Background: Aztek Finance in Financial Industry and Privacy Acts
In the present scenario, Information Technology (IT) has entered the daily lives of people and has immense applications in business operations. IT infrastructure helps an organization increase its efficiency and productivity. Today, most business organizations have embraced technology to ease their business processes, and they cannot operate without it because all their operations depend on it. However, with the advent of technology, several risks have also arisen in business operations. Most of the risk is associated with the confidentiality and privacy of data stored on online mediums. The volume of information and data used in a business organization has become vast, so digital mediums are commonly used to store it. However, information stored in these digital mediums can be accessed easily from any part of the world. Therefore, it is important that business organizations adopt security protocols to prevent unauthorized access and secure the private information of the organization (Almorsy, Grundy & Müller, 2016). Aztek Finance is a company in the financial sector; therefore, it is important that it implements security measures to prevent data breaches. The present report will conduct an IT risk assessment with respect to the implementation of cloud services in the company. In order to increase its efficiency and productivity, the organization is considering a number of changes to its IT infrastructure, such as BYOD (Bring Your Own Device), cloud computing and other similar services. Among these changes, cloud computing has been selected as the preferred choice as it will bring down the cost to the organization radically.
The present report will conduct a risk assessment related to the deployment of cloud services, provide recommendations on how to address the risks, and review the current standing of the organization with respect to the security of cloud services.
Aztek is a financial corporation which deals with the financial information of its customers. Being a business organization in the financial industry, the company has to deal with sensitive and confidential customer information. The government has also developed strict policies for companies working in the financial industry. The Privacy Act 1988 controls the collection, use and disclosure of personal data. The Act is applicable to all companies and industries, in both the private and the public sectors. It regulates the personal information of users and its misuse. Personal information refers to information which can reveal the identity of an individual regardless of the point. The Act is applicable regardless of whether the information is true or the individual is named; if the information is specific and enables the identification of a person, it is considered as a breach of the individual’s privacy. All financial and banking organizations are regulated by the Australian Privacy Principles (APPs). Personal information encompasses information or an opinion which can identify an individual or allow people to work out their identity. This information may include an individual’s name, address, financial information, marital status and billing status.
Cloud Computing: Deployment and Security Concerns
Aztek collects personal information which may encompass the name, contact details, occupational details, affiliations to the organization, payment details and enquiry details. Various other laws and Acts are also applicable, including the Anti-Money Laundering and Counter-Terrorism Act 2006, which requires the identification of clients. For this identification, personal information is collected through different methods such as client questionnaires, interaction with the banking organization, public resources, third parties and information service providers. However, while dealing with an enormous amount of personal data and information, organizations need to protect their data warehouse so that no breach of personal information occurs.
In order to foster growth and increase profitability, the organization is focusing on deploying additional IT projects. A large number of projects are under consideration; however, in the present case, cloud computing is selected for deployment. Cloud computing is an innovative technology which encourages organizations to share resources so that they can operate in a cost-effective manner. It reduces cost because the organization has to invest less in infrastructural resources and can rent data storage and retrieval services from the cloud service provider. However, there are increased security concerns with the use of cloud services. Customers give control over the handling of their information to the service provider. Moreover, as the resources are shared, a third party can gain access to crucial information. The present report will discuss the security issues with cloud computing and propose solutions through which these security issues can be addressed (Grobauer, Walloschek & Stocker, 2011).
The financial industry faces several threats related to data integrity and security, such as data breaches, identity theft and associated fraud. Data breach is a concern for all types of industries; however, the financial industry is the most common victim due to the inherent value of the data collected and stored in financial resources. Due to the inherent nature of the business, a significant amount of confidential customer and client data is stored from the daily transactions of the business.
Due to these issues, the financial industry is required to have more stringent data security standards in comparison to other countries. Financial companies regularly deal with highly sensitive and confidential financial data of their customers, including bank account numbers, debit or credit card information and other confidential data. The loss of this information can seriously dent the reputation and integrity of the organization. Failure to protect the confidential and private data of customers can result in termination of operations or a heavy penalty from the companies. The success or failure of a financial firm depends upon how it uses consumer data while maintaining the privacy of the organization. Financial organizations have to share consumer data to exploit current growth opportunities; however, they should also comply with the regulations regarding consumer privacy so that no malicious use of consumer information can occur (Iqbal, 2012).
Data Security Standards and Consumer Protection
Currently, a large number of consumer privacy regulations in Australia and other countries protect consumers from any misuse of their information. These laws set norms for how information is stored, processed and used by companies. Data privacy laws are present in almost all countries and encompass various aspects of consumer protection such as data security, access, data integrity, consent, disclosure and notice (Buyya, Yeo, Venugopal, Broberg, & Brandic, 2009).
Changing technology has an important role in the changing privacy environment. The basic essence of privacy laws is to protect the personal information of consumers; however, the stringent nature of these laws can create a business challenge for the organization. Organizations need to decide on and make regulations regarding data protection. The cost of a data breach in the financial industry is very high.
Aztek Solution is a financial service organization. Because it handles crucial financial information of its customers, it has implemented several security protocols. Aztek Solution has an IT security infrastructure which controls network anomalies and malicious behavior. The organization has implemented a firewall and security detection methods to detect abnormal behavior in its network. It has also implemented a user activity control mechanism, which controls the activities and the access of users in the network. There are several stages of information access, and users can access only the information which is essential for their operations. In addition, the organization monitors user activity. If a user’s activity is found suspicious, that user’s access to the system is prevented.
However, the security requirements for the system will change with the implementation of the cloud computing solution. Cloud computing is being implemented to reduce the potential cost to the business and increase efficiency in the use of resources. However, failure to implement appropriate security protection while using cloud services can result in high costs and loss of business, which can reduce the benefits of cloud computing. A large number of security risks are associated with cloud computing; they are discussed below:
Loss of Governance: In a public cloud deployment, customers hand control over information access and protection to the cloud service provider. The cloud service provider may not offer a commitment to resolve these issues, which may leave gaps in the security defense of the organization (Saini, Saini, Yousif & Khandage, 2011).
Security Protocols Implemented by Aztek Solutions
Responsibility Ambiguity: The security responsibility for different aspects of cloud computing may be split between the provider and the customer; therefore, some aspects of cloud computing security may remain unguarded.
Authentication and Authorization: The information stored in cloud services can be accessed from anywhere on the internet. Therefore, it is important to establish the identity of the user for heightened security. In cloud computing, strong authentication and authorization have become a critical concern (Hashizume, Rosado, Fernández-Medina & Fernandez, 2013).
Isolation Failure: The primary characteristics of cloud computing are multi-tenancy and shared resources, which increase the risk to the privacy and confidentiality of the data. The risk category includes the usage of storage, memory, routing and the reputation between tenants.
Compliance and Legal Risks: In cloud computing, the customer and the service provider are in different places. Therefore, several compliance and legal risks are associated with cloud services. Customers must verify compliance by checking that the service provider holds the appropriate certificates.
Handling of Security Risk: The cloud service provider should be able to handle security breaches in the service. However, a breach in the provider’s security may impact the security of the customer. Therefore, it is important that the service provider commits to informing customers of any potential security breaches. Customers should not remain unaware or uninformed in any unacceptable manner.
Interface Vulnerability: The interfaces used to manage a public cloud service can be accessed through the internet. They allow access to a large set of resources; however, the perceived risk is higher due to the remote access vulnerability.
The current security mechanism of the organization is not sufficient for the organization to implement cloud computing. The organization should explore all the issues which can potentially harm the confidentiality, integrity and availability of the data. It is important that a security architecture is set up to protect the resources of the organization such as employees, infrastructure and IT systems.
Cloud computing has several benefits, including cost reduction, a move from capital infrastructure to operational expenditure, and agility in operations. The risk profile of cloud computing is complex as the existing technology is maturing and new services are emerging. Cloud service providers offer different services related to monitoring, transformation, portability, provisioning and the integration of IT services. The risk associated with cloud computing can be analyzed with the help of an IT risk assessment framework. The organization should also design a framework which can detect the risks in cloud computing platforms:
Security Risks Associated with Cloud Computing Deployment
| Risk Type | Characteristic | Cloud Risk |
| --- | --- | --- |
| Functionality | Suitability, accurateness, interoperability, compliance and security | The developed solution does not meet the business requirements; the regulatory compliance is also important for the organization; the security needs to be enforced by an external application (ENISA, 2009) |
| Reliability | Maturity, fault tolerance and ability to recover from disaster | Lack of quality, resilience, business continuity and lack of quality in system and service |
| Usability | The ability of the user to operate the technology; the learning capability of the employees; the technical and the user efforts required for the new skill | The service is not as expected; the staff members have inadequate skills to perform the roles and responsibilities; there are inadequate people to support the IT system |
| Efficiency | Efficiency in time (response and processing time); resource behavior (multitenant impact) | The system supports the programming; however, it is capable of performing complex business reporting functions |
| Maintainability | Transparency in technicality, stability and robustness of the system; testability (the availability of a test environment for the system) | |
| Portability | Adaptation according to different business processes, installation and ability to replace | |
Security-related risk can be assessed through a similar process. The security risks in cloud computing are analyzed and discussed in the section below:
In the cloud computing environment, the management of IT security is a major issue and can result in loss of governance. The organization should maintain appropriate safeguards to maintain the security of the system. When the client avails of a cloud computing service, he lets go of the power to store, adapt and manipulate the data. Therefore, the cloud service provider can use this data with malicious intent or pass it on to someone else. In this regard, it is important that the service provider follows the safety standards and abides by the regulations designed for the cloud environment (Foster, Zhao, Raicu & Lu, 2008, November).
Data: In recent times, cloud-based applications have been commonly used by organizations to store data. However, the accessibility of the data has increased with cloud-based applications. Cloud services encourage sharing of resources. As a result, other users can accidentally or intentionally use the resources of another organization. This information can be used for malicious purposes by the business organizations. The cloud service provider is also unable to share access information as it may increase the security vulnerability of the organization (Stewart, 2015).
Access: Cloud-based solutions should increase the accessibility of data and information. In cloud services, users gain access to the organization’s information from different devices; however, in order to maintain the integrity and confidentiality of the data, it is important that the identity of the user is assured before access is provided. Illegal access can compromise the confidentiality of the data if the user is not genuine.
Availability: Keeping the services available at all times is another issue for the cloud service provider. The bandwidth of the services is fixed, and the service provider manages it by allocating it to different users according to their requirements. However, if the frequency of users who try to reach the service varies with time, the service provider faces the challenge of whether he will be able to provide the service or not.
Compliance: Compliance with government regulations and laws is important in the financial industry. In order to protect the privacy and confidentiality of user data, the government has created various policies and laws. These regulations concern security audits, operational traceability and data access. The service user should also be aware of the different security regulations and examine whether the cloud service provider is following them.
Recommendations for Addressing Security Risks
Cloud computing brings new threats to data security. Therefore, the cloud service provider should ensure that the cloud system is in compliance with governance and security policies. Aztek Solutions should conduct permanent monitoring of user access, which may include a video monitoring system, movement sensors, an alarm system and trained security personnel. Other systems and infrastructural facilities which are essential for the operation of the cloud service, such as internet or electricity, should be designed to be redundant.
Other than that, the organization should also design a fire protection system so that a data center fire can be prevented. This system should be regularly tested by the IT managers. The data center should have adequate security protection so that it is protected against external elements such as storms and floods and against unauthorized access. The service provider should also provide a high level of service availability if the customer requires a particularly high level of service. It should also provide backup or redundant data centers which can be used if the primary data centers are unavailable. If the service provider is using SaaS services, then he does not handle the cloud infrastructure. In this case, it should be assured that the subcontractor meets all the service requirements (Armbrust, Fox, Griffith, Joseph, Katz, Konwinski & Zaharia, 2009).
Server security is also essential to attain a secure cloud environment. The server represents the environment wherein the processes and their computation are performed. The operating system and the server should be designed so that there is minimal possibility of attack. Therefore, it is important to install only necessary software packages, and any superfluous services should be disabled or uninstalled. Other than that, standard measures such as host firewalls and intrusion detection systems can be used to monitor the IT infrastructure. These systems analyze security events such as policy violations by users, failed login attempts and malware detections. The security of the cloud system can be enhanced by using a broadband connection, standardized and commonly used transmission protocols, service-oriented architecture and virtualization.
Hypervisors, which control access to the shared resources, are commonly used for server virtualization. The virtual machines must be made secure if the cloud service provider provides guidelines to the customers for hardening the virtual machines.
Network security is also essential in developing an integral and secure cloud computing system. The cloud service provider should take effective security measures so that the cloud computing platforms are not misused by malware and their processing power is not used to control command and control servers (Asma, Chaurasia & Mokhtar, 2012).
The organization should also use suitable cryptographic methods to store, process and transport sensitive information and data. In the cloud computing environment, the management of cryptographic keys is essential; however, there are no appropriate keys which can be used for the management of the sensitive data or information. Customers should also have the option to encrypt the data before storage. If the service provider is encrypting the data, security measures should be implemented at each phase so that the way keys are generated, shared and destroyed enhances the confidentiality, integrity and authenticity of the data. Several management practices can be implemented to enhance the encryption of the available data. The encryption keys should be generated in a secure environment with the help of suitable key generators. The keys should never be held in the system in open form; they should always be encrypted. This will assure that the system does not lose a key. The storage should also be redundant so that no key is lost in the process.
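The key-handling practices described above (data encrypted on the customer side before it reaches the provider, keys taken from a suitable generator, keys never kept in open form, redundant key storage) can be combined as envelope encryption. The following Go sketch is an added example, not part of the original report; the type and function names are assumptions, and the master key is created in-process only for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what goes to the cloud provider; no key in it is in open form.
type Record struct {
	Ciphertext  []byte   // data encrypted under a per-record data key
	WrappedKeys [][]byte // redundant copies of the data key, encrypted under the master key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prepends the random nonce to the result.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails if the value or aad was altered or lost.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated value")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptForUpload encrypts data under a fresh CSPRNG data key kept only wrapped.
func EncryptForUpload(masterKey, data []byte, id string) (*Record, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, data, []byte(id)) // id is bound as associated data
	if err != nil {
		return nil, err
	}
	w, err := seal(masterKey, dataKey, []byte(id))
	if err != nil {
		return nil, err
	}
	return &Record{ct, [][]byte{w, append([]byte(nil), w...)}}, nil
}

// DecryptAfterDownload uses the first wrapped key copy that still unwraps,
// skipping copies that were lost or corrupted.
func DecryptAfterDownload(masterKey []byte, rec *Record, id string) ([]byte, error) {
	for _, w := range rec.WrappedKeys {
		if dataKey, err := unseal(masterKey, w, []byte(id)); err == nil {
			return unseal(dataKey, rec.Ciphertext, []byte(id))
		}
	}
	return nil, errors.New("no usable wrapped key copy")
}

func main() {
	masterKey := make([]byte, 32) // demo only; a real master key stays in an HSM or KMS
	rand.Read(masterKey)
	rec, _ := EncryptForUpload(masterKey, []byte("constructed sample"), "record-1")
	rec.WrappedKeys[0] = nil // simulate a lost key copy
	pt, err := DecryptAfterDownload(masterKey, rec, "record-1")
	fmt.Printf("%s %v\n", pt, err)
}
```

In a deployment the two wrapped copies would be written to separate key stores; they sit in one struct here only to keep the example self-contained.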
Conclusion
It can be concluded that Aztek Solutions is a financial service provider which provides several financial services to its customers. The organization is deploying several IT projects to ease its business processes and increase productivity and efficiency. In this regard, the cloud computing project has been selected for deployment in the organization. The present report has conducted a risk assessment in which several risks encountered in the deployment of cloud services have been discussed. It has examined different risks, such as data security, operational and legislative threats, which will arise with the deployment of cloud services in the organization. The organization can use several methods such as encryption, firewalls and other techniques to address the situation. Other than that, Aztek can also monitor user activity and user access to enhance the security of the organization.
References
Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R. H., Konwinski, A., … & Zaharia, M. (2009). Above the clouds: A berkeley view of cloud computing (Vol. 17). Technical Report UCB/EECS-2009-28, EECS Department, University of California, Berkeley.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., … & Zaharia, M. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50-58.
Asma, A., Chaurasia, M. A., & Mokhtar, H. (2012). Cloud Computing Security Issues. International Journal of Application or Innovation in Engineering & Management, 1(2), 141-147.
Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation computer systems, 25(6), 599-616.
Campbell, J., McDonald, C., & Sethibe, T. (2010). Public and private sector IT governance: Identifying contextual differences. Australasian Journal of Information Systems, 16(2).
Carden, M. (2012, August). Digital Archiving at the National Archives of Australia: Putting Principles into Practice. In International Council on Archives Congress, Brisbane, Australia, August (pp. 20-24).
Carlin, S., & Curran, K. (2011). Cloud computing security.
Chen, Y., Paxson, V., & Katz, R. H. (2010). What’s new about cloud computing security. University of California, Berkeley Report No. UCB/EECS-2010-5 January, 20(2010), 2010-5.
Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), 79.
Dahbur, K., Mohammad, B., & Tarakji, A. B. (2011, April). A survey of risks, threats and vulnerabilities in cloud computing. In Proceedings of the 2011 International conference on intelligent semantic Web-services and applications (p. 12). ACM.
ENISA. (2009). Cloud Computing: Benefits, risks and recommendations for information security.
Foster, I., Zhao, Y., Raicu, I., & Lu, S. (2008, November). Cloud computing and grid computing 360-degree compared. In Grid Computing Environments Workshop, 2008. GCE’08 (pp. 1-10).
Grobauer, B., Walloschek, T., & Stocker, E. (2011). Understanding cloud computing vulnerabilities. IEEE Security & Privacy, 9(2), 50-57.
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1), 5.
Iqbal, S. (2012). Australian Government Launches Discussion Paper on Privacy Breach Notification. Retrieved 27 September 2017 from https://www.insideprivacy.com/data-security/australian-government-launches-discussion-paper-on-privacy-breach-notification/
Leavitt, N. (2013). Today’s mobile security requires a new approach. Computer, 46(11), 16-19.
Saini, S. L., Saini, D. K., Yousif, J. H., & Khandage, S. V. (2011). Cloud computing and enterprise resource planning systems. In Proceedings of the world Congress on Engineering (Vol. 1, pp. 6-8).
Stewart, D. (2015). Assessing Access to Information in Australia: The Impact of Freedom of Information Laws on the Scrutiny and Operation of the Commonwealth Government.