodology in each phase of the AWS development and implementation processes.

AWS risk management

AWS provides all the necessary information about the risks that can exploit the system vulnerabilities so as to enable its customers to incorporate the necessary AWS controls in the governing framework of the system.


com begins from the topmost level of the company management. The uppermost executives play key roles in defining and establishing the company’s core values and tone. Every employee receives the prescribed business code of ethics and undergoes frequent training so as to fully conform to the prescribed code of behavior and ethics.

Risk assessment on the AWS

This is the first process under the NIST risk assessment methodology. This part is a good starting point for organizations to determine the extent to which a potential threat can affect an IT system in the SDLC. The AWS is therefore characterized as a system that depends on the internet for usage and provides services through a virtual system (Lenkala, Shetty & Kaiqi Xiong, 2013).


The risks associated with AWS will mainly be risks associated with system access through hacking and phishing. The threats relating to the operational environment of the AWS include the functional requirements of the AWS services, system users, the security policies that govern the AWS, the security architecture of the AWS, the current network topology, the flow of information within the AWS and in communication with other systems, the existing operational controls, and the information storage security. Information gathering for this characterization involves a document review of the available data and information about the AWS. The documentation available for this report includes security-related documentation available through the organization website, policy documents, a risk assessment report, system results and the previous years' audit report.


The way to achieve a secure AWS is by limiting access privileges so that users have only the access they need. Approve policies under which users can only have a given, set level of privilege in accessing the AWS accounts. Allow only the restricted level of access needed to get the job properly done.

Loose security group policies

When using the AWS, administrators may sometimes create loose group security policies that make the system vulnerable to attackers through the loopholes they create. Administrators set group policies because group permissions are simpler to set than granular per-user permissions, which would otherwise be stricter and more difficult for outsiders to exploit. Because of a simple misconfiguration of the company’s AWS S3 storage bucket, which generally stores the company’s policy on reads and writes, the bots were able to gain access to the company's secret data, causing a spillage of the data of more than 14 million customers that the company stores.
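One way to check for the S3 misconfiguration described above is to audit a bucket policy for statements that let any caller read or write. This is an added example, not code from the paper or from AWS; the function name `audit_bucket_policy`, the sample policy, the bucket name and the account ID are constructed for illustration.

```python
import fnmatch
import json

# Representative actions; a full audit would cover every S3 action.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _matches(pattern, actions):
    # Policy action patterns may contain wildcards and are case-insensitive.
    return any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in actions)

def audit_bucket_policy(policy_json):
    """Return (sid, exposure, action_pattern) for unconditional Allow-to-everyone grants."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants are left for manual review
        for pattern in _as_list(stmt.get("Action", [])):
            if _matches(pattern, READ_ACTIONS):
                findings.append((stmt.get("Sid", "<no-sid>"), "public-read", pattern))
            if _matches(pattern, WRITE_ACTIONS):
                findings.append((stmt.get("Sid", "<no-sid>"), "public-write", pattern))
    return findings

# Constructed sample policy; bucket name and account ID are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpenEverything", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY):
        print(finding)
```

The role-scoped statement is not reported, which is the least-privilege shape the paragraph above recommends.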


With a poor configuration, attackers can easily start talking to the AWS API. An attacker who does this correctly can then read, update and even write to the S3 bucket without the knowledge of the bucket owner. The best approach, according to Amazon, is to get adequate education on the proper configuration of S3 so as to limit exposure to attackers and the general public. S3 data exposure is easy to avoid if the system is configured properly.

Industrial espionage | Economic espionage, competitive advantage | Information theft, intrusions on personal privacy, unauthorized access to the system, system penetration, and economic exploitation.
Insiders | Ego, intelligence, curiosity, revenge, unintentional omissions | Blackmail, computer abuse, browsing proprietary information, system intrusion, system bugs, unauthorized access, malicious code, information bribery, corrupted data, system sabotage.


Vulnerability pairs

Threat | Threat source | Threat action
Terminated employees with access to the system | Terminated employees | Accessing proprietary information through gaining access to the company’s network
Allowing guest ID into the company server past the firewall protection | Unauthorized users (computer criminals, hackers, terminated employees) | Browsing system files using a guest ID.
New flaws identified by the vendor, new patches not yet applied | Unauthorized users such as disgruntled employees, hackers, terrorists | Gaining access to proprietary information and browsing sensitive system files for data.
Data center physical catastrophes like fire and water | Negligent persons, fire, water taps | Water taps leaking, fire extinguishers and warning signs to caution negligent persons

To identify system vulnerabilities, it is necessary to create a security requirements checklist that contains the basic security standards that can systematically be used in identifying and evaluating asset vulnerabilities.


Amazon. Retrieved from https://aws.amazon.com/compliance/resources/
Amazon Web Services. Amazon Web Services: Risk and Compliance [Ebook] (1st ed. doi: 10. services.
Great Speculations. How Much Can Prime Subscriptions Add To Amazon's Net Revenues? Retrieved from https://www.
Retrieved from https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf.
