IT Risk Assessment: Migrating Aztek's Applications to the Cloud


Added on  2020/03/23

Report
AI Summary
This report presents an IT Risk Assessment for the migration of Aztek's business-critical applications and data to an external Cloud hosting solution. As a financial service provider, Aztek is regulated by the Australian Prudential Regulation Authority (APRA), which mandates compliance with outsourcing regulations, including Prudential Standard SPS 231 and CPS 231. The assessment identifies potential risks such as data breaches, compromised credentials, insecure interfaces, system vulnerabilities, and denial-of-service attacks, using the STRIDE threat model. The report examines the project's impact on Aztek's security posture, particularly regarding faster security provisioning, and the alignment of application, security, and operations teams. It also addresses compliance with the Australian Privacy Act and APRA guidelines, emphasizing the need for thorough due diligence and risk management to maintain service quality and data security while adhering to legislative and prudential requirements. Despite the identified risks, the report concludes that the benefits of cloud adoption, including cost savings, outweigh the challenges.
Migrating business-critical applications and their associated data sources to an external Cloud
hosting solution
<Name>
<Institution>
Executive Summary
Cloud computing has, at an unprecedented pace, both transformed how government and business
deploy IT infrastructure and introduced new security threats. With cloud computing, delivery
of business-supporting technologies is more efficient than ever before. The approach has made
it possible for businesses, and especially startups, to deploy advanced computing services and
applications with zero spending on server infrastructure. The advances have, however,
introduced a myriad of security challenges, while amplifying the existing forms of
vulnerabilities.
This paper presents an IT Risk Assessment for the intended migration of Aztek's business-
critical applications and data to an external Cloud hosting solution. Aztek, being a financial
service provider, is under the regulation of the Australian Prudential Regulation Authority
(APRA). APRA considers cloud computing a form of outsourcing, and requires that all
organizations that fall under it conform to the set rules and regulations that govern outsourcing.
The project has to comply with a number of personal data protection laws and regulations.
One particular legal regulation that the project has to comply with is Australia's Privacy Act and
its enhanced version, the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The
Act outlines thirteen key Australian Privacy Principles (APPs). The Australian Privacy Act
primarily regulates the collection and handling of personal information of individuals.
Before the project can commence, Aztek must comply with measures put in place by APRA,
which outline prudent practices that have to be put in place before adopting the
technology. The main standards passed by APRA include the Prudential Standard SPS 231
introduced in 2012 and Prudential Standard CPS 231 published in 2014. The standards obligate
an entity like Aztek to carry out thorough due diligence, approval and continuous monitoring of
any arrangements relating to outsourcing of services. The standards also require that an
enterprise must identify risks and means of managing them, to ensure that an institution is able
to meet its obligations to its beneficiaries. Other requirements include:
- Aztek has to demonstrate the ability to continue with normal operations even when
  access to cloud services is interrupted for one reason or another.
- Demonstrate that even with a migration to the cloud or outsourcing, an entity still
  maintains the level of quality of services and security of sensitive data and information.
- Demonstrate that such a move will not go against any legislative and prudential
  requirement.
- Demonstrate that such a move does not introduce any technical, contractual or jurisdictional
  issues which may inhibit APRA's ability to carry out its regulatory duties.
For purposes of risk assessment the STRIDE threat model will be used. The model classifies the
threats from the viewpoint of an attacker, primarily focusing on what motivates an attacker. The
model focuses on six fundamental areas of security: Spoofing Identity, Tampering with Data,
Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege.
The identified risks include:
- Data breaches
- Compromised credentials and broken authentication
- Insecure cloud Interfaces and APIs
- System Vulnerabilities
- Account and service hijacking
- Malicious insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Cloud service abuses
- Denial of Service Attacks
- Shared Technology Vulnerabilities
The identified and classified security risks are critical, especially for a financial institution.
However, the countermeasures available to mitigate the risks, and the cost savings realized through
deployment of applications on a cloud platform, outweigh the risks. As such, adoption of the
cloud model is necessary and advisable.
1.0 Introduction
This paper presents an IT Risk Assessment for the intended migration of Aztek's business-
critical applications and data to an external Cloud hosting solution. Aztek operates in the
Australian Financial Services sector. The sensitivity of data held by a financial institution
necessitates that a thorough risk assessment be carried out, followed by development of risk
management plans. Aztek, being a financial service provider, is under the regulation of the
Australian Prudential Regulation Authority (APRA). APRA considers cloud computing a
form of outsourcing, and requires that all organizations that fall under it conform to the set rules
and regulations that govern outsourcing. One of the requirements for APRA-regulated
institutions is a mandatory risk assessment and documentation before outsourcing any of their
operations.
Before moving any operations to the cloud, the company has to carry out adequate assessments,
to identify if such a move will go against any of the laws governing the operations of a financial
institution. This is because the institution is also bound by Australia’s Privacy Act, which puts
strict regulations on collection and handling of personal and sensitive information.
With all these regulations to be complied with, this paper identifies the risks associated with
migrating data processing and storage to a third party, in this case migrating to the cloud. The
goal is to identify risks associated with cloud computing, and specifically as they apply to the
case of Aztek.
2.0 A review of the project with respect to the Financial Services sector laws and
regulations
This project intends to migrate business-critical applications and their associated data sources to
an external Cloud hosting solution. As the company operates in the Financial Services sector, the
project must first go through various tests to ascertain whether it conforms with set laws and
industry regulations. The project has to comply with a number of personal data protection laws and
regulations. One particular legal regulation that the project has to comply with is Australia's
Privacy Act and its enhanced version, the Privacy Amendment (Enhancing Privacy Protection)
Act 2012. The Act outlines thirteen key Australian Privacy Principles (APPs). The Australian
Privacy Act primarily regulates the collection and handling of personal information of
individuals (Khoury, 2017).
According to the Privacy Act, personal information is defined as any information that identifies
an individual directly or can be used to reveal the identity of the individual with some analysis
(Khoury, 2017). The Act classifies some personal information as being sensitive; this includes
information about an individual's health, genetic information, financial information such
as credit rating, religion, philosophical or political beliefs and affiliations, race and ethnicity,
among many more (Khoury, 2017). Before migrating to the cloud, Aztek has to provide
certainty that the privacy of such information is not compromised in any way.
With regard to the industry's regulations and compliance, Aztek's cloud migration project has
to comply with the guidelines given by the Australian Prudential Regulation Authority (APRA).
APRA understands that while cloud computing brings substantial benefits to enterprises, such as
ease of scalability, increased agility and economies of scale, adopting cloud computing exposes a
financial service provider to the inherent information systems risks, thereby necessitating a
greater degree of supervisory interest and caution (Khoury, 2017). Despite the risks, APRA has
put in place measures that enable entities controlled by it (also referred to as Registrable
Superannuation Entities (RSEs), such as Aztek) to adopt cloud computing, by outlining prudent
practices which have to be put in place before adopting the technology (Ramsay, 2015).
The need to give guidance to the industry has seen APRA pass a number of regulations that
relate to outsourcing of services for RSE licensees. In November 2012, APRA
published the Prudential Standard SPS 231, which was followed by the passing of the
Prudential Standard CPS 231 in August 2014. The published standards obligate an entity like
Aztek to carry out thorough due diligence, approval and continuous monitoring of any
arrangements relating to outsourcing of services (Ramsay, 2015). The standards also require that
an enterprise must identify risks and means of managing them, to ensure that an institution is
able to meet its obligations to its beneficiaries.
One requirement for an APRA-regulated entity is that it can only take up outsourcing, and by
extension cloud computing, after evaluating and understanding the risks associated with the
move, and putting in place adequate measures to mitigate or manage the risks (Ramsay, 2015).
Other measures that need to be put in place include:
- An entity has to demonstrate the ability to continue with normal operations even when
  access to cloud services is interrupted for one reason or another.
- Demonstrate that even with a migration to the cloud or outsourcing, an entity still
  maintains the level of quality of services and security of sensitive data and information.
- Demonstrate that such a move will not go against any legislative and prudential
  requirement (Ramsay, 2015).
- Demonstrate that such a move does not introduce any technical, contractual or jurisdictional
  issues which may inhibit APRA's ability to carry out its regulatory duties.
3.0 The Project's impact on the current security posture of Aztek
Migrating to the cloud will certainly have a great impact on Aztek's current security posture.
Currently the company has all its IT functions locally hosted, and has full control over storage,
processing and transmission of its data. Migrating to the cloud will shift that control to a third
party. This may, to some extent, impact the company's security posture.
With the assumption that the company is currently at the highest level of the security maturity
model, otherwise called the Visionary level, migrating to the cloud will impact the organization
in some ways. Appropriate mitigation strategies will therefore be required to return the
organization to the highest level.
At the "Visionary" level of the security maturity model, an organization is characterized by the
fact that decisions are made from the perspective of critical applications in the data center.
Each and every stakeholder within the organization, including the application team, network
operation team and the security teams, knows the requirements of the business and the
implications security has on the business. In addition to that, the teams are well aligned using
automated and streamlined business processes.
Migrating mission-critical applications and data to the cloud will affect the security posture of
the organization, as it does not have direct control over data, connectivity and security. The main
areas that will be affected include:
3.1 Faster security provisioning of data center applications
At this level of the security maturity model, an organization is characterized by its ability to
quickly and securely enable mission-critical applications to have connectivity, with the aim of
ensuring maximum server availability and delivery. Organizations have the capability to accelerate
and simplify changes in policy, enabling security to be in sync with the changing business
platform (Gottschalk, 2006).
Migrating to the cloud will affect this aspect, as security controls are all in the control of the
cloud provider. Firewall rules are largely controlled by the provider, hindering the company
from enabling automatic translation of application connectivity requirements into appropriate
firewall rules and accelerating policy changes (Gottschalk, 2006).
Mitigating this possible scenario would require the security teams at Aztek and the teams at the
cloud service provider to work together to facilitate the necessary changes, while ensuring that
such changes do not affect the security of other clients hosted on the same platform.
3.2 Aligning of the Application, security and operations teams
At the Visionary level of the security maturity model, an organization like Aztek has all the
major teams aligned, with a unified view and approach to security policy management, which
is primarily application-centric. The approach is accommodative of all the players, enabling them
to work in harmony towards a single goal (Gottschalk, 2006).
With the intended migration to the cloud, a number of pillars are removed from the unified stand
of the current security posture. This is because the applications are moved to the cloud and
security is shifted from the organization's team to the cloud environment. While the operations
and applications teams experience no significant changes, the security team is left without much
control, thus the alignment is distorted as security controls shift to the cloud.
Mitigating the likely loss of the alignment that helps an organization remain at the highest level
of the security maturity model would require the IT security team to focus on maintaining
security relating to the use of the applications, and not necessarily the full control they had with an
in-house data center. This will maintain the alignment of the team and their focus on application-
centric security policy management, even when full control has been taken by a third party.
4.0 Risk Assessment
4.1 Assessment Model: STRIDE MODEL
For purposes of risk assessment the STRIDE threat model will be used. Developed by Microsoft,
STRIDE can be defined as a classification scheme for categorizing known security threats
(Albakri et al., 2014). The model classifies the threats from the viewpoint of an attacker,
primarily focusing on what motivates an attacker and the exploits used in attacks (Shostack,
2014). The model focuses on six fundamental areas of security: Spoofing Identity, Tampering
with Data, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege
(Shostack, 2014).
- Spoofing identity: illegal access and use of authentication information of another user,
  such as passwords and usernames (Shostack, 2014).
- Tampering with data: malicious modification of data, either when the data is in
  transit over the internet or in storage, such as data held in databases (Shostack, 2014).
- Repudiation: threats that come about through the inability to prove that a given user
  performed a certain illegal action on the system. With repudiation, a user may perform an
  illegal action and deny ever doing it, while the other party may have no means of proving
  that the user performed the action (Shostack, 2014).
- Information disclosure: exposure of information to unauthorized individuals, such as
  the ability of an intruder to access and read data being transmitted over the internet
  (Shostack, 2014).
- Denial of service: denying service access to valid users; affects the reliability
  and availability of the service or system.
- Elevation of privilege: an unprivileged user gaining privileged access to the entire
  system; this may occur when a hacker penetrates the defenses of a system and accesses the
  system as a trusted system or user (Shostack, 2014).
With the guidance of the STRIDE model, the following risks were identified and classified as
critical to the project of migrating data and mission-critical systems to the cloud:
4.2 Data breaches
Cloud environments face threats similar to those facing conventional corporate networks.
However, the huge amount of data stored on cloud servers acts as a motivating factor and
attraction for attackers (CSA, 2016). The severity of this risk largely depends on the sensitivity of
the data. For a financial institution like Aztek, a data breach would be extremely
damaging. This risk has the potential of revealing not only personal information but also critical
personal financial information, which may be used illegally, leading to financial losses for the
company's customers (CSA, 2016).
4.2.1 Business Impacts to Aztek
Data breaches that have occurred in the past have resulted in financial losses for the company
affected, due to fines, litigation and compensation to clients who may have lost money from the
incident (CSA, 2016). The resulting mandatory breach investigations are also costly, increasing
financial losses. Indirect effects, such as loss of business and brand damage, may affect the
company in the long term. Although various cloud service providers invest heavily in
deploying security controls for protecting their platforms, the ultimate responsibility is on the
company to protect its data in the cloud.
4.3 Compromised credentials and broken authentication
The main causes of data breaches are laxity in authentication, poor management of certificates and
keys, and weak passwords (CSA, 2016). Identity management is a major issue for most
organizations, as they face challenges in allocating permissions that coincide with the user's
role in an organization. Critically, organizations tend to fail to remove user accounts when a
user leaves the organization or their job role changes.
The threat of compromised credentials touches on both the cloud provider and the company
deploying on the cloud (Chou, 2015). As such, Aztek has to vet the security measures deployed
by the service provider for protecting the identity platform. While some cloud providers offer a
centralized repository for identity management, such a service is risky as it may become a high-
value target (Chou, 2015).
A third dimension of this risk relates to secure development of systems that are to be deployed
on the cloud. If, for example, Aztek's systems are vulnerable, then no matter the amount of
protection offered by the cloud provider, such systems may easily be compromised.
Developers may make the mistake of embedding cryptographic keys and credentials in the code,
which can easily be recovered through reverse engineering of the code (Chou, 2015). As such,
credentials and keys must be appropriately protected.
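The following Python sketch is an added example, not part of the original report: it shows a pre-deployment check that flags keys and credentials embedded in source code, the mistake described above. The patterns, the entropy threshold and the sample input are assumptions constructed for illustration.

```python
import math
import re

# PEM header that marks an embedded private key.
PEM_HEADER = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")

# A string literal assigned to a credential-like name, e.g. db_password = "...".
ASSIGNMENT = re.compile(
    r"""
    \b([a-z0-9_]*(?:password|passwd|secret|api_?key|token)[a-z0-9_]*)
    \s*[:=]\s*
    (["'])(.+?)\2
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Values that are obviously placeholders rather than real secrets (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "todo", "xxx"}


def shannon_entropy(value):
    """Bits per character; random keys score higher than human-chosen words."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    total = len(value)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_source(text):
    """Return (line number, finding kind, detail) for each embedded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER.search(line):
            findings.append((lineno, "private-key", "PEM header"))
            continue
        for match in ASSIGNMENT.finditer(line):
            name, value = match.group(1), match.group(3)
            # Skip placeholders and templated values filled in at deploy time.
            if value.lower() in PLACEHOLDERS or "${" in value or value.startswith("<"):
                continue
            # Long, high-entropy literals look like generated keys or tokens.
            if len(value) >= 16 and shannon_entropy(value) >= 3.5:
                kind = "high-entropy-secret"
            else:
                kind = "hardcoded-credential"
            findings.append((lineno, kind, name))
    return findings


# Constructed sample source file; none of these values are real secrets.
SAMPLE = '''\
import os
db_password = "Winter2020!"
API_KEY = 'q8Zr2LmX9vTcB4nHs7KdJ1pW'
token = os.environ["SERVICE_TOKEN"]
password = "changeme"
PRIVATE = """-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END RSA PRIVATE KEY-----"""
'''

if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE):
        print(f"line {lineno}: {kind} ({detail})")
```

The credential read from the environment on line 4 of the sample is not flagged, which is the pattern the check is meant to encourage: secrets supplied at run time from a protected store rather than compiled into the application.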
4.3.1 Business Impacts
Malicious attackers camouflaged as genuine users, developers or operators can snoop on data,
read, modify and delete data, and even assign access roles to malicious accounts. Consequently,
insufficient or compromised identity, key and credential management can facilitate access
to data by unauthorized users, leading to damaging and catastrophic effects on the business.
4.4 Insecure Interfaces and APIs
Current cloud service providers offer application and service APIs and interfaces which are used
by IT experts to interact with and manage services on the cloud. The interfaces and APIs offer access
to services such as cloud monitoring, orchestration, management and cloud provisioning (CSA,
2016). The security of the APIs plays a critical role in cloud service availability and security,
from activity monitoring and encryption to access control and authentication. If weak APIs are
provided by a cloud provider, they can expose an organization to a myriad of security
vulnerabilities related to accountability, availability, integrity and confidentiality (Drissi,
Houmani & Medromi, 2013). This is primarily because a weakness in the APIs can easily be
exploited, as they are generally accessible from the internet; hence they are the most exposed part
of a system.
4.5 System Vulnerabilities
These are bugs in software applications which can be used as points of infiltration into a computer
system, with the aim of disrupting operation of services, taking control of the system or stealing
data (Drissi, Houmani & Medromi, 2013). In a case where a service provider's operating system
or its components have vulnerabilities, the security of all hosted applications and services is
compromised.
Although bugs have existed from the inception of computers, their exploitability has come of age
with the widespread use of networks (CSA, 2016). Cloud computing raises the threat with its
multi-tenancy nature, as one server can host numerous applications and databases, creating an
attractive attack surface for hackers.
While damages from exploitation of vulnerabilities are substantial, the attacks can easily be
mitigated by use of primary IT processes, such as prompt installation of security patches and
upgrade of systems as well as periodic vulnerability assessments (CSA, 2016).
4.5.1 Business Impacts
Vulnerabilities in critical systems can have profound ramifications for the security of systems
hosted on the cloud. But with most cloud providers aware of this, measures to protect the systems
are constantly updated. The cost of assessing and repairing vulnerabilities is minimal by
comparison to other IT processes.
4.6 Account hijacking
Although service hijacking is an old security threat, conventional and basic methods of attack
such as fraud, phishing and exploitation of vulnerabilities are still successful (Erturk & Rajan,
2017). In an environment where stringent password and credential policies are not in place,
users re-use passwords over and over, enabling and amplifying the impact of such attacks
(CSA, 2016). Cloud computing adds a new dimension to the threat; if attackers use phishing to get
a user's credentials, they can access and modify data, manipulate transactions and eavesdrop on
activities. Access to the cloud platform can give attackers a platform for launching attacks (CSA,
2016).
4.6.1 Business Impacts
Service and account hijacking resulting from stolen credentials is a major threat on the cloud.
This is because access to cloud computing services is over the internet, meaning an attacker can
easily access the services from anywhere. Such an attacker has access to data, information and
services, and can thus compromise integrity and confidentiality and even steal data, affecting the
brand and reputation of companies hosted on the platform and of the cloud provider as well.
4.7 Malicious insiders
The insider threat is one of the most difficult security aspects to control (CSA, 2016). The insider
can be a former employee, a business partner, a contractor or even a current employee, with
legitimate access to the system. Such an individual can misuse the access in a way that affects the
availability of the information systems, as well as the confidentiality and integrity of data hosted on
the platform, mostly driven by an agenda of revenge or data theft (CSA, 2016). The danger with
this risk is that it cannot be contained by conventional security measures such as encryption,
since the insider can be a legitimate system user with privileged access on the system.
4.8 Advanced Persistent Threats
Advanced Persistent Threats (APTs) are cyber attacks that take the form of a parasite, infiltrating
computer systems and establishing a footing in an organization's IT infrastructure, from
where they remit data and intellectual property to an attacker without being noticed (CSA,
2016). This form of parasitic attack is very sophisticated, as APTs are able to stealthily camouflage
themselves as legitimate processes, helping them adapt their operations to the security measures put in
place to defend the system (Chou, 2015). The main points of entry of APTs include delivery of
attack code on a USB device, unsecured networks, system hacking, and spear phishing.
Detecting and eliminating APTs is difficult, but proactive security measures can help in
stopping them. This may include sensitizing system users to the social engineering techniques
commonly used to inject APTs into systems.
4.9 Permanent data loss
The possibility of losing data permanently is very terrifying for a business and even an
individual. On a cloud platform, besides malicious attacks, data can be deleted accidentally by
the service provider or, in the worst case, lost through a catastrophic event such as a fire or
an earthquake (Chou, 2015). The problem can be more devastating if the cloud provider does not
have an offsite backup. However, with the maturity of cloud computing services, incidents
relating to permanent loss of data are extremely rare.