Risk Assessment of Public Cloud Network
Added on - 09 Oct 2019
Assessment 2: Risk Assessment of Public Cloud Network

About the Case

A community-based charity provides healthcare and community services to disadvantaged people in the community. The community has its own data centre (50 x86 64-bit Windows Server 2008 R2 servers) for its desktop, database and file services. For the public, it runs Red Hat Enterprise Linux 5, which it uses for web services.

Since the requirements for storage and confidentiality of healthcare information are growing, the charitable institution is looking for a public cloud that will solve these issues. So in this report we look at the current level of risk, risk management in a public cloud service (SaaS), and the approach to security and confidentiality in a public cloud network.

Employee Data Security

The first aspect of changing the data storage and services starts with identifying the risks and threats relating to organizational data in the existing system. One of the key data sets for an organization is "employee data". So our first task is to find the areas of employee data security breach and vulnerability in the existing HR database management. [Chen, Y., et al. 2010]

Current threats and risks with employee data

One of the key limitations of Windows 64-bit server R2 is its maximum storage limit. As per Microsoft Inc., it can store only up to 2TB of data at best. As per the company's information, the organization is looking to store around 200TB of data, which means at least 25% or 40TB of data will be required for employees; thus the current system is in no way efficient or eligible to fulfil the information requirements or data storage of the employees.

Apart from the maximum limit, there are further limitations to the server system, such as:

- It works with a single-CPU system, thus any additional CPU will be ignored.
- It works with 8GB RAM and additional RAM cannot be added; thus when the data load increases, the system will hang, which can cause loss of employee data.
- It comes with 15 User CALs; thus if the number increases, the system will produce a warning message.
- It allows only 50 desktop connections at a time, but with an employee base of 500 people, the system is vulnerable.
- The system can't be virtualised.
- It can't be used as a Hyper-V host.
- It can't be used as a Domain Controller where more than 15 accounts are in the domain, and it also can't fit a system where a trust relationship exists. [Gonzalez, N. et al. 2012]

Now, these are the foundational limitations because of which the management thought of moving the HR database into a public (SaaS) cloud server. But what about the risk factors associated with the existing system? Here we can draw out 5 such risks that are present in this private cloud service:

Security Breach

Unlike public clouds, which are managed by IT experts with a great deal of experience, private clouds are managed only by the organisation's own people. Many a time, organizations don't have such experts to manage a private cloud network due to resource constraints. This charity organisation is facing the same issue. Although public clouds are targets, private clouds are easy to hack if internal people get involved. With such healthcare organisations, the security breach risk is higher, as confidential health data can be stolen for sale to third parties. [Krutz, R. L., et al. 2010]

Performance Problem

Because of the dynamic nature of the environment, it is very difficult to predict changing load at the infrastructure level, which can affect application performance and user experience. In public clouds, the user knows the cloud bandwidth, latency, jitter and resource sharing, and these can't be altered easily (e.g. blockchain technology), but private clouds have flexibility in choosing the cloud infrastructure in terms of hardware and software; this gives an IT manipulator or hackers scope to access systems easily to steal HR data or change performance figures for personal benefit. [Sabahi, F. (2011)]

Open-source platform

Private clouds are largely customised according to the requirements and suitability of the organisational environment. Many a time, when the private cloud network is set up, some standard protocols are decided and these are followed for operating in the cloud. If the senior management has set protocols in accordance with their personal benefit, they can manipulate the HR database in order to show better performance when reporting. [Dahbur, K., et al. 2011] For example, a senior manager may favour an employee by increasing his attendance over the network using a proxy ID. This is possible because cloud infrastructure and operation are open to people working inside the organisation, especially the senior management.

Lack of visibility

A private cloud like Windows Server 2008 R2 may face "East-West traffic", i.e. network traffic flowing between virtual machines. [Zissis, D. et al. 2012] Any issues over the cloud can't be monitored with traditional IT monitoring tools. Suppose the HR manager tries to enter an unsecured website or application; hackers can easily hack the system HR is using (if it is operated virtually on an open Wi-Fi service). This will make employees' data vulnerable.

Limited service

Private clouds are limited due to customisation. It is the IT team and management who decide what services should be included and what shouldn't be. Now, if the management shows bias while adding a specific feature or functionality for project scope, the ability to innovate in the private cloud will be limited. For example, if management allows employees open access to look at payroll and performance, the employees can try to manipulate the data if it is not in their favour.

Employee data risk and threats while shifting to SaaS
As the charitable institution is planning to have a SaaS cloud system for database management, it will need to shift data from the private cloud into the public cloud. While doing so, the following security threats may emerge: [Bamiah, M. A., et al. 2011]

Negligence of data transfer

When the charitable institution transfers the data from its private network to the public cloud network, there is a high chance that significant HR data will be forgotten and not transferred by the personnel. Such negligence (intentional or by mistake) can cause a data-stealing risk. As the private network data will be erased after the transfer, recovery of such data may not be possible later.

Data transfer complexity

Many a time, when the transfer takes place, the IT manager faces difficulty in transferring all data into the new systems. When the private network data has been stored for a long period of time and the person managing the data has forgotten the directories where the files are stored and in what form, it will be very difficult for the IT manager to locate the files to send to the new system. If the data are not understandable, the transfer won't take place and that may cause loss.

Manipulated data transfer

As long as the data is on the private network, the controller has full access to see and change the information within the structure, as he/she knows the structure. But while it is being transferred into a public cloud (SaaS) that is not under his/her control, the concerned person may not transfer information that can be beneficial for him/her or that will restrain his/her personal intentions.

Data access risk

SaaS is a vendor-operated cloud service; thus the vendor may access the confidential information in the HR database, which can be used for profit.

Instability