Shared Services Approach And Security Risks In Australian Government

Shared Services Approach

Question:


Discuss the various security and privacy risks and threats that are associated with the conventional HR database and the cloud-based approaches.

The Department of Administrative Services (DAS) provides public services to the other departments of the Australian state government. The services provided include personnel management and HR, management of contract tendering, payroll, procurement and contractor management. The data centre of the department is responsible for providing these services.

This report discusses the approach being taken by the DAS, the Shared Services Approach. The report also covers the security and privacy issues that arise from adopting the intended requirements, and the identity risks that can be associated with the approach. In addition, the risks relating to the providers of such services and the sensitivity of data are included in the report.

The main concept to be applied is the Shared Services approach. The main idea of this approach is to centralize the services that are being provided by the DAS. These services are now to be provided to the whole government. The approach requires the different departments of the government to migrate their resources to the central server. Departments that previously held data and resources for their own users now need to upload them to the central servers to support the idea of shared services. This migration will be done on the DAS central database. After the migration of the data and resources, the DAS will be responsible for sharing the gathered resources among all the departments of the government. This approach is further strengthened by a government policy that requires the incorporation of cloud computing architecture when updating the existing services. The payroll of the DAS will be incorporated in a COTS (Commercial off the Shelf) application that will help in managing the payroll related services directly from the cloud. The DAS intranet will also be moved to the Microsoft SharePoint PaaS to provide the intranet services to all the departments of the government.


To meet the intended outcomes, the DAS has decided to adopt certain services to help facilitate the service procurement. Firstly, the DAS is responsible for purchasing an HR and personnel management application from a US-based company. The main idea is to get a Software as a Service (SaaS) model. The application software is supposed to include the HR management and the personnel management applications embedded in it. The provider of the application has informed the DAS that their main database is situated in Dublin, Ireland.

Procurement of Services

Along with the HR and personnel management application, the DAS will also acquire contractor management application software to help visualize and manage the contractors associated with the DAS.

Risks and threats in the in house HR database of the DAS:

The in-house HR database is subject to many threats and risks. The traditional database grants broad access privileges, and this invites many forms of risks and threats to the data and resources involved. The first risk to the HR database is excessive privileges or misuse of the privileges granted (Ted et al., 2013). When employees are given access to the whole system, they may cause damage depending on their intentions. For example, a banker with full access to the employee savings accounts may change the data of any other employee to disrupt the flow of operation. In addition, when an employee is terminated, the access to the information remains, and given the change in emotional stability, access to such data can create problems by hampering the operation of the company or organization involved. This unnecessary risk arises from granting full access to the database. The more privilege given to an employee, the more vulnerable and the more prone to attacks the system gets.
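An added example, not part of the original report: one way to run a privilege review for the risk described above. The `employees`, `grants` and `role_baseline` tables and all sample rows are hypothetical and constructed for illustration; the script flags grants still held by terminated staff or by accounts with no HR record, and grants beyond a role's baseline.

```python
import sqlite3

# Constructed sample data (hypothetical names, roles and tables).
EMPLOYEES = [  # (id, name, role, status)
    (1, "a.nguyen", "payroll_clerk", "active"),
    (2, "b.smith", "hr_manager", "active"),
    (3, "c.jones", "payroll_clerk", "terminated"),
    (4, "d.patel", "contractor_admin", "active"),
]
GRANTS = [  # (employee_id, table_name, privilege)
    (1, "payroll", "SELECT"), (1, "payroll", "UPDATE"),
    (1, "personnel", "DELETE"),            # beyond the clerk baseline
    (2, "personnel", "SELECT"), (2, "personnel", "UPDATE"),
    (3, "payroll", "SELECT"), (3, "payroll", "UPDATE"),  # terminated employee
    (4, "contracts", "SELECT"),
    (9, "payroll", "SELECT"),              # account with no HR record at all
]
# Assumed least-privilege baseline per role.
ROLE_BASELINE = [  # (role, table_name, privilege)
    ("payroll_clerk", "payroll", "SELECT"), ("payroll_clerk", "payroll", "UPDATE"),
    ("hr_manager", "personnel", "SELECT"), ("hr_manager", "personnel", "UPDATE"),
    ("contractor_admin", "contracts", "SELECT"),
]


def build_db():
    """Load the constructed sample rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, role TEXT, status TEXT);
        CREATE TABLE grants (employee_id INTEGER, table_name TEXT, privilege TEXT);
        CREATE TABLE role_baseline (role TEXT, table_name TEXT, privilege TEXT);
    """)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO grants VALUES (?, ?, ?)", GRANTS)
    conn.executemany("INSERT INTO role_baseline VALUES (?, ?, ?)", ROLE_BASELINE)
    return conn


def orphaned_grants(conn):
    """Grants held by non-active staff or by accounts missing from HR records."""
    return conn.execute("""
        SELECT COALESCE(e.name, 'unknown#' || g.employee_id) AS holder,
               g.table_name, g.privilege
        FROM grants g LEFT JOIN employees e ON e.id = g.employee_id
        WHERE e.id IS NULL OR e.status <> 'active'
        ORDER BY holder, g.table_name, g.privilege
    """).fetchall()


def excessive_grants(conn):
    """Grants held by active staff that are not in their role's baseline."""
    return conn.execute("""
        SELECT e.name, g.table_name, g.privilege
        FROM grants g
        JOIN employees e ON e.id = g.employee_id
        LEFT JOIN role_baseline b
          ON b.role = e.role
         AND b.table_name = g.table_name
         AND b.privilege = g.privilege
        WHERE e.status = 'active' AND b.role IS NULL
        ORDER BY e.name, g.table_name, g.privilege
    """).fetchall()


def review():
    """Run both checks and return the findings keyed by category."""
    conn = build_db()
    try:
        return {"orphaned": orphaned_grants(conn),
                "excessive": excessive_grants(conn)}
    finally:
        conn.close()


if __name__ == "__main__":
    for kind, rows in review().items():
        for holder, table, privilege in rows:
            print(f"{kind}: {holder} holds {privilege} on {table}")
```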

Risks and threats also arise when an unauthorized user tries to gain access to the system by attacking it (Aloul et al., 2012). This is termed a cyber attack. The HR database is a traditional one, and the SQL injection attack is used to access it without authorization. This attack gives the rogue user access to the entire database, and crucial information is unethically accessed using this process. This is another threat, as it may affect the security of the employees. Malware is another form of unauthorized access, in which the infected system is not aware of its state. The employees or users still work on the infected computer and their information is unethically accessed. This is another risk to the employee data, as the security and privacy of the data and resources are hampered. The more information a data centre possesses, the more vulnerable and the more prone to attacks the system gets.

The transactions that are ongoing in any company or organization must be recorded automatically in the database servers. Failure to comply with this process may lead to problems for the organization as well as the employees concerned (Arasu et al., 2013). For example, the salary transactions of one month might not be recorded, and the database may show that the employees still have their salaries in the next month, so they might not be eligible to receive their salary. This may lead to employee related problems. Organizations or companies with poor auditing mechanisms face difficulties in streamlining their operations. As a result, the companies or organizations involved turn to third-party providers for a system that helps in auditing. However, the most important things to consider are the user interface and the detailed mechanism. The detailed mechanisms of the third-party processes do not consider all the detailed transactions and thus fail to store all the information in the database (Jeun, Lee & Won, 2012). Moreover, the software may use different platforms, like the DB2 and the MS-SQL logs, which are not compatible with the organizational structure. This imposes another constraint on the process of operation and affects the security and operation of the individuals concerned.

Security Risks

Employee data is also hampered by security breaches of the backup disks in the system. As the backup data is always unprotected, the risk of a breach to obtain such data is always prominent (Moore, Spink & Lipp, 2012). The information present in the hacked database affects the resources of the organizations or companies involved, or the employees concerned. The more information a data centre possesses, the more vulnerable and the more prone to attacks the system gets.

Security is a main concern that needs considering even after the incorporation of a new project. Though the SaaS architecture is a new model that is being used by many business organizations and companies, the risks and threats associated with it always need to be considered (Chou, 2013). The risks are due to the integration of the information in the provider's internal data center. The more information a data centre possesses, the more vulnerable and the more prone to attacks the system gets.

As integrating information and resources into the SaaS requires giving third-party service providers access to that information, the question of access and consistency always remains (Hussein & Khalid, 2016). This is the reason for employee and company concerns regarding who gets access to their information.

Another risk that arises with a SaaS application is instability due to unavailability of the providers. As the services provided by SaaS applications are attractive, many companies and organizations are adopting the concept (Alani, 2014). This has created competition in the market among the providers of such services. However, not all companies can sustain such investments, and this creates problems in the competition, which may result in loss of business for some providers. It may happen that the services taken from a provider are no longer available because the provider itself is no longer available. Employee data as well as organizational resources are the main things affected by such risks. This risk is to be considered before adoption of such services, and the company needs to consider its policies for mitigating such problems.

Transparency is a concern for organizations accessing application services from third-party vendors. The providers are often very secretive about their operation and simply assure the clients about the services that are being provided. This is the reason distrust develops in the relationship between the providers and the clients (Lee, 2012). This results in less data being shared with them and creates vulnerabilities in security regarding the employee information or organizational resources. Though the providers have reason to believe that hiding the information about their centers can help in minimizing the risks associated with the disclosure of information, the question of transparency still lies in the relationship.

Excessive or Misuse of Privileges Granted

Identity theft is another aspect that requires security to be implemented. The providers of the services require payment for providing the services. This is done by taking the credit card information, after which the payment is made. The risk this implies is still an ethical issue among many users. Unethical providers are to be recognized before passing payment information on to them, as this information can be used for doing wrong things (Prasanth, 2012). The employees associated with the adoption of such services may pass on the payment information before researching the vendors, and unethical actions can result from that. This is termed identity theft.

In addition, the information shared with the application providers is not in the control of the individuals whose information is passed on (Agrawal, El Abbadi & Wang, 2013). This results in unease and a lack of peace of mind, as the employee concerned is directly impacted by any actions taken that affect their security and privacy.

| S.No | Security Threat/Risk Description | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| 1. | Excessive or misuse of privileges granted | L | VH | M | 1. Review of privileges; 2. Daily check for user entry | 1. Backup of data; 2. Cross-checking by higher authorities |
| 2. | Cyber attack | VH | VH | VH | Antivirus presence | Locking of data to prevent access |
| 3. | Malware | H | H | H | Presence of antivirus | Locking of data to prevent access |
| Student 2 | | | | | | |
| 4. | Automatic recordings of transaction in the database | H | M | M | Better infrastructure | Backup of the data present |
| 5. | Poor auditing mechanism | M | H | H | Better mechanisms for auditing | |
| 6. | Security breaches in backup disks | H | VH | VH | Reviewing the security protocols | Locks in the disc with encrypted password |

Likelihood – VL, L, M, H, VH

Impact – VL, L, M, H, VH

Priority – VL, L, M, H, VH

| S.No | New Security Threat/Risk of employee data Description (after moving to SaaS) | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| 1. | Access and consistency | VH | L | L | 1. Reviewing the terms and conditions; 2. Need to communicate with the service provider | 1. Legal actions to be taken in case of problems |
| 2. | Instability due to unavailability of the providers | M | VH | H | Better research regarding the service providers | Backup of the system |
| Student 2 | | | | | | |
| 3. | Transparency | VH | M | L | Terms and conditions reviewing | |
| 4. | Identity theft | VL | VH | H | Use of different payment account with little balance | Legal actions |
| 5. | Loss of control of individual data | H | L | L | Better review of the terms and conditions | |

Likelihood – VL, L, M, H, VH

Impact – VL, L, M, H, VH

Priority – VL, L, M, H, VH

| Probability \ Severity | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | | Accessibility and consistency | Transparency | | Cyber attack |
| High | | Loss of control in user data | Transaction recording | Malware | Security breach in backup disc |
| Medium | | | | Poor auditing | Unavailability of providers |
| Low | | | | | Misuse of user privileges |
| Very Low | | | | | Identity theft |

Risks and threats in the privacy of the data in the in house HR database:

The privacy of data is an important aspect and a main concern in every decision taken for any project. The information contained in any organization or company is deemed private or public depending upon its credibility (Wang & Meng, 2014). The private information is to be safeguarded, and access to such information should not be given to unauthorized users. However, many risks and threats are associated with the privacy of such data.

The threats to the privacy of data in the database include integrity loss. Changes in the database must not hamper the information present in the database. Any changes, like insertion or deletion, must not be made without fully backing up the data (Ziegeldorf, Morchon & Wehrle, 2014). The loss of integrity is caused by many deliberate or accidental actions. Lost or altered data needs to be corrected, as the use of changed data may lead to inaccurate results and fraud detection, which might affect the performance of the services involved.

The availability of the database is a major concern, as all the information pertaining to the services is stored in the system (Raschke, Krishen & Kachroo, 2014). Database availability means making certain parameters available to the employees or other legitimate software.

Unauthorized System Access

Protection of confidential information is a great concern for the HR database. The protection of data and information from unauthorized access is termed confidentiality of data. Unethical and unauthorized access to the system can lead to the violation of the privacy of data (Basharat, Azam & Muzaffar, 2012). This unprotected, unauthorized or accidental disclosure of data and information can lead to problems ranging from a small-scale data breach to legal issues against the company or organization involved. The more information a data centre possesses, the more vulnerable and the more prone to attacks the system gets.

After the data is hosted by the client, the provider needs to assure the clients regarding the associated security and the privacy of the components (Theoharidou et al., 2013). The provider also needs to assure the clients that unauthorized access to their information is prevented. This is included in the security and privacy conditions of the associated providers.

The privacy regarding the integrity of the data is to be considered. The application provider needs to provide consistency of applications and of the type of information and resources that are being uploaded to the cloud-based application (Chen & Zhao, 2012). As the client paying for the services has the right to know this information, the service provider needs to tell their client about the composition of the data and the ongoing processes for the application.

The right to know the information is also being leveraged by the clients. The clients need to know the place of the data center where their information is being stored. However, the location of the data centers is not always provided to the clients (Kalloniatis et al., 2014). In addition, the service provider works by using the resources of other providers who have collaborated with them. This causes a risk to privacy, as the client involved needs to know the location of the data center storing the information.

Existing privacy threats and risks to the privacy of employee data

| S.No | Privacy Threat/Risk Description (Employee data) | Likelihood (Probability) | Impact (Severity) | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| 1. | Integrity loss | M | H | H | 1. Backup of data; 2. Protection of database | 1. Recovery; 2. Security protocol review |
| 2. | Database availability | L | H | VH | | |
| Student 2 | | | | | | |
| 3. | Protection of confidential information | VH | VH | VH | | |

| S.No | New Privacy Threat/Risk of employee data Description (after moving to SaaS) | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| 1. | Consistency of applications | H | M | H | 1. Terms and condition review; 2. Researching of the provider before application | 1. Backing up of data; 2. Security protocol review |
| Student 2 | | | | | | |
| 2. | Location of the data centres | L | L | VH | | |
| 3. | Unauthorized access prevention | VH | H | VH | | |

Likelihood – VL, L, M, H, VH

Impact – VL, L, M, H, VH

Priority – VL, L, M, H, VH

| Probability \ Severity | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | | | | Unauthorized access prevention | Protection of confidential information |
| High | | | Consistency of application | | |
| Medium | | | | Integrity loss | |
| Low | | Location of data centers | | Database availability | |
| Very Low | | | | | |

Fig: Solution architecture in privacy and security

(Source: created by the author)

When a company or organization decides to make a change by adopting the cloud-based architecture, the issues that will be faced are to be considered before the problems arise. The authorities need to know certain requirements, like the various passwords and URLs required for each of the applications to be accessed by each of its users.

Failure to Automatically Record Transactions

The employees working with a SaaS service need to identify the various passwords and the various URLs associated with each application that they are involved with (Grover, 2014). This creates identity related issues in the minds of the employees concerned.

In the case of new employees, the company provides access to the applications that are needed by the employees. The access is often given one application at a time. This is done by the administrator of the system and not by an IT professional.

The employees require authorized access to the system to function. It sometimes happens that the employees need to use some other application for doing their work. The access is not given to them without proper identification. This creates an issue of identity, and the administrator is required to give temporary access to the application.

The access to the application is provided in the cloud computing architecture. This enables remote access to the systems. However, due to such access, new integrations and new passwords with URLs have to be added to the system. This causes a hindrance to the employee accessing the system.

As the cloud applications enable the integration of the organizational resources in the cloud, the administration is given to one department (Jang-Jaccard & Nepal, 2014). For example, in a particular company the cloud access is administered by the IT department. This necessitates the need for the sales department to check on their data and thus frees up their data. This creates a problem, as with the administration rights the centralized data is viewed by the IT department, and this creates the problem of identity: every time the information is to be accessed, IT operations needs to provide the identification URLs.

To meet the intended outcomes, the DAS has decided to adopt certain services to help facilitate the service procurement. Firstly, the DAS is responsible for purchasing an HR and personnel management application from a US-based company. The main idea is to get a Software as a Service (SaaS) model. The application software is supposed to include the HR management and the personnel management applications embedded in it. The provider of the application has informed the DAS that their main database is situated in Dublin, Ireland. The operations regarding the processing, maintenance and storage of data are to be done from Bangalore. The service provider has advised the employees of the clients that access to the system and their performance will be controlled by a link included in the intranet of the DAS. The employees will be allocated a digital identification, which will be used to provide authenticated access to the performance and HR system. This ID will be generated by the individual department involved. The risks discussed above in the report are not mentioned in the provided solutions, and thus the DAS needs to review the terms and conditions of the proposals and apply for the contract accordingly. The issues with digital identities are still present, as the employees need to get authorized access to the system via digital identification.

Access to Backup Data

Along with the HR and personnel management application, the DAS will also acquire contractor management application software to help visualize and manage the contractors associated with the DAS. The application provider is a German-based company, and they have said that the database of the provider is located in Heidelberg, Germany. However, the maintenance and operations will be done from the laboratory of the service provider located in Walldorf, Germany. The data that is being processed is not managed by the service provider. The DAS is responsible for ensuring the correctness and efficiency of the data that is being uploaded. The data is supposed to be uploaded via a secure channel. The employees associated with the DAS will enter their credentials into the application service via a secured URL that will be provided by the application provider. Although the application provider addresses the risk of providing individual data access to the client and the employees involved, the application provider is not concerned with the correctness and the security of the data that will be uploaded, and this is a cause for concern for the DAS. In case of any hindrances or grave situations, the service provider has to be notified by the client for all the required assessment.

Data sensitivity is defined as the protection of those types of data that require non-disclosure and protection from unauthorized access. Access to these types of sensitive data should be protected and safeguarded for various reasons, like ethical and privacy related reasons (Gampala, Inuganti & Muppidi, 2012). The sensitive information consists of all data that includes:

  1. Personal information (defined by North Carolina Identity Theft Protection Act, 2005)
  2. Health information protection (defined by Health Insurance Portability and Accountability Act, 1996)
  3. Educational records of the students (Family Education Rights and Privacy Act)
  4. Information of customer record (Gramm Leach Bliley Act)
  5. Credentials of payment (defined by Payment Card Industry Data Security Standards),
  6. Confidential data of personnel (State Personnel Act)
  7. Confidential information (North Carolina Public Records Act)

These jurisdictions comply with the international security standards that affect information on a global level. Many international agencies are concerned with the protection of cloud-enabled services among the clients and their providers. The International Telecommunications Union and the Internet Engineering are directing their activities towards specifying the protocols of the functions associated with cloud computing services (Martini & Choo, 2012). The sensitivity of data is being addressed by various agencies in the Australian government, such as the Australian Government Information Management Office and the Australian Computer Society.

The issues relating to data sensitivity concern unauthorized access to the system that is being implemented by the DAS. The requirements for sensitive information discussed above must be followed, and access to such information must not be given without identification and authorization. The DAS system implementation should also comply with the various jurisdictions that are given in the report. These jurisdictions are to be followed to avoid unnecessary risks and threats, as the more information present in the system, the more vulnerabilities the system gets.

Risk of Service Interruption

Conclusion:

Thus, it is concluded from the report that the DAS needs to address the threats and risks discussed in the report carefully to avoid the various risks of implementing cloud-based services. The security related threats are to be analyzed and priority must be given to the employees associated, as they are the ones who will be impacted by such steps. The privacy related issues are also to be considered, as failure to comply with the jurisdictions may result in various legal actions taken by the employees, and this will give rise to the operations of the competitors in the market.

References:

Agrawal, D., El Abbadi, A., & Wang, S. (2013, April). Secure and privacy-preserving database services in the cloud. In Data Engineering (ICDE), 2013 IEEE 29th International Conference on (pp. 1268-1271). IEEE.

Alani, M. M. (2014). Securing the cloud: Threats, attacks and mitigation techniques. Journal of Advanced Computer Science & Technology, 3(2), 202.

Aloul, F., Al-Ali, A. R., Al-Dalky, R., Al-Mardini, M., & El-Hajj, W. (2012). Smart grid security: Threats, vulnerabilities and solutions. International Journal of Smart Grid and Clean Energy, 1(1), 1-6.

Arasu, A., Blanas, S., Eguro, K., Kaushik, R., Kossmann, D., Ramamurthy, R., & Venkatesan, R. (2013, January). Orthogonal Security with Cipherbase. In CIDR.

Basharat, I., Azam, F., & Muzaffar, A. W. (2012). Database security and encryption: A survey study. International Journal of Computer Applications, 47(12).

Chen, D., & Zhao, H. (2012, March). Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on (Vol. 1, pp. 647-651). IEEE.

Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), 79.

Gampala, V., Inuganti, S., & Muppidi, S. (2012). Data security in cloud computing with elliptic curve cryptography. International Journal of Soft Computing and Engineering (IJSCE), 2(3), 138-141.

Grover, N. (2014). A Study of Security Threats and Issues in Cloud Computing. IITM Journal of Management and IT, 78.

Hussein, N. H., & Khalid, A. (2016). A survey of Cloud Computing Security challenges and solutions. International Journal of Computer Science and Information Security, 14(1), 52.

Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973-993.

Jeun, I., Lee, Y., & Won, D. (2012). A practical study on advanced persistent threats. Computer applications for security, control and system engineering, 339, 144-152.

Kalloniatis, C., Mouratidis, H., Vassilis, M., Islam, S., Gritzalis, S., & Kavakli, E. (2014). Towards the design of secure and privacy-oriented information systems in the cloud: Identifying the major concepts. Computer Standards & Interfaces, 36(4), 759-775.

Lee, K. (2012). Security threats in cloud computing environments. International Journal of Security and Its Applications, 6(4), 25-32.

Martini, B., & Choo, K. K. R. (2012). An integrated conceptual digital forensic framework for cloud computing. Digital Investigation, 9(2), 71-80.

Moore, J. C., Spink, J., & Lipp, M. (2012). Development and application of a database of food ingredient fraud and economically motivated adulteration from 1980 to 2010. Journal of Food Science, 77(4).

Prasanth, A. (2012). Cloud computing services: a survey. International Journal of Computer Applications, 46(3), 0975-8887.

Raschke, R. L., Krishen, A. S., & Kachroo, P. (2014). Understanding the components of information privacy threats for location-based services. Journal of Information Systems, 28(1), 227-242.

Ted, E., Goldberg, H. G., Memory, A., Young, W. T., Rees, B., Pierce, R., … & Essa, I. (2013, August). Detecting insider threats in a real corporate database of computer usage activity. In Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining (pp. 1393-1401). ACM.

Theoharidou, M., Papanikolaou, N., Pearson, S., & Gritzalis, D. (2013, December). Privacy risk, security, accountability in the cloud. In Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on (Vol. 1, pp. 177-184). IEEE.

WANG, L., & MENG, X. F. (2014). Location privacy preservation in big data era: a survey. Journal of Software, 25(4), 693-712.

Ziegeldorf, J. H., Morchon, O. G., & Wehrle, K. (2014). Privacy in the Internet of Things: threats and challenges. Security and Communication Networks, 7(12), 2728-2742.