Risk Assessment Report Sample Assignment
This paper focuses on “Gigantic Corporation”, which faces a number of cloud security issues and challenges. The main purpose of the assessment is to understand the risks associated with cloud security so that proper decisions can be made to resolve them. The paper identifies the threats, vulnerabilities and consequences of cloud security on the basis of an IT control framework, and it elaborates each risk, including the reasons for its occurrence. The organization “Gigantic Corporation” faces a number of threats, vulnerabilities and consequences due to factors that include data breaches, insecure interfaces, system vulnerabilities, account hijacking, data loss, misuse of cloud services, denial of service and insufficient due diligence. These risks and challenges can be resolved by adopting significant mitigation strategies. To mitigate the cloud security issues, it is necessary to follow steps that include determining the cloud provider properly, following safety measures, evaluating the security system on a regular basis, using multifactor authentication, securing the cloud by controlling access, reviewing cloud storage permissions, and analyzing cloud security tools and reports. The paper also reviews various journals and articles in order to understand the protection mechanisms for the security and information of the organization. Using these steps gives organizations the opportunity to keep their information and data secure.
The paper also elaborates the protection mechanisms that help keep the information and data of the organization secure. Adopting authentication is a significant step: it allows only authorized users to access data and information, and so avoids third-party access to, and misuse of, the organization's confidential and private data. The user agreement must be read properly, because it explains how the cloud storage works. If organizations are unsure about their selection of cloud services, they can consult the user agreement to learn more about the services they are signing up for. In addition, the paper describes strong passwords as one of the significant protection mechanisms organizations can use to keep information and data secure. The paper also highlights that access control is important for avoiding data access by third parties, which further reduces the chances of information misuse. To control data access, the organization extends access control beyond its premises, which is considered beneficial for the organization.
1. Risk assessment based on threat, vulnerabilities as well as consequences with proper mitigation strategies
1.1 Risk assessment on the basis of threat, consequences and vulnerabilities
The risks that the organization faces in the context of cloud security are assessed on the basis of threats, consequences and vulnerabilities, derived mainly from an IT control framework. According to Kalaiprasath et al. (2017), an IT control framework is a data structure that helps categorize the internal controls of an organization, which is then used to create business value within the organization while minimizing risks. IT control frameworks generally include Control Objectives for Information and Related Technology, ITIL and ISO/IEC 17799.
The organization “Gigantic Corporation” faces a number of threats, vulnerabilities and consequences in the context of cloud security. These risks and challenges are identified on the basis of the IT control framework and are elaborated below:
Data breaches: “Gigantic Corporation” faces the threat of data breaches for a number of reasons, including human error, poor security practices and application vulnerabilities. A breach can involve any type of information or data associated with the organization. Because the organization uses the cloud for storing data, the risk of a data breach is quite high (Aljawarneh & Yassein, 2016). Through a data breach, the organization can lose important business-related data and information, which can create a number of financial, security and privacy issues for the organization.
Insecure interfaces: “Gigantic Corporation” exposes some of its software and user interfaces, which customers use to manage and interact with the cloud services. Provisioning, management and monitoring are all performed through these interfaces, so the availability and security of the cloud services generally depend on the security of the APIs (Zhao, Li & Liu, 2014). Improper security exposes the organization to challenges, and it is therefore necessary for the organization to design the interfaces and APIs so that they protect against both malicious and accidental attempts.
System vulnerabilities: System vulnerabilities are exploitable bugs in programs that attackers use to infiltrate a system in order to steal data, take control or disrupt the service operations of the organization. Vulnerabilities within the various components of the OS put the security of different services and data at major risk (Khan & Tuteja, 2015). In addition, with the advent of cloud multitenancy, which the organization uses, systems are placed close to each other and given access to shared memory and resources, which creates an attack surface.
Account hijacking: The organization's use of cloud facilities generally increases the chances of account and service hijacking. If attackers gain access to users' credentials, they can easily undertake unethical activities including data manipulation, falsification of information and redirection of clients to different legitimate sites (Samarati et al., 2016). In addition, attackers can use the stolen credentials to access critical areas of cloud computing, which allows them to compromise the integrity, confidentiality and availability of cloud services.
Data loss: The data and information stored within the cloud can be lost through various types of malicious attacks. Accidental removal on the part of the cloud-based service provider generally causes permanent loss of customer data and information unless the provider or the cloud consumer takes proper measures to back up data by following best practices within the business.
Misuse of cloud services: Poorly secured cloud service deployments used by the organization can give rise to various types of malicious attacks. Cloud computing resources can be leveraged to target users as well as organizations (Huang et al., 2015).
Denial of service: DoS attacks are mainly designed to prevent users from accessing data or other types of applications. By forcing the targeted cloud services to consume excessive amounts of resources, including disk space, memory, network bandwidth and processor power, an attack can slow the system down and leave legitimate users without proper access to the services (Luna, Taha, Trapero & Suri, 2017).
Insufficient due diligence: When executives create business strategies, cloud technologies must be taken into account. Developing a proper roadmap and checklist for due diligence is helpful when evaluating both technologies and providers. If the organization “Gigantic Corporation” adopts cloud technology without performing due diligence, it can expose itself to a number of security and privacy related risks.
1.2 Risk mitigation and impact
To mitigate the risks and challenges that “Gigantic Corporation” faces, it is necessary to use proper risk mitigation strategies so that the threats and challenges associated with cloud security can be resolved effectively. The steps and strategies to follow are elaborated below:
Determination of cloud provider properly: The most important step in mitigating and resolving cloud security risks and challenges is to determine the service provider effectively. It is necessary to look for a service provider that offers proper password protection to ensure that all documents are kept securely (Luna, Suri, Iorga & Karmel, 2015). In addition, it is necessary for the organization to arrange a proper backup and restoration system for keeping its data.
Following the safety measures: To resolve the issues associated with cloud security, it is necessary to use proper safety measures that protect data and information. In addition, proper steps and strategies need to be adopted to prevent the challenges and issues, including the use of standard internet safety measures and strong passwords to protect the information and data of the organization (Rasheed, 2014).
Evaluation of security system on regular basis: It is necessary to use a proper checking system, which generally depends on an application or group, to resolve the security threats and risks that “Gigantic Corporation” faces. It is also necessary to take the help of a third party for checking the security system. In addition, the organization needs to maintain a security team to ensure that its data and information are kept securely.
Multifactor authentication: Cloud providers generally allow users to log in with a username and password, and they can also support multi-factor authentication (Kazim & Zhu, 2015). It is found that even the logistical constraints associated with the project are prevented in order to secure the accounts and their administration (Pawar et al., 2014).
Cloud security by controlling access: It is necessary for the organization to control access to its important data and information so that third parties cannot misuse the information. To control data access, the organization extends access control beyond its premises, which is considered beneficial for the organization.
Reviewing the permission of cloud storage: It is necessary to review cloud storage permissions effectively to avoid security and privacy issues. The review should deny public access unless there is a compelling reason for it. Where public access is needed, that data should be kept in a separate storage bucket instead of mixing private and public data in a single storage bucket.
Analyzing cloud security tools as well as reports: It is necessary to analyze the organization's security tools and reports effectively so that the organization can take proper action if any security challenges or issues arise within the organization (Durairaj & Manimaran, 2015).
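One way to carry out the storage permission review described above, shown as an added example that is not part of the original report. It assumes bucket policies in the AWS S3 policy JSON layout; the bucket names, the `public-justification` tag and the `data_classes` field are hypothetical conventions on constructed sample data.

```python
# Added example: review bucket permissions from a constructed inventory.
# The "public-justification" tag and "data_classes" field are hypothetical
# conventions; the policy documents use the AWS S3 bucket-policy JSON layout.

INVENTORY = [  # constructed sample data, not taken from any real account
    {"name": "gc-public-site",
     "tags": {"public-justification": "static marketing pages"},
     "data_classes": ["public"],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::gc-public-site/*"}]}},
    {"name": "gc-reports", "tags": {}, "data_classes": ["public", "internal"],
     "policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                              "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::gc-reports/*"}}},
    {"name": "gc-hr", "tags": {}, "data_classes": ["confidential"],
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::gc-hr/*"}]}},
    {"name": "gc-logs", "tags": {}, "data_classes": ["internal"],
     "policy": {"Statement": [{"Effect": "Deny", "Principal": "*",
                               "Action": "s3:DeleteObject",
                               "Resource": "arn:aws:s3:::gc-logs/*"}]}},
]

def is_public_principal(principal):
    """True when a policy principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        values = [values] if isinstance(values, str) else values
        return "*" in values
    return False

def public_statements(policy):
    """Allow statements open to everyone (conditional ones included, for review)."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
    return [s for s in stmts if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal"))]

def audit(inventory):
    """Return (bucket, finding) pairs for the two review rules."""
    findings = []
    for bucket in inventory:
        if not public_statements(bucket.get("policy", {})):
            continue  # not publicly readable or writable: nothing to flag
        if not bucket.get("tags", {}).get("public-justification"):
            findings.append((bucket["name"], "public access without a documented reason"))
        if set(bucket.get("data_classes", [])) - {"public"}:
            findings.append((bucket["name"], "public bucket also holds non-public data"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

Only `gc-reports` is flagged: it is public without a recorded reason and mixes public and internal data in one bucket, while the justified public bucket, the account-restricted bucket and the Deny-only bucket pass.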
2. Literature review
According to Nanavati et al. (2014), it is necessary to avoid storing the organization's sensitive information in the cloud. The organization must look for other options where it can store sensitive information without worrying about the security of the data. On the other hand, it is stated that presence of proper might and other facilities are very much helpful within the optimizations.
Rubóczki and Rajnai (2015) opine that encryption is one of the important methods for protecting data and information, and that the organization can use an encrypted cloud service to resolve security related issues and challenges. Local encryption and decryption of files help reduce security problems. Moreover, data held within the cloud can be kept secure by using encryption with a mixture of both public and private solutions, in order to protect the data and information against malicious IT staff of the organization.
Additionally, the protection mechanisms that are employed are useful in keeping information secure. To minimize the impact of risks, the organization must keep corporate and personal data separate. Managing corporate and personal data separately helps minimize the chances of risk occurrence (Kazim & Zhu, 2015). The organization must also keep backup data so that organizational operations are not affected. Protecting data from authorized as well as unauthorised access, by securing access, is also considered one of the significant methods of securing data and information. Implementing policies and access control solutions also helps authorized persons get access to the information and data they need, which is necessary but not considered sufficient (Rasheed, 2014). Moreover, monitoring and auditing for compliance, reviewing policy exceptions and assessing database vulnerabilities further help reduce security risks and challenges.
Aljawarneh, S. A., & Yassein, M. O. B. (2016). A conceptual security framework for cloud computing issues. International Journal of Intelligent Information Technologies (IJIIT), 12(2), 12-24.
Durairaj, M., & Manimaran, A. (2015). A study on security issues in cloud based e-learning. Indian Journal of Science and Technology, 8(8), 757-765.
Huang, W., Ganjali, A., Kim, B. H., Oh, S., & Lie, D. (2015). The state of public infrastructure-as-a-service cloud security. ACM Computing Surveys (CSUR), 47(4), 68.
Kalaiprasath, R., Elankavi, R., & Udayakumar, D. R. (2017). Cloud Security and Compliance - A Semantic Approach in End to End Security. International Journal of Mechanical Engineering and Technology (IJMET), 8(5).
Kazim, M., & Zhu, S. Y. (2015). A survey on top security threats in cloud computing. International Journal of Advanced Computer Science and Applications (IJACSA).
Khan, S. S., & Tuteja, R. R. (2015). Security in cloud computing using cryptographic algorithms. International Journal of Innovative Research in Computer and Communication Engineering, 3(1), 148-155.
Luna, J., Taha, A., Trapero, R., & Suri, N. (2017). Quantitative reasoning about cloud security using service level agreements. IEEE Transactions on Cloud Computing, 5(3), 457-471.
Luna, J., Suri, N., Iorga, M., & Karmel, A. (2015). Leveraging the potential of cloud security service-level agreements through standards. IEEE Cloud Computing, 2(3), 32-40.
Nanavati, M., Colp, P., Aiello, B., & Warfield, A. (2014). Cloud security: A gathering storm. Communications of the ACM, 57(5), 70-79.
Pawar, P. S., Sajjad, A., Dimitrakos, T., & Chadwick, D. W. (2015, May). Security-as-a-service in multi-cloud and federated cloud environments. In IFIP international conference on trust management (pp. 251-261). Springer, Cham.
Rasheed, H. (2014). Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management, 34(3), 364-368.
Rubóczki, E. S., & Rajnai, Z. (2015). Moving towards cloud security. Interdisciplinary Description of Complex Systems: INDECS, 13(1), 9-14.
Samarati, P., di Vimercati, S. D. C., Murugesan, S., & Bojanova, I. (2016). Cloud security: Issues and concerns. Encyclopedia on cloud computing, 207-219.
Singh, A., & Malhotra, M. (2015). Security concerns at various levels of cloud computing paradigm: A review. International journal of computer networks and applications, 2(2), 41-45.
Tari, Z., Yi, X., Premarathne, U. S., Bertok, P., & Khalil, I. (2015). Security and privacy in cloud computing: Vision, trends, and challenges. IEEE Cloud Computing, 2(2), 30-38.
Zhao, F., Li, C., & Liu, C. F. (2014, February). A cloud computing security solution based on fully homomorphic encryption. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 485-488). IEEE.