Question


The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department’s own data centres.

As a result of a change in Government policy, DAS is moving to a “Shared Services” approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). The result of this move will be that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into one of the DAS centralised databases. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.

Another Government policy mandates a “Cloud first” approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:

  • Purchase a HR and personnel management application from a US based company that provides a SaaS solution.
    • The application will provide DAS with a complete HR suite which will also include performance management. The application provider has advised that the company’s main database is located in a Cloud datacentre based in California in the United States, with a replica database located in a cloud datacentre in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider’s processing centre in Bangalore, India.
    • Employee data will be uploaded from DAS daily at 12:00 AEST. This will be initially transferred to Bangalore in India for processing before being loaded into the main provider database in California.
    • Employees will be able to access their HR and Performance Management information through a link placed on the DAS intranet. Each employee will use their internal agency digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by each agency’s Active Directory instance and is used for internal authentication and authorisation.
  • Move the DAS payroll to a COTS (Commercial Off The Shelf) application that it will manage in a public cloud;

Tasks

After your successful engagement to provide a security and privacy risk assessment for the DAS, you have again been engaged to consider some additional questions that DAS management has raised.

Prepare a presentation for DAS Management using the TRA you recently completed on the security and privacy of employee data. Your presentation is to show:

  1. Discuss how the operational solution using an SaaS application, and the location(s) of the SaaS provider for HR management may affect the security posture of DAS.
  2. Explain if either the operational solution, or the operational location(s), or both, increase or mitigate the threats and risks identified for the security and privacy of employee data?
  3. Discuss the security and privacy implications for DAS of the data processing location?
  4. Discuss any issues of data sensitivity that you think should be considered with either the chosen solution or the storage/processing locations?
  5. Discuss any issues of data sovereignty that should be considered?

Your presentation is to be completed in either PowerPoint or Google slides. Your presentation must not exceed 25 slides of content.

  • The presentation should be a maximum of 25 slides, including introduction, conclusions and recommendations.
  • Each slide should have speaking notes in the Notes section which expand on the information in the slide.
  • Images and quotations used in slides must be referenced on that slide.
  • The slide deck does require a reference list. References are to be included on a Reference list slide(s), but these are not counted as part of the slide deck limit.

Your presentation should highlight the significant points of your argument, but you should include the detail in the speaking notes section of your slides.

Rationale


This assessment task will assess the following learning outcome/s:

  • be able to examine the legal, business and privacy requirements for a cloud deployment model.
  • be able to evaluate the risk management requirements for a cloud deployment model.
  • be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud.

Solutions

Expert Solution

Cloud Systems:

  • A cloud system is a system which helps in eliminating the need for any kind of hardware or making use of any kind of software, while the users can quickly add or remove users as per the requirements.
  • Also, the users can access the virtual desktops from multiple devices or web browsers, which will help in maintaining the procedure for working with the workspace from anywhere, anytime.
  • The cloud systems have an ability to store data independent of the location and machines. They can also provide data whenever and wherever it is needed so as to make the data omnipresent.
  • The cloud-based system is based on establishing risk management processes and even procedures to provide a mission-critical service. The provision of the services is widespread.
  • During any kind of disaster or recovery, the systems are up and can run without any problem. The setup can be resumed in order to balance the use of business continuity.
  • The plan will also consider various events of procedures during the disaster and must be managed according to the requirements.
  • Virtualization has always been the key to business continuity and this is the thing that can be easily done with the help of the cloud systems. The most authentic and effective design will be acknowledged while the disaster has occurred and there would be a certain level of stable backup operational.
  • The cloud will provide us with the cost-efficient and most scalable methods of computing for the type of industry on which you are doing a certain study. Cloud has recently become the most popular alternative for enterprise disaster recovery.
  • Also, the AWS workspace makes use of two ENIs (Elastic Network Interfaces), which are used for management and streaming (eth0) and as the primary interface (eth1). Both of these have unique tasks to perform.
  • The client applications also make use of HTTPS over port 443 for all the authentication-related information and also make use of the cloud services securely and privately in case of such needs.

Hence, this is how the AWS cloud systems work and provide us more coverage over the database and similar technologies.

Potential Risks in Cloud-based systems:

There are also some potential risks that must be focused on while making use of cloud services. They are listed below:

  • The potential risks in the cloud are being transferred to the cloud providers using the hardware-independent virtualization technologies that are nowadays a trend in disaster recovery.
  • The cloud personnel are known for designing the cloud for such disaster recovery and making the cloud the hinge of the most effective designs of enterprise IT architectures.

Hence, this is how one can transfer the potential risks to the cloud providers.

Risk Assessment & Threat Vulnerability:

Nowadays, companies have moved on to the Agile or Rapid Application Development SDLC (Software Development Life Cycle), which has been resulting in reducing the development timeframe. Now, starting with the risk assessment for the cloud-based systems, here we go:

  1. Collecting Information:
    • The collection of information is one of the major parts that plays a role in the security of the organization. The URL of the target must be accessible to gain information.
    • Information caught in the wrong hands can turn out to be chaos for any organization. Hence, information must always be safeguarded with levels of security.
  2. Risk Profiling:
    • Checking the website for each and every type of risk/threat is a very important task and must be carried out with each and every module of the organization's availability in the internet space.
    • There must be things carried out like:
      • Automated threat scanning
      • Penetration Testing
      • Black Box Testing of the source codes
      • Assigning Risk Ratings to the Security Flaws
      • Reporting to higher Authorities
  3. Updating Technology:
    • In the current world scenario, it has become very important to update the technologies that are being actively used, and they must be balanced accordingly.
    • The use of older versions will come with a bunch of vulnerabilities and threats along with the destruction of certain aspects of the organization.
  4. Application Fingerprinting:
    • In an organization, there are certain things that must be checked for known vulnerabilities and exposures. If there are any, one must always make it the priority to overcome certain threats in order to run the organization smoothly.
    • The application fingerprinting consists of different levels of assessment. Here are some of the different scopes:
      • Defining Objectives
      • Devising Strategy to overcome threats
      • Role-Based Access Control Matrix
      • Choosing Appropriate Security Tools

Hence, these are some of the risks and threat vulnerabilities for the cloud systems.

Actions For Effective Risk Management Capabilities in Cloud Systems:

The actions that one must take in order to make risk management effective and up to the mark in management capabilities for the cloud-based systems are as follows:

  • Preparing:
    • One must always prepare for the risks and also keep the systems checked for the vulnerabilities.
    • The best approach is to plan and make changes to the system as soon as the updates are launched to a particular system.
    • The planning must work accordingly so that the risks are being minimized at the user's end.
  • Verifying & Eliciting:
    • Verifying each & every potential risk in the system and if found critical then eliciting the risk will ensure that the risks are eliminated properly.
    • The elimination of the risks is also being done on a certain level so that there are no further risks remaining in the system to check.
  • Analyzing gaps & Evaluating:
    • Analyzing for risks is one of the major activities that must be undertaken on the developing end, because if a risk is analyzed at an earlier stage it is less destructive for the system.
    • Evaluating the level of the risks also becomes important for the users so as to make the risks less effective on the systems.

Hence, these are actions that could lead to the development of effective risk management capabilities.

Guidelines For Security Policies:

For the security policies, there are certain things to be always taken into consideration. We will discuss all of them as we dive in deep. So here we go:

  1. Knowing The Risks:
    • It is the most important part while creating security policies to know what risks are there in the system.
    • How the information is being manipulated at the client as well as the server end. Hence, making the process more secure as data is the part for which security is always compromised.
  2. Knowing The Wrongs Done By Others:
    • Knowing the organizations that have gone through the certain risks which reside in your system. Learning from the mistakes made by others is always the most effective way of setting guidelines.
    • The guidelines to the security policy consist of the most probable wrong things that each and every organization with similar risks is doing.
  3. Keeping Legal requirements in mind:
    • Many times organizations completely forget about the legal requirements that are required by the officials.
    • Hence, keeping the legal jurisdictions, data holdings and the location in which you reside is also most important.
    • Recently, this has been the case with Facebook's most controversial data theft.
  4. Setting the level of security:
    • The level of the security that is being planned must always be kept in mind with the level of risks that are residing in the system.
    • Excessive security in the system can also cause hindrance to the smooth business operations and hence, overprotecting oneself can also be a cause of the problem.
  5. Training Employees Accordingly:
    • The training of the employees in a certain part of the security is also a major part of the security policy as the employees are the ones who make mistakes.
    • So, if one trains their employees in such an order that they minimize the mistakes that are being made, it will become great for the system.

Hence, these are the guidelines for creating an effective and functional security policy that every organization dealing with the cloud-based systems must develop in order to stay safe and secure.

