IT Risk Assessment Report

IT Risk Assessment Report – Migration of critical IT applications and data sources to external cloud in Aztec

Executive Summary

Aztec is a prominent financial services company that is contemplating a number of IT projects to make its operations smooth and seamless. Cost saving is another key driver behind these IT projects. Within the project portfolio, one very important exercise Aztec is planning to carry out is migrating its business-critical applications and associated data sources to an external cloud.

Cloud computing, which is widely used nowadays, is better understood as a newer and faster way to access resources than as a technology in its own right. Functions such as e-mail handling, data storage and software processing have now become a commitment-free, on-demand service (Mell and Grance, 2009). The world is currently going through a tight period of cost cutting. From that point of view, cloud computing is said to have already gained firm ground, and investors all around the world are ready to invest in it.

The cloud's economies of scale and flexibility, which act as both friend and foe from a security point of view, are the key theme of this paper. Earlier studies have found that massive concentrations of resources or data always remain a favourite target for attackers. If designed carefully, however, a cloud system can also be much more robust, cost effective and scalable. This report presents an informed assessment of the benefits and threats of cloud computing and provides security guidance for both potential and existing users of cloud computing systems (Wiggs, 2010).

The risk assessment is based on three scenarios, or models, which are treated as use cases.

  1. Migration of applications and data sources into the external cloud computing system.
  2. Impact on the financial system resilience by external cloud.
  3. Cloud within organization.

Cost reduction and flexibility are the reasons many organizations accept cloud computing. According to a survey named An SME perspective on cloud computing, liability for incidents regarding the infrastructure and the security of confidential information are the most important causes for organisations in their migration into cloud computing (MCCUAIG, 2008).

Many financial organizations are considering migrating to cloud computing for its cost effectiveness and the chance to increase capability, although there are many obstacles, from both a legal and a regulatory point of view, to moving financial services applications to the cloud. Organizations also know that their employees will use cloud-based systems even if these are not included in official policy.

For cloud computing to reach its full potential, the information held in it must be firmly secured. This report explains what the cloud means for networking, data protection and privacy. It covers the policy and legal implications and the technical issues of the cloud, along with its risks and benefits. The main focus is on pinpointing the risks and maximizing the benefits.

The features considered most integral to a cloud system are its service models: SaaS (software or application as a service), PaaS (platform as a service) and IaaS (infrastructure as a service). The benefits and risks differ between these services. The next section covers the benefits and risks of implementing the different cloud models.

Top Recommendations

Assurance for Cloud Customers

Users of cloud computing want assurance of a sound level of security from their service providers against problems such as DDoS attacks, which threaten both customers and providers. They need this assurance because it helps them make better business decisions and obtain or maintain a security certification (Mather, 2009). The demand for audits keeps providers so busy that it has opened the way to standardizing the questions, which are published as recommendations in reports. This list can be used both to obtain assurance and to provide it to customers.

The checklist is intended to help customers with:

  1. Risk assessment while adopting a cloud system.
  2. Comparison of offerings of different service providers.
  3. Acquisition of assurance of selected service providers.
  4. Reduction of burden on providers regarding assurance.

The checklist is intended to cover legal, technical and policy issues, along with physical security.

Recommendations from Legal Point of View

Legal issues are resolved during contract evaluation, when the offerings of different service providers are compared, and in negotiations. The most common practice in cloud computing is to select a service provider according to the offers available in the market. This runs counter to the philosophy of negotiation. However, contract negotiation remains open to prospective customers of cloud computing. The nature of cloud computing calls for additional review of the standard contract, which is very different from that of a conventional internet service. If any kind of breach is found in the service, customers under contract may give special attention to their legal rights and obligations. The same applies to data transfer, derivative works, change of control and access to data by law enforcement authorities (European Network and Information Security Agency (ENISA), 2009). The cloud is a very powerful means of outsourcing internal infrastructure, including critical infrastructure. Any interruption to this infrastructure can have wide-ranging effects, which is why the allocation of liability should be considered in light of the standard limitations for the responsible parties. Customers and service providers should go through the contract terms on security risks before any legal matter arises over a specific security concern of the cloud system.

Financial Services Sector review

Aztec is an established financial services institution that handles multi-million dollar transactions regularly and is one of the most risk-averse and conservative organisations. The company takes utmost care in protecting the confidentiality, integrity and availability of its information and data. Aztec intends to move its critical IT operations and data sources to an external cloud hosting solution. Cost saving can be seen as the most important driving factor behind this intention, but the migration project needs to be critically evaluated for the risks and vulnerabilities associated with cloud computing in terms of the legal, reputational and compliance frameworks of Australia. As a financial services company, Aztec often handles highly confidential and sensitive data and information. An extensive thought process has to be involved in every decision taken by Aztec management, especially if the decision concerns an IT project that may involve working with or exposing sensitive information. Such decisions may expose the organization to extreme risks and vulnerabilities. A single lapse in data security can cause the company huge damage in the form of money, reputation and compliance, and can attract penalties from government regulators.

Although the Australian government encourages corporate and non-corporate organizations to move their IT assets to the cloud, especially for cost saving purposes, Aztec needs to review the cloud migration project thoroughly along the following lines:

  • Are all the applications required to be moved to cloud?
  • Will the cloud migration be a value for money proposition based on the Commonwealth Procurement Rules?
  • Will the project comply with the guidelines as defined in the Protective Security Frameworks?

Cloud computing gives businesses convenient network access to a pool of computing assets, such as services, networks, storage and servers, which can be provisioned quickly and are available on demand (Gentry, 2009). The primary characteristics of a cloud-based infrastructure are:

  • Services can be self-provisioned by the customer based on demand.
  • The offerings are available over the internet and can be accessed from almost anywhere with appropriate authentication.
  • The cloud-based resources can be pooled and shared across multiple consumers.
  • The cloud-based resources and services are scalable, often automatically.
  • Service usage is metered on a pay-per-use model and is transparent to the consumer.

Cloud computing services are provided under three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In the SaaS model, the consumer is given the capability to use the provider's software applications, which run on a cloud-based infrastructure, e.g. web-based e-mail. The infrastructure is managed by the provider and the consumer is charged based on usage of the services. In the PaaS model, the consumer either provisions or acquires tools, services, libraries, applications or programming languages developed by the cloud provider. In this model too, the infrastructure is managed by the provider, with the consumer controlling the deployed applications and the associated configuration of the environment. In the IaaS model, the provider gives consumers the capability to provision computing infrastructure such as servers, networks and storage, which the consumer can manage and use to deploy and execute software as and when required (Schneier, 2009).

Cloud Deployment models

  • Private cloud: In this model, a single organization owns, manages and operates a cloud infrastructure which is used by multiple consumers which are often the various business units of the organization.
  • Community cloud: In this model, the cloud infrastructure is managed and operated by more than one organization, which together constitute a community of cloud users. Such communities often have similar computing requirements.
  • Public cloud: The cloud infrastructure in this model is open for use by the general public. It is often owned, operated and managed by a government institution, academic organization or business. The infrastructure resides on the premises of the cloud service provider.
  • Hybrid cloud: This model comprises a combination of more than one cloud deployment model. The distinct cloud models are often bound together by a standardized technology that interlinks both types of cloud infrastructure. Such integration allows for data portability and load balancing among the clouds (Cellan-Jones, 2009).

The major IT applications and services identified by Aztec for being migrated to cloud are the following:

  • E-mail and messaging applications
  • Desktop Applications
  • Project and portfolio management
  • Payroll and HR applications
  • Sales and Customer Relationship Management
  • Finance and Accounting
  • Custom applications and their development
  • Identity management

Being a financial services company, Aztec is bound by a number of regulatory, legal and compliance obligations associated with each aspect of its business. Hence the cloud migration of IT applications, if it happens, will need to be carried out in a very thoughtful manner. A number of things would need to be considered before deciding to carry out the migration. One very important decision will be selecting the service model and deployment model of the cloud infrastructure for the applications. Of the applications identified for migration, a number, such as e-mail and messaging applications, can be moved to the cloud as SaaS. E-mails often carry sensitive business communications, hence utmost care needs to be taken in selecting a cloud service provider fit for the job. Similarly, custom applications and their development can be migrated to the cloud under the PaaS model. The organization should look to keep any sensitive data, such as payroll and customer information, on on-premises servers, thereby isolating risk-sensitive data from the applications and data being migrated (European Network and Information Security Agency (ENISA), 2009). The Australian government also regulates the use of cloud services through a number of guidelines and regulatory frameworks. The Australian government cloud computing policy provides clear guidance and best practices for the use of cloud infrastructure and services. The Australian Government Big Data Strategy and the Protective Security Policy Framework consist of rules, regulations and mandatory obligations to be followed by organizations when adopting cloud services.

Security Posture Review

Currently Aztec manages all its IT applications and resources on its own, which defines its security posture as a closed perimeter. Access to the organization's information resources requires being connected to the company network, which is managed, owned and operated by Aztec itself. Even for employees working remotely and for resources exposed to customers, extensive authentication and access management mechanisms are employed. This gives Aztec the considerable benefit of being able to monitor, manage and change the security framework as it sees fit. Although this kind of security posture carries its own risks, it gives the organization assurance that its data is secured (Mell and Grance, 2009).

If Aztec decides to move its information assets, such as applications and databases, to the cloud, the impact on its security posture will depend greatly on the service model and deployment model it chooses. The public and community cloud deployment models will extend the organization's security perimeter to the cloud infrastructure provider, because the provider will manage the infrastructure and the organisation's resources will now also include the provider's resources (ISO 27005:2008). It becomes critical for Aztec to understand the security obligations of the cloud provider when it moves its IT applications to the cloud. These obligations, which include SLAs, reporting and network security arrangements, should be clearly communicated in a contract. Responsibility for security should be clearly shared between the provider and the consumer. Hosting critical data, such as personal and payroll information of employees or account details of customers, in the cloud can expose the organization to greater risks of attack and data theft. The agreement on sharing security responsibility becomes even more critical in this case. A public cloud can be a viable choice if the organization wants to migrate information that is meant for public consumption and carries lower risk. Public cloud infrastructures are better equipped with security measures for low-risk information. This may improve the infrastructure-related security posture in comparison to the current posture. A community cloud can be a viable option for applications with a medium level of risk, because it has the characteristics of a public cloud while improving on the security requirements.

Systems that handle particularly high-risk data, such as customer account information, cannot be entrusted to a public or community cloud, as this would lead to a loss of control over security and infrastructure (Google, 2010). A private cloud is the best option for handling such sensitive information, as it helps minimize the risks and challenges while avoiding impacts on the current security posture.

Benefits of Cloud Computing in terms of Security

Security and Scale’s Benefit
All kinds of security measures become cheaper when implemented at a larger scale, so the same amount of investment buys better security. This includes defensive measures such as patch management, hardening of hypervisors and virtual machines, and filtering. Further benefits of scale are multiple locations, edge networks that deliver or process content closer to its destination, and timeliness (Shankland, 2009).

Managed Security Services and its Standardized Interfaces
A standardized, open interface is also beneficial for managed security services. Large cloud computing providers offer such interfaces. This helps create a more open market in terms of security services and availability.

Smart Scaling of Resources with Rapidness
The ability to dynamically reallocate resources used for authentication, filtering, traffic shaping and encryption, especially in response to problems such as DDoS attacks, is a clear advantage for the resilience of the cloud system.

Evidence Gathering System and Audit
Cloud computing, which builds on virtualization, can provide dedicated, pay-per-use images of virtual machines. Forensic analysis can then be carried out with less downtime and without taking the infrastructure offline (Buck, K., D. Hanf, 2010). This also opens the way to very cost-effective logging without compromising the quality of service provided by the cloud.

Threats, vulnerabilities and consequences assessment

Process of Risk Assessment
Risk is estimated from the likelihood of a disaster scenario, measured against its estimated negative impact. The impact of each scenario and its effect on the business can be determined in consultation with experts, which also helps an architect design a cloud of a particular model.

A scale of 0 to 8 is used to measure the business impact and likelihood of incidents, and the result is compared against the risk acceptance criteria. The scale is as follows:

  1. High risks (6-8)
  2. Medium risks (3-5)
  3. Low risks (0-2)

The most important specific risks faced in a cloud system are discussed here:

Governance Loss
In a cloud computing system, customers always try to take control from the cloud provider (CP) on many issues that can seriously affect the security of that cloud. However, SLAs are sometimes unable to provide the same on behalf of the cloud provider. That is why there is a chance of a security breach in the defence system (ISACA, 2009).

Probability: VERY HIGH

Impact on Security Posture: Very High in IaaS; Low in SaaS

Vulnerabilities

  • Undecided parts and accountabilities
  • Poor implementation of role demarcations
  • Matching accountabilities or promised responsibilities external to cloud
  • SLA sections with inconsistent undertakings to various stakeholders
  • Deficiency of standard technologies and solutions
  • Data centres in numerous jurisdictions and dearth of transparency
  • Undecided ownership of assets

Affected assets

  • Reputation of Aztec
  • Customer Data
  • Employee Personal Data
  • Delivery of Services
  • Customer Trust

Risk: HIGH

Lock In
At present there is very little on offer in the way of tools, procedures or standard data formats that guarantee data portability and serviceability. This can make it difficult for a customer to change provider or to migrate data to an in-house information technology environment (ISACA, 2009). It also opens the way to dependency on a particular cloud provider, especially if portability is enabled.

Probability: VERY HIGH

Impact on Security Posture: High

Vulnerabilities

  • Deficiency of standard technologies and solutions
  • Poor selection of cloud provider

Affected assets

  • Reputation of Aztec
  • Customer Data
  • Employee Personal Data
  • Delivery of Services
  • Customer Trust

Risk: HIGH

Failure Due to Isolation
Cloud computing is characterized by resource sharing and multi-tenancy. The risk arises if the mechanisms separating memory, routing, storage and reputation between tenants fail, which is also known as a guest-hopping attack. However, studies say it is harder for an attacker to defeat resource isolation in a cloud than in a traditional OS (GARTNER, 2010).

Probability: LOW (Private Cloud); MEDIUM (Public Cloud)

Impact: VERY HIGH

Vulnerabilities

  • Vulnerabilities due to hypervisor VMs
  • No reverse and/or reputational isolation
  • Probability of cloud network probing or attacks
  • Probability of co-residence checks

Affected assets

  • Reputation of Aztec
  • Customer Data
  • Employee Personal Data
  • Delivery of Services
  • Customer Trust

Risk: HIGH

Risk of Compliance
Investment made in achieving certification, such as against industry standards or the requirements of a regulatory authority, may be put at risk when data is migrated to the cloud:

  1. If the cloud provider is unable to provide the appropriate service for the requirement.
  2. If the audit by cloud customers is not accepted by the cloud provider.

It should also be known that in certain cases certain compliance requirements, such as PCI DSS (4), cannot be achieved on public cloud infrastructure.

Probability: VERY HIGH – Depending on Compliance frameworks

Impact: HIGH

Vulnerabilities

  • Audits not being available to customers
  • Absence of standardization in technologies
  • Data centres in multiple jurisdictions and lack of transparency in information on jurisdictions
  • No transparency in terms of use

Affected assets

  • Certification and Accreditation

Risk: HIGH

Compromise of Management Interface
Customer-facing management interfaces in a cloud system open up broader access to resources over the internet than the traditional model does. The risk therefore increases when web browser and remote access vulnerabilities are combined as well (GARTNER, 2010).

Probability: MEDIUM

Impact: VERY HIGH

Vulnerabilities

  • Provision of remote access to management console
  • Issues with Applications and poor management of system patches
  • Misconfiguration

Affected assets

  • Reputation of Aztec
  • Customer Data
  • Employee Personal Data
  • Delivery of Services
  • Customer Trust

Risk: MEDIUM

Protection of Data
Cloud computing poses many data protection risks for customers and even for cloud providers. It can be a big problem for a customer who is also a data controller to check that the provider handles the data lawfully. This generally happens when data passes through multiple transfers, as in federated clouds (IOR, Institute of Operational Risk, 2010). Some cloud providers publish their data handling policies and procedures. Others do the same by providing summaries of their certification for data processing and control, such as SAS70 certification.

Probability: HIGH

Impact: HIGH

Vulnerabilities

  • Data centres located in multiple jurisdictions and lack of transparency about their information

Affected assets

  • Reputation of Aztec
  • Customer Data
  • Employee Personal Data
  • Delivery of Services
  • Customer Trust

Risk: HIGH

Insecure and Incomplete Deletion of Data
When a request to delete data is made in the cloud, the data is not truly deleted from the system. Timely deletion of data is neither possible nor desirable for a customer, because when the data is needed it is still in the cloud but cannot be accessed, and it is wiped only to free up space for other customers.

Probability: MEDIUM

Impact: VERY HIGH

Vulnerabilities

  • Sensitive cleansing of devices and media

Affected assets

  • Personal sensitive data

Risk: MEDIUM

Insider of Malicious Nature
This is one of the major threats to clouds, and architects should take responsibility for designing the cloud with CP system administration and managed security services in mind.

It is also noted that in some cases it is possible for a customer to transfer risk to the CP, and sometimes it is advisable too. However, this depends on the type of risk: if it concerns loss of business, loss of reputation, serious damage or serious legal problems, then the risks can be transferred to the cloud. Not every type of risk can be transferred to the cloud as the customer wishes. It is about outsourcing responsibility, not accountability (ERNST & YOUNG, 2009).

Probability: MEDIUM (Lower than traditional)

Impact: VERY HIGH (Higher than traditional)

Vulnerabilities

  • Improper role definitions and implementation
  • No application of crucial security principles
  • Inappropriate procedures for physical and information security
  • No encryption in data processing

Affected assets

  • Reputation of Aztec
  • Customer Data
  • Employee Personal Data
  • Delivery of Services
  • Customer Trust

Risk: HIGH

Data Security

Based on the risk assessment carried out in the sections above, and keeping in mind the risks associated with data security, it is recommended that the migration of IT services to the cloud be outsourced to three different cloud service providers, each providing a different service model and hosting different types of applications. This will minimize the centralization of information at a single provider and thus the risk of data loss. All the services would be linked by means of a federated identity management solution. Such a cloud hosting model can be termed a federated cloud.

In this model, cloud provider #1 will provide cloud infrastructure under the SaaS model for applications such as desktop applications, messaging and e-mail systems. The data centers for these applications may be located around the globe. The second cloud service provider will offer hosting under the PaaS model, which will include the development and execution of custom applications. Cloud service provider #3 will offer cloud infrastructure for hosting applications and data sources such as HR, CRM, accounting and finance under the IaaS model. Initially Aztec would be responsible for disaster recovery and business continuity for the applications migrated under the IaaS and PaaS models, by means of its existing infrastructure. For the applications migrated under the SaaS model, the provider will be responsible for business continuity and backup of services and data for a specific period. In the medium and long term, disaster recovery and backup services can be bought from the cloud service providers for each of the three service models.

With more than one cloud service provider handling IT services, applications and infrastructure for Aztec, it becomes essential for the organization to have an effective identity management solution that is both reliable and scalable. For the purpose of identity management, an internal directory solution may not be an appropriate choice. Instead the company should choose a solution that offers:

  • Single sign-on/off
  • A unified directory for all services
  • A single application and interface for all identity management needs
  • Secure management of encryption keys and signatures
  • Enforcement of appropriate access control policies

A solution which can guarantee that all the users of the IT systems including the employees, vendors, customers etc. comply with the security policies and requirements of Aztec would be required in the long run. These policies will need to be enforced by means of user profiles and permission framework. Hence in order to fulfil all the requirements listed above, the organization should contemplate moving towards a federated identity management solution which would interlink the various security accounts provided by various cloud hosting providers.

References

Mell, P. and T. Grance, October 2009, “The NIST Definition of Cloud Computing,” Version csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
Wiggs, J., January 2010, “Crypto Services and Data Security in Windows Azure,” MSDN Magazine http://msdn.microsoft.com/en-us/magazine/ee291586.aspx.
Mather, T., S. Kumaraswamy, S. Latif, September 2009, “Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice),” O’Reilly.
Gentry, C., June 2009, “Fully Homomorphic Encryption Using Ideal Lattices,” Proceedings of the 41st Annual ACM Symposium on Theory of Computing, Association of Computing Machinery.
Schneier, B., July 2009, “Homomorphic encryption breakthrough,” Schneier on Security http://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html.
Cellan-Jones, R., October 13, 2009, “The Sidekick Cloud Disaster,” BBC News http://www.bbc.co.uk/blogs/technology/2009/10/the_sidekick_cloud_disaster.html.
European Network and Information Security Agency (ENISA), November 2009, Cloud Computing: Benefits, Risks, and Recommendations for Information Security.