School of Electronics and Computer Science [618068]

School of Electronics and Computer Science
Faculty of Physical Sciences and Engineering
University of Southampton

<Ioana Simion >
<29618061>

<15/12/2017 >

< Data anonymity, privacy and security –
Information storage and access >

Personal tutor: <Prof. M.C. Schraefel >

“I am aware of the requirements of good academic practice, and the potential
penalties for any breach.”

2 Contents
Brief………………………………………………………………………………………3
Abstract ………………………….. ………………………….. ………………………….. …………… 4
Introduction ………………………….. ………………………….. ………………………….. ……… 5
Main Sections ………………………….. ………………………….. ………………………….. …… 6
Conclusions ………………………….. ………………………….. ………………………….. ……… 9
References ………………………….. ………………………….. ………………………….. …….. 10
Bibliography ………………………….. ………………………….. ………………………….. …… 12

3 Brief
Anonymi ty, Privacy and Security – Information storage and access
The company in which you are employed runs a small gym club. It provides
personal training in their own gym, at the workplace of a number of companies
and in the gyms of some local hotels. To use the gyms and personal training
clients have to become a member of the gym club. Members provide details of
their home address and contact information along with personal health and
medical -related information. Personal trainers regularly charts clients’ progr ess,
and the company also keeps individual banking details so they can track
payments. Members are invited to join and ‘like’ various pages run by the
company
on social media, and can gain rewards by providing personal recommendations
bringing new clients to the business. All records are kept on a central
database accessed via laptop computers and backed up by a commercial cloud
storage provider.
In light of the types of personal information your company’s gym club gathers
and how this information is stored , write a short report explaining (1) the
potential privacy and security breaches possible due to this arrangement, (2)
how the risk of these breaches occurring could be minimised and (3) your
company’s moral legal and ethical responsibilities to protect t he security of the
data stored, making recommendations as to how they should manage data
held on paper records and in the clubs databases.

4 Abstract

Data privacy has always been one of the customer’s main concerns. In today’s
society, a lot of methods were created in order to break into an informational
system. Thus, the security practices had to improve, constantly trying to develop
new ways to protect the user’s per sonal data. The result is a continuous
development on both sides, each company is trying to fix any loophole before it
can be exploited.
However, in a system such as a local gym club, loaded with client’s valuable
personal information , there are many secur ity breaches that could potentially
corrupt the whole system. Thus, making it a prime target for attackers .
This report presents actual solutions that would make the gym company less
vulnerable. In order to emphasize on this subject, I’m going to cover it from three
perspectives: the potential privacy and security problems, how to minimise them
and what legal and ethical responsibilities does the company have.
Finally, this report concludes by putting all solution into practice, resulting in a
well-optimiz ed security system, that will have considerably lower chances of
being broken into. Furthermore, the gym company will have a better idea about
their implication and role in the whole data anonymity problem.

5 Introduction
The aim of this report is to look in to the main problems that any small company
might have, regarding data privacy and anonymity.
First of all, any possible breaches should be discovered in the system or the way
it is managed. This first step is crucial because it offers a foundation on whic h
the solutions for the problems found can be built.
Second of all, the report should find practical ways of solving the errors. For this,
I based my solutions on documentation about “best practices” regarding data
privacy.
Furthermore, as an additional y et valuable piece of information, the report will
explore the responsibilities a company has in this matter.
Thus, with this report, I aim to raise awareness about the importance of applying
this measures even on small companies. Throughout this paper, I will base my
examples on the small gym company I work at, but the solutions are universally
applicable.

6 Privacy and security breaches
Historically speaking, security wasn’t the main concern during the writing of
computer software. Due to the increase in fr equency and complexity of
malicious attacks, modern software designs include security measure s as a
primary objective.
Still, due to the continuous development of cyber attack s, there are always some
loopholes that need to be covered in a system. For any n ew security measure,
there is a new method to break into it, thus, advances in this field will always be
needed.[1]
I will state all of my solution based on the information I have regarding my
company. Precisely on the fact that all the information is stor ed into a “central
database accessed via laptop computers and backed up by a commercial cloud
storage provider “ .
Starting with the fact that all the information is stored in a central database, on
this scale, it does not represent a major concern. This is not seen as a good
practice in larger companies but, even for the smaller ones, it is important to
keep a safe back -up, so that data restoring won’t be impossible.
One of the main problems with this system is the fact that everything can be
accessed throu gh laptops. The “optimal” environment would be a secure
building where only authorized people have access. Moreover, the office should
have computers rather than laptops. By using laptops, the information can exit
that “safe space” and thus expose a direct access to the whole system.
The fact that everything is backed up on a cloud is another important breach.
First of all, the company has to put all the trust in the cloud. Second of all, as
expected from a small company, by using common commercial means of storing
data, intermediates are used, thus making the company vulnerable.

7 Solutions to minimise the risks
In order to minimise the possible risks coming from the mentioned breaches,
there should be some changes into the design of the software that manages the
information.
For this, I am going to look into the means of applying the secure software
design principles.[2]
Starting with dependability, this stage is based on designing security into cloud
software. In other words, the software should be de signed to resist as many
attacks and tolerate as many as possible of those attacks it cannot resist. It
should be able to operate correctly under a variety of conditions, including when
it is running on a malicious host or when it is under attack.
Another principle is survivability. It consists in making the software contain the
damage and recover as soon as possible after attacks.

Another important stage in making a software secure is taking confidentiality into
consideration. Confidentiality refers to the intentional or unintentional
unauthorized disclosure of information.[3]
In regarding to this topic, there are some methods that have a significant role in
increasing the security.
First of all, one important breach is traffic analysis that can be used to detect a
major procedure that is occurring, based on the increased activity in messages
and traffic. The solution for this is to cover this high levels of activity by
maintaining an almost constant rate of traffic and to disguise where the
information is c oming from and where it goes.
Second of all, encryption is one of the most efficient methods to minimize the
amount of information that can be read by unauthorized users. Even though the
data is intercepted by external sources, using this method, an addit ional amount
of effort is required to decrypt the information.[4]

8 Moral, legal and ethical responsibilities
Regarding this matter, the report extends on the Data Protection Act 1998. [5]
The company has the responsibility to:
1. Process the data fairly and lawfully
2. Obtain the data only for specified purposes and not request additional,
incompatible information
3. Data should not be kept for longer than necessary
4. The data should not be transferred to countries that don ’t have adequate
levels of p rotection of the rights and freedoms

The Data Protection Act says that: “Appropriate technical and organisational
measures shall be taken against unauthorised or unlawful processing of
personal data and against accidental loss or destruction of, or damage to,
personal data.” [6]
This is one of the data protection principles which states that, as a corporation or
organization, you must ensure that you have the appropriate security to prevent
the personal data from being endangered. Specifically, there are s ome steps
that need to be taken.
Firstly, the company is required to plan and organise its security so that it fits the
nature of the information it holds. Moreover, when designing it, the damages that
may result from security breaches should be taken into consideration.
Secondly, the company should make sure they are endowed with the
appropriate technical security. In addition to this, they should clearly state out
their policies and procedures, who is responsible for ensuring data security and
train them so they would be able to face any breach of security.[7]

9 Conclusions
This report concludes by spotting all the possible breaches, solving them and
even upgrading the current software security. In addition, the responsibilities
section emphasizes the previo us parts, thus increasing their importance.
This paper has the potential to help a lot of small companies in the data privacy
and anonymity matter. Furthermore, it is very useful for those working in this
field, since it highlights some problems that maybe they didn’t take into
consideration until now.
Yet, the extent of this study is not enough to cover all companies and their
possible breaches. There are always new ways to break into the systems, thus,
even with the proposed solutions, a constant researc h on the matter should be
done in order to guarantee full security .
For this, new work should be undertaken regarding privacy on a bigger level and
how can the evolution of malicious attacks be stopped.

10 References

[1]
Article title: 10 Principles of Database Security Program Design
Website title: Trustwave
URL: https://www2.trustwave.com/10 -Principles -of-Database -Security –
Program -Design –
AD.html?utm_source=google&utm_medium=cpc&utm_campaign=DatabaseSec
urityBMM&gclid=EAIaIQobChMI –
pL_4PTj1wIVCrvtCh3zPwCB EAAYASAAEgIOTvD_BwE

[2]
Authors : Ronald L. Krutz and Russell Dean Vines
Chapter: Cloud Information Security Objectives
Title of publication: Cloud Security -A comprehensive guide to secure cloud
computing
Publisher: Wiley Publishing, Inc.
Publication dat e: 2010
Page: 62

[3]
Authors : Ronald L. Krutz and Russell Dean Vines
Chapter: Cloud Information Security Objectives
Title of publication: Cloud Security -A comprehensive guide to secure cloud
computing
Publisher: Wiley Publishing, Inc.
Publication date: 2010
Page: 63

[4]
Article title: What Is Data Encryption?
Website title: Digital Guardian
URL: https://digitalguardian.com/blog/what -data-encryption

11 Authors: Nate Lord
Publication date: Thursday December 7, 2017

[5]
Article title:Data protection – GOV.UK
Website title: Gov.uk
URL: https://www.gov.uk/data -protection

[6]
Article title: Information security (Principle 7)
Website title: Ico.org.uk
URL: https://ico.org.uk/for -organisations/guide -to-data-protection/principle -7-
security/
Authors: Elizabeth Denham
Publication date: Thursday December 7, 2017

[7]
Article title: IBM Registration Form
Website title: www -01.ibm.com
URL: https://www -01.ibm.com/marketing/iwm/dre/signup?source=mrs -form-
10915&S_PKG=ov55740&cm_mmc=Search_Google -_-
Security_Identify+and++protect+sensitive+data -_-WW_EU -_-
+data++privacy_Bro ad_ov55740&cm_mmca1=000000MU&cm_mmca2=100002
02&mkwid=3fdc4577 -e0b9 -48ba -98b1 –
44312db18ddb|467|301869&cvosrc=ppc.google.%2Bdata%20%2Bprivacy&cvo_
campaign=000000MU&cvo_crid=227781744360&Matchtype=b&cm_mmca7=90
45801&cm_mmca8=kwd -297948465541&cm_mmca9=3fdc4577 -e0b9 -48ba –
98b1 -44312db18ddb&cm_mmca10=227781744360&cm_mmca11=b

12 Bibliography
 Krutz, R. and Vines, R. (2011). Cloud security. Indianapolis, IN: Wiley &
Sons.

 Digital Guardian. (2018). What Is Data Encryption?. [online] Available at:
https://digitalguardia n.com/blog/what -data-encryption [Accessed 11 Jan.
2018].