Designing a Comprehensive Framework for Data and Network Security in Cloud Computing: Case of Kenyan Banking Industry Information Technology

Abstract

This study sought to develop a tailored framework for secure cloud computing implementation in the Kenyan banking industry, addressing the unique security challenges faced by these banks. Kenyan banks encounter distinct security challenges in cloud adoption, including concerns regarding data abstraction, multitenancy, and the increasing prevalence of cyber threats, particularly phishing attacks. Regulatory compliance adherence emerges as a critical consideration, with 87.3% of respondents recognizing its significance. Additionally, resilience and disaster recovery planning are identified as strategic imperatives, with 88.2% of participants prioritizing these aspects in their cloud adoption strategies. The framework is conceptualized based on a meticulous analysis of industry-specific requirements and an extensive literature review. It is built on the foundational principles of Identity and Access Management (IAM), Security Reference Architecture (SRA), and an Integrated Intrusion Detection and Prevention System (IDPS). Validation of the framework demonstrates its effectiveness in aligning with identified industry-specific gaps and challenges, offering a reliable solution to enhance cloud computing security. The proposed framework leverages IAM to establish robust access controls, extends SRA to create a tailored architectural blueprint, and integrates IDPS for proactive threat detection. These components operate synergistically, fortifying cloud security for the banking industry. The proposed framework stands as a blueprint for secure cloud computing implementation in the Kenyan banking industry, offering a robust solution to safeguard sensitive financial data in the cloud. By incorporating fine-grained access control, encryption, and the utilization of a Cloud Security Trusted Authority (CSTA), the framework ensures secure operations within the cloud environment. It addresses concerns regarding both data security and network security, providing a level of security equivalent to or surpassing traditional in-house IT environments.