How to Safeguard Against the Privacy Implications of Cloud Computing
The definition of cloud computing is quite controversial but the general consensus, good enough for our purposes, is that it is really just a metaphor for the Internet and refers to the storing and accessing of resources over the Internet instead of on your computer’s hard drive. As IT World’s Kevin Fogarty says, cloud computing is “just really good virtualization.”
Whatever the definition, using cloud computing (remember: it is a model, not a technology), businesses are able to provide a variety of digital services to individuals and businesses. Some examples include social and business networks, job search boards, secure storage facilities, as-a-service models, test and development environments, online shopping, collaboration applications, online document management, news services, streaming music and video, etc.
The problem is that cloud services are prone to privacy vulnerabilities and while multiple new industry segments in cybersecurity have rapidly evolved to help secure the privacy of user data, the cybercriminal underground always seems to be keeping pace.
In this article, we will take a look at the privacy issues in cloud computing and how to safeguard against them.
To learn more about the privacy risks using social media like Facebook, a cloud platform, consider reading User Privacy: The Price Paid and 5 Social Media Site Privacy Issues You Should Worry About.
Top Security Threats Facing Cloud Computing
A report by the Cloud Security Alliance (CSA) warned that “Among the most significant security risks associated with cloud computing is the tendency to bypass information technology (IT) departments and information officers. Although shifting to cloud technologies exclusively may provide cost and efficiency gains, doing so requires that business-level security policies, processes, and best practices are taken into account. In the absence of these standards, businesses are vulnerable to security breaches that can erase any gains made by the switch to cloud technology.” It identified the top 12 threats as:
- Data breaches
- Insufficient identity, credential and access management
- Insecure interfaces and APIs
- System vulnerabilities
- Account hijacking
- Malicious insiders
- Advanced persistent threats
- Data loss
- Insufficient due diligence
- Abuse and nefarious use of cloud services
- Denial of service
- Shared technology vulnerabilities
Each one of these risks has implications for an individual’s privacy. What these threats have in common is unauthorized access to data. A few examples of vulnerable access areas that threaten users’ privacy and provide opportunities for the theft of personal data include:
- Malicious insiders. Employees working at a cloud service provider could have unrestricted access to sensitive company resources
- Insecure APIs. An attacker stealing a token used by a customer to access the service through a service API can use the same token to manipulate their data
- Shared technology issues. An attacker can hack into a virtual machine (VM) and then piggyback into other VMs on the server
- Account hijacking. Watering-hole attacks and Denial of Service (DoS) attacks are just two ways criminals can illegally gain unauthorized access to a system and steal personal data
When Clouds Turn Dark
Cloud computing is based on access rather than ownership. But the same features that make it so accessible and usable – including elasticity, multi-tenancy and powerful resource utilization – also create security issues.
Three of the main challenges are geography, configuration management and auditing.
In a Tech Target article, Matthew Pascucci identifies four potential problem areas for Platform as a Service (PaaS):
- Some PaaS systems may be up and running only for short periods of time, so auditing them is a unique challenge
- Considering incident response and forensics, the challenge of preserving, collecting and analyzing data on moving systems may be something the organization isn’t prepared for
- Sensitive data could be stored in different geographical locations and moving data between applications can have privacy implications
- With regard to configuration management, the last thing you want is to have multiple systems throughout your infrastructure that could increase your risk footprint
An article by Wired magazine (see Sources) reviews the disadvantages of the Platform-as-a-Service (PaaS) space. On privacy, it notes:
- Strict national data privacy laws mean that data about many European customers must by law be stored in servers located within the countries’ borders. “As a result, cloud or hosted applications must be run from data centers in multiple countries. Most multitenant PaaS providers will find it difficult to make that happen.”
- If a cloud database is breached, chances are a hacker will be able to steal the data of “dozens or hundreds of different business customers.”
Writing on LinkedIn, Alan Dennis explores multi-tenancy and privacy issues: the primary issue, he says, is that because resources share hardware, there is an inherent security risk — for instance, proximity-based attacks.
“Because cloud computing platforms are open, they are subject to attacks from within and from the outside. While most cloud service providers offer security mechanisms such as firewalls and virtual networks, the underlying data storages servers may be a vulnerability.”
In addition, “Many issues with cloud security are a product of improper configuration of environments.” And while Dennis does not mention this explicitly, it is sometimes the customer who does not have the knowledge to configure their system for maximum security.
Sharing cloud resources means that users must share a network infrastructure. As discussed in the Chicago Policy Review, there are multiple dangers associated with virtual networks:
- As networks can’t be monitored by protection mechanisms in the underlying physical network, virtual networks are actually an obstacle to standard detection and prevention mechanisms
- In addition, users do not have as much control over their data as they would if it was stored using traditional methods, which raises concerns about data integrity, privacy, recovery vulnerability, media sanitization and data backup
Safeguarding Against Key Cloud Computing Privacy Issues
There are multiple tactics you can use to safeguard against identified cloud-computing privacy issues. Remember that these are not all of the potential issues with cloud computing; new ones are detected and resolved all the time. However, these are the factors to consider for immediate security.
Utilize multifactor authentication and encryption to ensure against information breaches and the theft of personal data.
Implement strong network traffic encryption and select an “intelligent solution.” Modern Host Intrusion Prevention Systems (HIPSs) can monitor networks for suspicious behavior, unlike standard Intrusion Detection Systems (IDSs) that provide notification only of attacks made with known intrusion signatures. An Intrusion Prevention System (IPS) can identify known intrusion signatures and some unknown attacks because it keeps a database of generic attack behavior and can intelligently alert security employees about unusual activity.
State-of-the-art network security is ideally a mix of IDS, IPS, and an application layer firewall. Advanced analytics powers intelligence and can enable real-time visibility into a cloud’s infrastructure.
Strong identity, credentials and key management software can mitigate the risks of attacks and protect the APIs that customers use to manage and integrate with cloud services. In addition, ensure insiders are well-vetted, and destroy the credentials of employees who have left the company.
Anyone dealing with personal information should be trained on handling data securely. Limit data access to what a user needs. In some instances, you may want to limit what a user can access depending on the device they are using, e.g. not being able to log into the network from a cell phone.
Understand privacy compliance like the Clarifying Lawful Overseas Use of Data (CLOUD) Act. What data stored abroad can be legally accessed by U.S. law enforcement has always been a contentious issue. The CLOUD Act, signed into law in March 2018, seeks to clarify who can access what, and where. The General Data Protection Regulation (GDPR) is a European Union regulation, but it is extraterritorial and has implications for anyone that does business with Europe.
Ensure individuals know what personal information is being held and how it is being held, and that there is a mechanism in place to remove them from the database if they opt out of a service or choose to be forgotten. This is mandatory in global compliance laws. Not communicating with your users about what, how and when you use their data could land you in hot water.
Storage and Data Loss
Privacy laws in different countries may place limitations on the transfer of some personal data to other countries. Understand where data may be heading and the law in that location. Accidents happen, and so do physical so-called “Acts of God.” Have good backup, disaster recovery and business continuity plans in place. And remember, backups should be encrypted. Many organizations solve (some) privacy issues by retaining control of sensitive data on-site. See Geography below.
A business that does not have written security and privacy policies – from data retention and destruction policies to BYOD guidelines and third party Service Level Agreements (SLAs) – is a breach of privacy data waiting to happen. Such an organization will not only be deemed untrustworthy and undependable by its customers, its employees will not understand their responsibilities in securing private data.
Auditing and Monitoring
An article published by Ericsson warns that traditional auditing procedures are not always viable in the cloud. “Current practices such as design document verification, network traffic injection and penetration testing don’t work in an environment where tenants share resources, and network parameters change quickly and dynamically.” Possible solutions: a Security Information and Event Management (SIEM) tool, a cloud-specific tool such as those from Cyxtera (now owner of the popular CatBird Secure), or a cloud-based service like Amazon Web Service (AWS).
The Information Technology and Innovation Foundation (ITIF) has published a list of the main regulations governing data flow globally. Some of the information showcases some potential problems for cloud computing. For instance, in 2012, Australia enacted the Personally Controlled Electronic Health Records Act, which requires that personal health records be stored only in Australia.
It’s not just you: misconfigured Amazon Web Service (AWS) S3 buckets in 2017 opened the way for man-in-the-middle attacks on servers containing data from websites around the world, and made news headlines. Take control with open source tools like Chef, Ansible, Puppet, Docker and Salt Open.
A Final Word on Cloud Computing and Privacy Issues
Most important of all, organizations should understand their responsibilities for securing their customers’ data in the cloud. One small slip could mean disaster; when it comes to privacy, there’s no such thing as too much security.
For the final word, we’ll return again to journalist Kevin Fogarty. In an article appropriately titled “Why is IT so bad at cloud computing?”, he makes an amusingly snippy observation: “Cloud providers aren’t there to rent you slivers of utopia for which you can pay by the hour and only for as much heaven as you can use […] It might be the provider’s fault another customer’s hackers were able to approach your VMs; it’s your fault there was nothing to stop them once they got there.”
Learn all you need to know about cloud computing with InfoSec Institute’s comprehensive collecting of cloud resources.
Cloud Computing Definitions and Solutions, CIO
The Treacherous 12: Top Threats to Cloud Computing, Cloud Security Alliance
Up in the Cloud: Data and Security Concerns in Cloud Computing, Chicago Policy Review
What Are the Key Privacy Concerns in the Cloud, Thesis Scientist
Network Protection: adding intelligence to security, CloudAcademy Blog
The U.S. CLOUD Act and the EU: A Privacy Protection Race to the Bottom, Electronic Frontier Foundation
Why is IT so bad at cloud computing?, IT World
Shazia Tabassam, “Security and Privacy Issues in Cloud Computing Environment,” Journal of Information Technology & Software Engineering