
Unit 1: E-Commerce

e_commerce_tutorial.pdf

Managing Technology in e-commerce era – Industry study:

Digital-classifieds-India-2020_new.pdf
Unit 2: Mobility and Mobile Applications:

Introduction to Mobility

In today's rapidly expanding and dynamic marketplace, businesses embrace new technologies
in order to stay resilient and ahead of competitors. Smart organisations have identified mobility
as one of the keys to delivering the next generation of strategic advantage.

It wasn't long ago that having a laptop and a mobile phone with voicemail meant your
workforce was mobile. For the mobile workforce today, it means immediately accessing
important information - acting on that information to the benefit of the business - and
collaborating efficiently with customers, partners, and colleagues. In other words, successful
business communications rely on an efficient exchange between people and data.

Enterprise mobility is commonly defined as the process of extending business applications and
solutions through the use of mobile, wireless technology. Companies choose these applications
either to improve productivity, or to offer greater flexibility to their employees. Continued
advancements in mobile technologies - from improved wireless networks and security, to an
exploding range of mobile devices and mobile solutions - enable companies to extend once
office-bound corporate resources to their entire mobile workforce.

Mobility Technologies and Standards

http://www.rfidc.com/docs/introductiontomobility_standards.htm

Elements / Categories of Mobility

http://www.rfidc.com/docs/introductiontomobility_elements.htm

Mobility Devices

http://www.rfidc.com/docs/introductiontomobility_devices.htm

Business Benefits of Mobility Solutions

http://www.rfidc.com/docs/introductiontomobility_business.htm

The RFID Centre and Mobility

http://www.rfidc.com/docs/introductiontomobility_rfidc.htm

M-commerce (mobile commerce)

M-commerce (mobile commerce) is the buying and selling of goods and services through
wireless handheld devices such as cellular telephones and personal digital assistants (PDAs).
Known as next-generation e-commerce, m-commerce enables users to access the Internet
without needing to find a place to plug in. The emerging technology behind m-commerce,
which is based on the Wireless Application Protocol (WAP), has made far greater strides in
Europe, where mobile devices equipped with Web-ready micro-browsers are much more
common than in the United States.

In order to exploit the m-commerce market potential, handset manufacturers such as Nokia,
Ericsson, Motorola, and Qualcomm are working with carriers such as AT&T Wireless and Sprint
to develop WAP-enabled smart phones, the industry's answer to the Swiss Army Knife, and
ways to reach them. Using Bluetooth technology, smart phones offer fax, e-mail, and phone
capabilities all in one, paving the way for m-commerce to be accepted by an increasingly mobile
workforce.

As content delivery over wireless devices becomes faster, more secure, and scalable, there is
wide speculation that m-commerce will surpass wireline e-commerce as the method of choice
for digital commerce transactions. The industries affected by m-commerce include:

Financial services, which includes mobile banking (when customers use their handheld devices
to access their accounts and pay their bills) as well as brokerage services, in which stock quotes
can be displayed and trading conducted from the same handheld device.

Telecommunications, in which service changes, bill payment and account reviews can all be
conducted from the same handheld device.

Service/retail, as consumers are given the ability to place and pay for orders on-the-fly.

Information services, which include the delivery of financial news, sports figures and traffic
updates to a single mobile device.

IBM and other companies are experimenting with speech recognition software as a way to
ensure security for m-commerce transactions.

Mobile Commerce Architecture

M-Commerce Architecture _ E Cube India Solutions Limited.pdf

E-commerce is a transaction of buying or selling online. Electronic commerce draws on technologies
such as:

 mobile commerce,
o Mobile purchase
Catalog merchants can accept orders from customers electronically, via the customer's
mobile device. In some cases, the merchant may even deliver the catalog electronically,
rather than mailing a paper catalog to the customer. Consumers making mobile
purchases can also receive value-add upselling services and offers. Some merchants
provide mobile web sites that are customized for the smaller screen and limited user
interface of a mobile device.

In-application mobile phone payments

Payments can be made directly inside of an application running on a popular
smartphone operating system, such as Google Android. Analyst firm Gartner expects in-
application purchases to drive 41 percent of app store (also referred to as mobile
software distribution platforms) revenue in 2016.[18] In-app purchases can be used to
buy virtual goods, new and other mobile content, and are ultimately billed by mobile
carriers rather than the app stores themselves.[19] Ericsson's IPX mobile commerce
system is used by 120 mobile carriers to offer payment options such as try-before-you-
buy, rentals and subscriptions.[20]

o Mobile marketing and advertising


In the context of mobile commerce, mobile marketing refers to marketing sent to
mobile devices. Companies have reported that they see better response from mobile
marketing campaigns than from traditional campaigns. The primary reason for this is the
instant nature of customer decision-making that mobile apps and websites enable. The
consumer can receive a marketing message or discount coupon and, within a few
seconds, make a decision to buy and go on to complete the sale - without disrupting
their current real-world activity.

For example, a busy mom tending to her household chores with a baby in her arm could
receive a marketing message on her mobile about baby products from a local store. She
can, within a few clicks, place an order for her supplies without having to plan ahead
for it. No more need to reach for her purse and hunt for credit cards, no need to log into
her laptop and try to recall the web address of the store she visited last week, and
surely no need to find a babysitter to cover for her while she runs to the local store.

Research demonstrates that consumers of mobile and wireline markets represent two
distinct groups who are driven by different values and behaviors, and who exhibit
dissimilar psychographic and demographic profiles.[21] What aspects truly distinguish
a traditional online shopper at home from a mobile on-the-go shopper?
Research shows that how individuals relate to four situational dimensions (place, time,
social context and control) determines to what extent they are ubiquitous or situated as
consumers.[22] These factors are important in triggering m-commerce from e-
commerce. As a result, successful mobile commerce requires the development of
marketing campaigns targeted to these particular dimensions and the corresponding user
segments.

o Influence on youth markets


Mobile media is a rapidly changing field. New technologies, such as WiMax, act to
accelerate innovation in mobile commerce. Early pioneers in mobile advertising include
Vodafone, Orange, and SK Telecom.

Mobile devices are heavily used in South Korea to conduct mobile commerce. Mobile
companies in South Korea believed that mobile technology would become synonymous
with youth life style, based on their experience with previous generations of South
Koreans. "Profitability for device vendors and carriers hinges on high-end mobile devices
and the accompanying killer applications," said Daniel Longfield.[23]

o Payment methods
Consumers can use many forms of payment in mobile commerce, including:

o Contactless payment for in-person transactions through a mobile phone (such as Apple
Pay or Android Pay). In a system like EMV, these are interoperable with contactless
credit and debit cards.
o Premium-rate telephone numbers, which apply charges to the consumer's long-distance
bill
o Mobile-Operator Billing allows charges to be added to the consumer's mobile telephone
bill, including deductions to pre-paid calling plans
o Credit cards and debit cards
o Some providers allow credit cards to be stored in a phone's SIM card or secure element
o Some providers are starting to use host card emulation, or HCE (e.g. Google Wallet and
Softcard)
o Some providers store credit card or debit card information in the cloud, usually in
tokenized form. With tokenization, payment verification, authentication, and authorization
are still required, but payment card numbers don't need to be stored, entered, or
transmitted from the mobile device
o Micropayment services
o Stored-value cards, often used with mobile-device application stores or music stores
(e.g. iTunes)
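The cloud-tokenization item in the list above says that card numbers need not be stored, entered or transmitted from the device, while verification, authentication and authorization still take place. The following is an added example, not code from the page or from any provider it names, that models that split in Python: a server-side token vault that alone holds the PAN, a device that holds only a random token plus a per-token key, and an authorize step that checks the device's HMAC, rejects replayed requests and enforces a limit before the PAN is resolved inside the vault. The class names, the test PAN and the PER_TXN_LIMIT value are constructed for the example.

```python
"""Card-on-file tokenization: the device and merchant never see the PAN.

Added example, not code from the page or from any provider named on it.
Names, the sample PAN and the limit below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

PER_TXN_LIMIT = 5000  # constructed per-transaction limit, in currency units


def luhn_valid(pan: str) -> bool:
    """Luhn check used to reject mistyped card numbers before vaulting."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_mac(key: bytes, token: str, amount: int, nonce: str) -> str:
    """Device-side proof of possession of the per-token key for one payment."""
    msg = f"{token}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Server-side component; the only place a PAN is ever stored or read."""

    def __init__(self):
        self._records = {}      # token -> {"pan", "device", "key"}
        self._seen_nonces = set()

    def provision(self, pan: str, device_id: str):
        """Vault the PAN and hand the device a token and a per-token key."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(12)  # random, not derived from PAN
        key = secrets.token_bytes(32)
        self._records[token] = {"pan": pan, "device": device_id, "key": key}
        return token, key

    def masked(self, token: str) -> str:
        """Display form for the app: last four digits only."""
        return "**** **** **** " + self._records[token]["pan"][-4:]

    def authorize(self, token, device_id, amount, nonce, mac):
        """Authenticate the request and authorize the amount; PAN stays inside."""
        rec = self._records.get(token)
        if rec is None or rec["device"] != device_id:
            return False, "unknown token or device"
        expected = make_mac(rec["key"], token, amount, nonce)
        if not hmac.compare_digest(expected, mac):
            return False, "authentication failed"
        if nonce in self._seen_nonces:
            return False, "replayed request"
        self._seen_nonces.add(nonce)
        if amount <= 0 or amount > PER_TXN_LIMIT:
            return False, "amount outside limit"
        # Only here is the PAN resolved, to be passed on to the card network
        # (simulated by a hash so no PAN leaves this method).
        network_ref = hashlib.sha256(rec["pan"].encode()).hexdigest()[:8]
        return True, f"approved ref={network_ref}"


class MobileDevice:
    """Holds a token and a key, never a PAN."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.token = None
        self.key = None

    def enroll(self, vault: TokenVault, pan: str) -> str:
        self.token, self.key = vault.provision(pan, self.device_id)
        return self.token

    def pay(self, vault: TokenVault, amount: int):
        nonce = secrets.token_hex(8)
        mac = make_mac(self.key, self.token, amount, nonce)
        return vault.authorize(self.token, self.device_id, amount, nonce, mac)


def demo() -> dict:
    """Walk through enrolment and three payments; returns outcomes for checking."""
    vault = TokenVault()
    phone = MobileDevice("phone-A")
    phone.enroll(vault, "4111111111111111")  # constructed test PAN
    ok1, _ = phone.pay(vault, 1200)
    ok2, why2 = phone.pay(vault, 9000)       # over the constructed limit
    # A second device holding a copy of the token but not the key or binding.
    other = MobileDevice("phone-B")
    other.token, other.key = phone.token, secrets.token_bytes(32)
    ok3, why3 = other.pay(vault, 10)
    return {"token_on_device": phone.token, "display": vault.masked(phone.token),
            "ok1": ok1, "ok2": ok2, "why2": why2, "ok3": ok3, "why3": why3}


if __name__ == "__main__":
    print(demo())
```

Because the token is random rather than derived from the PAN, a copy of the device's storage yields no card number, and a token presented from a device it was not provisioned to is refused before any amount is considered.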

o App design
Interaction design and UX design have been at the core of the m-commerce experience
from its conception, producing apps and mobile web pages that create highly usable
interactions for users.[24] However, much debate has occurred as to the focus that
should be given to the apps. In recent research, Parker and Wang[25] demonstrated
that within fashion m-Commerce apps, the degree to which the app helps the user shop
(increasing convenience) was the most prominent function. They also showed that
shopping for others was a motivator for engaging in m-commerce apps, with a strong
preference for close integration with social media.

o App commerce
The popularity of apps has given rise to the latest iteration of mobile commerce: app
commerce. This refers to retail transactions that take place on a native mobile app. App
commerce is said to perform better than both desktop and mobile web when it comes
to browsing duration and interactions.[26] Average order value is reportedly greater
with retail apps than traditional ecommerce, and conversion rates on apps are twice
that of mobile websites.[26]
 electronic funds transfer,
o Electronic funds transfer

Electronic Funds Transfer (EFT) is the electronic transfer of money from one bank
account to another, either within a single financial institution or across multiple
institutions, via computer-based systems, without the direct intervention of bank staff.
EFT transactions are known by a number of names. In the United States, they may be
referred to as electronic checks or e-checks.

Types:

The term covers a number of different payment systems, for example:

o cardholder-initiated transactions, using a payment card such as a credit or debit card
o direct deposit payment initiated by the payer
o direct debit payments for which a business debits the consumer's bank accounts for
payment for goods or services
o wire transfer via an international banking network such as SWIFT
o electronic bill payment in online banking, which may be delivered by EFT or paper check
o transactions involving stored value of electronic money, possibly in a private currency.

Steps:

An EFT transaction requires the following steps:

o Making application
o Data preparation
o Data transmission
o Debiting remittance banks
o Crediting receiving banks
o Crediting beneficiary
o Task at service branch
o Task at beneficiary branch
 supply chain management,
 Internet marketing,
 online transaction processing,
 electronic data interchange (EDI),
 inventory management systems, and
 automated data collection systems.

Modern electronic commerce typically uses the World Wide Web for at least one part of the
transaction's life cycle, although it may also use other technologies such as e-mail. Typical e-commerce
transactions include the purchase of online books (such as Amazon) and music purchases (music
download in the form of digital distribution such as iTunes Store), and to a lesser extent,
customized/personalized online liquor store inventory services.[1] There are three areas of e-commerce:
online retailing, electronic markets, and online auctions. E-commerce is supported by electronic
business.[2]

E-commerce businesses may also employ some or all of the following:

 Online shopping web sites for retail sales direct to consumers
 Providing or participating in online marketplaces, which process third-party business-to-
consumer or consumer-to-consumer sales
 Business-to-business buying and selling;
 Gathering and using demographic data through web contacts and social media
 Business-to-business (B2B) electronic data interchange
 Marketing to prospective and established customers by e-mail or fax (for example, with
newsletters)
 Engaging in pretail for launching new products and services
 Online financial exchanges for currency exchanges or trading purposes.

UNIFIED PAYMENTS INTERFACE (UPI)

Unified Payments Interface (UPI) is a system that brings multiple bank accounts into a single mobile
application (of any participating bank), merging several banking features, seamless fund routing and
merchant payments under one hood. It also caters to the "Peer to Peer" collect request, which can be
scheduled and paid as per requirement and convenience. Each bank provides its own UPI app for the
Android, Windows and iOS mobile platforms.

How to get it:

 Bank a/c
 Mobile number should be linked with bank a/c
 Smart Phone with internet facility
 Debit Card for re-setting MPIN.

Service Activation:

 Download the App for UPI
 Do registration online on the App with a/c details
 Create a virtual ID
 Set MPIN
 5-7 minutes

What is required for Transaction:

 Smartphone with internet facility
 Registered device only
 Use registered MPIN
 Self Service Mode

Transaction Cost:

 NIL to customer by most Banks
 Customer pays for data charges
 Disclaimer: The transaction costs are based on available information and may vary based on
banks.

Services Offered:

 Balance Enquiry
 Transaction History
 Send / Pay Money
o Virtual Address
o A/c no. & IFSC code
o Mobile no. and MMID
o Aadhaar (to be made functional)
 Collect Money
o Virtual Address
 Add bank account
 Change / Set MPIN
 Notifications
 A/c Management

Funds Transfer limit:

₹1 lakh per transaction

India Stack:
http://indiastack.org/about/

National Financial Switch

National Financial Switch (NFS) is the largest network of shared automated teller machines
(ATMs) in India.[1] It was designed, developed and deployed by the Institute for Development
and Research in Banking Technology (IDRBT) in 2004, with the goal of inter-connecting the
ATMs in the country and facilitating convenience banking. It is run by the National Payments
Corporation of India (NPCI).

Background:

The first ATM in India was set up in 1987 by HSBC in Mumbai.[2] In the following twelve years,
about 1500 ATMs were set up in India. In 1997, the Indian Banks' Association (IBA) set up
Swadhan, the first network of shared ATMs in India. It was managed by India Switch Company
(ISC) for five years, and allowed cardholders to withdraw cash from any ATM in the network, for
a fee if they did not have an account with the bank that owned the ATM. In 2002, the network
connected over 1000 ATMs of the 53 member banks of the association. The network was
capable of handling 250,000 transactions per day, but only 5000 transactions, worth about
₹100,000, took place each day. In contrast, ICICI Bank's network of about 640 ATMs handled
transactions worth about ₹20,000,000 each day. After the contract with ISC expired, IBA failed
to find a bidder to manage the operationally uneconomical network, and shut it down on 31
December 2003.

After the collapse of Swadhan, Bank of India, Union Bank of India, Indian Bank, United Bank of
India and Syndicate Bank formed an ATM-sharing network called CashTree. Citibank, the
Industrial Development Bank of India, Standard Chartered Bank and Axis Bank formed a similar
network called Cashnet. Punjab National Bank and Canara Bank also created such networks.

In August 2003, the IDRBT announced that it would be creating the National Financial Switch
(NFS) to link together the country's ATMs in a single network.

The IDRBT collaborated with Euronet Worldwide and Opus Software to build a platform to
allow banks to connect their own switches to the NFS. The NFS consisted of an inter-ATM
switch and an e-commerce payment gateway.

History:

The National Financial Switch was launched by the IDRBT on 27 August 2004, connecting the
ATMs of three banks, Corporation Bank, Bank of Baroda and ICICI Bank.[3][4][5] The IDRBT then
worked towards bringing all major banks in India on board and by December 2009, the network
had grown to connect 49,880 ATMs of 37 banks, thereby emerging as the largest network of
shared ATMs in the country.

IDRBT decided to hive off its operational role in ATM switching to refocus on research and
development, and sought to shift the business to a national-level payment system
organization. The National Payments Corporation of India (NPCI) started discussions with IDRBT
on the feasibility of taking over. The Board for Regulation and Supervision of Payment and
Settlement Systems (BPSS), at its meeting held on 24 September 2009, approved in principle the
issue of authorisation to NPCI for operating various retail payment systems in the country. The
Reserve Bank of India granted authorisation to NPCI to take over the operations of the National
Financial Switch (NFS) from the Institute for Development and Research in Banking Technology
(IDRBT) on an 'as is where is' basis on 15 October 2009. NPCI deputed its officials to IDRBT
Hyderabad, and the Institute handed over the National Financial Switch to the NPCI on 14
December 2009.

Any bank that provides core banking services with 24x7 transaction banking capabilities with or
without ATMs may join the National Financial Switch through a sponsor bank. This allows non-
scheduled Urban Co-operative Banks (UCBs) and Regional Rural Banks (RRBs) to gain access to
the national network of over 103,000 ATMs in the country. Before 14 August 2011, access was
limited to scheduled banks with RTGS membership.[6] The sponsorship scheme was started to
increase the connectivity of ATMs across the country, and to enable customers to use ATMs
across India.

The primary headquarters is located at Mumbai.

Member banks:

As of April 2017, the NFS network connects a total of 2,36,190 ATMs in India: 2,16,952 ATMs of
99 Direct Member banks, 4,058 ATMs of 692 Sub Member banks, 1,034 ATMs of 56 RRB Member
banks and 14,146 ATMs of 8 White Label ATM providers, which is the largest number of ATMs
under a single network in India.

Services offered in NFS:

NFS, the largest domestic ATM network in the country, has been at the forefront of providing
inter-bank ATM services to the customers of its member banks. Initially, the following basic
transactions were available in the NFS network:

 Cash Withdrawal
 Balance Enquiry
 PIN Change
 Mini Statement

To enable the member banks of NFS to offer greater utility to their customers, NPCI has
introduced the following functionalities as value added services, which customers can use at
any participating bank's ATMs.

Card to Card Fund transfer (ATM/Debit Card to ATM/Debit Card): Using this service, a card
holder of a participating NFS Member Bank will be able to remit funds to another card holder
of a participating NFS Member Bank. The funds will be transferred on the basis of the
beneficiary's card number, which the remitter will be required to input at the time of the
transaction. The main features of the service are mentioned below:
 Inter Operable
 Instant Fund Transfer
 24/7 Availability
 Paper Less
 Secure
 Better Fund Management

Transaction Limits - The transaction limits are in accordance with the RBI's circular on 'Domestic
Money Transfer'. Accordingly, for cases where the Issuing and Beneficiary Cards are 'Debit/ATM
Cards', the per transaction limit will be Rs.5000 and the monthly limit will be Rs.25,000 per
remitter.

Cheque Book Request/Statement Request: At present, although statement and cheque book
request options are available at ATMs, these are available only to customers of that particular
bank. NFS aims to make this option interoperable, so that customers will be able to avail of the
aforementioned services at the ATMs of NFS member banks that take this particular service from NPCI.

Other Link: https://www.npci.org.in/

Unit 3: Big Data Analytics

http://searchdatamanagement.techtarget.com/definition/data-analytics

What it is and why it matters

Big data analytics examines large amounts of data to uncover hidden patterns, correlations and
other insights. With today’s technology, it’s possible to analyze your data and get answers from
it almost immediately – an effort that’s slower and less efficient with more traditional business
intelligence solutions.

History and evolution of big data analytics


The concept of big data has been around for years; most organizations now understand that if
they capture all the data that streams into their businesses, they can apply analytics and get
significant value from it. But even in the 1950s, decades before anyone uttered the term “big
data,” businesses were using basic analytics (essentially numbers in a spreadsheet that were
manually examined) to uncover insights and trends.

The new benefits that big data analytics brings to the table, however, are speed and efficiency.
Whereas a few years ago a business would have gathered information, run analytics and
unearthed information that could be used for future decisions, today that business can identify
insights for immediate decisions. The ability to work faster – and stay agile – gives organizations
a competitive edge they didn’t have before.

Why is big data analytics important?


Big data analytics helps organizations harness their data and use it to identify new
opportunities. That, in turn, leads to smarter business moves, more efficient operations, higher
profits and happier customers. In his report Big Data in Big Companies, IIA Director of Research
Tom Davenport interviewed more than 50 businesses to understand how they used big data.
He found they got value in the following ways:

1. Cost reduction. Big data technologies such as Hadoop and cloud-based analytics bring
significant cost advantages when it comes to storing large amounts of data – plus they
can identify more efficient ways of doing business.
2. Faster, better decision making. With the speed of Hadoop and in-memory analytics,
combined with the ability to analyze new sources of data, businesses are able to analyze
information immediately – and make decisions based on what they’ve learned.
3. New products and services. With the ability to gauge customer needs and satisfaction
through analytics comes the power to give customers what they want. Davenport points
out that with big data analytics, more companies are creating new products to meet
customers' needs.

Big data analytics in today's world

Most organizations have big data. And many understand the need to harness that data and
extract value from it. But how? These resources cover the latest thinking on the intersection of
big data and analytics.

Getting the right people on the big data bus


Launching a big data initiative requires rethinking not only data and systems, but people. And
it's about time.

Bringing the power of SAS® to Hadoop


Want to get even more value from Hadoop? This paper presents the SAS portfolio of solutions
that help you apply business analytics to Hadoop.

Health care and big data analytics


A big data boom is on the horizon, so it’s more important than ever to take control of your
health information. This webinar explains how big data analytics plays a role.

The hard work behind analytics


To understand the opportunities of business analytics, MIT Sloan Management Review
conducted its sixth annual survey of executives, managers and analytics professionals.

High-performance analytics lets you do things you never thought about before because the
data volumes were just way too big. For instance, you can get timely insights to make decisions
about fleeting opportunities, get precise answers for hard-to-solve problems and uncover new
growth opportunities – all while using IT resources more effectively.

Who’s using it?


Think of a business that relies on quick, agile decisions to stay competitive, and most likely big
data analytics is involved in making that business tick. Here’s how different types of
organizations might use the technology:

Travel and hospitality


Keeping customers happy is key to the travel and hotel industry, but customer satisfaction can
be hard to gauge – especially in a timely manner. Resorts and casinos, for example, have only a
short window of opportunity to turn around a customer experience that’s going south fast. Big
data analytics gives these businesses the ability to collect customer data, apply analytics and
immediately identify potential problems before it’s too late.

Health care
Big data is a given in the health care industry. Patient records, health plans, insurance
information and other types of information can be difficult to manage – but are full of key
insights once analytics are applied. That’s why big data analytics technology is so important to
health care. By analyzing large amounts of information – both structured and unstructured –
quickly, health care providers can provide lifesaving diagnoses or treatment options almost
immediately.

Government
Certain government agencies face a big challenge: tighten the budget without compromising
quality or productivity. This is particularly troublesome with law enforcement agencies, which
are struggling to keep crime rates down with relatively scarce resources. And that’s why many
agencies use big data analytics; the technology streamlines operations while giving the agency a
more holistic view of criminal activity.

Retail
Customer service has evolved in the past several years, as savvier shoppers expect retailers to
understand exactly what they need, when they need it. Big data analytics technology helps
retailers meet those demands. Armed with endless amounts of data from customer loyalty
programs, buying habits and other sources, retailers not only have an in-depth understanding
of their customers, they can also predict trends, recommend new products – and boost
profitability.

How it works and key technologies


There’s no single technology that encompasses big data analytics. Of course, there’s advanced
analytics that can be applied to big data, but in reality several types of technology work
together to help you get the most value from your information. Here are the biggest players:

Data management. Data needs to be high quality and well-governed before it can be reliably
analyzed. With data constantly flowing in and out of an organization, it's important to establish
repeatable processes to build and maintain standards for data quality. Once data is reliable,
organizations should establish a master data management program that gets the entire
enterprise on the same page.

Data mining. Data mining technology helps you examine large amounts of data to discover
patterns in the data – and this information can be used for further analysis to help answer
complex business questions. With data mining software, you can sift through all the chaotic and
repetitive noise in data, pinpoint what's relevant, use that information to assess likely
outcomes, and then accelerate the pace of making informed decisions.

Hadoop. This open source software framework can store large amounts of data and run
applications on clusters of commodity hardware. It has become a key technology to doing
business due to the constant increase of data volumes and varieties, and its distributed
computing model processes big data fast. An additional benefit is that Hadoop's open source
framework is free and uses commodity hardware to store large quantities of data.

In-memory analytics. By analyzing data from system memory (instead of from your hard disk
drive), you can derive immediate insights from your data and act on them quickly. This
technology is able to remove data prep and analytical processing latencies to test new
scenarios and create models; it's not only an easy way for organizations to stay agile and make
better business decisions, it also enables them to run iterative and interactive analytics
scenarios.

Predictive analytics. Predictive analytics technology uses data, statistical algorithms and
machine-learning techniques to identify the likelihood of future outcomes based on historical
data. It's all about providing a best assessment on what will happen in the future, so
organizations can feel more confident that they're making the best possible business decision.
Some of the most common applications of predictive analytics include fraud detection, risk,
operations and marketing.

Text mining. With text mining technology, you can analyze text data from the web, comment
fields, books and other text-based sources to uncover insights you hadn't noticed before. Text
mining uses machine learning or natural language processing technology to comb through
documents – emails, blogs, Twitter feeds, surveys, competitive intelligence and more – to help
you analyze large amounts of information and discover new topics and term relationships.

Unit 4: Data Protection

Data Protection – What Is It And How Does It Affect Your Company?


What is Data Protection?
The Data Protection Act (1998) governs the protection of any personal data that is in the possession of
any organisation, business or government, and how this information is used or shared. There is a set of
rules that must be followed, called the Data Protection Principles. The Information Commissioner's
Office (ICO) enforces the Data Protection Act; it judges whether organisations are using specific data
responsibly, or whether they are being reckless with personal files, such as by selling information.

Customers have data protection rights, including the safekeeping and confidentiality of their
personal records. There is even stronger protection for more sensitive personal information, such as
ethnic background, political opinions, religious beliefs, health, sexual health and criminal records.

How Does it Affect Your Company?


Different organisations will have different amounts of personal data; however it is advisable to audit
your personal data regularly to get rid of data that you do not need. The ICO can deem it reckless if you
keep old data for too long.

Keeping a large amount of personal data without auditing it can also be problematic for organisations
for a number of reasons:

 Older data may be out of date, causing errors or increasing the risk of passing on false information.
 It is more difficult to ensure that older documents are correct.
 It is more difficult to locate personal data if there is too much unnecessary data in store.

It is also advisable to put information that you do not need on a regular basis into storage to ensure
safekeeping. It is not a criminal offence to keep personal data that does not get used very regularly,
however it is a criminal offence to store them unsafely. It is best to outsource your document storage to
free up space and also to ensure it is stored in accordance with Data Protection Act legislation.
Therefore you should also conduct regular audits to be sure that you are not holding too much data for
too long.

If an organisation breaches any of the Data Protection Act’s principles then the Information
Commissioner has the right to issue a financial penalty. This is relevant if the company deliberately
breaches any of the principles, or if the company knew (should have known) there was a risk of a breach
which is likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.

The maximum penalty that can be issued is £500,000.

Not complying with the data protection principles is not a criminal offence; however, there are multiple
ramifications for being careless with people’s personal data. People may claim compensation for any
harm caused, you may have to pay a penalty issued by the ICO, and, most of all, it is bad publicity and
damaging to your brand.

Data Protection Case Study


Sony Computer Entertainment Europe was fined £250,000 in January 2013. The fine followed the 2011
attack on the Sony PlayStation Network, which put personal data such as payment card and login details
at risk. The ICO decided that Sony's security measures were not strong enough to withstand the attack
and should have been.

Sony was responsible for keeping this information safe from attackers, and received the fine because
the ICO concluded that the breach could have been avoided.

About Secure Data Management


At Secure Data MGT we have over 25 years of document storage experience and we offer an auditing
and storage service that minimises the risk of Data Protection breaches. We store in access controlled,
weather and fire proof centres with 24-hour security and CCTV. On top of this, we help with the auditing
of your documents to improve processes and workflow. Get in touch!

Classifying Data
Understand the considerations and criteria for classifying data.
Throughout this chapter, we have discussed various aspects of protecting information assets. When we talk
about risk analysis and management, we talk about the most cost-effective way of protecting the information
asset. Part of setting the level of risk associated with data is placing it in a classification. After data is classified,
a risk analysis can be used to select the most cost-effective ways of protecting that data from various attacks.
Classifying data tells you how the data is to be protected. More sensitive data, such as human
resources or customer information, is classified in a way that shows that disclosure carries a higher risk.
Information such as marketing data is classified at a lower risk. Data classified at a higher risk carries
security and access requirements that do not exist for lower-risk data, which might not require much
protection at all.

Commercial Classification
Classification of commercial or nongovernment organizations does not have a set standard. The classification
used depends on the overall sensitivity of the data and the levels of confidentiality desired. Additionally, a
nongovernment organization might consider the integrity and availability of the data in its classification model.
There is no formula for creating the classification system; the system used depends on the data. Some
organizations use two types of classification: confidential and public. For others, a higher granularity might be
necessary. Table 3.4 contains a typical list of classifications that can be used for commercial organizations,
from highest to lowest.

Table 3.4 COMMERCIAL DATA CLASSIFICATIONS FROM HIGHEST TO LOWEST

Classification   Description

Sensitive        Data that is to have the most limited access and requires a high degree of integrity. This is typically the data that would do the most damage to the organization if disclosed.

Confidential     Data that might be less restricted within the company but might cause damage if disclosed.

Private          Compartmental data that might not damage the company but must be kept private for other reasons. Human resources data is one example of data that can be classified as private.

Proprietary      Data that is disclosed outside the company on a limited basis or that contains information that could reduce the company's competitive advantage, such as the technical specifications of a new product.

Public           The least sensitive data used by the company; it would cause the least harm if disclosed. This could be anything from marketing data to the number of employees in the company.

Government Classification
Government classification of data arises from policy for maintaining national security or the
privacy of citizen data. Military and intelligence organizations base their classifications on the ramifications of
disclosure of the data. Civilian agencies also look to prevent unauthorized disclosure, but they also have to
consider the integrity of the data.
Classifications for Sensitive Data
The classifications for the sensitivity of data used in government and military applications are top secret, secret,
confidential, sensitive but unclassified, and unclassified.
The implementation of the classification is based on laws, policies, and executive directives that can be in
conflict with each other. Agencies do their best to resolve these conflicts by altering the meaning of the
standard classifications. Table 3.5 explains the types of classifications used by government civilian and military
organizations.

Table 3.5 GOVERNMENT DATA CLASSIFICATIONS FROM HIGHEST TO LOWEST

Classification                     Description

Top Secret                         Disclosure of top secret data would cause severe damage to national security.

Secret                             Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret.

Confidential                       Usually data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data.

Sensitive But Unclassified (SBU)   Data that is not considered vital to national security, but whose disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. In Canada, the SBU classification is referred to as Protected (A, B, C).

Unclassified                       Data that has no classification or is not sensitive.

Criteria
After the classification scheme is identified, the organization must create the criteria for setting the
classification. No set guidelines exist for setting the criteria, but some considerations are as follows:
 Who should be able to access or maintain the data?
 Which laws, regulations, directives, or liabilities apply to protecting the data?
 For government organizations, what would the effect on national security be if the data were disclosed?
 For nongovernment organizations, what would the level of damage be if the data was disclosed or
corrupted?
 Where is the data to be stored?
 What is the value or usefulness of the data?
Creating Procedures for Classifying Data
Using this information, your organization can create a procedure for classifying data. Government organizations
already have this procedure defined. Nongovernment organizations have a lot of flexibility in setting the
procedures that best suit their needs. Step By Step 3.2 is an example of a procedure your organization can
use.

STEP BY STEP
3.2 Creating Data Classification Procedures
1. Set the criteria for classifying the data.
2. Determine the security controls that will be associated with the classification.
3. Identify the data owner who will set the classification of the data.
4. Document any exceptions that might be required for the security of this data.
5. Determine how the custody of the data can be transferred.
6. Create criteria for declassifying information.
7. Add this information to the security awareness and training programs so users can understand their
responsibilities in handling data at various classifications.
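The procedure above is easier to audit when the classification rules, the controls tied to each label and the access rule are written down as code rather than left in a policy document. The following is an added example, not code from the textbook: it uses the five levels of Table 3.4 in order, but the criteria rules in classify(), the control names in CONTROLS and the retention-based review rule are assumptions chosen for the illustration.

```python
"""Data classification procedure as code (added example).

The five levels and their order come from Table 3.4. The classification
rules, the control set and the retention rule are assumptions for the demo.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Table 3.4 levels from highest to lowest; a lower index means more sensitive.
LEVELS = ["sensitive", "confidential", "private", "proprietary", "public"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Step 2: the security controls attached to each label (assumed control set).
CONTROLS = {
    "sensitive":    {"encrypt_at_rest", "encrypt_in_transit", "mfa", "access_logging", "dlp"},
    "confidential": {"encrypt_at_rest", "encrypt_in_transit", "mfa", "access_logging"},
    "private":      {"encrypt_at_rest", "access_logging"},
    "proprietary":  {"encrypt_in_transit", "nda_required"},
    "public":       set(),
}


@dataclass
class DataAsset:
    name: str
    owner: str                                    # Step 3: the owner sets the label
    contains_pii: bool = False
    regulated_by: set = field(default_factory=set)   # e.g. {"PCI DSS"}
    damage_if_disclosed: str = "none"             # "none", "low", "moderate" or "severe"
    shared_externally: bool = False
    classified_on: date = field(default_factory=date.today)
    retention_days: int = 365                     # Step 6: review/declassify after this


def classify(asset: DataAsset) -> str:
    """Step 1: apply the criteria. Each rule can only raise the label, so the
    strictest matching rule wins regardless of the order the rules run in."""
    level = "public"

    def raise_to(candidate: str) -> None:
        nonlocal level
        if RANK[candidate] < RANK[level]:
            level = candidate

    # Regulated or severe-damage data gets the most restricted label.
    if asset.damage_if_disclosed == "severe" or "PCI DSS" in asset.regulated_by:
        raise_to("sensitive")
    elif asset.damage_if_disclosed == "moderate":
        raise_to("confidential")
    # Personal data is compartmented even when disclosure would not hurt the company.
    if asset.contains_pii:
        raise_to("private")
    # Data deliberately shared outside on a limited basis, e.g. product specifications.
    if asset.shared_externally and asset.damage_if_disclosed != "none":
        raise_to("proprietary")
    return level


def can_read(clearance: str, level: str) -> bool:
    """No read up: a subject may read data only at or below its own clearance."""
    return RANK[clearance] <= RANK[level]


def missing_controls(level: str, implemented: set) -> set:
    """Controls the label requires that the system holding the data does not have."""
    return CONTROLS[level] - implemented


def review_due(asset: DataAsset, today: Optional[date] = None) -> bool:
    """Step 6: declassification review is due once the retention period has passed."""
    today = today or date.today()
    return today >= asset.classified_on + timedelta(days=asset.retention_days)


if __name__ == "__main__":
    card_db = DataAsset("cardholder-db", "payments", contains_pii=True,
                        regulated_by={"PCI DSS"}, damage_if_disclosed="severe")
    label = classify(card_db)
    print(label, "missing:", sorted(missing_controls(label, {"mfa", "encrypt_at_rest"})))
```

Because classify() only ever raises the label, adding a new criterion can never accidentally downgrade data that another rule already marked sensitive; the review_due() check is what turns Step 6 from a good intention into something a scheduled job can enforce.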

Information Security Standards:

Information Security in India: A new approach to ISO 27001

ISO27001.pdf

Corporate data has become more exposed to malicious threats than ever in the last few years, with
global economic uncertainty and terrorism at a high.

International Case
Learning from companies like Sony and Marks & Spencer, it is important to realise that having sensitive
data stolen by hackers can have company-destroying, and sometimes irreversible, consequences.
Many people have highlighted the dangers, such as reputational damage and financial ramifications,
that follow when an organisation's security controls are shown to be insufficient or non-existent. In
Sony's case, this observation is quite pertinent.
The lesson is that attackers can obtain information from any company, large or small. The starting point
is an information security plan that is actually implemented: once your valuable data is protected by
appropriate controls, the risk of it being stolen is substantially reduced, though never eliminated.

Drivers for Security in India


External threats are not the only driver for security: globalisation and regulatory directives are another
major factor. International companies that outsource work to Indian firms, for instance, insist on
security certification, or on adherence to the laws, standards and business practices prevalent in their
own countries. It is no surprise that all the top software, IT-enabled services and BPO companies in
India are achieving security certifications such as ISO 27001.

This information security standard is not new in this country. Back in 2009 India’s largest mobile phone
firm, Bharti Airtel, was awarded certification to ISO/IEC 27001 Information Security Management
Standard by the British Standards Institution (BSI) in India. For the company, information is critical.
Certification to ISO/IEC 27001 helps manage and protect valuable information assets, defining
requirements for an information security management system (ISMS), to help ensure adequate and
proportionate security controls are in place.
Elaborating further, on 11th April 2011, the Indian Department of Information Technology in the
Ministry of Communication made an important announcement on information security and ISO 27001:

The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard
or the codes of best practices for data protection (…) shall be deemed to have complied with reasonable
security practices and procedures provided that such standard or the codes of best practices have been
certified or audited on a regular basis by entities through independent auditor, duly approved by the
Central Government. The audit of reasonable security practices and procedures shall be carried out by
an auditor at least once a year or when the body corporate or a person on its behalf undertakes
significant upgradation of its process and computer resource.

Security Concerns in Cloud:

According to Cloud Security Alliance (CSA), over 70 percent of the world’s businesses now
operate – at least in part – on the cloud.

With benefits like lower fixed costs, higher flexibility, automatic software updates, increased
collaboration, and the freedom to work from anywhere, 70 percent isn’t a big surprise.

Still, the cloud has its share of security issues.

Recently the “Cloud Security Spotlight Report” showed that “90 percent of organizations are
very or moderately concerned about public cloud security.” These concerns run the gamut from
vulnerability to hijacked accounts to malicious insiders to full-scale data breaches.

Although cloud services have ushered in a new age of transmitting and storing data, many
companies are still hesitant or make the move without a clear plan for security in place.

We’ll show you a big picture view of the top 10 security concerns for cloud-based services you
should be aware of.
1. Data Breaches

Cloud computing and services are relatively new, yet data breaches in all forms have existed for
years. The question remains: “With sensitive data being stored online rather than on premise, is
the cloud inherently less safe?”

A study conducted by the Ponemon Institute entitled “Man In Cloud Attack” reports that over
50 percent of the IT and security professionals surveyed rated their organization’s measures to
protect data on cloud services as low. The study used nine scenarios in which a data breach had
occurred to test whether that belief was borne out by the facts.

After evaluating each scenario, the report concluded that a data breach was overall three times
more likely for businesses that use the cloud than for those that don’t. The conclusion the report
draws is that the cloud comes with a unique set of characteristics that make it more vulnerable.

2. Hijacking of Accounts

The growth and implementation of the cloud in many organizations has opened a whole new
set of issues in account hijacking.

Attackers now have the ability to use your (or your employees’) login information to remotely
access sensitive data stored on the cloud; additionally, attackers can falsify and manipulate
information through hijacked credentials.

Other methods of hijacking include scripting bugs and reused passwords, which allow attackers
to steal credentials easily and often without detection. In April 2010 Amazon faced a cross-site
scripting bug that targeted customer credentials as well. Phishing, keylogging, and buffer
overflows all present similar threats. However, the most notable new threat, known as the Man
In Cloud attack, involves the theft of the synchronization tokens that cloud platforms issue to
individual devices so that the device does not have to log in again on every update and sync.
Whoever holds such a token holds the account, without ever needing the password.
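A stolen sync token is hard to spot at the point of use because the token itself is valid; what gives it away is that the platform issued it to one device and it is now being presented by another, often from somewhere the owner cannot be. The detection below is an added example, not from the article or from any cloud vendor: the log format, the token and device identifiers and the IP-to-country table are all constructed for the demo, and a real deployment would swap in its own sync-service logs and a GeoIP lookup.

```python
"""Flag a cloud sync token that is suddenly used from a second device (added example).

The log format, identifiers and the GEO table are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a sync service's access log. tk_7f3a is used from the
# owner's laptop in GB, then two minutes later from an unknown device abroad.
SAMPLE_LOG = """\
2021-03-01T09:00:12Z token=tk_7f3a device=fp_laptop01 ip=203.0.113.10 action=sync
2021-03-01T09:05:40Z token=tk_7f3a device=fp_laptop01 ip=203.0.113.10 action=sync
2021-03-01T09:07:03Z token=tk_7f3a device=fp_unknown9 ip=198.51.100.77 action=sync
2021-03-01T09:20:00Z token=tk_b2c1 device=fp_phone02 ip=203.0.113.55 action=sync
2021-03-01T09:25:00Z token=tk_b2c1 device=fp_phone02 ip=203.0.113.55 action=sync
"""

# Stand-in for a GeoIP lookup (assumed mapping; the addresses are documentation ranges).
GEO = {"203.0.113.10": "GB", "203.0.113.55": "GB", "198.51.100.77": "RU"}


def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str, window: timedelta = timedelta(minutes=30)) -> dict:
    """Return {token: {reasons}} for tokens whose use looks like a stolen token.

    new_device:        the token was presented by a device fingerprint other than
                       the one it was first seen with (it was issued to one device).
    impossible_travel: two uses within `window` from different countries.
    """
    by_token = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_token[rec["token"]].append(rec)

    alerts = {}
    for token, events in by_token.items():
        events.sort(key=lambda r: r["ts"])
        reasons = set()
        first_device = events[0]["device"]
        for prev, cur in zip(events, events[1:]):
            if cur["device"] != first_device:
                reasons.add("new_device")
            if (cur["ts"] - prev["ts"] <= window
                    and GEO.get(cur["ip"]) != GEO.get(prev["ip"])):
                reasons.add("impossible_travel")
        if reasons:
            alerts[token] = reasons
    return alerts


if __name__ == "__main__":
    for token, reasons in detect(SAMPLE_LOG).items():
        # The response is to revoke the token and force the user to re-authenticate.
        print(f"revoke {token}: {', '.join(sorted(reasons))}")
```

Either signal alone produces false positives (a legitimate new laptop, a VPN exit in another country); both firing on the same token within minutes is the pattern worth paging on, and the only safe response is to revoke the token, since changing the password does not invalidate a token that was stolen rather than guessed.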

3. Insider Threat

An attack from inside your organization may seem unlikely, but the insider threat does exist.
Employees can use their authorized access to an organization’s cloud-based services to misuse
or access information such as customer accounts, financial forms, and other sensitive
information.

Additionally, these insiders don’t even need to have malicious intentions.

A study by Imperva, “Inside Track on Insider Threats”, found that an insider threat is the
misuse of information through malicious intent, accident or malware. The study also examined
four best practices that companies can follow to implement a secure strategy: business
partnerships, prioritizing initiatives, controlling access, and implementing technology.

4. Malware Injection

Malware injection attacks insert malicious code, or an entire malicious service instance, into a
cloud deployment in such a way that the platform treats it as a “valid instance” of the
customer's application and runs it alongside the legitimate SaaS components. The injected code
is then viewed as part of the software or service running within the cloud servers themselves.

Once the injected instance is running and the cloud begins routing work to it, attackers can
eavesdrop, compromise the integrity of sensitive information, and steal data. Security Threats
On Cloud Computing Vulnerabilities, a report by East Carolina University, reviews the threat of
malware injection in cloud computing and states that “malware injection attack has become a
major security concern in cloud computing systems.” The practical defence is to admit only
images and code whose integrity has been verified against a signed manifest, and to treat any
instance that does not match as hostile.

5. Abuse of Cloud Services

The expansion of cloud-based services has made it possible for both small and enterprise-level
organizations to host vast amounts of data easily. However, the cloud’s unprecedented storage
capacity has also allowed both hackers and authorized users to easily host and spread malware,
illegal software, and other digital properties.

In some cases this practice affects both the cloud service provider and its client. For example,
privileged users can directly or indirectly increase the security risk and, as a result, infringe
the provider's terms of use.

These risks include the sharing of pirated software, videos, music, or books, and can result in
legal consequences in the form of fines and settlements under U.S. copyright law of up to
$250,000. Depending on the damage, the cost can be higher still. You can reduce your exposure
by monitoring usage and setting guidelines for what your employees host in the cloud. Service
providers and industry bodies such as the CSA have defined what counts as abusive or
inappropriate behavior, along with methods of detecting it.

6. Insecure APIs

Application programming interfaces (APIs) give users the opportunity to customize their cloud
experience.

However, APIs can be a threat to cloud security by their very nature. Not only do they
give companies the ability to customize features of their cloud services to fit business needs,
they also authenticate callers, grant access, and control encryption.
As the API surface grows to provide better service, so do its security risks. APIs
give programmers the tools to integrate their applications with other job-critical software. A
popular and simple example is the YouTube API, which lets developers embed YouTube videos
in their sites or applications.

The vulnerability of an API lies in the communication that takes place between applications.
While this helps programmers and businesses, an API that is weakly authenticated, unencrypted
or not rate-limited is directly reachable by attackers and becomes an exploitable entry point.
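The authentication half of that problem is concrete enough to show. A bare API key sent on every call can be replayed by anyone who captures one request; the usual hardening is to sign each request with a shared secret over the method, path, body, a timestamp and a nonce, and have the server reject stale timestamps and repeated nonces. The following is an added example and not any provider's real API: the header names, the canonical string layout and the 300-second clock skew are assumptions for the demo.

```python
"""Authenticate API calls with an HMAC signature, a timestamp and a nonce (added example).

Header names, canonical layout and the skew window are assumptions for the demo.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def canonical(method: str, path: str, body: bytes, ts: str, nonce: str) -> bytes:
    """Bind everything the server checks into one byte string, so a change to any
    part (including the body) invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, ts, nonce]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 now: Optional[float] = None, nonce: Optional[str] = None) -> dict:
    """Client side: produce the auth headers for one request."""
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: checks clock skew, then the signature, then nonce uniqueness."""

    def __init__(self, secret: bytes, max_skew: int = 300):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}          # nonce -> timestamp; pruned once outside the skew window

    def _expire(self, now: float) -> None:
        cutoff = now - self.max_skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def verify(self, method: str, path: str, body: bytes, headers: dict,
               now: Optional[float] = None) -> tuple:
        now = time.time() if now is None else now
        try:
            ts_raw = headers["X-Timestamp"]
            ts = int(ts_raw)
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return (False, "missing or malformed auth headers")
        # Reject stale requests before doing any crypto; this also bounds the nonce cache.
        if abs(now - ts) > self.max_skew:
            return (False, "timestamp outside allowed skew")
        expected = hmac.new(self.secret, canonical(method, path, body, ts_raw, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: never use == on secret-derived strings.
        if not hmac.compare_digest(expected, sig):
            return (False, "bad signature")
        # Nonce check last, so unauthenticated callers cannot fill the cache.
        self._expire(now)
        if nonce in self.seen:
            return (False, "replayed nonce")
        self.seen[nonce] = ts
        return (True, "ok")


if __name__ == "__main__":
    key = b"shared-secret-from-the-provider"
    body = b'{"name": "report.pdf"}'
    headers = sign_request(key, "POST", "/v1/files", body)
    print(Verifier(key).verify("POST", "/v1/files", body, headers))
```

Signing the body hash rather than the raw body keeps the canonical string small and still detects tampering; the order of checks matters too, because an attacker who can make the server do HMAC work and store nonces without a valid signature has found a cheap denial-of-service lever.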

7. Denial of Service Attacks

Unlike other kinds of cyberattack, which are typically launched to establish a long-term
foothold and exfiltrate sensitive information, denial of service attacks do not attempt to breach
your security perimeter. Rather, they attempt to make your website and servers unavailable to
legitimate users. In some cases, however, DoS is also used as a smokescreen for other malicious
activity, and to take down security appliances such as web application firewalls.
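For the application-layer floods that a single tenant can deal with on its own, the standard control is a per-client token bucket in front of the service: each client may burst briefly, but sustained traffic above the agreed rate is refused before it reaches the expensive code paths. This is an added example, not from the article; the limits (1 request per second sustained, burst of 3) and the use of the client address as the key are assumptions for the demo, and a volumetric DDoS still has to be absorbed upstream by the provider.

```python
"""Per-client token-bucket rate limiting against application-layer floods (added example).

The rate, burst size and choice of client address as the key are assumptions for the demo.
"""
import time
from typing import Optional


class TokenBucket:
    """Each client key gets a bucket holding up to `burst` tokens that refills at
    `rate` tokens per second. A request costs one token; no token, no service."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.buckets = {}   # key -> (tokens, time of last refill)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        # Credit the tokens earned since the last visit, capped at the burst size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        # Denied requests still advance the refill clock; they never add tokens.
        self.buckets[key] = (tokens, now)
        return False


def replay(limiter: TokenBucket, requests) -> list:
    """Apply the limiter to (time, client) pairs; returns one decision per request."""
    return [limiter.allow(client, t) for t, client in requests]


if __name__ == "__main__":
    # Constructed flood: one client fires 5 requests at t=0 and 3 more at t=2,
    # while an unrelated client sends a single request in between.
    flood = ([(0.0, "198.51.100.7")] * 5 + [(0.0, "203.0.113.9")]
             + [(2.0, "198.51.100.7")] * 3)
    print(replay(TokenBucket(rate=1.0, burst=3), flood))
```

The buckets are keyed per client, so the flooding address exhausts only its own allowance and the unrelated client is still served; in production the dictionary would live in a shared store such as Redis so that every front-end instance sees the same counts, and the key would be whatever identifies a tenant reliably behind your load balancer (an API key or authenticated user rather than a spoofable source address).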

8. Insufficient Due Diligence

Most of the issues we’ve looked at here are technical in nature; this particular security
gap, however, occurs when an organization does not have a clear plan for its goals, resources, and
policies for the cloud. In other words, it’s the people factor.

Insufficient due diligence also poses a security risk when an organization migrates to
the cloud quickly without properly anticipating that the services may not match its
expectations.

This is especially important for companies whose data falls under regulatory requirements, such
as personally identifiable information (PII), payment card data (PCI DSS), protected health
information (PHI, under HIPAA) or student records (FERPA), or that handle financial data for customers.

9. Shared Vulnerabilities

Cloud security is a shared responsibility between the provider and the client.

This partnership between client and provider requires the client to take preventative actions to
protect their data. While major providers like Box, Dropbox, Microsoft, and Google do have
standardized procedures to secure their side, fine-grained control is up to you, the client.

As Skyfence points out in its article “Office 365 Security & Share Responsibility,” this leaves key
security protocols – such as the protection of user passwords, access restrictions to both files
and devices, and multi-factor authentication – firmly in your hands.

The bottom line is that clients and providers have shared responsibilities, and omitting yours
can result in your data being compromised.
10. Data Loss

Data on cloud services can be lost through a malicious attack, natural disaster, or a data wipe
by the service provider. Losing vital information can be devastating to businesses that don’t
have a recovery plan. Amazon is an example: during a 2011 outage it permanently lost a portion
of its customers’ stored data.

Google was another organization that lost data, when the power supply to one of its data
centers was struck by lightning four times.

Securing your data means carefully reviewing your provider’s backup procedures as they relate
to physical storage locations, physical access, and physical disasters, and keeping your own
copy of anything you cannot afford to lose.

Cloud Computing: Cloud Security Concerns


While maintaining appropriate data security continues to be a prevailing concern, a cloud
computing infrastructure can actually increase your overall security.

Vic (J.R.) Winkler


Adapted from “Securing the Cloud” (Syngress, an imprint of Elsevier)

While some of you may still harbor deep concerns over cloud computing from a security
standpoint, that’s essentially an inaccurate conclusion. With its inherent qualities, cloud
computing has tremendous potential for organizations to improve their overall information
security posture.
There are many reasons for this. The cloud model enables the return of effective control and
professional operation over IT resources, processing and information. By virtue of the scale of
the public cloud, tenants and users can achieve better security because the provider’s
investment in achieving better security costs less per consumer.
A private cloud provides significant security advantages for the same reasons. There are
caveats, however: You won’t get the benefit without investment, and not every model is
appropriate for all organizations. Regardless of which services delivery model or deployment
model you choose, you will transfer some degree of control to the cloud provider. This is
completely reasonable if control is managed in a manner and at a cost that meets your needs.

Keeping Track of Security


There are several areas of concern when it comes to cloud computing:

 Network Availability: You can only realize the value of cloud computing when your
network connectivity and bandwidth meet your minimum needs. The cloud must be
available whenever you need it. If not, the consequences are no different from a denial-
of-service attack.
 Cloud Provider Viability: Because cloud providers are relatively new to the business,
there are questions about their viability and commitment. This concern deepens when a
provider requires tenants to use proprietary interfaces, leading to tenant lock-in.
 Disaster Recovery and Business Continuity: Tenants and users require confidence that
their operations and services will continue if the cloud provider’s production
environment is subject to a disaster.
 Security Incidents: The provider must inform tenants and users of any security breach.
Tenants or users may require provider support to respond to audit or assessment
findings. Also, a provider may not offer sufficient support to tenants or users for
resolving investigations.
 Transparency: When a cloud provider doesn’t expose details of its own internal policy
or technology, tenants or users must trust the provider’s security claims. Tenants and
users may still require some transparency by providers as to how they manage cloud
security, privacy and security incidents.
 Loss of Physical Control: Because tenants and users lose physical control over their data
and applications, this gives rise to a range of concerns:
o Data Privacy: With public or community clouds, data may not remain in the same
system, raising multiple legal concerns.
o Data Control: Data could be coming in to the provider in various ways with some
data belonging to others. A tenant administrator has limited control scope and
accountability within a public Infrastructure as a Service (IaaS) implementation,
and even less with a Platform as a Service (PaaS) one. Tenants need to have
confidence their provider will offer appropriate control, while recognizing the
need to adapt their expectations for how much control is reasonable within
these models.
o New Risks and Vulnerabilities: There’s concern that cloud computing brings new
classes of risks and vulnerabilities. There are hypothetical new risks, but the
actual exploits will largely be a function of a provider’s implementation. All
software, hardware and networking equipment are subject to unearthing new
vulnerabilities. By applying layered security and well-conceived operational
processes, you can protect a cloud from common attacks, even if some of its
components are inherently vulnerable.
o Legal and Regulatory Compliance: It may be difficult or unrealistic to use public
clouds if your data is subject to legal restrictions or regulatory compliance. You
can expect providers to build and certify cloud infrastructures to address the
needs of regulated markets. Achieving certification may be challenging due to
the many non-technical factors, including the current state of general cloud
knowledge. As best practices for cloud computing encompass greater scope, this
concern should fade.

Although the public cloud model is appropriate for many non-sensitive needs, the fact is that
moving sensitive information into any cloud not certified for such processing introduces
inappropriate risk. You need to be completely clear about certain best practices: It’s unwise to
use a public cloud for processing sensitive, mission-critical or proprietary data. It’s expensive
and excessive to burden non-sensitive and low-impact systems with high-assurance security.
Finally, it’s irresponsible to either dismiss cloud computing as being inherently insecure or claim
it to be more secure than alternatives.
Follow a reasonable risk assessment when choosing a cloud deployment model. You should also
ensure you have appropriate security controls in place. List your security concerns so you can
either dismiss or validate them and counter them with compensating controls.

The Role of Virtualization


As you consider the security concerns around cloud computing, you also have to consider the
security concerns around virtualization and its role in cloud computing. You need to understand
how virtualization is implemented within a cloud infrastructure.
Starting with the object of interest, a virtual machine (VM) is typically a standard OS captured
in a fully configured and operationally ready system image. This image amounts to a snapshot
of a running system, including space in the image for virtualized disk storage.
Supporting this VM’s operation is some form of enabling function. This is typically called a
hypervisor, which represents itself to the VM as the underlying hardware. Different
virtualization implementations vary, but in general terms, there are several types:
 Type 1: This is also called “native” or “bare metal” virtualization. It’s implemented by a
hypervisor that runs directly on bare hardware. Guest OSes run on top of the
hypervisor. Examples include Microsoft Hyper-V, Oracle VM, LynxSecure, VMware ESX,
Citrix XenServer (built on Xen) and IBM z/VM.
 Type 2: This is also called hosted virtualization. This has a hypervisor running as an
application within a host OS. VMs also run above the hypervisor. Examples include
Oracle VirtualBox, Parallels, Microsoft Windows Virtual PC, VMware Fusion and VMware
Server.
 OS implemented virtualization: This is implemented within the OS itself, taking the
place of the hypervisor. Examples of this include Solaris Containers, BSD jails, OpenVZ,
Linux-VServer, and Parallels Virtuozzo Containers.
There are interesting security concerns around the use of virtualization, even before you
consider using it for cloud computing. First, each new VM you add is an additional OS. This
alone entails additional security risk. Every OS should be appropriately patched, maintained
and monitored as appropriate to its intended use.
Second, typical network-based intrusion detection doesn’t work well with virtual servers co-
located on the same host: traffic between two VMs on the same host crosses only the virtual
switch and never reaches the physical network segment where the sensor sits. Consequently,
you need to use advanced techniques, such as a virtual sensor or traffic mirroring on the virtual
switch, to monitor traffic between VMs. When you move data and applications between multiple
physical servers for load balancing or failover, network monitoring systems can’t assess and
reflect these operations for what they are. This is exacerbated when using clustering in
conjunction with virtualization.
Third, using virtualization demands different management approaches for many functions,
including configuration management, VM placement and capacity management. Likewise,
resource allocation problems can quickly become performance issues. Thus, refined
performance management practices are critical to running an effective, secure virtualized
environment.
