Home

News

Trust and confidence in cloud privacy

by Elizabeth Gasiorowski-Denis on
ISO News feeds (RSS)
The use of cloud computing is soaring, and by 2016 this growth will increase to become the bulk of new IT spend, according to Gartner, Inc. But as more and more information on individuals and companies is placed on the cloud, concerns are being raised about just how safe an environment it is.

It’s big, if the numbers pan out. According to analyst firm Gartner (2013), the marketplace for cloud computing will grow 18.5 % to USD 131 billion in 2017 from USD 111 billion in 2012. What’s more, 2016 will be a defining year for cloud, as the cutting-edge technology will just get more sophisticated in the next few years.

Growing concerns

Yet, despite the rapid escalation of cloud services use, many remain hesitant. Worse, there are some who refuse to adopt any cloud-based applications at all, citing security and privacy concerns, operational challenges or the inability to control information once it leaves the perimeter. According to a 2014 global study from BT, data security and trust in cloud-based services are a cause for unease among IT decision makers within large organizations. In fact, the study showed that security was the main concern for as many as 76 % of those surveyed when using cloud-based services. Almost half of respondents (49 %) admitted that they are “very or extremely anxious” about the security implications surrounding the cloud.

Even while 79 % of those surveyed in the US (70 % glo­bally) are still adopting cloud storage and Web applications within their business, it is clear that confidence around cloud security is at an all-time low.

No need to panic!

Such genuine fear for the safety of one’s most precious cloud-stored assets, such as personal information, is absolutely understandable but also largely overstated.

A specialist in cloud computing law at global law firm Covington & Burling, Maria-Martina Yalamova, says that, frequently, reputable cloud service providers offer much greater security than individuals or enterprises can achieve on their own. “These providers invest significant resources in ensuring that their systems utilize state-of-the-art security measures, and routinely stress-test and strengthen these measures. Many comply with international security standards and are subject to contractual and legal/regulatory obligations to keep data secure and private. And they offer customers a range of privacy controls to protect their data, depending on the type of data involved.”

The cloud story has moved on from the early days. As with any technology or delivery model, the embryonic stages bring fear, uncertainty and doubt. Remember, too, that it wasn’t so long ago when we wondered if PCs would be able to withstand the onslaught of security threats they faced.

The same is true of cloud, according to Knut Blind, Professor of Standardization at the Rotterdam School of Management and Innovation Economics at the Technische Universität Berlin, sponsored by Fraunhofer Fokus. He believes times have most certainly changed when it comes to security and associated fears.

Migrate with confidence

The growing marketplace of cloud computing

Fact is, not all clouds are created equally, and the quality of service and support can differ dramatically from provider to provider.

The overarching problem here is trust. By improving trust, people and businesses will be more likely to embrace the benefits of cloud computing, such as lower costs and improved scalability and deployment times. The thing is, this level of confidence can only be built if the type of data is taken into consideration when planning any uptake of cloud.

Prof. Edward Humphreys, Convenor of the ISO working group responsible for information security management standards including ISO/IEC 27001, ISO/IEC 27002 and the cloud security standard ISO/IEC 27017, believes that creating a climate of trust is the most important prerequisite when outsourcing IT. “Companies need to have assurance in the underlying cloud provider.

“Many users may not understand that they need to select a cloud service provider that has good governance over the processing of personal data; and those that do know this may have difficulty knowing how to verify that good governance is in place. This situation can lead to increased risks for the protection of personal data.”

So what can be done? Certainly cloud service providers should take action to improve their customer confidence, says Humphreys. In practice, this means: “A cloud service provider needs, as part of its governance process, to have a system of controls in place that specifically addresses the protection of personal data. Starting with a data processing agreement, which outlines the governance process and important issues that may be relevant to meeting their legal obligations, will help customers have confidence in selecting the right cloud service provider. Demonstrating compliance to ISO/IEC 27001, extended with controls on the protection of personal data from ISO/IEC 27018, can add a further level of customer confidence.”

Prof. Knut Blind agrees: “With more and more individuals using cloud services, cloud providers must offer well-designed and user-friendly security controls. Businesses have to set up appropriate information security management systems.”

Secure cloud service

So don’t let hype and trust derail you from embracing the cloud.

So how can companies create a standard service level agreement for cloud services? How can they make better-informed decisions when assessing whether to use a cloud computing solution and which solution best meets their business needs?

Published in 2014, ISO/IEC 27018 is the first International Standard that focuses on protection of personal data in the cloud. Although only a few months old, the new standard should finally give cloud users confidence that their service provider is well-placed to keep data private and secure.

Yalamova adds, “ISO/IEC 27018 specifies certain minimum types of security measures that cloud providers should adopt, if applicable, including encryption and access controls. The cloud standard also requires cloud providers to implement security awareness policies and make relevant staff aware of the potential consequences (for staff, the cloud provider and the customer) of breaching privacy and security rules.”

As the first-ever standard that deals with the protection of personal data for the cloud, ISO/IEC 27018 has the following key objectives:

  • Help cloud service providers that process personally identifiable information to address applicable legal obligations as well as customer expectations
  • Enable transparency so customers can choose well-governed cloud services
  • Facilitate the creation of contracts for cloud services
  • Provide cloud customers with a mechanism to ensure cloud providers’ compliance with legal and other obligation

In a nutshell, ISO/IEC 27018 provides a practical basis to induce confidence in the cloud industry. At the same time, the public cloud industry will have clear guidance in order to meet some of the legal and regulatory concerns of its clients. What’s not to like?

Bringing order to cloud chaos

The more quickly users can trust to use the cloud correctly (with full security precautions in place), the better for business and data, and their company’s profitability as well. And there has already been a big improvement thanks to ISO/IEC 27018 as cloud providers have taken more security precautions for their clients’ data.

Of course, we as individuals are also expected to assess the benefits, risks and implications for privacy when considering a cloud computing service. And, let’s not forget to take responsibility for keeping our personal data safe, for example by choosing strong passwords and by double-checking that the cloud provider we choose has adopted appropriate security measures and remains transparent about its data processing practices.

So don’t let hype and trust derail you from embracing the cloud – the savings and business utility is much too important to pass up.

Have you been a victim?

Victim of cloud cybercrime? Don’t despair. You’re not alone.

According to Maria-Martina Yalamova, a lawyer who specializes in data privacy at law firm Covington & Burling, there are a number of remedies :

  1. The first step will be to investigate the intrusion, and then monitor how and where the data is being used, predicting next steps where possible.
  2. The precise remedies will vary according to local law, but often bad actors are best dealt with by the police, to whom information about the relevant individuals can be provided. Bad actors may not respond to civil measures (such as cease-and-desist measures, or court orders).
  3. Once a bad actor is identified, it might also be possible to seek compensation from them. Whether the benefits of doing so would outweigh the costs will depend on the circumstances of the case.
  4. Lastly, the individual and his/her advisors should bear in mind that an over-the-top response risks drawing public attention to the intrusion, further eroding the victim’s privacy.
Courtesy of Maria-Martina Yalamova