Cloud Privacy and Security
Assessment Item 3
Privacy and Data Protection
Student names and IDs: Sangeeth Reddy Arepally – 11660914
Akshay Kumar Aleti - 1626230
Sri Sanka Kathaluwa Liyanage – 11639785
Uma Hiriyannaiah Prema – 11634685
Subject Code: ITC568
Professor: Dr. Purvi Mehta
Table of Contents
1. Introduction (Sangeeth Reddy Arepally)
2. Privacy Strategy for Personal Data
a. Management of personal information (Sangeeth Reddy Arepally)
b. Collection and management of solicited personal information (Sangeeth Reddy Arepally)
c. Use and disclosure of personal information (Uma Hiriyannaiah Prema)
d. Use and security of digital identities (Sri Sanka Kathaluwa Liyanage)
e. Security of Personal Information (Uma Hiriyannaiah Prema)
f. Access to Personal Information (Akshay Kumar Aleti)
g. Quality and correction of personal information (Akshay Kumar Aleti)
3. Mitigating identified security risks and privacy risks (Akshay Kumar Aleti) (Sri Sanka Kathaluwa Liyanage)
a. Mitigation for privacy Risks (Akshay Kumar Aleti)
b. Implementation of Privacy Strategy (Sri Sanka Kathaluwa Liyanage)
4. Data Protection Strategy (Uma Hiriyannaiah Prema) (Sangeeth Reddy Arepally)
1. Initial constraints for the strategy (Sangeeth Reddy Arepally)
Backing up and recovering
Dynamic storage
Data and Information Lifecycle Management
2. Following the Holistic approach (Uma Hiriyannaiah Prema)
Technology
People
Process
3. Strategic Safeguarding (Sangeeth Reddy Arepally)
Administrative safeguarding
4. Technical safeguarding (Uma Hiriyannaiah Prema)
De-identification
Data encryption
User and employee authentication (Akshay Kumar Aleti)
5. Conclusion (Uma Hiriyannaiah Prema)
6. Appendix – Team Discussion
7. Bibliography
1. Introduction (Sangeeth Reddy Arepally)
Cloud computing is a widely adopted technology valued for its flexibility and on-demand access. It delivers services over the internet through the service models PaaS, IaaS and SaaS. The goal is to make computing services accessible while keeping unauthorised access out. Drawn by these benefits, the charity plans to make its services available to its members only through a cloud platform. A privacy strategy still has to be implemented before that move can be considered secure. This report recommends a plan that protects the personal data of the charity's members through a set of steps taken while the data is moved to the cloud platform. The data is sensitive, so its protection has to be correspondingly strong. The purpose of using cloud computing is to make the applications available to every member of the community and to give administrators convenient access as well. The biggest concern is that the sensitive data could be compromised. The proposal is therefore to improve the accessibility of the applications through cloud computing while ensuring that the charity's private data cannot be reached by unauthorised access. The purpose of this paper is to design a privacy strategy under which the charity can process applications on a cloud platform with data safety as the main focus.
2. Privacy Strategy for Personal Data
a. Management of personal information (Sangeeth Reddy Arepally)
Cloud platforms offer considerable benefits: ease of access, flexibility, large volumes of information kept in one place, efficiency and cost reduction. None of this means that information stored on a cloud server cannot be harmed. Maintaining personal information properly is crucial when relying on cloud computing and on a hosting provider for the services. The question is how the data can be kept safe on the cloud servers, and this section outlines the methods that can support the maintenance of the charity members' sensitive data stored in the cloud.

The first step in maintaining the information is to analyse and identify the risks associated with data security (NAA, 2018). This must be done before any agreement is made with a cloud provider, who will be responsible for all of the accessible operations. The integrity of the data has to be safeguarded, particularly because the information stored includes the personal details of charity members. Users can easily access their personal information saved on the cloud, and no expert knowledge is required to process it. The major benefit of transferring information to cloud servers is the reduced cost that comes from using shared resources (Thomas, 2009). All of the information stored on the cloud server can be accessed irrespective of the time and location of the users (Guilloteau, Orange, & Mauree, 2012). In the charity's case, for example, the software is distributed to different locations, while the processing is done from yet other locations.

Whatever the accessibility features, it is the security of personal information that is targeted most, especially where the data is stored. Management of personal information can be supported by verifying the details of the provider behind the cloud application services. SaaS, for example, relies on a third-party vendor and the internet to deliver its services (Deyo, 2018). Only once it is established that the third party is what it claims to be and is trustworthy can the charity proceed with the agreement. For example, the charity has formed an agreement with a US-based company that will provide cloud computing services as SaaS, while all of the data configuration and maintenance operations will be managed from Bangalore. This means that verification must be carried out before proceeding with the other operations involved in the deal.
b. Collection and management of solicited personal information (Sangeeth Reddy Arepally)
Efficient collection and management of personal data on a cloud platform is crucial for keeping the stored information secure, and it must be done in a way that does not compromise privacy. Measures can be adopted to manage personal information through an open and transparent process rather than by hiding the details. The collection of the charity members' personal information using the cloud computing model can be carried out by enabling anonymity and pseudonymity (Google Cloud and Australian Privacy Principles, 2018). Privacy can be assured by gathering only solicited personal information from the users connected to the charity. Notifications can be issued so that the data users are informed about the collection process. The privacy guidelines also cover the handling of personal information that is collected unsolicited (Collection of solicited personal information, 2018).

Solicited personal information can be collected as an individual's response to a request that asks them to enter confidential details, or it can take the form of another entity providing the personal details of the data users in order to share information between the entities. Other forms of solicited information include a completed application form, or applications that require the credentials of the data users (Collection of solicited personal information, 2018).
c. Use and disclosure of personal information (Uma Hiriyannaiah Prema)
Shifting data to cloud computing in order to enhance services sometimes requires the participation of third parties. The internet or software acts as the medium for communication between processes and, finally, for the delivery of services. Privacy policies can be established that determine what kind of personal information is required when transferring data to the cloud platform. Along with this, the arrangements for disclosure of personal information must be made clear to the data users so that privacy is assured. The guidelines of the privacy policy permit disclosure of personal information to outside parties only when it is demanded under government legal proceedings (Cloud computing and privacy, 2014). Personal information must not be used in a way that lets unauthorised access disrupt the whole of the data processing.

The members of the charity can be granted access to their personal information on a request-for-service basis, rather than being given open views of the stored data that an attacker could reach just as easily. At the same time, they can be allowed to access their personal information to make the modifications they require. It is more the cloud provider's responsibility than the charity's to assure correct delivery of services and to ensure the privacy of the confidential data while allowing users to access the information at any time of the day. The cloud provider and any assisting third parties must establish a set of measures or guidelines that ensure unauthorised access does not interfere with the stored data (Cloud computing and privacy, 2014). Personal information needs to be secured from misuse, loss and modification, thereby reducing the chance of data breaches in the future. Personal information stored in the cloud database must be updated from time to time (Gadia, 2016). The cloud provider may adopt measures to delete existing users' information once its purpose has been served; information that is no longer needed can be deleted or modified (Gadia, 2016).

Since the charity's important data is being moved to the cloud platform for enhanced accessibility, contractual agreements with the provider must be signed before the sensitive data is handed over to the third parties (Cloud computing and privacy, 2014). The charity must also be aware of the laws of the country in which it resides, so that in the event of a data breach it can seek help under national security and law enforcement provisions.
d. Use and security of digital identities (Sri Sanka Kathaluwa Liyanage)
A digital identity allows an interaction that would otherwise take place face to face to happen without a physical appearance. Digital identities play a vital role in the digital era, where communication can take place instantly regardless of the time and location of the users (Benkoel-Adechy, 2012). Cloud computing offers a fitting platform for them, since access to data from any location is its main benefit.

The charity plans to issue digital identities to all of its members so that the data users can reach the dedicated set of services made available on the cloud platform. Using digital identities can also improve the privacy of confidential data (Benkoel-Adechy, 2012): sensitive data in the digital era cannot be protected merely by building walls around it, and stronger mechanisms are needed to prevent misuse. With digital identities, only authorised users are able to access data and complete transactions, and unauthorised access is restricted.

A digital identity can take the form of a password or an email address that a person holds on a digital platform as a token of their unique identification. The data is stored in electronic form, using biometric and biographic data that distinguishes the person from unauthorised users on digital media (Wladawsky-Berger, 2016). Trusted digital identities can be created only by verifying the authenticity of the registered users. There is no doubt that fake identities can be built within seconds; from a security point of view, then, evaluating the authenticity of trusted users must be part of the cloud provider's responsibilities. Documents or IDs may be verified before a user is approved as trusted (Wladawsky-Berger, 2016), and the verification may be carried out with the government or with third parties, in which the user's credit details, phone number and other credentials are checked in advance. Technology has been the main driving force behind the need to create digital identities for assured security and privacy of personal information. Digital identities also give users convenient access to services once these move to a cloud platform, and they answer the growing demand for trust and security on digital platforms.

Integrating digital identities into cloud computing has strengthened the service delivery benefits available on a cloud platform. Access to the data stored in the cloud database is not open to everyone; it is restricted through a digital identity that is unique to each person, so security can still be assured. For stronger privacy, policies can be developed and used in the design of the technical structure so that unauthorised access cannot interfere with the stored data (Digital Identity and Privacy, 2017). User control and privacy mechanisms can be given top priority in the technical design without giving up any essential functionality. Examples of such user controls are keeping disclosure of information to a minimum, validating user identities first with various authentication schemes, and creating distinct identities for users so that data is not shared with unauthorised users (Digital Identity and Privacy, 2017).

Such systems can be designed so that vulnerability is reduced to a minimum. The data is stored in a way that leaves unauthorised outside access no way to interfere with it. Furthermore, cryptographic capabilities can be built into the proposed systems as functionality, so that layered control checks and other privacy verification means can be integrated easily (Digital Identity and Privacy, 2017).
e. Security of Personal Information (Uma Hiriyannaiah Prema)
The security of personal information can be assured by evaluating the verification details of the subcontractors connected to the cloud service providers (Cloud Computing, 2015). These subcontractors are responsible for maintaining the processing of the stored data. There is a chance that a subcontractor does not work efficiently enough to deliver the services involved, or that it forms a loose agreement with further subcontractors to take care of the customer's needs. It is therefore better for the charity to have full knowledge of and access to the details of the subcontractors, so that the needs and objectives of the charity are met. All legal measures must also be taken care of while assuring the privacy of the personal data. The arrangements of the data providers must be explained to the charity so that security is never compromised when the goal is to enhance the services. The charity should sign a contractual agreement with the cloud provider or other subcontractors ensuring that all legal formalities are covered (Cloud Computing, 2015). Protection of the information stored on the cloud servers, in both its administrative and technical aspects and together with the various compliance controls, must be assured by the respective cloud providers and the other subcontractors.

Not all cloud providers offer standardised services to their customers, and this is one of the factors that put the security of the data stored in the cloud at risk. Services provided without conforming to standard rules and to the contractual documents do not assure protection of the data users' personal data. It is the charity's responsibility to check in advance whether the cloud provider works under standardised rules, so that the security, data protection and privacy needs of the charity are met. Failing to do so may ultimately lead to compromised security, data breaches, or interference with the stored personal data.

Cloud computing is operated using one of three models: PaaS, IaaS and SaaS. The PaaS and IaaS models keep companies informed of the processing in the cloud by leaving users in control of their businesses, whereas the SaaS model delivers the service as software (Bernheim, 2018). This means that data users have to rely on the cloud provider for the service, which requires a stronger form of security. Given the charity's objective of offering a number of services to its members, relying on the SaaS model increases the risk to the data. Choosing a private cloud provider instead of a shared one gives more control over the services. Shared cloud platforms, on the other hand, require users to identify risks in advance and to incorporate ways of addressing them (Cloud Computing, 2015).
f. Access to Personal Information (Akshay Kumar Aleti)
Access to personal information can be guarded by digital identities and by other privacy control mechanisms such as cryptography, encryption and decryption techniques, layered access controls, privacy checks and user controls (Sharma & Trivedi, 2014). Only valid users are allowed to access the information stored on the cloud platform. The charity's purpose in moving all of its data to the cloud platform is better access, but the privacy of the data is in question, and the security of data handled with the assistance of third parties is its main concern. Integrating a set of privacy measures can remove the doubts the charity has about the protection of the data. Unauthorised access can only be controlled by verifying user credentials and then granting permission to access the data (Rouse, 2018). The services will be processed at locations different from where the software is handled. The benefit of moving to cloud computing is that access to data is not filtered by location or time, so accessing information becomes easier while the security features are assured. Digital signatures are also among the measures that can control access to a user's data stored on the cloud platform. Personally identifiable information (PII) identifies unique users through identification numbers (Rouse, 2018). Access to the services is automatically restricted for invalid users, and faking information is not easy on a cloud platform. Attackers could still try to modify the stored information in an attempt to ruin a company's data; since the charity plans to keep all of its data on a cloud platform, any unauthorised access could disrupt the data and result in a loss. Privacy therefore needs to be built into the technical organisation and design of the systems to prevent harm in the future.
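The following is an added example (not part of the original report or of any product it cites) showing how a signed, per-member access token can enforce the access rules described above: a member's credentials are verified once, a token bound to that member's identifier and permitted actions is issued, and every later request on a personal record is checked against it. The signing key, member identifiers and scope names are assumptions made up for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed server-side signing key. In a real deployment it would come from a
# secrets manager, never from source code.
SERVER_KEY = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(member_id: str, scopes: list, ttl: int, now: int, key: bytes = SERVER_KEY) -> str:
    """Issue a token bound to one member: the claims are signed with HMAC-SHA256."""
    claims = {"sub": member_id, "scopes": sorted(scopes), "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: int, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        encoded_payload, encoded_sig = token.split(".")
        payload, sig = _unb64(encoded_payload), _unb64(encoded_sig)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_record_access(token: str, record_owner: str, action: str, now: int) -> bool:
    """A member may perform `action` only on their own record and only if the token grants it."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    if claims["sub"] != record_owner:
        return False
    return action in claims["scopes"]


def forge_subject(token: str, new_member: str) -> str:
    """What an attacker might try: keep the original signature, rewrite the subject claim."""
    encoded_payload, encoded_sig = token.split(".")
    claims = json.loads(_unb64(encoded_payload))
    claims["sub"] = new_member
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + encoded_sig


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("member-42", ["read", "correct"], ttl=3600, now=now)
    print("own record, read:   ", authorize_record_access(token, "member-42", "read", now + 10))
    print("other record, read: ", authorize_record_access(token, "member-43", "read", now + 10))
    print("forged subject:     ", verify_token(forge_subject(token, "member-43"), now + 10))
```

The point of the forged token is that the signature covers the subject claim, so changing the member identifier without the key invalidates it; the expiry check means a stolen token stops working on its own, and the owner check is what keeps one member out of another member's record even with a valid token.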
g. Quality and correction of personal information (Akshay Kumar Aleti)
The quality of the personal information stored in the database is assured in terms of integrity because the cloud system works in an organised way to keep the data accessible to its users. Many restrictions apply to the processing of cloud services. First, a user has to present valid credentials before requesting the cloud services; after login, the server evaluates the user's authentication and grants further permissions on that basis. Information that is no longer useful is deleted at the cloud end, and only the essential information is kept for future use. Unauthorised users are not allowed to access other users' data. Similarly, modifications to personal information require verification of the user's identity, with the objective of protecting the privacy of the data. The functionality of the cloud platform is designed to restrict access to the data for anyone who fails to present valid credentials, so a correction can only be made once the user has been authenticated by the cloud platform.

Cloud platforms have had a lasting influence on the lives of technical users, who can access information instantly at any time of the day without having to appear physically in front of any server. The quality of the data is maintained accurately in the cloud servers through cryptography, encryption, decryption and authentication control techniques (Sharma & Trivedi, 2014). The data is stored in digital formats in which each individual's unique digital identity is used to access the stored data.

3. Mitigating identified security risks and privacy risks (Akshay Kumar Aleti) (Sri Sanka Kathaluwa Liyanage)
In a cloud computing infrastructure it is pivotal to deal with threats such as data breaches, data loss, traffic hijacking, malicious insiders, shared technology, unavailability and reliability issues. Users must be prohibited from sharing account credentials, even with trusted business partners. The charity should also deploy a single sign-on mechanism so that fewer accounts have to be managed and tracked (Graciolli, 2015). Regular auditing is a must when the cloud is used, security can be strengthened with end-to-end encryption, and in-house software must not be left outdated. To deal with malicious insiders, the charity must deploy logging and reporting modules to keep track of important information, and user access to sensitive data must be restricted (Graciolli, 2015). If any abnormal or unwanted behaviour is identified, the charity must immediately block that access. Monitoring and auditing of access to sensitive data is key to mitigating insider threats. The charity can also create a mapping that identifies the zones containing critical information (Graciolli, 2015), and duties must be distributed fairly among staff rather than concentrated in one person.
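Added example (not from the original report or from Graciolli): the logging, monitoring and blocking practice described above, run over a few constructed audit log lines. The log format, the role-to-zone mapping, the business hours and the thresholds are assumptions chosen for the illustration; a real deployment would take them from the charity's own logging platform and access policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One event per line:
# <ISO timestamp> user=<id> role=<role> action=<verb> record=<id> zone=<zone>
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=alice role=caseworker action=read record=M-1001 zone=member-pii
2024-03-04T09:13:10 user=alice role=caseworker action=read record=M-1002 zone=member-pii
2024-03-04T09:40:00 user=bob role=finance action=read record=D-2001 zone=donations
2024-03-04T21:55:12 user=bob role=finance action=read record=M-1003 zone=member-pii
2024-03-04T10:00:01 user=carol role=caseworker action=read record=M-1010 zone=member-pii
2024-03-04T10:00:02 user=carol role=caseworker action=read record=M-1011 zone=member-pii
2024-03-04T10:00:03 user=carol role=caseworker action=read record=M-1012 zone=member-pii
2024-03-04T10:00:04 user=carol role=caseworker action=read record=M-1013 zone=member-pii
2024-03-04T10:00:05 user=carol role=caseworker action=read record=M-1014 zone=member-pii
2024-03-04T10:00:06 user=carol role=caseworker action=export record=M-1015 zone=member-pii
"""

# Assumed mapping of roles to the data zones they may touch (the "mapping of
# zones that contain critical information" from the text).
ZONE_ACCESS = {
    "caseworker": {"member-pii"},
    "finance": {"donations"},
}
BUSINESS_HOURS = (8, 18)          # assumed: 08:00 inclusive to 18:00 exclusive
BULK_THRESHOLD = 5                # assumed: 5 or more member-pii reads ...
BULK_WINDOW = timedelta(minutes=5)  # ... within five minutes is an exfiltration pattern

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+) zone=(?P<zone>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count and report these
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events: list) -> list:
    """Return (user, alert_kind, record) tuples for policy violations and abnormal access."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent member-pii accesses
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["zone"] not in ZONE_ACCESS.get(e["role"], set()):
            alerts.append((e["user"], "zone-violation", e["record"]))
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append((e["user"], "out-of-hours", e["record"]))
        if e["action"] == "export" and e["zone"] == "member-pii":
            alerts.append((e["user"], "bulk-export", e["record"]))
        if e["zone"] == "member-pii":
            window = [t for t in recent[e["user"]] if e["ts"] - t <= BULK_WINDOW]
            window.append(e["ts"])
            recent[e["user"]] = window
            if len(window) >= BULK_THRESHOLD:
                alerts.append((e["user"], "bulk-access", e["record"]))
    return alerts


def users_to_block(alerts: list) -> list:
    """Immediate block on zone violations and bulk access/export; out-of-hours alone only alerts."""
    blocking = {"zone-violation", "bulk-access", "bulk-export"}
    return sorted({user for user, kind, _ in alerts if kind in blocking})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print("block:", users_to_block(found))
```

In the constructed log, alice's two reads are normal; bob reads a member record outside his role's zone and outside business hours, which is the classic insider pattern; carol stays inside her zone but reads five records in a few seconds and then exports one, which trips the bulk threshold. Only the last two users end up on the block list, while the out-of-hours alert on its own would be routed to review rather than an automatic block.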
a. Mitigation for privacy Risks (Akshay Kumar Aleti)
The recommended solution for assuring privacy in cloud computing is to incorporate various control measures that protect the privacy of the data. The first and most essential step in controlling privacy on a cloud platform is to use authentication and authorisation schemes (Cohen, Baudoin, & Dotson, 2015). Authentication controls check the credentials of users before they log in to access data; the idea is to prevent unauthorised users from reaching the data. Classifying the credentials is one step towards integrating authorisation controls, where each individual is given a unique ID or reference number with which to access their own private data (Gholami & Laure, 2015). Identifying the exact requirements and evaluating the various deployment models is pivotal. The systems need a design that validates two-factor authentication on both the client and the server side (Gholami & Laure, 2015), and potential security threats should be identified in advance as part of the evaluation.
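Added example (not from the original report or from Gholami & Laure): a second factor of the kind the paragraph calls for, implemented as time-based one-time passwords (TOTP, RFC 6238) with only the Python standard library. The client side computes the same code from the shared secret; the server side accepts one step of clock drift and refuses a code whose time step has already been consumed, which is the replay case a naive check misses. The secret used below is the published RFC 6238 test vector, not a real key, and the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

TIME_STEP = 30   # seconds per code, the RFC 6238 default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """Client side: the code for the current time step."""
    return hotp(secret, now // step)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps scan at enrolment (secret as unpadded base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer + ':' + account)}?secret={b32}&issuer={quote(issuer)}"


class TotpVerifier:
    """Server side: accepts +/- drift_steps of clock skew, rejects replay of a used step."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_used_counter = -1  # highest time step already accepted for this user

    def verify(self, code: str, now: int) -> bool:
        counter = now // TIME_STEP
        for delta in range(-self.drift, self.drift + 1):
            candidate = counter + delta
            if candidate <= self.last_used_counter:
                continue  # that step was consumed already: replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print(provisioning_uri("Charity", "alice@example.org", secret))
    server = TotpVerifier(secret)
    code = totp(secret, 59)  # client computes the code at t=59
    print("first use:", server.verify(code, 59))
    print("replay:   ", server.verify(code, 59))
```

The password remains the first factor; this check runs after it succeeds. The per-user `last_used_counter` must be persisted server-side, since the replay protection depends on it surviving across requests.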
The organisation must be prepared for cyberattacks such as ransomware. It therefore needs good internal practices: strong passwords, secured channels for data transfer, and regular evaluation of the software interfaces for vulnerabilities. Web filters must be used to block infected websites. It is pivotal to inspect network traffic in depth in order to monitor and detect suspicious activity. Authentication can also be verified under the SaaS model, which can be used to verify mobile-friendly customers connected to the cloud applications of the IaaS model. The controls are implemented at the middleware layer to handle authentication in real time (Gholami & Laure, 2015). No invalid user is allowed to access the data without prior permission: the authentication system works at the very first step, where invalid credentials are refused any view of the data. HTTP traffic is also kept to a minimum with this type of middleware-layer verification (Gholami & Laure, 2015). Amazon S3 is cited as an example in this category, where mobile consumption of data is managed on IaaS clouds.
Public key infrastructure (PKI) is another mechanism, in the form of certificates, for protecting the privacy of data by handling the authentication of users (Gholami & Laure, 2015). Command line interfaces can also be used for additional security. Some companies also rely on mapping measures, such as using locally existing credentials to authorise users on other cloud providers once trust has been established with the existing cloud services. The charity can consider the privacy measures discussed here to implement controls on the cloud servers for better security, so that the privacy of the data is better assured.
There are also collaborative mechanisms, which reflect access to centralised facilities and the outsourcing of trust. These services count as authorisation as a service, in which a multi-tenancy authorisation system is employed to verify user credentials in addition to offering administrative controls.
Cryptography-based access control measures can also be implemented to restrict access by unauthorised users. Some studies have shown that a user-centric approach can also be used to grant access at the platform level (Gholami & Laure, 2015). Another important privacy control measure is identity and access management. As described earlier, creating digital identities is one effective method of assuring the privacy of data. A federated identity management system could be incorporated into the design of the cloud computing systems (Wladawsky-Berger, 2016). For this to work efficiently, the user has to maintain an effective relationship with the SaaS model domains, with the benefit that SaaS users can easily access shared resources on a SaaS cloud platform (Gholami & Laure, 2015). The functioning is different in a PaaS domain, where an interceptor manages the user's requests by acting as a proxy server and the requests are processed from this domain. The interceptor works by accessing the secure token service (STS) and using the WS-Trust specification (Gholami & Laure, 2015).
Identity-based encryption and identity-based signatures are an advanced form of identity validation control that allows only registered and trusted users to access the information stored on the cloud platform (Zaffer, 2015). The identity-based hierarchical model used in the structure of cloud computing is the main foundation of the proposal to implement identity-based authentication. Trusted cloud computing platforms are another mechanism for controlling the privacy of the data stored in the cloud database. In a trusted cloud computing platform the IaaS model functions as a single model, and a monitor known as the trusted virtual machine monitor is operated to protect the virtual machines (Miller, 2018). The components in the cloud manager are responsible for giving users access to the personal information stored in the database.
Other privacy controls the charity could employ are deterrent, preventive and detective controls. Deterrent controls are aimed at reducing attackers' attempts to disrupt and modify the data stored in the database (Mahesh, 2016): potential attackers are identified in advance, the threat level is reduced, and immediate measures can be implemented to assure protection.
b. Implementation of Privacy Strategy (Sri Sanka Kathaluwa Liyanage)
Preventive control measures are those the charity can put in place at the initial step to protect the data stored on the cloud platform. The objective is to eliminate, or at least reduce, any vulnerabilities that exist in the cloud database, and implementing preventive controls makes that reduction likely. Measures such as strong authentication and identity management can prevent unauthorised cloud users from accessing other users' data (Mahesh, 2016).
Then there are detective control measures, in which potential future incidents are detected in advance by using detection strategies. Detective control measures signify the actions that need to be controlled to avoid any misuse of the data in the future. Intrusion detection systems can be used for system and performance monitoring so that measures can be integrated in advance to avoid the chance of a data breach (Sharma & Trivedi, 2014). Intrusion detection systems are specially employed to predict attacks on cloud systems. The communication infrastructure is also evaluated in the detection of probable attacks.
There are also corrective measures which the charity could implement for enhanced services and benefits. The idea is to reduce the potential damage. System restores or backups are the methods employed to assure integration of the corrective measures (Rajegore & Kadam, 2017). These measures come into effect when the system has undergone damage after some incident affecting the cloud servers.
The physical security of the cloud servers can be taken care of by the cloud service providers, who protect the IT hardware infrastructure and the software. The idea is to prevent unauthorized users from gaining access to the confidential data stored in the database, so the possibility of data distortion is minimized. The objective is accomplished by making use of various applications that help protect the physical security of the cloud database.
Privacy of the data can be assured primarily by making use of encryption techniques. The security of the data is maintained by ensuring data confidentiality, data access controllability and, lastly, data integrity. Data integrity assures that the data is stored in an accurate format and is complete. Confidentiality of the data is maintained by using identity control schemes. The data integrity factor makes sure that the cloud provider is responsible for the deletion of unused, illegal or modified data (Mahesh, 2016). On finding such data, the cloud provider must be able to suggest ways to eradicate the invalid data.
Many laws have been implemented nowadays to protect data, especially data stored on the cloud platform. Technology is blooming and so are its benefits. Every now and then many advanced functionalities are added to cloud computing platforms to better the privacy of the stored data (Palmer, 2018). These techniques can help data users to assure protection of their data at an advanced level.
It must be the responsibility of the charity's technical staff to give the members clear instructions on the correct usage of the cloud services and on how creating digital identities can help secure their personal data. Moreover, there is a need to verify the details of the third parties and the cloud providers so that only trusted partnerships are built with them for the storage of the data (Mahesh, 2016). The functionalities of the SaaS, IaaS and PaaS models must be understood well in advance, with the help of experts, so that no lack of knowledge could ever hinder the privacy of the stored data. Security is the concern here and the ultimate goal to be accomplished.
The charity must take a multi-layered approach to the security triad. Personal data protection can only be guided by making use of authorization controls, which cover restricting illegal access, identifying users with the help of digital identities, and other authorization controls employed specifically for the SaaS, PaaS and IaaS models. Personally identifiable information (PII) is the ultimate feature which helps to track users based on their unique identities, following which permissions can be granted to each user to allow access to the data (Rouse, 2018). Besides this, multilayered controls, encryption techniques, digital signatures etc. act as the essential measures to control the privacy of the data.
Digital identities have a major role to play in restricting unauthorized users from accessing the contents of the database (Wladawsky-Berger, 2016). Security controls can be implemented in the architectural design of cloud computing platforms so as to prevent illegal users from gaining access to the database. Cloud computing is already a secured system with multi-factor authentication techniques to verify users. However, security can sometimes be compromised by the malicious attention of hackers, whereby the chances of personal information getting stolen or lost increase. Hence, protecting personal information demands privacy strategies for the protection of the personal data. The schemes discussed above can be easily integrated both at the charity level and at the cloud provider level. The charity needs to verify the details of the cloud provider and must be sure of the trustworthy relationship they have with the providers. The providers, on the other hand, are responsible for providing security to the personal and sensitive data. This can be implemented by using various control measures such as intrusion detection and prevention, monitoring tools, encryption, honeypot defence, firewalls etc. (Guilloteau, Orange, & Mauree, 2012). Critical data can be taken offline and companies must establish stringent terms of use.
4. Data Protection Strategy (Uma Hiriyannaiah Prema) (Sangeeth Reddy Arepally)
While addressing the security domain in a cloud environment, it is essential to consider carefully the assets concerning the acquisition, storage and retrieval of data. A community-based charity adopting newer technologies must take up data protection strategies so that the confidential information and identities of the related people are not compromised. The information arena is always subject to threats, and for a charitable organization (where a good amount of confidential data dwells) it becomes important to adhere to data protection services. Eventually, an organization should be able to recognize the sensitive nature of its data, maximize transparency regarding confidential information and implement security policies (Kaplan, Rezek, & Sprague, 2013).
With the inception of cloud computing, a major portion of the industry has benefited from the services rendered online. Cloud storage is economically better and offers good backup strategies at every level. Data management is well facilitated and applications are monitored over each and every operational device. However, the threat that prevails over the front end cannot be ruled out. A security strategy must enforce policies that restrict the threats from diffusing into the private portions. Although various cloud-associated phenomena like server redundancy and fault tolerance work in favour of maintaining integrity, they are not enough to guide the entire cloud-implemented network (Mowbray & Pearson, 2012). A revised plan for data authenticity should be maintained by the organization.
1. Initial constraints for the strategy (Sangeeth Reddy Arepally)
· Backing up and recovering
The word 'redundancy' carries major importance in the domains of information technology, data communication and networking. Maintaining various copies of the data that is integral to the organization's interest is the way to go (Petrocelli, 2015). Although the process requires a good amount of storage, it works well when the data is hampered or lost. The charity needs to be prepared for such situations and hence deploy an effective backup and recovery facility. It gives the organization flexibility about what data to protect and how long to protect it (Petrocelli, 2015).
· Dynamic storage
A strategy will only survive as long as the data exists. The data should be moved outside the primary storage location so that it does not fall prey to attacks and other physical damage. It is imperative to duplicate data between systems with techniques such as remote replication.
· Data and Information Lifecycle Management
It incorporates the above two points as well as attaching value and protection to the various information assets. Critical data can be placed on a read-only storage system so that it is not subject to alteration (Petrocelli, 2015). Stringent policies must be devised for automating information management.
2. Following the Holistic approach (Uma Hiriyannaiah Prema)
The holistic approach to data security makes sure that all the attributes pertaining to the organization are involved in the management activities in one way or another. These attributes encompass the technology in practice, the people involved and the process itself. The method ensures that all the groups are working together to attain a single goal, thereby making data integrity the highest priority.
· Technology
The data is stored in the cloud as soon as it enters the domain of the organization. The data undergoes various interactions and merges with distinctive application systems. This data enters the field from various paths: a lot of it arrives through websites, while call recordings and payment gateways make up a good amount. The data lurking in the payment gateways is the responsibility of the contact server. It is important for the organization to opt for the best contact servers because of the consequences associated with any kind of failure (Palmer, 2018). Considering the nature of the organization (i.e. a charity), payment data is frequent and needs security at every level of its movement. At times the call recordings require regular muting when confidential data like credit card information is exchanged (Palmer, 2018). This will involve an agent who will initiate the muting.
· People
The environment has transformed itself into a virtualised arena where human efforts are not frequently the subject of attention. However, assigning a skilful team to guard the data is quite effective. These people can be taught about the various implications and constraints associated with different operations (Gadia, 2016). For example, they can be told not to share any information regarding the donations with each other. They have to maintain their own accounts where they record their day-to-day proceedings. In this way, an organization can effectively analyse data whose integrity and availability are one hundred per cent intact. Moreover, a job description like the one in the above example would not create a fuss, as only a limited and apt number of people will be aware of the integrity of the confidential data. Conclusively, it can be said that this technique is quite effective; however, it is prone to human error.
· Process
The heading incorporates an introduction to the security policies. A set of protection protocols is essential. These protocols depend on the working methods of the organization. For a charitable one, the protocols will define the call recording, online access and authorization policies.
· Calls relating to payments should not be introduced to interns. Only regular and experienced members of the organization should have access to these types of calls. Furthermore, these calls should not be used in the training domain.
· The employees should only have access to their respective portals (Palmer, 2018). These portals are to be defined by their departments. Any breach into a foreign portal would lead to immediate action against the perpetrator.
· Regular monitoring of the systems and people is essential for limiting the threat imposed by attacks like DoS (Denial of Service). These attacks let intruders access the integral data and deny the rightful owner access to the information (Palmer, 2018).
· During the online sharing of confidential information, screen masking should ensure that the non-sharable data is well preserved (Palmer, 2018). This will add an additional layer of data security and will enhance the user experience.
3. Strategic Safeguarding (Sangeeth Reddy Arepally)
· Administrative safeguarding
· Risk analysis and management
Risk analysis is essential for the conventional implementation of a strategy. Every model in the software domain recognizes the importance of this factor. For this particular organization, risk analysis can be implemented through certain tools. Some of them are:
· Knowledge of application archive: Classification and segregation of data are necessary (How to Secure Private Data Stored and Accessed in the Cloud, 2018). This can only be achieved when there is good knowledge of the data present in the cloud. For data amounting to around 200TB, a team needs to be deployed to the work office.
· Cloud risk analysis report: Mentioning the risks associated with the operation, with remedies pertaining to the nature of the organization.
· Risk prioritization: Measuring the impact and accordingly taking action to reduce the extent of the risk (Gadia, 2016).
· Access restriction
As mentioned above, access restriction is important for preventing attacks like DoS as well as for preserving confidentiality. The cloud's access restriction can be linked with IP addresses. The organization will need to manage the IP addresses over the network. This is primarily done to ensure that no external party interferes with the confidential data. Intermixing with Cloud Access Security Brokers (CASB) is a fine option, considering that they act as a bridge between the enterprise and its security (How to Secure Private Data Stored and Accessed in the Cloud, 2018). They render a clean environment on the cloud, leaving no room for unwanted access requests. Access revocation is a practice that is generally followed. It involves putting the brakes on access for those people who have either ended the program or do not deserve any further access (How to Secure Private Data Stored and Accessed in the Cloud, 2018).
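The portal, IP-based restriction and revocation policies from the Process list and the access restriction paragraph above, combined into one access decision as an added example (not code from the report or any cited source). The staff directory, department portals, office network range and revocation list are all constructed; 203.0.113.0/24 is a documentation-only address block.

```python
"""Access restriction for the charity's cloud portals.

Added example, not from the report. The staff directory, portal names,
revocation list and office network range are all constructed here.
"""
import ipaddress

# Constructed policy data. Each department owns exactly one portal.
PORTAL_BY_DEPARTMENT = {"donations": "donations-portal", "outreach": "outreach-portal"}
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range
STAFF = {
    "alice": {"department": "donations", "role": "regular"},
    "bob": {"department": "outreach", "role": "regular"},
    "intern-07": {"department": "donations", "role": "intern"},
    "intern-08": {"department": "donations", "role": "intern"},
}
REVOKED = {"intern-07"}  # finished the program: access withdrawn
AUDIT_LOG = []           # denied attempts, fed to the regular monitoring step


def check_access(user, portal, source_ip, resource="general"):
    """Decide whether `user` may open `resource` on `portal` from `source_ip`.

    Returns (allowed, reason). Every denial is appended to AUDIT_LOG so that
    a foreign-portal attempt can be followed up immediately.
    """
    def deny(reason):
        AUDIT_LOG.append({"user": user, "portal": portal, "ip": source_ip, "reason": reason})
        return False, reason

    staff = STAFF.get(user)
    if staff is None:
        return deny("unknown user")
    if user in REVOKED:
        return deny("access revoked")
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return deny("invalid source IP")
    # Access is linked to the managed office IP range.
    if not any(addr in net for net in OFFICE_NETWORKS):
        return deny("source IP not permitted")
    # Staff may only use the portal defined by their own department.
    if PORTAL_BY_DEPARTMENT.get(staff["department"]) != portal:
        return deny("foreign portal")
    # Calls relating to payments are not introduced to interns.
    if resource == "payment-call" and staff["role"] != "regular":
        return deny("payment calls restricted to regular staff")
    return True, "ok"


def revoke(user):
    """Put the brakes on access for someone who has left the program."""
    REVOKED.add(user)
    return user in REVOKED


if __name__ == "__main__":
    print(check_access("alice", "donations-portal", "203.0.113.10"))
    print(check_access("alice", "outreach-portal", "203.0.113.10"))
    print(AUDIT_LOG)
```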
4. Technical safeguarding (Uma Hiriyannaiah Prema)
· De-identification
It is popular but at the same time difficult to implement. De-identification is the process by which a person's identity is kept hidden so as to secure it from external parties. Hiding the identity calls for the separation of a person's identity from the information. De-identification promotes anonymity and is a perfect technique for the charity's cloud security. It involves masking particular attributes and deleting them. Often, this technique fails when someone re-identifies the identity. In that case, the effectiveness of the de-identification is brought under surveillance and the algorithms are re-formulated (How to Secure Private Data Stored and Accessed in the Cloud, 2018). Re-identification is a result of improperly de-identified data assets. Conclusively, de-identification is a very fruitful process when there are a lot of people correlated to the organization.
· Data encryption
Encrypting data has long been in practice. It involves the transformation of data into another format, commonly known as ciphertext. This newer format is only accessible through a key known as the decryption key, which is only provided to authorized users. The process is associated with various protocols, one of which is HTTPS (Hyper Text Transfer Protocol Secure), which involves the use of public and private keys. Decryption is not easy; however, hackers often manage to breach the security using reverse algorithms to decrypt the ciphertext (Sharma & Trivedi, 2014). Various cloud-based services provide client-side encryption; AWS (Amazon Web Services) is a fine modern example. Encryption algorithms are a must to validate confidentiality and integrity (Sharma & Trivedi, 2014).
· User and employee authentication (Akshay Kumar Aleti)
Considering the nature of the organization, it can be seen that both user and employee authentication would point towards almost similar technology. DaaS (Directory as a Service) has emerged as a successful candidate for initiating cloud-based authentication (Keller, 2015). Authenticate, authorize and manage: that is the purpose of the central directory. DaaS is an initiative that came in with the innovation of JumpCloud and has been creating fresh waves in the domain of cloud-based data protection and services (Keller, 2015). The process makes use of the concept of tunnelling, where the connection between two components on the same network is supported by a component on the foreign network. With DaaS's inception, virtualisation has been promoted. Employees can work from anywhere, and thus this technology entirely suits the charity organization. Other authentication methods include deploying strong passwords at the first protection level. It is vital to have access control and scrutiny support, i.e. audit tools for users to assess important issues like verification, implementation, protection etc. (Sharma & Trivedi, 2014). Users must ensure they deploy monitoring, prevention and defensive tools such as firewalls, packet filtering, router protection etc.
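The de-identification safeguard described in this section (separating identity from the information, masking or dropping attributes, and re-identification as the failure mode), as an added example that is not code from the report or any cited source. The member records, the pseudonym key and the reference year are constructed; the key stands in for a secret the charity keeps outside the uploaded dataset.

```python
"""De-identify charity member records before cloud upload.

Added example, not from the report. Records, key and reference year are
constructed. Direct identifiers are dropped, the member id is replaced by
a keyed pseudonym (the key stays with the charity, so only the charity can
re-link records), quasi-identifiers are coarsened, and any group that is
still unique is suppressed so that no record stands alone.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: direct identifiers plus quasi-identifiers.
MEMBERS = [
    {"member_id": "M001", "name": "Alice Example", "email": "alice@example.org",
     "phone": "0412345678", "postcode": "2640", "birth_year": 1984, "donation": 50},
    {"member_id": "M002", "name": "Bob Sample", "email": "bob@example.org",
     "phone": "0498765432", "postcode": "2641", "birth_year": 1986, "donation": 20},
    {"member_id": "M003", "name": "Carol Test", "email": "carol@example.org",
     "phone": "0411122233", "postcode": "2640", "birth_year": 1989, "donation": 75},
    {"member_id": "M004", "name": "Dan Demo", "email": "dan@example.org",
     "phone": "0433344455", "postcode": "3000", "birth_year": 1952, "donation": 500},
]

PSEUDONYM_KEY = b"constructed-key-held-by-charity-not-uploaded"
DIRECT_IDENTIFIERS = ("member_id", "name", "email", "phone")
QUASI_IDENTIFIERS = ("postcode_region", "age_band")


def pseudonym(member_id, key=PSEUDONYM_KEY):
    """Keyed hash: linkable by whoever holds the key, opaque to the cloud."""
    return hmac.new(key, member_id.encode(), hashlib.sha256).hexdigest()[:16]


def generalise(record, ref_year=2018):
    """Drop direct identifiers and coarsen the remaining quasi-identifiers."""
    age = ref_year - record["birth_year"]
    decade = age // 10 * 10
    return {
        "pseudonym": pseudonym(record["member_id"]),
        "postcode_region": record["postcode"][:2] + "xx",
        "age_band": f"{decade}-{decade + 9}",
        "donation": record["donation"],
    }


def quasi_key(record):
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def k_anonymity(records):
    """Size of the smallest group sharing the same quasi-identifier values.

    A value of 1 means some record is unique and can be re-identified by
    anyone who knows that person's region and age.
    """
    groups = Counter(quasi_key(r) for r in records)
    return min(groups.values()) if groups else 0


def deidentify(records, k=2):
    """Generalise every record, then suppress quasi-identifiers of any
    group smaller than k so the released set is at least k-anonymous."""
    out = [generalise(r) for r in records]
    groups = Counter(quasi_key(r) for r in out)
    for r in out:
        if groups[quasi_key(r)] < k:
            for q in QUASI_IDENTIFIERS:
                r[q] = "*"
    return out
```

Generalisation alone leaves the 60-69 / 30xx record unique (k = 1); suppression of the small groups raises the released set to k = 2.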
Fig. Implementing data protection strategy
Ultimately, a holistic approach suits the organization well, for it encompasses each and every aspect from person to system to technology. The correlation renders the availability of various protection levels, which means that there are multiple options that can monitor and prevent mishaps. Furthermore, even if one aspect fails to deliver, the protocols and policies infused into the structure will ensure that data integrity is preserved.
5. Conclusion (Uma Hiriyannaiah Prema)
The prevalence of data breaches has put a big question mark on the privacy of cloud computing. Despite providing the ultimate number of benefits, security is still at risk for most users. The personal information of users is targeted the most, and hackers may attempt to ruin and modify the information. Hence, privacy strategies need to be implemented from the very first step to assure protection of the users' data. Many strategies have been discussed above that the charity can implement before proceeding with moving the data on to the cloud platforms.
6. Appendix – Team Discussion
7. Bibliography
Benkoel-Adechy, D. (2012). 5 forces driving Trusted Digital Identity. Retrieved from https://blog.gemalto.com/mobile/2018/02/22/5-forces-driving-trusted-digital-identity/
Bernheim, L. (2018). IaaS vs. PaaS vs. SaaS Cloud Models. Retrieved from https://www.hostingadvice.com/how-to/iaas-vs-paas-vs-saas/
Cloud Computing. (2015). Retrieved from https://www.pcpd.org.hk/english/resources_centre/publications/files/IL_cloud_e.pdf
Cloud computing and privacy. (2014). Retrieved from https://www.communications.gov.au/sites/g/files/net301/f/2014-112101-CLOUD-Consumer-factsheet.pdf
Cohen, E., Baudoin, C., & Dotson, C. (2015). Security for Cloud Computing. Retrieved from http://www.cloud-council.org/deliverables/CSCC-Security-for-Cloud-Computing-10-Steps-to-Ensure-Success.pdf
Collection of solicited personal information. (2018). Retrieved from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-3-app-3-collection-of-solicited-personal-information
Deyo, J. (2018). Software as a Service (SaaS). Retrieved from http://www.isy.vcu.edu/~jsutherl/Info658/SAAS-JER.pdf
Digital Identity and Privacy. (2017). Retrieved from https://www.omidyar.com/sites/default/files/file_archive/Digital_Identity_POV_Oct17.pdf
Gadia, S. (2016). How To Manage 5 Key Risks In Cloud Computing. Retrieved from https://www.forbes.com/sites/kpmg/2016/09/15/how-to-manage-5-key-risks-in-cloud-computing/#37ac9ce87542
Gholami, A., & Laure, E. (2015). Security and Privacy on sensitive data in cloud computing. Computer Science & Information Technology, 2015, 131-150.
Google Cloud and Australian Privacy Principles. (2018). Retrieved from https://cloud.google.com/files/GoogleCloud-AustralianPrivacyPrinciples.pdf
Graciolli, M. (2015). Ways to mitigate cloud computing risks. Retrieved from https://www.neweggbusiness.com/smartbuyer/over-easy/5-ways-mitigate-cloud-computing-risks/
Guilloteau, S., Orange, F., & Mauree, V. (2012). Privacy in Cloud Computing. Retrieved from https://www.itu.int/dms_pub/itu-t/oth/23/01/T23010000160001PDFE.pdf
How to Secure Private Data Stored and Accessed in the Cloud. (2018). Retrieved from https://digitalprinciples.org/resource/howto-secure-private-data-cloud/
Kaplan, J., Rezek, C., & Sprague, K. (2013). Protecting information in the cloud. Retrieved from https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/protecting-information-in-the-cloud
Keller, G. (2015). Cloud-based User Authentication. Retrieved from https://jumpcloud.com/blog/uncategorized/cloud-based-user-authentication/
Mahesh, B. (2016). Data security and security controls in cloud computing. International Journal of Advances in Electronics and Computer Science, 2016, 11-13.
Miller, J. (2018). SharePoint Cloud Solution Comparisons. Retrieved from http://summit7systems.com/downloads/S7S_SharePointCloud