Cloud computing continues to gain traction as businesses seek greater agility and new ways to connect with customers who increasingly engage with them through social media and mobile technology. So as we prepare to start the New Year, it is a good time to consider some of the things attorneys should be watching in the area of cloud computing: encryption, identity and access management, and wearable technologies.
With the NSA in the headlines this year for monitoring U.S. citizens, cloud encryption solutions are expected to dominate the cloud landscape in 2014 as more companies seek to encrypt data being placed into the cloud. Gartner predicts that, in 2014, cloud-based tokenization and encryption will be among the highest growth areas of cloud security.
Encryption protects data by making it readable only to those who hold the key needed to decrypt it. Encryption is not new, but it has not been widely used in cloud environments. Cloud services evolved around consumers, and the focus was on functionality and ease of use for people who want to handle tasks directly, so encryption features were often left out. Encryption also shifts the problem to key management: keys must be protected against theft, since whoever holds the key can read the data, and against loss, since data encrypted under a key that is accidentally deleted cannot be recovered. Attorneys should be aware that many businesses do not have personnel trained in encryption and often have not classified their data in a way that makes clear what must be encrypted.
To address these demands, some businesses are considering cloud encryption gateways: a proxy that sits on premises, tokenizes or encrypts sensitive fields before they leave for the cloud service, and reverses the process on the way back, so that the provider only ever holds protected values. Split key encryption is expected to become even more popular in 2014. With split key encryption, the data encryption key is divided into two shares, one held by the cloud service provider and one by the cloud user; neither share alone reveals the key, so the cloud user's data can only be decrypted with the cloud user's participation.
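The split-key idea above, as a runnable illustration. This is an added example, not code from the original article and not any provider's product: the key is split with XOR secret sharing, the cipher is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) used only so the example runs anywhere, and the patient record is constructed sample data.

```python
"""Split-key encryption, illustrated.

A 32-byte data key is XOR-split into two shares.  One share is handed to
the cloud provider, the other stays with the customer.  Each share on its
own is uniformly random and says nothing about the key; XORing the two
recreates it.  Decryption therefore needs the customer's participation,
and deleting either share makes the key (and the data) irretrievable.

The cipher below is a stdlib-only stand-in (HMAC-SHA256 keystream with an
encrypt-then-MAC tag) so the example runs without extra packages.  Real
deployments should use a vetted AEAD such as AES-GCM from a crypto library.
"""
import hashlib
import hmac
import os

KEY_LEN = 32    # bytes of data key
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 output


def split_key(key):
    """Split key into (provider_share, customer_share) with XOR secret sharing."""
    provider_share = os.urandom(len(key))
    customer_share = bytes(k ^ p for k, p in zip(key, provider_share))
    return provider_share, customer_share


def combine_shares(share_a, share_b):
    """Recover the data key; needs both shares, in either order."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def _subkeys(key):
    """Derive separate encryption and MAC keys from the data key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, used here only as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def can_decrypt(key, blob):
    """True if key opens blob, False otherwise (convenience for the demo)."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def demo(record=b"patient 1234: HbA1c 6.1%"):  # constructed sample record
    """Split the key, store the record, try the two failure cases; return outcomes."""
    data_key = os.urandom(KEY_LEN)
    provider_share, customer_share = split_key(data_key)
    blob = encrypt(data_key, record)           # what actually sits in the cloud
    del data_key                               # only the two shares persist
    rebuilt = combine_shares(provider_share, customer_share)
    return {
        "round_trip": decrypt(rebuilt, blob) == record,
        "provider_share_alone": can_decrypt(provider_share, blob),
        "customer_share_alone": can_decrypt(customer_share, blob),
        "tampered": can_decrypt(rebuilt, blob[:-1] + bytes([blob[-1] ^ 1])),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point to take from the demo is the two failure modes the article raises: a provider (or an attacker who compromises the provider) holding only its share cannot read the data, and a customer who deletes its share has no way to rebuild the key, so the share needs the same backup discipline as any other key material.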
Some companies, particularly those in healthcare, are now installing full-disk encryption on their employee laptops. Note, however, that full-disk encryption protects data only while the machine is powered off: once the password is entered at boot, the decryption key is held in memory and the disk contents are accessible until the laptop is shut down. Putting a laptop to "sleep" keeps the key in memory, so a laptop lost or stolen while sleeping, or while unlocked, may be completely unprotected. Attorneys should consider whether their organization's technology policies should be modified to require employees to completely shut down their laptops before removing them from the workplace, and to use the "shut down" function rather than "sleep" when traveling or leaving a laptop unattended in an unsecure environment. Additionally, attorneys should consider whether technology policies address encryption of mobile devices and removable media, such as USB drives, that will be used remotely.
The cost of encryption is small when measured against the potentially substantial financial exposure from a data security breach, especially one involving protected personal or health information. Most breaches today do not involve sophisticated attacks. They are associated with people coming in the "front door" using weak or stolen credentials, or with lost or stolen devices. If organizations allow employees to use their own devices, cloud security professionals recommend encryption wherever sensitive data might be stored on those devices. Organizations may have a policy prohibiting storage of sensitive information on personally owned devices, but such policies are often difficult to enforce, which explains the increasing use of company-owned computers and encrypted portable media.
Given the prominent role of encryption in cloud security, attorneys are encouraged to spend some time in the New Year consulting with their organization’s IT and security teams to gain an understanding of this important aspect of cloud security and to include appropriate protections in cloud services agreements.
Identity management also is expected to gain increasing attention in 2014. Managing who has access to what, and quickly removing that access when employees leave the company, is essential to enterprise security yet is more complicated in today's cloud environment. Without cloud identity management, companies have difficulty adopting public cloud solutions safely and effectively. The concept of "aggregate identity" is being discussed by cloud security professionals as a means of addressing identity and access management. This aggregate identity consists of several parts, including corporate identity, personal identity, devices used, behavior and social identity. The challenge in identity management is the need for organizations to quickly determine who the user is and what the user is authorized to access, in a cloud environment that is fast moving, outside the organization's control, and very complex.
"BYOI" or "bring your own identity" is an emerging concept in cloud security. As the name suggests, it means bringing your own identity to online interactions. The concept can be understood as using a social or consumer identity for access: for example, using your Amazon ID to shop at various stores rather than creating a new account at each store. According to a recent study, less than 5 percent of customer identities are based on social network identities, but by the end of 2015, 50 percent of all new retail customer identities are expected to be based on social network identities.
Social identity is being promoted by large cloud service providers to help reduce the costs of identity management and provide a framework to consumerize identity. Some government agencies are using this approach. For example, New York’s Ny.gov website uses an online ID and password that enables individuals, businesses and organizations to securely access multiple online government services with a single user ID and password.
Cloud, mobility and BYOD are driving developments in BYOI. Some areas of current focus in BYOI include strength of authentication and identity administration, determining who is responsible if the identity is breached, and methods for revoking access. Attorneys will need to monitor the developments in this area to understand how legal compliance may be impacted by BYOI.
Wearable technology continues to expand, as Google Glass and other wearable devices illustrate. Wearable technologies are worn in much the same manner as traditional eyeglasses or clothing, with the difference being that they interact with the user based on the context of the situation. These wearable technologies can act as intelligent assistants or provide augmented reality, and they rely on the cloud for data storage and other services.
These wearable technologies, together with other mobile devices, expand the legal, security and privacy issues that attorneys need to consider in helping their organizations maintain effective privacy and security controls. While a number of wearable technologies are already used in industry, such as armbands that track goods being gathered by employees, many wearable technologies are designed for consumer use and do not necessarily have the built-in security controls needed to meet business security requirements.
The Federal Trade Commission is closely monitoring Google Glass and other wearable computers for potential privacy violations. With these emerging wearable technologies, it is important for attorneys to consider the associated privacy and security implications. Wearable and other mobile technologies significantly affect traditional IT security models by expanding the perimeter a business must defend. Developing systems for accurately identifying and inventorying wearable technologies and mobile devices will be essential to managing security and compliance responsibilities; without such an inventory, it will be difficult to manage these technologies at all. Attorneys will need to ensure that their organization's cloud and information security controls and policies address wearable technologies and the growing array of mobile devices.
Technology continues to move beyond traditional computer equipment and mobile devices into enterprise assets and wearable computers that rely on the cloud. Attorneys need to help their organizations proactively explore the possibilities presented by these emerging technologies in order to be operationally and organizationally ready to address security, governance and compliance issues.