ITC568 Cloud Privacy and Security
Assessment 2 Risk Assessment
Lecturer Name: Purvi Mehta
Name: Sai Rohith Paladugu
Student ID: 11628719
Software Platform Recommendations for Charity Works
What is Charity? What is its main activity?
Charity Mission mainly works for the welfare of the community and offers services to the people, who need assistance for accommodation, mental health services, training and support service to disadvantaged people in community. It works as non- profitable organization without any charge of penne from the people, who used the service or help from the charity. It is much more near to the public, by allowing public to access the charity mission to get help. So, all the data relating to the public is recorded into the database storage. In database all the data regarding the information about public, who seeking the help, the financial status of the charity and the donor’s information, who deposits money to the charity for functioning.
As charity is performing public services and for effective management of data and for accessing ability to various people, it is consider to join the hybrid cloud service consisting Community Cloud and Public Cloud.
What are Community Cloud and Public Cloud? Why is it necessary?
Community cloud is defined as the cloud infrastructure, which is provisioned to a group or community of people with authentication rights by organization or welfare group owned or operated by one or more organization bodies or third body or any of the combinations. This service is available on or off premises1.
Public cloud is defined as the cloud infrastructure, which is provisioned to the public as open access which is maintained by the organization, or government or third party organization. This service is available on premises only1.
Here, in charity infrastructure, the community cloud services are provided to the charity administration staff with each application to each person with authentication login and password provided to them. In these services, they are going to manage their profile and update their work progress. The staff and HR will observe their charity progress work and can have look of the pending progress work. It gives quick view about the progress up to which extend the services are provided and can help in grabbing and progressing the raw material and resources for the next remaining future tasks. If the security login and passwords are leaked or hacked, then the third person or hacker can gain the access of the information and data about the project. So the verification process is carried out while authorizing into the Profile of charity administration staff, either by sending a text to their phone or by sending the pincode to their phone as the second level of security.
The public cloud is implemented into the cloud services for the public usage to register into the charity web domain, where authorizing login ID and password are provided, and complete the application with the necessary information which may contain the sensitive information like digital identity or personally identifiable information. This sensitive information is stored in the encrypted form into the data base in order to place out of reach of any data theft attacks or any other form of attempts. The data is stored into the public cloud platform and the applications are sorted in the order of the services requested by the public. This cloud services are preferred to store in on premises location due to consisting of the sensitive information.
SaaS(Software as a Service): In this service model, the provider provides the software as the service to cloud infrastructure to the consumer. Consumer can use the software to its client’s usage and are programmed to store in the cloud. The consumer cannot affect the software, server, operating system or any other features. It is very economical service compared to the other service models in the cloud1.
As the systems connecting to the internet has increased with the rise of the Electronic Business also known as E-Commerce, the treats or attacks to the system have increased. If any systems are vulnerable to the attack, then the reputation and the confidence of the organization or business get reduced. So the security and risks of the system is high on the in-site HR database. The chances of leakage of data regarding the financial information about the monetary transfer from the donor and the banking details may be vulnerable to get theft2. If it happens, then the trust on the charity gets lost. This effect in future for arranging any funds to the charity or to provide any service to the consumer. If the HR database consisting the sensitive data regarding the consumers Personal Identifiable Information or Digital Identity, then behind providing service it will be more complex of the data loss and vulnerability of misuse of the individual information. It leads to the civil charges to the charity trust and the assurance on the charity trust gets minimized and gets mislead. This will change the entire functioning of the charity trust in the society. The data loss of the administrative staff details leads to the great loss of the human power with losing confidence on the charity trust. So the effective firewall security and the firm protection of the security from spam mails, irrelevant mails and many other sources of attack has to be prevented and the database has to be protected.
1.1 The main threats and risks to the existing in-house HR Database:
There are few threats involved to the in- house HR database, because it is more attractive for the hackers to get access to the information or data consisting in the database. Some of the threats and risks to the HR Database are listed below:
1. The vulnerability of attacking the backup data storage.
2. The leakage of the copy of data in form of discs and tapes.
3. The copying of data into the weak device, which is more possibility of attacking the device.
4. The injection of malware into the database.
5. The fake injections of the data into the database, like links, advertisements, software updates, financial portals and many more.
6. More chances of getting attacked, while database is set for any software or hardware developments into the database.
7. There is more chances of getting attacked without any proper punctual checking and testing the database2.
1.2 The possibilities of threats and risks of the employee data after migrating into SaaS application:
As there are benefits of transferring data from the in-house data storage to SaaS cloud computing model, like reducing the maintenance of data storage and the economical of maintaining data. There are few more threats and risks to the HR Database, like:
1. There are chances of getting the information leaked, during the transfer of data from database to the SaaS cloud application.
2. The strong access to the cloud, with either tampering or spying while getting access to the cloud storage.
3. Editing or changing the data in the cloud storage with access of any staff Login ID.
4. The accidental loss of data by the staff member without proper knowledge about the cloud application or the platform.
5. Data loss or data misuse in the cloud storage by the service provider.
6. Possibilities of gaining access to the application by password hacking, malware, sperm links or many other forms.
7. The data breach into the system, by accessing the application from unsafe or public systems3.
1.3 Severity of risks and threats to employee’s data:
The maintenance of the employee’s data in the company’s data base is immense task for the companies or charities, offering HR and the payroll services. There is a massive impact on the companies, when any data relating to the staff gets leaked. It results too many complications and loosing assurance on the organization itself.
The severity of the threats and risks to the breach of employee’s data:
1. By gaining the access to the employee’s data, there is a chance of manipulation of the employee’s data.
2. The leakage of the employee’s data in the company’s or organization gets chances of effecting employees by the rival companies.
3. The misuse of employee’s data leads to participation of unethical activities.
4. Loss of assurance among the employees about the organization.
5. Great loss of organization’s reputation in the market.
6. The effect of payments like more or less salary paid to the employee.
7. Loss of credentials gained by the employee in his professional career.
8. Unethical activities are done by force on the employee by blackmailing or threatening them, by showing their available data4.
2.1 The present threat and risk to the privacy of information contained in the in house HR database:
The present common present threats and risks to the data base are:
1. Excessive Access to the Network: When excess of access is given to the staff more than the required to their job application, then the mistakes, accidents or misuse of data in the database can happen. It’s going to affect the company when the employee lefts the organization or any other staff attempts it.
2. Misuse of data: When employee attempts to gain access into the data base for misuse of data for unethical activities through hacking the network or by misusing the colleagues login access into the network.
3. Injection Method: The major chances of threat to the database are through the injection model into the database in order to gain access of the data in it. The injection procedures can happen through SQL process for the traditional database and non-SQL process for the Bigdata platforms. This injection model gives unconditional access to the database.
4. Usage of Malware: There is more chance of vulnerability to attack the exiting database with the usage of the weak device consisting of the malware in it.
5. Vulnerability of Storage media: During the back up process or any maintenance process, the database data is stored in the backup media like discs and tapes. Then the target of the information of the database will be on the storage devices. It has more vulnerability to attack the devices.
6. The Human factor: There are estimated nearly 30% of the threats and risks to the database by the interference of the humans in organizations, companies and many other places around the world5.
2.2 The additional risks and threats regarding privacy of the employee’s data after migrating into SaaS application:
Under the process of transferring the data from the in-house database to the cloud platform can largely minimize the possibilities of the threats and risks in the cyber attacks. But, still there are small chances of the attacks even on the cloud platform.
1. Unfleged Cloud: The cloud is trending technology into the market without proper security measures of controlling passwords and access to the cloud.
2. Recovery of Cloud: The proper recovery procedures are to be maintained or implemented into the cloud to rescue from the unknown cyber attack.
3. Veteran Infrastructure: If the network or the software is old enough far from the upgrading to the latest version. The vulnerability to attack the database is more.
4. Maturing Risks: As the trends of the software and hardware is upgrading, then the attacking process of the database is also increasing.
5. Complex organizations: If the organization is large complex, then the concentration on the maintenance or upgrading the database is minimized, which is the great chance for the hackers or malicious unknown individuals to attack on the database.
6. Weak Standards of Cloud: If the infrastructure and privacy of the cloud are weak then it makes more possibilities for the attackers to perform threats to the database.
7. Assured employees: The employees in the organization are to be loyal towards the institution, in order not to perform any misuse or mislead of data in the database.
8. Dynamic System: The network or system of the organization has to be dynamic, inorder to counterattack or recover from the attack performed by the individual.
9. As the cloud offers the service on the different multiple devices, the data gets accessed on the different devices. So the possibilities of the privacy issues are vast.
10. The overlapping of the data between the two customers has to be regulated by the cloud service provider, in order to regulate the data leakage and many other parameters.
2.3 Severity of risk and threat to the privacy of employee data:
As defined in the cloud, the cloud services can be accessed over multiple devices located in the different locations around the world. In SaaS, the software is provided as the service to the consumer. So there is more vulnerability to access the data from one of the devices, which are previously accessed to the network.
Impact on privacy loss of the employee data in SaaS application:
1. Reduction in the morality of the employee when privacy data is lost.
2. Lack of confidence with the loss of the personal private information.
3 The work progress of the employee gets reduced, with the privacy loss.
4. Employees may not submit their original personal information, once the data is lost in the organization.
5. The external factors might attempt to create fear or blackmail the employees to participate into criminal activities.
6. The fear of getting trapped or fishing gets developed in the employees once the data gets leaked.
7. The personal life of the families of employees gets disturbed with this activity.
8. The lack of trust among the organization management by accessing into the data from external devices or other systems.
9. Bad reputation gets developed on the organization with the loss of the crucial employee’s data.
10. The communication distance between the employees and the organizational top level management gets developed, which affects the progress of work.
11. The employee’s personal life and professional life gets available to the unethical cyber criminal groups.
3. The threats and risks to the digital identities of charity employees from the move to SaaS applications:
Digital Identity is always considered as the important identity in the Internet especially for the government agencies, departments, citizens and unethical groups. It’s very important for the government to control every individual holding digital identity. For every access to the digital identity there need to be authentication. Governments consider authorization of the digital identity and access to the digital identity as the top priority. So the main security layers are form in the authentication layer as more complex. So, once the security layers are breached, all the data in the digital identity are leaked to the cyber criminals.
The Government employees have to provide more security to safe guard the digital identity from any attacks and attempts to theft. The employees don’t need any identification or passwords for protecting or safeguarding the traditional database. For SaaS application process, the access of the digital identities can occur from any network or system, without respect to location. So, the vulnerability or the possibility of occurring threats to the network through SaaS application is more.
As Charity Mission, is planning to migrate from the in-house database to the SaaS application, helps the governments, agencies and other department to share the data among them from any system. It will benefit in gaining access to the network, sharing the resources and observe the progress of the work, which has been achieved. In such process of accessing the data, the channels and routes have to be maintained carefully and observed by the experts. If any data loss or attempt of any unusual activity has to be prevented to avoid great loss of the data. So the service provider has to be more responsible for avoiding any data loss or any unusual attacks.
4. Provider Solution Issue:
The organization has to consider two primary aspects of the data management, one, who is going to operate and, two, where the operation is going to be continued. The American organization has agreed to provide the complete set of solution to the HR department. The HR department presents the solution and progress of the charity activities to the Service provider. The service provider has mentioned that the data base server is located in California. But two more data servers are located one in Bangalore, for allowing any changes in the data, other in Dublin, is considered as the replica of the main database server. So the jurisdiction laws of the following countries are to be considered, by the service provider. The service provider will face the law, if the data loss or the data privacy effects in the respective countries.
As the main database server (California) and the replica data base server (Dublin, Ireland) are placed in two different countries, then the risk of the data loss and privacy issues are to be considered by the service provider.
The updating of the data, maintenance of data or any other changes are done by the service provider at Bangalore, where the vulnerability of the data leaks or misuse of the data might happen. The employees at the workspace or any other form of attack on the data can happen. Where the possibilities of the data misuse might happen is very high.
As all the data changes or the processing of the data are carried on the links provided by the service provider. If the authentication process is hacked then the entire network of the service provider consisting the charity employee’s data is fallen into the risk. It has to be dynamically functioned to make smart decisions and avoid the data loss.
As the data servers of the same functions are presented in various locations around the world, would lead to the easy access into the data server or data misuse might happen when communicating between the two servers. In order to avoid such activities, high accurate inspection has to be undertaken, which is more cost factor and complex in functioning of the data.
The secured URL has to be created and used by the service provider to undergo all data functioning of the data. In order to avoid any misfortune and control the data misuse which leads to the loss of the privacy to the personal data.
From considering the above, with the service providers plan the cost of preserving data is minimized which is a benefit in the cost factor. But, more concern and care has to be provided by the service provider while supervising or handling the sensitive data of the client.
5. Data Sensitivity:
As the information technology and computing is progressing decades to decades, the storage of data has also been modified. Firstly, the data in the systems are saved as a copy to the personal data servers. Here data is retrieved, updated or modified as the choice of the organization. Now, data is saved into the cloud to access or modify it from any system across the world. With this progress, the process of gaining access to the data, misuse of privacy of the personal data and leakage of the individual data is progressed in the world.
The service provider has to consider some factors for preserving the data privacy and avoiding the data loss:
Handling the sensitive data:
In cloud computing, the features create advantages to the company to minimize its investment and utilize all of its options. But the most primary thing the companies consider the most is the services are provided by the third party, here the assurance on the technology gets minimized or reduced. As the third party have the strong influence on the data that is stored in the cloud. In Cloud computing, the most basic feature and economical model is SaaS model. Here the service provider provides the software as application. The consumer or the members related to the consumer has the option to access the network from anywhere and anytime. So the paths to access the network is saved in multiple devices. Where the possibilities of gaining access to the network is more.
The important considerations to be made while moving into the SaaS application:
1. The choice of deciding the public, private or hybrid cloud depends on the nature and type of the company.
2. For preserving more secured data, the security has to be strongly laid surrounding the cloud or data.
3. The service provider has to be resourceful in maintaining or supervising the data from the client to the cloud infrastructure, with avoiding any malicious attacks.
4. The security has to be continuously upgraded, in order to defend the latest or updated form of attacks.
5. Rich skill and training has to be provided to the consumer, inorder to avoid accidents and mistakes.
6. The network has to be frequently upgraded, inorder to reduce the vulnerability to attack the data servers.
7. Both the service provider and consumer have to be skillful in reaching same level to exchange of data between them and create more functioning smoothly.
The report states that while migrating into the SaaS application, more additional features are gained and also the preserving of the employees data has to be maintained effectively and results are observed to be more significantly changed with the smooth functioning.
1. Mell, P., ; Grance, T. (2011). The NIST definition of cloud computing.
2. Ma, j. (2015). Top 10 Security Concerns for Cloud-Based Services. Incapsula.com. Retrieved 18 August 2017, from
3. Sawani, A. (2016). 6 Key Challenges in Securing SaaS Applications. Palo Alto Networks. Retrieved from
4. Brodkin, J. (2010). 5 problems with SaaS security. Network World. Retrieved 19 August 2017, from
5. Roy Maurer. July 30, 2015. Top Database Security Threats and How to Mitigate Them. https://www.shrm.org/resourcesandtools/hr-topics/risk-management/pages/top-database-security-threats.aspx.
6. Patel, N. S., ; Rekha, B.S. (2014). Software as a Service (SaaS): Security issues and Solutions. International Journal of Computational Engineering Research (IJCER), 68-71. Retrieved from
7. Freibrun, E. (2017). 11 Key Benefits and Risks of SaaS Contracts. Springcm.com. Retrieved 23 August 2017, from
8. Hillsberg, A. (2016). 10 SaaS Security Risks And Concerns Every User Has. Financesonline.com. Retrieved 22 August 2017, from