How cloud providers are adopting privacy by design
For the most part, the internet evolved initially from a rules-free environment. The accelerated adoption of internet-enabled technologies in the private and public sectors has pegged compliance, security and standardisation requirements to these deployments. Generally speaking, data sovereignty was just a data location requirement rather than a data custody and privacy issue. We have reached a major turning point in the internet evolution, where we have an explosion of social networking, big data, Internet of Things and the Snowden revelations all happening at the same time. The internet traffic has just reached the zetabyte magnitude. 1
Traditional information management and business intelligence has relied on standard personal information (name, tax ID, passport, etc), but big data has allowed us to correlate different sources of information, where individuals can be tracked by other parameters, such as the International Mobile Equipment Identity (IMEI) on a mobile device or the unique hardware identifier of a computer (also known as MAC address). All these elements now are defined as personal identifiable information and in many countries will be subject to the same privacy rules as traditional personal data.
On the one side, information is being extracted, exposed and analysed in ways no one could have imagined even just a few years ago and on the other hand, there is a need (or strong sentiment) to keep our privacy while maintaining all the tremendous benefits that internet-based tools do give us. However, it is important to remember that there is no such thing as perfect security or privacy.
Privacy by design
Privacy by design is an approach to systems engineering which takes privacy into account throughout the whole engineering process. This concept has rapidly evolved in two main areas: information management and architectural design. The first one is related to implementing collection, management and de-identification mechanisms and processes in order to conduct analytics and big data gathering while taking into consideration privacy and sovereignty constraints or regulations. The second one is focused on building the right architectures in networks and data centres in order to comply with current regulatory environments and even to include tools and processes to mitigate customer’s privacy concerns.
As of now, architectural design and operational requirements should be aligned with the current regulatory framework, and also privacy requirements or expectations. There are established best practices around availability, security, data location and the compliance to industry (or state) defined standards.2
The ICT industry is now adding features to comply with privacy requirements. In order to achieve privacy we need firstly to identify the penetration areas. Penetration areas could be at the infrastructure layer and in operations (human factor). Penetration can be done by interception or by direct access. Interception can be done at the network and storage infrastructure and access can be done via ‘backdoors’, security ‘holes’ or by unauthorised access to login credentials.
Storage: how and where to store information
Adequate storage requires having a defined classification of information confidentiality or sensitivity. Information that constitutes public records does not require privacy. On the other hand, financial information, such as saving accounts could be very sensitive.
This is likely the centre of the attention and where a lot of the protective measures can be adopted. The very first tool to use is encryption. Companies like Google and Microsoft are pursuing that route; however the data custody, even being encrypted is still affected by a potential government agency access request. One emerging industry trend is called encryption portability. The general idea is that you can use storage from the cloud, but you add specific tools (or plugins) that allow you, as a user that is, to encrypt your information using systems or keys of your choice. The concept is simple: you buy a house, but you put the locks on the door when you move in.
Distributed storage is another way of ‘hedging your risk’. As mentioned before, one potential exposure point is access control, being logical or physical. In case there is a possible physical access to the storage device you can use different techniques (e.g. erasure coding), where pieces of information are distributed through many different sites, and the only way to retrieve the information is having full access to all components to rebuild the information.3
Network: how information is accessed and where it transits
When users access information from the cloud, the data likely flows through an undetermined route on the internet. There are two basic industry trends around network control, encrypted VPNs (traditional method) and ‘cloud connectors’ - which is an emerging practice in which you establish a direct/dedicated link between the cloud provider and the end consumer. Major cloud providers (e.g. Microsoft and Amazon) are using this option and data centre providers.
Access control is the non-architectural component of the solution. The cloud providers need to have the right architecture, but this alone is not enough, they need to have the right processes and management policies in place.
Snowden is the best example of what could happen to your information without having the right control points, as Snowden got access to a significant amount of protected information based on his system administration role.4
Having the right encryption or specific security tools doesn’t ensure that the information is secure. At the end of the day, the cloud operator or user need to use them effectively. Having the right process and audits in place is what makes the information secure. As a best practice, we can mention the encryption by default of any files or documents containing specific keywords or coming from specific groups. Another best practice is the segregation of administrative policies. This is a method by which for instance two administrators “turn the key at the same time”. It is called the ‘four eyes policy’.
Finally the ‘paper trail’ concept, where a system can trace and audit the information or workload movement, attempts to transfer or download information, and more. Despite many major incidents in the industry that could have been avoided by this basic principle, it is not yet a common practice.
Europe is driving the ‘privacy niche’
These concerns and the massive amount of regulation popping up in the ICT world are creating major constraints for the seamless adoption of cloud and Internet of Things technologies, but also opening new opportunities around security, encryption, policy and compliance management, etc. I see innovation rapidly happening and startups and established industry players coming up with brilliant ideas around storage, encryption, secure networking, identity management and compliance management. Further, technology certifications could become an interesting niche for European professional services companies - particularly since this region is at the epicentre of the privacy debate. The Snowden revelations triggered substantial discussions about privacy. This in turn pushed many companies to look for third party trusted advisors to review and validate technologies and cloud services being used today.
The evolution of cloud and Internet of Things without privacy compromises
Social media and the Internet of Things are creating massive amounts of information, and most of it is data that, from a social or legal perspective, is considered private or sensitive information in many countries. For example, personal tax and income information would be of utmost privacy in Switzerland while in Norway this is for the public record. On the one side, as users of technology we need to be aware of the consequences of putting our personal or personal identifiable information on the world wide web, and understanding the trade-offs of doing so. I would assume that for most of us, the benefits outweigh the risks at this point in time, again with the assumption that consumers do understand the risks.
Security and privacy breaches are not going to go away; you need to accept this as you accept the fact that every now and then you will get a flu. What you can always do is to be prepared for it and take the right measures in advance. Adding more regulation in the space is likely not the solution either, but a baseline framework may be needed to establish fair rules for all parties globally. This framework would need to favour social and economic freedom and development in favour of a true global internet.
All these factors are driving cloud providers to slowly but surely embrace privacy by design, and take one step back, look around, understand the regulatory environment and expectations before building the next services.
1. Internet traffic figure provided by the Cisco’s Cloud Index. See http://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/Cloud_Index_White_Paper.pdf
2. Examples include vertical industries such as healthcare (HIPAA - Health Insurance Portability and Accountability Act of 1996), finance (PCI - PCI Security Standards apply to online payment card data security) or the public sector (IL3 - see UK government security classification).