Management of Security Risks in CBA After Cloud Implementation

Added on  2020/03/23

Case Study
AI Summary
This case study examines the Commonwealth Bank of Australia's (CBA) shift to cloud computing and the associated security risks. The report details CBA's cloud adoption, benefits like cost reduction and efficiency, and the multi-contributor cloud model. It analyzes the bank's IT resource genres, the transition process, and the challenges encountered, including social, supplier, and innovation challenges. A significant portion of the study focuses on cloud-related security concerns, CBA's risk assessment, and recommended threat alleviation measures. The report concludes with suggestions for mitigating these risks and ensuring data security within the cloud environment. The study emphasizes the importance of aligning cloud service providers with CBA's security standards and policies, facilitating dynamic workload transitions, and leveraging the benefits of a pay-as-you-use cloud platform. It provides a comprehensive overview of the security considerations in cloud implementation within the financial sector.
Table of Contents
Executive Summary
1. Introduction
2. Benefits and Risks of Cloud Computing
3. Commonwealth Bank of Australia Overview
4. Resource genres of CBA’s IT
5. Shifting to Cloud Computing
6. Multi-Contributor Prototype of CBA
6.1. Cloud Model Framework of CBA
7. Advantages of CBA Cloud Service Model
8. Examples of CBA’s Cloud Advantages
9. Difficulties of Moving to a Multi-Provider Cloud Model
9.1. Social Challenges
9.2. Supplier Challenges
9.3. Innovation Challenges
10. Cloud Risks and Vulnerabilities confronted in CBA
10.1. Security Concerns
10.2. CBA Risk Assessment
11. Security Requisites and Recommended Threat Alleviation Measures
11.1. Threat Alleviation Measures
12. Suggestions
13. Conclusion
14. References
Executive Summary
Cloud computing is the catchphrase among current technologies. It resembles grid computing in the processing power and storage it implies, but the facilities it provides are comparatively greater than those of the grid computing model.
Financial-sector organizations in Australia are now moving their business solutions to cloud computing. Yet many organizations in Australia, typically financial firms, still depend heavily on their in-house infrastructure. Financial firms can obtain financial benefits by implementing both private and public cloud models (Borking & Raab, 2010).
However, organizations that deploy cloud are wary of the risk of leaking confidential information. Most financial firms implement the private cloud model because of its higher data security compared with other models.
This report is a case study of the Commonwealth Bank of Australia (CBA). It illustrates the advantages of using an external cloud solution and the steps to avoid the risks that arise from it, and it analyzes the method and reasons for the cloud-based solution in CBA. Cloud service providers must align with the security standards and policies defined by CBA in order to make a short-term agreement with the bank.
CBA has the flexibility to move workloads dynamically between cloud service suppliers and so gain a competitive advantage. In this manner, a pay-as-you-use cloud platform is incorporated in CBA.
The report also discusses suggestions and recommendations for mitigating the security risks associated with the cloud solution.
1. Introduction:
CBA employs a multi-provider cloud solution for critical business applications, which allows those applications to be transferred repeatedly between cloud providers. Since CBA moved its in-house infrastructure to a cloud strategy, administration charges and the time for executing business processes have been significantly reduced by 40% (Cavoukian & Crompton, 2001). To implement cloud, CBA requires in-house abilities for designing complicated information technology solutions, for administering the external cloud providers, and thereby for controlling the development of applications.
2. Benefits and Risks of Cloud Computing
The implementation of cloud computing transforms the responsibility of Information Technology. The IT function performs the role of “IT negotiator” by moving the organization’s business departments to an external, cloud-based IT solution rather than in-house IT components. According to cloud computing research conducted by Forrester, the international market was $15 billion in 2010 and $78 billion in 2014, and it will reach about $240 billion in 2020 after the deployment of cloud computing technology.
Cloud providers such as IBM, Amazon, Microsoft, and Google have persuaded most IT companies around the globe of the advantages and importance of cloud computing. Even firms with mission-critical security requirements, such as banks and other financial organizations, are transferring their own IT services to the cloud. The strongest arguments for cloud computing include efficiency, cost reduction, prospects for rapid development, and flexibility.
Many IT organizations claim that cloud computing has made their IT processes easier and enhanced information security. According to many business managers, the cloud transformation has enabled innovation and changed the organizational infrastructure.
In addition, many concerns arise after the deployment of cloud computing. Cloud service providers address data sovereignty issues and other security issues related to the region where the cloud is deployed. Even then, some cloud computing problems remain. IT managers worry that lost IT capabilities, long-term business agreements, and technological lock-in result in higher reliance on cloud providers.
After the deployment of cloud computing, IT managers no longer have the ability to manage the IT platform directly. Even though cloud computing increases the performance of the Commonwealth Bank of Australia (CBA), compatibility and other problems arise for the IT managers working in the organization once it has adopted cloud computing (Hall & Liedtka, 2007).
Employing an external cloud solution reduces IT infrastructure costs as well as application provisioning and development costs.
The insights provided by CBA’s cloud approach are listed below.
- Cloud standards are defined and imposed across the cloud service providers to permit switching between providers.
- Flexible short-term contracts are negotiated with the cloud providers so that the organization has market pricing at all times.
- Highly efficient IT solutions can be obtained by completely retaining all the in-house capabilities of the IT department in CBA. In this way, they become effective “IT mediators” for integrating external and in-house IT components.
- Business applications that cannot be outsourced to the cloud are kept outside the cloud life-cycle events, and the cloud mitigation must be prioritized.
- CBA embraces and implements high corporate-level cloud standards (Horrigan, 2008).
3. Commonwealth Bank of Australia Overview
CBA is one of the largest international banks, with headquarters in Sydney, Australia. It was established in 1911 by the federal government of Australia, and the bank was privatized in 1991 (Pearson, Casassa, Crane & Herrmann, 2005). There were about 50,000 employees in 2014, of whom 6000 belonged to the IT and operations segments. The total assets administered by CBA are about 750 billion dollars (Jensen, Schwenk, Gruschka & Iacono, 2014).
CBA is a reputed organization and one of the top 20 consumers of IT across the globe. CBA accomplished many IT projects to attain this status. The major one is the “Which New Bank” project, carried out during 2003-2005. Another important project is CBA’s core banking system, developed during 2007-2012 (Google App Engine, 2017). With the evolution of cloud computing, CBA became successful in its business, as discussed in the following sections.
4. Resource genres of CBA’s IT
The most complicated IT environments are found in the financial industry, especially banks. Achieving customer trust is difficult for banks, and that trust depends on IT compliance, IT system availability, and data security, all of which are affected by cloud computing technology.
For instance, achieving IT compliance is more difficult for banks when employing cloud computing. Many regulatory requirements exist, and CBA operates according to the corresponding regulatory needs. Storing financial data in regions other than Australia is prohibited by Australian federal law.
After leading the way to cloud computing, CBA faced many challenges and risks because cloud service providers operate in other countries, i.e. the USA. Even though factors such as availability, compliance, and data security complicated the move to a cloud computing solution, they did not discourage the approach (Rose, 2011).
Before implementing the cloud computing approach, CBA employed two types of external IT sourcing models. In the first sourcing model, CBA contracted out the IT requirements of the organization to Enterprise Data Systems or Hewlett-Packard Enterprise Systems under a 10-year agreement.
Cost components were placed in the single-provider contract, but these were long-term contracts with fixed charges and assured capacity.
Under the first model, CBA reduced the number of in-house IT employees, since Enterprise Data Systems provided most of the IT services to CBA. Because of this arrangement, CBA lost some of its in-house IT capabilities. This loss of capability caused difficulties in coordinating new services. CBA faced IT-related concerns both within the internal departments of the bank and with Enterprise Data Systems.
After facing these challenges, CBA decided to implement a scheme for creating an IT vision, restructuring the IT function, and retaining IT capability. After implementing the scheme, CBA was noted for successfully finishing major IT tasks.
In the second model, CBA used the retained IT capabilities to deliver its IT services through multiple service providers. With this model, the bank was able to administer all the cloud providers using unique service level agreements.
After building technical expertise in a multi-provider environment, CBA started to examine cloud infrastructures by means of effective virtualization. This resulted in higher productivity and cost savings. Virtual desktops could be deployed more quickly and managed more easily than physical desktops. The IT division employees of CBA scrap various virtual desktops through the application of insignia to a physical server.
Some inefficiency remained, however, since virtual desktops require additional storage compared with physical desktops. Nevertheless, the use of virtual desktops resulted in cost savings and productivity.
By the end of the year 2000, some IT infrastructure costs recurred. To promote further cost reductions, cloud computing offered a cost-efficient pay-as-you-use model and helped the bank introduce new business applications. CBA created a new IT vision of delivering IT as a service through cloud computing.
The efficiency and availability of cloud computing were very appealing to CBA, since the volume of its workloads is not predictable. Cloud computing promised CBA the removal of additional hardware requirements and closer integration of operational processes and application development.
5. Shifting to Cloud Computing
From 2006 to 2014 the in-house IT department was led by CBA's CIO, Michael Harte, and his staff. Harte discussed cloud computing in various technical forums and influenced cloud service providers to update their delivery and deployment models (Osterwalder, 2011).
The Oracle Grid environment was the first cloud environment administered by CBA. It delivered effective and standardized database structures for business requirements. A new database object is created by modifying the configuration that identifies the source of the physical device. The main decision criterion is the separation of the database source from the rest of the database configuration.
With this configuration, new database objects are created immediately and inexpensively in CBA. Many databases, including business-critical and high-workload ones, have been moved to the cloud platform. The Oracle platform mainly provided the encouragement for building a management layer between the IT applications and the IT infrastructure (The Royal Academy of Engineering, 2007).
Oracle strengthened the cloud vision, and the positive experience supported CBA’s move to the cloud. However, the development and operations departments have IT requirements beyond databases. The Oracle platform standardized the different IT platforms, ranging from basic platforms such as a standardized Linux environment to a standardized SAP ERP server. As the final step, CBA needed to implement a platform model for its Oracle platform. This can be accomplished by adopting a model able to integrate external clouds as well as internal IT components (Mowbray, 2009).
[Figure not reproduced; legend: Security Agency, Financial Organization, Cloud Providers]
Fig 1: Adaption of Cloud in CBA for the year 2012-2014
| Influencers | Hindrances |
|---|---|
| Numerous suppliers are responsible for competitive expenses in the market, rather than a couple of suppliers with upfront agreements | Figuring of cloud by using internal social boundaries |
| Reduced time to market through the rapid provisioning of new environments | Concerns related to availability and security |
| Variable workloads with a higher aggregate volume of IT | Certain data storage options are disallowed by the regulatory system for the cloud |
| Duty related cloud acquirement of IT initiative sense | Little flexibility is perceived in the current in-house vision |
| Flexibility and guaranteed scalable expansion due to the multi-supplier cloud | Little flexibility is perceived in the current regular multi-provider cloud model |
Table 1: Influences and Hindrances of multi-provider cloud model
For instance, Table 1 compares the multi-supplier IT model with the in-house infrastructure. It summarizes the barriers that must be overcome alongside the real drivers of CBA's move to a multi-provider cloud IT sourcing model.
6. Multi-Contributor Prototype of CBA
6.1. Cloud Model Framework of CBA
The "stateless" applications are deployed, which enables the execution of the multi-provider cloud model that was picked during the year 2011. The new applications scope for the purpose of providing versatile space is due to the composing season.
The main advantage achieved with this model is that CBA's IT costs approach genuine pay-for-consumption. That is, pay-as-you-consume IT costs replace the previously fixed or stepped costs incurred by the IT function.
Likewise, applications running in the cloud use IT resources that scale automatically with CBA’s variable workloads. Finally, with this model, major development, production, and test environments are provisioned in minutes rather than weeks, reducing the time to market for banking applications and services (Cohen, Lindvall & Costa, 2004).
The model was implemented by a dedicated team formed within CBA's IT division. Other departments (e.g., for legal expertise) provided valuable assistance to this team. Externally, several cloud providers and other industry partners worked cooperatively with CBA to create and mandate cloud standards, such as application programming interfaces (APIs), across providers and across applications. This meant that CBA required cloud providers to accept its own standards (Lindell & Pinkas, 2002) rather than accepting the cloud providers' standards. In this manner, CBA gauges the characteristics of cloud providers so that this model serves as the common cloud model.
Likewise, a group of cloud providers made flexible on-demand agreements with CBA. The market for IT supply that CBA created does not offer contractual flexibility to providers that are unable to accept the standards. CBA requires new applications to use the cloud standards, which it describes as being "administered towards the cloud" (Rousseau, Sitkin, Burt & Camerer, 2011).
The top layer (CBA's applications) comprises a set of applications that adopt the cloud standards. The end users of the cloud-hosted applications are CBA's business units or customers (although they will often not care that the applications now run in the cloud). These applications use different standards depending on their individual requirements. For instance, if an application needs a SQL server, it must conform to and be certified against CBA's SQL server standard. An application requiring a web server must be certified against CBA's web server standards (McKinley, Samimi, Shapiro & Chiping, 2006).
Rather than dedicated computing resources, the business applications rely on the central multi-provider cloud management system to dynamically allocate the computing capacity they require. The model thus enables CBA to move applications and their workloads on the fly, depending on costs, performance and service level agreements for security, compliance or availability.
The multi-provider cloud management system connects the upper-layer applications to the lower-layer cloud computing infrastructure. The management system was launched in 2012 with the basic goal of dynamically determining which provider should run an application and assigning the application to that provider. The cloud management system stays inside CBA's firewall so that the bank can manage and control the overall framework. Depending on the management system's dynamic allocations, the actual computing may take place on either side of CBA’s firewall.
In this way the applications are provided with on-demand infrastructure, sourced from any provider that supports the infrastructure standards. The management system, built on ServiceMesh’s software technology, is responsible for effective execution in CBA's IT division (Berney, 2010). CBA's policies and contracts are codified in the management system and used to dynamically assign applications and their workloads to cloud providers.
This management system takes into account real-time costs and the broad security, compliance and availability requirements. It optimizes the allocation across providers on an ongoing basis within these constraints. This automated optimization reduces costs and supports the availability and performance of applications.
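The placement decision described above can be sketched as a policy check that runs before any cost comparison. This is an added example, not CBA's or ServiceMesh's code; the provider names, prices, availability figures, standard names and the `RESIDENCY_REGION` rule are constructed assumptions.

```python
from dataclasses import dataclass

RESIDENCY_REGION = "AU"  # assumption: financial data may only be processed in Australia


@dataclass(frozen=True)
class Provider:
    name: str
    region: str            # country where the workload would execute
    certified: frozenset   # bank standards the provider is certified against
    availability: float    # contracted availability, as a fraction
    unit_cost: float       # current price per compute unit-hour


@dataclass(frozen=True)
class Workload:
    name: str
    standards: frozenset   # standards the application depends on
    financial_data: bool
    min_availability: float
    units: int = 1


def violations(w, p):
    """List every policy reason that makes provider p ineligible for workload w."""
    reasons = []
    missing = w.standards - p.certified
    if missing:
        reasons.append("not certified for: " + ", ".join(sorted(missing)))
    if w.financial_data and p.region != RESIDENCY_REGION:
        reasons.append(f"data residency: {p.region} is outside {RESIDENCY_REGION}")
    if p.availability < w.min_availability:
        reasons.append(f"availability {p.availability} below required {w.min_availability}")
    return reasons


def place(w, providers):
    """Return (chosen provider or None, {rejected provider name: reasons}).

    Policy is applied first; cost is compared only among compliant providers.
    If none is compliant the result is None (fail closed), never the cheapest
    non-compliant option.
    """
    rejected, eligible = {}, []
    for p in providers:
        reasons = violations(w, p)
        if reasons:
            rejected[p.name] = reasons   # kept as an audit trail of the decision
        else:
            eligible.append(p)
    if not eligible:
        return None, rejected
    best = min(eligible, key=lambda p: (p.unit_cost * w.units, p.name))
    return best, rejected


# Constructed sample data: hypothetical providers and applications.
PROVIDERS = [
    Provider("au-internal", "AU", frozenset({"web-server", "sql-server"}), 0.999, 0.30),
    Provider("au-east", "AU", frozenset({"web-server"}), 0.9995, 0.12),
    Provider("us-west", "US", frozenset({"web-server", "sql-server"}), 0.9999, 0.05),
    Provider("sg-1", "SG", frozenset({"web-server"}), 0.995, 0.04),
]
PUBLIC_SITE = Workload("public-site", frozenset({"web-server"}), False, 0.999)
LEDGER_DB = Workload("ledger-db", frozenset({"sql-server"}), True, 0.999)
PAYMENTS_API = Workload("payments-api", frozenset({"sql-server"}), True, 0.9995)

if __name__ == "__main__":
    for w in (PUBLIC_SITE, LEDGER_DB, PAYMENTS_API):
        chosen, rejected = place(w, PROVIDERS)
        print(w.name, "->", chosen.name if chosen else "NO COMPLIANT PROVIDER")
        for name, reasons in rejected.items():
            print("   rejected", name, ":", "; ".join(reasons))
```

The rejected map doubles as the evidence a reviewer would ask for when a workload lands on an unexpected provider or cannot be placed at all.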
Amazon, Fujitsu, Hewlett-Packard and a few other cloud providers make up the infrastructure layer of this framework. The multi-provider model is additionally served by CBA's own IT division. The providers operate several cloud environments for the bank, locally in Australia or in other regions, for example the U.S. or Singapore. Cloud providers need not offer every service type that CBA requires; however, the services they do offer must comply with the standards defined by CBA.
7. Advantages of CBA Cloud Service Model
One of the key features of CBA's multi-provider cloud model is the ability to move applications between providers on a pay-as-you-go basis at any point in time. The key enabler, online coordination, is achieved by moving applications and workloads promptly. Moreover, this model allows CBA to avoid high upfront costs and long-term commitments.
The ability to move applications and workloads automatically, based on standard platforms, lets the bank capture considerable value from cloud computing by creating "contestability" at any time. The model enabled CBA to use the capacity of various providers efficiently in order to reduce costs and increase flexibility.
In terms of flexibility and scalability, internal IT providers lag behind the multi-provider cloud IT sourcing model and behind single-provider arrangements or sets of non-integrated cloud providers. Internal providers face the capacity constraints of physical in-house computing.
| | Conventional Domestic Sourcing | CBA’s Cloud Prototype |
|---|---|---|
| Price | Fixed Charges | Original Reimburse as you utilize service |
| Adaptability and Compliance | Limited to domestic ability (Kohl, 2007) | Boundless Compliancy is achieved |
| Competitiveness | No competitive advantage. The competitiveness is based on the intrinsic IT functionality | Competitive advantage is attained fully by CBA |
| Data Security | More number of security concerns are encountered inside the IT segment | The data storage will be personalized according to the business requirements, safety standards, and location of the cloud contributors |
Table 2: Assessment of Non-Cloud, Multi-Provider, and Single Provider Cloud Models
8. Examples of CBA’s Cloud Advantages
CBA's official site, commbank.com.au, is used by individuals and retail banking customers and is now delivered through the standardized web server platform. A standardized site can run on the cloud platform rather than on specific dedicated hardware. CBA reported costs of about $650,000 every year prior to the deployment of the cloud model and about $30,000 after its implementation.
CBA and the cloud providers achieve largely automated provisioning of software development environments through the use of blueprint standards for those environments. The time taken to provision an environment has been reduced compared with before the implementation of cloud, and it now takes just 10 minutes. Overall, these results reduced the time to market for new applications of around 4 a month and a half with the cloud model (Solove, 2006).
9. Difficulties of Moving to a Multi-Provider Cloud Model
To set up the multi-provider cloud platform, CBA needed to overcome several challenges. These challenges relate to providers, culture and technology. The bank could start using the cloud model with only part of its application portfolio, since some of CBA’s applications were not ready to be deployed in the cloud environment.
9.1. Social Challenges
The second challenge was the cultural change that took place in CBA. The move to cloud computing required a shift in attitudes and active change management by IT leadership. Cloud computing changes the patterns of external and internal communication between individuals. A range of third parties is now integrated with CBA's IT department rather than a single outsourcing partner.
9.2. Supplier Challenges
CBA can persuade the cloud providers to invest effort in accepting the idea of customer-side standardization. The cloud standards provided by suppliers with strong anxiety are embraced by the bank.
9.3. Innovation Challenges
The third challenge was finding the right technology to implement the cloud management system layer of the cloud model. ServiceMesh's software was customized to incorporate some of its own software enhancements (Solove, 2006).
10. Cloud Risks and Vulnerabilities confronted in CBA
Numerous risks associated with cloud computing relate to information security, compatibility, insufficient security standards, and availability, mainly in financial organizations, e.g. CBA. In standardized and security-conscious environments, types of threats like anecdotal administrations are the central focus.
Fig 2: Risks related to cloud deployment in banks
10.1. Security Concerns
A study outlines the CBA security issues identified in cloud computing. The National Finance Security Association indicated that “The risks experienced with residential foundation can be effectively controlled and operationally redressed when contrasted with cloud innovation”. Organizations must rank a list of risks on a scale from 1 to 5, since security concerns are the key consideration when adopting cloud.
Cloud-based banks such as CBA are exposed to specific types of threats and vulnerabilities. The security risks associated with CBA particularly concern data arrangement, data breach, inconsistency, and legal issues. Banks should give close attention to organizational loss, lack of transparency, and inadequate risk assessment.
According to the cloud service providers, the greatest vulnerabilities are openness, data breach, and responsiveness. According to the security agencies, the lack of legal security procedures is the most notable security concern.
Consequently, security concerns are the primary deciding factor in choosing cloud strategies at CBA. To develop the related solution, suitable responses are examined, and the security agencies focus more on the risks than cloud providers do. Hence, the most widely recognized security vulnerabilities are the lack of transparency, the unavailability of mechanisms for investigating risk factors, and the loss of data control and reliability (Osterwalder, 2011).
10.2. CBA Risk Assessment