The Charity organization has decided to move parts of its database onto a SaaS cloud environment. The NGO has an online portal called ‘MySupport’ on which its clients need to register to obtain an individual digital identity. These digital identities are directly linked with the clients’ corresponding personal data. Hence, the Charity organization is dealing with a huge volume of PII (Personally Identifiable Information) and stores it in the distributed public SaaS cloud database. As a result, the collection and use of clients’ confidential information comes with a great deal of ethical responsibility in terms of maintaining data privacy and security. In this context, the report focuses on the fundamental ethical implications related to the privacy and security of client data, which in turn should lead to certain organizational process changes to ensure ethical compliance and protect the digital identities and PII.
Maintaining privacy is essential, as the Charity organization should concentrate on the legitimate concerns regarding the risks associated with clients’ PII and digital identity protection. Privacy is a human right and the NGO is obliged to follow the relevant data privacy and protection laws and regulations. The NGO clients will provide their personal information by registering on the MySupport portal. This data will be stored in the public SaaS cloud. The personal data of each client is directly linked with the digital IDs and thus the chances of potential privacy and security breaches are significantly higher (Cavoukian, 2011). Therefore, the Charity organization needs to ensure proper ethical guidelines to protect the privacy of PII data. The major ethical duties and responsibilities in this context are described below.
The organization should clearly define the exact purpose of collecting personal data from its clients. Moreover, the NGO cannot change the purpose of the data without specifying and justifying a sincere and legitimate cause behind it. Prior to the data collection, the organization should clearly state to the clients the purpose of collecting and using such personal data (Subashini & Kavitha, 2011). In addition to that, the firm should ensure that the data is only accessible by the owners and individuals having legitimate interests. There are certain additional measures that the firm needs to adopt for safeguarding the digital identities.
Lawful collection, use and access of personal information is a must in order to ensure ethical compliance for privacy. For this purpose, the NGO is obliged to be consistent with the General Data Protection Regulation (GDPR) 2018 in terms of collection and use of client data (Gray & Thorpe, 2015). It is the responsibility of the clients to maintain the highest standards of moral and ethical conduct by complying thoroughly with the data privacy and protection regulations.
Sensitive context and sensitive data
The NGO should ensure that the amount of PII collected, along with its granularity, is kept to the minimum. The NGO handles a great deal of sensitive data. Therefore, it needs to follow the basic ethical duties such as data retention, minimization, data de-identification, pseudonymization and anonymization (Catteddu, 2010). A thorough analysis, conducted by authorized personnel, of the critical factors associated with violation of the privacy of sensitive information by known and unknown third parties is a must.
Conducting a detailed privacy risk assessment is considered an integral part of maintaining ethical compliance for privacy protection. The Charity organization ought to consider the probable impact and consequences of the use of personal data. In this case, as the digital identities are directly linked with the client data, the handling of this PII becomes highly vulnerable to potential privacy risks and threats (Sen, 2014). Therefore, the risk and benefits assessment to be conducted by the ethics team of the NGO should focus on critical factors such as the severity and magnitude of the identified risks as well as the likelihood of occurrence of those individual risks.
In order to be ethically correct, the organization must adopt and implement secure and safe methods in terms of storing and processing the digital identities and PII data of their clients. It is crucial to protect the confidential information from unauthorized and unwanted entities. In order to serve this purpose, it is essential to employ appropriate encryption techniques (Pearson, 2013). Furthermore, the Charity organization should ensure that the external cloud service provider has clearly defined the measures taken by them to store and process the cloud data. Therefore, the NGO is obliged to maintain a safe and secure environment with adequate access control mechanisms.
The NGO is considering establishing a third party partnership with a public cloud vendor for migrating to the SaaS cloud. Hence, it will require storing certain confidential data pertaining to the organizational clients in the public cloud environment. For this purpose, the third party cloud vendor collaborating with the NGO should ensure appropriate compliance with the necessary and applicable data privacy acts (DPA) (Kumar & Saxena, 2011). It is important to conduct a process of due diligence for assessment and evaluation of the privacy practices of the third party collaborators.
The ethical implications for security deal with several aspects that include server and client security, password security and cryptographic mechanisms. The Charity organization is obliged to provide a safe and secure environment for the clients’ personal information. The PII and its associated digital identities are highly vulnerable to damage, corruption and data loss due to various causes such as theft, faulty disks, power outages, distortion and deletion of data as well as unauthorized access by hackers, outsider and insider attackers. Therefore, the third party cloud vendor needs to develop its SLA (service level agreement) in a way that clearly defines the ethical implications and security policies for protecting against security threats. In this context, the thorough identification, assessment and evaluation of security threats should encompass the major ones such as eavesdropping, distributed denial of service (DDoS) attacks, data fabrication, Man in the Middle (MitM) attacks and so on (Taylor, 2012). Hence, the NGO must consider and address the major ethical duties for maintaining data security. These are discussed as follows.
In the case of server security, SSL sets up secure communication between on premises and cloud servers. Nevertheless, the servers ought to be shielded from hackers and other security dangers. Accordingly, it is the obligation of the third party cloud vendor to declare its SLA (Service Level Agreement) in such a way that the client organizations can fully trust their cloud service provider with their confidential and private data (Rivers & Lewis, 2014). The ethical duties of server security should mandate regular security audits and reviews of the public SaaS cloud vendor to guarantee server security. It is a fundamental part of the ethical obligation of the Charity firm to request proof from the cloud service vendor before entrusting its private information for storage, use and processing.
The Charity organization has decided to outsource some of its data management duties such as backup and restoration, disaster recovery and server level security to a third party cloud vendor through public SaaS cloud adoption. On the other hand, client side security typically deals with providing a safe and secure environment to the clients in terms of the laptops and desktops used by the organizational clients. The NGO clients will be required to register on the MySupport portal and access the SaaS cloud. In this context, the organization ought to ensure that the computers and desktops being used by its clients are appropriately secured with strong security mechanisms such as firewalls, antivirus protection, recent security patches and Windows updates, and the latest security patches and updates for the web browsers and operating systems installed on the client systems (Subashini & Kavitha, 2011). Another part of client security is physical security. The firm is required to ensure the physical security of the clients by mandating screen locks and log offs from computers if a user is away from the system for a certain period. In addition to that, the firm should ensure system protection with strong administrative passwords. Hence, ensuring client side security is a major part of information security ethics. It is closely associated with implementing all the required tools and techniques in order to protect the clients’ personal data from security breaches and provide a secure environment for operating the desktops and computer systems.
Password security also comes under information security ethics. The Charity organization needs to develop its ethical guidelines in such a way that they include a strong password policy. A strong password policy involves several rules for security purposes. Firstly, it is mandatory to change server and system-level passwords after a certain period (usually after every 90 days). In addition to that, the firm should be aware that the cloud vendor is storing all the passwords in encrypted files (Von Solms & Van Niekerk, 2013). Moreover, the password policy should demand highly complex passwords that must contain special characters, numeric values and small and capital letters. Remote network access is typically vulnerable to security breaches. Therefore, the organization ought to use advanced security mechanisms such as two factor and multi factor authentication, public key infrastructure (PKI), tokens, zero knowledge password proof (ZKPP), one-time passwords (OTP) etc. (Takabi, Joshi & Ahn, 2010). More importantly, in the case of remote server access, implementing virtual private networks (VPN) should be essential for ensuring proper protection from network security threats.
Implementation of cryptographic techniques is an integral part of ethical compliance in maintaining data security. A secure API is a must, and the implementation of Hypertext Transfer Protocol Secure (HTTPS) with an SSL certificate can ensure adequate security for the MySupport portal (Whitman & Mattord, 2011). The Charity organization may consider Secure Sockets Layer (SSL) to deploy industry standard transmission of data through a public communication medium. It utilizes strong encryption techniques to ensure a protected communication environment between on premises and public cloud servers. Moreover, SSL/TLS (Transport Layer Security) may be implemented to ensure a stronger security control for transferring client data through an untrusted and unprotected public cloud network.
The ethical implications for privacy and security discussed above help to identify and propose several methods and approaches to solve the major issues related to data privacy and security risks. According to Quinn (2010), the potential threats and issues can be mitigated and managed by implementing certain technical and managerial solutions. These solutions are closely associated with the ethical duties and responsibilities that need to be performed by the Charity organization. In this context, this section presents a number of useful recommendations for the NGO clients in terms of maintaining ethical compliance for security and privacy.
Following a specific information plan would give the clients point-by-point rules and principles for building the cloud framework while considering the ethical values attached to the data shared. Building a value sensitive design for the implementation of the cloud framework for MySupport would help in assigning responsibility for the ethics in a thorough and principled way. Privacy and security of the cloud database ought to be treated as the main considerations in developing the value sensitive design (Krutz & Vines, 2010). The NGO client needs to assess the ethical privacy and security issues related to data protection proactively. In addition to that, following the principles and approaches of ISO (International Organization for Standardization) gives detailed rules and best practices for incorporating privacy and security of the information that can be implemented in the MySupport interface. Besides, the EU Data Protection Directive has identified different practices for providing transparency in data storage, exchange, processing, access and use. This would furnish MySupport with a strong design process for the privacy and security of clients’ personal data.
Data integrity would help in protecting sensitive client data from unauthorized access. On the other hand, data availability should be considered in order to ensure that only the authorized persons are able to access the required resources as and when required. Backup and restoration are the critical success factors for ensuring data availability. For highly critical data, the organization should consider data redundancy techniques to avoid disruptions during power outages or other types of system failures (Kumar & Saxena, 2011). On the contrary, data integrity issues may include data loss or manipulation, untrusted cloud servers and potential vulnerabilities due to a poorly defined SLA by the cloud vendor. The 500 support staff that access the SaaS cloud should be able to access the right data at the right time. This can be ensured by providing authenticated and authorized access to the intended users, keeping proper measures for backup, redundancy and restoration and implementing encryption and security techniques to prevent unauthorized access by hackers.
The Charity organization should consider applying strong encryption and authentication techniques for strengthening security. Cryptography produces codes for protecting information security during transmission. Through encryption, the data is converted into ciphertext that is unreadable to unauthorized users, without altering it. A particular decryption key is required for the clients to read the information received. The decryption process maintains the integrity and security of the data. Further, this enables a secure and trusted communication link between the on premises clients and the cloud servers. Kent (2016) suggested that cryptographic solutions essentially help in the secure storage and processing of information and put a protective fence around the personal information shared by the clients. The use of 'homomorphic encryption' would allow implementing specific access criteria for the clients. Moreover, with 'homomorphic encryption' the clients can send data in encrypted format so that it is transmitted over the public network without revealing the sensitive data to outsiders. 'Homomorphic encryption' can be used for aggregating the encrypted information, guaranteeing the anonymity and security of the information shared through the cloud. Besides, for sending and receiving medical documents for verification or analysis to the MySupport head, hash function encryption should be implemented. The use of a hash function provides a secure one-way procedure of document encryption for maintaining the authenticity and integrity of the records.
The privacy ethics imply that the organization must adopt tools and techniques that help in maintaining user anonymity and privacy while transmitting data across the cloud network. The NGO clients should make use of software applications such as Freenet and Tor for managing digital identities. Furthermore, it is recommended to implement encryption processes for communication across public servers and cloud networks. Data de-identification and anonymization algorithms are useful tools to protect privacy so that the individual owner of the data cannot be tracked directly by the digital IDs (Bygrave, 2014). Apart from that, authentication and authorization methods should be implemented to secure the cloud database containing the personal information pertaining to the clients of the Charity organization. Moreover, securing privacy through virtual private networks for remote access is also recommended.
Management and use of clients’ personal information in the public cloud framework is a critical issue for the MySupport framework. All the sensitive data is recorded through the online portal and thereby stored in the public SaaS cloud. In this way, the Charity organization is able to access the information through any system at any time (Bélanger & Crossler, 2011). Accordingly, for managing and verifying the digital identity of the clients as well as the customer, an attribute-based ID system with an individual ID and password is essential. Apart from that, the clients’ PII data should be validated on the basis of different attributes including age, nationality, medical issues and so forth. This method will enable the organizational clients to access different services through the attributes. Through digital de-identification, retention and minimization techniques, the organization should ensure that the individual clients cannot be tracked directly by using only their digital IDs.
In this report, it has been identified that information shared and transmitted through the cloud and with the Charity's customers regularly raises concerns about the moral and ethical issues regarding privacy and security. The ethical implications related to the privacy and protection of the information have been considered as a risk in the MySupport framework. The report demonstrated that personal and confidential information brings ethical responsibilities, which in turn lead to behavioural changes towards the administration. The report has thoroughly discussed and evaluated the underlying ethical implications in terms of protecting the privacy and security of the NGO clients, their digital identities and personally identifiable information (PII). Since the Charity is moving the clients’ personal information to the cloud vendor for storage and handling, the recommendations are targeted to help in guaranteeing the security and protection of the transmitted data. By following the specific recommended strategies and processes, the Charity organization would guarantee and maintain the ethics while providing adequate arrangements for the privacy and security of its clients.
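The de-identification and minimization steps recommended above can be sketched as follows. This is an added example, not part of the original report: the report names no specific algorithm, so keyed HMAC-SHA256 is used here as one common pseudonymization technique, and the field names, allow-list, key and sample record are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the pseudonymization key is generated and held on premises,
# never stored in the SaaS database alongside the records.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical allow-list of fields the cloud copy may carry (minimization).
ALLOWED_FIELDS = {"nationality", "service_category"}


def pseudonymize_id(digital_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a digital ID with a keyed HMAC-SHA256 token.

    A keyed HMAC (rather than a bare hash) stops anyone without the key
    from recomputing tokens by enumerating the ID space.
    """
    return hmac.new(key, digital_id.encode("utf-8"), hashlib.sha256).hexdigest()


def age_band(age: int, width: int = 10) -> str:
    """Generalize an exact age to a band, e.g. 37 -> '30-39'."""
    if age < 0:
        raise ValueError("age must be non-negative")
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def deidentify(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Build the cloud-side copy: token, age band and allow-listed fields only."""
    out = {"subject_token": pseudonymize_id(record["digital_id"], key)}
    if "age" in record:
        out["age_band"] = age_band(record["age"])
    for field in ALLOWED_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "digital_id": "MS-000123",
    "name": "Jane Example",
    "email": "jane@example.org",
    "age": 37,
    "nationality": "AU",
    "medical_notes": "constructed text",
    "service_category": "housing",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Records tokenized this way are pseudonymized, not anonymized: whoever holds the key can re-link a token to its digital ID, so they remain personal data under GDPR and access to the key is the control that matters.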