Governance beyond Uncertainty

I had the privilege of joining Sun’s Chief Privacy Officer, who is also our Chief Governance Officer for Cloud Computing, in meetings with some government InfoComm authority folks. The subject of the meetings was Governance for Cloud Computing.

Overall, I thought she did well in covering the key points across areas such as legislation / laws and jurisdictional territories, Standards, data classifications / categories, how to maintain data privacy and security across the data lifecycle, IP (Intellectual Property) of third-party content, license rights, policing rights, etc. The message she brought to the table is that, at the end of the day, businesses need to manage an acceptable equilibrium between gaining business agility, cost advantages and the ability to leverage available Cloud services on one side, and the level of risk the business accepts or tolerates on the other. It was not an easy subject to talk about (especially within an hour).

On Sept 14th, I posted an entry called “Cloud Computing: The big picture”, in which I quoted McKinsey on the point that there are at least 22 different definitions of Cloud services in use in the industry today. There are also many ways that businesses could leverage the various available Cloud services, be it SaaS, IaaS or PaaS. Businesses could use these Cloud services to augment their current infrastructure in supporting seasonal / cyclical / temporary peak loads, or use them for occasional analytics, testing and development purposes, etc. So, picture this complex definition matrix of Cloud services, which is three-dimensional – firstly, there are three key categories of Cloud services (SaaS, IaaS, PaaS); secondly, a service could be private, public or hybrid; and lastly, there are the various ways that businesses are using the Cloud (test, development, augmentation, functional, research, etc.).

Every one of these ways to use Cloud services is unique. It is unique in the sense that the type of data that will be transferred to, stored on and located on the service provider’s infrastructure will be different, e.g. a batch process to run analytics on consumer data, or the financial planning proposals for an insurance firm’s clients during the month of December (where December is a typical peak month in the insurance business in this part of the world), or employees’ personal blogs, web spaces, or photographs, or telephone usage records for each phone extension, etc. Each of these types of data, belonging to the businesses and/or their employees, is related to the way they use Cloud services, i.e. it depends on what the businesses use the Cloud services for and how. Therefore, before we even begin on data privacy or security concerns, we should first approach the problem by understanding how we classify or categorize our data. In general, a common way to classify data is by labeling it “Sensitive”, “Confidential”, “Private” or “Public”, and these labels depend on your business context: the classification for a government ministry, public service, military agency, or hospital would be very different from that of a for-profit organization. Only after we have classified the organization’s data will we have logically placed all of it into appropriate “buckets”, each signifying its importance, value and privacy requirements.

After the data is classified, we should then take a look at the critical path and lifecycle of this data, i.e. how does it get created, what is its lifespan, who uses it, how does it get used, what are the implications and impact if this data falls into unauthorized hands, how does the data flow from the origin where it is created to the point where it is used or consumed and to the point where it is stored or archived, what are the threats and risks along this path, and how (if necessary) would you destroy the data?

In my opinion, we sometimes jump way past all of this into a situation where we do not have sufficient context or perspective to assess it. For instance, somebody might enquire: suppose you subscribe to a Cloud service in Singapore, where your data is hosted in Singapore, and this service provider has a DR site located in India or China, and it happens that, due to an incident, they have to fail over to the DR site. So, now, your most current data is located at least 3000 miles away from Singapore. And the question is: what happens if your service provider goes out of business and their infrastructure is seized for liquidation? How can you protect and retrieve your data? Are you protected by Singapore jurisdiction or subject to the jurisdictions of India or China?

Well, in my opinion, this scenario lacks sufficient context. What sort of data are we talking about? What Cloud service are we talking about, and how are the legal terms around this service offering, which are agreed to by and bind the consumer and producer together, structured? Let’s revisit my earlier Big Picture and take a look at the yellow-colored boundaries on the right. Above the service operation would be the terms of usage and legally binding contracts – and these are important elements in any business agreement. After all, subscribing to a Cloud service is the same as paying for a service such as WAN connectivity, leasing space in an office building, etc. The underlying agreement to pay for what you consume must be backed by legally binding and mutually agreed terms and conditions for usage and a commercial contract. As for the first part of the question, protecting your data in such a dire situation, well, it is ultimately dependent on the equilibrium – what is the acceptable level of risk, balanced against the benefits of the Cloud services to your business?

Prior to entering into the commercial contract for this Cloud service, the business must understand this equilibrium and its acceptable / tolerable level of risk, and understand the implications for the business. Only by doing this will the business avoid being caught off guard.
