One area that is greatly affected by cloud computing is privacy. It’s important to remember that although the control of cloud computing privacy has many threats and vulnerabilities in common with noncloud processes and infrastructure, it also has unique security issues.
For example, a successful identity theft exploit can result in a privacy loss that has a huge impact on an enterprise. The organization can suffer short-term losses due to remediation, investigation, and restitution costs. It can also incur longer term problems for the organization due to loss of credibility, confidence, and negative publicity.
Another mistake organizations often make is assigning responsibility for privacy controls to the IT department rather than to the business unit that owns the data.
Information systems security frameworks have defined, standardized processes that apply to cloud computing — and its potential privacy breaches. This section examines the legal and standard processes that affect privacy control in the cloud.
An individual’s right to privacy is embodied in the fundamental principles of privacy:
Notice — Regarding the collection, use, and disclosure of personally identifiable information (PII)
Choice — To opt out or opt in regarding disclosure of PII to third parties
Access — By consumers to their PII to permit review and correction of information
Security — To protect PII from unauthorized disclosure
Enforcement — Of applicable privacy policies and obligations
Privacy definitions vary widely, especially when we start to wander out of the United States. The definition of personally identifiable information (PII) as described by the Office of Management and Budget (OMB) is as follows:
Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.[1]
Variations of this definition are used by compliance regulations such as HIPAA and EU directive 95/46/EC:
. . . “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. . .[2]
The Payment Card Industry Data Security Standard (PCI DSS)
PCI compliance refers to a 12-step security certification standard called the Payment Card Industry Data Security Standard (PCI DSS), which is required in order to help minimize privacy loss and reduce identity theft vulnerabilities in the credit card industry. Any organization that stores, processes, or transmits card data is covered by PCI, regardless of the number of transactions per year. How the organization must verify this compliance varies according to its volume of annual card transactions.
The consequences of noncompliance depend on the rules of the specific enforcement program. If the audit finds some gaps in meeting the requirements, usually the organization is expected to develop a plan for addressing the gaps, setting specific target dates. However, if there are gaping holes in their security, if they suffer a breach, or if they haven’t had an audit or even started a compliance program, then it would likely be a different story.
Noncompliance can result in fines for merchants and service providers — that is, whether cardholder data is processed and stored by the company or by a third party.
How an organization proves compliance depends on the number of transactions it processes.
Merchants and service providers with higher levels of transactions have to pass an on-site audit every year. Those with lower levels of transactions must submit documentation stating that they meet the requirements, called a self-assessment questionnaire.
The PCI DSS contains the following set of 12 high-level requirements that are supported by a series of more detailed requirements:[3]
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Use and regularly update antivirus software.
Develop and maintain secure systems and applications.
Restrict access to cardholder data based on the business’s need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security.
As of the writing of this book, there is much discussion within the PCI QSA (Qualified Security Assessor) community regarding the proper process to audit and certify a cloud computing environment that requires PCI DSS compliance.
There is no reason why the 12 PCI requirements can’t be applied to cloud computing and virtualization. However, it is questionable whether a company that has all of its infrastructure and processes in the cloud can actually be PCI compliant, or whether all compliance-related activities can only be properly executed by the CSP.
THE PCI DSS AND VIRTUALIZATION
The most current revision of the PCI DSS (v1.2) still doesn’t have any reference to cloud computing. The PCI SSC Virtualization Special Interest Group (SIG) is developing an Information Supplement to the PCI Data Security Standard (DSS) to provide guidance on the use of virtualization technology, with its final release targeted for the calendar year 2010.
The PCI DSS states that an assessor must clearly state which third party components should be included within a PCI assessment. The third party must have a PCI assessment conducted; however, this assessment can be conducted at the time of the assessment of the original company. This means that cooperation from cloud computing service providers may be required to gain PCI-compliance for components within the cloud.
Some points regarding PCI and cloud computing can be addressed right now (thanks to Nick Coblentz, senior consultant within AT&T Consulting Services’ Application Security Practice, for this list):
Segmentation needs to be evaluated as it applies to virtual infrastructure, such as Amazon’s physical infrastructure.
Companies will need to establish compliance with at least some of the cloud provider’s components and companies will likely need cooperation from cloud providers in obtaining PCI compliance.
Companies may need to plan ahead and/or get cooperation from cloud providers regarding logging and forensics. Specialized virtual images can be created to assist with forensics or incident investigation.
Companies should verify and document the cloud provider’s use of anti-virus software on host operating systems, cloud storage, and other components.
FOR MORE INFORMATION
For more information on the privacy implications of cloud computing, see the May 2008 report by Ann Cavoukian, “Privacy in the Clouds: A White Paper on Privacy and Digital Identity: Implications for the Internet” (Information and Privacy Commissioner of Ontario), www.ipc.on.ca/images/Resources/privacyintheclouds.pdf.
Information Privacy and Privacy Laws
There are many types of legal systems in the world, and they differ in how they treat evidence, the rights of the accused, and the role of the judiciary. These laws have a significant privacy impact on cloud computing environments, yet vary widely.
Examples of these different legal systems are common law, Islamic and other religious law, and civil law. The common law system is employed in the United States, United Kingdom, Australia, and Canada. Civil law systems are used in France, Germany, and Quebec, to name a few.
Organizations develop and publish privacy policies that describe their approach to handling PII. The websites of organizations usually have their privacy policies available to read online, and these policies usually cover the following areas:
Statement of the organization’s commitment to privacy
The type of information collected, such as names, addresses, credit card numbers, phone numbers, and so on
Retaining and using e-mail correspondence
Information gathered through cookies and Web server logs and how that information is used
How information is shared with affiliates and strategic partners
Mechanisms to secure information transmissions, such as encryption and digital signatures
Mechanisms to protect PII stored by the organization
Procedures for review of the organization’s compliance with the privacy policy
Evaluation of information protection practices
Means for the user to access and correct PII held by the organization
Rules for disclosing PII to outside parties
Providing PII that is legally required
Privacy laws attempt to provide protection to an individual from unauthorized disclosure of the individual’s personally identifiable information (PII). For example, the Health Insurance Portability & Accountability Act (HIPAA) lists the following 16 items as a person’s individual identifiers:
Names
Postal address information, other than town or city, state, and zip code
Telephone numbers
Fax numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifi ers and serial numbers, including license plate numbers
Device identifi ers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including fingerprints and voiceprints
Full face photographic images and any comparable images
Privacy Legislation
The following list summarizes some important legislation and recommended guidelines for privacy:
The Cable Communications Policy Act provides for discretionary use of PII by cable operators internally but imposes restrictions on disclosures to third parties.
The Children’s Online Privacy Protection Act (COPPA) is aimed at providing protection to children under the age of 13.
Customer Proprietary Network Information Rules apply to telephone companies and restrict their use of customer information both internally and to third parties.
The Financial Services Modernization Act (Gramm-Leach-Bliley) requires financial institutions to provide customers with clear descriptions of the institution’s policies and procedures for protecting the PII of customers.
The Telephone Consumer Protection Act restricts communications between companies and consumers, such as telemarketing.
The 1973 U.S. Code of Fair Information Practices states that:
1. There must not be personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about them is in a record and how it is used.
3. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another purpose without their consent.
4. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take precautions to prevent misuses of that data.
Health Insurance Portability and Accountability Act (HIPAA)
An excellent example of the requirements and application of individual privacy principles is in the area of health care. The protection from disclosure and misuse of a private individual’s medical information is a prime example of a privacy law. Some of the common health care security issues are as follows:
Access controls of most health care information systems do not provide sufficient granularity to implement the principle of least privilege among users.
Most off-the-shelf applications do not incorporate adequate information security controls.
Systems must be accessible to outside partners, members, and some vendors.
Providing users with the necessary access to the Internet creates the potential for enabling violations of the privacy and integrity of information.
Criminal and civil penalties can be imposed for the improper disclosure of medical information.
A large organization’s misuse of medical information can cause the public to change its perception of the organization.
Health care organizations should adhere to the following information privacy principles (based on European Union principles):
An individual should have the means to monitor the database of stored information about themselves and should have the ability to change or correct that information.
Information obtained for one purpose should not be used for another purpose.
Organizations collecting information about individuals should ensure that the information is provided only for its intended use and should provide safeguards against the misuse of this information.
The existence of databases containing personal information should not be kept secret.
HIPAA addresses the issues of health care privacy and plan portability in the United States. With respect to privacy, this Act states, “Not later than the date that is 12 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall submit . . . detailed recommendations on standards with respect to the privacy of individually identifiable health information.” This Act further states “the recommendations . . . shall address at least the following:
The rights that an individual who is a subject of individually identifiable health information should have
The procedures that should be established for the exercise of such rights
The uses and disclosures of such information that should be authorized or required”
The Final Privacy Rule refers to security issues as illustrated in the following statements:
“1. Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
2. Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.”
HITECH Act
The security and privacy rules of HIPAA (Health Insurance Portability and Accountability Act) took effect in 2003, but the healthcare industry did not take any of it seriously, as there was a lack of any real enforcement. The passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 is expected to change all of that. The HITECH Act not only strengthens HIPAA requirements, but also adds additional incentives for companies to switch over to electronic records while ensuring security.
One immediate impact of the HITECH Act is the significant expansion in the number of entities covered under HIPAA and increased accountability and liability to business associates. It expands the HIPAA Privacy Rule and security standards, adds provisions for breach notification, and changes the rules for business associates.
Platform for Privacy Preferences (P3P)
The Platform for Privacy Preferences (P3P) was developed by the World Wide Web Consortium (W3C) to implement privacy practices on websites. The W3C P3P Specification states that “P3P enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.”
The W3C P3P document can be found at www.w3.org/TR. With P3P, an organization can post its privacy policy in machine-readable form (XML) on its website. This policy statement should include the following:
Who has access to collected information
The type of information collected
How the information is used
The legal entity making the privacy statement
The P3P specification contains the following items:
A standard vocabulary for describing a website’s data practices
A set of data elements that websites can refer to in their P3P privacy policies
A standard schema for data a website may wish to collect, known as the P3P base data schema
A standard set of uses, recipients, data categories, and other privacy disclosures
An XML format for expressing a privacy policy
A means of associating privacy policies with Web pages or sites and cookies
A mechanism for transporting P3P policies over HTTP
A useful consequence of implementing P3P on a website is that website owners are required to answer multiple-choice questions about their privacy practices.
This forces the organization sponsoring the website to think about and evaluate its privacy policy and practices if it hasn’t already done so. After answering the necessary P3P privacy questions, an organization can then proceed to develop its policy. A number of sources provide free policy editors and assistance in writing privacy policies.[4]
P3P also supports user agents that allow a user to configure a P3P-enabled Web browser with the user’s privacy preferences. Then, when the user attempts to access a website, the user agent compares the user’s stated preferences with the privacy policy in machine-readable form at the website. Access will be granted if the preferences match the policy. Otherwise, either access to the website will be blocked or a pop-up window will appear notifying the user that he or she must change the privacy preferences. Microsoft’s Internet Explorer 6 (IE6) and above Web browser supports P3P and can be used to generate and display a report describing a particular website’s P3P-implemented privacy policy.
Another P3P implementation is provided by AT&T’s Privacy Bird software, a browser add-on that inserts an icon of a bird in the top-right corner of a user’s Web browser. The AT&T software reads the XML privacy policy statements from a website, causing the bird to chirp and change color if the user’s listed privacy preference settings are satisfied by the website’s P3P policy statements. Clicking on the bird provides more detailed information concerning mismatches between the website’s policy practices and the user’s provided preferences.
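As an added illustration (not code from this book or from the W3C or AT&T), the following Python script shows the policy-versus-preferences comparison described above: a constructed P3P policy written in the W3C XML vocabulary (ENTITY, ACCESS, STATEMENT with PURPOSE, RECIPIENT, RETENTION and DATA) is parsed and checked against a constructed set of user preferences, the way a user agent such as Privacy Bird decides whether to signal a mismatch. The site name, the policy contents, the preference sets and the function names are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample policy (no real site's), in the P3P 1.0 vocabulary: ENTITY names
# the legal entity, ACCESS what the user may see, each STATEMENT its own disclosures.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="storefront" discuri="http://example.invalid/privacy.html">
    <ENTITY><DATA-GROUP>
      <DATA ref="#business.name">Example Store (constructed)</DATA>
    </DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><tailoring/><contact/></PURPOSE>
      <RECIPIENT><other-recipient/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# Constructed user preferences: refuse data going to parties other than the site
# itself, data kept indefinitely, or data used for telemarketing.
USER_PREFS = {
    "forbidden_recipients": {"other-recipient", "unrelated", "public"},
    "forbidden_retention": {"indefinitely"},
    "forbidden_purposes": {"telemarketing"},
}

def local(el):  # strip the namespace from a tag: '{...}PURPOSE' -> 'PURPOSE'
    return el.tag.rsplit("}", 1)[-1]

def parse_policy(xml_text):
    """Extract the entity, access level and each STATEMENT's disclosures."""
    ns = {"p": P3P_NS}
    policy = ET.fromstring(xml_text).find("p:POLICY", ns)
    statements = []
    for st in policy.findall("p:STATEMENT", ns):
        statements.append({
            "purposes": {local(e) for e in st.find("p:PURPOSE", ns)},
            "recipients": {local(e) for e in st.find("p:RECIPIENT", ns)},
            "retention": {local(e) for e in st.find("p:RETENTION", ns)},
            "data": [d.get("ref") for d in st.findall("p:DATA-GROUP/p:DATA", ns)],
        })
    return {
        "entity": policy.findtext("p:ENTITY/p:DATA-GROUP/p:DATA", "", ns),
        "access": [local(e) for e in policy.find("p:ACCESS", ns)],
        "statements": statements,
    }

def evaluate(xml_text, prefs):
    """Mimic the user agent's check: ('allow', []) or ('warn', [mismatch, ...])."""
    mismatches = []
    for i, st in enumerate(parse_policy(xml_text)["statements"], 1):
        data = ", ".join(st["data"])
        for key in ("recipients", "retention", "purposes"):
            for bad in sorted(st[key] & prefs["forbidden_" + key]):
                mismatches.append(f"statement {i} ({data}): {key.rstrip('s')} '{bad}' not allowed")
    return ("allow" if not mismatches else "warn"), mismatches
```

Running `evaluate(SAMPLE_POLICY, USER_PREFS)` returns "warn" with two mismatches, both on the clickstream statement (shared with an outside recipient and retained indefinitely); the e-mail statement passes.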
PATRIOT Act
The 2001 USA Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act permits the following:
Subpoena of electronic records
Monitoring of Internet communications
Search and seizure of information on live systems (including routers and servers), backups, and archives
This act gives the U.S. government powers to subpoena electronic records and monitor Internet traffic. In monitoring information, the government can require the assistance of ISPs and network operators. This monitoring can extend even into individual organizations. In the PATRIOT Act, Congress permits investigators to gather information about e-mail without having to show probable cause that the person to be monitored has committed a crime or was intending to commit a crime. Routers, servers, backups, and so on now fall under existing search and seizure laws.
A new twist to the PATRIOT Act is delayed notification of a search warrant. Under the PATRIOT Act, if it is suspected that notification of a search warrant would cause a suspect to flee, a search can be conducted before notification of a search warrant is given.
Federal Information Security Management Act (FISMA)
In order to increase the security of federal information systems, the Federal Information Security Management Act (FISMA), which is Title III of the E-Government Act of December 2002 (Public Law 107-347), was passed. FISMA was enacted to:
1. Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.
2. Recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities.
3. Provide for development and maintenance of minimum controls required to protect Federal information and information systems.