Information Security professionals have understood for a long while that the big cloud vendors, with their extensive resources, are well placed to carry out the research and development required to ensure that security standards, controls and tools required to implement and manage security are continuously improved. This, together with the increasing availability and acceptability of ‘software as a service’ platforms to support core corporate functions and cost models that are better understood and more manageable is proving to be far too attractive for many organisations and necessary for others. Even within conservative sectors such as legal, defence and healthcare - not including wellness - the pace of cloud migration, or at least intended migration, continues to accelerate.
There are organisations that are still early in the cloud adoption curve. For those that are being forced to move at an uncomfortably fast pace the operational benefits to be gained can be overshadowed by the never-ending reports of data breaches suffered by organisations that have already made the move.
Whilst Information Security teams focus on preventing unauthorised access to data, for privacy professionals the bigger concern is mitigating against the possible misuse of their customer’s data. More specifically, privacy teams want to focus on the way in which data is collected, processed, managed and shared with known and possibly, unknown participants. With this knowledge they can plan and take steps to ensure that their data processing activities remain compliant with the many laws that their organisations are subjected to.
Privacy in the Cloud – What Changes?
Hidden behind the physical and technological security barriers that cloud providers have to create and with an added layer of contractual safeguards, the manner in which data collection and processing is carried out in the cloud does not lend itself to in-depth audit. Trust in the certifications issued by standards organisations and statements of compliance provided by third party auditors is, to a large extent, all the information that privacy teams have when developing their privacy risk management plans. At the same time there is still much scepticism that cloud vendors and their solution providers can be trusted with corporate data. Whether through deliberate abuse of power or through the fact that data driven innovation inevitably leads to use cases for which regulation either does not exist, or is insufficiently clear, it is the data controllers from whom regulators and customers will seek redress when things go wrong.
Serverless computing? data residency? where exactly are my assets?
Looking past the key issues of data collection and processing, additional complexities arise
with the way in which cloud vendors manage their infrastructure in order to ensure scalability and reliability. Creating inventories of applications and services deployed in the cloud and of the personal data that is processed is one the activities that privacy teams find most challenging. This is made even more so by the increasing use of the serverless computing strategies that cloud providers use to enable on demand allocation of servers and other resources. With this approach cloud customers cannot be sure of where their applications are running at any moment in time. This impacts the ability to create and maintain detailed records of environments in which applications are running. Data residency is similarly impacted and without the most detailed of configurations it is difficult to understand where data is stored for operational or backup purposes.
Extending Cloud Adoption Frameworks to Include Privacy Risk Management
Privacy teams can leverage Cloud adoption frameworks that are published by cloud vendors. By publishing these adoption frameworks vendors hope to provide detailed guidance to support the process of identifying and implementing appropriate business, technology and risk management strategies for moving to the cloud. Initially focused on data security, updates to these frameworks are beginning to provide guidance as to how they can be used to inform decisions for creating privacy risk management in the cloud.
An example of this can be found in an Amazon Web Services security blog - Privacy conscious cloud migration. This describes how their adoption framework can be used with the NIST Privacy Framework to “make better privacy-conscious decisions”. Here, privacy activities recommended in the NIST framework are mapped onto capabilities listed in the AWS adoption framework. Organisations working on an AWS cloud migration strategy can use the NIST framework to implement their privacy strategies and cross reference the AWS adoption framework in order to create a plan that embeds appropriate privacy concepts. An example of part of this mapping is shown below.
IDENTIFY is the part of the NIST Privacy Framework that focuses on building an understanding of the: business privacy objectives, operational environment and potential sources of privacy risk. Key activities involve building detailed inventories of applications, services, personal data used and of the data processing activities that are applied to the data. Many of the key outputs from this part of the NIST Framework map onto capabilities stated within the benefits risk management perspective of the AWS cloud adoption framework and in following this mapping organisations should be able to build a cloud enabled business model in which business and privacy are better integrated.
A Privacy Stack for The Cloud
Security professionals and engineers use the phrase “stack” to describe the combination of technologies, standards, processes and tools required to get the job done. Whilst there may not yet be a clearly defined stack for privacy professionals there are many frameworks and standards that can be referenced for guidance when ensuring that privacy management programs account for additional risks that cloud computing creates. Widely use frameworks include the British Standards Institute’s Personal Information Management System (BS 10012) and the ISO equivalent ISO/IEC 27701.
For cloud specific guidance privacy teams can reference ISO’s Code of Practice for Protecting Personal Data in the Cloud (ISO/IEC 27018) and the Cloud Security Alliance Privacy Level Agreement Code.
ISO’s Code of Practice for Protecting Personal Data in the Cloud (ISO/IEC 27018) is particularly useful because it is cloud specific. Aimed at cloud processors, it is intended to satisfy customers that they meet the necessary security provisions for securing personal data in the cloud. Key provisions focus on obligations to provide customers with information on where their data may be stored, the need to return data on request within reasonable period of time and the need to ensure the secure disposal of personal data when it is no longer required.
The Cloud Security Alliance recently (March 2020) updated their Privacy Level Agreement Code of Practice. This provides cloud providers with a framework for describing exactly what level of privacy protection they are providing.
Although generally speaking cloud customers cannot themselves inspect and verify the inner workings of their cloud vendors, the ongoing development of standards goes someway to providing information required to enable organisations to build privacy strategies that work well in the cloud.