The Benefits of IT Governance for an Organization’s Management


Please note! This essay has been submitted by a student.


IT Governance can be described as the set of processes that ensure the effective and efficient use of IT so that the organization can deliver its goals. This paper describes the IT Governance concepts that enable the organization's leaders to look at the progress of a project from the higher management perspective. Managing a cloud-based system and providing security for its data is itself a challenging aspect of the project. This paper proposes techniques that can avoid the bottlenecks that arise in accessing data, and discusses authentication, access levels and technical issues related to data security, with connectivity and network security playing the major role in all communications.


IT Governance: IT governance provides a perfect balance between the Information Technology and business functions of the organization. We use a governance framework designed to provide direction that enhances the performance of the organization (De Haes, 2013).

Security in Cloud Computing: Security is defined as a combination of confidentiality, integrity, and the prevention of unauthorized access, deletion, withholding and disclosure of information. The major issues of security in cloud computing include resource security, management and monitoring. The most important aspects of cloud security include data privacy, data protection, data availability, data location and secure transmission. The threats to all of the above include data loss, service disruption and outside malicious attacks. Access control mechanisms that provide data security in a cloud computing environment can be divided into the following aspects:

  1. Access control based on virtualization technology: We implement a virtual machine manager that controls communications between multiple virtual machines running on a single physical node, using Trusted Virtual Domains (TVDs), where security concerns inter-domain communication. TVDs use virtualization and overlay technologies designed to form a protection layer around the computing entity that performs a service, regardless of the physical configuration of the machine. As a result, internal execution is isolated from any malicious or unintentional side effects of the external applications that have access to the cloud data (Bussani, et al., 2005).
  2. Cross-domain access control: Users accessing resources across domains need certification services within the domain boundaries to provide unified identity management for accessing the shared services. Therefore, when each trusted domain has its own access policies, we need them to support the strategies. The various domains have their own trusted certificates, which are used for cross-domain access together with the synthesis of access control policies.

A common problem with data is encryption: once data is stored on the server as encrypted ciphertext, retrieving that data is a critical problem that needs to be addressed.

  1. Linear searching method: This uses conversion of ciphertext data into plaintext messages with a symmetric encryption algorithm. However, this method has an obvious drawback: for a search to return the desired result, the ciphertext information must match successfully, and the time complexity is very high, making it difficult to apply to large datasets (D. Song, 2000).
  2. Public-key-based keyword searching method: This first generates a public key and then the private key, which are then encrypted into plaintext keywords. These plaintext keywords are stored with the public key to generate the ciphertext that can be used for search. During a search, it encrypts the plaintext sequence provided by the user with the public key and then retrieves the ciphertext keyword that matches the user's search criteria.
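To make the cost of the linear searching method concrete, here is an added example (not part of the original essay) of keyword search by sequential scan over symmetric-key ciphertext. It is a simplified sketch: the key names, record ids and sample text are constructed, and an HMAC stands in for word encryption, so it demonstrates searching only, not decryption.

```python
import hashlib
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed pseudorandom function (HMAC-SHA256, 32-byte output)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Data owner: holds the keys, encrypts words, issues search trapdoors."""
    def __init__(self, master: bytes):
        self.k_word = prf(master, b"word")
        self.k_tok = prf(master, b"token")
        self.k_stream = prf(master, b"stream")

    def trapdoor(self, word: str):
        x = prf(self.k_word, word.lower().encode())  # deterministic word value
        return x, prf(self.k_tok, x)                 # (X, per-word check key)

    def encrypt_doc(self, doc_id: str, text: str):
        blocks = []
        for i, word in enumerate(text.split()):
            x, k_w = self.trapdoor(word)
            s = prf(self.k_stream, f"{doc_id}:{i}".encode())[:16]  # per-position mask
            blocks.append(xor(x, s + prf(k_w, s)[:16]))  # same word, different block
        return blocks

def server_search(store, trapdoor):
    """Server side: test every stored block; cost grows with total word count."""
    x, k_w = trapdoor
    hits, checked = [], 0
    for doc_id, blocks in store.items():
        for pos, block in enumerate(blocks):
            checked += 1
            t = xor(block, x)
            if hmac.compare_digest(prf(k_w, t[:16])[:16], t[16:]):
                hits.append((doc_id, pos))
    return hits, checked

# Constructed sample records and key (illustrative only).
CLIENT = Client(b"constructed-demo-master-key")
STORE = {doc_id: CLIENT.encrypt_doc(doc_id, text) for doc_id, text in {
    "rec-1": "patient claims data stored in cloud",
    "rec-2": "network firewall policy",
    "rec-3": "claims audit for patient access",
}.items()}
```

Every query touches all 14 stored blocks whether or not it matches, which is why this approach scales poorly to large datasets.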

Network security: Network security focuses on maintaining the data on the servers over the network.

  • Network level – prevent intrusion into the network
  • Server level – access rights and security policies, user identification
  • Database level – access level for host and server
  • Encryption level – uses public keys; only the right encryption key gives access to the data

Commonly used security layers in network servers: The layer closest to the data is the Access Right, which controls resources (the information) and what users can do with that information; this control also applies to partitions, folders and files. The next layer, the most common and effective method of network security, is Password/Login. The administrator has full access and controls user activity. The next layer is Data Encryption, which is done with a certain algorithm that encrypts the data using public and private keys; even in a case of data loss, the hacker would not be able to decrypt the data without the encryption key associated with the data. The last line of defense is Firewall protection, which prevents intrusions and filters unwanted packets. A firewall should have the following basic functions:

  • Manage and control network traffic
  • Protect resources
  • Authenticate access
  • Record and report events

Network traffic can be controlled by packet inspection, which is the process of handling data based on the access rules for incoming and outgoing traffic.

Packet filtering: The firewall operates with the TCP/IP protocol and works with an algorithm to split data; we receive data from the packets by running the protocols (Telnet, SMTP, DNS, SNMP, NFS). Using stateful firewall products such as Cisco PIX firewalls improves the overall performance of the firewall.
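The following added example (not from the original essay, and not a model of any particular firewall product) shows how access rules and connection state combine in a stateful packet filter: first matching rule wins, the default is deny, replies to allowed outbound flows are admitted, and every decision is recorded. The rule set, addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected network
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed rule set: (direction, protocol, destination port, action).
RULES = [
    ("out", "udp", 53, "allow"),  # outbound DNS queries
    ("out", "tcp", 25, "allow"),  # outbound SMTP
    ("in", "tcp", 23, "deny"),    # inbound Telnet
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # flows opened by allowed outbound packets
        self.log = []       # record of every decision

    def decide(self, p: Packet) -> str:
        # An inbound packet is a reply if it mirrors a tracked outbound flow.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "in" and reverse in self.flows:
            verdict = "allow (established)"
        else:
            verdict = "deny (default)"
            for direction, proto, dport, action in self.rules:
                if (direction, proto, dport) == (p.direction, p.proto, p.dport):
                    verdict = f"{action} (rule)"
                    break
            if verdict.startswith("allow") and p.direction == "out":
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        self.log.append((p, verdict))
        return verdict
```

A stateless filter would need a broad inbound rule to admit DNS replies; tracking state lets the same traffic through without opening the port to unsolicited packets.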

Sample packet information described in the image below:

Physical security: Set up physical security measures such as infrastructure security, access levels for certain users, and physical security levels for access to working floors in the data center. Use biometrics to determine the access levels of users who access the patient-level data as well as the data from the claims. Setting up surveillance cameras for the highly compromised data can be suggested to reduce suspicious activity by employees within the organization. Provide relevant training materials for employees to withstand spoofing emails that would always end up in the mailbox.

Summary: With the above techniques and concepts, application-level security can be obtained, with physical security being the main and first line of defense against any physical threats that the organization can have. The next step is application-level security: taking all hacker and phishing attacks into consideration, the application is built robust enough to withstand any kind of internal as well as external attacks.
