Privacy Archive

Considering Compliance When Adopting Public Cloud Services

Cloud computing processes and technologies offer organizations the opportunity to transform their approach to IT services delivery and ultimately transform their overall services delivery. While several characteristics fundamental to cloud computing are relatively novel to these solutions (e.g. elasticity, transparent scalability, usage-based billing), there are some aspects of cloud services, especially in procurement, that organizations will be familiar with. Many organizations are using public cloud services for their service delivery. While the path each has taken to implement cloud services has been different, there are some activities that they have commonly performed:

1. Select a candidate service (capability) that will be provided – While many CIOs have included “moving towards cloud services” in their strategies, actual implementation of these services requires that CIOs and their service delivery leaders go well beyond the concept and take a detailed look at what services and information holdings they plan to host in the cloud. For existing services, organizations should take the time to examine how their user community is actually using the services over and above the official purpose of the system in question. This will help identify any unexpected categories of information that need to be supported. Organizations should also take the time to think about and almost predict how their community may find alternate uses of new services that they are looking to deploy in the cloud. This will help avoid any unintended consequences.

2. Assess the compliance obligations for the service (PCI, FOIPPA, PHIPPA, SOX etc.) – The output from the first step should be a clear understanding of the services and information that will be transitioned to the cloud. Since all services are governed by legislation, policy or standards, it is essential that a fulsome analysis of the compliance obligations be carried out by a compliance team composed of a partnership between the service owner, legal and IT organizations. It is often the case that several compliance regimes will apply to an individual service.

3. Take a realistic look at how the organization conducts business today (Mobile devices, Internet presence, partner connections, POTs, social network use etc.) – While any change in how an organization delivers its services provides an opportunity for improvement and to address gaps that have arisen over time, a balance must be struck not to over-engineer the solution. Instead of taking a blank slate approach to delivering services via the cloud, successful deployments have taken a look at the current service delivery environment and examined the differences that cloud services introduce. This approach effectively addresses arguments for security, privacy, availability etc. that deal with absolutes.

4. Conduct a preliminary Privacy Impact Assessment (PIA) and Threat Risk Assessment (TRA) – Now that a clearer understanding of the services has been developed, there is an opportunity to conduct a preliminary TRA and PIA. These assessments identify the information assets, the threats to those assets and the safeguards required, and provide an insight into the remaining risks that need to be addressed before the services are deployed. These preliminary reports go beyond technology-based recommendations and will help identify policy, process, people and publication safeguards/controls for the services. Should the organization determine that the remaining risk of their planned deployment is too high, there is an opportunity to go back, revisit the approach and add additional safeguards. Organizations can also look to hybrid models where the sensitive information remains on premise and a less sensitive portion of the service is migrated to the cloud.

5. Pilot the service – The very nature of cloud services provides a great way to deliver new. Because you only pay for what you use, organizations can quickly and cost-effectively get access to cloud services so that they can investigate how they could work with their plans. These pilots/prototypes can be done at the same time that the policy/compliance work is being done.

6. Assess the potential risk delta in moving to a new cloud model. – The preliminary PIA and TRA provide the foundation for the business assessment for the adoption of cloud services. It should consider the current operational environment and the planned cloud end state. It is essential that the risk be considered in the context of the current ways that the services are performed, since starting from a blank sheet or ideal world scenarios can introduce scope creep explosion which will extend far beyond the project in question.

7. Conduct a detailed review of the Service Level Agreement, including a mapping to current service levels. – The Service Level Agreement is the cornerstone safeguard for effective outsourced service provision since it describes the expectations and obligations of both the service provider and consumer. Several organizations have made the case for cloud services to their senior management based upon the service enhancements over their existing service delivery capabilities (e.g. availability, capacity, discoverability). Organizations should take the time to fully describe their service expectations and avoid sending poorly understood services to cloud providers. A sure recipe for failure is where a poorly understood service is tossed into the cloud, since both parties won’t know what’s expected, leading to discontent.

8. Build out the business case. – Successful deployment of any full service ultimately relies on a solid business case. While cloud services do have the potential for organic, bottom up growth because of usage based billing, fully sustainable solutions are supported by solid business cases. The biggest challenge experienced with business cases is accurately capturing the current total cost of ownership. Organizations generally underestimate the current costs because it is often difficult to get full access to the various direct and indirect costs associated with a service.

9. Decide and manage the risk – Ultimately the decision to maintain status quo, adjust a service or deliver a new service comes down to a risk management decision. All of the activities described above help develop the evidence for the line of business leader to make an informed risk decision.

Canadian organizations are beginning to take advantage of cloud services for their service delivery initiatives. Those that have been successful in deploying have generally performed these high level steps to tease out and address the risks and opportunities associated with their move to the cloud.


Rethinking IT Service Delivery Through the Power of the Cloud

I’ve had the opportunity to chat with many people across Canada over the past few months about the potential of the cloud and more recently during the cross Canada “Journey to the Cloud” tour. During these conversations I was able to confirm first-hand that while Leger Marketing has found that “Cloud computing is confusing Canadian businesses”, the number of businesses with a clear view of the opportunity presented by the cloud increases steadily every day. Conversations have leapt ahead from exploratory discussions on service descriptions to detailed conversations investigating how to leverage the innovative service delivery models possible through the use of the cloud.

Organizations exploring cloud services have the flexibility not only to leverage software as a service, platform as a service or infrastructure as a service in a public, hosted or private cloud service delivery model, but they also have the opportunity to divide up their business services across each of these possibilities. While the flexibility may seem daunting, think of the cloud as a toolbox where each of the options is a tool fit for a particular task: screwdrivers for screws, saws for cutting etc. Beware the cloud provider that suggests you use a hammer for everything.

A case study from Aer Lingus gives a great example of the power of the cloud through the ability to provide each part of the user experience from the best technology for the job. This separation of workloads (or business services) across a variety of systems, some moved into the cloud while some stay on premise, provides the solid foundation for innovation in the customer experience. The hosting of the computation intensive and network demanding graphic tiles associated with the route maps in the cloud, while maintaining the booking systems separately, helps illustrate how organizations can leverage the strengths of the cloud. The cloud provides the scalability, network reach and capacity, elasticity and economies of scale required for the images, and is complemented by the existing corporate IT investments, namely the booking system which is overlaid upon the route maps.

I’ve had the good fortune to participate in brainstorming sessions with Canadian organizations to explore how the cloud can change the way that they deliver services. During one of these brainstorming exercises, the CTO of a Canadian Healthcare community discussed some of the innovative telepathology work underway in Canada. Essentially, medical images from remote locations without pathologists in Canada are shared to a network of pathologists across Canada who, with proper authorization and security, can provide their analysis in a much timelier manner than having to travel to the location in person. As you might imagine, medical images are compute and network intensive, placing huge demands on centralized servers and resources when accessed from across the country. What if the cloud could be used to distribute this critical data? Using the Aer Lingus case study as an example, we explored the potential of distributing only the image portion of the files using the cloud, while keeping the patient data in the existing systems. This separation could speed the delivery of the image files across the country because of the capabilities of the cloud, while safeguarding the existing investment in the patient data systems. Of course this was a brainstorming session and any number of details would need to be worked out before this type of project would be launched, but I think it helps demonstrate the power of the cloud and the new flexible thinking and innovative services that it enables.


Ten Cloud Computing Myths

I’ve had the opportunity to talk to many people about cloud computing at a number of conferences across Canada. I have to say that there is considerable enthusiasm about the potential of the cloud and the many opportunities that it unlocks. Unfortunately there is a lot of uncertainty that accompanies this enthusiasm and perhaps rightly so given some of the game changing approaches that accompany the familiar. Where there is uncertainty, there are well-meaning groups and individuals who, perhaps resistant to change, paint fairly negative pictures of the cloud. I’ve collected this list of top ten myths that I have heard perpetuated at conferences and provided my thoughts on why these are indeed myths.

1. All cloud is on the Internet

Perhaps one of the most common myths is that for organizations to use cloud services they must use consumer-oriented services available on the web. It certainly doesn’t help that those companies with an internet-only service delivery model continue to push the message very hard.

In reality, cloud technologies and cloud services are available in a variety of formats: on the internet, on private networks and even within your own organizational boundaries. Many organizations are getting started with cloud technologies by building out their own “private cloud” services on their own internal networks. Even hosted cloud service providers often provide options where their services are provided over private networks to their customers. These non-internet dependent cloud services are especially important where internet connectivity may be intermittent or non-existent.

2. All cloud services are the same

Another common myth being perpetuated is the grouping of all forms of cloud services under a common umbrella and broadly applying the characteristics of one type of service to another completely different class of service. Perhaps the most common association is where consumer oriented cloud services are equated with enterprise grade cloud business services. I’ve seen music marketplaces lumped in with business collaboration sites, social networking with infrastructure services.

Not only is this broad brush approach unhelpful, it really (no, really, really) discredits any valid points made about the considerations needed for each category or class of cloud services. While admittedly the shorthand “Cloud” services has been applied across a wide variety of technologies in different ways by a variety of providers, the broad-brush approach would be like describing, perhaps, the characteristics of a motorcycle (e.g. you can get wet when it rains) across all vehicles. Certainly the characteristic applies to some vehicles (bicycles, convertibles, pogo sticks) but not to others. The same is the case in cloud services. Cloud services vary considerably, not only in how people consume the service (Infrastructure, Platform, Software as a service), but also in the business function of the service (search, database, collaboration), the business model (subscription, advertisement, licensed), the service model (private, hosted and public) and more. Some cloud services oblige their users to assemble their own functionality, where others are pre-packaged. As you look at any assessment on cloud services, be sure to explore a little further to make sure that you appreciate how that assessment applies to your particular business situation and use of cloud technologies.

3. You cannot mix and match cloud services

Modern organizations use a variety of best of class tools to address their business requirements. For some reason, there is a misperception that the move to the cloud is an all or nothing proposition, either from a bundling perspective or from a business application delivery perspective. This misinterpretation can hinder the adoption of cloud technologies by organizations as they look to move to these services.

Flexibility is one of the fundamental advantages of the cloud. Cloud services provide flexibility to use just what you require, when you require it. This flexibility extends into new programming models where developers have the flexibility to separate data and compute, leveraging the best locations for their operations. The interoperability built into cloud services also provides flexibility to organizations allowing reuse of internal systems, such as identity management, with external cloud services. As organizations make their move into the cloud they often adopt one or two services while keeping connections to their existing internal services.

4. Cloud Providers just toss the data into their data centers

Some presentations I’ve attended would lead you to believe that cloud service providers manage their data like an episode of TLC’s Hoarders TV series, where data simply piles up and becomes lost.

Compliance audits, certifications, service level agreements, availability and reliability assertions all oblige enterprise grade cloud service providers to know where their customer’s data resides.

5. Cloud providers just shovel over data in response to lawful access requests

One myth that instills concern in people is the suggestion of a haphazard approach to responding to lawful access requests. Perhaps this misperception is coupled with the previous myth since naysayers could conclude that if organizations don’t know where the data is, they would simply hand over an arbitrary collection and let law enforcement sort through it.

Really? This is perhaps the stuff of movies. Enterprise grade cloud providers have considerable experience in responding to lawful access requests and strive to provide exactly the specific information being sought. And because close control is maintained over the data, cloud providers can separate only the information requested from the other data.

6. Operators casually browse the data sets in their custody

I get the impression that some people think of a data centre operator’s job as a boring day, spent in front of a relatively blank screen perhaps playing solitaire. The reason that this comes through is because of the false assertion that cloud operators casually browse customer data sets.

Well, if you have a single operator and a single server it could be a rather long day. But the business of cloud computing is a business of scale. To be successful, cloud service providers need to be able to operate their computing resources at a massive scale http://tinyurl.com/2622zqt. One example of this scale is in the coverage model of operators to servers. In world class enterprise data centers the ratio of operators to servers is around 1-140. For cloud service providers that ratio jumps by an order of magnitude. I think that you can all appreciate that in today’s economic reality, enterprises can ill afford to have employees that just sit around, so one could expect that the data center operators have gainful work expected of them throughout the day. Simply put, the operators are kept busy enough maintaining the high operational availability of the cloud services that they provide that they simply would not have the time to browse the data sets. And even if they did, there are a number of internal safeguards that have been implemented to prevent this sort of misuse.

7. Law enforcement browses the cloud at service provider’s locations

Much like the aforementioned myth, a number of individuals make assertions that every use of the cloud is automatically accessed by law enforcement. There is no mention of differentiation of services, no mention of safeguards applied by consumers, no mention of the need for warrants, just a presumption of almost casual access.

Let’s take a closer look at the reality. Yes, law enforcement agencies worldwide have procedures that they can use to obtain data from cloud services providers as part of an investigation. At this year’s Federal Privacy Commissioner’s consultation on the Cloud, David Fraser highlighted the equivalences between Canadian and US lawful access procedures. Input to the Trilateral Committee on Cross Border Data flows noted that the possibility of US law enforcement using their access to obtain Canadian data is “vanishingly small”. Perhaps it’s simply “System 1” getting the best of the pundits.

8. The cloud exposes your data to incidental access

Perhaps it’s from the olden days when the high tech crime investigators literally used yellow tape, chalk lines and computer confiscation to start their investigation, but there is a myth that investigations of cloud services providers begin with wholesale confiscation of hardware.

Cloud services have been around for many years, many for well over 10 years. Both law enforcement and cloud services providers have worked together to build effective processes to provide the data required for investigation support. These processes emphasize close cooperation to provide only the data required and respect the privacy and SLAs of other customers.

9. It’s against the law in Canada to use international Cloud services

There is a common misunderstanding that there are a large number of Canadian laws that prevent the transfer of data outside of Canada extending across different business sectors both public sector and private sector.

Let me start off with a disclaimer that I am not a lawyer, so all organizations should seek competent legal advice about the compliance requirements that their organization must abide by. That said I have been deeply involved with the deployment of broad consumer cloud services in Canada, assisted Industry Canada and the Federal Privacy Commissioner in their consultations on cloud security and privacy and helped deploy cloud based services in provinces, municipalities and private sector. There is one Canadian jurisdiction with a prohibition on the storage of a specific category of data outside of Canada. The British Columbia Freedom of Information Privacy Protection Act prohibits storage or access of personal information in its custody or under its control outside of Canada. Note that this is a subset of the information held by governments in BC and doesn’t apply to the information that private sector uses for their own services. I’ve highlighted a few of the organizations that have provided advice and guidance on considerations and safeguards for use of the cloud in a previous blog post.

10. The Cloud will displace all other technologies

Rounding out the group is the myth that everything will move to the cloud and that all other technologies will be replaced. Some suggest that mainframe computers will magically disappear, local servers and internal corporate networks will vanish, and that all applications will reside in the cloud leaving local devices a shadow of their current self; supporting perhaps no more than a browser.

If we were to look at the stepwise shifts in technology in the past, for example the rise of the PC, client server computing, the advent of the web and the adoption of services oriented architecture, we see how the technological shifts were additive to the existing technologies. While some workloads moved away from the previous paradigm, after an adoption period equilibrium was reached where the old and the new coexisted. Looking broadly at the cloud technologies, we see that one of the key principles behind the cloud is ubiquitous network connectivity. As cell phone users we recognize quite well the connectivity dead zones that can exist for universal coverage (ever tried to take a call from the ice rink?). Certainly as we look at the broad expanse of Canada we can see that while tremendous progress is being made, there are still some regions without broadband access. Consumers and businesses need to be able to use their computing resources even when connections are not available. Apps that are only available via the web might not be the ideal solution for individuals that find themselves beyond a connection from time to time. A more realistic scenario is where your devices will be able to work regardless of location and connect when available or convenient to synchronize.

As organizations explore the opportunities of cloud computing it is critically important that they look beyond the myths and begin to focus on the specifics of which services they are looking to use, for which data, in which way.


Getting Comfortable in the Cloud

It seems everywhere you turn there is another gloomy statement about the potential dangers of cloud computing.  This commentary is reaching a crescendo with sensational newspaper headlines citing speculation as fact.  It’s time everyone took a step back to look objectively at what is actually happening, reflect on their decade plus experience using cloud based services and go beyond the negative hype.

So the first thing to do is to get clear on the Cloud. I often describe the challenge using the meteorological clouds which we are more familiar with. If I were to say to you, “Don’t go outside if there are clouds,” you would clearly think I was nuts. The clouds could be cirrus clouds (high and wispy), stratus clouds (low blanket like grey clouds), nimbus clouds (rain clouds), cumulonimbus (thunderstorm clouds) or even funnel clouds (tornados). For the everyday person, some clouds don’t require any additional actions be taken, some require modest safeguards e.g. umbrella and others, more significant safeguards (take cover!).  For truck drivers there are considerations like fog lights, wipers, tarpaulins and tire chains.  For pilots there are other considerations such as alternative airports, instrument flight rules, wing deicing, etc.

The naysayers deal in speculation and absolutes.  Much akin to announcing: don’t fly in airplanes because they crash, they make pronouncements for the cloud that state indirectly that privacy intrusions are happening.  Many would have you believe that the sky is falling, a meteor could drop onto the earth or you could, quite possibly, be struck by lightning as you read this.  Now while I can’t absolutely guarantee that any of the aforementioned events won’t happen, I think you’ll agree that first, it’s fairly remote that they will happen, and second, in the case of the lightning strike, you could further reduce the vanishingly small chance of occurrence by avoiding that tin foil suit while standing in the middle of an empty field during a thunderstorm. 

The first step to getting comfortable in the cloud is a review of the expert guidance for privacy and security safeguards for cloud services.  The Ontario Privacy Commissioner’s office has published guidance on safeguarding data in cloud services in “Privacy in the Clouds: Privacy and Digital Identity – Implications for the Internet” and  “Modeling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach.” The Government of Canada Treasury Board Secretariat has published a guidance document: “Taking Privacy into Account Before Making Contracting Decisions,” which provides a checklist and other tools to help organizations address their privacy requirements.  Cloud providers also provide detailed guidance on how their services work.  For example, Microsoft’s Global Foundation Services, the group that builds and operates Microsoft’s Data Centers and Online Services, has published a whitepaper that describes how they Secure Microsoft’s Cloud Infrastructure.  You’ll note that the privacy development lifecycle outlined on Page 8 aligns with the Privacy By Design approach promoted in the guidance from the Ontario Privacy Commissioner’s Office.   Noteworthy references such as these provide a useful foundation for the Threat Risk Assessment (TRA) process for security and the Privacy Impact Assessment (PIA) process that organizations routinely use to identify and manage the risks associated with internal and external service delivery.

Data Sovereignty is one discussion point that frequently arises in discussions on Cloud computing and privacy. The USA Patriot Act is the most common international legislation that people are talking about. The Canada, Mexico and USA Trilateral Committee on transborder data flows held multiple meetings between September 25, 2008 and June 15, 2009 to explore the challenges associated with cross border information flows. In their final report they noted that:

1. “While the USA PATRIOT Act does not create a restriction on the movement of data across borders, misperceptions surrounding it appear to be negatively impacting data flows.” (page 11)
2. “The Questionnaire (of the business community) indicated the occurrence of misperceptions within the business community regarding the USA Patriot Act, and how the lack of clarity surrounding this piece of legislation has resulted in lost opportunities.” (page 17)

In testimony at the second meeting of the committee, privacy expert Fred Cate indicated that “The likelihood of the government resorting to searches of personal data from provincial Canadian public sector authorities held by, or accessible through, service providers in the United States as a reliable law enforcement or counterterrorism tool is ‘vanishingly small.’” The Federal Privacy Commissioner held public Consultations on Cloud Privacy in June of 2010 and while a final report remains outstanding, prominent Canadian privacy lawyer David T.S. Fraser presented the rough equivalence of legal authority in Canada and the US. He further reinforced the opinion that US authorities would sooner work directly with their Canadian counterparts than seek the information unilaterally through the US. This opinion is reinforced by the Canadian Advanced Technology Association in one of two publicly available submissions. And while one or two organizations continue to highlight concerns, albeit without consideration for the application of safeguards, it appears that the guidance provided by the Federal Privacy Commissioner on “Processing Personal Data Across Borders” remains as valid guidance for business leaders today. This guidance was also called out by the trilateral committee as leading “to increased understanding and less concern from individuals about cross‐border data transfers.”

As your organization looks to take advantage of the economies of scale, the business agility and the robust security inherent in cloud computing, it is vital that you understand that many of your applications do not deal with personal information and therefore would not require specific privacy impact assessments to move to the cloud. For those that do, there are a variety of safeguards, both already in the cloud and that you can implement, that will mitigate the risk to less than vanishingly small.


Tardy

Time flies when you’re having fun. I just noticed the date of my last post and realize that I have missed my goal of weekly posts by a long way. In my defence, I have been criss-crossing the globe working on some pretty exciting stuff. Open Gov, Gov 2.0, Cloud Computing, Accessibility, Privacy and Identity Management all with a distinctly Canadian approach. What’s great is that there is a tonne of Canadian thought leadership to share. The many successful CityCamps and the innovative OpenData apps that have developed from them, the real world identity management deployments underway in provincial governments and the world wide thought leadership on privacy are all of great interest both locally and worldwide. While each of these subjects deserves its own extended post (and even subject tag) which will come in due time, I was thinking about how these subjects come together and relate to one another. Certainly we could stack rank them to look at which of the themes are really just supportive of the higher order themes. That would leave Gov 2.0 at perhaps the highest level with open gov as an enabler supported by cloud computing and identity management with accessibility and privacy as key requirements. This ranking might not seem entirely useful at first blush and we might even quibble about ordering of which topic supports the others but it does start to highlight a framework for successful delivery of any of the individual subjects. It could be that my security engineering is boldly peeking through, but it struck me that the defence in depth structure actually applies to most of these difficult challenges. So in place of defence in depth, it makes sense to use Design in Depth or Deliver in Depth. Successful projects consider the Principles, Policy, People, Process and finally the Products. This design in depth approach against service delivery opportunities helps connect business and service delivery leaders with those delivering the technology.
It assists with the allocation of requirements and helps ensure that the right tools are used for the right things in the right way. The framework works for both a centralized and decentralized approach to service delivery as well. Many service delivery leaders are looking to the community to help deliver innovative solutions. Design in Depth helps establish the centralized vision that guides and directs the distributed empowerment to set “the Crowd” in motion to deliver solutions in support of an organization’s business objectives. While there are many examples of this, you can see this first hand in many of the municipal open government activities. The municipality typically establishes their vision (principles (and supporting objectives)) from which both the internal and external community develop and provide meaningful solutions. This distributed empowerment complements those traditional rigidly structured projects. This complementary relationship may well strengthen over time to an iterative approach where externally developed applications are integrated into the internal application development lifecycle. As organizations look to meet their service delivery imperatives, the Design in Depth approach allows them to connect their business leaders with both their internal development teams as well as the crowd to contribute innovative solutions and approaches to meet their program needs.
