Review of Project with Financial Sector
At present, IT security risk is one of the major risks faced by business organizations. Information technology now pervades every aspect of an organization’s operations; therefore, IT risk assessment is important for assuring smooth operations. Several incidents of data breach and hacking have shifted the attention of IT managers towards security assessment and measures. Aztek is a financial company which operates in the Australian financial industry. In order to enhance its performance, the company has planned to implement several technology projects. These projects will be approved by the respective strategists and funded for deployment. The present report focuses on the relocation of the business-critical applications and data sources to an external cloud solution (Mell & Grance, 2011). The cloud is an information technology paradigm which enables ubiquitous access to shared configurable resources. The pool of resources can be shared over the internet with minimal effort. It allows users and enterprises to share computing capabilities and to store and process data on a shared cloud. The principle is to share resources to achieve economies of scale and reduce the overall expenditure of the organization. However, this technology has increased the security concerns of business organizations (Ostermann, Iosup, Yigitbasi, Prodan, Fahringer & Epema, 2009). As the cloud is a shared resource, a third party may access the crucial and confidential information of a business organization. In addition, a competing organization may use this information to harm the organization’s brand image. Clouds are maintained by a third-party vendor; therefore, maintaining the security of the information is quite challenging for the organization.
In this context, the present report will discuss the security risks associated with the deployment of a cloud system in an organization. The report will discuss the security risks associated with the financial sector and the current security posture of Aztek, and a risk assessment will be conducted of the threats to and vulnerabilities of the system. The report will also shed light on various recommendations which can be used to address the situation.
The security demands in the financial industry are very high. In the financial industry, people invest their hard-earned money and share their personal financial information with these organizations. Therefore, it is important that financial organizations implement a high level of security protocol. Aztek should also ensure that it implements IT infrastructure and security policies so that the sensitive information of the organization is protected.
Currently, cloud computing is commonly used in various industrial sectors, but its adoption in the financial sector and in banking organizations is low. Cloud computing offers a variety of benefits such as flexibility, low cost and enhanced organizational efficiency; however, banks and other financial institutions are still reluctant to adopt cloud technology because they are concerned about sharing data on other platforms. For financial institutions, it is very important to keep data secure. Banking information is very sensitive and valuable, and handing over such information to a third party can be extremely risky for the users as well as for banking organizations (Armbrust, Fox, Griffith, Joseph, Katz, Konwinski … & Zaharia, 2010). Moreover, companies operating in the financial sector have to abide by very strict and stringent laws. Data protection laws often control the technology and infrastructure options available to these companies. All the IT managers agree that risk can be controlled in a much better manner in in-house operations than in the cloud. Although financial institutions have a large number of security concerns, the major issues are data confidentiality, data breach, compliance and legal issues. Other important risks are loss of governance, lack of transparency and lack of auditing features.
Review of the Project on the Current Security Posture of Aztek
When a company utilizes cloud computing solutions, it loses control over its data, which is a big cause of concern for finance companies. The cloud is an online platform wherein different business organizations share resources. It increases the cost-effectiveness of the business organization, which can avoid buying expensive resources for the operations of the company. Organizations contract a private vendor which leases the cloud services for the period of time and capacity required. The cost of cloud rental is determined by the usage of services (Li, Dai, Tian & Yang, 2009). However, as several organizations are sharing the same resources, it becomes easier for them to access each other’s sensitive information. In addition, the third-party vendor also has instant access to the data and the information of the business organization. This information can be used for the wrong purposes.
Aztek is a financial business organization which has implemented various information security policies to maintain organizational security. It is important to implement novel security methodologies to reduce the risks in new technologies and software. Security measures and countermeasures are implemented to protect organizations from security attacks and to protect information that is stored, transmitted and analyzed using online platforms. Organizations must be able to evaluate or examine their security level. The security measures of an organization can be grouped into three major groups, namely, physical, personal and network security measures. At each level, the security measures focus on confidentiality, integrity and availability of data (Qian, Luo, Du & Guo, 2009). The internet is a big cause of concern for business organizations as it increases security threats. Criminals can access valuable organizational information through operating system weaknesses, default configuration of the operating system, encryption issues and poorly written web applications. Companies use various measures such as password protection, designing safe systems, conducting screening and background checks and providing basic training to employees (Buyya, Yeo, Venugopal, Broberg & Brandic, 2009). Aztek Solutions has also implemented various security measures to increase the security standards of the organization. Users have to hand in their digital storage devices before entering the organization. This security measure is implemented so that employees cannot take away the sensitive information of the organization.
In addition, installing reliable antivirus software, protecting systems with a firewall and installing encryption software are also beneficial techniques for maintaining the security of a business organization. It can be argued that a large number of security attacks occur due to weak password protocols. The company has ensured that access to the various equipment and the wireless network is guarded by unique user names and passwords. Strong passwords contain numbers, letters and symbols and are not easy to guess. In order to design a secure system, a business organization should minimize unnecessary access to hardware and software and restrict each individual user’s access to only the required equipment and devices. The organization can also limit damage to the network by using unique sets of email addresses, logins, and domain name and server passwords (Armbrust, Fox, Griffith, Joseph, Katz, Konwinski, … & Zaharia, 2009). It is also important to conduct screening tests and background checks for the employees of the organization.
As discussed above, the financial organization has implemented several security measures for maintaining the security of its IT infrastructure. However, the security challenges will change with the deployment of cloud services. In this situation, user access and user verification will be of utmost importance. The organization should implement different procedures to control the access of different users. Access to confidential data should be controlled for the organization’s security (Foster, Zhao, Raicu & Lu, 2008, November). Business organizations should provide access only to the applications and data which are essentially required.
Currently, the organization has applied a significant number of security measures. These include the use of a firewall, encryption methods and control of user access. However, with the frequency of user activity, the organization needs more security protocols. Aztek Solutions should monitor user activity, communicate the purpose and the user protocol clearly to the employees and carry out essential background checks on the employees. These initiatives can reduce the extent of data breaches in the organization. Business organizations can control the IT risk they face; however, they are unable to control the malicious intent of employees (Carlin & Curran, 2011). Therefore, it is important to conduct proper security checks on the customers. The company should check user activity and, if it finds anything suspicious, it should be cautious about that employee. Moreover, it is also important that the organization conducts a background check before recruiting an employee (Zhang, Cheng and Boutaba, 2010). The organization should examine past records with previous employers and past criminal records. This will assist the organization in assessing the behavior of employees and judging whether they will be able to adjust to the new organization.
Several novel and unique risks are associated with the use of cloud computing as it is a novel technology. The risks faced by the organizations implementing cloud computing can be differentiated in three different categories, namely, policy and organizational risk, technical risk and legal risk.
Lock-in
There has been little advancement in portability measures in cloud computing; therefore, it becomes extremely challenging for the organization to shift the data from one provider to another provider in an in-house IT environment (Mishra, Mathur, Jain, & Rathore, 2013).
Loss of Governance
When it avails itself of cloud services, the organization hands control of its information to the service provider. The service provider may prohibit port scans and vulnerability assessments, which can result in conflicts between the user and the cloud environment (Zissis & Lekkas, 2012). The service provider may not commit to using these security protocols, which can increase the organization’s vulnerability to threats.
Compliance Challenges
The user and the service provider may operate in different countries, which can increase the challenges related to compliance (Krutz & Vines, 2010).
Cloud Service Termination or Failure
If the cloud service provider fails, it can increase the vulnerability of the user (Mell & Grance, 2011).
Loss of business reputation
Although resource sharing reduces the overall cost to the organization, malicious activities carried out by one tenant might affect the reputation of the other tenants (Chen, Paxson & Katz, 2010). This can damage the brand image and result in issues in service delivery and data loss.
There are also a large number of technical risks involved in the deployment of cloud services in the organization.
Resource exhaustion: Cloud services are on-demand and shared services. Therefore, there is a risk regarding the allocation of resources to one user or another. Resources are allocated according to the statistical projections of the cloud service provider. Inaccurate allocation of resources occurs due to distortion of the allocation algorithm, improper provision of resources or lack of infrastructure (Popović & Hocenski, 2010, May).
Isolation failure: The primary characteristics of cloud computing are shared resources and separation between different users. The computing capacity, storage and network are shared between different users (Ogigau-Neamtiu, 2012). However, if the service provider fails to implement mechanisms separating computing capacity, storage and network, it fails to provide adequate service to the users.
The cloud environment has several peculiar security issues. The security issues arising in the technology can be classified into six broad categories: infrastructure, data, access, availability, compliance and role of users. The infrastructure issues refer to the security provided to the physical devices of the organization. Cloud computing is more physically vulnerable than traditional in-house security techniques. For the infrastructure, the physical surveillance of the cloud data centers is considered (Zissis & Lekkas, 2012). It is important that there are enough security guards and cameras inside the organization so that the risk associated with external intrusion or attack can be reduced. Well-equipped infrastructure can reduce the risk associated with cloud providers.
Data: In recent times, the use of cloud-based applications has increased. Users are using applications for storing data in the cloud environment. Cloud services are also used by governments and large business organizations to store confidential information. As a result, the surface area for the information has increased. Therefore, the vulnerability of the data has also increased. Unauthorized data access is the most common type of attack that occurs in cloud-based applications. It weakens the trust of the customers, and the users feel insecure with data-based applications (Asma, Chaurasia & Mokhtar, 2012). It is important to assure users that the machines, software and user applications they use are sufficient to establish data security. However, cloud service providers are unable to share this information as it would increase their vulnerability to more attacks.
Access: Cloud-based solutions increase the accessibility of data and information. Customers can gain access to the digitized information from different devices; however, with this, unauthorized access to the applications also increases. Illegal access compromises the privacy of the data, as the applications are not able to assess whether the user is genuine (Jensen, Schwenk, Gruschka & Iacono, 2009, September). In this regard, the application provider should provide a default device to each user, and if the user accesses the application from another device, the organization should follow a proper verification procedure.
Availability: The cloud service provider should also assure availability to all the users who have been enrolled to use the applications. The number of users who try to reach their user account or data simultaneously can increase or decrease at any given time. It is important for the provider that the cloud-based service is able to adapt itself to the number of users. Users must be able to access the application at any given time without any hindrance (So, 2011). Therefore, it is important that the application is able to scale itself. Scaling can be performed automatically by the service provider or manually through knowledge learning.
Compliance: The government as well as the professional bodies have put forth policies and regulations regarding security audits, operation traceability and data location. Business organizations should follow these regulations to ensure data security (Grobauer, Walloschek & Stocker, 2011). Users should also be aware of the regulations which are followed by the cloud service provider.
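The Access recommendation above (a default device per user, with a verification procedure for any other device) can be sketched as follows. This is an added example, not part of the original report: the DeviceGate class, the one-time-code step-up, the five-minute code lifetime and the three-attempt limit are all assumptions, since the report does not specify the verification procedure.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"
CODE_TTL_SECONDS = 300   # assumed lifetime of a verification code
MAX_CODE_ATTEMPTS = 3    # assumed attempt limit before the challenge is dropped


@dataclass
class Challenge:
    code_digest: bytes
    device_tag: bytes
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


@dataclass
class DeviceGate:
    """Binds each user to one default device; any other device needs step-up."""
    server_key: bytes
    default_device: dict = field(default_factory=dict)  # user -> device tag
    pending: dict = field(default_factory=dict)         # user -> Challenge

    def _tag(self, user: str, device_id: str) -> bytes:
        # Store a keyed hash of the device identifier, never the raw value.
        msg = f"{user}\x00{device_id}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def enroll_default(self, user: str, device_id: str) -> None:
        self.default_device[user] = self._tag(user, device_id)

    def evaluate_login(self, user: str, device_id: str) -> str:
        expected = self.default_device.get(user)
        if expected is None:
            return DENY          # no enrolled default device for this user
        if hmac.compare_digest(expected, self._tag(user, device_id)):
            return ALLOW         # request comes from the default device
        return STEP_UP           # other device: verification required

    def start_step_up(self, user: str, device_id: str, now: float) -> str:
        """Create a one-time code; the caller delivers it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = Challenge(
            code_digest=hashlib.sha256(code.encode()).digest(),
            device_tag=self._tag(user, device_id),
            expires_at=now + CODE_TTL_SECONDS,
        )
        return code

    def finish_step_up(self, user: str, device_id: str, code: str, now: float) -> str:
        ch = self.pending.get(user)
        if ch is None or now > ch.expires_at:
            self.pending.pop(user, None)   # missing or expired challenge
            return DENY
        given = hashlib.sha256(code.encode()).digest()
        same_code = hmac.compare_digest(ch.code_digest, given)
        same_device = hmac.compare_digest(ch.device_tag, self._tag(user, device_id))
        if same_code and same_device:
            del self.pending[user]         # codes are single use
            return ALLOW
        ch.attempts_left -= 1
        if ch.attempts_left <= 0:
            del self.pending[user]         # too many wrong guesses
        return DENY
```

A successful step-up admits the session only; it does not replace the enrolled default device, so the next login from that device is challenged again.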
Proposed Security Framework
Cloud computing is considered a computing model which enables convenient, on-demand network access to different resources. However, the security deployment should be different from that of the traditional IT environment. The traditional in-house authorization and authentication framework cannot be applied to cloud-based applications. The biggest security issue in the cloud environment is that of unauthorized access. Users store their data hoping that the information will be protected from illegal access; however, the confidentiality of the data is undermined in a cloud-based system. The security vulnerabilities of the organization can be addressed with the help of a framework (Chou, 2013). A security framework can be proposed which includes technical, legal and policy considerations. In this framework, a catalogue is used to calculate the vulnerability of the cloud-based environment to threats and attacks. With the help of the threat index, the organization can analyze the performance of the cloud provider and communicate it to the user. The organization can analyze the performance of the cloud provider by collecting data in the absence and presence of legal control, policy trends, and criminal attacks. The analysis will help the organization in increasing or decreasing the control from the legal, technical and policy perspectives (Dahbur, Mohammad, & Tarakji, 2011, April). The analysis will also help in identifying the policies which are flawed, and the organization can improve them to enhance the reliability of the cloud-based solutions.
Figure: Cloud Security Framework
(Source: Srivastava & Kumar, 2015)
Cloud-based applications have not matured, and the security risk will persist until they develop properly. There are several methods which can be used to enhance the security of cloud-based applications. It is important that cloud providers hide some specific security-related information. The security procedures should be kept confidential so that security breaches can be minimized (Hashizume, Rosado, Fernández-Medina, & Fernandez, 2013). However, the loss of transparency can result in customers losing trust in the service providers. A governing body can be formed which can act as an interface between the cloud provider and the application users. The governing entity should be an independent unit and should not be biased towards any other organization in the procedure. It should regulate each and every action taken in the cloud environment. It is important that cloud providers register themselves with these bodies, which can then assess the procedures used in the new technology.
The governing body will be responsible for risk assessment, for evaluating the performance of security policies and for compliance related to the cloud layer. The governing body should not just assess the existing infrastructure but also provide solutions to raise the standard of cloud security (Almorsy, Grundy & Müller, 2016).
The governing body should also regulate the organization’s operations in the cloud environment. When information is transferred to the cloud environment, the security risk to the organization will surge. The traditional data control methods need to be changed as the security and privacy challenges of the organization increase. The cloud service provider should guarantee that there is no data center related threat to the organization. In this regard, the organization should ensure that there is no unauthorized access. The data center is a centralized location wherein all the important information related to customers is stored. The governing body should monitor the security threats and the products available to counter these threats, and procure and implement them.
The organization should also focus on policy development and control to maintain safety in the cloud-based system. The governing entity should develop policies for all the layers of the cloud deployment. It should focus on all the layers, and the security could encompass firewalls, anti-virus, virtualization and the hypervisor for enhancing the security of the organization. The security features of the organization should be adapted according to the budget of the cloud service provider.
User awareness is also essential for enhancing the security of the cloud deployment. The governing body should insist on all the procedures which are required to ensure the security and privacy of the client or the service user. The governing body should filter and provide information to the users in such a manner that no confidential information is leaked through the organization. This will also increase transparency in the organization and increase the trust of consumers in the organization.
Numerous laws and jurisdictions are applicable to cloud computing. Cloud computing is a kind of outsourcing wherein the business organization is located in one country whereas the service provider is located in another country. Therefore, different laws established in different places are applicable to a single service provider. However, it is difficult for the service provider to abide by all the laws. These laws and jurisdictions can decrease the time-efficiency of cloud computing. Therefore, the cloud provider can utilize all the resources to ensure that the cloud services are safe, secure and efficient.
Performance evaluation is the method of evaluating the performance of the cloud against the different types of security breaches and attacks on the cloud. It should examine the performance of the cloud based on the security parameters and assist them in making decisions and providing adequate cloud services (Subashini & Kavitha, 2011). The cloud service provider will also benefit from the evaluation, as it will understand the disadvantages and advantages of implementing security control measures and can redirect resources to where there is high security concern.
It is also important that the governing body provides solution architecture for the issues and problems associated with the cloud computing framework. The solutions should be provided to the customers, service providers and end-users. The governing body should provide solutions regarding various issues such as customer trust. If a customer loses data or is unable to access it due to some mishap, the governing body should be able to provide a solution. The governing body should also be able to provide solutions if the cloud service provider is no longer able to provide services, shuts down or goes bankrupt. In this situation, the confidential information related to various users will be at risk.
Conclusion:
It can be concluded that security vulnerability has increased with the advent of information technology. Today, most data and information is stored in online databases and storage systems. With this, the vulnerability related to the security and privacy of data has also increased. Hackers can easily access data from online sources. Therefore, it is important that the organization develops a security protocol to control the risk associated with information security. Aztek Finance service is a financial service provider situated in Australia. The organization operates in the financial industry and thus deals with very confidential and sensitive data. The organization is trying to deploy cloud computing solutions as they are cost-effective and easy to use. However, this increases the security vulnerability of the organization. In the present report, several threats associated with the cloud deployment have been identified. These threats include political threat, operational threat and legislative threat. The organization should change its security protocols so that it can enhance the security of the overall system. The organization needs to analyze its current security stance and improve it so that the security vulnerability can be reduced. The organization should implement various techniques such as a firewall, encryption and similar techniques to enhance the security of the system. It can also control user access and monitor user activity as a further measure for the organization’s security.
References:
Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R. H., Konwinski, A., … & Zaharia, M. (2009). Above the clouds: A Berkeley view of cloud computing (Vol. 17). Technical Report UCB/EECS-2009-28, EECS Department, University of California, Berkeley.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., … & Zaharia, M. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50-58.
Asma, A., Chaurasia, M. A., & Mokhtar, H. (2012). Cloud Computing Security Issues. International Journal of Application or Innovation in Engineering & Management, 1(2), 141-147.
Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation computer systems, 25(6), 599-616.
Carlin, S., & Curran, K. (2011). Cloud computing security.
Chen, Y., Paxson, V., & Katz, R. H. (2010). What’s new about cloud computing security. University of California, Berkeley Report No. UCB/EECS-2010-5 January, 20(2010), 2010-5.
Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), 79.
Dahbur, K., Mohammad, B., & Tarakji, A. B. (2011, April). A survey of risks, threats and vulnerabilities in cloud computing. In Proceedings of the 2011 International conference on intelligent semantic Web-services and applications (p. 12). ACM.
ENISA. (2009). Cloud Computing: Benefits, risks and recommendations for information security.
Foster, I., Zhao, Y., Raicu, I., & Lu, S. (2008, November). Cloud computing and grid computing 360-degree compared. In Grid Computing Environments Workshop, 2008. GCE’08 (pp. 1-10).
Grobauer, B., Walloschek, T., & Stocker, E. (2011). Understanding cloud computing vulnerabilities. IEEE Security & Privacy, 9(2), 50-57.
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1), 5.
Jensen, M., Schwenk, J., Gruschka, N., & Iacono, L. L. (2009, September). On technical security issues in cloud computing. In Cloud Computing, 2009. CLOUD’09. IEEE International Conference on (pp. 109-116). IEEE.
Krutz, R. L., & Vines, R. D. (2010). Cloud security: A comprehensive guide to secure cloud computing. Wiley Publishing.
Li, H., Dai, Y., Tian, L., & Yang, H. (2009). Identity-based authentication for cloud computing. Cloud computing, 157-166.
Mell, P., & Grance, T. (2011). The NIST definition of cloud computing.
Mishra, A., Mathur, R., Jain, S., & Rathore, J. S. (2013). Cloud computing security. International Journal on Recent and Innovation Trends in Computing and Communication, 1(1), 36-39.
Ogigau-Neamtiu, F. (2012). Cloud computing security issues. Journal of Defense Resources Management, 3(2), 141.
Ostermann, S., Iosup, A., Yigitbasi, N., Prodan, R., Fahringer, T., & Epema, D. (2009, October). A performance analysis of EC2 cloud computing services for scientific computing. In International Conference on Cloud Computing (pp. 115-131). Springer, Berlin, Heidelberg.
Popović, K., & Hocenski, Ž. (2010, May). Cloud computing security issues and challenges. In MIPRO, 2010 proceedings of the 33rd international convention (pp. 344-349). IEEE.
Qian, L., Luo, Z., Du, Y., & Guo, L. (2009). Cloud computing: An overview. Cloud computing, 626-631.
So, K. (2011). Cloud computing security issues and challenges. International Journal of Computer Networks, 3(5), 247-55.
Srivastava, H., & Kumar, S.A. (2015). Control Framework for Secure Cloud Computing. Journal of Information Security 6, 12-23.
Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), 1-11.
Zhang, Q., Cheng, L. and Boutaba, R. (2010). Cloud computing: state-of-the-art and research challenges. Journal of internet services and applications, 1(1), pp.7-18.
Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation computer systems, 28(3), 583-592.