For many security practitioners, cloud privacy is currently at a high point in terms of both concern and interest.
It's not hard to understand why: Not only are firms conducting business in Europe currently under the ticking clock of the General Data Protection Regulation (for which they have until May 2018 to comply), but also, recent events in the news, such as the rolling back of Federal Communications Commission privacy protections, have attention focused directly on this topic.
For organizations that make heavy use of cloud services -- and these days, which don't? -- the challenge is extending the existing privacy program into the cloud, so that it covers any information the organization is steward of while that information is operated on by, processed through or stored at a service provider.
Doing this requires a few key elements. First, it presupposes that you have a privacy program in the first place: that you have taken stock of the data in your possession, that you know what your regulatory context is and that you've drafted a policy that records management intent for the privacy of the data in your care. Once those things are in place, the next step is to understand the privacy-relevant features cloud providers offer and to adapt them to serve your program.
In turn, achieving cloud privacy is a process that includes understanding both the options and features available to you today, as well as understanding what future options are in development that can assist you down the road.
Just like anything else, building a plan for privacy means systematically defining and codifying our expectations -- and selecting enforcement approaches from the tools and countermeasures available (and those that might soon be available) to help ensure those expectations are met.
Baseline cloud privacy features
The first step toward doing this systematically is to understand the feature sets of the privacy options available to you from service providers. While any security feature offered by a service provider could ultimately become an element of your privacy program enforcement, there are a few options that stand out as useful. Specifically, many providers, particularly larger ones that service a global customer base (including jurisdictions like the European Union, which have robust privacy protections), offer features that directly support and enable privacy.
Depending on the service provider you employ, cloud privacy features can either be extensive or minimal.
From a validation and vetting standpoint, one useful starting point is certification against the international standard ISO/IEC 27018:2014. This standard specifically addresses the storage, handling and transmission of personally identifiable information in a public cloud context. Larger providers, particularly those with a significant European footprint, are incentivized to pursue this certification, as it increases their competitiveness in regions with more stringent privacy requirements. Two caveats apply when leveraging it. First, ISO/IEC 27018 is a code of practice rather than a stand-alone certifiable management-system standard; in practice, a provider is certified against ISO/IEC 27001 with the 27018 controls included in the audit scope, so check that the certificate or the auditor's statement actually names 27018. Second, ensure that the scope of the certification includes the services you actually use, since not every service a cloud provider offers is necessarily evaluated. Both checks can be accomplished by reviewing the certificate itself -- a reputable provider will make the certificate available for customer review, and it will state the services in scope prominently.
Beyond this, providers have started to implement technical features that can help enforce customers' cloud privacy requirements. For example, service providers that operate geographically distributed data centers (located in multiple jurisdictions across the globe) often let a customer specify which regions are used to hold its data. Pinning your usage to specific geographical areas can be advantageous, depending on your regulatory environment and the specifics of your plan. When you rely on this, confirm what the residency commitment actually covers: backups, cross-region replicas, support-staff access and derived data such as logs or metadata may follow different rules than primary storage.
Moreover, controls like cryptographic protections (e.g., encryption of data at rest or in transit) can provide a level of assurance to the cloud customer about access to data while it is in the custody of the service provider. Evaluate carefully where the keys are held and who can use them: encryption with keys the provider generates and holds protects against lost media or a stray backup, but not against the provider itself or a disclosure compelled from the provider, whereas customer-managed keys narrow that exposure at the cost of operating a key management process.
Additionally, a robust logging and audit capability provides value in privacy enforcement, since it is the evidence that the region and key-management expectations above are actually being met, so evaluating the features a service provider offers in this regard is helpful as well.
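The three enforcement points above (approved regions, customer-managed keys, audit logs) come together in the kind of check a privacy program runs over the provider's audit trail. The following is an added example, not code from the original article: it uses a simplified, constructed record format rather than any real provider's log schema, and the policy values, key identifiers and sample events are all assumptions made for illustration.

```python
"""Checking provider audit records against residency and key-custody policy.

Added example; the event format below is a constructed, simplified
JSON-lines format, not any cloud provider's actual audit log schema.
"""
import json

# Policy expectations the privacy program codified (assumed values).
POLICY = {
    "allowed_regions": {"eu-west-1", "eu-central-1"},
    "customer_managed_keys": {"cmk-eu-prod-01"},
    # Actions that create or write personal data must use a customer key.
    "requires_customer_key": {"object.put", "db.create"},
}

# Constructed sample events: one compliant write, a write landing in a
# non-approved region, a database created under the provider's default key,
# an unencrypted write, and a read (which the key policy does not cover).
SAMPLE_LOG = """
{"time":"2017-06-01T10:00:00Z","actor":"app-svc","action":"object.put","region":"eu-west-1","resource":"bucket/customer-records","encryption":{"key_id":"cmk-eu-prod-01"}}
{"time":"2017-06-01T10:05:00Z","actor":"app-svc","action":"object.put","region":"us-east-1","resource":"bucket/customer-records-backup","encryption":{"key_id":"cmk-eu-prod-01"}}
{"time":"2017-06-01T10:07:00Z","actor":"analyst","action":"db.create","region":"eu-central-1","resource":"db/marketing","encryption":{"key_id":"provider-default"}}
{"time":"2017-06-01T10:09:00Z","actor":"ops","action":"object.put","region":"eu-west-1","resource":"bucket/exports","encryption":null}
{"time":"2017-06-01T10:12:00Z","actor":"ops","action":"object.get","region":"eu-west-1","resource":"bucket/exports"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_event(event, policy=POLICY):
    """Return the list of policy violations for one event (empty if compliant)."""
    findings = []
    if event["region"] not in policy["allowed_regions"]:
        findings.append("region")          # data landed outside approved geography
    if event["action"] in policy["requires_customer_key"]:
        enc = event.get("encryption")
        if not enc:
            findings.append("unencrypted")  # no at-rest encryption recorded
        elif enc.get("key_id") not in policy["customer_managed_keys"]:
            findings.append("provider_key")  # encrypted, but the provider holds the key
    return findings


def audit(text, policy=POLICY):
    """Map each offending resource to its violations; compliant events are omitted."""
    report = {}
    for event in parse_events(text):
        findings = check_event(event, policy)
        if findings:
            report[event["resource"]] = findings
    return report


if __name__ == "__main__":
    for resource, findings in audit(SAMPLE_LOG).items():
        print(f"{resource}: {', '.join(findings)}")
```

Against a real provider the parsing step is replaced by the provider's own log export and field names, but the shape of the check stays the same: the privacy policy is expressed as data, and the audit trail is tested against it rather than trusted.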
Looking down the road, there are a few exciting developments in the service provider community that practitioners should keep an eye on, specifically ones aimed at letting an organization derive full value from its data without sacrificing privacy.
For example, consider the case of analytics: How can an organization ensure that its data can be analyzed, and value derived, in such a way that the cloud provider (or any other unauthorized party) cannot identify the individuals about whom data is kept? Likewise, if encryption is used, how can the organization derive insights from it without decrypting large volumes of data every time statistical or analytic information is to be collected? Techniques are emerging that may help in these areas.
The first area to keep an eye on is differential privacy. A differentially private analysis is one whose output changes only by a bounded amount (governed by a privacy parameter, usually written epsilon) whether or not any single individual's record is included in the input. Because no single record can move the result much, the output is resistant to de-anonymization, whether by combining it with disparate data sources or by applying advanced analytics to it.
Consider, for example, what happens when disparate data items (themselves not sufficient to identify any particular individual) are analyzed together: The combined information can allow inference about a specific individual where the separate data sets did not. Even two aggregate counts can do this if one includes a person's record and the other does not. Deliberately introducing calibrated random noise into query results is the standard way to alleviate this, and the amount of noise needed grows with the number of queries answered, so a privacy budget has to be tracked. While it may be some years before this is a commonplace feature offered by cloud service providers, research is underway, and we're already seeing real-world applications emerge.
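To make the inference problem concrete, the following added example (not code from the original article; the dataset, query and epsilon value are constructed) first runs a differencing attack on exact counts and then repeats it against a count protected with the Laplace mechanism, the simplest differentially private building block.

```python
"""Differencing attack on exact counts versus a Laplace-noised count.

Added example; RECORDS is a constructed toy dataset and the analyst is
assumed to be allowed COUNT queries but never to see individual rows.
"""
import math
import random

# Constructed records: (name, has_condition).
RECORDS = [
    ("alice", True), ("bob", False), ("carol", True), ("dave", False),
    ("erin", True), ("frank", True), ("grace", False), ("heidi", True),
]


def has_condition(record):
    return record[1]


def exact_count(records, predicate):
    """The naive aggregate: correct, and exploitable by differencing."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale, u):
    """Laplace(0, scale) sample via the inverse CDF; u is uniform on (-0.5, 0.5).
    u is passed in explicitly so the function is pure and testable."""
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate, epsilon, rng):
    """Laplace mechanism for a counting query. Adding or removing one record
    changes a count by at most 1 (global sensitivity 1), so noise of scale
    1/epsilon gives epsilon-differential privacy for this single answer."""
    u = -0.5
    while u == -0.5:                 # exclude the one point where log(0) would occur
        u = rng.random() - 0.5
    return exact_count(records, predicate) + laplace_noise(1.0 / epsilon, u)


def differencing_attack(records, target, predicate, count_fn):
    """Ask the same query with and without the target's record. Neither count
    identifies anyone on its own; their difference is the target's attribute."""
    with_target = count_fn(records, predicate)
    without_target = count_fn([r for r in records if r[0] != target], predicate)
    return with_target - without_target


if __name__ == "__main__":
    print("exact difference for alice:",
          differencing_attack(RECORDS, "alice", has_condition, exact_count))
    rng = random.Random(7)
    epsilon = 0.5                    # smaller epsilon = more noise = stronger privacy
    noisy = lambda rs, p: dp_count(rs, p, epsilon, rng)
    print("noisy difference for alice:",
          round(differencing_attack(RECORDS, "alice", has_condition, noisy), 2))
```

The exact version returns 1 for Alice and 0 for Bob, which is the leak. The noisy version returns a difference of two independent Laplace samples of scale 2, so the answer is dominated by noise and the attacker learns almost nothing about Alice from one pair of queries. The caveat is composition: every additional query against the same data spends privacy budget, and averaging many noisy answers to the same question recovers the exact value, so a real deployment tracks the cumulative epsilon rather than applying noise per query in isolation.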
Another area to watch is homomorphic encryption. Consider a situation where you wish to operate on data that is encrypted, without having to decrypt it first; for example, if you wish to calculate a sum over a column stored encrypted in a database. A traditional cryptographic scheme precludes this: no computation is possible unless the data is decrypted and the operation performed on plaintext. Homomorphic encryption, by contrast, allows those computations to be performed on the ciphertext, and the result, once decrypted, is the correct answer even though the data itself never left encrypted form in the provider's hands. It is worth distinguishing partially homomorphic schemes, which support a single operation such as addition and have existed for decades, from fully homomorphic encryption, which supports arbitrary computation and remains far more expensive in practice.
Again, this is an emerging area, so it's not as if you can flip a switch and turn it on for any given cloud service. That said, it is important for practitioners to know about, as it can help ensure that data privacy is protected while still allowing the business to use the data.
In short, privacy in a cloud context is not only possible, but it can, in fact, be facilitated by features already implemented by the cloud service provider community. Looking down the road, emerging technology areas like homomorphic encryption and differential privacy will provide possible additional features that could help organizations get more value out of data, while still ensuring these privacy goals are met.