Cloud Computing Security Challenges and Solutions

Added on  2020/03/01

AI Summary
This assignment delves into the multifaceted world of cloud computing security, examining the diverse range of threats that organizations face in this evolving landscape. It analyzes prominent vulnerabilities such as advanced persistent threats (APTs), data breaches, and insider attacks. The assignment further explores solutions and best practices for securing cloud environments, encompassing encryption techniques, access control mechanisms, and robust incident response plans. By understanding these challenges and solutions, individuals can contribute to the safe and reliable adoption of cloud computing technologies.

Running head: SECURITY AND PRIVACY
Security and privacy
Name of the Student
Name of the University
Author Note

Executive Summary
The following report discusses the security and privacy risks and threats that are
associated with the conventional HR database and with cloud-based approaches. The cloud
model considered here is the SaaS model. The chosen organization is the Department of
Administrative Services, located in Australia. The report also discusses digital identity
issues and the jurisdictions associated with data security and cloud computing.
Table of Contents
Introduction:
Discussion:
  Security of employee data:
    Risks and threats in the in house HR database of the DAS:
    Risks and threats after migration to SaaS application:
    Assessment of resulting Security of Employee Data
  Privacy of employee data:
    Risks and threats in the privacy of the data in the in house HR database:
    Risks and threats after the migration to SaaS applications:
    Assessment of Privacy of Employee Data:
  Digital identity issues:
  Provider solution issues:
  Data sensitivity and jurisdiction:
Conclusion:
References:
Introduction:
The Department of Administrative Services (DAS) provides public services to the other
departments of the Australian state government. The services provided include personnel
management and HR, management of contract tendering, payroll, procurement and
contractor management. The data centre of the department is responsible for
providing these services.
This report discusses the approach being adopted by the DAS, which is the Shared
Services approach. The report also covers the security and privacy issues that are
associated with adopting the intended requirements, and the identity risks that can be
associated with the approach. In addition, the risks arising from the providers of such
services, along with the sensitivity of data, are included in the report.
Discussion:
The main concept to be applied is the Shared Services approach. The main idea of this
approach is to centralize the services that are provided by the DAS. These services are now
to be provided to the whole government. The approach requires the different departments
of the government to migrate their resources to the central server.
The departments that previously held data and resources for their own users now need to
upload those resources to the central servers to implement the idea of shared services. This
migration will be done to the DAS central database. After the migration of the data and
resources, the DAS will be responsible for sharing the gathered resources among all the
departments of the government. This approach is further strengthened by the presence of a
government policy that

requires the incorporation of a cloud computing architecture for updating the existing
services. The payroll of the DAS will be incorporated into a COTS (Commercial Off The
Shelf) application that will help in managing the payroll-related services directly from the cloud.
The DAS intranet will also be moved into the Microsoft SharePoint PaaS to provide
intranet services to all the departments of the government.
To meet the intended outcomes, the DAS has decided to adopt certain services to help
facilitate service procurement. Firstly, the DAS is responsible for purchasing an HR and
personnel management application from a US-based company. The main idea is to obtain it
under the Software as a Service (SaaS) model. The application software is supposed to include
the HR management and personnel management applications. The provider of the
application has informed the DAS that its main database is situated in Dublin, Ireland.
Along with the HR and personnel management application, the DAS will also acquire
contractor management application software to help visualize and manage the contractors
that are associated with the DAS.
Security of employee data:
Risks and threats in the in house HR database of the DAS:
The in-house database of the HR department is subject to many threats and risks. The
traditional database grants many access privileges, and this invites many forms of risk and
threat to the data and resources involved. The first risk to the HR database is excessive
privileges or misuse of the privileges granted (Ted et al., 2013). When employees are given
access to the whole system, they may cause damage, depending on the intentions of the
employee involved. For example, a banker with full access to the employee savings accounts
may change the data of any other employee to
create a nuisance in the flow of operations. In addition, when an employee is terminated,
their access to the information remains, and given the change in the employee's emotional
state, access to such data can create problems by hampering the operation of the company or
organization involved. This unnecessary risk arises from granting full access to the
database. The more privilege given to an employee, the more vulnerable and the more prone
to attack the system becomes.
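The privilege review and the check for terminated employees who still hold access can be automated by comparing the HR roster with the database accounts. The following is an added example, not part of the original report; the record types, the per-role privilege baseline and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    terminated_on: Optional[date]  # None means still employed


@dataclass(frozen=True)
class DbAccount:
    employee_id: str
    login: str
    privileges: FrozenSet[str]
    enabled: bool


# Assumed least-privilege baseline per role (hypothetical roles and grants).
ROLE_BASELINE = {
    "hr_officer": frozenset({"SELECT", "UPDATE"}),
    "payroll_clerk": frozenset({"SELECT", "INSERT"}),
    "auditor": frozenset({"SELECT"}),
}

# Constructed sample data for the example.
SAMPLE_HR = [
    HrRecord("E100", "hr_officer", None),
    HrRecord("E101", "payroll_clerk", date(2020, 1, 15)),
    HrRecord("E102", "auditor", None),
]
SAMPLE_ACCOUNTS = [
    DbAccount("E100", "jsmith", frozenset({"SELECT", "UPDATE"}), True),
    DbAccount("E101", "akhan", frozenset({"SELECT", "INSERT"}), True),
    DbAccount("E102", "lchen", frozenset({"SELECT", "DELETE", "GRANT"}), True),
    DbAccount("E999", "svc_old", frozenset({"SELECT"}), True),
    DbAccount("E101", "akhan_admin", frozenset({"ALL"}), False),
]


def review_access(hr_records: List[HrRecord],
                  accounts: List[DbAccount],
                  today: date) -> List[Tuple[str, str, str]]:
    """Return (login, finding, detail) for every enabled account that
    belongs to nobody, belongs to a terminated employee, or holds
    privileges beyond the baseline for the employee's role."""
    by_id = {rec.employee_id: rec for rec in hr_records}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts cannot be used to log in
        rec = by_id.get(acct.employee_id)
        if rec is None:
            findings.append((acct.login, "ORPHANED", "no matching HR record"))
            continue
        if rec.terminated_on is not None and rec.terminated_on <= today:
            findings.append((acct.login, "TERMINATED_ACTIVE",
                             "terminated " + rec.terminated_on.isoformat()))
            continue
        # Unknown roles get an empty baseline, so every grant is flagged.
        allowed = ROLE_BASELINE.get(rec.role, frozenset())
        excess = acct.privileges - allowed
        if excess:
            findings.append((acct.login, "EXCESS_PRIVILEGE",
                             ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for finding in review_access(SAMPLE_HR, SAMPLE_ACCOUNTS, date(2020, 3, 1)):
        print(finding)
```

Run daily, a report like this corresponds to the "review of privileges" and "daily check for user entry" preventive actions listed in the assessment table of this report.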
Risks and threats also arise when an unauthorized user tries to gain access to the
system by attacking it (Aloul et al., 2012). This is termed a cyber attack. The HR
database is a traditional one, and the SQL injection attack is used to access it without
authorization. This attack gives the rogue user access to the entire database, and crucial
information is unethically accessed through this process. This is another threat, as it may
affect the security of the employees. Malware is another form of unauthorized
access, in which the infected system is not aware of its state. The employees or users still
work on the infected computer and their information is unethically accessed. This is another
risk to the employee data, as the security and privacy of the data and resources are
compromised. The more information a data centre possesses, the more vulnerable and the
more prone to attack the system becomes.
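The standard mitigation for the SQL injection risk described above is to pass user input as a bound parameter instead of concatenating it into the statement. The following is an added example, not part of the original report; the employees table, its rows and the function names are constructed for illustration, and SQLite stands in for the HR database.

```python
import sqlite3

# Constructed input of the kind an injection attempt would supply.
CRAFTED_INPUT = "E100' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory HR table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (emp_id TEXT PRIMARY KEY, name TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("E100", "J. Smith", 61000),
         ("E101", "A. Khan", 58000),
         ("E102", "L. Chen", 72000)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, emp_id: str):
    """Before: the input is concatenated into the SQL text, so quote
    characters in emp_id change the structure of the query."""
    query = ("SELECT emp_id, name, salary FROM employees "
             "WHERE emp_id = '" + emp_id + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, emp_id: str):
    """After: the input is bound as a parameter and is only ever
    compared as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT emp_id, name, salary FROM employees WHERE emp_id = ?",
        (emp_id,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "E100"))
    print("vulnerable, crafted input:", len(lookup_vulnerable(db, CRAFTED_INPUT)), "rows")
    print("parameterized, crafted   :", lookup_parameterized(db, CRAFTED_INPUT))
```

With the concatenated query the crafted value returns every employee row; with the bound parameter it matches no employee ID and returns nothing.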
The transactions that take place in any company or organization must be
recorded automatically in the database servers. Failure to comply with such a process may
lead to problems for the organization as well as for the employees concerned (Arasu et
al., 2013). For example, the salary transactions of one month might not be recorded, and the
database may show that the employees have their salaries even in the next month, so that
they might not be able to collect their salary. This may lead to employee-related problems.
Organizations or
companies with poor auditing mechanisms face difficulties in streamlining their operations.
As a result, the companies or organizations involved turn to third-party providers for access
to systems that help with auditing. However, the most important things to consider are the
user interface and the level of detail of the mechanism. The third-party processes do not
consider all the detailed transactions and thus fail to store all the information in the
database (Jeun, Lee & Won, 2012). Moreover, the software may use different platforms, such as
DB2 and MS-SQL logs, which are not compatible with the organizational structure. This
imposes another constraint on operations and affects the security and operation of the
individuals concerned.
Employee data is also compromised during security breaches of the backup disks in the system.
As the backup data is always unprotected, a breach to obtain such data is always a prominent
risk (Moore, Spink & Lipp, 2012). The information present in the breached database affects the
resources of the organization or company involved, or the employees concerned. The more
information a data centre possesses, the more vulnerable and the more prone to attack the
system becomes.
Risks and threats after migration to SaaS application:
Security is a main concern that needs consideration even after the incorporation of a new
project. Though the SaaS architecture is a new model, which is being used by many business
organizations or companies, the risks and threats associated with it are always to be
considered (Chou, 2013). The risks are due to the integration of the information in its
internal data center. The more information a data centre possesses, the more vulnerable and
the more prone to attack the system becomes.

As the integration of information and resources into the SaaS application requires giving
third-party service providers access to that information, the question of access and
consistency always remains (Hussein & Khalid, 2016). This is the reason for employee and
company concerns about who gets access to their information.
Another risk that comes with the SaaS application is instability due
to unavailability of the providers. As the services provided by SaaS applications are great,
many companies and organizations are adopting the concept (Alani, 2014). This has created
competition in the market among the providers of such services. However, not all companies
can make such investments, and this creates problems in the competition, which may result in
loss of business for some providers. It may sometimes happen that the services taken from a
provider are no longer available because the provider itself is unavailable. Such risks mainly
affect employee data as well as organizational resources. This risk is to
be considered before adoption of such services, and the company needs to consider its policies
for mitigating such problems.
Transparency is a concern for an organization accessing application services
from third-party vendors. The providers are often very secretive about their operations and
merely assure the clients about the services that are being provided. This is a reason for
distrust developing in the relationship between the providers and the clients (Lee, 2012). This
results in less data being shared with them and creates vulnerabilities in security regarding
the employee information or organizational resources. Though the providers have reason to
believe that hiding information about their centers can help in minimizing the risks
associated with the disclosure of information, the question of transparency still remains in
the relationship.
Identity theft is another aspect which requires security to be implemented. The providers
of the services require payment for providing them. This is done by taking credit card
information, after which the payment is made. The risk this implies is still an ethical issue
for many users. Unethical providers are to be recognized before payment information is passed
on to them, as this information can be used for doing wrong things
(Prasanth, 2012). The employees associated with the adoption of such services may pass on the
payment information before researching the vendors, and unethical acts can result
from that. This is termed identity theft.
In addition, the information shared with the application providers is not in the control of
the individuals whose information is passed on (Agrawal, El Abbadi & Wang, 2013). This results
in unease, as the employee concerned is directly impacted by any
actions taken that affect their security and privacy.
Assessment of resulting Security of Employee Data
| Student | S.No | Security Threat/Risk Description | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|---|
| Student 1 | 1 | Excessive or misuse of privileges granted | L | VH | M | 1. Review of privileges; 2. Daily check for user entry | 1. Backup of data; 2. Cross-checking by higher authorities |
| Student 1 | 2 | Cyber attack | VH | VH | VH | Antivirus presence | Locking of data to prevent access |
| Student 1 | 3 | Malware | H | H | H | Presence of antivirus | Locking of data to prevent access |
| Student 2 | 4 | Automatic recordings of transaction in the database | H | M | M | Better infrastructure | Backup of the data present |
| Student 2 | 5 | Poor auditing mechanism | M | H | H | Better mechanisms for auditing | |
| Student 2 | 6 | Security breaches in backup disks | H | VH | VH | Reviewing the security protocols | Locks in the disc with encrypted password |

Existing security threats to Employee data
Likelihood - VL, L, M, H, VH
Impact - VL, L, M, H, VH
Priority - VL, L, M, H, VH

| Student | S.No | New Security Threat/Risk of employee data Description (after moving to SaaS) | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|---|
| Student 1 | 1 | Access and consistency | VH | L | L | 1. Reviewing the terms and conditions; 2. Need to communicate with the service provider | 1. Legal actions to be taken in case of problems |
| Student 1 | 2 | Instability due to unavailability of the providers | M | VH | H | Better research regarding the service providers | Backup of the system |
| Student 2 | 3 | Transparency | VH | M | L | Terms and conditions reviewing | |
| Student 2 | 4 | Identity theft | VL | VH | H | Use of different payment account with little balance | Legal actions |
| Student 2 | 5 | Loss of control of individual data | H | L | L | Better review of the terms and conditions | |

New Security Threat to Employee data (after moving to SaaS)
Likelihood - VL, L, M, H, VH
Impact - VL, L, M, H, VH
Priority - VL, L, M, H, VH
Severity of risk and threat to security employee data

| Probability \ Severity | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | | Accessibility and consistency | Transparency | | Cyber attack |
| High | | Loss of control in user data | Transaction recording | Malware | Security breach in backup disc |
| Medium | | | | Poor auditing | Unavailability of providers |
| Low | | | | | Misuse of user privileges |
| Very Low | | | | | Identity theft |
Privacy of employee data:
Risks and threats in the privacy of the data in the in house HR database:
The privacy of data is an important aspect and a main concern in every
decision taken in any project. The information held by any organization or company
is deemed private or public depending upon its credibility (WANG & MENG, 2014).
Private information is to be safeguarded, and access to such information should not be given
to unauthorized users. However, many risks and threats are associated with the privacy of such
data.
The threats to the privacy of data in the database include loss of integrity. Changes
to the database must not damage the information present in it. Changes such as
insertion or deletion must not be made without fully backing up the data (Ziegeldorf, Morchon &
Wehrle, 2014). Loss of integrity is caused by many deliberate or accidental actions. The loss
of data needs to be corrected, as the use of changed data may lead to inaccurate results and
fraud detection, which might affect the performance of the services involved.
The availability of the database is a major concern, as all the information pertaining to the
services is stored in the system (Raschke, Krishen & Kachroo, 2014). Database availability
means making certain parameters available to the employees or other legitimate software.
Protection of confidential information is a great concern for the HR database. The
protection of data and information from unauthorized access is termed the confidentiality of
data. Unethical and unauthorized access to the system can lead to violation of the privacy of
data (Basharat, Azam & Muzaffar, 2012). Unprotected, unauthorized or accidental
disclosure of data and information can lead to problems ranging from a small-scale data
breach to legal issues for the company or organization involved. The more information a
data centre possesses, the more vulnerable and the more prone to attack the system becomes.
Risks and threats after the migration to SaaS applications:
After the client's data is hosted, the provider needs to assure the clients
regarding the security and privacy of the components (Theoharidou et al., 2013).
The provider also needs to assure the clients regarding the prevention of unauthorized access
to their information. This is included in the security and privacy conditions of the
providers.
The privacy regarding the integrity of the data is to be considered. The application
provider needs to ensure the consistency of applications and of the type of information and
resources that are being uploaded to the cloud-based application (Chen & Zhao, 2012). As the
client paying for the services has the right to know this information, the service provider needs

to tell its client about the composition of the data and the ongoing processes of the
application.
The right to know the information is also being exercised by the clients. The clients need
to know the location of the data center where their information is being stored.
However, information on the location of the data centers is not always provided to the clients
(Kalloniatis et al., 2014). In addition, the service provider works by using the resources
of other providers who have collaborated with it. This causes a risk to privacy, as the client
needs to know the location of the data center involved in storing the information.
Assessment of Privacy of Employee Data:
Existing privacy threats and risks to the privacy of employee data
| Student | S.No | Privacy Threat/Risk Description (Employee data) | Likelihood (Probability) | Impact (Severity) | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|---|
| Student 1 | 1 | Integrity loss | M | H | H | 1. Backup of data; 2. Protection of database | 1. Recovery; 2. Security protocol review |
| Student 1 | 2 | Database availability | L | H | VH | | |
| Student 2 | 3 | Protection of confidential information | VH | VH | VH | | |
| Student | S.No | New Privacy Threat/Risk of employee data Description (after moving to SaaS) | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|---|
| Student 1 | 1 | Consistency of applications | H | M | H | 1. Terms and condition review; 2. Researching of the provider before application | 1. Backing up of data; 2. Security protocol review |
| Student 2 | 2 | Location of the data centres | L | L | VH | | |
| Student 2 | 3 | Unauthorized access prevention | VH | H | VH | | |

New Security Threat to Employee data (after moving to SaaS)
Likelihood - VL, L, M, H, VH
Impact - VL, L, M, H, VH
Priority - VL, L, M, H, VH
Severity of risk and threat to privacy employee data

| Probability \ Severity | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | | | | Unauthorized access prevention | Protection of confidential information |
| High | | | Consistency of application | | |
| Medium | | | | Integrity loss | |
| Low | | Location of data centers | | Database availability | |
| Very Low | | | | | |

Fig: Solution architecture in privacy and security
(Source: created by the author)
Digital identity issues:
When a company or organization decides to adopt a cloud-based
architecture, the issues that will be faced are to be considered before the problems arise. The
authorities need to know certain requirements, such as the various passwords and
URLs required for each application to be accessed by each of its users.
The employees working with a SaaS service need to keep track of the various passwords and
URLs associated with each application that they use (Grover, 2014). This
creates identity-related problems for the employees concerned.
In the case of new employees, the company provides access to the applications that are
needed by the employees. Access is often given one application at a time.
This is done by the administrator of the system and not by an IT
professional.
The employees require authorized access to the system in order to function. Sometimes
the employees may need to use some other application to do their work.
The access is not given to them without proper identification. This creates an identity issue,
and the administrator is required to give temporary access to the application.
Access to the application is provided in the cloud computing architecture. This
enables remote access to the systems. However, due to such access, new integrations and new
passwords with URLs have to be added to the system. This causes a hindrance to the employee
accessing the system.
As cloud applications enable the integration of the organizational resources in the
cloud, the administration is assigned to one department (Jang-Jaccard & Nepal, 2014). For
example, in a particular company the cloud access is administered by the IT department. This
makes it necessary for the sales department to check on their data and thus frees up their data.
This creates a problem, as the IT department holds the administration rights and views the
centralized data, and it creates an identity problem, as every time the information is to be
accessed, IT operations needs to provide the identification URLs.
Provider solution issues:
To meet the intended outcomes, the DAS has decided to adopt certain services to help
facilitate service procurement. Firstly, the DAS is responsible for purchasing an HR and
personnel management application from a US-based company. The main idea is to obtain it
under the Software as a Service (SaaS) model. The application software is supposed to include
the HR management and personnel management applications. The provider of the
application has informed the DAS that its main database is situated in Dublin, Ireland. The
operations regarding the processing, maintenance and storage of data are to be done from
Bangalore. The service provider has advised the employees of the client that access to the
system and their performance will be controlled through a link included in the DAS intranet.
The employees will be allocated a digital identification, which will be used to provide
authenticated access to the performance and HR system. This ID will be generated by the
individual department involved. The risks discussed above in the report are not addressed in
the provided solutions, and thus the DAS needs to review the terms and conditions of the
proposals and contract accordingly. The issues with digital identities are still present, as the
employees need to get authorized access to the system via digital identification.
Along with the HR and personnel management application, the DAS will also acquire
contractor management application software to help visualize and manage the contractors that
are being

associated with the DAS. The application provider is a German-based company, and it has said
that its database is located in Heidelberg, Germany. However, maintenance
and operations will be done from the laboratory of the service provider located in Walldorf,
Germany. The data that is being processed is not managed by the service provider; the
DAS is responsible for ensuring the correctness and efficiency of the data that is being uploaded.
The data is supposed to be uploaded via a secure channel. The employees associated with the
DAS will enter their information credentials into the application service via a secured URL that
will be provided by the application provider. Although the application provider addresses the
risk of providing individual data access to the client and the employees involved, it is not
concerned with the correctness and security of the data that will be uploaded,
and this is a cause for concern for the DAS. In case of any hindrances or grave situations, the
service provider has to be notified by the client for all the required assessment.
Data sensitivity and jurisdiction:
Data sensitivity is defined as the protection of those types of data that require
non-disclosure and protection from unauthorized access. Access to these types of sensitive data
should be protected and safeguarded for various reasons, such as ethical and privacy-related
reasons (Gampala, Inuganti & Muppidi, 2012). Sensitive information consists of all data that
includes:
1. Personal information (defined by North Carolina Identity Theft Protection Act, 2005)
2. Health information protection (defined by Health Insurance Portability and
Accountability Act, 1996)
3. Educational records of the students (Family Education Rights and Privacy Act)
4. Information of customer record (Gramm Leach Bliley Act)
5. Credentials of payment (defined by Payment Card Industry Data Security Standards),
6. Confidential data of personnel (State Personnel Act)
7. Confidential information (North Carolina Public Records Act)
These jurisdictions are in compliance with the international security standards that affect
information on a global level. Many international agencies are concerned with the protection of
cloud-enabled services among the clients and their providers. The International
Telecommunications Union and the Internet Engineering are directing their activities towards
specifying the protocols of the functions associated with cloud computing services (Martini
& Choo, 2012). The sensitivity of data is being addressed by various agencies in the Australian
government, such as the Australian Government Information Management Office and the
Australian Computer Society.
The issue relating to data sensitivity is unauthorized access to the system that is
being implemented by the DAS. The requirements for sensitive information discussed above must
be followed, and access to such information must not be given without identification and
authorization. The DAS system implementation should also comply with the various
jurisdictions given in the report. These jurisdictions are to be followed to avoid
unnecessary risks and threats, as the more information is present in the system, the more
vulnerabilities the system has.
Conclusion:
Thus, it is concluded from the report that the DAS needs to take account of the threats and
risks discussed in the report and address them carefully to avoid the various risks of
implementing cloud-based services. The security-related threats are to be analyzed, and
priority must be given to the employees associated, as they are the ones who will be impacted
by such steps.
The privacy-related issues are also to be considered, as failure to comply with the jurisdictions
may result in various legal actions taken by the employees, and this will give a boost to the
operations of the competitors in the market.

References:
Agrawal, D., El Abbadi, A., & Wang, S. (2013, April). Secure and privacy-preserving database
services in the cloud. In Data Engineering (ICDE), 2013 IEEE 29th International
Conference on (pp. 1268-1271). IEEE.
Alani, M. M. (2014). Securing the cloud: Threats, attacks and mitigation techniques. Journal of
Advanced Computer Science & Technology, 3(2), 202.
Aloul, F., Al-Ali, A. R., Al-Dalky, R., Al-Mardini, M., & El-Hajj, W. (2012). Smart grid
security: Threats, vulnerabilities and solutions. International Journal of Smart Grid and
Clean Energy, 1(1), 1-6.
Arasu, A., Blanas, S., Eguro, K., Kaushik, R., Kossmann, D., Ramamurthy, R., & Venkatesan, R.
(2013, January). Orthogonal Security with Cipherbase. In CIDR.
Basharat, I., Azam, F., & Muzaffar, A. W. (2012). Database security and encryption: A survey
study. International Journal of Computer Applications, 47(12).
Chen, D., & Zhao, H. (2012, March). Data security and privacy protection issues in cloud
computing. In Computer Science and Electronics Engineering (ICCSEE), 2012
International Conference on (Vol. 1, pp. 647-651). IEEE.
Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of
Computer Science & Information Technology, 5(3), 79.
Gampala, V., Inuganti, S., & Muppidi, S. (2012). Data security in cloud computing with elliptic
curve cryptography. International Journal of Soft Computing and Engineering
(IJSCE), 2(3), 138-141.
Grover, N. (2014). A Study of Security Threats and Issues in Cloud Computing. IITM Journal of
Management and IT, 78.
Hussein, N. H., & Khalid, A. (2016). A survey of Cloud Computing Security challenges and
solutions. International Journal of Computer Science and Information Security, 14(1),
52.
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of
Computer and System Sciences, 80(5), 973-993.
Jeun, I., Lee, Y., & Won, D. (2012). A practical study on advanced persistent threats. Computer
applications for security, control and system engineering, 339, 144-152.
Kalloniatis, C., Mouratidis, H., Vassilis, M., Islam, S., Gritzalis, S., & Kavakli, E. (2014).
Towards the design of secure and privacy-oriented information systems in the cloud:
Identifying the major concepts. Computer Standards & Interfaces, 36(4), 759-775.
Lee, K. (2012). Security threats in cloud computing environments. International Journal of
Security and Its Applications, 6(4), 25-32.
Martini, B., & Choo, K. K. R. (2012). An integrated conceptual digital forensic framework for
cloud computing. Digital Investigation, 9(2), 71-80.