Interview with Michelle Dennedy
Michelle Dennedy, Chief Governance Officer, Cloud Computing, Sun Microsystems Inc.
January 2010
Subject: Cloud Computing
Nymity: What is a Chief Governance Officer for Cloud Computing and why would a cloud provider need one?
Dennedy: The Role of Chief Governance Officer was created to focus on the evolution of 'cloud computing' and address the many control vectors for information that may be implicated by distributed information processing that is becoming the norm rather than the exception in an increasingly connected world.
My charter was specifically designed to cover:
- Strategy and planning to include all data governance issues relating to Cloud Computing product/service offerings including privacy, security, policy, export control, etc.
- Defining the objective criteria and practice to ensure that data stored or otherwise processed on Sun's Cloud/ Utility service offerings meets or exceeds the data security, privacy, and governance requirements for all customers and users.
- Driving and managing compliance and ongoing governance standards for the Sun Cloud and Sun managed/ designed Cloud architectures.
- Developing measurement criteria, governance policies, and practices necessary to seek appropriate certifications that are required to attract enterprise customers.
- Educating executive, development, and operations teams regarding proper conduct to ensure protection of customer information.
- Representing Sun in public fora regarding policy and governance issues raised by the evolving practices and trends that support a Cloud data strategy for Sun customers, public policy or other influencers and enforcement agencies.
- Exploring potential business opportunities for new services in areas such as certification, auditing, and standards compliance to enable the usage of cloud services by customers that would otherwise not be capable of moving information into the cloud.
- Advising product management regarding the development of new services based on customer-submitted public data sets to ensure that proper legal, licensing and usage terms are in place.
It is a rather broad charter but one that most Chief Compliance or Privacy Officers will find very familiar. In an uncharted but fast moving field, we are asked to follow rules that exist that do or may apply in a new context and to create measurement out of chaos to begin to normalize and disclose controls for information assets.
Nymity: What is cloud computing?
Dennedy: While this should be a straightforward question, the popularity of Cloud Talk has scattered the potential definition of cloud computing to mean everything from virtualization to grid utility computing to anything that is "out there."
A great place to start is to look at the (US based) National Institute of Standards and Technology (NIST) current definition, which may be found at http://csrc.nist.gov/groups/SNS/cloud-computing/. They are on version 15, so the only thing that is clear is that there is not a great deal of clarity as yet.
I shall quote from this source extensively to avoid too much debate over these foundational concepts. There are many other commentators with their own take on cloud computing, including some outspoken and interesting IT executives who shall remain nameless here, but that is another story altogether.
According to the NIST group, "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." Easy, right?
That said, most can agree that Cloud Computing as currently conceived has a combination of these telltale hallmarks:
On-demand self-service: Where the user of cloud services can choose when and how to provision services. The timing and fluid turning on of resources makes the initial engagements far less measured and apparent to governance professionals, including privacy, security and legal teams.
Internet and intranet network access: Where services may be accessed on a variety of different devices and 'clients'.
Multi-tenancy: Where multiple applications or multiple user data may be shared within the same data center or compute resources. Multi-tenancy is relevant where the 'tenants' are completely different entities or different groups within one entity. Where the tenants are separate entities, the data protection considerations can be very challenging because concepts like control and audit without either entity becoming exposed to the others' information are relatively new and untested in this space.
Rapid elasticity: Where compute resources can be increased and decreased dynamically as needed.
Measured Service: Where usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service and a conversion of IT spending from bursts of large capital expenditures to operational expenditures. This conversion is the reason for the extreme excitement within business communities as well as within the information technology communities.
In addition to the various Cloud Computing characteristics, there are three categories of the type of services currently conceived in Cloud Computing.
Software as a Service (SaaS). Where the consumer does not manage or control the underlying cloud infrastructure but, instead, is a user of applications created, managed and operated by the cloud provider. This type of web-based service may or may not be considered a true utility "cloud" but certainly is the most familiar of the three service types. From a governance perspective, this form of cloud service offers the least amount of control for the user. Accordingly, compensating controls via contractual obligations and the ability to audit or receive transparent communications regarding the operation of the cloud services are critical.
Platform as a Service (PaaS). Cloud users leverage programming languages and tools supported by the provider to create cloud based applications for either direct consumption or for use as a SaaS service. Here users of PaaS services have control over the deployed applications and potentially over a range of configurations for the applications created from the platform tools. This is a service that would typically be leveraged by the more sophisticated IT user. While the greatest amount of evolution in the technology standards and tools may be taking place at this service level, it may also offer governance professionals a means to introduce technical controls such as audit, identity management, encryption techniques and the like during the application development.
Infrastructure as a Service (IaaS). Cloud users have control over operating systems, storage, deployed applications, and possibly limited control of select networking components but most likely will not own the physical environment.
Nymity: What kind of organizations are offering cloud computing based services?
Dennedy: The original players in the cloud computing field are the expected complement of high technology companies such as Sun, IBM and HP, where the providers own solutions in the combined software and hardware business and have arguably been providing IaaS type services and systems. Google, Yahoo and Microsoft are probably the most recognizable consumer facing companies offering services such as email, calendar and document processing.
Salesforce.com is another prominent CRM SaaS provider with a less well known but important PaaS platform.
Finally but not least, Amazon's storage and compute services are interesting examples of IaaS coming from a retail ecommerce organization. This conversion from traditional retail to services may be a trend that expands cross industry and continues to challenge the definition and scope of Cloud Compute services.
Nymity: What are the privacy risks to organizations offering these services?
Dennedy: The data protection and privacy risks do vary depending upon the level of services from SaaS to PaaS to IaaS because the levels of actual and expected controls vary. In general, however, the terms of use are critical to the provider, with particular emphasis on the amount of intellectual property control, liability for failure of service levels and, of course, loss of data through negligence or malfeasance. In short, privacy risks for ISVs, ecommerce or other service or outsourcing service providers apply in cloud computing as well.
In the case of a mixed entity cloud compute environment, a Cloud Computing service provider may face particular privacy and governance risks. For example, a cloud user may have a requirement or a desire to have an audit trail of activity regarding use of services, intrusions or geolocation of the stored data itself. In a dedicated environment, such concerns and requests for measurement and control may be managed with third party audit or direct inspection. The risk of inadvertent intrusion into a fellow tenant's environment or loss of data integrity.
Another risk that must be managed in these environments is the regulatory risk of understanding and managing the location of relevant information. Many of the larger cloud providers are starting to offer geography restricted services to keep data within a particular boundary or region where the traditional data transfer and conflict of law issues may be managed.
Nymity: How does an organization manage a compliance program when the data could be in multiple locations as could the customers?
Dennedy: As mentioned above, more services are starting to offer geo specific services. Where those types of services are not available or entities are not willing to commit to transparency about the location of data, a customer organization must take a look at its compliance programs to understand its customer base, and requirements to determine which applications are appropriate for cloud and where a truly international compliance program may be implemented.
Particular care must be paid where the cloud service provider disclaims any liability to provide an 'as is' service without a clear data transfer strategy. In such a case, the customer organization should ensure that any registrations, dispute resolution mechanisms and transfer requirements are met, and determine whether the cloud provider can provide sufficient proof and transparency to ensure controls are in place.
Nymity: Have there been regulatory actions or guidelines, or case law, that help organizations with cloud computing?
Dennedy: Wait for it. Cloud computing has yet to become a staple tool for the enterprise outside of the SaaS arena. Vendor management and outsourcing case law is highly relevant in evaluating legal risk in this area.
In the US, the 4th Amendment protects data found in homes, lockers and computers but not business records like those found in a bank. Once the data is in the clouds, will the 4th Amendment apply, or is the data considered a business record?
This is actually a complex question and there is not yet absolute clarity in this area. Where an individual starts using a SaaS service, for example, to place truly personal data in the cloud rather than in paper form on a bookshelf at home, that document may be considered a business record of the cloud provider for the purpose of government investigation. The Fourth Amendment still applies, but the government agent has a lower burden before he may acquire information. Furthermore, the individual who has data in the care of a cloud provider may have no notice that information has been examined.
Similarly, an enterprise may not be made aware of a government investigation in a cloud environment. Terms of use for service levels may or may not specifically cover this contingency. An important distinction must be made where enterprise documents stored in a cloud environment are often already business records and thus subject to subpoena as opposed to a court ordered search warrant.
For both consumer and enterprise applications, one risk mitigating strategy is to encrypt information that is stored in a remote location and manage the keys onsite to force an inquisitive government agent to notify the cloud user before investigations begin. The caveat here is that many applications simply will not be functional unless data is processed in the clear and, thus, an encryption solution will not be a silver bullet for protecting data from investigations.
If data is moving from one jurisdiction to the next, how do you comply with breach notification and data security laws in the USA?
Nymity: In Canada, the EU and other locations around the world, an individual has the right to know where their data is located, to access that data and, in some cases, to have the data destroyed. What challenges will this have for organizations?
Dennedy: As noted above, some services are limiting geolocations. Where a service has not or cannot manage notification of data geolocation and an entity determines that the data in question cannot be protected through segmentation, encryption or logical rather than physical server based controls, the application in question may not be appropriate for a third party owned, multi-tenant environment. In such a case, a better option may be a so called "private cloud" where a single entity manages virtualized, web based services but ultimately controls the structure, location and management of information services.
Nymity: In closing, what privacy recommendations do you have for organizations that are offering, or planning to offer, cloud computing based services?
Dennedy: The benefits of Cloud Computing are irresistible and this area of techniques and technologies is rapidly expanding, while the risks are present but equally ephemeral at this point. Having an overall data strategy in place where an entity clearly understands its pragmatic risk profile, understands its data requirements and the applications that may be necessary to meet those requirements, and the sensitivity and general quanta of data, is probably the most important element in planning a privacy strategy for cloud computing.
It is most likely a matter of when and not 'if' an organization will be impacted in some way by Cloud Computing, so the best preparation is to audit and clean up the existing mechanisms for data transfer, vendor management, audit and outsourcing due diligence. Preparation with the basics is certainly a better means to manage risk in this space than hoping terms and conditions and indemnity clauses will breathe life into an organization's unique data challenges.
Where an organization has a critical application or specific requirement for compliance such as a geolocation service, the marketplace is wide open for standards, requirements and business cases, so I would also recommend getting involved with the cloud providers who are looking for early cases and applications and may be very open to customer requirements during the cloud buildout.