Private Cloud Security Model - Legal and Compliance Issues

  • Article

One area where IT decision-makers have considerable concerns with private and hybrid cloud implementations are the areas of legality, data protection, personallyhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-85-24-metablogapi/5658.image_5F00_64BCDD48.png identifiable information (PII) and compliance. These requirements are particularly important in hybrid implementations, where you or business units within your organization may be in the position of the customer to a public cloud supplier.

Governance

Organizations looking at implementing a private cloud infrastructure are likely to need to ensure that effective governance of the new environment. The management stack of the private cloud architecture should enable management to view security aspects of the environment and show the current threat levels to the organization. Typically, governance oversight is provided through a web-based dashboard that translates the technical aspect of security issues into understandable business language.

Compliance

Organizations in certain industry verticals such as health, financial operations, and the provision of public services fall under the auspices of a range of compliance requirements and regulations, such as the Health Insurance Portability and Accountability Act (HIPPA). With international organizations or hybrid implementations, it is possible that moving to a private cloud environment may result in users in one country with one set of regulations accessing data in another country with a different or even conflicting set of requirements.  

Note:
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page

The requirement for access to company data by law enforcement agencies is another area that must be examined carefully. For example, an organization may be presented with a subpoena to make its e-mail records made available. If this occurrence takes place, what is the effect on client confidentiality for data owned by a business unit from a different continent? Business units must be aware that these risks exist and that they may be exposed to the legal requirements of a different jurisdiction.

Ultimately, your organization needs to be aware of the compliance requirements of all the countries in which it operates. One conclusion may be that data from one country cannot be hosted in another, as can be the case with public cloud implementations.

Integrated Governance, Risk Management, and Compliance

The most effective approach to mitigating legal issues is to implement a fully integrated governance, risk management, and compliance framework. This framework would need to be defined at the highest level and then designed into the private cloud implementation.

Data Protection and Personally Identifiable Information

Personally identifiable information (PII) is data that enables a living person to be identified. The US Office of Management and Budget identifies the following information as PII.

  • Full name (unless a very common name)
  • National identification number
  • Vehicle registration plate number
  • Driver's license number
  • Date of birth
  • Birthplace

Protection of PII can be a significant issue with organizations that operate in multiple jurisdictions. For example, legislation such as the Data Protection Directive of the European Union (Directive 95/46/EC) governs the protection of PII in Europe. Among other requirements, this legislation requires data holders to give notice to users that their data is being stored and grant them access to correct inaccurate data. This data must also be protected from potential abuses. Hence, storing personal data can be a significant complication.

This complication arises not from the fact that the data might be insecure, as cloud environments can be made as secure as more traditional data centers. In this case, the issue is about granting access to the owner to amend the data. If your organization needs to store PII and you have a legal requirement to enable the owner of that data to change it, then you should consider how that information can be presented to the owner and amended if required.

Your organization must create a statement that covers its collection, collation, storage, management, transfer, and deletion of PII. This statement must address the process for releasing the information to the original owner and to any third parties, such as a hosted cloud provider.

The US Patriot act also introduces complications for multi-national organizations that are wholly-owned by US companies but operate in other parts of the world. If this situation applies to your organization, you should review the requirements of this act when planning data storage and PII.

The basis of the private cloud legal relationships between the IT department and the business units of the organization that subscribe to those services will be contained within a number of documents. These documents should align with the IT Infrastructure Library (ITIL) Security Management process and include:

  • Service Level Agreement (SLA). The SLA is the key definition of the arrangement between the service provider and the consumer of the private cloud services. This document should clearly identify the security levels that the service provider applies and identify the risks so that the consumer can make an informed decision on the service offerings.
  • Operating Level Agreement (OLA). This document defines the relationships between the groups within the organization that support the SLA. The OLA makes these support relationships clearly visible and helps the consumer identify responsibility for support functions. The OLA must clearly spell out who is responsible for security support, the boundaries of that support, and the contact details and follow-up information if there is a security issue.
  • Terms of Usage (ToUs). ToUs agreements make the consumer aware of what is or is not deemed acceptable usage of the cloud-based service, particularly in relation to security. For example, running port scans or using other people’s identities to log on are areas which might be specifically prohibited by the ToUs.
  • User License Agreements (ULAs). ULAs specify the terms that the consumer must accept before accessing private cloud applications, platforms, or operating systems. Some of the ULAs may come from commercial off-the-shelf software hosted in the cloud environment or may be specifically created by the organization’s legal department for its in-house applications.

All of these documents must set out clearly the security considerations of using the private cloud service, what activities are prohibited, and any penalties for contravention of these prohibitions. It should highlight that security responses may be automated and that manual intervention may be required to undo those responses. The legal documentation must also set out the process for establishing the identity of the consumer in the case of activities such as password resets or account provisioning and deprovisioning.

RESOURCES:

 

ACKNOWLEDGEMENTS LIST:
If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
[Enter your name here and include any contact information you would like to share]

Return to Private Cloud Security Model[

Return to Blueprint for A Solution for Private Cloud Security](http://social.technet.microsoft.com/wiki/contents/articles/blueprint-for-a-solution-for-private-cloud-security.aspx)

Return to A Solution for Private Cloud Security

Return to Reference Architecture for Private Cloud

Move forward to Design Guide for A Solution for Private Cloud Security

Table of Contents for A Solution for Private Cloud Security