Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Cloud Security Risk Assessment for Aztec

Verified

Added on 2020/03/23

AI Summary

This assignment delves into a cloud security risk assessment for a hypothetical financial institution named Aztec. It employs the STRIDE threat modeling framework to identify potential risks such as data breaches, system vulnerabilities, and insider threats. The analysis highlights the criticality of these risks but also emphasizes the mitigating countermeasures and cost savings associated with cloud adoption. Ultimately, the assignment concludes that despite the inherent risks, transitioning to a cloud model is both necessary and advisable for Aztec.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Migrating business-critical applications and their associated data sources to an external Cloud
hosting solution
<Name>
<Institution>

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Executive Summary
Cloud computing has concurrently transformed government and business’ deployment of IT
infrastructure and introduced new security threats, at an unprecedented pace. With cloud
computing, delivery of business-supporting technologies is currently more efficient than never
before. The technology approach has made it possible for businesses and especially startups to
deployed advanced computing services and application with zero spending on server
infrastructure. The advances have however introduces a myriad of security challenges, while
amplifying the existing forms of vulnerabilities.
This paper presents an IT Risk Assessment for the intended migration of the Aztek’s business-
critical applications and data to an external Cloud hosting solution. Aztek being a financial
service provider is under the regulation of the Australian Prudential Regulation Authority
(APRA). APRA considers cloud computing as a form of outsourcing, and requires that all
organizations that fall under it to conform to set rules and regulations that govern outsourcing.
The project has to comply with a number of personal data protection laws and regulations.
One particular legal regulation that the project has to comply with is Australia’s Privacy Act and
its enhanced version; The Privacy Amendment (Enhancing Privacy Protection) Act 2012. The
Act outlines thirteen key Australian Privacy Principles (APPS). The Australian Privacy Act
primarily regulates the collection and handling of personal information of individuals.
Before the project can commence, Aztek must comply with measures put in place by APRA,
which enable outlines prudent practices, which have to be put in place before adopting the
technology. The main standards passed by APRA include the Prudential Standard SPS 231
introduced in 2012 and Prudential Standard CPS 231 published in 2014. The standards obligate
an entity like Aztek to carry out thorough due diligence, approval and continuous monitoring of
any arrangements relating to outsourcing of services. The standards also require that an
enterprise mush identify risks and means of managing them, to ensure that an institution is able
to meet its obligations to its beneficiaries. Other requirements include;
 Aztek has to demonstrate the ability to continue with normal operations even when
accesses to cloud services are interrupted for one reason or another.
 Demonstrate that even with a migration to the cloud or outsourcing, an entity still
maintains the level of quality of services and security of sensitive data and information.

 Demonstrate that such a move will not go against any legislative and prudential
requirement
 And that such a move does not introduce any technical, contractual or jurisdictional
issues which may inhibit APRA’s ability to carry out its regulatory duties.
For purposes of risk assessment the STRIDE threat model will be used. The model classifies the
threats from the viewpoint of an attacker – primarily focusing on what motivates an attacker. The
model focuses on six fundamental areas of security, Spoofing Identity, Tampering with Data,
Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege.
The identified risks include;
 Data breaches
 Compromised credentials and broken authentication
 Insecure cloud Interfaces and APIs
 System Vulnerabilities
 Account and service hijacking
 Malicious insiders
 Advanced Persistent Threats (APTs)
 Data Loss
 Insufficient Due Diligence
 Cloud service abuses
 Denial of Service Attacks
 Shared Technology Vulnerabilities
The identified and classified security risks are critical especially for a financial institution.
However, counter-measures available to mitigate risks, and the cost saving realized through
deployment of applications on a cloud platform outweighs the risks. As such, an adoption of the
cloud model is necessary and advisable.

1.0 Introduction
This paper presents an IT Risk Assessment for the intended migration of the Aztek’s business-
critical applications and data to an external Cloud hosting solution. Aztek operates in the
Australian Financial Services sector. The sensitive of data held by a financial institution
necessitates that a thorough risk assessment be carried out, followed by development of risk
management plans. Aztek being a financial service provider is under the regulation of the
Australian Prudential Regulation Authority (APRA). APRA considers cloud computing as a
form of outsourcing, and requires that all organizations that fall under it to conform to set rules
and regulations that govern outsourcing. One of the requirements for APRA regulated
institutions is a mandatory risk assessment and documentation before outsourcing any of their
operations.
Before moving any operations to the cloud, the company has to carry out adequate assessments,
to identify if such a move will go against any of the laws governing the operations of a financial
institution. This is because the institution is also bound by Australia’s Privacy Act, which puts
strict regulations on collection and handling of personal and sensitive information.
With all these regulations to be complied with, this paper identifies the risks associated with
migrating data processing and storage to a third party, in this case migrating to the cloud. The
goal is to identify risks associated with cloud computing, and specifically as they apply to the
case of Aztek.
2.0 A review of the project with respect to the Financial Services sector laws and
regulations
This project intends to migrate business-critical applications and their associated data sources to
an external Cloud hosting solution. As the company operates in the Financial Service sector, the
project must first through various tests to ascertain if it conforms with set laws, and industry
regulations. The project has to comply with a number of personal data protection laws and
regulations. One particular legal regulation that the project has to comply with is Australia’s
Privacy Act and its enhanced version; The Privacy Amendment (Enhancing Privacy Protection)
Act 2012. The Act outlines thirteen key Australian Privacy Principles (APPS). The Australian

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Privacy Act primarily regulates the collection and handling of personal information of
individuals (Khoury, 2017).
According to the Privacy Act, personal information is defined as any information can identifies
an individual directly or can be used to reveal the identity of the individual with some analysis
(Khoury, 2017). The Act classifies some personal information as being sensitive; this includes;
information about an individual’s health, genetics information, race, financial information such
as credit rating, religion, philosophical or political beliefs and affiliations, race and ethnicity
among many more (Khoury, 2017). Before migrating to the cloud, Aztek has to provide
certainty that the privacy of such information is not compromised in anyway.
With regards to the industry’s regulations and compliance, Aztek’s cloud migration project has
to comply with the guidelines given by the Australian Prudential Regulation Authority (APRA).
APRA understands that while cloud-computing brings substantial benefits to enterprises, such as
ease of scalability, increased agility and economics of scale, adopting cloud computing exposes a
financial service provide to the inherent information systems risks; thereby necessitating a
greater degree of supervisory interest and caution (Khoury, 2017). Despite the risks, APRA has
put measures that enable entities controlled by it – also referred a Registrable Superannuation
Entity (RSE) , such as Aztek – to adopt cloud computing, by outlining prudent practices, which
have to be put in place before adopting the technology (Ramsay, 2015).
The need to give guidance to the industry has seen APRA pass a number of regulations that
relates to outsourcing of services for RSE licensees. In November of the year 2012, APRA
published the Prudential Standard SPS 231 which was followed up by the passing of the
Prudential Standard CPS 231 in August 2014. The published standards obligate an entity like
Aztek to carry out thorough due diligence, approval and continuous monitoring of any
arrangements relating to outsourcing of services (Ramsay, 2015). The standards also require that
an enterprise must identify risks and means of managing them, to ensure that an institution is
able to meet its obligations to its beneficiaries.
One requirement for an APRA-regulated entity is that it can only uptake outsourcing - and by
extension cloud computing - after evaluating and understanding the risks associated with the

move, and putting in place adequate measures to mitigate or manage the risks (Ramsay, 2015).
Other measures that need to be put in place include;
 An entity has to demonstrate the ability to continue with normal operations even when
accesses to cloud services are interrupted for one reason or another.
 Demonstrate that even with a migration to the cloud or outsourcing, an entity still
maintains the level of quality of services and security of sensitive data and information.
 Demonstrate that such a move will not go against any legislative and prudential
requirement (Ramsay, 2015).
 And that such a move does not introduce any technical, contractual or jurisdictional
issues which may inhibit APRA’s ability to carry out its regulatory duties.
3.0 The Project’s impact on the current security posture of Aztec
Migrating to the cloud will certainly have great impacts on Aztec’s current security posture.
Currently the company has all its IT functions locally hosted, and has all controls over storage,
processing and transmission of its data. Migrating to the cloud will shift the control to a third
party. This may, to some extent impact the company’s security posture.
With the assumption that the company is currently at the highest level of security maturity
model, otherwise called the Visionary level, migrating to the cloud will impact the organization
in some ways. Appropriate mitigation strategies will therefore be required to return the
organization to the highest level.
At the “Visionary” level of the security maturity model, an organization is characterized by the
fact that decisions are made from the perspective of a critical applications in the data center.
Each and every stakeholder within the organization, including the application team, network
operation team and the security teams know the requirements of the business and the
implications security has on the business. In addition to that, the teams are well aligned using
automated and streamlined business processes.
Migrating mission critical and data to the cloud will affect the security posture of the
organization as they do not have direct control over data, connectivity and security. The main
areas that will be affected include;

3.1 Faster security provisioning of data center applications
At this level of security maturity model, an organization is characterized by its ability to quickly
and securely enable mission critical applications to have connectivity, with the aim of ensuring
maximum server availability and delivery. Organizations have the capability to accelerate and
simplify changes in policy enabling the security to be in sync with the changing business
platform (Gottschalk, 2006).
Migrating to the cloud will affect this aspect as security controls are all in the control of the
cloud provider. Firewalls rules are largely controlled by the provider, hindering the company
from enabling automatic translation of application connectivity requirements into appropriate
firewall rules and accelerating policy changes (Gottschalk, 2006).
Mitigating this possible scenario would require the security teams at Aztek and the teams at the
cloud service provider to work together to facilitate the necessary changes, while ensuring that
such changes do not affect the security of other clients hosted on the same platform.
3.2 Aligning of the Application, security and operations teams
At the Visionary level of the security maturity model, an organization like Aztek has all the
major teams aligned and have a unified view an approach to security policy management, which
is primarily application-centric. The approach is accommodative of all the players, enabling them
work in harmony pushing towards a single goal (Gottschalk, 2006).
With the intended migration to the cloud, a number of pillars are removed from the unified stand
of the current security posture. This is because the applications are moved to the cloud and
security is shifted from the organization’s team to the cloud environment. While the operations
and applications teams experiences no significant changes, the security team is left without much
control, thus the alignment is distorted as security controls shifts to the cloud.
Mitigating the likely fall of the alignment that helps an organization remain at the highest level
of the security maturity model would necessitate the IT security team to focus on maintaining
security relating to the use of the applications and not necessary the full control they had with an

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

in-house data center. This will maintain the alignment of the team and their focus on application-
centric security policy management, even when full control has been taken by a third-party.
4.0 Risk Assessment
4.1 Assessment Model: STRIDE MODEL
For purposes of risk assessment the STRIDE threat model will be used. Developed by Microsoft,
STRIDE can be defined as a classification scheme for categorizing known security threats
(Albakri et. Al., 2014). The model classifies the threats from the viewpoint of an attacker –
primarily focusing on what motivates an attacker and the exploits used in attacks (Shostack,
2014). The model focuses on six fundamental areas of security, Spoofing Identity, Tampering
with Data, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege
(Shostack, 2014).
 Spoofing identity: Illegal access and use of authentication information of another user
such as passwords and usernames (Shostack, 2014).
 Tampering with data: entails modification of data maliciously either when the data is on
transit over the internet or in storages such as data held in databases (Shostack, 2014).
 Repudiation: Threats that come about by the inability to prove that a given user
performed a certain illegal action on the system. With repudiation, a user may perform an
illegal action and deny ever doing it, while the other party may have no means of proving
that the user performed the action (Shostack, 2014).
 Information disclosure: this category of threat involves unauthorized information
exposure to unauthorized individuals; such as the ability of an intruder to access and read
data being transmitter over the internet (Shostack, 2014).
 Denial of service: involves denying service access to valid users; affects the reliability
and availability of the service or system.
 Elevation of privilege: having privileged access to the entire system by unprivileged
user; this may occur when a hacker penetrates the defenses of a system and accesses the
system as a trusted system or user (Shostack, 2014).

With the guidance of the STRIDE model, the following risks were identified and classified as
critical to the project of migrating data and mission-critical systems to the cloud;
4.2 Data breaches
Cloud environment faces similar threats as those facing convectional corporate networks.
However, the huge amount of data stored on cloud servers acts as a motivating factor and
attraction for attackers (CSA, 2016). Severity of this risk largely depends on the sensitivity of
data. For the case of a financial institution like Aztek, a data breach would be extremely
damaging. This risk has the potential of not only revealing personal information but also critical
personal financial information, which may be used illegally leading to financial losses to the
company’s customers (CSA, 2016).
4.2.1 Business Impacts to Aztek
Data breaches that have occurred in the past have resulted in financial losses by the company
affected due to fines, litigations and compensations to clients who may have lost money from the
incidence (CSA, 2016). The resulting mandatory breach investigations are also costly increasing
financial losses. Indirect effects may have long term effects to the company such as loss of
business and brand damage. Although various cloud services providers invest heavily in
deploying security controls for protecting their platforms, the ultimate responsibility is on the
company to protect its data in the cloud.
4.3 Compromised credentials and broken authentication
The main cause of data breaches is laxity in authentication, poor management of certificates and
keys and weak passwords (CSA, 2016). Identity management is a major issue to most
organizations, as they face challenges in allocating permissions that coincide with the user’s
roles in an organization. Critically, organizations tend to fail to remover user accounts when a
user leaves the organization or their job roles changes.
The threat of compromised credentials touches on both the cloud provider and the company
deploying on the cloud (Chou, 2015). As such, Aztek has to vet the security measures deployed
by the service provider for protecting the identity platform. While some cloud providers offers a

centralized repository for identity management, such a service is risky as it may become a high
value target (Chou, 2015).
A third dimension of this risk relates to secure development of systems that are to be deployed
on the cloud. If for example Aztek’s systems are vulnerable, then no matter the amount of
protection offered by the cloud provider, such systems may easily be compromised.
Developers may make a mistake of embedding cryptographic keys and credentials in the code,
which can easily be recovered through reverse engineering of the code (Chou, 2015). As such,
credentials and keys require that they are appropriately protected.
4.3.1 Business Impacts
Malicious attackers camouflaged as genuine users, developers or operators can snoop on data,
read, modify and delete data and even assign access roles to malicious accounts. Consequently
the risk of insufficient or compromised identity, key and credential manager can facilitate access
to data by unauthorized users leading to damaging and catastrophic effects to the business.
4.4 Insecure Interfaces and APIs
Current cloud service providers offer application and service APIs and interfaces which are used
by IT experts to interact and manage services on the cloud. The interfaces and APIs offer access
to services such as cloud monitoring, orchestration, management and cloud provisioning (CSA,
2016). The security of the APIs play a critical role as cloud services availability and security –
from activity monitoring, encryption to access control and authentication. If weak APIs are
provided by a cloud provider, they can expose an organization to a myriad of security
vulnerabilities related to accountability, availability, integrity and confidentiality (Drissi,
Houmani & Medromi, 2013). This is primarily because a weakness on the APIs can easily be
exploited as they are generally accessible from the internet; hence they are the most exposed part
of a system.
4.5 System Vulnerabilities
These are bugs in software applications which be used as points of infiltration to a computer
system, with the aim of disrupting operation of services, taking control of the system or stealing
data (Drissi, Houmani & Medromi, 2013). In a case where a service provider's operating system

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

or its components have vulnerabilities, the security of all hosted applications and services is
compromised.
Although bugs have existed from the inception of computers, their exploitability has come of age
with the widespread use of networks (CSA, 2016). Cloud computing raises the threat with its
multi-tenancy nature, as one server can host numerous applications and databases creating an
attractive attack surface for hackers.
While damages from exploitation of vulnerabilities are substantial, the attacks can easily be
mitigated by use of primary IT processes, such as prompt installation of security patches and
upgrade of systems as well as periodic vulnerability assessments (CSA, 2016).
4.5.1 Business Impacts
Vulnerabilities on critical systems can have profound ramifications on the security of systems
hosted on the cloud. But with most cloud providers away of this, measures to protect the systems
are constantly updated. The cost of assessing and repairing vulnerabilities is minimal, by
comparison to other IT processes.
4.6 Account hijacking
Although service hijacking is an old security threat, convectional and basic methods of attack
such as fraud, phishing and vulnerabilities exploitation are still successful (Erturk & Rajan,
2017). In an environment where stringent passwords and credential policies are not in place,
users re-use the passwords over and over, enabling and amplifying the impact of such attacks
(CSA, 2016). Cloud computing a new dimension to the threat; if attackers use phishing to get
user’s credentials, they can access and modify data, manipulate transactions and eavesdrop on
activities. Access to the cloud platform can give attackers a platform for launching attacks (CSA,
2016).
4.6.1 Business Impacts
Service and account hijacking resulting from stolen credentials is a major threat on the cloud.
This is because access to cloud computing services is over the internet, meaning an attacker can
easily access the services from anywhere. Such an attacker has access to data, information and
services, thus compromising integrity, confidentiality and even steals data – affecting the brand
and reputation of companies hosted on the platform and the cloud provider as well.

4.7 Malicious insiders
Insider threat is one of the most difficult to control security aspect (CSA, 2016). This can be a
former employee, a business partner, a contractor or even a current employee, with legitimate
access to the system. Such an individual can misuse the access in a way that affects the
availability of the information systems, as well as confidentiality and integrity of data hosted on
the platform; mostly driven by an agenda to revenge or steal data (CSA, 2016). The danger with
this risk is that it cannot be contained by convectional security measures such as encryption,
since one can be a legitimate system user, with privileged access on the system.
4.8 Advanced Persistent Threats
Advanced Persistent Threats (APTs) are cyber attacks that take the form of a parasite, to
infiltrate computer systems and establish a footing in an organizations IT infrastructure, from
where they remit data and intellectual property to an attacker, without being noticed (CSA,
2016). This form of parasitic attack is very sophisticated as they are able to stealthily camouflage
as legitimate processes, helping them adopt their operations to the set security measures put in
place to defend the system (Chou, 2015). The main points of entry of APTs include delivery of
attack code in a USB device, unsecured networks, and system hacking and spear phishing.
Detecting and eliminating APTs are difficult, but proactive security measures can help in
stopping them. This may include sensitizing system users on social engineering techniques
commonly used to inject APTs into the systems.
4.9 Permanent data loss
The possibility of losing data permanently is very terrifying for a business and even an
individual. On a cloud platform, besides malicious attacks, data can be deleted accidentally by
the service provider, or in the worst case, an occurrence of a catastrophic event such as a fire or
an earthquake (Chou, 2015). The problem can be more devastating if the cloud provider does not
have an offsite backup. However, with maturity of the cloud computing services, incidences
relating to permanent loss of data are extremely rare.

This risk is properly handled by most cloud services providers by having distributed application
and data centers across multiple geographical sites, which can even be on different continents
(Chou, 2015). This is combined with measures and policies that ensure disaster recovery and
business continuity. Although the risk is largely on the cloud provider to mitigate, an
organization whose data are hosted on the cloud has the duty of excising caution as losing an
encryption key on data that was encrypted and uploaded to the cloud would result in permanent
loss of the data (Chou, 2015).
4.9.1 Business Impacts
Although very rare, a permanent loss of data would be detrimental to a financial services
provider like Aztek. Data and information is the lifeblood of a Financial Services company and
loosing data may result in financial losses, law suits and may result to failure to comply with
regulatory policies, which stipulate how long an organization must retain certain data such as
audit records.
4.10 Insufficient Due Diligence
Before embracing cloud computing, there is need to fully understand the environment and risks
associated with it (Chou, 2015). An organization migrating to the cloud without understanding
the many risks in compliance, legal, technical, financial and commercial risk that come with
adopting a cloud based solution, exposes itself to failure (Brodkin, 2008). As such due diligence
has to be applied when considering adopting cloud computing, which is key to understanding the
risks associated with each cloud service.
4.10.1 Business Impact
Technically, an organization may face challenges when trying to deploy applications that were
not designed by individuals unfamiliar with cloud computing technologies.
Legal: cloud computing traverses international borders, and data held on a foreign location may
subject an organization to regulatory redress (Paxton, 2016).
Compliance: with cloud computing, internal security controls on data and network-level data
privacy may be lost, rendering an organization non-compliant to some industry regulations

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

4.11 Cloud service abuses
Any security weakness on a cloud platform - especially cloud services such as SaaS, PaaS and
IaaS - may expose the platform to malicious use (Chou, 2015). This may include of the cloud
platform to launch attacks such as Denial of Service attacks and hosting of malicious websites.
Owing to the fact that cloud computing provides access to superior computing platforms and
higher processing power, the platforms can also be used to break encryption keys (CSA, 2016).
4.11.1 Business Impacts
Customers hosted on the same platform where malicious activities are running may have their
services interrupted. An attack on a cloud provider makes them unable to provide required
services thus affecting customers hosted on the platform (Paxton, 2016). This risk impacts the
availability of services of companies hosted on the platform.
4.12 Denial of Service Attacks
Denial-of-service (DoS) and DDoS attacks inhibits user access to computing resources and
services, by inducing intolerable system slowdown. The general nature of cloud computing is
that a customer pays for services used (CSA, 2016). With this, an attack can be launched on an
organization with the intention of increasing the bill that will be changed by the cloud service
provider. This is a form of economic DoS, which acts in a way that increases resource
consumption by a customer's applications, resulting in a huge bill - which a startup company
may not be able to pay (CSA, 2016).
4.12.1 Business Impacts
DoS cause frustrations, and may lead to loss of business if customers access an organization's
services online. Cloud billing is based on consumed resources such as disk space and compute
cycles; a DoS may be launched without completely shutting the service, but with the intention of
consuming more resources, which translates to a huge amount to be paid to the provider (Paxton,
2016). DoS attacks are also used to camouflage and facilitate other attacks; as security teams
concentrate on DoS resolution, more severe attacks take place unnoticed.
4.13 Shared Technology Vulnerabilities

A cloud platform facilitates scalability of services by utilizing multi-tenancy approach, where
applications, platforms and infrastructure are shared (CSA, 2016). Sometimes underlying
hardware components such as GPUs and CPUs may not be capable of offering strong isolation
properties for a shared platform. This may result in exploitable shared technology vulnerabilities
(CSA, 2016). An attacker may access data being processed by a CPU. Such vulnerabilities in
shared technology pose substantial risks to cloud computing (Erturk & Rajan, 2017).
4.14 Business Impacts
Any compromise of any part of the shared technology such as a shared application, platform or
hypervisor results in a system-wide compromise, exposing the entire computing environment
(Pearson, 2013). Such a compromise may result in data breach. This risk is particularly
dangerous as it can affect all customers hosted on a given cloud.
5.0 Data Security
In terms data security, a migration to a cloud platform will mean that data – including critical and
personal information, leaves the corporate network to a third-party platform (Erturk & Rajan,
2017). The cloud provider may provide more advanced data protection measures than even in-
house data centers, but the main issues arises with data being transmitted over the internet.
Conventionally, with an in-house data center, data flows from the staff’s workstations to the
servers over a secure local area network. With the adoption of cloud computing, data will have to
be sent to an external location. Most cloud computing service providers facilitates establishment
of secure modes of accessing data, such as us of private virtual networks (VPN), ensuring data
security even when it leaves the boundaries of an organization. VPNs therefore provides a means
of mitigating security threats inherent on the internet, that would otherwise expose the

organization’s data as it flows from users to the storage location in the cloud (Erturk & Rajan,
2017).
A second major threat to data on transit is the hijacking of data, when attackers are able to
compromise the VPN. This is a major risk considering the fact that personal, and especially
personal financial data will be flowing from the organization’s network to the cloud service
provider. Information hijacked while on transit would have a huge negative ramification on the
company.
To mitigate this risk, most cloud service providers and cloud service customers have to use
secure encryption and key management policies while transmitting data. With a secure
encryption scheme, even in the event that data is hijacked, information contained in such data
cannot be revealed to the attackers.
6.0 Conclusion
This paper has outlined risks associated with migrating to a cloud service platform. While cloud-
computing brings substantial benefits to enterprises, such as ease of scalability, increased agility
and economics of scale, adopting cloud computing exposes a financial service provide to the
inherent information systems risks; thereby necessitating a greater degree of supervisory interest
and caution. Aztek being a financial service provider is under the regulation of the Australian
Prudential Regulation Authority (APRA). The institution is also bound by Australia’s Privacy
Act, which puts strict regulations on collection and handling of personal and sensitive
information. The standards obligate an entity like Aztek to carry out thorough due diligence,
approvals and continuous monitoring of any arrangements relating to outsourcing of services. It
also obligates an enterprise to identify risks and means of managing them, to ensure that such an
institution is able to meet its obligations to its beneficiaries.
Migrating to the cloud will certainly have great impacts on Aztec’s current security posture. For
purposes of risk assessment the STRIDE threat model was used. The main risks identified
include; Data breaches, vulnerabilities on systems, Insecure Interfaces and APIs, Malicious

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

insiders, Denial of Service Attacks, Shared Technology Vulnerabilities, Advanced Persistent
Threats and Data loss.
The identified and classified security risks are critical especially for a financial institution.
However, counter-measures available to mitigate risks, and the cost saving realized through
deployment of applications on a cloud platform outweighs the risks. As such, an adoption of the
cloud model is necessary and advisable.
References
Albakri, et Al. (2014). Security risk assessment framework for cloud computing
environments. Security and Communication Networks, 7(11), 2114-2124.
Brodkin, J. (2008). Gartner: Seven cloud-computing security risks. Infoworld, 2008, 1-3.

Chou, D. C. (2015). Cloud computing risk and audit issues. Computer Standards &
Interfaces, 42, 137-142.
CSA Top Threats Working Group. (2016). The Treacherous 12: Cloud Computing Top Threats
in 2016. Cloud Security Alliance (CSA), Feb.
Ramsay, D. (2015). Legal risk what, why and how?. Governance Directions, 67(2), 90.
Drissi, S., Houmani, H., & Medromi, H. (2013). Survey: Risk assessment for cloud
computing. International Journal of Advanced Computer Science and
Applications, 4(12), 2013.
Erturk, E., & Rajan, A. (2017). Web Vulnerability Scanners: A Case Study. arXiv preprint
arXiv:1706.08017.
Gottschalk, P., & Solli-Sæther, H. (2006). Maturity model for IT outsourcing
relationships. Industrial Management & Data Systems, 106(2), 200-212.
Khoury, F. (2017). Expanded risk management requirements for responsible
entities. Governance Directions, 69(8), 484.
Latif, R., Abbas, H., Assar, S., & Ali, Q. (2014). Cloud computing risk assessment: a systematic
literature review. In Future Information Technology (pp. 285-295). Springer, Berlin,
Heidelberg.
Pearson, S. (2013). Privacy, security and trust in cloud computing. In Privacy and Security for
Cloud Computing (pp. 3-42). Springer London.

Paxton, N. C. (2016, November). Cloud security: a review of current issues and proposed
solutions. In Collaboration and Internet Computing (CIC), 2016 IEEE 2nd International
Conference on (pp. 452-455). IEEE.
Shostack, A. (2014). Threat modeling: Designing for security. John Wiley & Sons.

1 out of 19

+13062052269

info@desklib.com

Cloud Security Risk Assessment for Aztec

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Cloud Computing: Security & Privacy

Cloud Computing Security and Risks

IT Risk Assessment Case Study

Cloud Computing Security Analysis

IT Risks Associated with Cloud Computing and a Case Study of Data Breach Attack on Svitzer

Mitigating Risks in Cloud Computing