Employee Data Security:
Threats and Risk:
Every company needs to secure the data of its employees, because the data contains personal information as well as information about the company. The information and data held in the HR in-house database face many different threats and risks. Cloud database systems are exposed to several known threats that affect cloud computing technology. They contain large amounts of sensitive data, which are the main target for cyber attackers (Kshetri, 2013). These issues cause several network concerns for the organization. The charity in this report also holds a large database, and several threats apply to it. Several threats and risks associated with cloud computing technology are given below:
Data Breach: A data breach is one of the common threats to cloud computing technology. In a data breach the attackers obtain the information of the victim or the association, because the sensitive data is stored in the cloud database (Wei et al., 2014). Users' credentials are also exposed, such as name, address, bank information and many other personal details. A data breach can affect millions of people at a time.
APIs: An API is the application programming interface through which users communicate with the cloud. The companies that provide cloud storage apply advanced security to their APIs to protect them from attackers. But there is always a possibility of vulnerabilities that give access to the administrator areas of the APIs.
Account Hijacking: In a hijacking attempt the attacker attacks the victim to gain control of the victim's account. Hijacking is mainly done using phishing. Phishing essentially looks for a loophole in the security systems and enters the network to compromise the accounts on it. By this method the information and data stored in the cloud can be easily accessed by the attackers (Suo et al., 2013).
When data storage is migrated to a SaaS application many risks arise, and one of the main threats is to the security of the data. With every SaaS application it is possible for the data to be breached. After migration to the SaaS application, the main responsibility for the data lies with the SaaS provider. It is not certain that the provider will treat our data as its highest priority, so the safety of the data may not be assured in the SaaS application (Hashizume et al., 2013). It is necessary that the provider of the SaaS application takes care of the data.
When the organisation moves to the SaaS application, there will be a risk of more downtime. As all the data is moved to the SaaS provider, the user has to rely on the provider to keep the data available. The user will no longer have control over the data. Any mishap in controlling the data will have a large impact on the organization. This is the main risk of transferring the data to the SaaS application. It is necessary for SaaS providers to operate with low downtime so that the risks can be mitigated (Sen, 2014).
Location is another risk: if data is moved to a SaaS provider in another country, several risks come with the move. In that case legal risks can also apply to the migrated data.
Results of Threats:
The threats and risks associated with the technology have already been discussed above. The threats can affect individuals as well as organisations. Data security has become a headache for organizations in recent times. Vulnerability is increasing day by day as cyber attackers use the latest technology, and because of that many data breaches happened across the world in the last year (Ryan, 2013). A data breach has a major impact on people, as the data contains confidential information such as bank details. So it is necessary to secure the data of the personal network by taking proper measures. Phishing can expose all the account details to the attacker, who can then exploit and destroy the data as he or she chooses. In recent years the number of devices used by each user has kept growing. This leaves a large space for cyber attackers. First the attackers target the victim and watch their activities, then they assess the person's network. Any small loophole can have a huge impact on individuals.
Employee Data Privacy:
Data privacy of the employees is the main concern for organizations, as the data contains information about the individual and about the company as well. Many companies in the market monitor internet activities such as mail. The company's purpose is valid, but it has to make sure that the data will not be disclosed at any cost. The organization has to make sure that no employee can use the devices or the information of another employee, as this can be treated as a criminal offence (Heath, 2013). The information about employees also contains health information, which is highly confidential for any individual.
Many threats exist to the security of the in-house database. The threats to the in-house database are discussed below:
Malware: Malware is a perennial threat to the in-house database. Malware mainly attacks the devices that are infected and then steals sensitive data from the database.
Human Factor: The main reason behind data breaches is negligence in handling data. Many reports say that people need to be more cautious about their network systems, as any shortcoming in the network can have a huge impact on the device (Rittinghouse & Ransome, 2016).
Unmanaged Data: Several companies struggle to manage the data of their employees properly. The people who maintain the database sometimes forget to store some data, and in most cases this data is sensitive and important (Rewagad & Pawar, 2013). This data will not be monitored by the database security team, so it can be exposed by violators.
Excessive Permissions: If an employee gets excessive privileges on the database, it can be risky for the organization. Many researchers say that only the minimum permissions should be given to employees. When an employee gets excessive privileges, he can do things that are outside his expertise, so the data can be lost or exploited. So it is necessary to give employees only the privileges they require, no more and no less than that limit (Rong, Nguyen & Jaatun, 2013).
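One way to check for excessive permissions in practice is to compare what each account has been granted with what it actually used. The following is an added example, not part of the original report; the account names, tables and audit-log rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: privileges granted on an HR database (hypothetical names).
GRANTS = {
    "hr_clerk": {("employees", "SELECT"), ("employees", "UPDATE"),
                 ("employees", "DELETE"),
                 ("payroll", "SELECT"), ("payroll", "DELETE")},
    "payroll_svc": {("payroll", "SELECT"), ("payroll", "UPDATE")},
    "intern": {("employees", "SELECT"), ("health_records", "SELECT")},
}

# Constructed sample: (account, table, operation) rows taken from a database
# audit log covering the review window.
AUDIT_LOG = [
    ("hr_clerk", "employees", "SELECT"),
    ("hr_clerk", "employees", "UPDATE"),
    ("payroll_svc", "payroll", "SELECT"),
    ("payroll_svc", "payroll", "UPDATE"),
    ("intern", "employees", "SELECT"),
    ("intern", "payroll", "SELECT"),  # attempted without a matching grant
]

# Tables holding bank or health details are treated as sensitive.
SENSITIVE_TABLES = {"payroll", "health_records"}


def used_privileges(log):
    """Collect the set of (table, operation) pairs each account exercised."""
    used = defaultdict(set)
    for account, table, op in log:
        used[account].add((table, op))
    return used


def review(grants, log, sensitive):
    """Return findings as (severity, account, kind, table, operation).

    unused_grant  : privilege granted but never exercised (candidate to revoke)
    ungranted_use : activity with no matching grant (configuration drift or
                    an access attempt that needs investigation)
    """
    used = used_privileges(log)
    findings = []
    for account in sorted(set(grants) | set(used)):
        granted = grants.get(account, set())
        exercised = used.get(account, set())
        for table, op in sorted(granted - exercised):
            severity = "high" if table in sensitive else "low"
            findings.append((severity, account, "unused_grant", table, op))
        for table, op in sorted(exercised - granted):
            findings.append(("high", account, "ungranted_use", table, op))
    # High-severity findings first, then a stable alphabetical order.
    findings.sort(key=lambda f: (f[0] != "high", f[1], f[2], f[3], f[4]))
    return findings


def minimal_grants(grants, log):
    """Grants reduced to what each account demonstrably needs."""
    used = used_privileges(log)
    return {a: sorted(g & used.get(a, set())) for a, g in grants.items()}


if __name__ == "__main__":
    for finding in review(GRANTS, AUDIT_LOG, SENSITIVE_TABLES):
        print(finding)
    print(minimal_grants(GRANTS, AUDIT_LOG))
```

A review window that is too short will flag privileges that are needed only occasionally, so the proposed minimal grants should be confirmed with the data owner before anything is revoked.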
Injection Attacks in Database:
Injection attacks are performed on the database to exploit it and breach the data. These attacks mainly target two types of database: one is the traditional database, the other is NoSQL.
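The difference between a query that is open to injection and one that is not can be seen in a few lines. This is an added example, not code from the original report: it uses an in-memory SQLite table with constructed employee rows for the traditional case, and for the NoSQL case it assumes a MongoDB-style query document, since the report names no specific product.

```python
import sqlite3


def make_db():
    """Build an in-memory employee table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "id INTEGER PRIMARY KEY, username TEXT, bank_account TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees (username, bank_account) VALUES (?, ?)",
        [("alice", "ACCT-0001"), ("bob", "ACCT-0002"), ("carol", "ACCT-0003")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Weak form: the input is pasted into the SQL text, so quote characters
    # in the input change the structure of the statement itself.
    query = (
        "SELECT username, bank_account FROM employees "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the statement is fixed and the input is bound as data,
    # so it can only ever be compared against the username column.
    return conn.execute(
        "SELECT username, bank_account FROM employees WHERE username = ?",
        (username,),
    ).fetchall()


def build_filter_unsafe(value):
    # NoSQL weak form: a value decoded from a JSON request body may be an
    # object such as {"$ne": ""}, which the database reads as an operator
    # rather than as a literal to match.
    return {"username": value}


def build_filter_safe(value):
    # NoSQL hardened form: accept only a plain string, so operator objects
    # are rejected before the query document is built.
    if not isinstance(value, str):
        raise TypeError("username must be a string")
    return {"username": value}


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("concatenated :", lookup_vulnerable(conn, crafted))
    print("parameterized:", lookup_parameterized(conn, crafted))
    print("normal lookup:", lookup_parameterized(conn, "alice"))
```

With the crafted input the concatenated query returns every employee's bank account, while the parameterized query returns no rows because no employee has that literal username.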
Several risks arise when employee data is moved to SaaS. The risks to data security are given below:
Immature Management of Identity: Cloud providers are not that sophisticated about the service identities that sit behind the enterprise firewall. Several third-party applications can access the data in the SaaS, as several data items do not have an identity. Access control and identity management are the main challenges that information technology is facing at present (Li et al., 2013).
Weak Cloud Standard: After a SAS 70 audit, cloud vendors tout their security credentials. The data is not safe in the SaaS because the standard is low. The company must adopt a high standard of security for the employee data when it is migrated to the SaaS.
Secrecy: The main problem with cloud vendors is that they present themselves as capable of giving more security to the data than they actually can. And most people think that SaaS security is that good. The customers of the cloud vendors do not believe that the SaaS providers are secretive about their security processes.
Most cloud vendors do not disclose the actual number of data centres and the operations they actually provide. As they do not disclose all the necessary information to customers, there is a chance of security being compromised. Customers and industry analysts are tired of the responses from SaaS providers (Modi et al., 2013). Customers must not hand over their data if the vendor is not transparent.
Result of Risks:
The associated risks have already been discussed above; these threats have many outcomes that affect people. A malware attack on the database can cause a major data breach in the company, and a single piece of malware can affect most people. People must secure themselves so that their systems are protected from any kind of malware attack. Around 30 per cent of data breaches happen because of human negligence towards personal data (Sun et al., 2014). This can happen because of a lack of knowledge about security issues. To secure the network, people need to install the required measures for defending against any kind of cyber-attack. The company must organize its employee data properly so that no data remains unmanaged, because unmanaged data does not come under the security controls and can therefore expose details of the company or of individuals. The company must remove infected devices, because attackers target infected devices and it is easy to exploit the data of an infected device, as many loopholes are created in the security of the network. It is also necessary for the company to manage the privileges of the security officers (Yan et al., 2013), so that the officers do not get excessive permissions to access the database.
Digital Identity Issue:
When data is migrated to the SaaS application there is a high chance that the digital identity might get exposed. The digital identity is stored in the cloud database when we use any kind of network or online resource. The digital identity is used mainly for data security and for cyber-crime prevention. Many kinds of threats arise when the digital identity is moved to a SaaS application.
If the identity is compromised then several risks can arise. An attack on any online identity will lead to real harm to people. Though online websites make sure that the whole system is secured, many identities are sometimes leaked because of insufficient attention to data security (Xia et al., 2016). The main identity leaks happen in the finance department, where a revealed identity can earn the attacker a huge amount of revenue. The consequences of a leaked identity are many. The system holds all the credentials of the digital identity. Attackers mainly target social websites to get passwords, as many people use the same password for multiple accounts on the internet. Several websites change the password of the user account automatically, so the risk of an identity leak is lower on those websites. A wide range of threats to websites targets the privacy and the property of the user.
The main thing that has come up recently with identity leaks is that many websites track the activity of the user and store the digital identity of that individual. The way in which they track the data is very sophisticated, and individuals are not aware that their data is being tracked (Rahimi et al., 2014).
One of the main threats to the digital identity is identity theft. Cyber attackers use the digital identities of various individuals to impersonate them. Identity theft is mainly done using the attack called “Phishing”, which takes the identity of the victim; the identity is then used for further attacks.
Another issue related to the digital identity is identity tampering. This kind of attack can only be prevented by the integrity property. Many standards have been proposed to prevent identity tampering; the digital identity is mainly tampered with because of the sharing of the standard key between the sender and receiver (Zhang et al., 2017).
Another issue is personal data theft, in which confidential data is stolen by the attackers. Digital identity data such as passwords and biometric data needs to be kept secret. The confidentiality property says that private data is to be used only by the person who owns it, and no unauthorized user will be able to use the data without the permission of the user concerned (Fernando, Loke & Rahayu, 2013).
The authorization property is also part of the digital identity. The authorization factor carries specific rights. This case comes under the solution of classic access control. The threats associated with the authorization property are called privilege escalation (Stojmenovic & Wen 2014). The attackers try to gain the maximum access on the victim’s system.
The claims on an identity change over time, as many identities are misused by attackers. Revocation is necessary when the digital identity is used for accessing sensitive data. The period of revocation has a limited validity to prevent the unauthorized use of sensitive data.
Provider Solution Issues:
The risks and threats associated with the SaaS application have already been discussed. In recent times the number of malicious attacks on public networks and web mail has grown rapidly, affecting individuals in many ways. Data security is becoming more complex than before. To provide optimum security of data it is necessary to mitigate all the associated risks. SaaS provides data security to big, medium and small companies and to the partners of the provider. It is necessary for the provider to manage data security properly (Almorsy, Grundy & Müller, 2016). The SaaS provider must be available 24x7 so that the security experts can provide data security whenever required. Several methods for mitigating the threats and risks associated with employee data security in SaaS are discussed below.
Key Cloud Provider:
The first and foremost requirement of data security is to find a proper cloud provider. Different cloud vendors have different security plans and different techniques of data management (Shahzad, 2014). The vendors who provide the cloud must be well established, with data security experience, high standards and regulation. This gives assurance that the data vendor will not close down.
The contract made with the cloud vendor must be clear. If the contract is clear, any kind of error can be mitigated on both sides.
The cloud vendors must provide the best policies for recovery facilities, so that data lost in any situation can be recovered immediately and is not lost forever.
Infrastructure of Enterprise:
To grow the enterprise it is necessary to have better infrastructure and facilities. A proper security infrastructure must be implemented in the enterprise for data security.
The cloud vendor must use encryption when storing data in the cloud. If the data is encrypted properly, the cloud vendor will not have to worry as much about a data breach, because encrypted data cannot be accessed by unauthorized persons (Arora, Parashar, & Transforming, 2013). The security officers must identify the required encryption method for each kind of data so that the data stays safe in the cloud database.
Business Service of Security:
These services are mainly designed for small business customers, but they are applicable to bigger companies as well. These security services protect all the devices that are connected to the network, whether in the office, in the company or on the road (Ali, Khan & Vasilakos, 2015).
Data Flow Chart:
Cloud vendors must maintain a chart of the flow of data. This will show the data managers where the data is going, where it is stored and how it is shared. A total data analysis has to be performed for employee data security.
In a cloud database many people store many different types of data. Not all of it can be considered sensitive; certain classes of data are sensitive, and the cloud vendor must protect that sensitive data in the cloud storage. Information stored by individuals can be termed sensitive data, as it may include details about their accounts, bank credentials and many other important data (Botta et al., 2014). This data must be protected from access by third parties without their consent. Health information is the most confidential data that a person can have. This data is also stored in the cloud database and needs optimum security from the cloud provider. There are many techniques by which the data can be protected from unauthorized users. It is the main duty of the company to protect the data of its employees (Whaiduzzaman et al., 2014). Data security has multiple issues, such as legal issues and ethical issues.
Several studies have shown that most organizations use employee records to measure the effort and performance of the employee. Employee data must be used only within a certain limit, so that the data is not leaked outside. It is the duty of HR to implement an ethical policy on which employee information will be collected and for which purpose. As the popularity of technology is growing rapidly, the chance of obtaining the data easily is high (Cuzzocrea, 2014). HR must control access to employee data to gain the trust of employees. Many companies track the activities of their employees without their consent; this is beyond the ethics of the company. HR must analyse the intention of any employee who is collecting the data of other employees, so that no data is used for the wrong purpose. If the data gets leaked the trust of employees will be lost, and HR must not allow that to happen. These issues get more complex as time goes on. To mitigate these complexities data security has to be expanded; otherwise it will become impossible for the company to secure the employee data, which is unethical (Tari, 2014).
Cloud database storage contains data about the employees and about the company. So the protection of data is necessary, because every company has certain information that needs to be kept confidential. It is the duty of HR to manage employee data and the issues related to its management. As a result, the issues of confidentiality are more complex and multitiered (Ahmed, & Hossain, 2014).
The personnel of the HR department must understand the value of this confidential data, as it contains sensitive information. Legal issues can arise if any confidential data is leaked. Several legal actions can be brought against those who hack, under laws on identity theft, data breach notification and many other privacy laws against unauthorized users of employee data. Confidentiality must be maintained by HR so that the data stays safe in the database. Individuals have the right to take legal action if any data. The employees of the company must be aware of which data is being used by the company (Khan et al., 2013). As the charity secures the data of many people, it is necessary for the charity to impose the legal issues on all the people who are associated with it. This will help the charity, as more people will engage with it because it will build trust among people in the charity. Legal action is necessary in case of any data breach, because the data contains information that can harm the individual or the whole company. The effect can be huge, so it is necessary for all employees to be aware of the legal facts (Chang, & Ramachandran, 2016).
From the above discussion it can be concluded that data is the most important aspect for any individual or any company. It is necessary to protect the data of the company in order to stay safe. The report also shows that when data is moved from a normal system to a SaaS application, many risks come with the move. The report also discusses the value of the digital identity and the risks associated with it. The main objective is to mitigate the risks associated with the data stored in the HR personal cloud database. It is necessary for employees to keep their data private so that no data can be used by an unauthorized person. The report also gives solutions for the issues that arise when the data is migrated into the SaaS application. The charity needs to apply security measures to the data of the employees associated with it, so that no data can be breached and used without authentication. As a principal consultant it was my duty to assess all the threats and the risks that are associated with HR in-house data and I provided the required solution for the same.
Ahmed, M., & Hossain, M. A. (2014). Cloud computing and security issues in the cloud. International Journal of Network Security & Its Applications, 6(1), 25.
Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information sciences, 305, 357-383.
Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Arora, R., Parashar, A., & Transforming, C. C. I. (2013). Secure user data in cloud computing using encryption algorithms. International journal of engineering research and applications, 3(4), 1922-1926.
Botta, A., De Donato, W., Persico, V., & Pescapé, A. (2014, August). On the integration of cloud computing and internet of things. In Future internet of things and cloud (FiCloud), 2014 international conference on (pp. 23-30). IEEE.
Chang, V., & Ramachandran, M. (2016). Towards achieving data security with the cloud computing adoption framework. IEEE Trans. Services Computing, 9(1), 138-151.
Cuzzocrea, A. (2014, November). Privacy and security of big data: current challenges and future research perspectives. In Proceedings of the First International Workshop on Privacy and Secuirty of Big Data (pp. 45-47). ACM.
Fernando, N., Loke, S. W., & Rahayu, W. (2013). Mobile cloud computing: A survey. Future generation computer systems, 29(1), 84-106.
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of internet services and applications, 4(1), 5.
Heath, S. (2013). U.S. Patent Application No. 13/712,919.
Khan, A. N., Kiah, M. M., Khan, S. U., & Madani, S. A. (2013). Towards secure mobile cloud computing: A survey. Future Generation Computer Systems, 29(5), 1278-1299.
Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and institutional evolution. Telecommunications Policy, 37(4-5), 372-386.
Li, M., Yu, S., Zheng, Y., Ren, K., & Lou, W. (2013). Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE transactions on parallel and distributed systems, 24(1), 131-143.
Modi, C., Patel, D., Borisaniya, B., Patel, A., & Rajarajan, M. (2013). A survey on security issues and solutions at different layers of Cloud computing. The journal of supercomputing, 63(2), 561-592.
Pearson, S. (2013). Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). Springer, London.
Rahimi, M. R., Ren, J., Liu, C. H., Vasilakos, A. V., & Venkatasubramanian, N. (2014). Mobile cloud computing: A survey, state of art and future directions. Mobile Networks and Applications, 19(2), 133-143.
Rewagad, P., & Pawar, Y. (2013, April). Use of digital signature with diffie hellman key exchange and AES encryption algorithm to enhance data security in cloud computing. In Communication Systems and Network Technologies (CSNT), 2013 International Conference on (pp. 437-439). IEEE.
Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.
Rong, C., Nguyen, S. T., & Jaatun, M. G. (2013). Beyond lightning: A survey on security challenges in cloud computing. Computers & Electrical Engineering, 39(1), 47-54.
Ryan, M. D. (2013). Cloud computing security: The scientific challenge, and a survey of solutions. Journal of Systems and Software, 86(9), 2263-2268.
Sen, J. (2014). Security and privacy issues in cloud computing. In Architectures and protocols for secure information technology infrastructures (pp. 1-45). IGI Global.
Shahzad, F. (2014). State-of-the-art survey on cloud computing security Challenges, approaches and solutions. Procedia Computer Science, 37, 357-362.
Stojmenovic, I., & Wen, S. (2014, September). The fog computing paradigm: Scenarios and security issues. In Computer Science and Information Systems (FedCSIS), 2014 Federated Conference on (pp. 1-8). IEEE.
Sun, Y., Zhang, J., Xiong, Y., & Zhu, G. (2014). Data security and privacy in cloud computing. International Journal of Distributed Sensor Networks, 10(7), 190903.
Suo, H., Liu, Z., Wan, J., & Zhou, K. (2013, July). Security and privacy in mobile cloud computing. In Wireless Communications and Mobile Computing Conference (IWCMC), 2013 9th International (pp. 655-659). IEEE.
Tari, Z. (2014). Security and Privacy in Cloud Computing. IEEE Cloud Computing, 1(1), 54-57.
Wei, L., Zhu, H., Cao, Z., Dong, X., Jia, W., Chen, Y., & Vasilakos, A. V. (2014). Security and privacy for storage and computation in cloud computing. Information Sciences, 258, 371-386.
Whaiduzzaman, M., Sookhak, M., Gani, A., & Buyya, R. (2014). A survey on vehicular cloud computing. Journal of Network and Computer Applications, 40, 325-344.
Xia, Z., Wang, X., Zhang, L., Qin, Z., Sun, X., & Ren, K. (2016). A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing. IEEE Transactions on Information Forensics and Security, 11(11), 2594-2608.
Xiao, Z., & Xiao, Y. (2013). Security and privacy in cloud computing. IEEE Communications Surveys & Tutorials, 15(2), 843-859.
Yan, G., Wen, D., Olariu, S., & Weigle, M. C. (2013). Security challenges in vehicular cloud computing. IEEE Transactions on Intelligent Transportation Systems, 14(1), 284-294.
Zhang, Y., Chen, X., Li, J., Wong, D. S., Li, H., & You, I. (2017). Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Information Sciences, 379, 42-61.