December is Cloud Privacy Month
Businesses have been grappling with the different cloud choices for some time. However, we need to keep advising them on the differences that matter from a privacy and data protection perspective.
Organizations need to take a careful look at the type of data that goes in the cloud and the capabilities of that cloud service to support the legal obligations involved with the data being processed.
Most of the risk assessments for the different types of cloud models talk about security issues. The models below come from the UK Government’s National Cyber Security Centre.
|Service model|Associated risks|
|---|---|
|Infrastructure as a Service (IaaS)|Offerings implemented using hardware virtualization and leading virtualization products can provide a good level of separation between workloads and data in community and public cloud platforms. However, like all complex software, IaaS offerings will never be free from vulnerabilities and the risks that these bring. IaaS services also have a much greater burden on the user to configure and operate well.|
|Platform as a Service (PaaS)|PaaS offerings tend to have a larger attack surface than IaaS offerings since the separation between users is normally provided in higher-level software rather than by a hypervisor. Community cloud PaaS offerings may provide some additional comfort for users where an acceptable use policy is in place that has been designed to reduce the risk of malicious workloads. PaaS technologies are evolving rapidly and you should regularly verify that your platform choice meets your business and security needs.|
|Software as a Service (SaaS)|SaaS offerings tend to implement separation at a higher level than both IaaS and PaaS, meaning the potential attack surface for a would-be attacker is much greater. Unless architected well these services will often present a potentially higher risk than deploying software packages for a dedicated user within an IaaS or PaaS service.|
The biggest privacy risk in IaaS is that liability falls strictly on the organization engaging the cloud service provider (CSP). Even though the IaaS provider is still responsible for vulnerabilities and overall security, they are absolutely “blind” when it comes to customer data.
PaaS solutions bring the CSP one step closer to the data, and this is where organizations need to understand the setup and make careful decisions about who can “see” the data at any given time. Consideration has to be given to the separation of roles, elevated permissions, and of course, the attack surface.
Last but not least, SaaS is the service that should get the most attention, because the provider decides the features and functionality of the application offered and the buying organization has absolutely no say. However, there may be ways to limit certain functionality so as to allow more privacy-friendly options.
If you are currently looking at engaging a cloud service provider, Managed Privacy Canada is here to help. Choose the right cloud service provider with our Vendor Risk and Impact Assessment. Book your free 20-minute consultation with our Privacy Experts today at managedprivacy.ca