Privacy Compliance

Depending upon which country you are in, people have varying rights regarding the data that you hold about them. Typically, an individual can ask to see this data or have it destroyed, and the data must be treated as confidential and not shared with other parties without the express permission of the individual. This situation is the same whether the data is behind a firewall or in the Public Cloud. However, Public Cloud-based data has additional challenges. Regulations vary between countries, with stricter privacy controls imposed by law in Europe compared to those in the USA.


Note:
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Reference Architecture for Private Cloud documentation is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this article, please include your name and any contact information you wish to share at the bottom of this page.


Geographic Compliance

Most Public Cloud systems are international and this brings many benefits. The data can be accessed worldwide with minimal latency, there are remote backup copies of data which would be unaffected by natural disasters at a particular location, and the cloud vendor (Cloud Service Provider or CSP) can keep prices low by using sites in countries with lower costs.

There are risks which come with international storage and these should be assessed and mitigated through SLAs and contracts. There are also regulations that require the disclosure of private data to government agencies. Regulations which require privacy in one country are often contradictory to regulations which require disclosure in another. Geographic considerations mostly affect data storage, but may also affect data processing.

For example, in the United States of America the Federal Rules of Civil Procedure allow for discovery requests which would breach both European and Canadian law. To further compound the issue, laws differ regionally. In the United States the Federal Rules of Civil Procedure have been adopted in only 35 states, whilst in Europe you might need to consider federal, national, and European law.

The reason that this is of particular concern to cloud computing is the geographically dispersed nature of Public Cloud storage. Unfortunately, the technology has progressed at a far faster rate than the laws governing it, and Public Cloud vendors often seem unaware of, or uninterested in, current regulations. You should consider:

  • whether regulations are enforced based on where the data is stored,
  • where the data is processed, or
  • where the individual resides that the data concerns.
You must ensure that you know where your data and processing will occur and that you meet all regulations in those locations.

It is likely that this situation will be resolved in the near future as the Organisation for Economic Co-operation and Development (OECD) Directorate for Science, Technology and Industry is implementing guidelines on the protection of privacy and trans-border flows of personal data.

Industry Compliance

Industry compliance considerations are typically seen as an area where many cloud migrations flounder. Organizations such as financial and medical institutions typically operate under strict compliance regulations, so these bodies are always particularly aware of any issue that can have a regulatory implication. Typical regulatory requirements can include:

With Public Clouds, the idea of placing data that is subject to any regulatory oversight into this nebulous area called "the cloud" where it will be in the hands of a third party is simply not to be countenanced. And in many ways, this is an entirely understandable position to take. The fact is that it is the data owner who is responsible for meeting the terms of whatever regulation applies to that organization, regardless of any contracts with any third-party organizations.

Conversely, with Private Cloud implementations, there are significant advantages to be realised from this type of environment. One major advantage of implementing a Private Cloud is the possibility that data is no longer stored on individual computers. This fundamental shift in storage location should be enough to interest compliance officers, because Private Cloud systems can make their lives simpler by centralizing data in one area where it can be tracked and audited more effectively.

Compliance Factors

There are many areas that have to be considered when seeking to look at migrating to a cloud architecture from a compliance perspective. Compliance factors in cloud-based environments include:

  • Platform integrity and security. You must consider what possible vulnerabilities might arise from adopting a cloud-based environment and the risks that those vulnerabilities might bring. With SaaS and PaaS, responsibility for ensuring platform integrity and security is shared with the service provider, but with IaaS, the responsibility for this integrity and security falls entirely on the hosted organization.
  • Who has access to the applications and the data that those applications process? Just as on a local area network, you want to be sure that only authorized people have access to your applications and data. You should know that there are processes in place for defining users and specifying access rights, and that these user accounts map to individuals within your organization for compliance reporting.
  • What access rights do privileged users have? The administrative staff of the organization providing the cloud service will need rights to the applications that run within the cloud service in order to manage the service. However, you must satisfy yourself that there are mechanisms in place to prevent them from viewing the data.
  • Where is the data stored? Certain compliance regulations specify that data must reside within a particular country or region. For example, the Data Protection Act in the UK specifies that any data covered by this act must be stored in the European Union. But you might want to consider whether storing information on cloud premises in a country nearly two thousand miles away that is going through severe political and financial upheaval is a wise choice. In consequence, you may want to be more prescriptive about where your data is stored or processed. If you do, you need to ensure your cloud service provider is flexible enough to provide this type of data segregation.
  • What facilities are there for federated reporting and auditing? Auditing and reporting form a central part of compliance checking, and it is vital that any cloud service that you select provides federated reports across the entire environment and can also generate and supply adequate auditing information for any likely investigation of your computing environment. For example, can you track a user’s interaction with a web service from end to end?
  • What happens when you stop using the service? You must be certain that you know what is going to happen to any data when you stop using your cloud provider’s service. You should know that any stored or residual data (for example, cached transaction data) is deleted completely within a set timescale. Importantly, this data destruction should be carried out at each cloud location, so that replicas of the data that were not wiped cannot be used to restore the destroyed information.

Compliance and Contracts

Managing compliance effectively within a cloud environment starts with the contract with your cloud provider. This contract should cover areas such as:

  • Data and Data Retention – who is responsible and what happens to any data on cessation of the contract?
  • Liability – who has legal liability for compliance issues?
  • Jurisdiction Issues – in which countries will data be stored or applications that use data run?
  • Privacy – what measures are in place to ensure privacy and to protect user data from compromise? Does the provider collect and analyse information for their own use, and what is the regulatory effect of this?
  • Information Security Laws – what are the responsibilities of the service provider (and the customer) to provide notifications of any breaches?
  • Information Requests – how are information requests from legitimate authorities (e.g. government and police) to be handled? If in a public sector environment, how will Freedom of Information Act (FoI) requests be managed?
  • Auditing – who has access to the audit logs, where are they stored and for how long are they kept?

Compliance and Risk

Ultimately, you have to be able to trust your CSP, which in turn requires a degree of transparency from that provider as to their operational processes and environment. This balance between transparency and the opposing requirement for confidentiality is a major challenge. What you need as a customer is the ability to make informed decisions as to the degree of risk that moving to a cloud-based environment entails, while not requiring the cloud service provider to disclose their proprietary systems and processes.

Note:
This degree of risk will vary according to the confidentiality of the data that you are processing in the cloud and the level of regulatory oversight to which your organization is exposed.

Like any other large IT project, the core part of moving to a cloud computing environment is assessment and management of the risk associated with this move. In many ways, these risks are broadly the same as with any other outsourcing project; it is just that the nature of the computing environment is less well defined (unlike a data center outsourcing, you may not be able to visit the multiple facilities that are hosting your cloud-based environment) and your relationship with the cloud service provider may primarily be through a web portal, not through face-to-face meetings.

As with any area that involves compliance, it is essential that you have confidence in your cloud services provider. A key factor in establishing that confidence is to look for providers who can demonstrate that they meet the following standards:

RESOURCES:

Regulatory Compliance: Is it Impossible in the Cloud?

