Privacy and Its Relation to Cloud-Based Information Systems 149
Financial information (bank and credit/debit card account numbers,
purchase history, credit records)
Online activity (IP address, cookies, flash cookies, log-in credentials)
A subset of personal data is defined as sensitive and requires a greater
level of controlled collection, use, disclosure, and protection. Sensitive data
includes some forms of identification such as Social Security number, some
demographic information, and information that can be used to gain access
to financial accounts, such as credit or debit card numbers and account
numbers in combination with any required security code, access code, or
password. Finally, it is important to understand that user data may also be
personal data.
5.4.1 Privacy Risks and the Cloud
Cloud computing has significant implications for the privacy of personal
information as well as for the confidentiality of business and governmental
information. Any information stored locally on a computer can be stored in
a cloud, including email, word processing documents, spreadsheets, videos,
health records, photographs, tax or other financial information, business
plans, PowerPoint presentations, accounting information, advertising campaigns,
sales numbers, appointment calendars, address books, and more.
The entire contents of a user’s storage device may be stored with a single
cloud provider or with many cloud providers. Whenever an individual, a
business, a government agency, or other entity shares information in the
cloud, privacy or confidentiality questions may arise.
A user’s privacy and confidentiality risks vary significantly with the
terms of service and privacy policy established by the cloud provider. For
some types of information and some categories of cloud computing users,
privacy and confidentiality rights, obligations, and status may change when
a user discloses information to a cloud provider. Disclosure and remote storage
may have adverse consequences for the legal status of or protections for
personal or business information. The location of information in the cloud
may have significant effects on the privacy and confidentiality protections of
information and on the privacy obligations of those who process or store the
information. Information in the cloud may have more than one legal location
at the same time, with differing legal consequences. Laws could oblige
a cloud provider to examine user records for evidence of criminal activity
and other matters. Legal uncertainties make it difficult to assess the status of
Chap5.fm Page 149 Friday, May 22, 2009 11:25 AM
150 Cloud Computing
information in the cloud as well as the privacy and confidentiality protections
available to users.
5.4.2 Protecting Privacy Information
The Federal Trade Commission is educating consumers and businesses
about the importance of personal information privacy, including the security
of personal information. Under the FTC Act, the Commission guards
against unfairness and deception by enforcing companies’ privacy promises
about how they collect, use, and secure consumers’ personal information.
The FTC publishes a guide that is a great educational tool for consumers
and businesses alike, titled “Protecting Personal Information: A Guide for
Business.” [10]
In general, the basics for protecting data privacy are as follows,
whether in a virtualized environment, the cloud, or on a static machine:
Collection: You should have a valid business purpose for developing
applications and implementing systems that collect, use, or
transmit personal data.
Notice: There should be a clear statement to the data owner of a
company’s/provider’s intended collection, use, retention, disclosure,
transfer, and protection of personal data.
Choice and consent: The data owner must provide clear and
unambiguous consent to the collection, use, retention, disclosure,
and protection of personal data.
Use: Once it is collected, personal data must only be used (including
transfers to third parties) in accordance with the valid business
purpose and as stated in the Notice.
Security: Appropriate security measures must be in place (e.g.,
encryption) to ensure the confidentiality, integrity, and authentication
of personal data during transfer, storage, and use.
Access: Personal data must be available to the owner for review
and update. Access to personal data must be restricted to relevant
and authorized personnel.
Retention: A process must be in place to ensure that personal data
is only retained for the period necessary to accomplish the
intended business purpose or that which is required by law.
10. http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf, retrieved 27 Feb 2009.
Disposal: The personal data must be disposed of in a secure and
appropriate manner (i.e., using encryption disk erasure or paper
shredders).
Particular attention to the privacy of personal information should be
taken in a SaaS and managed services environment when (1) transferring
personally identifiable information to and from a customer’s system, (2)
storing personal information on the customer’s system, (3) transferring
anonymous data from the customer’s system, (4) installing software on a
customer’s system, (5) storing and processing user data at the company, and
(6) deploying servers. There should be an emphasis on notice and consent,
data security and integrity, and enterprise control for each of the events
above as appropriate. [11]
5.4.3 The Future of Privacy in the Cloud
There has been a good deal of public discussion of the technical architecture
of cloud computing and the business models that could support it; however,
the debate about the legal and policy issues regarding privacy and confidentiality
raised by cloud computing has not kept pace. A report titled “Privacy
in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing,”
prepared by Robert Gellman for the World Privacy Forum, provides
the following observations on the future of policy and confidentiality in the
cloud computing environment:
Responses to the privacy and confidentiality risks of cloud computing
include better policies and practices by cloud providers,
more vigilance by users, and changes to laws.
The cloud computing industry could establish standards that
would help users to analyze the difference between cloud providers
and to assess the risks that users face.
Users should pay more attention to the consequences of using a
cloud provider and, especially, to the provider’s terms of service.
For those risks not addressable solely through policies and practices,
changes in laws may be needed.
11. Further details on privacy guidelines for developing software products and services can be
found at http://www.microsoft.com/downloads/details.aspx?FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f&displaylang=en.
Users of cloud providers would benefit from greater transparency
about the risks and consequences of cloud computing, from fairer
and more standard terms, and from better legal protections. The
cloud computing industry would also benefit. [12]
5.5 Chapter Summary
In this chapter, we covered the importance and relevance of federation, presence,
identity, and privacy in cloud computing. We covered the latest challenges,
solutions, and potential future for each area. Combined with the
standards for cloud computing, the concepts of this chapter are the glue for
the architectural elements that make the cloud a highly distributed, reliable,
flexible, and cost-efficient functional medium in which to conduct business.
The number-one concern and challenge concerning cloud computing and
services is security. It is a critical element of cloud computing and is associated
with the other areas discussed in this chapter. In the next chapter, we
will discuss the latest security vulnerabilities, challenges, and best practices
for security in the cloud.
12. http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf, 23 Feb 2009,
retrieved 28 Feb 2009.