Privacy. This is more than ensuring the confidentiality of corporate information (a big enough concern in its own right). This is about the legal and business risk ramifications of entrusting Personally Identifiable Information (PII) to a third-party supplier.
This is like putting your money in a bank, rather than buying and protecting your own vault. It is about trust.
Many, if not most, enterprises have strict privacy policies, with procedures in place to ensure that PII is dealt with securely.
The concerns with shifting this information to the cloud include:
- Increased vulnerability to attacks on the vendor (rather than attacks on the enterprise), because the vendor would be hosting multiple organisations
- Losing access to PII should another company on a shared platform be investigated
- The loss of transparency over who actually hosts, processes or transmits your data
It’s in the Architecture
As with any IT system, it is important to consider security when architecting the solution. You DO NOT want security as an afterthought. Cloud is no different, at least when considering the technology view. As CTOs, we need to ensure that PII is secured technically, no matter the platform we choose to deliver the information.
My last posting on perimeter security discussed how cloud security is less like fortifying a castle and more like driving a submarine in enemy waters. Cloud computing differs from traditional IT in who controls the management of risks to the business. This is now delegated to a commercial agreement, i.e. a contract with the suppliers.
Cloud differs from the money-in-the-bank example in two areas:
- The legal safeguards in most countries
- Standards that banks are required to (and do) meet
Currently, there are a number of laws about handling PII, and these vary from country to country. By and large in Australia, you can store PII in any country that has equivalent or greater legal protections for that information.
These laws cover collecting, transmitting, storing, keeping and sharing PII. We need to make sure our cloud provider understands and explicitly adheres to these laws in the handling of this data. Technically, this translates into the tools and processes providers use to enforce the protection of this data.
Transparency in the Supply Chain
But it is not just your cloud provider. From a risk management perspective, there is one more issue that we must consider: cloud providers have dependent providers.
For example, the provider of your accounting software will have contracts with a network provider and an I/PaaS provider. Potentially they have a separate agreement with an authentication systems company. Then there are additional agreements with a company that provides the management and monitoring tools. Then the I/PaaS provider could have down-level agreements with datacentres that host their systems and provide hardware, and may even contract with a storage provider elsewhere.
A valid request is to ask for complete transparency over the supply chain of who is looking after your data.
What you don’t want is for someone to have access to the systems of one of your cloud vendor’s providers, especially if you don’t have any knowledge of who these providers are and whether they comply with the privacy laws. It is a tricky spider web to get caught in.
Technically, there is no reason why storing PII or other sensitive information in the cloud cannot be as secure as, or even more secure than, storing it in your own datacentre, especially when you consider that the vast majority of security breaches are perpetrated by an employee of the company.
However, you do need to consider the geographical jurisdiction and the security standards adhered to by your cloud provider. Most importantly, you must demand full transparency of your cloud provider’s supply agreements, and see the safeguards they have in place to protect your sensitive data.
Have you experienced a situation where cloud provider vendor agreements endangered your data? Feel free to let me know in the comments section below.