IT decision-makers have considerable concerns about private and hybrid cloud implementations in the areas of legality, data protection, personally identifiable information (PII), and compliance. These requirements are particularly important in hybrid implementations, where you or business units within your organization may be in the position of the customer to a public cloud supplier.
Organizations looking at implementing a private cloud infrastructure are likely to need to ensure effective governance of the new environment. The management stack of the private cloud architecture should enable management to view security aspects of the environment and show the current threat levels to the organization. Typically, governance oversight is provided through a web-based dashboard that translates the technical aspects of security issues into understandable business language.
Organizations in certain industry verticals such as health, financial operations, and the provision of public services fall under the auspices of a range of compliance requirements and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA). With international organizations or hybrid implementations, it is possible that moving to a private cloud environment may result in users in one country with one set of regulations accessing data in another country with a different or even conflicting set of requirements.
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project.
The requirement for access to company data by law enforcement agencies is another area that must be examined carefully. For example, an organization may be presented with a subpoena to make its e-mail records available. If this occurs, what is the effect on client confidentiality for data owned by a business unit from a different continent? Business units must be aware that these risks exist and that they may be exposed to the legal requirements of a different jurisdiction.
Ultimately, your organization needs to be aware of the compliance requirements of all the countries in which it operates. One conclusion may be that data from one country cannot be hosted in another, as can be the case with public cloud implementations.
The most effective approach to mitigating legal issues is to implement a fully integrated governance, risk management, and compliance framework. This framework would need to be defined at the highest level and then designed into the private cloud implementation.
Personally identifiable information (PII) is data that enables a living person to be identified. The US Office of Management and Budget identifies the following information as PII.
Protection of PII can be a significant issue with organizations that operate in multiple jurisdictions. For example, legislation such as the Data Protection Directive of the European Union (Directive 95/46/EC) governs the protection of PII in Europe. Among other requirements, this legislation requires data holders to give notice to users that their data is being stored and grant them access to correct inaccurate data. This data must also be protected from potential abuses. Hence, storing personal data can be a significant complication.
This complication arises not from the fact that the data might be insecure, as cloud environments can be made as secure as more traditional data centers. In this case, the issue is about granting access to the owner to amend the data. If your organization needs to store PII and you have a legal requirement to enable the owner of that data to change it, then you should consider how that information can be presented to the owner and amended if required.
Your organization must create a statement that covers its collection, collation, storage, management, transfer, and deletion of PII. This statement must address the process for releasing the information to the original owner and to any third parties, such as a hosted cloud provider.
The US Patriot Act also introduces complications for multinational organizations that are wholly owned by US companies but operate in other parts of the world. If this situation applies to your organization, you should review the requirements of this act when planning data storage and PII.
The basis of the private cloud legal relationships between the IT department and the business units of the organization that subscribe to those services will be contained within a number of documents. These documents should align with the IT Infrastructure Library (ITIL) Security Management process and include:
All of these documents must set out clearly the security considerations of using the private cloud service, what activities are prohibited, and any penalties for contravention of these prohibitions. They should highlight that security responses may be automated and that manual intervention may be required to undo those responses. The legal documentation must also set out the process for establishing the identity of the consumer in the case of activities such as password resets or account provisioning and deprovisioning.