THE LONG WHITE CLOUD
Addressing Privacy, Residency and Security in the Cloud for New Zealand Organisations
February 2011
By Doug Newdick
With John Baddiley, Anita Easton, Boris Guskee
TABLE OF CONTENTS
DISCLOSURES ... 3
EXECUTIVE SUMMARY ... 4
INTRODUCTION ... 5
SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS ... 6
   The Privacy Act ... 6
   Tax Administration Act ... 7
   Payment Card Industry - Data Security Standard (PCI-DSS) ... 7
   Reserve Bank of New Zealand Act ... 8
   Public Records Act ... 8
   Official Information Act and the Local Government Official Information and Meetings Act ... 8
   Security in the Government Sector (SIGS) ... 8
   SSC Advice ... 9
DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS ... 11
OTHER CLOUD OPTIONS ... 14
   Public Cloud with New Zealand Hosting ... 14
   Community Cloud in New Zealand ... 14
   Encryption within the Cloud ... 14
   Tokens ... 14
   Local Agents, Cloud Management ... 15
MANAGING CLOUD PRIVACY, RESIDENCY AND SECURITY RISKS ... 16
   A Cloud-Aware Evaluation Process ... 16
   Practices for Reducing Implementation Risks ... 20
IN CONCLUSION ... 21
ENDNOTES ... 22
DISCLOSURES
Davanti Consulting was established in 2007 as the independent business consulting arm of
Gen-i New Zealand. Our consultants bring with them a wealth of experience from a variety of
fields and pride themselves on their pragmatic approach to delivering tangible business value.
In the interests of acting with openness and integrity we want to inform you of any
relationships that are relevant to this white paper:
• Davanti Consulting is salesforce.com’s preferred partner in New Zealand;
• Gen-i New Zealand provides cloud solutions ranging from infrastructure and security
to applications.
For more information visit our website at:
www.davanti.co.nz
EXECUTIVE SUMMARY
Cloud computing can bring significant benefits to New Zealand organisations, but adoption is
being hindered by concerns about privacy, residency and security risks. However, the cloud is
here and is here to stay. We need to incorporate the cloud in the way we identify, assess, and
select solutions. Our recommendation is to use a process for this evaluation that avoids both
the hype and the unjustified fears around cloud computing and instead focuses on a sober
examination of the compliance obligations in New Zealand and risks to the business weighed
against the potential gains in efficiency and competitive advantage that the cloud can
deliver. There are specific laws and regulations that impact New Zealand organisations’ use
of cloud computing but these impacts are often not the insurmountable barriers they are
made out to be. It is true, however, that the distinctive features of cloud computing give rise
to special risks as well as rewards. In particular the fact that there are no current
internationally recognised standards for cloud computing security means that individual
organisations must do much of the work of managing these risks themselves.
INTRODUCTION
The advent of cloud computing has been one of the most influential trends impacting on
businesses and their IT organisations in the last few years. There will not be many CIOs who
are not thinking about using the cloud and some already are. Davanti is however seeing some
reticence largely based on concerns about information and data: Who can access it? What will
happen to it? What rules apply to it? How secure is it? Can we control it? Conversely we
sometimes see clients who do not understand that there are valid concerns about these issues
with respect to cloud computing services and therefore are potentially opening themselves up
to risk.
This paper aims to explore what the real issues, risks and constraints are for New Zealand
organisations that are thinking about cloud computing and how to address them.
Firstly, we examine the directives, standards and legislative controls that actually do
constrain New Zealand organisations. Secondly, we place cloud computing in the context of
traditional modes of delivering and sourcing computing resources and examine those privacy,
residency and security risks that are distinctive to cloud computing. Lastly, we look at the
various solutions and practices that New Zealand organisations could and should adopt to
address these constraints and risks to allow them to take full advantage of the significant
benefits that cloud computing can deliver.
New Zealand organisations ignore the privacy, residency and security concerns of the cloud at
their peril. There are real and significant risks in using the cloud, and not managing these
risks can expose an organisation to loss of reputation, trust or even loss of business critical
data. Much of the current reluctance to adopt cloud computing, however, is based on fear,
uncertainty and doubt rather than on a calculated assessment of real risks. In order to best
utilise cloud computing to obtain competitive advantage and operational efficiencies you
need to transform the discussion from one based on rumour and conjecture, to one based on
evidence.
SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS
Few standards or pieces of legislation have the foresight to consider the issues of cloud
computing directly. However we can apply the broader principles and advice around
traditional security risk management to the issues of cloud computing. In particular, advice
that is valid for outsourcing often applies to cloud computing as well. There is a range of
legislation and other standards that apply to New Zealand organisations and that have (or are
thought to have) an impact on cloud computing. This section discusses their applicability to
cloud computing. Figure 1 outlines which of these standards and legislation apply to different
organisation types in New Zealand.
Figure 1 Standards and Legislation versus Organisation Types
The Privacy Act
The Privacy Act 1993 governs all organisations in New Zealand. It has associated codes that
provide more specific guidance and controls for particular industries – e.g.
telecommunications and health. The Privacy Act applies to personal information – that is
information about individual people. If you gather personal information in New Zealand then
your organisation is bound by the principles of the act regardless of how or where that
information is managed. The principles contained within the Privacy Act concern good
practices for managing personal information, such as: only using information for the purpose
it was collected, and giving people the chance to correct any information about them that is
incorrect.1 If you are not going to put information about individuals into the cloud, then the
Privacy Act will not impact your use of cloud services.
Our take: In the main the principles of the Act are no harder to meet when your applications
are hosted within the cloud than when they are on premise. The exception is Principle 5
(storage and security of personal information) which requires that reasonable security
safeguards are taken against loss, misuse, or unauthorised access, use, disclosure or
modification, and that if information is disclosed to another party (e.g. a cloud provider or
their staff) everything reasonable is done to prevent unauthorised use or disclosure.2 Within
the context of cloud computing this means that a customer should ensure that the security
processes and procedures of their vendor are adequate if personal information about New
Zealand citizens is to be held in the cloud. The matter is complicated if the cloud services are
physically located in countries that do not provide the same level of protection for privacy as
New Zealand does.
The Office of the Privacy Commissioner has issued a poster level summary (called PADLOCK)
of how to meet the requirements of the Privacy Act.3 We suggest that this is consulted
whenever solutions are developed that use or store personal information, whether cloud-
based or not.
Tax Administration Act
In December 2010, the Inland Revenue Department (IRD) issued a revenue alert on the use of
cloud computing for financial record keeping. In summary, the alert states that it is the IRD’s
position that the use of off-shore cloud computing services to hold primary financial records is
a violation of the Tax Administration Act 1994. Violations of this act may be punished by
convictions and fines.4
Our take: The revenue alert is not the final opinion of the IRD on the use of cloud computing.
The communications between IRD and the software development community who create
cloud computing platforms suggest that either an exemption may be granted for individual
businesses who apply for one, or that a wholesale exemption may be applied to all users of
any “approved” financial cloud computing product. Given the popularity of cloud finance
applications, there is also a reasonable chance of a change in the legislation. If your
organisation is thinking of using such an application, we suggest talking to the IRD about the
matter before pursuing it in depth.
Payment Card Industry - Data Security Standard (PCI-DSS)
PCI-DSS is a standard regulating the processing of credit card information and transactions for
merchants (the people accepting credit card payments), issuers (the organisations that issue
credit cards) and acquirers (the organisations that mediate between merchants and issuers).
PCI-DSS is enforced by the leading credit card companies (Visa, Mastercard etc.)
internationally and is not specific to New Zealand.
In New Zealand, banks are the main issuers and acquirers for credit cards. As credit card
systems are regarded as “core”, and the RBNZ requirements are more stringent with respect
to the cloud than PCI-DSS, the following discussion only applies to merchants and small banks.
The PCI-DSS standards apply if you are storing or using credit card data in your IT systems.
They document the security controls on networks, information, IT systems, people and
processes that a company must follow if it stores, uses or processes credit card data. When
looking at the use of cloud computing for PCI components the following considerations are
relevant:
• The provisions of PCI-DSS about outsourcing apply: if you are assessed for compliance
you must show which requirements apply to you and which to the third-party
outsourcer. Either the third party must have undergone their own assessment, or they
must be assessed as part of your organisation’s assessment.
• If you are not using a cloud provider that is assessed itself, then extensive
information about the cloud provider’s implementation is required as part of any
assessment.
Our take: Overall PCI-DSS standards are onerous enough when just applying to a company’s
internal computing environment. We recommend not storing credit card information in the
cloud unless it is with a PCI-DSS compliant provider (e.g. a credit card payment processing
vendor).
Reserve Bank of New Zealand Act
Within New Zealand, “large banks” (defined as those whose New Zealand liabilities, net of
amounts due to related parties, exceed $10 billion) are normally subject to a condition of
registration relating to outsourcing arrangements. Controlled by the Reserve Bank of New
Zealand (RBNZ), these conditions define the components of bank processing that each bank
can outsource to 3rd parties. The RBNZ is primarily interested in the ability of a large bank to
continue operating in the event of a failure (either system or business) of any outsourced
party that the bank might be using.5 In general the RBNZ tolerance for outsourcing diminishes
as the function being outsourced becomes more material to the ongoing operation of the
bank. Systems which provide account holdings or inter-bank settlement are less likely to be
tolerated as targets for outsourcing by the RBNZ.
Our take: Cloud-provided systems are a form of outsourced function, and as such fall within
the remit of the RBNZ outsourcing policy. This means that core systems are generally not
considered appropriate for delivery through the cloud, as the failure of the cloud platform
could materially impact the bank’s ability to meet its obligations. Systems which are widely
used by customers may be placed in the cloud, but would attract intense scrutiny around the
controls available to the bank in the event of a failure in the cloud platform.
For those financial institutions that do not fall under the definition of “large banks” the RBNZ
controls do not apply. Smaller banks, however, should be aware of the requirements for large
banks, and take them into consideration when investigating the use of cloud services as the
Reserve Bank expects all banks to properly manage risks from outsourcing.
Public Records Act
The Public Records Act (PRA) covers all crown entities (not just government departments) and
local government bodies. It applies to all public records, that is, all information created,
received or maintained by any of those crown entities, and all local government records which
are on the “protected list”.
Our take: Similarly to the OIA, this act does not pose any greater constraints on a cloud
computing solution over any other solution. The one key provision to consider is that
electronic records may only be destroyed as specified by a Disposal Authority (which is an
approved official document that specifies the timeframes and conditions under which public
records may be destroyed). Thus the cloud solution must include the ability to store records
for as long as required by the Disposal Authority, as well as the ability to transfer them to
longer term storage if that is also required.
Official Information Act and the Local Government Official Information and Meetings Act
The Official Information Act applies to all government agencies including universities,
hospitals and SOEs while the Local Government Official Information and Meetings Act
(LGOIMA) applies to local government bodies.
Our take: The OIA and LGOIMA have little impact on the use of cloud computing except
insofar as information handled or stored in the cloud should be able to be retrieved as part of
an OIA or LGOIMA request – as is the case for any on-premise information system covered by
these acts.
Security in the Government Sector (SIGS)
Security in the Government Sector (SIGS) is a set of policies and guidelines governing
information security published by the Department of the Prime Minister and Cabinet.
Following it is mandatory for government agencies (government departments, and agencies
such as the police and NZ Defence Force) and suggested for crown entities and State Owned
Enterprises.
A primary concern of SIGS is the placing of government information into one of several
information classifications. Information is either unclassified (available to anyone who wants
it) or classified (available only to those who need to know and have the requisite level of
security clearance). Classified information is further divided into categories ranging from: “IN
CONFIDENCE” (the lowest level) through to “TOP SECRET”. Information should be labelled “IN
CONFIDENCE” if its compromise “would be likely to prejudice the maintenance of law and
order, impede the effective conduct of government in New Zealand or affect adversely the
privacy of its citizens.”6 Levels above IN CONFIDENCE contain information which if
compromised could damage the national interests of New Zealand to differing degrees.
The policies and guidelines in SIGS fall into two camps: good practices that should be applied
to all information and information systems; and, specific policies and guidelines around the
handling of different levels of classified information. Each of the classifications has a set of
distinct controls that must be applied to information of that kind, becoming more and more
secure – and therefore increasingly onerous – as you move up the scale.
Our take: Due to the specific and onerous nature of the requirements around information
with a classification of “SENSITIVE” or above (e.g. all staff involved in storing or handling the
data require NZ Government security clearances) we see it as unsuitable for processing in a
public cloud. This still leaves, however, a wide range of government information (i.e.
unclassified and IN CONFIDENCE) and functions that may be suitable for cloud computing.
While SIGS has no specific mention of cloud computing, it does have general information
security considerations which are applicable to a cloud computing solution, as well as some
mentions of outsourcing which are also relevant. The following issues should be assessed:
• If the cloud provider staff can access classified information, a risk assessment must be
undertaken to see what controls need to be put in place;
• The contract with the cloud provider should address methods for meeting security
requirements;
• The procedures for sanitisation of storage media for classified data should be
examined to see if they meet SIGS requirements;
• The formal procedures for access control should be examined to see if they meet SIGS
requirements;
• Should additional controls and processes on communications be required due to
information being sent from an agency to another party (especially if they are
overseas)?
As long as these considerations are properly examined and weighed then SIGS does not
preclude the use of cloud computing.
SSC Advice
The State Services Commission (SSC) published a paper for the public sector on the use of
offshore ICT providers in its advisory capacity.7 The purpose of the paper was to take existing
frameworks such as SIGS and existing SSC guidelines and policies and apply them specifically
to the cases of cloud computing and off-shoring. While the paper was publicly criticised for its
negativity towards off-shoring, it actually does not suggest that off-shoring ICT services
should be banned in any way. Its overly cautious tone is rooted in the paper’s sole focus on
the risk side, ignoring any benefits.
The core recommendation of the SSC is that government agencies should assess the risk of an
offshore initiative prior to any commitment, and it elaborates on the risks that come with
offshore approaches. Agencies should recognise that some of these risks may be show stoppers;
these include:
• Integrity and reliability of the legal system in the target jurisdiction;
• Legislation that allows foreign governments to silently access data that is within their
borders;
• Some information should never go offshore e.g. information vital to national security.
New Zealand government agencies should use the risks outlined in this advice to perform their
own risk assessment – checking the types of risks mentioned against their likelihood and
potential impact for the solution that they are considering. The true offshore risks are all
about hosting in a foreign jurisdiction:
• What are the privacy laws in that jurisdiction?
• What is the contract law in that jurisdiction?
• What are the risks of espionage in that jurisdiction?
Agencies are asked to seek advice if any of this is new to them.
The risks relating to the foreign jurisdiction prompt an important insight: for government data
especially, we actually do have to care about the country where our data will reside. “The
cloud” is not a specific enough address from a legal viewpoint: “hosted in the EU” vs. “hosted
in Somalia” actually makes a difference! A logical first step is to get familiar with privacy and
security in the likely target jurisdictions – foremost the US, but also the EU and Australia.
Our take: We recommend that any government agencies looking to use cloud computing
should follow this advice by performing the following steps:
• Check for show-stopping risks;
• Undertake a risk assessment using the framework of the SSC advice – qualifying the
risks by their probability and the sensitivity and the criticality of the task or
information;
• Compare the cloud option risk assessment to the risk profile of your current
equivalent computing platform and other reasonable alternatives.
DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS
The risks discussed below should not be seen as reasons not to engage with cloud computing,
but instead should be viewed in terms of providing a realistic assessment of:
• Whether they apply to your solution;
• What the likelihood of them occurring is;
• How you can mitigate them;
• How they weigh up against the benefits likely to be realised by using cloud services.
In all cases a realistic assessment of the risks of a cloud computing solution should be
compared with the very real privacy and security risks of traditional on-premise solutions that
are often down-played or ignored. Many of the same security risks as traditional on-premise
or outsourced computing resource models apply to cloud computing solutions, but the lack of
visibility and control adds a degree of uneasiness on the part of customers. One oft-repeated
claim is that cloud computing has significant and special challenges for security as it is not
under the control of the organisation. This claim usually inflates the extent to which internal
control equals good security practice. The reality in many organisations is that much
internally controlled data is not well secured. While this in itself does not justify cloud
computing we should be aware that the equation is not as straightforwardly in favour of
internally hosted solutions as many people assume.
In addition, there is a perception that “the cloud” in general is beset with security risks. But
the reality is that different vendors and different offerings have quite different security,
privacy and risk profiles as well as benefits. There is no one answer: each solution needs to
be assessed on its individual merits, and each cloud provider needs to be assessed on their
individual merits. There are, however, a number of risk factors that are applicable to all
cloud solutions and which will therefore need to be addressed by all solutions.
What risks are specific to – or different in – cloud computing? If we look at the distinctive and
typical features of cloud computing we can identify the accompanying risks. Common
characteristics of cloud computing platforms are:
• Scalability – automatic deployment of increased or decreased resources as needs
change;
• Multi-tenancy – hosting of multiple, different customers on the same underlying
infrastructure;
• Virtualisation - logically separate instances of platforms or applications running on
the same physical hardware;
• Outsourced – managed and delivered by an external third party;
• Off-shored – the platform resides in a different jurisdiction;
• Internet access – platforms are accessed by users or systems over the public internet;
• Payment mode – computing resources are financed by a pay as you go model.
These distinctive features of cloud computing give rise to the following specific risks inherent
in many cloud computing solutions.
• Multi-tenancy and virtualisation cause a risk of unauthorised access. Scalability is
often achieved through multi-tenancy and virtualisation which have spawned some
security worries. While it is theoretically possible for another user of a multi-tenancy
architecture to access your information if the underlying platform exposes a
vulnerability, the real chance of this occurring (and more specifically, happening to
you) if you are with a cloud provider who takes measures to ensure that data is
segregated effectively is so low compared to other security risks that it is negligible.
If this is a concern for your organisation check the measures that your cloud provider
takes and their effectiveness.
• Outsourcing hands control of your data to another organisation. Just like other
outsourcing arrangements, cloud computing by definition gives access to your
organisation’s information to people, processes and technologies of another
organisation (or multiple organisations if they have outsourcing deals themselves).
The difference is that this risk is more clearly understood in the case of traditional
outsourcing, whereas it may be less visible and therefore overlooked in the case of
cloud computing. The ease with which cloud services can be purchased and
implemented elevates risks – compared to traditional outsourcing – which centre on
what happens to your information if and when you end your use of a cloud computing
platform. You need to be able to retrieve the valuable data that is kept in the cloud,
and you will need assurance that any private, confidential or sensitive data is
securely removed or disposed of from the cloud provider’s equipment (including from
back-ups and redundant systems). For particularly sensitive or critical data, whatever
procedure is put in place must work even if the provider suddenly becomes bankrupt.
In addition, many Software-as-a-Service providers use Infrastructure-as-a-Service
providers themselves, further increasing the complexity of your information security
environment.
• Off-shoring adds the complexity of foreign jurisdictions. Most cloud providers will
not have their physical facilities in New Zealand; therefore the same risks exist as for
traditional off-shoring. Specifically the different security and privacy laws of the
hosting jurisdiction may negatively impact on the privacy and security of your
information. Different privacy laws may mean that your data may be used for other
purposes by your cloud provider, for instance some companies mine their customers’
data for their own benefit. Different security laws or practices may mean that
another country’s security or policing agencies may be able to view data that you
have at the provider’s premises. This is explicitly allowed by the U.S. Patriot Act
(albeit with a warrant and probable cause; other jurisdictions are not so delicate).
• On-demand access can become uncontrolled access. Platforms that are accessed
over the internet and are outside your organisation’s traditional (on-premise)
infrastructure are subject to risks around access management. With an on-premise
system the mere fact that the user has to physically access a system from within the
organisation mitigates some of the risks of poor access controls. With cloud
based systems the risk may be greatly increased. Organisations may struggle to
effectively synchronise granting and revoking user access, leading to staff being
unable to access the services they need, or, even worse, allowing people to access
information and functions that should not be available to them (e.g. not revoking
access to a CRM when staff leave your organisation).
• Internet traffic is at risk from interception. Another risk inherent in the cloud model
of service delivery or access over the internet is the possibility of your data being
intercepted as it travels between your organisation and the cloud provider. However
with most cloud providers this can easily be mitigated with secure authentication and
encryption of network traffic. As most ‘internal’ VPNs rely on the same
authentication and encryption protocols and are actually implemented as tenants on
the internet’s network infrastructure the risk often comes down to perception rather
than actual exposure.
• Internet services may suffer disruption. Your organisation’s access to internet
provided services may be at risk of disruption from: denial of service (DoS) attacks on
the provider; a loss of internet access by you or your cloud provider; or, government
intervention as seen recently in Egypt.
• Ease of implementation can lead to data exposure. The ease of installation,
implementation and release inherent in a scalable, pay as you go model with
platforms living in the cloud (not to mention the lack of financial barriers) can bring
with it a little-recognised risk: making it too easy for staff to launch services or
applications into the wider world. If business units can purchase and deploy
technology services just by using a corporate credit card, they can easily (and
probably unintentionally) bypass an organisation’s security risk assessment process.
While this era of the ‘empowered user’ has brought many benefits, it may not treat
customer and corporate data with the right level of security and sensitivity.
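One concrete control for the access-management risk above (leavers keeping their CRM access, accounts nobody owns) is a periodic joiner/leaver reconciliation between the HR system and each cloud service. The script below is an added example written for this page, not code from Davanti or from any cloud provider; the record layouts, the sample roster, the e-mail addresses and the 90-day dormancy threshold are all constructed assumptions. It classifies every active cloud account into the three buckets a reviewer would want to see: leavers whose access was never revoked, accounts the HR roster does not know about, and dormant accounts of current staff.

```python
"""Joiner/leaver reconciliation for a cloud (SaaS) service.

Added example; the record layouts, e-mail addresses and the 90-day dormancy
threshold are constructed assumptions, not anything from the paper.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 90  # assumption: flag accounts with no login in this many days


@dataclass(frozen=True)
class HrRecord:
    """One row of an HR roster export (constructed layout)."""
    email: str
    end_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class CloudUser:
    """One user as reported by the cloud service's admin API (constructed layout)."""
    email: str
    active: bool
    last_login: Optional[date]  # None means the account has never logged in


def reconcile(hr: List[HrRecord], cloud: List[CloudUser], today: date) -> Dict[str, List[str]]:
    """Compare the cloud user list against HR and classify every active account.

    revoke  - HR says the person has left, but the cloud account is still active
    orphan  - active cloud account with no matching HR record (shared/service/ex-contractor)
    dormant - employed, but the account has not been used within DORMANT_DAYS
    """
    hr_by_email = {r.email.lower(): r for r in hr}  # e-mail case often differs between systems
    findings: Dict[str, List[str]] = {"revoke": [], "orphan": [], "dormant": []}
    for user in cloud:
        if not user.active:
            continue  # already disabled; nothing to do
        key = user.email.lower()
        record = hr_by_email.get(key)
        if record is None:
            findings["orphan"].append(key)
        elif record.end_date is not None and record.end_date <= today:
            findings["revoke"].append(key)
        elif user.last_login is None or (today - user.last_login).days > DORMANT_DAYS:
            findings["dormant"].append(key)
    for bucket in findings.values():
        bucket.sort()
    return findings


def sample_report() -> Dict[str, List[str]]:
    """Run the reconciliation over a small constructed data set."""
    today = date(2011, 2, 28)
    hr = [
        HrRecord("alice@example.co.nz", None),
        HrRecord("bob@example.co.nz", date(2011, 1, 31)),    # left last month
        HrRecord("carol@example.co.nz", None),
        HrRecord("dave@example.co.nz", date(2011, 3, 15)),   # leaving, but not yet
    ]
    cloud = [
        CloudUser("Alice@Example.co.nz", True, date(2011, 2, 25)),   # case differs from HR
        CloudUser("bob@example.co.nz", True, date(2011, 2, 20)),     # used after leaving
        CloudUser("carol@example.co.nz", True, date(2010, 10, 1)),   # 150 days idle
        CloudUser("dave@example.co.nz", True, date(2011, 2, 27)),
        CloudUser("erin@example.co.nz", True, None),                 # unknown to HR
        CloudUser("frank@example.co.nz", False, date(2010, 6, 1)),   # already disabled
    ]
    return reconcile(hr, cloud, today)


if __name__ == "__main__":
    for bucket, emails in sample_report().items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

In practice the two lists come from an HR export and the service's user-administration API, and the run is scheduled (daily or weekly) with the "revoke" bucket treated as an incident rather than a report line; the orphan bucket is where shared and contractor accounts that never went through the organisation's assessment process tend to surface.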
What is often overlooked is that cloud computing has the potential to improve the privacy and
security of your data. The financial argument for cloud computing is that it provides
efficiency and cost savings through scale – these same factors also apply to security: cloud
providers, because of their scale, can have access to large dedicated teams of security
specialists with the latest technology. Can any New Zealand organisation compete with the
size and technical expertise of Google or Amazon’s security teams? Some cloud providers may
be able to provide better security than your own organisation, decreasing your security risk.
In addition, some cloud offerings may by their very nature improve security, for instance
by allowing users to store or transfer information with a secure cloud provider you have
assessed, as opposed to storing or transferring it on insecure devices or media.
OTHER CLOUD OPTIONS
There are a range of different flavours of cloud computing solutions which impact differently
on privacy, residency and security concerns. Standard public cloud services provide the
greatest choice and the greatest functionality at the lowest potential price. As discussed
above, however, there may be situations where the risks of using a standard public cloud
solution outweigh the benefits. In such cases, before ruling out cloud offerings entirely, other
more specialised cloud offerings should be considered to see if they address the risks while
still allowing the organisation to realise some of the cloud’s benefits.
Public Cloud with New Zealand Hosting
For information that should not leave New Zealand the next best option is using a public
cloud provider that can ensure New Zealand hosting. This option combines the ease of the
public cloud with the assurance of being covered by New Zealand laws and controls.
Unfortunately, most international cloud providers will be unwilling to set up a New Zealand
hosting environment unless they see a significant commitment, and those that do are likely to
pass the additional cost on to their users. Being restricted to New Zealand hosted cloud
services drastically reduces the range of cloud services available, and the benefits and cost
efficiencies that could be gained, but it is an option that should be seriously considered. In
particular, a range of New Zealand based Infrastructure-as-a-Service offerings are available.
Check that the hosting commitment covers backups, replicas and support access as well as
primary storage: a New Zealand data centre that replicates offshore or is administered from
offshore does not deliver the residency assurance being sought.
Community Cloud in New Zealand
A community cloud is a cloud service that is only available to a restricted set of customers.
Google’s government cloud, for instance, can only be used by United States federal government
agencies; Google uses separate physical servers and separate staff to meet the requirements of
the U.S. Government. This approach requires a group of cloud customers in New Zealand (a sector
or nationwide) and cloud providers who are willing to support cloud operations in New Zealand
for that restricted set of customers.
This option would allow the customers to meet almost all privacy, residency and security
concerns, but would entail higher cost and commitment from the customer community and
the cloud provider while delivering a restricted set of cloud services. In addition there are
also likely to be complex governance issues around the management of a community cloud:
Who ensures that the cloud meets and continues to meet all of the requirements of each
member of the community?
Encryption within the Cloud
Encrypting the data held in the cloud is an option that can be combined with others, such as
the public cloud or community cloud. For instance, files could be encrypted before being placed
in a cloud storage service, or data could be encrypted within a Platform-as-a-Service database.
This may mitigate some security risks, but at this point in time it is not supported by all
cloud providers or by many Software-as-a-Service applications. How much it mitigates depends on
who holds the keys: if the provider generates and stores the encryption keys, the provider (and
anyone who can compel it) can still read the data, so the residency and privacy benefit comes
only when the keys are generated and kept by your organisation. Encryption also limits what the
provider can do with the data, since an encrypted field cannot be searched, sorted or processed
in the cloud without the key.
Tokens
In this solution, identifying or sensitive data (e.g. names or identifying numbers) is replaced
with meaningless tokens as the information is passed to the cloud. Which token replaces
which datum is recorded, and when the information is pulled back out of the cloud the
meaningless token is replaced with the original piece of data before being displayed or
consumed. For example “Account 12345678, balance $20” becomes “Account kzkxdf56,
balance $20” on being sent to the cloud. Additional charges are added by the cloud
application, and “Account kzkxdf56, balance $40” is returned. The token is replaced with the
real account number, and “Account 12345678, balance $40” is displayed to a staff member.
The result is that the information in the cloud can no longer be related to individuals and
does not contain the sensitive data. This has the advantage of allowing you to use most cloud
offerings while removing many of the privacy issues (by transforming the information into a
state where it is no longer sensitive or identifiable) as well as some of the security and
residency issues. Depending on the kind of functionality desired and the type of information
used, this type of solution can be very effective. Each piece of information that is “swapped
out”, however, reduces the amount of functionality from the cloud provider that can be used.
For example, if you swap the customer name for a token, then the cloud service cannot match
records based on name (unless the same name always receives the same token, which preserves
exact matching but lets the provider see how often each value recurs). It also introduces an
additional layer of complexity to the overall solution by adding more components and
interfaces, and the token mapping itself becomes highly sensitive: whoever holds it can
re-identify everything in the cloud, so it needs the same protection as the original data.
Tokenising the obvious identifiers is also not enough on its own; the remaining fields
(address, date of birth, transaction details) may still identify a person in combination.
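As an added illustration (not code from the paper), the following Python sketch implements the account example above: an on-premise token vault replaces account numbers and names with random eight-character tokens, a stand-in function plays the cloud application and adds a charge, and the vault restores the real values on the way back. The field names, token format and sample records are assumptions made for the example. Because the vault issues the same token for the same value, the cloud side can still match records on equality, which is the functionality trade-off described above, and an unknown token is rejected rather than guessed.

```python
"""Tokenising sensitive fields before records leave the organisation.

Added example, not code from the paper. TokenVault is the on-premise
component; cloud_add_charge() stands in for the cloud application, which
only ever sees tokenised records. Field names, the token format and the
sample records are assumptions made for this illustration.
"""
import secrets
import string

TOKEN_ALPHABET = string.ascii_lowercase + string.digits
TOKEN_LENGTH = 8  # same shape as the paper's "kzkxdf56" token


class TokenVault:
    """On-premise mapping between sensitive values and meaningless tokens.

    A given (field, value) pair always maps to the same token, so the cloud
    side can still match records on equality (e.g. group by account). It
    cannot sort, search by substring or otherwise interpret the field, and
    repeated tokens reveal how often a value occurs: that is the trade-off
    for keeping equality matching.
    """

    def __init__(self, sensitive_fields):
        self.sensitive_fields = frozenset(sensitive_fields)
        self._to_token = {}  # (field, value) -> token
        self._to_value = {}  # (field, token) -> value

    def _new_token(self, field):
        # Random, unpredictable tokens; the loop guards against the (tiny)
        # chance of reissuing a token already used for this field.
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if (field, token) not in self._to_value:
                return token

    def tokenize(self, record):
        """Return a copy of record with sensitive fields replaced by tokens."""
        out = dict(record)
        for field in self.sensitive_fields.intersection(record):
            key = (field, record[field])
            if key not in self._to_token:
                token = self._new_token(field)
                self._to_token[key] = token
                self._to_value[(field, token)] = record[field]
            out[field] = self._to_token[key]
        return out

    def detokenize(self, record):
        """Restore the original values; an unknown token is an error, not a guess."""
        out = dict(record)
        for field in self.sensitive_fields.intersection(record):
            try:
                out[field] = self._to_value[(field, record[field])]
            except KeyError:
                raise ValueError(f"unknown token {record[field]!r} for field {field!r}")
        return out


def cloud_add_charge(records, amount):
    """Stand-in for the cloud application: it can update balances but never
    sees a real account number or name."""
    return [{**r, "balance": r["balance"] + amount} for r in records]


# Constructed sample data for the example (not real accounts or people).
SAMPLE_RECORDS = [
    {"account": "12345678", "name": "A. Customer", "balance": 20},
    {"account": "12345678", "name": "A. Customer", "balance": 5},
    {"account": "87654321", "name": "B. Customer", "balance": 0},
]


def round_trip(vault, records, amount):
    """Tokenise, process 'in the cloud', detokenise.

    Returns (records as restored for the staff member, records as the
    cloud saw them)."""
    sent = [vault.tokenize(r) for r in records]
    returned = cloud_add_charge(sent, amount)
    restored = [vault.detokenize(r) for r in returned]
    return restored, sent


if __name__ == "__main__":
    vault = TokenVault(["account", "name"])
    restored, sent = round_trip(vault, SAMPLE_RECORDS, 20)
    for cloud_view, final in zip(sent, restored):
        print(f"sent to cloud:  {cloud_view}")
        print(f"shown to staff: {final}")
```

Run it directly to see each record as the cloud sees it and as it is shown to staff. The vault here lives in memory; in practice it is a database that must be protected and backed up at least as carefully as the original data, since losing it makes the tokenised data in the cloud unrecoverable.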
Local Agents, Cloud Management
Some cloud services consist of a cloud based management solution together with locally
deployed software agents or hardware. The agents or appliances run on your own premises and
handle your data there, while the cloud component configures, deploys and manages them. These
types of solutions have minimal privacy, residency and security issues, because the data itself
stays local, but they are only available for a relatively limited set of services (for instance
integration services). The management channel still deserves scrutiny: whoever controls the
cloud console can reconfigure the local agents, so its access controls, and whatever the agents
send back to it (logs, configuration, telemetry), should be part of the assessment.
MANAGING CLOUD PRIVACY, RESIDENCY AND
SECURITY RISKS
The lack of standards for privacy and security in cloud computing means that the onus is on
the consumer of cloud services to carry out their own investigations and risk assessment. The
cloud customer must also contract their privacy and security requirements at an individual
level with each of their cloud providers – assuming the provider is willing to do this. We
recommend a two-pronged approach to dealing with this responsibility: use a structured
process for evaluating options that is cloud-aware; and, adopt a few key practices for
implementing cloud solutions.
A Cloud-Aware Evaluation Process
If you are considering addressing a business need with a cloud solution, you need to evaluate
all of your options with a process that is aware of the particular challenges of cloud
computing and alive to its possibilities. The high level process shown in Figure 2 and
described below is a basic solution evaluation process that includes additional elements
tailored to evaluating cloud options.
Figure 2 A Cloud Aware Evaluation Process
Preparation
To effectively evaluate cloud options you should carry out a realistic risk assessment that is
not biased for or against cloud computing. This requires targeted preparation.
Enhance your risk framework
If your organisation already has a security risk management framework or a set of security
requirements these may need to be updated to enable them to be appropriately and
adequately applied to cloud computing platforms and solutions. The risk management
frameworks at many organisations have been around for a while and may be biased against
cloud computing because of their focus on locally deployed solutions and an out of date
attitude to the internet. Work with your risk management or security teams to remove any
negative bias while remaining aware of the special challenges of cloud computing. If your
organisation is a part of the New Zealand Government, you should incorporate the risk factors
described in SIGS and the SSC Advice on Risk Management.
Understand your information
In order to properly carry out a risk assessment you will need to understand your
organisation’s information. This involves detailing:
• The different types and kinds of information your organisation is planning to put in or
through the cloud;
• The business criticality and sensitivity of that information.
For applications that you are thinking of putting in the cloud, determine what information
they process or use. For databases determine what information they store. If you are looking
at cloud storage or Infrastructure-as-a-Service you will need to consider the types of
information that could end up residing in the cloud. Some important information types are:
personal details about customers or staff, financial records, strategic information, and
product information.
This will assist you in determining:
• What legislation or standards apply to that information;
• What information may go into the cloud;
• What questions you need to ask and assurances you need to receive from your cloud
provider;
• Whether there are any additional risks you need to manage;
• What controls you need to put in place when putting that information into the cloud.
Investigate the application of standards and legislation
Based on the discussion of relevant standards and legislation above, and taking into account
your type of organisation (e.g. public sector, bank etc.) and the types of information that you
are considering placing in the cloud you will need to determine which standards and
legislation apply to your solution. From this you can determine:
• Whether there are any showstoppers (e.g. SIGS rules out the cloud for certain kinds of
information);
• What legal requirements you are under;
• What additional controls you should have.
Option Identification
Once you have completed these steps you will know at a high level whether the cloud is a
viable option – and what types of cloud. You then need to identify which cloud providers
could form part of your solution – as well as which non-cloud options are reasonable
alternatives.
Option Assessment
Once you have a candidate list of options, each option can then be assessed from the
perspective of privacy, residency and security risks. The following sections outline some of
the special considerations that need to be taken into account for solutions with cloud
components.
Assess privacy, residency and security risks
Undertake a risk assessment process, focusing on those risks that are particularly relevant to
cloud computing as outlined above. You will need to investigate the particular cloud solution
to see whether it has any specific risks. Asking your vendor the high level questions in Figure
3 should uncover whether there are any issues peculiar to them or their solution.
The key to performing a risk assessment on a cloud solution is knowing where your data is
going to be stored. This allows you to understand any privacy or security risks associated with
that location. In particular some jurisdictions have risks due to: a lack of privacy legislation;
potentially invasive government surveillance; and, a lack of the rule of law.
A particular concern for New Zealand organisations is the scheduled maintenance windows of
overseas cloud providers. These are typically organised for the early morning in America or
Europe, and so often fall in peak business hours for New Zealand.
Assess cloud provider controls
Once you have a realistic understanding of the business risks associated with placing your
information in the cloud you can then assess how your candidate cloud solution(s) will address
those risks. To do this you will need to investigate the cloud provider’s ability to meet your
privacy, residency and security requirements and what controls they have in place to mitigate
specific risks. As one of the rationales of cloud computing is to hide the “how” from view,
some of this information may be hard to find – be prepared to ask some hard questions of your
vendors. The high level questions in Figure 3 address the most important controls that a cloud
vendor should have in place.
A more detailed list of questions – called the Consensus Assessments Initiative (CAI) – has been
assembled by the Cloud Security Alliance (CSA).8 Using the CAI questions is a more intensive
and time-consuming exercise, but we recommend using a tool such as this if your organisation
is considering a significant investment in cloud services, or is looking at putting high risk or
business-critical information or processes into the cloud.
• What will happen to your data at end-of-service?
• Where (which jurisdiction) will your data physically reside?
• What are the vendor’s data protection techniques?
• What documentation do they have for auditors?
• What are their identity and access management controls?
• Who has access to your data, both within the cloud provider and at any subcontracted 3rd parties?
• What controls and hiring policies do they have in place for those people?
• What are their business continuity and disaster recovery plans?
• What are their failover and availability processes, policies and procedures?
• When do they typically carry out maintenance?
• Do they do vulnerability assessments?
• What is their security architecture?
• What is their security staff like in terms of size and skills?
Figure 3 Questions for Cloud Providers
Investigate additional risk mitigation
After assessing your basic level of risk and investigating any controls implemented by your
cloud provider there may still be unacceptable levels of risk. If this is the case you should
consider whether there are any additional controls that your organisation can put in place
that may reduce the risk to acceptable levels. The controls that you will need and will be
able to introduce will depend on the kind of cloud solution you are investigating and the
specific circumstances of your organisation, however here are a few general strategies that
may be of use:
• Introduce policies around how cloud services are bought, provisioned and used;
• Implement access controls such as single sign-on, or use access management
software;
• Connect to the cloud provider over a secured network;
• Add security and continuity requirements to your contract with the provider;
• Keep a backup of your data on-premise or at a different provider;
• Have plans in place for loss of service due to internet outages or Denial of Service
attacks.
Assess benefits
Any good risk management process should weigh up the potential risks of an option with its
potential benefits, taking into account the organisation’s appetite for risk along with its
desire for specific benefits. In many cases, as the benefits of cloud computing are quite
different to those of in-house deployments, doing this thoroughly requires an explicit
understanding of the benefits of a cloud option, especially those that are peculiar to the
cloud.
Option Comparison and Selection
It is important to compare the risk assessment of the cloud solution with a realistic risk
assessment of the current state (if there is one) or a proposed on-premise or traditional
outsourcing solution so that the relative merits of the cloud option(s) can be understood. Too
often a thorough risk assessment of a cloud solution scares people off as it is viewed in
isolation rather than being compared with an equivalent assessment of the current on-
premise solution or other alternatives.
Practices for Reducing Implementation Risks
Beyond risk assessments there are a number of other practices that can be used to reduce the
privacy, residency and security risks of cloud computing.
One way that many organisations are getting experience with cloud security is by
implementing low risk applications, with low risk and non-sensitive business information. This
can help the organisation identify issues with the way that they manage security with cloud
providers as well as building confidence and trust for addressing more critical processes.
For significant cloud solutions good vendor management practices should be key parts of
addressing any security issues, for example:
• Put in place clear Service Level Agreements (SLAs) that define what security controls
the cloud provider must put in place, and what penalties are to be imposed if they
are not met;
• Get a clear, binding commitment that you can get your data back and that the data
will be securely removed from their equipment at your request;
• Where possible use contracts to address inadequacies in local privacy legislation.
When it comes to personal information, a good practice to follow is to minimise what is sent to
the cloud. This reduces the effort required to manage any privacy risk, and merely follows the
good privacy principle of collecting only the minimum amount of personal information needed to
perform the business task.
Finally you need to remember that the overall solution is not limited to the cloud service
alone. The complete solution may well include your organisation’s people and processes as
well as elements of its infrastructure, application and data. Managing the parts under your
control can decrease or increase the security risk.
IN CONCLUSION
It is our opinion that New Zealand organisations should routinely assess the cloud as an option
when delivering IT solutions. Utilising the cloud is essential in today’s environment of
increased competition in the private sector and increasing demand for efficiency and cost-
effectiveness in the public sector. Understanding and managing the privacy, residency and
security risks – while not exaggerating them - is essential to realising the greatest benefit
from cloud computing. Refusing to use the cloud due to fear, uncertainty and doubt, or
leaping in to cloud use without examining the risks are both fraught approaches that could
see your organisation losing out. In the first case you are not taking advantage of the
efficiencies and cost reductions available. In the second, you are exposed to the possibility of
reputation damage or compliance penalties if any of the real but un-addressed risks become
reality.
The potential benefits to New Zealand and New Zealand organisations of cloud computing are
immense. A small country, at great distance from the commercial centres of the world, we
are able to take advantage of the scale and innovation of larger players. Will our fear of the
pitfalls of cloud computing hold us back? Or can we take the opportunity to carefully and
considerately assess the real risks and benefits inherent in this new trend and use it to drive
organisational success?
ENDNOTES
1. A Guide to the Privacy Act 1993, Office of the Privacy Commissioner, 2009.
2. Information and Privacy Principles, Office of the Privacy Commissioner, 2009.
3. PADLOCK: an Easy Checklist to Help Get Privacy Right, Office of the Privacy Commissioner, 2010.
4. Revenue Alert RA 10/02, Inland Revenue Department, 2010.
5. Outsourcing Policy, Financial Stability Department, Reserve Bank of New Zealand, 2006.
6. Security in the Government Sector, Department of the Prime Minister and Cabinet, 2002.
7. Government Use of Offshore Information and Communication Technologies (ICT) Service Providers: Advice on Risk Management, State Services Commission, 2009.
8. Consensus Assessments Initiative Questionnaire, Cloud Security Alliance, 2010.