Cloudy, With a Lack of Awareness
Cloud computing has frequently been referred to as a transformational technology. For business leaders, the promise of scalable IT services being provided on demand at vastly reduced cost is very attractive, and has helped drive the rapid growth of interest in cloud computing. However, in the rush to adopt these services, many businesses have, until relatively recently, paid little attention to the security of information sent into the cloud.
The Business Drivers for Cloud Computing
Before we get into the security implications of cloud computing, let’s first talk about the business drivers behind it. Cloud computing covers a range of distributed, on-demand computing services that are delivered across networks, typically using the Internet. Underlying cloud services are a number of technologies that typically use a shared infrastructure to store and process customers’ data in a highly efficient cost-effective way.
The business drivers for cloud computing — low cost, flexibility and almost immediate accessibility — are compelling to businesses and this explains why the adoption of cloud computing services is growing rapidly. Because signing up to cloud computing services is relatively straightforward, new arrangements can be implemented without going through the formal channels that would normally be in place to authorize a new IT service.
Cloud computing is viewed as a convenient, ready-made solution to a business problem. The issue is that business managers signing up to cloud computing solutions may have little or no idea that they are implementing a new type of IT service, which is unapproved and which sidesteps existing company policy.
The downside to this method is that it could leave organizations susceptible to cyber security incidents, including hacking and data leakage — along with the potentially significant hit to their reputation. Additionally, regulated firms face the risk of investigative and enforcement actions if their systems and controls, or their oversight and governance arrangements, are deemed inadequate to detect, protect against and manage cyber attacks.
Personally Identifiable Information (PII)
While the cost and efficiency benefits of cloud computing services are clear, organizations can’t afford to delay getting to grips with their information security implications. In moving their sensitive data to the cloud, all organizations must know whether the information they are holding about an individual is Personally Identifiable Information and therefore needs adequate protection.
Most governments have already created, or are in the process of developing, regulations that impose conditions on the protection and use of PII, with penalties for businesses that fail to adequately protect it. As a result, organizations need to treat privacy as both a compliance and business-risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and loss of customers due to privacy breaches.
There are many types of cloud-based services and options available to an organization. Each combination of cloud type and service offers a different range of benefits and risks to the organization. Privacy obligations do not change when using cloud services — and therefore the choice of cloud type and cloud service require detailed consideration before being used for PII.
Cloudy, With a Lack of Awareness
There is often a lack of awareness of information risk when moving PII to cloud-based systems. In particular, business users purchasing a cloud-based system often have little or no idea of the risks they are exposing the organization to and the potential impact of a privacy breach.
In some cases, organizations are unaware that information has been moved to the cloud; in others, the risks are just being ignored. This is at a time when regulators, media and customers are paying more attention to the security of PII.
Here are four key issues:
- Business users often have little or no knowledge of privacy regulation requirements, because privacy regulation is a complex topic which is further complicated by the use of the cloud.
- Business users don’t necessarily question the PII the application will collect and use.
- Business users rarely consider cloud-based systems to be different from internal systems from a security perspective, and thus expect them to have the same level of protection built in.
- Application architects and developers often collect more PII than the applications need. Their argument is that the additional information may be helpful for future versions of the application or to support extended reporting. The expansion of the number of records and the number of attributes increases the potential impact of a privacy breach. (In some jurisdictions — such as EU countries — regulations forbid the collection of excessive information.)
These issues often expose the organization to risks that could be completely avoided or significantly reduced.
Privacy Regulations Around the World
While an organization can outsource the processing and storage of PII, they cannot outsource its responsibilities for protecting privacy. Therefore, the organization needs to ensure that it considers the relevant jurisdictions’ regulations for any cloud-based system it uses.
Privacy regulations vary widely around the world, and while many jurisdictions have (or are adopting) their own, they broadly fall under one of two main approaches:
- Regulation that is based on the rights of the individual
- Regulation that imposes conditions on organizations and the way they operate
In addition to privacy regulations, some countries have additional legislation that may need to be considered to determine whether the jurisdiction is an acceptable place to put sensitive information such as PII. Typically, this is some form of anti-terrorist legislation, such as the U.S. Patriot Act.
The requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first introduced. Fines for breaching data-privacy regulation have multiplied, and penalties can be even more severe than fines. Increased media interest and a greater public awareness have led to potential commercial and reputational consequences for noncompliance. Such awareness continues to be raised and maintained with the ongoing revelations from Edward Snowden, not least of which being allegations regarding the NSA and the U.K.’s GCHQ and its alleged interception of records moving between Google and Yahoo foreign data centers, including information about and from American users.
Putting private information into the cloud creates risk and must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. If the information being moved is subject to privacy regulations, and the data centers are in different jurisdictions, this can trigger additional regulations or result in a compliance breach.
Transferring Data Across National Borders
Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. In order to determine what cross-border transfers will occur with a particular cloud-based system, an organization needs to work with their cloud provider to determine where the information will be stored and processed.
Details are also required on the various parties who have access rights and their locations, including:
- Day-to-day users, including operations and management
- Subcontracted cloud providers
- Help-desk users
- Administration staff
These details can then be used to understand all cross-border transfers that the information may make and consequently the contractual arrangements that need to be in place to control them.
Follow the Information
Organizations need to focus on information, the impact on information, the risks associated with the loss or contamination of information — and classify the information. Concentrating on the organization’s information will bring clarity to decision-making when assessing risk and examining treatment options.
Focusing on information helps prevent being overwhelmed by an ever-increasing collection of device-specific or application-specific measures. It also facilitates solutions that work across myriad devices, improving scalability.
When sharing information, several questions need to be answered:
- Who the information is being shared with
- What/when/why/where/how/how much information is being shared
- How much access suppliers have to information and assets
- How is the information being shared protected by those who receive it
Know Who Has Your Data … And Where It Is
Demand for cloud services continues to increase as the benefits of cloud services change the way organizations manage their data and use IT. Cloud computing is able to deliver generic services that can be implemented quickly and easily. Consequently, business users often purchase new cloud services directly.
The decision to use cloud systems should be accompanied by an information risk assessment that has been conducted specifically to deal with the complexities of both cloud systems and privacy regulations; it should also be supported by a procurement process that helps compel necessary safeguards. Otherwise, the persistent pressure to adopt cloud services will increase the risk that an organization will fail to comply with privacy legislation.
With increased legislation around data privacy, the rising threat of cyber theft, and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.
As global vice president of the Information Security Forum (ISF), Steve Durbin’s main areas of focus include the emerging security-threat landscape, cyber security, BYOD, outsourced cloud security, third-party management and social media across both the corporate and personal environments. Follow him @SteveDurbin.