Cloud Computing and Threats to Corporate Privacy - Research Paper Example

Abstract The report analyzes the manner in cloud computing has raised threats towards corporate privacy. Cloud computing requires development of strategies like minimizing the personal information which is sent from one person to another, protecting personal information through a process of hiding characters, maximizing user control, ensuring that users have choices which will reduce the use of personal information, determine the limit which has been provided for the use of personal data and increasing regulatory compliance and developing a new business model. The overall objective has to be aimed towards maximizing control and developing a business model which reduces the risk for the corporate sector and maximizes the control through which privacy can be ensured. This further requires study and development of a business model which will be aimed at improving and maximizing the safety aspect associated with personal information so that better control and maximum efficiency in the use of information can be pertained. Table of Contents Abstract 2 Table of Contents 3 Introduction 4 Research Aim and Objectives 5 The Cloud Computing Paradigm and Privacy 6 Articulating a Process of Corporate Privacy 8 Emergence of a New Business Model 10 Regulatory Compliance 11 Research Significance and Key Requirements 12 Research Innovation and Strategy 15 Minimize Personal Information Sent and Stored in the Cloud: 15 Protect Personal Information in the Cloud: 16 Maximize User Control: 17 Allow User Choice: 17 Specify and Limit the Purpose of Data Usage: 18 Provide Feedback: 18 Future Research Strategies 19 Conclusion 20 References: 22 Introduction Only a few decades ago, people kept all of their digital information on disks, but changes and developments in technology have led them to switch to memory cards. Cloud computing is the ability to access and manipulate information stored on different servers using the internet. This allows users the opportunity to access information from remote servers. Cloud computing facilities and applications are thereby delivered as a service over the internet. A few examples which will help to clarify the manner in which cloud computing is being used are Google Mail, Microsoft Office 365 and Google Docs, to name a few. Governments, individuals and organisations all over the globe have driven the growth and increasing popularity of cloud computing techniques. The cloud computing paradigm has changed how private information is used, but end users’ lack of prior knowledge of and experience in cloud computing techniques has increases risks which could be reduced through the services of experts. Cloud computing provides the advantage of reducing costs by sharing information through remote servers. It also supports a business process model that aims to maximize efficiency for users. These advantages have a direct impact on IT budgets and associated costs but also give rise to issues of security, trust, and privacy. Privacy is a right which ensures self-determination by making persons aware of how their personal data is stored and communicated, allowing them to take steps to prevent misuse of their personal information. This, therefore, looks at the confidentiality of information which seeks to ensure that no personal data are leaked or misused. Individuals’ universal right to protect their information, whether private, personal, or professional, encourages developing the means to safeguard that information. Cloud computing increases the risk that information which is processed and stored could be shared with the wrong people, thereby resulting in a high risk for businesses. For example, storing personal information on a server could pose a major threat, as the leakage of personal information could occur due to the use of internet technology. Privacy issues thus represent a very important aspect of cloud computing; as a result, it is necessary to develop a framework through which better confidence and economic issues can be dealt with. This, in turn, will help to create a situation in which information is protected. Research Aim and Objectives In the present study, research will investigate how privacy issues have changed for corporations in the field of cloud computing. The research will be concentrated on: 1. Determining the manner in which cloud computing and privacy concerns have changed for corporations; and 2. Identifying different barriers which hinder the process of protecting data and the different legal and ethical frameworks which need to be followed so that individual information is protected and the aspect of privacy is considered. Accordingly, this study will use secondary data from past research and findings to construct the appropriate framework through which privacy dynamics can be considered and protected. This study will specifically address a framework for ensuring privacy of private information. This framework will require proper storage of private information, a mechanism to utilize cloud computing, and better corporate strategies to protect information. In addition, this research will describe the various barriers to and legal framework through which to develop better computing measures. This aim also requires formulating a framework to better protect personal and corporate information. In addition, identifying a legal framework will help to maximize the overall gains from cloud computing and to develop a perspective from which better privacy measures can be adopted. Corporate privacy is thereby understood in terms information which corporations want to disclose and not disclose. This perspective aids in identifying the various directives that ensure corporate privacy and the practices which help protect information. The broad perspective will assist in constructing a framework that better protects information and addresses privacy concerns in the corporate sector. The Cloud Computing Paradigm and Privacy Cloud computing enables accessing and manipulating information stored on different servers through remote servers (Mell & Grance, 2009). A service provided over the Internet, cloud computing has five characteristics, three delivery models, and four deployment models. The five characteristics of cloud computing are on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service, which seeks to maximize efficiency. Rapid elasticity helps ensure better scaling of resources and provides a framework for better sharing of information. Measured services controls and optimizes the use of resources so that they are best allocated and load balancing is achieved (Mell & Grance, 2009). Figure 1 (Application/Software as a Service). The different cloud service delivery models are application/software as a service (SaaS), platform as a service (PaaS) and infrastructure as a Service (IaaS; see Figure 1). SaaS provides the consumer with an opportunity to use the provider’s application through the cloud infrastructure. The applications can be accessed through the use of different interfaces, such as web browsers. This model ensures that the consumer has no influence on the input and operates according to the manner and inputs which are made accessible by the provider. PaaS is another cloud provider service geared towards providing an opportunity to developers to use different applications like Google Apps, Mozilla and so on. The developer has to ensure that the application provides an opportunity wherein best practices and friendly tools can be developed. Finally, IaaS provides the opportunity for the consumer to use different applications through the software being run. One example of this is the Amazon EC2 Web Service. Such services requires companies to conform with the different legal and compliance requirements so that resilience measures which seek to ensure better safety related to different types of personal and private information can be preserved. Articulating a Process of Corporate Privacy The objective of delivering IT as a service is addressed for a number of different groups such as consumers, small and medium-sized enterprises (SMEs) and public administration. Industry analysts have stated that the information and communications technology (ICT) sector will be able to ensure heavy growth in the use of cloud computing services. This is enhanced by the fact that the amount of personal data is growing at an ever-increasing rate (Cavoukian & Abrams, 2010). Corporate privacy requires that information which is true and correct is provided to people, but at the same time, strategies need to be developed which will ensure that correct information which needs to be disclosed is provided while other information is protected. The questions which are raised at this juncture have to do with the manner in which corporate privacy can be ensured so that information is protected, as well as how an overall perspective which aims at better protection can be generated. The continuous piracy of software which is then sold at discounted prices has multiplied the burden on organizations, which have already incurred a high financial burden to develop the software. The inability to protect software and the increased use of cloud computing have provided an opportunity for people to exploit valuable information. The complexity associated with cloud computing provides a large number of unknown parameters which have to be identified and worked on. As a result, service providers and consumers are very cautious and aim towards providing compliance services so that they can adopt the different services and look at privacy issues. This would involve ensuring that people are not able to break into or find out about the programme’s original software so that no cheating takes place; moreover, it will help to bring about a change in the use of the software. Cloud services thus require a focus on different areas and a need to access the information so that the risks associated with piracy and security can be considered. In order to accomplish this, information such as the following needs to be taken into account: Who are the stakeholders? What are their roles and responsibilities? Where is the data stored? How are data replicated? To address the above-mentioned questions, it is important for every individual to remain transparent in relation to the different policies which are framed respecting the manner in which different types of information is processed. This aspect needs to be looked at from the perspective of developing anti-hacking software that will disallow people from using different types of data and information, thereby preventing duplication of data Emergence of a New Business Model Cloud computing enables users to collect, store, and manipulate information at a low cost. This service has created the opportunity to develop a new business model aimed at the previously discussed problems: programs being cracked and altered in order to sell new, low-cost. This business model has facilitated the use of cloud computing in different fields in order to maximize and improved different aspects of various businesses. At the same time, cloud computing’s ability to modify and customize t for every individual user has increased the overall risk for businesses. Additionally, cloud computing could lead to unauthorized disclosure of data. Therefore, a legal framework which records when data are collected and used is needed to ensure the authenticity and security of personal data. Cloud computing is used in daily life through such e-mail services as Hotmail and Gmail and social networking sites including Facebook, You Tube, Flickr, and Twitter. These services store huge amounts of data, including personal information, which is easily accessible to others, increasing the opportunities for leakage. The challenges multiply when cloud service providers integrate different SaaS services into a single stream. An example of a multiple SaaS integrator is the booking platform used by travel agents which, through a single application, manages many functions such as customer relationships, bookings, cancellations, online processing charges, and credit card processing. When SaaS services use the same applications, the risk increases because providers could employ different security strategies for personal data. The growing use of this business model necessitates greater security measures to prevent leaking personal data. Regulatory Compliance Data protection and regulatory compliance are commonly recognized as top concerns regarding the security of personal data. The majority of cloud users fear leakage of information by service providers which has adverse results. More than 90 percent of people fear that companies’ sales of private information to other companies will lead to its misuse (Federal Trade Commission, 2010). Developing rules and programs that do not permit manipulation or making changes to data will enable companies to achieve maximum gains. This claim is supported by the perception of IT executives and companies that security is the biggest challenge to the cloud computing model. Stakeholders believe they need to formulate strategies to prevent data breaches. The prime reason for this concern is the risk associated with the misuse of personal data. The media have highlighted that cloud computer has facilitated the development of lower-priced software. This requires formulating methods that incorporate different penalties and legal and business actions. The data protection authority has developed a scenario called Big Brother which it uses to evaluate whether privacy protection is adequate. This authority aims to ensure that no information is leaked and data security preserved without creating a total surveillance society (Horrigan, 2008). In addition, cloud computing results in an environment in which the service provider does not have full control over information. For example, in Internet-enabled services, third parties can use and manipulate information. As well, users might not know where their data are stored. This is a central issue in cloud computing and raises concerns about how data is analysed and whether it could be leaked or misused. Research Significance and Key Requirements The growing threats in the field of corporate privacy have raised concerns about how the corporate sector protects information and what strategies are needed to better protect information. Applied to the field of cloud computing, the fair information principle requires identification and development of policies and strategies to set privacy standards. Key privacy requirements associated with cloud computing are Notice, openness, and transparency should be ensured. Those gathering the information need to clearly state the reason for collecting the data, the manner in which it will be used, the period for which it will be stored, the people with whom it will be shared and other aspects associated with security. This should be followed by a process of notification to let relevant people know if any changes are made to the process so that all people concerned are aware of this (IDC, 2010). Privacy policies should be provided to the clients and explained so that they are clearly understood; moreover, they should ensure that no misuse of information is possible. Choice, consent and control should be ensured when gathering and preserving information. Stakeholders must obtain the required permission from information providers and should be matched by proper consent regarding the preservation of information. In terms of scope, the purpose for which data is collected should be clearly identified, and only necessary information collected. No information should be collected other than that which is relevant to the purpose of data collection, and steps should be taken to ensure that the amount of data collected is minimised to reduce the likelihood of leakage of information. Access and accuracy should be ensured to check that the information which has been collected matches the actual information. This means making timely changes and ensuring that the information is true (Enterprise Privacy Group, 2008). This will also ensure that all the information collected is correct and accurate. Security safeguards should be maintained which prevent unauthorised persons from using the information. Moreover, it should be ensured that the information cannot be copied and a process should be developed through which effectiveness is maintained so that the overall information which is supplied is preserved. Compliance is an aspect which has to be adhered to and can be achieved by having regulatory bodies and a framework which seeks to make sure that no information is leaked. This will increase regulatory and legal pressure and will prevent organisations and service providers from misusing information, which is vital to safeguarding information (IDC, 2008). The purposes for which the data will be used should be clearly identified. In looking to collect data, only required information should be collected. No information should be collected other than that which is relevant to the purpose of data collection, and steps should be taken to ensure that the amount of data collected is minimised to reduce the likelihood of leakage of information. The use of data should be limited according to the purpose for which it has been collected and organisations should take action against parties which divulge the information for other purposes or try to manipulate it. This will ensure that the private information pertaining to different organizations and parties can be protected. Further, parties which have the legal right and are authorised to do so should be the only ones to use the information, while others should abstain from this. Accountability should be created, as the service provider who gathers the information has to ensure that the information is not leaked. People who have gathered information but use it for other purposes should be penalised through penalties, business loss and other frameworks so to lessen the chances of information leakage. Accountability needs to be accompanied by strong legislation and the development of rules geared towards reducing the risk associated with cloud computing; a legal framework should be created which aims to curtailing the misuse of funds and will maximise the different opportunities which is provided by cloud computing. Research Innovation and Strategy The fast-growing popularity of cloud computing reflects a number of different trends; a few problems have also emerged around cloud computing. IT is now evolving so quickly that it is increasingly expensive for corporations to keep pace. This underlines the need for and importance of identifying a mechanism through which privacy issues related to the corporate sector are identified and protected. Privacy practices by cloud practitioners, designers, developers, architects and others are the most important elements which need to be focused on. The points listed below do not cover all aspects associated with privacy in cloud computing in the corporate sector, but does provide a framework through which the better preservation of data becomes possible and maximum gains can be achieved. Some of the strategies which can be implemented to ensuring better privacy in cloud computing are as follows: Minimize Personal Information Sent and Stored in the Cloud: Minimising the amount of personal information which is sent to and stored in the cloud ,strategies have to be developed and used which allow minimal sharing and storage of necessary personal information. Collecting minimal personal information will provide the advantage through which storage and processing of personal information can be minimised and the risk associated with data sharing can be reduced. This should be matched by the usage of anonymisation techniques which seek to encrypt data and personal information using different statistical methods so that information which is transferred across different locations cannot be easily copied or misused (ENISA, 2009a). Different types of anonymisation techniques are already available on the market; this provides solutions through which information can be hidden and encrypted. This makes it imperative that personal information which should not be shared is encrypted before it is sent to the cloud so that not everyone has access to information which is private and personal. In addition to this, privacy preservation techniques can also be used which will protect and preserve information through a data mining algorithm so that minimal information is passed on to achieve optimal customer service and achieve the desired result. This method can only be used when database owners have computing power through which they can analyse their own database and hide information which is personal and need not be shared. Protect Personal Information in the Cloud: In terms of protecting personal information in the cloud, information which is transferred through the use of different cloud transmitting techniques should be protected by ensuring limited access, disclosure, copying or other methods through which the personal data can be misused. Using tamper-resistant hardware while looking to transmit data and information from one place to another will serve as a process through which data will be stored. This has to be matched by the use of hardware-based encryption so that people are not able to misuse the information as is passed on to the correct, authorised person (ENISA, 2009b). Further, personal information should be stored and transferred using privacy laws such as cryptographic mechanisms and a high level of security measures which will prevent the misuse of information. The overall process should be such that data encryption should look at preserving and protecting the vital information so that different decisions which are made maximise productivity and ensure gains in protecting information. Maximize User Control: Maximising user control is another important issue. Trust is one of the most important components in looking to develop a technology for a mass market; lack of control could have an indirect impact and result in distrust of the organisation. Cloud computing increases risk, as personal information could be misused, leading towards distrust. One way of dealing with this is to allow users to take control of the information which is provided to them and remain accountable for their acts (Kamara & Lauter, 2010). Another mechanism can be using the services of private companies who are experts in this field and can preserve vital information. This will require designing the system in such a manner that the user is clearly able to find the needed information and use it for the purpose which has been identified, while at the same time limiting others from using it, thereby exercising maximum user control in relation to the personal information. Allow User Choice: User choice should also be allowed. Opt in/out mechanisms are presently employed where such a choice determines whether the user will be allowed to use the personal information. Opting out refers to the fact that the information cannot be seen and read, whereas opting in sends a request to the user; after obtaining the necessary permission, the individual is allowed to use the personal data. This is matched by the different legal requirements which have to be adhered to while looking to send a request to use the personal data or information (Danish Data Protection Agency, 2010). The design should be stringent and involve the toughest norms to restrict people from using certain personal information and only obtaining the required permission allows the person to use specific data. This will allow the user a choice based on whether the individual wants to allow or disallow the use of his or her personal information. Specify and Limit the Purpose of Data Usage: Personal information has to be treated and used in such a manner that no compromise is made; the information should be used for the purpose stated. Processing of personal information should be bounded by constraints which should limit the usage of personal information for purposes which already have been identified (Brands, 2010). It is imperative to make a comparison between the use of the data and the purpose for which permission has been obtained to use the data. Any differences should be dealt with properly and strategies have to be implemented through which stronger privacy rules are followed. Provide Feedback: Feedback needs to be provided. A process which looks to provide feedback both to the user and the developers will help to develop strategies through which control can be exercised over the use of personal data. The process of feedback will help to understand the different areas and aspects which have to be worked on and will provide an overview through which better informed decisions with regard to privacy can be made. The process of feedback will also tend to provide the required assurance and develop the required fundamentals which will improve trust in the organisation. This will help to develop the required infrastructure through which better control over the use of personal data will be exercised, and will help to develop a process which will maximise the overall gains for the business in cloud computing. Future Research Strategies The development and advancement of technology to deal with issues of privacy related cloud computing is already underway and will help to develop and formulate strategies through which better management of resources and effectiveness in dealing with personal information will be identified. There are numerous different open issues which have to be addressed so that better mechanisms to deal with cloud computing become possible. Some of the open issues which have been identified are described below. First, enforcing policy within the present cloud system is very challenging and a difficult task due to wide variations and different functions like personal information can be protected (Van & Blarkom, 2003). Second, it is only possible to determine that data processing has taken place within the cloud; identifying the exact place at which it has been done is still not yet possible and this will require more stringent policies and measures (Van & Blarkom, 2003). Third, it is difficult to identify the processor which is used to transfer data or whether regarding whether subcontractor should be used or not used (Van & Blarkom, 2003). Fourth, it is almost impossible to design and develop techniques to identify the evolutions which are going to take place and develop strategies based on these, as technological advancements have made the situation complicated and it is not clear what developments will arise in future (Van & Blarkom, 2003). Finally, accountability needs to be maintained, as the service provider which gathers the information has to ensure that it is not leaked (Van & Blarkom, 2003). The continuous demand being witnessed in the direction of personal data and information is bound to increase the need and importance of cloud services, especially when cloud services are able to deliver the same service at a lower cost; this will provide the opportunity to develop a new business model. This highlights the different areas and directions in which cloud computing is likely to become relevant and will thereby help to raise and multiply the different roles and responsibilities which have to be considered for the better protection of information. The purpose of the use of data should be clearly identified. Only required information should be collected. This is a process which needs to be put in place for the future as a basis for developments and identification of areas through which operational effectiveness and efficiency will be gained in the preservation of information. This will determine the manner in which the overall protection of vital information will be conducted. Conclusion Cloud computing is an area which has given rise to privacy issues and made it very difficult to develop and formulate strategies aimed at protecting vital personal information. Cloud computing increases risk for businesses related to the information which is processed and stored. For example, storing personal information on the server could act as a major threat as it could lead to leakage of personal information through internet technology. Privacy issues are thus a very important aspect in cloud computing; a framework needs to be developed through which better confidence and economic issues can be dealt with to help provide foundation for the security of information. This essay concentrated on cloud computing and the threats it raises to privacy issues, as well as the manner in which these threats can be dealt with. This will help to develop a better framework and provide the required directives through which better security measures can be developed. The overall framework shows the different directions and areas on which the business needs to concentrate so that better strategies aimed towards operational effectiveness and ensuring minimal loss of information can be implemented. This will help to reduce the chances of misuse of personal information and will provide a framework through which the business will be able to use data and at the same time ensure that this information is properly protected. References: Brands, S. (2010). Rethinking public key infrastructures and digital certificates: Building in privacy. MIT Press Publishing Cavoukian, A., & Abrams, S. T. (2010). Privacy by design: Essential for organizational accountability and strong business practices. Retrieved on November 11, 2013 from http://www.globalprivacy.it/Allegati_Web/57C2B8AA758546A0B76D5668F5CF5E16.pdf Danish Data Protection Agency. (2010). Processing of sensitive personal data in a cloud solution. Retrieved on November 11, 2013 from http://www.datatilsynet.dk/english/processing-of-sensitive-personal-data-in-a-cloud-solution/ ENISA. (2009a). Cloud computing security risk assessment. Retrieved on November 13, 2013 from www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment ENISA. (2009b). Cloud computing information assurance framework. Retrieved on November 11, 2013 from http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assuranceframework ENISA. (2011). Security & resilience in governmental clouds. Retrieved on November 11, 2013 from http://www.enisa.europa.eu/act/rm/emerging-and-future-risk/deliverables/security-and-resilience-ingovernmental-clouds Enterprise Privacy Group. (2008). Privacy by design: An overview of privacy enhancing technologies. Retrieved on November 11, 2013 from http://www.ico.gov.uk/upload/documents/pdb_report_html/pbd_pets_paper.pdf Federal Trade Commission. (2010). Protecting consumer privacy in an era of rapid change: A proposed framework for businesses and policymakers. Retrieved on November 11, 2013 from http://www.ftc.gov/os/2010/12/101201privacyreport.pdf Gartner Inc., 2012, `About Gartner’, Gartner website, Retrieved on November 10, 2013 from . Heisler, J. & Nicolett, M. 2008, ´Assessing the security risks of cloud computing’, Gartner, 03 June 2008, ID Number: G00157782, Retrieved on November 10, 2013 from . Horrigan, J. (2008). Use of cloud computing applications and services. Pew Research Center. Retrieved on November 15, 2013 from http:// www.pewinternet.org/Reports/2008/Use-of-Cloud-Computing-Applications-and-Services.aspx IDC. (2008). IT cloud services forecast. Retrieved on November 11, 2013 from http://blogs.idc.com/ie/?p=224 IDC. (2010). IDC predictions 2011: Welcome to the new mainstream. Retrieved on November 15, 2013 from http://www.idc.com/research/predictions11/downloads/IDCPredictions2011_WelcometotheNewMainstream.pdf Kamara, S., & Lauter, K. (2010). Cryptographic cloud storage. Proceedings of Financial Cryptography: Workshop on Real-Life Cryptographic Protocols and Standardization. Harvard Publishing Mell, P., & Grance, T. (2009). NIST definition of cloud computing. Retrieved on November 14, 2013 from http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf Van, G., & Blarkom, J. (2003). Handbook of privacy and privacy-enhancing technologies – The case of intelligent software agents. Retrieved on November 11, 2013 from ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/DPP/CWA15263-00-2005-Apr.pdf Read More