We examine how cloud providers secure customer data, how to minimise the chances of data leaks, and how to comply with privacy law.
In part one of our feature series on the cloud, we helped you understand all the options for your business (and the jargon). In part three, we'll discuss which cloud storage app is best for business. Here, in part two, we'll examine how secure business data is in the cloud.
The privacy card is often overplayed in discussions about cloud computing. That's not to say privacy isn't an important issue, only that it is not as big a problem as some would have you believe.
Much of the confusion comes from the existence of internet services such as Facebook that have business models based on exploiting data about their users. But that's very different from paying a company so you can use its accounting system or office suite.
Small businesses need to consider two aspects of privacy: the legal privacy requirements for personal information held about staff, customers and others; and the privacy of the business's information more broadly.
Complying with privacy legislation
From a legal standpoint, many small businesses (in this context, those with an annual turnover of less than $3 million) are not required to comply with the Privacy Act's Australian Privacy Principles (APPs). There are exceptions, and the Office of the Australian Information Commissioner (OAIC) provides a checklist to help small businesses determine whether the APPs apply to them. For example, health service providers including "complementary therapists" must comply. Furthermore, your larger clients may impose a contractual requirement that you comply with the APPs.
Keep in mind that 'personal information' has a particular definition in this context.
In addition, privacy legislation includes rules that apply regardless of the size of a business, notably those regarding an individual's tax file number. This is something you need to consider if your business employs people.
Cloud providers doing business in Australia (in a relatively broad sense that does not necessarily require a physical presence, although merely having Australian clients is probably not sufficient) are apparently covered by the Privacy Act. However, it seems that if information is stored or processed offshore, your business is required to ensure the provider complies with the APPs. If a breach occurs, your business normally remains liable for the actions or inactions of the provider.
Therefore, if your business is required to comply with the APPs and wants to store personal information in cloud-based systems, it would seem to be sensible to choose a local provider and check that the data is never moved offshore. After all, few small businesses are in a position to compare other countries' laws and regulations with the APPs.
Bear in mind that a foreign-owned provider may be required by its home government to provide access in certain circumstances to the data it stores for its clients. Conversely, we've heard a lawyer express the opinion that if certain foreign governments seek access to data stored in Australia by an Australian business, the Commonwealth Government is obliged by treaty to assist with such requests.
How cloud providers secure your data
Turning to the privacy of business information more generally, we sometimes hear concerns about cloud providers along the lines of "I don't want my data mixed up with everyone else's."
While there may be some basis for those concerns, cloud software systems are designed to isolate data from other users and from inappropriate access by the service's employees.
According to MYOB Chief Technology Officer Simon Raik-Allen (who stressed he was speaking generally rather than describing MYOB's specific measures), systems designers use a range of technologies and techniques to prevent accidental or deliberate access to another client's data. These include:
- Routing database requests through a layer of software that blocks requests for data that isn't 'owned' by the requesting customer
- Exposing only seemingly random GUIDs (globally unique identifiers) for use in URLs, not (as in earlier days) constructions such as "CUST=16" that may tempt curious users to edit the URL to different values to see what would happen
- Using modern databases that provide specific features to keep different customers' data apart from others but without losing the cost benefits of multi-tenancy
- Extensive security evaluation and testing, including reviews by separate external experts at different stages, plus automated and human testing
- Offering 'bug bounties' to encourage security researchers to report any issues to the company rather than offering them on the open market.
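As an added illustration (not code from the article, nor a description of MYOB's systems), the first two measures above can be combined in a small data-access layer: the owning tenant is taken from the authenticated session and appended to every query, and records are exposed only by random UUIDs rather than sequential numbers. The table, tenant names and amounts are constructed for the example.

```python
import sqlite3
import uuid

# Constructed in-memory schema standing in for a multi-tenant SaaS store.
SCHEMA = """
CREATE TABLE invoices (
    public_id TEXT PRIMARY KEY,   -- random GUID exposed in URLs
    tenant_id TEXT NOT NULL,      -- owning customer, set server-side only
    amount_cents INTEGER NOT NULL
);
"""


class NotFound(Exception):
    """Raised for both missing rows and rows owned by another tenant, so a
    guessed or edited identifier reveals nothing about whether it exists."""


class TenantScopedRepo:
    """Every query is filtered by the tenant of the authenticated caller."""

    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id  # from the session, never from the URL

    def create_invoice(self, amount_cents):
        public_id = str(uuid.uuid4())  # opaque, non-sequential identifier
        self.conn.execute(
            "INSERT INTO invoices (public_id, tenant_id, amount_cents) VALUES (?, ?, ?)",
            (public_id, self.tenant_id, amount_cents))
        return public_id

    def get_invoice(self, public_id):
        # The ownership check lives in the query itself, so no caller can forget it.
        row = self.conn.execute(
            "SELECT public_id, amount_cents FROM invoices "
            "WHERE public_id = ? AND tenant_id = ?",
            (public_id, self.tenant_id)).fetchone()
        if row is None:
            raise NotFound(public_id)
        return {"id": row[0], "amount_cents": row[1]}


def demo():
    """Two tenants share one database; one cannot read the other's invoice
    even when it knows the exact identifier."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    acme = TenantScopedRepo(conn, "tenant-acme")
    globex = TenantScopedRepo(conn, "tenant-globex")
    invoice_id = acme.create_invoice(12500)
    own_amount = acme.get_invoice(invoice_id)["amount_cents"]
    try:
        globex.get_invoice(invoice_id)
        cross_tenant_read = True
    except NotFound:
        cross_tenant_read = False
    return invoice_id, own_amount, cross_tenant_read
```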
Ensuring the cloud provider's employees (and those of related companies such as the data centre operator) don't snoop into customers' data is – like most security issues – a multi-layer process. Approaches include:
- Encrypting the data
- Careful management of access rights – "you do have to trust some people," said Raik-Allen – but the right processes ensure only the right people can access the data, and only when they need it. If the processes are too cumbersome, there will be a temptation to seek workarounds and that's likely to mean too many people have access for too long.
- 'Cleansing' routines that can allow necessary access to data values but in a de-identified form to maintain privacy
- Storing sensitive data in a separate 'vault' that is only accessible via the database
- Using network access controls so the database is only accessible from whitelisted addresses, specifically the application server(s) that use the database plus a 'bastion box' that acts as an intermediary for legitimate access to the database but restricts that access to specified users and logs all interactions.
Data security tips
If you look at reported large-scale breaches – US Target, Ashley Madison and Sony come to mind – the problem is typically related to in-house systems, not those operated by cloud providers. A cloud provider of any substance can afford to employ more and better-skilled security staff than the small and medium businesses that they serve.
And for every time a cloud provider slips up (such as the 2011 Dropbox password bungle), how many hundreds of thousands of business PCs are affected by some sort of configuration problem that allows improper access to data? That can be as simple as a group of employees using a single account to avoid the burden of repeatedly logging in to shared computers.
There are reasons for preferring on-premises systems to cloud services (for example, cloud isn't necessarily cheaper), but privacy shouldn't be one of them.
Finally, remember these three points whatever technology you use:
- Not collecting data that you don't really need means you can't inadvertently disclose it.
- Most data breaches are internal, so take care with access controls – people should only have access to the information they need to do their jobs.
- If you adequately destroy data that is no longer required, there's no risk of subsequent disclosure.