14.1 Internet Services

When typical users think of internet services, they think of commercial services provided through web pages. A few may also think of email. To provide internet services, an enterprise connects itself to the internet and provides hosts for the appropriate services. Many enterprises rely on third parties to host their internet services, instead of managing the servers themselves. In either case, enterprise employees need internet access to manage and update the internet services. We discuss enterprise internet connections in Section 14.5.

Network services rely on communications, and communications rely on protocols. Our web browsers and email clients are clearly application programs, and they use application protocols to provide their services. We saw that network applications reside at Layer 7 of the OSI protocol stack in Section 10.5.2.

Not all Layer 7 protocols provide visible services. Both DNS and DHCP are Layer 7 protocols. (See Chapter 12.) Both usually work invisibly for less-sophisticated internet users; most people only notice them if they fail.

Traditional Internet Applications

Many traditional application protocols, including email and web access, do most of their work by exchanging files between hosts. Each web page is handled as a file when retrieved by a browser. Individual email messages are treated as files when being exchanged between hosts. The protocols exchange the files reliably by using TCP connections. If data is lost while traveling across the network, the hosts negotiate to retransmit the data. Although this occasionally introduces delays in a response, it generally provides acceptable service for traditional internet applications.

Traditional applications generally follow the client/server model. We use email client software to retrieve or send email, and we use a web browser (client) to retrieve data from web servers. The clients initiate connections to servers and not vice versa.

As internet services have expanded to provide streaming audio and video media, protocol designers have developed new techniques to provide effective network service. Streaming media do not work well with traditional internet protocols. We examine this problem briefly in Section 14.5.3.

Third-Party Hosting and Cloud Services

An internet server presents a large and inviting attack surface. Many enterprises employ third-party service providers to host their internet services and to keep the servers secure. The service providers offer a range of management and security services. Lowest-cost internet service provides a managed host with basic server software. To host a service, the enterprise provides and manages the site’s contents, including specialized services like web “content management systems.” (See Section 15.4.) The service provider may provide, secure, and maintain additional server software packages for a higher cost.

Many service providers offer cloud computing, which reacts flexibly to extreme changes in server traffic. Traditionally, services are assigned a fixed amount of computing resources in terms of RAM and processor cores. A cloud computing service can allocate additional resources as the demand for services increases, and it can release those resources as demand decreases. While some enterprises host their own private cloud service, many rely on third-party hosting services.

From a security standpoint, we compare third-party hosting with other types of outsourcing, like renting office space in a building. The rental management company takes responsibility for the building’s physical plant and basic physical security. The enterprise itself manages security within its offices.

Basic third-party services offer a similar level of security to low-cost office space. There is a lock on the office door. There may be additional security outside of business hours, like locking the building’s outside doors. The customer adds burglar alarms and surveillance within the offices, if needed. The third-party internet service relies on password-protected administrative accounts. If the customer requires additional security measures, the customer provides them.

A full-service cloud computing vendor offers a broad range of software services and security measures. Customers may still arrange for a bare-bones level of service, or they may use vendor-managed authentication, access control, and crypto key management.

An enterprise that outsources internet services must be assured that the vendor provides the expected levels of service and security. A service-level agreement (SLA) can cover explicitly identified features and performance levels. It is harder to assure the trustworthiness of internet services, so many enterprises today rely on standards administered by the American Institute of Certified Public Accountants (AICPA). These involve audits that yield Service and Organization Control (SOC) standardized reports, which help service providers give customers confidence in their cybersecurity controls. There are three levels of reports:

  • SOC 1—Shows that internal cybersecurity controls are in place that are relevant to financial reporting.

  • SOC 2—Provides broad cybersecurity assurance for customers in terms of the AICPA’s published trust principles. The report provides control and implementation details that may not be appropriate for public distribution.

  • SOC 3—Provides broad cybersecurity assurance for customers in terms of the AICPA’s published trust principles. The report provides a general statement of the system’s security intended for public distribution.

Reports SOC 2 and SOC 3 are often provided by cloud service providers. Both reflect the same level of internal review and audit; the principal difference is the level of detail provided in the reports.

Outsourcing does not eliminate security problems. Recent studies argue that security breaches of cloud-based systems are most often a result of configuration errors by the cloud customer. For example, the enterprise may transfer a sensitive company database to the cloud service provider but fail to restrict access to its data. The enterprise must reliably identify and address security gaps between what the service vendor provides by default and the security the data demands.
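The gap analysis described above, worked through as an added example (not from the book): a vendor-neutral check that merges a provider's constructed default settings with the customer's explicit overrides and reports where the effective configuration falls short of what the data's sensitivity demands. Setting names, the provider defaults, and the per-sensitivity requirements are all assumptions constructed for illustration, not any real vendor's policy.

```python
# Added example: "what the vendor provides by default" versus "what the data demands".
# Every setting name and default value here is constructed for illustration.

# Constructed provider defaults: what a hosted dataset gets if the customer changes nothing.
PROVIDER_DEFAULTS = {
    "public_read": True,          # anonymous read allowed unless the customer turns it off
    "encryption_at_rest": False,
    "access_logging": False,
    "mfa_for_admins": False,
}

# Constructed enterprise policy: controls required for each data sensitivity level.
REQUIRED = {
    "public":    {},
    "internal":  {"public_read": False},
    "sensitive": {"public_read": False, "encryption_at_rest": True,
                  "access_logging": True, "mfa_for_admins": True},
}


def effective_settings(overrides):
    """Provider defaults merged with what the customer explicitly configured."""
    return {**PROVIDER_DEFAULTS, **overrides}


def find_gaps(sensitivity, overrides):
    """Return (setting, actual, required) for every control the effective config gets wrong."""
    actual = effective_settings(overrides)
    return [(name, actual[name], wanted)
            for name, wanted in REQUIRED[sensitivity].items()
            if actual[name] != wanted]


def unrestricted_database_gaps():
    """The case from the text: a sensitive database moved to the cloud with no settings changed."""
    return find_gaps("sensitive", {})


def hardened_database_gaps():
    """The same database after the customer overrides every default the data requires."""
    return find_gaps("sensitive", {"public_read": False, "encryption_at_rest": True,
                                   "access_logging": True, "mfa_for_admins": True})


if __name__ == "__main__":
    for label, gaps in (("unrestricted", unrestricted_database_gaps()),
                        ("hardened", hardened_database_gaps())):
        print(label, "->", "no gaps" if not gaps else "")
        for name, actual, wanted in gaps:
            print(f"  {name}: provider default is {actual}, data requires {wanted}")
```

Leaving a sensitive dataset on provider defaults reports four gaps, starting with the public-read default the text warns about; the hardened override set reports none.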
