Computer Systems Security: Risk Analysis and Protection Strategies for Expedia Inc.
VerifiedAdded on 2023/06/10
|16
|5254
|141
AI Summary
This article discusses the risk analysis and protection strategies for Expedia Inc. in the field of computer systems security. It explores the use of cloud computing and AWS services, and the protection against risks like malware attacks, insider threats, and breach of privacy contracts. The article also covers the identification and prioritization of assets, identification of threats and vulnerabilities, analysis of controls, determination of probability and impact, and prioritization of information security risk. The subject is Computer Systems Security, and the course code is not mentioned. The college/university is not mentioned.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Computer Systems Security
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Table of Contents
MAIN BODY..................................................................................................................................3
TASK – 1.........................................................................................................................................3
Profile, existing IT infrastructure and pertinent issues –.............................................................3
TASK – 2.........................................................................................................................................5
Risk analysis and protection against those risks –.......................................................................5
TASK – 3.........................................................................................................................................9
Key aspects of security policy of Expedia and Cryptography –..................................................9
TASK – 4.......................................................................................................................................12
Assessment of securities and critical Evaluation of legal, social and ethical issues in security
of cloud computing:...................................................................................................................12
REFERENCES................................................................................................................................1
MAIN BODY..................................................................................................................................3
TASK – 1.........................................................................................................................................3
Profile, existing IT infrastructure and pertinent issues –.............................................................3
TASK – 2.........................................................................................................................................5
Risk analysis and protection against those risks –.......................................................................5
TASK – 3.........................................................................................................................................9
Key aspects of security policy of Expedia and Cryptography –..................................................9
TASK – 4.......................................................................................................................................12
Assessment of securities and critical Evaluation of legal, social and ethical issues in security
of cloud computing:...................................................................................................................12
REFERENCES................................................................................................................................1
MAIN BODY
TASK – 1
Profile, existing IT infrastructure and pertinent issues –
Owned by Expedia Group, Expedia Inc. is an American online travel booking or travel
shopping company having its headquarters in Seattle. It is an online travel agency which has its
own website and mobile application which provides services in form of booking of flight tickets,
reservations of hotels, rentals of car, cruise ships and packages of vacation destinations
(Krasnodebski, 2020). Its website utilizes the online tool of Metasearch engine for its travel
agency business.
Expedia Inc. utilizes the services of Amazon Web Service (AWS) to cater to its customers
globally in the Asia-Pacific region as it provided the required global infrastructure that Expedia
required and therefore, it was able to achieve proximity to its customer (Bhatt and et.al., 2021).
Using AWS as its foundation, Expedia developed its ESS services and also expanded its services
in the US and the EU regions. This AWS base resulted in the reduction of average network
latency from 700 milliseconds to mere 50 milliseconds and even less which therefore, resulted in
faster loading of the website and the vast improvement in the experience of the visitor of the
website (Hashemipour and Ali, 2020). Deploying of AWS services in the IT infrastructure of
Expedia Inc. led to faster development of applications, resulted in processing of larger volumes
of data, issues were troubleshot quickly and new infrastructure for the new initiatives were
created quickly.
Services used in the AWS includes Amazon EC2 (Amazon Elastic Compute Cloud).
Another service used is Amazon CloudFront. Amazon RDS (Relational Database Service) as the
name suggests allows a relational database to be set up, operate and scale easily in the cloud.
CloudFormation is another service of AWS which provisions all the resources of the
infrastructure in the cloud environment as a common language.
There are certain issues faced by Expedia which is using AWS service which includes
protection of data from viruses and hackers, high cost maintenance of cloud computing thus it
should create a central cloud team to manage the usage and costs, compliance in place for the
TASK – 1
Profile, existing IT infrastructure and pertinent issues –
Owned by Expedia Group, Expedia Inc. is an American online travel booking or travel
shopping company having its headquarters in Seattle. It is an online travel agency which has its
own website and mobile application which provides services in form of booking of flight tickets,
reservations of hotels, rentals of car, cruise ships and packages of vacation destinations
(Krasnodebski, 2020). Its website utilizes the online tool of Metasearch engine for its travel
agency business.
Expedia Inc. utilizes the services of Amazon Web Service (AWS) to cater to its customers
globally in the Asia-Pacific region as it provided the required global infrastructure that Expedia
required and therefore, it was able to achieve proximity to its customer (Bhatt and et.al., 2021).
Using AWS as its foundation, Expedia developed its ESS services and also expanded its services
in the US and the EU regions. This AWS base resulted in the reduction of average network
latency from 700 milliseconds to mere 50 milliseconds and even less which therefore, resulted in
faster loading of the website and the vast improvement in the experience of the visitor of the
website (Hashemipour and Ali, 2020). Deploying of AWS services in the IT infrastructure of
Expedia Inc. led to faster development of applications, resulted in processing of larger volumes
of data, issues were troubleshot quickly and new infrastructure for the new initiatives were
created quickly.
Services used in the AWS includes Amazon EC2 (Amazon Elastic Compute Cloud).
Another service used is Amazon CloudFront. Amazon RDS (Relational Database Service) as the
name suggests allows a relational database to be set up, operate and scale easily in the cloud.
CloudFormation is another service of AWS which provisions all the resources of the
infrastructure in the cloud environment as a common language.
There are certain issues faced by Expedia which is using AWS service which includes
protection of data from viruses and hackers, high cost maintenance of cloud computing thus it
should create a central cloud team to manage the usage and costs, compliance in place for the
security of data in the form of laws and regulations needs to be complied with like General Data
Protection Regulation, etc.
Choice of technology which can be proposed to be used in upgrading the IT infrastructure
of Expedia is Cloud Computing. In a layman’s language cloud computing includes services of
computing namely, servers, databases, storage, analytics, software, networking and even
intelligence services over the internet commonly known as ‘cloud’ which will allow quicker
innovation, flexibility of resources and most importantly, economies of scale (Sharma and et.al.,
2019). It is to be noted that cloud computing is a broader term and includes AWS within itself
along with other like Azure, GCP, rackspace, digital ocean, HP, CA, IBM cloud and the list is
endless. Cloud computing is basically providing software or hardware over the internet as a
service. Cloud computing by Google cloud is one of the largest networks globally and also
reasonable on price and is much more flexible as compared to AWS. AWS is owned by Amazon
whereas Google cloud is owned by Google. Also the cloud computing services are very secure
and reliable (Srivastava and Khan, 2018). It is natural that both AWS and Google Cloud compete
with each other to have access to the big market share in the field of cloud computing. Google
Cloud platform has a large and extensive customer base with some big clients like YouTube,
Gmail, Google search, PayPal, Bloomberg, HSBC, 20th Century Fox, etc.
In the environment of cloud computing, there are various assets along with information
assets which will need protection and also there are various vulnerabilities like access of
privileged users lacks multi factor authentication, no multi factor authentication for the addition
of new devices in the cloud like password, PIN, non-duplicable device like a phone, biometrics
such as a fingerprint, etc., misconfigurations of S3 bucket which will lead to security breaches in
the cloud, deletion of data shall not be incomplete and this can happen because of invisibility of
the data as to where it is stored in the cloud and thus no way to know whether the data has been
deleted securely, lambda command injection in the server less computing which is prone to
security threats, application user interfaces (APIs) when unsecured can be a target point of
various vulnerabilities and malicious attackers (Alam, 2020). Critical assets in the cloud
computing IT infrastructure will include cloud storage, application user interfaces (APIs),
intellectual property (IP), etc.
Protection Regulation, etc.
Choice of technology which can be proposed to be used in upgrading the IT infrastructure
of Expedia is Cloud Computing. In a layman’s language cloud computing includes services of
computing namely, servers, databases, storage, analytics, software, networking and even
intelligence services over the internet commonly known as ‘cloud’ which will allow quicker
innovation, flexibility of resources and most importantly, economies of scale (Sharma and et.al.,
2019). It is to be noted that cloud computing is a broader term and includes AWS within itself
along with other like Azure, GCP, rackspace, digital ocean, HP, CA, IBM cloud and the list is
endless. Cloud computing is basically providing software or hardware over the internet as a
service. Cloud computing by Google cloud is one of the largest networks globally and also
reasonable on price and is much more flexible as compared to AWS. AWS is owned by Amazon
whereas Google cloud is owned by Google. Also the cloud computing services are very secure
and reliable (Srivastava and Khan, 2018). It is natural that both AWS and Google Cloud compete
with each other to have access to the big market share in the field of cloud computing. Google
Cloud platform has a large and extensive customer base with some big clients like YouTube,
Gmail, Google search, PayPal, Bloomberg, HSBC, 20th Century Fox, etc.
In the environment of cloud computing, there are various assets along with information
assets which will need protection and also there are various vulnerabilities like access of
privileged users lacks multi factor authentication, no multi factor authentication for the addition
of new devices in the cloud like password, PIN, non-duplicable device like a phone, biometrics
such as a fingerprint, etc., misconfigurations of S3 bucket which will lead to security breaches in
the cloud, deletion of data shall not be incomplete and this can happen because of invisibility of
the data as to where it is stored in the cloud and thus no way to know whether the data has been
deleted securely, lambda command injection in the server less computing which is prone to
security threats, application user interfaces (APIs) when unsecured can be a target point of
various vulnerabilities and malicious attackers (Alam, 2020). Critical assets in the cloud
computing IT infrastructure will include cloud storage, application user interfaces (APIs),
intellectual property (IP), etc.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
TASK – 2
Risk analysis and protection against those risks –
Any project, any business whether it is related to information technology (IT) or not shall be
having some risk which are needed to be analysed for their successful operation and working
without any hindrance in between the processes (Talha, Sohail and Hajji, 2020). Therefore, risk
analysis lies at the heart of any successful IT project this can be proven through the following
importance of risk analysis phase in any IT project:
For reduction and management of such risks.
For effective and efficient development of a response or action plan in case of any IT crisis.
To adhere to the legal obligations towards the privacy, staff training and electronic
transactions which materially influence the strategies of risk management in case of IT.
To handle and tackle the failure of software and hardware.
To reduce the chances of human error, viruses and malicious attacks.
To handle the after effects of natural disasters like floods, fires or earthquakes.
To have a business continuity plan for faster recovery from any IT crisis.
There are various IT risks like general IT threats which includes software & hardware failure,
viruses, malware, phishing, spam & scams and human errors, criminal IT threats which includes
fraud, hackers, denial of services, password thefts, staff dishonesty and security breaches, natural
disasters and IT systems which includes loss and damage from natural calamities like fire,
cyclone, floods, earthquakes, etc. The IT risk will include threat, vulnerability, impact and
likelihood and can be presented the risk equation i.e., Risk = Threat X Vulnerability X Asset
(Yang and et.al., 2018). It is to be noted that such risk analysis process shall be performed by
extensive internal IT teams or by the team to whom such work has been outsourced.
Risk analysis process will entail the following process:
1. Identification and prioritization of the assets like servers, partner documents which are
sensitive, contact information of the client, trade secrets, etc. Information for each asset like
interface, hardware, software, users, data, functional requirements, security policies, security
architecture, flow of information, controls of technical security, protection of information
storage, criticality, etc. shall gathered.
Risk analysis and protection against those risks –
Any project, any business whether it is related to information technology (IT) or not shall be
having some risk which are needed to be analysed for their successful operation and working
without any hindrance in between the processes (Talha, Sohail and Hajji, 2020). Therefore, risk
analysis lies at the heart of any successful IT project this can be proven through the following
importance of risk analysis phase in any IT project:
For reduction and management of such risks.
For effective and efficient development of a response or action plan in case of any IT crisis.
To adhere to the legal obligations towards the privacy, staff training and electronic
transactions which materially influence the strategies of risk management in case of IT.
To handle and tackle the failure of software and hardware.
To reduce the chances of human error, viruses and malicious attacks.
To handle the after effects of natural disasters like floods, fires or earthquakes.
To have a business continuity plan for faster recovery from any IT crisis.
There are various IT risks like general IT threats which includes software & hardware failure,
viruses, malware, phishing, spam & scams and human errors, criminal IT threats which includes
fraud, hackers, denial of services, password thefts, staff dishonesty and security breaches, natural
disasters and IT systems which includes loss and damage from natural calamities like fire,
cyclone, floods, earthquakes, etc. The IT risk will include threat, vulnerability, impact and
likelihood and can be presented the risk equation i.e., Risk = Threat X Vulnerability X Asset
(Yang and et.al., 2018). It is to be noted that such risk analysis process shall be performed by
extensive internal IT teams or by the team to whom such work has been outsourced.
Risk analysis process will entail the following process:
1. Identification and prioritization of the assets like servers, partner documents which are
sensitive, contact information of the client, trade secrets, etc. Information for each asset like
interface, hardware, software, users, data, functional requirements, security policies, security
architecture, flow of information, controls of technical security, protection of information
storage, criticality, etc. shall gathered.
2. Identification of threats like natural disasters, hardware failure, malicious behaviour which
includes interference interception and impersonation, malware, hackers, etc. shall be done
skilfully to be able to perceptive of coming threats and dangers.
3. Identification of vulnerabilities that will leave the organisation prone to such threats as
discussed above. Such identification can be done through audit reports, analysis, NIST
vulnerability database, information security test, data of vendors, penetration testing, and
automated scanning tools.
4. Analysis of controls which are put in place by the organization to safeguard from the threat
entering through a vulnerability. There are 2 types of controls namely – technical controls
which will include mechanism of intrusion detection, encryption and authentication &
identification solutions and non-technical controls which will include policies and procedures
regarding security of the IT assets, administrative actions to be taken in case of a threat or
vulnerability, and environmental and physical mechanisms (Wut, Xu and Wong, 2021). Such
controls can be either preventive i.e., can be prevented before happening or detective which
will discover the threats and vulnerabilities which has already taken place.
5. Determination of probability of the incident i.e., probability that a threat might be actually
be prevalent or vulnerability might actually be exploited.
6. Assessment of impact of a potential threat along with the sensitivity of the affected asset,
its value in the organization and any dependent processes on such an asset and its mission.
7. Prioritization of information security risk i.e., level of risk to be determined on the basis
of its impact on the organization.
8. Recommendation of controls on the basis of the level of risk by taking into consideration
policies of the organization, feasibility, etc.
Now there are various security risks pertaining to cloud computing thus these risks need to be
discussed along with the protection policies and methods which are as follows:
RISKS PROTECTION AGAINST THE RISKS
There is a risk of intellectual property being
lost or stolen. Such loss or theft of sensitive
data is a serious concern. It mostly happens
when the data is stored without any encryption
or multi factor authentication to allow the
Appropriate policies regarding privacy and
compliances shall be devised, implemented and
monitored. A proper chain of responsibility or
chain of authority shall be established in the
organisation. Such policies and responsibilities
includes interference interception and impersonation, malware, hackers, etc. shall be done
skilfully to be able to perceptive of coming threats and dangers.
3. Identification of vulnerabilities that will leave the organisation prone to such threats as
discussed above. Such identification can be done through audit reports, analysis, NIST
vulnerability database, information security test, data of vendors, penetration testing, and
automated scanning tools.
4. Analysis of controls which are put in place by the organization to safeguard from the threat
entering through a vulnerability. There are 2 types of controls namely – technical controls
which will include mechanism of intrusion detection, encryption and authentication &
identification solutions and non-technical controls which will include policies and procedures
regarding security of the IT assets, administrative actions to be taken in case of a threat or
vulnerability, and environmental and physical mechanisms (Wut, Xu and Wong, 2021). Such
controls can be either preventive i.e., can be prevented before happening or detective which
will discover the threats and vulnerabilities which has already taken place.
5. Determination of probability of the incident i.e., probability that a threat might be actually
be prevalent or vulnerability might actually be exploited.
6. Assessment of impact of a potential threat along with the sensitivity of the affected asset,
its value in the organization and any dependent processes on such an asset and its mission.
7. Prioritization of information security risk i.e., level of risk to be determined on the basis
of its impact on the organization.
8. Recommendation of controls on the basis of the level of risk by taking into consideration
policies of the organization, feasibility, etc.
Now there are various security risks pertaining to cloud computing thus these risks need to be
discussed along with the protection policies and methods which are as follows:
RISKS PROTECTION AGAINST THE RISKS
There is a risk of intellectual property being
lost or stolen. Such loss or theft of sensitive
data is a serious concern. It mostly happens
when the data is stored without any encryption
or multi factor authentication to allow the
Appropriate policies regarding privacy and
compliances shall be devised, implemented and
monitored. A proper chain of responsibility or
chain of authority shall be established in the
organisation. Such policies and responsibilities
access. will tell how to communicate the information.
The threats are more prevalent where there are
non-compliances of the policies and
procedures set by a regulatory body. Such non-
compliance can result into trouble for the
companies. Employees must be informed of
the repercussions of such non-compliances and
the risk of sharing of the data unauthorized.
To keep the non-compliances in the
organization in check, first and foremost step
can be conduct of audit time to time. Such
check can be of any malware or any phishing
attacks. IT system audit will keep a check on
the system vendors or data in servers on cloud.
Most important aspects to be audited are
security in the cloud, audit trail & its
accessibility and internal environment of
control of the cloud.
There is a great risk of attack of malware
through data exfiltration. There are various
new methods of such malware attacks as the
protection systems are evolving like and all
these methods shall be kept in check to avoid
any malware attack and resultant loss of data.
Naturally, there should be protocols and
guidelines as to who will have the access to the
sensitive software and data information on the
cloud by the employee. Also, the system shall
be ensured to be secured enough to tackle the
attack if any.
Organisation is prone to the risk of insider
threats i.e., sharing of insider information on
the cloud and accessing them for illegitimate
purposes. In the current market scenarios,
insider threats have become very prevalent.
The organisations are prone to risks when
private data is exposed on the public servers.
Such a risk of exposure of private data on the
public servers requires implementation of
policies regarding privacy and protection of
such private data. In case of inadequate
measures of security private data shall not be
uploaded on the cloud of the company.
There is a risk of breach of privacy contracts
by the employees entered by the company with
the clients (Chen and et.al., 2021). Such a
breach leads to possibility of legal action. Such
a breach is very common in the case when
right to share is allowed of the data with others
on the cloud.
Different policies and guidelines shall be made
for different nature of data stored in the cloud.
Rendering of services on the cloud according
to the need of the user shall be done to avoid
breach of contracts like IaaS, SaaS or PaaS.
The threats are more prevalent where there are
non-compliances of the policies and
procedures set by a regulatory body. Such non-
compliance can result into trouble for the
companies. Employees must be informed of
the repercussions of such non-compliances and
the risk of sharing of the data unauthorized.
To keep the non-compliances in the
organization in check, first and foremost step
can be conduct of audit time to time. Such
check can be of any malware or any phishing
attacks. IT system audit will keep a check on
the system vendors or data in servers on cloud.
Most important aspects to be audited are
security in the cloud, audit trail & its
accessibility and internal environment of
control of the cloud.
There is a great risk of attack of malware
through data exfiltration. There are various
new methods of such malware attacks as the
protection systems are evolving like and all
these methods shall be kept in check to avoid
any malware attack and resultant loss of data.
Naturally, there should be protocols and
guidelines as to who will have the access to the
sensitive software and data information on the
cloud by the employee. Also, the system shall
be ensured to be secured enough to tackle the
attack if any.
Organisation is prone to the risk of insider
threats i.e., sharing of insider information on
the cloud and accessing them for illegitimate
purposes. In the current market scenarios,
insider threats have become very prevalent.
The organisations are prone to risks when
private data is exposed on the public servers.
Such a risk of exposure of private data on the
public servers requires implementation of
policies regarding privacy and protection of
such private data. In case of inadequate
measures of security private data shall not be
uploaded on the cloud of the company.
There is a risk of breach of privacy contracts
by the employees entered by the company with
the clients (Chen and et.al., 2021). Such a
breach leads to possibility of legal action. Such
a breach is very common in the case when
right to share is allowed of the data with others
on the cloud.
Different policies and guidelines shall be made
for different nature of data stored in the cloud.
Rendering of services on the cloud according
to the need of the user shall be done to avoid
breach of contracts like IaaS, SaaS or PaaS.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Each and every party to an agreement is
responsible for the security of the cloud i.e.,
service provider, client, partners, etc. Apart
from service providers, it is the responsibility
of the clients to protect their passwords and
keep the access to the cloud restricted.
Clients are expected to keep their sensitive data
protected and unshared after the service
provider has already taken major steps for the
security of the data from their end. Thus clients
are required to take precautions for the
protection of their sensitive data.
The risk analysis of Expedia Inc. on the basis of above risk can be evaluated as follows:
RISK IDENTIFIED LIKELIHOOD IMPACT ACTION IN
RESPONSE
Lost or theft of
intellectual property
Very Likely High Policies regarding
compliances and
privacy shall be
formed along with
proper chain of
authority, appropriate
chain of responsibility
and fair chain of
command.
Non-compliances of
policies and
procedures
Likely Medium By conduct of regular
audit of IT systems so
as to look for any
current or potential
malware or phishing
attacks. Data on the
servers will kept on
check by focussing on
security, audit trail
and their accessibility.
Malware attack
through data
Very Likely High Such a risk can be
mitigated through
responsible for the security of the cloud i.e.,
service provider, client, partners, etc. Apart
from service providers, it is the responsibility
of the clients to protect their passwords and
keep the access to the cloud restricted.
Clients are expected to keep their sensitive data
protected and unshared after the service
provider has already taken major steps for the
security of the data from their end. Thus clients
are required to take precautions for the
protection of their sensitive data.
The risk analysis of Expedia Inc. on the basis of above risk can be evaluated as follows:
RISK IDENTIFIED LIKELIHOOD IMPACT ACTION IN
RESPONSE
Lost or theft of
intellectual property
Very Likely High Policies regarding
compliances and
privacy shall be
formed along with
proper chain of
authority, appropriate
chain of responsibility
and fair chain of
command.
Non-compliances of
policies and
procedures
Likely Medium By conduct of regular
audit of IT systems so
as to look for any
current or potential
malware or phishing
attacks. Data on the
servers will kept on
check by focussing on
security, audit trail
and their accessibility.
Malware attack
through data
Very Likely High Such a risk can be
mitigated through
exfiltration restrictions on the
access to sensitive
data on the cloud and
data to be secured to
tackle such
exfiltration in the
system.
Risk of insider threats Very Likely High Policies and
procedures regarding
protection and privacy
of private data shall
be established.
Breach of privacy
contracts
Likely Medium Rendering of services
according to the needs
of the client so as to
avoid breach of
privacy contract.
Responsibility of
client for security of
data
Very Likely High Although service
provider is
responsible for the
security of the data on
the cloud but clients
are also expected to
take precautions for
the safeguarding of
data.
TASK – 3
Key aspects of security policy of Expedia and Cryptography –
There are various security policies adopted by Expedia Inc. which are listed and explained as
follows:
access to sensitive
data on the cloud and
data to be secured to
tackle such
exfiltration in the
system.
Risk of insider threats Very Likely High Policies and
procedures regarding
protection and privacy
of private data shall
be established.
Breach of privacy
contracts
Likely Medium Rendering of services
according to the needs
of the client so as to
avoid breach of
privacy contract.
Responsibility of
client for security of
data
Very Likely High Although service
provider is
responsible for the
security of the data on
the cloud but clients
are also expected to
take precautions for
the safeguarding of
data.
TASK – 3
Key aspects of security policy of Expedia and Cryptography –
There are various security policies adopted by Expedia Inc. which are listed and explained as
follows:
Information Security Policy – It says that the company shall have its policies regarding
information security documented and approved by an appropriate authority like management
or governance committee thus defining the responsibilities for protection of information
assets. Such policies shall be up to the standards of industry best practices.
Information Security Organization – All the group companies must adhere to the
company’s requirements, standards, policies and procedures of information security i.e.,
adherence to documentation, enforcement and adoption of such information security matters.
In case the third party is allowed to access the information of Expedia, it shall be ensured that
agreement shall be complied with regards to not sharing of such sensitive data to other
people and parties.
Manner of Storage of Information – The company shall store the information of Expedia in
such locations and in such manner where there is a total protection of the information from
effects of natural calamities, possibility of theft, unauthorized and unlawful physical access,
technical issues like cooling, proper ventilation or possibility of power failures.
Deletion of information on request – The company shall have in place proper processes to
immediately destroy the information of Expedia on receiving any request regarding such
deletion of information. Such information can be in any format i.e., soft copy or hard copy.
Malware Protection – All the protection protocols deployed by the company to protect the
information of Expedia shall be enabled and regularly updated and kept up to date to allow
detection, removal and protection of such information from the malicious software.
Automatic updates shall be enabled and regular scans shall be done by the system
automatically.
Access Control – The Expedia information shall be restricted to the access by any
unauthorized user i.e., only authorized users shall be allowed to access the information when
the data is kept in the environments which are managed by Expedia. And access to the
information by the group companies shall be as per appropriate policies and procedures in
place thus resulting into appropriate controls by the company.
Now the main aim of the above security policies devised and implemented is to protect the
organization against the security risks such as malware attacks, breach of privacy contracts, loss
or theft of intellectual property, non-compliance of policies and procedures, risk of insider
threats, etc. which are discussed earlier in this report.
information security documented and approved by an appropriate authority like management
or governance committee thus defining the responsibilities for protection of information
assets. Such policies shall be up to the standards of industry best practices.
Information Security Organization – All the group companies must adhere to the
company’s requirements, standards, policies and procedures of information security i.e.,
adherence to documentation, enforcement and adoption of such information security matters.
In case the third party is allowed to access the information of Expedia, it shall be ensured that
agreement shall be complied with regards to not sharing of such sensitive data to other
people and parties.
Manner of Storage of Information – The company shall store the information of Expedia in
such locations and in such manner where there is a total protection of the information from
effects of natural calamities, possibility of theft, unauthorized and unlawful physical access,
technical issues like cooling, proper ventilation or possibility of power failures.
Deletion of information on request – The company shall have in place proper processes to
immediately destroy the information of Expedia on receiving any request regarding such
deletion of information. Such information can be in any format i.e., soft copy or hard copy.
Malware Protection – All the protection protocols deployed by the company to protect the
information of Expedia shall be enabled and regularly updated and kept up to date to allow
detection, removal and protection of such information from the malicious software.
Automatic updates shall be enabled and regular scans shall be done by the system
automatically.
Access Control – The Expedia information shall be restricted to the access by any
unauthorized user i.e., only authorized users shall be allowed to access the information when
the data is kept in the environments which are managed by Expedia. And access to the
information by the group companies shall be as per appropriate policies and procedures in
place thus resulting into appropriate controls by the company.
Now the main aim of the above security policies devised and implemented is to protect the
organization against the security risks such as malware attacks, breach of privacy contracts, loss
or theft of intellectual property, non-compliance of policies and procedures, risk of insider
threats, etc. which are discussed earlier in this report.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
The enabling of automatic update and regular scanning will be helpful in protecting the
system from the risk of malware attacks and prevent malicious software from entering the cloud.
The above risk of insider threat can be cope up by devising the access controls in the system and
restricting the unauthorized user to access the sensitive data. The security policy of storing the
information in such a place where there is absolute protection and thus will prevent loss and theft
of intellectual property and adverse effects of natural calamities. The security policy of
organization of information security of adhering to policies, procedures, standards and
requirements and not sharing of sensitive data to other parties will lead to the resolution of
security risk issues of non-compliance of policies and procedures and breach of privacy contracts
by the employees and the personnel working in the organization.
Cryptography in simple terms is the use of coding to protect the information and data that is
communicated between parties so that only the intended users of the information can read it and
further process it. In this algorithms which are mathematical concepts and calculations which are
rule-based are used to make the data and information which are hard to decipher and crack
(Sharma and Mittal, 2019). The purpose of cryptography of security of data and information is
achieved through the objectives like confidentiality in which the information cannot be accessed
by the unauthorized user, integrity in which information when in transit i.e., between the sender
and the receiver cannot be altered without such detection of the activity, non-repudiation in
which the intentions of the sender of the information cannot be denied with after sending the
information and authentication in which both sender and receiver can authenticate the identities
of each other.
Cryptographic approach which can be proposed is the technique involving encryption and
decryption of data sent from the sender to the receiver respectively. In this, original format of
information i.e., plaintext which is non-encrypted data is encrypted and converted into cipher
text and sent to the destination to the receiver and thereafter, decrypted into plaintext which is a
readable format for the receiver of the information (Importance of Encryption decryption. 2022).
Such conversion of plain text into cipher text will prevent theft of sensitive data in the transit by
the hackers and prevent them from using such information as they will not be able to decrypt
such information and thus it will be useless for the hackers to use this information which cannot
be understood or decrypted.
system from the risk of malware attacks and prevent malicious software from entering the cloud.
The above risk of insider threat can be cope up by devising the access controls in the system and
restricting the unauthorized user to access the sensitive data. The security policy of storing the
information in such a place where there is absolute protection and thus will prevent loss and theft
of intellectual property and adverse effects of natural calamities. The security policy of
organization of information security of adhering to policies, procedures, standards and
requirements and not sharing of sensitive data to other parties will lead to the resolution of
security risk issues of non-compliance of policies and procedures and breach of privacy contracts
by the employees and the personnel working in the organization.
Cryptography in simple terms is the use of coding to protect the information and data that is
communicated between parties so that only the intended users of the information can read it and
further process it. In this algorithms which are mathematical concepts and calculations which are
rule-based are used to make the data and information which are hard to decipher and crack
(Sharma and Mittal, 2019). The purpose of cryptography of security of data and information is
achieved through the objectives like confidentiality in which the information cannot be accessed
by the unauthorized user, integrity in which information when in transit i.e., between the sender
and the receiver cannot be altered without such detection of the activity, non-repudiation in
which the intentions of the sender of the information cannot be denied with after sending the
information and authentication in which both sender and receiver can authenticate the identities
of each other.
Cryptographic approach which can be proposed is the technique involving encryption and
decryption of data sent from the sender to the receiver respectively. In this, original format of
information i.e., plaintext which is non-encrypted data is encrypted and converted into cipher
text and sent to the destination to the receiver and thereafter, decrypted into plaintext which is a
readable format for the receiver of the information (Importance of Encryption decryption. 2022).
Such conversion of plain text into cipher text will prevent theft of sensitive data in the transit by
the hackers and prevent them from using such information as they will not be able to decrypt
such information and thus it will be useless for the hackers to use this information which cannot
be understood or decrypted.
Encryption is a part or tool of cybersecurity which makes it literally impossible for the
cybercriminals or hackers to decipher or read the information. This is because of the reason that
such information can be deciphered by only those who have the decryption key and only the
receiver of such information has the decryption key and thus no one else can do this decryption
besides him. It is basically used in safeguarding of passwords and other sensitive data of the
employees in the organizations (The Importance Of Encryption For Your Business. 2021). It also
allows security of important numbers like social security number, bank account credentials, etc.
as such data cannot be decrypted without the decryption key and thus the sensitive data is safe
and kept confidential.
Expedia Inc. shall use the proposed techniques of encryption and decryption in case of
sensitive and confidential information of its employees like contact numbers, back account
credentials, passwords, etc. and also in the gateways where the customers process their payments
to the company for the transactions of airline booking, hotel reservations, train ticket booking,
holiday packages bookings, etc. which will safeguard the customer’s bank account credentials,
their personal information like address, contact number, ID number, etc. also the bank account
credentials of the company itself and prevent loss or theft of the money from the same.
TASK – 4
Assessment of securities and critical Evaluation of legal, social and ethical issues in security of
cloud computing:
Layered security approach as the name suggests is a security approach layered into the
multiple components and uses the multiple components for protection of operations of the
organization on multiple level and layers. In this approach, it is believed that multiple strategies
will be more effective in security and protection of the systems of the organisation. The aim is to
safeguard each individual component and to tackle any and every risk and issues in the various
layers of the security of the organization (Aydos, Vural and Tekerek, 2019). There can be
various layers which can be implemented in the security system and which includes web
protection, data encryption, patch the executives, antivirus programming, vulnerability
evaluation, email security and documentation, digital endorsements, firewalls, privacy controls,
etc.
An organisation under cloud computing can implement various types of cloud security
namely – private cloud which is for transactions only within the organisation, public cloud which
cybercriminals or hackers to decipher or read the information. This is because of the reason that
such information can be deciphered by only those who have the decryption key and only the
receiver of such information has the decryption key and thus no one else can do this decryption
besides him. It is basically used in safeguarding of passwords and other sensitive data of the
employees in the organizations (The Importance Of Encryption For Your Business. 2021). It also
allows security of important numbers like social security number, bank account credentials, etc.
as such data cannot be decrypted without the decryption key and thus the sensitive data is safe
and kept confidential.
Expedia Inc. shall use the proposed techniques of encryption and decryption in case of
sensitive and confidential information of its employees like contact numbers, back account
credentials, passwords, etc. and also in the gateways where the customers process their payments
to the company for the transactions of airline booking, hotel reservations, train ticket booking,
holiday packages bookings, etc. which will safeguard the customer’s bank account credentials,
their personal information like address, contact number, ID number, etc. also the bank account
credentials of the company itself and prevent loss or theft of the money from the same.
TASK – 4
Assessment of securities and critical Evaluation of legal, social and ethical issues in security of
cloud computing:
Layered security approach as the name suggests is a security approach layered into the
multiple components and uses the multiple components for protection of operations of the
organization on multiple level and layers. In this approach, it is believed that multiple strategies
will be more effective in security and protection of the systems of the organisation. The aim is to
safeguard each individual component and to tackle any and every risk and issues in the various
layers of the security of the organization (Aydos, Vural and Tekerek, 2019). There can be
various layers which can be implemented in the security system and which includes web
protection, data encryption, patch the executives, antivirus programming, vulnerability
evaluation, email security and documentation, digital endorsements, firewalls, privacy controls,
etc.
An organisation under cloud computing can implement various types of cloud security
namely – private cloud which is for transactions only within the organisation, public cloud which
can be accessed by more than one organization at a time and managed by a third party i.e., a
typical rental cloud services and hybrid cloud system which is a hybrid of both public as well as
private cloud system and is the most efficient one although it is a little expensive than other
systems.
Assessment of the security of cloud computing infrastructure leads us to the critical
aspects like - data security is prone to security breaches especially if utilizing the public cloud
where there is access to third party as well which may not be healthy for any organization and
will also take time to be detected. Although it is the responsibility of the service provider to
avoid such breaches but it will still occur and thus hybrid cloud system is better and cloud
computing has made it possible to access the information and data from anywhere in the world at
any time which results in better management of remote work. But it also demands careful
handling and management of the data. Cloud storage system is thus beneficial.
The term cloud computing security is also known as cloud security, it is a collection of
applications, technologies, policies and controls that are used with the perspective to protect
virtual IP, services company provides, data of users and company, and related infrastructure.
Legal issues that arise in cloud computing are: Security Procedures – Most of the companies
using cloud computing does not have proper arrangements for approving the cloud applications
that are used. This expose the company to the issues of their data being leak (Mallikarjuna and
Krishna, 2018). The data of company includes data of its users which when breached will result
in company to face legal consequences. Third Party Access Issues – The usage of same cloud
services by everyone results in exposure of risk of third party access. Access of crucial and
confidential information of company to any third party is highly risky for the company any
statements regarding the upcoming strategic decisions of company can be leaked to the
competitors.
Intellectual Property Rights – Another legal issue that is related to cloud computing is
that the laws regarding intellectual property rights are different in every nation. So it is difficult
to decide the laws that applies on the same. Confidential Data Theft Attacks - Cloud
computing faces the issue of high level of possibility that the data stored gets steal. Data theft is a
serious issue that concerns both the management and the users of the company’s products and
services as valuable their valuable information is stored in the company’s database (Arul Xavier
and Annadurai, 2019). Privacy and Confidentiality – The utilization of cloud system by
typical rental cloud services and hybrid cloud system which is a hybrid of both public as well as
private cloud system and is the most efficient one although it is a little expensive than other
systems.
Assessment of the security of cloud computing infrastructure leads us to the critical
aspects like - data security is prone to security breaches especially if utilizing the public cloud
where there is access to third party as well which may not be healthy for any organization and
will also take time to be detected. Although it is the responsibility of the service provider to
avoid such breaches but it will still occur and thus hybrid cloud system is better and cloud
computing has made it possible to access the information and data from anywhere in the world at
any time which results in better management of remote work. But it also demands careful
handling and management of the data. Cloud storage system is thus beneficial.
The term cloud computing security is also known as cloud security, it is a collection of
applications, technologies, policies and controls that are used with the perspective to protect
virtual IP, services company provides, data of users and company, and related infrastructure.
Legal issues that arise in cloud computing are: Security Procedures – Most of the companies
using cloud computing does not have proper arrangements for approving the cloud applications
that are used. This expose the company to the issues of their data being leak (Mallikarjuna and
Krishna, 2018). The data of company includes data of its users which when breached will result
in company to face legal consequences. Third Party Access Issues – The usage of same cloud
services by everyone results in exposure of risk of third party access. Access of crucial and
confidential information of company to any third party is highly risky for the company any
statements regarding the upcoming strategic decisions of company can be leaked to the
competitors.
Intellectual Property Rights – Another legal issue that is related to cloud computing is
that the laws regarding intellectual property rights are different in every nation. So it is difficult
to decide the laws that applies on the same. Confidential Data Theft Attacks - Cloud
computing faces the issue of high level of possibility that the data stored gets steal. Data theft is a
serious issue that concerns both the management and the users of the company’s products and
services as valuable their valuable information is stored in the company’s database (Arul Xavier
and Annadurai, 2019). Privacy and Confidentiality – The utilization of cloud system by
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
company gives exposure of its sensitive data and confidential information over the serves that
belongs to third parties. There exists limited knowledge with the owner of the information
regarding its control.
Encountering unresponsive cloud providers – Another issue that is related with cloud
computing is what if the cloud service provider becomes unresponsive to the data stored or
discontinue providing such services, this will users of the services in great trouble. They will not
be able to access the data stored. This issue generally concerns the small firms as they are also
not able to arrange good lawyer on timely basis to deal with such situation this is an ethical issue.
Inability to monitor and have control over the movement of data – The another type of issue
that is linked with security in cloud computing is social issue. Social issue is the issue that
concerns the society. The providers of these services are the ones who actually controls the data
of the service. The users of services cannot keep track of their data and how it is managed and
moved by their service providers (Siddiqui, Darbari and Yagyasen, 2019). So there is issue that
concerns the society, using cloud computing services. Hence there are three major type of issues
that obstacles the free use of services like cloud computing these includes social, legal and
ethical issue at security levels.
belongs to third parties. There exists limited knowledge with the owner of the information
regarding its control.
Encountering unresponsive cloud providers – Another issue that is related with cloud
computing is what if the cloud service provider becomes unresponsive to the data stored or
discontinue providing such services, this will users of the services in great trouble. They will not
be able to access the data stored. This issue generally concerns the small firms as they are also
not able to arrange good lawyer on timely basis to deal with such situation this is an ethical issue.
Inability to monitor and have control over the movement of data – The another type of issue
that is linked with security in cloud computing is social issue. Social issue is the issue that
concerns the society. The providers of these services are the ones who actually controls the data
of the service. The users of services cannot keep track of their data and how it is managed and
moved by their service providers (Siddiqui, Darbari and Yagyasen, 2019). So there is issue that
concerns the society, using cloud computing services. Hence there are three major type of issues
that obstacles the free use of services like cloud computing these includes social, legal and
ethical issue at security levels.
REFERENCES
Books and Journals
Alam, T., 2020. Cloud Computing and its role in the Information Technology. IAIC Transactions
on Sustainable Digital Innovation (ITSDI). 1(2). pp.108-115.
Arul Xavier, V. M. and Annadurai, S., 2019. Chaotic social spider algorithm for load balance
aware task scheduling in cloud computing. Cluster Computing. 22(1). pp.287-297.
Aydos, M., Vural, Y. and Tekerek, A., 2019. Assessing risks and threats with layered approach
to Internet of Things security. Measurement and Control. 52(5-6). pp.338-353.
Bhatt, S. and et.al., 2021. Attribute-based access control for aws internet of things and secure
industries of the future. IEEE Access. 9. pp.107200-107223.
Chen, Y. and et.al., 2021. Understanding inconsistent employee compliance with information
security policies through the lens of the extended parallel process model. Information
Systems Research. 32(3). pp.1043-1065.
Hashemipour, S. and Ali, M., 2020, August. Amazon web services (aws)–an overview of the on-
demand cloud computing platform. In International Conference for Emerging
Technologies in Computing (pp. 40-47). Springer, Cham.
Krasnodebski, J., 2020. The Voice of Major E-Tourism Players: An Expedia Group
Perspective. Handbook of e-Tourism. pp.1-26.
Mallikarjuna, B. and Krishna, P. V., 2018. A nature inspired bee colony optimization model for
improving load balancing in cloud computing. Int. J. Innov. Technol. Exploring Eng. 8.
pp.51-54.
Sharma, A. K. and Mittal, S. K., 2019, January. Cryptography & Network Security Hash
Function Applications, Attacks and Advances: A Review. In 2019 Third International
Conference on Inventive Systems and Control (ICISC) (pp. 177-188). IEEE.
Sharma, S. and et.al., 2019. Cloud and IoT-based emerging services systems. Cluster
Computing. 22(1). pp.71-91.
Siddiqui, S., Darbari, M. and Yagyasen, D., 2019. A comprehensive study of challenges and
issues in cloud computing. Soft Computing and Signal Processing, pp.325-344.
Srivastava, P. and Khan, R., 2018. A review paper on cloud computing. International Journal of
Advanced Research in Computer Science and Software Engineering. 8(6). pp.17-20.
Talha, M., Sohail, M. and Hajji, H., 2020. Analysis of research on amazon AWS cloud
computing seller data security. International Journal of Research in Engineering
Innovation. 4(3). pp.131-136.
Wut, T. M., Xu, J. B. and Wong, S. M., 2021. Crisis management research (1985–2020) in the
hospitality and tourism industry: A review and research agenda. Tourism
Management. 85. p.104307.
Yang, M. and et.al., 2018. Research on Cloud Computing Security Risk Assessment Based on
Information Entropy and Markov Chain. Int. J. Netw. Secur. 20(4). pp.664-673.
1
Books and Journals
Alam, T., 2020. Cloud Computing and its role in the Information Technology. IAIC Transactions
on Sustainable Digital Innovation (ITSDI). 1(2). pp.108-115.
Arul Xavier, V. M. and Annadurai, S., 2019. Chaotic social spider algorithm for load balance
aware task scheduling in cloud computing. Cluster Computing. 22(1). pp.287-297.
Aydos, M., Vural, Y. and Tekerek, A., 2019. Assessing risks and threats with layered approach
to Internet of Things security. Measurement and Control. 52(5-6). pp.338-353.
Bhatt, S. and et.al., 2021. Attribute-based access control for aws internet of things and secure
industries of the future. IEEE Access. 9. pp.107200-107223.
Chen, Y. and et.al., 2021. Understanding inconsistent employee compliance with information
security policies through the lens of the extended parallel process model. Information
Systems Research. 32(3). pp.1043-1065.
Hashemipour, S. and Ali, M., 2020, August. Amazon web services (aws)–an overview of the on-
demand cloud computing platform. In International Conference for Emerging
Technologies in Computing (pp. 40-47). Springer, Cham.
Krasnodebski, J., 2020. The Voice of Major E-Tourism Players: An Expedia Group
Perspective. Handbook of e-Tourism. pp.1-26.
Mallikarjuna, B. and Krishna, P. V., 2018. A nature inspired bee colony optimization model for
improving load balancing in cloud computing. Int. J. Innov. Technol. Exploring Eng. 8.
pp.51-54.
Sharma, A. K. and Mittal, S. K., 2019, January. Cryptography & Network Security Hash
Function Applications, Attacks and Advances: A Review. In 2019 Third International
Conference on Inventive Systems and Control (ICISC) (pp. 177-188). IEEE.
Sharma, S. and et.al., 2019. Cloud and IoT-based emerging services systems. Cluster
Computing. 22(1). pp.71-91.
Siddiqui, S., Darbari, M. and Yagyasen, D., 2019. A comprehensive study of challenges and
issues in cloud computing. Soft Computing and Signal Processing, pp.325-344.
Srivastava, P. and Khan, R., 2018. A review paper on cloud computing. International Journal of
Advanced Research in Computer Science and Software Engineering. 8(6). pp.17-20.
Talha, M., Sohail, M. and Hajji, H., 2020. Analysis of research on amazon AWS cloud
computing seller data security. International Journal of Research in Engineering
Innovation. 4(3). pp.131-136.
Wut, T. M., Xu, J. B. and Wong, S. M., 2021. Crisis management research (1985–2020) in the
hospitality and tourism industry: A review and research agenda. Tourism
Management. 85. p.104307.
Yang, M. and et.al., 2018. Research on Cloud Computing Security Risk Assessment Based on
Information Entropy and Markov Chain. Int. J. Netw. Secur. 20(4). pp.664-673.
1
Online
Importance of Encryption decryption. 2022. [Online]. Available through: <
https://safebytes.com/importance-encryption-decryption/>
The Importance Of Encryption For Your Business. 2021. [Online]. Available through: <
https://shredcube.com/importance-of-encryption/>
2
Importance of Encryption decryption. 2022. [Online]. Available through: <
https://safebytes.com/importance-encryption-decryption/>
The Importance Of Encryption For Your Business. 2021. [Online]. Available through: <
https://shredcube.com/importance-of-encryption/>
2
1 out of 16
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.