
2017 International Conference on Computer and Applications (ICCA)

Data Protection & Security Challenges in Digital & IT Services: A Case Study

Mehdi Panjwani, Marko Jäntti
School of Computing
University of Eastern Finland
P.O.B 1627, 70211 Kuopio, Finland
Email: mehdip@uef.fi, [Link]@uef.fi

Abstract—With the evolution of digital services, data protection & security have become crucial areas and companies that offer digital services must have defined processes for these. These companies face pressures from: (i) people who are concerned about data being held about them, (ii) the risk of cyber attacks that allow unauthorized data access, (iii) regulatory requirements from governments and (iv) negative effects on the company's own brand and reputation. Due to continuous changes in rules & regulation and the exponential growth in data security and protection requirements, more research is needed to address the current issues and requirements. Therefore, this paper deals with the challenges and issues related to data protection & security and aims to answer the research problem: how can data integrity, confidentiality & availability be achieved? The paper highlights data protection and security related issues utilizing the case study approach.

Keywords—Data Protection; Data Security; Digital Services; IT Services

978-1-5386-2752-5/17/$31.00 © 2017 IEEE

I. INTRODUCTION

Digital services refers to the delivery of information via an electronic network, irrespective of time and distance. These services are entirely automated with very little human intervention. The desired content is automatically generated by servers and delivered to the end user, usually over the Internet.

With services being offered over an electronic network, data protection and security become the top priority. Data being shared and made available to a large variety of users and applications in a real-time environment further complicates the problem of data protection [1]. Data protection involves compliance with regulatory requirements while maintaining high levels of productivity. The privacy of the individuals whose data are being collected and analyzed is increasingly at risk [2]. Therefore, companies holding customer data are directly responsible for protecting the confidentiality of that data. Data is the most valuable asset of a company and it should be shared only with people having authorised access.

Previous studies have explored data privacy & security from various perspectives. Only a few studies have focused on data privacy & security from the perspective of digital services. Bertino [3] has discussed the research directions in data privacy, confidentiality & IoT (Internet of Things) data security while identifying key challenges. Xu, Jiang, Wang, Yuan and Ren [4] reviewed the privacy issues related to data mining, emphasizing various approaches that could help protect sensitive information. Chen and Zhao [5] have provided an analysis of data security and protection issues associated with cloud computing. Our study focuses on data privacy & security aspects in an IT service provider organization from the perspective of digital services.

Many companies now provide some kind of digital services over the Internet, such as business services, real-time information services, online commerce services, booking services and many others. Government institutions, such as tax administration, ministries & hospitals, collect and store large amounts of data and provide access to personal information in some form of digital service.

Some companies even host their internal web applications on the Internet for ease of use and accessibility. Since web applications do not require any installation, companies can operate them from anywhere using just a web browser. Providing digital services over the Internet helps companies to attract customers while reducing labour costs & time, but it also brings in data privacy and security challenges.

Companies offering digital services face data protection challenges that must be addressed. This study addresses the following key elements of Information Security management:

• Data Integrity: Data accuracy and consistency are essential and data must be protected from being altered or deleted through security breaches or software errors. Data integrity rules could be enforced by adopting a more rigorous approach to integrity constraint management [6]. Since most databases enforce integrity constraints declared in the schema (data types, NOT NULL, uniqueness, foreign keys and check constraints), inconsistent data can be rejected at write time, from the very beginning, rather than discovered later.

• Data Confidentiality: Data must be protected against unauthorized access by limiting access and applying physical and information permissions [7]. Encryption algorithms and tools such as PGP, AES, RSA, Triple DES and Twofish are commonly used for securing data, converting human readable text to ciphertext (Triple DES is deprecated by NIST and should not be chosen for new systems). PGP (Pretty Good Privacy) is mostly used for sharing information over the Internet as it uses a public-private key pair [8]. AES is the standard symmetric key encryption algorithm, mostly used for closed environment systems and databases.

• Data Availability: Data must be accessible without interruption at all times. To achieve high availability of data, replication techniques could be used by creating multiple copies of data on independent nodes [9]. Replication improves data accessibility and availability in case of a major incident and it is typically supported by a SAN (storage area network). A SAN uses a high speed network of storage devices acting as local disks which can be accessed by client computers directly. Replication alone does not protect against corruption or deletion, which is replicated as faithfully as good data, so point-in-time backups remain necessary.
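The integrity element above says that inconsistencies should be handled "from the very beginning" by the database's own constraints. The following added example (not code from the paper or the case organization) shows what that looks like in practice: a hypothetical patients/visits schema with NOT NULL, UNIQUE, CHECK and FOREIGN KEY constraints, and a batch insert that is rolled back as a whole when one row fails. It uses the standard-library sqlite3 engine so it runs offline; the same DDL idioms exist in Microsoft SQL Server, Oracle and MariaDB. All sample rows are constructed.

```python
"""Declarative integrity constraints rejecting inconsistent records.

Added illustration, not code from the paper or the case organization.
It uses the standard-library sqlite3 engine (the same DDL idioms exist in
Microsoft SQL Server, Oracle and MariaDB); the patients/visits layout and
the sample rows are constructed for this example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE patients (
    patient_id  INTEGER PRIMARY KEY,
    national_id TEXT    NOT NULL UNIQUE,                     -- one row per identity
    birth_year  INTEGER NOT NULL CHECK (birth_year BETWEEN 1900 AND 2100)
);
CREATE TABLE visits (
    visit_id    INTEGER PRIMARY KEY,
    patient_id  INTEGER NOT NULL REFERENCES patients(patient_id)
                ON DELETE RESTRICT,                          -- no orphaned visits
    visit_date  TEXT    NOT NULL
                CHECK (visit_date GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]'),
    ward        TEXT    NOT NULL CHECK (ward IN ('ER', 'ICU', 'WARD'))
);
"""

TABLES = ("patients", "visits")  # allow-list for count_rows; never format SQL with raw input


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # sqlite ignores FOREIGN KEY unless enabled
    conn.executescript(SCHEMA)
    return conn


def insert_patient(conn: sqlite3.Connection, national_id, birth_year) -> bool:
    """True if the row was accepted, False if a constraint rejected it."""
    try:
        with conn:  # commit on success, roll back on exception
            conn.execute(
                "INSERT INTO patients (national_id, birth_year) VALUES (?, ?)",
                (national_id, birth_year),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def insert_visits_atomically(conn: sqlite3.Connection, rows) -> bool:
    """Insert a batch of visits in one transaction: all rows or none."""
    try:
        with conn:
            conn.executemany(
                "INSERT INTO visits (patient_id, visit_date, ward) VALUES (?, ?, ?)", rows
            )
        return True
    except sqlite3.IntegrityError:
        return False


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def demo() -> dict:
    """Run the constructed scenario and report which writes the database accepted."""
    conn = open_db()
    r = {}
    r["valid_patient"] = insert_patient(conn, "010190-123A", 1990)   # accepted
    r["duplicate_id"] = insert_patient(conn, "010190-123A", 1990)    # UNIQUE violated
    r["bad_birth_year"] = insert_patient(conn, "020290-456B", 1850)  # CHECK violated
    r["missing_id"] = insert_patient(conn, None, 1990)               # NOT NULL violated
    # Second row points at patient 99, which does not exist: the FK fails and the
    # transaction rolls back, so the valid first row is not left behind either.
    r["batch_with_orphan"] = insert_visits_atomically(
        conn, [(1, "2017-05-01", "ER"), (99, "2017-05-02", "ICU")]
    )
    r["visits_after_rollback"] = count_rows(conn, "visits")
    r["good_batch"] = insert_visits_atomically(conn, [(1, "2017-05-01", "ER")])
    r["bad_ward"] = insert_visits_atomically(conn, [(1, "2017-05-03", "LOBBY")])
    r["bad_date"] = insert_visits_atomically(conn, [(1, "01/05/2017", "ER")])
    r["patients"] = count_rows(conn, "patients")
    r["visits"] = count_rows(conn, "visits")
    conn.close()
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The point of the batch case is that integrity is a property of the whole write, not of each row: a software error halfway through an import must leave the store in its previous consistent state, which the transaction guarantees and a row-by-row script would not.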
Digital services are considered to be services which are fully automated and accessible by the end user or customer [10], and are becoming more open due to reduced labour-based dependency and a lower cost base. Since the services are delivered via the Internet, they are not restricted by operating hours or distance. This encourages companies to acquire digital services, gaining competitive advantages and lowering operational costs while enhancing the customer experience. Digital services require reliable IT services, such as servers, network services and application services.

ITIL is the most used IT service framework and Information Security Management is part of ITIL's service design lifecycle phase. ITIL consists of five publications that define the service life cycle:

• Service Strategy [11]
• Service Design [12]
• Service Transition [13]
• Service Operation [14]
• Continuous Service Improvement [15]

In our previous paper, we discussed IT security management from the SME's viewpoint and studied physical access control, defined policies and standards while addressing risks and security threats [7].

In this paper, we discuss data privacy and security challenges related to digital services and propose recommendations. This paper is organized in 5 further sections. In Section 2, we discuss the research settings. In Section 3, research results are presented. Section 4 provides an analysis of findings. In Section 5, the conclusions are given.

II. RESEARCH SETTING

A case study research approach is utilized in this paper as it is considered a realistic approach that applies methods and data sources for obtaining a rich understanding of the phenomenon under investigation [16]. Various data sharing tools and methods are analyzed, offering further insight into the data protection and security aspects of digital services.

A. Data Collection and Observations

In this study, we interviewed a digital solutions company that provides and maintains the IT systems, infrastructure, security and digital services for the health care sector and local authorities in Finland. The technology provider company employs about 400 people. In this study, the case study evidence consisted of:

• Physical artifacts (Splunk software for monitoring and analyzing machine generated data)
• Participant observations (data privacy request procedures)
• Operating system & software log files
• Data storage strategies (relational and non-relational database systems)
• Data protection guidelines and policies
• Documentation (Information Security process description)

Fig. 1. The context of the case study

The data protection officer and IT security specialist roles were interviewed from the case organization. The data protection officer was responsible for ensuring that the company complies with data privacy laws & regulations, addressing data privacy issues and analyzing system logs for potential risks and security breaches.

B. Data Analysis Methods

In this study, we used a pattern matching technique to analyze the case study evidence. According to Yin, the pattern matching technique is useful for case study analysis if it is used to study and answer the research questions [17]. We categorized our case study findings into research patterns. Based on the interview observations, the following research patterns were identified:

• Data storage practices & policies
• Data access & sharing policies
• Cryptography - Encryption & decryption
• Web services implementation & protection
• Sensitive data handling procedures
• Privacy impact assessment policies
• Privacy by design & Privacy by default principles

III. RESULTS

Next, we present our findings from the case study with the Finnish IT service provider organization. The data has been collected by using case study methods, especially interviews with employees responsible for Information Security & data privacy. The University Hospital & city authorities are the customers of the case organization and they will be referred to as customers in our context. The findings are presented according to the predefined categories.


A. Data storage practices & policies

What are the potential data sources? The case organization manages data on behalf of its customers. The case organization provides and maintains the IT systems, infrastructure, security and digital services for the University Hospital & city authorities. National patient data and information is managed and handled by the case organization. Most of the data is provided and entered by the hospital and city authorities themselves. The case organization provides 24/7 support, having one of its data centers in the hospital facility.

What is the data storage and backup policy? All the data is held within the case organization's data center in encrypted form. The case organization has its own on-premise data centre and it processes and maintains the database systems for its customers. The health sector and local authorities are the main data sources, using various systems to store & access customer information and patient history, while the case organization manages the data. The case organization uses various relational and non-relational database systems for storing and managing data. The relational databases used are Microsoft SQL Server, Oracle & MariaDB. The non-relational database is MongoDB. Backups are regularly taken to disks and backup tapes.

Is cloud data storage used? The data is not stored on a cloud platform. No cloud storage is used within the organization at the moment due to accessibility reasons. However, there is a possibility of using the Azure private cloud platform for future projects, as the case organization suggests that physical security is well controlled in the Azure environment.

Fig. 2. Pattern matching technique used

B. Data access & sharing policies

How is data accessed & shared within and outside the organization? Various tools are used for data access and sharing. A SharePoint system, HR system and document management system are used by the customer for internal collaboration within the organization. The data is usually not shared outside of the organization. Patient data and confidential data are not shared through e-mail.

How are users authenticated? The case organization uses domain-level server authentication for authenticating users. In some legacy systems and integrated systems, an SSO (single sign-on) process is used in conjunction with the server-level authentication, allowing a user to access multiple applications with one set of login credentials.

How is file transfer & sharing achieved? The case organization uses SFTP (SSH file transfer protocol), NFS (network file system) & SMB for transferring and sharing files. NFS is not used externally and is used only within the organization (NFS relies on host-based trust unless Kerberos security is enabled, so keeping it off external networks is prudent).

C. Cryptography - Encryption & decryption

Is data encrypted and what cryptography is being used? All stored data is encrypted. The case organization uses BitLocker for data encryption on hard drives. BitLocker uses the AES encryption algorithm with 128- or 256-bit keys. With BitLocker encryption, the data cannot be harvested even if the hard drive is removed and physically connected to another system. However, the data can then only be recovered by the system administrator using a recovery key. Note that full-volume encryption such as BitLocker protects data at rest only: once the volume is unlocked on a running system, the operating system serves plaintext to any process or user with access, so it does not replace access control or application-level encryption, and the recovery keys themselves must be stored and access-controlled as carefully as the data.

D. Web services implementation & protection

Are there any web services used and how are they protected? Plenty of web APIs and services are used for extracting and sharing the required information from various legacy systems and integrated systems. Web APIs are protected using bearer token authorization in conjunction with SSL/TLS, among other measures. Because a bearer token grants access to whoever presents it, the transport encryption is what keeps the token from being captured in transit, and the server must still verify the token's integrity, expiry and scope on every request.

E. Sensitive data handling procedure

How is sensitive data handled? The data is maintained by the case organization and it is stored in their own data center. Furthermore, the data is encrypted and backed up for recovery. The case organization also collaborates with Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre), which develops and monitors the reliability and security of communication networks and acts as the national communications security authority.
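Section D above states only that the web APIs are "protected using bearer token authorization in conjunction with SSL". The following added example (not code from the paper or the case organization) shows the server-side half of that arrangement: a hypothetical HMAC-signed, time-limited token, and an endpoint gate that checks the Authorization header, verifies the signature in constant time before trusting any claim, then checks expiry and scope. The token format, signing key, scope names and request shape are all assumptions; TLS is taken as wrapping the exchange and is not re-implemented.

```python
"""Server-side verification of a bearer token on an API request.

Added illustration, not code from the paper or the case organization. The token
format (HMAC-SHA256 over a small JSON payload), the signing key, the scope names
and the request shape are all hypothetical. TLS (the "SSL" in the text) is
assumed to protect the exchange on the wire and is not re-implemented here.
"""
import base64
import binascii
import hashlib
import hmac
import json

SERVER_KEY = b"hypothetical-server-signing-key-use-a-secret-store"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int, now: int, key: bytes = SERVER_KEY) -> str:
    """Mint '<payload>.<tag>' with an expiry; only the holder of `key` can mint or alter one."""
    payload = json.dumps(
        {"sub": subject, "scp": scopes, "exp": now + ttl_seconds},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_token(token: str, required_scope: str, now: int, key: bytes = SERVER_KEY):
    """Return (True, subject) or (False, reason). Claims are read only after the MAC checks out."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; no early exit on first bad byte
        return False, "bad_signature"
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in claims.get("scp", []):
        return False, "insufficient_scope"
    return True, claims["sub"]


def handle_request(headers: dict, required_scope: str, now: int):
    """Endpoint gate: 401 without a valid credential, 403 with a valid one lacking the scope."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, "missing bearer token"
    ok, detail = verify_token(token, required_scope, now)
    if not ok:
        return (403 if detail == "insufficient_scope" else 401), detail
    return 200, f"record served to {detail}"


def forge_scope(token: str, extra_scope: str) -> str:
    """Attacker-side edit of the payload (keeping the old tag) to show the MAC catches tampering."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_b64d(payload_b64))
    claims["scp"].append(extra_scope)
    return f"{_b64e(json.dumps(claims, separators=(',', ':'), sort_keys=True).encode())}.{tag_b64}"


def demo() -> dict:
    """Constructed requests against the gate; returns the status each one receives."""
    now = 1_500_000_000
    token = issue_token("nurse-17", ["read:patient"], ttl_seconds=300, now=now)
    bearer = {"Authorization": "Bearer " + token}
    return {
        "valid": handle_request(bearer, "read:patient", now + 10),
        "no_header": handle_request({}, "read:patient", now + 10),
        "wrong_scheme": handle_request({"Authorization": "Basic " + token}, "read:patient", now + 10),
        "expired": handle_request(bearer, "read:patient", now + 300),
        "wrong_scope": handle_request(bearer, "write:patient", now + 10),
        "forged": handle_request({"Authorization": "Bearer " + forge_scope(token, "write:patient")},
                                 "write:patient", now + 10),
        "garbage": handle_request({"Authorization": "Bearer not.a.token"}, "read:patient", now + 10),
    }
```

Two design choices matter here: the payload is never parsed before the MAC has been verified, so malformed or attacker-controlled JSON never reaches the application logic, and the comparison uses hmac.compare_digest so that a byte-by-byte timing difference cannot be used to forge a tag. A real deployment would also rotate SERVER_KEY and bind tokens to a client or session, which the paper's description does not cover.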


How are the data protection and security rules required by government authorities addressed? The case organization is required to follow the data protection rules and regulations of the EU GDPR (General Data Protection Regulation). The case organization also follows the rules implemented by the Finnish authorities, and these regulations are provided in the Finnish language. It is also mandatory to have a DPO (data protection officer) as per the regulation.

What about people concerned about their privacy and information? People are not concerned about their data. The hospital system usually stores the patient's history; however, it can only be accessed by authorized people within the hospital facility.

What are the payment handling procedures and how is such information stored? The case organization does not provide any payment gateway or such integration. It is provided and handled by a third-party software organization which deals directly with the university hospital and local city authorities.

F. Privacy impact assessment policies

What privacy impact assessment policies are in place? There is no formal policy, and the data does not belong to the case organization. According to Wang and Liu [18], the privacy impact factor is a numerical value and measuring it requires privacy measurement functions and attribute visibilities. Since the data is owned by the hospital & local authorities, this does not directly apply to the case organization. The case organization has its own data protection guidelines which it follows. Additionally, the national law and the EU GDPR (General Data Protection Regulation) are formally being followed.

G. Privacy by design & Privacy by default principles

How are the "Privacy by design" and "Privacy by default" principles taken into account? The "Privacy by design" and "Privacy by default" principles were introduced by the European Union for data protection, making data privacy a legal obligation for companies collecting and processing data. According to the EU data protection directives, the "privacy by design" paradigm means that data protection safeguards should be built into products and services from the earliest stage of their conception [19]. "Privacy by default" requires service providers to preselect the most restrictive option as the default for all privacy settings that could potentially expose personal information [20]. From the perspective of the case organization, "privacy by design" principles apply to the companies developing software systems and not to the service providers themselves; however, the most restrictive settings are preselected as the default settings.

TABLE I. THE FINDINGS OF THE CASE STUDY

Category: Data storage practices & policies
Research question: What data storage practices and policies are used?
Findings:
- The data is stored in the data centre
- The case organization processes and maintains the data
- Relational & non-relational databases are used: SQL Server, Oracle, MariaDB, MongoDB

Category: Data access & sharing policies
Research question: How is data accessed & shared in the organization?
Findings:
- Data is accessed by authorized personnel within the organization
- Data accessed through SharePoint, HR system & document management system
- Data is not shared outside of the organization

Category: Cryptography - Encryption & decryption
Research question: What cryptography algorithm is used?
Findings:
- BitLocker full-volume encryption is used
- 128/256-bit AES encryption supported

Category: Web services implementation & protection
Research question: How are web services protected?
Findings:
- Web APIs are protected using bearer token authorization
- SSL/TLS used for further protection

Category: Sensitive data handling procedures
Research question: How is sensitive data handled and what rules apply?
Findings:
- European Union GDPR and national data protection rules apply
- Collaboration with the Cyber Security Centre authority
- Data stored in a secure data centre

Category: Privacy impact assessment policies
Research question: What privacy impact assessment policies are implemented?
Findings:
- This does not apply to the case organization directly
- Case organization uses its own data protection guidelines
- No formal policy on privacy impact assessment

Category: Privacy by design & Privacy by default principles
Research question: How do the privacy principles apply?
Findings:
- "Privacy by design" does not apply to the case organization
- "Privacy by default" is implemented by the case organization

IV. DATA ANALYSIS

In this case, we used a within-case analysis technique to analyze the IT service provider's Information Security & data privacy practices and tools [21].

There were no surprises in our findings related to data storage practices and policy. We identified some standard data storage practices, such as relational and non-relational databases.

Related to data access & sharing, common tools are used inside the organization. However, it was surprising that data was not shared outside of the organization. Concerning the cryptography algorithms, hard drive data is encrypted using BitLocker.

As main findings, we observed that the case organization had a data protection officer role and relatively mature practices for data protection and security. The case organization offered data protection officer and security services to its customers. Additionally, we observed that the case organization had active collaboration with the Finnish Cyber Security Centre and national data protection authorities as well as national health care actors. The data privacy management of the case organization seems to include a lot of collaboration with external organizations.

V. CONCLUSION

This paper aimed to answer the research problem: how can data integrity, confidentiality & availability be achieved? The paper dealt with data protection and security related issues utilizing the case study approach.

We focused on 3 key elements of data protection and security: Data Integrity, Data Confidentiality & Data Availability. We assessed the case organization's data storage practices and policies and highlighted its data sources & data handling methods. We analyzed the data access & sharing policies from the case organization's perspective. Next we identified the encryption and decryption algorithms and patterns used by the case organization. The usage and implementation of web services were further analyzed in this case study. We also evaluated the sensitive data handling procedures, privacy impact assessment policies and privacy principles. We applied the pattern matching technique against our predefined categories. We compared our theoretical pattern (i.e. the predefined categories) against the observed pattern in the case organization.

Future research ideas: The results of this study might be used in data privacy, security & IT service organizations. Future studies could focus on exploring GDPR adoption rules and the applicable local law. Additionally, there is a need for case studies that deal with big data and cloud security & privacy.

VI. ACKNOWLEDGMENT

We would like to thank the case organization's representatives for the valuable feedback and responses that helped us to perform this study. The work for this paper was partly conducted in the Management Roadmap for Service Innovation and Excellence project (S20527) funded by the European Social Fund, Pohjois-Savon ELY-keskus and industry partners.

REFERENCES

[1] E. Bertino, "Big data - security and privacy," in 2015 IEEE International Congress on Big Data, June 2015, pp. 757–761.
[2] J. Soria-Comas and J. Domingo-Ferrer, "Big data privacy: Challenges to privacy principles and models," Data Science and Engineering, vol. 1, no. 1, pp. 21–28, 2016.
[3] E. Bertino, "Data security and privacy: Concepts, approaches, and research directions," in 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), vol. 1, June 2016, pp. 400–407.
[4] L. Xu, C. Jiang, J. Wang, J. Yuan and Y. Ren, "Information security in big data: Privacy and data mining," IEEE Access, vol. 2, pp. 1149–1176, 2014.
[5] D. Chen and H. Zhao, "Data security and privacy protection issues in cloud computing," in 2012 International Conference on Computer Science and Electronics Engineering, vol. 1, March 2012, pp. 647–651.
[6] C. Sophie, "A taxonomy of spatial data integrity constraints," GeoInformatica, vol. 1, no. 4, pp. 327–343, Dec 1997. [Online]. Available: [Link]
[7] M. Panjwani, M. Jäntti, and J. Sormunen, "IT service management from a perspective of small and medium sized companies," in 2016 10th International Conference on the Quality of Information and Communications Technology (QUATIC), Sept 2016, pp. 210–215.
[8] V. Gupta and H. Singh, "A review on data security using PGP & DES," vol. 1, July 2014.
[9] K. Ranganathan, A. Iamnitchi, and I. Foster, "Improving data availability through dynamic model-driven replication in large peer-to-peer communities," in Cluster Computing and the Grid, 2002. 2nd IEEE/ACM International Symposium on, May 2002, pp. 376–376.
[10] H. Singhal and A. K. Kar, "Information security concerns in digital services: Literature review and a multi-stakeholder approach," in 2015 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Aug 2015, pp. 901–906.
[11] Cabinet Office (A), ITIL Service Strategy. The Stationery Office, UK, 2011.
[12] Cabinet Office (B), ITIL Service Design. The Stationery Office, UK, 2011.
[13] Cabinet Office (C), ITIL Service Transition. The Stationery Office, UK, 2011.
[14] Cabinet Office (D), ITIL Service Operation. The Stationery Office, UK, 2011.
[15] Cabinet Office (E), ITIL Continuous Service Improvement. The Stationery Office, UK, 2011.
[16] A. F. Almutairi, G. E. Gardner, and A. McCarthy, "Practical guidance for the use of a pattern-matching technique in case-study research: A case presentation," Nursing & Health Sciences, vol. 16, no. 2, pp. 239–244, 2014. [Online]. Available: [Link]
[17] R. Yin, Case Study Research: Design and Methods (4th edn). SAGE Publications, 2009.
[18] Y. Wang and J. Liu, "An attribute-based statistic model for privacy impact assessment," in 2016 International Conference on Collaboration Technologies and Systems (CTS), Oct 2016, pp. 619–621.
[19] N. Foukia, D. Billard, and E. Solana, "PISCES: A framework for privacy by design in IoT," in 2016 14th Annual Conference on Privacy, Security and Trust (PST), Dec 2016, pp. 706–713.
[20] M. Tschersich and M. Niekamp, "Pros and cons of privacy by default: Investigating the impact on users and providers of social network sites," in 2015 48th Hawaii International Conference on System Sciences, Jan 2015, pp. 1750–1756.
[21] K. Eisenhardt, "Building theories from case study research," Academy of Management Review, vol. 14, pp. 532–550, 1989.
