
CLOUD COMPUTING

REPORT ASSIGNMENT 2

STUDENT NAME: TRAN QUANG HUY


STUDENT ID: GCD18457
Class: GCD0703
ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 16: Cloud Computing

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Hoang Minh Tan Student ID GCC18172

Class GCC0901 Assessor name Thai Minh Tuan

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I
understand that making a false declaration is a form of malpractice.

Student’s signature Tan

Grading grid

P5 P6 P7 P8 M3 M4 D2 D3
❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:


Signature & Date:
TABLE OF CONTENTS
INTRODUCTION....................................................................................................................................... 1
The development of Cloud Computing solutions using the service provider’s framework and open source tools2
1. The configuration Cloud Computing platform with a cloud service provider’s framework............2
1.1. Heroku registration and configuration.................................................................................2
1.2. GitHub repository configuration.........................................................................................8
1.3. Heroku cloud application registration for ATN Store......................................................9
1.4. MongoDB Atlas database configuration.............................................................................11
2. The implementation cloud platform using the open-source......................................................17
2.1. Back-end development...................................................................................................17
2.2. Front-end development..................................................................................................27
2.3. Web application deploy on Heroku............................................................................37
3. The issues and constraints one can face during the development process and how to overcome 40
3.1. Back-End issues constraint.............................................................................................40
3.2. Front-End issues constraint.............................................................................................45
3.3. Server loading.......................................................................................................48
3.4. Performance..........................................................................................................50
Analyzing the technical challenges for cloud applications and assess their risks.......................................52
1. The most common problems which arise in a Cloud Computing platform and discuss appropriate
solutions to the problems.................................................................................................. 52
2. The most common security issues in cloud environments and how to overcome security
issues when building a secure cloud platform...............................................................................58
2.1. Database URL........................................................................................................58
2.2. Sniffer attacks.......................................................................................................59
2.3. Cross-Site Scripting (XSS) attacks...................................................................................60
2.4. DoS & DDoS attacks...............................................................................................62
2.5. Cookie poisoning....................................................................................................64
3. How an organization should protect their data when they migrate to a cloud solution..............65
3.1. Know the data.................................................................................................65
3.2. Back-Up Data Locally..............................................................................................66
3.3. Setting ATN company Data Retention Policy...............................................................67
3.4. Read the Small Print of the Cloud Service Provider......................................................68
3.5. Avoid storing sensitive information in the cloud..........................................................69
3.6. Use Cloud Services That Encrypt ATN company Data............................................70
3.7. Protect ATN company’s system with Anti-Virus & Anti-Spy.....................................71
3.8. Encrypt the Data Before Putting it on The Cloud...................................................71
3.9. Use a Strong Password / Use Two-Factor Authentication........................................72
CONCLUSION.......................................................................................................... 73
References................................................................................................................... 74
TABLE OF FIGURES

Figure 1. How Node.js Server work..........................................................................................17


Figure 2. How ExpressJs work..................................................................................................18
Figure 3. The entity-relationship diagram of ATN database..................................................................23
Figure 4. Vendor lock-in in cloud computing..............................................................................57
Figure 5. Cross-Site Scripting (XSS) attacks......................................................................................60
Figure 6. Using Load Balance...................................................................................................63
Figure 7. Cookie poisoning. (twitter, n.d.).........................................................................................64
Figure 8. Know data in the cloud. (ebuyer, n.d.).................................................................................65
Figure 9. Cloud app security.......................................................................................................................................71
Figure 10. Use Two-Factor Authentication................................................................................................................72
TABLE OF PICTURES

Picture 1. Heroku logo......................................................................................................2


Picture 2. Sign up on Heroku.............................................................................................2
Picture 3. Getting started on Heroku...................................................................................3
Picture 4. Download Git....................................................................................................3
Picture 5. Git setup..........................................................................................................4
Picture 6. Download Heroku CLI.........................................................................................5
Picture 7. Setup Heroku....................................................................................................5
Picture 8. Complete install Heroku CLI................................................................................6
Picture 9. Heroku CLI.......................................................................................................6
Picture 10. Heroku login....................................................................................................7
Picture 11. Heroku require login on a browser......................................................................7
Picture 12. Heroku login successful.....................................................................................7
Picture 13. GitHub logo.....................................................................................................8
Picture 14. Create a new repository on GitHub.....................................................................8
Picture 15. Create a new app on Heroku..............................................................................9
Picture 16. Heroku app manager........................................................................................9
Picture 17. Heroku connect to GitHub................................................................................10
Picture 18. MongoDB atlas logo........................................................................................11
Picture 19. Create a Project with atlas...............................................................................11
Picture 20. Create a cluster with MongoDB Atlas.................................................................11
Picture 21. Kind of clusters on MongoDB atlas....................................................................12
Picture 22. Configure cloud provider and region on MongoDB Atlas........................................12
Picture 23. Cluster Tier on MongoDB Atlas..........................................................................13
Picture 24. Addition settings MongoDB Atlas.......................................................................13
Picture 25. Dashboard MongoDB Atlas...............................................................................14
Picture 26. Add whitelist for MongoDB Atlas.......................................................................14
Picture 27. Create a MongoDB User...................................................................................15
Picture 28. Connect to Cluster..........................................................................................15
Picture 29. MongoDB connection method...........................................................................16
Picture 30. NodeJs logo.............................................................................................17
Picture 31. The constructor of the ATN Admin Panel Project..................................................19
Picture 32. Admin folder..................................................................................................19
Picture 33. models folder.................................................................................................20
Picture 34. Public folder............................................................................................20
Picture 35. React logo.....................................................................................................27
Picture 36. ATN login page...............................................................................................28
Picture 37. Main menu and dashboard...............................................................................29
Picture 38. ATN Admin Panel Category...............................................................................29
Picture 39. Create a new category.....................................................................................30
Picture 40. Filters in category...........................................................................................30
Picture 41. ATN Admin Panel Product.................................................................................31
Picture 42. Create a new product......................................................................................31
Picture 43. Filter in product..............................................................................................32
Picture 44. ATN Admin Panel Stores..................................................................................33
Picture 45. Create a new Store.........................................................................................33
Picture 46. Admin Panel User Account...............................................................................34
Picture 47. Create a new user account...............................................................................34
Picture 48. ATN Admin Panel Page....................................................................................35
Picture 49. ATN Admin Panel Comment..............................................................................35
Picture 50. ATN Admin Panel Dashboard............................................................................36
Picture 51. Dashboard in Navigation..................................................................................36
Picture 52. Push data into GitHub.....................................................................................37
Picture 53. Configuration Heroku connected to GitHub.........................................................38
Picture 54. Heroku build an application with GitHub......................................................38
Picture 55. ATN Admin Panel on Heroku.............................................................................39
Picture 56. Select version for Node.js................................................................................40
Picture 57. Update expressjs............................................................................................40
Picture 58. Current version Node.js after update.................................................................41
Picture 59. Bypass login..................................................................................................41
Picture 60. Login fail.......................................................................................................42
Picture 61. Redirect to login page.....................................................................................43
Picture 62. Refresh page still in Panel................................................................................43
Picture 63. View of Admin account and another account.......................................................45
Picture 64. HTML Checker................................................................................................46
Picture 65. Checking Server Loading.................................................................................48
Picture 66. Region Heroku configuration............................................................................49
Picture 67. Region MongoDB Atlas configuration.................................................................49
Picture 68. Performance from login to dashboard Admin Panel..............................................50
Picture 69. Create .env file...............................................................................................58
Picture 70. Install helmet packet.......................................................................................59
Picture 71. XSS Attacks...................................................................................................60
Picture 72. XSS Attack does not work on ATN Admin Panel...................................................61
Picture 73. Backup data in local with allway Sync......................................................................................................66
Picture 74. Heroku's promises to customers.............................................................................................................68
Picture 75. Password will encrypt before uploading into cloud.................................................................................69
Picture 76. Backup service IDrive......................................................................................70
INTRODUCTION

Businesses have historically been responsible for overseeing every step of ordering, delivering and
activating their own IT equipment. Today the majority of IT-related tasks are outsourced to companies
that offer these computing services online. These firms offer computing services including storage,
database servers, software, and networking from a sizable pool of computing resources, an arrangement
known as cloud computing. These services are adaptable and affordable: a user pays only for the kind of
service they use and the amount of time they use it.

Cloud computing is perhaps the most conspicuous technical advancement of the twenty-first century,
because, compared to other technologies in the field, it has seen the quickest widespread adoption. The
proliferation of smartphones and other internet-connected mobile devices has been the major driver of this
adoption. Cloud computing is not only good for corporations and organizations; the typical person also
benefits from it. We may use it to run software without installing it on our computers, store and access
our multimedia online, build and test new software without necessarily needing our own servers, and more.
Cloud computing is now crucial in practically every industry.

The development of Cloud Computing solutions using the service provider’s framework and open source tools
1. The configuration of a Cloud Computing platform with a cloud service provider’s framework (P5)
1.1. Heroku registration and configuration

Picture 1. Heroku logo

Create an account on Heroku.com before beginning the project. The interface is remarkably
straightforward and user-friendly at first look.

Picture 2. Sign up on Heroku

It provides users with a wonderful Getting Started with Heroku dialog where they can locate the instructions
for each kind of app that may be deployed.

Picture 3. Getting started on Heroku

The Heroku CLI requires Git, the popular version control system.

Picture 4. Download Git

Picture 5. Git setup

This step installs the Heroku Command Line Interface (CLI). The CLI is used to manage and scale
applications, provision add-ons, view application logs, and run apps locally.

Picture 6. Download Heroku CLI

Picture 7. Setup Heroku

Picture 8. Complete install Heroku CLI

Checking the Heroku CLI: on Windows, start the Command Prompt (cmd.exe) or PowerShell to access the
command shell, then run:
$ heroku

Picture 9. Heroku CLI

Use the Heroku login command to log in to the Heroku CLI:

Picture 10. Heroku login

Picture 11. Heroku require login on a browser

Picture 12. Heroku login successful

1.2. GitHub repository configuration

Picture 13. GitHub logo

A project repository functions similarly to a folder. The repository for the project has all of the project's
files as well as the revision history of each one. Within the repository, users may manage and discuss the
project's work.

Users can share ownership of repositories with other members of an organization or own repositories
independently.

Picture 14. Create a new repository on GitHub

1.3. Heroku cloud application registration for ToyStore
Users may quickly and easily deploy a preconfigured app that includes all of the necessary code,
customizations, and add-ons by just clicking a button. By building the first Heroku project with a button,
users can experience how user-friendly the platform is and obtain a genuine, working Node.js app that they
can explore and alter to gain more knowledge.

Picture 15. Create a new app on Heroku

Picture 16. Heroku app manager

One of the simplest Heroku app deployment strategies, GitHub integration, will be used to distribute
the user's modified source code for the application. It is possible to set up the web-based source code
hosting service GitHub to automatically deploy code updates to Heroku.

Picture 17. Heroku connect to GitHub

Now that the application's source code is available in a GitHub repository, the user has connected it to
Heroku to enable automated deployment anytime any changes are made to the source code.

1.4. MongoDB Atlas database configuration
The top database for contemporary applications in the world is provided by MongoDB Atlas as a fully
automated cloud service with built-in operational and security best practices. Databases can be quickly
deployed, run, and scaled across the top cloud platforms.

Picture 18. MongoDB atlas logo

MongoDB Atlas is a fully managed cloud database built by the same team that develops MongoDB.
Atlas handles all the complexity of setting up, maintaining, and repairing deployments on the AWS,
Azure, and GCP clouds.

When working with MongoDB atlas, the user needs to create a project:

Picture 19. Create a Project

Picture 20. Database Deployments

Picture 21. Connect to Cluster0

Picture 22. Choose Driver and Version

2. The implementation of the cloud platform using open-source tools (P6)
2.1. Back-end development
 Node.Js:

Picture 23. NodeJs logo

JavaScript, together with JSON, the data format derived from it, has fundamentally altered web
development. Integrating Node.js with it to run tasks both on the server and in the browser is becoming
more popular. Node.js is therefore the best system development tool for this project.

There are many benefits of Node.Js:

 Node JS is a server framework and is free
 It runs on Windows, Linux, Mac OS, etc.
 Node utilizes JavaScript on the server
 It contains tasks and executes them upon set events
 Generate dynamic content
 Create, open and read, or delete files on the server
 Gather and modify data in the database

Figure 1. How Node.js Server work

 ExpressJs:

ExpressJS is a ready-made NodeJS framework that can assist ToyStore's server-side coding. ExpressJS is by far
the most well-known NodeJS framework, and when most people refer to NodeJS, they actually mean
NodeJS with ExpressJS. (algoworks, n.d.)

Figure 2. How ExpressJs work

The main argument made by developers is that ExpressJS can halve programming time. The framework
is also exceptionally scalable and adaptable, since NodeJS and ExpressJS are developed in JavaScript,
a fairly simple language to learn and modify.

The ToyStore Admin Panel Project will be constructed using a Model-View-Controller (MVC)
architecture:

Picture 24. The constructor of the ToyStore Admin Panel Project

 Admin: To store the components and options for the front-end (View)

Picture 25. Admin folder

 Models: To store the models (Database)

Picture 26. models folder

 Public: To store the images, CSS and fonts

Picture 27. Public folder

 Server.js: The entry point of the system; it connects to the database and renders the interface of
the ToyStore application

require('./models/db');                 // opens the Mongoose connection
const express = require('express');
const path = require('path');
const bodyParser = require('body-parser');
const expressHandlebars = require('express-handlebars');
const toyController = require('./controller/toyController'); // not mounted in this excerpt

var app = express();

// Parse HTML form bodies and JSON request bodies
app.use(bodyParser.urlencoded({
    extended: true
}));
app.use(bodyParser.json());

// View directory, static assets and the Handlebars view engine
app.set('views', path.join(__dirname, '/views/'));
app.use(express.static(__dirname + '/public'));

app.engine('hbs', expressHandlebars({
    extname: 'hbs',
    defaultLayout: 'mainLayout',
    layoutsDir: __dirname + '/views/layouts/',
    runtimeOptions: {
        // lets templates read properties of Mongoose documents
        allowProtoPropertiesByDefault: true,
        allowProtoMethodsByDefault: true,
    },
}));
app.set('view engine', 'hbs');

app.get('/', function (req, res) {
    res.render("toy/addOrEdit", {
        viewTitle: "ADD NEW TOY",
    });
});

// Heroku assigns the listening port through the PORT environment variable
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => console.log('Express server started at port ' + PORT));

 Package.json: stores information about the package and its dependencies, so that the cloud
platform can install and run the application.
 {
   "name": "new-folder",
   "version": "1.0.0",
   "description": "",
   "main": "index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "dev": "nodemon server.js",
     "start": "node server.js"
   },
   "author": "",
   "license": "ISC",
   "dependencies": {
     "body-parser": "^1.20.0",
     "email-validator": "^2.0.4",
     "express": "^4.18.1",
     "express-handlebars": "^5.3.2",
     "mongoose": "^6.4.4",
     "nodemon": "^2.0.19"
   }
 }

 Database schema design:

The database of ToyStore will be built with a NoSQL database. NoSQL databases store data differently
than relational tables. NoSQL databases come in a variety of types based on their data model; the main
types are document, key-value, wide-column, and graph. They provide flexible schemas and scale easily
with large amounts of data and high user loads.

The database of ToyStore Company should be designed with at least 3 collections that are related to
each other, so that the database architecture is efficient and clear and avoids repeated or anomalous
data.

Figure 3. The entity-relationship diagram of ToyStore database

In order to communicate between the web application interface and the data in the database, the back-end
needs a model for each collection of the database:

 Useraccounts model:

To create the User Account collection in the database, the model tells the ATN system which collection
to create and the types of data it will store.
const mongoose = require('mongoose')
const { Schema } = mongoose
const EMAIL_REGEXP = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i;

const validateEmail = email => EMAIL_REGEXP.test(email);

const UserSchema = new Schema({
    name: String,
    email: {
        type: String,
        lowercase: true,          // normalised before storage
        trim: true,
        required: true,
        validate: [validateEmail, 'Please fill a valid email address']
    },
    auth: {
        password: {
            type: String,         // stored as the string given; the login code compares it directly
            required: true,
        },
    },
    role: {
        type: String,
        enum: ['Admin', 'Store Manager', 'Sales'],
        required: true
    }
}, { timestamps: true })

const UserAccount = mongoose.model('UserAccount', UserSchema)

module.exports = UserAccount

 Categories model:

To create the Category collection in the database, the model tells the ATN system which collection to
create and the types of data it will store.
const mongoose = require('mongoose')

const { Schema } = mongoose

const CategorySchema = new Schema({
    Name: {
        type: String,
        required: true,
    },
    createdAt: Date,
    Description: String,
}, { timestamps: true })

const Category = mongoose.model('Category', CategorySchema)

module.exports = Category

 Products model:

To create the Product collection in the database, the model tells the ATN system which collection to
create and the types of data it will store.

In this product model, the category field links to a document from the Category model.
const mongoose = require('mongoose')

const { Schema } = mongoose

const ProductSchema = new Schema({
    Name: String,
    Description: String,
    Price: Number,
    category: {
        type: Schema.Types.ObjectId,
        ref: 'Category',
    }
}, { timestamps: true })

const Product = mongoose.model('Product', ProductSchema)

module.exports = Product

 Stores model:

To create the Store collection in the database, the model tells the ATN system which collection to
create and the types of data it will store.

In this Store model, the User field links to a document from the User Account model.
const mongoose = require('mongoose')

const { Schema } = mongoose

const StoreSchema = new Schema({
    Name: {
        type: String,
        required: true,
    },
    Address: {
        type: String,
        required: true,
    },
    PhoneNumber: {
        type: String,
        required: true,
    },
    User: {
        type: Schema.Types.ObjectId,
        ref: 'UserAccount',
    },
})

const Store = mongoose.model('Store', StoreSchema)

module.exports = Store

2.2. Front-end development
In ATN’s project, React JS is used in web development to build interactive elements on websites.

Picture 35. React logo

Among common design patterns, React plays the role of the V (View) in the MVC pattern (Model-View-Controller).
With React, the developer can design all the front-end parts of the application, which means the whole
interface can be created easily.

An ATN React app is made of two parts: components, which are the pieces that contain HTML code and
what the developer wants the user to see, and an HTML document in which all components are rendered.

 Rendering and optimization: when the ATN React app is loaded in the browser, all the components
the developers created are rendered. The only parts of the application that reload (are rendered again)
are the ones whose state changes.
 All the power of HTML, CSS, and JavaScript together inside the component: when developers create a
React component, they can not only use HTML and CSS as usual but also integrate JavaScript in a very
natural way. The developer can define methods inside components and use them wherever needed.
 Every component is a Class that ATN can instantiate: a component can receive arguments that the
developer uses to customize what is shown in the application.
 It is asynchronous. There are no blocking actions in the application. If something has not finished
loading, other components continue working or loading.

The ATN’s Front-end will have 3 main pages such as Login, main menu dashboard, and input(view)
data.

 Login page:

The ATN Admin Panel requires users to log in to the system with the email and password that the
administrator created beforehand.

The login page sends the submitted data to the database to confirm that the email and password are
correct; if they are, the login succeeds.
const router = AdminBroExpress.buildAuthenticatedRouter(adminBro, {
    authenticate: async (email, password) => {
        const user = await UserAccountModel.findOne({ email })
        if (user) {
            // compares the submitted password with the stored string as-is
            if (password === user.auth.password)
                return user
        }
        return null
    },
    cookieName: 'adminATN',
    cookiePassword: 'LongPassword',   // session-cookie signing secret, written into the source
})

Picture 36. ATN login page

 Main menu and Dashboard:

Picture 37. Main menu and dashboard

The main menu and dashboard consist of 2 main areas: the navigation bar and the dashboard.

 Navigation bar: the user can input or view information about each category, product and store
o Category: To store information about categories; the user can create a category or use filters
to find one.

Picture 38. ATN Admin Panel Category

Picture 39. Create a new category

Picture 40. Filters in category

o Product: To store information about products; users can create a product or use filters to find
one.

Picture 41. ATN Admin Panel Product

Picture 42. Create a new product

Picture 43. Filter in product

o Store: To store information about stores; users can create a store or use filters to find one.
Each store has 1 Store Manager.

Picture 44. ATN Admin Panel Stores

Picture 45. Create a new Store

o User Account: To store information about user accounts; users can create an account or use filters
to find one. Each User Account is assigned 1 role.

Picture 46. Admin Panel User Account

Picture 47. Create a new user account

o Page:

Picture 48. ATN Admin Panel Page

o Comment:

Picture 49. ATN Admin Panel Comment

 Dashboard: Show information about the developer and ATN Panel.

Picture 50. ATN Admin Panel Dashboard

Picture 51. Dashboard in Navigation

2.3. Web application deployment on Heroku
After the development of the web front-end, back-end and database infrastructure is complete, all the web components are pushed to Heroku.

First, push the application to GitHub:

Picture 52. Push data into GitHub

In the Heroku configuration, the GitHub repository is connected to Heroku, so Heroku automatically deploys from the master branch on GitHub.

Picture 53. Configuration Heroku connected to GitHub

Picture 54. Heroku build an application with GitHub

The Heroku application log now shows that the web application was deployed successfully:

The app is now available at the address: https://atnadminpanel.herokuapp.com/

To proceed to the internal pages, the login form requires a user account with the following details:

 Email: [email protected]
 Password: password

The source code is available in this GitHub repository: https://github.com/SuperMido/ATNStore

Picture 55. ATN Admin Panel on Heroku

3. The issues and constraints one can face during the development process and how to overcome them (M3-D2)
3.1. Back-end issues and constraints
 Connection to ClusterATN:

Whether the server side can connect to MongoDB Atlas depends on the Node.js version. When the application was first implemented, the Node.js version was lower than 3.0, so MongoDB Atlas did not work.

For the ATN Admin Panel, the developer must select the right Node.js version so that the database works correctly.

Picture 56. Select version for Node.js

Solution to overcome the connection failure with MongoDB Atlas:

Update to the latest Node.js version:

Picture 57. Update expressjs

Picture 58. Current version Node.js after update

 Bypass login:

Normally users have to log in to use the ATN Admin Panel when they open the browser at https://atnadminpanel.herokuapp.com/.

If the user instead changes the application path to https://atnadminpanel.herokuapp.com/admin, the user does not need to log in but can still use the whole ATN Admin Panel system.

Picture 59. Bypass login

With this bypass the system cannot tell which user is using the application, which is a serious problem for the system.

Solution to overcome bypass login: set up the router on the server side:

const router = AdminBroExpress.buildAuthenticatedRouter(adminBro, {
  authenticate: async (email, password) => {
    const user = await UserAccountModel.findOne({ email })
    if (user) {
      if (password === user.auth.password) return user
    }
    return null
  },
  cookieName: 'adminATN',
  cookiePassword: 'LongPassword',
})

The application checks that the e-mail and password are correct; if they are, login succeeds. If login fails, the ATN Admin Panel returns to the login page and asks the user to log in again.

Picture 60. Login fail

By configuring rootPath and mounting the authenticated router, the Admin Panel redirects to the login page:
module.exports = {
  rootPath: '/admin',
}

app.use(adminBro.options.rootPath, router)
app.get('/', router)

Opening https://atnadminpanel.herokuapp.com/admin now no longer lets the user into the system without logging in; the ATN Admin Panel redirects to the login page.

Picture 61. Redirect to login page

 Require login every time

Whenever users use the ATN Admin Panel, the application requires them to log in. But after logging in, any action such as refreshing the browser, closing the application or opening a new tab brings up the login function again.

Solution to overcome requiring login every time:

Use the express-session package:

By default Express requests are independent and cannot be linked to each other; there is no way to know whether a request comes from a client that already made a request previously.

Users cannot be identified unless some mechanism that makes this possible is used.

Once implemented, every user of the API or website is assigned a unique session, which allows the application to store the user's state.

It can store session data in:

 Memory
 A database: MongoDB
 A memory cache: Memcached

Picture 62. Refresh page still in Panel

const buildAuthenticatedRouter = (
  admin, auth, predefinedRouter, sessionOptions = {}, formidableOptions = {},
) => {
  const router = predefinedRouter || express.Router()
  // express-session: the cookie name and the secret that signs it come from the
  // cookieName / cookiePassword options passed in by the application
  router.use(session({
    ...sessionOptions,
    secret: auth.cookiePassword,
    name: auth.cookieName,
  }))
  router.use(formidableMiddleware(formidableOptions))
  const { rootPath } = admin.options
  let { loginPath, logoutPath } = admin.options
  loginPath = loginPath.replace(rootPath, '')
  logoutPath = logoutPath.replace(rootPath, '')

  // GET: render the login form
  router.get(loginPath, async (req, res) => {
    const login = await admin.renderLogin({
      action: admin.options.loginPath,
      errorMessage: null,
    })
    res.send(login)
  })
  // POST: on success the user is stored in the session, which is what
  // survives page refreshes and new tabs
  router.post(loginPath, async (req, res, next) => {
    const { email, password } = req.fields
    const adminUser = await auth.authenticate(email, password)
    if (adminUser) {
      req.session.adminUser = adminUser
      req.session.save((err) => {
        if (err) {
          next(err)
        }
        res.redirect(rootPath)
      })
    } else {
      const login = await admin.renderLogin({
        action: admin.options.loginPath,
        errorMessage: 'invalidCredentials',
      })
      res.send(login)
    }
  })
  // Every other request: static assets pass, a request with a logged-in
  // session passes, anything else is redirected to the login page
  router.use((req, res, next) => {
    if (AdminBro.Router.assets.find(asset => req.originalUrl.match(asset.path))) {
      next()
    } else if (req.session.adminUser) {
      next()
    } else {
      res.redirect(admin.options.loginPath)
    }
  })
  router.get(logoutPath, async (req, res) => {
    req.session.destroy(() => {
      res.redirect(admin.options.loginPath)
    })
  })

  return buildRouter(admin, router, formidableOptions)
}

3.2. Front-end issues and constraints
 Full permission for every user role:

There are 3 main roles in the ATN Admin Panel: Admin, Store Manager and Sales. Each role should have different permissions in the Admin Panel, but the first implementation of the front-end had some critical issues:

o Every role can create an account for any user role, including Admin, Store Manager and Sales
o Every role can monitor another store
o Every role can create a product, category or store

Solution to overcome full permission for every user role: configure the permissions for creating a user account:


const AdminBro = require('admin-bro')
const { sort, timestamps } = require('./sort')

// Every action on the User Account resource is accessible to the Admin role only;
// a request without a logged-in currentAdmin is denied as well
module.exports = {
  list: { isAccessible: ({ currentAdmin }) => currentAdmin && currentAdmin.role === 'Admin', showInDrawer: true },
  show: { isAccessible: ({ currentAdmin }) => currentAdmin && currentAdmin.role === 'Admin', showInDrawer: true },
  edit: { isAccessible: ({ currentAdmin }) => currentAdmin && currentAdmin.role === 'Admin', showInDrawer: true },
  delete: { isAccessible: ({ currentAdmin }) => currentAdmin && currentAdmin.role === 'Admin', showInDrawer: true },
  new: { isAccessible: ({ currentAdmin }) => currentAdmin && currentAdmin.role === 'Admin', showInDrawer: true },
}

With this config, only the Admin role can view, create or modify user accounts.

View of the Admin account and of another account:

Picture 63. View of Admin account and another account
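The configuration above repeats the same Admin-only guard for all five actions, and the other resources (product, category, store) need guards of their own for the Store Manager and Sales roles. The following is an added example, not the ATN project's code, of a small helper that builds such per-action isAccessible guards once and a checker that evaluates them the way AdminBro does for a given currentAdmin. The product rules in it (Store Manager may change products, Sales may only list and view them) are an assumed example split, not a rule taken from the page.

```javascript
// Added example, not the ATN project's code: build AdminBro-style per-action
// `isAccessible` guards from a list of allowed roles, and evaluate which actions
// a given currentAdmin may perform. Role names follow the page (Admin, Store
// Manager, Sales); the product split below is an assumed example.
const ACTIONS = ['list', 'show', 'edit', 'delete', 'new']

// Returns an isAccessible guard that allows only the listed roles.
// A missing currentAdmin (no session) is always denied.
function allowRoles(...roles) {
  return ({ currentAdmin }) => Boolean(currentAdmin) && roles.includes(currentAdmin.role)
}

// Build an `actions` object in the shape AdminBro expects: every action gets the
// default guard unless an override is supplied for that action.
function buildActions(defaultGuard, overrides = {}) {
  const actions = {}
  for (const name of ACTIONS) {
    actions[name] = { isAccessible: overrides[name] || defaultGuard, showInDrawer: true }
  }
  return actions
}

// User Account resource: Admin only, exactly as in the page's configuration.
const userAccountActions = buildActions(allowRoles('Admin'))

// Product resource (assumed split): Admin and Store Manager may create, edit and
// delete products; Sales may only list and view them.
const productActions = buildActions(allowRoles('Admin', 'Store Manager'), {
  list: allowRoles('Admin', 'Store Manager', 'Sales'),
  show: allowRoles('Admin', 'Store Manager', 'Sales'),
})

// Evaluate the guards for one currentAdmin and return the names of the
// actions that are accessible, in AdminBro's action order.
function accessibleActions(actions, currentAdmin) {
  return Object.keys(actions).filter((name) => actions[name].isAccessible({ currentAdmin }))
}

module.exports = { allowRoles, buildActions, accessibleActions, userAccountActions, productActions }
```

Because the guard is a closure over the role list, adding a fourth role later means editing one call rather than five object literals, and the denied-by-default behaviour for an absent currentAdmin is the same everywhere.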

 HTML problem:

In the ATN Admin Panel there are many invalid attributes and elements, which make the system heavy and unstable. The Nu HTML Checker reports errors and warnings for https://atnadminpanel.herokuapp.com/

Picture 64. HTML Checker

Solution to overcome the HTML problem:

The Nu HTML Checker is an ongoing experiment in better HTML checking, and its behavior remains subject to change.

The errors and warnings can be checked at:

https://validator.w3.org/nu/?doc=https://atnadminpanel.herokuapp.com/

The developer can then modify or delete the unused or unnecessary attributes, properties and elements.

3.3. Server loading

Picture 65. Checking Server Loading

The application loads slowly; it takes too much time to load everything from the server. The first time the application is opened it is slow, but subsequent loads are faster.

Solution to overcome the server loading problem:

The application is deployed on Heroku in the United States region and should be moved to a region nearer to Viet Nam.

Picture 66. Region Heroku configuration

Alternatively, ATN Company will use AWS (Amazon Web Services) and relocate to Singapore. After relocating to a server in Singapore, the application runs in the same region as the MongoDB Atlas database.

Picture 67. Region MongoDB Atlas configuration

After that, the application loads faster from the server.

3.4. Performance
Web performance refers to the speed in which web pages are downloaded and displayed on the user's
web browser. Web performance optimization (WPO), or website optimization is the field of knowledge
about increasing web performance.

Faster website download speeds have been shown to increase visitor retention and loyalty[1][2] and
user satisfaction, especially for users with slow internet connections and those on mobile
devices.[3] Web performance also leads to fewer data traveling across the web, which in turn
lowers a website's power consumption and environmental impact. (wikipedia, n.d.)

The performance of the ATN Admin Panel is not good enough: the application spends too much time idle.

Picture 68. Performance from login to dashboard Admin Panel

Solution to overcome the performance problem:

Async/await is a JavaScript feature that makes working with asynchronous functions easier to read and understand. It is built on Promises and is compatible with every Promise-based API. In detail:

 Async - declares an asynchronous function
o Automatically turns a regular function into one that returns a Promise.
o When the async function is called it handles everything and returns the result through that Promise.
o Async allows the use of await.
 Await - pauses the execution of an async function.
o When placed in front of a Promise, it waits until the Promise settles and returns the result.
o Await only works with Promises, not with callbacks.
o Await can only be used inside async functions.

Using async/await to connect to the database:


const express = require('express')   // imports assumed from the rest of the project
const mongoose = require('mongoose')
const app = express()

const run = async () => {
  // Wait for the database connection before the HTTP server starts accepting requests
  await mongoose.connect(process.env.MONGO_URL, {
    useNewUrlParser: true,
    useUnifiedTopology: true
  })
  app.listen(process.env.PORT, () => console.log(`Admin Panel is under localhost:${process.env.PORT}`))
}

Using async/await to log in to the system:

const router = AdminBroExpress.buildAuthenticatedRouter(adminBro, {
  // findOne returns a Promise, so the callback awaits it instead of nesting a callback
  authenticate: async (email, password) => {
    const user = await UserAccountModel.findOne({ email })
    if (user) {
      if (password === user.auth.password) return user
    }
    return null
  },
  cookieName: 'adminATN',
  cookiePassword: 'LongPassword',
})

Analyzing the technical challenges for cloud applications and
assess their risks
1. The most common problems which arise in a Cloud Computing platform and
discuss appropriate solutions to the problems (P7)
 Data security concern

Many concerns remain unresolved when the security of cloud computing is discussed. The major problems with cloud computing data security are the numerous significant risks, such as malware attacks and hacking of the client's website. Before implementing cloud computing for their firm, entrepreneurs must consider these concerns. Because the user is sending sensitive corporate information to a third party, it is crucial to reassure ToyStore about the manageability and security of the cloud.

 Selecting the perfect cloud set-up

It's crucial to select the right cloud technology for the company's needs. Public, private, and
hybrid cloud configurations are the three different types. Choosing the correct cloud is the
essential key to a successful cloud installation. If ToyStore does not choose the appropriate
cloud, then ToyStore may often utilize public clouds. A few businesses want to use hybrid
clouds in a balanced manner. Select a cloud computing consulting company that is
knowledgeable about and transparent about the circumstances relating to cloud installation
and data protection. (educba, n.d.)

 Real-time monitoring requirements

The organization must monitor its systems in real time. Continuous inventory system monitoring and upkeep are requirements for its line of work. Cloud service providers are unable to meet the real-time system updates required by banks and some governmental organizations, and for cloud service providers this presents a significant issue.

 Dependency on service providers

The ToyStore firm must hire a vendor service with the necessary infrastructure and technical know-how for uninterrupted service and good functioning: a certified vendor capable of upholding the security requirements established by the organization's internal policies and regulatory bodies. ToyStore must carefully examine the service level agreement and understand the rules, conditions and provisions for payment in the event of an outage, as well as any lock-in clauses, before choosing the service provider.

 Downtime

A key drawback of cloud computing is downtime. No platform provider can guarantee zero chance
of downtime. Small businesses using cloud technology are dependent on connectivity, thus
organizations with questionable internet connections may wish to reconsider using cloud
computing.

Downtime is often cited as one of the biggest disadvantages of cloud computing. Since cloud
computing systems are internet-based, service outages are always an unfortunate possibility and
can occur for any reason. (cloudacademy, n.d.)

Solution:

o AWS Direct Connect, Azure ExpressRoute, Google Cloud's Dedicated Interconnect or Partner Interconnect are examples of dedicated connections that you might choose to use. These services give the ToyStore firm a dedicated network connection to the cloud service's point of presence, which lessens exposure to internet-related business disruption.
o Create and implement a disaster recovery strategy that is in accordance with corporate goals and aims for the shortest recovery time and recovery point objectives.
o High availability and disaster recovery should be considered while designing services. Use the several availability zones that cloud providers offer for infrastructure.
 Password Security

In order to ensure cloud security, diligent password management is essential. However, the
security of the cloud account decreases as the number of users increases. Anyone who is familiar
with passwords can access the data that the ToyStore firm stores there.

Multi-factor authentication should be used by businesses, and passwords should be secured and
changed frequently, especially when employees depart. Password and username access privileges
should only be granted to those who need them.

 Data security

Enterprises are gradually converting to cloud technology because of the extensive infrastructure it offers. Data is housed on the CSP's infrastructure, and because it does not live on the organization's own property, several difficult problems occur. The following are some of the difficult problems with cloud data security:
o the requirement to safeguard sensitive corporate, governmental or regulatory information
o cloud service models with multiple tenants sharing the same infrastructure
o data mobility and the legal concerns of the laws that apply to it
o absence of guidelines for CSPs' safe disk space recycling and data erasure
o auditing, reporting and compliance concerns
o the disappearance of important security and operational intelligence that fed company IT security intelligence and risk management
o a new breed of insider who is not even employed by the organization but has access to and influence over data
 Limited control and flexibility

Since the cloud infrastructure is entirely owned, managed, and monitored by the service
provider, it transfers minimal control over to the customer.

To varying degrees (depending on the particular service), cloud users may find they have less
control over the function and execution of services within a cloud-hosted infrastructure. A cloud
provider’s end- user license agreement (EULA) and management policies might impose limits on
what customers can do with their deployments. Customers retain control of their applications,
data, and services, but may not have the same level of control over their backend
infrastructure.

Solution:

o Consider using a cloud provider partner to help with implementing, running, and
supporting cloud services.
o Understand the organization's own responsibilities and those of the cloud vendor in the shared responsibility model to reduce the chance of omission or error.
o Make time to understand cloud service provider’s basic level of support. Will this
service level meet support requirements? Most cloud providers offer additional
support tiers over and above the basic support for an additional cost.
o Make sure the developers understand the SLA for the infrastructure and services that will be used, and how it will affect agreements with customers.

 Cost concerns

Adopting cloud solutions on a small scale and for short-term projects can be perceived as
being expensive. However, the most significant cloud computing benefit is in terms of IT cost
savings. Pay-as- you-go cloud services can provide more flexibility and lower hardware costs,
but the overall price tag could end up being higher than the ATN company expected. Until ATN
company is sure of what will work best for the company, it’s a good idea to experiment with a
variety of offerings. ATN might also make use of the cost calculators made available by
providers like Amazon Web Services and Google Cloud Platform.
Solution:

o Try not to over-provision services, but rather look into using auto-scaling
services.
o Ensure the ATN company has the option to scale DOWN as well as UP.
o Pre-pay and take advantage of reserved instances if ATN company have a
known minimum usage.
o Automate the process to start/stop instances to save money when they are not
being used.
o Create alerts to track cloud spending.
 Cost barrier

For efficient working of cloud computing, ATN company has to bear the high charges of bandwidth. Businesses can cut down the cost of hardware, but they have to spend a huge amount on bandwidth. For smaller applications cost is not a big issue, but for large and complex applications it is a major concern. To transfer complex and intensive data over the network, ATN company must have sufficient bandwidth. This is a major obstacle for small organizations, which restricts them from implementing cloud technology in their business.

 Lack of knowledge and expertise

ATN Company does not have sufficient knowledge about the implementation of cloud solutions. It has neither expert staff nor the tools for the proper use of cloud technology. Gathering the information and selecting the right cloud is quite difficult without the right direction. Teaching ATN's staff about the processes and tools of cloud computing is a very big challenge in itself. Requiring an organization to shift its business to cloud-based technology without proper knowledge is asking for disaster; it would never use this technology for its business functions.

 Recovery of lost data

Cloud services face an issue of data loss. A proper backup policy for the recovery of data
must be placed to deal with the loss. Vendors must set proper infrastructures to efficiently
handle server breakdown and outages. All the cloud computing service providers must set up
their servers at economically stable locations where ATN should have proper arrangements for
the backup of all the data in at least two different locations. Ideally, ATN should manage a
hot backup and a cold backup site.

 Cloud management

Managing a cloud is not an easy task; it involves a lot of technical challenges. Many dramatic predictions have been made about the impact of cloud computing. People think that the traditional IT department will become outdated, while research supports the conclusion that cloud impacts are likely to be more gradual and less linear. Cloud services can easily be changed and updated by business users without any direct involvement of the IT department. It is the service provider's responsibility to manage the information and spread it across the organization, so it is difficult to manage all the complex functionality of cloud computing.

 Vendor lock-in

Vendor lock-in is another perceived disadvantage of cloud computing. Easy switching between
cloud services is a service that hasn’t yet completely evolved, and organizations may find it difficult
to migrate their services from one vendor to another. Differences between vendor platforms may
create difficulties in migrating from one cloud platform to another, which could equate to
additional costs and configuration complexities. Gaps or compromises made during
migration could also expose data to additional security and privacy vulnerabilities.

Solution:

o Design with cloud architecture best practices in mind. All cloud services provide the opportunity to improve availability and performance, decouple layers, and reduce performance bottlenecks. If ATN company has built its services using cloud architecture best practices, ATN is less likely to have issues porting from one cloud platform to another.
o Properly understand what vendors are selling to help avoid lock-in challenges.
o Employ a multi-cloud strategy to avoid vendor lock-in. While this may add
both development and operational complexity to deployments, it doesn’t have
to be a deal- breaker. Training can help prepare teams to architect and select
best-fit services and technologies.
o Build-in flexibility as a matter of strategy when designing applications to
ensure portability now and in the future.
o Build applications with services that offer cloud-first advantages, such as modularity
and portability of microservices and code. Think containers and Kubernetes.

Figure 4. Vendor lock-in in cloud computing

2. The most common security issues in cloud environments and how to overcome
security issues when building a secure cloud platform (P8-M4)
2.1. Database URL
The connection to the database should be secure: the source code should not contain information about the database such as the user name and password.

This is a bad way for the ATN Admin Panel to connect to the MongoDB server, because the credentials are embedded in the connection string inside the source code:
const run = async () => {
  await mongoose.connect('mongodb+srv://mido:[email protected]/ATN?retryWrites=true&w=majority', {
    useNewUrlParser: true,
    useUnifiedTopology: true
  })
  app.listen(process.env.PORT, () => console.log(`Admin Panel is under localhost:${process.env.PORT}`))
}

Solution to overcome the database URL problem:

By using an environment variable, the ATN system is secured: the connection details no longer appear in the source code once the MongoDB server URL is replaced with process.env.MONGO_URL.

An environment variable is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice. It consists of a name/value pair, and any number of them may be created and referenced at a given point in time.

Picture 69. Create .env file

const run = async () => {
  // The URL (including its credentials) is read from the environment, not from the source code.
  // Note that process.env.MONGO_URL is an expression, not a quoted string.
  await mongoose.connect(process.env.MONGO_URL, {
    useNewUrlParser: true,
    useUnifiedTopology: true
  })
  app.listen(process.env.PORT, () => console.log(`Admin Panel is under localhost:${process.env.PORT}`))
}

2.2. Sniffer attacks
Any network packet having information in plain text can be intercepted and read by the
attackers. This information can be usernames, passwords, secret codes, banking details, or any
information which is of value to the attacker. This attack is just the technical equivalent of a
physical spy. (greycampus, n.d.)

These attacks are launched by applications that capture the packets flowing in a network. If the data carried in those packets is not encrypted, it can be read, and there is a chance that vital information flowing across the network is traced or captured. A sniffer program can put the NIC (Network Interface Card) into a mode in which traffic addressed to other systems on the network is also recorded.

Sniffing motives:

 Getting usernames and passwords
 Stealing bank-related/transaction-related information
 Spying on email and chat messages
 Identity theft

Browsers can use content or MIME sniffing to adapt to different data types coming back in a response: they override the Content-Type header, guess the type and process the data accordingly. While this can be convenient in some scenarios, it can also enable dangerous attacks. Helmet's noSniff middleware sets the X-Content-Type-Options header to nosniff, which instructs the browser not to second-guess the Content-Type it was given.

Solution to overcome sniffer attacks:

The helmet package can help against the MIME-sniffing case:

Picture 70. Install helmet packet

const helmet = require('helmet')

// Sets X-Content-Type-Options: nosniff on every response
app.use(helmet.noSniff());

2.3. Cross-Site Scripting (XSS) attacks
Cross-site scripting (XSS) is a frequent type of attack where malicious scripts are injected into vulnerable
pages, to steal sensitive data like session cookies or passwords.

The basic rule to lowering the risk of an XSS attack is simple: “Never trust user’s input”. A
developer should always sanitize all the input coming from the outside. This includes data coming from
forms, GET query URLs, and even from POST bodies. Sanitizing means that ATN company should find and
encode the characters that may be dangerous e.g. <, >.
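The "find and encode the dangerous characters" step is the primary defence; the browser-side header discussed below is only a fallback. The following is an added example, not the ATN project's code, of an HTML escaping function and of how untrusted fields of a comment record are escaped before being placed in element text, in an attribute value and in a JSON blob inside a script tag. The comment record in it is constructed.

```javascript
// Added example, not the ATN project's code: output encoding for untrusted
// input. The five characters that can change HTML structure are replaced by
// entities; data embedded in a <script> block is additionally protected from
// closing the tag early. The comment record used below is constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }

// Escape a value for use in element text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c])
}

// Serialise data for `<script>const data = ...;</script>`: JSON.stringify does
// not escape '<', so a "</script>" in the data would end the script early.
// \u2028 and \u2029 are also escaped because they break older JS parsers.
function jsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
}

// Render a comment the ATN panel might display: every untrusted field goes
// through escapeHtml, whether it lands in text or in an attribute.
function renderComment(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
    `<p>${escapeHtml(comment.body)}</p></div>`
}

// Render the same record as data for a script block.
function renderCommentData(comment) {
  return `<script>const comment = ${jsonForScript(comment)};</script>`
}
```

Escaping happens at the output point, for the context the value lands in; the same comment body is safe as element text after escapeHtml but needs jsonForScript when it is handed to client-side code, and neither function should be applied to the stored value itself.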

Picture 71. XSS Attacks

Modern browsers can help to mitigate the risk by adopting better software strategies. Often
these are configurable via HTTP headers.

Figure 5. Cross-Site Scripting (XSS) attacks

The solution to overcome:

The helmet package helps secure Express apps by setting various HTTP headers.

The X-XSS-Protection HTTP header is a basic protection. The browser detects a potentially injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it.

const helmet = require('helmet')

// Sets the X-XSS-Protection header on every response
app.use(helmet.xssFilter({}));

Picture 72. XSS Attack does not work on ATN Admin Panel

2.4. DoS & DDoS attacks
A DoS attack is a denial of service attack in which a computer (or computers) is used to flood a server with TCP and UDP packets. During this type of attack, the service is put out of action because the packets sent overload the server's capabilities and make the server unavailable to other devices and users throughout the network. DoS attacks are used to shut down individual machines and networks so that they cannot be used by other users. A DDoS attack is one in which multiple systems target a single system with a DoS attack, so the targeted network is bombarded with packets from multiple locations. (comparitech, n.d.)

There are several different ways that DoS attacks can be used:

 Buffer overflow attacks: This type of attack is the most common DOS attack experienced. Under
this attack, the attacker overloads a network address with traffic so that it is put out of
use.
 Ping of Death or ICMP flood: An ICMP flood attack is used to take unconfigured or misconfigured
network devices and uses them to send spoof packets to ping every computer within the
network. This is also known as a ping of death (POD) attack.
 SYN flood: SYN flood attacks send requests to connect to a server but don’t complete the
handshake. The result is that the network becomes inundated with connection requests that
prevent anyone from connecting to the network.
 Teardrop Attack: During a teardrop DOS attack an attacker sends IP data packet fragments to a
network. The network then attempts to recompile these fragments into their original packets.
The process of compiling these fragments exhausts the system and it ends up crashing. It crashes
because the fields are designed to confuse the system so that it can not put them back
together.

A DDoS attack is one of the most common types of DoS attack in use today. During a DDoS attack, multiple systems target a single system with a DoS attack, and the targeted network is bombarded with packets from multiple locations. By attacking from multiple locations the attacker can take the system offline more easily, because there is a larger number of machines at the attacker's disposal and it becomes difficult for the victim to pinpoint the origin of the attack.

DDoS attacks can come in various forms including:

 UDP Floods: A UDP flood is a DDoS attack that floods the victim network with User Datagram
Protocol (UDP) packets. The attack works by flooding ports on a remote host so that the host
keeps looking for an application listening at the port. When the host discovers that there is no
application it replies with a packet that says the destination wasn’t reachable. This consumes
network resources and means that other devices can’t connect properly.
 Ping Flood: Much like a UDP flood attack, a ping flood attack uses ICMP Echo Request or ping
packets to derail a network’s service. The attacker sends these packets rapidly without waiting
for a reply in an attempt to make the network unreachable through brute force. These attacks are
particularly concerning because bandwidth is consumed both ways with attacked servers trying
to reply with their ICMP Echo Reply packets. The result is a decline in speed across the
entire network.
 SYN Flood: SYN Flood attacks are another type of DoS attack where the attacker uses the TCP
connection sequence to make the victim’s network unavailable. The attacker sends SYN
requests to the victim’s network which then responds with an SYN-ACK response. The sender
is then supposed to respond with an ACK response but instead, the attacker doesn’t respond
(or uses a spoofed IP address to send SYN requests instead). Every request that goes unanswered
takes up network resources until no devices can make a connection.
 HTTP Flood: In an HTTP Flood attack the attacker uses HTTP GET or POST requests to launch an assault on an individual web server or application. HTTP floods are a Layer 7 attack and don't use malformed or spoofed packets. Attackers use this type of attack because it requires less bandwidth than other attacks to take the victim's network out of operation.

The solution to overcome:

Load balancers are ideally suited for inclusion within a layered security model. The primary function
of a load balancer is to spread workloads across multiple servers to prevent overloading servers, optimize
productivity, and maximize uptime. Load balancers also add resiliency by rerouting live traffic from one
server to another if a server falls prey to DDoS attacks or otherwise becomes unavailable. In this way, load
balancers help to eliminate single points of failure, reduce the attack surface, and make it harder to
exhaust resources and saturate links.

Figure 6. Using Load Balance

For this strategy to be truly effective, it's necessary to ensure that the data centers are connected to
different networks and that there are no obvious network bottlenecks or single points of failure on
these networks.

2.5. Cookie poisoning
Cookie poisoning is the act of manipulating or forging a cookie (a small piece of data created and stored in a user's browser that keeps track of important information about his or her session for a particular site) to bypass security measures or send false information to a server. An attacker using cookie poisoning can gain unauthorized access to a user's account on the site the cookie was created for, or potentially trick a server into accepting a new version of the original intercepted cookie with modified values.

Figure 7. Cookie poisoning. (twitter, n.d.)

The solution to overcome:

 Require the user to use https (443) for the entire session. This will prevent any man-in-the-middle
attack from sniffing the cookie.
 Only allow one session to be active at a time. Once a second session shows up, the first
session is invalidated.
 Require the user to provide his old password when changing the password (or the email address,
or anything else that would allow the account to be taken over once the attacker is logged in);
this will prevent someone from hijacking the account and easily changing the password.
 Give the session cookie a very limited life - a few hours.

3. How an organization should protect their data when they migrate to a cloud solution (D3)
Nowadays most organizations migrate data to the cloud. Unsurprisingly, the large cloud vendors make
it as easy as possible to migrate data to the cloud and provide a raft of tools to help with the
migration.

Nonetheless, the ultimate responsibility for migrating data and maintaining its security belongs to
ATN company, which must be aware of the pitfalls as well as the upsides of cloud migration.

3.1. Know the data

In the past, enterprises would often treat their data storage like an attic or a basement in one’s home:
just store it there, and it doesn’t matter what ‘it’ is.

Figure 8. Know data in the cloud. (ebuyer, n.d.)

With data so valuable now, a potential migration is an excellent reason to take stock of exactly what
the data contains. Is it in a form that will be usable now and later? How accurately is the data
conforming to storage and retention policies within the data governance framework? And what can
ATN company safely dispose of?

There are many data management tools available to assist the process of understanding exactly what data
ATN company has in its domain. Most cloud vendors offer their own solutions to help the company
understand its data, and there’s a range of paid services available on the market.

Make good use of these tools, and avoid the temptation to hoard. Too often companies hold on to
data they no longer need. Unnecessary data retention (unless legally required) increases a company’s
liability in the event of a security breach.

Data migration is a good opportunity to clean up the data of each ATN shop. (horizontechnology, n.d.)

3.2. Back-Up Data Locally
When migrating to the cloud, ATN company must always keep a backup of its data. Generally speaking,
it is good practice to create electronic copies of all of ATN company’s data so that ATN will still be
able to access it even when the original is lost or corrupted. There are many cloud storage services
available on the market today, which means ATN company can set up some cloud accounts for backup
purposes.

If ATN company has data in the cloud, it should also manually back up that data to an external
physical storage device, such as a hard disk or a thumb drive. This also allows ATN company to access
the information when it has a poor Internet connection or none at all.

Allway Sync synchronizes ATN company’s files and directories among PC, external drives, remote FTP
servers, and more with an innovative synchronization algorithm. It comes with an easy-to-use graphical
interface and can generate a report for any synchronization actions.

Picture 73. Backing up data locally with Allway Sync

3.3. Setting ATN company Data Retention Policy
Data retention policies are formulated to not just store but also to organize the information so that it can be
easily searched for and accessed at any point in the future. The other side of this objective is to get rid
of data that has outlived its usefulness. Hence, it becomes important for businesses to understand the
policies to avoid getting caught unaware and dealing with the complexities of losing sensitive and
important data.

A data retention policy, which should be clearly documented and centrally owned, is generally
designed in response to a combination of operational needs and regulatory requirements.

Core components of a well-designed data retention policy include:

 An overview of the different types of information the business handles: customer data, financial
reports, legal agreements, billing information, email, strategy documents, meeting notes, marketing
collateral, and so on.
 Rules for how long different types of data should be retained and guidance on how the information
should be stored. What’s the policy on encryption, not only for data in flight and data at rest but
also for data in use?
 A permissions-based framework specifying who is authorized to access retained data. What is the
protocol for setting access privileges, and how is ATN company enforcing it? What about managing
vendor and contractor access to data?
 An accurate and accessible description of the regulatory landscape and an explanation of how the
data retention policy ensures compliance.
 A clear protocol for the standards around the digital sanitization of data, as well as the
physical destruction of paper and (where necessary) electronic equipment.

While data loss on the Cloud happens due to a variety of reasons (like hacking, intentional deletion, a
software malfunction, etc.), deletion due to human error tops the chart. Most businesses wrongly assume
that data on the Cloud has a permanent life and even if it gets wiped off from an application,
intentionally or otherwise, it can somehow be retrieved.

Cloud applications delete the data permanently after retaining it for a specific time.

3.4. Read the Small Print of the Cloud Service Provider
Besides storing ATN’s data, some cloud services allow ATN company to share photos and files with
others. This sounds appealing, but sometimes these services come with a catch. There might be some
fine print that they don’t advertise but will stuff in their Terms of Service to make it legitimate.

For example: back in 2011, Twitpic wrote in their TOS that sharing pictures on their service gives them the
right to ‘use or distribute’ the pictures. They later apologized but further clarified that they can distribute
the pictures on Twitpic and affiliated partners, although the final copyright still belongs to the owner
of the photographs.

While not exactly a dedicated cloud storage service, Twitpic puts forward a good case for why ATN
company should be cognizant of what to expect from the cloud provider, especially concerning their
security and privacy policies.

In the case of ATN company, Heroku's acceptable use policy (https://www.heroku.com/policy/aup) is acceptable.

Picture 74. Heroku's promises to customers

3.5. Avoid storing sensitive information in the cloud
Avoid storing sensitive information on the cloud. In addition to the obvious, such as social security
numbers, copies of IDs, or important financial statements (even old ones), consider what other
information someone could get their hands on. Never keep racy pictures or intimate interactions with
partners in the cloud, and if ATN company is sensitive about items such as diet progress pictures,
avoid posting those as well.

ATN company needs to keep only those files which the company needs to access frequently, and avoid
putting up documents containing passwords for various online accounts or personally identifiable
information (PII) such as credit card numbers, national identification numbers, home addresses, etc.

If ATN company must include this information in files, make sure to encrypt them before uploading
them.

For example, in ATN company the user account passwords are encrypted before being uploaded to
the cloud.

Picture 75. Passwords are encrypted before being uploaded to the cloud

3.6. Use Cloud Services That Encrypt ATN company Data
One of the easiest ways to safeguard privacy when using cloud storage services is to look for one that
offers local encryption for data. This provides an additional layer of security since decryption will be
required before the ATN company can be granted access to the data.

While keeping data encrypted in the cloud may be good enough, it would be even better if the cloud
service also ensures encryption during the uploading and downloading phases. This can be done using
military-grade Advanced Encryption Standard (AES) (256 bits), which services like DrivePop
adopt.

IDrive transfers and stores data using 256-bit AES encryption, which keeps the data highly secure. The IDrive
client is available for Windows, Mac OS, Android, and iOS. It makes it easy to store and back up files and
folders.

Picture 76. Backup service IDrive

ATN company can back up files from multiple devices in one account and manage multiple accounts
through its client. They offer 5GB free storage.

3.7. Protect ATN company’s system with Anti-Virus & Anti-Spy
ATN company may be using a secure cloud service provider which the company trusts, but sometimes the weakest
link happens to be the computer system that ATN company is logging in from. Without proper protection for that
system, ATN company will be exposed to bugs and viruses that give hackers a foothold for accessing its
accounts.

Take for instance a keylogger Trojan, which records every keystroke. By embedding this malicious software in
seemingly legitimate files, hackers can get hold of the user ID and password if ATN’s system isn’t protected
well enough to detect it and the login isn’t secured and encrypted.

3.8. Encrypt the Data Before Putting it on The Cloud

If ATN company chooses not to use a cloud service that encrypts the data for it, ATN can use a
third-party tool to perform the encryption. All ATN has to do is download a cloud-protection app
which allows ATN company to apply passwords and generate secret key sequences for files before
the company uploads them to the cloud.

Figure 9. Cloud app security

Even if ATN company is already opting for an encrypted cloud service, it wouldn’t hurt to go through a
preliminary round of encryption for files to get a little extra assurance.

3.9. Use a Strong Password / Use Two-Factor Authentication
While practices such as the principle of least privileges can protect data, ATN company should also
take the further step of enforcing two-factor authentication to reduce the risk of unauthorized access to
mission-critical data stored in the cloud. Two-factor authentication requires the use of two separate methods
of identification to gain access to restricted cloud storage or applications.

ATN company will require passwords with:

 Minimum password length: 8
 At least 1 special character: !@#$%^&*()_=+
 At least 1 number: [0-9]
 At least 1 uppercase character

As the first line of defense against malicious hackers out there, ATN company had better be sure that the
password can stand a hacking or cracking attempt. There are tons of tips on the Internet on what
makes for a good password. Aside from going for a strong and unique password, make sure to change it
frequently and not repeat it across all other online accounts ATN has.

Alternatively, ATN company may go for the much more secure two-step verification for login if the cloud
service offers the option.

In the case of Google Drive, users have to log in to their Google account first to use the cloud storage
service. Two-step verification can be turned on for Google accounts: a verification code sent to the
mobile phone gives the much-needed added security on top of just a password before cloud data can
be accessed.

Figure 10. Use Two-Factor Authentication

CONCLUSION
Considering the numerous benefits that cloud computing offers to organizations, a fair case can be
made that cloud computing is increasingly becoming the new normal. Cloud computing is helping
society to cope with future problems such as managing big data, cyber-security, and quality control.
In addition to this, emerging technologies such as Artificial Intelligence, distributed ledger technology,
and many other capabilities are becoming available as services through cloud computing.
Consequently, these technologies become adaptable to various platforms such as mobile devices, hence
increasing their use. Innovations based on cloud computing such as cloud automation and the Industry
cloud are also being developed to integrate cloud computing into more specific industrial activities
which will make various operations even more streamlined. The final verdict for cloud computing is that
it’s a transformational technology that has helped organizations in different jurisdictions to deliver their
products and services in a better way than before.

References
algoworks. (n.d.). Retrieved from algoworks: https://www.algoworks.com/blog/why-use-expressjs-over-nodejs-for-server-side-coding/

cloudacademy. (n.d.). Retrieved from cloudacademy: https://cloudacademy.com/blog/disadvantages-of-cloud-computing/

comparitech. (n.d.). Retrieved from comparitech: https://www.comparitech.com/net-admin/dos-vs-ddos-attacks-differences-prevention/

ebuyer. (n.d.). Retrieved from ebuyer: https://www.ebuyer.com/blog/2015/11/where-is-my-cloud-data-stored/

educba. (n.d.). Retrieved from educba: https://www.educba.com/cloud-computing-issues-challenges/

greycampus. (n.d.). Retrieved from greycampus: https://www.greycampus.com/blog/information-security/what-is-a-sniffing-attack-and-how-can-you-defend-it

horizontechnology. (n.d.). Retrieved from horizontechnology: https://www.horizontechnology.com/news/seven-tips-for-protecting-your-data-during-a-cloud-migration/

twitter. (n.d.). Retrieved from twitter: https://twitter.com/hashtag/cyberwarning?lang=cs

wikipedia. (n.d.). Retrieved from wikipedia: https://en.wikipedia.org/wiki/Web_performance
