Detailed PII Threat and Risk Assessment for the MyLicence Portal

Added on  2020/04/07

AI Summary
This report provides a thorough threat and risk assessment for Personal Identifiable Information (PII) within the MyLicence portal, focusing on cloud-specific vulnerabilities. It begins by defining PII and its relevance to the portal, then identifies potential vulnerabilities such as those related to cryptanalysis, service-oriented frameworks, and insufficient transparency in service provider policies. The report outlines cloud-specific threats, including exploitation of cloud computing, distributed technology concerns, data loss or leakage, and unstable APIs. A PII strategy proposal is presented, emphasizing the importance of data protection services, privacy by design, and privacy protection through service attributes. The proposed strategy also covers protecting PII data during overhaul procedures, ensuring data access management, and maintaining transparency. The report concludes by outlining steps for authorizing customers to secure their information and implement a robust PII strategy, including identifying and organizing PII, establishing acceptable use policies, and educating employees. Overall, the report provides a comprehensive framework for safeguarding PII within the MyLicence portal.
PII Strategy
Threat and Risk Assessment for PII in “MyLicence” Portal
1. Introduction
Since the Australian state government has centralized its licence applications and deployed a
single workflow for all licences through a single web portal called “MyLicence”, threat and risk
analysis of the Personal Identifiable Information (PII) it holds is an essential concern. The
Department of Administrative Services (DAS) has implemented the cloud model for incorporating
shared services such as personnel management, contractor management, a payroll solution, and
Whole of Government (WofG) development.
With the deployment of the MyLicence portal, citizens can acquire and renew their licences in a
customized way. To do so, citizens register on the web portal and create their own informal
digital identity. This, however, exposes the citizens' sensitive PII data to several security
risks and vulnerabilities.
This report presents the Threat and Risk Assessment (TRA) for the PII data stored in the
MyLicence portal. In addition, a PII strategy proposal for the portal is drafted, and privacy and
information protection aspects are considered for mitigating the identified risks and
vulnerabilities.
2. Threat and Risk Assessment (TRA) for PII data in MyLicence
Portal
2.1. Introduction to PII
Any information that can be used to uniquely recognize or identify an individual is termed
Personal Identifiable Information (PII). This data can also be linked with matching data from
external sources. PII covers a wide collection of information for locating unique individuals,
such as birth date, personal addresses, licence numbers, bank account numbers, credit card
numbers, payroll data, etc. Even though individuals have growing concerns about the disclosure
of their personal information, this problem exists in a portal like MyLicence, which stores a
wide range of PII.
The examples of PII in MyLicence include:
- First Name or Last Name
- Address of the citizen
- Age
- Telephone or Mobile Numbers
- Credit Card Numbers
- Race
- Criminal Evidence
- Birth Date
- Gender, and other unique details related to the citizens.
2.2. Cloud Identifiable Vulnerabilities
Some technologists concentrate on cloud-related vulnerabilities rather than on risks and threats.
The cloud-specific vulnerabilities for PII data are given below:
- Vulnerabilities can be found in cryptanalysis and in the service-oriented framework.
- The main source of vulnerabilities can be one of the characteristics of cloud computing, such as openness, the pay-as-you-consume model, and the pooling of resources (Grobauer, Walloschek & Stocker, 2011).
- Insufficient transparency in the service provider's policy is another issue.
2.3. Cloud Specific Threats
The cloud specific threats for PII data can be categorized as follows:
2.3.1. Exploitation and disreputable utilization of cloud computing
IaaS providers offer customers unlimited storage capacity, network, and compute resources.
Hackers and malicious code developers can conduct their malicious tasks using these resources.
In a portal like MyLicence, PII data can be extracted by attackers through password tracking
methods, Distributed Denial of Service, launching dynamic attack points, botnet command and
control, hosting malicious data, building rainbow tables, etc. (Chu, Chow, Tzeng, Zhou & Deng,
2014).
In this way, the privacy of the PII data contained in the portal will be affected. There is also
a possibility that botnets use the IaaS servers for command and control activities.
2.3.2. Distributed technology concerns
IaaS providers offer a shared architecture comprising CPU caches, Graphics Processing Units
(GPUs), etc. However, these architectural components are not able to provide isolation for
multi-tenant frameworks (Dabrowski & Mills, 2011).
To address this issue, a supervising component (hypervisor) controls access between the computing
resources and the guest operating systems. Even so, this supervising component has revealed flaws
that allow a third-party operating system to gain inappropriate access to the PII data or to
influence the underlying platform.
2.3.3. PII Data loss or leakage
Data can be compromised in several ways. An example is the modification of data without any
backup of the original content. PII data loss can be due to lack of authorization, management,
improper use of encryption keys, persistence and disposal challenges, operational failures, data
center unreliability, risk of association, authentication issues, and disaster recovery failures.
2.3.4. Unstable Application Programming Interface (API)
Customers manage cloud services through the APIs provided by the cloud suppliers. Activities such
as monitoring, provisioning, orchestration, and administration are performed through these
software interfaces (Apecechea, Inci, Eisenbarth & Sunar, 2014). Reusable passwords and API
dependencies are other examples of API threats.
3. PII Strategy Proposal
For organizations of various sizes, cloud computing provides unlimited storage space and other
computing capabilities. In this way, DAS is freed from buying, administering, and upgrading its
computer systems and networks. Even though the provision of cloud services offers multiple
benefits such as agility, improved options, and flexibility (Gargama & Chaturvedi, 2011), it also
opens the door to many privacy, data protection, and compliance issues. Users can select private
or hybrid cloud models to meet their own dedicated data protection needs.
Hence a strategy is required for protecting the PII data in the cloud-implemented MyLicence
portal. This strategy allows the portal to monitor the collection, use, and distribution of the
PII data. DAS should secure commitments from the cloud service provider in the form of legal
agreements, verification, and data protection guarantees. Moreover, the data privacy policies
should be updated regularly in order to govern applications like MyLicence.
The PII strategy implemented should cover the aspects shown in the figure below:
Fig 1: PII Strategy
3.1. Fabrication of Data Protection Services
Cloud providers should be selected such that they are able to provide services that maintain the
privacy of both the data and the customers (Chen & Lee, 2014).
3.1.1. Allegiance for protecting and limiting the utilization of data
The data contained in the centralized portal should be maintained by DAS alone and should not be
used by the cloud providers; this should be included in the privacy agreements. Each service
should have a data set that defines the storage and backup standards, and the data must be
deleted according to the requirements of the customer (Heng, Ruixuan, Xinhua & Zhang, 2014).
3.2.2. Privacy by Pattern
Privacy and data protection should be considered at every stage of the application development
process. This strategy covers all the processes, technologies, and users involved in improving
the privacy and protection of the PII data.
The portal developer should follow a development pattern comprising seven stages to enhance data
security and privacy.
Fig 2: Proposed development pattern for portal
As data security is crucial to privacy, this combination of security and privacy procedures
minimizes the vulnerabilities and threats in the application code and helps avoid data breaches
(Roberts & Al-Hamdani, 2011).
Stage labels in Fig 2: Preparation, Propose, Deployment, Validation, Feedback
- A privacy evaluation is conducted to confirm that the privacy needs are sufficiently dealt with.
- The availability of privacy features that permit the service administrator to grant people permission to access the data is verified.
- The privacy risks encountered in the portal should be estimated and the necessary mitigation measures taken.
3.2.3. Privacy Protection by Service Attributes
Enhanced data protection features must be embedded in the services provided by the cloud
providers. Hence, for a portal like MyLicence, DAS can employ cloud providers with built-in data
protection features, e.g. Microsoft Azure.
The service attributes required for data protection and privacy are listed below:
- Amalgamated Identity and Access Administration: this allows the service administrators of DAS to administer access to their respective services in the portal.
- Privileges Administration Service: using this management service, DAS can supplement its PII data protection approach by securing the data with persistent usage policies that remain with the information regardless of where the data is stored.
3.4. Protecting the PII data in overhaul procedure
Even a well-deployed cloud service will not be able to protect PII data and privacy if it is
implemented in an unsecured environment. Cloud users expect that their data is not exposed to
other cloud users. Moreover, they presume that the methods used at the data centers keep their
information secure and private (Alcaraz Calero, Edwards, Kirschnick, Wilcock & Wray, 2010).
3.4.1. Methods for protecting services privacy
Data access management is one of the prime methods for protecting the privacy of the services.
Logical and physical are the two aspects of data access management. In physical data access
management, datacenter access is monitored by means of locked server racks, video surveillance,
integrated alarms, etc.
Citizens' data can be accessed based on the requirements of the service. Access is limited by
controls such as dual-factor authentication, logging, and review of the actions performed in the
production service platform (Khan, Oriol, Kiran, Jiang & Djemame, 2012).
A robust internal program should be developed for reporting potential privacy risks, so that the
respective teams, such as legal, communications, and forensics, work together to mitigate those
particular risks. To ensure data security and privacy between cloud users who hold data in the
same cloud service, data separation methods are applied to isolate the cloud tenants, creating a
platform where users are able to access only their own data.
3.4.2. Transparency
The cloud service provider must provide data to a third party only after obtaining permission
from DAS. In this way, data transparency should be maintained in the cloud environment.
4. Authorizing the customers to secure their information
DAS should make sure that citizens' personal data is secured by incorporating security policies
and procedures that are managed by both the service providers and the customers.
The cloud service provider must take on its security responsibilities and maintain the protection
of its clients' information, and must enable its clients to implement and use its services in a
secure way (Heilig & Voss, 2014). Information security and protection is a shared responsibility
between the provider and the clients. The provider should be in charge of the platform and
responsible for creating a service that can meet the data security, protection, and compliance
requirements of the clients.
Clients are in charge of configuring and operating their service after provisioning, including
the management of access credentials and legal compliance, and protecting applications, data, and
any virtual machines or additional data that they use through their account by means of the
service's built-in controls (Factor, Hadas, Hamam, Har’El, Kolodner, Kurmus & Shulman-Peleg,
2013).
5. Steps for accepting the PII Strategy
Below are five key steps each organization should take to begin preventing data loss:
- Identify the PII that DAS should secure
- Organize PII
- Find the location of PII
- Create an acceptable use policy (AUP)
- Educate your employees about your AUP
PII might be in various places, duplicated on servers, laptops, PCs, and removable media (Asghar,
Ion, Russello & Crispo, 2011). Once the PII is found, the portal has to define the organization's
AUPs for accessing and using it. AUPs will vary from organization to organization, but should
accomplish three goals:
- Secure PII data
- Define who can access PII
- Establish rules governing which authorized employees can use PII
The AUPs will only be effective if your employees believe that they have a part to play in
protecting your PII. Fully educating employees is a basic and often overlooked step (O’Hagan &
Oakley, 2004). Copies of the AUPs must be distributed to employees, training sessions offered,
and employees made to acknowledge a statement confirming that they will abide by the policies.
This process turns each employee into an active participant in the enforcement of AUPs and in the
organization-wide effort to prevent data loss and the loss of PII.
6. PII Solutions
Encryption:
- Full-disk encryption
- Encryption of secondary storage devices
- Policy-based email encryption
- File share encryption
- Central key management and backup
- Ability to audit encryption status

Avoidance of Threats:
Stop accidental data loss by scanning for sensitive data being transferred to websites, through
instant messenger or mail, and stored on devices, using automatic rules, for example:
- File matching rule: a predefined action is taken based on the name or type of file a user is attempting to access or transfer (Saripalli & Walters, 2010)
- Data rule: contains data classifications and determines the action taken if a user attempts to transfer data that matches those classifications

Data Security:
- Detect known and unknown malware such as viruses, spyware, worms, suspicious files, Trojans, and suspicious behaviour, as well as potentially unwanted applications, practically without any need for updates.
- Get antivirus software, firewall, and device management in a single agent
- Protect all of your platforms (Windows, Linux, Mac, and UNIX)
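
The following is an added example, not part of the original report and not any vendor's implementation, of the two automatic rule kinds in the table above: one keyed on a file's name or type, and one keyed on data classification of the content. The patterns, the escalation logic, and the names (`Transfer`, `classify`, `decide`) are assumptions, and the sample transfers are constructed.

```python
import re
from dataclasses import dataclass

# Assumed policy values: the report names the rule kinds but gives no concrete patterns.
BLOCKED_NAME = re.compile(r"(licen[cs]e|payroll).*\.(csv|xlsx|sql|bak)$", re.I)
CARD = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
BIRTH_DATE = re.compile(r"\b(?:dob|date of birth|birth date)\W{0,3}\d{1,2}[/-]\d{1,2}[/-]\d{4}\b", re.I)
MOBILE = re.compile(r"(?<!\d)(?:\+61 ?|0)4\d{2} ?\d{3} ?\d{3}(?!\d)")  # Australian mobile format
# Action per data class when it is the only class present in a transfer.
ACTIONS = {"credit_card": "block", "birth_date": "warn", "mobile": "warn"}


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count matches per PII class found in the transferred content."""
    cards = [m.group() for m in CARD.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    return {"credit_card": len(cards),
            "birth_date": len(BIRTH_DATE.findall(text)),
            "mobile": len(MOBILE.findall(text))}


@dataclass
class Transfer:
    user: str
    channel: str    # "web", "mail", "im" or "device"
    filename: str
    content: str


def decide(t: Transfer) -> tuple:
    """Return (action, reason) for one attempted transfer."""
    # Rule keyed on file name or type: no need to read the content.
    if BLOCKED_NAME.search(t.filename):
        return ("block", f"file name rule matched {t.filename!r} on {t.channel}")
    found = [cls for cls, n in classify(t.content).items() if n]
    if not found:
        return ("allow", "no rule matched")
    # Several classes together look like a full citizen record, so escalate.
    if len(found) > 1:
        return ("block", "content rule: combined " + "+".join(found))
    return (ACTIONS[found[0]], "content rule: " + found[0])


# Constructed sample transfers (not real data).
SAMPLES = [
    Transfer("u1", "mail", "agenda.txt", "Meeting moved to 3pm"),
    Transfer("u2", "device", "licence_export_2020.csv", ""),
    Transfer("u3", "web", "receipt.txt", "Paid with card 4111 1111 1111 1111 today"),
    Transfer("u4", "im", "order.txt", "Order ref 4111 1111 1111 1112"),
    Transfer("u5", "mail", "form.txt", "DOB: 14/02/1985, mobile 0412 345 678"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.user, *decide(s))
```

The fourth sample has the shape of a card number but fails the Luhn checksum, so it is allowed; without that check a content rule of this kind blocks ordinary order references.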
7. Strategy for protecting the Informal Digital Identity of users
7.1. Introduction to Informal Digital Identity
On the “MyLicence” web portal, citizens must prove their identity using credentials, for example
a password. This process is called authentication, and it is fundamental to securing the "digital
identity". If authentication can be bypassed, then anyone can claim to be anyone else on the web,
and that can lead to significant problems. For instance, most of the major data breaches over the
course of the last year were carried out by hackers who obtained credentials that should not have
been accessible without proper authorization. Armed with this information, they could get into
systems and steal data on a truly massive scale (Sendi, Cheriet, 2014).
Clearly, digital identities are vital and should be protected, yet there are very few good
methods for doing so. The vast majority of citizens use passwords to protect their digital
identities. This is an example of what is termed one-factor authentication, since verifying the
owner's identity depends on a single piece of supposedly secret information: the password.
However, passwords are notoriously poor at protecting data, even though that is not entirely the
fault of passwords (Solove, 2006). In principle, people should have unique passwords for every
site; the passwords should be long, with a mix of character types, and should be changed at
regular intervals. A surprising number of people have passwords like "password" or "123" because
it would be impossible for many people to actually remember their passwords if they followed the
recommended practices.
There are approaches to solving these issues, like the MyLicence portal, which will remember,
manage, and automatically enter user passwords in an attempt to make secure passwords usable.
Some are even offering custom-made, truly randomized passwords that are delivered through
physical mail. Broadly, though, for a password to be effective, it will also be nearly impossible
for a person to remember (Tarin, 2015).
Accordingly, there are various other methods of protecting access to digital identities that do
not depend entirely on passwords. A significant number of people use dual-factor authentication
or multi-factor authentication. These kinds of systems use several pieces of information to
verify a user's identity (Vijayan, 2013). For instance, a PC may require a password and a
fingerprint in order to sign in, or it might use facial recognition software combined with a
physical token.
Many modern dual-factor systems incorporate biometric technology as the key component for
verifying a person's identity. This makes sense; most people would not expect an attacker to be
able to steal someone's fingerprints as easily as a password. However, this is not the case. As
part of the OPM attack, the attackers were able to steal the fingerprint data of more than 5
million government workers. This is one of the biggest problems with biometric protection. It
appears to be completely safe, but that is not really the case, and the illusion of complete
safety can have dangerous consequences.
As with most security technologies, the developers of digital identity protection methods are
caught in a constant race with criminals who want to circumvent their efforts. Biometric
protection is still a developing field, and advances are being made to make biometric systems
more secure and accessible. Currently, passwords are the most prominent means of authentication
on the web, but that may change as the problems with passwords become more severe, data breaches
continue, and new options for securing individuals' identity data become available (Wright,
2011).
7.2. Privacy and Data Protection Strategy for Informal Digital Identity