The Edward Snowden affair could ultimately become the best thing that ever happened to the cloud. The incident will act as the necessity that's the mother of invention, and will foster the creation of a portfolio of new security technologies and compliance procedures.
There is an accelerated market for cloud privacy and a wealth of technology available to cloud consumers and vendors that want to equip themselves for a high standard of cloud security. This will provide a foundation for the legal community to then synchronize their efforts and lead to stronger cloud "contracting" and governance protocols. In short, your personal data may end up being safer in the cloud than outside it.
While no technologies will be entirely impervious to privacy threats, effective technologies will certainly go a long way to putting more control into the hands of data owners, enabling them to use a wider variety of cloud infrastructures more safely.
The specific details of what's needed for enterprises to achieve this type of compliant cloud service is described in this U.S. government document about best practices for cloud contracting, which sets out such recommendations as these:
- Encrypt data in line with technical standards.
- Ensure the enforcement of tenant data retention policies.
- Protect personal data and respond accordingly to personal data requests under the Freedom of Information Act.
- Strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants.
- Ensure that incident response plans comply with industry standards for legally admissible chain-of-custody management processes & controls.
Quickly moving cloud providers will target vertical industry sectors, such as government and healthcare, and will offer them tailored packages that offer "Compliance as a Service," the ability to meet specific privacy legislation needs, such as HIPAA or PIPEDA [the Personal Information Protection and Electronic Documents Act].
Currently, cloud providers focus mainly on technical products -- the specifications for how much Infrastructure as a Service (IaaS) to deliver for what price, for example -- and they don't necessarily have much expertise in areas of compliance or archiving.
However, as they increasingly target such markets as government, cloud vendors will deploy new technologies and add other layers to meet compliance needs. And these same technologies will improve the protections in place intended to secure your personal data.
These types of services require the provider to have the sophisticated platform and procedures required for data preservation and audit-log assurance, so that they can offer evidence-ready records proving their transactions' chain of custody.
Organizations like the Cloud Security Alliance (CSA) have emerged to offer documented industry standards and best practices for cloud providers. An ecosystem of new startup vendors has blossomed as well, populating such key major areas as Monitoring and Security as a Service, cloud encryption and Identity as a Service, and cloud archiving and disaster recovery.
Monitoring and Security as a Service
There are a number of well-established security monitoring applications and techniques, and the CSA even has a program to package these into a Security-as-a-Service, or SecaaS, delivery model.
Examples of security packaged into a managed service include Enlocked, a way to encrypt your email via a browser or products from vendors such as Alert Logic or Core CloudInspect, which perform security audits on providers such as Amazon Web Services.
Cloud encryption and IDaaS
Especially relevant to cloud environments are data encryption and other principles that ensure that the nature of the shared infrastructure doesn't compromise the security of any one tenant. Identity as a Service, or IDaaS, a managed services tool that allows for authentication across multiple platforms, often thought of as single sign-on for the cloud, is an important addition to the encryption space.
New tools in this market mean that the entire cloud environment and all of its moving parts can be encrypted for total security.
A number of vendors have populated this space, such as Porticor and Perspecsys, which encrypts data on-site before it is sent to the cloud. Similarly CipherCloud enables HIPAA compliance, and HighCloud describes how it can be used to achieve PCI [Payment Card Industry] compliance in the cloud. With the Trend Micro SecureCloud product, data is decrypted only within the virtual machine; it remains encrypted when at rest or when traversing the cloud infrastructure.
Cloud archiving and disaster recovery
A third main category is cloud archiving, the use of data preservation and cloud storage systems to enable legally admissible forms of archiving. Cloud archiving enables customers to check many of their own compliance tick boxes, and the capability can be used to improve disaster recovery.
Securing a cloud environment to meet the legal needs of such client sectors as government is only one half of the equation; catering to records retention and retrieval via storage and archiving tools is the other half.
In the cloud domain, relevant standards and innovations have included such organizations as the Storage Networking Industry Association (SNIA), the open standards group for storage.
The SNIA has built on its base of storage expertise to define how cloud storage could underpin these new vaulting-type applications. In this presentation, they describe its key features, such as overwrite protection; retention abilities; and the ability to provide records of alterations, additions, deletions and so forth.
Vendors like Metalogix apply all these principles for specific product segments -- for example, enabling Microsoft SharePoint users to tap into cloud storage for their archiving.
These and other ideas will be tried, tested and validated by the legal community as well, such that addressing these privacy risks will hopefully drive the development of the cloud across multiple service providers.
What are the best practices for global cloud privacy and security? Learn more in part one.
About the author:
Neil McEvoy is the founder and CEO of CloudBestPractices.net and a 20-year veteran entrepreneur in the field of cloud computing and multi-tenant software architecture business models. Neil has a track record of launching cloud computing products and startup ventures, and he specializes in enterprise cloud computing and business transformation best practices for larger organizations.