19 research outputs found

    Formulating Methodology to Build a Trust Framework for Cloud Identity Management

    The vital element in outsourcing data to the cloud is trust and trustworthiness that information is protected, unaltered and available on demand. To facilitate service expectations, efficient and effective infrastructures are required to host the functional processes. A security process is identity management that provides authorization for access rights based on verification checks. In this paper cloud security architecture is reviewed by focusing on the issue of trust and the role of identity management design. A methodology is built to produce cloud artefacts and then it is theoretically applied to produce an innovative solution to assess cloud identity providers (CIdP). A design solution lays out an information security architecture that enhances utility for CIdPs and gives better options for users to make trust decisions in the cloud. The contribution of the research is to provide a generic methodology that may be applied to evaluate other security artefacts for the cloud environment.

    Mitigating Docker Security Issues

    It is very easy to run applications in Docker. Docker offers an ecosystem that provides a platform for packaging, distributing and managing applications within containers. However, the Docker platform is not yet mature. Presently, Docker is less secure compared to virtual machines (VMs) and most other cloud technologies. The key reason for Docker's inadequate security protocols is that containers share the Linux kernel, which can lead to a risk of privilege escalation. This research will outline some major security vulnerabilities in Docker and countermeasures to neutralize such attacks. There are a variety of security attacks, such as insider and outsider attacks. This research will outline both types of attacks and their mitigation strategies. Taking some precautionary measures can prevent huge disasters. This research will also present Docker secure deployment guidelines. These guidelines will suggest different configurations to deploy Docker containers in a more secure way. Comment: 11 pages.

    Benefits and Challenges in Information Security Certification – A Systematic Literature Review

    Information security certification (ISC) gets increasingly more complex. Although certain benefits, challenges and success factors have been recognized by both scholars and practitioners in the field, little has been done to consolidate the published knowledge. This systematic literature review attempts to consolidate what is currently known on the benefits of ISC, the issues and the challenges to certification, and the success factors that organizations consider while embarking on this process. Following the guidelines of Kitchenham et al., and Kuhrmann et al., we examined 42 papers that are relevant to our area of interest. We identified 12 benefits, 15 challenges, and 8 success factors. Our most important conclusion is that the current certification process is complex and suboptimal; it is expensive and it depends on the auditor’s skills. Finally, we evaluated validity threats and derived some implications for practice and for research.

    Emerging technology and auditing practice : analysis for future directions

    Purpose – The purpose of this paper is to explore the effects of emerging technology (technology adoption, perceived benefits, technological challenges and ease of use) and the auditing practice of accounting professionals. Design/methodology/approach – The primary method of data collection was a questionnaire directed to newly practicing chartered accountants who are partners of sole proprietorship or partnership firms in India. The data were analyzed by using partial least squares structural equation modeling (PLS-SEM). Findings – The findings revealed that there is a positive and significant relationship between characteristics of emerging technology (technology adoption, technological challenges and ease of use) and auditing practice, while factors of the perceived benefits had a negative relationship with auditing practice. Research limitations/implications – The study model would aid technology enabled audit research by giving a platform for a new study to investigate further detailed solutions to emerging information technology determinants. Practical implications – This study illustrates how tools technique perceived benefit motivates sole proprietorship practicing auditors to adopt emerging technology-enabled auditing software for auditing client’s financial statements. Further, this study has added to the information technology auditing literature and might add benefits to the numerous other audit firms to adopt in emerging technology tools their audit firm. Social implications – Audit firms, generally sole proprietorship and partnership firms, should be given enough awareness about the latest audit software tools to carry out their audit tasks efficiently. Originality/value – The study findings highlight benefits of emerging technology-enabled auditing practice among owners/partners of the sole proprietorship or partnership firms, which is not extensively discussed in the prior studies. Furthermore, it broadens knowledge of perceived benefit, technological challenges and ease of use in technology-enabled audit software in the auditing and accounting literature.

    Privacy Data Decomposition and Discretization Method for SaaS Services

    In cloud computing, user functional requirements are satisfied through service composition. However, due to the process of interaction and sharing among SaaS services, user privacy data tends to be illegally disclosed to the service participants. In this paper, we propose a privacy data decomposition and discretization method for SaaS services. First, according to logic between the data, we classify the privacy data into discrete privacy data and continuous privacy data. Next, in order to protect the user privacy information, continuous data chains are decomposed into discrete data chains, and discrete data chains are prevented from being synthesized into continuous data chains. Finally, we propose a protection framework for privacy data and demonstrate its correctness and feasibility with experiments.

    The impact of information systems auditor’s training on the quality of an information systems audit

    Abstract: The significance of information technology (IT) audits in organisations is an area that has received increased focus, and it is increasingly necessary to conduct additional research into the IT audit subject area. As a result of increased dependence and spending on IT, it has effectively become a requirement for organisations to increase their level of assurance about these investments and their ability to deliver as expected. IT audits fulfil this role, and are used to examine the effectiveness of controls, security of important systems and business operations to identify weaknesses and find ways that can be used to improve and mitigate the impact of these weaknesses. However, prior research has not measured the impact that training of auditors has on the quality of IT audits. The findings of this study show that organisations play an integral role in the training programs. However, these organisations do not understand their training programs and cannot properly communicate the training requirements to IT auditors. The research findings have also shown that continuous professional development programs are additional tools in enhancing IT auditor knowledge. This research undertaking has found that generally, internal programs are more effective in delivering content to IT auditors and thus more emphasis can be put on them. Overall, this research undertaking strengthens the idea that resources should be committed to improving training programs, as improving training programs eventually leads to efficiency in all matters related to IT audit quality.

    Organic transformation of ERP documentation practices: Moving from archival records to dialogue-based, agile throwaway documents

    Implementing enterprise resource planning (ERP) systems remains challenging and requires organizational changes. Given the scale and complexity of ERP projects, documentation plays a crucial role in coordinating operational details. However, the emergence of the agile approach raises the question of how adequate lightweight documentation is in agile ERP implementation. Unfortunately, both academia and industry often overlook the natural evolution of documentation practices. This study examines current documentation practices through interviews with 23 field experts to address this oversight. The findings indicate a shift in documentation practices from retrospective approaches to dialogue-based, agile throwaway documents, including audiovisual recordings and informal emails. Project managers who extensively engage with throwaway documents demonstrate higher situational awareness and greater effectiveness in managing ERP projects than those who do not. The findings show an organic transformation of ERP documentation practices. We redefine documentation to include unstructured, relevant information across different media, emphasizing searchability. Additionally, the study offers two vignettes for diverse organizational contexts to illustrate the best practices of agile ERP projects.

    Virtualized Reconfigurable Resources and Their Secured Provision in an Untrusted Cloud Environment

    The cloud computing business grows year after year. To keep up with increasing demand and to offer more services, data center providers are always searching for novel architectures. Among them are FPGAs, reconfigurable hardware with high compute power and energy efficiency. But some clients cannot make use of the remote processing capabilities. Not every involved party is trustworthy and the complex management software has potential security flaws. Hence, clients’ sensitive data or algorithms cannot be sufficiently protected. In this thesis, state-of-the-art hardware, cloud and security concepts are analyzed and combined. On one side are reconfigurable virtual FPGAs. They are a flexible resource and fulfill the cloud characteristics at the price of security. But on the other side is a strong requirement for said security. To provide it, an immutable controller is embedded, enabling a direct, confidential and secure transfer of clients’ configurations. This establishes a trustworthy compute space inside an untrusted cloud environment. Clients can securely transfer their sensitive data and algorithms without involving vulnerable software or a data center provider. This concept is implemented as a prototype. Based on it, necessary changes to current FPGAs are analyzed. To fully enable reconfigurable yet secure hardware in the cloud, a new hybrid architecture is required.
    The cloud computing business grows year after year. To keep pace with rising demand and to provide new offerings, data center operators are always looking for new architectures. Among these are FPGAs, reconfigurable hardware with high compute power and energy efficiency. But some customers cannot use the outsourced compute capacity. Not all parties involved are trustworthy, and the complex management software is prone to security vulnerabilities. As a result, these customers' sensitive data cannot be sufficiently protected. In this thesis, state-of-the-art hardware, cloud and security concepts are analyzed and combined. On one side are virtual FPGAs. They are a flexible resource and have cloud characteristics at the price of security. But on the other side stands a strong need for security. To meet it, an immutable controller is embedded, enabling a direct, confidential and secure transfer of the customers' configurations. This establishes a trustworthy compute environment inside an untrusted cloud environment. Customers can securely transfer their sensitive data and algorithms without using vulnerable software or involving the data center operator. This concept is implemented as a prototype. Based on it, the necessary changes to modern FPGAs are analyzed. To fully enable reconfigurable yet secure hardware in the cloud, a new hybrid architecture is required.