Privacy Regulations for Cloud Computing Compliance and Implementation in Theory and Practice
Joep Ruiter and Martijn Warnier
Abstract Cloud Computing is a new paradigm in the world of IT. In traditional IT environments, clients connected to a number of servers located on company premises. In Cloud Computing, users connect to the ’Cloud’, appearing as a single entity as opposed to multiple servers. Outsourcing data to the Cloud Service Provider (CSP), an external party involves giving the CSP some form of control over the data. Privacy regulations put requirements on organizations regarding storage, processing and transmission of data. Outsourcing this data to a CSP involves outsourcing partial control over the storage, processing and transmission of data and privacy regulations become relevant. This paper addresses the questions as to how existing regulations in the area of privacy affect the implementation of Cloud Computing technologies and how the implementation of Cloud Computing technologies affect compliance with these regulations. Surprisingly, it looks like many organizations and CPSs are simply not aware of privacy issues in Cloud Computing. Therefore, raising awareness about both the privacy issues and the existing privacy regulations seems a good first step to increase privacy of data in Cloud Computing environments.
1 Introduction Privacy is considered to be a fundamental human right (Movius and Krup, 2009). Around the world this has led to a large amount of legislation in the area of priJoep Ruiter Faculty of Sciences, VU University Amsterdam e-mail: [email protected] Martijn Warnier Faculty of Technology, Policy and Management, Delft University of Technology e-mail: [email protected]
1
2
Joep Ruiter and Martijn Warnier
vacy. Nearly all national governments have imposed local privacy legislation. In the United States several states have imposed their own privacy legislation. In order to maintain a manageable scope this paper only addresses European Union wide and federal United States laws. In addition several US industry imposed regulations are also considered. Privacy regulations in emerging technologies are surrounded by uncertainty. This paper aims to clarify the uncertainty relating to privacy regulations with respect to Cloud Computing1 and to identify the main open issues that need to be addressed for further research. This paper is based on existing literature and a series of interviews and questionnaires with various Cloud Service Providers (CSPs) that have been performed for the first author’s MSc thesis (Ruiter, 2009). The interviews and questionnaires resulted in data on privacy and security procedures from ten CSPs and while this number is by no means large enough to make any definite conclusions the results are, in our opinion, interesting enough to publish in this paper. The remainder of the paper is organized as follows, the next section gives some basic background on cloud computing. Section 3 provides an overview of several US and EU privacy regulations and Section 4 discusses the privacy regulations in relation to cloud computing. Next follows a more general discussion and the paper ends width conclusions.
2 Cloud Computing Cloud Computing is a new paradigm in Information Technology (IT). In their research Vaquero et al. propose the following definition: Clouds are a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilization. (Vaquero et al., 2009)
In traditional IT environments, clients connect to multiple servers located on company premises. Clients need to connect to each of the servers separately. In Cloud Computing clients connect to the Cloud. The Cloud contains all of the applications and infrastructure and appears as a single entity. Cloud Computing allows for dynamically reconfigurable resources to cater for changes in demand for load, allowing a more efficient use of the resources. In Cloud Computing, end users are provided with dedicated hardware or a virtualized machine. To end users, this virtual machine appears as an isolated machine, where each user has isolated access. In Cloud Computing standardization has not yet emerged. Using software in a Cloud Computing environment therefore depends on the CSP. Virtualization in Cloud Computing allows distributing computing power 1
Note that with regard to Cloud Computing, this paper is limited to Business to Business (B2B) Cloud Computing initiatives. Cloud Computing initiatives directed to consumers, such as Microsoft’s Windows Live Mail or Google’s Gmail are not part of this research.
!
Privacy Regulations for Cloud Computing
3
! "#$%&!"$'(%)*+,! ! to! cater for load fluctuations. Standard web protocols provide access to Cloud Com-
puting and control ! is centrally managed in various data centers. ! 4+51./)1%7)%10! ./! .! 601:*70! ;4..6<=! /$'0)*'0/! 1050110&! )$! ./!of>.1&?.10! .! 601:*70@88AB=! Cloud Computing is offered through three types services./!(Lin et al., 2009; .##$?/! )30! et %/0!al., $5! 3.1&?.10! )31$%,3! 7$''$+#C! *+)015.70/=! ./! ?0D! (IaaS), *+)015.70/E! Weinhardt 2009). These services are.:.*#.D#0! Infrastructure as/%73! a Service Plat@FF=88F=8GAB! H%0! )$! )30! %D*I%*)C! $5! )30! ?0D! .+&! )30! .D/)1.7)*$+! )30/0! *+)015.70/! (1$:*&0=! form as a Service (PaaS) and Software as a Service (SaaS). .770//!)$!4..6!*/!7#.*'0&!)$!D0!/*'(#0!.+&!0./CE!!!! Infrastructure as a Service (IaaS), sometimes referred to as Hardware as a SerJ#)3$%,3! /$'0! 10/0.17301/! (#.70! /)$1.,0! ./! .! /0(.1.)0! /01:*70@0E,E! KL=8GAB=! )3*/! 10/0.173! vice (Wang et al., 2008), allows the use of hardware through commonly available 5$##$?/!$)301!10/0.17301/!.+&!/0)/!/)$1.,0!./!.!(.1)!$5!)30!4..6!7$+70()E@88FB! interfaces, such as web interfaces (Leavitt, 2009; Weinhardt et al., 2009) Due to the ! ubiquity of the web and the abstraction these interfaces provide, access to IaaS is M#.)5$1'!./!.!601:*70!;M..6
!
!"#$%&'()'*+&',-.$/'0&%1"2&'-34&%0'53/367&/'8%.9'7+&':$%7.;'<%.$6=>?@A'<%.0093;=B>@A'C";'&7'3-D=EF@'3;/' G&";+3%/7'&7'3-D=HHI@J' Fig. 1 The Cloud service layers (adapted from Grossman (Grossman, 2009), Lin et al. (Lin et
al.,
2009) and Weinhardt et al. (Weinhardt et al., 2009))
Portraying the Cloud services in layers resembles the OSI stack that comprises traditional computing. At the same time the layers represent the amount of control users have over their Cloud Computing initiative. Each layer provides further abstraction to users of Cloud-./)01!230/*/!4+5$1'.)*$+!67*0+70/! Computing. IaaS hereby offers the least abstraction and SaaS the most. With more abstraction, more control of the technology stack is taken away by the Cloud Service Provider or IT organization. These cloud services can be obtained from 3rd parties, referred to as Cloud Service Providers (CSPs) (Armbrust et al., 2009; Vaquero et al., 2009). Organizations
Privacy Regulations for Cloud Computing - MAFIADOC.COM
Jun 25, 2007 - company premises. Clients need to connect to ... rity aspects, interoperability, pricing and benefits of Cloud Computing depend on the type of Cloud. ..... Privacy and Security Law Issues in Off-shore Outsourcing. Transactions.
national food security also. ... than the average level in the world and the production value per capita and land yield per unit are also on .... IOT and cloud computing applications in agriculture are as mentioned below: ... FinalPaperINTERNET OF TH
from individual consumers to the largest. businesses. Their portfolio spans printing,. personal computing, software, services,. and IT infrastructure. For the latest ...
cloud computing for dummies pdf. cloud computing for dummies pdf. Open. Extract. Open with. Sign In. Main menu. Displaying cloud computing for dummies pdf.
Google Search. â¢. Google 'Cloud' listings showing 'most popular' blog links. â¢. FeedBurner which provides free email updates. â¢. Publications o Class Application Form 2010 o Events Diary o Information Booklet o Manuals Available o Newsletters o
called cloud computing, and it could change the entire computer industry. .... master schedules backup execution of the remaining in-progress tasks. Whenever the task is .... You wouldn't need a large hard drive because you'd store all your ...
There are three service models of cloud computing namely Infrastructure as a .... applications too, such as Google App Engine in combination with Google Docs.
[10]. VMware finds cloud computing as, âis best under- stood from the perspective of the consumer .... cations and other items among user's devices, like laptop,.
the task of allowing a third party auditor (TPA), on behalf of the cloud client, to verify the integrity of the dynamic data stored in the cloud. To securely introduce an ...
Your private rating data may not be safe on the cloud because of insider and outsider threats. Anirban Basu, et al. Cloud based privacy preserving CF. 4/22 ...
Principles (APP), regulates the way organisations and government agencies handle the personal ... Direct marketing. 8. Cross-border disclosure of personal information. 9. Adoption, use or disclosure of government related identifiers. 10. Quality of p
specifically to indicate another way online computing is moving into the 'cloud computing' ... Another useful example is the free Adobe Photoshop Express, at.
of cloud-based services. In. Cloud Computing: Concepts,. Technology &Architecture,. Thomas Erl, one of the world's top-selling IT authors, teams up with cloud.
cloud computing into the mobile environment and overcomes obstacles related to the ... storage, and bandwidth), environment (e.g., heterogeneity, scalability, and ..... iPhone 4S, Android serials, Windows Mobile serials decrease 3 times in ...
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Cloud ...
of IT professionals did not understand what 'cloud computing' was about. ... The application even allows you to save your documents and spreadsheets in ... If you have used Google Docs as your web based application software and saved it on Google ...