Rethinking Privacy and Cloud Computing
A predominantly cloud-based architecture is the future for most enterprises. The question is how to best balance privacy and security with cost and business risk.
Privacy--or the lack thereof--accounts for many of the headlines grabbing readers attention on Internet use and cloud computing, in general. Recent coverage includes: Facebooks URL referrer and application issues, where personal data is/was shared without user transparency, and Googles referrer data leaks that prompted a former FTC employee to file a complaint with the FTC. Formal responses from Facebooks and Googles CEOs havent given users or businesses much comfort. Googles Schmidt infamously took a less than serious view of lost privacy when he suggested people change their names if poor privacy controls and teenage oversharing lead to problems when they reach adulthood. Facebooks Zuckerberg emphasizes the benefits of sharing information in a social context, but skirts the topic of potential negative impact from sensitive data exposure.
Theres also little doubt that for most organizations a predominantly Cloud-based architecture is the future. Whether an enterprise opts to go Cloud for messaging and backup (ex: Exchange Hosted Services, SkyDrive, and Gmail), select services (ex: Salesforce and Lawson Enterprise Management Systems) or all messaging and productivity applications (ex: Google Applications for Enterprise (GAPE) and Education, Microsoft Office 365/BPOS), core privacy concerns persist because sensitive data exists in all of the above models. Enterprises can opt to put only low-sensitivity data in the Cloud, but this limits Cloud utility, as well as increases complexity, since some controls will be required to ensure medium and high-sensitivity data is not sent to the Cloud by accident.
To gain some clarity on the Cloud privacy issue, it is helpful to break down the exposure use cases into three categories. This is because one of the problems when discussing privacy in the Cloud is the conflation of multiple types of exposure use cases into a single bucket of privacy concerns. Lumping these use cases together does a disservice to enterprises analyzing the business risk associated with moving to the Cloud because there is not a clear differentiation between privacy and security aspects that enterprises have complete or partial control over from those which are beyond their control. With that, lets rethink privacy in the Cloud using the following three categories:
1. Unintentional user-driven data leaks
2. Lack of controls or protections from the Cloud provider
3. Intentional data leaks for monetary gain
Unintentional, user-driven data leaks
This use-case addresses the ease with which users themselves expose their own private information. Who hasnt read a Facebook post or Twitter tweet that the author clearly intended to be private but which was broadcast to hundreds or thousands or readers? User-controlled exposure is not the same as non-transparent sharing of data, but it does amp up fear and adrenaline for many.
Since many companies are asking employees to interact with a broader community using blogs, Facebook, and Twitter, theres a legitimate business concern regarding proper use. However, these kinds of unintentional exposures can, for the most part, be addressed with proper employee training and acceptable use policies. That doesnt mean the exposure window isnt real, simply that companies themselves can take action to close the window themselves.
Lack of controls or protections from the cloud provider
A bigger concern is inadequate controls within the Cloud providers infrastructure. These controls can be founded in process; for example David Barksdale, the Google employee that accessed users Gmail and GTalk accounts was not properly monitored and invaded customer privacy for weeks or months before being dismissed.
Inadequate controls can also be more technical in nature; for example, if a provider does not have HA (high-availability) backup support or the ability to failover to another geographic location in case of a massive long-term power outage or earthquake. Another technical concern is basic access control within the Cloud providers network. A few years ago, Salesforce.com was at the root of a series of targeted spear phishing attacks after an employee fell for a phish, shared his or her password, and attackers were able to steal customer contact lists without be stopped by Salesforce.com access control or monitoring and prevention solutions.
The level of controls and protections that a Cloud provider offers is of high importance, and as such there needs to be transparency regarding practices, controls, and policy available to the customer. Before signing or accepting an agreement with a Cloud provider, enterprises should ask to see proof of controls both types of controls and operation of them, review (or conduct) audits, and even write in financial protections into the contract - in the case of breach of data, for example. Completing due diligence on provider controls is time-consuming, but enterprises that fail to complete this work do so at their own risk for privacy leaks.
Intentional data leaks for monetary gain
This use-case is perhaps the most concerning because it is accomplished transparently to the end-user and even careful due-diligence may not fully expose the practice. As noted earlier, both Facebook and Google have been called up on dubious privacy leaking practices in the past few weeks. But they are not alone Android (a smartphone platform from Google) and Twitter have also recently come under fire for oversharing. In the Android case, researchers at Duke and UPenn showed that many Droid apps were sending sensitive and private information to marketers without the users express permission. Twitter came under scrutiny for its permission security framework, especially with regards to its recent implementation of OAuth. Some apps, like Twifficiency, automatically Tweet information without express user permission. And many Twitter apps have complete access to DMs (direct messages) that users thought were private.
The issue here is not a lack of awareness on the part of users it is that applications in the Cloud are sharing information without user or enterprise consent. It feels a little like the deny and imply trope used at the ARA (American Restoration Authority) security checkpoints in Gary Shteyngart's Super Sad True Love Story.
Both sides need to take responsibility
As Cloud users, enterprises and their employees have a responsibility to act as good citizens in regards to privacy of their own (and others) information. Learning the difference between broadcasting information and sharing with only a select, known few is a start. Performing thorough due diligence on a provider and requesting on-going audits and updates on controls is another. But providers need to be transparent about how theyre using personal or private data. Transparent, meaning it is easy for users to understand where and how their data is being shared and the ability to take action to prevent the sharing if desired. Burying a tacit agreement on page 13 of a EULA and the controls to change settings 10 screens deep is purposefully deceptive. Weve got a responsibility to ensure data safety in the Cloud, but providers have a responsibility to let users and enterprises know when theyre using our information to hop on the marketing gravy train and selling sensitive information to other vendors and advertisers.
What They Know: Web site Exposure Index Joint project between The Wall Street Journal and privacychoice.org
NIST: Cloud Computing Group
FedRAMP: Federal Risk and Authorization Management Program focused on cloud computing.
Diana Kelley is a partner at IT research and consultancy firm SecurityCurve and a frequent contributor to eSecurityPlanet.com.
Keep up with cloud security advice; follow eSecurityPlanet on Twitter @eSecurityP.