Privacy On Public Clouds – Five Issues You Must Know About
Cloud computing is everywhere and presents a compelling value proposition for its end users. However issues like privacy and security still are grey areas when it comes to public clouds. Here presented are five issues one must be aware of:
Many cloud users do not know the answer to this question – Who owns my personal information once I upload it on the Cloud Service Provider’s (CSP) server? Most public cloud service providers recognize that the user retains ownership of data once it is uploaded. (e.g. https://www.facebook.com/legal/terms) This also means that you have decided to trust the CSP with handling of your data. The CSP may have some responsibility for handling the information safely but not all. You may choose a different service provider or choose not to put particular data on cloud altogether. But the buck stops at you are responsible for the data you put up there.
2. CSPs collect much more data
Typically at the time of joining you provide certain details including personally identifiable information (PIIs) to CSP. But you will be surprised to know that they know a lot more about you. The additional information is derived from your regular usage of their services. This includes when you log in, for how long you are connected, devices you use, location from where you connect, applications you use etc. Various mechanisms are employed to collect these details. Common methods use browser web storage, application data caches, cookies, pixel tags and anonymous identifiers.
3. You have only limited control over data
It is common for CSPs to provide few privacy options to end users. But there is a catch. Firstly you do not get to control every data, only a subset of privileges is offered. Secondly these options help you customize how rest of the world sees your information. Your CSP still has full access to the data, and they use it for a variety of purposes (e.g. http://www.google.co.in/intl/en/policies/privacy/). You cannot stop them from doing that because it is covered in the contract.
However, you still have some absolute powers in the form of local browser security settings. You can set the desired security levels and in effect block cookies or other scripts from executing. But there is a cost associated with this. The moment you say block cookies, many features may stop working. CSPs clearly state that in their terms and conditions. So if you want to get full features from the cloud this is not a practical option.
4. Encryption is your true friend
What if you have already signed up with cloud service provider? You still have a friend in terms of encryption. You can encrypt all your sensitive data before storing it on the cloud. This adds an additional security layer, control of which lies entirely with you. It may not be to the CSPs liking but highly recommended as this will fetch you greater control over safety of your data.
5. Law of the land may not apply
Unfortunately, privacy laws all over the world are still evolving and there is no global standard. While you may be governed by the state laws you live in, the same may not apply to your data. Your CSP and eventually the server where your data resides, may come under a different jurisdiction. So think again if you are counting on local laws to come to your rescue in case of a breach.
By Manoj Tiwari