At a Thanksgiving dinner last November, a few of my relatives (none of whom are in the IT, information security or privacy industries) asked what I was writing about. I mentioned that I was looking into the privacy implications of cloud computing. After a brief pause, one of them asked, “Are cumulus more dangerous than cirrus to computers?”

The concept of “cloud computing” is not well known to most folks; not even for the person using a vast number of cloud computing applications, often without his being aware, through his company networks. If they don’t know what they are using, then how can they know the information security and privacy risks involved?

“Cloud computing” emerged over the IT horizon in 2008 to become one of the hot topics of conversation for most IT leaders. For those who may wonder, cloud computing is a nebulous (or should I say cumulous) term used to describe applications that are actually located outside the network perimeter and on other entities’ servers accessible via the Internet. They are very much like silent business partners.

What’s to worry about?
Are those silent business partners ensuring appropriate privacy protections to the vast amounts of personally identifiable information (PII) being entrusted to them? Is there any need to worry? And how does data storge on cloud impact compliance?

While at a recent CSI Annual conference in National Harbour, Maryland, I asked a few executives on security and privacy issues related to cloud computing.

One very smart security vendor said there were no new issues; just issues that needed to be revisited.

So, he had no worries. Is it really that simple?

Another brilliant IT services vendor said that the more she learned the more concerned she became, and that she was sure she still hadn’t heard the worst.

Here are a few of the worries I have with cloud computing as they relate to privacy and information security:

• Who has the access to information that organisations puts on external cloud application and systems servers?
• How does an organisation’s compliance address applicable laws, regulations, and policy change when its information is stored in the clouds?
• How long does information put into the clouds stay in those clouds? Do the clouds have retention policies? Can information be permanently and completed removed from the clouds once it is put there?
• Are there any logs generated to show how that cloudy information is accessed, copied, modified and otherwise used?

Can all necessary information in clouds be easily retrieved during e-discovery activities? If so, what are the related costs involved? Consider a couple of popular cloud computing services, Google Documents (Google Docs for short) and Adobe Photoshop Express.

Document of delusion?
Last summer I participated in a group project of globally spread information security experts, and we used Google Docs as the primary repository for our work, none of which was classified as sensitive or confidential.

I sometimes wondered how safe were the documents we put on Google Docs cloud. The Google Docs site indicates they use the same privacy policy as the one located at the primary Google site in addition to some other stipulations.

Basically there is very little expectation of tight controls to the files put onto the site; security is pretty much left up to the site users.

And that amount of security is pretty limited, considering Google Docs indicates that the files you entrust to them may be “read, copied, used and redistributed by people you know or, again if you choose, by people you do not know.

Information you disclose using the chat function of Google Docs may be read, copied, used and redistributed by people participating in the chat.”

Google Docs gives a nonchalant warning to use care when including sensitive personal information in documents you share or in chat sessions, such as social security numbers, financial account information, home addresses or phone numbers.”

It was good to see Google Docs indicates that you may “permanently delete” files from their systems, but then in the next sentence states that “Because of the way we maintain this service, residual copies of your files and other information associated with your account may remain on our servers for three weeks.”

It appears that Google Docs could be a great way to collaborate with other organisations on documents that are not sensitive in nature, but probably not a repository to place PII or business sensitive information within.

Shadow of doubt
Many of the folks I know, including one of the parents’ groups I belong to, use Adobe Photoshop Express to share photos; hey, it’s quick and easy!

I know some businesses that are also using this site to share files with business partners. Does Adobe protect those photos and answer my questions from earlier?

It is important to also consider that some of those photos could be interpreted incorrectly taken out of context if viewed by unauthorized or unintended individuals.

The privacy policy from the Photoshop Express site is the same one as used from the Adobe home page. It is quite wordy, lengthy, heavy in legalese, and includes several implied consents.

For example, it states that, “However, if Adobe sells assets (or the assets of a division or subsidiary) to another entity, or Adobe (or a division or subsidiary) is acquired by or merged with another entity, you agree that Adobe may provide to such entity customer information that is related to that part of our business that was sold to or merged with the other entity without obtaining your further consent.”

Another implied consent states, “By using this Site and the Products and Services, you agree and acknowledge that personal information collected through the Site or in connection with the Products and Services may be transferred across national boundaries and stored and processed in any of the countries around the world in which Adobe maintains offices.....”

It is not clear how long Adobe retains information put on their servers, or how you can completely remove information from the site.

I could find nothing related to removal or retention of the photos on the site. It looks like a great way to share non-sensitive photos, but it would not be wise to use it for business purposes without first doing a thorough information security and privacy program and review of the site.

Cloudy laws and regulations issues
In the past many organisations found them-selves in complicated and sticky situations by addressing compliance issues only after new technologies and tools were widely used throughout the enterprise.
If your organisation hasn’t tried cloud computing yet, act now to prevent compliance issues from getting out of hand and to save yourself some headaches.

Before the business commits to cloud computing services, it is good to consider the cloud computing vendor as much more than just a software provider; it really is another type of business partner.

Businesses need to scrutinise the information security programs, and cloud computing tools should be viewed no differently.

If your business is entrusting critical processing and data to another entity, you should first ensure it is trustworthy, secure and meets your organisation’s compliance obligations.

Most laws and regulations, not only in the U.S., but also in many other countries, require organisations to establish appropriate controls and safeguards around PII and related business information.

But how do you know that appropriate controls and safeguards exist within the clouds? Information processed in clouds is not under your organisation’s control.

Do you know what happens to the information? Where it is stored? Who has access to it? Consider this: what breach notice actions will you need to take if your cloud computing service has a security incident involving your organisation’s PII?

Will the cloud computing service that had an incident even notify you? And in organisations that process credit card payments there are also certainly compliance issues for PCI DSS compliance to consider when using cloud services that involve customer PII.

Privacy issues still foggy
As companies start using more cloud com-puting resources for business purposes, business leaders will be wise to identify the sites and services they want to use and then review the information security policies and update them to address these new risks.

In addition to usage policies for employee interaction on public sites, companies must look for new ways to protect data on resources that are not under their direct control. This includes securing data as it is transmitted to and stored in the cloud as well as granting the appropriate access rights regarding who can view the data.

Select cloud computing services carefully, and with your organisation’s legal requirements and your own information security and privacy policies in mind. Here are issues to address and questions to ask:

• Where will your organisation’s data be stored?
• Will your organisation’s data be stored in a way that it intermingles with the data from other companies?
• Who will have access to your organisation’s data?
• Are backup and recovery processes in place?
• What are the availability promises for the cloud service? Are they documented within a Service Level Agreement?
• What audit trails are generated and maintained for your data?
• Does the cloud computing service have established and documented information security policies and supporting procedures?

Basically you need to ask all the same questions that you would during a third party, vendor or business partner security program review, in addition to knowing some specifics mentioned above that are unique to cloud computing services.

You also need to ensure your policies and procedures are up-to-date with your new cloud computing activities.

Some of the issues to address within your policies and supporting procedures include:

• The increased risks of inadvertent disclosure of sensitive data and PII by posting to cloud computing sites.
• The increased exposure to malware that is commonly hiding on and distributed through these sites.
• The increased risk of unauthorised use of the data used on the cloud computing sites as a result of minimal to no access controls.
• Determining how data protection requirements apply to information stored in these computer clouds.

I also recommend organisations do a privacy impact assessment (PIA) whenever considering a move to a cloud computing service.

As part of the PIA map your PII data flows to identify the vulnerabilities to determine security and non-compliance risks.

Committing to a cloud computing service without first considering the legal and compliance risks, and without knowing the security controls that exist, could result in very significant negative business impact from noncompliance and/or security incidents, well beyond the savings that using the cloud service brings to the business.

Be sure you provide training and ongoing awareness communications to your personnel about how they can, and cannot, use specific cloud computing services, and make sure they know and follow the associated procedures.

—Rebecca Herold is an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold & Associates, LLC. This aricle is published with permission from www. information-security-resources.com