Delivery and Adoption of Cloud Computing Services in Contemporary Organizations
Victor Chang, Computing, Creative Technologies and Engineering, Leeds Beckett University, UK
Robert John Walters, Electronics and Computer Science, University of Southampton, UK
Gary Wills, Electronics and Computer Science, University of Southampton, UK
A volume in the Advances in Systems Analysis, Software Engineering, and High Performance Computing (ASASEHPC) Book Series
Managing Director: Lindsay Johnston
Managing Editor: Austin DeMarco
Director of Intellectual Property & Contracts: Jan Travers
Acquisitions Editor: Kayla Wolfe
Production Editor: Christina Henning
Typesetter: Amanda Smith
Cover Design: Jason Mull
Published in the United States of America by Information Science Reference (an imprint of IGI Global), 701 E. Chocolate Avenue, Hershey PA, USA 17033. Tel: 717-533-8845, Fax: 717-533-8661, E-mail: [email protected], Web site: http://www.igi-global.com
Copyright © 2015 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.
Library of Congress Cataloging-in-Publication Data
Delivery and adoption of cloud computing services in contemporary organizations / Victor Chang, Robert John Walters, and Gary Wills, editors. pages cm. Includes bibliographical references and index. ISBN 978-1-4666-8210-8 (hardcover) -- ISBN 978-1-4666-8211-5 (ebook). 1. Organizational change. 2. Information technology--Management. 3. Cloud computing. I. Chang, Victor, 1976- editor. II. Walters, Robert John, 1958- editor. III. Wills, Gary, 1962- editor. HD58.8.D443 2015 658’.0546782--dc23 2015003295
This book is published in the IGI Global book series Advances in Systems Analysis, Software Engineering, and High Performance Computing (ASASEHPC) (ISSN: 2327-3453; eISSN: 2327-3461).
British Cataloguing in Publication Data: A Cataloguing in Publication record for this book is available from the British Library.
All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.
For electronic access to this publication, please contact: [email protected].
409
Chapter 17
Management of Privacy and Security in Cloud Computing: Contractual Controls in Service Agreements
Deniz Tuncalp, Istanbul Technical University, Turkey
ABSTRACT
There are a number of risk domains that are relevant for information privacy and security in cloud-based scenarios and alternative deployment models, and these require the implementation of a number of controls. However, cloud service providers often take a one-size-fits-all approach and want all their customers to accept the same standardized contract, regardless of their particular information security and legal compliance needs. Taking the ISO 27001 Information Security Management standard as a guide, we have employed the Delphi method with a group of cloud computing experts from around the world who are subscribed to the “Cloud Computing” group on LinkedIn to identify the most applicable controls in a generic cloud service provider – customer context. Based on these results, we use a sample cloud computing customer service agreement as a case study to further discuss related contingencies. As a result, this chapter argues that a more balanced approach is needed in service contracts to ensure the maintenance of necessary service levels and the protection of cloud users.
DOI: 10.4018/978-1-4666-8210-8.ch017
Copyright © 2015, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION
The widespread diffusion of information and communication technologies (ICTs) has significantly altered the way people live and work. People spend a significant portion of their time on and around computers in their daily lives. Companies utilize ICTs to perform and support all their business processes. ICTs are critical for the performance of immediate operations and for the long-term survival of organizations. The worldwide diffusion of ICTs not only brings personal, social and commercial changes, but also carries new risks to contemporary society. Compared to the functioning of society in the pre-computer era, both personal and business uses of ICTs involve generating, storing, processing, and transferring much larger amounts of information. The development and expansion of ICTs, therefore, affects individuals’ right to information privacy. It is necessary to balance the societal benefits promised by new technology infrastructures and related business models with individuals’ rights to information privacy and organizations’ need for information security. Thus, an adequate level of information privacy and security control is essential to ensure public and commercial trust in online services. This is especially crucial for the success of new technologies when they are first launched for public use.
INFORMATION PRIVACY AND SECURITY
In this chapter, information security is discussed in the context of privacy protection, or general personal data protection. For the purpose of this study, personal data protection is used to mean personal information privacy protection, which includes the protection of data privacy and data security. Warren and Brandeis (1890) defined the right to privacy as the right “to be left alone”. Burgoon et al. (1989) distinguished four types of privacy violations: physical, interactional, psychological/informational, and impersonal. DeCew (1997) divided privacy into three dimensions: informational, accessibility and expressive privacy. More recently, Braman (2006) differentiated four aspects of privacy: spatial (home and body), communicative (mediated communication), relational (communication with professionals and spouse), and data (disclosure and/or use of personal information) privacy. In all these categorizations, information (data) privacy is a key dimension of privacy, which is defined by Westin (1967) as the amount of control that individuals can have over the type of information, and the extent of that information, revealed to others. In this study, the discussion of privacy is limited to information privacy, which is often referred to as personal data.
Regarding personal information, Smith, Milberg, and Burke (1996) identified four dimensions of concerns about organizational privacy practices: 1. Unauthorized secondary use of personal information, 2. Improper access to personal information (internal and external), 3. Collection of personal information, and 4. Errors in collected personal information. These dimensions indicate that information privacy practices cover data collection, data use, data disclosure, and data quality. The dimension of external improper access to personal information, and the other dimensions, also contain the component of data security (Chang & Ramachandran, 2014). The concept of information privacy emerged in the 1960s and 1970s, at about the same time as data protection (Bennett, 2002). Although debates on information privacy protection are not new, advances in ICT threaten individuals’ privacy more easily and pervasively than ever before because of the increased ability to collect, assemble, and distribute personal information, particularly on the Internet. Personal information privacy in the digital age has increased in salience and has been discussed in various fields, such as public policy, law, and Internet studies worldwide (e.g., Banisar & Davies, n.d.; Baumer, Earp, & Poindexter, 2004; Bennett, 2002; Buchanan, Paine, Joinson, & Reaps, 2007; Zwick, 1999). Information security is “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities” (International Organization for Standardization [ISO], 2005). ISO published the ISO 27001 standard in 2005 to provide guidance to organizations that want to manage their information security with a management system with explicit controls and policies. The ISO 27001 standard not only specifies a management system for information security, but also lists a set of applicable controls for the protection of relevant information assets in an organizational scope. Organizations are advised to define the scope of their information security risk management system, to make an inventory of their information assets, and to evaluate each asset against the set of controls in order to control the information security risks associated with each and every asset in their protection scope effectively. The list of controls in Annex A of the ISO 27001 standard constitutes an industry standard that covers a wide range of possible information security control categories addressing specific objectives. We used these control categories to identify applicable control categories in our study, in addition to those controls identified during our Delphi rounds:
• Control Category: Security Policy
◦◦ “Information Security Policy: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.” (ISO, 2005, p. 13)
• Control Category: Organization of Information Security
◦◦ “Internal Organization: To manage information security within the organization.” (ISO, 2005, p. 13)
◦◦ “External Parties: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.” (ISO, 2005, p. 14)
• Control Category: Asset Management
◦◦ “Responsibility for Assets: To achieve and maintain appropriate protection of organizational assets.” (ISO, 2005, p. 15)
◦◦ “Information Classification: To ensure that information receives an appropriate level of protection.” (ISO, 2005, p. 15)
• Control Category: Human Resources Security
◦◦ “Prior to Employment: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.” (ISO, 2005, p. 15)
◦◦ “During Employment: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.” (ISO, 2005, p. 16)
◦◦ “Termination or Change of Employment: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.” (ISO, 2005, p. 16)
• Control Category: Physical and Environmental Security
◦◦ “Secure Areas: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.” (ISO, 2005, p. 17)
◦◦ “Equipment Security: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.” (ISO, 2005, p. 17)
• Control Category: Communication and Operational Management
◦◦ “Operational Procedures and Responsibilities: To ensure the correct and secure operation of information processing facilities.” (ISO, 2005, p. 18)
◦◦ “Third Party Service Delivery Management: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.” (ISO, 2005, p. 18)
◦◦ “System Planning and Acceptance: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.” (ISO, 2005, p. 19)
◦◦ “Protection Against Malicious and Mobile Code: To protect the integrity of software and information.” (ISO, 2005, p. 19)
◦◦ “Back-Up: To maintain the integrity and availability of information and information processing facilities.” (ISO, 2005, p. 19)
◦◦ “Network Security Management: To ensure the protection of information in networks and the protection of the supporting infrastructure.” (ISO, 2005, p. 20)
◦◦ “Media Handling: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.” (ISO, 2005, p. 20)
◦◦ “Exchange of Information: To maintain the security of information and software exchanged within an organization and with any external entity.” (ISO, 2005, p. 20)
◦◦ “Electronic Commerce Services: To ensure the security of electronic commerce services, and their secure use.” (ISO, 2005, p. 21)
◦◦ “Monitoring: To detect unauthorized information processing activities.” (ISO, 2005, p. 21)
• Control Category: Access Control
◦◦ “Business Requirement for Access Control: To control access to information.” (ISO, 2005, p. 22)
◦◦ “User Access Management: To ensure authorized user access and to prevent unauthorized access to information systems.” (ISO, 2005, p. 22)
◦◦ “User Responsibilities: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.” (ISO, 2005, p. 22)
◦◦ “Network Access Control: To prevent unauthorized access to networked services.” (ISO, 2005, p. 23)
◦◦ “Operating System Access Control: To prevent unauthorized access to operating systems.” (ISO, 2005, p. 23)
◦◦ “Application and Information Access Control: To prevent unauthorized access to information held in application systems.” (ISO, 2005, p. 24)
◦◦ “Mobile Computing and Teleworking: To ensure information security when using mobile computing and teleworking facilities.” (ISO, 2005, p. 24)
• Control Category: Information Systems Acquisition, Development, and Maintenance
◦◦ “Security Requirements of Information Systems: To ensure that security is an integral part of information systems.” (ISO, 2005, p. 24)
◦◦ “Correct Processing in Applications: To prevent errors, loss, unauthorized modification or misuse of information in applications.” (ISO, 2005, p. 25)
◦◦ “Cryptographic Controls: To protect the confidentiality, authenticity or integrity of information by cryptographic means.” (ISO, 2005, pp. 13-28)
◦◦ “Security of System Files: To ensure the security of system files.” (ISO, 2005, p. 25)
◦◦ “Security in Development and Support Processes: To maintain the security of application system software and information.” (ISO, 2005, p. 26)
◦◦ “Technical Vulnerability Management: To reduce risks resulting from exploitation of published technical vulnerabilities.” (ISO, 2005, p. 26)
• Control Category: Incident Management
◦◦ “Reporting Information Security Events and Weaknesses: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.” (ISO, 2005, p. 26)
◦◦ “Management of Information Security Incidents and Improvements: To ensure a consistent and effective approach is applied to the management of information security incidents.” (ISO, 2005, p. 27)
• Control Category: Business Continuity Planning
◦◦ “Information Security Aspects of Business Continuity Management: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.” (ISO, 2005, p. 27)
• Control Category: Compliance
◦◦ “Compliance with Legal Requirements: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.” (ISO, 2005, p. 28)
◦◦ “Compliance with Security Policies and Standards, and Technical Compliance: To ensure compliance of systems with organizational security policies and standards.” (ISO, 2005, p. 28)
◦◦ “Information Systems Audit Considerations: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.” (ISO, 2005, p. 29)
• Control Category: Legal and Regulatory Disclosure
◦◦ “Lawfully mandated disclosure of information to legal and/or regulatory parties.” (Expert panel opinion in round 1 of the study)
• Control Category: Post Termination Assistance
◦◦ “Ensuring clear description of responsibilities in the transition of the relevant services either back to the customer systems or to the replacement provider.” (Expert panel opinion in round 1 of the study)
• Control Category: Privacy of Third Parties
◦◦ “Privacy of personal information and data related to third parties that are expressively authorized without any withdrawal to be processed on the systems.” (Expert panel opinion in round 1 of the study)
The control categories and objectives given above are the most crucial, because they come either from an internationally accepted information security best practice, the ISO 27001 standard, or from our worldwide panel of cloud-computing experts. We have supplemented the standard's list with three control categories identified specifically for cloud computing by our expert panel, whose members have diverse experience bases.
Cloud Computing
Cloud computing is an advanced technological model for hosting and sharing software and hardware over the Internet. In this way, different organizations may pool their IT resources via large-scale providers while virtually using logically separate resources. Therefore, they may scale upwards or downwards when required, without purchasing and setting up those resources physically on their premises (Voorsluys, Brober, & Buyya, 2011). The National Institute of Standards and Technology (NIST) of the United States defines cloud computing as a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Mell & Grance, 2011). Cloud infrastructures have measured and on-demand self-service capabilities that are available via network access for different client devices. They also have the advantage of pooling and sharing resources, with elastic provisioning for sudden increases in demand. Since the introduction of the cloud model, various service providers have offered a wide range of services. NIST defines three basic types of service models for cloud computing:
• Software as a Service (SaaS): The capability provided is to use the provider’s applications running on a cloud infrastructure. The customer has limited or no control, even over application configuration settings.
• Platform as a Service (PaaS): The capability provided is to deploy consumer-created or acquired applications onto the cloud infrastructure. The customer has control over the deployed applications and possibly over the application hosting environment configurations.
• Infrastructure as a Service (IaaS): The capability provided is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software of choice, which may include operating systems and applications. The customer has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components such as host firewalls.
In all these models, customers do not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage. In addition to these service models, NIST defines four types of cloud according to deployment: private, public, hybrid and community clouds, with different capabilities and requirements (Mell & Grance, 2009). Cloud computing has brought new sets of opportunities for businesses, governments, and consumers. Gartner Group, a well-known and influential global strategic information technology (IT) consulting company, has listed cloud computing as one of the top 10 issues that have the potential to reinvent and transform the IT industry (Pettey, 2011). Forrester Research, another famous IT consulting house, has estimated that the global cloud market will reach USD 241 billion by the year 2020 (Ried, Kisker, Matzke, Bartels, & Lisserman, 2011). However, cloud computing has also brought new risks and respective legal implications. These should be addressed effectively in service contracts to reap cloud benefits. Cloud computing may give rise to new and significant information privacy and security questions, due to its complex and distributed service model. For example, due to the nature of the service, client companies have limited control over the cloud infrastructure. This raises privacy and security concerns about business and customer data stored in the cloud (Voorsluys, Brober, & Buyya, 2011). There are business risks involved, and thus a comprehensive solution such as business intelligence as a service should be used to identify risk and return for the investors and stakeholders (Chang, 2014). Furthermore, this lack of control may lead to concerns about the integrity and availability of cloud services. Migration to the cloud is a significant, and potentially one-way, decision, as moving back to conventional IT structures may be very costly to implement once an organization is on the cloud. However, as strategic choices emerge, companies should be able to switch from one provider to another. As these examples illustrate, different roles and responsibilities exist in a cloud-computing scenario, and due to the novelty of the related business models, there are significant questions to be answered in service agreements. For example, in a typical cloud-computing scenario, which technical and legal rights does a service provider need, directly or indirectly, for accessing personal data, and what access rights should be granted to users? These are very relevant questions for data protection. In more complex business scenarios, the questions become even more complicated. For example, in a multinational scenario, what data protection issues might be relevant as companies start using foreign cloud providers, where different forms of data and their processing might be scattered over different countries and jurisdictions? Therefore, methods of addressing issues of information privacy and security in the corresponding service contracts are crucially important. While this chapter tries to identify the major risk items and respective controls for information privacy and security, it does not try to be an exhaustive and detailed analysis of all relevant risks and controls involved. Our target is to pinpoint the most significant of those risks and assess how they might be controlled with different clauses in a typical service provider contract.
For a detailed analysis of cloud computing risks and security issues, we recommend readers to visit Chang, Walters, and Wills (2014), Bisong and Rahman (2011), Onwubiko (2010), and Mather, Kumaraswamy and Latif (2009).
In the next section, we introduce our methodology. In the third section, we present the results of our first round, covering applicable controls for information privacy and security in the cloud environment. In the fourth section, we analyze a sample cloud-computing contract as the case study and discuss what alternative clauses need to cover for different security controls. In the last section, we conclude with a discussion of how information security, privacy and data protection issues can be addressed in cloud computing service contracts.
METHODOLOGY
In our study, we have employed the Delphi method with a group of cloud computing experts to understand their consensus on the most applicable information security controls for the cloud computing environment in a generic service provider – customer context. We have used the ISO 27001:2005 Information Security Management standard as a comprehensive guide to available information security controls and supplemented it with the initial views of the cloud computing experts participating in our panel. We considered seeking expert opinion and consensus with the Delphi method the most appropriate approach, as this is a new topical area in which the extant literature has not yet matured.
The Delphi Method
The Delphi method was first developed and applied in the 1950s by the RAND Corporation to address a specific military issue and forecast potential military needs of the United States Air Force (Dalkey & Helmer, 1951; Helmer, 1965). It sought future projections on the problem with the participation of a panel of experts in a series of face-to-face group meetings and rounds of surveys with a feedback process (Linstone & Turoff, 1975). The validity and reliability of the Delphi Method depend heavily on the selection of the expert panel. In this method, panel participants are selected using reputational sampling, which does not seek a representative sample but looks for highly experienced practitioners based on their reputation. Tashakkori and Teddlie (2008) describe reputational sampling as a method of purposive sampling, where sampling is made “to achieve comparability across different types of cases on a dimension of interest” (p. 175). The method assumes that a small group of participants with a high level of expertise is more desirable than a large group of ordinary participants (e.g., random survey takers), and thus that the former is more capable of understanding and discussing a problem and reaching consensus. While this type of sampling may create some generalization problems (Tashakkori & Teddlie, 2008), the validity and reliability of the results are built into the Delphi process and the collection of reliable data from experienced professionals (Dalkey & Helmer, 1951; Helmer, 1965; Linstone & Turoff, 1975; Scheibe, Skutsch, & Schofer, 1975). As Gray et al. (2007) noted, reputational sampling “will not produce a broadly representative sample” (p. 117) but will be an invaluable tool for “gaining access to informed and experienced people who may provide in-depth information available nowhere else” (p. 118). Landeta (2006) further discussed the general validity of the Delphi Method and noted that it “can be adapted to different social realities and requirements, making a positive contribution to social progress provided it is applied with the necessary methodological rigour” (p. 472). He considered that contacting the panel of experts during the Delphi process is very enlightening, and that methodologically it is widely accepted in the scientific community. He reports that the use of the Delphi Method in research has increased in the last 30 years, with very significant proliferation after 2000-2005. A brief search of literature databases also reveals that the trend has continued in the last 10 years.
Mitroff and Turoff (1975) describe the philosophical foundations of the Delphi Method as a constructed truth achieved by a group of experienced practitioners, as they suggest there is no absolute truth (Popper, 1963). Mitroff and Turoff (1975) suggest that truth is experiential and is entirely associated with the empirical content of communication. According to this perspective, truth is dependent on our ability to reduce complex propositions down to simple empirical referents (i.e., simple observations) and to ensure their validity by means of the widespread, freely obtained agreement between different human observers (Mitroff & Turoff, 1975, p. 45). In order to achieve this, we selected the experts on our panel using the procedures outlined in Linstone and Turoff (1975). They note that panels can be of any size, but recommend a small, experienced and diverse panel for most research. In the original Delphi method, the objective is to develop forecasts and future projections on the topic of interest. Expert panel members meet directly in a conventional meeting setup. However, forecasts and future projections may not be created as the outcome of an expert panel consensus. A face-to-face meeting format may also create some social pressure for reaching a premature agreement, or may create extended contestation due to group dynamics. Physically bringing people together is also costly and makes it impossible to cover a globally diverse team of experts. Due to its historical nature, novel communication capabilities are also not utilized in the regular Delphi process. In order to solve these problems and to tap the potentials mentioned, we modified the Delphi method in this research.
Modifications in the Delphi Method
The modified Delphi Method emerged during the 1970s and 1980s to enhance consensus building on a particular research question (Custer, Scarcella, & Stewart, 1999). Turoff (1975) suggests that modifications to the Delphi Method can be made depending on the specific research project. For example, he generated “the Policy Delphi” version, aiming to generate opposing opinions rather than consensus.
In our version of the modified Delphi method, we have deviated from the original Delphi Method by:
• Seeking consensus rather than forecasts and future projections,
• Introducing solely online and process-mediated interaction with informant anonymity among experts, and
• Employing technology through online surveys and email notifications.
Avoiding face-to-face interaction among the panel members and enabling their anonymity helps us collect the opinions of panel members in a neutral environment, encouraging free expression and avoiding group pressures. Face-to-face interactions in a Delphi panel have been reported to create problems in collecting alternative views due to group dynamics, personality differences and even the use of body language (Adler & Ziglio, 1996). Since participants face every comment and statement of every member, it may also limit idea generation. Face-to-face group meetings also create logistics problems and limit the diversity of the expert panel involved. The above modifications helped us avoid such problems and maximize expert panel diversity and cumulative experience. In our modified version of the Delphi method, experts’ opinions are collected with an open-ended survey at the first stage, without any initial face-to-face, in-depth discussion. Over a number of rounds, opinions are combined, organized and predicted to extract valid factors consistently. As more people participate in the process, the wisdom of larger groups is expected to supplement missing knowledge more objectively, which is called quantitative objectivity (Gaukroger, 2012). In this method, experts participate in a survey to express their opinions without any restriction. These views are then organized as representative views and shown back to the participating experts. They are then asked to reconsider their earlier judgment. These rounds continue until the opinions converge to an acceptable degree, usually in two to five rounds (Linstone & Turoff, 1975).
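The rate, feed-back-central-tendencies, re-rate loop described in this section can be made concrete with a small aggregation script. The following is an added illustration, not the study's own tooling or data: the 5-point Likert ratings for three of the chapter's control categories are constructed for a hypothetical 10-member panel, and the stopping rule (at least 80% of the panel within one point of the median, and a mean shift of at most half a scale point between rounds) is an assumption, since the chapter states no numeric convergence threshold.

```python
"""Modified Delphi round processing: aggregate Likert ratings per control,
produce the mean/median/mode fed back to the panel, and check convergence.
Added example with constructed data; not the study's own ratings or code."""
from statistics import mean, median, multimode

SCALE = (1, 5)  # 5-point Likert scale, as used in the chapter's rating rounds


def validate(ratings):
    """Reject empty returns and values outside the scale before aggregating."""
    if not ratings:
        raise ValueError("no ratings returned for this control")
    bad = [r for r in ratings if not isinstance(r, int) or not SCALE[0] <= r <= SCALE[1]]
    if bad:
        raise ValueError(f"ratings outside the {SCALE} scale: {bad}")
    return list(ratings)


def central_tendency(ratings):
    """Mean, median and mode of one control's ratings (the values fed back to the panel)."""
    r = validate(ratings)
    return {"mean": round(mean(r), 2), "median": median(r), "mode": multimode(r)}


def consensus(ratings, band=1):
    """Assumed consensus measure: share of the panel within +/-band points of the median."""
    r = validate(ratings)
    med = median(r)
    return sum(1 for x in r if abs(x - med) <= band) / len(r)


def converged(prev, curr, min_consensus=0.8, max_shift=0.5):
    """Assumed stopping rule: high consensus in the current round and little
    movement of the mean since the previous round (stability)."""
    shift = abs(mean(validate(curr)) - mean(validate(prev)))
    return consensus(curr) >= min_consensus and shift <= max_shift


def delphi_report(rounds):
    """rounds: {control: (round2_ratings, round3_ratings)} -> per-control summary."""
    report = {}
    for control, (r2, r3) in rounds.items():
        report[control] = {
            "round2": central_tendency(r2),
            "round3": central_tendency(r3),
            "consensus_round3": round(consensus(r3), 2),
            "converged": converged(r2, r3),
        }
    return report


# Constructed ratings (hypothetical 10-member panel) for three control
# categories named in the chapter. Round 2 = initial rating, round 3 = re-rating.
ROUNDS = {
    "Cryptographic Controls": ([5, 4, 5, 5, 3, 4, 5, 5, 4, 5],
                               [5, 5, 5, 5, 4, 4, 5, 5, 5, 5]),
    "Back-Up": ([4, 3, 5, 4, 4, 2, 5, 4, 3, 4],
                [4, 4, 4, 4, 4, 3, 5, 4, 4, 4]),
    # Split opinion that does not move between rounds: not converged.
    "Legal and Regulatory Disclosure": ([1, 5, 2, 4, 5, 1, 3, 5, 2, 4],
                                        [2, 5, 2, 4, 5, 1, 3, 5, 2, 4]),
}

if __name__ == "__main__":
    for control, row in delphi_report(ROUNDS).items():
        print(f"{control}: {row}")
```

Controls that have not converged would be carried into a further round, which is how the "two to five rounds" range in the text arises in practice.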
Our Delphi Method Implementation
Since we wanted to identify relevant information security controls for cloud computing, using reputational sampling as the basis for panel selection, we selected 30 cloud computing experts subscribed to the “Cloud Computing” group on LinkedIn, which has more than 250,000 expert members worldwide. We first randomly selected a group of experts, prescreened their level of expertise on cloud computing from their LinkedIn profiles, and contacted them individually to describe the study, asking whether they would identify themselves as cloud experts, whether they were currently working for a client company rather than a cloud provider, and whether they accepted to participate in this study. Screening continued until we reached 30 participants across the world who identified themselves as cloud experts working in client companies other than cloud providers. We purposefully avoided including cloud providers in our study, to avoid potential provider bias towards security measures for protecting the security and privacy of cloud users. While sampling, we also employed a stratified sampling strategy according to geographical regions of the world and selected 10 from each of the following three geographical areas to ensure diversity: North America, Europe and elsewhere. Our resulting panel members represent a large variety of experience bases, from cloud service planning to vendor selection, and from cloud operation to cloud service transfer. The majority of our panel (96.7%) had more than five years of experience in information technology departments. Almost half of the members of this group (46.7%) had more than ten years of experience. 83.3% of our panel members were male, and almost 87% of the members were in their 30s. Half of our panel worked in a managerial position in an IT department, whereas the other half were team members. The demographic figures of our panel members are given in Table 1.
Management of Privacy and Security in Cloud Computing
Table 1. Expert panel demographics

Age       n     %        Experience     n     %
20s       1     3.3      0-5 years      1     3.3
30s      26    86.6      5-10 years    15    50.0
40s       3    10.0      10+ years     14    46.7
Total    30   100%       Total         30   100%

Gender    n     %        Role           n     %
Male     25    83.3      Manager       15    50.0
Female    5    16.7      Member        15    50.0
Total    30   100%       Total         30   100%
Through the collection of expert opinions with an open-ended survey in the first round, the consolidation of the collected statements, and subsequent rounds of Likert-scale questionnaires, we systematically sought the consensus of the experienced practitioners on our panel concerning information security management in cloud computing. We performed the Delphi process in three rounds and contacted the expert panel three times, asking separate questions in each round and seeking consensus without bringing the members together in a meeting room:

1. In the first round, we asked panel members to generate their opinions freely with a brief open-ended questionnaire asking what was important in terms of information security and privacy in cloud computing. In order not to limit or direct their comments, we did not present the ISO 27001 control items at this stage. The information security issues and controls suggested by each panel member were then organized and sorted, eliminating repeated items. While processing and organizing the panel's opinions, we started using the ISO 27001 standard to prepare the second round, mapping the panel's ideas to the control categories of the standard.

2. In the second round, the panel members were provided with the grouped security controls for cloud computing together with all the other control categories listed in the ISO 27001 standard. We delisted only the "security policy" and "organization of information security" control categories, because of their general and encompassing nature. Panel members were then asked to rate the importance of each category on a 5-point Likert scale. When the questionnaires were returned, we calculated the mean, median and mode for each security control and presented these values back to the panel members for consideration in the next round.

3. In the third round, we asked the panel members to re-rate the importance of each factor on the same scale. Our aim was to increase consensus among the panel members by reporting the central tendency values of the entire panel and giving them an opportunity to revise their earlier judgments.

Our Delphi procedure is summarized in Table 2. The Delphi surveys, namely Round-0: Screening (see Table 7), Round-1: Opinion Gathering (see Table 8), Round-2: Initial Rating (see Table 9) and Round-3: Re-rating (see Table 10), are given in the Appendix. The dedication and engagement of the experts are critical to the results of any Delphi study. Since we had removed the time and distance barriers by avoiding face-to-face meetings and using online anonymous interaction, the panel members stayed engaged through the three rounds. Since we had asked every panel member to commit to the entire Delphi process of approximately three rounds, there was no change in the participant sample throughout the study.

Table 2. Our Delphi procedure

Panel Formation: Select a panel of 30 experts, 10 from each of three areas: North America, Europe and elsewhere.

Round 1 (3 weeks):
• Collect opinions on the information security controls that are necessary for cloud computing from each panel participant.
• Sort and organize the derived controls, removing repeated controls/issues.
• Design the questionnaire for Round 2.

Round 2 (3 weeks):
• Ask panel members to assess the cloud information security controls on a 5-point Likert scale.
• ISO 27001 controls are presented together with the panel opinions generated in the previous round.

Round 3 (2 weeks):
• Ask panel members to re-rate the importance of each security control identified.
• Mean, median and mode values for each control are presented back.
• Verify the level of agreement between panel members.

Based on our results from the modified Delphi method, we used the customer service agreement of one cloud service provider as a case study, to discuss the related contingencies further from a data protection perspective. Alternative clauses are designed on the basis of the issues detected, to provide guidance to cloud customers with different information security needs.
RESULTS

Since the central aim of the Delphi method is to seek consensus, descriptive statistics, namely central tendency measures (mean, median and mode) and dispersion measures (standard deviation and interquartile range), were used to report the collective judgments and the level of consensus of the expert panel. In the first stage of our Delphi study, the factors suggested by the experts were grouped into categories. In the second stage, we prepared a questionnaire that combined the results of the first stage with all of the control categories of the ISO 27001 standard. We presented all these categories with their descriptions and asked the panel to rate each of them on a 5-point Likert scale. At this stage we calculated the mean, median, mode, standard deviation and interquartile range for each item (see Table 3).

The results of the second round show significant agreement on the importance of most of the controls; the highest level of agreement is on "Post Termination Assistance", with IQR = 0.00. The greatest discrepancy among the panel was on "Human Resources Security" and "Communication and Operational Management" in the cloud context: their standard deviations are above 1, showing a significant level of divergence among the panel members. The other controls reached a relatively satisfactory level of consensus about their importance in the second round. Although there was already some consensus on many items, we presented every item again in the third round, to double-check the level of consensus and to give the panel members an opportunity to reflect and possibly change their views. In the third stage, the same questionnaire was used, together with the calculated results, and the panel was asked to reconsider the assessments they had made in the previous round. The aim was to help panel members think about their earlier ratings again and reflect on the other members' responses, so that the assessments would converge. As intended, the standard deviation for almost every item dropped and the ordering of some items changed marginally. While the change in ordering was not significant, the convergence achieved shows that the panel experts reconsidered and revised their earlier responses. The results of this round are presented in Table 4.
Table 3. Information security control categories after Delphi round 2

Category                          Mean   Median   Mode   SD      IQR
Data Protection and Privacy       4.53   5        5      0.629   1
Information Leakage               4.27   4        5      0.785   1
Legal and Regulatory Disclosure   4.13   4        4      0.819   1
Post Termination Assistance       3.93   4        4      0.828   0
Access Control                    3.63   4        4      0.890   1
Audit Logging                     3.47   4        4      0.629   1
Privacy of Third Parties          3.33   3        3      0.661   1
Comm. & Oper. Management          2.73   3        3      1.258   1.75
Business Continuity Planning      2.67   3        2      0.959   1
Human Resources Security          2.07   2        1      1.172   2
Physical & Env. Security          1.80   2        2      0.714   1
IS Acq., Dev. & Maintenance       1.73   2        1      0.868   1
Asset Management                  1.43   1        1      0.626   1

Scale: 1 = strongly disagree, 5 = strongly agree. SD = standard deviation; IQR = interquartile range.
Table 4. Information security control categories after Delphi round 3

Category                          Mean   Median   Mode   SD      IQR
Data Protection and Privacy       4.63   5        5      0.490   1
Information Leakage               4.37   4        4      0.490   1
Post Termination Assistance       4.10   4        4      0.481   0
Legal and Regulatory Disclosure   4.07   4        4      0.450   0
Access Control                    3.63   4        4      0.615   1
Audit Logging                     3.33   3        3      0.479   1
Privacy of Third Parties          3.30   3        3      0.651   1
Comm. & Oper. Management          2.57   2        2      0.774   1
Business Continuity Planning      2.47   2        2      0.681   1
Human Resources Security          1.87   2        2      0.681   1
Physical & Env. Security          1.77   2        2      0.626   1
IS Acq., Dev. & Maintenance       1.53   2        2      0.507   1
Asset Management                  1.37   1        1      0.556   1

Scale: 1 = strongly disagree, 5 = strongly agree. SD = standard deviation; IQR = interquartile range.

In the third round, all IQR values dropped to 1 or below, showing a sufficient level of consensus on the importance of the control categories for the security of cloud computing. The highest level of agreement, on post termination assistance, remained, and legal and regulatory disclosure also reached the highest consensus level with IQR = 0, compared to the other control categories. All standard deviations, regardless of the mean importance scores, also dropped below 1. Seven control categories received a mean score higher than 3 in terms of their importance to cloud computing: "Data Protection and Privacy", "Information Leakage", "Post Termination Assistance", "Legal and Regulatory Disclosure", "Access Control", "Audit Logging" and "Privacy of Third Parties". Their median and mode values are also 3 or higher, and five of these seven items have a standard deviation below 0.5, showing strong consensus among the panel members.

Parametric tests such as the t-test are not appropriate for Delphi studies using Likert items, because such tests assume continuous (interval-scale) data whereas Likert ratings are ordinal. Therefore, in addition to descriptive statistics, non-parametric tests may be employed. The most common of these in Delphi studies are the Friedman test, for changes in scores across rounds, and the Mann-Whitney U test, for differences between sets of desirability scores. Since we reached a satisfactory level of consensus on almost all items, we chose to analyze the significance of the differences between the scores of the control categories after Round 3 using the Mann-Whitney U test.
The Mann-Whitney test is a non-parametric test that compares two groups without assuming a normal distribution. The test statistic U is computed from the ranks of the pooled observations; for small samples its distribution under the null hypothesis is known and tabulated, and for larger samples such as ours (two groups of 30 ratings) it is converted to a z-score using the normal approximation. We used the Mann-Whitney U test to compare the desirability scores of each control category with those of the category with the adjacent mean score, to see whether the differences are significant. For example, we compared "Data Protection and Privacy" with "Information Leakage", "Information Leakage" with "Post Termination Assistance", and so on. The z-scores, p-values, significance results and U-values are shown in Table 5. The z-scores in the table are obtained from the U-values as (|U − 450| − 0.5) / √(30 · 30 · 61 / 12) = (|U − 450| − 0.5) / 67.64, that is, the continuity-corrected normal approximation without tie correction, reported as magnitudes, and the p-values are the corresponding one-tailed tail probabilities. With 30 ratings per group the approximation is adequate, so the results can be used; note that Likert ratings produce many tied ranks, and a tie-corrected approximation would give somewhat larger z-scores, so the values reported here are the conservative ones. According to the Mann-Whitney U test results, the differences in scores between the following control categories are not significant:

• "Post Termination Assistance" and "Legal and Regulatory Disclosure",
• "Audit Logging" and "Privacy of Third Parties",
• "Communications & Operational Management" and "Business Continuity Planning",
• "Human Resources Security", "Physical and Environmental Security", "Information Systems Acquisition, Development and Maintenance" and "Asset Management".

Table 5. Differences between adjacent control categories (each row compares the category with the category in the next row; Asset Management has no successor)

Category                          Z-Score   p-Value   Significance at p ≤ 0.05   U-Value
Data Protection and Privacy       1.7667    0.03836   significant                330
Information Leakage               1.8259    0.03362   significant                326
Post Termination Assistance       0.1996    0.42074   not significant            436
Legal and Regulatory Disclosure   2.5207    0.00587   significant                279
Access Control                    1.6928    0.04551   significant                335
Audit Logging                     0.0074    0.49601   not significant            450
Privacy of Third Parties          3.3413    0.00042   significant                223.5
Comm. & Oper. Management          0.3844    0.35197   not significant            423.5
Business Continuity Planning      2.7869    0.00264   significant                261
Human Resources Security          0.4879    0.31207   not significant            416.5
Physical & Env. Security          1.2345    0.10935   not significant            366
IS Acq., Dev. & Maintenance       1.2049    0.11507   not significant            368
Asset Management                  -         -         -                          -
Our cut-off point, where the mean, median and mode scores drop below 3 on the 5-point Likert scale, namely the difference between the "Privacy of Third Parties" and "Communication and Operational Management" categories, was found to be significant. Using these results, we drew a hierarchy of the relevant control categories for cloud computing at 7 levels, placing adjacent categories on the same level when the difference between their scores was not significant and on separate levels when it was (see Figure 1).
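The following Python script is an added worked example, not code from the chapter or its authors. It shows how the numbers behind Tables 3 to 5 and the hierarchy of Figure 1 are obtained: the descriptive consensus statistics for one Likert item, the Mann-Whitney U of two adjacent categories computed from ranks, its conversion to a continuity-corrected z-score and one-tailed p-value, and the grouping of adjacent categories into levels wherever the difference is significant. The two rating vectors are constructed (19 fives and 11 fours, then 11 fives and 19 fours); they are not the panel's responses, although they happen to reproduce the round-3 rows for "Data Protection and Privacy" and "Information Leakage" in Table 4 and the U-value of 330 in Table 5. The U-values in TABLE5_U are copied from Table 5.

```python
"""Consensus statistics for a Likert-scale Delphi round, the Mann-Whitney U
comparison of adjacent control categories, and the grouping of categories
into hierarchy levels.  Added example: the rating vectors are constructed,
not the chapter's raw panel data."""
import math
import statistics
from collections import Counter

# Constructed 5-point Likert ratings for two adjacent categories (n = 30
# each).  NOT the panel's actual responses.
DATA_PROTECTION = [5] * 19 + [4] * 11
INFORMATION_LEAKAGE = [5] * 11 + [4] * 19


def describe(ratings):
    """Mean, median, mode, sample SD and IQR, as reported in Tables 3 and 4."""
    q1, _, q3 = statistics.quantiles(ratings, n=4)  # exclusive quartiles
    return {
        "mean": round(statistics.mean(ratings), 2),
        "median": statistics.median(ratings),
        "mode": statistics.mode(ratings),
        "sd": round(statistics.stdev(ratings), 3),
        "iqr": q3 - q1,
    }


def _ranks(values):
    """1-based ranks of a pooled sample; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j + 2) / 2.0
        i = j + 1
    return ranks


def mann_whitney_u(a, b):
    """The smaller of the two U statistics for samples a and b."""
    ranks = _ranks(list(a) + list(b))
    u_a = sum(ranks[: len(a)]) - len(a) * (len(a) + 1) / 2.0
    return min(u_a, len(a) * len(b) - u_a)


def u_to_z_p(u, n1, n2, pooled=None):
    """Normal approximation for U with continuity correction.

    With pooled=None the variance is n1*n2*(N+1)/12, which is exactly what
    turns the U-values of Table 5 into its z-scores.  Passing the pooled
    sample applies the tie correction, which shrinks the variance and so
    raises |z| for heavily tied Likert data.  Returns (z, p one-tailed,
    p two-tailed).
    """
    n = n1 + n2
    tie_term = 0.0
    if pooled is not None:
        tie_term = sum(t ** 3 - t for t in Counter(pooled).values()) / (n * (n - 1))
    var = n1 * n2 / 12.0 * ((n + 1) - tie_term)
    z = max(abs(u - n1 * n2 / 2.0) - 0.5, 0.0) / math.sqrt(var)
    p_two = math.erfc(z / math.sqrt(2))
    return z, p_two / 2.0, p_two


# U-values copied from Table 5, in descending order of round-3 mean score.
# Each entry compares the category with the next one in the list.
TABLE5_U = [
    ("Data Protection and Privacy", 330),
    ("Information Leakage", 326),
    ("Post Termination Assistance", 436),
    ("Legal and Regulatory Disclosure", 279),
    ("Access Control", 335),
    ("Audit Logging", 450),
    ("Privacy of Third Parties", 223.5),
    ("Comm. & Oper. Management", 423.5),
    ("Business Continuity Planning", 261),
    ("Human Resources Security", 416.5),
    ("Physical & Env. Security", 366),
    ("IS Acq., Dev. & Maintenance", 368),
    ("Asset Management", None),  # last category, nothing to compare with
]


def hierarchy(table, n=30, alpha=0.05):
    """Group adjacent categories into levels: a new level starts wherever the
    one-tailed Mann-Whitney p-value for the adjacent pair is <= alpha."""
    levels = [[table[0][0]]]
    for (_, u), (next_name, _) in zip(table, table[1:]):
        _, p_one, _ = u_to_z_p(u, n, n)
        if p_one <= alpha:
            levels.append([next_name])
        else:
            levels[-1].append(next_name)
    return levels


if __name__ == "__main__":
    print(describe(DATA_PROTECTION))
    u = mann_whitney_u(DATA_PROTECTION, INFORMATION_LEAKAGE)
    print("U =", u, "(z, p1, p2) =", u_to_z_p(u, 30, 30))
    for level_no, level in enumerate(hierarchy(TABLE5_U), 1):
        print(level_no, level)
```

Running the script prints the descriptive statistics of the first constructed item, U = 330 with z ≈ 1.767 and one-tailed p ≈ 0.039 (the first row of Table 5), and the seven levels of Figure 1. Passing the pooled ratings to u_to_z_p applies the tie correction, which gives a larger z (about 2.04 for these data), so the uncorrected values in the chapter are the conservative choice; the one-tailed p-values are doubled if a two-sided hypothesis is intended.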
Based on these results, in the next section we analyze a cloud service contract and discuss the issues that need to be included in its clauses in the light of the Delphi study.
SECURITY AND PRIVACY CLAUSES OF A CLOUD COMPUTING CONTRACT

In this section, we analyze and discuss a cloud computing service contract and propose alternative clauses that address the current state and potential alternatives for each of the identified control categories. We used the results of our Delphi study as the focus area to identify which clauses are currently available and which alternative clauses might be applicable for information security and privacy in cloud computing.
Figure 1. Hierarchy of control categories for cloud computing
Disclaiming Data Protection Responsibility

The sample cloud computing service contract we analyzed is written primarily to protect the service provider. It actively disclaims any responsibility for information security and privacy at multiple points in the contract, suggesting that security breaches of sensitive data and applications are an almost natural part of the Internet. Instead of taking responsibility and outlining the security controls implemented on the service provider's side, it takes a consultative tone and suggests security controls to the customer, such as using encryption, routinely archiving data and applying the latest security patches or updates. The service provider also declares that it is not responsible for any unauthorized access or use, corruption, deletion, destruction or loss of applications or data. Beyond the security clause described above, it also disclaims further potential responsibilities in a separate clause, in which the service provider disclaims warranties of any kind about the cloud service, including merchantability, satisfactory quality, fitness for a particular purpose, non-infringement and any trade-related warranties. The service provider gives no warranty about the service offerings: it does not promise that the service will function as described, run without interruption or operate in an error-free manner, nor does it give any assurance that the service components or data are protected and secure. As cloud customers entrust all their data and applications to cloud providers, we believe that disclaiming any responsibility for data privacy, security and integrity is a very strong contractual statement.
Disclosure to Government, Legal, and Regulatory Authorities

Potential disclosure and the related notices to the customer are mentioned only once in the service contract, in a passing reference. The service provider takes no responsibility for notifying the customer of legal or regulatory demands, even when this would be possible. Therefore, regardless of the jurisdiction of the customer, of the service provider or of the physical location of the cloud infrastructure, legal disclosure is preserved as a right for all regulatory authorities, without even a notice to the owner of the data and/or application.
Data Preservation in the Event of Suspension or Termination

In the contract, the service provider lists several conditions under which it can suspend or terminate the service unilaterally. The clause also describes the resulting consequences for the private data and applications of the cloud customer. According to this term, the service provider will not erase any customer data during a suspension of the customer (for instance, because of payment settlement problems), whereas in a termination event the data and applications are preserved for 30 days after the effective date of termination. Customers can retrieve their data only if they pay all charges incurred for the period following termination of the agreement and comply with any terms and conditions the service provider may establish for such data retrieval. This clause is clearly arbitrary and one-sided, as the terms and conditions that the service provider may impose for the post-termination period are neither defined nor described in the contract. Beyond these conditions, the service provider also disclaims any obligation regarding data storage and protection, or to allow the customer to retrieve its data.
Post Termination Assistance

According to the service contract, the service provider does not accept liability for comprehensive post-termination assistance; it only promises that it "may elect to make that available". Considering how tightly the customer is tied to the cloud provider for the duration of the service, this too is a highly one-sided and arbitrary statement. The service provider gives no promises and actively denies any obligation to provide post-suspension or post-termination assistance. Such services, if the service provider offers them at all, whether generally or specifically to a particular customer, are subject to fees and conditions that are unspecified at the time the cloud service contract is accepted.
Privacy of Third Parties

The privacy of third parties is mentioned in only two passing references in the contract. The first concerns limiting potential spam from one customer to other customers, business partners and so on, whose information may be collected from the service provider's sites and services and should not be disclosed on the service provider's properties. This clause clearly aims to protect third parties from the service provider's perspective: it does not cover every third party and does not limit the service provider's own actions, but only imposes controls on the customer. A symmetric clause prohibiting the service provider from using third-party data entrusted to the cloud systems by the customer does not exist. The second reference appears in the list of the customer's responsibilities for its application: the service provider holds the customer responsible for providing a privacy policy or an explanation of how third-party data is handled and used in the customer's own application. The clause makes no reference to the service provider's own privacy policy.
Overall Assessment

In an overall assessment of the cloud service contract, three of the seven control categories identified in our Delphi study are not mentioned at all: "Information Leakage", "Access Control" and "Audit Logging". This is a major deficiency from the cloud customer's perspective; the rights and responsibilities of both parties in such cases need to be described. However, since the other issues are treated in a very unbalanced way, the contract's silence on these three may even work in the customer's favour, because the control categories that are mentioned are handled in a one-sided, unbalanced manner. For example, the "Data Protection and Privacy" clauses give the cloud user no assurance or warranty of any kind of suitable performance. "Post Termination Assistance" is not provided as a proper service; it is only promised as an arbitrary, conditional service that may be offered in the future, without any specific terms and conditions today. The service provider also declares its right to disclose customer data to the legal and regulatory bodies in its jurisdiction, but gives no promise to notify the owners of the data of such disclosure. Similarly, only the privacy of third parties that are in a relationship with the service provider is mentioned, and customers are required to provide a privacy policy to their own customers, while the service provider's own privacy policy is not mentioned (see Figure 2). Since customer contracts need to define and regulate the rights and responsibilities of the respective parties, a more balanced approach is needed. In the next section, we describe alternative ways of addressing a number of control categories in cloud service contracts.
Figure 2. Sample cloud contract - security controls assessment

DISCUSSION

Based on the analysis above, this chapter argues that reasonable controls and provisions need to be included to protect the privacy and security of the information assets that the customer places on the cloud. Contracts should specify how the service provider safeguards the data stored and the applications hosted on the cloud, including the applications' proper functioning. If the service provider promises to keep the customer's data logically separate from other data, this should be stated and defined in the contract. Based on the analysis in the previous section, we have mapped how the security controls selected in our Delphi study may be placed in a cloud service contract (see Table 6). Accordingly, we propose placing the respective security controls in the "Data Security and Protection", "Legal and Regulatory Disclosure" and "Post Termination Assistance" sections of a service contract. In this section, we describe potential clauses to address those controls.

Table 6. Mapping of security controls and contract sections

Audit Logging (ISO 27001 section 10.10.1); contract issue: Data Security and Protection
    Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Access Control (ISO 27001 section 11); contract issue: Data Security and Protection
    Access to information, information processing facilities, and business processes should be controlled on the basis of business and security requirements.

Data Protection and Privacy (ISO 27001 section 15.1.4); contract issue: Data Security and Protection
    Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

Information Leakage (ISO 27001 section 12.5.4); contract issue: Data Security and Protection
    Opportunities for information leakage should be prevented.

Legal and Regulatory Disclosure (no ISO 27001 section); contract issue: Legal and Regulatory Disclosure
    Lawfully mandated disclosure of information to legal and/or regulatory parties.

Post Termination Assistance (no ISO 27001 section); contract issue: Post Termination Assistance
    Ensuring a clear description of responsibilities in the transition of the relevant services either back to the customer's systems or to the replacement provider.

Privacy of Third Parties (no ISO 27001 section); contract issue: Data Security and Protection
    Privacy of personal information and data related to third parties that are expressly authorized, without any withdrawal, to be processed on the systems.

Auditing rights in the customer agreement should be reviewed to confirm that they are sufficient to cover the customer's regulatory compliance needs. Especially for customers with extensive auditing needs, this could be a major source of disagreement with the service provider. Unlike traditional IT outsourcing contracts, cloud computing providers are not expected to grant audit rights to their customers easily, because of the potential disruption and resource requirements created by such audits (Ryan & Loeffler, 2010; Erdman & Stark, 2010). Ryan and Loeffler (2010) suggest that customers in specific industries with higher data protection requirements may also need industry-standard certifications to confirm the adequacy of the provider's internal controls. They may also be required to insist on the ability of regulators to conduct audits, if a regulator so requires (Erdman & Stark, 2010).

Like any service provider, cloud providers often reject liability for the actions of third parties, particularly for security breaches or service interruptions. However, some form of protection or indemnification is required in the case of a security breach or a similar event in which the customer incurs damages. Customers should not allow the new cloud paradigm to act as a vehicle for shifting the balance of responsibilities in a subcontracting relationship (Erdman & Stark, 2010). The contract should also define the process by which the service provider notifies the customer if the provider suffers an information security breach.

In a multinational cloud computing scenario, which jurisdiction's law governs the contract? What other jurisdictions may influence the contractual relationship? What are the legal and regulatory compliance issues, and what are their implications in the cloud? Selection of the relevant jurisdiction is critical in multi-country scenarios. Cloud computing infrastructures often reside on servers in multiple countries, storing data and applications belonging to customers in various jurisdictions and managed by a service provider in yet another jurisdiction. In some cases, law enforcement or other government actors in these jurisdictions may seek to assert jurisdiction and demand data disclosure from a cloud provider (Gellman, 2009). The problem becomes even more complicated when these jurisdictions have different laws and regulations regarding privacy and data retention. When these rules conflict, a cloud provider's compliance with a lawful demand for user data in one jurisdiction may create a risk of violating the laws of another jurisdiction (Microsoft, 2010).

Compliance requirements may differ significantly depending on the industry of the customer organization. For instance, in the United States the Gramm-Leach-Bliley Act regulates the privacy and information security practices of financial institutions, whereas the Health Insurance Portability and Accountability Act (HIPAA) addresses regulatory requirements for protecting health information (Ryan & Loeffler, 2010). Furthermore, if a customer processes payment cards on the cloud systems, it may be contractually bound to comply with the Payment Card Industry Data Security Standard (PCI DSS). In such cases, the customer needs to ensure that its service providers, including the cloud provider, are PCI DSS compliant. Such issues therefore directly influence the contractual requirements that should be imposed on the cloud service provider. In a multinational data processing scenario, the applicable legal framework will most probably be determined by the principle of territoriality: the national provisions of the state on whose territory the processing is carried out apply.
However, cloud computing potentially involves worldwide transfers of data processing that may not be traceable. In a dispute, there is a risk of forum shopping to find a favourable legal environment.

Another major question in the cloud computing environment is what rights and responsibilities the parties have when a cloud computing provider is engaged, replaced or terminated. Considering the criticality of the services assumed by the cloud infrastructure, the assistance that the provider gives during the initiation, termination and transfer processes is a major issue to be clarified. Rules and agreements should be introduced on how the provider returns all existing data to the customer (transmission, media, format, timing, cost, etc.) and destroys any leftover customer data on its systems when a service is replaced or terminated. In the event of termination by either party, there should be an obligation to assist with the migration of services and data during the transition period. Migration of the services is even more crucial where the service is business-critical; otherwise the customer may become a hostage of the service provider. The post-termination assistance relevant to the cloud computing customer needs to be defined in the contract. For a detailed discussion of the respective cloud computing clauses, see Erdman and Stark (2010).

A limitation of this study is generalizability. As our results are based on a Delphi study, they cannot be generalized to all cloud computing scenarios and deployment types. However, we think that our results can serve as a best-practice scenario providing some guidance for other cloud computing environments. While we carry out some statistical analysis, our meta-theoretical stance in this research aligns with the post-positivist and constructivist paradigms. We used a modified version of the Delphi method as a participatory research method: we looked for consensus rather than forecasts and future projections, introduced online, process-mediated interaction to ensure expert anonymity, and employed online surveys and e-mail notifications, unlike the original Delphi method. As there is no absolute truth according to our paradigm, the Delphi method helps us reach a potentially truthful perspective through the accumulated experience of the panel members, seeking validity through the consensus of diverse individuals with a high level of expertise.
CONCLUSION

Despite the variety of cloud computing customers, service providers often take a one-size-fits-all approach and ask customers to accept the same set of controls regardless of their particular data protection and compliance needs, in order to homogenize different types of customers and keep operational costs down. The main contribution of this chapter is a novel perspective on cloud security and privacy that uses the controls of the ISO 27001 standard. ISO 27001 is an increasingly accepted international standard that thousands of companies use to establish their information security management systems. A perspective on the privacy and security of cloud computing that uses the same notation and reference may help companies holding an ISO 27001 certificate to assess the related risks and decide more easily whether to adopt cloud computing scenarios. The hierarchy of control categories developed in this chapter may be used as a guide to assess the applicable controls and to ensure that all important risk categories are addressed with technical measures and contractual terms.

The limitations of this study may be overcome in future using alternative methodologies such as analytical modeling, scenario-based quantification and simulation of cloud-related risks in different implementations. As the number of cloud computing clients grows, empirical data can be collected directly from user organizations on the types of cloud computing risk that have been arising in different industries and cloud configurations. With increased competition among cloud providers, analyzing the available service agreement alternatives may also give a contractual perspective on how the relevant security and privacy risks can be managed, controlled and addressed in various cloud computing environments. In future, the legal interpretations of cloud service contracts in court cases across the world may act as a fruitful data source for developing more mature and balanced cloud computing service agreements.

This study represents an attempt to develop a more balanced discussion of the legality of data protection in the cloud environment. As more people around the world try to work out how best to use the cloud computing model, such approaches may be used to assess existing gaps for better risk management and to devise cloud computing service contracts based on the particular requirements of different businesses, governments and consumers. The cloud computing model has the potential to change fundamentally how information technologies are produced, deployed and used in business and individual settings. However, considering the complicated nature of the relevant legal scrutiny, we conclude that it is still an immature business model, despite the major business and technology hype around the world. There are a great number of relevant controls and an even greater number of alternative contractual clauses to be implemented for customers with different information security and compliance needs. This study is an initial attempt limited to data protection; in future, more studies are needed to establish the foundation for a systematic reference source that helps researchers, executives and other professionals develop a more balanced and complete understanding of the cloud environment, including its contractual implementation.
KEY TERMS AND DEFINITIONS

Access Control: The ability to control access to information so that the correct people are able to access the necessary data in a timely and systematic manner.

Information Leakage: Unintended or uncontrolled flow of personal or private data to third parties.

Information Privacy: The right to have control over personal information, and over the extent to which personal information or the underlying data are revealed to other parties.

Information Security: Protection of information assets and personal data from privacy, integrity and availability risks and threats.

Post Termination Assistance: Assistance services given by the service provider after the termination of the cloud computing services for data and business process migration, including data cleaning and sanitation on the cloud-based systems.

Privacy of Third Parties: Privacy of data belonging to non-contracting parties, such as customers, employees or business partners.

Service Contracts: Contractual agreements between the parties to the cloud computing services that define the rights and responsibilities of the contracting parties.
APPENDIX: SURVEYS

Table 7. Round-0: screening

Name, Surname:
E-mail:
Age:
Sex: ❑ Female ❑ Male
Location: ❑ Europe ❑ North America ❑ Other
Would you identify yourself as a cloud-computing expert? ❑ Yes ❑ No
Are you currently working in a cloud-provider company? ❑ Yes ❑ No
Are you currently working for a cloud-user company? ❑ Yes ❑ No
Are you working in an IT or a similar department in your company? ❑ Yes ❑ No
For how many years have you been working in IT?
Are you working in a managerial position? ❑ Yes ❑ No
How would you best describe your experience with cloud computing?
Would you attend a research project online as an informant to locate relevant security controls for cloud computing? (Workload estimation: 3-4 short online surveys over a few months) ❑ Yes ❑ No
Table 8. Round-1: opinion gathering

Name, Surname:
What are the most important information security and privacy issues in a generic cloud service provider – customer context, and how may a company / user control them? Please feel free to describe all your opinions:
Any additional comments?
Thank you for your participation in Round 1.
Table 9. Round-2: initial rating

Name, Surname:
Please assess how important the following control domains are for information security and privacy in a generic cloud service provider – customer context.
Note: The control domains are currently listed in alphabetical order.
Note: If you need descriptions of these controls, see the attached table below.

Scale: ➀ Very unimportant … ➄ Very important; ❑ Don't know

Access control: ❑ ➀ ➁ ➂ ➃ ➄
Asset management: ❑ ➀ ➁ ➂ ➃ ➄
Business continuity planning: ❑ ➀ ➁ ➂ ➃ ➄
Communication and operational management: ❑ ➀ ➁ ➂ ➃ ➄
Compliance: ❑ ➀ ➁ ➂ ➃ ➄
Human resources security: ❑ ➀ ➁ ➂ ➃ ➄
Participant identified domain 1: ❑ ➀ ➁ ➂ ➃ ➄
Incident management: ❑ ➀ ➁ ➂ ➃ ➄
IS acquisition, development and maintenance: ❑ ➀ ➁ ➂ ➃ ➄
Organization of information security: ❑ ➀ ➁ ➂ ➃ ➄
Participant identified domain 2: ❑ ➀ ➁ ➂ ➃ ➄
Physical and environmental security: ❑ ➀ ➁ ➂ ➃ ➄
Security policy: ❑ ➀ ➁ ➂ ➃ ➄
…: ❑ ➀ ➁ ➂ ➃ ➄
Participant identified domain n: ❑ ➀ ➁ ➂ ➃ ➄

Any additional comments?
Thank you for your participation in Round 2.
Table 10. Round-3: re-rating

Name, Surname:
You have previously reviewed how important the following control domains are for information security and privacy of cloud computing in a generic cloud service provider – customer context. Please find all of the assessments from the last round below. Do your ratings change after this review in Round 3?
Note: You don't need to change your position if you disagree with the rest of the expert panel.

Columns: Round 2 results (You / Panel Mean / Panel Median / Panel Mode); Round 3 rating, ➀ Very unimportant … ➄ Very important

Access control: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Asset management: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Business continuity planning: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Communication and operational management: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Compliance: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Human resources security: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Participant identified domain 1: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Incident management: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
IS acquisition, development and maintenance: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Organization of information security: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Participant identified domain 2: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Physical and environmental security: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Security policy: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
…: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄
Participant identified domain n: You ___ Panel Mean ___ Panel Median ___ Panel Mode ___ | Round 3: ➀ ➁ ➂ ➃ ➄

Any additional comments?
Thank you for your participation in Round 3.
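The Round-2 and Round-3 sheets above feed each expert their own rating next to the panel mean, median and mode. As an added example (not the chapter's own code or survey data), the following Python computes those feedback values from a set of constructed Round-2 responses, drops "Don't know" answers before aggregating, and flags the control domains where the panel has not yet reached consensus so the facilitator knows what to carry into another round. The consensus rule used here (interquartile range of at most 1 on the 5-point scale, with at least three usable ratings) is an assumption chosen for the example, not a rule the chapter states.

```python
"""Delphi panel feedback for Round-2 / Round-3 rating sheets (example code).

Hypothetical helper, not from the chapter: each expert rates control
domains on the 1-5 scale of Table 9 (None = the "Don't know" box).
It produces the Table-10 columns (you / panel mean / median / mode) and
flags domains that still lack consensus under an assumed IQR <= 1 rule.
"""
from collections import Counter
from statistics import mean, median
from typing import Dict, List, Optional

# Domains in the alphabetical order of the sheet (subset for brevity).
DOMAINS = ["Access control", "Asset management", "Compliance", "Security policy"]

# Constructed sample responses, not data collected in the chapter's study.
ROUND2: Dict[str, Dict[str, Optional[int]]] = {
    "expert-A": {"Access control": 5, "Asset management": None, "Compliance": 4, "Security policy": 3},
    "expert-B": {"Access control": 5, "Asset management": 2, "Compliance": 2, "Security policy": 3},
    "expert-C": {"Access control": 4, "Asset management": 3, "Compliance": 5, "Security policy": 4},
    "expert-D": {"Access control": 5, "Asset management": None, "Compliance": 3, "Security policy": 3},
}


def panel_ratings(responses: Dict[str, Dict[str, Optional[int]]], domain: str) -> List[int]:
    """Usable 1-5 ratings for one domain; "Don't know" (None) and junk are dropped."""
    out = []
    for answers in responses.values():
        value = answers.get(domain)
        if isinstance(value, int) and 1 <= value <= 5:
            out.append(value)
    return out


def mode_of(values: List[int]) -> int:
    """Most frequent rating; ties resolve to the lowest rating so the result is deterministic."""
    counts = Counter(values)
    top = max(counts.values())
    return min(v for v, c in counts.items() if c == top)


def iqr(values: List[int]) -> float:
    """Interquartile range using the median-of-halves convention."""
    s = sorted(values)
    n = len(s)
    lower = median(s[: n // 2])
    upper = median(s[(n + 1) // 2:])
    return float(upper - lower)


def panel_summary(responses, domain: str, max_iqr: float = 1.0, min_responses: int = 3) -> dict:
    """Panel statistics for Table 10 plus a consensus flag (assumed IQR rule)."""
    vals = panel_ratings(responses, domain)
    if not vals:
        return {"n": 0, "mean": None, "median": None, "mode": None, "iqr": None, "consensus": False}
    spread = iqr(vals)
    return {
        "n": len(vals),
        "mean": round(mean(vals), 2),
        "median": median(vals),
        "mode": mode_of(vals),
        "iqr": spread,
        # Too few usable answers never counts as consensus, whatever the spread.
        "consensus": len(vals) >= min_responses and spread <= max_iqr,
    }


def round3_sheet(responses, expert: str) -> List[dict]:
    """Rows of one expert's Round-3 sheet: own Round-2 answer beside the panel figures."""
    return [{"domain": d, "you": responses[expert].get(d), **panel_summary(responses, d)} for d in DOMAINS]


def domains_needing_another_round(responses) -> List[str]:
    """Domains the facilitator should keep on the next sheet."""
    return [d for d in DOMAINS if not panel_summary(responses, d)["consensus"]]


if __name__ == "__main__":
    for row in round3_sheet(ROUND2, "expert-A"):
        print(f"{row['domain']:<18} you={row['you']!s:<5} mean={row['mean']} median={row['median']} "
              f"mode={row['mode']} iqr={row['iqr']} consensus={row['consensus']}")
    print("carry forward:", domains_needing_another_round(ROUND2))
```

In the sample, "Asset management" has two "Don't know" answers, so only two usable ratings remain and it is carried forward regardless of their spread; "Compliance" has four ratings spread from 2 to 5 and is carried forward because the panel disagrees.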