With the proliferation of Web-based services, the world has become your IT department. But can you ensure your internal privacy controls are maintained in external services? These key questions and concrete actions can help ensure privacy compliance in the cloud.

By Cass Brewer

You were probably in the cloud before you knew it—using Web-based services to share files, track to-do lists, and email. Do you remember it? The thrill of the workaround. The cessation of frustration. The daring hope that, one day, the world might be your IT department.

That day is near. Empowered by fast connections and faster development platforms, technology vendors are rolling out increasingly potent Web-based business services, preassembled and on tap. The appeal—and the value proposition—are often undeniable. But with great power comes great responsibility. Managing that responsibility outside of the corporate walls requires great internal controls.

Privacy, business continuity, and process or data continuity represent the most concrete risks associated with a dependence on cloud-based services. Although this article focuses on privacy controls for information hosted on third-party services, business, process, and data continuity must also be considered.  In fact, privacy can also be a factor in continuity considerations,

In general, control objectives for cloud-based applications are similar to internal control objectives. Companies should seek to ensure that external privacy controls meet internal criteria for information confidentiality, integrity, and availability. A few pointed questions during the service evaluation and procurement process can go a long way towards determining whether a prospective cloud vendor can meet your expectations:

Privacy

1. Will data stored in third-party environments be subject to comparable internal controls for protection, use, transfer, and storage?
2. If the externally stored data is subject to regulatory requirements, such as encryption of electronic protected health information (ePHI) under HIPAA or access restrictions under PCI, can the organization be assured that the cloud service complies with these requirements?
3. If the cloud service relies on customer data, will it support the organization's ability to support customers' knowledge, choice, and consent regarding the collection, use, and retention of their personal information?
4. If the cloud service experiences a data breach incident, will the organization be assured of notification, and can any consequent liabilities be assessed and appropriately assigned?
5. If the service contract is terminated by either party—under any conditions—will the sourcing company have a right to retrieve its data? Will the vendor securely erase or otherwise destroy all data related to the terminated service in a timely way?

Business continuity

1. Will the cloud service meet minimum-availability requirements for its business objectives?
2. Is the potential impact of a cloud service failure, including the impact of downtime and/or the impact of data loss, an acceptable risk?
3. In the event of a physical event at the service provider's facility—such as a physical server failure, facility emergency, or environmental catastrophe—will the security of the organization's information be maintained?

Process and data continuity

1. Is the data used by the cloud service available to the organization in raw form?
2. Can the data used or produced by the cloud service be used with other internal processes, or does the cloud service create a data silo that is potentially inconsistent with internal business data?
3. Does the cloud service modify organizational data and, if so, are the potential costs and risks arising from that modification understood?
4. If the cloud service requires transfer of data to and from internal systems, is the transfer process secure?

At a meta-level, companies should evaluate the procurement process itself and ensure that compliance and risk management are built into both software and service sourcing criteria. Since many Web-based services do not require internal technical support or management, they can effectively end-run IT—as well as the privacy and security controls built into internal systems. This is a particular risk in organizations where IT resources are stretched thin and business managers turn to external services out of frustration with internal project backlogs.

Putting privacy compliance in the cloud

Even where privacy is evaluated in cloud-service sourcing, the relative opacity and business independence of cloud service providers complicates the assurance of information confidentiality, and integrity. Sourcing companies rarely have direct access to or audit rights for vendor environments.

The bottom line: cloud services bear intrinsic risk. Companies should always think twice about storing highly sensitive data on third-party servers. That said, there are several steps you can take that can reduce those risks—or at least establish an acceptable level of trust in your cloud service vendor:

Investigate

Read the fine print in contracts, terms of service, technical documentation, and even marketing literature. These legal documents should give you a sense of whether the service provider’s terms of service and policies are in concordance or potential conflict with laws and internal policies under which your information has been and will be collected. Especially note:

• Whether the vendor specifically limits its ability to use your information to activities allowed under law and internal policy
• Whether the vendor generates transactional and reporting data based on your services; and, if so, whether that data is conflicts with applicable laws and/or your internal privacy policies
• Whether use of the vendor's services constitutes cross-border information transfer, which might subjects your organizational information to additional country privacy laws
• Whether the vendor stores information on physical servers in a country or countries other than your organization’s base country; and, if so, whether that subjects your data to additional privacy or security requirements
• Whether sensitive business or customer information retained by a service provider is acceptably protected from legal discovery and investigatory actions in whatever country its physically stored
• Whether the vendor's privacy and protection commitments will persist beyond the term of any service contract, and include the secure disposition of any proprietary data related to the contracted services

Confirm

If existing documentation does not provide the assurance you're seeking, press for more information. Vendor sales and support staff are generally good channels for these types of requests.

One notable exception is the pursuit of assurance that the vendor does not process, store, or transfer information through jurisdictions whose laws do not provide for adequate information protection. Sales staff are unlikely to have deep information about physical server locations or routing. Moreover, the cloud vendor might consider this information to be somewhat sensitive. In these cases, it can be more effective to have internal counsel pursue the information as a matter of due diligence in the procurement process.

It's also worth checking whether the vendor has a SAS 70 Type II audit certification. SAS 70 audits can provide a high level of assurance and are regularly required by financial service companies of their service providers. Be aware, however, that the scope of SAS 70 audit is discretionary. Depending on the level of assurance your organization is seeking, the nature of the services being offered, and the character of the service vendor, even this measure of assurance can omit key privacy requirements.

Compel

Most cloud service contracts are standard and inflexible. However, very large companies and companies that have very large contracts with smaller service providers may have the leverage to impose contractual privacy controls on their vendors. Whenever it's practical and feasible, companies should write privacy and information protection requirements, assurance, and liability assignments into service contracts. Contract terms should include:

• A requirement for the service to comply with applicable laws, regulations, and internal policy covering privacy and information protection
• Requirements for the protection of sensitive personal and business information—including specific requirements for highly sensitive data, such as encryption or secure storage
• Provisions for secure data disposal, transmission, and storage
• Explicit reservation of ownership and access rights for data stored on vendor servers, including the right to retrieve a full backup of the company's data upon termination of the service contract by either party.
• Assignment of liability and compensation burdens for any damages that might result from exposure of the company's data by the vendor
• The right to audit vendor controls and environments

Document

Regardless of whether you can impose contractual controls on your cloud provider, it's a good idea to document any control-information gaps, explicit assumptions, and known risks related to the vendor's ability to ensure your information's privacy and security. If any of these factors change over the term of your contract, the documentation will help you review the risk impact in context.

Compensate

The inability to establish a defensible degree of privacy assurance in an otherwise compelling service offering is one of the most difficult cloud sourcing scenarios. In some cases, the decision to engage a service may come down to subjective factors of managerial trust and risk tolerance. The ability to mitigate a service's inherent risk with compensating internal controls can swing that decision. Compensating controls might include:

• Masking, hashing, or otherwise obscuring sensitive data before it's posted to the cloud
• Implementing an internal gateway with more stringent access and authentication requirements
• Periodic review of externally hosted data sets with comparable internal data sets
• Contractually requiring the vendor to provide daily log reports for service access (successful and attempted), record modifications, downloads, process initiation, or other potential indicators of security incidents.

Finally, whatever the outcome of these efforts, there is always the option to simply accept the cloud's inherent risk. Companies constantly weigh comparable decisions for business services and supply chain components. The risk assessment of cloud services is different from payroll services or outsourcing services only in the specifics of its potential failure. Although cloud computing might be recent jargon; its control approaches are well modeled in software development, contract management, and information security management.

Author

Cass Brewer is the chief steward of the Truth to Power information governance research community. Read more of her analysis and view in her Founder's Blog.

Comments on this article are welcome! Please log in or join T2P to enable comments.