Before turning to cloud computing applications to conduct business, enterprise executives should think twice about the potential for exposure of corporate secrets or legal liabilities, according to a new World Privacy Forum report.
details the privacy and confidentiality risks that can arise from “sharing or storage by users of their information on remote servers owned or operated by others and accessed through the internet or other connections.”
Enterprise executives must weigh the risks and benefits of cloud computing and analyze both the provider being used and the information being put in the cloud, Robert Gellman, an independent privacy consultant and author of the report told SCMagazineUS.com Monday. Some of the most important issues for companies to consider before engaging in cloud computing are a providers' terms of service, as well as the location and data restrictions on information put in the cloud.
But whether such considerations are taken into account or not, cloud computing will become ubiquitous as employees begin demanding that enterprises use it for productivity reasons, said Peter Evans, director, security strategy and technology integration for IBM ISS.
“Enterprises have to realize the new normal is lots of content, people always on, a lot of information being used for a myriad of reasons -- you can't get past change and innovation,” Evans said.
Yet the technology has evolved faster than privacy laws, which don't address the unique cloud computing privacy challenges.
“We're using older laws to protect newer business concepts,” Evans told SCMagazineUS.com Monday.
This is one reason it's critical for business leaders to read the provider's privacy information and the terms of service. In some cases, providers have the right to read -- and make public -- information that is put in the cloud. Because companies might be storing documents that should not be made public, there lot of concerns about what can happen to the information, Gellman said.
Also, information stored in the cloud is much more accessible by a private litigant or the government. The reason? Traditionally, if an enterprise has information in its possession that a government wants, the government must come directly to the owner of the information to get it. But if it's in the hands of a third party, the information potentially could be released without the owner's knowledge. In that scenario, the owner of the information wouldn't have been able to object to the disclosure let alone even know their information has been released.
The location of the cloud provider is also an important consideration, Gellman said. If, for example, the cloud provider is located in the European Union, the data could be permanently subject to EU laws. Within the U.S., this same issue applies to different states where privacy laws vary.
“A company needs to be very cautious to allow employees to make ad-hoc decisions to use cloud computing.” Gellman said. “Just because you have two different branches [in two different states], you shouldn't just put stuff into the cloud without thinking about it.”
Putting certain information in the cloud (such as personal information on customers, for example) could result in a violation of a privacy law, Gellman said. For some information, it may not be a big deal, but for other information, a business may be vulnerable.
It may be difficult to determine if the cloud provider is meeting security standards needed to protect certain data. If the cloud applications are provided for free, it might be more difficult getting information on the security of the services. If the cloud applications are paid, an enterprise might be able to negotiate terms of the agreement to make sure the data will be properly protected.
“I think the IT department needs to talk to the lawyers first and figure out where the vulnerabilities are,” Gellman said.
The report did not analyze particular cloud computing providers or give any a "stamp of approval," Gellman explained. This was due to both the enormity of the task, as well as because ultimately it's a company's job to make that determination itself.
Encrypting data that is put in the cloud might solve many of the data privacy issues. But on the down side, it might make it harder to access the data, Gellman said.
“It all depends on who you are, what kind of data you have and what the cons of putting that data in the cloud [are],” Gellman said.
Companies should work with providers that understand the privacy issues of cloud computing, advised Evans. Users should ask providers what sort of security, privacy, and data protection assurances they can provide. Are they PCI certified, for example? Are they encrypting, isolating and separating data? Do they have intrusion prevention mechanisms and authentication controls in place? Are they using logging systems?
“Do the same due diligence on the cloud provider as you do on your own business to make sure you're secure,” Evans said.