Cloud Privacy and Security Assignment (Doc)


Added on  2020-03-16

Running Head: Cloud Privacy and Security: The DAS Case 1
APPENDIX A: Cloud Privacy and Security: The DAS Case
Name
Date
Introduction and Background
Due to the developments in technology and the increasing amounts of data that agencies
must handle, along with the need for reduced costs and better management, agencies such as DAS
are increasingly changing and modernizing their information systems (Akella, Buckow & Rey,
2009, https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/it-architecture-cutting-costs-and-complexity).
This is achieved through measures such as consolidation of IT
systems, modernization of information systems, outsourcing some services, such as hardware
devices, computing power, and backup, and re-aligning information systems (Bond, 2015). Many
organizations are transforming their legacy systems by migrating to the cloud and making use of
technologies such as PaaS (platform as a service), SaaS (software as a service), and IaaS
(infrastructure as a service). These moves have their benefits, including better service delivery,
reduced workload for staff by enabling online self-service portals, reduced costs, and reduced
complexity of information systems (Akella, Buckow & Rey, 2009; Bond, 2015). These benefits of
information systems (IS) modernization through consolidation and using outsourced services also
come with associated risks. Cloud computing environments are highly scalable as well as being
highly available and reliable, making them attractive propositions, especially for public
organizations that have to handle large amounts of public data and manage thousands of employees.
Migrating applications to the cloud helps public organizations run their internal systems better and
serve the public better (Antonopoulos & Gillam, 2017).
By handling public information on individuals, including personal and personally identifiable
information (PII), these IS become increasingly attractive to malicious entities such as hackers.
The information system repositories and portals hold information on individuals that is valuable to
hackers, such as contacts, addresses, biometric information, and even financial details such as
credit card numbers and details (Mather, Kumaraswamy & Latif, 2010). As such, consolidating and
migrating services to cloud portals carries attendant risks and threats to the security and
privacy of PII and even staff information at these agencies. To ensure a safe migration to modern
computing platforms, agencies and organizations need to fully understand the risks that storing PII in
such platforms as online portals (cloud computing) carries, for example by undertaking a risk and
threat analysis. Based on such an analysis, the organization will be aware of the risks faced in
having PII and organization data stored in cloud platforms and running some of its operations on
cloud platforms such as PaaS and IaaS (Pfleeger & Pfleeger, 2012). The threat and risk analysis will
help the organization make informed decisions and develop appropriate measures to protect its
data as well as the PII of people (citizens in the case of government bodies or clients/customers in
the case of private/corporate organizations). Moving data and applications to the cloud is a major
long-term trend, but one fraught with challenges and risks, not least the threats to PII and enterprise
data and information (Mahmood, 2014). When data and information, including PII, are migrated to
cloud platforms there are inherent risks due to the nature and sensitivity of the information; the
threats and risks of migrating to the cloud arise right before the migration begins, when data is being
stored in the cloud platforms, and when there is exchange of data and information between the
cloud environment and access points.
This paper will evaluate the threats and risks that the Department of Administrative Services
(DAS) would face when consolidating and migrating its applications and data, including PI for its
staff and members of the general public, to a cloud environment. In the DAS scenario, there is a
new cloud first policy in which the DAS wants to consolidate all the services offered to the public
by various departments including contractor management and procurement, as well as licensing to
its own data centers. Further, the DAS wants to migrate its application services including HR and
personnel management, contract tendering management, payroll, procurement, and contractor
management to a consolidated data center; a strategy that will see the full adoption of the shared
services model. DAS will centralize several services for the whole of government (WofG) such that
every Agency or Department that offers any of the targeted services for its internal users and for
members of the public, will have to migrate them into the DAS data center where it will all be
consolidated into the DAS database. These services will then be centrally provided by DAS to all
other government departments. DAS has commenced the switch to the cloud first policy and is
presently implementing the following services:
An HR and personnel suite in the SaaS model,
A contractor management suite, also in the SaaS model,
A COTS payroll solution implemented in the AWS cloud,
A SharePoint PaaS platform that is the basis of its intended Intranet platform for the WofG.
Further, a decision has been made for all applications for, and renewals of, licenses from various
government agencies to be taken to a single web portal, named MyLicense. Citizens will then be
encouraged to register in the MyLicense portal for renewal of nearly all licenses, and the process
has been designed to follow one process flow for all licenses. The Government will use the portal to
better view licenses held by every citizen, thereby having PII for citizens in its web portal and
exposing citizens' data to possible data risks. This paper will develop a suitable data protection and
data privacy policy for DAS staff and for citizens in relation to PII. In this paper, a threat and risk
assessment for PII data in the MyLicense portal is developed with regard to privacy and protection
of this data. Thereafter, a PII strategy proposal for the MyLicense portal is also developed, covering
threats and risks to the PII data and measures for control. The paper also develops a strategy for the
protection of informal digital identities created by users in the MyLicense portal for privacy and
data protection, along with measures to mitigate the identified risks. Finally, a governance plan will
be developed for PII data for both the public and DAS staff.
Threat Risk Assessment for PII Data in MyLicense Portal
Internal and External Threats
The cloud platform amplifies internal threats to PII data security and privacy in the cloud; the figure
below illustrates the threats due to external factors and those due to internal factors;
Source: Cipher Cloud
The threats and risks will be discussed in the context of both internal and external threats;
while internal threats pose the biggest risks, the external threats usually have the biggest impacts,
such as ransomware attacks, and most external attacks occur as a result of internal human factors,
such as poor strategies, deliberate actions, and mistakes/ ignorance (Vohradski, 2012). The nature of
the cloud means that the attack surface can only get bigger and wider, so reducing the attack surface
is not an option. The threats and risks are discussed below;
Malicious Insiders
An example of this is the Edward Snowden case, in which lots of NSA information was
made public, creating headlines around the world (Waxman, 2017). When there is a malicious
employee inside an organization with a huge cloud portal holding lots of information, the risks are
magnified several times over. The insiders can steal information and sell it for financial benefit or
just to get back at their employer, or, as in the Snowden case, to operationalize a private crusade.
Employees can also modify data or delete it irretrievably, especially those trusted to manage
such data. Further, it is possible for employees to leave backdoors or vulnerabilities that allow
external collaborators to access PII for use for other purposes, either for profit or due to
disgruntlement (Subashini & Kavitha, 2011).
Breaches to PII Data
Cloud computing entails having the data in different states: data at rest, data in transit, and
data in use in the cloud platform. Cloud computing has forced malicious entities to innovate
new ways of circumventing security protocols in the cloud and to devise new attack methods.
Breaches of PII have serious consequences, including legal, reputational, and financial ones; it is
also embarrassing for the top person in the organization to have to face an irate public and the media
and try to explain what happened and what they will do (Metheny, 2017). Although Cloud Service
Providers (CSPs) usually provide strong and rigorous security protocols to guard against such attacks,
cyber criminals still always find a way through, such as in the recent case of Equifax (Gressin, 2017).
The same threats that traditional IS (information systems) face also pose threats to PII in
the cloud. Inherent weaknesses such as side-channel timing exposure, where a user in a VM
(virtual machine) is able to listen for activity signaling that an encryption key has arrived on another
VM sharing the same host, can result in sensitive data for the DAS falling into the wrong hands,
more so because of the nature of the cloud, where many users share services and resources (Ren,
Wang & Wang, 2012).
Loss of Data Permanently
Data breaches are due to intrusive actions or the result of malicious action, including by
insiders in the organization. The loss of data means that information is lost in a manner in which it
cannot be retrieved or recovered, for instance a disk drive dying/failing when no backup of the
data stored on it was created; this is especially a risk for DAS in a hybrid cloud architecture. It is
also possible for data to be permanently lost when the owner of encrypted data loses the
decryption key, or forgets it (LeClair & Keeley, 2015). An example is when some data (a small amount)
was lost by AWS when Amazon's EC2 Cloud suffered what they termed a re-mirroring storm caused by
an error by a human operator in 2011 (Goldman, 2011). Data can also be lost due to deliberate
actions of insiders deleting data or modifying it by encrypting it, or externally due to malware attacks
that delete all data, as happened to the Saudi State Oil Company, or ransomware, as happened to
the UK National Health Service.
Hijacked Accounts
This would normally be expected to happen in traditional computing, but it is also a major
risk in the cloud environment. Accounts in the cloud can be hijacked through loss of credentials and
passwords, such as when devices that employees use to access cloud services containing PII are lost.
It can also happen due to exploitation of vulnerabilities in software, for instance buffer overflow
attacks, or through phishing and social engineering attacks (Pearson & Benameur, 2010). Intruders that
hijack accounts of DAS staff can manipulate transactions, eavesdrop, give false damaging
information, or simply steal crucial information such as addresses and credit card numbers, or
obtain information to use for other nefarious acts such as identity theft. If the account(s) with PII is
connected to other accounts, there can be a quick loss of control over other accounts as well. The
passwords given to or created by the users can also be weak, leading to those passwords being
stolen. Further, it is common for citizens to access government cloud portals such as the MyLicense
portal using their own devices, a work/office device, or a public portal, and even to forget to sign out.
If these devices have malware that steals passwords, the user account can be hijacked and the password
changed (Robinson, 2011).
Hacking of Interfaces and APIs that are Insecure
Another major threat is interfaces and APIs that are weak/insecure and get hacked; the
MyLicense platform aims at providing services to millions through various government agencies
while also attempting to limit the damage these millions of users can cause the service, given that
they are mostly anonymous users. The solution lies in developing 'public facing' APIs (application
programming interfaces) that define how third parties connect to applications (Abraham &
Thampi, 2013) in the MyLicense portal service. Further, communication with other cloud services
also utilizes APIs in many cases, meaning that API security also has a direct impact on the
security of PI in the cloud. The chances of these APIs being hacked increase when access to the APIs
is granted to third parties, and the result would be the loss of PII or having it exposed to the general
public (loss of privacy) (Dinh, Lee, Niyato & Wang, 2013).
DDoS (Distributed Denial of Service) Type Attacks
DDoS are common forms of cyber attacks; however, when targeted at cloud platforms, the
effects can be devastating as these attacks affect the ability of DAS and government agencies to run
critical services while consuming significant amounts of resources, including processing power,
raising bills for cloud services (Yu, 2013).
Cloud Services Abuse
The cloud platform means resources and services are shared by different users, including
hackers, who can use the same cloud services and their processing power and resources to carry out
attacks, such as decrypting encryption keys within a short time. Cloud servers that are shared can
also be used by cyber criminals to launch attacks such as DDoS, or to serve malware to steal or
compromise PII. While CSPs are responsible for cloud services use, it may be difficult for them to
detect abuse and improper use (Daimi et al., 2017; Ren, Wang & Wang, 2012).
Weak Identity and Authentication Management
Failure to implement strong identity and authentication protocols has been a major cause of
PII data being breached. It is always a challenge for organizations to manage identity and
authentication so that users access various IS resources commensurate with their job roles. If these
credentials and authentication methods are weak, cyber criminals can hijack or crack them, resulting
in them breaching and accessing millions of PII records that they can use for any other malicious
purpose. If identity management is poor, huge cyber security holes are the result, leaving the system at
the mercy of hackers and cyber attackers (Ghorbel, Ghorbel & Jmaiel, 2017; Mock & Desai, 2013).
Advanced Persistent Threats
These are parasitic types of attacks in which APTs infiltrate the DAS IS infrastructure and
establish a foothold. The APTs then extract and exfiltrate PII data and information over long
periods. APTs move across networks laterally; the fact that DAS will use a PaaS SharePoint
Intranet further compounds this problem because the APTs can move laterally across its entire IS
network. APTs easily blend with normal traffic, making their detection difficult. APTs
gain entry into enterprise networks through infected external storage drives, direct attacks, and
spear phishing (Auer & Zutin, 2017).
PaaS Intranet Vulnerabilities
DAS will build an Intranet using a PaaS platform; this increases the attack surface due to
resource sharing and the risk of root access to the servers that will be running many of the instances
on the MyLicense portal. If cyber criminals gain unauthorized access to this infrastructure, they can
change configurations and breach PII or even cause data loss and modification. Failure to properly
configure security and other settings in the PaaS platform will escalate threats of cyber attacks;
PaaS provides a self-service platform, implying that DAS must undertake all protocols to ensure
safety and security, including installing and updating anti-malware software (Korshed & Wasimi,
2012).
Insufficient Diligence
Migrating and having PII on cloud portals with external access by millions of anonymous
users will greatly expose the PII data to attacks and breaches. If DAS does not fully understand the
cloud environment and its risks, or adopts an unsuitable policy, starting from migration and how this
data is accessed, managed and used in the cloud-based web portal, there are risks of the PII data
being breached (Herold, 2011). Everything must be carefully planned, starting with the cloud
architecture, the migration policy, control policies, and management of users.
After evaluating the threats, a TRA is undertaken to create a threat profile for PII on the MyLicense
portal, as shown in the Figure below;
Threat Risk Analysis
Below is the TRA for the threats and risks inherent to using cloud service platforms (the
PaaS and SaaS) and the use of public clouds and a data center for storing public information and
software suite instances.
Threat/Risk Number  Threat/Risk                                       Rank
1                   Malicious Insiders                                Extreme
2                   Breaches to PII Data                              Extreme
3                   Insufficient Diligence                            Extreme
4                   Weak Identity and Authentication Management       Extreme
5                   Advanced Persistent Threats                       Extreme
6                   Loss of Data Permanently                          Very High
7                   Hijacked Accounts                                 Very High
8                   PaaS Intranet Vulnerabilities                     Very High
9                   Hacking of Interfaces and APIs that are Insecure  High
10                  Cloud Services Abuse                              High
Conclusions
Agencies are increasingly migrating to the cloud because of its inherent benefits, including a
highly scalable platform, greater security, streamlined operations, ability to share resources,
consolidation of IT systems, and providing users an easy form to access services through self