Freely subscribe to our NEWSLETTER

What looks to the average business person as a good strong safe environment to work on and store your businesses data with name brand icons, does not always mean that you as a business or business owner are looking after your data related to state, national or multi-national business compliance laws and privacy laws. Even something as simple as good business practices, that is covered by the ITIL need to be followed with “Computing in the Cloud”.

As a business owner we are still responsible to be complaint with all these laws and practices related to business data protection and retention, plus all the laws related to privacy, not these Cloud Computing Providers (CCPs).

Looking through the rear view mirror:

Today’s environment: As business owners and operators we are responsible for the safety and reliability of all your companies’ data, that includes data at rest or standing data, data that’s used in applications and the retention of data. The primary goal of this discussion is not to re-play all the compliance issues but to highlight new data application considerations with “Computing in the Cloud”.
Today (A), we constantly provide the relevant controlled access to our businesses data by providing firewall protection from the internet, via appropriate password protection on each of our PC’s, data protection through off-site backups and storage, plus sometimes even encryption of our data on hard drives. We normally provide a license for each of our software applications, and store them on our office computers and servers; our computing life is fairly insular. Our business data resides on our PCs/Servers and we for the most part control its location.

Now arrives “Computing in the Cloud” (C), so what changes, the variety of applications that reside on the application servers (1st) in the “Cloud Computing Provider” location. This in many cases precludes the need to purchase a license for software, which may lower some operating costs and upgrade costs.

The big change is the movement of data (2nd) to the “Cloud Computing Provider’s” (CCP’s) data center location, both for the short term while the data is being processed on the Application Server ( C.1 ) and for the longer term both when the data is stored (3rd) in the Data Warehouses ( C.2 ) or as residual data (4th) on the Application Server ( C.1 ).

To better illustrate the issues let’s look at the big changes via two broad cases of data. The first is financial data, and the second is Human Resource information. With both of these cases there are important conditions that must be addressed.

In the case of financial data we now move this data from (A) our location to the Cloud Computing Provider (C) via the Internet (B). We use a spreadsheet applications ( C.1 ), after we finish the use of this application, we save the results of our manipulation back on our computer (A.1). So where are the security risks: Confidentiality, Availability, and Integrity (CIA)?

1- The most obvious is the data that is moved from location (A) to (C). During this time the Confidentiality and Integrity of the data is potentially exposed.
2- As the data is being used in the application the security of the application is under the control of the Cloud Computing Provider,(C.1), and the business owner needs to factor this into its use and value.
3- The last time that needs to be considered is when the data is stored back on the computer (A.1). The transit of data from (C) to (A) are the same risks as point 1, but there is an additional risk of the residual use of the data and work files on the Application Processor (C.1). If the data and work files are not immediately erased then the risk of breach of Confidentiality is increased.

In the case of Human Resource information, we have many of the same issues as above, but we have a few additional ones. So where are the security risks: Confidentiality, Availability, Integrity (CIA), plus privacy?

1- The most obvious is the data that is moved from location (A) to (C). During this time the Confidentiality and Integrity of the data is potentially exposed. Additionally since the location of the “Cloud Computing Provider’s” (C) data centers are not known you may be in-advertently violating privacy laws like the European Union’s Data Protection Directive, or other National privacy laws like PIPEDA in Canada.
2- The next time that needs to be considered for security and privacy issues is when the data is stored on the data warehouse (C.2). In this case we still have the issues is what country the data is stored in and how long the data can be stored. Even if there is an agreement, the responsibility for data retention is still the owning corporation and not the “Cloud Computing” providers. If in 5 years after paying for data ware housing services, the tax department of a state or nation asks for your records and the “Cloud Computing” service cannot retrieve them, then it is your problem.
3- Additionally information that is stored on the “Cloud Computing” data center (C.2) is subject to the laws of the nations they are located in for search, seizure and privacy laws. These can be big factors if we talk about data centers in the U.S., India and/or China.

The last issue for both the Financial Data and the Human Resource data is for data retention. To ensure with most data compliance issues is that data must be kept for 5 to 7 years, on the whole, depending on data types. With the separation of the data and the application and the rapid evolution of applications keeping useful back-ups in a “Cloud Computing” environment must be considered and tested especially when we talk about time frames of 7 plus years.

Through the looking Glass:

As we move forward with “Computing in the Cloud, applications that traditional have been un-economically for a small business or middle sized business are now available. Business can very much benefit from “Computing in the Clouds”, but need to weigh the Confidentiality, Integrity and Availability issues that can impact their business.

Let’s focus on three general states of data both from a compliance perspective of financial data and of Human Resource private data at least from a basic security perspective.

1. Safe guarding of Data on the Move
2. Protecting Data when in use of the Application
3. Safe guarding of Standing Data
4. Retention of Data
5. Ownership of Data

Safe Guarding Data on the Move

As a minimum we need to encourage the Cloud Computing Service Providers to provide the capability to ensure you can connect via VPN to their Data centers. Additionally, end points need to be protected (A.1, A.2) and (C.1, C.2) by the next generation of secured sign-on.

Protecting Data when in use of the Application

As part of the Confidentiality, Integrity and Availability of both the Cloud Computing Providers (CCPs) Applications and the processing of the data, a number of items need to be covered. The CCPs must work to ensure that no malicious code is inserted into their applications, that the data is secure, and the data as used by the applications is erased after the applications are closed and appropriate viruses, spam, and other malicious code is blocked by their UTM’s.

Safe Guarding Standing Data

With the ability to Data Warehouse a clients data, both access to this data must be controlled by the next generation of access control to ensure authorized users of the dat. Additionally encryption of standing data needs to take place, to minimize compromises of the data, through intentional or un-intentional events.

Retention of Data

With the requirement to keep data for multiple years due to legal compliance issues we need to insure that software applications are backward compatible from the CCP, and or the data owners store the data on their own site in a general compatible format.

Ownership of Data

What is obvious to a business consumer may not be obvious when the fine print is read from the “Computing in the Cloud” service provider. Contracts need to be digested and the fine print read to ensure the data that is yours, remains your, and does not explicitly or implicitly become the property of the “Computing in the Cloud” service provider.