Data Security and the Cloud
The rapid adoption of Web 2.0 technologies such as blogging, online media sharing, social networking, and web-based collaboration has pushed huge quantities of data onto Internet servers. Along with this migration to web services has come a push for companies to adopt utility computing. Much like traditional infrastructure utilities such as gas and electricity, utility or “cloud” computing seeks to abstract the supply and usage of computing from everyday use. Under cloud computing, businesses can acquire services, platforms, or infrastructure on-demand and get billed for usage, returning resources to the cloud once they are no longer needed.

The massive, distributed Internet architecture of cloud computing has been leveraged to provide data redundancy, faster access times, and rapidly scalable service to support the high demand for next-generation web technology. The architecture and services in the cloud have so far been a resounding business success, but cloud computing has raised a number of information assurance concerns. The European Commission is currently investigating what sorts of privacy controls should govern the data that is residing in social networks, as we mentioned in this week’s Cyber Risk Report.

Security Concerns for Distributed Data

One of the key benefits of cloud computing stems from the ability for data to be in many places within the cloud, close to the users that need to access it, and available whenever it is requested. Scalability also allows consumers of cloud computing resources to ramp up quickly to handle spikes in computing loads, through “federation” or transparently sharing computation across partner cloud service providers. However, this distribution of data (and the various sensitivities of this data) has a downside in that it may run afoul of legal, governance, risk, or compliance concerns, and pose risks to end-users and to businesses that provide cloud services.
Some of the risks associated with cloud computing will be familiar to incident responders who must consider various legal jurisdictions, including international concerns regarding the physical and logical location of data. Data that resides in the cloud and has been distributed to various servers across the globe may have been replicated to systems in other countries with vastly different laws. What may be legal for a company to seize during an investigation in the United States isn’t necessarily legal within the European Union (which is known for stricter data privacy regulation) or in other countries. Another concern is that cloud providers located within countries that have more lenient regulation may be subject to the laws of their users, if those users are from countries that impose stricter constraints.

Current Privacy Moves in the European Union

A specific example of how this plays out is the Article 29 Working Party of the European Commission, which officially adopted an opinion paper on privacy controls and social networks. The document seeks to identify the roles of social networking services, their users, and third-parties such as advertisers or other secondary consumers of data in the social network. In doing so, the Working Party expresses the opinion that the EU should be enforcing the EU Data Protection Directive for social networks, third-parties, and in some cases, even users. This inclusion of social network users means that restrictions could extend to those outside of the European Economic Area (EEA).

According to the opinion adopted by the Working Group, that would mean complications for social networking companies, third-party advertisers or application providers that use personal information, or even heavy users with lots of impersonal contacts, like celebrities.
Most users will be excepted under the “household” exemption, which allows them to have information from friends and personal acquaintances, but individuals with large amounts of information available from non-personal contacts could be defined as data collectors under the EU Data Privacy Directive. Should this opinion progress into a regulation, there will be some very complex changes in store for social network providers.

Security Concerns for Abstracted Data

However the EU decides to proceed with the social networking opinion, security concerns have already emerged. A report was issued by Joseph Bonneau with the University of Cambridge just prior to the EU filing this opinion. Bonneau found that many social networking sites were not actively removing photos that users had deleted. He argues that failure to remove personally identifying information (PII) is a breach of the EU Data Protection Directive of 1995. An additional violation may occur if the data is marked as deleted (at which point the user cannot access it) but it is not removed — the directive requires that users have access to all stored data pertaining to them. While Bonneau’s theories have not been tested in the courts, they do result in some very interesting conversations about design, security, and privacy in the cloud, and it appears that Europe is listening.

Users face similar privacy concerns, though typically at the hands of usability and convenience features. As users move their personal, financial, and business interests online, they are quickly adopting services and features that simplify tasks, entertain, and add value to their lives. But many of these services are collecting significant amounts of personal information, correlating it, and storing it outside of the user’s control, possibly indefinitely.
Every action taken online leaves some trace of the user’s involvement, and often personalized sites contain huge amounts of PII, photos, videos, personal comments, habits, likes, dislikes, travel patterns, location, and more.

Planning Secure Cloud Computing from the Beginning

The technology of cloud computing itself is not insecure. However, companies must carefully consider the implications of massively scalable design, storage, and computing. This is especially true if those services are outsourced to cloud providers and not directly under company control. Organizations might consider not only the legal ramifications of computing across national boundaries, but also those of an international customer base, as well as the challenges of ensuring that all copies of data throughout the cloud infrastructure uniformly fall under the appropriate policies.

Most of the obvious challenges exist with public cloud computing and open cloud computing, where companies use resources outside their control from one or many providers to provide transparently scalable computing resources. However, private clouds (and especially private federated clouds) do pose risks to enterprises that are not prepared for the complexities of this infrastructure. As resources are expended for cloud computing tasks and then returned to the cloud for the next task, there is a risk that data permanence or audit trails are not sufficient. Organizations must plan carefully when constructing cloud computing environments to ensure that the flexibility and scalability do not overshadow the necessity for risk-tolerant implementation.
As the developments in the EU show, the initial implementation must not only be secure, but the whole system must also be flexible to accommodate emerging laws and regulations.

Additional Information

The Cloud Security Alliance exists “to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.” More information regarding security and information assurance with cloud computing is available on the Cloud Security Alliance website.

How else are you seeing perspectives about data security change as data shifts into the cloud?