Issues with storing Data in the Cloud
Moving an application into the cloud offers numerous benefits but it is fraught with security issues. While many of these security issues are related to moving an entire application into to the cloud, this post will focus on issues related to moving an application’s data into the cloud. This outsourcing of data into a Cloud Computing environment is one of the biggest concerns for technology decision makers. A recent study from CIO magazine found that 50% of CEOs said data safety was one of their biggest worries when considering a move to the cloud. Additionally, a Cloud Computing cyber-security survey found that 70% of technology decision makers for the government were very concerned about data security. This post will detail three categories of data related security concerns: privacy, compliance, and legal.
When a company stores data on another company’s hardware, they lose some degree of control over that data. In addition, data stored in the cloud is much easier for the government to obtain than the data stored by a company, because a lower legal standard applies (23). For these reasons, access to the data must also be controlled due to privacy issues. While there are legal and privacy requirements, there is also the chance of cloud provider espionage when the data includes trade secrets or proprietary marketing data.
A multitude of laws and regulations have forced specific compliance requirements onto many companies that collect, generate or store data. These policies may dictate a wide array of data storage policies, such as how long information must be retained, the process used for deleting data, and even certain recovery plans. Below are some examples of compliance laws or regulations.
- In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires a contingency plan that includes, data backups, data recovery, and data access during emergencies.
- The privacy laws of Switzerland demand that private data, including emails, be physically stored in the Switzerland.
- In the United Kingdom, the Civil Contingencies Act of 2004 sets forth guidance for a Business contingency plan that includes policies for data storage.
In addition to regulatory compliance obligations, there may be additional legal responsibilities related to the storage of data. In a virtualized Cloud Computing environment, customers may never know exactly where their data is stored. In fact, data may be stored across multiple data centers in an effort to improve reliability, increase performance, and provide redundancies. This geographic dispersion may make it more difficult to ascertain legal jurisdiction if disputes arise. Some additional legal issues may result from contractual obligations that cloud customers may have with their own end customers. In addition, since the data is residing on the server of another company, it is possible that intellectual property rights will be affected.
The responsibility to protect against data breaches is now shared by the hosting company and the consumer. The integrity of the data must be protected, a viable disaster recovery program must be in place, and manipulation of the data must be controlled. By spreading this responsibly to multiple organizations (cloud vendor, and cloud consumer), the legal issues may become unclear.
The legal issues are not confined to the time period in which the cloud based application is actively being used. There must also be consideration for what happens when the provider-customer relationship ends. In most cases, this event will be addressed before an application is deployed to the cloud. However, in the case of provider insolvencies or bankruptcy the state of the data may become blurred.
Provider Lock In
Storing data in the cloud opens the cloud consumer to the possibility of lock-in with the Cloud Computing provider. The cloud may store data in a proprietary format that cannot be assessed without the cloud. Thus, if a cloud goes out of business, some user data may no longer be accessible. While this is not directly a security issue, it may have implications with legal and compliance issues, which fall into the security category.
To summarize, moving proprietary data from the enterprise data center into the cloud brings with it a set of unique data security related challenges. These challenges are not simply theoretical exercises; instead, they can have real world consequences. In March 2010, Yale University decided to postpone a decision to adopt Google Apps for Education, citing privacy concerns. Among the reasons given was the fact that data may be stored in other countries, subject to foreign law. In addition, there were concerns related to intellectual property rights. In order to increase the viability of Cloud Computing, a method for overcoming these data security related issues must be devised.