Analysis of Cloud Privacy and Security for Charity: A Report

Added on  2023/06/08

AI Summary
This report analyzes cloud privacy and security concerns for a charity, focusing on the transition to a SaaS model. It identifies existing and potential threats to employee data security, including database injection attacks, denial-of-service attacks, malware, and legitimate privilege abuse. The report also explores additional risks associated with SaaS migration, such as data deletion, API management challenges, reduced visibility and control, and unauthorized user access. Furthermore, it categorizes the severity of these risks and provides a comprehensive overview of the charity's data sensitivity and digital identity issues. The report also addresses provider solutions and ethical considerations, offering a detailed case study and discussion to inform decision-making related to cloud adoption and data protection strategies.
Running head: CLOUD PRIVACY AND SECURITY
Cloud Privacy and Security
Name of the Student
Name of the University
Author’s Note:
Table of Contents
Introduction
Discussion
Case Study
1. Security of Employee Data
1.1 Existing Threats or Risks for the Data Security in HR Database
1.2 Additional Threats and Risks after Migration to SaaS
1.3 Severity of Threats and Risks in the Employee Data
2. Privacy of Employee Data
2.1 Existing Threats or Risks for the Data Privacy within Database of HR
2.2 Additional Risks and Threats after Migration to SaaS
2.3 Severity of Threats and Risks in the Employee Data
3. Digital Identities Issues
4. Provider Solutions Issues
5. Data Sensitivity
Conclusion
References
Introduction
Cloud computing is a significant IT paradigm that gives access to shared pools of
configurable system resources and higher-level services (Dinh et al., 2013). These services
can be provisioned quickly, with minimal management effort, over an Internet connection.
Cloud computing depends on resource sharing to achieve coherence and economies of scale,
much as public utilities do. A third-party cloud lets companies focus on their main business
rather than spend resources on the maintenance or infrastructure of computer systems
(Fernando, Loke & Rahayu, 2013). The main advantage of cloud computing is that it lets
clients minimize or avoid the cost of IT infrastructure. It is therefore extremely cost
effective and can be used by all types of organizations. Cloud computing also makes use of
service-oriented architecture (SOA), utility computing and hardware virtualization. Its main
features include improved organizational agility, independence of location and device,
better performance, increased productivity, cost effectiveness, higher reliability and
scalability, application maintenance, data privacy and security, business continuity
planning, disaster recovery, elasticity, resource pooling and many more (Arora, Parashar &
Transforming, 2013). The main cloud service models are infrastructure as a service (IaaS),
platform as a service (PaaS) and software as a service (SaaS).
This report discusses the Charity case study in detail. The Charity runs a small data centre
with Windows Server 2008 R2 servers and other web services. It will join a community cloud,
provided by a public cloud vendor, to deliver applications to its administrative users and
about 500 staff members. Sensitive information must be kept safe when cloud computing is
used. The report outlines possible threats and risks to the confidential data in the HR
database. It then covers the additional risks the organization is exposed to after SaaS
migration, for both the security and the privacy of information. The risks to the digital
identities of the Charity’s employees from migrating to SaaS, and the ethical and data
sensitivity issues, are also covered in the report.
Discussion
Case Study
The Charity is a community organization that locates and provides training and support
services, mental health services and accommodation services to disadvantaged people within
that community (Hashem et al., 2015). It runs a small data centre consisting of some 50
64-bit servers. These servers run Windows Server 2008 R2 and host file services and the
databases for desktop services. The Charity maintains the confidentiality and integrity of
its PII data, which includes a few digital identities for its disadvantaged customers. The
Board of the Charity is concerned about the privacy and security of this confidential and
sensitive data and wants to prevent data breaches in that community. The Board has decided
to purchase a personnel management and human resources application from a US-based company
that provides SaaS solutions (Li et al., 2013). It has also decided to move the payroll
system to a Commercial Off The Shelf (COTS) application managed in a public cloud, and to
move the intranet to the Microsoft SharePoint PaaS so that intranet services are provided to
every agency within the WofG.
1. Security of Employee Data
1.1 Existing Threats or Risks for the Data Security in HR Database
The employee data held by the Charity faces several security issues. It is stored in the
human resources (HR) database, so sensitive information is at stake (Rittinghouse & Ransome,
2016). To deal with this exposure, the existing risks and threats to the HR database must
first be identified. The most significant risks or threats to the security of employee data
in the HR database are as follows:
i) Database Injection Attacks: Among the most common and dangerous threats to the Charity’s
HR database are database injection attacks. Database injection is a code injection technique
used to attack data-driven applications (Garg, Versteeg & Buyya, 2013). In this attack,
malicious SQL statements are inserted into entry fields for execution.
ii) Denial of Service Attack: The denial of service (DoS) attack is one of the most
dangerous attacks and could cause major disruption to the Charity’s HR database. It is a
type of cyber attack in which the perpetrator seeks to make network resources or machines
unavailable to their authenticated users (Xiao, Song & Chen, 2013). This is done by
temporarily disrupting the services of a host connected to the Internet. In a distributed
denial of service attack, the incoming traffic that floods the victim originates from
several sources.
iii) Malware: The third important risk to data security in the Charity’s HR database is
malware. Malware is malicious software designed to damage computer networks, servers and
computers (Hashizume et al., 2013). It takes the form of executable code, executable scripts
and active content, and it can do major damage to the database. Common examples include
ransomware, Trojan horses, adware, computer viruses and various others. The Charity’s HR
database could be attacked with malware and the sensitive data stolen.
iv) Legitimate Privilege Abuse: The next significant threat to the Charity’s HR database is
legitimate privilege abuse (Jain & Paul, 2013). Any user who has the right to use the
employees’ data can exploit those privileges and use the data for improper or illegal
purposes. Legitimate privilege abuse is extremely dangerous for all databases, and the
Charity’s HR database is no exception.
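The injection described in item i) above, seen from the defender's side, as an added example that is not part of the original report: the same lookup against a constructed HR table, once with the entry-field value concatenated into the SQL text and once bound as a parameter. The table, column and function names are hypothetical.

```python
import sqlite3

# Constructed sample rows standing in for an HR table (not data from the report).
SAMPLE_EMPLOYEES = [
    (1, "Alice Ng", "alice.ng", 58000),
    (2, "Bob Iyer", "bob.iyer", 61000),
    (3, "Carol Diaz", "carol.diaz", 72000),
]


def make_hr_db():
    """Build an in-memory database with a hypothetical `employees` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, full_name TEXT, "
        "login TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", SAMPLE_EMPLOYEES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, login):
    """Weak form: the entry-field value is pasted into the SQL text itself."""
    query = "SELECT full_name, salary FROM employees WHERE login = '" + login + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, login):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    query = "SELECT full_name, salary FROM employees WHERE login = ?"
    return conn.execute(query, (login,)).fetchall()


def compare(conn, login):
    """Return (rows from weak form, rows from hardened form) for one input."""
    return lookup_vulnerable(conn, login), lookup_parameterized(conn, login)


if __name__ == "__main__":
    db = make_hr_db()
    # One ordinary value and one value that contains SQL syntax.
    for value in ("bob.iyer", "x' OR '1'='1"):
        weak, safe = compare(db, value)
        print(f"{value!r}: concatenated={len(weak)} rows, parameterized={len(safe)} rows")
```

With the concatenated query the second input changes the WHERE clause and every row comes back; with the bound parameter it is compared as a literal login and matches nothing.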
1.2 Additional Threats and Risks after Migration to SaaS
The Charity has decided to move its services and workloads to the cloud to bring more profit
and success to its business. Software as a service (SaaS) is a software licensing and
delivery model in which software is licensed on a subscription basis (Krishna, 2013). Users
access the service through a thin client via a web browser. CAD software, Microsoft Office,
payroll processing systems and virtualization are the most important applications of SaaS.
When workloads are migrated to cloud service models, these services can be exposed to
several threats or risks. These risks are as follows:
i) Data Deletion: The first threat that can arise once the SaaS migration is complete
concerns data deletion. The risks connected with deletion exist because the client has
reduced control over, and visibility into, where its data is stored in the cloud, and a
reduced ability to verify data security (Botta et al., 2016). The process of data deletion
is easier and hence SaaS migration occurs properly.
ii) Negotiation in the Management of Internet-Accessible APIs: The second important threat
after the Charity’s migration to SaaS is negotiation in the management of Internet-accessible
application programming interfaces (APIs). The APIs that clients use to manage or interact
with cloud services are exposed to the public and are therefore extremely dangerous (Herbst,
Kounev & Reussner, 2013). Several types of risk are present in these APIs, and those risks
can turn into various attacks.
iii) Reduced Visibility and Control: Another significant threat after migrating to SaaS is
reduced control over, and visibility of, private data. When assets and operations are moved
to the cloud, companies lose most of their control over and visibility of data (Wei et al.,
2014). The shift to a cloud service model leads to a paradigm shift in security monitoring.
iv) Self Services Inducing the Unauthorized Users: On-demand self-service can lead to
unauthorized or unauthenticated use, because it allows employees of the company to provision
additional services. The ease of SaaS implementation and its low cost are responsible for
this unauthorized use.
1.3 Severity of Threats and Risks in the Employee Data
The threats and risks to the employees’ data in the Charity are assessed according to their
severity (Rong, Nguyen & Jaatun, 2013). All of these threats can be divided into 4 distinct
categories. These are given below:
i) Maximum: The first and most dangerous severity category is maximum. The vulnerability
associated with a risk in this category is very high relative to other risks; lost data
cannot easily be recovered, and the organization faces major issues (Gao et al., 2013).
Risks in this category must be stopped in time to prevent any type of vulnerability. Of all
the threats or risks identified for the security of employee data in the Charity, the most
dangerous attacks are the database injection attacks.
ii) Significant: The second risk category, after maximum, in the risk assessment plan is
significant. Risks in this category can cause severe destruction in the database and affect
the confidentiality and integrity of all the data (Gupta, Seetharaman & Raj, 2013). Of all
the threats or risks identified for the security of employee data in the Charity, the
significant category of risk is the denial of service attack. This type of attack is
extremely dangerous since the user does not have any idea about the vulnerabilities and thus
iii) Limited: The next risk category, after significant, in the risk assessment plan is
limited. The limited risks are as vulnerable as the rest of the risks. However, there could
be serious security issues if proper action is not taken in time (Almorsy, Grundy & Müller,
2016). Of all the threats or risks identified for the security of employee data in the
Charity, the limited category of risk is malware. Malware is executable code used to hack
data and thus spread the vulnerability.
iv) Negligible: The fourth and lowest severity category is negligible. Risks placed in this
category are not at all dangerous for companies and clients. Because these risks are so
negligible, they never affect the sensitivity of the data within the company (Whaiduzzaman
et al., 2014). Of all the threats or risks identified for the security of employee data in
the Charity, the negligible category of risk is legitimate privilege abuse. Its overall
severity is lower than that of the other risk categories, and so mitigation techniques are
not required for these issues.
2. Privacy of Employee Data
2.1 Existing Threats or Risks for the Data Privacy within Database of HR
The privacy of sensitive and confidential data in the Charity’s HR database is not
maintained perfectly. Through negligence in data privacy, companies expose themselves to
dangerous vulnerabilities (Avram, 2014). The existing threats or risks to data privacy in
the Charity’s HR database are as follows:
i) Lack of Authentication: One of the most dangerous and significant threats to the data
privacy of the Charity’s HR database is the lack of authentication. Authentication is the
most important factor in enabling authorized users to protect their data from being hacked,
so that attackers and hackers cannot identify the legitimate database users. Brute force
attacks and social engineering attacks are considered the most popular attack strategies in
the cyber world (Oliveira, Thomas & Espadanal, 2014). Properly implemented passwords or
two-factor authentication are required for authentication. For ease of use and scalability,
these authentication mechanisms are integrated with the user management infrastructure or
enterprise directory.
ii) Database Protocol Vulnerability: The next important risk is database protocol
vulnerability. Various vulnerabilities in database protocols allow all types of
unauthenticated data access and lead to corruption (Xiao & Xiao, 2013). Malicious code could
be executed on the target database server, and these attacks can be defeated by properly
validating the SQL communications. All of these vulnerabilities are extremely harmful to the
database, as they cannot be avoided at all.
iii) Leaking Personal Data: Another significant threat to data privacy is the leaking of
personal data (Sanaei et al., 2014). This data can be leaked or exposed in the cloud, and
the confidential information then loses its confidentiality. This threat is very common for
the Charity’s database.
iv) Exposing the Backup Data: The final dangerous threat to data privacy in the Charity
database is exposure of the backup data. Backups should be properly encrypted, and a few
vendors offer as a solution future DBMS (database management system) services that do not
support any type of unencrypted backup data (Tao et al., 2014). The integrity of data is
thus lost.
2.2 Additional Risks and Threats after Migration to SaaS
Since the Charity has decided to shift its services to the cloud, it has chosen SaaS for
this purpose. Several additional threats or risks could cause major issues here. They are as
follows:
i) Increased Complexity for Staff: Not all staff in an organization have the same knowledge
of the software as a service cloud deployment model (O’Driscoll, Daugelaite & Sleator,
2013). This increases complexity both for them and for the organization.
ii) Stolen Credentials: Confidential credentials can be stolen easily after the services are
migrated to the cloud. Stolen credentials are extremely dangerous because confidentiality is
easily compromised and the compromise cannot be prevented at any cost (Sadiku, Musa, &
Momoh, 2014). An attacker could then easily use the authorized users’ access to services to
provision any resource.
iii) Inadequate Due Diligence: Inadequate due diligence may be performed when migrating to
SaaS and moving data to the cloud. All the security measures might be affected by this, and
all types of vulnerabilities may then occur.
iv) Insider Attacks: The fourth type of threat to the data privacy of the Charity database
is the insider attack (Khan et al., 2013). Once the SaaS migration is complete, cloud vendor
staff and organizational staff alike can gain access to the data, and the data could easily
be exploited; such incidents are termed insider attacks. They are extremely common in the
SaaS cloud model.
2.3 Severity of Threats and Risks in the Employee Data
The severity of each identified threat or risk to data privacy is assessed against the four
categories. These risk categories are as follows:
i) Maximum: The most dangerous risk category is maximum; it ranks above every other risk
category (Alshamaila, Papagiannidis & Li, 2013). Of all the threats or risks identified for
the security of employee data in the Charity, the maximum category of risk is the database
protocol vulnerabilities.
ii) Significant: The second most dangerous risk category is significant. If proper action is
not taken, the risk could be dangerous and extremely threatening for the company (Xia et
al., 2016). Of all the threats or risks identified for the security of employee data in the
Charity, the significant category of risk is the exposure of backup data. Attackers could
easily obtain the data and use it for wrongful purposes.
iii) Limited: The third category of risk is limited. This category is not as dangerous as
the previous two, and its risks can be avoided if stopped in time. Of all the threats or
risks identified for the security of employee data in the Charity, the limited category of
risk is the leaking of personal data (Lian, Yen & Wang, 2014). Personal data should not be
breached at any cost, and so proper mitigation plans are required in the organizational
database to maintain data privacy.
iv) Negligible: The fourth risk category is negligible. These negligible risks are extremely
vulnerable for the database of the Charity. Organizations can easily avoid these risks by
implementing various mitigation techniques (Botta et al., 2014). Of all the threats or risks
identified for the security of employee data in the Charity, the limited category of risk is
the lack of authentication.
3. Digital Identities Issues
A digital identity is the information about an entity that computer systems use to represent
an external agent. That agent may be an organization, a device, an application or a person.
Sensitive data is held in the digital identity, and it is used to assess and authenticate
users when they interact with business systems (Chen et al., 2016). No human operator is
involved in this process, so the digital identity allows access to services to be granted
automatically. The Charity has decided to move all its employees’ data to a SaaS
application, and so digital identities will be used. Several risks or threats exist for the
digital identities of the Charity’s employees, and these risks are as follows:
i) Poor Authentication: The first and foremost risk to digital identities is poor
authentication. If digital identities are not properly authenticated, there is always a high
chance that the confidentiality and integrity of the data will be lost (Suo et al., 2013).