Running Head: CLOUD RISK AND COMPLIANCE ISSUES ANALYSIS 1
Cloud Risk and Compliance Issues Analysis
Executive summary
This report highlights the role of BallotOnline in providing a solution to voting-related issues. Its objective is to convince the organization of the great need to adopt cloud-based infrastructure. Importantly, the report should identify the primary outlines and advantages that come with the new adoption. Creating a sustainable and competitive advantage requires drastic change and should, therefore. It’s significant to take note of the regarding the voting issue. Through a defined process of scrutiny, the document should communicate to the manager the risk exposure, the current road map initiative, and the compliance procedures that will contain the cloud traction. The extensive overview will therefore enhance the risk assessment methodology and the conceptual framework realized after cloud adoption. The technology applied gives an accurate picture of the nature of the electioneering outcome.
Risk of cloud adoption
Cloud computing has an advanced configuration that assures security through the technological process. In this case, the organization will realize advanced infrastructure security and data availability. Nevertheless, attacks and cybercrime have had a massive effect worldwide. BallotOnline is not an exception in this case. The company is surrounded by significant risks and threats that can hinder service delivery in voting, tallying, and announcing the winner of the contest. In a case analysis, the company has built trust and reputation across the globe.
The extended service delivery framework cannot be determined without highlighting the company’s massive contribution in North America, Europe, and Asia at large. A full area of service delivery across different zones poses considerable risk and exposure (Cooper, Grey, Raymond, & Walker, 2014).
The company can suffer a denial-of-service attack launched between the network and the organizational database. After such an attack, a data breach is expected. The data transmitted over the network protocols is immediately subject to exposure, manipulation, and insertion. For apparent reasons, manipulation of election-based data hurts the final tallying. The framework and organizational strategy should focus on this form of attack, since it can cause election illegalities and irregularities. A malicious insider can access the data administration point and reduce the transparency and integrity of the process.
Additionally, housing company data in the cloud is yet another way of exposing data to vulnerability. If the company experiences hijacking and theft of significant credentials, customers will complain and require refunds. If the process is not free and fair, it will lower the credibility of the institution and its desired reputation.
Risk managing guidelines
Attaining a sustainable and competitive advantage in cloud management is marked by advanced and effective procedures. Accomplishing a secured process is marked by the evaluation of critical systems and cloud-based protocols. The National Institute of Technology, as well as the International Standards Organization, have provided methods for managing risk and raising an intense response process. In this case, ISO 31000:2018 outlines the decision making and raises a compliance aspect. In response, the first step should be risk identification and extended analysis of the situation. Consequently, the organization can prepare the whole and most effective response approach (Pwsadminpwsadmin, 2020).
Evolution, treating administration analysis the negative implication caused and raises assessment formula. In this case, a disaster recovery document provides proposed frameworks for managing the situation. In the cloud challenge-based process, the organization’s stakeholders should embrace avoidance as well as reduction. Controlled sharing and retention provide a solution to the significant challenges of cloud computing. The backup process in this regard plays a critical role in service retention.
Privacy issues and mitigation measures
There are several privacy concerns that the organization needs to consider when shifting to cloud computing. The organization should be aware of its data accessibility and information portability (Warren, 2017). There are concerns about the data being stored and processed in the cloud.
The second privacy issue is the erasure and destruction of data. Even if storing information in the cloud enhances maximum availability, there is a point when the data is no longer required and needs to be securely archived. However, organizations may not be guaranteed the full erasure of their data without maximum encryption. There are also concerns with legal, compliance, and regulatory requirements. The organization will not be sure of who is responsible for its information on the cloud platform. Besides, the whereabouts and storage of the data will also be a concern. When data is stored in the cloud platform, nothing is known about the location and the nature of the storage.
Several measures can mitigate possible risks and enhance data privacy. There should be encryption of data at rest. Encryption protects the data, which is in transit or not in use. The data should be protected using firewalls and monitoring. There should also be two-factor authentication, combining a password with other authentication elements. Management should also eliminate all shared accounts, including web services and cloud platform credentials. The I.T. experts should also focus on defining a well-defined shared responsibility model.
This applies regardless of whether the model is software, infrastructure, or platform as a service. The organization should also utilize standard cloud assessment questions. The questions should be aimed at knowing whether the cybersecurity personnel comply with the objectives. The I.T. executives related to the cloud should consider inherent to cloud migration. Cloud migration will enhance data confidentiality and compliance-related issues. The movement also improves auditability as well as data residency issues.
Risk management matrix
BallotOnline is exposed to the risk of cloud adoption. The federal government has recently made the risk of cloud adoption a central tenet due to its modernization strategies. Any organization that adopts cloud technology without fully implementing mitigation exposes itself to financial, legal, technical, and compliance risks. The cloud has its unique threats. The first threat is that consumers may have limited control and visibility. The platform demands self-service, which simplifies unauthorized access. Besides, internet-accessible APIs can be compromised. The separation between many tenants may fail.
There are several recommendations that the organization can use to mitigate cloud adoption risks. The organization should engage a third party that will regularly assure cloud security (Weippl et al., 2017). The company should work with industry-standard security certifications. Third-party audits will help to ensure that the cloud providers being employed follow the security standards of the industry.
The organization should also aim at implementing end-to-end encryption. Encryption decreases the probability of the data being breached. Besides, there should be regular updates of the company’s software. Running an outdated O.S. and outdated internet browsers exposes the system to risk despite third-party audits and encryption. The I.T. analysts have also recommended using a single sign-on solution, which enhances security and convenience. The administration should not have multiple login accounts and passwords; they make things more complicated for the administrator and the user. Limiting to a single login account reduces the number of potential exploits and weaknesses. The analysts devising the cloud solution should practice due diligence. Additionally, thorough research on potential vendors is essential. The research includes checking references, examining their security history, and analyzing risks and vulnerabilities.
Cloud security issues
Several issues and challenges face cloud computing, including:
Security concerns: Security concerns related to cloud computing account for 77 percent of the total difficulties. Headlines have regularly reported compromised credentials, data breaches, broken authentication, and account hijacking. Moreover, there have also been cases of hacked interfaces and API issues.
Multi-factor authentication (MFA): The company should consider applying an MFA platform. The platform will enhance the security of users’ PII. It will also enable authentication and authorization of users, secure applications, and perform password-based logins (Venkatesh, 2018). However, multi-factor authentication is hard to acquire. Additionally, the platform is challenging to develop. There are also complications in testing MFA.
Cost containment and management: The second issue facing cloud computing is the cost involved. Most cloud computing can save the organization money. However, the on-demand and scalable nature of cloud services usually complicates quantity and cost prediction. The company must optimize costs through effective analytics and reporting. Additionally, automating policies for governance is also essential.
Lack of resources and expertise: One of the major challenges that companies using cloud computing may face is a lack of knowledge. Organizations have continued to place more workloads in the cloud. However, cloud technology has continued to advance. This advancement has led to organizations having a hard time keeping up with their tools. It is crucial to hold recurrent training for the I.T. teams dealing with the cloud.
Performance: Businesses that move to the cloud become utterly dependent on its services. In case business and cloud-based systems fail to perform, the blame is tied to the cloud provider. Performance has led to leading cloud providers experiencing outages.
U.S. legal system and intellectual property laws
The USA has developed cybersecurity regulations and laws. The laws cover all the common issues related to cybersecurity. These issues include criminal activities, corporate governance, litigation, insurance, and applicable laws.
The United States federal Computer Fraud and Abuse Act (CFAA) is the primary statutory mechanism used for prosecuting cybercrimes (Kittichaisaree, 2017). The law provides criminal as well as civil penalties. The CFAA prohibits accessing a computer without authorization, or exceeding authorized access, to obtain security information. It is a criminal activity when an individual intentionally accesses a protected computer without legal authorization and with intent to defraud. The act also prohibits intentional or reckless damage to computers.
According to the CFAA, it is illegal to transmit a threat specifically to protected computers. It also prohibits threats of obtaining information that may compromise confidentiality (Schmitt, 2016). The act treats password trafficking as a criminal cyber offense. Additionally, there should be no cyber-extortion for property and money. Cybercriminal sentences may range from 20 years, depending on the specific offense.
Another cyberspace law is the Electronic Communication Protection Act (ECPA). The law offers protection for communications in transit and in storage. Besides, there is the Stored Communications Act. The law states that it is a criminal offense to access information and transmissions without authorization unintentionally. However, the law does not cover private communications.
There is also the CAN-SPAM Act. The law prohibits activities that are related to spam email. According to the act, it is a criminal violation to send spam emails using malicious emails without authorization. Penalties for spam email may be up to three years in prison.
Besides, states have passed several statutes that prohibit computer crimes and hacking. New York has passed a law that forbids the use of a computer to gain access to its materials. Hacking penalties may be up to four years in jail. Phishing is also a violation of the CFAA (Khan, 2016). A person convicted of phishing may be sentenced to up to 20 years. It is also a crime to possess software and hardware tools that are a threat to cybersecurity initiatives.
In the case of cyber disputes, officials have developed a program known as Cybersettle. The program is designed for resolving disputes online. The platform is automated and allows disputants to solve their issues online through arbitration and conflict resolution. It generates high-speed settlements by matching offers and demands.
Legal and compliance issues
Cloud compliance is a framework used in the world of cloud computing compliance and regulations. Cloud computing has risen to be a significant I.T. resource. A typical business will consider using it at some point during its operations. However, the implications must be discussed with regard to compliance with a variety of laws and regulations. This may be the case if a company intentionally processes and transfers sensitive data that is subject to legal rules. On the other hand, several cloud computing providers may hide their data location to prevent physical attacks.
Some regulations demand physical as well as technical I.T. security mechanisms. Control systems also need to be developed and implemented, including those required by the Sarbanes-Oxley Act. As the organization implements cloud security, the executive must be aware that there is data infrastructure that is susceptible to interception. Data modification is a primary issue when it comes to compliance and cloud storage. The executive must consider where the data may reside. Security and compliance issues are inhibitors of shifting to the cloud, with consideration to storage as a result of data retention regimes.
For the organization to fully comply with the cloud, executives are advised to be aware of the cloud type they are using. Knowing the cloud type will enable executives to judge the nature of the data moving to the cloud. Executives should keep highly confidential data in their own networks for security and compliance reasons.
The second strategy that executives should implement to comply with the cloud is reviewing cloud provider contracts. If the organization implements an internal cloud, there should be internal compliance checklists. If it is an external cloud, there should be clear identification, with the provider, of where the data resides. Executives are also advised to check whether they have an incident response plan. The plan can be used if anything goes wrong with the data. There should also be regular benchmarks for valid checking of the security of data in the cloud.
Compliance issues
Geographic compliance: Cloud systems have been developed to be international. There can be global access to data with minimal latency. However, there are risks that accrue from international storage; these risks are assessed and mitigated through contracts. Some regulations demand the disclosure of private data to government agencies. Privacy rules differ from one country to another. Geographic considerations affect both data storage and data processing. Organizations must ensure that data processing meets the regulations in those locations.
Industry compliance: Cloud migrations seem to flounder when it comes to industry compliance considerations. Financial and medical institutions work under strict regulations; they are typically used to any regulatory implication. Regulatory requirements include Gramm-Leach-Bliley, Trusted Internet Connection compliance, and Federal Information Processing Standards. In the presence of a cloud, one cannot countenance the idea of placing, subject to regulatory oversight. Storage locations should interest officers who use private clouds to make their operations simpler (Sahandi et al., 2016). This is done by centralizing data where it can be tracked, enhancing effective audit.
Data compliance issues
BallotOnline should manage compliance effectively. There should be a contract with the cloud provider that covers:
Privacy: The agreement should address the measures taken to enhance data privacy and compromise.
Data and data retention: The contract should state what happens to the data, and who is responsible for it, on cessation of the agreement.
Information security laws: There should be a comprehensive explanation of the responsibilities held by the service provider. The duties include notification in case of a data breach.
Liability: This section covers who has legal responsibility for issues related to compliance.
Information requests: The contract should contain the procedure of handling information requests from authorized and legitimate users.
Compliance program
Compliance in the cloud can imply several issues based on the organization’s functions and the type of internal and external regulations. However, all the compliance requirements dictated by either the government or organizations are mainly focused on information and data privacy. BallotOnline should focus on internal compliance with the cloud to secure valuable organizational data, including intellectual property, business records, and strategic plans. Compliance programs are entrenched to manage the interactions between people, data, and critical I.P. Besides, the application should aim at complying with state and federal laws and regulations.
Policies form the cornerstone of the organization’s security program and compliance. While creating the procedures, the organization should start by developing classifications for users, data, and applications. Classifications should map the organizational impact. They should also outline the functional usage, such as marketing artifacts and sales reports. A classification matrix should be established, and each component to be used in a cloud setting should be determined. Besides, theft, corruption, and destruction data in the designation represent the risk maintenance compliance. The program should include safeguards that evaluate and conclude the classification of data that resides in the cloud.
In the user classification program, there should be an explanation of the specific actions that can be performed by the user. The actions may include sharing, creating, and modifying information and data. In the program, user groups should be established, with classifications that map the authorized data usage. Acceptable usage parameters should be established for every user. However, the data matrix element should be considered. The program should also contain policy exceptions based on business needs, including individuals, roles, and business travel. User behavior should be identified. The behavior may be an unintentional risky action or possible malicious activity. The program has responses as well as triggers that correspond to the risk levels using a rubric.
The program contains what cloud apps the business will be allowed to use and the established data policies. These are identified in the application. Additionally, the program includes risk metrics that are grounded in regulatory requirements. There are also remediation solutions for inconsistently created policies.
Conclusion
Cloud computing has risen to be an effective way of delivering computing resources. Resources range from data storage and processing to software. Organizations should make sure that they are assured of sound security practices. Businesses need to assess the risk involved in using the cloud. Besides, they should also compare different cloud providers and select the one with adequate security measures. There should also be an assurance from the specified cloud providers.
Security checklists entail all the requirements, which include legal issues, policy issues, and security affairs. Customers and cloud providers should evaluate their contract terms and assess whether they adequately address security risks. To build trust in the cloud, there should be an effect of different forms of breaching reports. There should also be end-to-end confidentiality within the cloud as well as beyond.
The company should use several strategies for its data protection in the cloud. First, it should use evidence and forensic gathering mechanisms. They should also handle the missing incidents an application monitoring and traceability. The cloud must offer reliable information security to attain the full potential promised by the technology. In summary, the paper has provided concrete scenarios of what cloud computing implies for BallotOnline. The scenarios take the form of network, information, data, and privacy protections. It has also covered the technical, legal, and policy implications. The most important segment is the recommendations, with strategies to address risks and maximize the benefits.
References
Ali, A., Warren, D., & Mathiassen, L. (2017). Cloud-based business services innovation: A risk management model. International Journal of Information Management, 37(6), 639-649.
Islam, S., Fenz, S., Weippl, E., & Mouratidis, H. (2017). A risk management framework for cloud migration decision support. Journal of Risk and Financial Management, 10(2), 10.
Kittichaisaree, K. (2017). The public international law of cyberspace (Vol. 32). Cham: Springer.
Couzigou, I. (2018). Securing cyberspace: the obligation of States to prevent harmful international cyber operations. International Review of Law, Computers & Technology, 32(1), 37-57.
Schmitt, M. N., & Vihul, L. (2016). Respect for sovereignty in cyberspace. Tex. L. Rev., 95, 1639.
Khan, M. A. (2016). A survey of security issues for cloud computing. Journal of network and computer applications, 71, 11-29.
Venkatesh, A., & Eastaff, M. S. (2018). A study of data storage security issues in cloud computing. International Journal of Scientific Research in Computer Science, Engineering and Information Technology, 3(1), 1741-1745.
Opara-Martins, J., Sahandi, R., & Tian, F. (2016). Critical analysis of vendor lock-in and its impact on cloud computing migration: a business perspective. Journal of Cloud Computing, 5(1), 4.
Cooper, D., Grey, S., Raymond, G., & Walker, P. (2014). Project risk management guidelines: Managing risk in large projects and complex procurements. Wiley.
Pwsadminpwsadmin. (2020, April 1). Nine types of effective risk management strategies. Retrieved from https://quantumfbi.com/effective-risk-management-strategies/
A risk management synthesis: Market risk, credit risk, liquidity risk, and asset and liability management. (2013). Advanced Financial Risk Management, Second Edition, 1-14. DOI:10.1002/9781118597217.ch1