Security of Employee Data

Cloud computing is currently the most talked about and widely used technology all around the world by different organizations as well as different individuals. It is a process by which instead of physical existence of storage, management and processing of data; the entire process is saved into the network hosted by Internet. However, there are several risks associated with it as well, from both the perspectives of an organization and an individual. Since there is no physical existence of the entire data storage and the public clouds are generally owned by third-party cloud service providers, there are high chances of mishandling of data and other issues like data breaches and ransomware attacks (Kaleeswari et al., 2018). Thus the following assignment would present the topic of the risks associated with the Cloud and the Security and Privacy Maintenance in a cloud environment from the perspective of an organization. In the current project scenario, a consultant has been appointed to provide support and suggestions to a charity based organization that provides support to the underprivileged. The number of people that the organization has currently been providing services to is nearly 500 and has their own data centre using the Linux based operating system by Red Hat (Younis, Kifayat & Merabti, 2014). The servers are however owned by vendors providing cloud services. It has also been noted that the cloud storage capacity for the entire organization ranges up to 200 TB of memory. The consultant has been approached to report the entire security and privacy policy procurement for the organization given the fact that the company has been purchasing personal management application from a US based company working under SaaS environment. Thus, the entire report regarding the deliverables of the consultant would be based on several processes that would help in analyzing the levels of security of different aspects of the organization. This would be represented in the report as the security of the employee data, which is an important aspect as the database that stores the confidential data of each employee can be extremely problematic if exposed to public servers (Islam, Manivannan & Zeadally, 2016). The privacy functionalities of the employee data in the organization would be analyzed next to ensure that the organization has been utilizing proper measures to secure the data associated with each employee. Further analysis would be presented on the Digital Identity issues that the organization is currently been facing and the provider of solution issues. The latter will be described from the perspective of the Saas application that has been providing service to the organization for personal management. Finally, the report would include the data sensitivity issues which evaluate the data according to the organization’s control of data.

Impending risks and threats

Employee data in any organization is an extremely intricate property since this not only contains personal information of an employee including their contact information and other confidential information, but also the personal information of an employee can be linked to classified information of the organization as well (Rao & Selvamani, 2015). The HR in-house database has the ability to hold the information about different employees, but there are impending risks with this database hosting in the cloud on the other hand. The consulting company has noticed that there have been several problems associated with the cloud computing technology in holding the employee data. These are described in details as below:

Breaching of Data: Cloud computing possesses the basic threat of breaching of data which is very common in this technology. Cloud database is the hub of information therefore, by hacking into it; any malicious attacker can access the intricate detailed information about an organization or an individual user very easily (Sethi & Sruti, 2018). This information can be of any kind, starting from name, address, contact information, bank details and any other detailed credentials, that remain open to the attackers for misuse. This is the reason that many people are affected at the same time by data attackers due to cloud computing environment.

APIs: An API is an application program interface that establishes communication between a user and the cloud. Mostly the private organizations that provide cloud storage servers to other companies maintain the advanced security to the API technology, so that they can secure these networks from any kind of malicious attacker (Aggarwal, 2018). However, possibilities still remain for any kind of vulnerabilities in this regard from the administrative areas of the APIs.

Account hijacking: It is a common phenomenon in the cloud environment that to get into a cloud server of any company or an individual, the attacker might gain access to an entire account. This is mainly done with the help of a phishing method. The act of phishing accounts mainly occurs due to the vulnerabilities of security systems in the cloud environment of an individual or a company so that the networks handling them can be easily violated (Singh et al., 2016). This creates a loophole in the system for the attackers to easily breach into the cloud servers and get access to the accounts that is generally unauthorized to them.

SaaS Risks: It sometimes occurs in an organization that when the entire business process is migrating to a new technology of SaaS, data security threats are attached with the entire implementation. Every Saas Application is vulnerable to data breaches. To mitigate this risk, it is mainly the responsibility of the SaaS network providers that this impending risk is taken into account and the entire transformation program is taken care of to protect confidential data (Chhabra & Dixit, 2015). However, a SaaS network technology does not have an in-built feature of protecting data, so this criterion is to be fulfilled by the people or the service providers who are taking care of the network. Otherwise, the SaaS applications would not take into account the data protecting feature on its own. It can further be noticed that when an organization is planning on movement to a SaaS application in exchange of its previously used applications there is a noticeable risk in down time. As all the data are moved to the provider of the SaaS so the users have to rely on the providers to keep up the running of data (Tang & Liu, 2015). The user will no longer have the control on data. Any mishap if happen in data controlling so it will impact a lot in the particular organization. This the main risk of transferring the data to the SaaS application. It is necessary for the SaaS providers to work with a lower downtime so that the risks can be mitigated. Another risk in the SaaS application environment is that the proper implementation plan needs to be according to the standards set by the technical laws of the country the organization is set in. If it does not abide by said laws and orders, there might be a risk of legal actions been taken on the organization.

Accumulated results of the threats: In the above discussion, all the threats and the impending risks have been discussed in details regarding the problems. The primary threat that these risks possess has the ability to attack a single entity user as well as an entire organization. With more and more time passing, these risks are becoming larger in number since the cyber attackers are increasingly using latest technologies for attacking the cloud servers (Seethamraju, 2015). This can also been noticed since there has been reports of increasing amounts of data breaches in the recent times belting the reports from the entire world. This is a major threat as intricate information and data belonging to a company or an individual or an employee associated with a company is highly confidential. These can contain such valuable information that an entire company can be demolished with the help of these as well as an individual’s bank accounts can be violated to extort out money or causing any other kind of harm. Therefore, it is absolutely essential that proper measures are taken to protect these data and information so that they do not fall into the hands of these malevolent attackers easily (Díaz, Martín & Rubio, 2016). The phishing attacks can cause a person or an organization to lose a highly important data and an attacker can use them for their own benefit. This is also a problem as the latest times have witnessed a huge and exponential rise in the uses of networking and communicating devices by an individual user and organizations as well. This is a huge risk as the cyber attackers get a huge domain to exploit data devoid of physical existence. They get time and space to assess their target and pursue their attacking activities. Therefore, any loophole in the system can cause a huge problem for an individual as well as an organization.

Maintaining the privacy of data is extremely important for a company since this can cause further problems firstly to the employees and then to the organizations as a result if the data is breached by a cyber attacker. Cyber attackers can assess any company in the market and monitor them by their internet activities. One such activity is the one that a company performs through the exchange of mails (Jungck & Rahman, 2015). Using a mail to exchange information needs to be extremely cautious as it has to be made sure by an individual as well by an entire organization that no confidential information is passed through emails. In addition to this, it has also to be made sure that the people using emails do not click on to any unsolicited link from an unauthorized source that they receive in mails. This is also to be made sure by the company that no other employee can access the data of anyone else until and unless they are authorized to do so. If it is found to be still operated in the organization, strict action should be taken against the person responsible, even treating it as a criminal offense (Roy et al., 2015). This can be any information of an individual employee, including the health information of the person.

While protecting an in-house database, there are a huge set of threats existing in the security systems that needs to be taken care of (Tiwari & Joshi, 2016). These threats are to be discussed in details as below:

Malware threats: Malwares are malicious softwares or software containing viruses that are designed to barge into any computer by clicking into undesignated links and haltering the entire system or leaking out information and data that are otherwise kept under secured environment (Ab Rahman & Choo, 2015). This is a perennial threat for any kind of in house database that is protected by an organization. Malwares have a capability to infect a connecting device and steal all the sensitive data that the databases hold.

Human Threats: This threat is classified as the human interaction of a person with any device. This occurs due to the negligence of an individual in handling their designated device in the organization. Due to this problem, data breaches occur at random. It is implied that a person needs to be much more cautious in order to handle a device and for that proper training should be given to each one of them (Mushtaq et al., 2017). It has been reported that unsolicited links being clicked have added to cause such problems. Many phishing emails that are designed to breach data have been clicked out of curiosity which should have otherwise been kept untouched altogether. Therefore, any person should be focused while using a device or it can create a huge problem both for the device as well as the information it contains affecting the organization in accordance to it.

Unmanaged data threats: Many companies have been found to be negligent in handling user data, employee data as well as important data for the organization. Human involvement in storage of data for the employees creates this problem as most of the time it has been found that human errors have caused data breaches in an organization (Mishra et al., 2018). Unmanaged data thus have a huge risk of being violated and exposed by any kind of malicious hacker accessing the network for a supposed attack. This is like an open opportunity for them to barge into the network and get hold these unmanaged data.

Threats due to excessive permissions: This threat occurs when an employee is given too much of accessing permissions in an organization. The suggested method is that an employee should be given as much access to user and employee database as needed. It has been found that when an employee is given too much access over a network that he or she is able to take peek into any employee information, there is a possibility that he or she might perform unsolicited activities that can cause loss of data or even make it vulnerable to further exploitation by the cyber attackers (Aikat et al., 2017). So it is necessary to give the privilege to the employee that they required only not more than that or less than that limit.

Database injection threats: The injection attacks are performed to a database in order to breach data by exploiting them. This is done by a malicious attacker by barging into vulnerable accounts holding these important databases (Rittinghouse & Ransome, 2016). Mostly these are the two typical types of databases comprising of traditional databases and the NoSql Database.

While transferring employee data in SaaS application, many threats can be associated with it. These threats are described in details as below:

Faulty Identity Management: It has been often found that the private organizations that are responsible to provide cloud server identities are not that sophisticated when it comes to respect the dignity of these service identities that reside behind the firewall of several enterprises (Pham et al., 2017). This is because; there are many third party applications that have the ability to access the data in the SaaS as these data do not have identity. This forms one of the major risks that cloud environment is facing in the contemporary times.

Downfall in cloud standards: Security credentials are a standard that the cloud vendors have been advertizing about in the recent times. This has found to be a problem after SAS 70 has been audited. The cloud standard becomes very low in these matter, thus there is no security of data in SaaS Applications (Kavis, 2014). Therefore, it is required that an organization adapts to the security standards that are required when a data is transferred to SaaS Applications.

Data Security Threats: The main problem with the vendor of any cloud server is that they put forward their capability of giving more security to the data much more than they are capable of.  Due to this, most organizations tend to have the idea that the SaaS security is that good in securing employee data. However, the customers of the cloud vendors do not believe that the SaaS providers are secretive about their processes of the security (Ali, Khan & Vasilakos, 2015). Most of the cloud vendors do not show the actual amount of data centres and the operations they actually provides. Since, they do not disclose all the necessary information to the customers so there is a chance of compromising with the security. Customers and analysts of the industry are at rageby the response by the SaaS providers. The customer must not give their data for the security if the vendor is not transparent.

Malware attacks happening in a database can cause several problems to the employees and further affecting a database.  This should be taken care of by individual employees so that they do not fall prey to further phishing attacks by malevolent cyber attackers (Hsu et al., 2014). It has been found that 35 per cent of the attacks and phishing problems are mostly caused due to the human negligence. Lack of knowledge in using this kind of database forms these threats; therefore, it is essential that the human activity behind handling the database is controlled. The employees need to be trained accordingly to make them aware of the threats and risks so that they can be more cautious while handling them.

Digital identity is at a higher risk of getting exposed while data is being migrated from a traditional database to a SaaS application. When a network or an online resource is being used, digital identity of a data gets stored in a database (Botta et al., 2016). Normally, a data identity is used to protect data from potential data threats and cyber crimes. Thus, losing the integrity of data can s=cause several problems. It is to be thus made sure that all the online websites must be used cautiously so that data identity integrity is kept intact.

For example, while accessing a banking website, it is to be made sure that all the account information of an individual is to be kept totally under wraps. If any negligence is paid heed to, there must be a huge risk of losing all the account information to a malicious hacker who might barge into the bank account of a non-suspecting person and cause severe harm to the individual (Garg, 2017). For this, a hacker mostly targets innocent individuals through their social accounts where identity is a vulnerable issue. The main thing that has been in focus in the contemporary times in accordance to the threat of  identity leak is many websites tracks the activity of the user and stored the digital identity of that individual. The way in which they track the data is very sophisticated and the individuals are not aware of the fact that a particular user data is being tracked.

Therefore, it is absolutely necessary to protect the identity of a person in the digital world or the cyber world as the data in this environment is extremely sensitive.

SaaS applications are provided via a private server owned by a third-party organization. However, it cloud implementation of SaaS application, protecting a data is becoming more and more complex as the hackers are implementing revolutionary ways to hack any kind of vulnerable data they find. To provide optimum security of data it necessary to mitigate all the risk those are associated with. SaaS provide security to the data of big, medium, and small companies and the partner of the provider (Wu et al., 2015). It is necessary for the provider to manage the data security properly. There have been several mitigation processes utilized to protect sensitive employee data so that they do not fall vulnerable to the risk of being hacked and breached. These mitigation processes are listed as below:

Primary cloud provider: In this era of innumerable cloud providers, it is important to find a feasible cloud provider with all the realized data security and risk mitigation functionalities (Marinescu, 2017). These vendors are identified with their unique quality of well established nature including experience in data security standards and regulation of protecting data.

Cloud provider contracts: The contracts that is made between and organization and cloud service provider should be made clear about all the amenities to be provided (Purcell, 2014). This should be an open ended contract where error would be able to be mitigated from both sides.

Recovery of facilities: Data recovery is the best policy that a cloud provider can offer to its client organization. This is to assure the client that even if there is any loss of data, it can be easily recovered so that the client does not have to suffer further losses.

Encryption of data: If the data is encrypted properly then the cloud vendor will not have that worry about data breach because encrypted data cannot be accessed by unauthorized persons (Safa et al., 2015). This assurance makes a cloud service provider appear safer than the others and reliable enough to be approached.

Business Service Security: The cloud service provider having the best cloud security services are the right ones to approach (Chang et al., 2016). For employee data in HR systems, this is essentially necessary as there have already been many discussions before in the report with regards to data integrity of an employee in an organization and that any breaching of employee data can in turn cause crumble to the entire organization as a whole.

In an organization, different databases hold innumerable data regarding the daily transactions and actions of a company. Not all of these data can be regarded as sensitive. However, employee data in the HR system database is to be regarded as highly sensitive data. This is because employee data in an organization contains the personal information of an individual employee including their contact details and sometimes even the bank account details. If any of these data is exposed in the vulnerable cloud environment, there are high chances that these data can be mishandled and misused by malicious cyber attackers. On an individual perspective this is very dangerous, since all the personal information would be exposed to and unauthorized personnel. On the other hand, the data would also be exposed about the organization where the employee is designated to (Avram, 2014). Breaching of sensitive data about the employees has a potential of crumbling an entire organization, and this have been reported to actually take place in the recent times. There are also multiple implications imposed on the hacking of sensitive data from a legal and ethical point of view. Ethically, in an organization it is only a designated Human Resource team member who is most likely to have access to employee data. Therefore, they must maintain the ethical laws in handling these data so that they do not fall under the garbs of any unauthorized person initially. Maintaining the ethical way of handling these data would maintain the initial integrity of the sensitivity of these data.

Conclusion

Therefore, it can be concluded that transferring an existing HR system with all relevant employee data can be problematic and have a huge set of impending risks and threats while the transformation is going on. In the following assignment it has been presented that the topic of the risks associated with the Cloud and the Security and Privacy Maintenance in a cloud environment is generally taken from the perspective of an organization. In the current project scenario, a consultant has been appointed to provide support and suggestions to a charity based organization that provides support to the underprivileged. The number of people that the organization has currently been providing services to is nearly 500 and has their own data centre using the Linux based operating system by Red Hat. The servers are however owned by vendors providing cloud services. It has also been noted that the cloud storage capacity for the entire organization ranges up to 200 TB of memory. The consultant has been approached to report the entire security and privacy policy procurement for the organization given the fact that the company has been purchasing personal management application from a US based company working under SaaS environment. Thus, the entire report regarding the deliverables of the consultant has been based on several processes that have helped in analyzing the levels of security of different aspects of the organization. This have been represented in the report as the security of the employee data, which is an important aspect as the database that stores the confidential data of each employee can be extremely problematic if exposed to public servers. The privacy functionalities of the employee data in the organization has further been analyzed next to ensure that the organization has been utilizing proper measures to secure the data associated with each employee. Further analysis has been presented on the Digital Identity issues that the organization is currently been facing and the provider of solution issues. The latter has been described from the perspective of the Saas application that has been providing service to the organization for personal management. Finally, the report included the data sensitivity issues which evaluate the data according to the organization’s control of data. After the analysis of all these aspects have been done, it was found that risk occurs in several levels of the transformation process right from the employee data to the cloud servers. The risks that can cause further issues in the entire process have thus been described in details so that this report can be taken as a reference for mitigating the risks further. The consultant team has been successful in analyzing the entire matter that has been stated in the case study thus jotting out all the possible risks in the entire transfer process.

References

Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. Computers & Security, 49, 45-69.

Aggarwal, R. (2018). Resource Provisioning and Resource Allocation in Cloud Computing Environment.

Aikat, J., Akella, A., Chase, J. S., Juels, A., Reiter, M., Ristenpart, T., … & Swift, M. (2017). Rethinking security in the era of cloud computing. IEEE Security & Privacy.

Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information sciences, 305, 357-383.

Avram, M. G. (2014). Advantages and challenges of adopting cloud computing from an enterprise perspective. Procedia Technology, 12, 529-534.

Botta, A., De Donato, W., Persico, V., & Pescapé, A. (2016). Integration of cloud computing and internet of things: a survey. Future Generation Computer Systems, 56, 684-700.

Chang, V., Kuo, Y. H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24-41.

Chhabra, S., & Dixit, V. S. (2015). Cloud computing: State of the art and security issues. ACM SIGSOFT Software Engineering Notes, 40(2), 1-11.

Díaz, M., Martín, C., & Rubio, B. (2016). State-of-the-art, challenges, and open issues in the integration of Internet of things and cloud computing. Journal of Network and Computer Applications, 67, 99-117.

Garg, S. (2017). Survey on Cloud Computing and Data Masking Techniques.

Hsu, P. F., Ray, S., & Li-Hsieh, Y. Y. (2014). Examining cloud computing adoption intention, pricing mechanism, and deployment model. International Journal of Information Management, 34(4), 474-488.

Islam, T., Manivannan, D., & Zeadally, S. (2016). A classification and characterization of security threats in cloud computing. Int. J. Next-Gener. Comput, 7(1).

Jungck, K., & Rahman, S. (2015). Cloud computing avoids downfall of application service providers. arXiv preprint arXiv:1512.00061.

Kaleeswari, C., Maheswari, P., Kuppusamy, K., & Jeyabalu, M. (2018). A Brief Review on Cloud Security Scenarios.

Kavis, M. J. (2014). Architecting the cloud: design decisions for cloud computing service models (SaaS, PaaS, and IaaS). John Wiley & Sons.

Marinescu, D. C. (2017). Cloud computing: theory and practice. Morgan Kaufmann.

Mishra, N., Sharma, T. K., Sharma, V., & Vimal, V. (2018). Secure Framework for Data Security in Cloud Computing. In Soft Computing: Theories and Applications (pp. 61-71). Springer, Singapore.

Mushtaq, M. F., Akram, U., Khan, I., Khan, S. N., Shahzad, A., & Ullah, A. (2017). Cloud Computing Environment and Security Challenges: A Review. International Journal of Advanced Computer Science and Application, 8(10), 183-195.

Pham, V. V. H., Liu, X., Zheng, X., Fu, M., Deshpande, S. V., Xia, W., … & Abdelrazek, M. (2017, May). PaaS-black or white: an investigation into software development model for building retail industry SaaS. In Software Engineering Companion (ICSE-C), 2017 IEEE/ACM 39th International Conference on (pp. 285-287). IEEE.

Purcell, B. M. (2014). Big data using cloud computing. Journal of Technology Research, 5, 1.

Rao, R. V., & Selvamani, K. (2015). Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48, 204-209.

Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.

Roy, A., Sarkar, S., Ganesan, R., & Goel, G. (2015). Secure the cloud: From the perspective of a service-oriented organization. ACM Computing Surveys (CSUR), 47(3), 41.

Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53, 65-78.

Sainadh, P. S. V., Kumar, U. S., & Reddy, S. H. (2017). Security Issues in Cloud Computing.

Seethamraju, R. (2015). Adoption of software as a service (SaaS) enterprise resource planning (ERP) systems in small and medium sized enterprises (SMEs). Information systems frontiers, 17(3), 475-492.

Sethi, S., & Sruti, S. (2018). Cloud Security Issues and Challenges. In Cyber Security and Threats: Concepts, Methodologies, Tools, and Applications (pp. 77-92). IGI Global.

Singh, S., Jeong, Y. S., & Park, J. H. (2016). A survey on cloud computing security: Issues, threats, and solutions. Journal of Network and Computer Applications, 75, 200-222.

Tang, C., & Liu, J. (2015). Selecting a trusted cloud service provider for your SaaS program. Computers & Security, 50, 60-73.

Tiwari, P. K., & Joshi, S. (2016). Data security for software as a service. In Web-Based Services: Concepts, Methodologies, Tools, and Applications (pp. 864-880). IGI Global.

Wu, D., Rosen, D. W., Wang, L., & Schaefer, D. (2015). Cloud-based design and manufacturing: A new paradigm in digital manufacturing and design innovation. Computer-Aided Design, 59, 1-14.

Younis, Y. A., Kifayat, K., & Merabti, M. (2014). An access control model for cloud computing. Journal of Information Security and Applications, 19(1), 45-60.