Can anyone access the data that you trust to the safekeeping of a cloud-computing vendor? It’s a good question, made all the more relevant by the revelations regarding the National Security Agency’s Prism program. So how can you best address these issues in your contract with your cloud vendor?
With cloud computing, data access is inevitably a shared responsibility between the customer and the cloud vendor. Those shared responsibilities need to be addressed in the contract, and most cloud vendors’ standard contracts leave something to be desired.
Who is Currently Using Cloud Storage?
A recent poll stated that 86% of companies not only use extensive cloud storage systems but multiple cloud storage systems. The survey consisted of companies from 80 different countries and collected data from as far back as 2005, before cloud storage became a hot-button issue. 30% of businesses have 1 storage account, 16% have 2, 12% have 3, 8% have four, and 19% have five or more (with 13% having 0 accounts).
So what does this mean? It means that most companies either trust cloud storage enough to incorporate it significantly in their data storage efforts or that the benefits of cloud storage are so great that it’s worth the risk. Nevertheless, the trend is not stopping. Cloud usage has seen an exponential rise every year since 2009.
So although safety seems to remain a concern, despite the guidelines and practices put forth by experts in the field, big companies are still investing resources in acquiring and developing the storage platform. It means that cloud optimisation and security will mimic the rise in its popularity.
Who Has Access?
Whether you like it or not, storing data in the cloud means someone else gets to see and even access it (unless you go for a zero-knowledge provider, that is).
In cloud computing, you move your data, applications, and processes into third-party domains that you then access remotely. Whomever you entrust your data to will, therefore, be able to see it, and that’s a fact you have to accept.
Your hosting provider is responsible for the storage and safety of your data. While we can safely say that most of the employees can be trusted to do their work professionally, there will always be the bad apples that will either lose or steal your data.
Disgruntled employees pose a threat as they will sometimes look for ways to get back at their employers. The higher up the ladder these employees are, the greater the risk they pose to your data.
All you can do is look for a reliable provider. However, know that even the better cloud storage providers can have rogue employees.
Then there are the ex-employees that have left but still hold a grudge against their former employers. They could try to get back at them from the outside by going after your data.
Contractors working for your hosting provider could also be allowed to handle your data. This adds one more circle of people who could take your data and thus increases the risks you will have to face.
Whenever possible, opt for a self-reliant hosting provider, one that handles all aspects of your data’s storage internally.
People don’t necessarily need to have worked for either you or your hosting provider to want to steal your data. External hacking and malware attacks are on the rise, with significant data breaches grabbing headlines almost every week.
The fact remains that many countries in the world have their citizens’ data under scrutiny. Your data won’t avoid those prying eyes either; if they set out to track your online activities, they will get to it. There’s nothing much you can do in this case. With governments controlling national digital grids, they pretty much have free rein regarding their citizens’ data.
While the cloud vendor is responsible for providing the customer with access to its data, the cloud vendor should also be contractually obligated not to share the customer’s data with others, intentionally or not. This may seem obvious, but there are nuances to be addressed in the following areas:
To provide the service you contract for, some of the cloud vendor’s employees will likely need to have access to your data. You want to ensure that this access is kept to the minimum degree necessary, so the contract should address:
- Which vendor employees will have data access.
- Whether access is on a “least-privilege” and “need-to-know” basis.
- Whether those privileges are promptly and adequately rescinded when employees leave the vendor or move into a different role at the vendor.
- How access is granted.
- Whether access is logged, monitored, or analysed.
Let’s take a look at how one vendor addresses this issue by reviewing Dropbox’s Terms of Service Security Overview. (I will use examples from Dropbox’s standard contract, not to pick on that company, but because its terms are reasonably representative of the industry.) The overview states, in part.
Unintentional External Access
Since your cloud vendor will be storing and/or processing your data on its infrastructure, the vendor should be obligated to take appropriate and specific steps to ensure that it has deployed adequate measures to secure it against hackers and other external threats.
Dropbox’s Terms of Service state:
You, and not Dropbox, are responsible for maintaining and protecting all of your stuff. Dropbox will not be liable for any loss or corruption of your property.
We follow generally accepted standards to protect the information submitted to us, both during transmission and once we receive it. No method of electronic transmission or storage is 100% secure, however. Therefore, we cannot guarantee its absolute security.
A bit fuzzy on the details. And most folks don’t expect “absolute,” but how about guaranteeing some “reasonable” level of security? The Terms of Service Security Overview do go on to at least provide this assurance:
We encrypt the files that you store on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data.
Still, hardly the degree of detail or assurance that a customer would want regarding any sensitive data.
Intentional External Access
We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to
- (a) comply with a law, regulation, or compulsory legal request;
- (b) protect the safety of any person from death or serious bodily injury;
- (c) prevent fraud or abuse of Dropbox or its users;
- (d) to protect Dropbox’s property rights.
If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not decrypt any files that you encrypted before storing them on Dropbox.
This hardly gives the impression that the vendor will be a strong defender of its customer’s rights. The focus seems more on the vendor’s unilateral protection of itself and its rights. It’s especially problematic when it advises that it will also chuck out its previously highlighted encryption measures as part of the bargain. But it’s kind of the vendor to (with a nod and a wink) advise that customers can always encrypt their data before sharing it with the vendor to avoid any unwanted access.
Customers have their work cut out for them in negotiating improved contract language on these issues. But for sensitive customer data and business-critical functions in the cloud, such effort will be well worth it in the long term.
When using (public) cloud services, the organisation will need to revise its control measures to maintain the required level of security. Whilst security risks may well decrease by transferring selected services to the cloud, they are likely to increase in specific areas such as IAM. To minimise the risk, it is necessary to set up the IAM framework properly. Implementing the changes required to IAM in a cloud environment is critical to providing an adequate level of confidence and guaranteeing security.
Because some IT resources are no longer contained in the organisation itself, several questions arise in the IAM domain. Even though liability remains with the organisation utilising the services, keeping control of the IAM processes is more difficult because these are often part of the cloud provider’s domain. For user management, organisations must verify whether the cloud provider takes over changes to user data. Organisations must also comply with company, national and international laws and regulations concerning personal information.
When considering authentication, it is essential that the authentication methods and requirements used match those of the cloud provider. Furthermore, the authorisation models should align so that the correct rights are granted to the authenticated users.
The processing of both authorisations and authentications must be timely and accurate for the partnering organisations to have confidence in the actual use of cloud services. Finally, the monitoring and auditing processes must meet the requirements of the applicable security policies.
Several options are available for managing identity and access to cloud services. Firstly, the IAM framework can be connected with the cloud provider. The customer itself maintains users and their rights and propagates them to the cloud provider.
It may be possible to automate this process. Identification and authentication occur in the cloud provider domain. A second option is to allow the cloud provider to support the customer’s IAM framework. The use of this trusted relationship makes it unnecessary to propagate users to all cloud providers. In addition, identification and authentication occur locally. A third option is to use an IdSP. This is a third party that is trusted by both customers and cloud services providers and validates the identity of users. The last option is to outsource the entire IAM stack and consume IAM as a cloud service altogether.
Which option is the most suitable depends on the IAM requirements of the organisation and the type and number of cloud services consumed. The IAM framework should be established appropriately before cloud services are utilised to minimise risk exposure. Furthermore, it is essential to align the IAM framework with the cloud landscape to allow practical cooperation with the cloud provider and adequate security safeguards.
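With the first option, where the customer keeps users and rights and propagates them to the cloud provider, the propagation has to be checked so that leavers and role changes are processed on time. The reconciliation check below is an added example, not part of the original article or any vendor's code; the directory layout, user names and role names are constructed assumptions.

```python
from datetime import date

TODAY = date(2024, 1, 15)  # fixed so the constructed sample is reproducible

# Constructed sample: the customer's authoritative directory (HR / IdP export).
DIRECTORY = {
    "alice": {"active": True, "roles": {"storage.read", "storage.write"}},
    "bob": {"active": False, "left": date(2024, 1, 2), "roles": set()},
    "carol": {"active": True, "roles": {"storage.read"}},  # changed role internally
    "dave": {"active": True, "roles": {"storage.read"}},   # joiner, not yet propagated
}

# Constructed sample: accounts as the cloud provider reports them.
CLOUD = {
    "alice": {"enabled": True, "roles": {"storage.read", "storage.write"}},
    "bob": {"enabled": True, "roles": {"storage.admin"}},
    "carol": {"enabled": True, "roles": {"storage.read", "storage.admin"}},
    "eve": {"enabled": True, "roles": {"storage.read"}},   # never in the directory
}


def reconcile(directory, cloud, today=TODAY):
    """Return sorted (action, user, detail) tuples that bring the cloud in line."""
    actions = []
    for user, acct in cloud.items():
        src = directory.get(user)
        if src is None:
            if acct["enabled"]:
                actions.append(("disable", user, "orphan: not in directory"))
        elif not src["active"]:
            if acct["enabled"]:
                overdue = (today - src["left"]).days
                actions.append(("disable", user, f"leaver: {overdue} days overdue"))
        else:
            extra = acct["roles"] - src["roles"]      # rights beyond need-to-know
            missing = src["roles"] - acct["roles"]    # rights not yet propagated
            if extra:
                actions.append(("revoke", user, ",".join(sorted(extra))))
            if missing:
                actions.append(("grant", user, ",".join(sorted(missing))))
    for user, src in directory.items():
        if src["active"] and user not in cloud:
            actions.append(("create", user, ",".join(sorted(src["roles"]))))
    return sorted(actions)


if __name__ == "__main__":
    for action in reconcile(DIRECTORY, CLOUD):
        print(*action, sep="\t")
```

Run on a schedule against the provider's account export, the "disable" and "revoke" rows are the ones to alert on, since they represent access that outlived its justification.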
Cloud Security – Who Owns The Data?
Chances are, if you use a modern smartphone, a great deal of your personal information is stored on the cloud. That could be a mixture of photos, your music library, emails sent to loved ones, and records of search engine activity.
Strip away the ethereal ‘cloud’ moniker, and the reality of where such data is physically stored can be somewhat concerning for many. The cloud is simply a collection of servers housed in massive, acre-filling complexes and owned by some of the world’s largest corporations. This essentially means that our data sits on computers we don’t have access to.
Microsoft, Amazon, and Apple have all invested considerable sums in creating homes for our data. The result is a convenient, portable service and reduces the need for expensive hardware in our homes. That precious photo of your son blowing the candles out on his birthday cake for the first time is suddenly accessible on all of your devices, no matter where you are.
The same benefits can be felt in business. With organisations increasingly moving file storage to the cloud, staff can now access critical information in an instant, anywhere on the planet. But with such data often being highly confidential, it begs one simple question: who owns it?
The Importance Of The Contract
When it comes to cloud data, the contract between the company providing the storage service and the client is of paramount importance. A clear distinction should be made between the provider’s right to store and process the data and the ownership retained by the customer.
Here are three examples that set just the right tone:
- Office 365: “You own your data and retain all rights, title, and interest in the data you store with Office 365. You can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.”
- Amazon Web Services (AWS): “Other than the rights and interests expressly outlined in this Agreement, and excluding Amazon Properties and works derived from Amazon Properties, you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.”
- Google: “Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.”
The word ‘your’ should be used judiciously within such contracts and a tone set that puts the provider strictly in the role of enabling storage and data access – nothing more.
How To Retain Ownership Of Cloud Data
- Read every term and condition from the provider to ensure they follow the examples set above.
- If you’re a business considering storing highly confidential information on the cloud, it is advisable to take legal advice before choosing a partner to ensure the legal framework surrounding the data storage is clear.
- Never stop backing up locally. Your stuff may be on the cloud, but if the provider goes under, you could lose everything if you don’t have a local copy.
- Ensure that your chosen cloud partner fully encrypts your data and uses end-to-end encryption when transmitting it.
- Check the location of where your data will be stored. If in a foreign country, ensure their data regulations match up with your own.
Thankfully, we only have to look at Microsoft, Google, and Amazon for confirmation that one of the essential elements of cloud security is retaining data ownership.
You own your data. Businesses hold their data. Any cloud storage service provider should set out within its terms and conditions that this is the case, and if there is ever any doubt or ambiguity, alternatives should be sourced or legal assistance called upon.