ITC568 Cloud Privacy And Security

Introduction

Community based charity locates and provides training services, support services, mental health services and accommodation to the people suffering from various disadvantages. The community has decided to join a community cloud provided by a public cloud vendor for providing a number of applications to their support staffs as well as administrative users. The data contained in the applications are time sensitive and confidential. The community can also be used for storing the data possessed by charity. A database working on the SaaS model of cloud computing can be used to hold the data. The charity has selected me as their Principal consultant. I am supposed to prepare this report, which would propose the security and privacy policies for the usage of the charity. This report would also contain the risks that charity might face while planning moves in the field of HR.

Cloud computing is of great use to various organizations. The charity has decided to implement SaaS to their operations. SaaS, also known as Software as services allows users to use various applications by accessing internet. These applications are supposed to be cloud-based. SaaS is used on the policy of Pay-as-you-go (Rittinghouse & Ransome, 2016). In this policy, the users only pay for service they use, neither less nor more. Organization rents the service from a local service provider and users utilize them by connecting it by accessing internet. One of the most important advantages provided by SaaS is that it allows the employees of an organization to mobilize their work. They can connect with these applications from any device that has the ability to access internet. Along with providing advantages, SaaS also provide some risks to the organizations. These threats are mentioned below the discussion part of the report.

Discussion: Security of Employee data

Risks on employee data in HR database: HR is one of the heads of an organization who has a huge amount of data saved in database. The data is regarding, employees, how employees work, various departments in the organization, number of people needed to be recruited, the recruitment process and many more (Botta, De Donato & Persico, 2016). This data is of much importance to the HR as well as organization. The data in HR database of great importance and should be secured from cyber criminals who might steal the data and use it for bad purposes. Every organization invests a huge lump sum of money to secure the data from criminals but they find some or the other to hack accounts and steal the desired data (Botta, De Donato & Persico, 2016). Securing data in HR database is no easy task. It results in various threats to the organization. These threats are mentioned below.

• Data breaches: data breaches are considered as one of the common risks faced by various organizations. They mainly take place in databases, which support cloud. Data breaching can be defined as stealing of information that had been stored in cloud. Cyber criminals that tend to steal confidential information regarding an organization or a user usually carry out data breaching (Almorsy, Grundy & Müller, 2016). The information that can be stolen from an organization can be details regarding its employees, data about its operations, new technologies introduced by them and many more. The data that can be stolen from an individual might be credit card numbers, atm pins, phone numbers, addresses and many more. Usually people tend to save data like name, address, and credit or debit card details on sites that deals with financial transactions, this leads to data breaches. As a result, it affects a huge mass of employees. Theft of employees’ data leads to huge damages to the organization and users. Charity would face a disastrous damage if data regarding employees were stolen (Almorsy, Grundy & Müller, 2016. Employees have data saved in HR database in order to help Human resource manager to understand regarding the operations of the charity.
  
  
• Data loss: data volume of an organization keeps increasing as the company succeeds gradually; this dramatically increases the risk of data loss. International Data Corp states that the global data sphere would reach 163 zerrabytes by 2025 (Chang & Ramachandran, 2016). Data loss can occur in many ways major reason being the cyber criminals who tend peep into the database and steal them. It may also occur when some sort of technical issues take place in the database. Most of the data is saved in the cloud so if the organization does not have back of these data and the gets lost from the cloud it would be lost forever.
  
  
• Hijack of the database: the database of an HR includes a huge amount of information, which would be of great use to the organization (Rao & Selvamani, 2015). If the account of an HR is hacked, the hackers might steal a huge amount of information by changing the user password. This would disallow the user to access his own account.

Risks to employee data on migration to SaaS application: nowadays data security is the main concern of the companies. Most of the organizations move their applications into SaaS and some are still in the run to integrate it to their business (Rao & Selvamani, 2015). Every SaaS provide offers various set of capabilities to secure data. The capabilities are useful to the organization depending on its requirements. The organizations can customize the platform by adding the desired requirement. Integration of business with SaaS provides various advantages to the organization, along with that it also provide some threats to the employee data. The major disadvantage of SaaS is that it connects all the systems together. As a result, if some issue occurs in one part of the system, the whole system breaks down along with the systems connected to it. The charity might lose data while it migrates its system to SaaS. This would not allow the organizations to transfer the sensitive data (Zhang, Chen & Wong, 2017). Most of the service providers assure that the data of the organization would not be lost, but in case it is lost for any reason, they would not be held responsible for it. A proper research has to be carried out by the organization before integrating their systems with SaaS.

Consequences of the risks: data regarding employees might be lost for some reason. This creates a problem for the organization as well as its operation. The consequences of the lost data on organizations are as follows.

• Time consuming: the loss of important data from an organization might lead to time waste. If sensitive data regarding operations, financial transactions or similar to that are lost, it is tough for the organization to proceed in its operations (Zhang, Chen & Xiang, 2018). They would take steps to retrieve the data. They would request the service providers to retrieve the data if possible. The providers would try to get the data back but they cannot assure regarding the same. This process is very time consuming. It might take some days or some months.
• Information loss: the information regarding employees is very important for the organization as mentioned above. Loss of the information would be a tragedy for the organization (Baek, Vu & Liu, 2015). Sensitive information such as record of financial transactions undergone by the organizations is very helpful for future reference. Loosing this information should be avoided by taking important steps by the charity.

Privacy of Employee Data

Threats on data in HR database: HR database contains huge number of information, which is useful for organization as well as employees. Various risks can be occurred to the employee data present in the HR database. These threats are as follows:

• Platform vulnerabilities: vulnerabilities in operating system might result in access and then corruption of unauthorized data. An example of this is that the Blaster worm had taken advantage of Windows 2000 vulnerability (Wei, Zhu & Cao, 2014). This was done in order to disable targeted servers. This kind of vulnerabilities might cause in the HR database of the charity and it would be harmful for the employees and the charity.
• Weak audit: weak auditing represents the risks in factors such as deterrence, compliance, detection recovery and forensics (Sun, Zhang & Xiong, 2014). Weak auditing results in degradation of the performance of the database, which creates a way for attacks by hackers.
• Denial of service: denial of service might take place by many ways. Common techniques of DoS are buffer overflows, network flooding, resource consumption and data corruption (Ali, Khan & Vasilakos, 2015). Denial of service attack is very common among various organizations and it denies user the access to data.
• Monitoring data access: data access is usually not monitored by anyone. The data saved in HR database is very useful for employees and thus they are provided the access to data (Novotny, DePaul & Sankalia, 2015). This data access is never monitored and this might cause in internal theft of data. Internal theft of data is very harmful for the charity as whole as well as the employees. HR should monitor the access to data in order to prevent its theft. The employees that actually need the data should be allowed to access it, and the ones who do not need should not be allowed the access to it.
• Categories of data: the data saved in a database are stored randomly. This leads a way to the threat of not getting the access of a particular data when needed (Chang, Kuo & Ramachandran, 2016). Data should be categorized according to their types like the data regarding operations, financial transactions, plan, ways to implement those plans and many more. Categorizing data into various parts help in retrieving the data when needed.
• Encryption: encryption of sensitive data is a part of securing data, which is ignored by organizations very often. Every organization contains some sensitive data such as data regarding their strategies, operations, transactions carried out by them and many more. No encryption to sensitive data increases the risk of it being stolen by criminals (Pasupuleti, Ramalingam & Buyya, 2016). In the charity must encrypt its sensitive data in order to overcome this issue. Encryption of data would not give the access to data without the decryption key. This would not allow the hackers to decrypt data and steal it or misuse it.
• Social media: the involvement of social media in business has been very common nowadays. Organizations allow the employees to access the social media sites for various purposes (Zhao & Liu, 2014). Social media is also used to gain information. Sometimes employees post on social sites regarding their busy schedule at work or share about their work. This, results in people who are not related to the organization know about the organization that they are not supposed to know. Criminals may take the advantage of this information and hack the site of the organization in order to gain sensitive data. In order to prevent this, the use of social media in workplace should be limited.

Risks to employee data after migrating to SaaS: migrating the system to SaaS would be very helpful for the charity. Most of the organization has integrated their business with SaaS. SaaS service providers assure that the data would be safe. There are means by which employee data might get lost or stolen. The risks to employee data after migrating to SaaS are in huge number. They are mentioned below

• Access to employees: after migrating to SaaS, the data would be saved in cloud. This data might be accessible by others if they know the user id and password. Usually employees are allowed to access the data of other employees (Inukollu, Arsi & Ravuri, 2014). This might lead to problem for the employees. Someone might use the data of other employee for ill purpose. The employees should not be allowed to access the data of other employees without any valid reason. The level of access to the data should be limited.
• Data transparency: the service providers claim that the service provided by them is better than the service provided by others and they would not face any data breaches. They also say that they would keep the data of the organization safe, safer than the employees would keep (Samanthula, Elmehdwi & Howser, 2015). It should be remembered by the organization that not all the service providers value what they say. If data breaching takes place, they would not be responsible for it.

Consequences of the risks: the risks occurred to the employee data would have various consequences on the employees and the organization. These consequences are as follows

• Investment in data security: the risks to employee data would result in lot of investment on the data security. It would make the charity even more conscious that the security of employees depends on their own usage and their responsibility towards it (Sookhak, Gani & Talebian, 2015). They should keep their data in such a way that any unauthorized user cannot access it. The investment data security would be beneficial for the employees as well as the organization.
• Limiting the use of social media: the risks to employee data being exposed through social media are high as mentioned above. This risk can be overcome by limiting the use of social media to the employees (Manuel, 2015). The charity would take steps so that all the employees are allowed to post on the website of the charity, only selected people would be allowed to do so and they would not be posting regarding something sensitive or confidential about the company.

Digital Identity Issue

Digital identity is very useful for various organizations. It helps in securing the personal data of a user. It helps the user create a fake identity with the help of that identity the user would be able to use various applications without any fear of personal data getting lost (Chang, Benantar & Chang, 2014). The department of organization that deals with financial transactions carried out by users and the company itself attracts the hackers. The actual threat in using digital identity is that it might be hacked similar to the real identity. Identity theft is the major threat imposed by digital identity. Hackers might use a digital identity in order to mislead the digital identity of the user. Phishing is a very common threat among organizations. In this kind of threat, a particular website is attacked and users using that website are invited to log in to the website using their digital identities (Li, Li & Chen, 2015). Data theft is a dangerous threat faced by people using digital identity.

Provider Solution Issues

The migration to SaaS can be done without the identified threats by following various steps. These steps are as follows

• Know about the service provider: this one of the most important step that should be carried out before taking service from the provider. The organization should research about the provider very well (Oliveira, Thomas & Espadanal, 2014). It should know about its history. It should research about the organizations to which it has provided services and the quality of service that it provide. It should also check for some references. If other organizations refer, that vendor that indicates the provider is good.
• Different accounts: the employees should have different accounts where they can keep their data. Having various accounts of same user makes it complicated for the organization to handle the data (Rasheed, 2014). Whenever an employee joins, a new user has to be added as a result id and passwords are to be created. When an employee leaves, these ids are to be deleted so that there is less number of ids that the charity has to deal with. This makes the work of the organization easier.
• Updating applications: the applications used by the charity should be updated regularly. Backdated software might be a target for the cyber criminals.
• Measure the use: this part of the organization is very often avoided. The charity should check the usage of cloud services. The usage of cloud services should be cost effective. If it were not cost effective, it would not be worthwhile for the organization.

Data Sensitivity

Some issues of ethics, jurisdiction or data sensitivity should be followed by the charity. They are as follows

• Respect: every employee in the charily should be respected irrespective of their cast, sex, creed and religion (Rasheed, 2014). Respected provided to the employees’ would make them loyal towards the company. They would take their job seriously and show their dedication towards their work.
• Team: an organization can function properly if it divides the total number of employees in various teams according to their specifications (Shen, Zhou & He, 2017). Team spirit brings about a sense of competition among the employees as well as teams. This encourages them to work with more dedication and enthusiasm.
• Positive attitude: positive attitude among the employees is very important (Shen, Zhou & He, 2017). This encourages the employees to work harder and make their organization among the best ones.
• Dress code: a definite dress code should be maintained among the organization. This data should be kept hidden from the outsiders.  
• Promise keeping: before an employee joins an organization, he is promised some things in return of the employee’s honestly, loyalty, integrity and dedication towards the organization (Rasheed, 2014). These policies are kept confidential among the manager or HR and the employees. The promises should be kept. This would encourage the employees to dedicate their hard work to their organization. This would also result in job satisfaction among the employees.
• Fairness: every employee should equal to the organization irrespective of his or her religion, cast, creed and sex (Shen, Zhou & He, 2017). Male employees as well as female employees should be treated equally in terms of behavior and salary.

Conclusion

From this report, it can be concluded that if the charity integrates cloud computing into its business it would be beneficial for the charity but it would also impose serious threats to the company. Some disadvantages are data theft, security issues, hijacking of employee data, no control over the data and many more. These threats can be prevented by following various steps such as two-step verification process, considering some ethical issues and many  more.

References

Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information sciences, 305, 357-383.

Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.

Baek, J., Vu, Q. H., Liu, J. K., Huang, X., & Xiang, Y. (2015). A secure cloud computing based framework for big data information management of smart grid. IEEE transactions on cloud computing, 3(2), 233-244.

Botta, A., De Donato, W., Persico, V., & Pescapé, A. (2016). Integration of cloud computing and internet of things: a survey. Future Generation Computer Systems, 56, 684-700.

Chang, D. Y., Benantar, M., Chang, J. Y. C., & Venkataramappa, V. (2014). U.S. Patent No. 8,769,622. Washington, DC: U.S. Patent and Trademark Office.

Chang, V., & Ramachandran, M. (2016). Towards achieving data security with the cloud computing adoption framework. IEEE Trans. Services Computing, 9(1), 138-151.

Chang, V., Kuo, Y. H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24-41.

Inukollu, V. N., Arsi, S., & Ravuri, S. R. (2014). Security issues associated with big data in cloud computing. International Journal of Network Security & Its Applications, 6(3), 45.

Li, J., Li, J., Chen, X., Jia, C., & Lou, W. (2015). Identity-based encryption with outsourced revocation in cloud computing. Ieee Transactions on computers, 64(2), 425-437.

Li, J., Zhang, Y., Chen, X., & Xiang, Y. (2018). Secure attribute-based data sharing for resource-limited users in cloud computing. Computers & Security, 72, 1-12.

Manuel, P. (2015). A trust model of cloud computing based on Quality of Service. Annals of Operations Research, 233(1), 281-292.

Novotny, H. M., DePaul, K. E., Sankalia, A., Nta, P., & Larsen, R. (2015). U.S. Patent No. 9,137,304. Washington, DC: U.S. Patent and Trademark Office.

Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497-510.

Pasupuleti, S. K., Ramalingam, S., & Buyya, R. (2016). An efficient and secure privacy-preserving approach for outsourced data of resource constrained mobile devices in cloud computing. Journal of Network and Computer Applications, 64, 12-22.

Rao, R. V., & Selvamani, K. (2015). Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48, 204-209.

Rasheed, H. (2014). Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management, 34(3), 364-368.

Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.

Samanthula, B. K., Elmehdwi, Y., Howser, G., & Madria, S. (2015). A secure data sharing and query processing framework via federation of cloud computing. Information Systems, 48, 196-212.

Shen, J., Zhou, T., He, D., Zhang, Y., Sun, X., & Xiang, Y. (2017). Block design-based key agreement for group data sharing in cloud computing. IEEE Transactions on Dependable and Secure Computing, (1), 1-1.

Sookhak, M., Gani, A., Talebian, H., Akhunzada, A., Khan, S. U., Buyya, R., & Zomaya, A. Y. (2015). Remote data auditing in cloud computing environments: a survey, taxonomy, and open issues. ACM Computing Surveys (CSUR), 47(4), 65.

Sun, Y., Zhang, J., Xiong, Y., & Zhu, G. (2014). Data security and privacy in cloud computing. International Journal of Distributed Sensor Networks, 10(7), 190903.

Wei, L., Zhu, H., Cao, Z., Dong, X., Jia, W., Chen, Y., & Vasilakos, A. V. (2014). Security and privacy for storage and computation in cloud computing. Information Sciences, 258, 371-386.

Zhang, Y., Chen, X., Li, J., Wong, D. S., Li, H., & You, I. (2017). Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Information Sciences, 379, 42-61.

Zhao, F., Li, C., & Liu, C. F. (2014, February). A cloud computing security solution based on fully homomorphic encryption. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 485-488). IEEE.