ITC568
Cloud Privacy and Security
The Cloud Security Ecosystem
Week 1
Dr. Peter White
Course Administration
Introduction
The Cloud Security Ecosystem
Cybercrime in the Cloud
© P White, 2017
Agenda
Contact Lecturer:
Email [email protected] (put ITC568 in the subject line)
Course Administration
Assignment 1 – due 11 August 2017 (10%)
Privacy and security reflection
Assignment 2 – due 25 Aug 2017 (25%)
Team assignment
Risk assessment based on a case study
Assignment 3 – due 22 Sep 2017 (30%)
Team assignment
Develop privacy and data protection strategies based on an
updated case study
Assignment 4 – due 09 Oct 2017 (35%)
Team assignment
Develop PII privacy and data protection strategy
Assignments
Online Session
There will be an online lecture and tutorial session each
Thursday evening commencing at 19:00. These sessions will be
recorded.
The recordings will be uploaded to the ITC568 Resources site
so that you can either download or stream them.
ITC568
This subject will require you to conduct a reasonable amount of
research both on your own and as part of your governance team
The online sessions will be more of a guide followed by a
discussion. You should not rely on just the session notes to give
you enough information to successfully complete the subject.
ITC568 Online session format
It is highly recommended that you use a reference manager to
manage your references:
Mendeley - https://www.mendeley.com/
Zotero - https://www.zotero.org/
EndNote (CSU provided) -
http://libguides.csu.edu.au/c.php?g=482066&p=3296596
A reference manager will help you to correctly cite your sources
and build a reference list at the end of the assignment
You will be required to provide references in APA 6th edition
format in all ITC568 assignments.
Download one and start to use it TODAY!
ITC568 Reference Managers
Most governance work in industry or government is usually
conducted in small teams.
We will be using governance teams for most of our assignments.
These usually prove to be quite helpful as you can:
Share ideas,
Learn from and with each other, and
Develop a really good governance framework quickly by
working cooperatively.
Governance Teams
Introduction
What is Information Security?
The user view
What is Information Security?
The ICT view
Information Security
We can define InfoSec very simply as:
“The protection of data against unauthorised access” (Griffiths,
D. 2010)
But a more complete definition would be:
“preservation of confidentiality, integrity and availability of
information; in addition, other properties such as authenticity,
accountability, non-repudiation and reliability can also be
involved” (ISO/IEC 27001:2005(E), 2005)
This second definition provides a more accurate view of InfoSec
It is a view that looks to some of the particular needs of
business, but it can also be used to view our personal security
requirements as well
Information Security Goals
C.I.A.
Integrity
Confidentiality
Availability
Confidentiality
Confidentiality is the avoidance of the unauthorized disclosure
of information.
Confidentiality involves the protection of data, providing access
for those who are allowed to see it while disallowing others
from learning anything about its content.
Integrity
Integrity: the property that information has not been altered in an
unauthorized way.
Achieving Integrity:
Backups: the periodic archiving of data.
Checksums: the computation of a function that maps the
contents of a file to a numerical value. A checksum function
depends on the entire contents of a file and is designed in a way
that even a small change to the input file (such as flipping a
single bit) is highly likely to result in a different output value.
Data correcting codes: methods for storing data in such a way
that small changes can be easily detected and automatically
corrected.
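The difference between a checksum (detects a change) and a data correcting code (detects and repairs it), as an added example that is not part of the original slides. The sample record is constructed, and Hamming(7,4) is used here as one simple correcting code; the slides do not name a specific one.

```python
import hashlib
import zlib

# Constructed sample record, used only for this illustration.
RECORD = b"customer=1042;balance=250.00"


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with a single bit inverted (simulated corruption)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def checksums(data: bytes) -> tuple[int, str]:
    """CRC-32 catches accidental change; SHA-256 also resists crafted collisions.
    Neither is keyed: someone who can rewrite the file can recompute both, so
    the reference value has to be stored where they cannot reach it."""
    return zlib.crc32(data), hashlib.sha256(data).hexdigest()


def hamming74_encode(nibble: int) -> list[int]:
    """Encode 4 data bits as 7 bits laid out p1 p2 d0 p4 d1 d2 d3."""
    d = [(nibble >> i) & 1 for i in range(4)]
    p1 = d[0] ^ d[1] ^ d[3]   # covers positions 1, 3, 5, 7
    p2 = d[0] ^ d[2] ^ d[3]   # covers positions 2, 3, 6, 7
    p4 = d[1] ^ d[2] ^ d[3]   # covers positions 4, 5, 6, 7
    return [p1, p2, d[0], p4, d[1], d[2], d[3]]


def hamming74_decode(code: list[int]) -> tuple[int, int]:
    """Return (nibble, syndrome). A non-zero syndrome is the 1-based position
    of the bit that was flipped, which is repaired before decoding."""
    c = list(code)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s4 = c[3] ^ c[4] ^ c[5] ^ c[6]
    syndrome = s1 + 2 * s2 + 4 * s4
    if syndrome:
        c[syndrome - 1] ^= 1
    return c[2] | (c[4] << 1) | (c[5] << 2) | (c[6] << 3), syndrome


def encode_bytes(data: bytes) -> list[list[int]]:
    """Store every byte as two 7-bit codewords (low nibble first)."""
    words = []
    for byte in data:
        words.append(hamming74_encode(byte & 0x0F))
        words.append(hamming74_encode(byte >> 4))
    return words


def decode_bytes(words: list[list[int]]) -> tuple[bytes, int]:
    """Return (recovered data, number of codewords that needed a repair)."""
    out = bytearray()
    repaired = 0
    for i in range(0, len(words), 2):
        low, s_low = hamming74_decode(words[i])
        high, s_high = hamming74_decode(words[i + 1])
        repaired += (s_low != 0) + (s_high != 0)
        out.append(low | (high << 4))
    return bytes(out), repaired


def corrupt(words, word_index: int, positions) -> list[list[int]]:
    """Copy the codewords and flip the given 0-based bits of one codeword."""
    damaged = [list(w) for w in words]
    for pos in positions:
        damaged[word_index][pos] ^= 1
    return damaged


if __name__ == "__main__":
    print("checksum changed by one bit flip:",
          checksums(RECORD) != checksums(flip_bit(RECORD, 37)))
    stored = encode_bytes(RECORD)
    print("one flipped bit :", decode_bytes(corrupt(stored, 5, [3])))
    # Two flips in one codeword exceed what the code can repair: the decoder
    # "corrects" the wrong bit and returns altered data without any warning.
    print("two flipped bits:", decode_bytes(corrupt(stored, 5, [1, 6])))
```

The last case is why a correcting code is paired with a checksum or backup rather than used alone: beyond its design limit it silently returns wrong data.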
Availability
Availability: the property that information is accessible and
modifiable in a timely fashion by those authorized to do so.
Achieving Availability:
Physical protections: infrastructure meant to keep information
available even in the event of physical challenges.
Computational redundancies: computers and storage devices
that serve as fallbacks in the case of failures.
The Layered Approach to Security
Don’t rely on a single aspect to protect you, like castle walls
Add additional security measures like moats, narrow bridges,
strong imposing gates, portcullis, boiling oil, etc
Only allow entry through a controlled chokepoint – a gate
Keep a good lookout from an elevated position to see threats
from afar
Chokepoints
Chokepoints are used to control and monitor access
Chokepoints allow an organisation to concentrate resources on a
known point of security interest.
This point can then be controlled and monitored.
This increases the level of security as the organisation can now
focus on these areas of real concern.
The identification and use of chokepoints will also reduce the
chance of exposure as a result of configuration errors.
This is a more effective solution than trying to enforce many
security controls in many different areas simultaneously.
The use of chokepoints also helps to reduce security costs,
while increasing security effectiveness.
Top 12 threats to cloud services in 2016:
Data breaches
Insufficient Identity, Credential and Access Management
Insecure interfaces & APIs
System Vulnerabilities
Account hijacking
Malicious Insiders
Advanced Persistent Threats
Data Loss
Insufficient Due Diligence
Abuse and nefarious use of Cloud Services
Denial of Service
Shared Technology Issues
Threats and Issues
Cloud Security Alliance. (2016). The Treacherous 12. Cloud
Computing Top Threats in 2016. Retrieved from
https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
The Australian Signals Directorate has produced a number of
publications for both consumers and providers of cloud services
The cloud computing security considerations document looks at:
Maintaining availability & functionality
Protecting data from unauthorised access by:
Third parties
Other cloud consumers
Rogue provider employees
Handling security incidents
These documents also give some non-exhaustive & detailed
security considerations at
http://www.asd.gov.au/publications/protect/Cloud_Computing_Security_Considerations.pdf
https://www.asd.gov.au/publications/protect/essential-eight-explained.htm
Threats and Issues
The Deming Cycle
Plan
What are the threats faced?
What are the risks faced?
What are the organisation’s requirements?
Do
Cloud Security
Privacy of your data
Check
Incident response
Forensics
Act
Governance
Auditing
Managing Cloud Security
Download and install a reference manager
Start looking at assignment 1. It requires you to:
Read Chapter 2 of the text
Start thinking about how you will answer the questions
Start looking for information about these case studies to ensure
that you have all the information you need – make sure that you
record the references!
Essential tasks
Essential reading:
Ko, R., Choo, K. (2015). Cloud security ecosystem. In Ko, R.,
& Choo, K.(Eds.). (2015). The Cloud Security Ecosystem:
Technical, Legal, Business and Management Issues. Waltham,
MA: Syngress.
Lau, Y. (2015). Cybercrime in cloud: Risks and responses in
Hong Kong, Singapore. In Ko, R., & Choo, K.(Eds.). (2015).
The Cloud Security Ecosystem: Technical, Legal, Business and
Management Issues. Waltham, MA: Syngress.
Cloud Security Alliance. (2016). The Treacherous 12. Cloud
Computing Top Threats in 2016. Retrieved from
https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
Research task:
What is the McCumber Cube? How does this cube help you to
assess information security?
Don’t forget to store the references you find!
Tasks
ITC568
Cloud Privacy and Security
Digital Identity and Privacy
Week 2
Dr Peter White
Digital Identity
Privacy and Identity
Agenda
What is a Digital Identity?
Sullivan defines it as
“Digital identity is all the information digitally recorded about
an individual. i.e. a natural person that is accessible under the
particular scheme”
What is the purpose of a digital identity?
What do you use a digital identity for?
When do you create one?
Digital Identity
Digital identity is now emerging as an important concept for
government
Services for citizens are being moved online to provide:
Better transactional efficiency
Reduction in operating costs
24x7 access to a range of different services
But, the move online has created challenges
Legislative issues & requirements
Identity assurance issues
People have more than one identity
Fraud issues, including identity theft
Government identity systems require uniqueness & exclusivity:
one person = one identity
Digital Identity
Sullivan sees a digital identity as having two components:
A set of defined, static information that is presented for a
transaction, such as name, address, DoB, and other identifying
information, such as numerical identifier, signature, etc.
What other information do you think should be included here to
ensure proper identification?
For a private use digital identity?
For a government use digital identity?
Should it include biometric information?
Digital Identity
Sullivan, C. (2015). Protecting digital identity in the cloud. In
Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security
Ecosystem: Technical, Legal, Business and Management Issues.
Waltham, MA: Syngress.
Transactional data.
This is a larger collection of “other” information that is tied to
the transaction identity.
Note her use of terminology here – transaction identity.
What do you think this means?
Transactional data is dynamic & augmented on an ongoing basis
This data is generally considered personal information & not
available in the public domain
This data is often protected by privacy laws and regulations
Digital Identity
Digital identification has two phases:
Authentication of identity
Verification of identity
This process is based on the integrity of transaction identity
Digital Identification
Authentication
An identity claim is authenticated by the claimant providing
identifying information, such as:
User name and password,
Identity number and password
Biometrics and password
Identifying information is regarded as being associated
inseparably with the individual
Digital Identification
Verification
The authenticated digital identity can now be used to verify
transactions, such as renew licences, claim Medicare rebates,
complete tax returns, etc.
Digital Identification
Note that a human is not absolutely essential to the
identification process.
Identification can be on a computer to computer basis using
previously stored, and verified identity claims
Think about Medicare rebates – the Doctor’s surgery handles
the complete claim for you, including identifying the patient to
Medicare
Digital Identification
Identity Management has been defined as “the administration of
an entity’s digital identity so as to provide secure and
controlled access to the resources that the entity is entitled to
use” (White, 2009, p. 5)
The ‘administration of an entity’s digital identity’ implies that
all aspects of that administration, including identification of the
entity and the issuing of credentials, are part of the identity
management process.
It also implies the continued maintenance of the identity and its
credentials throughout their life-cycles.
The need to provide ‘secure and controlled access’ entails not
only the use of a system of authentication to ensure that only
the correct identities are allowed access, but it also includes
access control of the enterprise's resources. This ensures that the
authenticated identity only has access to those resources that it
is entitled to use.
The use of the phrase ‘entitled to use’ further implies that there
must be a system of provisioning to ensure that an identity is
granted access only to the resources that it is entitled to access.
This leads to the implication that a system of governance must
be in place to monitor the entire process of identity
management.
Identity Management
Identity Management
Authentication & Authorisation
The process of authentication takes a user to an authentication
module
There the user’s credentials are compared with the stored set
If the credentials match, authentication then occurs
The user is then passed to an authorisation module
Authorisation is the process of granting the user access to
resources that they are entitled to access
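The two-module flow above, together with the provisioning and governance points from the Identity Management slide, as an added example that is not part of the original slides. `IdentityStore`, `handle_request`, the resource names and the PBKDF2 work factor are all assumptions made for this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


class IdentityStore:
    """Hypothetical store holding credentials and provisioned entitlements."""

    def __init__(self):
        self._credentials = {}    # username -> (salt, derived key); no plaintext kept
        self._entitlements = {}   # username -> set of (resource, action)
        self.audit_log = []       # governance: every decision is recorded
        # Dummy credential so unknown usernames cost the same work as known ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enrol(self, username: str, password: str, entitlements=()):
        """Issue a credential and provision the initial entitlements."""
        salt = os.urandom(16)
        self._credentials[username] = (salt, self._derive(password, salt))
        self._entitlements[username] = set(entitlements)

    def provision(self, username: str, resource: str, action: str):
        self._entitlements[username].add((resource, action))

    def deprovision(self, username: str, resource: str, action: str):
        self._entitlements[username].discard((resource, action))

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication module: compare the presented credential with the stored one."""
        known = username in self._credentials
        salt, stored = self._credentials.get(username, self._dummy)
        # Constant-time comparison, so timing does not leak how much matched.
        matches = hmac.compare_digest(self._derive(password, salt), stored)
        ok = known and matches
        self.audit_log.append(("authenticate", username, ok))
        return ok

    def authorise(self, username: str, resource: str, action: str) -> bool:
        """Authorisation module: deny unless the entitlement was provisioned."""
        ok = (resource, action) in self._entitlements.get(username, set())
        self.audit_log.append(("authorise", username, resource, action, ok))
        return ok


def handle_request(store, username, password, resource, action) -> str:
    """Authentication always runs first; authorisation only sees authenticated users."""
    if not store.authenticate(username, password):
        return "401 not authenticated"
    if not store.authorise(username, resource, action):
        return "403 not entitled"
    return "200 ok"


if __name__ == "__main__":
    store = IdentityStore()
    store.enrol("alice", "correct horse battery staple", [("licence", "renew")])
    pw = "correct horse battery staple"
    print(handle_request(store, "alice", pw, "licence", "renew"))
    print(handle_request(store, "alice", "guess", "licence", "renew"))
    print(handle_request(store, "alice", pw, "tax-return", "submit"))
    for entry in store.audit_log:
        print(entry)
```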
Question:
Is having less data about an individual equal to better privacy?
Answer:
It depends.
A single fingerprint stored may be more invasive than a full
credit history
A small amount of identity information that is shared with
numerous parties may be more invasive
A small amount of identity information that is not secured may
be catastrophic for the individual
A small amount of identity information may be used to profile
an individual that can have consequences ranging from
reputational damage to criminal charges
Privacy issues
Privacy guidelines
Openness.
The existence of systems containing personal data should be
publicly known, along with a description of the system's main
purposes and uses of the personal data in the system.
Individual participation.
Individuals should have a right to view all information that's
collected about them. They should also be able to correct or
remove data that isn't timely, accurate, relevant, or complete.
Collection limitation.
Limits to the collection of personal data should exist. Personal
data should be collected by lawful and fair means and, where
appropriate, with the individual's knowledge or consent.
Data quality.
Personal data should be relevant to the purposes for which it's
collected and used. It should be accurate, complete, and timely.
Finality.
The use and disclosure of personal data should be limited.
Personal data should be used only for the purposes specified at
the time of collection and shouldn't be otherwise disclosed
without the consent of the individual or other legal authority.
Security.
Personal data should be protected by reasonable security
safeguards against such risks as loss, unauthorized access,
destruction, use, modification, and disclosure.
Accountability.
The keepers of personal data should be accountable for
complying with fair information practices.
Privacy Issues
Additional principles:
Diversity and decentralization.
Enrolment and authentication options should let individuals
choose the appropriate key for a specific need. Designers should
resist centralising identity information or using a single
credential for multiple purposes.
Proportionality.
The amount, type, and sensitivity of identity information
collected and stored should be consistent with and proportional
to the system's purpose.
Privacy by design.
Privacy considerations should be incorporated into the identity
management system from the outset of the design process.
Considerations include safeguards for the physical system
components as well as policies and procedures that guide the
system's implementation.
Privacy Issues
Privacy architecture
Privacy considerations:
Lack of user control
Unauthorised secondary use
Data proliferation and cross border data flows
Dynamic provisioning
Privacy in the Cloud
Security considerations:
Access – legal right to access data held
Control over the data lifecycle
Availability & backup
Lack of interoperability standards
Multi-Tenancy
Audit
Privacy in the Cloud
Trust issues:
Trust boundaries
Shared responsibility boundaries
Non-transitive trust issues with use of subcontractors or other
cloud providers
Customer trust issues – usually from lack of visibility or control
Legal issues between jurisdictions
Privacy in the Cloud
Data handling mechanisms
Classifying data
Data location policies
Data security mitigation
Encryption?
Data classifications
Privacy design
Standardisation
Accountability
Auditing & reviews
Increase trust
Governance frameworks, privacy rules, etc.
Addressing the issues
Read:
Sullivan, C. (2015). Protecting digital identity in the cloud. In
Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security
Ecosystem: Technical, Legal, Business and Management Issues.
Waltham, MA: Syngress
White, P. (2008). Identity Management Architecture: A New
Direction. Paper presented at the 8th International Conference
on Computer and Information Technology CIT 2008, Sydney.
http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/4594710/
Hansen, M., Schwartz, A., & Cooper, A. (2008). Privacy and
Identity Management. IEEE Security & Privacy, (2), 38-45.
http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/4489848/
Pearson, S., & Benameur, A. (2010). Privacy, Security and
Trust Issues Arising from Cloud Computing. Paper presented at
the IEEE Second International Conference on Cloud Computing
Technology and Science (CloudCom), 2010.
http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/5708519/
Watch
Digital Identity videos on Interact
Tasks
ITC568
Cloud Privacy and Security
Threats and Risks
Week 3
Dr Peter White
Data centres and security models
Threats and Risks
Considerations
Agenda
Our data and applications are stored in, and run from, data
centres
Characteristics of a data centre include:
Network
Storage
Compute resources
Reliability
Maintenance
But, Yang sees the essential characteristics as:
On-demand access
Measured service
Network access
Resource pooling
Virtualization
Reliability
Maintenance
Notice how Yang’s characteristics align with the NIST Cloud
characteristics?
Data Centres
Yang, Li; “Network-aware Job Placement in Data Center
Environments,” University of Calgary, 2014
Internal: a data centre run by a single enterprise for its own
operations
Network – dedicated internal network, perhaps some external
access available
Storage – Internal storage on SAN, NAS or similar
Compute resources – can be physical or virtualised
Reliability – multiple copies of data, backup to tape, DR plan,
UPS and environment controls
Maintenance – dedicated internal IT team
Internal data centres
Hybrid: a data centre that is split across two or more
geographically diverse locations
Network – dedicated internal network, external access available,
spanned between multiple DCs, more bandwidth and channels
required
Storage – storage on SAN, NAS, etc, replicated between DCs,
data tiering between DCs,
Compute resources – few physical, mostly virtual, spanned
between DCs, some automation, some VDI infrastructure
Reliability – multiple copies of data in both DCs, data tiering
backup to tape, DR plan, UPS and environment controls
Maintenance – dedicated internal IT team, external provider in
remote DCs
Hybrid data centres
External: a data centre that is run for an enterprise by an
external provider
Network – dedicated internal network with external access to
DC (Cloud?), more bandwidth and channels required
Storage – StaaS in external DC,
Compute resources – IaaS, PaaS, SaaS from external provider,
move to VDI for users
Reliability – multiple copies of data in different locations, data
tiering, backup to Cloud, DR plan
Maintenance – external provider
External data centres
Internal
Concentric layered defence
Essentially firewall based
Hard exterior shell with trusted internal traffic
Hybrid
Concentric layered defence with VPN tunnels between DCs
Modified version of Internal
External
Shared responsibility model
Ability to deploy different security models and techniques
Scalable approach
Security models
The Cloud Security Alliance (CSA) describes the current top
threats in the Cloud ecosystem
Data breaches
Insufficient identity, credential and access management
Insecure interfaces and APIs
System vulnerabilities
Account hijacking
Malicious insiders
Advanced persistent threats
Data loss
Insufficient due diligence
Abuse of cloud services
Denial of service
Shared technology issues
Threats
The CSA document is essential reading as it gives you:
A description of the security concern and the cloud service
models it affects,
A threat analysis
Business impacts
Anecdotes and examples,
Cloud Control Matrix (CCM) control IDs to assist in applying
controls
Links to further information
Download the CCM from
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
Threats
The Australian Signals Directorate (ASD) has a paper on cloud
security considerations which is essential reading. It covers:
Maintaining availability & business functionality
Protecting data from unauthorised access
Handling security incidents
Cloud Security Considerations
The ASD also put out a series of strategies to mitigate Cyber
Security incidents known as the Essential Eight:
Application whitelisting
Patch applications
Disable MS Office macros
User application hardening
Restrict admin privileges
Patch operating systems
Multi-factor authentication
Daily backup of data
Cloud Security Considerations
Johnson defined threats and vulnerabilities as follows:
Threat: Who might attack against what assets, using what
resources, with what goal in mind, when/where/why, and with
what probability. There might also be included some general
aspect of the nature of the attack (e.g., car bombing, theft of
equipment, etc.), but not details about the attack or the security
measures that must be defeated and the Vulnerabilities to be
exploited.
Vulnerability: a specific weakness in security (or a lack of
security measures) that typically could be exploited by multiple
adversaries having a range of motivations and interest in a lot of
different assets.
Threats and Vulnerabilities
Threat: Adversaries might install malware in the computers in
our Personnel Department so they can steal social security
numbers for purposes of identity theft.
Vulnerability: The computers in the Personnel Department do
not have up to date virus definitions for their anti-malware
software.
Threat: Thieves could break into our facility and steal our
equipment.
Vulnerability: The lock we are using on the building doors is
easy to pick or bump.
Threats and Vulnerabilities
Taxonomy of attacks
Juliadotter & Choo’s taxonomy allows us to look at the type and
breadth of attacks
The goal with such a taxonomy is to allow us to quickly
determine both the type of the attack and then the appropriate
countermeasures
This provides some background information that is valuable
when you are initially planning your security measures
It is a bit cumbersome, in its present format, for use in
countermeasures
These taxonomies contain valuable information for planning
your security approach
Attacks and Taxonomy
Cloud Security challenges
Ali, M., Khan, S., & Vasilakos, A. (2015). Security in Cloud
Computing: Opportunities and challenges. Information
Sciences, 305(2015), 357-383
Khan’s paper also takes a taxonomic approach to attacks
Like Juliadotter & Choo, he concentrates on the technical
aspects of attacks against the cloud
His tables in section 3 of his paper are also valuable sources of
information on various attacks and their countermeasures.
Cloud Security Challenges
Social engineering is defined as:
the use of social disguises, cultural ploys, and psychological
tricks to get computer users to assist hackers in their illegal
intrusion or use of computer systems and networks
Abraham, S., & Chengalur-Smith, I. (2010). An overview of
social engineering malware: Trends, tactics, and
implications. Technology in Society, 32(3), 183-196.
Social engineering is one of the strongest weapons in the
armoury of hackers and malware writers, as it is much easier to
trick someone into giving his or her password for a system than
to spend the effort to hack into the target system
We need to recognise in our plans that social engineering of our
users may defeat our technical & technological plans and
countermeasures
Social engineering
Read:
The CSA’s treacherous 12
The ASD Cloud Considerations
The ASD Essential 8
Download and read the CCM from
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
Tasks
ITC568
Cloud Privacy and Security
Risk assessment models and techniques
Week 4
Dr Peter White
Evaluate risks for data privacy and security
Analyse the legal, ethical & business concerns for data privacy
and security
Evaluate risk management techniques
Agenda
Risk management is defined as:
“The identification, assessment and prioritization of risks
followed by the coordinated and economical application of
resources to minimize, monitor and control the probability
and/or impact of unfortunate events” Hubbard, D. W. (2009).
The Failure of Risk Management: Why It's Broken and How to
Fix It. Somerset, NJ: John Wiley & Sons.
It can also be summed up as:
Being smart about taking chances
Risk management
Risk Management
Realistically, InfoSec is all about Risk Management:
You are applying some controls, or security measures, to reduce
the risk of a threat occurring in your environment
Risk - The level of impact on organizational operations
(including mission, functions, image, or reputation),
organizational assets, or individuals resulting from the
operation of an information system given the potential impact of
a threat and the likelihood of that threat occurring (NIST, 2010)
So, to be realistic about what controls or measures to apply, you
need to be aware of what risk you face
You also need to be aware that applying controls can also create
new risks:
Strong and imposing gates can also be a weak point
if the invaders have the right equipment, or find a way
to bypass them
A chokepoint can also be a single point of failure
Risk management is not just about assessing risk
It includes policies on:
The level of acceptable risk
Controls to minimise the risk
It also includes communication about the risk
Approaches
Risk Management is comprised of:
Risk Identification,
Risk Analysis,
Risk Evaluation,
Risk Treatment, and
Monitoring and Review
ISO/IEC 31010:2009 discusses a number of ways that we
implement the identification, analysis, evaluation and
monitoring of risks
A Basic Approach to Risk Management
Standards Australia. (2009). AS/NZS ISO 31000:2009 Risk
management - Principles and guidelines Sydney: Standards
Australia.
Risk Identification
Need to understand all the risks to the enterprise
Iterative process that could take up to 3 years, or more, to
achieve!
Develop knowledge of threats to enterprise
Natural causes - storms, etc.
Man made threats
Technical & technology threats
Supply threats - water, sewer, electricity, communications, etc.
Identify the mitigation controls and recovery processes for each
identified case of:
Natural causes
Man made threats
Technical and Technology threats
Supply threats
Basic Risk Assessment - Identification
Risk Analysis:
Asset inventory:
What are the assets?
What has to be protected?
Asset valuation
Identify protection priority (sensitivity value or other measure?)
Vulnerability analysis
What are the inherent weaknesses in our assets
Threat analysis:
What can hurt our assets
Basic Risk Assessment – Analysis
Risk Evaluation:
Evaluate likelihood and impact
Quantify the risk to the assets.
Evaluate possible preventative response and recovery controls:
What do we do to stop the threats?
How do we reduce the impact of a threat if it occurs?
Cost evaluation and justification
What is the cost of the control vs benefit derived
Create risk assessment report
Basic Risk Assessment – Evaluation
Risk Management is:
The actions taken to manage the threats prudently
Management approves controls that are developed in the Risk
Assessment:
The controls are based on Management’s tolerance for risk,
their budget and other pressures;
The aim of the Risk Management treatment is to:
Mitigate, transfer or avoid risk
Controls are implemented and integrated:
Administrative, technical and physical controls
Controls are used to Prevent, Deter, Delay, Detect, Assess,
Respond, Recover from Risk
It is essential that users are trained to use any new controls
Controls must be utilised, monitored, maintained and refined
over time
Controls are evaluated for effectiveness over time using agreed
metrics
The implemented Risk Management program becomes the new
“normal” state of the enterprise security posture
Basic Risk Management – Treatment
Start with the standard TRA based on ISO/IEC 31000 Risk
Management, then consider some cloud specific risks:
Compliance requirements
Shared roles and responsibilities in a cloud environment
Responsibility for assets
Access control
Segregation in shared computing environments
VM hardening
Changes to operational procedures
Changes to operational security
Logging and monitoring
Virtual network security management
Cryptography
Incident management
Endpoint security
Cloud Threat and Risk Assessment – ISO/IEC 27017: 2015
Data storage
Type of data
Mission critical data
Customer data
Identifiable
Transactional
Public access data
Ephemeral data (short lived)
Level of confidentiality required – classification?
Are access controls imposed on the data?
Data issues - Storage
How & what data is being collected?
Customers
Requested Personally Identifiable Information (PII)
Requested non-identifiable information?
Can that be confirmed as non-identifiable?
How?
Can it become identifiable if it is aggregated?
Anonymous information
Unsolicited personal information
Corporate data
What data is requested from customers?
Crowd sourced data
Unsolicited data
Marketing data (website tracking, etc)
Can that data identify individual customers/users?
Data issues - Collection
Data may not intrinsically be regarded as private or in need of
security
But, if data is aggregated:
Could that aggregation identify persons, issues or potential
security problems?
Can the aggregated data be de-identified in such a way as to
preclude subsequent identification?
Would the data mining of apparently unassociated data sets lead
to identification of people?
Data issues - Aggregation
Does transactional data require privacy and security controls?
Consider:
Sales transactions from an online retailer
Financial transactions through a bank’s website
Record/licence transactions with a Government Agency – e.g.
Renew your car registration
Complete a survey from a retailer/supplier that you deal with
Data issues – Transactional data
There may be a number of legal issues that come into play with
data in the cloud.
We will look at these in the next two topics in more detail, but
you will need to consider:
Business continuity and disaster recovery plans
Data location and retrieval
Legal and regulatory environment
Information governance and management
Privacy
Security
Licensing
16
Data issues - Legal
How are you going to secure your data in the Cloud?
Where will it be located?
How will it be stored?
Will it be encrypted?
At rest?
In transit?
How will it be securely updated?
How will it be securely delivered?
What about backups and archiving?
17
Data issues - Security
Who has access to your data in the cloud?
Internal access:
Who can access it?
Is the access appropriate?
What can they do with it?
Who has elevated privilege access? Why?
Who loads/updates/deletes/backup/archives data? When?
External access:
Who can access it?
Is the access appropriate?
Is it through a secure channel?
What can they do with the data?
18
Data issues - Access
An alternative approach to risk assessment is to assess risk
using attack vectors:
Source – the threat agent
Vector – method of operation
Vulnerability - the weakness that can be exploited
Target - the aim of the attack
Impact - Confidentiality, Integrity, Availability
Defence - how to close or defend the weakness
19
Attack Risk Assessment
This approach is based on the OWASP approach
(https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology)
and uses the following factors:
Threat Agents:
Skill level
Motive
Opportunity
Size
Vulnerability
Ease of discovery
Ease of exploit
Awareness
Intrusion detection
20
Attack Risk Assessment
Technical impact
Loss of confidentiality
Loss of integrity
Loss of availability
Loss of accountability
Business impact
Financial damage
Reputational damage
Non-compliance
Privacy violation
21
Attack Risk Assessment
22
Assessing severity
From:
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
23
Assessing risk
From:
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
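The factor lists and the severity and risk slides above, worked through as an added example (not part of the lecture or of OWASP's own material). Following the OWASP Risk Rating Methodology, each factor is scored 0 to 9, likelihood is the mean of the eight threat agent and vulnerability factors, impact is the mean of the business factors when they are known and of the technical factors otherwise, and the two levels are combined through the overall severity matrix. The two sample risks, their names and all their scores are constructed for illustration.

```python
"""OWASP Risk Rating calculator. Added example; the sample scores are constructed."""

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness",
                 "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputational_damage",
                   "non_compliance", "privacy_violation")

# OWASP overall risk severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("MEDIUM", "LOW"): "Low", ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low", ("MEDIUM", "MEDIUM"): "Medium",
    ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Map a 0-9 score to the OWASP bands: below 3 LOW, 3 to below 6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score!r} is outside 0-9")
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"


def average(scores, factors):
    """Mean of the named factors; rejects missing or out-of-range scores."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError("unscored factors: " + ", ".join(missing))
    for f in factors:
        level(scores[f])  # used here only as the 0-9 range check
    return sum(scores[f] for f in factors) / len(factors)


def rate(risk):
    """Return likelihood, impact and overall severity for one scored risk."""
    likelihood = average(risk["likelihood"], THREAT_AGENT + VULNERABILITY)
    technical = average(risk["technical"], TECHNICAL_IMPACT)
    business = risk.get("business")
    if business is not None:
        # Business impact takes precedence when the assessor can score it.
        impact, basis = average(business, BUSINESS_IMPACT), "business"
    else:
        impact, basis = technical, "technical"
    return {
        "name": risk["name"],
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact), "impact_basis": basis,
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }


# Constructed sample risk 1: confidential records exposed from a shared database.
CLIENT_RECORDS = {
    "name": "Confidential records exposed from shared cloud database",
    "likelihood": {"skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,
                   "ease_of_discovery": 7, "ease_of_exploit": 5,
                   "awareness": 6, "intrusion_detection": 8},
    "technical": {"loss_of_confidentiality": 7, "loss_of_integrity": 3,
                  "loss_of_availability": 1, "loss_of_accountability": 7},
    "business": {"financial_damage": 3, "reputational_damage": 5,
                 "non_compliance": 7, "privacy_violation": 9},
}

# Constructed sample risk 2: no business scores, so technical impact is used.
PUBLIC_PAGE = {
    "name": "Public web page content altered",
    "likelihood": {"skill_level": 1, "motive": 1, "opportunity": 4, "size": 2,
                   "ease_of_discovery": 3, "ease_of_exploit": 3,
                   "awareness": 4, "intrusion_detection": 3},
    "technical": {"loss_of_confidentiality": 2, "loss_of_integrity": 1,
                  "loss_of_availability": 1, "loss_of_accountability": 1},
}

if __name__ == "__main__":
    for sample in (CLIENT_RECORDS, PUBLIC_PAGE):
        r = rate(sample)
        print(f"{r['name']}: likelihood {r['likelihood']:.2f} "
              f"({r['likelihood_level']}), {r['impact_basis']} impact "
              f"{r['impact']:.2f} ({r['impact_level']}) -> {r['severity']}")
```

Scoring the first sample on technical impact alone gives High rather than Critical, which is why the choice between technical and business impact should be recorded with the rating.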
Read:
Juliadotter, N., & Choo, K. (2015). CATRA: Conceptual cloud
attack taxonomy and risk assessment framework. In Ko, R., &
Choo, K. (Eds.). (2015). The Cloud Security Ecosystem:
Technical, Legal, Business and Management Issues. Waltham,
MA: Syngress. (Chapter 3)
Nidd, M., Ivanova, M., Probst, C., & Tanner, A. (2015).
Tool-based risk assessment of cloud infrastructures as
socio-technical systems. In Ko, R., & Choo, K. (Eds.). (2015).
The Cloud Security Ecosystem: Technical, Legal, Business and
Management Issues. Waltham, MA: Syngress. (Chapter 22)
National Institute of Standards and Technology. (2016). Risk
Management Framework. Gaithersburg, MD: National Institute
of Standards and Technology. Retrieved from
http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/
Amazon Web Services. (2014). Amazon Web Services: Risk and
Compliance. Retrieved from
http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
Office of Finance and Services. (2014). OFS ICT Cloud Service
Guidelines. Sydney: Office of Finance and Services,
Department of Treasury. Retrieved from
http://arp.nsw.gov.au/sites/default/files/Cloud%20Services%20Policy%20and%20Guidelines.pdf
OWASP. (2013). OWASP Risk Rating Methodology. Open Web
Application Security Project. Viewed 17 May 2017,
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
24
Tasks
Scenario
You are the principal consultant for a community based Charity.
The Charity is involved in locating and providing
accommodation, mental health services, training and support
services to disadvantaged people in the community.
The Charity currently runs a small data centre that has some 50
x86 64 bit servers running mainly Windows Server 2008 R2 for
desktop services, database and file services. It also has 10 Red
Hat Enterprise Linux 5 servers to service public facing Web
pages, Web services and support.
The Charity is considering joining a community cloud provided
by a public cloud vendor in order to provide a number of
applications to all 500 support staff and administrative users. A
small number of the Charity's applications are mission critical
and the data that those applications use is both confidential and
time sensitive.
The community cloud would also be used to store the Charity's
200TB of data. The data would be held in a SaaS database run
by the public cloud vendor. The Charity's data contains a
considerable amount of confidential information about the
people to whom the Charity provides services.
The Charity collects PII data on the clients who use its services
so that it can assist them to manage their different service
requirements. This PII data also includes holding some digital
identity data for some of the more disadvantaged clients,
particularly if they also have mental health issues.
The cloud vendor has made a presentation to management that
indicates that operational costs will drop dramatically if the
cloud model is adopted. However, the Board of the Charity is
concerned with the privacy and security of the data that it holds
on the people that it provides services to in the community. It is
concerned that a data breach may cause considerable damage to
substantially disadvantaged people in the community.
The Board asks that you prepare a report that proposes
appropriate privacy and security policies for the Charity's data.
The charity has also decided to:
· Purchase a HR and personnel management application from a
US based company that provides a SaaS solution.
· The application will provide the charity with a complete HR
suite, which will also include performance management. The
application provider has advised that the company's main
database is in California, with a replica in Dublin, Ireland.
However, all data processing, configuration, maintenance,
updates and feature releases are provided from the application
provider's processing centre in Bangalore, India.
· Employee data will be uploaded from the charity daily at
12:00 AEST. This will be processed in Bangalore before being
loaded into the main provider database.
· Employees can access their HR and Performance Management
information through a link placed on the Charity intranet. Each
employee will use their internal charity digital ID to
authenticate to the HR and Performance management system.
The internal digital ID is generated by the charity's Active
Directory instance and is used for internal authentication and
authorisation.
· Move the charity payroll to a COTS (Commercial Off The
Shelf) application that it will manage in a public cloud;
· Move the charity Intranet into a Microsoft SharePoint PaaS
offering so that it can provide Intranet services to all agencies
in the WofG.
Tasks
You have been engaged to provide a risk assessment for the
planned moves to SaaS application offerings.
You are to write a report that assesses the risks to the charity
for just their planned moves in the HR area:
1. Consider the data and information that the charity holds on
its employees in the current HR system.
   1. Establish the existing threats and risks to the security of
   that data and information contained in the in-house HR
   database. (10 marks)
   2. Are there any additional risks and threats to employee data
   that may arise after migration to an SaaS application? (10
   marks)
   3. Assess the resulting severity of risk and threat to employee
   data. (10 marks)
2. Consider the privacy of the data for those employees who
will move to an SaaS application.
   1. Establish the existing threats and risks to the privacy of
   that data and information contained in the in-house HR
   database. (10 marks)
   2. Are there any additional risks and threats to the privacy of
   the employee data after migration to an SaaS application? (10
   marks)
   3. Assess the resulting severity of risk and threat to the
   privacy of employee data. (10 marks)
3. What are the threats and risks to the digital identities of
charity employees from the move to SaaS applications? (10
marks)
4. Consider the operational solution and location(s) of the SaaS
provider for HR management. Does either the operational
solution, or the operational location, or both, increase or
mitigate the threats and risks identified for the security and
privacy of employee data? (20 marks)
5. Are there any issues of ethics, data sensitivity or jurisdiction
that should be considered by the charity? (10 marks)
You are to provide a written report with the following headings:
· Security of Employee Data
· Privacy of Employee Data
· Digital Identity Issues
· Provider Solution Issues
· Data Sensitivity
As a rough guide, the report should not be longer than about
5,000 words.

Paris 2024 Olympic Geographies - an activity
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
 
Blooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxBlooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 

ITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docx

  • 1. ITC568 Cloud Privacy and Security The Cloud Security Ecosystem Week 1 Dr. Peter White Course Administration Introduction The Cloud Security Ecosystem Cybercrime in the Cloud © P White, 2017 Agenda 2 Contact Lecturer: Email [email protected] (put ITC568 in the subject line)
  • 2. © P White, 2017 Course Administration 3 3 Assignment 1 – due 11 August 2017 (10%) Privacy and security reflection Assignment 2 – due 25 Aug 2017 (25%) Team assignment Risk assessment based on a case study Assignment 3 – due 22 Sep 2017 (30%) Team assignment Develop privacy and data protection strategies based on an updated case study Assignment 4 – due 09 Oct 2017 (35%) Team assignment Develop PII privacy and data protection strategy © P White, 2017 Assignments 4 Online Session There will be an online lecture and tutorial session each
  • 3. Thursday evening commencing at 19:00. These sessions will be recorded. The recordings will be uploaded to the ITC568 Resources site so that you can either download or stream them. ITC568 5 © P White, 2017 This subject will require you to conduct a reasonable amount of research both on your own and as part of your governance team The online sessions will be more of a guide followed by a discussion. You should not rely on just the session notes to give you enough information to successfully complete the subject. ITC568 Online session format 6 © P White, 2017 It is highly recommended that you use a reference manager to manage your references: Mendeley - https://www.mendeley.com/ Zotero - https://www.zotero.org/ EndNote (CSU provided) - http://libguides.csu.edu.au/c.php?g=482066&p=3296596 A reference manager will help you to correctly cite your sources and build a reference list at the end of the assignment You will be required to provide references in APA 6th edition format in all ITC568 assignments.
  • 4. Download one and start to use it TODAY! 7 ITC568 Reference Managers © P White, 2017 Most governance work in industry or government is usually conducted in small teams. We will be using governance teams for most of our assignments. These usually prove to be quite helpful as you can: Share ideas, Learn from and with each other, and Develop a really good governance framework quickly by working cooperatively. Governance Teams 8 © P White, 2017 © P White, 2017 Introduction 9
  • 5. What is Information Security? The user view © Peter White, 2017 10 What is Information Security? The ICT view © Peter White, 2017 11 Information Security We can define InfoSec very simply as: “The protection of data against unauthorised access” (Griffiths, D. 2010) But a more complete definition would be: “preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved” (ISO/IEC 27001:2005(E), 2005) This second definition provides a more accurate view of InfoSec It is a view that looks to some of the particular needs of business, but it can also be used to view our personal security requirements as well 12
  • 6. © Peter White, 2017 Information Security Goals 13 C.I.A. Integrity Confidentiality Availability © Peter White, 2017 13 Confidentiality 14 Confidentiality is the avoidance of the unauthorized disclosure of information. Confidentiality involves the protection of data, providing access for those who are allowed to see it while disallowing others from learning anything about its content. © Peter White, 2017
  • 7. 14 Integrity 15 Integrity: the property that information has not been altered in an unauthorized way. Achieving Integrity: Backups: the periodic archiving of data. Checksums: the computation of a function that maps the contents of a file to a numerical value. A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value. Data correcting codes: methods for storing data in such a way that small changes can be easily detected and automatically corrected. © Peter White, 2017 15 Availability 16 Availability: the property that information is accessible and modifiable in a timely fashion by those authorized to do so.
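The checksum and data-correcting-code techniques listed under Achieving Integrity, as an added Python example that is not part of the original slides: a SHA-256 digest detects a single flipped bit, and a Hamming(7,4) code (chosen here as one simple correcting code) repairs it. The sample record and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample record; not taken from the slides.
RECORD = b"patient_id=1042;rebate=38.75"


def sha256_hex(data: bytes) -> str:
    """Checksum that depends on the entire contents of the data."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming74_encode(nibble: int) -> int:
    """Encode 4 data bits as a 7-bit codeword (positions 1, 2, 4 are parity)."""
    d = [(nibble >> i) & 1 for i in range(4)]
    p1 = d[0] ^ d[1] ^ d[3]  # covers positions 1, 3, 5, 7
    p2 = d[0] ^ d[2] ^ d[3]  # covers positions 2, 3, 6, 7
    p4 = d[1] ^ d[2] ^ d[3]  # covers positions 4, 5, 6, 7
    bits = [p1, p2, d[0], p4, d[1], d[2], d[3]]  # index 0 is position 1
    return sum(bit << i for i, bit in enumerate(bits))


def hamming74_decode(codeword: int) -> tuple:
    """Return (nibble, syndrome); a non-zero syndrome is the repaired position."""
    syndrome = 0
    for pos in range(1, 8):
        if (codeword >> (pos - 1)) & 1:
            syndrome ^= pos  # XOR of set positions is 0 for a valid codeword
    if syndrome:
        codeword ^= 1 << (syndrome - 1)  # flip the bit the syndrome points at
    data_positions = (3, 5, 6, 7)
    nibble = sum(((codeword >> (p - 1)) & 1) << i
                 for i, p in enumerate(data_positions))
    return nibble, syndrome


def protect(data: bytes) -> list:
    """Store each byte as two codewords: low nibble first, then high nibble."""
    stored = []
    for byte in data:
        stored.append(hamming74_encode(byte & 0x0F))
        stored.append(hamming74_encode(byte >> 4))
    return stored


def recover(stored: list) -> tuple:
    """Decode the stored codewords; return (data, number of codewords repaired)."""
    out = bytearray()
    repaired = 0
    for low_cw, high_cw in zip(stored[0::2], stored[1::2]):
        low, s_low = hamming74_decode(low_cw)
        high, s_high = hamming74_decode(high_cw)
        repaired += (s_low != 0) + (s_high != 0)
        out.append((high << 4) | low)
    return bytes(out), repaired


def detect_and_correct() -> tuple:
    """Checksum detects one flipped bit; the correcting code repairs one."""
    baseline = sha256_hex(RECORD)
    detected = sha256_hex(flip_bit(RECORD, 100)) != baseline
    stored = protect(RECORD)
    stored[7] ^= 1 << 3  # single-bit fault in one stored codeword
    data, repaired = recover(stored)
    return detected, data == RECORD, repaired


def double_fault_is_caught() -> bool:
    """Two faults in one codeword are mis-corrected; the checksum still notices."""
    stored = protect(RECORD)
    stored[7] ^= 0b11  # two bits flipped in the same codeword
    data, _ = recover(stored)
    return data != RECORD and sha256_hex(data) != sha256_hex(RECORD)


if __name__ == "__main__":
    print(detect_and_correct(), double_fault_is_caught())
```

The second function shows why the two controls are used together: the correcting code silently produces wrong data once a codeword has more than one fault, and only the checksum over the whole record reveals it.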
  • 8. Achieving Availability: Physical protections: infrastructure meant to keep information available even in the event of physical challenges. Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures. © Peter White, 2017 16 © Peter White, 2017 17 The Layered Approach to Security Don’t rely on a single aspect to protect you, like castle walls Add additional security measures like moats, narrow bridges, strong imposing gates, portcullis, boiling oil, etc Only allow entry through a controlled chokepoint – a gate Keep a good lookout from an elevated position to see threats from afar © Peter White, 2017 18 Chokepoints Chokepoints are used to control and monitor access Chokepoints allow an organisation to concentrate resources on a known point of security interest.
  • 9. This point can then be controlled and monitored. This increases the level of security as the organisation can now focus on these areas of real concern. The identification and use of chokepoints will also reduce the chance of exposure as a result of configuration errors. This is a more effective solution than trying to enforce many security controls in many different areas simultaneously. The use of chokepoints also helps to reduce security costs, while increasing security effectiveness. Top 12 threats to cloud services in 2016: Data breaches Insufficient Identity, Credential and Access Management Insecure interfaces & APIs System Vulnerabilities Account hijacking Malicious Insiders Advanced Persistent Threats Data Loss Insufficient Due Diligence Abuse and nefarious use of Cloud Services Denial of Service Shared Technology Issues © Peter White, 2017 19 Threats and Issues Cloud Security Alliance. (2016). The Treacherous 12. Cloud Computing Top Threats in 2016. Retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
  • 10. The Australian Signals Directorate has produced a number of publications for both consumers and providers of cloud services The cloud computing security considerations document looks at: Maintaining availability & functionality Protecting data from unauthorised access by: Third parties Other cloud consumers Rogue provider employees Handling security incidents These documents also give some non-exhaustive & detailed security considerations at http://www.asd.gov.au/publications/protect/Cloud_Computing_Security_Considerations.pdf https://www.asd.gov.au/publications/protect/essential-eight-explained.htm © Peter White, 2017 20 Threats and Issues The Deming Cycle Plan What are the threats faced? What are the risks faced? What are the organisation’s requirements? Do Cloud Security Privacy of your data Check
  • 11. Incident response Forensics Act Governance Auditing © P White, 2017 21 Managing Cloud Security Download and install a reference manager Start looking at assignment 1. It requires you to: Read Chapter 2 of the text Start thinking about how you will answer the questions Start looking for information about these case studies to ensure that you have all the information you need – make sure that you record the references! © P White, 2017 22 Essential tasks Essential reading: Ko, R., Choo, K. (2015). Cloud security ecosystem. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. Lau, Y. (2015). Cybercrime in cloud: Risks and responses in
  • 12. Hong Kong, Singapore. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. Cloud Security Alliance. (2016). The Treacherous 12. Cloud Computing Top Threats in 2016. Retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf Research task: What is the McCumber Cube? How does this cube help you to assess information security? Don’t forget to store the references you find! © P White, 2017 23 Tasks © ITC568 Cloud Privacy and Security Digital Identity and Privacy Week 2 Dr Peter White
  • 13. Digital Identity Privacy and Identity Agenda © P White 2017 2 What is a Digital Identity? Sullivan defines it as “Digital identity is all the information digitally recorded about an individual. i.e. a natural person that is accessible under the particular scheme” What is the purpose of a digital identity? What do you use a digital identity for? When do you create one? © P White 2017 3 Digital Identity Digital identity is now emerging as an important concept for government Services for citizens are being moved online to provide: Better transactional efficiency Reduction in operating costs
  • 14. 24x7 access to a range of different services But, the move online has created challenges Legislative issues & requirements Identity assurance issues People have more than one identity Fraud issues, including identity theft Government identity systems require uniqueness & exclusivity: one person = one identity © P White 2017 4 Digital Identity Sullivan sees a digital identity as having two components: A set of defined, static information that is presented for a transaction, such as name, address, DoB, and other identifying information, such as numerical identifier, signature, etc. What other information do you think should be included here to ensure proper identification? For a private use digital identity? For a government use digital identity? Should it include biometric information? © P White 2017 5 Digital Identity Sullivan, C. (2015). Protecting digital identity in the cloud. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress.
  • 15. Transactional data. This is a larger collection of “other” information that is tied to the transaction identity. Note her use of terminology here – transaction identity. What do you think this means? Transactional data is dynamic & augmented on an ongoing basis This data is generally considered personal information & not available in the public domain This data is often protected by privacy laws and regulations © P White 2017 6 Digital Identity Digital identification has two phases: Authentication of identity Verification of identity This process is based on the integrity of transaction identity © P White 2017 7 Digital Identification Authentication An identity claim is authenticated by the claimant providing identifying information, such as: User name and password,
  • 16. Identity number and password Biometrics and password Identifying information is regarded as being associated inseparably with the individual © P White 2017 8 Digital Identification Verification The authenticated digital identity can now be used to verify transactions, such as renew licences, claim Medicare rebates, complete tax returns, etc. © P White 2017 9 Digital Identification Note that a human is not absolutely essential to the identification process. Identification can be on a computer to computer basis using previously stored, and verified identity claims Think about Medicare rebates – the Doctor’s surgery handles the complete claim for you, including identifying the patient to Medicare © P White 2017 10 Digital Identification
  • 17. Identity Management has been defined as “the administration of an entity’s digital identity so as to provide secure and controlled access to the resources that the entity is entitled to use” (White, 2009, p. 5) The ‘administration of an entity’s digital identity’ implies that all aspects of that administration, including identification of the entity and the issuing of credentials, are part of the identity management process. It also implies the continued maintenance of the identity and its credentials throughout their life-cycles. The need to provide ‘secure and controlled access’ entails not only the use of a system of authentication to ensure that only the correct identities are allowed access, but it also includes access control of the enterprise’s resources. This ensures that the authenticated identity only has access to those resources that it is entitled to use. The use of the phrase ‘entitled to use’ further implies that there must be a system of provisioning to ensure that an identity is granted access only to the resources that it is entitled to access. This leads to the implication that a system of governance must be in place to monitor the entire process of identity management. © P White 2017 11 Identity Management © P White 2017
  • 18. 12 Identity Management © P White 2017 13 Authentication & Authorisation The process of authentication takes a user to an authentication module There the user’s credentials are compared with the stored set If the credentials match, authentication then occurs The user is then passed to an authorisation module Authorisation is the process of granting the user access to resources that they are entitled to access Question: Is having less data about an individual equal to better privacy? Answer: It depends. A single fingerprint stored may be more invasive than a full credit history A small amount of identity information that is shared with numerous parties may be more invasive A small amount of identity information that is not secured may be catastrophic for the individual A small amount of identity information may be used to profile an individual that can have consequences ranging from reputational damage to criminal charges
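The authentication-then-authorisation flow from the Authentication & Authorisation slide above, as an added Python example that is not part of the original slides. It assumes the stored credential set holds salted PBKDF2 hashes rather than passwords, and that entitlements are kept as (resource, action) pairs; the user names, passwords, resources and class names are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for this example


def derive(password: str, salt: bytes) -> bytes:
    """Derive the value that is stored and compared instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AuthenticationModule:
    """Compares presented credentials with the stored set."""

    def __init__(self):
        self._credentials = {}  # user -> (salt, derived key)
        # Dummy entry so unknown users cost the same work as known ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._credentials[user] = (salt, derive(password, salt))

    def authenticate(self, user: str, password: str):
        """Return the authenticated identity, or None if the claim fails."""
        known = user in self._credentials
        salt, stored = self._credentials.get(user, self._dummy)
        # Constant-time comparison of the derived values.
        matches = hmac.compare_digest(derive(password, salt), stored)
        return user if (known and matches) else None


class AuthorisationModule:
    """Grants access only to resources the identity is entitled to use."""

    def __init__(self, entitlements: dict):
        self._entitlements = entitlements  # identity -> {(resource, action)}

    def authorise(self, identity, resource: str, action: str) -> bool:
        if identity is None:  # never authorise an unauthenticated claim
            return False
        # Deny by default: anything not explicitly provisioned is refused.
        return (resource, action) in self._entitlements.get(identity, set())


def request_access(authn, authz, user, password, resource, action) -> str:
    """Run the two phases in order and report which one decided the outcome."""
    identity = authn.authenticate(user, password)
    if identity is None:
        return "denied: authentication failed"
    if not authz.authorise(identity, resource, action):
        return "denied: not entitled"
    return "granted"


def build_demo():
    """Constructed users and entitlements for the demonstration."""
    authn = AuthenticationModule()
    authn.enrol("alice", "correct horse battery staple")
    authn.enrol("bob", "tr0ub4dor&3")
    authz = AuthorisationModule({
        "alice": {("licence", "renew"), ("tax_return", "submit")},
        "bob": {("licence", "renew")},
    })
    return authn, authz


if __name__ == "__main__":
    authn, authz = build_demo()
    print(request_access(authn, authz, "alice",
                         "correct horse battery staple", "tax_return", "submit"))
    print(request_access(authn, authz, "bob", "tr0ub4dor&3", "tax_return", "submit"))
    print(request_access(authn, authz, "bob", "wrong", "licence", "renew"))
```

Keeping the two modules separate means a valid login never implies access: bob authenticates successfully but is still refused the tax return because it was never provisioned to him.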
  • 19. © P White 2017 14 Privacy issues Privacy guidelines Openness. The existence of systems containing personal data should be publicly known, along with a description of the system's main purposes and uses of the personal data in the system. Individual participation. Individuals should have a right to view all information that's collected about them. They should also be able to correct or remove data that isn't timely, accurate, relevant, or complete. Collection limitation. Limits to the collection of personal data should exist. Personal data should be collected by lawful and fair means and, where appropriate, with the individual's knowledge or consent. Data quality. Personal data should be relevant to the purposes for which it's collected and used. It should be accurate, complete, and timely. Finality. The use and disclosure of personal data should be limited. Personal data should be used only for the purposes specified at the time of collection and shouldn't be otherwise disclosed without the consent of the individual or other legal authority. Security. Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, and disclosure. Accountability. The keepers of personal data should be accountable for complying with fair information practices.
  • 20. © P White 2017 15 Privacy Issues Additional principles: Diversity and decentralization. Enrolment and authentication options should let individuals choose the appropriate key for a specific need. Designers should resist centralising identity information or using a single credential for multiple purposes. Proportionality. The amount, type, and sensitivity of identity information collected and stored should be consistent with and proportional to the system's purpose. Privacy by design. Privacy considerations should be incorporated into the identity management system from the outset of the design process. Considerations include safeguards for the physical system components as well as policies and procedures that guide the system's implementation. © P White 2017 16 Privacy Issues © P White 2017 17
  • 21. Privacy architecture Privacy considerations: Lack of user control Unauthorised secondary use Data proliferation and cross border data flows Dynamic provisioning © P White 2017 18 Privacy in the Cloud Security considerations: Access – legal right to access data held Control over the data lifecycle Availability & backup Lack of interoperability standards Multi-Tenancy Audit © P White 2017 19 Privacy in the Cloud Trust issues:
  • 22. Trust boundaries Shared responsibility boundaries Non-transitive trust issues with use of subcontractors or other cloud providers Customer trust issues – usually from lack of visibility or control Legal issues between jurisdictions © P White 2017 20 Privacy in the Cloud Data handling mechanisms Classifying data Data location policies Data security mitigation Encryption? Data classifications Privacy design Standardisation Accountability Auditing & reviews Increase trust Governance frameworks, privacy rules, etc. © P White 2017 21 Addressing the issues Read:
  • 23. Sullivan, C. (2015). Protecting digital identity in the cloud. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. White, P. (2008). Identity Management Architecture: A New Direction. Paper presented at the 8th International Conference on Computer and Information Technology CIT 2008, Sydney. http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/4594710/ Hansen, M., Schwartz, A., & Cooper, A. (2008). Privacy and Identity Management. IEEE Security & Privacy, (2), 38-45. http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/4489848/ Pearson, S., & Benameur, A. (2010). Privacy, Security and Trust Issues Arising from Cloud Computing. Paper presented at the IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom), 2010. http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/5708519/ Watch Digital Identity videos on Interact © P White 2017 22 Tasks ITC568 Cloud Privacy and Security
  • 24. Threats and Risks Week 3 Dr Peter White Data centres and security models Threats and Risks Considerations Agenda © P White 2017 2 Our data and applications are stored in, and run from, data centres Characteristics of a data centre include: Network Storage Compute resources Reliability Maintenance But, Yang sees the essential characteristics as: On-demand access Measured service
  • 25. Network access Resource pooling Virtualization Reliability Maintenance Notice how Yang’s characteristics align with the NIST Cloud characteristics? Data Centres Yang, Li; “Network-aware Job Placement in Data Center Environments,” University of Calgary, 2014 © P White 2017 3 Internal: a data centre run by a single enterprise for its own operations Network – dedicated internal network, perhaps some external access available Storage – Internal storage on SAN, NAS or similar Compute resources – can be physical or virtualised Reliability – multiple copies of data, backup to tape, DR plan, UPS and environment controls Maintenance – dedicated internal IT team Internal data centres © P White 2017 4
  • 26. Hybrid: a data centre that is split across two or more geographically diverse locations Network – dedicated internal network, external access available, spanned between multiple DCs, more bandwidth and channels required Storage – storage on SAN, NAS, etc, replicated between DCs, data tiering between DCs, Compute resources – few physical, mostly virtual, spanned between DCs, some automation, some VDI infrastructure Reliability – multiple copies of data in both DCs, data tiering backup to tape, DR plan, UPS and environment controls Maintenance – dedicated internal IT team, external provider in remote DCs Hybrid data centres © P White 2017 5 External: a data centre that is run for an enterprise by an external provider Network – dedicated internal network with external access to DC (Cloud?), more bandwidth and channels required Storage – StaaS in external DC, Compute resources – IaaS, PaaS, SaaS from external provider, move to VDI for users Reliability – multiple copies of data in different locations, data tiering, backup to Cloud, DR plan Maintenance – external provider External data centres © P White 2017 6
  • 27. Internal Concentric layered defence Essentially firewall based Hard exterior shell with trusted internal traffic Hybrid Concentric layered defence with VPN tunnels between DCs Modified version of Internal External Shared responsibility model Ability to deploy different security models and techniques Scalable approach Security models © P White 2017 7 The Cloud Security Alliance (CSA) describe the current top threats in the Cloud ecosystem Data breaches Insufficient identity, credential and access management Insecure interfaces and APIs System vulnerabilities Account hijacking Malicious insiders Advanced persistent threats Data loss Insufficient due diligence Abuse of cloud services
  • 28. Denial of service Shared technology issues Threats © P White 2017 8 The CSA document is essential reading as it gives you: A description of the security concern and the cloud service models it affects, A threat analysis Business impacts Anecdotes and examples, Cloud Control Matrix (CCM) control IDs to assist in applying controls Links to further information Download the CCM from https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ © P White 2017 9 Threats The Australian Signals Directorate (ASD) has a paper on cloud security considerations which is essential reading. It covers: Maintaining availability & business functionality Protecting data from unauthorised access
  • 29. Handling security incidents © P White 2017 10 Cloud Security Considerations The ASD also put out a series of strategies to mitigate Cyber Security incidents known as the Essential Eight: Application whitelisting Patch applications Disable MS Office macros User application hardening Restrict admin privileges Patch operating systems Multi-factor authentication Daily backup of data © P White 2017 11 Cloud Security Considerations Johnson defined threats and vulnerabilities as follows: Threat: Who might attack against what assets, using what resources, with what goal in mind, when/where/why, and with what probability. There might also be included some general aspect of the nature of the attack (e.g., car bombing, theft of equipment, etc.), but not details about the attack or the security measures that must be defeated and the Vulnerabilities to be exploited.
  • 30. Vulnerability: a specific weakness in security (or a lack of security measures) that typically could be exploited by multiple adversaries having a range of motivations and interest in a lot of different assets. © P White 2017 12 Threats and Vulnerabilities Threat: Adversaries might install malware in the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft. Vulnerability: The computers in the Personnel Department do not have up to date virus definitions for their anti-malware software. Threat: Thieves could break into our facility and steal our equipment. Vulnerability: The lock we are using on the building doors is easy to pick or bump. © P White 2017 13 Threats and Vulnerabilities Taxonomy of attacks Juliadotter & Choo’s taxonomy allows us to look at the type and breadth of attacks
  • 31. The goal with such a taxonomy is to allow us to quickly determine both the type of the attack and then the appropriate countermeasures This provides some background information that is valuable when you are initially planning your security measures It is a bit cumbersome, in its present format, for use in countermeasures These taxonomies contain valuable information for planning your security approach © P White 2017 14 Attacks and Taxonomy © P White 2017 15 Cloud Security challenges Ali, M., Khan, S., & Vasilakos, A. (2015). Security in Cloud Computing: Opportunities and challenges. Information Sciences, 305(2015), 357-383 Khan’s paper also takes a taxonomic approach to attacks Like Juliadotter & Choo, he concentrates on the technical aspects of attacks against the cloud His tables in section 3 of his paper are also valuable sources of information on various attacks and their countermeasures. © P White 2017
  • 32. 16 Cloud Security Challenges Social engineering is defined as: the use of social disguises, cultural ploys, and psychological tricks to get computer users to assist hackers in their illegal intrusion or use of computer systems and networks Abraham, S., & Chengalur-Smith, I. (2010). An overview of social engineering malware: Trends, tactics, and implications. Technology in Society, 32(3), 183-196. Social engineering is one of the strongest weapons in the armoury of hackers and malware writers, as it is much easier to trick someone into giving his or her password for a system than to spend the effort to hack into the target system We need to recognise in our plans that social engineering of our users may defeat our technical & technological plans and countermeasures © P White 2017 17 Social engineering Read: The CSA’s treacherous 12 The ASD Cloud Considerations The ASD Essential 8 Download and read the CCM from https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
  • 33. © P White 2017 18 Tasks ITC568 Cloud Privacy and Security Risk assessment models and techniques Week 4 Dr Peter White Evaluate risks for data privacy and security Analyse the legal, ethical & business concerns for data privacy and security Evaluate risk management techniques Agenda © Peter White, 2017 2
  • 34. Risk management is defined as: “The identification, assessment and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events” Hubbard, D. W. (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. Somerset, NJ: John Wiley & Sons. It can also be summed up as: Being smart about taking chances © Peter White, 2017 3 Risk management Risk Management © Peter White, 2017 4 Realistically, InfoSec is all about Risk Management: You are applying some controls, or security measures, to reduce the risk of a threat occurring in your environment Risk - The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring (NIST, 2010) So, to be realistic about what controls or measures to apply, you need to be aware of what risk you face You also need to be aware that applying controls can also create new risks: Strong and imposing gates can also be a weak point if the invaders have the right equipment, or find a way
  • 35. to bypass them A chokepoint can also be a single point of failure Risk management is not just about assessing risk It includes policies on: The level of acceptable risk Controls to minimise the risk It also includes communication about the risk © Peter White, 2017 5 Approaches Risk Management is comprised of: Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment, and Monitoring and Review ISO/IEC 31010:2009 discusses a number of ways that we implement the identification, analysis, evaluation and monitoring of risks © Peter White, 2017 6
  • 36. A Basic Approach to Risk Management
    Standards Australia. (2009). AS/NZS ISO 31000:2009 Risk management - Principles and guidelines. Sydney: Standards Australia.

    Basic Risk Assessment - Identification
    Risk Identification
    Need to understand all the risks to the enterprise
    Iterative process that could take up to 3 years, or more, to achieve!
    Develop knowledge of threats to enterprise
    Natural causes - storms, etc.
    Man made threats
    Technical & technology threats
    Supply threats - water, sewer, electricity, communications, etc.
    Identify the mitigation controls and recovery processes for each identified case of:
    Natural causes
    Man made threats
    Technical and Technology threats
    Supply threats
  • 37. Basic Risk Assessment – Analysis
    Risk Analysis:
    Asset inventory:
    What are the assets?
    What has to be protected?
    Asset valuation
    Identify protection priority (sensitivity value or other measure?)
    Vulnerability analysis
    What are the inherent weaknesses in our assets?
    Threat analysis:
    What can hurt our assets?

    Basic Risk Assessment – Evaluation
    Risk Evaluation:
    Evaluate likelihood and impact
    Quantify the risk to the assets.
    Evaluate possible preventative response and recovery controls:
    What do we do to stop the threats?
    How do we reduce the impact of a threat if it occurs?
    Cost evaluation and justification
    What is the cost of the control vs benefit derived?
    Create risk assessment report
  • 38. Basic Risk Management – Treatment
    Risk Management is:
    The actions taken to manage the threats prudently
    Management approves controls that are developed in the Risk Assessment:
    The controls are based on Management’s tolerance for risk, their budget and other pressures
    The aim of the Risk Management treatment is to:
    Mitigate, transfer or avoid risk
    Controls are implemented and integrated:
    Administrative, technical and physical controls
    Controls are used to Prevent, Deter, Delay, Detect, Assess, Respond, Recover from Risk
    It is essential that users are trained to use any new controls
    Controls must be utilised, monitored, maintained and refined over time
    Controls are evaluated for effectiveness over time using agreed metrics
    The implemented Risk Management program becomes the new “normal” state of the enterprise security posture

    Cloud Threat and Risk Assessment – ISO/IEC 27017: 2015
    Start with the standard TRA based on ISO/IEC 31000 Risk Management, then consider some cloud specific risks:
    Compliance requirements
    Shared roles and responsibilities in a cloud environment
    Responsibility for assets
    Access control
    Segregation in shared computing environments
    VM hardening
    Changes to operational procedures
    Changes to operational security
    Logging and monitoring
    Virtual network security management
    Cryptography
    Incident management
    Endpoint security
  • 39. Data issues - Storage
    Data storage
    Type of data
    Mission critical data
    Customer data
    Identifiable
    Transactional
    Public access data
    Ephemeral data (short lived)
    Level of confidentiality required – classification?
    Are access controls imposed on the data?
  • 40. Data issues - Collection
    How & what data is being collected?
    Customers
    Requested Personally Identifiable Information (PII)
    Requested non-identifiable information?
    Can that be confirmed as non-identifiable? How?
    Can it become identifiable if it is aggregated?
    Anonymous information
    Unsolicited personal information
    Corporate data
    What data is requested from customers?
    Crowd sourced data
    Unsolicited data
    Marketing data (website tracking, etc)
    Can that data identify individual customers/users?

    Data issues - Aggregation
    Data may not intrinsically be regarded as private or in need of security
    But, if data is aggregated:
    Could that aggregation identify persons, issues or potential security problems?
    Can the aggregated data be de-identified in such a way as to preclude subsequent identification?
    Would the data mining of apparently unassociated data sets lead to identification of people?
  • 41. Data issues – Transactional data
    Does transactional data require privacy and security controls?
    Consider:
    Sales transactions from an online retailer
    Financial transactions through a bank’s website
    Record/licence transactions with a Government Agency – e.g. Renew your car registration
    Complete a survey from a retailer/supplier that you deal with

    Data issues - Legal
    There may be a number of legal issues that come into play with data in the cloud. We will look at these in the next two topics in more detail, but you will need to consider:
    Business continuity and disaster recovery plans
    Data location and retrieval
    Legal and regulatory environment
    Information governance and management
    Privacy
    Security
    Licensing
  • 42. Data issues - Security
    How are you going to secure your data in the Cloud?
    Where will it be located?
    How will it be stored?
    Will it be encrypted? At rest? In transit?
    How will it be securely updated?
    How will it be securely delivered?
    What about backups and archiving?

    Data issues - Access
    Who has access to your data in the cloud?
    Internal access:
    Who can access it?
    Is the access appropriate?
    What can they do with it?
    Who has elevated privilege access? Why?
    Who loads/updates/deletes/backs up/archives data? When?
    External access:
    Who can access it?
    Is their access appropriate?
    Is it through a secure channel?
    What can they do with the data?
  • 43. Attack Risk Assessment
    An alternative approach to risk assessment is to assess risk using attack vectors:
    Source – the threat agent
    Vector – method of operation
    Vulnerability - the weakness that can be exploited
    Target - the aim of the attack
    Impact - Confidentiality, Integrity, Availability
    Defence - how to close or defend the weakness

    Attack Risk Assessment
    This approach is based on the OWASP approach (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) and uses the following factors:
    Threat Agents:
    Skill level
    Motive
    Opportunity
    Size
    Vulnerability
    Ease of discovery
    Ease of exploit
    Awareness
    Intrusion detection
  • 44. Attack Risk Assessment
    Technical impact
    Loss of confidentiality
    Loss of integrity
    Loss of availability
    Loss of accountability
    Business impact
    Financial damage
    Reputational damage
    Non-compliance
    Privacy violation

    Assessing severity
    From: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
  • 45. Assessing risk
    From: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

    Tasks
    Read:
    Juliadotter, N., & Choo, K. (2015). CATRA: Conceptual cloud attack taxonomy and risk assessment framework. In Ko, R., & Choo, K. (Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. (Chapter 3)
    Nidd, M., Ivanova, M., Probst, C., & Tanner, A. (2015). Tool-based risk assessment of cloud infrastructures as socio-technical systems. In Ko, R., & Choo, K. (Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. (Chapter 22)
    National Institute of Standards and Technology. (2016). Risk Management Framework. Gaithersburg, MD: National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/
    Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance. Retrieved from http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
    Office of Finance and Services. (2014). OFS ICT Cloud Service Guidelines. Sydney: Office of Finance and Services, Department of Treasury. Retrieved from http://arp.nsw.gov.au/sites/default/files/Cloud%20Services%20Policy%20and%20Guidelines.pdf
    OWASP. (2013). OWASP Risk Rating Methodology. Open Web Application Security Project, viewed 17 May 2017, https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
  • 46. Scenario
    You are the principal consultant for a community-based Charity. The Charity is involved in locating and providing accommodation, mental health services, training and support services to disadvantaged people in the community.

    The Charity currently runs a small data centre that has some 50 x86 64-bit servers running mainly Windows Server 2008 R2 for desktop services, database and file services. It also has 10 Red Hat Enterprise Linux 5 servers to service public facing Web pages, Web services and support.

    The Charity is considering joining a community cloud provided by a public cloud vendor in order to provide a number of applications to all 500 support staff and administrative users. A small number of the Charity's applications are mission critical and the data that those applications use is both confidential and time sensitive.

    The community cloud would also be used to store the Charity's 200TB of data. The data would be held in a SaaS database run by the public cloud vendor.
  • 47. The Charity's data contains a considerable amount of confidential information about the people to whom the Charity provides services.

    The Charity collects PII data on the clients who use its services so that it can assist them to manage their different service requirements. This PII data also includes holding some digital identity data for some of the more disadvantaged clients, particularly if they also have mental health issues.

    The cloud vendor has made a presentation to management that indicates that operational costs will drop dramatically if the cloud model is adopted. However, the Board of the Charity is concerned with the privacy and security of the data that it holds on the people that it provides services to in the community. It is concerned that a data breach may cause considerable damage to substantially disadvantaged people in the community.

    The Board asks that you prepare a report that proposes appropriate privacy and security policies for the Charity's data.

    The charity has also decided to:
    · Purchase an HR and personnel management application from a US-based company that provides a SaaS solution.
    · The application will provide the charity with a complete HR suite, which will also include performance management. The application provider has advised that the company's main database is in California, with a replica in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider's processing centre in Bangalore, India.
    · Employee data will be uploaded from the charity daily at 12:00 AEST. This will be processed in Bangalore before being loaded into the main provider database.
    · Employees can access their HR and Performance Management information through a link placed on the Charity intranet. Each employee will use their internal charity digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by the charity's Active Directory instance and is used for internal authentication and authorisation.
  • 48. · Move the charity payroll to a COTS (Commercial Off The Shelf) application that it will manage in a public cloud;
    · Move the charity Intranet into a Microsoft SharePoint PaaS offering so that it can provide Intranet services to all agencies in the WofG.

    Tasks
    You have been engaged to provide a risk assessment for the planned moves to SaaS application offerings. You are to write a report that assesses the risks to the charity for just their planned moves in the HR area:
    1. Consider the data and information that the charity holds on its employees in the current HR system.
        1. Establish the existing threats and risks to the security of that data and information contained in the in-house HR database. (10 marks)
        2. Are there any additional risks and threats to employee data that may arise after migration to a SaaS application? (10 marks)
        3. Assess the resulting severity of risk and threat to employee data. (10 marks)
    2. Consider the privacy of the data for those employees who will move to a SaaS application.
        1. Establish the existing threats and risks to the privacy of that data and information contained in the in-house HR database. (10 marks)
        2. Are there any additional risks and threats to the privacy of the employee data after migration to a SaaS application? (10 marks)
        3. Assess the resulting severity of risk and threat to the privacy of employee data. (10 marks)
    3. What are the threats and risks to the digital identities of charity employees from the move to SaaS applications? (10 marks)
  • 49. 4. Consider the operational solution and location(s) of the SaaS provider for HR management. Does either the operational solution, or the operational location, or both, increase or mitigate the threats and risks identified for the security and privacy of employee data? (20 marks)
    5. Are there any issues of ethics, data sensitivity or jurisdiction that should be considered by the charity? (10 marks)

    You are to provide a written report with the following headings:
    · Security of Employee Data
    · Privacy of Employee Data
    · Digital Identity Issues
    · Provider Solution Issues
    · Data Sensitivity

    As a rough guide, the report should not be longer than about 5,000 words.
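
The OWASP Risk Rating factors listed in the Attack Risk Assessment slides can be combined into the severity rating that the "assess the resulting severity of risk" tasks call for. The Python below is an added example, not part of the original slides: the 0-9 scoring, the LOW/MEDIUM/HIGH bands and the severity matrix follow the OWASP methodology the slides cite, while the function names and the sample scores for the HR scenario are constructed for illustration.

```python
from statistics import mean

# Factor names follow the slides; each factor is scored 0-9.
LIKELIHOOD = ("skill_level", "motive", "opportunity", "size", "ease_of_discovery",
              "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL = ("loss_of_confidentiality", "loss_of_integrity",
             "loss_of_availability", "loss_of_accountability")
BUSINESS = ("financial_damage", "reputational_damage",
            "non_compliance", "privacy_violation")
# Overall severity matrix from the OWASP methodology, keyed (impact, likelihood).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}

def average(scores, names):
    """Average one factor group, rejecting missing or out-of-range scores."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    if any(not 0 <= scores[n] <= 9 for n in names):
        raise ValueError("factor scores must be between 0 and 9")
    return mean(scores[n] for n in names)

def level(score):
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate(scores, use_business_impact=True):
    """Return (likelihood, impact, overall severity) for one scored risk."""
    likelihood = average(scores, LIKELIHOOD)
    impact = average(scores, BUSINESS if use_business_impact else TECHNICAL)
    return likelihood, impact, SEVERITY[(level(impact), level(likelihood))]

# Constructed, illustrative scores for one risk in the HR SaaS scenario:
# exposure of employee records at the provider's offshore processing centre.
HR_OFFSHORE = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 4,
    "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 4,
    "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 5, "reputational_damage": 6,
    "non_compliance": 7, "privacy_violation": 7,
}

if __name__ == "__main__":
    print(rate(HR_OFFSHORE, use_business_impact=False), rate(HR_OFFSHORE))
```

With these scores the same risk rates Medium on technical impact and High on business impact, which is why OWASP recommends using the business impact figures whenever they can be estimated reliably.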