ITC568 Cloud Privacy and Security: Move to SaaS Application
Scenario
You are the principal consultant for a community based Charity. The Charity is involved in locating and providing accommodation, mental health services, training and support services to disadvantaged people in the community.
The Charity currently runs a small data centre that has some 50 x86 64 bit servers running mainly Windows Server 2008 R2 for desktop services, database and file services. It also has 10 Red Hat Enterprise Linux 5 servers to service public facing Web pages, Web services and support.
The Charity is considering joining a community cloud provided by a public cloud vendor in order to provide a number of applications to all 500 support staff and administrative users. A small number of the Charity's applications are mission critical and the data that those applications use is both confidential and time sensitive.
The community cloud would also be used to store the Charity's 200TB of data. The data would be held in a SaaS database run by the public cloud vendor. The Charity's data contains a considerable amount of confidential information about the people to whom the Charity provides services.
The Charity collects PII data on the clients who use its services so that it can assist them to manage their different service requirements. This PII data also includes holding some digital identity data for some of the more disadvantaged clients, particularly if they also have mental health issues.
The cloud vendor has made a presentation to management that indicates that operational costs will drop dramatically if the cloud model is adopted. However, the Board of the Charity is concerned with the privacy and security of the data that it holds on the people that it provides services to in the community. It is concerned that a data breach may cause considerable damage to substantially disadvantaged people in the community.
The Board asks that you prepare a report that proposes appropriate privacy and security policies for the Charity's data.
The charity has also decided to:
- Purchase a HR and personnel management application from a US based company that provides a SaaS solution.
- The application will provide the charity with a complete HR suite, which will also include performance management. The application provider has advised that the company's main database is in California, with a replica in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider's processing centre in Bangalore, India.
- Employee data will be uploaded from the charity daily at 12:00 AEST. This will be processed in Bangalore before being loaded into the main provider database.
- Employees can access their HR and Performance Management information through a link placed on the Charity intranet. Each employee will use their internal charity digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by the charity's Active Directory instance and is used for internal authentication and authorisation.
- Move the charity payroll to a COTS (Commercial Off The Shelf) application that it will manage in a public cloud;
- Move the charity Intranet into a Microsoft SharePoint PaaS offering so that it can provide Intranet services to all agencies in the WofG.
Tasks
You have been engaged to provide a risk assessment for the planned moves to SaaS application offerings.
You are to write a report that assesses the risks to the charity for just their planned moves in the HR area:
- Consider the data and information that the charity holds on its employees in the current HR system.
- Establish the existing threats and risks to the security of that data and information contained in the in-house HR database.
- Are there any additional risks and threats to employee data that may arise after migration to an SaaS application?
- Assess the resulting severity of risk and threat to employee data.
- Consider the privacy of the data for those employees who will move to an SaaS application.
- Establish the existing threats and risks to the privacy of that data and information contained in the in house HR database.
- Are there any additional risks and threats to the privacy of the employee data after migration to an SaaS application?
- Assess the resulting severity of risk and threat to the privacy of employee data.
- What are the threats and risks to the digital identities of charity employees from the move to SaaS applications?
- Consider the operational solution and location(s) of the SaaS provider for HR management. Does either the operational solution, or the operational location, or both, increase or mitigate the threats and risks identified for the security and privacy of employee data?
- Are there any issues of ethics, data sensitivity or jurisdiction that should be considered by the charity?
Answer:
Introduction
The community based Charity locates and provides training services, support services, mental health services and accommodation to people suffering from various disadvantages. The Charity has decided to join a community cloud provided by a public cloud vendor in order to provide a number of applications to its support staff as well as its administrative users. The data contained in the applications is time sensitive and confidential. The community cloud can also be used for storing the data held by the Charity. A database working on the SaaS model of cloud computing can be used to hold the data. The Charity has selected me as their principal consultant. I am to prepare this report, which proposes security and privacy policies for the Charity's use. This report also covers the risks that the Charity might face in its planned moves in the HR area.
Cloud computing is of great use to various organizations. The Charity has decided to adopt SaaS for its operations. SaaS, also known as Software as a Service, allows users to use various cloud-based applications over the internet. SaaS is used on a pay-as-you-go policy (Rittinghouse & Ransome, 2016). Under this policy, users pay only for the service they use, neither less nor more. The organization rents the service from a local service provider and users reach it over the internet. One of the most important advantages provided by SaaS is that it allows the employees of an organization to mobilize their work. They can connect to these applications from any device that can access the internet. Along with these advantages, SaaS also brings some risks to organizations. These threats are described in the discussion part of the report below.
Discussion: Security of Employee data
Risks to employee data in the HR database: HR is one of the main departments of an organization and has a huge amount of data saved in its database. The data covers employees, how employees work, the various departments in the organization, the number of people who need to be recruited, the recruitment process and much more (Botta, De Donato & Persico, 2016). This data is of great importance to HR as well as to the organization. The data in the HR database should be secured from cyber criminals who might steal it and misuse it. Every organization invests a large sum of money to secure its data from criminals, but they find some way or the other to hack accounts and steal the desired data (Botta, De Donato & Persico, 2016). Securing data in the HR database is no easy task, and the organization faces various threats. These threats are described below.
- Data breaches: data breaches are considered one of the most common risks faced by organizations. They mainly take place in databases that support the cloud. A data breach can be defined as the theft of information that has been stored in the cloud. Data breaches are usually carried out by cyber criminals who want to steal confidential information about an organization or a user (Almorsy, Grundy & Müller, 2016). The information that can be stolen from an organization includes details regarding its employees, data about its operations, new technologies introduced by it and much more. The data that can be stolen from an individual might be credit card numbers, ATM PINs, phone numbers, addresses and much more. People usually save data such as name, address, and credit or debit card details on sites that deal with financial transactions, and this leads to data breaches. As a result, a breach affects a large number of employees. Theft of employees' data causes great damage to the organization and to users. The Charity would suffer disastrous damage if data regarding employees were stolen (Almorsy, Grundy & Müller, 2016). Employee data is saved in the HR database in order to help the human resource manager understand the operations of the Charity.
- Data loss: the data volume of an organization keeps increasing as the company gradually succeeds, and this dramatically increases the risk of data loss. International Data Corp states that the global data sphere would reach 163 zettabytes by 2025 (Chang & Ramachandran, 2016). Data loss can occur in many ways, the major reason being cyber criminals who break into the database and steal the data. It may also occur when some sort of technical issue takes place in the database. Most of the data is saved in the cloud, so if the organization does not have a backup of this data and it is lost from the cloud, it would be lost forever.
- Hijack of the database: the HR database includes a huge amount of information, which is of great use to the organization (Rao & Selvamani, 2015). If an HR account is hacked, the hackers might steal a huge amount of information and change the user password. This would lock the user out of his own account.
Risks to employee data on migration to a SaaS application: nowadays data security is the main concern of companies. Most organizations have moved their applications to SaaS and some are still working to integrate it into their business (Rao & Selvamani, 2015). Every SaaS provider offers a different set of capabilities to secure data. How useful these capabilities are to the organization depends on its requirements. Organizations can customize the platform by adding the desired requirement. Integrating the business with SaaS provides various advantages to the organization, but it also brings some threats to employee data. The major disadvantage of SaaS is that it connects all the systems together. As a result, if some issue occurs in one part of the system, the whole system breaks down along with the systems connected to it. The Charity might lose data while it migrates its system to SaaS. This would not allow the organization to transfer the sensitive data (Zhang, Chen & Wong, 2017). Most service providers assure that the data of the organization would not be lost, but if it is lost for any reason, they would not be held responsible for it. The organization has to carry out proper research before integrating its systems with SaaS.
Consequences of the risks: data regarding employees might be lost for some reason. This creates a problem for the organization as well as its operations. The consequences of lost data for organizations are as follows.
- Time consuming: the loss of important data from an organization might lead to wasted time. If sensitive data regarding operations, financial transactions or similar matters is lost, it is hard for the organization to proceed with its operations (Zhang, Chen & Xiang, 2018). It would take steps to retrieve the data and would request the service provider to retrieve the data if possible. The provider would try to get the data back but cannot give any assurance of doing so. This process is very time consuming. It might take some days or some months.
- Information loss: the information regarding employees is very important for the organization, as mentioned above. Loss of this information would be a tragedy for the organization (Baek, Vu & Liu, 2015). Sensitive information, such as the record of financial transactions carried out by the organization, is very helpful for future reference. The Charity should take important steps to avoid losing this information.
Privacy of Employee Data
Threats to data in the HR database: the HR database contains a huge amount of information, which is useful for the organization as well as for employees. Various risks can arise for the employee data present in the HR database. These threats are as follows:
- Platform vulnerabilities: vulnerabilities in the operating system might result in unauthorized access to data and then its corruption. An example of this is that the Blaster worm had taken advantage of a Windows 2000 vulnerability (Wei, Zhu & Cao, 2014). This was done in order to disable targeted servers. This kind of vulnerability might occur in the HR database of the Charity, and it would be harmful for the employees and the Charity.
- Weak audit: weak auditing represents risks in factors such as deterrence, compliance, detection, recovery and forensics (Sun, Zhang & Xiong, 2014). Weak auditing results in degradation of the performance of the database, which creates a way in for attacks by hackers.
- Denial of service: denial of service can take place in many ways. Common techniques of DoS are buffer overflows, network flooding, resource consumption and data corruption (Ali, Khan & Vasilakos, 2015). Denial of service attacks are very common among organizations, and they deny users access to data.
- Monitoring data access: data access is usually not monitored by anyone. The data saved in the HR database is very useful for employees, and thus they are given access to it (Novotny, DePaul & Sankalia, 2015). This data access is never monitored, and this might result in internal theft of data. Internal theft of data is very harmful for the Charity as a whole as well as for the employees. HR should monitor access to data in order to prevent its theft. The employees who actually need the data should be allowed to access it, and those who do not need it should not be allowed access to it.
- Categories of data: the data saved in a database is stored randomly. This creates the threat of not being able to access a particular piece of data when it is needed (Chang, Kuo & Ramachandran, 2016). Data should be categorized according to its type, such as data regarding operations, financial transactions, plans, ways to implement those plans and many more. Categorizing data into various parts helps in retrieving the data when needed.
- Encryption: encryption of sensitive data is a part of securing data that organizations very often ignore. Every organization holds some sensitive data, such as data regarding its strategies, operations, the transactions it carries out and much more. Leaving sensitive data unencrypted increases the risk of it being stolen by criminals (Pasupuleti, Ramalingam & Buyya, 2016). The Charity must encrypt its sensitive data in order to overcome this issue. Encrypted data cannot be accessed without the decryption key. This would not allow hackers to decrypt the data and steal it or misuse it.
- Social media: the involvement of social media in business has become very common nowadays. Organizations allow employees to access social media sites for various purposes (Zhao & Liu, 2014). Social media is also used to gain information. Sometimes employees post on social sites about their busy schedule at work or share details about their work. As a result, people who are not related to the organization learn things about the organization that they are not supposed to know. Criminals may take advantage of this information and hack the site of the organization in order to gain sensitive data. In order to prevent this, the use of social media in the workplace should be limited.
Risks to employee data after migrating to SaaS: migrating the system to SaaS would be very helpful for the Charity. Most organizations have integrated their business with SaaS. SaaS service providers assure that the data would be safe. There are nonetheless ways in which employee data might get lost or stolen. The risks to employee data after migrating to SaaS are many. They are described below.
- Access to employee data: after migrating to SaaS, the data would be saved in the cloud. This data might be accessible to others if they know the user ID and password. Usually employees are allowed to access the data of other employees (Inukollu, Arsi & Ravuri, 2014). This might lead to problems for the employees. Someone might use the data of another employee for ill purposes. Employees should not be allowed to access the data of other employees without a valid reason. The level of access to the data should be limited.
- Data transparency: service providers claim that the service they provide is better than the service provided by others and that they would not face any data breaches. They also say that they would keep the data of the organization safe, safer than the employees would keep it (Samanthula, Elmehdwi & Howser, 2015). The organization should remember that not all service providers stand by what they say. If a data breach takes place, they would not be responsible for it.
Consequences of the risks: the risks to employee data would have various consequences for the employees and the organization. These consequences are as follows.
- Investment in data security: the risks to employee data would result in a lot of investment in data security. It would make the Charity even more conscious that the security of employees depends on their own usage and their responsibility towards it (Sookhak, Gani & Talebian, 2015). They should keep their data in such a way that no unauthorized user can access it. The investment in data security would be beneficial for the employees as well as the organization.
- Limiting the use of social media: the risk of employee data being exposed through social media is high, as mentioned above. This risk can be overcome by limiting employees' use of social media (Manuel, 2015). The Charity would take steps so that not all employees are allowed to post on the website of the Charity; only selected people would be allowed to do so, and they would not post anything sensitive or confidential about the company.
Digital Identity Issue
Digital identity is very useful for various organizations. It helps in securing the personal data of a user. It helps the user create a fake identity, and with the help of that identity the user is able to use various applications without any fear of personal data getting lost (Chang, Benantar & Chang, 2014). The department of an organization that deals with the financial transactions carried out by users and by the company itself attracts hackers. The actual threat in using a digital identity is that it might be hacked in the same way as a real identity. Identity theft is the major threat posed by digital identity. Hackers might use a digital identity in order to mislead the digital identity of the user. Phishing is a very common threat among organizations. In this kind of threat, a particular website is attacked and users of that website are invited to log in to the website using their digital identities (Li, Li & Chen, 2015). Data theft is a dangerous threat faced by people using digital identity.
Provider Solution Issues
The migration to SaaS can be done without the identified threats by following various steps. These steps are as follows:
- Know about the service provider: this is one of the most important steps that should be carried out before taking service from the provider. The organization should research the provider very well (Oliveira, Thomas & Espadanal, 2014). It should know about the provider's history. It should research the organizations to which the provider has provided services and the quality of service that it provides. It should also check for some references. If other organizations recommend the vendor, that indicates the provider is good.
- Different accounts: employees should have different accounts where they can keep their data. Having various accounts for the same user makes it complicated for the organization to handle the data (Rasheed, 2014). Whenever an employee joins, a new user has to be added, and as a result an ID and password have to be created. When an employee leaves, these IDs are to be deleted so that there are fewer IDs for the Charity to deal with. This makes the work of the organization easier.
- Updating applications: the applications used by the Charity should be updated regularly. Outdated software might be a target for cyber criminals.
- Measure the use: this part is very often neglected by organizations. The Charity should check its usage of cloud services. The usage of cloud services should be cost effective. If it were not cost effective, it would not be worthwhile for the organization.
Data Sensitivity
Some issues of ethics, jurisdiction or data sensitivity should be considered by the Charity. They are as follows:
- Respect: every employee in the Charity should be respected irrespective of their caste, sex, creed and religion (Rasheed, 2014). Respect shown to employees would make them loyal towards the company. They would take their job seriously and show dedication towards their work.
- Team: an organization can function properly if it divides the total number of employees in various teams according to their specifications (Shen, Zhou & He, 2017). Team spirit brings about a sense of competition among the employees as well as teams. This encourages them to work with more dedication and enthusiasm.
- Positive attitude: a positive attitude among employees is very important (Shen, Zhou & He, 2017). It encourages employees to work harder and make their organization one of the best.
- Dress code: a definite dress code should be maintained among the organization. This data should be kept hidden from the outsiders.
- Promise keeping: before an employee joins an organization, he is promised some things in return for the employee's honesty, loyalty, integrity and dedication towards the organization (Rasheed, 2014). These policies are kept confidential between the manager or HR and the employees. The promises should be kept. This would encourage employees to dedicate their hard work to their organization. This would also result in job satisfaction among the employees.
- Fairness: every employee should be equal to the organization irrespective of his or her religion, caste, creed and sex (Shen, Zhou & He, 2017). Male employees as well as female employees should be treated equally in terms of behavior and salary.
Conclusion
From this report, it can be concluded that integrating cloud computing into its business would be beneficial for the Charity, but it would also pose serious threats to the Charity. Some disadvantages are data theft, security issues, hijacking of employee data, no control over the data and many more. These threats can be prevented by following various steps, such as a two-step verification process, considering some ethical issues and many more.
References
Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information Sciences, 305, 357-383.
Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Baek, J., Vu, Q. H., Liu, J. K., Huang, X., & Xiang, Y. (2015). A secure cloud computing based framework for big data information management of smart grid. IEEE Transactions on Cloud Computing, 3(2), 233-244.
Botta, A., De Donato, W., Persico, V., & Pescapé, A. (2016). Integration of cloud computing and internet of things: a survey. Future Generation Computer Systems, 56, 684-700.
Chang, D. Y., Benantar, M., Chang, J. Y. C., & Venkataramappa, V. (2014). U.S. Patent No. 8,769,622. Washington, DC: U.S. Patent and Trademark Office.
Chang, V., & Ramachandran, M. (2016). Towards achieving data security with the cloud computing adoption framework. IEEE Trans. Services Computing, 9(1), 138-151.
Chang, V., Kuo, Y. H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24-41.
Inukollu, V. N., Arsi, S., & Ravuri, S. R. (2014). Security issues associated with big data in cloud computing. International Journal of Network Security & Its Applications, 6(3), 45.
Li, J., Li, J., Chen, X., Jia, C., & Lou, W. (2015). Identity-based encryption with outsourced revocation in cloud computing. IEEE Transactions on Computers, 64(2), 425-437.
Li, J., Zhang, Y., Chen, X., & Xiang, Y. (2018). Secure attribute-based data sharing for resource-limited users in cloud computing. Computers & Security, 72, 1-12.
Manuel, P. (2015). A trust model of cloud computing based on Quality of Service. Annals of Operations Research, 233(1), 281-292.
Novotny, H. M., DePaul, K. E., Sankalia, A., Nta, P., & Larsen, R. (2015). U.S. Patent No. 9,137,304. Washington, DC: U.S. Patent and Trademark Office.
Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497-510.
Pasupuleti, S. K., Ramalingam, S., & Buyya, R. (2016). An efficient and secure privacy-preserving approach for outsourced data of resource constrained mobile devices in cloud computing. Journal of Network and Computer Applications, 64, 12-22.
Rao, R. V., & Selvamani, K. (2015). Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48, 204-209.
Rasheed, H. (2014). Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management, 34(3), 364-368.
Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.
Samanthula, B. K., Elmehdwi, Y., Howser, G., & Madria, S. (2015). A secure data sharing and query processing framework via federation of cloud computing. Information Systems, 48, 196-212.
Shen, J., Zhou, T., He, D., Zhang, Y., Sun, X., & Xiang, Y. (2017). Block design-based key agreement for group data sharing in cloud computing. IEEE Transactions on Dependable and Secure Computing, (1), 1-1.
Sookhak, M., Gani, A., Talebian, H., Akhunzada, A., Khan, S. U., Buyya, R., & Zomaya, A. Y. (2015). Remote data auditing in cloud computing environments: a survey, taxonomy, and open issues. ACM Computing Surveys (CSUR), 47(4), 65.
Sun, Y., Zhang, J., Xiong, Y., & Zhu, G. (2014). Data security and privacy in cloud computing. International Journal of Distributed Sensor Networks, 10(7), 190903.
Wei, L., Zhu, H., Cao, Z., Dong, X., Jia, W., Chen, Y., & Vasilakos, A. V. (2014). Security and privacy for storage and computation in cloud computing. Information Sciences, 258, 371-386.
Zhang, Y., Chen, X., Li, J., Wong, D. S., Li, H., & You, I. (2017). Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Information Sciences, 379, 42-61.
Zhao, F., Li, C., & Liu, C. F. (2014, February). A cloud computing security solution based on fully homomorphic encryption. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 485-488). IEEE.