Privacy, security and ethical reflection
Charles Strut University Cloud Privacy And Security
CLOUD PRIVACY AND SECURITY
ASSIGNMENT 2
SUBMITTED TO
PURVI MEHTA
SUBMITTED BY
Sangeeth Reddy Arepally
11660914
arepallysangeethreddy@gmail.com
Table of Contents Introduction 3 Security of Employee Data 4 Existing Threats and Security Concerns 4 Additional Risks with Migration to SaaS Application 5 Severity of Risk and Threat to Employee Data 6 Privacy of Employee Data 9 Existing Privacy Threats and Risks 9 Additional Privacy Threats and Risks with Migration to SaaS Service 10 Severity of Risks and Threats to the Privacy of Employee Data 11 Digital Identity Issues 13 Provider Solution Issues 16 Data Sensitivity 18 Conclusion 20 References 21
Introduction
With the evolution of technology, operations have become much more efficient and easier for organizations of all kinds. However, everything has a downside, which in this case is the dangerously rising amount of cyber-crime and malicious activity. There are thousands of victims of such activities each day, which range from individuals to large organizations. Once on the internet, no one is safe, the risk is of course higher for larger organizations, due to their storage of large amount of data on their operations, employees, finances, individuals, etc. There are many solutions for such malicious and fraudulent online activity provided by experts, which includes Cloud Computing. Another by-product of Cloud computing is SaaS, or ‘Software as a Service’.
These computing systems and services are designed to host all the data for organization from remote servers hosted on the internet to store, process and manage data, rather than on the local servers or personal computers. Furthermore, all the data processed through SaaS, is managed and processed centrally. However, these complex systems and services fail to eliminate security threats and risks completely, as there are organized experts carrying out malicious activities and frauds on the other end also. This case study will provide a complete, detailed risk assessment, security concerns, and privacy threats that are present while changing to Cloud computing and/or SaaS for operations of a Charity. In-depth security and privacy concerns will be reviewed and analyzed of individuals as well as employees.
Security of Employee Data
Existing Threats and Security Concerns
In-house HR department of the Charity, in order to carry out their responsibilities, have to collect a whole lot of personal and professional information about the employees. This storage of the huge amount of information is looked upon as a goldmine to cyber criminals (Dion, 2013). HR department of a company is most prone to receiving malicious files or links as they usually use a shared inbox for all of their potential and current employees, and on top of that the HR representatives are expecting their potential employees to send some files or links to their previous work experiences and their CV’s, which can be sent to them by anyone. A lot of cyber criminals could take advantage of that by imbedding malicious content in such documents or links (Joseph, 2009). Another platform that puts employee data for the charity at huge risk in the in-house HR system is the social media.
More often than not, HR representatives browse the social media to look for potential candidates for the company. This is also a huge opportunity for cyber criminals as they can set traps for such social media browsers to fall right in to. The huge amount of employee data can easily fall into the wrong hands to be misused (Joseph, 2009). This can include identity theft, personal blackmailing, or simply selling the data to organizations for their own use. This makes the current in-house HR data processing and management of employees a huge security and privacy concern for both, the employees and the charity. The employees of the charity could never be certain about the safety of their personal information when providing it to the HR representatives (Saini, 2014). Appropriate steps are needed for this growing threat of misuse of personal information; otherwise the employees of the charity would never remain or feel safe about providing their personal and/or financial information to the HR representatives.
Additional Risks with Migration to SaaS Application
SaaS is supposed to make things a lot easier for the charity manager and employees alike. However, comfort and ease are not the only things that matter. Another huge concern is the privacy and security of sensitive information of employees (Ferrini, 2009). The first and the biggest information security risk and privacy threat that comes to mind is not having an internal IT department for the management and processing of such personal and sensitive data, rather than sharing it with a third party (Hunton, 2010). This can raise many questions in the minds of the employees and the managers of the charity. It is a huge concern that how many employees of the third party would be able to access the information, how many unauthorized personnel would be able to access the information, would the data be safe from cyber-criminals or not, etc (Sawma, 2016). in this case, the SaaS provider that the charity has chosen has many branches in different countries, with its main database being in California, USA, with a replica being in Dublin Ireland, with all the data processing, maintenance, feature releases, configuration and updates being processed from the application provider’s processing center in Bangalore, India.
This is another huge concern for the employees and the board of the charity as the information would be accessible to so many people from many different parts of the world, which makes the chances of misuse of data and cyber crimes significantly high (Sawma, 2016). Another privacy and security concern about the SaaS provider is their lack of transparency about their operations. Although the provider assures the board of the charity that they will be able to keep their information even more secure than the in-house HR and IT managers it is still questionable why they would not disclose how they will do it (Foxall, 2018). The SaaS provider does argue that the whole purpose of their safety and security would be destroyed if they started sharing it with their users, which does make sense to some extent, however, the concern about the privacy and security about the personal and sensitive information of the employees increases having to blindly trust a third party with it (Dion, 2013).
Severity of Risk and Threat to Employee Data
Although there are many existing threats and risks to the security of employee data in the in-house HR and IT department. The severity of such threats and risks are bound to increase with the immigration of the charity’s HR to the SaaS solution provider (Ferrini, 2009). With the in-house HR the personal and sensitive information of the employees was still safe with the charity’s own personnel and the board of the charity was responsible for it. With the immigration to an SaaS application things would become simply out of control of the board of the charity. The third party SaaS solution provider would be free to do as they please with the employee data provided to them. This makes the employee personal and sensitive data much more vulnerable and prone to misuse, and cyber crimes (Ferrini, 2009). The lack of knowledge about the operations and the data processing and management procedures of the SaaS solution provider increases the security threats and risks of the employees’ data considerably.
The sharing of the personal and sensitive data and information about the charity’s employees with a third party makes the data much more vulnerable to be falling into the wrong hands. The data is shared with many employees of the SaaS solution provider, who are located and operational in many different locations which increases the risks and threats associated with the data security concerns much higher than they already are (Saini, 2014). The operational costs of the charity might go down by migrating to such an SaaS solution provider and cloud computing, however, putting such sensitive and personal employees’ data on the line for that could be considered very irresponsible and unethical.
|
|
Security |
||||
|
|
Negligible
|
Marginal
|
Critical
|
Catastrophic
|
|
|
Probability |
LOW
|
HR department being tricked with malicious content |
Client sensitive information accessed by third parties |
Not processing and managing the employee data appropriately |
SaaS providers being involved in the malicious and fraudulent activities concerning the employee data privacy and security |
|
|
MEDIUM
|
Viewing of the employee data by the SaaS providers’ employees |
Charity’s employees not having any idea about who can view their data |
Mismanagement of the large amount of data |
Digital identity theft or misuse of employees of the charity |
|
|
HIGH
|
Employees being able to access each others data |
Lack of knowledge about the SaaS provider’s operations |
Losing some of the data of the employees of the charity |
Cyber criminals targeting the databases to access the employee data and digital identities of employees of the charity |
This is a risk assessment matrix highlighting some of the risks and threats of employee data security and privacy.
Privacy of Employee Data
Existing Privacy Threats and Risks
The in-house HR management storing, processing and managing the sensitive and deeply personal data of the employees of the charity could be subject to a great deal of privacy risks and threats. The employee data could be subject to theft or misuse by cyber criminals, which exist in dangerously huge numbers on the World Wide Web, making employee data privacy completely nonexistent (Foxall, 2018). Employees have to disclose many personal details about themselves to the HR representatives before being hired at the charity which eliminates employee privacy completely. The confidentiality agreement would not be of much use if the data is stolen or acquired by other malicious activity (Foxall, 2018). For these reasons an employee could never be completely comfortable about providing private information about themselves to the HR representatives of the charity. The data can be misused in many different ways if stolen and the privacy of the employees would be nonexistent if it happens (Foxall, 2018).
It is required by the HR and IT representatives of the charity to take some sort of precautions and steps to ensure that such incidents never occur. It is the job of the board of the charity to implement this as a required step in order to handle the sensitive employee information provided to them responsibly (Hunton, 2010). The privacy of the employees could be in immense danger due to the carelessness of the HR and IT departments respectively. The most secure way to avert such an incident is to go with the layered protection systems to guard against malicious intruders into the HR database (Saini, 2014). The layered system will used its complex multilayered security systems to protect the charity’s HR databases to be subjected to malicious activity and thus the privacy of the employee data would be much more secure than before.
Additional Privacy Threats and Risks with Migration to SaaS Service
With the charity’s migration to SaaS HR solutions, the privacy risks and threats to the employees’ personal and sensitive information are bound to increase significantly. The employees’ private and sensitive data would be shared to the SaaS provider, a third party, by the board of the charity itself, it would not be stolen or acquired through malicious activity, but presented to a third party by trusting them blindly (Saini, 2014). This raises many questions about the privacy of that data. The SaaS provider could easily misuse that data themselves, on top of that the employees would feel much more exposed, as their private data would not only have been shared to the in-house HR representatives but be shared with a third party, the SaaS provider (Sawma, 2016). The SaaS provider would then share that data with a sea of individuals including their employees and staff to be processed and managed accordingly. This throws the employee privacy of data out of the window.
Other than this, the lack of transparency of the operations of the SaaS provider is also a cause for many privacy concerns regarding the personal and sensitive employee data. If any unauthorized individual or a cyber criminal could get a hold of the database of the SaaS provider, they will have access to a huge amount of data containing many personal, private and sensitive details about all the employees of the charity (Sawma, 2016). The SaaS provider could be involved in questionable, fraudulent and malicious activity themselves and the board of the charity would have no way of knowing that at all. This puts the privacy of employee data under a lot of questionable platforms. The board of the charity needs to consider these risks accordingly before proceeding with a cloud computing systems, including SaaS (Sawma, 2016). They need to take all of these risks about privacy of employee data under consideration and carry out detailed and in-depth research to find satisfactory answers to these questions. There is too much at stake here to go in blindly and take this huge leap of faith without first clearing all the doubts and the concerns about these possible privacy risks and threats to the employee data with the migration to SaaS HR solutions (Sawma, 2016).
Severity of Risks and Threats to the Privacy of Employee Data
The severity of the privacy risks and threats to the employee data, increases significantly with the charity’s migration to the SaaS solutions, and cloud computing. Considering the previous risks and threats of employee data privacy, the in-house HR system still kept everything internal to the charity’s operations (Joseph, 2009). Providing such private and sensitive employee data to a third party would take things simply out of the control of the board of the charity. Such sensitive and private data and its protection against misuse or malicious activities is the responsibility of the board and the HR of the charity, as the employees have trusted them with their personal and sensitive information (Joseph, 2009). The privacy concerns, risks and threats of the employee data becomes much more severe with the entering of an untrustworthy third party. The impact of these privacy risks and concerns should be reviewed appropriately before handing over such a delegate and sensitive set of private data of the employees of the charity.
The privacy of the employees is prone to become nonexistent in the case of such sharing of their personal and sensitive data to a third party whose operations, processing, and the management of said data is completely unknown (Joseph, 2009). The individual lives of the employees as well as the well-being of the charity could be in grave danger with such a huge and risky step. It is evident from this, that the privacy risks and threats would become considerably higher, if the board of the charity does decide to migrate to SaaS HR solutions. The privacy of said employees could be in huge danger with such a step. If fallen into the wrong hands, the sensitive and private employee data could prove to be very dangerous for the employees as well as the charity (Joseph, 2009).
|
|
Security |
||||
|
|
Negligible
|
Marginal
|
Critical
|
Catastrophic
|
|
|
Probability |
LOW
|
HR department being tricked with malicious content |
Client sensitive information accessed by third parties |
Not processing and managing the employee data appropriately |
SaaS providers being involved in the malicious and fraudulent activities concerning the employee data privacy and security |
|
|
MEDIUM
|
Viewing of the employee data by the SaaS providers’ employees |
Charity’s employees not having any idea about who can view their data |
Mismanagement of the large amount of data |
Digital identity theft or misuse of employees of the charity |
|
|
HIGH
|
Employees being able to access each others data |
Lack of knowledge about the SaaS provider’s operations |
Losing some of the data of the employees of the charity |
Cyber criminals targeting the databases to access the employee data and digital identities of employees of the charity |
This is a risk assessment matrix containing some of the key risks and threats of privacy and security concerns of employee data.
Digital Identity Issues
Digital identity is a very dangerous and risky concept as it is couple that with a third party, it becomes even more risky and prone to misuse. A digital identity also known as an online identity contains all the complex, and private information about an organization, or an individual, including their online behavior, past purchases, social security information, credit card information, etc (Ferrini, 2009). The digital identity of the employees of the charity would include all their private information about their personal self and their previous activity on the business computer. Such information could prove to be very dangerous if fallen into the wrong hands (Ferrini, 2009). The most dangerous outcome could be that of identity theft. Cyber criminals are always on the lookout for potential identities to steal, and with the emergence and popularity of the digital identity, everything they need to steal an identity would be presented to them on a silver platter. Such activities can prove to be very dangerous. Digital identity of the employees of the charity could be misused in such ways where it would not only be dangerous for the employees, but the operations of the charity could be also in immense danger.
If the board of the charity comes to the decision that they would be moving to cloud computing and SaaS HR solutions, it would make the digital identities of the employees much more prone to misuse. The digital identity of an employee would contain all the details required for a cyber criminal to misuse or abuse the information acquired by them (Ferrini, 2009). They can go as far as to steal the identity of the employees’ altogether, and if the HR management of the charity is to be handed over to the SaaS solutions provider, the charity would in no way be in control of the digital identities of their employees and it would be a cyber criminal’s goldmine to come across such a huge amounts of data containing the digital identities of hundreds of employees of the charity. Other than this the SaaS provider themselves could be participants of malicious activity or digital identity fraud. Handing over such a huge number of digital identities of the employees of the charity, without gaining complete transparency and management of their operations first, is an insanely risky move. Personal and sensitive information of the employees of the charity, as well as their digital identities could be used for fraudulent or questionable purposes if provided to a third party without fully knowing about their operations (Dion, 2013). This lack of transparency provides the SaaS applications solution provider with the opportunity to misuse the personal and sensitive employee data in any way they want. For cyber criminals such a large amount of data could be very useful to use for their questionable and malicious motives, which is why it is very dangerous to trust such third parties with such sensitive information.
Other than this, the charity collects PII data on the clients that use their services, to tend to their requirements and needs in a more personalized matter. This PII data includes some digital identity data for some of the more disadvantaged clients of the charity especially if they are suffering from mental health issues. If the board of the charity decides to convert to a cloud computing system uploading all of this data to a cloud vendor and SaaS provider, if things go wrong, the clients of the charity are prone to suffer alongside with the employees as well. This highly individualized data on the clients of the charity makes the already disadvantaged clients vulnerable to the charity, and if the charity shares that information with a third party there is no way of knowing or controlling the outcome of that decision (Dion, 2013). The highly personalized information and the digital identity make the clients a high target to be blackmailed or manipulated.
Cyber criminals could target such disadvantaged individuals very easily as they are already suffering from mental health issues and are prone to be manipulated or blackmailed easily. Certain risks and threats to the well-being of the clients of the charity as well as the employees of the charity are needed to be considered thoroughly before taking such a risky step (Dion, 2013). It is very important for the board of the charity to ensure that the digital identities of their employees as well as their clients are going in safe hands before coming on a final decision. Providing such a large amount of data on the employees and the clients to a third party would also be considered highly unethical and irresponsible for the board of the charity (Dion, 2013). The board of the charity needs to weigh the pros and cons of this decision before finalizing it; otherwise some serious, irreversible damage could take place.
Another shortcoming of cloud computing and SaaS applications solution is that it is never certain to the user where their data is actually stored (Saini, 2014). SaaS providers, especially those of cloud based software never disclose to the costumer where their databases are. This means that the charity can never carry out a background check on the SaaS provider, to ensure that the data and the digital identities of their employees are safe and secure (Saini, 2014). This poses another great threat and risk to the security and privacy of the highly sensitive and personal data of the employees of the charity. The board of the charity needs to find solution for this risk and consider it thoroughly before coming to a final decision. Digital identity of the employees of the charity could also prove to be very problematic if lost by the SaaS provider. It would mean that the entire online history of the employees would be wiped out and they would have to build it back up again (Saini, 2014). This would make the individuals unrecognizable by any and all online platforms. Which could be a huge problem for them (Saini, 2014).
Provider Solution Issues
Converting to a cloud computing system and SaaS solutions for HR management would of course make things much more efficient for the operations of the charity. It would also bring the cost of operations considerably lower for the charity’s operations. However, these benefits could make the board of the charity make the wrong decisions, which are not in the best interests for either their clients or their employees. The previously identified security and privacy threats and risks to the sensitive data about the employees of the charity hugely outweigh the benefits the cloud vendors and the SaaS provider claims that the charity would gain (Dion, 2013).
The shady and non-transparent operations of the SaaS solutions provider can raise some huge threats and risks regarding the safety and security of the sensitive and private employee data. It can be a huge ethical issue for the board of the charity to disclose private and sensitive information about their employees to a third party that is not at all transparent about their operations (Hunton, 2010). Sharing such a huge amount of sensitive and private data on the employees of the charity can be considered highly unethical and risky (Joseph, 2009). Neither the charity nor the individual employees would have any control or knowledge about the collective and individual data that will be uploaded to the cloud computing system’s and SaaS providers databases. Giving up control and knowledge of such a large amount of individual personal and sensitive data plus individual digital identities of the employees would also have great deal of security and privacy risks and threats and would be considered highly immoral and unethical (Saini, 2014).
Furthermore, the potential SaaS provider for the charity operates and manages data in multiple locations which makes it even more prone to unethical and wrongful use of the personal individual, employees’ data (Dion, 2013). This would also be considered highly unethical on the part of the board of the charity if they are to share said data to such a third party. The employees’ personal and sensitive information plus their digital identities would be exposed to people in multiple locations making their privacy and data security completely nonexistent would also be highly unethical for the board of the charity (Dion, 2013). Before proceeding forward with this decisions of converting to cloud computing systems and moving to SaaS solutions for HR management the board of the charity would need to take these factors well into consideration.
It would also be unethical for the board of the charity to share such personal and sensitive employee data and their digital identities to such a third party without the consent of their employees, to ensure that appropriate communicative and voting measures must be taken by the board of the charity (Sawma, 2016). The Employees would have no idea whatsoever about the location, management or processing measures of their data nor would the board of the charity, leaving them completely out of the equation while managing and processing their data. This lack of control and knowledge in such sensitive matters can be really dangerous and risky (Sawma, 2016). The board of the charity needs to find the appropriate answers and solutions for such risks before finalizing any decisions whatsoever.
Data Sensitivity
The board of the charity needs to take into account that the data they would be sharing with the SaaS application solution providers would be highly sensitive and personalized individual data, if misused the sharing of that data could have some serious consequences (Sawma, 2016). Sharing of such a huge amount of employee data could put the privacy and digital identities of the employees of the charity in grave danger. This dangerous and risky step could result in making hundreds of employee lives seriously prone to malicious and fraudulent activity. The identities of said employees could be stolen, they could be blackmailed or manipulated using their personal and sensitive data, their personal and private information could be sold to other people with questionable motives, etc.
Other than this, the board of the charity also needs to consider that the data they will be sharing with the SaaS solutions provider would be processed and managed in Bangalore, India, where the charity would have no jurisdiction to demand the activity of their data. The information could easily be misused without the knowledge of the board of the charity or the employees of the charity. Such issues are of immense importance when considering making this big of a decision on such a sensitive and risky matter (Hunton, 2010). The security concerns and privacy threats greatly outnumber the benefits that the charity will gain by migrating to SaaS application solutions for HR management. However, if the board of the charity can ensure that that they can manage and address these risks and threats accordingly while ensuring complete privacy and security of employee data and their digital identities they can consider moving to a cloud computing system as a beneficial venture for the operations of the charity. However, if they are unsure of the outcome of this action and cannot guarantee complete safety, privacy and security such employee data they should not take this risk. Taking this risk would not only put their employees’ privacy, security and digital identities in danger but their own ethical standpoint would be at a questionable stance (Dion, 2013).
Such sensitive employee data can be subject to many security risks and privacy threats even if stored to an internal database of the charity or managed by in-house HR representatives, however, if such data is shared with a third party in order to gain benefits from a cloud based computing systems and SaaS HR management solutions these risks and threats are multiplied. It would be very unethical for the board of the charity to put their employees’ such sensitive data on such a great risk (Dion, 2013). The board of the charity cannot risk losing control over such important data and in such a large quantity. The risks and threats need to be appropriately considered and steps must be taken to minimize them accordingly before sharing any sensitive employee information with third parties.
Risk management and the in-depth analysis and assessment of such risks is very important for the board of the charity before making such major decisions. The safety and privacy of the employees would be largely compromised by such actions which would then put the operations of the charity also in great danger (Sawma, 2016). The board of the charity should be able to answer all the questions that arise in the minds of employees or IT consultants before trusting any third parties with the processing and management of such sensitive employee data. If this is not done the digital identities of the employees could be stolen, their sensitive information can be used against them, their personal and private information could be sold to other parties, they could be blackmailed or manipulated by their sensitive and personal information by cyber criminals, and their privacy would simply cease to exist (Dion, 2013).
Conclusion
To sum up, in this paper an in-depth risk assessment is provided regarding the migration of a charity to cloud computing system, and getting SaaS application solutions for their HR management. The security and privacy risks and threats this action would include are discussed thoroughly. It is seen how the large amounts of personal and sensitive employee data can be misused and abused by cyber criminals in their malicious and fraudulent activities. It is also seen how the digital identities of such employees can be stolen and used for the benefits of such cyber criminals. The lack of transparency of the SaaS provider is also viewed as a highly concerning aspect of this decision. It is also seen how the employees of the charity could be manipulated or blackmailed using their personal information by cyber criminals. The motives and actions of such SaaS application solutions provider are also questioned, and their participation in malicious or questionable activities is also questioned. It is concluded that migrating to such cloud computing systems and using SaaS application solutions for the management of HR might be beneficial to the operations of the charity in terms of efficiency and cost savings. However, the privacy and security risks and threats this actions poses on the personal and sensitive data on the employees of the charity are far greater than the benefits. Therefore, the board of the charity needs to tread carefully as not to make a huge mistake regarding the misuse and/or abuse of the sensitive and private data on their employees.
References Dion, M. (2013). Corruption, fraud and cybercrime as dehumanizing phenomena. INTERNATIONAL JOURNAL OF SOCIAL ECONOMICS , 38 (5). Ferrini, R. (2009). Privacy-preserving Digital Identity Management for Cloud. IEEE , 1-7. Foxall, D. (2018, February 5). Five basic HR data security threats in 2018. Retrieved August 13, 2018, from hrmsworld.com: https://www.hrmsworld.com/hr-data-security-threats.html Hunton, P. (2010). Cyber Crime and Security: A New Model of Law Enforcement Investigation. A Journal of Policy and Practice , 4 (4), 385–395. Joseph, A. D. (2009). Above the Clouds: A Berkeley View of Cloud Computing. Electrical Engineering and Computer Sciences University of California at Berkeley , 3-25. Saini, S. (2014). Identity Management issues in Cloud Computing. International Journal of Computer Trends and Technology (IJCTT) , 9 (8), 414-416. Sawma, E. (2016, May 5). Identity and Access Management Challenges with Your SaaS Apps. Retrieved August 13, 2018, from okta.com: https://www.okta.com/blog/2016/05/identity-and-access-management-challenges-with-your-saas-apps/
15
Sangeeth Reddy Arepally
11660914