Info, Law, IP & Ethics

The argument that “A full ten years into cloud computing, customers understand that cloud systems typically outshine their own in terms of reliability and security. In the final analysis, security and privacy of data are more robust in environments in which there is prioritization, expertise, and resources fuelled by economies of scale, conditions that do not exist in most companies” was made by Marc Benioff, chairman & CEO, Salesforce.com at a debate on The Economist.

I agree with Marc that “Cloud computing delivers more innovation at far lower cost and complexity” because cloud computing offers virtually limitless storage compared to a PC’s hard drive and instead of purchasing expensive software applications, one can get most of them free on the cloud thus reducing cost and complexity.  Also there are many other advantages of cloud computing like easier group collaboration because the documents are hosted in the cloud and not on individual computers, increased data reliability because even if your personal computer crashes, all your data is still present in the cloud and increased scalability because cloud computing is a way to increase capacity or add capabilities without investing in additional infrastructure, training new personnel, or licensing additional software.

I do not agree with Marc’s assertion that cloud computing offers robust security and privacy of data. Although these issues are top of mind for cloud providers, I think there are still lot of security and data privacy related concerns or questions that remain unresolved today. Several experts and industry groups share my point of view.

Ann Cavoukian, Information and Privacy Commissioner of Ontario, mentions in her paper, Privacy in the Clouds, that in personal computing security needs are minimal and they mainly consist of a few usernames and passwords for the local systems. Hence users’ privacy and security can be controlled by restricting physical access to the computing devices. But when the user starts using the cloud where they rely heavily on data and software that reside on the internet, the users have to frequently provide their identity every time they use a new Internet-based application, usually by filling out an online form and providing sensitive personal information (e.g., name, home address, SSN, credit card number, phone number, etc.). This leaves a trail of personal information that, if not properly protected, may be exploited and abused. In fact since the cloud is a multitenant environment where multiple customers store data in a shared environment, mistake by one customer can lead to increased risk for all the customers sharing the environment.

According to the analyst firm Gartner “Cloud computing has unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing”. Some of the specific security and privacy issues raised by Gartner are:

• Risks in privileged user access because the cloud services ignore the “physical, logical and personnel controls” IT exercises over the organization programs.
• Risks in regulatory compliance because traditional service providers are subjected to external audits and security certifications which may not be mandatory for cloud service providers.
• Risks in data recovery because of issues such as service outages or if the cloud provider suddenly goes out of business.
• Risks in data privacy because cloud providers are willing to share sensitive information with government investigators and marketing firms without user permission. For e.g. recently there was a panic amongst Facebook users when they realized that the site had changed its terms of service. This implied that because of the change, Facebook would show their most embarrassing photographs to parents, teachers, and prospective employers.

According to an assessment of cloud computing risks from the European Network and Information Security Agency (ENISA), when moving to cloud-based computing services, companies have to hand over control to the cloud provider on a number of issues, which may affect security negatively. For example:

• The provider’s terms of use may not allow port scans, vulnerability assessment and penetration testing. At the same time, service level agreements (SLAs) may not include those services and result in a gap in the defense.
• Compliance could also prove to be a big problem if the provider can’t offer the right levels of certification or the certification scheme hasn’t been adapted for cloud services.
• One of the advantages of cloud services is that data can be stored in multiple locations, which could save the day in the event of an incident in one of the data centers. However, it could also be a big risk if the data centers are located in countries with a shaky legal system. The user may not exactly know where his data is hosted. The data could be in the United States today and in China tomorrow. The laws pertaining to data privacy and protection are different for different countries.

Even regulators in the United States have expressed concerns about the lack of industry standards that govern how cloud service providers protect consumer security and data privacy. The Federal Trade Commission recently organized a roundtable consisting of cloud service providers, experts and consumer organizations to discuss this topic. Although, the discussions reiterated the risks and issues of cloud computing there was no consensus as to how to assess the relative risks associated with this new technical and computing model. There is also a concern within the industry whether the existing US privacy regulations and practices such as SAS 70 and FISMA can be applied as is to cloud computing. This lack of consensus on how to measure and tackle risks proves my position that it is too early for us to accept Marc Benioff’s viewpoint. Cloud computing has been around for the best part of last decade and there is unanimous agreement about its benefits. However, the slow pace with which businesses are embracing this innovation proves that enterprise customers share my concerns. In fact security and data privacy issues have been cited as the top barriers to SAAS adoptions in almost all analyst reports and industry survey for the last five years. Although, cloud service providers have been successful in consistently lowering the barriers, they have not done so at a pace that can justify Mr. Benioff’s optimism.