Legal, Privacy and Security issues with choosing cloud services

Over the course of the next five years, Gartner believe enterprises will spend $112 billion cumulatively software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) [Gartner11]. Among the reasons given was a desire to reduce the Total Cost of Ownership (TCO) for products and services. A survey conducted by Gartner in 2H10 in EMEA with 90 respondents, established the primary reasons SaaS was being considered. The most common reason selected (with 48 out of 90 respondents) was: "…considered to be more cost-effective from a TCO standpoint than on-premises solutions."

There are however a number of factors to consider when offering or hosting solutions in the cloud, and these factors form part of the hidden cost of the cloud. This series of posts address these factors explore the lack of objective measures for some of these factors, and where possible alternate objective measures are suggested.
Legal, Privacy and Security issues

Most countries usually have laws that aim to protect individual and organisational data. These can cover the use of personal data that is collected by organisations and how long data can or must be retained for law enforcement reasons. The use of cloud computing by organisations introduces a new level of complexity as an organisation is in effect outsourcing its collected data to a third party who in turn may store the data outside of the local country or region leading to potential legal disputes over which jurisdiction’s legal frameowork applies. The outsourcing organisation also opens up a new threat from its data providers in cases where data is compromised as data may be outsourced but responsibility cannot.

EU Data Protection Laws

Data Protection Directive (Directive 95/46/EC) [EU-95] : In particular, this directive forbids the transfer of data outside the EU unless the target country has adequate protecion laws. From the point of cloud computing, the main target country is the U.S. and the Safe Harbor agreement [SafeHarbor] is used by American companies to comply this EU directive.

There is currently a process in place for the revision of this directive [EU-95-REVISED] which is expected to last about two more years. One of the more controversial innovations will be an individual’s right to be forgotten after a defined time limit. The will cause a lot of problems with existing infrastructure and process as current practice is predicated on preserving data. The enforcement and auditing of this principle is expected to be contentious especially with cloud providers based in other jurisdictions.

Some other stated aims of this revision include:
1. Explicit consent for data acquisition
2. More stringent deadlines for notifiying national data protection agencies
3. Increase fines for contravening the revised regulation. For example, "€1 million or up to 2% of the global annual turnover of a company".
4. The application of the revised directive to all data processors operating in the EU but operating as non-EU legal entity.

When the directive is finally agreed, ratified and implemented at EU member state level, the demands on outsourcing IT to cloud providers and the contract negotiations will become even more important, the demands on both parties more stringent and the reputation of both parties will require more input to protect. Given the increased potential fines and demands on both outsourcing and cloud organisations, it is expected that data protection officers and departments will become more endemic. The partial outsourcing of this function could become a potential offering from cloud providers.

US Data Protection Laws 

Unlike the European model with region wide frameworks enforced in member countries, the US has a more fragmented approach to data protection. The Health Insurance Portability and Accountability Act [HIPAA] applies to the medical sector, the Patriot Act is concerned with law enforcement and anti-terrorism, the Privacy Act and Computer Matching and Privacy Act cover federal obligations on the use of collected data and other acts cover sectoral issues.

This fragmented approach is seen clearly in the growth of Location Based Services (LBS) and the concerns expressed over the lack of national law to protect individuals and the reliance on LBS companies self-regulation [Morris (pdf)].

Enforcing Local Laws

Given the above legal framework, the issues of data protection, how to regulate and enforce it across different jurisdictions, and what security a cloud provider utilises and provides to the client, are a large part of the decision process in whether to outsource partially or wholly an organisation’s IT function to a cloud provider or third party hosting site in the case where the private cloud option is taken.

Another main concern are the legal penalties and damages that may result in the case where the negotiated contract and Service Level Agreements (SLAs) are breeched. This concern is magnified in the case where an organisation is selling a service(s) based on services or infrastructure provided by a cloud provider. The matching of the SLA or Key Performance Indicators (KPI) offered by that organisation to its customers with the SLA negotiated with its cloud provider is paramount. The cloud provider’s SLA is in effect an under-pinning contract to the organisation’s customer SLA. For example, unless the downtime in the service offered by the organisation matches the downtime negotiated with its cloud provider, then the organisation’s customer SLAs will be breeched and potentially incur financial penalties. The net effect is that the cloud provider SLA will form the basis of the organisation’s customer SLA and will potentially dictate the viability of their service.

One main legal principle to note is that the cloud provider’s country of business, i.e. where it operates its business from, rather than where its operations are based is the legal jurisdiction where claims will be decided. This legal distinction has tended to cause a lot of potential outsourcing to be blocked although some cloud providers are beginning to use "model contracts" to allow a cloud provider to agree to local legal conditions and circumvent this possible problem.

Security Certification

As a reflection of the relative novelty of cloud computing, there are no industry wide security certification schemes. There are sectoral certification schemes such as:

HIPAA: US medical records [HIPAA]
Payment Card Industry (PCI): The relevant standard is PCI DSS (PCI Data Security Standard) and covers payment transactions handling. [PCI]
SAS 70 Type II: Accountancy process and procedures [SAS70].
ISO 27001 : Covers information security [ISO27001].
SSAE 16 : Replaces SAS 70 [SSAE16].

Responsibilities

Although legal frameworks and agreements can be used to satisfy an outsourcing organisation’s confidence in a cloud provider’s offering, the responsibility still remains with the organisation to ensure that their clients' data is protected. It is notable from the standard legal agreements offered by cloud providers in the IaaS and PaaS spaces that they are explicitly not responsible for data security or breaches. In effect, they are offering a computing facility but not managing the client’s applications or data.

It is also apparent that most cloud providers do not explicitly reveal their actual security techniques and this can be very important where data storage is based on multi-tenancy models and possible leakage of information between virtual machines [PASSIVE]. Other areas for concern are the clean up of data storage after a client has ceased using the cloud provider, temporary backups and snapshots, moving data to other regions in the event of a particular data centre failing.

Risks

The security of outsourced data needs to be actively monitored against unauthorised intrusion and/or data theft by an organisation’s own staff, the cloud provider’s staff and any other third parties involved in the supply chain. In the case of cloud aggregations the attack surface area is increased.
Unusual data queries that result in larger than expected data flows possibly indicating data theft.
Denial of service attacks targeted at a client’s cloud-based network. This could trigger automatic expansion of required resources incurring possible large amounts of extra cloud spend.
Hypervisor leaks, i.e. other VMs being able to extract information from other supervised VMs could also be an area to monitor.
The disposal of backups and snapshots by the cloud provider.
The disposal of instance transferrals to other regions or parts of cloud provider’s infrastructure where the normal instance is affected by server downtime or overloading.

Solution

Monitor you Security KPI's with ServiceClarity http://www.serviceclarity.com