Discuss the case study for the IT Risk Assessment Report for Aztek.
The report will discuss the topic “Migrating business-critical applications and their associated data sources to an external cloud hosting solution”.
Purpose: The purpose of this IT risk assessment report is to evaluate the adequacy of the Aztek project related to using an external cloud service solution for deploying their data and business-critical applications. The risk assessment will provide a detailed evaluation of this operational environment. The report will address the following aspects in relation to IT risks and control measures and provide analysis and discussions:
- Review of the financial services sector in relation to this project. Some of the best practices and government or industry regulation and compliance are explored.
- Discuss the security posture of the project in terms of current IT security procedures.
- An evaluation of risk based on threats, vulnerabilities and consequences obtained from an IT control framework in relation to the chosen project.
- Assessment of risks related to data security.
Scope: The risk assessment will address the risks related to using an external cloud hosting provider for migration of business applications and databases. The usage of the system and its resources must be planned prior to implementation to protect data and applications from possible vulnerabilities, threats (internal and external) and other attack problems. This is important because if the data and vulnerabilities are not addressed, Aztek will face negative business impacts such as:
- Unauthorized access to data and applications (Zissis & Lekkas, 2012)
- Unauthorized modification of information and systems
- Services and access denied to authorized users
- Loss of business-critical data and applications
Due to the over dependency on IT systems and networks by Aztek, and its strategic initiatives on business expansion plans, the management decides to deploy their data and applications in a cloud service. Cloud services offer immense benefits in terms of IT management and efficiency, at the same time they have their own set of risks and problems. The report will explore existing best practices related to security safeguards with the aim of supporting the management in deciding on security related initiatives for Aztek.
A brief review of cloud migration by financial services sector and best practices
In recent years cloud computing has grown significantly due to its cost efficiencies and as an attractive alternative to in-house IT infrastructure (Khajeh-Hosseini, Greenwood, & Sommerville, 2010). At an operational level, using a cloud service in the organization will improve innovation by freeing up resources internally and will help the company to focus on core business activities (Garrison, Kim, & Wakefield, 2012). Further, clouds are interoperable, offer collaboration and also provide immense potential for financial services to enhance their customer relationships at high levels. These benefits influenced the management in Aztek to migrate their applications and data sources to the cloud (Stamford, 2012).
In spite of all the benefits, cloud services are vulnerable to IT risks (Shaikh & Haider, 2011). Prior to migrating all their data sources and applications to the cloud, Aztek must deeply assess IT and cloud-related security aspects such as threats, confidentiality, data integrity, auditability and other compliance aspects. It is therefore essential for Aztek to clearly understand the risks in cloud migration and to define the necessary controls to protect all information assets before business-critical data sources are deployed on the cloud (Heiser & Nicolett, 2008). In cloud computing, security and privacy issues and legal matters are widely acknowledged. Most of the security and privacy issues are usually due to users' lack of control over the physical infrastructure (Subashini & Kavitha, 2011). Most of these issues are not directly related to the cloud; rather, security issues arise due to web browsers and web services on the internet. Since cloud computing systems make use of the World Wide Web for their services, security threats are a significant aspect in cloud migrations (Jensen, Schwenk, Gruschka, & Iacono, 2009).
The presence of technology on the internet and huge repositories of data are always an attractive target for hackers (Mondal & Sarddar, 2015). This is important for Aztek because once data is migrated it can be a target; however, cloud security measures are provided by the cloud service provider. In addition, data is stored in multiple locations (data centers), which can limit the damage caused by attacks on the web. Therefore, it is important to note that Aztek may not focus on having an internal IT department to manage security for its data and applications but must, at the same time, ensure adequate agreements are in place for securing its data in the cloud (Biswas, 2011).
The Cloud Security Alliance (CSA), an industry group founded by big cloud vendors, was formed to develop security best practices and guidelines for companies adopting cloud computing services for their operations. The guidelines direct consumers (Aztek) to the security-related problems and issues that must be considered during migration. The guidelines are written for a wide range of areas such as encryption, portability, interoperability and risk management (CSA, 2009).
In addition to CSA, the European Network and Information Security Agency (ENISA) published a report to highlight the security issues normally found in cloud computing (Catteddu & Hogben, 2009). According to ENISA, security issues can be categorized into:
- Issues related to policy and organizational matters, compliance challenges, vendor lock-in (Kshetri, 2013) and so on.
- Risks from technology such as data leakage, loss of encryption keys, denial of services to authorized users, authentication procedures, etc. (Kulkarni, et al. 2012).
- Legal risks in cloud migration mostly relate to data protection and software licensing matters (So, 2011).
- In addition to the above, there are risks due to hardware failure, natural calamities like earthquakes, floods, etc.
In spite of this risk categorization, it must be understood that security in the cloud is much easier to implement because data protection, privacy, and availability are handled by the cloud provider (James, 2010) and can be further strengthened by defining service level agreements. Looking into the above aspects, Aztek can consider cloud deployment of their data and applications because the cloud offers an advantage compared to developing an in-house security system (Armbrust, et al., 2009).
Exploring the cloud migration adoption trends in the finance sector, it can be found that many financial organizations look for infrastructure and software services on the cloud (Garg, Versteeg, & Buyya, 2013). This is because financial services cater to a range of users and services, including mobile applications, retail banking systems, online transactions, credit risk analysis solutions and high-performance computing. Further, since cloud infrastructures are developed based on industry best practices such as ITIL, COBIT, CMMI, etc., the aspect of compliance is also handled by the cloud service (Shen, et al. 2013). However, financial organizations such as Aztek must carry out a standard risk analysis to ensure their data and applications are secured in cloud-based services. Every country has its own set of compliance and security requirements and frameworks when it comes to user privacy, confidentiality, and integrity (Barlow, 2016).
In the case of Australia, the following guidance, strategies, policies and standards (Policy, 2014) are available:
- Australian government data center strategy 2010-2015 which aims to improve data center facilities
- Australian government big data strategy for better service delivery
- Cloud computing regulatory stock take
- Cloud security considerations
- Guide to implementing cloud services
- Negotiating the cloud, legal issues in cloud computing agreements
- Records management in cloud
- Australian government standards by the Joint Technical Committee
The above regulations, guidance, and policies must be evaluated by Aztek before deploying their data and applications with the cloud provider.
Assessment of current security posture and mitigation actions
In the current scenario, the number of attacks and threats against both private and public organizations is rising, and at the same time they are becoming more sophisticated and complex (Tankard, 2011). In order to deal with these threats, Aztek must effectively prioritize and develop security measures by determining which of their assets are most likely to be affected while deploying them in the cloud. A security posture must be maintained at good levels for Aztek to operate effectively in the current financial industry scenario. Therefore, developing a mature information security model will depend on effective risk-based decision making. The strategy for developing effective risk-based decision making will be reliant on the evaluation of different information security risk factors. At the same time, understanding these risk factors could be quite challenging (Webb, et al. 2014).
The first step for Aztek is to evaluate the existing security scenario to identify gaps and threats and minimize loss for the company. The evaluation of existing gaps is done by determining the specific risks that threaten the business interests of Aztek. The specific risk issues will include understanding security attacks, internal and external threats and associated problems to business due to compromise of technology (Gonzalez, et al. 2012). Risk evaluation methodology can be structured as four distinct phases (Munassar & Govardhan, 2010) for the company. These include:
- Analyzing risks in resources, controls, threats and vulnerabilities
- Implementing security countermeasures through management decisions
- Implementing countermeasures and procedures in the company
- Reviewing the risk management program periodically
Threats, vulnerabilities and risks are identified and analyzed in detail for Aztek in the above phases. For instance, asset identification will identify system resources within the system boundary which require protection. In the case of Aztek, the data and information resources require protection from different forms of threats. The application will also require protection from attacks and misuse by users (Chen & Zhao, 2012). Evaluating the weaknesses in IT design, security procedures, implementation and internal controls must be authorized by security experts within the organization (Jaferian, et al. 2014). Threat identification will provide projected threats that are applicable to the system in the company. For instance, virus attacks, malware, denial of service attacks, or packet sniffing and modification are some of the threats that can negatively impact information assets in Aztek.
The security posture will determine the requirements needed for each department in the company. The IT unit will identify security requirements that are specific to the software, hardware, networks and operating systems that are identified under information assets. Security threats that affect the confidentiality, integrity and availability of the system or cloud service are evaluated in order to recommend appropriate security safeguards, management of security measures, implementation, and other security-related initiatives (Rosado, et al. 2012). In addition to evaluations, controls are implemented for gaining confidence in the existing security posture. Some of the important security controls include:
- Management controls which manage IT for its risks and its acceptance (Spears & Barki, 2010).
- Operational controls that focus on mechanisms implemented and executed by people. This will also include physical security, safeguarding of all media and inventory (Julisch & Hall, 2010).
- Technical controls will provide automated protection to systems or applications. This can include implementing anti-virus software, establishing authentication procedures, deploying firewalls, etc. to protect information stored in systems (Bohn, et al. 2011).
After the information assets have been identified and analyzed for adverse effects to business, the system sensitivity requirements and security of the related asset are determined. The severity of impact or loss is determined by three main aspects of user confidentiality, integrity, and availability. For instance, confidentiality will protect users and data from unauthorized disclosure (Krutz & Vines, 2010). Integrity will provide protection from unauthorized or unintentional modification and will verify data for its correctness from the point of origin to the point of receipt of a message (Luo & Bai, 2011). Authenticity is also closely related to data integrity (Medic & Golubovic, 2010) which verifies if the data is subject to some form of attack during transit. Lastly, availability will ensure the data and information are available to all authorized users to fulfill business requirements (Yu, et al. 2010). The risk level for each of these impacts can be further categorized under low, moderate or high depending on the level of impact to Aztek’s business objectives.
Some of the threat mitigation measures followed in financial services include:
- Use of better data encryption tools
- A mechanism for incident reporting
- Using better auditing tools for increasing transparency
- Clarity on liability and responsibility for both Aztek and the cloud service provider
- Tools for improving privacy
- Remote audit of services
- Receive logs in real time
- Better solution for data classification
In addition to these mitigation measures, there are many more that Aztek must consider in its decision to migrate to the cloud. By establishing a confident security posture and evaluating their assets, the company will be able to successfully assess confidentiality, integrity and availability aspects for implementing cloud services in their office. It is also important to note that by having a good idea of their comfort level while transitioning into the cloud, the company will be able to transition to the right service model that will fit their risk tolerance.
An assessment of IT risks for Aztek
This section will provide an assessment of threats, vulnerabilities, and attacks. Some of the top threats available on the internet include:
Malicious code or malware (Worms, Trojans, etc.): These threats steal user data and are common in business IT environments. Malware is becoming more sophisticated; it affects sensitive components and also erases all traces, making it difficult for law enforcement agencies to investigate an affected system or network. Some types of malware are known as banking Trojans, which capture user information and steal passwords, account information, etc. (Ligh, et al. 2010).
Web application attacks consist of feeding vulnerable servers and mobile apps with malicious data to alter site content or breach information. This type of attack is slowly increasing (Stuttard & Pinto, 2011).
Denial of service attacks will prevent access to authorized users requesting a service from the system or network. Recently, denial of service attacks have grown in sophistication and are combined with other types of attack, namely virus activation, data or intellectual property theft, financial theft and so on (Beitollahi & Deconinck, 2012).
Data breach refers to the loss of personal data on the internet. Often valuable information is lost for a user and mostly results in financial impact. A data breach can also occur due to erroneous or inadvertent actions by a user leading to disclosure of all confidential information. A data breach can be understood as an abuse of information by attackers (Romanosky, Hoffman & Acquisti, 2014).
Insider threat or insider attack is often a result of abuse by an existing employee or an ex-employee having access to critical data in the system. Insider threats can occur when a user will bypass security controls using his/her access rights to overcome existing protection. Often the best way to identify insider threats is to successfully track system logs to understand user behavior in the system. Insider threats result in high impact similar to external threats and system administrators must keep an eye on people’s behaviour to detect patterns of system usage (Kandias, Virvilis, & Gritzalis, 2011).
Identity theft and fraud is another risk where the attacker steals a user password and gains access to the system like an authorized user. This type of threat is usually common in financial transactions and data (Finklea, 2010).
Risk management strategies, policies and procedures must consider the above threats and vulnerabilities and overcome uncertainties by measuring, managing and mitigating threats (De Bakker, Boonstra & Wortmann, 2010). IT risk management will provide a means for IT resources and decision making in Aztek to deliver confidentiality, integrity and availability of information assets.
Availability is the primary goal of cloud computing systems and refers to the availability of data and applications to all users from anywhere, at any time and on any device. Cloud systems make use of redundancy and hardening strategies to improve the availability of all applications hosted on them.
Confidentiality refers to keeping users’ data secured from unauthorized access in cloud systems. The confidentiality of cloud systems is quite challenging because applications or data in the cloud are exposed to more attacks due to their access from the internet, which is a public network. Some companies make use of private clouds, which provide more secure and restricted access through the internet. Hence, with user confidentiality in view, cloud vendors adopt cryptography and encryption standards, which must be detailed in service agreements between Aztek and the cloud service provider.
Data integrity is another aspect which is fundamental to cloud service. Integrity refers to the preservation of information from possible loss or abuse by unauthorized or authorized users in the system. Data integrity will also be defined in the contracting agreements between the company and the service provider.
Migrating business applications and data to the cloud involves risks such as lack of availability, inadequate performance and external and internal threats. In some scenarios, the security offered by the cloud service provider may be adequate for that purpose. Regulatory compliance, standards and frameworks such as ISO, ITIL, etc. are easily available with cloud service providers (Ding, 2015). However, it is always best to have adequate policies and standards within the organization to protect business-critical information and assets on the cloud. After the risks and mitigation practices are considered, data and applications can be migrated to the cloud. At this time appropriate controls must be established at all levels, viz. managerial, operational and technical. Adequate controls are required to regulate the use of data and applications, the infrastructure and the system. One typical control mechanism is access control for users (Kuhn, Coyne & Weil, 2010). The control allows users to access the application and trust the identity of the information. In the cloud, all applications will keep track of authorized users. This is done by user-centric access control, in which every user request to the service provider is integrated with the user identity and his/her entitlements. By providing user-centric controls, the aspects of confidentiality and trust are maintained in clouds (Onankunju, 2013).
Risk management in Aztek will follow a framework that continually evaluates risks to ensure its security posture is confident and robust. The following points may be considered:
- Analyze the impact and categorize information stored, processed and transmitted in the cloud service for Aztek.
- Establish a set of security controls for risks, local conditions and assessments (Aleem & Ryan, 2012). Having controls in agreements with the cloud service provider will help Aztek to have more robust security.
- Review controls to verify if they are meeting security needs.
- Establish access controls as appropriate for all users in Aztek.
- Periodically monitor security controls; this is an ongoing activity.
Risk assessment is highly critical for business operations and is an ongoing activity.
Data security, people’s role in Cloud for Aztek
Using a cloud solution implies the employees of the cloud provider will have the ability to use Aztek’s data and applications. This is important to consider because the cloud provider usually allows the company availing services to assign and manage roles and associated levels of authorization for each of their users in accordance with their security policies. The roles and authorization rights can be provided per resource, service or application, and different areas of data can have restricted access. For example, an employee can post transactions to the database, whereas another user can only generate reports from the system. This type of access control is highly important in cloud migration (Padhy, Patra, & Satapathy, 2011).
In addition to access control and user levels, the cloud provider can provision unique identities for Aztek’s users and services. This function can be configured to support access to a resource or support customer applications. At the same time, a user regardless of his/her role must be monitored and logged in the system for the purposes of auditing of customer data and applications. The following points may be noted in relation to managing people’s access and controls:
- For administering Aztek’s users, the cloud provider can support delegated identification. This is done through the process of identity provision and delegation.
- Aztek can consider the process of identity across applications by providing single sign-on to give users access to all applications and services. This can be revisited, and user access can have multiple sign-ons with appropriate controls in each application. This can be defined in agreement with the cloud provider.
- Aztek can consider the need for auditing and logging reports to monitor their service usage to fulfill compliance with regulations. The cloud provider will make available all system and application logs to Aztek for auditing purposes.
- Data is highly critical for financial companies such as Aztek. Authentication mechanisms must be strong to access high-value assets hosted in the cloud. This shall ensure user privacy and confidentiality of all Aztek’s information.
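The per-resource roles, identity-bound requests and role-independent logging described above can be sketched as follows. This is an added example, not part of the original report or of any cloud provider's API; the role names, resources and user identities are hypothetical.

```python
"""Deny-by-default, per-resource role checks with an audit trail (illustrative)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical mapping: role -> {resource: allowed actions}.
ROLE_ENTITLEMENTS = {
    "teller": {"transactions_db": {"post", "read"}},
    "analyst": {"transactions_db": {"read"}, "reporting": {"generate"}},
    # Cloud provider staff operate infrastructure but hold no data entitlements.
    "provider_ops": {"infrastructure": {"restart"}},
}

# Constructed user directory: identity -> (organisation, roles).
USERS = {
    "alice": ("aztek", {"teller"}),
    "bob": ("aztek", {"analyst"}),
    "csp-eng-7": ("provider", {"provider_ops"}),
}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    org: str
    resource: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessController:
    audit_log: list = field(default_factory=list)

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Decide a request from the caller's identity and entitlements.

        Anything not explicitly granted is denied, and every decision is
        logged regardless of the caller's role.
        """
        org, roles = USERS.get(user, ("unknown", set()))
        allowed = False
        reason = "unknown identity" if user not in USERS else "no role grants this action"
        for role in sorted(roles):
            if action in ROLE_ENTITLEMENTS.get(role, {}).get(resource, set()):
                allowed, reason = True, f"granted by role {role}"
                break
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(),
            user, org, resource, action, allowed, reason))
        return allowed

    def denied_by_user(self) -> Counter:
        """Count denied requests per identity, for audit review."""
        return Counter(e.user for e in self.audit_log if not e.allowed)

    def flag_users(self, threshold: int = 2) -> list:
        """Identities with at least `threshold` denied requests."""
        return sorted(u for u, n in self.denied_by_user().items() if n >= threshold)


if __name__ == "__main__":
    ac = AccessController()
    ac.authorize("alice", "transactions_db", "post")      # teller posts a transaction
    ac.authorize("bob", "transactions_db", "post")        # analyst may only read and report
    ac.authorize("bob", "reporting", "generate")
    ac.authorize("csp-eng-7", "transactions_db", "read")  # provider staff touching data
    ac.authorize("csp-eng-7", "transactions_db", "read")
    for event in ac.audit_log:
        print(event)
    print("review:", ac.flag_users())
```
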
Therefore, it may be noted that data is the core of all IT security issues in any organization and in whatever infrastructure it is stored. Cloud computing systems offer immense benefits; however, the security issues and problems remain the same. In clouds, data risk takes various forms such as unauthorized disclosure, tampering, internal threats, unauthorized modification of data, the risk of data loss and so on. Another aspect to note in the cloud is that data must be protected at rest and in motion (while transferred in a network). This must be considered in migrating to cloud systems, and encryption standards help in securing data in motion. In the cloud the term data also refers to applications and software, where all the risks related to data apply. The need for Aztek will be to:
- Perform an internal assessment to understand the problems in IT risks
- Evaluate cloud services for their service offering, especially in the area of data and applications
- Perform a thorough review of all aspects related to risks in migrating data and applications to the cloud
- Develop adequate security measures and test them for cloud migration.
- Ensure to have substantial service agreements defined with the cloud provider to protect business interests of Aztek.
The report analyzes the problems and risks of migrating data and business-critical applications to a cloud provider for Aztek. The report provides a review of how cloud systems are used by the financial sector and the problems faced. The existing security posture for the company is reviewed and suggestions provided while reviewing the problems of security risks. The risk assessment provides brief discussions on the type of threats available in cloud migration in general. The data security aspects in the report present risks with a view to how data can be secured and used within Aztek.
Aleem, A., & Ryan Sprott, C. (2012). Let me in the cloud: analysis of the benefit and risk assessment of cloud platform. Journal of Financial Crime, 20(1), 6-24.
Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., et al. (2009). Above the Clouds: A Berkeley View of Cloud Computing. Technical Report. University of California at Berkeley.
Barlow, B. (2016). How Financial Services Protect Their Users. Retrieved October 10, 2016, from CSO: https://www.cso.com.au/article/608062/how-financial-services-protect-their-users/
Beitollahi, H., & Deconinck, G. (2012). Analyzing well-known countermeasures against distributed denial of service attacks. Computer Communications, 35(11), 1312-1332.
Biswas, S. (2011). Is Cloud Computing Secure? Retrieved October 10, 2016, from Cloud Tweaks: https://cloudtweaks.com/2011/01/the-question-should-be-is-anything-truly-secure/
Bohn, R. B., Messina, J., Liu, F., Tong, J., & Mao, J. (2011, July). NIST cloud computing reference architecture. In 2011 IEEE World Congress on Services (pp. 594-596). IEEE.
Catteddu, D., & Hogben, G. (2009). Cloud Computing: benefits, risks and recommendations for information security. Technical Report. European Network and Information Security Agency.
CSA. (2009). Security guidance for critical areas of focus in cloud computing. Cloud Security Alliance.
Chen, D., & Zhao, H. (2012, March). Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on (Vol. 1, pp. 647-651). IEEE.
De Bakker, K., Boonstra, A., & Wortmann, H. (2010). Does risk management contribute to IT project success? A meta-analysis of empirical evidence. International Journal of Project Management, 28(5), 493-503.
Ding, Y. (2015). Service Delivery Standards (ITIL, COBIT, ETOM, ISO/IEC 20000, Etc.). Wiley Encyclopedia of Management.
Finklea, K. M. (2010). Identity theft: Trends and issues. DIANE Publishing.
Garg, S. K., Versteeg, S., & Buyya, R. (2013). A framework for ranking of cloud computing services. Future Generation Computer Systems, 29(4), 1012-1023.
Garrison, G., Kim, S., & Wakefield, R. L. (2012). Success factors for deploying cloud computing. Communications of the ACM, 55(9), 62-68.
Gonzalez, N., Miers, C., Redigolo, F., Simplicio, M., Carvalho, T., Näslund, M., & Pourzandi, M. (2012). A quantitative analysis of current security concerns and solutions for cloud computing. Journal of Cloud Computing: Advances, Systems and Applications, 1(1), 1.
Heiser, J., & Nicolett, M. (2008). Assessing the Security Risks of Cloud Computing. Gartner Research. ID Number: G00157782.
Jaferian, P., Hawkey, K., Sotirakopoulos, A., Velez-Rojas, M., & Beznosov, K. (2014). Heuristics for evaluating IT security management tools. Human–Computer Interaction, 29(4), 311-350.
James, B. (2010). Security and privacy challenges in cloud computing environments.
Jensen, M., Schwenk, J. O., Gruschka, N., & Iacono, L. L. (2009). On Technical Security Issues in Cloud Computing. IEEE International Conference on Cloud Computing (CLOUD-II 2009), Bangalore, India, 109-115.
Kandias, M., Virvilis, N., & Gritzalis, D. (2011, September). The insider threat in cloud computing. In International Workshop on Critical Information Infrastructures Security (pp. 93-103). Springer Berlin Heidelberg.
Khajeh-Hosseini, A., Greenwood, D., & Sommerville, I. (2010, July). Cloud migration: A case study of migrating an enterprise it system to iaas. In 2010 IEEE 3rd International Conference on cloud computing (pp. 450-457). IEEE.
Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and institutional evolution. Telecommunications Policy, 37(4), 372-386.
Kuhn, D. R., Coyne, E. J., & Weil, T. R. (2010). Adding attributes to role-based access control. IEEE Computer, 43(6), 79-81.
Kulkarni, G., Gambhir, J., Patil, T., & Dongare, A. (2012, June). A security aspects in cloud computing. In 2012 IEEE International Conference on Computer Science and Automation Engineering (pp. 547-550). IEEE.
Krutz, R. L., & Vines, R. D. (2010). Cloud security: A comprehensive guide to secure cloud computing. Wiley Publishing.
Ligh, M., Adair, S., Hartstein, B., & Richard, M. (2010). Malware analyst's cookbook and DVD: tools and techniques for fighting malicious code. Wiley Publishing.
Luo, W., & Bai, G. (2011, September). Ensuring the data integrity in cloud data storage. In 2011 IEEE International Conference on Cloud Computing and Intelligence Systems (pp. 240-243). IEEE.
Medic, A., & Golubovic, A. (2010). Making secure Semantic Web. Universal Journal of Computer Science and Engineering Technology, 1(2), 99-104.
Mondal, R. K., & Sarddar, D. (2015). Utility Computing. International Journal of Grid and Distributed Computing, 8(4), 115-122.
Munassar, N. M. A., & Govardhan, A. (2010). A comparison between five models of software engineering. IJCSI, 5, 95-101.
Onankunju, B. (2013). Access control in cloud computing. International Journal of Scientific and Research Publications, 3(9).
Padhy, R. P., Patra, M. R., & Satapathy, S. C. (2011). Cloud computing: security issues and research challenges. International Journal of Computer Science and Information Technology & Security (IJCSITS), 1(2), 136-146.
Policy, A. G. (2014). Smarter ICT Investment, Version 3.0. Canberra, Australia: Government of Australia.
Stamford, C. (2012, September). Gartner Says Worldwide Cloud Services Market to Surpass $109 Billion in 2012. Retrieved October 10, 2016, from Gartner Newsroom: https://www.gartner.com/newsroom/id/2163616
Romanosky, S., Hoffman, D., & Acquisti, A. (2014). Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), 74-104.
Rosado, D. G., Gómez, R., Mellado, D., & Fernández-Medina, E. (2012). Security analysis in the migration to cloud environments. Future Internet, 4(2), 469-487.
Shaikh, F. B., & Haider, S. (2011, December). Security threats in cloud computing. In Internet technology and secured transactions (ICITST), 2011 international conference for (pp. 214-219). IEEE.
Shen, Y., Li, Y., Wu, L., Liu, S., & Wen, Q. (2013). Trusted Cloud Initiative Reference Architecture. Enabling the New Era of Cloud Computing: Data Security, Transfer, and Management: Data Security, Transfer, and Management, 78.
Stuttard, D., & Pinto, M. (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. John Wiley & Sons.
Spears, J. L., & Barki, H. (2010). User participation in information systems security risk management. MIS quarterly, 503-522.
So, K. (2011). Cloud computing security issues and challenges. International Journal of Computer Networks, 3(5).
Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), 1-11.
Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network security, 2011(8), 16-19.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & security, 44, 1-15.
Yu, S., Wang, C., Ren, K., & Lou, W. (2010, March). Achieving secure, scalable, and fine-grained data access control in cloud computing. In Infocom, 2010 proceedings IEEE (pp. 1-9). IEEE.
Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation computer systems, 28(3), 583-592.