INTRODUCTION:

Cloud Computing is the industry term for delivering hosted services over a network or the internet (ODCA, 2010). However, Cloud based services do not come without potential risks and abuse which can become a major cause of concern, especially in case of financial organizations entrusted with the safe-keeping of confidential data. Companies are starting to recognize and realize the benefits and advantages of Cloud computing. “Surprising enough, our risk and security gurus were comfortable with considering the Cloud for this application”, Westpac bank's enterprise infrastructure architecture head Eugene Zaid stated (Tay, 2011). However, as with any emerging approach, there is some fear, uncertainty and concern about the technology’s maturity (Leavitt, 2009). Cloud computing has many security challenges that include network sniffing, port scanning, loss of governance whereby the service providers have more control over the data of their customers and client users, vendor lock-in risks, insecure or incomplete data deletion as well as the lack of a universal standard for data protection (Gold, 2012). One of the predominant risks involved with Cloud computing is the data being uploaded to the service provider not being in control of the customer but being in the control of the service provider (Shrum, 2012). Such a risk can not only jeopardize an organization’s invaluable data but also prove to be a huge privacy loophole. This makes Cloud service providers a high value cyber-attack target as multiple organizations can be using a single Cloud company as their primary data service (Horwath, 2012). Such issues can cause irreparable damage to an organization’s reputation and financial standing should highly sensitive customer centric data is placed in possession of unauthorized users.

TECHNOLOGY MEASURES TO SAFE GUARD DATAIN THE CLOUD

The recommended technology measures to safeguard data in the Cloud are as follows: Asymmetric Encryption based on Advanced Encryption Standard (AES), Hashing, Digital Signature, Single Sign-On, Hardened Virtual Server Images and Multi Tenancy offerings by the Cloud provider.

(i.) Asymmetric Encryption based on Advanced Encryption Standard (AES): In contrast to Symmetric Encryption, Asymmetric Encryption uses two separatekeys – public key and private key to encrypt/decrypt the data whereas the latter uses just one shared key. As every asymmetrically encrypted message has its own private-public key pair, messages that were encrypted with a private key can be correctly decrypted by any party having the corresponding public key. Any message that has been encrypted with a public key can only be decrypted by the rightful private key owner thus providing confidentiality protection (Erl, 2013).

(ii.) Hashing: The Hashing technique can be used when a one-way, non-reversible form of data protection is required such as in the case of password storage. Hashing technology can be used to derive a hashing code or message digest from a message which can be attached to the outgoing message. The recipient then applies the same hashing function to the incoming message to verify that the newly produced message digest is the same as the one attached to the message. Any alteration to the digest indicates that the message has been tampered with (Erl, 2013).

(iii.) Digital Signature: The digital signature mechanism is a means of providing data authenticity and integrity through authentication and non-repudiation (Erl, 2013). In this technique, a message is a digital signature prior to transmission which is then rendered invalid if the message experiences any subsequent unauthorized or unwarranted modifications. This technique uses both Hashing and Asymmetrical encryption to ensure data security.

(iv.) Single Sign-On: This mechanism enables one Cloud service consumer to be authenticated by a security broker which establishes a security context that is persisted while the Cloud service consumer accesses other Cloud services or Cloud based IT resources thus eliminating the need to re-authenticate time and again with every subsequent request(Erl, 2013).

(v.) Hardened Virtual Server Images: “Hardening” is the process of striping unnecessary software from a system to limit potential vulnerabilities that can be exploited by attackers (Erl, 2013). Default virtual machine images and software modules used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes (ENISA, 2012).

(vi.) Multi Tenancy offerings by the Cloud provider: This approach warrants using a separate database for each tenant onboard with the Cloud provider. In contrast to using a shared database for multiple tenants, this approach ensures all data tables and schemas remain exclusive for each tenant thereby enhancing security from the Cloud provider.

LEGISLATIVE MEASURES TO SAFE GUARD DATA IN THE CLOUD

It is imperative to safeguard personal and regulated data in the Cloud. Security of data remains the responsibility of the data owner and cloud-computing service providers are not directly liable for data loss or fines or other legal penalties suffered. Cloud-computing service providers offer shared computing services, while regulations generally mandate that the outsourcer needs to ensure its systems are securely managed through independent audit to demonstrate compliance. Until a legal framework on adequate controls in cloud environments is worked out through legislation, the outsourcer needs to be cognizant of its responsibility for protection of its data stored in the cloud (Fratto, 2009). The recommended legislative measures for safe guarding data in the Cloud are as follows:

(i.) Data Residency: Cloud computing arrangements may involve storing data in foreign jurisdictions and locations. When host country laws are different, or significantly less controlled than those of Australia or New Zealand, this can potentially lead to exposures or control inadequacies impacting data ownership, privacy, data return, service continuity etc. Irrespective of jurisdiction, data storage across multiple Cloud service providers could lead to data fragmentation, and issues with data ownership when terminating Cloud services (ODCA, 2014).

(ii.) Operational Performance: Service Level Agreements (SLAs) in place to protect against issues like latency, workload management, limited line of sight of sub-suppliers, disaster recovery and around the clock access to data.

(iii.) Vendor Lock-In: Vendor lock-in has been a perpetual challenge in IT, for example it becomes increasingly difficult to change a software product having implemented that software into a business process.

Table 1. Measures for Securing Data in Cloud

No.	Measure	Elaboration
1	Asymmetric Encryption based on Advanced Encryption Standard (AES)	Use of two separate keys – public key and private key to encrypt/decrypt the data.
2	Hashing	Protection against possibility of changes between outgoing and incoming messages through use of hashing function. Useful for Geo-synced redundant backups, data integrity and data recovery.
3	Digital Signature	Means of ensuring data authenticity and integrity through the use of authentication.
4	Single Sign-On	Enables Cloud service consumer to be authenticated by a security broker which establishes a security context that is persistent.
5	Hardened Virtual Server Images	Striping unnecessary software from a system to limitpotential vulnerabilities that can be exploited by attackers.
6	Multi Tenancy offerings by the Cloud provider	Using a separate database (with its own schema) for each tenant onboard with the Cloud provider.

RISKS IN CLOUD COMPUTING

There are numerous risks and challenges associated with the adoption of Cloud Computing which requires serious contemplation such as network sniffing, port scanning, loss of governance over stored data, vendor lock-in risks, insecure or incomplete data deletion as well as the lack of a universal standard for data protection along with geo-synchronized redundant backups (Gold, 2012). The growing usage of the mobile device has put the confidentiality, integrity and availability of corporate information at much higher risk than the traditional computing environment (Roberts & Pick, 2004; Rostern, 2005). The risks of using Cloud computing should be compared to the risks of staying with traditional solutions, such as desktop-based models. It is often possible, and in some cases advisable, for the cloud customer to transfer risk to the cloud provider. However not all risks can be transferred (ENISA, 2012). The expected compound annual growth rate of software as a service (SaaS) from 2011 to 2016 is 19.5%, platform as a service (PaaS) 27.7%, infrastructure as a service (IaaS) 41.3% and security services spending 22%. However, security and privacy are still cited by many organizations as the top inhibitors of cloud services adoption, which has led to the introduction of cloud encryption systems.While encryption is important to the secure adoption of cloud services, it should not be viewed as the "silver bullet" (Ashford, 2013). Not all data requires equal protection so businesses should categorize data intended for cloud storage and identify any compliance requirements in relation to data breach notification or if data may not be stored in other jurisdictions. If a risk leads to the failure of a business, serious damage to reputation or legal implications, it is hard or impossible for any other party to compensate for this damage. Ultimately, you can outsource responsibility but you can't outsource accountability (ENISA, 2012).Ashford (2013) identified six areas to consider as follows: Data Residency, Data Management at Rest, Data Protection in Motion, Encryption Key Management, Access Controls, and Long-term Resiliency of the Encryption System.

Table 2. Six main areas for risk mitigation in cloud computing

No.	Risk Heading	Elaboration
1	Data residency	Different host country laws can lead to data control inadequacies resulting in potential breach and/or loss of data.
2	Data management at rest	Geo-synced redundant backups, data integrity and quality, IP protection, Data recovery.
3	Data protection in motion	Secure data transportation is a must to prevent data sniffing and similar attacks.
4	Encryption key management	Secure and stringent encryption key mgmt. mechanism in place
5	Access controls	Service disruption, accessibility issues, high latency and load balancing issues.
6	Long-term resiliency of the encryption system	Different encryption keys for different data sets, use of improvised algorithms and use of DES (data encryption standard).

STATISTICAL ANALYSIS ON SECURITY CONDUCTED FOR A NEW ZEALAND BASED FINANCIAL ORGANIZATION

Statistical data analysis was performed on data collected through an on-line survey within a New Zealand based financial organization. Responses which ranged from 1 (strongly disagree) to 5 (strongly agree) on the Likert scale. Key technology stakeholders were the chosen population of choice and the sample size was 20. The aim was to gauge confidence levels of key technology stakeholders within the organization. As this financial organization handles highly sensitive customer centric data, it lays very high importance on security in order to safeguard its data. Managers are fully aware that they are held responsible for the security and regulation of the data within their realm of influence, regardless of where it is located or who has physical control. They also understand that they have a duty to protect not only the data that belongs to their company but also the data obtained from outside parties as well. When a bank moves into cloud computing, there are two primary challenges that must be addressed - security and regulatory compliance. The confidentiality and security of financial and personal data and mission-critical applications is paramount. Banks cannot afford the risk of a security breach. Also, many banking regulators require that financial data for banking customers stay in their home country.

Table 3. Responses of key technology stakeholders of a financial organization in relation to adoption of Cloud based services

Question	N (20)	Mean Stat.
1.) I am of the opinion that Cloud computing is fairly secure.	20	4.35
2.) I am confident about overall security in a Cloud computing model.	20	3.90
3.) I believe that Cloud computing is more secure than traditional models.	20	4.15
4.) I am optimistic in using or recommending Cloud computing to meet my organization’s needs.	20	4.30
5.) Cloud computing has become much more secure now than it was 7 years ago.	20	4.50

Certain compliance regulations require that data not be intermixed with other data, such as on shared servers or databases. As a result, banks must have a clear understanding of where their data resides in the cloud. The questions asked to respondents within this particular financial organization were aimed to understand their perception of security around Cloud computing and to assess how comfortable the key technology stakeholders were in adopting Cloud based services to migrate their data onto the Cloud. The survey responses obtained indicated a fair degree of confidencein individuals around security within the Cloud environment but does not fully quell security related concerns for any financial organization contemplating whole hearted adoption of Cloud model at the enterprise level. Erring on the side of caution, the target financial entitydecided to consider a design which would provide the best of both worlds i.e. benefits of Cloud while retaining control over location and sensitive data.

It decided to implement a hybrid Cloud with service level agreement (SLA) in place to ensure customized policies are upheld by the Cloud provider. In this situation, sensitive data would be placed on the Private Cloud (totally in control of the organization) whereas non-sensitive data would be placed on the Public Cloud. Another advantage of a hybrid Cloud would be to run applications that are subjected to highly changeable workloads in dynamic environments. The Cloud Bursting technique was decided to be used wherein certain applications of dynamic nature would run in private Cloud but would burst into the public Cloud when demand for computing capacity spikes. This would allow the organization to only pay for extra computing resources when they are needed yet still be able to retain exclusive control over data and applications residing in the private Cloud.

Table 4. Correlation matrix

Upon considering the relationship between security and cost, there was found to exist a statistically significant positive correlation between: Mean_Security and Cost (r=.879, n=20, p<.001) indicating an escalation in cost for increase in requirements pertaining to security. By combining dedicated and cloud resources, businesses can address many security and compliance concerns. With the implementation of a Hybrid Cloud model, businesses can place their secure customer data on a dedicated server and combine the high performance and scalability of the cloud to allow them to conduct business and transact payments online all within one seamless, agile and secure environment. Public cloud, private cloud and dedicated servers are combined and work together seamlessly as one platform. This was another reason why this financial organization decided to adopt hybrid Cloud as compared to private Cloud.Banks tend to lag other industries in cloud usage by 10-15 years. While banks don't necessarily need to be on the leading edge of cloud technology, there are lessons banks could learn from other industries who are already doing this (Crosman, 2013).

BENEFITS OF HYBRID CLOUD

Financial institutions have been highly reluctant to embrace cloud computing. With some justification, compliance teams at many banks fear moving essential functions from server-based systems to the cloud will put sensitive information at undue risk. Yet the potential benefits of the model to the financial services industry are such that for banks to reject the cloud outright would be rash. There are numerous cloud models out there, and they will continue to evolve. But the hybrid model offers banks the opportunity to get on the cloud now, benefiting from low cost, flexibility and on-demand scalability while at the same time addressing the compliance and regulatory issues so vital in their sector (Craythorne, 2014). A "hybrid cloud" model helps financial institutions keep certain data highly confidential while enabling them to enjoy the reduced expenditure, operational efficiencies and corporate flexibility cloud computing can deliver (Sinclair, 2011). Another reason why Hybrid cloud scenario suits the financial industry is considering the fact that data, traffic, and computing needs can spike suddenly in this industry the ability to provision and de-provision capacity is a must for the dynamic nature of the financial services industry. This enterprise level of scale and flexibility is a critical piece of this industry’s infrastructure scenarios. Compliance teams are typically cautious about keeping data "outside" of the bank, which they perceive to be outside of their control. While banks may have already transferred some business processes and data to private clouds (clouds within company boundaries and firewalls), they typically remain averse to exploiting public clouds (where resources are provisioned via the Internet by a third party outside company boundaries and firewalls). A hybrid cloud model overcomes many of the concerns outlined above, enabling banks to reap the benefits of cloud computing while also maintaining the security and confidentiality of their data. A hybrid cloud combines aspects of private clouds and public clouds and works by "mashing up" private and public data so financial institutions can keep certain information highly confidential while exploiting the benefits of public cloud computing (Sinclair, 2011).

THREE PILLARS OF A SECURE HYBRID CLOUD ENVIRONMENT

Dimension Data (2012) identify the three pillars of an effective hybrid cloud environment which can be broadly classified as follows: (1) Risk assessment and management: Many organizations simply assume that a move to the cloud will inevitably involve greater levels of risk. Performing an in-depth assessment of the current status of each risk before it’s moved to the cloud can allow for effective classification of each risk and be either accepted, mitigated, transferred or avoided. (2) Provider Transparency: The importance of clear and transparent communication on the part of cloud providers regarding the security embedded in their offerings shouldn’t be underestimated. For businesses, moving to the cloud is something of a leap of faith. Cloud involves relinquishing a degree of control. Providers would do well to share as much information as possible with prospects about their environment, offerings, controls and configurations in order to build a foundation of trust and alleviate any concerns early on in the customer-provider relationship. (3) Policy and Compliance: Cloud providers need to understand that simply listing compliance certifications isn’t sufficient. In line with the mantra of transparency explored in the previous point, providers should take a proactive stance to sharing their security implementations and controls. Organizations should look for providers that don’t only provide proof of their certification, but can also explain how they achieve and maintain their compliance levels, what problems they’ve encountered in this area and how these have been overcome. Together, these pillars can effectively contribute towards an organization effectively migrating to the Cloud whilst at the same time, winning a customer’s trust to maintain the relationship in the long run.

OTHER ISSUES THAT MAY RESULT IN ELEVATED RISK LEVELS WITH IN A CLOUD ENVIRONMENT

There are numerous other issues which must also be considered that could potentially result in elevated risk levels. These are listed below:

a. Limited line of sight of sub-suppliers: A contract may be signed with one Cloud provider who may have a number of different suppliers supporting their delivery and the end customer may not have visibility of such backend supporting services. This could mean that while the customer has a contract with the main Cloud provider, they would not have visibility of all the subcontracted activities.

b. Multi Tenancy offerings by the Cloud provider: Multi tenancy means that there are multiple tenants sharing common physical computing resources while remaining logically isolated. The following key aspects should be supported by multi-tenanted solutions:

(i.) Isolation of tenant data

(ii.) Isolation of tenant work space (memory)

(iii.) Isolation of tenant execution characteristics pertinent to business logic such as performance, availability etc.

(iv.) Tenant-aware aspects such as security, management and reporting.

(v.) Ability to allocate resources to tenants dynamically, as needed.

(vi.) Tenant-aware application version control

c. Geographic Distance: Huge geographic distances can result in latency issues and this performance degradation can affect certain time dependent critical system related operations.

d. Service Recovery Assurance and Downtime Minimization: Organizations should include recovery assurances as part of their service level agreements to ensure minimal downtime.

e. Technical Support: Cloud provider must have ability to provide technical support preferably in accordance with the customer’s business hours e.g. Cloud provider in USA must be able to provide technical support to customers in New Zealand region.

f. Application of customer’s security policies to data held by Cloud provider: Organizations should ensure that any customized data policies are applied to data being hosted at provider’s end to maintain consistency in dataset management on both sides.

There is growing concern in the wider community about data privacy. In May 2012, the New Zealand Government announced that they would be overhauling the 1993 Privacy Act (NZGovt, 2012). Any changes to this law may mean an adjustment to an organization’s Cloud policies. One of the most important primary responsibility is to protect user's private information and it must be no less secure in a third party's environment as it is when hosted internally within an organization. In the ordinary course of business, Cloud Service Providers do not access a client’s information. Typically, Cloud Service Providers will have enterprise level security controls in place to prevent their staff accessing client’s data. However, should a breach occur, the important factor for any organization is to have an appropriate response plan in place. A response plan will firstly assist in preventing further harm to customers and secondly, assist to protect the organization's reputation.

CONCLUSION:

Although perfect and 100% secure cloud based systems remain yet to be implemented, the above factors can contribute towards establishing a reduced risk cloud computing framework for organizations such as banks and other financial institutions whose primary concern is to safeguard sensitive data. As the cloud model evolves, it is imperative to constantly review, monitor and implement timely enhancements to the above factors. In doing so, organizations can safely and productively rely on adopting the cloud model while minimizing risk. While Cloud computing has numerous advantages such as lower software and hardware costs, the ability to access data on the go and disaster recovery through the redundancy of data, each organization needs to carefully consider security and legislative/operational measures in order to fully realize a Cloud based working model to suit individual requirements. A financial organization may have many reasons for moving to the cloud, but the primary reason will likely be applications. A key stumbling block for major investments in new technologies has always been the capital expenditure needed for new infrastructure. With cloud computing, financial institutions only have to budget for operational expenses and pay for the services they use. This makes it easier and more cost effective to test new applications on the cloud versus current traditional infrastructures. With key IT players like Microsoft, Amazon and Google offering Cloud based services to both business and consumers alike, Cloud computing is being adopted by more and more users. However, organizations involved in handling sensitive data such as banks and other financial institutions must diligently prepare a customized plan to whole heartedly adopt the Cloud services model. In doing so, organizations can safely and productively rely on adopting the cloud model while mitigating risk. Also, with the Cloud being a set of existing, new and emerging technologies and operational approaches that present differential risks compared to an enterprise’s own datacenter, an organization’s goal of risk assessment should be to fully comprehend the differential risks by introduction of compensating controls that assess those risks. This does not mean that total risk should not be considered however, the differential risk will aptly gauge organizational risk appetite and cost-benefit trade-off of the overall adoption process.

REFERENCES:

1. Ashford, W. (2013). Six security issues to tackle before encrypting cloud data. Retrieved from: http://www.computerweekly.com/news/2240180087/Six-security-issues-to-tackle-before-encrypting-cloud-data

2. Craythorne, T. (2014). Embracing the Hybrid Cloud. Retrieved from: http://www.banktech.com/cloud/embracing-the-hybrid-cloud/a/d-id/1316107

3. Crosman, P. (2013). Why the Hybrid Cloud Matters to Banks. Retrieved from: http://www.americanbanker.com/issues/178_198/

4. Dimension Data. (2012). The Three Pillars of a Secure Hybrid Cloud Environment. Retrieved from: https://www.dimensiondata.com/Global/Downloadable%20Documents/The%20Three%20Pillars%20of%20a%20Secure%20Hybrid%20Cloud%20Environment%20Best%20Practice%20Guide.pdf

5. ENISA. (2012). Cloud computing benefits risks and recommendations for information security. Retrieved from: https://resilience.enisa.europa.eu/cloud-security-andresilience/publications/cloud-computing-benefits-risks-and-recommendations-forinformation-security

6. Erl, T., Zaigham, M. & Ricardo, P. (2013). Cloud Computing Concepts, Technology & Architecture: Prentice Hall.

7. Fratto, M. (2009, January). Cloud control. InformationWeek, 1218, 30, 32, 34, 36.

8. Gold, J. (2012). Protection in the cloud: Risk management and insurance for cloud computing. Journal of Internet Law, 15(12), 1-28.

9. Horwath, C. (2012). Enterprise Risk Management for Cloud Computing. Retrieved from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf

10. NZGovt. (2012). Government to overhaul Privacy Act. Retrieved from: http://www.beehive.govt.nz/release/government-overhaul-privacy-act

11. Roberts, G. K., & Pick, J. B. (2004). Technology factors in corporate adoption of mobile cell phones: A case study analysis. Proceedings of the IEEE 37th Annual Hawaii International Conference on System Sciences, 9(9), 90287-90296.

12. Rostern, J. (2005). Dangerous devices: The huge storage capacity of computer removable media poses a considerable threat to sensitive corporate data. Internal Auditor. Retrieved from: http://findarticles.com/p/articles/mi_m4153/is_5_62/ai_n15756369

13. Shrum, S. M., Paul. (2012). Common Risks of Using Business Apps in the Cloud. Retrieved from: http://www.us-cert.gov/sites/default/files/publications/using-cloud-apps-forbusiness.pdf

14. Sinclair, L. (2011). Why Banks Must Not Fear the Cloud. Retrieved from: http://businessfinancemag.com/treasury/why-banks-must-not-fear-cloud

15. Leavitt, N. (2009). Is cloud computing really ready for prime time. 42(1), 15-20.

16. ODCA. (2014). Open Data Center Alliance. Retrieved from: http://www.opendatacenteralliance.org/docs/Data_Exchange_for_Software_as_a_Service_Rev1.0.pdf

17. Tay, L. (2011). Westpac bursts risk analysis to Azure. Retrieved from: http://www.itnews.com.au/News/266585,westpac-bursts-risk-analysis-to-azure.aspx

Received on 20.11.2016 Modified on 18.12.2016

Asian J. Management; 2017; 8(1):12-18.

DOI: 10.5958/2321-5763.2017.00003.8