The world is moving towards becoming completely digital, and Cloud Computing is making a big contribution to this transformation. Everyone is connected to the internet, which is becoming an integral part of life for every individual and organization. Cloud Computing also works through an internet connection and helps industries become more efficient in computation and improve their business. The rapid rise in technology usage has made it necessary to involve a third party in managing the data and information related to operational activities, employees and customers, transactions, and so on. This arrangement frees the organization from the burden of managing the information and data. It makes the organization completely reliant on the third party: if any error or misplacement happens, there is someone to be held responsible for the mistake, and the organization can look after other serious concerns.
Cloud Computing is improving the way financial industries work; however, there are still certain industries lagging behind in adopting Cloud Computing services. More than 80% of the financial industries have already adopted Cloud Computing; however, it can be said that most of them are still not aware of the services that Cloud Computing can offer. Based on the survey made by (), around 50% of the Australian finance industries are using a hybrid Cloud Computing service, that is, a hybrid of the public Cloud and private Cloud services that will be discussed later in this report. Meanwhile, 40% of the financial industries with Cloud Computing services have in-house IT infrastructure for managing the information and data related to their operational activities.
This report focuses on assessing the risks that could arise during and/or after the implementation of Cloud Computing within Aztek, which belongs to the Australian finance industry. It also emphasizes the regulations and policies introduced by the Australian Government that should be considered when making an agreement with a vendor or any third party for Cloud services. The policies of the organization, the government, and the service provider should all be aligned so that the agreement is legally valid and protected from legal allegations that could hamper the reputation of the organization. However, despite all the advantages and benefits, this implementation carries certain risks to information security that cannot be neglected. Data security should be the primary concern for any organization, as information can be regarded as the backbone of any organization in any sector. For the risks and concerns that could arise from this implementation, a risk assessment is proposed in this report that helps in rating the risks (which risk should be mitigated first and which can be addressed later) and, based on that, in determining how the information security system can be enhanced. The most important concerns related to data security are explained in this report together with solutions that are capable of mitigating them.
Cloud computing can be described as an on-demand service that gives the user convenient, on-demand network access to a set of configurable computing resources such as servers, applications, networks, storage, and many other services. Establishing the configuration needs very minimal management effort and can be done rapidly. “This Cloud model promotes availability and is comprised of five key characteristics, three delivery models and four deployment models” (Erl, Cope & Naserpour, 2015). The service has various benefits: it is very flexible and provides scaling flexibility through a multi-tenant model, which can be metered and billed according to the usage made by the organization. Cloud Computing services are delivered mainly through three delivery models: SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) (Bansal & Sharma, 2015). Various vendors in the market provide such services: Salesforce.com, Google Docs, and many others provide SaaS; Google App Engine, Microsoft Azure, and others provide PaaS; and Rackspace, NYSE Euronext CMPC, Amazon EC2, and many others provide IaaS. Vendors offer several deployment models, but most industries use mainly three: Public Cloud, Private Cloud, and Hybrid Cloud.
Public Cloud: This service is available to every individual connected to the internet.
Private Cloud: This service is available to the trusted users of the industries and is managed by either the organization or the Cloud service provider.
Community Cloud: “It is accessible to the members or individuals of a wider community that is composition of more than one industry or firm” (Rani & Ranjan, 2014).
Hybrid Cloud: This is the most favorable service for the industries because of its flexibility and information security, which have been a challenge in the above services. This is the recommended service for Aztek and should be incorporated within the organization.
Several legal issues might affect the reputation of the organization if Australian policies and regulations are not properly followed. Hosting Cloud applications and using Cloud Computing services from a third party is a new sourcing and delivery model, and it is based on the conditions set by the third party. The conditions set by the service provider should comply with the policies and regulations of the organization. This is one of the critical points that should be considered before aligning Cloud services with the existing policy of the organization. Another challenge in bringing Cloud Computing into the existing system is the Service Level Agreement, which should be clear, compatible with the existing policy of the organization, and should cover information security (Gangwar & Date, 2016). Most consumers prefer an outside service provider in order to be better protected from data exchange between competitors, which leads to cross-border issues. This could even lead to the seizure of data and information because of the regulations and policies of another country, a change in government, and many other factors. There are certain laws introduced by the Australian government that could be incorporated within Aztek in order to protect the information (Srinivasan, 2014). The following is the list of policies related to Cloud Computing, Big Data, and cyberspace:
As stated in the above discussion, implementing Cloud Computing within the organization could lead to several issues related to information and data, and for this there is a need for an information management system within the organization. There are several issues, which will be discussed later in this report. The first concern should be managing information security in order to minimize or eliminate the threats that will arise (Rittinghouse & Ransome, 2016). The six P’s of the information management system can be very helpful in managing these threats and issues.
This is the very first step in information security management: creating a model and the steps for determining the threats. It decides which sectors should be given the most priority and which should not; the assessment should also be planned early, including the budget and cost that will be spent on risk identification and risk assessment. Common steps in this approach are designing, creating and implementing the strategies within a fixed interval of time (Chandra, Challa & Hussain, 2014). The types of information security planning can be described as Policy planning, Business continuity planning, Security program planning, Incident response planning, Technology rollout planning, Risk management planning, Disaster recovery planning, and Personnel planning.
One of the most important aspects, as stated earlier, relates to the rules, regulations, and laws of the Australian government, the service provider, and the consumer. There is a possibility that the agreement offered by the service provider does not fulfil the requirements of the policies made by the organization or the industry itself. Aztek, which will be committing to a change in behaviour after migrating to Cloud Computing services, should also introduce a set of guidelines. The policies that can be recommended for Aztek are (Rivera et al., 2015): Issue-Specific Security Policy (ISSP), Enterprise Information Security Policy (EISP), and System-Specific Policies (SysSPs). Aztek should follow these policies before and/or after implementing Cloud Computing.
Aztek should consider the programs related to Information Security Management an integral part of the organization and execute them as part of the organization's culture. Programs such as SETA (Security Education, Training and Awareness), technology-use motivation, and many others should be integrated into the operational activities within the system (Aikat et al., 2017). These will help improve the security of the management system, including physical security and the identification of phishing and other attacks before they hamper the organization. This will help ensure that attacks are at least identifiable by the employees.
Protection is the foremost concern, as it covers physical security, IT infrastructure and many other areas, including encryption of data and information. Other factors included in this section are risk assessment for the issues and threats that have been identified, protection mechanisms, controls, and technologies. The activities in this section will help enhance the security of the information and data that is about to be uploaded into the cloud (Haimes et al., 2015).
The fifth P in information security management concerns the stakeholders that are connected to the organization in any way. It can be said to be the most critical link for achieving the maximum information security after the implementation of Cloud Computing within the system of Aztek. The focus of this approach is that each individual is assigned proper roles and responsibilities in information security management. The approach can also be stated as “security personnel and the security of the personnel including the aspects of the SETA program”.
This approach covers the identification and controls that could be incorporated within the IT infrastructure and the work environment for managing the threats and issues of Cloud adoption, and how to mitigate them. Other activities that make it important are regular audits of the technologies and monitoring of the employees’ report cards on production, among other management tasks. Rao et al. (2016) stated, “For this case of Cloud adoption information system cannot be described as a project rather it can be defined as a process in which each element should be managed as a project.” All the activities should be chained or interconnected and should form a series of projects.
This section covers the management, operational and technical controls for enhancing the security of the data and information that are being migrated to the cloud. These three controls are discussed as follows:
This security control focuses on assessing the risks in a managed way that includes planning, initiation, execution, evaluation and regular audit (Layton, 2016). It can also be described as administrative control aimed at improving information security management. The activities comprised in management controls are:
Risk Assessments: Risk assessment is an activity that helps in making quantitative and qualitative analyses of the risks of Cloud adoption in the organization. It also plays an important role in prioritising the risks from most important to least important. In this case, quantitative analysis can be described as the monetary value of the assets and the budget values for the technologies and related issues while implementing Cloud Computing within the organization (McCrie, 2015). Qualitative risk assessment, in contrast, can be stated as “it is based on the impact and probability of the risks that have been identified during the risk assessment.”
Vulnerability Assessment: This can be described as an attempt to discover the current weaknesses or vulnerabilities in information security. It is recommended that Aztek implement additional controls in order to reduce or eliminate the threats and issues related to information security.
Penetration Tests: A further step after the vulnerability assessment that attempts to exploit the vulnerabilities that will arise from the use of Cloud storage. An example of a penetration test and vulnerability assessment is “the server is not up-to-date but the penetration test will make an attempt in compromising the server through exploiting several of the un-patched vulnerabilities.”
This emphasizes controlling the operations that are performed during the implementation of Cloud Computing and the migration to Cloud storage, and aligning them with the overall security plan. The following is the list of activities that are controlled by the personnel:
Technical control emphasizes protecting the computers and servers from unauthorized users, intruders or hackers. Properly encrypting files and data before uploading them to the Cloud is the most important factor in this control, along with keeping software and operating systems updated (Peppard & Ward, 2016). The recommendation for this control is to use anti-malware, anti-virus, updated firewalls, and IDSs (intrusion detection systems).
A risk assessment table has been proposed in order to prioritize the risks based on their impact and probability. The following table lists the threats, vulnerabilities and consequences along with their impact and severity.
| Sl. No. | Risks | Explanation | Probability | Impact | Priority |
|---|---|---|---|---|---|
| R. a | Conflicts in the agreement | Sometimes the service provider becomes unable to provide the services as per the agreement made (Theoharidou, Tsalis & Gritzalis, 2013). | M | M | M |
| R. b | Supply Chain management Failure | Organizations depend on the third party after proper research on them, and sometimes service providers hire a third party to share servers, which might result in vulnerabilities. | L | M | M |
| R. c | Lock-in | Once a service is availed from a third party, it becomes difficult and costly to move to another party for the services (Albakri et al., 2014). | H | M | H |
| R. d | Interface compromises | An unwanted or unauthorized user manipulating the code of the Cloud-hosted applications leads to such issues. | M | VH | H |
| R. e | Intellectual property issues | Organizational assets like systems, IT infrastructure, and a proper internet connection are lacking for incorporating Cloud Computing services into the system (Theoharidou et al., 2013). | L | M | M |
| R. f | Phishing Attacks | A trick that an intruder uses to gain control over the data and information saved in the system by sending malicious code via email or other messaging applications. | M | H | M |
| R. g | Loss of Governance | Once bound to the third party, all personal data and information pass into their hands, and without their permission even the owner cannot obtain the information again (Carlson, 2014). | VH | VH | VH |
| R. h | Malicious Insider | This could happen to both the service provider and the consumer. Formal employees or other stakeholders having credentials and access to the data and information could misuse the data for personal use. | H | VH | H |
| R. i | Intercepting data in transit | Attempts made by an intruder can block the user from using online services, and bringing them back on track consumes more time (Latif et al., 2014). | M | H | M |
| R. j | Ineffective deletion | Data on the Cloud is never completely deleted and never completely disappears. | H | VH | H |
| R. k | Technical risks | Not maintaining the IT infrastructure properly could lead to such vulnerabilities. | M | M | M |
| R. l | Isolation Failure | A file that is not properly uploaded or downloaded becomes corrupted, and recovering access is a time-consuming process (Craig & Shackelford, 2013). | H | H | M |
| R. m | Service Engine Compromised | The most critical part of the IT infrastructure is the service engine, and an intruder could get all access if the engines are compromised. | L | VH | H |
| R. n | DDOS (Distributed Denial of Service) | This is a general attack that a hacker can attempt by sending many requests via one or more applications (Rewagad & Pawar, 2013). | M | VH | M |
| R. o | Loss of Cryptographic keys | All data and information are encrypted before being uploaded to the Cloud, and cryptographic keys are needed to decrypt those files and access the information; losing the keys could mean losing the data or taking much time to recover the same file (Djemame et al., 2016). | L | H | M |
| R. p | Loss of Backups | Again, this could happen to both the consumer and the service provider. Some activities could lead to the loss of data, for which there is always a backup; if the backup is lost as well, the organization might suffer serious issues. | L | H | M |
| R. q | Economic Denial of Service (EDOS) | This attack could lead to the manipulation of several data and information. | L | H | M |
| R. r | Natural Disasters | Lightning, earthquakes or other natural calamities could lead to the loss of data at once. | VL | VH | M |
| R. s | Cloud-specific network related technical attacks or failures | Failures are not common if proper attention is provided; however, given the current situation of the internet, hacking and breaches have become common. | M | M | M |
| R. t | Risks from changing jurisdictions | A change in the jurisdiction of the service provider could lead to the seizure of data under many conditions. | H | H | H |
| R. u | Data protection services | The agreement should be made with regard to the Australian government policies and should be incorporated with the organization's policy (Inukollu, Arsi & Ravuri, 2014). | H | H | H |
| Probability \ Impact | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | | | | | R. g |
| High | | | R. c | R. l, R. t, R. u | R. h, R. j |
| Medium | | | R. a, R. k, R. s | R. f, R. i | R. d, R. n |
| Low | | | R. b, R. e | R. o, R. p, R. q | R. m |
| Very Low | | | | | R. r |
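The step from the risk register to the probability/impact matrix can be reproduced mechanically. The following is an added example, not part of the original report: the ratings are transcribed from the register above, while the tie-break inside one priority level (probability rank times impact rank) is an assumption of this sketch, not the report's method.

```python
"""Added example: derive the probability/impact matrix from the risk register."""

LEVELS = ["VL", "L", "M", "H", "VH"]            # ordinal scale used in the register
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}

# (id, risk, probability, impact, priority), transcribed from the register above.
REGISTER = [
    ("R. a", "Conflicts in the agreement", "M", "M", "M"),
    ("R. b", "Supply chain management failure", "L", "M", "M"),
    ("R. c", "Lock-in", "H", "M", "H"),
    ("R. d", "Interface compromises", "M", "VH", "H"),
    ("R. e", "Intellectual property issues", "L", "M", "M"),
    ("R. f", "Phishing attacks", "M", "H", "M"),
    ("R. g", "Loss of governance", "VH", "VH", "VH"),
    ("R. h", "Malicious insider", "H", "VH", "H"),
    ("R. i", "Intercepting data in transit", "M", "H", "M"),
    ("R. j", "Ineffective deletion", "H", "VH", "H"),
    ("R. k", "Technical risks", "M", "M", "M"),
    ("R. l", "Isolation failure", "H", "H", "M"),
    ("R. m", "Service engine compromised", "L", "VH", "H"),
    ("R. n", "DDoS", "M", "VH", "M"),
    ("R. o", "Loss of cryptographic keys", "L", "H", "M"),
    ("R. p", "Loss of backups", "L", "H", "M"),
    ("R. q", "Economic denial of service", "L", "H", "M"),
    ("R. r", "Natural disasters", "VL", "VH", "M"),
    ("R. s", "Cloud-specific network attacks or failures", "M", "M", "M"),
    ("R. t", "Risks from changing jurisdictions", "H", "H", "H"),
    ("R. u", "Data protection services", "H", "H", "H"),
]


def build_matrix(register):
    """Place every risk id in its (probability, impact) cell."""
    matrix = {(p, i): [] for p in LEVELS for i in LEVELS}
    for rid, _name, prob, impact, _prio in register:
        if prob not in RANK or impact not in RANK:
            raise ValueError(f"{rid}: unknown level {prob!r}/{impact!r}")
        matrix[(prob, impact)].append(rid)
    return matrix


def mitigation_order(register):
    """Order risks by the stated priority, highest first.

    Assumption of this example: ties inside one priority level are broken by
    probability rank x impact rank, then by id, to get a stable work list.
    """
    def key(row):
        rid, _name, prob, impact, prio = row
        return (-RANK[prio], -RANK[prob] * RANK[impact], rid)
    return [row[0] for row in sorted(register, key=key)]


def render(matrix):
    """Text grid with probability on the rows (highest first), impact on columns."""
    lines = []
    for prob in reversed(LEVELS):
        cells = [" ".join(matrix[(prob, imp)]) or "-" for imp in LEVELS]
        lines.append(f"{prob:>2} | " + " | ".join(f"{c:<16}" for c in cells))
    lines.append("   | " + " | ".join(f"{imp:<16}" for imp in LEVELS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix(REGISTER)))
    print(mitigation_order(REGISTER))
```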
The data and information being migrated to the cloud are vulnerable to various security issues. Another problem is data integrity, as data transmitted to or from cloud storage could suffer damage. Data should be kept away from unauthorized users and protected from manipulation. There should be a detection system for the case where data is manipulated or altered; however, this will be discussed in the next paragraph. Let us first discuss the issues related to data security when adopting cloud computing within the finance industries:
Data breaches: The most concerning topic in data security is data breaches, as their rapid growth could lead to the exposure, manipulation, and loss of data (Hashem et al., 2015). An unauthorized user who is able to enter the systems could, through malicious code, affect the data in every way.
Data loss or manipulation: This is a rarely occurring unwanted event that could have a very high impact on the reputation and performance of the organization. It could be caused by an unauthorized user or by an insider. A lost or stolen device could lead to serious issues for the data and information.
Un-trusted Remote Server Performing Computation: Involving a third party to manage the data and information and entrusting everything to them without proper enquiry could also lead to serious data security issues (Hashizume et al., 2013).
Insecure APIs: Virtualization technology is used to create a boundary between the consumers, but it has many issues; intruders could take advantage of these and allow one user to access another’s data (Modi et al., 2013).
Service or Account Hijacking: This commonly results from lost credentials that an unauthorized user uses to access the data; that user could then manipulate and alter the data and information saved on the server or in the database (Stojmenovic & Wen, 2014).
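One way to make manipulation of cloud-stored data detectable, as called for above, is to compute a keyed integrity tag before upload and verify it after download. This is an added example, not from the original report; it assumes the organization keeps the key and the expected version number on its own side, and the object names and record contents are constructed.

```python
"""Added example: detect altered, swapped or rolled-back cloud objects with HMAC."""
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read large objects in pieces instead of loading them whole


def integrity_tag(key: bytes, object_name: str, version: int, stream) -> str:
    """HMAC-SHA256 over name, version and content.

    Binding the name and version means a valid object cannot be served under
    another name, and an older valid copy cannot be served as the current one.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    name = object_name.encode("utf-8")
    mac.update(len(name).to_bytes(4, "big") + name)  # length prefix avoids ambiguity
    mac.update(version.to_bytes(8, "big"))
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        mac.update(chunk)
    return mac.hexdigest()


def verify_download(key, object_name, expected_version, stream, stored_tag) -> bool:
    """Recompute the tag for what was downloaded and compare in constant time."""
    computed = integrity_tag(key, object_name, expected_version, stream)
    return hmac.compare_digest(computed, stored_tag)


def run_constructed_checks():
    """Exercise the four cases on constructed sample data."""
    key = bytes(range(32))                      # constructed demo key, not a real secret
    name = "ledger/2017-q3.csv"                 # constructed object name
    v1 = b"account=1001;balance=1800.00\n"      # constructed older version
    v2 = b"account=1001;balance=2500.00\n"      # constructed current version
    tag_v1 = integrity_tag(key, name, 1, io.BytesIO(v1))
    tag_v2 = integrity_tag(key, name, 2, io.BytesIO(v2))
    tampered = v2.replace(b"2500", b"9500")
    return {
        # Unmodified object, current version: accepted.
        "intact": verify_download(key, name, 2, io.BytesIO(v2), tag_v2),
        # Content changed in storage or in transit: rejected.
        "altered": verify_download(key, name, 2, io.BytesIO(tampered), tag_v2),
        # Valid content returned under a different object name: rejected.
        "swapped": verify_download(key, "ledger/2017-q2.csv", 2, io.BytesIO(v2), tag_v2),
        # Old but once-valid copy and tag returned as the current version: rejected.
        "rollback": verify_download(key, name, 2, io.BytesIO(v1), tag_v1),
    }


if __name__ == "__main__":
    for case, accepted in run_constructed_checks().items():
        print(f"{case:<9} accepted={accepted}")
```

The check only detects manipulation; it does not keep the content confidential, which is the role of the encryption discussed in this report.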
Service Level Agreements (SLAs):
The services offered by the service provider should comply with the policies and regulations that already exist within the organization (Arora, Parashar & Transforming, 2013). It is mandatory that the service provider give the same attention to data security as the organization does.
Proper research about the service provider:
Before making any contract with the service provider, there should be a proper enquiry into their reputation in the market and their services (Almorsy, Grundy & Müller, 2016). It is very important to research them, as they are not going to reveal how and where the data is stored and what precautions they take to protect the data and the information.
Data Backups:
Data loss may happen because of a data breach or a natural calamity, and for a financial industry, data and information are everything to the organization (Ahmed & Hossain, 2014). There should be a proper backup of the data that is provided to the service provider, and the service provider should regularly back up the data that they collect.
Data encryption:
As stated above, data breaches and data losses are not commonly occurring events, but there is a probability that they happen, and their impact on the organization could be very high (Hashem et al., 2015). File encryption blocks access to files that have already been obtained by an intruder, because the unique cryptographic keys are needed to access the files and the information.
IT Infrastructure of Aztek:
A strong and secure IT infrastructure is a must for any organization that is concerned about data security. There should be proper configuration, wired network connections, updated firewalls, and updated anti-virus, including original operating systems (Rao & Selvamani, 2014).
Cloud computing Security:
Cloud security is the most important aspect of the data security sector and can be described as an evolving sub-domain of network security, computer security, and, more broadly, information security. It refers to the technologies, set of policies, and controls that are deployed to protect the applications, data, and IT infrastructure of Cloud Computing (Zhao, Li & Liu, 2014).
Conclusion:
Based on the above report, it can be concluded that involving a third party within the system of Aztek could be helpful in many ways. It is much cheaper than an in-house IT infrastructure for managing the data and information related to the operational activities of the organization. It also eliminates the maintenance cost and allows access to the data 24×7 from anywhere via an internet connection. However, several issues could arise related to the security and privacy of the data that could affect the proper functioning of the organization. This report presents a risk assessment and a table comparing the impact and probability along with the severity matrix. Aztek could implement the hybrid cloud computing service model within the organization for better data management, and the data in this report can be used to assess the issues raised.
References:
Ahmed, M., & Hossain, M. A. (2014). Cloud Computing and security issues in the cloud. International Journal of Network Security & Its Applications, 6(1), 25.
Aikat, J., Akella, A., Chase, J. S., Juels, A., Reiter, M. K., Ristenpart, T., … & Swift, M. (2017). Rethinking Security in the Era of Cloud Computing. IEEE Security & Privacy, 15(3), 60-69.
Albakri, S. H., Shanmugam, B., Samy, G. N., Idris, N. B., & Ahmed, A. (2014). Security risk assessment framework for Cloud Computing environments. Security and Communication Networks, 7(11), 2114-2124.
Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the Cloud Computing security problem. arXiv preprint arXiv:1609.01107.
Arora, R., Parashar, A., & Transforming, C. C. I. (2013). Secure user data in Cloud Computing using encryption algorithms. International journal of engineering research and applications, 3(4), 1922-1926.
Carlson, F. R. (2014). Security analysis of Cloud Computing. arXiv preprint arXiv:1404.6849.
Craig, A. N., & Shackelford, S. J. (2013). Hacking the planet, the dalai lama, and you: managing technical vulnerabilities in the Internet through polycentric governance. Fordham Intell. Prop. Media & Ent. LJ, 24, 381.
Djemame, K., Armstrong, D., Guitart, J., & Macias, M. (2016). A risk assessment framework for Cloud Computing. IEEE Transactions on Cloud Computing, 4(3), 265-278.
Erl, T., Cope, R., & Naserpour, A. (2015). Cloud Computing design patterns. Prentice Hall Press.
Gangwar, H., & Date, H. (2016). Critical Factors of Cloud Computing Adoption in Organizations: An Empirical Study. Global Business Review, 17(4), 886-904.
Hashem, I. A. T., Yaqoob, I., Anuar, N. B., Mokhtar, S., Gani, A., & Khan, S. U. (2015). The rise of “big data” on Cloud Computing: Review and open research issues. Information Systems, 47, 98-115.
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for Cloud Computing. Journal of Internet Services and Applications, 4(1), 5.
Inukollu, V. N., Arsi, S., & Ravuri, S. R. (2014). Security issues associated with big data in Cloud Computing. International Journal of Network Security & Its Applications, 6(3), 45.
Latif, R., Abbas, H., Assar, S., & Ali, Q. (2014). Cloud Computing risk assessment: a systematic literature review. In Future Information Technology (pp. 285-295). Springer, Berlin, Heidelberg.
Layton, T. P. (2016). Information Security: Design, implementation, measurement, and compliance. CRC Press.
McCrie, R. (2015). Security operations management. Butterworth-Heinemann.
Rani, D., & Ranjan, R. K. (2014). A comparative study of SaaS, PaaS and IaaS in Cloud Computing. International Journal of Advanced Research in Computer Science and Software Engineering, 4(6), 458-461.
Rao, J. R., Chari, S. N., Pendarakis, D., Sailer, R., Stoecklin, M. P., Teiken, W., & Wespi, A. (2016). Security 360°: Enterprise security for the cognitive era. IBM Journal of Research and Development, 60(4), 1-1.
Rao, R. V., & Selvamani, K. (2015). Data security challenges and its solutions in Cloud Computing. Procedia Computer Science, 48, 204-209.
Rewagad, P., & Pawar, Y. (2013, April). Use of digital signature with diffie hellman key exchange and AES encryption algorithm to enhance data security in Cloud Computing. In Communication Systems and Network Technologies (CSNT), 2013 International Conference on (pp. 437-439). IEEE.
Rhodes-Ousley, M. (2013). Information security the complete reference. McGraw Hill Professional.
Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud Computing: implementation, management, and security. CRC press.
Rivera, J., Yu, H., Williams, K., Zhan, J., & Yua, X. (2015, May). Assessing the security posture of Cloud service providers. In Proceedings of the 5th International Conference on IS Management and Evaluation (ICIME) (pp. 103-110).
Sreeramaneni, A., Seo, B., & Chan, K. O. H. (2017). A Business Driven Scalable Cloud Computing Service Platform (PaaSXpert). 15(1), 35-44.
Srinivasan, S. (Ed.). (2014). Security, Trust, and Regulatory Aspects of Cloud Computing in Business Environments. IGI Global.
Stojmenovic, I., & Wen, S. (2014, September). The fog Computing paradigm: Scenarios and security issues. In Computer Science and Information Systems (FedCSIS), 2014 Federated Conference on (pp. 1-8). IEEE.
Theoharidou, M., Papanikolaou, N., Pearson, S., & Gritzalis, D. (2013, December). Privacy risk, security, accountability in the cloud. In Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on (Vol. 1, pp. 177-184). IEEE.
Theoharidou, M., Tsalis, N., & Gritzalis, D. (2013, June). In Cloud we trust: Risk-Assessment-as-a-Service. In IFIP International Conference on Trust Management (pp. 100-110). Springer, Berlin, Heidelberg.
Zhao, F., Li, C., & Liu, C. F. (2014, February). A Cloud Computing security solution based on fully homomorphic encryption. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 485-488). IEEE.