Cloud Computing: Data Privacy in the Cloud

There are several steps you can, and should, take to ensure the security of your corporate data when moving to the cloud.

Vic (J.R.) Winkler

Adapted from “Securing the Cloud” (Syngress, an imprint of Elsevier)

The issue of data privacy is at the forefront of everybody’s mind. Television commercials advertise security products and news programs frequently describe the latest data breach. Public perception aside, any organization has a legal obligation to ensure that the privacy of their employees and clients is protected.

Laws prohibit some data from being used for purposes other than the one for which it was originally collected. You can’t collect data on the health of your employees, for example, and then use it to charge smokers higher insurance premiums. Also, you can’t share certain data with third parties. In the world of cloud computing, this becomes much more difficult, because you now have a third party operating and managing your infrastructure. By its very nature, that provider will have access to your data.

If you’re collecting and storing data in the cloud and it’s subject to the legal requirements of one or more regulations—for instance, the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA)—you must ensure the cloud provider protects the privacy of the data in the appropriate manner. Just like data collected within your organization, data collected in the cloud must only be used for the purpose for which it was initially collected. If the individual specified that the data be used for one purpose, that assurance must be upheld.

Privacy notices often specify that individuals can access their data and have it deleted or modified. If the data is in a cloud provider’s environment, these privacy requirements still apply, and the enterprise must ensure the request can be fulfilled within a timeframe similar to what would apply if the data were stored on site. If data access can only be accomplished by personnel within the cloud provider’s enterprise, you must be satisfied that they can fulfill the task as needed.

If you’ve entered into a click-wrap contract, you’ll be constrained by the terms the cloud provider has set out. Even with a tailored contract, the cloud provider may try to limit the control you have over your data so that all of its clients are handled in a unified way. This reduces the cloud provider’s overhead and the need to have specialized staff on hand. If complete control over your data is a necessity, you need to ensure this upfront and not bend to a cloud provider’s terms.

There are a number of cloud providers that specialize in distinct markets and tailor their services to those markets. This is likely to become more prevalent in the upcoming years. Niche cloud providers will also likely emerge. For instance, cloud providers that offer services in health care would be bound by the relevant regulations, such as HIPAA. We would expect them to charge for the special handling and controls that are needed.

Data Location

Any business with a Web presence, and any individual who posts on social-networking sites, is recording data on one or more servers that could be located anywhere. Whether you’re posting personal information to Facebook or updating your business links on LinkedIn, this data will be stored somewhere. As businesses move toward using and embracing cloud providers, the location of this data will become more important because of data privacy, legal or regulatory demands.

Global companies need to ensure that any services deployed to the cloud are used according to the laws and regulations that apply to their employees, foreign subsidiaries or third parties. U.S. law will be markedly different from that of other regions, so even if it’s your own employees who are using the service, you need to be aware of the laws that pertain to them in their location.

Subsidiaries in other regions may have slightly differing laws for which you have to account, even if they’re in the same general area. Some foreign subsidiaries may have no problems sharing data with one region, but not with another. Adding a cloud provider to the mix adds another layer of complexity.

The primary location of the data and any backup locations must be known to ensure these laws and regulations are followed. The backup locations are often not known up front and need to be determined. Amazon.com Inc., for instance, has large datacenters in both the United States and Ireland, which could cause problems if they were used as backup centers for certain types of data.

The data protection laws of the European Union (EU) member states, as well as other regions, are extremely complex and have a number of definitive requirements. The transfer of personal data outside these regions needs to be handled in very specific ways. For instance, the EU requires that the collector of the data, or data controller, inform individuals that the data will be sent to and processed in a region outside of the EU. The data controller and end processor must also have contracts approved by the Data Protection Authority in advance. How difficult this is depends on the region that’s processing the data. The United States and EU have a reciprocal agreement, under which the U.S. recipient only has to self-certify its data procedures by registering with the U.S. Department of Commerce.

You need to ensure that any cloud providers you use that are outside your jurisdiction have adequate security measures in place. This includes their primary and backup locations, as well as any intermediate locations if data is being transferred between jurisdictions.

By putting your data onto a third-party server, whether a cloud provider or otherwise, you’re entrusting your data to that third party. You need to ensure there is adequate security for your needs and to meet all the regulatory and legal requirements. Provider controls and procedures must also comply with the local laws of the region where the server is located. If you’ve entered into an agreement with a company in the United States, but they host the data on a server in the EU, it’s likely that you’ll have to abide by the laws of the EU if you want to transfer data into and out of the system.

These laws may be more onerous if the server is hosted in certain regions such as China, where laws may allow the local government unlimited access to the data regardless of its sensitivity. You may even be restricted from, or prohibited from, encrypting the data unless local authorities are able to decrypt it as needed.

The cloud provider market is expanding, but there are still only a limited number of players that can offer large-scale application and data hosting. This may lead companies to subcontract some or all of the hosting to another company, possibly in another region. Before entering into any agreement, be aware of any subcontracts and perform appropriate security checks on these as well.

Some cloud providers will inevitably go bankrupt or cease operating. Access to your data instantly becomes an issue. Depending on where the server resides, this may require you to go through another region’s jurisdiction to get the data back, and the data may be subject to completely different access rules.

Secondary Use of Data

Depending on the type of cloud provider with whom you contract, you’ll have to consider whether your data is going to be mined by the supplier or others. Such use of your data may occur unbeknownst to you, or by virtue of a configuration error on the provider’s part. Based on the sensitivity of your data, you may wish to ensure your contract prohibits, or at least limits, the cloud provider’s right to use this data.

This can be especially hard when you enter into a click-wrap agreement. As we all know, very few of us read the fine print at all. We just click the Agree box when it appears. In 2009, when Facebook changed its terms around data security, many people complained. However, the majority of users carried on using the service because they found it useful. It’s likely your users will react in the same way, which may well leave you with security issues.

The data you’re storing in the cloud may be confidential or hold personal data whose security you must ensure. The cloud provider is likely to have full access to this data in order to maintain and manage your servers. You’ll need to ensure this access is not abused in any way. Although a contract may protect you legally, you’ll also need to be confident that the security in place at the provider will detect any unauthorized access to your data.

Disaster Recovery

You can’t overstate the importance of business continuity and disaster recovery. In terms of disaster recovery, you need to consider some possible scenarios: a provider might go out of business, or its datacenter could become inoperable. The main issues with the first scenario are getting your data back and relocating your cloud applications to another supplier. These should be thought out before deploying to the cloud. You should also further protect your interests by ensuring regular data backups.

Set out some form of plan when you move to the cloud and revisit that plan on a regular basis. Market factors and other circumstances change quite rapidly. There have been a number of instances where a datacenter has suffered a catastrophic outage, resulting in a loss or disruption of services to many Web sites and businesses, including:

  • A fire in a datacenter in Green Bay, Wis., in 2009 led to outages for some hosted Web sites for up to 10 days.
  • An outage in Fisher Plaza (Seattle) in July 2009 affected many sites, including Bing Travel.
  • An explosion in The Plant datacenter in Houston in 2008 took nearly 9,000 customers offline for as much as a few days.
  • Rackspace US Inc. had an outage in its Dallas center in 2009, which lasted just under an hour.
  • The 365 Main datacenter had outages in 2007 that affected Craigslist, Yelp and others.
  • Google suffered a datacenter rolling blackout due to a software upgrade error during February of 2009, causing the loss of mail service for many customers.

Depending on your level of preparedness, any of these events could be a mere inconvenience or an imminent threat to your business. Smaller companies are likely to be hit harder, as they may have less expertise and fewer resources. An outage could seriously disrupt their business.

As you can see from that list of incidents, it’s not just physical issues such as power or cooling failures that can take a datacenter down, but also software errors. Denial-of-service attacks against specific Web sites could also affect your site, through bandwidth exhaustion, if the attacked site is hosted in the same datacenter.

Security Breaches

Your application or data may be compromised or breached while hosted in the cloud. In that event, you will be notified through the cloud provider’s systems or by some other means. You should never have to find out because a customer complains of identity theft.

You need to be clear about your cloud provider’s disclosure policy and understand how quickly it will disclose a breach to you. The majority of U.S. states have security breach disclosure laws that require the data owner to notify individuals if their personal data has been compromised in any way. To comply with these laws, you must ensure you are informed promptly of any breach, preferably within a timeframe defined in the initial contract.

Conversely, if you discover your data has been breached, you may need to inform the cloud provider, because the breach could have implications for its other clients. You’ll likely be sharing an environment with one or more other enterprises, and depending on the extent of a breach, some of them may be affected. Having defined measures in place in the contract, and a mutually agreed upon incident response plan, will ensure that both parties can mitigate the consequences of a breach.

Vic (J.R.) Winkler

Vic (J.R.) Winkler is a senior associate at Booz Allen Hamilton Inc., providing technical consultation to primarily U.S. government clients. He’s a published information security and cyber security researcher, as well as an expert in intrusion/anomaly detection.

©2011 Elsevier Inc. All rights reserved. Printed with permission from Syngress, an imprint of Elsevier. Copyright 2011. “Securing the Cloud” by Vic (J.R.) Winkler. For more information on this title and other similar books, please visit elsevierdirect.com.