Data Privacy and Security Issues

With a third-party organisation managing the infrastructure in the cloud, the responsibility to maintain the privacy of all personal data is heightened. It is common and acceptable to share personal data with the cloud, but the decision must be an informed one. Personal details of employees, customer data and company secrets must be protected against the potential risks of theft and leakage. A classic example is the hacking attacks on the Sony PlayStation Network in 2011, which we discussed in earlier chapters. If this can happen to Sony, which has most of its infrastructure internally, imagine the level of caution that needs to be in place while trusting third-party cloud service providers. Let us briefly discuss the different elements that need to be covered in contracts and agreements while moving to the cloud.

Privacy and Data Protection

According to research by IDC (International Data Corporation), 71% of enterprises say preventing the exposure of confidential data and related information is one of their top challenges. The research also identifies the company’s financial and customer information, intellectual property and personal information of employees as the most vulnerable data. Data that can be traced back to a single individual can be categorised as “personal”. Companies must look for cloud service providers that offer sufficient protection for such sensitive information. To start with, when third-party data has to be moved to the cloud, the existence of any contracts or obligations against such action must be checked. Following this, depending upon the location of the cloud service provider and industry-specific privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), stringent privacy measures must be applied.

Data Controllers and Data Processors

In order to regulate the use of personal data, the Data Protection Act was established. Under this act, the data controller is the entity that determines the purpose of holding personal data, and the data processor “processes” the data on behalf of the controller. The data controller takes the ultimate responsibility for complying with the Data Protection Act in case of any discrepancies. Though the cloud service provider is often the data processor, there are some cases where it takes the role of a data controller too. The precise role of the cloud service provider must be evaluated in each case and the obligation for data protection must be assigned to the right entity.

Data Protection Issues in the Cloud

With the role of the data controller and data processor defined and the level of obligation stated, cloud customers must now evaluate the technical aspects of the provider and learn how they promise to deliver services within the established expectations of protection. Failing this, the following data protection issues can be expected in the cloud environment:
  1. Lack of interoperability and data portability
  2. Lack of integrity that arises from sharing of resources
  3. Inability to ensure data compliance measures
  4. Lack of proper data isolation in the multi-tenant environment

Data protection risks are further amplified when the cloud service provider involves multiple tiers of sub-processors/sub-contractors and data transfer happens between different countries.

Data Protection Laws

Prior to 2011, the Indian judiciary system did not provide space for clear-cut laws pertaining to data protection. However, with the enhancement of the data protection laws in the European Union, the Information Technology Rules 2011 came into place. Under this act, corporate bodies, the Indian government and information providers were subjected to sensible security practices. In addition to this, there are other laws within the Indian Penal Code (IPC) that can assist in practising a reasonable level of security while handling data in the cloud.

The Information Technology Act (Section 43A)

When a corporate body causes a “wrongful loss or wrongful gain” due to its negligence in maintaining a fair level of security of data, it is liable to pay compensation to the person affected.

The Information Technology Act (Section 72A)

A privacy breach may result in imprisonment for up to 3 years and a penalty that may extend up to five lacs.

Right to Privacy (Article 19 and 21)

Right to privacy (applicable to data privacy as well).

Activity

Find out the key features of the Information Technology Rules 2011 that relate to business organisations dealing with sensitive/personal data.
