IT Governance And Cloud Computing Security

IT Governance: IT Governance is what a company want to make sure that they achieve the information technology strategies and goals. The main concept of IT governance providing a perfect balance between Information Technology and Business functions of the organization. We use a governance framework designed that provide a direction to enhance the performance of the organization.

The frameworks such as ISO 38500 and COBIT. COBIT is designed to provide the structure for governance decision making, it explicitly defines that organization’s success depends on both the IT functions and other support functions equally (De Haes, 2013). Security in Cloud Computing:When we start speaking of security, it’s defines a combination of confidentiality, integrity, prevention of unauthorized access, deletion, withholding and disclosure of information. The major issues of security in cloud computing include resource security, management and monitoring. The most important aspects of cloud security include, data privacy, data protection, data availability, data location and secure transmission. For the all the above threats include data loss, service disruption and outside malicious attacks. Providing data security access control mechanisms for a cloud computing environment can be divided into the following aspects:

1. Access control based on virtualization Technology: We implement a virtual machine manager which can control communications between multiple virtual machines which work on a single physical node. Using Trusted Virtual Domain (TVD’s) where security is inter-domain communication. TVD’s use virtualization and overlay technologies that are designed to form a protection layer around the computing entity which performs a service, regardless of the physical configurations of the machine. With this happening the internal execution becomes a isolated transaction from any malicious and unintentional side effects for the external applications that have access to the cloud data (Bussani, et al. , 2005).
2. Cross-domain access control: Users accessing resources cross-domain need the certification services within the domain boundaries to make a unified identity management for accessing the shared services. Therefore, when each trusted domain has its own access policies, we need them to support the strategies. With various domains having their trusted certificates, which are used for cross-domain access with the synthesis of access control policies. The common problem we have with data is encryption and then when there is data on the server in the encrypted ciphertext format the retrieval of that data is critical problem that needs to be addressed.

Retrieval of ciphertext is much bigger problem and can be done by the below discussed methods:

1. Linear Searching Method: This uses conversion of ciphertext data into plain text messages with the symmetric encryption algorithm. Each ciphertext information corresponds to a specific key-word which generates a bunch of pseudo-random sequence and a check sequence determined by the pseudo random sequence and the ciphertext. The sum of the pseudorandom sequence and the test sequence is equal to the ciphertext sequence. However, this methodology has an obvious drawback, which is for the searched data to give its desired result, the ciphertext information much successfully match and the time complexity is very high and is difficult to apply to large datasets for searching (D. Song, 2000).
2. Public Key based on keyword searching method: The main idea for this concept is to encrypt the data with a public key encrypt, it first generates a public key and then the private key which are then encrypted into plaintext keywords. These plaintext keywords are stored with public key to generate the ciphertext that can used for search. And during the process of search, it encrypts the plaintext sequence provided by the user to search with the public key and then carries out the ciphertext keyword that is matching with the user search criteria. Network security:Network security focuses on maintaining the data on the servers over the network. To control the network flow efficiently, the following levels of security must be considered:

• Network level
• Prevent intrusion into the network
• Server level – access rights and security policies, User identification
• Database level – access level for host and server
• Encryption level – Uses public keys and only the use of right encryption key to access the data.

The layer that is closer data is the Access Right, which controls resources which is the information and what users can do with that information, this control also applies partitions, folders and files. The next layer is the most common and effective method of network security which is Password/Login. Commonly used security layers in network servers The administrator has full access and controls user activity. The next layer is the Data Encryption which is done with a certain algorithm which encrypts the data into public key and private keys and even in a case of data loss, the hacker would not be able to decrypt the data without the encryption key associated with the data. The last line of defense is the Firewall protection which prevents intrusions and filters unwanted packets. A firewall is usually should have the following basic functions: should have the following basic functions:

• Manage and control network traffic
• Protect resources
• Authenticate access
• Record and report events

The network traffic can be controlled by inspection of a packet which is the process of handling the data based on the access rules for incoming and outgoing traffics. Packet filtering: The firewall operates with a TCP/IP protocol and works with an algorithm to split data, we receive data from the packets by running the protocols. (Telnet, STMP, DNS, SMNP, NFS). Using stateful firewall products CISCO PIX A firewalls improves the overall performance of the firewall. Sample packet information described in the image below: Source: (JM, 2005)

Physical security: Setting up physical security measures such as Infrastructure security, Access levels for certain users and physical security level for access of working floors in the data center. Use biometrics for access to determine the access levels for the users who access the patient level data as well the data from the claims. Setting up surveillance cameras for the highly compromised data can be suggested to reduce suspicious activity from the employee within the organization. Provide relevant training materials for the employees to with stand spoofing emails that would always end up in the mail box.