15 Expert Recommendations to Address Privacy Challenges in the Cloud
“Cloud computing has been envisioned as the next generation paradigm in computation. In the cloud computing environment, both applications and resources are delivered on demand over the Internet as services. Cloud is an environment of the hardware and software resources in the data centers that provide diverse services over the network or the Internet to satisfy user’s requirements” (Hindawi )
The digital transformation
The rapid development of information technology has given new challenges on privacy. Digital technologies such as cloud computing and the Internet of Things (IoT), have a direct impact on how we retrieve, use and protect the information.
In the digital economy today, connectivity and information flow are becoming global. Data flows across borders are fundamental to the success of companies and individual consumers, who benefit from the services available globally.
Cloud computing in a global economy
The globalization of business and social connectivity has caused the privacy issues grow in scope and complexity. It also brought new challenges for regulators and privacy professionals in all organizations.
The pace of cloud adoption around the world is getting fast. The cloud increasingly becomes important in our daily work and in our own lives. Accessing to cloud services offers a unique opportunity to achieve a more integrated world. It allows us to collect, store and transfer information from anywhere in the world. This ability to transfer information across national borders provides a tremendous value to the society.
Understand privacy issues in the cloud
As cloud services becomes essential element of competition, privacy and information security also becomes another competitive element in the global market. Privacy professionals around the world need to find ways to balance incentives for businesses and concerns about privacy risks.
When planning a migration to external cloud provider, privacy is a key concern the companies may have. How to meet the privacy regulations and requirements in different countries is one of the biggest challenges when implementing a cloud solution because fully compliant with all these requirements can be very difficult.
Who should be responsible for privacy protection in the cloud?
Although cloud services brought many benefits, there is a right way and a wrong to adopt the cloud. Many people think that storing personal data in the cloud will reduce privacy protection. However, this confusion exists mainly because the lack of understanding of the cloud and the countless computing solutions that are named the cloud.
Evaluating and planning properly such as selecting a reliable supplier and employing proper cloud deployment model can help companies make smart decisions around the cloud. Additionally, this can allow for better privacy protection in the cloud. Companies need to understand:
- how the information is transmitted between multiple clouds or other external vendors?
- key roles played by different cloud providers; and
- different security layers and the underlying architecture.
In short, the cloud users are responsible for the information up to the cloud. Although cloud providers are responsible for security in the cloud, users are responsible for the privacy and control of personal information stored in the cloud.
What are the recommendations from the experts?
The Council of European Professional Informatics Societies (CEPIS) has put together 15 recommendations to be considered for cloud computing privacy protection:
- Risk management and (legal) compliance issues must be well defined in the contract between cloud computing provider and customer and should enable transparency with regard to the processing and storage of data.
- The service provided shall be compliant with the regulation and legislation that the customer needs to follow, and also customers should be enabled to be compliant with the respective regulation and legislation.
- The problems and risks that affect data protection rules in Europe must be considered properly when cloud computing platforms are located on servers in non-European countries.
- The communication line between the cloud computing provider and the customer has to be adequately protected to ensure confidentiality, integrity, authentication control and further to minimise the risk of denial-of-service attacks. An open and clear specification of the measurements taken to ensure the security of the communication line should be obligatory for any cloud computing provider and should be based on open and transparent standards and technologies.
- The cloud computing providers should be obliged to ensure data confidentiality.
- Mandatory deletion of data should be included into potential regulation of cloud computing services, but it should not be relied upon too much.
- The fact that there is no guaranteed complete deletion of data needs to be considered, when data are gathered and stored.
- In order to guarantee the availability of data, local backup of essential data by customers should be considered.
- Development and better promotion of software that enables local data transfers between devices should be encouraged.
- The telecommunications network that supports the cloud computing services should be secured and protected against malware and DOS attacks.
- Adequate logging and auditing should be provided. An external audit can be beneficial for the reputation of the cloud computing providers as well as for strengthening the trust with the customer.
- Non-professionals (e.g. the usual user) should be educated with regard to the new paradigm. Education should prepare them to make competent decisions on using cloud computing services including what information should be transferred into the cloud and under what circumstances.
- Professionals should be skilled to manage the new types of risks.
- Given that some regulation will be needed in the future, e.g. to balance the power between providers and customers of cloud computing services, it would be wise to consider its weaknesses and issues before cloud computing becomes a critical service or infrastructure. It needs to be checked which of the dimensions of conflict and regulatory potential will be relevant (e.g. the guarantee and liability with regard to confidentiality and integrity of processed data). In particular when a cloud computing provider becomes part of a critical information infrastructure some regulation or limitations concerning their possible takeover by another party may be appropriate.
- Research on the basic concepts and issues in informatics, security, and privacy and their consequences and trade-off’s with regard to cloud computing should be encouraged. Also issues concerning the possible impact of cloud computing platforms on the validity of certification of applications that are certified according to criteria (e.g. Common Criteria, European Privacy Seal, etc.) may need to be investigated.