Saturday, December 7, 2019
Office Australian Information Commissioner -Myassignmenthelp.Com
Question: Discuss About The Office Australian Information Commissioner? Answer: Introducation Due to the developments in technology and the increasing accounting of data that agencies must handle, along with the need for reduced costs and better management, agencies such as DAS are increasingly changing and modernizing their information systems (Akella, Buckow Rey, 2009) https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/it-architecture-cutting-costs-and-complexity . This is achieved through measures such as consolidation of IT systems, modernization of information systems, outsourcing some services, such as hardware devices, computing power, and backup, and re-aligning information systems (Bond, 2015). Many organizations are transforming their legacy systems by migrating to the cloud and making use of technologies such as PaaS (platform as a service), SaaS (software as a service), and IaaS (infrastructure as a service). These moves have their benefits, including better service delivery, reducing workload for staff be enabling on-line self service port als, reduced costs as well as reduced complexity of information systems (Akella, Buckow Rey, 2009), (Bond, 2015). These benefits of information systems (IS) modernization through consolidation and using outsourced services also come with associated risks. Cloud computing environments are highly scalable as well as being highly available and reliable, making them attractive propositions, especially for public organizations that have to handle large amounts of public data and manage thousands of employees. Migrating applications to the cloud helps public organizations run their internal systems better and serve the public better (Antonopoulos Gillam, 2017). By handling public information on individuals with personal and personal identifiable information (PII), these IS become increasingly attractive for malicious entities such as hackers. The information system repositories and portals hold information valuable for hackers such as their contacts, addresses, biometric information, and even financial information details such as credit card numbers an details (Mather, Kumaraswamy Latif, 2010). As such, consolidating and migrating services to cloud portals carriers with attendant risks and threats to the security and privacy of PII and even staff information at these agencies. To ensure a safe migration to modern computing platforms, agencies and organization need to fully understand the risks that storing PII in such platforms as online portals (cloud computing) carries through undertaking a risk and threat analysis, for example. Based on such an analysis, the organization will be aware of the risk faced in having PII and organization dat a stored in cloud platforms and running some of their operations on cloud platforms such as PaaS and IaaS (Pfleeger Pfleeger, 2012). The threat and risk analysis will help the organization make informed decisions and develop appropriate measures to protect their data and well as the PII of people (citizens in the case of government bodies or clients/ customers in the case of private/ corporate organizations). Moving data and applications to the cloud is a major long term term trend, but fraught with challenges and risks, not least the threats to PII and enterprise data and information (Mahmood, 2014). When data and information, including PII is migrated to cloud platforms there are inherent risks due to the nature and sensitivity of the information; the threat and risks to migrating to the cloud start right before the migration begins, when data is being stored in the cloud platforms, and when there is exchange of data and information between the cloud environment and access points . This paper will evaluate the threats and risks that the Department of Administrative Services (DAS) would face when consolidating and migrating its applications and data, including PI for its staff and members of the general public, to a cloud environment. In the DAS scenario, there is a new cloud first policy in which the DAS wants to consolidate all the services offered to the public by various departments including contractor management and procurement, as well as licensing to its own data centers. Further, the DAS wants to migrate its application services including HR and personnel management, contract tendering management, payroll, procurement, and contractor management to a consolidated data center; a strategy that will see the ful adoption of the shared services model. DAS will centralize several services for the whole of government (WofG) such that every Agency or Department that offers any of the targeted services for its internal users and for members of the public, will ha ve to migrate them into the DAS data center where it will all be consolidated into the DAS database. These services will then be centrally provided by DAS to all other government departments. DAS has commenced the switch to the cloud first policy and is presently implementing the following services; A HR and personnel suite in the SaaS model, A Contractor management suite also in the SaaS model A COTS Payroll solution implemented in the AWS cloud A Share Point PaaS platform that is the basis of its intended Intranet platform for the WofG Further, a decision has been made for all applications for, and renewal of licenses form various government agencies to be taken to a single web portal, named MyLicense. Citizens will then be encouraged to register in the MyLicense portal for renewal of nearly all licenses, and have designed this process to follow one process flow for all licenses. The Government will use the portal to better view licenses held by every citizen thereby having PII for citizens in its web portal and exposing citizens data to possible data risks. This paper will develop a suitable data protection and data privacy policy for DAS staff and for citizens with relation to PII. In this paper, a threat and risk assessment for PII data in the MyLicense portal is developed with regard to privacy and protection of this data. Thereafter, a PII strategy proposal for the MyLicense portal is also developed for threats and risks to the PII data and management for control. The paper also develops a strategy for the pro tection of informal digital identities created by users in the MyLicense portal for privacy and data protection, along with measures to mitigate the identified risks. Finally, a governance plan will be developed PII data for both the public and DAS staff. Threat Risk Assessment for PII Data in MyLicense Portal Internal and External Threats The cloud platform amplifies internal threats to PII data security and privacy in the cloud; the figure below illustrates the threats due to external factors and those due to internal factors; The threats and risks will be discussed in the context of both internal and external threats; while internal threats pose the biggest risks, the external threats usually have the biggest impacts, such as ransomware attacks, and most external attacks occur as a result of internal human factors, such as poor strategies, deliberate actions, and mistakes/ ignorance (Vohradski, 2012). The nature of the cloud means that the attack surface can only get bigger and wider, so reducing the attack surface is not an option. The threats and risks are discussed below; Malicious Insiders An example of this is the Edward Snowden case in which lots of the NSA information was made public, creating headlines around the world (Waxman, 2017). When there is a malicious employee insider an organization with a a huge cloud portal having lots of information, the risks are magnified several times over. The insiders can steal information and sell it for financial benefit or just to get back at their employee, or for the Snowden case, to operationalize a private crusade. Employees can also modify data or delete them irretrievably, especially those trusted to manage such data. Further, its possible for employees to leave backdoors or vulnerabilities that allow external collaborators to access PII for use for other purposes, either for profit or due to disgruntlement (Subashini Kavitha, 2011). Breaches to PII Data Cloud computing entails having the data in different states; data at rest, data in transit, and data under use in the cloud platform. Cloud computing has forced malicious entities to innovate new ways of circumventing security protocols in the cloud and administer new attack methods. Breaches to PII has serious consequences, including legal, reputation, and financial; it is also embarrassing for the top person in the organization to have to face an irate public and the media and try to explain what happened and what they will do (Metheny, 2017). Cloud Service Providers (CSPs) usually provide strong and rigorous security protocols to guard against such attacks, cyber criminals still always find a way through, such s the recent case of Equifax (Gressin, 2017). However, the same threats that traditional IS (information systems ) face also pose threats to PII in the cloud. Inherent weaknesses such as side channeling timing exposure, where a user in a VM (virtual machine) is able to liste n to activity signaling that an encryption key has arrived on another VM sharing the same host can result in sensitive data for the DSA falling into the wrong hands, more so because of the cloud nature where many users share services and resources (Ren, Wang Wang, 2012). Loss of Data Permanently Data breaches are due to intrusive actions or the result of malicious action, including by insiders in the organization. The loss of data means that information is lost an a manner in which it cannot be retrieved or recovered, for instance a disk drive dying/ failing when no backup for the data stored in it was created; this is especially a risk for DAS in a hybrid cloud architecture. It is also possible for data to be permanently lost when the data owner of encrypted data loses the decryption key, or forgets it (LeClair Keeley, 2015). An example is when some data (small) were lost by AWS when Amazons EC2 Cloud suffered whet they termed a re-mirroring storm caused by an error by a human operator in 2011(Goldman, 2011). data can also be lost due to deliberate actions of insiders deleting or modifying data by encrypting it, or externally due to malware attacks that deletes all data, as happened to the Saudi State Oil Company or Ransomware as happened to the UK National Health Service. Hijacked Accounts This would normally be expected to happen in traditional computing; but it is also a major risk in the cloud environment. Accounts in the cloud can be hijacked through loss of credentials and passwords, such as when employee devices they use to access cloud services containing PII are lost. It can also happen due to exploitation of vulnerabilities in software, for instance, buffer flow attacks or through Phishing and Social Engineering attacks (Pearson Benameur, 2010). Intruders that hijack accounts of DAS staff can manipulate transactions, eavesdrop, give false damaging information, or simply steal crucial information such as addresses and credit card numbers, or obtain information to use for other nefarious acts such as identity theft. If the account(s) with PII is connected to other accounts, there can be a quick loss of control over other accounts as well. The passwords given or developed by the users can also be weak and lead to their passwords being stolen. Further, its common for citizens to access government cloud portals such as MyLicense portal using their devices, the work/ office device, or a public portal and even forget to sign out. If these devices had malware that steals passwords, the user account can be hijacked and the password changed (Robinson, 2011). Hacking of Interfaces and APIs that are Insecure Another major threat is interfaces and APIs that are weak/ insecure that get hacked; the MyLicense platform aims at providing services to millions through various government agencies and also attempting to limit the damage these millions of users can cause the service, given they they are mostly anonymous users. The solution lies in developing APIs (application programming interfaces) that are public facing that define how third parties connect to applications (Abraham Thampi, 2013)in the MyLicense portal service. Further, communication with other cloud services also utilize APIs in many cases meaning that the APIs security also have direct impacts on the security of PI in the cloud. Chances of these APIs increase when access to the APIs are granted to third parties and the result would be the loss of PII or having the exposed to the general public (loss of privacy) (Dinh, Lee, Niyato Wang, 2013). DDoS (Distributed Denial of Service) Type Attacks DDoS are common forms of cyber attacks; however, when targeted at cloud platforms, the effects can be devastating as these attacks affect the ability of DAS and government agencies to run critical services while consuming significant amounts of resources, including processing power, raising bills for cloud services (Yu, 2013). Cloud Services Abuse The cloud platform means resources and services are shared by different users; including hackers who can use the same cloud services and their processing power and resources cause attacks, such as decrypting encryption keys within a short time. Cloud servers that are shared can also be used by cyber criminals to launch attacks such as DDoS, serve malware to steal or compromise PII. While CSPs are responsible for cloud services use, it may be difficult for them to detect abuse and improper use (Daimi et al., 2017), (Ren, Wang Wang, 2012) Weak identity and Authentication Management Failure to implement strong identity and authentication protocols has been a major cause of PII data being breached. There is always a challenge for organizations to manage identity and authentication to access various IS human resources management commensurate with their job roles. If these credentials and authentication methods are weak, cyber criminals can hijack or crack them, resulting in them breaching and accessing millions of PII data that they can use for any other malicious purpose. If identity management is poor, huge cyber security holes is the result, leaving the system at the mercy of hackers and cyber attackers (Ghorbel, Ghorbel Jmaiel, 2017), (Mock Desai, 2013). Advanced Persistent Threats These are parasitic types of attacks where APT s infiltrate the DAS IS infrastructure and establish a foothold. The APT s then extract and ex-filtrate PII data and information over long term periods. APT s move across networks laterally; the fact that DAS will use a PaaS Share Point Intranet further compounds this problem because the APT s can move laterally across its entire IS network. Because APT s easily blend with normal traffic making their detection difficult. APT s gain entry into enterprise networks through infected external storage drives, direct attacks, and spear Phishing (Auer Zutin, 2017). PaaS Intranet Vulnerabilities DAS will build an Intranet using a PaaS platform; this increases the attack surface due to resource sharing and the risk of the root access to servers that will be running many of the instances on MyLicense portal. If cyber criminals gain unauthorized access to this infrastructure, they can change configurations and breach PII or even cause data loss and modification. Failure to properly configure security and other settings in the PaaS platform will escalate threats of cyber attacks; PaaS provides a self service platform, implying that DAS must undertake all protocols to ensure safety and security, including installing and updating anti malware software (Korshed Wasimi, 2012). Insufficient Diligence Migrating and having PII on cloud portals with external access by millions of anonymous users will greatly expose their PII data to attacks and breaches. If DAS does not fully understand the cloud environment and its risks, or adopt an unsuitable policy, starting from migration and how this data is accessed, managed and used in the cloud based web portal, there are risks of the PII data being breached (Herold, 2011). Everything must be carefully planned, starting with the clod architecture, the migration policy, control policies, and management of users After evaluating the threats, a TRA is undertaken to create a threat profile for PII on the MyLicense portal, as shown in the Figure below; Threat Risk Analysis Below is the TRA for the threats and risks inherent to using cloud service platforms (the PaaS and SasS) and the use of public clouds and a data center for storing public information and software suite instances Threat/ Risk Number Threat /Risk Rank 1 Malicious Insiders Extreme 2 Breaches to PII Data Extreme 3 Insufficient Diligence Extreme 4 Weak identity and Authentication Management Extreme 5 Advanced persistent Threats Extreme 6 Loss of Data Permanently Very High 7 Hijacked Accounts Very High 8 PaaS Intranet Vulnerabilities Very High 9 Hacking of Interfaces and APIs that are Insecure High 10 Cloud Services Abuse High Conclusions Agencies are increasingly migrating to the cloud because of its inherent benefits, including a highly scalable platform, greater security, streamline operations, ability to share resources, consolidation of IT systems, and providing users an easy form to access services through self service model. However, migration to the cloud has its own risks and dangers, especially where dealing with public data that contain personally identifiable information such as addresses and names or gender. To remain on top of the game, an elaborate threat risk assessment is necessary to ensure informed decisions and choices are made based on available data and information from the threat risk assessment. DAS is in the process of consolidating its IT systems and services for various departments using its new cloud first policy. Already, it is in the process of migrating its HR and contract management systems to a SaaS platform. Also, DAS is migrating its payroll system, which is a COTS to the AWS. It wil l also have an Intranet implemented in a PaaS Share Point platform. The threats and risks that PII and personal data for users are exposed to include malicious insiders, breaches to PII data, loss of data permanently, hijacked accounts, hacking of interfaces and API s that are insecure, DDoS (distributed denial of service) type attacks, cloud services abuse, weak identity and authentication management, advanced persistent threats, PaaS Intranet vulnerabilities, and insufficient diligence References Abraham, A. Thampi, S. M.. (2013). Intelligent Informatics: Proceedings of the International Symposium on Intelligent Informatics ISI'12 Held at August 4-5 2012, Chennai, India. Berlin: Springer. Antonopoulos, N., Gillam, L. (2017). Cloud computing: psychology, systems and applications.Computer communications and networks Auer, Michael E., Zutin, Danilo G. (2017). Online Engineering Internet of Things: Proceedings of the 14th International Conference on Remote Engineering and Virtual Instrumentation Rev 2017, Held 15-17 March 2017, Columbia Universit. Springer Verlag. Bond, J. (2015). The enterprise cloud: Best practices for transforming legacy IT. Sebastopol, CA: O'Reilly Media. Dinh, H. T., Lee, C., Niyato, D., Wang, P. (December 25, 2013). A survey of mobile cloud computing: architecture, applications, and approaches. Wireless Communications and Mobile Computing, 13, 18, 1587-1611. Gressin, S. (2017). The Equifax Data Breach: What to Do. Consumer Information. Retrieved 8 October 2017, from https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what- do Goldman, D. (2011). Amazon explains and apologizes for cloud disaster - Apr. 29, 2011.Money.cnn.com. Retrieved 8 October 2017, from https://money.cnn.com/2011/04/29/technology/amazon_apology/index.htm Ghorbel, A., Ghorbel, M., Jmaiel, M. (June 01, 2017). Privacy in cloud computing environments: a survey and research challenges. The Journal of Supercomputing : an International Journal of High-Performance Computer Design, Analysis, and Use, 73, 6, 2763-2800. Herold, R. (2011). Managing an information security and privacy awareness and training program. Boca Raton, FL: CRC Press. Khorshed, M. T., Ali, A. B. M. S., Wasimi, S. A. (June 01, 2012). A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing. Future Generation Computer Systems, 28, 6, 833-851. LeClair, J., Keeley, G. (2015). Cybersecurity in Our Digital Lives. BookBaby. Mather, T., Kumaraswamy, S., Latif, S. (2010). Cloud security and privacy: [an enterprise perspective on risks and compliance]. Beijing: O'Reilly. Pearson, S., Benameur, A., 2010 IEEE 2nd International Conference on Cloud Computing Technology and Science (CloudCom). (November 01, 2010). Privacy, Security and Trust Issues Arising from Cloud Computing. 693-702. Pfleeger, C. P., Pfleeger, S. L. (2012). Analyzing computer security: A threat/vulnerability/countermeasure approach. Upper Saddle River, N.J: Pearson Education International. Robinson, N., Rand Corporation., European Commission. (2011). The Cloud: Understanding the security, privacy and trust challenges. Santa Monica: Rand. Mahmood, Z. (2014). Cloud Computing: Challenges, Limitations and RD Solutions. Cham : Springer International Publishing Metheny, M. (2017). Federal cloud computing: The definitive guide for cloud service providers. Amsterdam : Syngress Mock, K., Desai, A. M. (January 01, 2013). Security in Cloud Computing. InfoSci-Books Ren, K., Wang, C., Wang, Q. (January 01, 2012). Security Challenges for the Public Cloud. IEEE Internet Computing, 16, 1, 69-73. Subashini, S., Kavitha, V. (January 01, 2011). A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34, 1, 1-Vohradsky, D. (2012). Cloud Risk10 Principles and a Framework for Assessment. ISACA, 5(1). Retrieved from https://www.isaca.org/Journal/archives/2012/Volume-5/Pages/Cloud- Risk-10-Principles-and-a-Framework-for-Assessment.aspx Waxman, A. B. (2017). Rogues of Wall Street: How to project-management risk in the cognitive era. Hoboken, NJ : Wiley/IBM Press Yu, S. (2014). Distributed Denial of Service Attack and Defense. (Springer eBooks.) New York, NY: Springer New York.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.