- Home
- Knox Law Institute
- Publications
- Data Security In the Cloud
Data Security In the Cloud
Author: Mark A. Denlinger
Originally published in October 2018
Copyright © 2018 Knox McLaughlin Gornall & Sennett, P.C.
This article has not been updated for current law since the date of its posting on the website. This article is not intended to provide any legal advice. Please seek advice of your professional council.
Any U.S. federal and state tax advice contained in this communication is not intended or written by the Knox Law Firm to be used, and cannot be used by you, for the purpose of: (i) avoiding penalties under the Internal Revenue Code that may be imposed upon you, or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein.
Brief Overview of Cloud Computing
Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications and services) that can be rapidly released with minimal management effort or service provider interaction – primarily composed of 5 essential characteristics, 3 service models, and 4 deployment methods.
5 Essential Characteristics: (i) on-demand self-service; (ii) broad network access; (iii) resource pooling; (iv) rapid elasticity; and (v) measured service
3 Service Models: (i) Software as a Service (“SaaS”); (ii) Platform as a Service (“PaaS”); and (iii) Infrastructure as a Service (“IaaS”)
4 Deployment Methods: (i) Private Cloud; (ii) Community Cloud; (iii) Public Cloud; and (iv) Hybrid Cloud
Cloud Customers Make “Informed” Tradeoffs
Cloud computing transforms the way organizations use, store, and share data, applications, and workloads. Cloud customers must consider and take into account the following:
- Critical nature of the software, data and services in question
- Unique issues associated with cloud computing
- Public, private or hybrid models
- Availability and pricing of various alternatives
Requiring robust contractual protections may increase the price point and eliminate certain providers altogether.
Issues of Privacy and Security
Key Privacy and Security Issues to Consider or Address If Moving to the “Cloud”
- Data location issues – where is the data “stored” or kept?
- Locations of users accessing the data
- Movement and storage of the data, and possible data transfer issues
- Cloud provider’s use of subcontractors
- Lack of transparency and control
- Data breach issues and data destruction issues
- Ability to impose security and privacy requirements/limitations
Data Control Issue #1: Access & E-Discovery
- Issues with Accessing your Data: (i) on vendor computers; and/or (ii) moving it to customer computers
- E-Discovery Requirements: (i) making sure the vendor does not get you in trouble by deleting relevant data; and (ii) making sure your opponent in litigation cannot subpoena the vendor
Data Control Issue #2: Restrictions on Use
- Data used to serve the cloud customer
- Data used by the cloud vendor: (i) vendor analysis and reporting; and (ii) improvement of products and services
- Data used for privacy law compliance purposes
- Restrictions on marketing with the data
- Restrictions on locations of data
- Restrictions on devices that can use or process the data
- Compliance with a customer’s privacy policy
- Restrictions or limitation on the aggregation of data: De-identified data: all PII removed; or Truly anonymized: PII removed and no key/code available to recreate it.
Contractual Management of Cloud Providers
Pre-Selection of Cloud Providers:
- Investigate potential providers risk tolerance and control environment
- Evaluate and consider: Risk management and oversight; Preventative, detective and corrective controls; and Use of vendors and subcontractors
Build protections into contract with cloud provider
- Representations and warranties regarding scope of cyber security program
- Obligation to disclose cyber security events
- Right to review cyber security policies and procedures
- Require specific vendor and subcontractor standards
- Restrict where data can be stored/located/transferred
- Requirements to return or destroy data
Assess the risk of using a cloud provider
- Regular review of data protection and cyber security policies and procedures
- Provider’s maintenance of cyber security insurance
- Analyze and investigate provider’s processes and systems for dealing with security threats and protection of PII
- Inquiry as to any past data breaches and security threats
Director and Officer Actions
- Corporate board has fiduciary duty to protect corporate assets, including categories of data
- Need to be proactive in protection of data and prevention of breaches
- Maintain a Chief Information Security Officer
- Establish a cyber security subcommittee
- Have an incident response system in place
- Directors and officers should be aware of organization’s cloud computing providers and the contracts governing those relationships
Top 12 Current Cloud Security Threats in 2018
- Data breaches – targeted attack, human error, application vulnerabilities, or poor security practices
- Insufficient identity, credential and access management – bad actors masquerading as legitimate users, operators or developers
- Insecure interfaces and application programming interfaces – accidental or malicious attempts to circumvent software user interfaces that manage and interact with cloud services
- System vulnerabilities – exploitable bugs in programs that attackers can use to infiltrate a system
- Account hijacking – gaining access to a user’s credentials and thus allowing the manipulation of data, provision of falsified information, monitoring of transactions, and redirection to illegitimate sites
- Malicious insiders – not only can access potentially sensitive information, but can grant himself or herself greater, expanded access to more critical systems and data
- Advanced persistent threats – form of cyber-attack that infiltrates systems to establish a foothold in the IT infrastructure of a company, enabling attackers to steal data
- Data loss – accidental deletions or physical catastrophes can lead to permanent loss of data unless proper steps taken
- Insufficient due diligence – organizations rushing to adopt cloud technologies and thus choose inadequate providers
- Abuse and nefarious use of cloud services - poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks
- Denial of services - designed to prevent users of a service from being able to access their data or applications
- Shared technology vulnerabilities - underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications, which can lead to shared technology vulnerabilities that can be exploited.
Author: Mark A. Denlinger
Originally published in October 2018
Copyright © 2018 Knox McLaughlin Gornall & Sennett, P.C.