Organizational Context
A community-based charity works towards the betterment of disadvantaged sections of society by providing them with accommodation and mental health services. The charity has decided to modify its technical infrastructure to make better use of technology in areas such as data storage, data management, and operational execution. The decision has been made to move to the cloud using the Software as a Service (SaaS) model. This report analyses the security and privacy aspects of adopting the cloud at the charity.
Existing Threats – In-house HR Database
The in-house HR database of the charity is exposed to certain threats and risks. The primary risk is the SQL injection attack. It is a security attack in which an attacker uses malicious SQL queries to gain access to the database. Attackers may follow the same approach against the charity's HR database to capture private and confidential employee information.
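The difference between a query built by string concatenation and a parameterized query, shown as an added example that is not part of the original report. It assumes a hypothetical `employees` table in an in-memory SQLite database with constructed rows; all function names are illustrative.

```python
import sqlite3

# Constructed sample rows standing in for HR records (not real data).
SAMPLE_ROWS = [
    ("E001", "A. Sample", 52000),
    ("E002", "B. Sample", 48000),
    ("E003", "C. Sample", 61000),
]

# Constructed test input containing a quote character and SQL keywords.
CRAFTED_INPUT = "x' OR '1'='1"


def build_hr_db():
    """Create an in-memory stand-in for the HR database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (emp_id TEXT PRIMARY KEY, name TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, emp_id):
    """Weak form: the input becomes part of the SQL text, so a quote
    in the input can change the structure of the WHERE clause."""
    query = (
        "SELECT emp_id, name, salary FROM employees WHERE emp_id = '" + emp_id + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, emp_id):
    """Hardened form: the input is bound as a value and is never parsed as SQL."""
    query = "SELECT emp_id, name, salary FROM employees WHERE emp_id = ?"
    return conn.execute(query, (emp_id,)).fetchall()


def compare(emp_id):
    """Return how many rows each form discloses for the same input."""
    conn = build_hr_db()
    return {
        "concatenated": len(lookup_concatenated(conn, emp_id)),
        "parameterized": len(lookup_parameterized(conn, emp_id)),
    }


if __name__ == "__main__":
    print("legitimate id:", compare("E002"))
    print("crafted input:", compare(CRAFTED_INPUT))
```

For a legitimate employee ID both forms return one row; for the crafted input the concatenated query discloses every record, while the parameterized query returns none.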
There are different forms of man-in-the-middle attacks. One such attack is session hijacking, which is highly probable with the in-house HR database of the charity. The attacker may replicate the IP address by sitting on the session between the server and the client (Bharti, 2013). Phishing and spear phishing attacks are also likely to occur against the in-house HR database of the organization. Social engineering techniques are used to carry out these attacks (Nguyen, Rosoff & John, 2017).
The database is not protected by strong access control and authentication mechanisms. Passwords are used to grant users access, and they are not coupled with any other mode of authentication. The use of weak passwords may lead to violation of the security of the employee data through dictionary and brute-force attacks. There are also different forms of malware that may attack the database and violate data security (Nai Fovino, Carcano, Masera & Trombetta, 2009).
With the inclusion of the SaaS application in the organization, additional risks and attacks may occur. First and foremost are internal user threats. New access rights and permissions will be provided to the employees, and the SaaS application will involve multiple access points. Internal employees of the charity may pass information on to unauthorized entities. Data loss and data leakage over the cloud is another risk that may arise from cloud vulnerabilities and network access points. Availability of the SaaS application may be put at risk through denial of service attacks, in which the application is flooded with unwanted and garbage traffic (Sun, Zhang, Xiong & Zhu, 2014). Data storage on the cloud is a form of virtual storage that involves certain cloud properties, such as resource sharing. Such properties may lead to data segregation and location risks.
Core HSE Risk Issue
The table below sets out the severity of the risks identified in association with the SaaS application.
| Risk Name | Probability (5 – Critical, 4 – High, 3 – Average, 2 – Low, 1 – Very Low) | Impact (5 – Critical, 4 – High, 3 – Average, 2 – Low, 1 – Very Low) | Rank (Probability x Impact) | Severity |
| --- | --- | --- | --- | --- |
| SQL Injection | 4 | 4 | 16 | High |
| Man in the Middle Attacks – Session Hijacking | 3 | 5 | 15 | High |
| Phishing Attacks | 3 | 4 | 12 | Moderate |
| Password Attacks | 4 | 5 | 20 | Critical |
| Malware Attacks | 5 | 5 | 25 | Critical |
| Internal User Attacks | 2 | 5 | 10 | Moderate |
| Data Loss & Leakage | 3 | 4 | 12 | Moderate |
| Denial of Service Attacks | 3 | 5 | 15 | High |
| Segregation & Location Issues | 3 | 3 | 9 | Low |
Existing Threats – In-house HR Database
Data breaches are common for organizational data and information sets in the current scenario because of network sharing, an increased number of access points, and a larger number of defined user roles. The HR database of the charity is also exposed to breaches of its data sets that may impact the privacy of employee data (Holtfreter & Harrington, 2015).
Privacy and integrity of the employee data may be targeted by using alteration attacks on the message and media contents.
The involvement of the SaaS application in the charity may bring up other forms of privacy issues. For instance, denial of service is one form of network-based privacy attack that may occur. The application may be flooded with unwanted and garbage traffic that may break down service availability, and its privacy may be compromised as well. Security issues such as the data loss and leakage described in the section above may lead to privacy issues such as service abuse and violation of access control.
Man-in-the-middle attacks have the potential to impact information security as well as privacy. Eavesdropping attacks, both passive and active, may be carried out by attackers, and the privacy of the data sets will be put at risk (Dai, Wang, Li & Wong, 2013).
The table below sets out the severity of the risks identified in association with the SaaS application.
| Risk Name | Probability (5 – Critical, 4 – High, 3 – Average, 2 – Low, 1 – Very Low) | Impact (5 – Critical, 4 – High, 3 – Average, 2 – Low, 1 – Very Low) | Rank (Probability x Impact) | Severity |
| --- | --- | --- | --- | --- |
| Data Breaches | 4 | 5 | 20 | Critical |
| Alteration Attacks | 3 | 4 | 12 | Moderate |
| Denial of Service Attacks | 3 | 5 | 15 | High |
| Service Abuse | 2 | 4 | 8 | Low |
| Violation of Access control | 3 | 5 | 15 | High |
|  | 4 | 4 | 16 | High |
The employees of the charity will be provided with digital identities for accessing the applications and information sets. These digital identities will be exposed to security and privacy issues. Attackers may launch malware attacks to obtain the digital identities of the employees and may misuse them (Holt & Malcic, 2015). Weak authentication on the digital identities may increase the likelihood of attacks such as brute-force attacks and violation of access control.
Network-based attacks may also be used to acquire the digital identities of the employees and other users. These may include breaches, leakage, and eavesdropping attacks.
The operational solution and location of the provider will result in the mitigation of the risks. This is because varied locations will be used for storing the data and information sets. An attacker might launch security and privacy attacks on any of these locations. The data sets will remain secure at the other locations, and measures will be taken immediately to avoid similar attacks on them. Data back-ups will also be used, with multiple copies of the data sets stored at varied locations. Thus, the risks will be mitigated. Encryption will also be used to support risk mitigation.
Associated Risks from Different Risk Areas
Several security and privacy issues have been listed above that may emerge with the involvement of the SaaS cloud model. The occurrence of these risks and attacks will bring ethical violations and issues. The charity includes ethical codes of honesty, professionalism, enhancement of quality of life, priority to the public interest, and competence in its policy. However, these codes will be violated with the emergence of security and privacy attacks, such as internal user attacks, data breaches, leakage issues, malware attacks, and the like.
There are several normative and prescriptive ethical theories and jurisdictions defined. Some of these theories include Deontology Ethics, Consequentialism theory, Virtue Ethics, and the Theory of Social Contract (Schwickert & Miller, 2005). The norms and principles defined by these ethical theories will also be violated when security issues occur. This will have a negative implication for the sensitivity of the data sets. For instance, if the employee ID and payroll information of an employee are exposed, the impact will be highly negative for the employee as well as for the entire organization.
Recommendations & Conclusion
It is recommended that the charity make use of the SaaS cloud along with the implementation of security controls and measures. There are certain technical security controls that shall be implemented in the charity. Some of these include anti-malware tools, intrusion detection tools, firewalls, and anti-denial tools. Encryption and data backups must be used so that the data sets are always protected. Security audits and reviews shall also be conducted by the senior management and security experts. These will highlight the gaps in security, and measures will be taken accordingly. Security updates shall also be installed at regular intervals to avoid any form of security vulnerability in the applications. The users shall be informed and made aware of the security practices that they shall adopt, such as the use of strong passwords for better authentication (Alani, 2014). The decision to move to the cloud will provide the charity with benefits only when cloud security is ensured.
References
Alani, M. (2014). Securing the Cloud: Threats, Attacks and Mitigation Techniques. Journal Of Advanced Computer Science & Technology, 3(2), 202. doi: 10.14419/jacst.v3i2.3588
Bharti, A. (2013). Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptography. IOSR Journal Of Computer Engineering, 13(2), 66-73. doi: 10.9790/0661-1326673
Dai, H., Wang, Q., Li, D., & Wong, R. (2013). On Eavesdropping Attacks in Wireless Sensor Networks with Directional Antennas. International Journal Of Distributed Sensor Networks, 9(8), 760834. doi: 10.1155/2013/760834
Holt, J., & Malcic, S. (2015). The Privacy Ecosystem: Regulating Digital Identity in the United States and European Union. Journal Of Information Policy, 5, 155. doi: 10.5325/jinfopoli.5.2015.0155
Holtfreter, R., & Harrington, A. (2015). Data breach trends in the United States. Journal Of Financial Crime, 22(2), 242-260. doi: 10.1108/jfc-09-2013-0055
Nai Fovino, I., Carcano, A., Masera, M., & Trombetta, A. (2009). An experimental investigation of malware attacks on SCADA systems. International Journal Of Critical Infrastructure Protection, 2(4), 139-145. doi: 10.1016/j.ijcip.2009.10.001
Nguyen, K., Rosoff, H., & John, R. (2017). Valuing information security from a phishing attack. Journal Of Cybersecurity, 3(3), 159-171. doi: 10.1093/cybsec/tyx006
Schwickert, E., & Miller, S. (2005). Gender, Morality, and Ethics of Responsibility: Complementing Teleological and Deontological Ethics. Hypatia, 20(2), 164-187. doi: 10.1353/hyp.2005.0089
Sun, Y., Zhang, J., Xiong, Y., & Zhu, G. (2014). Data Security and Privacy in Cloud Computing. International Journal Of Distributed Sensor Networks, 10(7), 190903. doi: 10.1155/2014/190903