Case Study: Cloud Security and Privacy in the DAS Department

Verified

Added on 2022/10/11

AI Summary

This case study analyzes the cloud security and privacy challenges faced by the Department of Administrative Services (DAS) in an Australian State Government transitioning to a "Shared Services" approach and adopting a "Cloud first" policy. The assignment identifies existing and new security and privacy threats to employee data, including DoS attacks, SQL injection, phishing, malware, and risks associated with SaaS like self-servicing by unauthorized users, data deletion, reduction of data controls, account hijacking, and API management issues. The study assesses the severity of these risks and outlines preventive actions and contingency plans. It also addresses privacy threats like data leaks, database protocol threats, lack of authentication, insufficient data disposal, and exposure of data backups. The case study provides a comprehensive risk assessment, emphasizing mitigation strategies and the importance of data protection in a cloud environment. The assessment covers various threats and suggests preventive measures and contingency plans, making it a valuable resource for understanding cloud security and privacy concerns.

Running head: CLOUD SECURITY AND PRIVACY
Cloud Security and Privacy
Name of the Student
Name of the University
Author’s Note:

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1
CLOUD SECURITY AND PRIVACY
Table of Contents
1. Introduction............................................................................................................................2
2. Security of Employee Data....................................................................................................2
3. Privacy of Employee Data...................................................................................................10
4. Digital Identity Issue............................................................................................................19
5. Conclusion............................................................................................................................20
References................................................................................................................................22

2
CLOUD SECURITY AND PRIVACY
1. Introduction
Cloud computing technology eventually is helpful for the on demand accessibility as
well as availability of all kinds of computer based resources. The accessibility is being
initiated with absolutely zero involvement of the direct users’ management. The respective
clouds majorly comprise of some of the most distinctive and important functionalities that are
being dispersed to different locations from the centralized users (Baron et al., 2019). Thee
clouds are also not restricted to any one organization or company and they are available to
numerous organizations. Digital identity is the type of information about any particular
person, enterprise as well as electronic devices that help in remaining online. These are
identifiers, which could be referred to as responsible to detect each and every device and
person involved.
The sensitive information is being needed to be kept safe and digital identity has the
capability of easily providing security to such information without any type of complexities
or issues (Singh & Chatterjee, 2017). DAS can easily provide several services and products to
the various different departments of the respective government. The main services of this
organization are payroll management, contractor, procurement management, HR
management and several others. Recently, the organizational management has taken the
decision of shifting to the approach of Shared Services so that they would be able to secure
their confidential information easily. The report will be describing about the privacy as well
as security issues that could be often faced within the company of DAS. Various mitigation
strategies would also be described for these threats.
2. Security of Employee Data
2.1 Existing security threats to Employee data

3
CLOUD SECURITY AND PRIVACY
There are some of the major threats and risks that are related to security of employee
data that are provided in the following paragraphs:
S.
No
Security
Threat/Risk
Description
Likelihood
Impact
Priority
Preventive Actions Contingency
Plans
1. DoS Attacks. It
takes place
when data is
being hacked
by attackers by
making system
inaccessible
(Hashizume et
al., 2013).
Very
high
Very
high
Very
high
1. Development of
response plan.
2. Securing the
network
infrastructure
completely.
1. Ensuring a
complete BCP for
checking the
impact.
2. Prevention of
bots at any cost.
2. SQL Injection
Attack. It is
helpful for
execution of
malicious SQL
statements.
High High Very
high
1. Using the
prepared statement
for proper
parameterized
queries (Tirthani &
Ganesan, 2014).
2. Validating every
stored process to
prevent this issue.
1. Ensuring
security of the
users’ credentials
in relational
databases.
2. Successful
utilization of
stored procedure.
3. Legalized Mediu High Medium 1. Keeping a track of 1. Proper

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4
CLOUD SECURITY AND PRIVACY
Privilege
Abuse. This
takes place
when customers
are provided
permission for
access privilege
of a database.
m all permission
change.
2. Improvement of
the total system
architecture.
identification of
privileged users
(Khalil, Khreishah
& Azeem, 2014).
2. Responding to
any type of
unwanted change.
4. Phishing. It
occurs when
the attacker
poses as a legal
user via emails.
Mediu
m
Medium Medium 1. There are certain
software for
detecting phishing
activities in the
system.
2. Avoiding the
public networks is
the next effective
action.
1. Verifying each
and every SSL
credential is a
contingency plan.
2. Investing in the
appropriate
technologies is the
next plan of
contingency.
5. Malware. It
occurs when a
virus intends to
damage the
networks (Popa
et al., 2013).
Low Low Low 1. Installing
antivirus software.
2. Up gradation of
system periodically.
1. Communication
for entry
methodology.
2. Blocking
unwanted access
completely.
Likelihood - VL, L, M, H, VH

5
CLOUD SECURITY AND PRIVACY
Impact- - VL, L, M, H, VH
Priority- - VL, L, M, H, VH
A detailed description of these threats is provided in the following paragraphs:
a) DoS Attacks: It causes subsequent destruction by allowing the hacker to get into
the machine and eventually access the databases.
b) Legalized Privilege Abuses: The customers get the opportunity of exploiting
numerous kinds of privileges for malicious purposes (Chang, Kuo & Ramachandran, 2016).
c) SQL Injection Attack: Code injections take place within the databases through text
message or email.
d) Phishing: A hacker gets himself as the legal user through text message or email.
e) Malware: This risk can cause subsequent destructions in the systems, servers or
even networks.
2.2 New Security Threat to Employee data (after moving to SaaS)
Few identified security risks related data privacy of DAS are provided below:
S. No New Security
Threat/Risk of
employee data
Description
(after moving
to Saas)
Likelihood
Impact
Priority
Preventive Actions Contingency
Plans
1. Self-Servicing
Inducement of
Medium Low Medium 1. An important
preventive strategy for
1. One of the major
contingency

6
CLOUD SECURITY AND PRIVACY
the
Unauthorized
Users (Modi et
al., 2013). This
particular issue
takes place for
the core purpose
of inducement of
any kind of
unauthorized
users; thus
enabling the
company’s
personnel in
enabling
services to
successful
implement SaaS.
this issue is successful
inclusion of the all
types of planning and
strategy within the
respective business. It
is absolutely possible
by proper establishing
the security incidence
and response teams.
2. The second
strategy is using a two
factor authentication
to reduce the issue
(Khansa & Zobel,
2014).
planning would be
conducting
periodical audit to
check for the
unutilized
accounts.
2. The second
effective
contingency
planning would be
properly following
every policy
related to
termination of
staff.
2. Deletion of
Data. This issue
takes place when
any specific
client gains
major
permission to
Very
low
Low Low 1. An important
preventive strategy for
this issue is
continuous updating
applications for data
storage to be sure that
data does not gets
1. One of the
major contingency
planning would be
successful
inclusion of the
encryption
technique in the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7
CLOUD SECURITY AND PRIVACY
reduce their
visibility and
control.
deleted.
2. The second
strategy is successful
deployment of the
brand new software in
their present system to
prevent this kind of
issue.
subsequent system
and data to reduce
the total effect for
deletion of data
(Nepal & Pathan,
2014).
2. The second
effective
contingency
planning would be
creating all types
of archive files
within the
respective system
to protect the
confidential data.
3. Reduction of the
Data Controls. It
mainly takes
place as soon as
the operations
and assets are
being
transitioned to
the public cloud;
High Very
high
Very
high
1. An important
preventive strategy for
this issue is
duplication of data to
ensure effective
analysis (Donald, Oli
& Arockiam, 2013).
2. The second
strategy is efficient
1. One of the
major contingency
planning would be
subsequent loss
prevention and
hence data
elimination is
restricted.
2. The second

8
CLOUD SECURITY AND PRIVACY
hence existing a
higher chance
for losing
visibility or
control of data.
diversification of the
data.
effective
contingency
planning would be
avoidance of risks.
4. Hijacking of the
accounts. It
majorly takes
place as soon as
the cloud
account is being
hacked to
exploit data.
Very
high
Very
high
Very
high
1. An important
preventive strategy for
this issue is regular
password updates
(Booth, Soknacki &
Somayaji, 2013).
2. The second
strategy is checking of
every on demand
resource.
1. One of the
major contingency
planning would be
conducting the
malicious and
unauthenticated
activities.
2. The second
effective
contingency
planning would be
successful removal
of data leakage and
falsification.
5. Negotiating the
total
management of
application
programming
interface. It
Very
high
High High 1. An important
preventive strategy for
this issue is proper
usage of the hash
functions so that it
becomes much easier
1. One of the
major contingency
planning would be
periodical
validation and
even verification

9
CLOUD SECURITY AND PRIVACY
mainly takes
place as soon as
the interfaces
gets exposed to
the respective
clouds so that
the attackers get
major
opportunity for
hacking the data.
to access the Internet
connectivity of these
interfaces.
2. The second
strategy is not
exposing the
confidential data or
information on the
URL of the website
under any
circumstance.
of each input
parameter.
2. The second
effective
contingency
planning would be
using the functions
of HTTPS in DAS
(Kshetri, 2013).
Likelihood - VL, L, M, H, VH
Impact- - VL, L, M, H, VH
Priority- - VL, L, M, H, VH
A detailed description of these threats is provided in the following paragraphs:
a) Self Servicing Inducement of the Unauthorized Users: The respective
unauthorized users get the chance of self-servicing and the authenticated users cannot help it.
b) Negotiating the total management of application programming interface: The
API’s internet access management is being negotiated by the hackers.
c) Hijacking of the accounts: The respective accounts of the confidential users are
being hijacked completely by the attackers (Sun et al., 2014).

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

10
CLOUD SECURITY AND PRIVACY
d) Reduction of the Data Controls: The data control is being reduced and the
authorized users face issue due to this.
e) Deletion of Data: The confidential data often gets completed deleted and there
exists no method of gaining it back.
2.3 Severity of risk and threat to security employee data
A severity matrix of risk for data security within DAS is provided in the following
paragraph:
Probability
Very High - - -
Negotiating
the total
management
of
application
programmin
g interface
Hijacking of the
accounts, DoS
attack
High - - -
SQL
Injection
Attacks
Reduction of
Controls
Medium -
Self
Servicing
Inducement
of the
Unauthorize
d Users Phishing
Legalized
Privilege
Abuse -
Low Malware - - -
Very Low -
Deletion of
Data - - -
Severity Very Low Low Medium High Very High
3. Privacy of Employee Data
3.1 Existing privacy threats and risks to the privacy of employee data

11
CLOUD SECURITY AND PRIVACY
There are some of the major threats and risks that are related to privacy of employee
data that are provided in the following paragraphs:
S.
No
Privacy
Threat/Risk
Description
(Employee
data)
Likelihood
(Probability)
Impact
(Severity)
Priority
Preventive
Actions
Contingency
Plans
1. Leaking of
Private Data.
This takes
place when the
confidential
data is being
leaked or
hacked (Zhou
et al., 2017).
High Medium Medium 1. An
important
preventive
strategy for
this issue is
regular
password
updates.
2. The
second
strategy is
endpoint
privacy in
network.
1. One of the
major contingency
planning would be
involvement of
multi-step
solutions.
2. The second
effective
contingency
planning would be
successful
application of
policies.
2. Database
Protocol
Threats. This
takes place
Very
high
Very
high
High 1. An
important
preventive
strategy for
1. One of the
major contingency
planning would be
involvement of a