The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud for New Zealand Organisations
This paper aims to explore what the real issues, risks and constraints are for New Zealand organisations that are thinking about cloud computing and how to address them.


  • 1. THE LONG WHITE CLOUD
    Addressing Privacy, Residency and Security in the Cloud for New Zealand Organisations
    February 2011
    By Doug Newdick
    With John Baddiley, Anita Easton, Boris Guskee
  • 2. TABLE OF CONTENTS
    DISCLOSURES 3
    EXECUTIVE SUMMARY 4
    INTRODUCTION 5
    SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS 6
      The Privacy Act 6
      Tax Administration Act 7
      Payment Card Industry - Data Security Standard (PCI-DSS) 7
      Reserve Bank of New Zealand Act 8
      Public Records Act 8
      Official Information Act and the Local Government Official Information and Meetings Act 8
      Security in the Government Sector (SIGS) 8
      SSC Advice 9
    DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS 11
    OTHER CLOUD OPTIONS 14
      Public Cloud with New Zealand Hosting 14
      Community Cloud in New Zealand 14
      Encryption within the Cloud 14
      Tokens 14
      Local Agents, Cloud Management 15
    MANAGING CLOUD PRIVACY, RESIDENCY AND SECURITY RISKS 16
      A Cloud-Aware Evaluation Process 16
      Practices for Reducing Implementation Risks 20
    IN CONCLUSION 21
    ENDNOTES 22
  • 3. DISCLOSURES

    Davanti Consulting was established in 2007 as the independent business consulting arm of Gen-i New Zealand. Our consultants bring with them a wealth of experience from a variety of fields and pride themselves on their pragmatic approach to delivering tangible business value.

    In the interests of acting with openness and integrity we want to inform you of any relationships that are relevant to this white paper:
      • Davanti Consulting is’s preferred partner in New Zealand;
      • Gen-i New Zealand provides cloud solutions ranging from infrastructure and security to applications.

    For more information visit our website
  • 4. EXECUTIVE SUMMARY

    Cloud computing can bring significant benefits to New Zealand organisations, but adoption is being hindered by concerns about privacy, residency and security risks. However, the cloud is here and is here to stay. We need to incorporate the cloud in the way we identify, assess, and select solutions. Our recommendation is to use a process for this evaluation that avoids both the hype and the unjustified fears around cloud computing and instead focuses on a sober examination of the compliance obligations in New Zealand and risks to the business weighed against the potential gains in efficiency and competitive advantage that the cloud can deliver. There are specific laws and regulations that impact New Zealand organisations’ use of cloud computing but these impacts are often not the insurmountable barriers they are made out to be. It is true, however, that the distinctive features of cloud computing give rise to special risks as well as rewards. In particular the fact that there are no current internationally recognised standards for cloud computing security means that individual organisations must do much of the work of managing these risks themselves.
  • 5. INTRODUCTION

    The advent of cloud computing has been one of the most influential trends impacting on businesses and their IT organisations in the last few years. There will not be many CIOs who are not thinking about using the cloud and some already are. Davanti is however seeing some reticence largely based on concerns about information and data: Who can access it? What will happen to it? What rules apply to it? How secure is it? Can we control it? Conversely we sometimes see clients who do not understand that there are valid concerns about these issues with respect to cloud computing services and therefore are potentially opening themselves up to risk.

    This paper aims to explore what the real issues, risks and constraints are for New Zealand organisations that are thinking about cloud computing and how to address them.

    Firstly, we examine the directives, standards and legislative controls that actually do constrain New Zealand organisations. Secondly, we place cloud computing in the context of traditional modes of delivering and sourcing computing resources and examine those privacy, residency and security risks that are distinctive to cloud computing. Lastly, we look at the various solutions and practices that New Zealand organisations could and should adopt to address these constraints and risks to allow them to take full advantage of the significant benefits that cloud computing can deliver.

    New Zealand organisations ignore the privacy, residency and security concerns of the cloud at their peril. There are real and significant risks in using the cloud, and not managing these risks can expose an organisation to loss of reputation, trust or even loss of business critical data. Much of the current reluctance to adopt cloud computing, however, is based on fear, uncertainty and doubt rather than on a calculated assessment of real risks. In order to best utilise cloud computing to obtain competitive advantage and operational efficiencies you need to transform the discussion from one based on rumour and conjecture, to one based on evidence.
  • 6. SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS

    Few standards or pieces of legislation have the foresight to consider the issues of cloud computing directly. However we can apply the broader principles and advice around traditional security risk management to the issues of cloud computing. In particular, advice that is valid for outsourcing often applies to cloud computing as well. There is a range of legislation and other standards that apply to New Zealand organisations and that have (or are thought to have) an impact on cloud computing. This section discusses their applicability to cloud computing. Figure 1 outlines which of these standards and legislation apply to different organisation types in New Zealand.

    Figure 1: Standards and Legislation versus Organisation Types

    The Privacy Act

    The Privacy Act 1993 governs all organisations in New Zealand. It has associated codes that provide more specific guidance and controls for particular industries – e.g. telecommunications and health. The Privacy Act applies to personal information – that is information about individual people. If you gather personal information in New Zealand then your organisation is bound by the principles of the act regardless of how or where that information is managed. The principles contained within the Privacy Act concern good practices for managing personal information, such as: only using information for the purpose it was collected, and giving people the chance to correct any information about them that is incorrect.[1] If you are not going to put information about individuals into the cloud, then the Privacy Act will not impact your use of cloud services.

    Our take: In the main the principles of the Act are no harder to meet when your applications are hosted within the cloud than when they are on premise. The exception is Principle 5 (storage and security of personal information) which requires that reasonable security safeguards are taken against loss, misuse, or unauthorised access, use, disclosure or modification, and that if information is disclosed to another party (e.g. a cloud provider or their staff) everything reasonable is done to prevent unauthorised use or disclosure.[2] Within the context of cloud computing this means that a customer should ensure that the security
  • 7. processes and procedures of their vendor are adequate if personal information about New Zealand citizens is to be held in the cloud. The matter is complicated if the cloud services are physically located in countries that do not provide the same level of protection for privacy as New Zealand does.

    The Office of the Privacy Commissioner has issued a poster level summary (called PADLOCK) of how to meet the requirements of the Privacy Act.[3] We suggest that this is consulted whenever solutions are developed that use or store personal information, whether cloud-based or not.

    Tax Administration Act

    In December 2010, the Inland Revenue Department (IRD) issued a revenue alert on the use of cloud computing for financial record keeping. In summary, the alert states that it is the IRD’s position that the use of off-shore cloud computing services to hold primary financial records is a violation of the Tax Administration Act 1994. Violations of this act may be punished by convictions and fines.[4]

    Our take: The revenue alert is not the final opinion of the IRD on the use of cloud computing. The communications between IRD and the software development community who create cloud computing platforms suggest that either an exemption may be granted for individual businesses who apply for one, or that a wholesale exemption may be applied to all users of any “approved” financial cloud computing product. Given the popularity of cloud finance applications, there is also a reasonable chance of a change in the legislation. If your organisation is thinking of using such an application, we suggest talking to the IRD about the matter before pursuing it in depth.

    Payment Card Industry - Data Security Standard (PCI-DSS)

    PCI-DSS is a standard regulating the processing of credit card information and transactions for merchants (the people accepting credit card payments), issuers (the organisations that issue credit cards) and acquirers (the organisations that mediate between merchants and issuers). PCI-DSS is enforced by the leading credit card companies (Visa, Mastercard etc.) internationally and is not specific to New Zealand.

    In New Zealand, banks are the main issuers and acquirers for credit cards. As credit card systems are regarded as “core” and the RBNZ requirements are more stringent with respect to the cloud than PCI-DSS, the following discussion only applies to merchants and small banks.

    The PCI-DSS standards apply if you are storing or using credit card data in your IT systems. They document the security controls on networks, information, IT systems, people and processes that a company must follow if it stores, uses or processes credit card data. When looking at the use of cloud computing for PCI components the following considerations are relevant:
      • The provisions of PCI-DSS about outsourcing apply: if you are assessed for compliance you must show which requirements apply to you and which to the 3rd party outsourcer. Either the third party must have undergone their own assessment, or they must be assessed as part of your organisation’s assessment.
      • If you are not using a cloud provider that is assessed itself, then extensive information about the cloud provider’s implementation is required as part of any assessment.

    Our take: Overall PCI-DSS standards are onerous enough when just applying to a company’s internal computing environment. We recommend not storing credit card information in the cloud unless it is with a PCI-DSS compliant provider (e.g. a credit card payment processing vendor).
  • 8. Reserve Bank of New Zealand Act

    Within New Zealand, “large banks” (defined as those whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion) are normally subject to a condition of registration relating to outsourcing arrangements. Controlled by the Reserve Bank of New Zealand (RBNZ), these conditions define the components of bank processing that each bank can outsource to 3rd parties. The RBNZ is primarily interested in the ability of a large bank to continue operating in the event of a failure (either system or business) of any outsourced party that the bank might be using.[5] In general the RBNZ tolerance for outsourcing diminishes as the function being outsourced becomes more material to the ongoing operation of the bank. Systems which provide account holdings or inter-bank settlement are less likely to be tolerated as targets for outsourcing by the RBNZ.

    Our take: Cloud-provided systems are a form of outsourced function, and as such fall within the remit of the RBNZ outsourcing policy. This means that in general, core systems are not considered appropriate for delivery through the cloud, as the failure of the cloud platform could materially impact the Bank’s ability to meet its obligations. Systems which are widely used by customers may be placed in the cloud, but would attract intense scrutiny around the controls available to the Bank in the event of a failure in the cloud platform.

    For those financial institutions that do not fall under the definition of “large banks” the RBNZ controls do not apply. Smaller banks, however, should be aware of the requirements for large banks, and take them into consideration when investigating the use of cloud services as the Reserve Bank expects all banks to properly manage risks from outsourcing.

    Public Records Act

    The Public Records Act (PRA) covers all crown entities (not just government departments) and local government bodies. It applies to all public records, which is all information created, received or maintained by any of those crown entities and all local government records which are on the “protected list”.

    Our take: Similarly to the OIA, this act does not pose any greater constraints on a cloud computing solution over any other solution. The one key provision to consider is that electronic records may only be destroyed as specified by a Disposal Authority (which is an approved official document that specifies the timeframes and conditions under which public records may be destroyed). Thus the cloud solution must include the ability to store records for as long as required by the Disposal Authority, as well as the ability to transfer them to longer term storage if that is also required.

    Official Information Act and the Local Government Official Information and Meetings Act

    The Official Information Act applies to all government agencies including universities, hospitals and SOEs while the Local Government Official Information and Meetings Act (LGOIMA) applies to local government bodies.

    Our take: The OIA and LGOIMA have little impact on the use of cloud computing except insofar as information handled or stored in the cloud should be able to be retrieved as part of an OIA or LGOIMA request – as is the case for any on-premise information system covered by these acts.

    Security in the Government Sector (SIGS)

    Security in the Government Sector (SIGS) is a set of policies and guidelines governing information security published by the Department of the Prime Minister and Cabinet.
  • 9. Following it is mandatory for government agencies (government departments, and agencies such as the police and NZ Defence Force) and suggested for crown entities and State Owned Enterprises.

    A primary concern of SIGS is the placing of government information into one of several information classifications. Information is either unclassified (available to anyone who wants it) or classified (available only to those who need to know and have the requisite level of security clearance). Classified information is further divided into categories ranging from: “IN CONFIDENCE” (the lowest level) through to “TOP SECRET”. Information should be labelled “IN CONFIDENCE” if its compromise “would be likely to prejudice the maintenance of law and order, impede the effective conduct of government in New Zealand or affect adversely the privacy of its citizens.”[6] Levels above IN CONFIDENCE contain information which if compromised could damage the national interests of New Zealand to differing degrees.

    The policies and guidelines in SIGS fall into two camps: good practices that should be applied to all information and information systems; and, specific policies and guidelines around the handling of different levels of classified information. Each of the classifications has a set of distinct controls that must be applied to information of that kind, becoming more and more secure – and therefore increasingly onerous – as you move up the scale.

    Our take: Due to the specific and onerous nature of the requirements around information with a classification of “SENSITIVE” or above (e.g. all staff involved in storing or handling the data require NZ Government security clearances) we see it as unsuitable for processing in a public cloud. This still leaves, however, a wide range of government information (i.e. unclassified and IN CONFIDENCE) and functions that may be suitable for cloud computing.

    While SIGS has no specific mention of cloud computing, it does have general information security considerations which are applicable to a cloud computing solution, as well as some mentions of outsourcing which are also relevant. The following issues should be assessed:
      • If the cloud provider staff can access classified information, a risk assessment must be undertaken to see what controls need to be put in place;
      • The contract with the cloud provider should address methods for meeting security requirements;
      • The procedures for sanitisation of storage media for classified data should be examined to see if they meet SIGS requirements;
      • The formal procedures for access control should be examined to see if they meet SIGS requirements;
      • Should additional controls and processes on communications be required due to information being sent from an agency to another party (especially if they are overseas)?

    As long as these considerations are properly examined and weighed then SIGS does not preclude the use of cloud computing.

    SSC Advice

    The State Services Commission (SSC) published a paper for the public sector on the use of offshore ICT providers in its advisory capacity.[7] The purpose of the paper was to take existing frameworks such as SIGS and existing SSC guidelines and policies and apply them specifically to the cases of cloud computing and off-shoring. While the paper was publicly criticised for its negativity towards off-shoring, it actually does not suggest that off-shoring ICT services should be banned in any way. An overly cautious tone is rooted in the paper’s sole focus on the risk side, ignoring any benefits.

    The core recommendation of the SSC is that government agencies should assess the risk of an offshore initiative prior to any commitment and it elaborates on the risks coming with off-shore

  • 10. approaches. Agencies should recognise that some of these risks may be show stoppers, these include:
      • Integrity and reliability of the legal system in the target jurisdiction;
      • Legislation that allows foreign governments to silently access data that is within their borders;
      • Some information should never go offshore e.g. information vital to national security.

    New Zealand government agencies should use the risks outlined in this advice to perform their own risk assessment – checking the types of risks mentioned against their likelihood and potential impact for the solution that they are considering. The true offshore risks are all about hosting in a foreign jurisdiction:
      • What are the privacy laws in that jurisdiction?
      • What is the contract law in that jurisdiction?
      • What are the risks of espionage in that jurisdiction?

    Agencies are asked to seek advice if any of this is new to them.

    The risks relating to the foreign jurisdiction prompt an important insight: for government data especially, we actually do have to care about the country where our data will reside. “The cloud” is not a specific enough address from a legal viewpoint: “hosted in the EU” vs. “hosted in Somalia” actually makes a difference! A logical first step is to get familiar with privacy and security in the likely target jurisdictions – foremost the US, but also the EU and Australia.

    Our take: We recommend that any government agencies looking to use cloud computing should follow this advice by performing the following steps:
      • Check for show-stopping risks;
      • Undertake a risk assessment using the framework of the SSC advice – qualifying the risks by their probability and the sensitivity and the criticality of the task or information;
      • Compare the cloud option risk assessment to the risk profile of your current equivalent computing platform and other reasonable alternatives.
  • 11. DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS

    The risks discussed below should not be seen as reasons not to engage with cloud computing, but instead should be viewed in terms of providing a realistic assessment of:
      • Whether they apply to your solution;
      • What the likelihood of them occurring is;
      • How you can mitigate them;
      • How they weigh up against the benefits likely to be realised by using cloud services.

    In all cases a realistic assessment of the risks of a cloud computing solution should be compared with the very real privacy and security risks of traditional on-premise solutions that are often down-played or ignored. Many of the same security risks as traditional on-premise or outsourced computing resource models apply to cloud computing solutions, but the lack of visibility and control adds a degree of uneasiness on the part of customers. One oft-repeated claim is that cloud computing has significant and special challenges for security as it is not under the control of the organisation. This claim usually inflates the extent to which internal control equals good security practice. The reality in many organisations is that much internally controlled data is not well secured. While this in itself does not justify cloud computing we should be aware that the equation is not as straightforwardly in favour of internally hosted solutions as many people assume.

    In addition, there is a perception that “the cloud” in general is beset with security risks. But the reality is that different vendors and different offerings have quite different security, privacy and risk profiles as well as benefits. There is no one answer; each solution needs to be assessed on its individual merits, and each cloud provider needs to be assessed on their individual merits. There are, however, a number of risk factors that are applicable to all cloud solutions and which will therefore need to be addressed by all solutions.

    What risks are specific to – or different in – cloud computing? If we look at the distinctive and typical features of cloud computing we can identify the accompanying risks. Common characteristics of cloud computing platforms are:
      • Scalability – automatic deployment of increased or decreased resources as needs change;
      • Multi-tenancy – hosting of multiple, different customers on the same underlying infrastructure;
      • Virtualisation – logically separate instances of platforms or applications running on the same physical hardware;
      • Outsourced – managed and delivered by an external third party;
      • Off-shored – the platform resides in a different jurisdiction;
      • Internet access – platforms are accessed by users or systems over the public internet;
      • Payment mode – computing resources are financed by a pay as you go model.

    These distinctive features of cloud computing give rise to the following specific risks inherent in many cloud computing solutions.
      • Multi-tenancy and virtualisation cause a risk of unauthorised access. Scalability is often achieved through multi-tenancy and virtualisation which have spawned some security worries. While it is theoretically possible for another user of a multi-tenancy architecture to access your information if the underlying platform exposes a vulnerability, the real chance of this occurring (and more specifically, happening to
  • 12. you) if you are with a cloud provider who takes measures to ensure that data is segregated effectively is so low compared to other security risks that it is negligible. If this is a concern for your organisation check the measures that your cloud provider takes and their effectiveness.
      • Outsourcing hands control of your data to another organisation. Just like other outsourcing arrangements, cloud computing by definition gives access to your organisation’s information to people, processes and technologies of another organisation (or multiple organisations if they have outsourcing deals themselves). The difference is that this risk is more clearly understood in the case of traditional outsourcing, whereas it may be less visible and therefore overlooked in the case of cloud computing. The ease with which cloud services can be purchased and implemented elevates risks – compared to traditional outsourcing – which centre on what happens to your information if and when you end your use of a cloud computing platform. You need to be able to retrieve the valuable data that is kept in the cloud, and you will need assurance that any private, confidential or sensitive data is securely removed or disposed of from the cloud provider’s equipment (including from back-ups and redundant systems). For particularly sensitive or critical data, whatever procedure is put in place must work even if the provider suddenly became bankrupt. In addition, many Software-as-a-Service providers use Infrastructure-as-a-Service providers themselves, further increasing the complexity of your information security environment.
      • Off-shoring adds the complexity of foreign jurisdictions. Most cloud providers will not have their physical facilities in New Zealand; therefore the same risks exist as for traditional off-shoring. Specifically the different security and privacy laws of the hosting jurisdiction may negatively impact on the privacy and security of your information. Different privacy laws may mean that your data may be used for other purposes by your cloud provider, for instance some companies mine their customers’ data for their own benefit. Different security laws or practices may mean that another country’s security or policing agencies may be able to view data that you have at the provider’s premise. This is explicitly allowed by the U.S. Patriot Act (albeit with a warrant and probable cause; other jurisdictions are not so delicate).
      • On-demand access can become uncontrolled access. Platforms that are accessed over the internet and are outside your organisation’s traditional (on-premise) infrastructure are subject to risks around access management. With an on-premise system the mere fact that the user has to physically access a system from within the organisation mitigates against some of the risks of poor access controls. With cloud based systems the risk may be greatly increased. Organisations may struggle to effectively synchronise granting and revoking user access, leading to staff being unable to access the services they need, or, even worse, allowing people to access information and functions that should not be available to them (e.g. not revoking access to a CRM when staff leave your organisation).
      • Internet traffic is at risk from interception. Another risk inherent in the cloud model of service delivery or access over the internet is the possibility of your data being intercepted as it travels between your organisation and the cloud provider. However with most cloud providers this can easily be mitigated with secure authentication and encryption of network traffic. As most ‘internal’ VPNs rely on the same authentication and encryption protocols and are actually implemented as tenants on the internet’s network infrastructure the risk often comes down to perception rather than actual exposure.
      • Internet services may suffer disruption. Your organisation’s access to internet provided services may be at risk of disruption from: denial of service (DoS) attacks on the provider; a loss of internet access by you or your cloud provider; or, government intervention as seen recently in Egypt.
  • 13.
      • Ease of implementation can lead to data exposure. The ease of installation, implementation and release inherent in a scalable, pay as you go model with platforms living in the cloud (not to mention the lack of financial barriers) can bring with it a little-recognised risk: making it too easy for staff to launch services or applications into the wider world. If business units can purchase and deploy technology services just by using a corporate credit card, they can easily (and probably unintentionally) bypass an organisation’s security risk assessment process. While this era of the ‘empowered user’ has brought many benefits, it may not treat customer and corporate data with the right level of security and sensitivity.

    What is often overlooked is that cloud computing has the potential to improve the privacy and security of your data. The financial argument for cloud computing is that it provides efficiency and cost savings through scale – these same factors also apply to security: cloud providers, because of their scale, can have access to large dedicated teams of security specialists with the latest technology. Can any New Zealand organisation compete with the size and technical expertise of Google or Amazon’s security teams? Some cloud providers may be able to provide better security than your own organisation, decreasing your security risk. In addition some cloud offerings by their very nature may improve security, for instance by allowing users to store or transfer information with a secure cloud provider you have assessed, as opposed to storing or transferring them on insecure devices or media.
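The access-management risk in the list above (access to a cloud CRM not revoked when staff leave, or staff left without the access they need) can be checked by reconciling an HR roster against the cloud application's user export. This is an added example, not part of the original paper; the CSV column names, the `needs_crm` flag and every sample record are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR roster and a user export from a cloud CRM.
# Column names are assumptions for this example, not any vendor's format.
HR_ROSTER_CSV = """email,status,end_date,needs_crm
aroha@example.co.nz,active,,yes
ben@example.co.nz,terminated,2011-01-14,yes
carol@example.co.nz,active,,yes
dave@example.co.nz,active,,no
"""

CRM_USERS_CSV = """login,enabled,last_login
Aroha@example.co.nz,true,2011-02-01
ben@example.co.nz,true,2011-01-20
dave@example.co.nz,false,2010-11-02
contractor7@example.co.nz,true,2011-01-30
"""


def _index(text, key):
    """Parse CSV text and index rows by a case-insensitive identity column."""
    return {row[key].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def _enabled(account):
    return account["enabled"].strip().lower() == "true"


def reconcile(hr_csv, crm_csv):
    """Compare HR records with cloud accounts and return four finding lists.

    revoke          - leavers whose cloud account is still enabled
    used_after_exit - leavers whose account logged in after their end date
    unknown         - enabled accounts with no matching HR record
    missing         - current staff who need access but have no enabled account
    """
    hr = _index(hr_csv, "email")
    crm = _index(crm_csv, "login")
    findings = {"revoke": [], "used_after_exit": [], "unknown": [], "missing": []}

    for login, account in crm.items():
        person = hr.get(login)
        if person is None:
            # Nobody in HR owns this account (contractor, shared or stale login).
            if _enabled(account):
                findings["unknown"].append(login)
            continue
        if person["status"] != "terminated":
            continue
        if _enabled(account):
            findings["revoke"].append(login)
        # A login dated after the end date means the stale access was used.
        if account["last_login"] and person["end_date"]:
            last = date.fromisoformat(account["last_login"])
            if last > date.fromisoformat(person["end_date"]):
                findings["used_after_exit"].append(login)

    for email, person in hr.items():
        if person["status"] == "active" and person["needs_crm"] == "yes":
            account = crm.get(email)
            if account is None or not _enabled(account):
                findings["missing"].append(email)

    return {name: sorted(items) for name, items in findings.items()}


if __name__ == "__main__":
    for name, items in reconcile(HR_ROSTER_CSV, CRM_USERS_CSV).items():
        print(f"{name}: {items}")
```

Run on a schedule against real exports, the `revoke` and `unknown` lists feed the de-provisioning process and `used_after_exit` is a candidate for incident review.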

OTHER CLOUD OPTIONS

There are a range of different flavours of cloud computing solutions which impact differently on privacy, residency and security concerns. Standard public cloud services provide the greatest choice and the greatest functionality at the lowest potential price. As discussed above, however, there may be situations where the risks of using a standard public cloud solution outweigh the benefits. In such cases, before ruling out cloud offerings entirely, other more specialised cloud offerings should be considered to see if they address the risks while still allowing the organisation to realise some of the cloud’s benefits.

Public Cloud with New Zealand Hosting

For information that should not leave New Zealand the next best option is using a public cloud provider that can ensure New Zealand hosting. This option combines the ease of the public cloud with the assurance of being covered by New Zealand laws and controls. Unfortunately most international cloud providers will be unwilling to set up a New Zealand hosting environment unless they see a significant commitment, and those that are willing will be likely to pass on the additional costs to their users. Being restricted to New Zealand hosted cloud services drastically reduces the range of cloud services available and the benefits and cost efficiencies that could be gained, but is an option that should be seriously considered. In particular a range of New Zealand based Infrastructure-as-a-Service offerings are available.

Community Cloud in New Zealand

A community cloud is a cloud service which is only available to a restricted set of customers, for instance Google’s government cloud that can only be used by United States Federal government agencies – Google has separate physical servers and separate staff to allow it to meet the requirements of the U.S. Government.
This approach requires a group of cloud customers in NZ (a sector or nationwide) and cloud providers who are willing to support cloud operations in New Zealand for a restricted set of customers.

This option would allow the customers to meet almost all privacy, residency and security concerns, but would entail higher cost and commitment from the customer community and the cloud provider while delivering a restricted set of cloud services. In addition there are also likely to be complex governance issues around the management of a community cloud: who ensures that the cloud meets and continues to meet all of the requirements of each member of the community?

Encryption within the Cloud

Encrypting the data held in the cloud is a possibility which can be used in combination with other options such as the public cloud or community cloud. For instance files could be encrypted before being placed in a cloud storage service, or data could be encrypted within a Platform-as-a-Service database. This may mitigate some security risks, but is not supported by all cloud providers at this point in time or by many Software-as-a-Service provided applications.

Tokens

In this solution, identifying or sensitive data (e.g. names or identifying numbers) is replaced with meaningless tokens as the information is passed to the cloud. Which token replaces which datum is recorded, and when the information is pulled back out of the cloud the meaningless token is replaced with the original piece of data before being displayed or consumed. For example “Account 12345678, balance $20” becomes “Account kzkxdf56, balance $20” on being sent to the cloud. Additional charges are added by the cloud application, and “Account kzkxdf56, balance $40” is returned. The token is replaced with the real account number, and “Account 12345678, balance $40” is displayed to a staff member.

The result is that the information in the cloud can no longer be related to individuals and does not contain the sensitive data. This has the advantage of allowing you to use most cloud offerings, but removes many of the privacy issues (by transforming the information into a state where it is no longer sensitive or identifiable) as well as some of the security and residency issues. Depending on the kind of functionality desired and the type of information used, this type of solution can be very effective. Each piece of information that is “swapped out”, however, reduces the amount of functionality from the cloud provider that can be used. For example if you swap the customer name for a token, then the cloud service cannot match records based on name. It also introduces an additional layer of complexity to the overall solution by adding more components and interfaces.

Local Agents, Cloud Management

Some cloud services work by providing a cloud based management solution with local software agents or hardware. These solutions work by creating locally deployed software or hardware that are configured, created, and managed by a cloud based solution. These types of solutions have minimal privacy, residency and security issues but are only available for a relatively limited set of services (for instance integration services).
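
The token swap walked through in the Tokens section above, as an added Python example that is not part of the original paper. The TokenVault class, the tok_ token prefix, the 8-digit account-number pattern and the cloud_add_charges stand-in for the cloud application are assumptions made for illustration; the vault is assumed to stay on-premise.

```python
import re
import secrets
import string

# Assumptions for this example: account numbers are 8 digits, and tokens carry
# a "tok_" prefix so they can never be mistaken for a real account number.
ACCOUNT_RE = re.compile(r"\b\d{8}\b")
TOKEN_RE = re.compile(r"\btok_[a-z0-9]{8}\b")
_ALPHABET = string.ascii_lowercase + string.digits


class TokenVault:
    """Mapping between sensitive values and tokens; assumed to stay on-premise."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so the cloud service can still
        # correlate records for one account without learning its number.
        if value in self._by_value:
            return self._by_value[value]
        while True:
            token = "tok_" + "".join(secrets.choice(_ALPHABET) for _ in range(8))
            if token not in self._by_token:  # never hand out a token twice
                break
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        # A token this vault never issued raises KeyError rather than being
        # passed through and displayed as if it were real data.
        return self._by_token[token]


def outbound(text, vault):
    """Replace every account number before the text leaves the organisation."""
    return ACCOUNT_RE.sub(lambda m: vault.tokenize(m.group()), text)


def inbound(text, vault):
    """Restore the original values in text returned by the cloud service."""
    return TOKEN_RE.sub(lambda m: vault.detokenize(m.group()), text)


def cloud_add_charges(record, charge):
    """Stand-in for the cloud application; it only ever sees tokenised text."""
    m = re.search(r"balance \$(\d+)", record)
    return record[:m.start(1)] + str(int(m.group(1)) + charge) + record[m.end(1):]


def round_trip(record, charge, vault):
    sent = outbound(record, vault)
    returned = cloud_add_charges(sent, charge)
    return sent, returned, inbound(returned, vault)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record, taken from the paper's own worked example.
    for line in round_trip("Account 12345678, balance $20", 20, vault):
        print(line)
```

Because a repeated value always maps to the same token, the cloud service can still group records by account; any field it has to search or match on by content, such as the customer name in the paper's example, loses that function once it is tokenised.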

MANAGING CLOUD PRIVACY, RESIDENCY AND SECURITY RISKS

The lack of standards for privacy and security in cloud computing means that the onus is on the consumer of cloud services to carry out their own investigations and risk assessment. The cloud customer must also contract their privacy and security requirements at an individual level with each of their cloud providers – assuming the provider is willing to do this. We recommend a two-pronged approach to dealing with this responsibility: use a structured process for evaluating options that is cloud-aware; and adopt a few key practices for implementing cloud solutions.

A Cloud-Aware Evaluation Process

If you are considering addressing a business need with a cloud solution, you need to evaluate all of your options with a process that is aware of the particular challenges of cloud computing and alive to its possibilities. The high level process shown in Figure 2 and described below is a basic solution evaluation process that includes additional elements tailored to evaluating cloud options.

Figure 2 A Cloud Aware Evaluation Process

Preparation

To effectively evaluate cloud options you should carry out a realistic risk assessment that is not biased for or against cloud computing. This requires targeted preparation.

Enhance your risk framework

If your organisation already has a security risk management framework or a set of security requirements these may need to be updated to enable them to be appropriately and adequately applied to cloud computing platforms and solutions. The risk management frameworks at many organisations have been around for a while and may be biased against cloud computing because of their focus on locally deployed solutions and an out of date attitude to the internet. Work with your risk management or security teams to remove any negative bias while remaining aware of the special challenges of cloud computing. If your organisation is a part of the New Zealand Government, you should incorporate the risk factors described in SIGS and the SSC Advice on Risk Management.

Understand your information

In order to properly carry out a risk assessment you will need to understand your organisation’s information. This involves detailing:

• The different types and kinds of information your organisation is planning to put in or through the cloud;
• The business criticality and sensitivity of that information.

For applications that you are thinking of putting in the cloud, determine what information they process or use. For databases determine what information they store. If you are looking at cloud storage or Infrastructure-as-a-Service you will need to consider the types of information that could end up residing in the cloud.
Some important information types are: personal details about customers or staff, financial records, strategic information, and product information.

This will assist you in determining:

• What legislation or standards apply to that information;
• What information may go into the cloud;
• What questions you need to ask and assurances you need to receive from your cloud provider;
• Whether there are any additional risks you need to manage;
• What controls you need to put in place when putting that information into the cloud.

Investigate the application of standards and legislation

Based on the discussion of relevant standards and legislation above, and taking into account your type of organisation (e.g. public sector, bank etc.) and the types of information that you are considering placing in the cloud, you will need to determine which standards and legislation apply to your solution. From this you can determine:

• Whether there are any showstoppers (e.g. SIGS rules out the cloud for certain kinds of information);
• What legal requirements you are under;
• What additional controls you should have.

Option Identification

Once you have completed these steps you will know at a high level whether the cloud is a viable option – and what types of cloud. You then need to identify which cloud providers could form part of your solution – as well as which non-cloud options are reasonable alternatives.

Option Assessment

Once you have a candidate list of options, each option can then be assessed from the perspective of privacy, residency and security risks. The following sections outline some of the special considerations that need to be taken into account for solutions with cloud components.

Assess privacy, residency and security risks

Undertake a risk assessment process, focusing on those risks that are particularly relevant to cloud computing as outlined above. You will need to investigate the particular cloud solution to see whether it has any specific risks. Asking your vendor the high level questions in Figure 3 should uncover whether there are any issues peculiar to them or their solution.

The key to performing a risk assessment on a cloud solution is knowing where your data is going to be stored. This allows you to understand any privacy or security risks associated with that location. In particular some jurisdictions have risks due to: a lack of privacy legislation; potentially invasive government surveillance; and a lack of the rule of law.

A particular concern for New Zealand organisations is the scheduled maintenance windows of overseas cloud providers. These are typically organised for the early morning in America or Europe, and so often fall in peak business hours for New Zealand.

Assess cloud provider controls

Once you have a realistic understanding of the business risks associated with placing your information in the cloud you can then assess how your candidate cloud solution(s) will address those risks. To do this you will need to investigate the cloud provider’s ability to meet your privacy, residency and security requirements and what controls they have in place to mitigate specific risks. As one of the rationales of cloud computing is to hide the “how” from view, some of this information may be hard to find – be prepared to ask some hard questions of your vendors.
The high level questions in Figure 3 address the most important controls that a cloud vendor should have in place.

A more detailed list of questions – called the Consensus Assessments Initiative (CAI) – has been assembled by the Cloud Security Alliance (CSA) [8]. Using the CAI questions is a more intensive and time-consuming exercise, but we recommend using a tool such as this if your organisation is considering a significant investment in cloud services, or is looking at putting high risk or business-critical information or processes into the cloud.

• What will happen to your data at end-of-service?
• Where (which jurisdiction) will your data physically reside?
• What are the vendor’s data protection techniques?
• What documentation do they have for auditors?
• What are their identity and access management controls?
• Who has access to your data both within the cloud provider and any subcontracted 3rd parties? What controls and hiring policies do they have in place for those people?
• What are their business continuity and disaster recovery plans?
• What are their failover and availability processes, policies and procedures?
• When do they typically carry out maintenance?
• Do they do vulnerability assessments?
• What is their security architecture?
• What is their security staff like in terms of size and skills?

Figure 3 Questions for Cloud Providers

Investigate additional risk mitigation

After assessing your basic level of risk and investigating any controls implemented by your cloud provider there may still be unacceptable levels of risk. If this is the case you should consider whether there are any additional controls that your organisation can put in place that may reduce the risk to acceptable levels.
The controls that you will need and will be able to introduce will depend on the kind of cloud solution you are investigating and the specific circumstances of your organisation; however, here are a few general strategies that may be of use:

• Introduce policies around how cloud services are bought, provisioned and used;
• Implement access controls such as single sign-on, or use access management software;
• Connect to the cloud provider over a secured network;
• Add security and continuity requirements to your contract with the provider;
• Keep a backup of your data on-premise or at a different provider;
• Have plans in place for loss of service due to internet outages or Denial of Service attacks.

Assess benefits

Any good risk management process should weigh up the potential risks of an option with its potential benefits, taking into account the organisation’s appetite for risk along with its desire for specific benefits. In many cases, as the benefits of cloud computing are quite different to those of in-house deployments, doing this thoroughly requires an explicit understanding of the benefits of a cloud option, especially those that are peculiar to the cloud.

Option Comparison and Selection

It is important to compare the risk assessment of the cloud solution with a realistic risk assessment of the current state (if there is one) or a proposed on-premise or traditional outsourcing solution so that the relative merits of the cloud option(s) can be understood. Too often a thorough risk assessment of a cloud solution scares people off as it is viewed in isolation rather than being compared with an equivalent assessment of the current on-premise solution or other alternatives.

Practices for Reducing Implementation Risks

Beyond risk assessments there are a number of other practices that can be used to reduce the privacy, residency and security risks of cloud computing.

One way that many organisations are getting experience with cloud security is by implementing low risk applications, with low risk and non-sensitive business information. This can help the organisation identify issues with the way that they manage security with cloud providers as well as building confidence and trust for addressing more critical processes.

For significant cloud solutions good vendor management practices should be key parts of addressing any security issues, for example:

• Put in place clear Service Level Agreements (SLAs) that define what security controls the cloud provider must put in place, and what penalties are to be imposed if they are not met;
• Get a clear, binding commitment that you can get your data back and that the data will be securely removed from their equipment at your request;
• Where possible use contracts to address inadequacies in local privacy legislation.

When it comes to personal information a good practice to follow is to minimise what is sent to the cloud.
This reduces the effort required to manage any privacy risk, and merely follows the good privacy principle of only collecting the minimum amount of personal information that is needed to perform the business task.

Finally you need to remember that the overall solution is not limited to the cloud service alone. The complete solution may well include your organisation’s people and processes as well as elements of its infrastructure, application and data. Managing the parts under your control can decrease or increase the security risk.

IN CONCLUSION

It is our opinion that New Zealand organisations should routinely assess the cloud as an option when delivering IT solutions. Utilising the cloud is essential in today’s environment of increased competition in the private sector and increasing demand for efficiency and cost-effectiveness in the public sector. Understanding and managing the privacy, residency and security risks – while not exaggerating them – is essential to realising the greatest benefit from cloud computing. Refusing to use the cloud due to fear, uncertainty and doubt, or leaping into cloud use without examining the risks, are both fraught approaches that could see your organisation losing out. In the first case you are not taking advantage of the efficiencies and cost reductions available. In the second, you are exposed to the possibility of reputation damage or compliance penalties if any of the real but unaddressed risks become reality.

The potential benefits to New Zealand and New Zealand organisations of cloud computing are immense. A small country, at great distance from the commercial centres of the world, we are able to take advantage of the scale and innovation of larger players. Will our fear of the pitfalls of cloud computing hold us back? Or can we take the opportunity to carefully and considerately assess the real risks and benefits inherent in this new trend and use it to drive organisational success?

ENDNOTES

1. A Guide to the Privacy Act 1993, Office of the Privacy Commissioner, 2009.
2. Information and Privacy Principles, Office of the Privacy Commissioner, 2009.
3. PADLOCK: an Easy Checklist to Help Get Privacy Right, Office of the Privacy Commissioner, 2010.
4. Revenue Alert RA 10/02, Inland Revenue Department, 2010.
5. Outsourcing Policy, Financial Stability Department, Reserve Bank of New Zealand, 2006.
6. Security in the Government Sector, Department of the Prime Minister and Cabinet, 2002.
7. Government Use of Offshore Information and Communication Technologies (ICT) Service Providers: Advice on Risk Management, State Services Commission, 2009.
8. Consensus Assessments Initiative Questionnaire, Cloud Security Alliance, 2010.