Privacy, security and ethical reflection


Cloud Privacy and Security

Charles Sturt University

Assessment Item 3

Privacy and Data Protection

Student names and student IDs:

Sangeeth Reddy Arepally – 11660914

Akshay Kumar Aleti – 1626230

Sri Sanka Kathaluwa Liyanage – 11639785

Uma Hiriyannaiah Prema – 11634685

Subject Code: ITC568

Professor: Dr. Purvi Mehta

Table of Contents

1. Introduction (Sangeeth Reddy Arepally)
2. Privacy Strategy for Personal Data
   a. Management of personal information (Sangeeth Reddy Arepally)
   b. Collection and management of solicited personal information (Sangeeth Reddy Arepally)
   c. Use and disclosure of personal information (Uma Hiriyannaiah Prema)
   d. Use and security of digital identities (Sri Sanka Kathaluwa Liyanage)
   e. Security of Personal Information (Uma Hiriyannaiah Prema)
   f. Access to Personal Information (Akshay Kumar Aleti)
   g. Quality and correction of personal information (Akshay Kumar Aleti)
3. Mitigating identified security risks and privacy risks (Akshay Kumar Aleti) (Sri Sanka Kathaluwa Liyanage)
   a. Mitigation for privacy Risks (Akshay Kumar Aleti)
   b. Implementation of Privacy Strategy (Sri Sanka Kathaluwa Liyanage)
4. Data Protection Strategy (Uma Hiriyannaiah Prema) (Sangeeth Reddy Arepally)
   1. Initial constraints for the strategy (Sangeeth Reddy Arepally)
      - Backing up and recovering
      - Dynamic storage
      - Data and Information Lifecycle Management
   2. Following the Holistic approach (Uma Hiriyannaiah Prema)
      - Technology
      - People
      - Process
   3. Strategic Safeguarding (Sangeeth Reddy Arepally)
      - Administrative safeguarding
   4. Technical safeguarding (Uma Hiriyannaiah Prema)
      - De-identification
      - Data encryption
      - User and employee authentication (Akshay Kumar Aleti)
5. Conclusion (Uma Hiriyannaiah Prema)
6. Appendix – Team Discussion
7. Bibliography

1. Introduction (Sangeeth Reddy Arepally)

Cloud computing is a state-of-the-art technology that is in demand for its flexibility and ease of access. It is known for delivering services over the internet through its service models (PaaS, IaaS, SaaS). The goal is to enable access to the various computing services in a way that keeps out illegal access. Aware of the benefits of cloud computing, the charity has come up with a plan to make its services accessible to its members on a cloud platform only. However, privacy strategies still need to be implemented to assure security. The recommended plan is to ensure the privacy of the personal data of the charity's members by taking several steps while moving the data onto the cloud platform. The data is crucial, so its protection has to be strong. The purpose of using cloud computing is to make applications available to each member of the community and to give administrators easy access as well. The biggest concern is that the security of the sensitive data could be compromised. Hence, the proposal is to improve the accessibility of applications through cloud computing while making sure that the charity's private data is never interfered with by illegal access. The purpose of this paper is to design a privacy strategy for the charity to process applications on a cloud platform, with data safety as the main focus.

2. Privacy Strategy for Personal Data

a. Management of personal information (Sangeeth Reddy Arepally)

Cloud computing platforms offer immense benefits: ease of access, flexibility, large amounts of information available in one location, efficiency and reduced cost. However, this does not mean that no harm can come to the information stored on a cloud server. Maintaining personal information is crucial when relying on cloud computing and a hosting provider for services. The question that arises is how the data can be kept safe on cloud servers. This section looks at the methods that can help maintain the sensitive data of the charity's members stored in the cloud.

The first step in maintaining information is to analyze and identify the risks associated with data security (NAA, 2018). This must be done before making any deal with a cloud provider, who is responsible for providing all the accessible operations. The integrity of the data needs to be safeguarded, especially given the kind of information stored, such as the personal details of charity members. Users can easily access their personal information saved on the cloud, and no expert knowledge is required to do so. The major benefit of transferring information to cloud servers is that costs are reduced by using the shared resources of cloud computing (Thomas, 2009). All of the information stored on the cloud server can be accessed effortlessly, irrespective of the time and place of the users (Guilloteau, Orange, & Mauree, 2012). In the case of the charity, for example, the software distribution is targeted at different locations, while the processing is done from other, distinct places.

Whatever location the data is accessed from, it is the security of personal information that is targeted the most, especially where the data is stored. Personal information can be managed efficiently by verifying the details of the provider behind the cloud application services. For example, SaaS relies on third-party vendors and the internet to deliver services (Deyo, 2018). By making sure that the third party's details are correct and that it is trustworthy, the charity can trust the cloud services provider enough to go ahead with agreements and deals. For example, the charity has formed an agreement with a US-based company that will provide cloud computing services as SaaS. However, all data configuration and maintenance operations will be managed from Bangalore. This means that verification must be carried out before proceeding with the other operations involved in a deal.

b. Collection and management of solicited personal information (Sangeeth Reddy Arepally)

Efficient collection and management of personal data on a cloud platform is crucial to maintaining the security of the stored information. It should be done in a way that does not compromise privacy. Personal information should be managed through an open and transparent process rather than by hiding the details. The personal information of charity members can be collected under the cloud computing model in a way that enables anonymity and pseudonymity (Google Cloud and Australian Privacy Principles, 2018). Privacy can be assured by gathering solicited personal information from the users connected to the charity. Notifications could be approved to inform data users about the data collection process. The privacy guidelines also cover how to deal with personal information that is collected unsolicited (Collection of solicited personal information, 2018).

Solicited personal information can be collected as an individual's response to a request that asks for the person's confidential details. It can also come from another entity that provides the personal details of data users in order to share information between the entities. Other forms of solicited information include a completed application form, or applications that ask for the credentials of the data users (Collection of solicited personal information, 2018).
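As an added illustration of the pseudonymity mentioned in this section (it is not part of the original assignment), the sketch below splits a solicited member record into a pseudonymous part for the cloud provider and a link record that stays with the charity. The field names, the `M-000123` ID format and the key are assumptions made for the example.

```python
import hashlib
import hmac

# Assumed schema: fields that identify a member directly and stay with the charity.
DIRECT_IDENTIFIERS = ("member_id", "name", "email", "phone")

# Constructed demo key; a real key would be generated randomly and kept by the charity only.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample of a solicited record (for example, a completed application form).
SAMPLE_RECORD = {
    "member_id": "M-000123",
    "name": "Constructed Person",
    "email": "person@example.org",
    "phone": "+61 400 000 000",
    "support_category": "housing",
}


def unkeyed_pseudonym(member_id):
    """Weak form: a plain hash of the ID, which anyone can recompute."""
    return hashlib.sha256(member_id.encode("utf-8")).hexdigest()


def keyed_pseudonym(member_id, key):
    """Stronger form: HMAC-SHA256, stable per member but useless without the key."""
    return hmac.new(key, member_id.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record, key):
    """Return (cloud_record, link_record).

    cloud_record carries no direct identifiers, only the pseudonym "pid";
    link_record maps the pseudonym back to the member and is kept locally.
    """
    pid = keyed_pseudonym(record["member_id"], key)
    cloud = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    cloud["pid"] = pid
    link = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    link["pid"] = pid
    return cloud, link


def recomputable_without_key(pid, candidate_ids):
    """Audit check: True if pid is just the plain hash of an ID from a guessable range."""
    return any(hmac.compare_digest(pid, unkeyed_pseudonym(c)) for c in candidate_ids)


if __name__ == "__main__":
    cloud, link = split_record(SAMPLE_RECORD, DEMO_KEY)
    id_space = [f"M-{i:06d}" for i in range(1000)]  # constructed, small on purpose
    print("sent to cloud:", cloud)
    print("kept locally: ", link)
    print("plain hash recomputable:", recomputable_without_key(
        unkeyed_pseudonym("M-000123"), id_space))
    print("keyed pid recomputable: ", recomputable_without_key(cloud["pid"], id_space))
```

Remaining fields such as `support_category` can still narrow down a person in a small membership, so the cloud-side record should carry only what the service needs.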

c. Use and disclosure of personal information (Uma Hiriyannaiah Prema)

Moving all data to the cloud to improve services sometimes requires third parties to assist with the services. The internet or software acts as the medium for communication between processes and, finally, for the delivery of services. Privacy policies can be established that determine what kind of personal information is required when transferring data onto the cloud platform. Along with this, the arrangements for disclosing personal information must be made clear to the data users to assure privacy. The guidelines of the privacy policy allow disclosure of personal information to outside parties only if it is demanded under government legal proceedings (Cloud computing and privacy, 2014). Personal information must not be used in a way that would let illegal access disrupt the whole of the data processing.

Members of the charity can be granted access to their personal information only on a service-request basis, rather than simply being given a view into the stored data, which hackers could easily compromise. At the same time, they could be allowed to access their personal information to make the modifications they require. It is more the cloud provider's responsibility than the company's to assure that services are delivered correctly and that confidential data stays private while users can access the information at any time of the day. The cloud provider or the assisting third parties must develop an established set of measures or guidelines to make sure that unauthorized access does not interfere with the stored data (Cloud computing and privacy, 2014). Personal information needs to be secured against misuse, loss or modification, thereby avoiding possible data breaches in the future. The personal information stored in the cloud database must be updated from time to time (Gadia, 2016). The cloud provider may adopt measures to delete existing users' information once its purpose has been considered. Information that is no longer needed can be easily deleted or modified (Gadia, 2016).

Since the charity's important data is being moved onto the cloud computing platform for better accessibility, contractual agreements with the provider must be signed before handing charge of the sensitive data to third parties (Cloud computing and privacy, 2014). The charity must be aware of the laws of the country it resides in, so that if a data breach occurs it can seek help on the basis of national security and law enforcement.

d. Use and security of digital identities (Sri Sanka Kathaluwa Liyanage)

Digital identities allow interactions that would otherwise take place face to face to happen without the need for physical presence. They play a vital role in the digital era, where communication can take place instantly regardless of the time and location of the users (Benkoel-Adechy, 2012). Cloud computing offers a perfect platform for this, since access to data from any location is its ultimate benefit.

The charity is planning to enable digital identities for all its members so that data users can access the dedicated set of services made available on the cloud. Using digital identities can also help improve the privacy of confidential data (Benkoel-Adechy, 2012). This is because sensitive data in the digital era cannot be protected merely by building walls around it; more secure mechanisms are needed to avoid misuse of the data. With digital identities, only authorized users will be able to access data and complete transactions, and illegal access is restricted.

Digital identities can take the form of a password or email address that people own on a digital platform as a token of their unique identification. The data is stored in electronic format and makes use of biometric and biographic data that distinguishes the person from unauthorized users on digital media (Wladawsky-Berger, 2016). Trusted digital identities can be created only by verifying the authenticity of the registered users. There is no doubt that fake identities can be built within a fraction of a second. From a security point of view, however, evaluating the authenticity of trusted users must be part of the cloud provider's responsibilities. Documents or IDs may be verified before a user is approved as trusted (Wladawsky-Berger, 2016). This may take the form of verification with the government or third parties, in which the user's credit details, phone and other credentials are checked in advance. Technology has been the main driving force behind the need to create digital identities for the security and privacy of personal information. Moreover, digital identities give users convenient access to services once these move to a cloud platform. They also answer the growing demand for trust and security on a digital platform.

Integrating digital identities into cloud computing has strengthened the service delivery benefits available on a cloud platform. Access to data stored in the cloud database is not open to everyone; it is restricted by digital identities that are unique to every person. In this way security can still be assured. For more advanced privacy, policies can be developed and used in the design of the technical structure so that illegal access cannot interfere with the stored data (Digital Identity and Privacy, 2017). User control and privacy mechanisms can be made the top priority of the technical design without compromising the need to include all the essential functionality. Examples of such user controls are keeping disclosure of information to the minimum, validating the identities of users first with various authentication schemes, and creating distinct identities for users to avoid data being shared with unauthorized users (Digital Identity and Privacy, 2017).

Such systems can be designed so that vulnerability is reduced to the minimum. Data storage is maintained in such a way that illegal access from outside cannot interfere with the data. Furthermore, cryptographic capabilities can be built into the proposed systems as functionality, so that layered control checks and other means of privacy verification can be integrated easily (Digital Identity and Privacy, 2017).

e. Security of Personal Information (Uma Hiriyannaiah Prema)

The security of personal information can be assured by verifying the details of the subcontractors connected to the cloud service providers (Cloud Computing, 2015). These subcontractors are responsible for maintaining the processing of the stored data. There is a chance that the subcontractors will not work efficiently in delivering the cloud services, or that they will form loose agreements with other subcontractors to take care of customer needs. It is therefore better for the charity to have full knowledge of, and access to, the details of the subcontractors, so that the needs and objectives of the charity are fulfilled. All legal measures must also be taken care of while assuring the privacy of personal data. The arrangements of the data providers must be explained to the charity so that security is never compromised when the goal is to improve services. The charity should have signed a contractual agreement with the cloud provider or other subcontractors ensuring that all legal formalities are taken care of (Cloud Computing, 2015). The respective cloud providers and other subcontractors must assure the protection of the information stored on the cloud servers, in terms of both administrative and technical data, along with the various compliance controls.

Not all cloud providers offer standardized services to their customers. This is one of the factors that put the security of data stored in the cloud database at risk. Services provided without conforming to standard rules and to the contractual documents do not assure protection of the personal data of the data users. It is the charity's responsibility to check in advance whether the cloud provider works under the standardized rules, so that the charity's security, data protection and privacy needs are met. Failing to do so may ultimately lead to compromised security and to data breaches or interference with the stored personal data.

Cloud computing is operated using one of three models: PaaS, IaaS or SaaS. While the PaaS and IaaS models help companies stay informed of the various processes of cloud computing by giving users full control of their businesses, the SaaS model uses software to assist in the delivery of services (Bernheim, 2018). This means that data users have to rely on the cloud providers for the services, which calls for a stronger form of security. Given the charity's objective of offering a number of services to its members, using the SaaS model will put the security of the data at risk. Choosing a private cloud provider instead of a shared one helps to gain more control over the services. Alternatively, shared cloud platforms require users to identify risks in advance and to incorporate ways to address them (Cloud Computing, 2015).

f. Access to Personal Information (Akshay Kumar Aleti)

Access to personal information can be guarded by digital identities and other privacy control mechanisms such as cryptography, various encryption and decryption techniques, layered access controls, privacy checks and user controls (Sharma & Trivedi, 2014). Only valid users are allowed to access the information stored on the cloud platform. The charity's purpose in shifting all its data onto the cloud platform is better access. However, it does question the privacy of the data; the security of the data, especially where third parties assist, is its major concern. Integrating a set of privacy measures could remove the doubts the charity has about the protection of the data. Illegal access can only be controlled by verifying user credentials and then granting permission to access the data (Rouse, 2018). The processing of the services will be handled at locations different from that of the software handling. The benefit of moving to an advanced technology platform, that is, cloud computing, is that access to data is not restricted by location or time. Accessing information thus becomes easier, with assured security features. Digital signatures are also among the measures that can control access to the user's stored data on the cloud platform. Personally identifiable information (PII) helps to identify unique users by means of identification numbers (Rouse, 2018). Access to the services is automatically restricted for invalid users. Faking information is not easy on a cloud platform. However, hackers could still try to modify the stored information in an attempt to ruin a company's data. For example, as the charity is planning to keep all of its data on a cloud platform, any illegal access could disrupt the data and result in a loss. Thus, privacy needs to be integrated into the technical organization or design of the systems to prevent possible harm in the future.

g. Quality and correction of personal information (Akshay Kumar Aleti)

The quality of the personal information stored in the database is assured of its integrity because the cloud system works in an organized format to make data easily accessible to users. Many restrictions have been placed on the cloud processing of services. Initially, a user has to validate his or her credentials before requesting cloud services. After the login credentials, the server asks users for further authentication, based on which other permissions are granted. Any information that is no longer useful is deleted at the cloud end, and only the essential information is kept for future use. Unauthorized users are not allowed to access other users' data. Similarly, modifications to personal information require verification of the user's identity in order to protect the privacy of the data. The functionality of cloud computing is designed to deny access to the data to those who fail to present valid user credentials. Correction can only be maintained provided the user has earned the trust of the cloud platform. Cloud platforms have left a lasting influence on the lives of technical users, who can access information instantly at any time of the day. There is no longer any need to appear physically in front of a server to use services. The quality of the data is maintained accurately on the cloud servers by means of various cryptography, encryption, decryption and authentication control techniques (Sharma & Trivedi, 2014). The data is stored in digital formats, in which a unique digital identity is used for each individual to access the stored data.

3. Mitigating identified security risks and privacy risks (Akshay Kumar Aleti) (Sri Sanka Kathaluwa Liyanage)

In cloud computing infrastructure it becomes pivotal to deal with threats such as breaches, data loss, traffic hijacking, malicious insiders, shared technology, unavailability and reliability issues. Users must therefore be prohibited from sharing account credentials, even if business partners are trustworthy. The charity must also deploy a single sign-on mechanism so that there are fewer accounts to manage, making them less likely to be tracked (Graciolli, 2015). Regular auditing is a must when the cloud is used. Security can be strengthened with end-to-end encryption. In-house software must not be outdated. To deal with malicious insiders, the company must deploy logging and reporting modules to keep track of important information. User access to sensitive data must also be restricted (Graciolli, 2015). If any abnormal or unwanted behaviour is identified, the company must immediately block the access. Monitoring and auditing of sensitive data is key to mitigating insider threats. The charity can also create a mapping to recognize the zones that contain critical information (Graciolli, 2015). Duties must be distributed fairly.
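The logging, zone mapping and blocking described above can be combined in a small audit routine; the following is an added example, not part of the original assignment. The log format, zone names, roles and the ten-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed mapping of zones that hold critical information to the roles allowed in them.
SENSITIVE_ZONES = {
    "member-pii": {"caseworker", "privacy-officer"},
    "payments": {"finance"},
}
# Constructed account directory; an account missing here has no role and is never allowed.
ROLES = {"alice": "caseworker", "bob": "volunteer", "carol": "finance"}

# Constructed sample log: timestamp, account, source address, zone, action.
SAMPLE_LOG = """\
2018-09-03T09:00:12 alice 10.0.1.15 member-pii read
2018-09-03T09:02:40 bob 10.0.1.22 newsletter read
2018-09-03T09:03:05 alice 203.0.113.9 member-pii read
2018-09-03T09:10:44 bob 10.0.1.22 member-pii export
2018-09-03T11:30:00 carol 10.0.1.30 payments read
2018-09-03T15:45:10 carol 10.0.2.8 payments read
"""


class Event(NamedTuple):
    time: datetime
    account: str
    source: str
    zone: str
    action: str


def parse(log):
    """Parse log text into Events sorted by time; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, source, zone, action = parts
        events.append(Event(datetime.fromisoformat(ts), account, source, zone, action))
    return sorted(events, key=lambda e: e.time)


def audit(events, window=timedelta(minutes=10)):
    """Return findings as (account, rule, detail) tuples.

    unauthorised-zone: the account's role is not allowed in a sensitive zone.
    possible-shared-credentials: one account seen from two different source
    addresses within `window`, which is what credential sharing looks like in a log.
    """
    findings = []
    last_seen = {}  # account -> most recent Event
    for ev in events:
        allowed = SENSITIVE_ZONES.get(ev.zone)
        if allowed is not None and ROLES.get(ev.account) not in allowed:
            findings.append((ev.account, "unauthorised-zone", ev.zone))
        prev = last_seen.get(ev.account)
        if prev and prev.source != ev.source and ev.time - prev.time <= window:
            findings.append((ev.account, "possible-shared-credentials",
                             f"{prev.source} -> {ev.source}"))
        last_seen[ev.account] = ev
    return findings


def accounts_to_block(findings):
    """Accounts whose access should be suspended pending review."""
    return sorted({account for account, _rule, _detail in findings})


if __name__ == "__main__":
    results = audit(parse(SAMPLE_LOG))
    for finding in results:
        print(finding)
    print("block:", accounts_to_block(results))
```

A change of source address can also be a legitimate network switch, so the second rule marks an account for review rather than proving that credentials were shared.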

a. Mitigation for privacy Risks (Akshay Kumar Aleti)

The recommended way to assure privacy in cloud computing is to incorporate various control measures that protect the privacy of the data. The first and most essential step in controlling privacy on a cloud platform is the use of authentication and authorization schemes (Cohen, Baudoin, & Dotson, 2015). Authentication controls check the credentials of users before they log in to access data. The idea is to prevent unauthorized users from accessing the data. Classification of the credentials is one step towards integrating authorization controls, in which a unique ID or reference number is given to each individual separately to access their private data (Gholami & Laure, 2015). Identifying accurate requirements and evaluating the various deployment models is pivotal. A design model needs to be integrated into the systems that can validate two-factor authentication at both the client and the server side (Gholami & Laure, 2015). Potential security threats can be identified in advance as part of the evaluation schemes.

The organization must be prepared for cyberattacks such as ransomware. It therefore needs good internal practices such as creating stronger passwords, securing the channels of data transfer, and regularly evaluating the software interfaces for vulnerabilities. Web filters must be used to block infected websites. In-depth inspection of network traffic is pivotal for monitoring and detecting suspicious activity. Authentication can also be verified under the SaaS model, which can be used to verify customers who are mobile friendly and connected to the cloud applications of the IaaS model. The controls are implemented at the middleware layer to deal with authentication in real time (Gholami & Laure, 2015). No invalid users are allowed to access the data without prior permission. The authentication systems work at the very first step, where invalid credentials are denied any view of the data. HTTP traffic is also kept to a minimum with this type of middleware-layer verification (Gholami & Laure, 2015). Amazon S3 is the best example in this category, where mobile consumption of data is managed on IaaS clouds.

Public key infrastructure (PKI) is another mechanism, in the form of certification, that protects the privacy of the data by taking care of user authentication (Gholami & Laure, 2015). Command line interfaces can also be used for added security. Some companies rely on mapping measures, such as using locally existing credentials to authorize users on other cloud providers once trust has been gained with the existing cloud services. The charity can look at the privacy measures discussed here to implement controls on the cloud servers for better security. The privacy of the data is automatically assured.

There are also collaborative mechanisms, which reflect the accessibility of centralized facilities and the outsourcing of trust. These services are counted under authorization as a service, in which a multitenancy authorization system is employed to verify user credentials in addition to offering administrative controls.

Cryptography-based access control measures can also be implemented to restrict access by unauthorized users. Some studies have shown that a user-centric approach can also be used to allow access at the platform level (Gholami & Laure, 2015). Another important privacy control measure is identity and access management. As described earlier, creating digital identities is one effective method of assuring the privacy of the data. A federal integrated identity management system could be incorporated into the design of cloud computing systems (Wladawsky-Berger, 2016). For this to work efficiently, the user has to maintain an effective relationship under the SaaS model domains, with the benefit that SaaS users can easily access and share resources on a SaaS cloud platform (Gholami & Laure, 2015).

The functioning is different in a PaaS domain, where an interceptor manages the user's requests by acting as a proxy server. The user's requests are processed from this domain. The interceptor works by accessing the secure token service (STS) and using the WS-Trust specification (Gholami & Laure, 2015).

Identity-based encryption techniques and identity-based signatures are an advanced form of identity validation control that allows only registered and trusted users to access the information stored on the cloud computing platform (Zaffer, 2015). The identity-based hierarchical model used in the structure of cloud computing is the main foundation of the idea proposed for implementing identity-based authentication.

Trusted cloud computing platforms are another mechanism for controlling the privacy of the data stored in the cloud database. The IaaS model functions as a single model in trusted cloud computing platforms. A monitor is operated under the name of the trusted virtual machine to protect the virtual machines (Miller, 2018). The components in the cloud manager are responsible for giving users access to the personal information stored in the database.

Other privacy controls the charity could employ are deterrent, preventive and detective controls. Deterrent controls aim to reduce hackers' attempts to disrupt and modify data stored in the database (Mahesh, 2016). Potential attackers are identified in advance and the threat level is reduced. Immediate measures can be implemented to assure protection.

b. Implementation of Privacy Strategy (Sri Sanka Kathaluwa Liyanage)

Preventive control measures are the measures that the charity can integrate at the initial step to protect the data stored on the cloud platform. The objective is to eliminate completely, or to reduce, any vulnerabilities existing in the cloud database. Implementing preventive control measures gives a chance of reducing them. Measures such as strong authentication and identity management can keep unauthorized cloud users from accessing the data of other users (Mahesh, 2016).

Then there are detective control measures, in which potential future incidents can be detected in advance by using detection strategies. Detective control measures indicate the actions that need to be controlled to avoid misuse of the data in the future. Intrusion detection systems can be used to monitor systems and their performance so that measures can be put in place in advance to avoid a data breach (Sharma & Trivedi, 2014). Intrusion detection systems are employed specifically to predict attacks on cloud systems. The communication infrastructure is also evaluated when detecting probable attacks.

There are also corrective measures, which the charity could implement for enhanced services and benefits. The idea is to reduce the potential damage. System restores and backups are the methods employed as corrective measures (Rajegore & Kadam, 2017). These measures come into play when the system has been damaged after some small incident has occurred on the cloud servers.

The physical security of the cloud servers can be taken care of by the cloud server providers, who protect the IT hardware infrastructure and the software needs. The idea is to prevent unauthorized users from gaining access to the confidential data stored in the database. The possibility of the data being distorted is minimized. The objective is accomplished by using various applications that help protect the physical security of the cloud database.

Privacy of the data can be assured primarily by using encryption techniques. The security of the data, however, is maintained by ensuring data confidentiality, data access controllability and, lastly, data integrity. Data integrity assures that the data is stored in an accurate format and is complete. Confidentiality of the data is maintained by using identity control schemes. The data integrity factor makes the cloud provider responsible for deleting unused, illegal and modified data (Mahesh, 2016). On finding such data, the cloud provider must be able to suggest ways to eradicate the invalid data.

Many laws have now been implemented to protect data, especially data stored on cloud platforms. Technology is blooming, and so are its benefits. Advanced functionality is regularly added to cloud computing platforms to improve the privacy of the stored data (Palmer, 2018). These techniques can help data users protect their data at an advanced level.

It must be the responsibility of the technical staff of the charity to explain to the members how to use the cloud services correctly and how creating digital identities can help secure the personal data. Moreover, there is a need to verify the details of the third parties and the cloud providers so that only trusted partnerships are built with them for the storage of the data (Mahesh, 2016). The functionalities of the SaaS, IaaS and PaaS models must be understood well in advance, with the help of experts, so that no lack of knowledge could ever hinder the privacy of the stored data. Security is the concern here and the ultimate goal to be accomplished.

The charity must take a multi-layered approach when it comes to the security triad. Personal data protection can only be guided by making use of authorization controls, which cover restricting illegal access, identifying users with the help of digital identities, and other authorization controls employed specifically for the SaaS, PaaS and IaaS models. Personally identifiable information (PII) is the ultimate feature which helps track users based on their unique identities, following which permissions can be granted to each user to allow access to the data (Rouse, 2018). Besides this, multilayered controls, encryption techniques, digital signatures etc. act as the essential measures to control the privacy of the data.

Digital identities have a major role to play in restricting unauthorized users from accessing the contents of the database (Wladawsky-Berger, 2016). Security controls can be implemented in the architectural design of the cloud computing platforms so as to keep illegal users from gaining access to the database. Cloud computing is already a secured system with multi-factor authentication techniques to verify users. However, security can sometimes be compromised by the malicious attention of hackers, which increases the chances of personal information being stolen or lost. Hence, protecting personal information demands privacy strategies for the protection of the personal data. The schemes discussed above can be easily integrated both at the charity level and at the cloud provider level. The charity needs to verify the details of the cloud provider and must be sure of the trustworthy relationship it has with the providers. The providers, on the other hand, are responsible for providing security for the personal and sensitive data. This can be implemented by using various control measures such as intrusion detection and prevention, monitoring tools, encryption, honey pot defence, firewalls etc. (Guilloteau, Orange, & Mauree, 2012). Critical data can be taken offline and companies must establish stringent terms of use.

4. Data Protection Strategy (Uma Hiriyannaiah Prema) (Sangeeth Reddy Arepally)

While addressing the security domain in a cloud environment, it is essential to carefully consider the assets involved in the acquisition, storage and retrieval of data. The community-based charity adopting newer technologies must adopt data protection strategies so that the confidential information and identities of the related people are not compromised. The information arena is always subject to threats, and for a charitable organization (where a good amount of confidential data dwells) it becomes important to adhere to data protection services. Ultimately, an organization should be able to recognize the sensitive nature of its data, maximize the amount of transparency regarding confidential information and implement security policies (Kaplan, Rezek, & Sprague, 2013).

With the inception of cloud computing, a major portion of the industry has benefited from the services rendered online. Cloud storage is economically better and offers good backup strategies at every level. Data management is well facilitated and applications are monitored on each and every operational device. However, the threat that prevails over the front end cannot be ruled out. A security strategy is required to enforce policies that keep threats from diffusing into the private portions. Although various cloud-associated phenomena like server redundancy and fault tolerance work in favour of maintaining integrity, they are not enough to guide the entire cloud-implemented network (Mowbray & Pearson, 2012). A revised plan for data authenticity should be maintained by the organization.

1. Initial constraints for the strategy (Sangeeth Reddy Arepally)

· Backing up and recovering

The word 'redundancy' carries major importance in the domains of information technology, data communication and networking. Maintaining several copies of the data that is integral to the organization’s interest is the way to go (Petrocelli, 2015). Although the process requires a good amount of storage, it pays off when data is damaged or lost. The charity needs to be prepared for such situations and hence should deploy an effective backup and recovery facility. It gives the organization flexibility about what data to protect and how long to protect it (Petrocelli, 2015).

· Dynamic storage

A strategy will only survive as long as the data exists. The data should be moved to a storage location outside the primary one so that it does not fall prey to attacks and other physical damage. It is imperative to duplicate data between systems with techniques such as remote replication.

· Data and Information Lifecycle Management

It incorporates the above two points and also attaches value and protection to the various information assets. Critical data can be placed on a read-only storage system so that it is not subject to alteration (Petrocelli, 2015). Stringent policies must be devised for automating information management.

2. Following the Holistic approach (Uma Hiriyannaiah Prema)

The holistic approach to data security makes sure that all the attributes pertaining to the organization are involved in the management activities in one way or another. These attributes encompass the technology in practice, the people involved and the process itself. The method ensures that all the groups work together to attain a single goal, thereby making data integrity the highest-priority factor.

· Technology

The data is stored in the cloud as soon as it enters the domain of the organization. The data goes through various interactions and passes into distinct application systems. It enters from various paths: a lot of it arrives through websites, while call recordings and payment gateways make up a good amount. The data residing in the payment gateways is the responsibility of the contact server. It is important for the organization to opt for the best contact servers because of the consequences associated with any kind of failure (Palmer, 2018). Considering the nature of the organization (i.e. a charity), payment data is frequent and needs security at every level of its movement. At times the call recordings require regular muting when confidential data like credit card information is exchanged (Palmer, 2018). This will involve an agent who will initiate the muting.

· People

The environment has transformed itself into a virtualised arena where human effort is not often addressed. However, assigning a skilful team to guard the data is quite effective. These people can be taught about the implications and constraints associated with different operations (Gadia, 2016). For example, they can be told not to share any information regarding the donations with each other. They have to maintain their own accounts in which they record their day-to-day proceedings. In this way, an organization can effectively analyse data whose integrity and availability are one hundred per cent intact. Moreover, a job description like the one in the above example would not create a fuss, as only a limited and appropriate number of people will be aware of the integrality of the confidential data. In conclusion, this technique is quite effective; however, it is prone to human error.

· Process

This heading introduces the security policies. Setting protection protocols is essential. These protocols depend on the work methods of the organization. For a charitable organization, the protocols will define the call recording, online access and authorization policies.

· Calls relating to payments should not be introduced to interns. Only regular and experienced members of the organization should have access to these types of calls. Furthermore, these calls should not be included in the training domain.

· The employees should only have access to their respective portals (Palmer, 2018). These portals are to be defined by their departments. Any breach into a foreign portal would lead to immediate action against the perpetrator.

· Regular monitoring of the systems and people is essential for limiting the threat imposed by attacks like DoS (Denial of Service). These attacks let the intruders access the integral data and deny the rightful owner access to the information (Palmer, 2018).

· During the online sharing of confidential information, screen masking should be able to make sure that the non-sharable data is well preserved (Palmer, 2018). This will add an additional layer of data security and will enhance the user experience.

3. Strategic Safeguarding (Sangeeth Reddy Arepally)

· Administrative safeguarding

· Risk analysis and management

Risk analysis is essential for the conventional implementation of a strategy. Every model in the domain of software recognizes the importance of this factor. For this particular organization, risk analysis can be implemented through certain tools. Some of them are:

· Knowledge of application archive: Classification and segregation of data are necessary (How to Secure Private Data Stored and Accessed in the Cloud, 2018). This can only be achieved when there is good knowledge of the data present in the cloud. For data amounting to around 200TB, a team needs to be deployed to the work office.

· Cloud risk analysis report: Mentioning the risks associated with the operation with remedies pertaining to the nature of the organization.

· Risk Prioritization: Measuring the impact and accordingly taking action to reduce the extent of the risk (Gadia, 2016).

· Access restriction

As mentioned above, access restriction is important for preventing attacks like DoS as well as for preserving confidentiality. The cloud's access restriction can be linked with IP addresses. The organization will need to manage the IP addresses over the network. This is done primarily to ensure that no external party interferes with the confidential data. Integrating with Cloud Access Security Brokers (CASB) is a fine option, considering that they act as a bridge between the enterprise and its security (How to Secure Private Data Stored and Accessed in the Cloud, 2018). They render a clean environment on the cloud, leaving no room for unwanted access requests. Access revocation is a measure that is generally practised. It involves putting the brakes on access for those people who have either ended the program or do not deserve any further access (How to Secure Private Data Stored and Accessed in the Cloud, 2018).
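The access decision described above (source IP allowlisting combined with access revocation) can be sketched as follows. This is an added example, not part of the original report; the user names, dates and networks are constructed, and the address ranges are documentation ranges standing in for the charity's real ones.

```python
import ipaddress
from datetime import date

# Constructed allowlist: documentation ranges stand in for the charity's networks.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed directory: end of program (None = ongoing) and explicit revocation.
USERS = {
    "staff01": {"access_ends": None, "revoked": False},
    "intern07": {"access_ends": date(2018, 6, 30), "revoked": False},
    "vol22": {"access_ends": None, "revoked": True},
}
TODAY = date(2018, 8, 1)  # constructed evaluation date


def decide(user, source_ip, today=TODAY):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    account = USERS.get(user)
    if account is None:
        return False, "unknown user"
    if account["revoked"]:
        return False, "access revoked"
    ends = account["access_ends"]
    if ends is not None and today > ends:
        return False, "program ended"
    try:
        # source_ip must come from the connection itself, not a client-set header.
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed source address"
    # On a dual-stack listener an IPv4 client can show up as ::ffff:a.b.c.d.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "source address not allowlisted"
    return True, "ok"


def review(requests, today=TODAY):
    """Evaluate (user, source_ip) pairs and return only the denied ones."""
    denied = []
    for user, source_ip in requests:
        allowed, reason = decide(user, source_ip, today)
        if not allowed:
            denied.append((user, source_ip, reason))
    return denied


if __name__ == "__main__":
    sample = [("staff01", "203.0.113.25"), ("staff01", "198.51.100.7"),
              ("intern07", "203.0.113.40"), ("vol22", "203.0.113.41")]
    for row in review(sample):
        print(row)
```

Revocation and program end are checked before the network test, so a revoked account is refused even from an allowlisted address.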

4. Technical safeguarding (Uma Hiriyannaiah Prema)

· De-identification

It is popular but at the same time difficult to implement. De-identification is the process by which a person's identity is kept hidden so as to secure it from external parties. Hiding the identity requires separating a person's identity from the information. De-identification promotes anonymity and is a perfect technique for the charity's cloud security. It involves masking particular attributes and deleting them. Often, this technique fails when someone re-identifies the identity. In that case, the effectiveness of the de-identification is brought under review and the algorithms are re-formulated (How to Secure Private Data Stored and Accessed in the Cloud, 2018). Re-identification is a result of improperly de-identified data assets. In conclusion, de-identification is a very fruitful process when there are a lot of people connected to the organization.
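The masking, deletion and re-identification check described above can be worked through on a small dataset. This is an added example, not part of the original report; the donor records, field names and key are constructed, and k-anonymity is used here as one common way to measure how re-identifiable the masked data still is.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real donors).
DONORS = [
    {"name": "Donor One", "email": "one@example.org", "phone": "0400 000 001",
     "postcode": "2650", "birth_year": 1984, "donation": 50},
    {"name": "Donor Two", "email": "two@example.org", "phone": "0400 000 002",
     "postcode": "2641", "birth_year": 1987, "donation": 20},
    {"name": "Donor Three", "email": "three@example.org", "phone": "0400 000 003",
     "postcode": "2678", "birth_year": 1981, "donation": 75},
    {"name": "Donor Four", "email": "four@example.org", "phone": "0400 000 004",
     "postcode": "2650", "birth_year": 1955, "donation": 500},
    {"name": "Donor Five", "email": "five@example.org", "phone": "0400 000 005",
     "postcode": "3000", "birth_year": 1992, "donation": 10},
    {"name": "Donor Six", "email": "six@example.org", "phone": "0400 000 006",
     "postcode": "3052", "birth_year": 1995, "donation": 15},
]
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key is stored apart from the data

DIRECT_IDENTIFIERS = ("name", "email", "phone")   # deleted outright
QUASI_IDENTIFIERS = ("postcode", "birth_decade")  # masked / generalised


def pseudonym(value, key):
    """Keyed token: links one donor's records without exposing the e-mail."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(record, key):
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["donor_token"] = pseudonym(record["email"], key)
    out["postcode"] = record["postcode"][:2] + "**"         # mask last digits
    out["birth_decade"] = out.pop("birth_year") // 10 * 10  # 1984 -> 1980
    return out


def group_sizes(records, quasi):
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values."""
    sizes = group_sizes(records, quasi)
    return min(sizes.values()) if sizes else 0


def suppress_small_groups(records, k, quasi=QUASI_IDENTIFIERS):
    """Withhold records whose group is smaller than k (still re-identifiable)."""
    sizes = group_sizes(records, quasi)
    return [r for r in records if sizes[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    masked = [de_identify(d, DEMO_KEY) for d in DONORS]
    print("names deleted only, k =", k_anonymity(DONORS, ("postcode", "birth_year")))
    print("after masking,      k =", k_anonymity(masked))
    released = suppress_small_groups(masked, k=2)
    print("after suppression,  k =", k_anonymity(released), "records:", len(released))
```

Deleting names alone leaves every record unique on postcode and birth year; even after masking, one donor remains alone in their group until that record is withheld.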

· Data encryption

Encrypting data has long been in practice. It involves the transformation of data into another format commonly known as cipher text. This newer format is only accessible through a key that is known as the decryption key. This key is only provided to the authorized users. The process is associated with various protocols, one of which is HTTPS (Hyper Text Transfer Protocol Secure), which involves the use of public and private keys. The decryption is not easy; however, hackers often manage to breach the security using reverse algorithms to decrypt the cipher text (Sharma & Trivedi, 2014). Various cloud-based services provide client-side encryption. AWS (Amazon Web Services) is a fine modern example of the same. Encryption algorithms are a must to validate confidentiality and integrity (Sharma & Trivedi, 2014).

· User and employee authentication (Akshay Kumar Aleti)

Considering the nature of the organization, both user and employee authentication would point towards almost the same technology. DaaS (Directory as a Service) has emerged as a successful candidate for cloud-based authentication (Keller, 2015). Authenticate, authorize and manage: that is the purpose of the central directory. DaaS is an initiative that came in with the innovation of JumpCloud and has been making fresh waves in the domain of cloud-based data protection and services (Keller, 2015). The process makes use of the concept of tunnelling, where the connection between two components on the same network is supported by a component on a foreign network. With the inception of DaaS, virtualisation has been promoted. Employees can work from anywhere, and thus this technology fits the charity organization entirely. Other authentication methods include deploying strong passwords at the first protection level. It is vital to have access control and scrutiny support, i.e. audit tools, for users to assess important issues like verification, implementation, protection etc. (Sharma & Trivedi, 2014). Users must make sure to deploy monitoring, prevention and defensive tools such as firewalls, packet filtering, router protection etc.

Fig. Implementing data protection strategy

Ultimately, a holistic approach suits the organization well for it encompasses each and every aspect from person to system to technology. The correlation renders the availability of various protection levels which means that there are multiple options that can monitor and prevent the mishaps. Furthermore, even if one aspect fails to deliver, the protocols and policies infused into the structure will ensure that the data integrity is preserved.

5. Conclusion (Uma Hiriyannaiah Prema)

The prevalence of data breaches has put a big question mark over the privacy issues of cloud computing. Although it provides a great number of benefits, security is still at risk for most of the users. The personal information of the users gets targeted the most, and hackers may attempt to ruin and modify the information. Hence, privacy strategies need to be implemented from the very first step to assure protection of the users' data. Many strategies have been discussed above that the charity can implement before proceeding with moving the data on to the cloud platforms.

6. Appendix – Team Discussion

Bibliography

Benkoel-Adechy, D. (2012). 5 forces driving Trusted Digital Identity. Retrieved from https://blog.gemalto.com/mobile/2018/02/22/5-forces-driving-trusted-digital-identity/

Bernheim, L. (2018). IaaS vs. PaaS vs. SaaS Cloud Models. Retrieved from https://www.hostingadvice.com/how-to/iaas-vs-paas-vs-saas/

Cloud Computing. (2015). Retrieved from https://www.pcpd.org.hk/english/resources_centre/publications/files/IL_cloud_e.pdf

Cloud computing and privacy. (2014). Retrieved from https://www.communications.gov.au/sites/g/files/net301/f/2014-112101-CLOUD-Consumer-factsheet.pdf

Cohen, E., Baudoin, C., & Dotson, C. (2015). Security for Cloud Computing. Retrieved from http://www.cloud-council.org/deliverables/CSCC-Security-for-Cloud-Computing-10-Steps-to-Ensure-Success.pdf

Collection of solicited personal information. (2018). Retrieved from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-3-app-3-collection-of-solicited-personal-information

Deyo, J. (2018). Software as a Service (SaaS). Retrieved from http://www.isy.vcu.edu/~jsutherl/Info658/SAAS-JER.pdf

Digital Identity and Privacy. (2017). Retrieved from https://www.omidyar.com/sites/default/files/file_archive/Digital_Identity_POV_Oct17.pdf

Gadia, S. (2016). How To Manage 5 Key Risks In Cloud Computing. Retrieved from https://www.forbes.com/sites/kpmg/2016/09/15/how-to-manage-5-key-risks-in-cloud-computing/#37ac9ce87542

Gholami, A., & Laure, E. (2015). Security and Privacy on sensitive data in cloud computing. Computer Science & Information Technology, 2015, 131-150.

Google Cloud and Australian Privacy Principles. (2018). Retrieved from https://cloud.google.com/files/GoogleCloud-AustralianPrivacyPrinciples.pdf

Graciolli, M. (2015). Ways to mitigate cloud computing risks. Retrieved from https://www.neweggbusiness.com/smartbuyer/over-easy/5-ways-mitigate-cloud-computing-risks/

Guilloteau, S., Orange, F., & Mauree, V. (2012). Privacy in Cloud Computing. Retrieved from https://www.itu.int/dms_pub/itu-t/oth/23/01/T23010000160001PDFE.pdf

How to Secure Private Data Stored and Accessed in the Cloud. (2018). Retrieved from https://digitalprinciples.org/resource/howto-secure-private-data-cloud/

Kaplan, J., Rezek, C., & Sprague, K. (2013). Protecting information in the cloud. Retrieved from https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/protecting-information-in-the-cloud

Keller, G. (2015). Cloud-based User Authentication. Retrieved from https://jumpcloud.com/blog/uncategorized/cloud-based-user-authentication/

Mahesh, B. (2016). Data security and security controls in cloud computing. International Journal of Advances in Electronics and Computer Science, 2016, 11-13.

Miller, J. (2018). SharePoint Cloud Solution Comparisons. Retrieved from http://summit7systems.com/downloads/S7S_SharePointCloudSolutionsComparison.pdf

Mowbray, M., & Pearson, S. (2012). Protecting personal information in cloud computing. Lecture Notes in Computer Science, 7566, 475-491.

NAA. (2018). Cloud computing and information management. Retrieved from http://www.naa.gov.au/information-management/managing-information-and-records/storing/cloud/index.aspx

Palmer, T. (2018). Ensuring data protection in the cloud. Retrieved from https://www.niceincontact.com/resources/ensuring_data_protection_in_the_cloud_whitepaper.pdf

Petrocelli, T. (2015). Five components of a data protection strategy. Retrieved from https://searchitchannel.techtarget.com/feature/Five-components-of-a-data-protection-strategy

Rajegore, P. B., & Kadam, S. G. (2017). Issues & solution of SaaS model in cloud computing. IOSR Journal of Computer Engineering, 1 (8), 40-44.

Rouse, M. (2018). Personally identifiable information. Retrieved from https://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information

Sharma, R., & Trivedi, R. K. (2014). Literature review: Cloud computing – security issues, solution and technologies. International Journal of Engineering Research, 3 (4), 221-225.

Thomas, D. (2009). Cloud Computing - Benefits and Challenges. Journal of Object Technology, 8 (3), 37-41.

Wladawsky-Berger, I. (2016). Digital Identity: The Key to Privacy and Security in the Digital World. Retrieved from http://ide.mit.edu/news-blog/blog/digital-identity-key-privacy-and-security-digital-world

Zaffer, T. (2015). Client-Side Encryption: The Latest Trend in Cloud Storage. Retrieved from http://dataconomy.com/client-side-encryption-the-latest-trend-in-cloud-storage/
