In-house Database System and Data Security Threats

With the introduction of the data base system it has made a place in the organizational place for storing information about the employees and about the organization as well. This is known as the in-house database system. It has significantly made the data collection and data storage efficient. Over the years, with the invention of the cloud service the process has become much more improved. Today organizations are realizing the power of cloud service and switching to it for cost effective solution for data storage and online activities.

Security of Employee Data

Today with the advancement of the technology the presence of the technology is seen everywhere. Those days are over when there were register book for keeping the records for the employees and those information was managed manually. Now this process was not so efficient and it was time consuming too. In order to bring transparency and efficiency in the process the organizations opted for the digital means of storing the information. The process of storing information in the database is a reflection to that approach. The organization considered in this context has own HR database system for storing information about the employees. Although it is an effective way for storing, retrieving, editing the employees data, there are some threats to the data security which will be considered in this section. Although there might be several possibilities for data security, there are some major threats for the in-house HR database system. However there are some serious threats for the database system while considering the assets like data storage and the technology associated with the system. The threats have been discussed in the following section

Data backup:

Today data is considered as the most important property for the organizations. It contains a lot of information for the organization as well as for the employee. It should be maintained safe and secure. The data if not secured properly might create several issues for the organization. Hence the data security is an important factor to consider. The data backup in the context of data security need to be treated as one of the major issue. Data is stored in the database and hence there should have been data backup. The major problem with local host is that it does not come with unlimited storage as the cost of storage is quite huge. Every time the data is created there should have been a copy of the data.  Due to constraint in storage, the data is often kept without backup. Now the possibilities of the data corruption is endless. It might be hacked, it might be damaged, and it might be stolen. Whatever be the reason, it does not matter. But what actually matters is that once the data is lost, if there is not proper backup created. As already specified that due to the problem in the storage in the local database, the data is often kept without backup. Hence there is always risk for data security (Cai et al., 2018).

Data Backup and Data Corruption

Email phishing:

With the advancement of technology, the means of data storage is also upgrading.  Hence new technology or better to say new means of data theft is also prevailing. There are several techniques used for the data hack and each has their own pros and cons. While assessing the techniques hackers might want to check how efficient it is, what are the implementation procedures and what are complexity of executing the technique. Among the available data breaching email phishing is one of them. The reason is that it is easier to execute and at the same time effective too. The user are pinched into opening email that has malicious code, which if run on the system might provide hackers administration access of the system (Jackson, 2016). Once the access is delivered, it is likely to alter the system setting enabling the database and the server. Now the emails are made such that it resembles emails that if not checked properly might seem authentic. Now it is obvious that not all the users will be technical expert. Hence it is much easier to take advantages of those users. It does not matter, who is the uses, what is the technical expert level. Once the access to the system is gained it is that easier to steal information from the system. Hence the technique of email phishing is a noteworthy issue for the data security and it makes a serious threat for the same.   With less technical expertise of the users, this kind of things is quite common as users does not often recognise which email is malicious and which is not. Hence this should be considered a security challenge for the system.

SQL injection:

It is true that improvements are being made for ensuring that the database is secured. This security improvement is necessary for protecting the data. In order to tackle the security measures, improvement is also being done in the ways which aims to break the security measures.one such improved approach is the SQL injection. SQL injection is aimed at breaking security of the SQL database. The HR database of the considered here also uses the SQL server for running the database. SQL injection is a way to gain control over the server. It attacks the database form the backend. This means that the once the hacker is successful to execute the process, it is then possible to modify the database as per the need. Normally the database are secured with user id and password. Normally only a registered user is able to retrieve the database, view its content and edit the database which is still subject to admin permission.  But in this case, once the SQL injection is performed, it is possible to steal the username and the password easily. The consequence is that the database will be accessible to the unauthorized users. As already specified that SQL injection is performed at the database backend, it does not require admin permission for modifying the content of the database. It means that it is possible to view and even delete the content and the data which might be important to the organization. Hence SQL injection is a serious threat for the database security which means that the security of the employee data is compromised (Jukic, 2016).

Email Phishing as a Serious Threat for Data Security

Timely update:

One of the ways to ensure the database security is to make the server more secured. It is obvious because the server is the integral part of the database design. The server used for the design of the database is Windows Server 2008 R2 for desktop services, database and file services. It also has 10 Red Hat Enterprise Linux 5 server. Now the security strength of the server varies according to the type of servers. The windows server considered here has some security issues with the static IP address as identified while running on the virtual machine. The red hat enterprise server by Linux is otherwise more secure than the windows server. It has some default security settings which are effective for enhanced database security. But the problem is every server has some bugs and this bugs are important to address to keep the security in check. These bugs are identified and the security patches is provided for the same to improve the bugs. Hence timely updates are necessary for server security which in turn ensures the database security. However, companies are not often so efficient in updating their server in time to time. Hence the security of the servers are not realised otherwise there is any activities that affect it. However, if the security updates not proper the server is often at risk of data hack. Hence, the absence of timely update is another important issue regarding the data security (Grycuk, 2015).  

Security threat impact:

The privacy of the data is another important factor to consider while assessing the performance of the in-house data base system. While considering the privacy, it is important to note that the term security and privacy may seem two different concept. However if looked closely it can be seen that both of this terms are inter related. In fact so closely that without ensuring one the other cannot be justified. The privacy of the data requires close look in the security aspect of the data. The security of the data in exact term is that the data is not accessible to one who is not authorized to access (Zhao, 2014). This is one of the primary factor while dealing with the security of the data. In fact all other security aspect of the data security is measured din relevance to this. Whether privacy of the data means that data is accessed in the exact way which was agreed while collected the data of the owner. So it is can be clearly seen that both of this terms are so closely related. The in-house data base as already discussed in the previous section has many security threats like inappropriate data backup, email phishing , SQL injection , timely update all of which have been already discussed in details. Hence it directly implies that the data privacy is a concerning factor like the security aspect of the data which consists of details like ID card, passport, date of birth and several other sensitive data like financial details including payroll and account numbers (Zhou et al., 2017).

SQL Injection as a Serious Threat for Database Security

Very cloud providers offering SaaS application support is responsive or care about incorporating strong identity services with the cloud platform. Cloud providers often compromises with the quality of the security standards for bringing down the cost (Lee & Zheng, 2015). Two of the most common digital identity threats are discussed below:

Absence of secure data connector:

In the case of the SaaS cloud service, data is sent and received through the internet. Now in order to secure this process it is necessary to ensure that the processing of the data is done in the most secure way. If the data before it is sent to the cloud storage is somehow interpreted, it will be possible to steal the data even before it is sent to the cloud server (Cao et al., 2014). The presence of the data connector will help to ensure that the data is encrypted throughout the entire session of the data transfer. The encryption is provided for both data transmission and data retrieval. In order to view the data, it must be first decrypted which requires the decryption key that is only accessible to the owner of the data. So it serves as a kind of digital identity for the owner. Now, very few cloud service provider offers this kind of security measures to secure the digital identity and this is especially applicable for service providers offering cheap cloud service (Singh & Chatterjee. 2017).

Complexity of password management:

Cloud service offers access to various applications or the services hosted on the cloud server. Now in order to ensure effective service for all of these hosted applications and most importantly to increase the security it is required to have strong password for each off the application. Not only it will make the application access secure, but it will help to protect the digital identity as well. As the password will only be known to the users, it will act like an identity of the users. Now in most of the cases it is seen that customers are not so effective in managing passwords for the applications. The passwords are often not so strong and it is easily stolen. Some cloud providers who offers premium service at much higher cost, offers professional password management service for securing the application and protecting the digital identity of the clients (Nepal & Pathan , 2014). In most of the cases, SaaS which comes at a lower cost does not have this added advantage and hence a threat to the digital identity security which is a major issue for data security and privacy.   

Server Security and Timely Updates

Security issues with SaaS:

The issues with the data security as identified in the case of the in-house database system like storage problem, timely update are improved to a large extent. However there are some security and privacy issues exclusive to the SaaS cloud service (Khan & Tuteja , 2015). These issues regarding the security and privacy concern is discussed in this section.

Data availability:

Data availability is one of the primary issue while considering the security issues with the SaaS cloud service. Data availability ensures that the data is available whenever requires.  In the cloud service lot of users are connected and the issue in the cloud will impact the service of each and every users. Hence data availability becomes very important as any disruption in the cloud service will hamper a lot of uses. The number is significantly higher in the case of cloud service rather than the in-house base system. The actual reason for the issue is not so important, but what is more important that if the data is not available when it is needed it can create a lot of issue for the organizational workflow (Puthal et al., 2015). Hence it is a major issue for the cloud service.

Data integrity:

The cloud service ensures that data is accessible anywhere anytime. Now this no doubt increase efficiency in the work process. However, it is important to note that while data is transferred to the remote cloud storage the data might get hampered. This means that the integrity of the data will be lost.  The term data integrity specifies that data contains as much information as it had before the data was transferred to the remote cloud storage. However, ensuring proper integrity is must for ensuring data security (Kalleswari et al., 2018).

Data access:

In case of the clouds service, the organizational data is transferred to the cloud storage located outside the company premise. Now the problem is that as the data is not stored inside the organization it becomes difficult to monitor whether the data is accessed as per the organizational policies applicable for the internal data access. This is likely to create compliance issue which means that it possible that the right to data access will be sometimes violated, thus compromising the data security (Durairaj & Manimaran, 2015).

Privacy issues with SaaS:

Access:

Data access in the cloud have major privacy issue. SaaS cloud service is provided over the internet, hence the connection should be properly encrypted. Otherwise, personal data communicated through internet might get hacked (Almorsy, Grundy & Muller, 2016).

Data Privacy Concerns

Storage:

Cloud storage provides the facility to store huge amount of data without having physical data storage inside the organization. However, while storing the data in the cloud it is necessary to verify whether the service provider has proper regulatory compliance for storing personal data in the cloud. If the required compliance is not there, the service provider as well as the organization might face legal issues if there is any incident of data breach (Sethi & Sruthi, 2018).

Data retention and destruction:

As the data stored in the cloud also contains several important and sensitive data, sometimes the organization might feel to delete or remove those data from cloud. Now once the data is deleted from the native devices, there is no reason think that the data gets immediately removed from the cloud storage as well. Now it might have different consequences based on the action taken from the provider side. The service provider might retain the data even after it is removed from the native machines of the organization (Aljawarneh  & Yassein, 2016). Although it is not very common, but it is possible that those data specific to a particular organization is sold to another organization for profit. Again as specified it is not very common, however there is always a possibility for that. In  most of the cases , it is not specified how long it is retain in the cloud server once it is deleted from the client site and how it is then destroyed from the cloud storage. Hence there is always a possibility for the privacy threat (Fernandes et al., 2014).

Compliance:

The cloud service as not managed internally by the organization, it is difficult to review. Every organizations has some rules and regulations about every organizational work process. Data collection and data retrieve is one them which is also associated with the organizational rules and regulations. Most of the time the cloud service does not comply with the internal privacy law applicable for all the employees. Hence, the issue of compliance is often seen with the cloud service (Khan, 2016).  

Impact of privacy issue:

The introduction of database system for maintaining the information of the employees makes the process lot easier. However, there are some security issues which has been identified in the previous section. Now another important issue which should be taken into account is the sensitivity of the data. Data sensitivity also gives impression about the importance of the data it is also an impression for the privacy of the data. Now in order to smooth the employee hiring and maintaining information base for the employees, organization often requires to store several information about the employees (Jouini & Rabai , 2016). These includes personal information. These information are helpful for identifying the employees, but these informations are used for other services as well that goes beyond the official use. Hence it is the responsibility of the organization to keep these information safe as these data is sensitive in nature as it is exclusive to every employees and any unauthorized access to these data should be avoided at anyhow (Kalaiprasat , Elankavi & Udaykumar, 2017). In addition to the personal information, there are several information regarding the financial transaction as well which is another sensitive piece of data if considered from the importance point of view and what consequences it might bring if the information are leaked. As the employees are closely related to the organization obtaining the data about the employees exposes about the functionality of the organization as well. Hence in-house HR management system serves as the significant resource for any company. The database has records about the employees of the organizations. These information as already specified is important for both the organizations as well for the employees. The need to maintain these information safe and secured should be the top most priority for the organizations. The exposure of these information to the outside users is to be met with several ethical and legal issues (Warren, 2015). These issues are discussed in details in the following section:

Digital Identity Threats in SaaS Application Support

It is expected that every organization will have some code of ethics and the all the works that the organization deals with will be a reflection of that only. Collecting information about the employee is also need to address the ethical factor. In order to make the organizational process smooth and secure, organization has the right to collect information about the employees who are part of the organization. But there is some restriction like to how much extent the information collection is permissible, better to say ethically acceptable. Now employee often have full believe in the organization and gives the permission to the organization for collecting information about them as long it is work related (Samarati et al., 2016). However, if the organization collects information about the employees without the concern of the employees, it might not be an issue previously. However, if the collected data is stolen due to flaws in the security measures, it will be an ethical issue for the organization as collecting data without the employee concern, especially data that are outside the professional context, is not supported by ethical code of conduct (Warren, 2015).

While innovation in the technology has produced several means of storing data, the security concern for this data is also increasing, as data today are valued more than ever due to the possibilities of doing things with the data. As a result the incident of data breaching is also increasing. In order to secure the information of the data and improve the privacy of the data owner, several rules and regulations have been rolled out by the government. Organizations are abide by these rules (Short, 2017). Apart from the restrictions on collecting the data, how the data is maintained and distributed is also subject to legal actions. When an organization is taking the data of the employees, it is the duty of the organization to make sure that the data is safe and accessed properly. In order to ensure that it is important to apply strong security measures for protecting the data (Wei et al., 2014). If the data is somehow stolen or accessed inappropriately, then the organization has to inform the data owner about the same. The data owner, in this case have full right to sue the organization legally if required. The responsibility of the organization will be assessed in this case and if found guilty then might have to pay the demand of the owner. As the data collected in the database has security as well privacy issue, the legal issue is also an important thing here to consider.

Ensuring Data Encryption for Secure Data Transfer

Conclusion:

The paper after discussing and comparing the in-house database system with cloud solution or the SaaS cloud service in this context, concludes that there are several issues with both the approach. As already said that even though the database system is an effective choice, it has some security issues like lack of storage for data, SQL injection for data theft, lack of proper update for database security, there are some privacy issues as well. Although the SaaS cloud service addressees some of the security issues of the in-house database system, it still has its own issues related to security and privacy. The security issues with the cloud service are data availability, data integrity and data access. While choosing a particular cloud service it is important to take the legal and ethical issues into account.  Those issues are need to be identified for protecting employee data and retaining the employee privacy. The digital identity is another important issue to consider while selecting cloud providers for the cloud service.

References:

Aljawarneh, S. A., & Yassein, M. O. B. (2016). A conceptual security framework for cloud computing issues. International Journal of Intelligent Information Technologies (IJIIT), 12(2), 12-24.

Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing privacy problem. arXiv preprint arXiv:1609.01107.

Cai, M., Grund, M., Gupta, A., Nagel, F., Pandis, I., Papakonstantinou, Y., & Petropoulos, M. (2018). Integrated Querying of SQL database data and S3 data in Amazon Redshift. IEEE Data Eng. Bull., 41(2), 82-90.

Cao, N., Wang, C., Li, M., Ren, K., & Lou, W. (2014). Privacy-preserving multi-keyword ranked search over encrypted cloud data. IEEE Transactions on parallel and distributed systems, 25(1), 222-233.

Durairaj, M., & Manimaran, A. (2015). A study on security issues in cloud based e-learning. Indian Journal of Science and Technology, 8(8), 757-765.

Fernandes, D. A., Soares, L. F., Gomes, J. V., Freire, M. M., & Inácio, P. R. (2014). Privacy issues in cloud environments: a survey. International Journal of Information Security, 13(2), 113-170.

Grycuk, R., Gabryel, M., Scherer, R., & Voloshynovskiy, S. (2015, June). Security challenges for storing visual data based on WCF and microsoft SQL server database. In International Conference on Artificial Intelligence and Soft Computing (pp. 715-726). Springer, Cham.

Jackson, J. (2016). Sql: the security issues individual should be aware of (Volume 1).

Jouini, M., & Rabai, L. B. A. (2016). A security framework for secure cloud computing environments. International Journal of Cloud Applications and Computing (IJCAC), 6(3), 32-44.

Jukic, N., Vrbsky, S., & Nestorov, S. (2016). Database systems: Introduction to databases security and data warehouses. Prospect Press.

Kalaiprasath, R., Elankavi, R., & Udayakumar, D. R. (2017). Cloud. Security and Compliance-A Semantic Approach in End to End Security. International Journal Of Mechanical Engineering And Technology (Ijmet), 8(5).

Kaleeswari, C., Maheswari, P., Kuppusamy, K., & Jeyabalu, M. (2018). A Brief Review on Cloud Security Scenarios.

Khan, M. A. (2016). A survey of privacy issues for cloud computing. Journal of network and computer applications, 71, 11-29.

Khan, S. S., & Tuteja, R. R. (2015). Security in cloud computing using cryptographic algorithms. International Journal of Innovative Research in Computer and Communication Engineering, 3(1), 148-155.

Lee, C. H., & Zheng, Y. L. (2015, June). The issue of digital identity of cloud computing, IEEE International Conference on (pp. 426-427). IEEE.

Nepal, S., & Pathan, M. (Eds.). (2014). Security, privacy and trust in cloud systems. Springer Berlin Heidelberg.

Puthal, D., Sahoo, B. P. S., Mishra, S., & Swain, S. (2015, January). Cloud computing features, issues, and challenges: a big picture. In Computational Intelligence and Networks (CINE), 2015 International Conference on (pp. 116-123). IEEE.

Samarati, P., di Vimercati, S. D. C., Murugesan, S., & Bojanova, I. (2016). Cloud security: Issues and concerns. Encyclopedia on cloud computing, 207-219.

Sethi, S., & Sruti, S. (2018). Cloud privacy Issues and Challenges. In Cyber Security and Threats: Concepts, Methodologies, Tools, and Applications (pp. 77-92). IGI Global.

Short, C. I. (2017). ChromaStarDB:  legal concern for SQL Database-driven Spectrum Synthesis and More. Publications of the information Society of the Pacific, 129(979), 094504.

Singh, A., & Chatterjee, K. (2017). Cloud security issues and challenges of protecting digital identity: A survey. Journal of Network and Computer Applications, 79, 88-115.

Warren, T. (2015). SQL Database Programming: The Ultimate Guide to ethical issues in storing employee data in HR Database.

Wei, L., Zhu, H., Cao, Z., Dong, X., Jia, W., Chen, Y., & Vasilakos, A. V. (2014). Security and privacy for storage and computation in cloud computing. Information Sciences, 258, 371-386.

Zhao, G., Lin, Q., Li, L., & Li, Z. (2014, November). Security challenges and privacy issue in Schema conversion model of SQL database to NoSQL. In P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on (pp. 355-362). IEEE.

Zhou, J., Cao, Z., Dong, X., & Vasilakos, A. V. (2017). Security and privacy for cloud-based IoT: challenges. IEEE Communications Magazine, 55(1), 26-3