ITC596 IT Risk Management : The Aztec Resources Limited

tructure’s implementation cost can be restricted as financial service sector can keep its focus on all significant projects  ("How Cloud is Being Used in the Financial Sector: Survey Report", 2015).

Improvement in management

The cloud computing technology services makes many adjustments to the resources of the financial service sectors for all the unexpected and oscillating business policies as well as fastly their applications gets uploaded in online. It need not required to be maintained ("THE BENEFITS OF CLOUD COMPUTING FOR THE BANKING & FINANCIAL INDUSTRY", 2017).

Resilient

The migration of critical applications to the cloud computing service are very helpful for banks and financial service sector related companies because of the capability for the creation of big enterprise which widely helps in the continuation of a business venture. The continuation of the business venture is considered to be the significant part in financial service sectors.

Scalable

The Scalability is an important feature in the banking and financial sectors. Large amount of acquisitions and mergers are very often in the banking and in the financial service sectors. The Cloud service is considered to be the concept which can scale the IT operations for the needs of the company and this concept is also considered to be an affordable concept.

Accessible

The Cloud computing technology has some limitations in client server systems which is not applicable in accessing the stored data and the applications that are available in other computers can be achieved at anywhere during any time.

The data that is stored in the cloud environment offered a context to investigate the customers impact of the financial services sector. The restrictions regarding the regulations are considered as another top most hurdle for the companies that relies on the cloud services. 71 % of the financial service sector companies has considered Compliance as a hurdle for keeping controls in-house and for not migrating the data to cloud services. Most of the financial service companies follow certain regulations and some specific standards to adopt the migration of the critical applications to the cloud computing technology. The top most responses that are critical in achieving compliance during the migration to cloud services are as follows

1. Detection of Malware
2. Audit Authorization
3. Encryption of data

The notable regulations and the top measures are ranked in a list. The ranked list of top measures are represented below in a pictorial representation.

• Implementing the security measures is found as 66%.
• Auditing the Authorization is 57%
• Tokenization of the data is about 46%
• Encryption of the data is about 46%
• Penalty for some of the incidents is about 42%
• No data about the customer in cloud is 20%

Compliance is encountered as a critical operation requirement with banking and financial service sectors. It is found that the companies assure the compliance with cloud providers through the criteria known as Contract Clauses about 48%, Service level Agreements (SLA) for about 44% and the audits of about 8%. The CSA Cloud Control Matrix is the tool which is used for compliance in common in these areas. The Compliance that is ensured by the cloud service providers are represented in the pie-chart below  ("How Cloud is Being Used in the Financial Sector: Survey Report", 2015).

• Blue Colour in the pie-chart represents the Specific clauses in the contract of about 48%
• Maroon colour in the pie-chart represents the Service Level Agreements which is 44%.
• Yellow colour in the pie-chart represents the others which is 8%.

Encryption or Tokenization of the data

The data protection is the most common concern for all the companies that relies on the services of the cloud. Encryption and tokenization of the data is considered as a top security tool that is in need for the financial institutions. The Encryption and anonymization of the data is represented in the below diagram  ("How Cloud is Being Used in the Financial Sector: Survey Report", 2015).

The adopters and users of the cloud computing technology in the earlier stage desire the abilities of the encryption. Among all the cloud service providers, only about 42 percentage of the respondents implement the solutions of the data encryption for the cloud. 61 percentage of the cloud service providers ensured that the owner of the encryption keys is a consideration. The critical data should be kept confidential, if the hacker gets the access of the encryption key then it makes him to access the data stored in the cloud. So it is safe to own the encryption keys outright on the premises of the cloud than hosting in the cloud. The anonymization techniques for the data are called as tokenization or masking. Some of the organizations are currently adopting such techniques during the migration of the critical applications to the cloud. The anonymization techniques of tokenization of the data and masking of the data is used frequently for the protection of the critical customer information. Therefore the Encryption and tokenization techniques of the data protection play a significant and also a critical role in the financial service sectors to protect the in-house computations and for the migration of the critical applications to the cloud services. The usage of these anonymization techniques is expected to be increased in the future. Customers of the cloud needs to be assured and proved that the cloud service providers have controls in the places like traditional providers of hosting. This is true for the companies that builds the clouds of their own to fulfil their own auditing needs. Most of the auditors do not know the virtualization or cloud computing which becomes as a complicated issue in future. By considering these issues, it is found that the compliance creates more pain to the organization than making gains to the managers and professionals of IT organization. A survey on cloud services particularly about the compliance audit, it is determined that 3 of 5 IT professionals are not ready for it. For adopting this type of migration the Aztec can make their IT professionals to work under a procedure of root canal, work during holidays, live without electricity for one week. So the compliance audit in the cloud computing services is that much difficult than the mentioned tasks of the IT professionals. Anonymization techniques like tokenization or encryption of the data helps the cloud computing applications in a manageable way. Thus the selected IT project of the migration of the critical application of Aztec into a cloud computing technology is reviewed with respect to the financial service sectors which includes the compliance issue of the cloud service technology  ("How Cloud is Being Used in the Financial Sector: Survey Report", 2015).

Impact on the Security Posture 

Security Posture in an organization provides a point-in-time validation through the methods called vulnerability assessment and the method of test in Penetration. The migration of the data and critical applications to the cloud computing services do not restrict the existing requirements of the security  ("Security Posture Assessment | Locuz", 2017). The only change that occurs in the migration is that the responsibility of maintaining the day to day security in the data is given to the cloud service providers. This also reveals that the technical staffs of the onsite will be handling uncovered potential risks, so if the applications are migrated to cloud then it is easy to avoid those potential risks. The risks has to managed by the Aztec organization is shifted to the cloud service providers. The migration of the critical applications to the cloud service makes lot of changes in the IT security at the basic level. This results that the business needs to make some changes to their business applications for handling the data security once implementing the cloud platform. A clear cut view should be reviewed between the responsibilities of the organization and of the cloud service providers. In the business process of Aztec, the fundamentals of IT has created the sense making for that organization. The experts say that the sense making is considered as one of the important process in the companies that rely on the financial service sector. Sense making is the process of scanning the entire surrounding and interact with every one in a proper way. The interactive approach helps to take necessary actions (Lindqvist, 2013). The IT basics outsourcing for Aztec is the significant method to maintain security and the process of operations. When the migration of critical applications to the cloud computing services takes place, then the access is given to the cloud service providers which makes an interactive approach. The On-premise solutions are the solutions that are created in the traditional way. Servers, Operating System and other hardware services may be included but these all happen only within the data center. The outsourcing is given to the integrator who integrates the service, but there is a need to offer physical security to the data, the electricity and the entries of balance sheet for carrying the assets. When the critical application are hosted into a cloud, then it is the responsibility of the cloud service provider. The service providers of the cloud are agreed or contracted over a tenure and they offer some special functions for the organization. The cloud service providers host the data in many locations, but the locations of the cloud are known to the organization and it is fixed. The cloud service providers are responsible for all the offers that they provide to the organization. The future impacts or any issues are responsible for them only. The critical application hosting provider offers all the support and the configuration that is required for the application. If the organization Aztec cannot offer as much as staff who are expertise, then it is best to adopt the cloud service offerings. If the organization has to provide services and support for 24 hours in all the 7 days of the week, then it is best to select the cloud service rather than trusting on the labours. The IT operations of the Aztec on premise has to rely on the man power for the security policies and procedures. It may not be fair that every time the person may be alert. Human beings are liable to make errors. So it is best to believe a system called Cloud computing service than having belief in a person. The system can also make errors but it can be recovered. Then the cloud service providers are responsible for the errors that they make. So the organization may be stress free. The persons with less expertise can be appointed for the cloud computing services. Thus the review is performed in the project of migrating the critical applications to be hosted in the cloud in the basis of security posture. The current security policies and postures of the Aztec is compared in contrast with cloud computing services ("On-premise vs. cloud-based solutions", 2017).

Threats, Vulnerabilities and Consequences

In today's world there are new inventions and improvements in the information technology. The organization that are operating in the financial service sector is undergoing into many problems and challenges in innovations and adoptions of the new technologies (Dahbur, Mohammad & Tarakji, 2011). The upcoming sections describes about the threats, vulnerabilities and consequences that rely on the IT service outsourcing in Aztec organization (Lindqvist, 2013).

Threats of IT operations 

The threats that affect the security in financial service sector organizations like Aztec are in increased rate (Grundey, 2008). To secure the entire system of the Aztec organization that is connected with the public network is not that much easy. A single system that is maintained by the organization is not a secured system and so the organization has planned to migrate the applications to the cloud service. The different types of services and offerings are provided by the cloud service providers. The information has been hacked in an increasing rate in today's technology. As the advantages of the technology becomes more reliable, the chance of hacking is also increased. Different types of attacks like spamming, malware injection, spoofing and other attacks like DDoS, man in the middle and eavesdropping are in the increasing rate. It is significant in the financial service sector to protect the system and credentials, they need to take high measures for securing those information. Aztec should make sure that their information are secured and the customers of the organization should believe the system that it is secured. When the organization migrates the critical applications to the cloud services, the organization should make sure that the credentials and transactions of the customers are confidential. The organization should make sure of the data recovery in case of any failures (Javaid, 2013).

Vulnerabilities in IT Operations Outsourcing

The organization Aztec that is under the financial service sector may get misloaded because of the exposure of the security risks and also becomes a victim for the security breach. When the applications of the organization is migrated to a cloud, it is not sure that the service providers will illegally monitor the transactions and the credentials of the customers of the organization. The cloud service provider may not perform any illegal actions but there are possibilities in hacking the cloud computing service. The hackers may use the system of cloud to steal the information of the customers. Because of this hacking, there may be a leakage of the customer information, hacking the personal credentials like username and password, personal data extraction from the customer database that is being stored in the cloud computing services, authentication risks and also they may sell these information to other organizations which makes the loss in business operations and affects the growth of Aztec. This information shows that the vulnerability in the IT services of the organization is the weakness or less concentration on the security of the assets. As it is financial organization, there is a chance of withdrawal of the funds by using the user's credentials. There may be vulnerability in the security breach as the system and data is totally based on the cloud service providers (Sheetlani, 2017).

Breach of data

The data breach or loss in data occurs only when the important area of the data of the client gets accessed by the hacker or any unauthorized person. The organization has to do periodic monitoring process to make sure that there is no leakage in the customer information (Rao & Selvamani, 2015).

Location of the data

In some organizations, the customer do not know where their data is physically located. Aztec must make sure of the location of the data physically (Rao & Selvamani, 2015).

Storage of the data

The data that is stored in the cloud can be divided into 2 divisions such as The data that is stored in the IaaS environment and the data that is stored in the PaaS or SaaS environment which is related to the cloud computing applications. The data of the organization that is stored in the cloud environment should be considered in 3 different aspects like confidentiality, integrity and availability (Omotunde, Adekogbe, Ernest & Uchendu, 2016).

Archival of the Data

Archiving for the data that is being focused on the storage of the cloud either to offer the storage in off-site or in the storage duration. If the service providers of the cloud computing environment does not offer archiving in the off-sit, then there occurs the threat in the data availability (Omotunde, Adekogbe, Ernest & Uchendu, 2016).

Assessing the consequences of IT operations

The threats and the vulnerabilities that are involved in the organization is discussed above. To avoid or handle those threats and vulnerabilities, the company has to follow a risk management plan in an organized way. The risk management plan should be able to make interaction with customers and the Aztec via the applications (Balbás & Garrido, 2014). The risk management plan includes the steps as follows

Risk Identification

The threats and vulnerabilities that are included in the service provided by the organization should be identified through a regular monitoring process (Douglass, 2009).

Risk Assessment

The Aztec should perform and develop a matrix on the identified threats and vulnerabilities. Aztec should find the different varieties of the threats and vulnerabilities.

Treating the Risk

The identified risk has to be treated. Different strategies should be followed for different threats. Each and every risk has to be handled in different ways like mitigation, transfer and avoidance.

Risk Report

Aztec has to maintain a log to keep track of the risks and their strategies how they solved it, so that they can find if similar risk is identified in future (Balbás & Garrido, 2014).

Risks in Data Security

Data Security is the common thing for any type of service or technology. But it becomes a big challenge for the organization and user who rely on their service providers. In SaaS, the data that is provided by the organization is frequently being processed in the form of plaintext and it is stored in the cloud technology. The critical aspect in the use of SaaS service provider is that the backing up the data which is used in recovery in the future during any disasters (Omotunde, Adekogbe, Ernest & Uchendu, 2016).

Generation of the Data

Data generation is being included in the ownership of the data. If the data critical applications is migrated into the cloud computing technology then it should be taken into account that how to maintain the ownership of data (Rai, Bunkar & Mishra, 2014).

Transfer of Data

Transfer of the data does not require any encryption. During the data transmission, the data confidentiality and integrity should be made sure to secure the data from the unauthorized access. The confidentiality and integrity should be maintained in the cloud storage devices (Rai, Bunkar & Mishra, 2014).

Deletion of the Data

When the data is not required then the unused data should be destroyed. Because of the physical characteristics of the medium of the storage, there is a chance in the existence of the deleted data and it can be restores (Omotunde, Adekogbe, Ernest & Uchendu, 2016).

Type of data

Aztec is the organization that is operating under the financial service sector. So the data that is to be stored by Aztec may be the user credentials like the username and the password. The transactions of the user data like withdrawal of money, online transactions like online purchase or booking tickets. Therefore all the data of the customer that is stored by the Aztec should be kept very confidential.

Hijacking the Account

Customers of the Aztec uses password to access the resources of the cloud services, if their accounts gets hijacked or being stolen then the password of the user credential gets misused or modified by the hacker (Rao & Selvamani, 2015).

DoS attack

Some of the organizations require their system or data to be available all the 24 hrs in 7 week days. The cloud service providers provide the sources that are being distributed among all the clients. If the hacker make use of the sources provided by the service providers, then it is known as the denial of service attack (Rao & Selvamani, 2015).

Thus the project of the migration of critical applications to the cloud computing services is being reviewed by addressing the data security issues by considering the type of the data, data flow and access to the data.

Conclusion

The project of migrating the critical applications to the cloud which is decided by the Aztec is taken for the analysis. The threats and the vulnerabilities that may arise because of this migration is discussed. The Security posture that is occurred in the current IT policies and procedures of the Aztec is compared in contrast with the migration to the cloud services. The Data Security in the cloud computing is being discussed and the type of data, access to the data is mentioned. Thus it is concluded that the host offerings of the cloud may be beneficial in some aspects and it is critical for achieving the security in customer data. The organization may think twice to adopt this kind of migration.

References

2013). A COMPREHENSIVE SURVEY ON SECURITY ISSUES IN CLOUD COMPUTING AND DATA PRIVACY LAW IN INDIA. International Journal ofResearch in Engineering and Technology, 02(01), 11-18. doi:10.15623/ijret.2013.0201003

Balbás, A., & Garrido, J. (2014). Special Issue on Risk Management Techniques for Catastrophic and Heavy-Tailed Risks. Risks, 2(4), 467-468. doi:10.3390/risks2040467

Dahbur, K., Mohammad, B., & Tarakji, A. (2011). Security Issues in Cloud Computing. International Journal of Cloud Applications and Computing, 1(3), 1-11. doi:10.4018/ijcac.2011070101

Douglass, M. (2009). 10 steps to managing risk in long-term care. Perspectives in Healthcare Risk Management, 12(3), 15-21. doi:10.1002/jhrm.5600120307

Elavarasan. G, & Dr. Veni. S. (2015). A Review on Security Threats and Vulnerabilities in Cloud Computing. International Journal of Engineering Research and, V4(07). doi:10.17577/ijertv4is070073

Grobauer, B., Walloschek, T., & Stocker, E. (2011). Understanding Cloud Computing Vulnerabilities. IEEE Security & Privacy Magazine, 9(2), 50-57. doi:10.1109/msp.2010.115

Grundey, D. (2008). Simulative Research in a Financial Institution: Improving Service Quality in Lithuanian Banking Sector. JOURNAL OF INTERNATIONAL STUDIES, 1(1), 36-45. doi:10.14254/2071-8330.2008/1-1/4

Gupta, K., & Katiyar, V. (2016). Energy Aware Virtual Machine Migration Techniques for Cloud Environment. International Journal of Computer Applications, 141(2), 11-16. doi:10.5120/ijca2016909551

Hashizume, K., G Rosado, D., Fernández-Medina, E., & B Fernandez, E. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications.

How Cloud is Being Used in the Financial Sector: Survey Report. (2015).

Huang, D., Yi, L., Song, F., Yang, D., & Zhang, H. (2013). A secure cost-effective migration of enterprise applications to the cloud. International Journal of Communication Systems, 27(12), 3996-4013. doi:10.1002/dac.2594

Javaid, M. (2013). Top Threats to Cloud Computing Security. SSRN Electronic Journal. doi:10.2139/ssrn.2325234

122. Sunitha, K., V. Tejaswini, V., & S.K. Prashanth, S. (2012). Ensuring Availability and Integrity of Data Storage in Cloud Computing. Paripex - Indian Journal Of Research, 2(2), 119-122. doi:10.15373/22501991/feb2013/40

Kaufman, L. (2009). Data Security in the World of Cloud Computing. IEEE Security & Privacy Magazine, 7(4), 61-64. doi:10.1109/msp.2009.87

Kumar, N., & Saxena, S. (2015). Migration Performance of Cloud Applications- A Quantitative Analysis. Procedia Computer Science, 45, 823-831. doi:10.1016/j.procs.2015.03.163

Lindqvist, K. (2013). Making sense of financial incentive as a policy tool for the independent arts sector. Public Policy and Administration, 28(4), 404-422. doi:10.1177/0952076713483300

Omotunde, A., Adekogbe, F., Ernest, O., & Uchendu, P. (2016). Cloud Computing: An Overview of Data Security Issues. Communications on Applied Electronics, 5(9), 14-19. doi:10.5120/cae2016652363

On-premise vs. cloud-based solutions. (2017). .

Papanikolaou, N., Pearson, S., Mont, M., & Ko, R. (2014). A toolkit for automating compliance in cloud computing services. International Journal of Cloud Computing, 3(1), 45. doi:10.1504/ijcc.2014.058830

Rai, D., Bunkar, R., & Mishra, V. (2014). Data Security and Privacy Protection Issues in Cloud Computing. IOSR Journal of Computer Engineering, 16(1), 39-44. doi:10.9790/0661-16193944

Rao, R., & Selvamani, K. (2015). Data Security Challenges and Its Solutions in Cloud Computing. Procedia Computer Science, 48, 204-209. doi:10.1016/j.procs.2015.04.171

Rashid, F. (2017). The dirty dozen: 12 cloud security threats. InfoWorld.

Security Posture Assessment | Locuz. (2017). Locuz.

Singh, J., Powles, J., Pasquier, T., & Bacon, J. (2015). Data Flow Management and Compliance in Cloud Computing. IEEE Cloud Computing, 2(4), 24-32. doi:10.1109/mcc.2015.69

Sheetlani, D. (2017). The Vulnerabilities of Cloud Computing: Security Threats. IOSR Journal of Computer Engineering, 19(02), 36-43. doi:10.9790/0661-1902053643

Survey on Cloud Computing Security Algorithms. (2016). International Journal of Science and Research (IJSR), 5(4), 1865-1867. doi:10.21275/v5i4.nov161684

THE BENEFITS OF CLOUD COMPUTING FOR THE BANKING & FINANCIAL INDUSTRY. (2017). Global Banking And Finance Review Magazine – Financial & Business Insights.

Tripwire, I. (2017). Regulatory Compliance in the Cloud. The State of Security.

Wang, X., & Wang, L. (2016). A cloud-based production system for information and service integration: an internet of things case study on waste electronics. Enterprise Information Systems, 1-17. doi:10.1080/17517575.2016.1215539

What is Cloud Compliance? - Definition from Techopedia. (2017). Techopedia.com.

Yimam, D., & Fernandez, E. (2016). A survey of compliance issues in cloud computing. Journal of Internet Services and Applications, 7(1). doi:10.1186/s13174-016-0046-8

Zanoon, N. (2015). Toward Cloud Computing: Security and Performance. International Journal on Cloud Computing: Services and Architecture, 5(5/6), 17-26. doi:10.5121/ijccsa.2015.560