Key Cloud Privacy Concerns in 2012
Privacy is a major concern for any organisation using the cloud. Handing over your data to others has always been contentious, and the more we do it, the more nervous organisations become that the data is falling into the wrong hands. This article covers the major concerns that companies have when data is stored and processed in the cloud, and what can be done to better protect against the threat vector.
Typical concerns surrounding cloud computing include:
Security and Privacy of data
There are conflicting opinions as to who is responsible for security and privacy in the cloud. Some might like to place the responsibility on the provider, but ultimately the responsibility for the security and privacy of the data lies with the data owner. If a security breach were to occur, the organisation would be held liable for any damages, so relying entirely on the service provider to protect and secure the data would be considered reckless. The organisation should ensure that the data being stored or processed in the cloud is secure, possibly by encrypting all data that moves into the cloud.
Data that is stored in the cloud should only be used for the purpose approved by the data subject. This becomes a challenge in the cloud as the data is stored along with other data in a single location. The challenge is to ensure that data of this kind is only used for the purpose set out and agreed, as it can easily be pooled with data from other sources and be used in unapproved ways.
Privacy and security in the cloud represent a big challenge. However, steps can be taken to improve privacy and security. It is important to have an extensive knowledge of the technology behind cloud computing, and of the legalities, obligations and repercussions. Risk management of the data throughout its life cycle is crucial.
If a privacy breach were to occur, the organisation should have a policy set up which can be followed swiftly by the provider as well as the organisation to reduce operational and reputational damage. Areas around notification of the breach, management of the breach and responsibilities should be clearly covered in the policy.
To enable privacy you require security. Data should be protected against risks such as loss, unauthorised access, unauthorised use or modification of data, and also against deletion or disclosure of data. In a nutshell, CIA (Confidentiality, Integrity and Availability).
The following are necessary security measures to achieve CIA that should be in place.
Access to data and data portability
A company holding personal information and data with regard to employees, customers or clients should have control of and access to the data at all times. There may come a time when it is requested that particular data stored by the organisation be accessed, moved or removed completely; however, when the data is being processed and stored in the cloud this becomes more difficult. The concern is the organisation's ability to provide individuals with access to their data and to carry out individuals' requests if the data is in the cloud.
This is also a concern for the organisation with regard to the company's own information being processed and stored in the cloud. The organisation must have access to the information at all times and has to ensure that the data is portable and can be adapted or removed as required.
Erasure or destruction of data in the cloud
Company information is stored in the cloud to ensure maximum availability. However, there comes a point when this information may no longer be required and will need to be erased or securely archived. The concern is whether information that exists in many copies in the cloud really can be erased. How can organisations be certain that the information is securely erased? When data is deleted, the space previously occupied is marked as unused; until the space is overwritten, the data is still available. A way for companies to ensure that data is actually gone once deleted is through encryption. If an organisation encrypts all data stored or processed in the cloud, the data can be destroyed by destroying the encryption key, rendering the data unreachable. This fact is most often overlooked.
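An added example (not from the original article) of the erasure by key destruction described above: each data subject gets a key that stays with the organisation, only ciphertext is copied to the constructed cloud replicas, and dropping the key makes every copy unreadable at once. `SubjectVault`, `seal` and `unseal` are hypothetical names, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_stream(_prf(key, b"enc"), nonce, body)

class SubjectVault:
    """Keys stay with the organisation; cloud replicas only ever see ciphertext."""

    def __init__(self, replicas: int = 3):
        self._keys = {}  # subject_id -> 32-byte key, never sent to the provider
        self.cloud = [{} for _ in range(replicas)]  # constructed stand-in for provider copies

    def store(self, subject_id: str, record_id: str, plaintext: bytes) -> None:
        key = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        blob = seal(key, plaintext)
        for replica in self.cloud:  # the provider may copy the blob anywhere
            replica[(subject_id, record_id)] = blob

    def read(self, subject_id: str, record_id: str, replica: int = 0) -> bytes:
        if subject_id not in self._keys:
            raise KeyError(f"key for {subject_id} destroyed; data unrecoverable")
        return unseal(self._keys[subject_id], self.cloud[replica][(subject_id, record_id)])

    def erase_subject(self, subject_id: str) -> None:
        # One local deletion invalidates every remote copy of this subject's data.
        self._keys.pop(subject_id, None)
```

In a real deployment the keys would sit in an HSM or key-management service, and erasure is only complete once every backup of the key has been destroyed as well.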
Compliance, Legal and Regulatory requirements
Concerns surround the laws that govern the information in the cloud. Are there governing regulations or standards that are upheld? Who takes responsibility for our information in the cloud? The data can be stored in a number of countries or states; when this occurs, what laws govern the data and how is this managed? These areas are grey and cause confusion.
Legal and regulatory requirements for data privacy vary across the world. In some countries laws regarding this are strictly enforced and in others they may not exist at all. In some countries the laws and regulations of the country where the organisation is located govern the data, in other countries the laws of the country where the data is stored govern the data, and in some instances the laws of the country where the data subject resides govern the data. There is great conflict between the governing laws, so for multinational organisations this is extremely challenging. What is legal in one country could be illegal in another.
Ultimately the organisation is responsible for the data it creates, manages and harbours. The organisation should designate an individual who is accountable for the compliance. A good approach would be for the organisation to accept accountability and have policies and strategies in place to safeguard data regardless of where it is being stored or processed.
Storage and the whereabouts of our data storage
When one's data is stored in the cloud, very little is known as to the location of the storage. This concerns organisations. Data could be scattered across data centres in different countries or moved between data centres for one reason or another. Not knowing the whereabouts of one's data is a concern. Many organisations are also unsure that their data is isolated from that of other organisations; perhaps their data is in combined storage with other organisations. This raises concerns about security and privacy of the data.
Monitoring and auditing data
Organisations using cloud computing need to be able to assure customers, clients and employees etc. that they have control over the data and information stored and processed in the cloud and that the data is secure and private. The difficulty comes with the ability to monitor and audit the cloud service provider and keep on top of things to assume control of your data. Risk management of the data throughout its lifecycle is essential.
Best practice for organisations using cloud computing
- It is of the utmost importance that the service provider you choose can guarantee the highest level of uptime. Of course, cloud computing and access to your data and software is totally dependent on a working internet connection. Have an alternate plan in place in case this problem occurs.
- Be knowledgeable about where your data is being stored at all times and enquire about the laws in that jurisdiction - at the end of the day your organisation is held responsible.
- ALWAYS encrypt your data. Data should be encrypted when moving through the network as well as at rest, stored in the cloud. It is ultimately the organisation's responsibility to ensure that the data is secure. Encrypting the data strengthens the security already in place through the cloud service provider. You can never have too much security when it comes to your data. Through encryption you also have a means of ensuring your data can be destroyed if necessary.
- It's important to have an agreement in place with the cloud service provider regarding issues such as deletion of data and portability of data and software. Organisations do not want to find themselves in a situation where they are stuck with a particular vendor because they are unable to export their data to an alternate vendor if they wish.
- When looking for a suitable cloud service provider ensure you choose one with good levels of security in place. Make sure your network is secured at all times and your local security is in place. ENCRYPT your data. A combination of all of these offers you the best chance at effective data security. Seeking an independent security audit of the provider is beneficial.
- Be aware of the third parties the cloud service provider uses and the policies around the access they may have to your data.
- Take extra care during updates ensuring access privileges remain unchanged.
- Make sure there is a system in place for monitoring data.
- Make sure that your organisation follows good password practice. This should be managed to ensure that policies regarding passwords within the organisation are maintained at all times.
Many organisations are feeling the need to move to cloud computing, and those already in the cloud feel the need to make greater use of the services available to them; the economic benefits of cloud computing are great. The cloud offers an abundant array of service models; however, with the move comes the realisation that we are handing over the reins of control of our data to an external source in the cloud.
When moving into the cloud, companies no longer have exclusive control of data, and the ability to deploy the necessary measures to ensure the accessibility, integrity, confidentiality, transparency, isolation and portability of our data becomes more challenging. On top of all of this is the difficulty in managing the legalities and conflicting regulations with regard to jurisdiction and data flow between countries, which is unavoidable with cloud computing. The future of cloud is going to get more interesting when it comes to data security.