Archive for August, 2010

Getting Comfortable in the Cloud

It seems everywhere you turn there is another gloomy statement about the potential dangers of cloud computing. This commentary is reaching a crescendo with sensational newspaper headlines citing speculation as fact. It’s time everyone took a step back to look objectively at what is actually happening, reflect on their decade-plus experience using cloud-based services and go beyond the negative hype.

So the first thing to do is to get clear on the Cloud. I often describe the challenge using the meteorological clouds which we are more familiar with. If I were to say to you, “Don’t go outside if there are clouds,” you would clearly think I was nuts. The clouds could be cirrus clouds (high and wispy), stratus clouds (low blanket like grey clouds), nimbus clouds (rain clouds), cumulonimbus (thunderstorm clouds) or even funnel clouds (tornados). For the everyday person, some clouds don’t require any additional actions be taken, some require modest safeguards e.g. umbrella and others, more significant safeguards (take cover!).  For truck drivers there are considerations like fog lights, wipers, tarpaulins and tire chains.  For pilots there are other considerations such as alternative airports, instrument flight rules, wing deicing, etc.

The naysayers deal in speculation and absolutes.  Much akin to announcing: don’t fly in airplanes because they crash, they make pronouncements for the cloud that state indirectly that privacy intrusions are happening.  Many would have you believe that the sky is falling, a meteor could drop onto the earth or you could, quite possibly, be struck by lightning as you read this.  Now while I can’t absolutely guarantee that any of the aforementioned events won’t happen, I think you’ll agree that first, it’s fairly remote that they will happen, and second, in the case of the lightning strike, you could further reduce the vanishingly small chance of occurrence by avoiding that tin foil suit while standing in the middle of an empty field during a thunderstorm. 

The first step to getting comfortable in the cloud is a review of the expert guidance for privacy and security safeguards for cloud services.  The Ontario Privacy Commissioner’s office has published guidance on safeguarding data in cloud services in “Privacy in the Clouds: Privacy and Digital Identity – Implications for the Internet” and  “Modeling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach.” The Government of Canada Treasury Board Secretariat has published a guidance document: “Taking Privacy into Account Before Making Contracting Decisions,” which provides a checklist and other tools to help organizations address their privacy requirements.  Cloud providers also provide detailed guidance on how their services work.  For example, Microsoft’s Global Foundation Services, the group that builds and operates Microsoft’s Data Centers and Online Services, has published a whitepaper that describes how they Secure Microsoft’s Cloud Infrastructure.  You’ll note that the privacy development lifecycle outlined on Page 8 aligns with the Privacy By Design approach promoted in the guidance from the Ontario Privacy Commissioner’s Office.   Noteworthy references such as these provide a useful foundation for the Threat Risk Assessment (TRA) process for security and the Privacy Impact Assessment (PIA) process that organizations routinely use to identify and manage the risks associated with internal and external service delivery.

Data Sovereignty is one point that frequently arises in discussions on Cloud computing and privacy. The USA Patriot Act is the piece of international legislation that people most commonly talk about. The Canada, Mexico and USA Trilateral Committee on transborder data flows held multiple meetings between September 25, 2008 and June 15, 2009 to explore the challenges associated with cross border information flows. In their final report they noted that:

  1. “While the USA PATRIOT Act does not create a restriction on the movement of data across borders, misperceptions surrounding it appear to be negatively impacting data flows.” (page 11)
  2. “The Questionnaire (of the business community) indicated the occurrence of misperceptions within the business community regarding the USA Patriot Act, and how the lack of clarity surrounding this piece of legislation has resulted in lost opportunities.” (page 17)

In testimony at the second meeting of the committee, privacy expert Fred Cate indicated that “The likelihood of the government resorting to searches of personal data from provincial Canadian public sector authorities held by, or accessible through, service providers in the United States as a reliable law enforcement or counterterrorism tool is ‘vanishingly small.’” The Federal Privacy Commissioner held public Consultations on Cloud Privacy in June of 2010 and while a final report remains outstanding, prominent Canadian privacy lawyer David T.S. Fraser presented the rough equivalence of legal authority in Canada and the US. He further reinforced the opinion that US authorities would sooner work directly with their Canadian counterparts than seek the information unilaterally through the US. This opinion is reinforced by the Canadian Advanced Technology Association in one of two publicly available submissions. And while one or two organizations continue to highlight concerns, albeit without consideration for the application of safeguards, it appears that the guidance provided by the Federal Privacy Commissioner on “Processing Personal Data Across Borders” remains valid guidance for business leaders today. This guidance was also called out by the trilateral committee as leading “to increased understanding and less concern from individuals about cross‐border data transfers.”

As your organization looks to take advantage of the economies of scale, the business agility and the robust security inherent in cloud computing, it is vital that you understand that many of your applications do not deal with personal information and therefore would not require specific privacy impact assessments to move to the cloud. For those that do, there are a variety of safeguards, both already in the cloud and that you can implement, that will mitigate the risk to less than vanishingly small.


The Remaining 49

As you can probably tell, June was a busy month and I didn’t quite make it to my 60 posts in 60 days.  Here are the remaining 49 to close out the full 60:

Tourism

Supply chain and Logistics

Sports

Cyber Security

Textiles

Policing

Digital Libraries / Archives

Banking

Food Services

Carbon Sequestering

Pharma Research

New Materials

Aviation

Law & Policy

Distance Education

Farming

Carbon Markets

Biotech

Smart Grid

Alternative Energy

Archaeology

Mining Livestock Management Energy Efficiency Robotics Weather prediction Space

Fresh Water Management

Electronic Gaming Manufacturing Open Data National Security Defence Research Telecom

Environmental Protection

Film Design Surface Transportation Aquaculture Identity Management Claims Management Sociology & Anthropology Diplomacy
Green Petroleum Extraction Architecture Beverages Endangered Species Management Alternative Energy Policing Genetics

General subject headings tend to hide the details, but I think you can appreciate that there are any number of programs and activities in support of the Digital Economy behind each subject heading. If we were, for example, to dig a little deeper on, say, Surface Transportation we would see a wide variety of elements supported by and supporting the Digital Economy. Consider smart containers, Radio Frequency Identifiers, logistics tracking systems, intelligent transportation systems, border management systems, real time route planning, traffic management systems, warehouse management and more. Of course the same exercise can be done for each of the subject headings (that’s what I had hoped to do :-) ). So unless there is some enterprising reader out there that would like to extend and expand each of the titles, I’ll have to extrapolate and estimate that there would be well over 500 different Digital Economy impacting solutions in primary support of these business areas. If we were to think a little more we could quickly come up with another 10 subjects to support each primary area. I think we can all see the quick expansion of the number of areas of the economy that are digital and why I chose to drop the “digital” from the recent consultations.
