THE LONG WHITE CLOUD
Addressing Privacy, Residency and Security in
the Cloud for New Zealand Organisations


February 2011



By Doug Newdick
With John Baddiley, Anita Easton, Boris Guskee
TABLE OF CONTENTS

DISCLOSURES
EXECUTIVE SUMMARY
INTRODUCTION
SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS
       The Privacy Act
       Tax Administration Act
       Payment Card Industry - Data Security Standard (PCI-DSS)
       Reserve Bank of New Zealand Act
       Public Records Act
       Official Information Act and the Local Government Official Information and Meetings Act
       Security in the Government Sector (SIGS)
       SSC Advice
DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS
OTHER CLOUD OPTIONS
       Public Cloud with New Zealand Hosting
       Community Cloud in New Zealand
       Encryption within the Cloud
       Tokens
       Local Agents, Cloud Management
MANAGING CLOUD PRIVACY, RESIDENCY AND SECURITY RISKS
       A Cloud-Aware Evaluation Process
       Practices for Reducing Implementation Risks
IN CONCLUSION
ENDNOTES





DISCLOSURES

Davanti Consulting was established in 2007 as the independent business consulting arm of
Gen-i New Zealand. Our consultants bring with them a wealth of experience from a variety of
fields and pride themselves on their pragmatic approach to delivering tangible business value.
In the interests of acting with openness and integrity we want to inform you of any
relationships that are relevant to this white paper:
    •   Davanti Consulting is salesforce.com’s preferred partner in New Zealand;
    •   Gen-i New Zealand provides cloud solutions ranging from infrastructure and security
        to applications.
For more information visit our website at:
www.davanti.co.nz





EXECUTIVE SUMMARY

Cloud computing can bring significant benefits to New Zealand organisations, but adoption is
being hindered by concerns about privacy, residency and security risks. However, the cloud is
here and is here to stay. We need to incorporate the cloud in the way we identify, assess, and
select solutions. Our recommendation is to use a process for this evaluation that avoids both
the hype and the unjustified fears around cloud computing and instead focuses on a sober
examination of the compliance obligations in New Zealand and risks to the business weighed
against the potential gains in efficiency and competitive advantage that the cloud can
deliver. There are specific laws and regulations that impact New Zealand organisations’ use
of cloud computing but these impacts are often not the insurmountable barriers they are
made out to be. It is true, however, that the distinctive features of cloud computing give rise
to special risks as well as rewards. In particular the fact that there are no current
internationally recognised standards for cloud computing security means that individual
organisations must do much of the work of managing these risks themselves.





INTRODUCTION

The advent of cloud computing has been one of the most influential trends affecting
businesses and their IT organisations in the last few years. Few CIOs are not thinking about
using the cloud, and some already are. Davanti is, however, seeing some reticence, largely
based on concerns about information and data: Who can access it? What will happen to it?
What rules apply to it? How secure is it? Can we control it? Conversely, we sometimes see
clients who do not understand that there are valid concerns about these issues with cloud
computing services and who are therefore potentially opening themselves up to risk.
This paper aims to explore what the real issues, risks and constraints are for New Zealand
organisations that are thinking about cloud computing and how to address them.
Firstly, we examine the directives, standards and legislative controls that actually do
constrain New Zealand organisations. Secondly, we place cloud computing in the context of
traditional modes of delivering and sourcing computing resources and examine those privacy,
residency and security risks that are distinctive to cloud computing. Lastly, we look at the
various solutions and practices that New Zealand organisations could and should adopt to
address these constraints and risks to allow them to take full advantage of the significant
benefits that cloud computing can deliver.
New Zealand organisations ignore the privacy, residency and security concerns of the cloud at
their peril. There are real and significant risks in using the cloud, and not managing these
risks can expose an organisation to loss of reputation, trust or even loss of business critical
data. Much of the current reluctance to adopt cloud computing, however, is based on fear,
uncertainty and doubt rather than on a calculated assessment of real risks. In order to best
utilise cloud computing to obtain competitive advantage and operational efficiencies you
need to transform the discussion from one based on rumour and conjecture, to one based on
evidence.





SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS

Few standards or pieces of legislation have the foresight to consider the issues of cloud
computing directly. However we can apply the broader principles and advice around
traditional security risk management to the issues of cloud computing. In particular, advice
that is valid for outsourcing often applies to cloud computing as well. There is a range of
legislation and other standards that apply to New Zealand organisations and that have (or are
thought to have) an impact on cloud computing. This section discusses their applicability to
cloud computing. Figure 1 outlines which of these standards and legislation apply to different
organisation types in New Zealand.




               Figure 1 Standards and Legislation versus Organisation Types


The Privacy Act
The Privacy Act 1993 governs all organisations in New Zealand. It has associated codes that
provide more specific guidance and controls for particular industries – e.g.
telecommunications and health. The Privacy Act applies to personal information – that is
information about individual people. If you gather personal information in New Zealand then
your organisation is bound by the principles of the act regardless of how or where that
information is managed. The principles contained within the Privacy Act concern good
practices for managing personal information, such as: only using information for the purpose
it was collected, and giving people the chance to correct any information about them that is
incorrect.[1] If you are not going to put information about individuals into the cloud, then the
Privacy Act will not impact your use of cloud services.
Our take: In the main the principles of the Act are no harder to meet when your applications
are hosted within the cloud than when they are on premise. The exception is Principle 5
(storage and security of personal information), which requires that reasonable security
safeguards are taken against loss, misuse, or unauthorised access, use, disclosure or
modification, and that if information is disclosed to another party (e.g. a cloud provider or
their staff) everything reasonable is done to prevent unauthorised use or disclosure.[2] Within
the context of cloud computing this means that a customer should ensure that the security
processes and procedures of their vendor are adequate if personal information about New
Zealand citizens is to be held in the cloud. The matter is complicated if the cloud services are
physically located in countries that do not provide the same level of protection for privacy as
New Zealand does.
The Office of the Privacy Commissioner has issued a poster-level summary (called PADLOCK)
of how to meet the requirements of the Privacy Act.[3] We suggest that this is consulted
whenever solutions are developed that use or store personal information, whether cloud-based
or not.


Tax Administration Act
In December 2010, the Inland Revenue Department (IRD) issued a revenue alert on the use of
cloud computing for financial record keeping. In summary, the alert states that it is the IRD’s
position that the use of off-shore cloud computing services to hold primary financial records is
a violation of the Tax Administration Act 1994. Violations of this act may be punished by
convictions and fines.[4]
Our take: The revenue alert is not the final opinion of the IRD on the use of cloud computing.
The communications between IRD and the software development community who create
cloud computing platforms suggest that either an exemption may be granted for individual
businesses who apply for one, or that a wholesale exemption may be applied to all users of
any “approved” financial cloud computing product. Given the popularity of cloud finance
applications, there is also a reasonable chance of a change in the legislation. If your
organisation is thinking of using such an application, we suggest talking to the IRD about the
matter before pursuing it in depth.


Payment Card Industry - Data Security Standard (PCI-DSS)
PCI-DSS is a standard regulating the processing of credit card information and transactions for
merchants (the people accepting credit card payments), issuers (the organisations that issue
credit cards) and acquirers (the organisations that mediate between merchants and issuers).
PCI-DSS is enforced by the leading credit card companies (Visa, Mastercard etc.)
internationally and is not specific to New Zealand.
In New Zealand, banks are the main issuers and acquirers for credit cards. As credit card
systems are regarded as “core”, and the RBNZ requirements are more stringent with respect
to the cloud than PCI-DSS, the following discussion only applies to merchants and small banks.
The PCI-DSS standards apply if you are storing, processing or transmitting credit card data in
your IT systems. They document the security controls on networks, information, IT systems,
people and processes that a company must follow if it stores, uses or processes credit card
data. When looking at the use of cloud computing for PCI components the following
considerations are relevant:

    •   The provisions of PCI-DSS about outsourcing apply: if you are assessed for compliance
        you must show which requirements apply to you and which to the third-party
        outsourcer. Either the third party must have undergone its own assessment, or it
        must be assessed as part of your organisation’s assessment.
    •   If you are not using a cloud provider that is assessed itself, then extensive
        information about the cloud provider’s implementation is required as part of any
        assessment.
Our take: Overall, the PCI-DSS standards are onerous enough when applied just to a company’s
internal computing environment. We recommend not storing credit card information in the
cloud unless it is with a PCI-DSS compliant provider (e.g. a credit card payment processing
vendor). Ask such a provider for its current Attestation of Compliance and confirm that the
specific services you will use fall within the scope of that assessment; a provider’s compliance
for one service does not extend to everything it sells.





Reserve Bank of New Zealand Act
Within New Zealand, “large banks” (defined as those whose New Zealand liabilities, net of
amounts due to related parties, exceed $10 billion) are normally subject to a condition of
registration relating to outsourcing arrangements. Controlled by the Reserve Bank of New
Zealand (RBNZ), these conditions define the components of bank processing that each bank
can outsource to 3rd parties. The RBNZ is primarily interested in the ability of a large bank to
continue operating in the event of a failure (either system or business) of any outsourced
party that the bank might be using.5 In general the RBNZ tolerance for outsourcing diminishes
as the function being outsourced becomes more material to the ongoing operation of the
bank. Systems which provide account holdings or inter-bank settlement are less likely to be
tolerated as targets for outsourcing by the RBNZ.
Our take: Cloud-provided systems are a form of outsourced function, and as such fall within
the remit of the RBNZ outsourcing policy. This means that core systems are generally not
considered appropriate for delivery through the cloud, as the failure of the cloud platform
could materially impact the bank’s ability to meet its obligations. Systems which are widely
used by customers may be placed in the cloud, but would attract intense scrutiny around the
controls available to the bank in the event of a failure in the cloud platform.
For those financial institutions that do not fall under the definition of “large banks” the RBNZ
controls do not apply. Smaller banks, however, should be aware of the requirements for large
banks, and take them into consideration when investigating the use of cloud services as the
Reserve Bank expects all banks to properly manage risks from outsourcing.


Public Records Act
The Public Records Act (PRA) covers all crown entities (not just government departments) and
local government bodies. It applies to all public records, which is all information created,
received or maintained by any of those crown entities and all local government records which
are on the “protected list”.
Our take: Like the OIA (discussed below), this act does not pose any greater constraints on a
cloud computing solution than on any other solution. The one key provision to consider is that
electronic records may only be destroyed as specified by a Disposal Authority (an approved
official document that specifies the timeframes and conditions under which public records may
be destroyed). Thus the cloud solution must include the ability to retain records for as long
as required by the Disposal Authority, to transfer them to longer-term storage if that is also
required, and to export them in a usable form should you later leave the provider.


Official Information Act and the Local Government Official Information and Meetings Act
The Official Information Act applies to all government agencies including universities,
hospitals and SOEs while the Local Government Official Information and Meetings Act
(LGOIMA) applies to local government bodies.
Our take: The OIA and LGOIMA have little impact on the use of cloud computing except
insofar as information handled or stored in the cloud should be able to be retrieved as part of
an OIA or LGOIMA request – as is the case for any on-premise information system covered by
these acts.


Security in the Government Sector (SIGS)
Security in the Government Sector (SIGS) is a set of policies and guidelines governing
information security published by the Department of the Prime Minister and Cabinet.
Following it is mandatory for government agencies (government departments, and agencies
such as the police and NZ Defence Force) and suggested for crown entities and State Owned
Enterprises.
A primary concern of SIGS is the placing of government information into one of several
information classifications. Information is either unclassified (available to anyone who wants
it) or classified (available only to those who need to know and have the requisite level of
security clearance). Classified information is further divided into categories ranging from: “IN
CONFIDENCE” (the lowest level) through to “TOP SECRET”. Information should be labelled “IN
CONFIDENCE” if its compromise “would be likely to prejudice the maintenance of law and
order, impede the effective conduct of government in New Zealand or affect adversely the
privacy of its citizens.”[6] Levels above IN CONFIDENCE contain information which if
compromised could damage the national interests of New Zealand to differing degrees.
The policies and guidelines in SIGS fall into two camps: good practices that should be applied
to all information and information systems; and, specific policies and guidelines around the
handling of different levels of classified information. Each of the classifications has a set of
distinct controls that must be applied to information of that kind, becoming more and more
secure – and therefore increasingly onerous – as you move up the scale.
Our take: Due to the specific and onerous nature of the requirements around information
with a classification of “SENSITIVE” or above (e.g. all staff involved in storing or handling the
data require NZ Government security clearances) we see it as unsuitable for processing in a
public cloud. This still leaves, however, a wide range of government information (i.e.
unclassified and IN CONFIDENCE) and functions that may be suitable for cloud computing.
While SIGS has no specific mention of cloud computing, it does have general information
security considerations which are applicable to a cloud computing solution, as well as some
mentions of outsourcing which are also relevant. The following issues should be assessed:

    •   If the cloud provider’s staff can access classified information, a risk assessment must
        be undertaken to see what controls need to be put in place;
    •   The contract with the cloud provider should address methods for meeting security
        requirements;
    •   The procedures for sanitisation of storage media holding classified data should be
        examined to see if they meet SIGS requirements;
    •   The formal procedures for access control should be examined to see if they meet SIGS
        requirements;
    •   Whether additional controls and processes on communications are required because
        information is being sent from an agency to another party (especially if they are
        overseas).
As long as these considerations are properly examined and weighed, SIGS does not
preclude the use of cloud computing.


SSC Advice
The State Services Commission (SSC), in its advisory capacity, published a paper for the public
sector on the use of offshore ICT providers.[7] The purpose of the paper was to take existing
frameworks such as SIGS and existing SSC guidelines and policies and apply them specifically
to the cases of cloud computing and off-shoring. While the paper was publicly criticised for its
negativity towards off-shoring, it does not in fact suggest that off-shoring ICT services
should be banned in any way. Its overly cautious tone is rooted in the paper’s sole focus on
the risk side, ignoring any benefits.
The core recommendation of the SSC is that government agencies should assess the risk of an
offshore initiative prior to any commitment, and it elaborates on the risks that come with
off-shore approaches. Agencies should recognise that some of these risks may be show
stoppers. These include:

    •   Integrity and reliability of the legal system in the target jurisdiction;
    •   Legislation that allows foreign governments to silently access data that is within their
        borders;
    •   Some information should never go offshore e.g. information vital to national security.
New Zealand government agencies should use the risks outlined in this advice to perform their
own risk assessment – checking the types of risks mentioned against their likelihood and
potential impact for the solution that they are considering. The true offshore risks are all
about hosting in a foreign jurisdiction:

    •   What are the privacy laws in that jurisdiction?
    •   What is the contract law in that jurisdiction?
    •   What are the risks of espionage in that jurisdiction?
Agencies are asked to seek advice if any of this is new to them.
The risks relating to the foreign jurisdiction prompt an important insight: for government data
especially, we actually do have to care about the country where our data will reside. “The
cloud” is not a specific enough address from a legal viewpoint: “hosted in the EU” vs. “hosted
in Somalia” actually makes a difference! A logical first step is to get familiar with privacy and
security in the likely target jurisdictions – foremost the US, but also the EU and Australia.
Our take: We recommend that any government agencies looking to use cloud computing
should follow this advice by performing the following steps:

    •   Check for show-stopping risks;
    •   Undertake a risk assessment using the framework of the SSC advice – qualifying the
        risks by their probability and the sensitivity and the criticality of the task or
        information;
    •   Compare the cloud option risk assessment to the risk profile of your current
        equivalent computing platform and other reasonable alternatives.





DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS

The risks discussed below should not be seen as reasons not to engage with cloud computing,
but instead should be viewed in terms of providing a realistic assessment of:

    •   Whether they apply to your solution;
    •   What the likelihood of them occurring is;
    •   How you can mitigate them;
    •   How they weigh up against the benefits likely to be realised by using cloud services.
In all cases a realistic assessment of the risks of a cloud computing solution should be
compared with the very real privacy and security risks of traditional on-premise solutions that
are often down-played or ignored. Many of the same security risks as traditional on-premise
or outsourced computing resource models apply to cloud computing solutions, but the lack of
visibility and control adds a degree of uneasiness on the part of customers. One oft-repeated
claim is that cloud computing has significant and special challenges for security as it is not
under the control of the organisation. This claim usually inflates the extent to which internal
control equals good security practice. The reality in many organisations is that much
internally controlled data is not well secured. While this in itself does not justify cloud
computing we should be aware that the equation is not as straightforwardly in favour of
internally hosted solutions as many people assume.
In addition, there is a perception that “the cloud” in general is beset with security risks. But
the reality is that different vendors and different offerings have quite different security,
privacy and risk profiles as well as benefits. There is no one answer, each solution needs to
be assessed on its individual merits, and each cloud provider needs to be assessed on their
individual merits. There are, however, a number of risk factors that are applicable to all
cloud solutions and which will therefore need to be addressed by all solutions.
What risks are specific to – or different in – cloud computing? If we look at the distinctive and
typical features of cloud computing we can identify the accompanying risks. Common
characteristics of cloud computing platforms are:

    •   Scalability – automatic deployment of increased or decreased resources as needs
        change;
    •   Multi-tenancy – hosting of multiple, different customers on the same underlying
        infrastructure;
    •   Virtualisation - logically separate instances of platforms or applications running on
        the same physical hardware;
    •   Outsourced – managed and delivered by an external third party;
    •   Off-shored – the platform resides in a different jurisdiction;
    •   Internet access – platforms are accessed by users or systems over the public internet;
    •   Payment mode – computing resources are financed by a pay as you go model.
These distinctive features of cloud computing give rise to the following specific risks inherent
in many cloud computing solutions.

    •   Multi-tenancy and virtualisation cause a risk of unauthorised access. Scalability is
        often achieved through multi-tenancy and virtualisation, which have spawned some
        security worries. While it is theoretically possible for another tenant of a multi-tenant
        architecture to access your information if the underlying platform exposes an isolation
        vulnerability, the real chance of this occurring (and, more specifically, happening to
        you) with a cloud provider who takes measures to ensure that tenant data is
        segregated effectively is so low compared to other security risks that it is negligible.
        If this is a concern for your organisation, ask your cloud provider how tenant data is
        segregated (in the application, in storage and on the network), how that isolation is
        tested, and what independent assurance covers it.
   •   Outsourcing hands control of your data to another organisation. Just like other
       outsourcing arrangements, cloud computing by definition gives access to your
       organisation’s information to people, processes and technologies of another
       organisation (or multiple organisations if they have outsourcing deals themselves).
       The difference is that this risk is more clearly understood in the case of traditional
       outsourcing, whereas it may be less visible and therefore overlooked in the case of
       cloud computing. The ease with which cloud services can be purchased and
       implemented elevates risks – compared to traditional outsourcing – which centre on
       what happens to your information if and when you end your use of a cloud computing
       platform. You need to be able to retrieve the valuable data that is kept in the cloud,
       and you will need assurance that any private, confidential or sensitive data is
       securely removed or disposed of from the cloud provider’s equipment (including from
       back-ups and redundant systems). For particularly sensitive or critical data, whatever
       procedure is put in place must work even if the provider suddenly became bankrupt.
       In addition, many Software-as-a-Service providers use Infrastructure-as-a-Service
       providers themselves, further increasing the complexity of your information security
       environment.
    •   Off-shoring adds the complexity of foreign jurisdictions. Most cloud providers will
        not have their physical facilities in New Zealand; therefore the same risks exist as for
        traditional off-shoring. Specifically, the different security and privacy laws of the
        hosting jurisdiction may negatively impact the privacy and security of your
        information. Different privacy laws may mean that your data may be used for other
        purposes by your cloud provider; for instance, some companies mine their customers’
        data for their own benefit. Different security laws or practices may mean that
        another country’s security or policing agencies may be able to view data that you
        hold at the provider’s premises. This is explicitly allowed by the U.S. Patriot Act
        (subject to US legal process; some other jurisdictions impose fewer constraints).
    •   On-demand access can become uncontrolled access. Platforms that are accessed
        over the internet and are outside your organisation’s traditional (on-premise)
        infrastructure are subject to risks around access management. With an on-premise
        system the mere fact that the user has to access the system from within the
        organisation mitigates some of the risks of poor access controls. With cloud-based
        systems the risk may be greatly increased. Organisations may struggle to
        effectively synchronise granting and revoking user access, leading to staff being
        unable to access the services they need or, even worse, allowing people to access
        information and functions that should not be available to them (e.g. not revoking
        access to a CRM when staff leave your organisation). Make each cloud service part of
        your joiner and leaver process, and periodically reconcile the provider’s user list
        against your staff roster so that orphaned accounts are found and disabled.
    •   Internet traffic is at risk from interception. Another risk inherent in the cloud model
        of service delivery or access over the internet is the possibility of your data being
        intercepted as it travels between your organisation and the cloud provider. With most
        cloud providers this can readily be mitigated with secure authentication and
        encryption of network traffic, provided the provider enforces encryption on every
        endpoint you use and your clients validate the provider’s certificate rather than
        accepting whatever is presented. As most ‘internal’ VPNs rely on the same
        authentication and encryption protocols and are actually implemented as tenants on
        the internet’s network infrastructure, the risk often comes down to perception rather
        than actual exposure.
   •   Internet services may suffer disruption. Your organisation’s access to internet
       provided services may be at risk of disruption from: denial of service (DoS) attacks on
       the provider; a loss of internet access by you or your cloud provider; or, government
       intervention as seen recently in Egypt.




   •   Ease of implementation can lead to data exposure. The ease of installation,
       implementation and release inherent in a scalable, pay as you go model with
       platforms living in the cloud (not to mention the lack of financial barriers) can bring
       with it a little-recognised risk: making it too easy for staff to launch services or
       applications into the wider world. If business units can purchase and deploy
       technology services just by using a corporate credit card, they can easily (and
       probably unintentionally) bypass an organisation’s security risk assessment process.
       While this era of the ‘empowered user’ has brought many benefits, it may not treat
       customer and corporate data with the right level of security and sensitivity.
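The last point in the first list above, access that is not revoked when staff leave, is the kind of gap that can be checked mechanically rather than discovered after the fact. The following is an added example, not code from the original paper: it reconciles the user list exported from a cloud CRM against the HR roster and reports accounts whose holder has left, or whom HR has never heard of. The roster, the CRM export and their field names are constructed for the example.

```python
"""Reconcile a cloud service's user list against the HR roster.

Added example (not from the original paper).  HR_ROSTER and CRM_USERS are
constructed sample data standing in for an HR system export and the user
list downloaded from a cloud CRM's admin console.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str                  # "active" or "left"
    end_date: Optional[date]     # last day of employment, if known


# Constructed: HR is treated as the authoritative list of who works here.
HR_ROSTER: List[HrRecord] = [
    HrRecord("alice@example.co.nz", "active", None),
    HrRecord("bob@example.co.nz", "left", date(2011, 1, 14)),
    HrRecord("carol@example.co.nz", "active", None),
]

# Constructed: what the cloud CRM still believes its users are.
CRM_USERS: Dict[str, dict] = {
    "alice@example.co.nz": {"role": "sales", "last_login": date(2011, 2, 1)},
    "Bob@example.co.nz": {"role": "sales_admin", "last_login": date(2011, 1, 28)},
    "dave@example.co.nz": {"role": "sales", "last_login": date(2010, 12, 2)},
}

Finding = Tuple[str, str, str]   # (email, reason, role held in the cloud service)


def find_orphaned_access(hr_roster: List[HrRecord],
                         cloud_users: Dict[str, dict]) -> List[Finding]:
    """Return cloud accounts that should not exist.

    An account is flagged when HR has no record of the address at all, or
    when HR says the person has left.  In the second case the finding also
    notes whether the account was used after the leaving date, which is the
    signal that matters most if the gap turns into an incident.
    """
    by_email = {r.email.lower(): r for r in hr_roster}
    findings: List[Finding] = []
    for email, info in cloud_users.items():
        rec = by_email.get(email.lower())          # case-insensitive match
        if rec is None:
            findings.append((email.lower(), "no HR record", info["role"]))
        elif rec.status != "active":
            reason = "left"
            if rec.end_date is not None:
                reason += " on " + rec.end_date.isoformat()
                if info["last_login"] > rec.end_date:
                    reason += ", logged in after leaving"
            findings.append((email.lower(), reason, info["role"]))
    return sorted(findings)


if __name__ == "__main__":
    for email, reason, role in find_orphaned_access(HR_ROSTER, CRM_USERS):
        print("REVOKE %-22s role=%-12s %s" % (email, role, reason))
```

Run against real exports, the same logic turns a periodic manual review into a repeatable check; the address comparison is case-insensitive because cloud admin consoles and HR systems rarely agree on capitalisation.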
What is often overlooked is that cloud computing has the potential to improve the privacy and
security of your data. The financial argument for cloud computing is that it provides
efficiency and cost savings through scale; the same factors also apply to security: cloud
providers, because of their scale, can afford large dedicated teams of security
specialists with the latest technology. Can any New Zealand organisation compete with the
size and technical expertise of Google’s or Amazon’s security teams? Some cloud providers may
be able to provide better security than your own organisation, decreasing your security risk.
Bear in mind that this advantage covers only the parts of the stack the provider operates;
how you configure accounts, access and data within the service remains your responsibility.
In addition, some cloud offerings by their very nature improve security, for instance
by allowing users to store or transfer information with a secure cloud provider you have
assessed, rather than storing or transferring it on insecure devices or media.
OTHER CLOUD OPTIONS

There are a range of different flavours of cloud computing solutions which impact differently
on privacy, residency and security concerns. Standard public cloud services provide the
greatest choice and the greatest functionality at the lowest potential price. As discussed
above, however, there may be situations where the risks of using a standard public cloud
solution outweigh the benefits. In such cases, before ruling out cloud offerings entirely, other
more specialised cloud offerings should be considered to see if they address the risks while
still allowing the organisation to realise some of the cloud’s benefits.


Public Cloud with New Zealand Hosting
For information that should not leave New Zealand the next best option is using a public
cloud provider that can guarantee New Zealand hosting. This option combines the ease of the
public cloud with the assurance of being covered by New Zealand laws and controls. Note that
hosting location does not change who the provider is: a foreign-owned provider hosting in New
Zealand may still be subject to legal process in its home jurisdiction, so confirm this with
the provider and your legal advisers. Unfortunately most international cloud providers will be
unwilling to set up a New Zealand hosting environment unless they see a significant
commitment, and those that are willing are likely to pass the additional costs on to their
users. Being restricted to New Zealand hosted cloud services drastically reduces the range of
cloud services available and the benefits and cost efficiencies that could be gained, but it is
an option that should be seriously considered. In particular a range of New Zealand based
Infrastructure-as-a-Service offerings are available.


Community Cloud in New Zealand
A community cloud is a cloud service which is only available to a restricted set of customers,
for instance Google’s government cloud that is only able to be used by the United States
Federal government agencies – Google has separate physical servers and separate staff to
allow it to meet the requirements of the U.S. Government. This approach requires a group of
cloud customers in NZ (a sector or nationwide) and cloud providers who are willing to support
cloud operations in New Zealand for a restricted set of customers.
This option would allow the customers to meet almost all privacy, residency and security
concerns, but would entail higher cost and commitment from the customer community and
the cloud provider while delivering a restricted set of cloud services. In addition there are
also likely to be complex governance issues around the management of a community cloud:
Who ensures that the cloud meets and continues to meet all of the requirements of each
member of the community?


Encryption within the Cloud
Encrypting the data held in the cloud is a possibility which can be used in combination with
other options such as the public cloud or community cloud. For instance files could be
encrypted before being placed in a cloud storage service, or data could be encrypted within a
Platform-as-a-Service database. This mitigates some security risks, but only to the extent
that the encryption keys stay under your control: if the provider holds the keys, or encrypts
and decrypts on your behalf, the data remains exposed to the provider, its staff and anyone
who can compel the provider. Encrypted fields also generally cannot be searched, sorted or
joined by the cloud application. Client-side encryption is not supported by all cloud
providers at this point in time, or by many Software-as-a-Service applications.


Tokens
In this solution, identifying or sensitive data (e.g. names or identifying numbers) is replaced
with meaningless tokens as the information is passed to the cloud. Which token replaces
which datum is recorded, and when the information is pulled back out of the cloud the
meaningless token is replaced with the original piece of data before being displayed or
consumed. For example “Account 12345678, balance $20” becomes “Account kzkxdf56,
balance $20” on being sent to the cloud. Additional charges are added by the cloud
application, and “Account kzkxdf56, balance $40” is returned. The token is replaced with the
real account number, and “Account 12345678, balance $40” is displayed to a staff member.
The result is that the information in the cloud can no longer be related to individuals and
does not contain the sensitive data. This has the advantage of allowing you to use most cloud
offerings while removing many of the privacy issues (by transforming the information into a
state where it is no longer sensitive or identifiable) as well as some of the security and
residency issues. Two conditions apply: the tokens must be generated randomly rather than
derived from the original values, so that nobody can recover the data from a token alone, and
the table mapping tokens to values, which now holds all of the sensitive data, must stay
on-premise and be protected at least as well as the original data would have been. Depending
on the kind of functionality desired and the type of information used, this type of solution
can be very effective. Each piece of information that is “swapped out”, however, reduces the
amount of functionality from the cloud provider that can be used. For example if you swap the
customer name for a token, then the cloud service cannot search or fuzzy-match records by
name (exact matching still works if the same name always receives the same token). It also
introduces an additional layer of complexity to the overall solution by adding more
components and interfaces.
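The account-number exchange described above, worked through as an added example (not code from the original paper). The vault is an in-memory dictionary standing in for an on-premise database; the 8-digit account number format, the 8-character token format and the stand-in cloud function are assumptions for the example. It also shows the two properties the text depends on: tokens are random, and only tokens the vault itself issued are ever mapped back.

```python
"""Token vault for the account-number example in the text.

Added example (not from the original paper).  The vault is an in-memory
dictionary standing in for an on-premise database; the 8-digit account
number format and the 8-character token format are assumptions.
"""
import re
import secrets
import string

ACCOUNT_RE = re.compile(r"\b\d{8}\b")            # assumed: 8-digit account numbers
TOKEN_LEN = 8
TOKEN_CHARS = string.ascii_lowercase + string.digits


class TokenVault:
    """Replaces sensitive values with random tokens on the way out and
    restores them on the way back.  The mapping lives here, on-premise,
    so the cloud only ever sees the tokens."""

    def __init__(self) -> None:
        self._value_to_token: dict = {}
        self._token_to_value: dict = {}

    def _new_token(self) -> str:
        # First character is always a letter so a token can never look like
        # a real account number; the rest is random from the OS CSPRNG.
        while True:
            tok = secrets.choice(string.ascii_lowercase) + "".join(
                secrets.choice(TOKEN_CHARS) for _ in range(TOKEN_LEN - 1))
            if tok not in self._token_to_value:
                return tok

    def token_for(self, value: str) -> str:
        """The same value always maps to the same token, so the cloud
        application can still group or exact-match records by account."""
        tok = self._value_to_token.get(value)
        if tok is None:
            tok = self._new_token()
            self._value_to_token[value] = tok
            self._token_to_value[tok] = value
        return tok

    def tokenize(self, text: str) -> str:
        """Outbound: replace every account number before the text leaves."""
        return ACCOUNT_RE.sub(lambda m: self.token_for(m.group(0)), text)

    def detokenize(self, text: str) -> str:
        """Inbound: restore only tokens this vault issued.  Anything else in
        the response is left untouched, so the cloud side cannot inject a
        value of its choosing."""
        if not self._token_to_value:
            return text
        pattern = re.compile(r"\b(?:%s)\b" % "|".join(
            re.escape(t) for t in self._token_to_value))
        return pattern.sub(lambda m: self._token_to_value[m.group(0)], text)


def cloud_add_charge(record: str, amount: int) -> str:
    """Stand-in for the cloud application: it works on the tokenised record
    and never needs the real account number."""
    m = re.search(r"balance \$(\d+)", record)
    return record[:m.start(1)] + str(int(m.group(1)) + amount) + record[m.end(1):]


def round_trip(vault: TokenVault, record: str, charge: int) -> str:
    """The flow from the text: tokenise, let the cloud update, detokenise."""
    outbound = vault.tokenize(record)
    assert not ACCOUNT_RE.search(outbound)         # nothing sensitive leaves
    returned = cloud_add_charge(outbound, charge)
    return vault.detokenize(returned)


if __name__ == "__main__":
    vault = TokenVault()
    print(vault.tokenize("Account 12345678, balance $20"))
    print(round_trip(vault, "Account 12345678, balance $20", 20))
```

The deterministic value-to-token mapping is a deliberate trade: it preserves exact matching in the cloud, but it also means repeated tokens reveal that two records concern the same account. If even that linkage is sensitive, issue a fresh token per record and accept the further loss of cloud-side functionality.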


Local Agents, Cloud Management
Some cloud services work by providing a cloud based management solution with local
software agents or hardware. These solutions work by creating locally deployed software or
hardware that are configured, created, and managed by a cloud based solution. These types
of solutions have minimal privacy, residency and security issues but are only available for a
relatively limited set of services (for instance integration services).

MANAGING CLOUD PRIVACY, RESIDENCY AND
SECURITY RISKS

The lack of standards for privacy and security in cloud computing means that the onus is on
the consumer of cloud services to carry out their own investigations and risk assessment. The
cloud customer must also contract their privacy and security requirements at an individual
level with each of their cloud providers – assuming the provider is willing to do this. We
recommend a two-pronged approach to dealing with this responsibility: use a structured
process for evaluating options that is cloud-aware; and, adopt a few key practices for
implementing cloud solutions.


A Cloud-Aware Evaluation Process
If you are considering addressing a business need with a cloud solution, you need to evaluate
all of your options with a process that is aware of the particular challenges of cloud
computing and alive to its possibilities. The high level process shown in Figure 2 and
described below is a basic solution evaluation process that includes additional elements
tailored to evaluating cloud options.




                         Figure 2 A Cloud Aware Evaluation Process

Preparation
To effectively evaluate cloud options you should carry out a realistic risk assessment that is
not biased for or against cloud computing. This requires targeted preparation.
Enhance your risk framework
If your organisation already has a security risk management framework or a set of security
requirements these may need to be updated to enable them to be appropriately and
adequately applied to cloud computing platforms and solutions. The risk management
frameworks at many organisations have been around for a while and may be biased against
cloud computing because of their focus on locally deployed solutions and an out of date
attitude to the internet. Work with your risk management or security teams to remove any
negative bias while remaining aware of the special challenges of cloud computing. If your
organisation is a part of the New Zealand Government, you should incorporate the risk factors
described in SIGS and the SSC Advice on Risk Management.

Understand your information
In order to properly carry out a risk assessment you will need to understand your
organisation’s information. This involves detailing:

    •   The different types and kinds of information your organisation is planning to put in or
        through the cloud;
    •   The business criticality and sensitivity of that information.
For applications that you are thinking of putting in the cloud, determine what information
they process or use. For databases determine what information they store. If you are looking
at cloud storage or Infrastructure-as-a-Service you will need to consider the types of
information that could end up residing in the cloud. Some important information types are:
personal details about customers or staff, financial records, strategic information, and
product information.
This will assist you in determining:

    •   What legislation or standards apply to that information;
    •   What information may go into the cloud;
    •   What questions you need to ask and assurances you need to receive from your cloud
        provider;
    •   Whether there are any additional risks you need to manage;
    •   What controls you need to put in place when putting that information into the cloud.

Investigate the application of standards and legislation
Based on the discussion of relevant standards and legislation above, and taking into account
your type of organisation (e.g. public sector, bank etc.) and the types of information that you
are considering placing in the cloud you will need to determine which standards and
legislation apply to your solution. From this you can determine:

    •   Whether there are any showstoppers (e.g. SIGS rules out the cloud for certain kinds of
        information);
    •   What legal requirements you are under;
    •   What additional controls you should have.

Option Identification
Once you have completed these steps you will know at a high level whether the cloud is a
viable option – and what types of cloud. You then need to identify which cloud providers
could form part of your solution – as well as which non-cloud options are reasonable
alternatives.
Option Assessment
Once you have a candidate list of options, each option can then be assessed from the
perspective of privacy, residency and security risks. The following sections outline some of
the special considerations that need to be taken into account for solutions with cloud
components.

Assess privacy, residency and security risks
Undertake a risk assessment process, focusing on those risks that are particularly relevant to
cloud computing as outlined above. You will need to investigate the particular cloud solution
to see whether it has any specific risks. Asking your vendor the high level questions in Figure
3 should uncover whether there are any issues peculiar to them or their solution.
The key to performing a risk assessment on a cloud solution is knowing where your data is
going to be stored. This allows you to understand any privacy or security risks associated with
that location. In particular some jurisdictions have risks due to: a lack of privacy legislation;
potentially invasive government surveillance; and, a lack of the rule of law.
A particular concern for New Zealand organisations is the scheduled maintenance windows of
overseas cloud providers. These are typically organised for the early morning in America or
Europe, and so often fall in peak business hours for New Zealand.

Assess cloud provider controls
Once you have a realistic understanding of the business risks associated with placing your
information in the cloud you can then assess how your candidate cloud solution(s) will address
those risks. To do this you will need to investigate the cloud provider’s ability to meet your
privacy, residency and security requirements and what controls they have in place to mitigate
specific risks. As one of the rationales of cloud computing is to hide the “how” from view,
some of this information may be hard to find – be prepared to ask some hard questions of your
vendors. The high level questions in Figure 3 address the most important controls that a cloud
vendor should have in place.
A more detailed list of questions – called the Consensus Assessments Initiative (CAI) – has been
assembled by the Cloud Security Alliance (CSA).8 Using the CAI questions is a more intensive
and time-consuming exercise, but we recommend using a tool such as this if your organisation
is considering a significant investment in cloud services, or is looking at putting high risk or
business-critical information or processes into the cloud.
    •   What will happen to your data at end-of-service?
    •   Where (which jurisdiction) will your data physically reside?
    •   What are the vendor’s data protection techniques?
    •   What documentation do they have for auditors?
    •   What are their identity and access management controls?
    •   Who has access to your data both within the cloud provider and any subcontracted 3rd parties?
    •   What controls and hiring policies do they have in place for those people?
    •   What are their business continuity and disaster recovery plans?
    •   What are their failover and availability processes, policies and procedures?
    •   When do they typically carry out maintenance?
    •   Do they do vulnerability assessments?
    •   What is their security architecture?
    •   What is their security staff like in terms of size and skills?

                                 Figure 3 Questions for Cloud Providers

Investigate additional risk mitigation
After assessing your basic level of risk and investigating any controls implemented by your
cloud provider there may still be unacceptable levels of risk. If this is the case you should
consider whether there are any additional controls that your organisation can put in place
that may reduce the risk to acceptable levels. The controls that you will need and will be
able to introduce will depend on the kind of cloud solution you are investigating and the
specific circumstances of your organisation, however here are a few general strategies that
may be of use:

    •     Introduce policies around how cloud services are bought, provisioned and used;
    •     Implement access controls such as single sign-on, or use access management
          software;
    •     Connect to the cloud provider over a secured network;
    •     Add security and continuity requirements to your contract with the provider;
    •     Keep a backup of your data on-premise or at a different provider;
    •     Have plans in place for loss of service due to internet outages or Denial of Service
          attacks.

Assess benefits
Any good risk management process should weigh up the potential risks of an option with its
potential benefits, taking into account the organisation’s appetite for risk along with its
desire for specific benefits. In many cases, as the benefits of cloud computing are quite
different to those of in-house deployments, doing this thoroughly requires an explicit
understanding of the benefits of a cloud option, especially those that are peculiar to the
cloud.

Option Comparison and Selection
It is important to compare the risk assessment of the cloud solution with a realistic risk
assessment of the current state (if there is one) or a proposed on-premise or traditional
outsourcing solution so that the relative merits of the cloud option(s) can be understood. Too
often a thorough risk assessment of a cloud solution scares people off as it is viewed in
isolation rather than being compared with an equivalent assessment of the current on-
premise solution or other alternatives.


Practices for Reducing Implementation Risks
Beyond risk assessments there are a number of other practices that can be used to reduce the
privacy, residency and security risks of cloud computing.
One way that many organisations are getting experience with cloud security is by
implementing low risk applications, with low risk and non-sensitive business information. This
can help the organisation identify issues with the way that they manage security with cloud
providers as well as building confidence and trust for addressing more critical processes.
For significant cloud solutions good vendor management practices should be key parts of
addressing any security issues, for example:

    •   Put in place clear Service Level Agreements (SLAs) that define what security controls
        the cloud provider must put in place, and what penalties are to be imposed if they
        are not met;
    •   Get a clear, binding commitment that you can get your data back and that the data
        will be securely removed from their equipment at your request;
    •   Where possible use contracts to address inadequacies in local privacy legislation.
When it comes to personal information a good practice to follow is to minimise what is sent to
the cloud. This reduces the effort required to manage any privacy risk, and simply follows the
good privacy principle of collecting only the minimum amount of personal information
needed to perform the business task.
Finally you need to remember that the overall solution is not limited to the cloud service
alone. The complete solution may well include your organisation’s people and processes as
well as elements of its infrastructure, application and data. Managing the parts under your
control can decrease or increase the security risk.

IN CONCLUSION

It is our opinion that New Zealand organisations should routinely assess the cloud as an option
when delivering IT solutions. Utilising the cloud is essential in today’s environment of
increased competition in the private sector and increasing demand for efficiency and cost-
effectiveness in the public sector. Understanding and managing the privacy, residency and
security risks – while not exaggerating them - is essential to realising the greatest benefit
from cloud computing. Refusing to use the cloud due to fear, uncertainty and doubt, or
leaping in to cloud use without examining the risks are both fraught approaches that could
see your organisation losing out. In the first case you are not taking advantage of the
efficiencies and cost reductions available. In the second, you are exposed to the possibility of
reputation damage or compliance penalties if any of the real but un-addressed risks become
reality.
The potential benefits to New Zealand and New Zealand organisations of cloud computing are
immense. A small country, at great distance from the commercial centres of the world, we
are able to take advantage of the scale and innovation of larger players. Will our fear of the
pitfalls of cloud computing hold us back? Or can we take the opportunity to carefully and
considerately assess the real risks and benefits inherent in this new trend and use it to drive
organisational success?

ENDNOTES



1. A Guide to the Privacy Act 1993, Office of the Privacy Commissioner, 2009.
2. Information and Privacy Principles, Office of the Privacy Commissioner, 2009.
3. PADLOCK: an Easy Checklist to Help Get Privacy Right, Office of the Privacy Commissioner, 2010.
4. Revenue Alert RA 10/02, Inland Revenue Department, 2010.
5. Outsourcing Policy, Financial Stability Department, Reserve Bank of New Zealand, 2006.
6. Security in the Government Sector, Department of the Prime Minister and Cabinet, 2002.
7. Government Use of Offshore Information and Communication Technologies (ICT) Service Providers: Advice on Risk Management, State Services Commission, 2009.
8. Consensus Assessments Initiative Questionnaire, Cloud Security Alliance, 2010.
Securing data in the cloud: A challenge for UK Law Firms
 
The cloud: financial, legal and technical
The cloud: financial, legal and technicalThe cloud: financial, legal and technical
The cloud: financial, legal and technical
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Security Problem With Cloud Computing
Security Problem With Cloud ComputingSecurity Problem With Cloud Computing
Security Problem With Cloud Computing
 
Security Problem With Cloud Computing
Security Problem With Cloud ComputingSecurity Problem With Cloud Computing
Security Problem With Cloud Computing
 
Security Problem With Cloud Computing
Security Problem With Cloud ComputingSecurity Problem With Cloud Computing
Security Problem With Cloud Computing
 
Data issue affrecting Cloud computing
Data issue affrecting Cloud computingData issue affrecting Cloud computing
Data issue affrecting Cloud computing
 
Security with Cloud Computing
Security with Cloud ComputingSecurity with Cloud Computing
Security with Cloud Computing
 
Security Problem With Cloud Computing
Security Problem With Cloud ComputingSecurity Problem With Cloud Computing
Security Problem With Cloud Computing
 
Security Problem With Cloud Computing
Security Problem With Cloud ComputingSecurity Problem With Cloud Computing
Security Problem With Cloud Computing
 
S E C U R I T Y P R O B L E M W I T H C L O U D C O M P U T I N G
S E C U R I T Y  P R O B L E M  W I T H  C L O U D  C O M P U T I N GS E C U R I T Y  P R O B L E M  W I T H  C L O U D  C O M P U T I N G
S E C U R I T Y P R O B L E M W I T H C L O U D C O M P U T I N G
 
2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01
 
TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015
 
What is Cloud Security And Why It is Important.pdf
What is Cloud Security And Why It is Important.pdfWhat is Cloud Security And Why It is Important.pdf
What is Cloud Security And Why It is Important.pdf
 
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
 
New Era in Insurance - Cloud Computing
New Era in Insurance - Cloud ComputingNew Era in Insurance - Cloud Computing
New Era in Insurance - Cloud Computing
 
Space to think | Cloud research using Logica futurescope
Space to think | Cloud research using Logica futurescope Space to think | Cloud research using Logica futurescope
Space to think | Cloud research using Logica futurescope
 

Dernier

CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesCeline George
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptxSandy Millin
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...CaraSkikne1
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 

Dernier (20)

CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 

The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud for New Zealand Organisations

THE LONG WHITE CLOUD
Addressing Privacy, Residency and Security in the Cloud for New Zealand Organisations

February 2011

By Doug Newdick
With John Baddiley, Anita Easton, Boris Guskee

TABLE OF CONTENTS

DISCLOSURES
EXECUTIVE SUMMARY
INTRODUCTION
SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS
    The Privacy Act
    Tax Administration Act
    Payment Card Industry - Data Security Standard (PCI-DSS)
    Reserve Bank of New Zealand Act
    Public Records Act
    Official Information Act and the Local Government Official Information and Meetings Act
    Security in the Government Sector (SIGS)
    SSC Advice
DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS
OTHER CLOUD OPTIONS
    Public Cloud with New Zealand Hosting
    Community Cloud in New Zealand
    Encryption within the Cloud
    Tokens
    Local Agents, Cloud Management
MANAGING CLOUD PRIVACY, RESIDENCY AND SECURITY RISKS
    A Cloud-Aware Evaluation Process
    Practices for Reducing Implementation Risks
IN CONCLUSION
ENDNOTES
DISCLOSURES

Davanti Consulting was established in 2007 as the independent business consulting arm of Gen-i New Zealand. Our consultants bring with them a wealth of experience from a variety of fields and pride themselves on their pragmatic approach to delivering tangible business value. In the interests of acting with openness and integrity we want to inform you of any relationships that are relevant to this white paper:

• Davanti Consulting is salesforce.com's preferred partner in New Zealand;
• Gen-i New Zealand provides cloud solutions ranging from infrastructure and security to applications.

For more information visit our website at: www.davanti.co.nz
EXECUTIVE SUMMARY

Cloud computing can bring significant benefits to New Zealand organisations, but adoption is being hindered by concerns about privacy, residency and security risks. The cloud, however, is here and is here to stay, and we need to incorporate it in the way we identify, assess and select solutions. Our recommendation is to use an evaluation process that avoids both the hype and the unjustified fears around cloud computing and instead focuses on a sober examination of the compliance obligations in New Zealand and the risks to the business, weighed against the potential gains in efficiency and competitive advantage that the cloud can deliver.

There are specific laws and regulations that affect New Zealand organisations' use of cloud computing, but these impacts are often not the insurmountable barriers they are made out to be. It is true, however, that the distinctive features of cloud computing give rise to special risks as well as rewards. In particular, the absence (at the time of writing) of internationally recognised standards for cloud computing security means that individual organisations must do much of the work of managing these risks themselves.
INTRODUCTION

The advent of cloud computing has been one of the most influential trends affecting businesses and their IT organisations in the last few years. There will not be many CIOs who are not thinking about using the cloud, and some already are. Davanti is, however, seeing some reticence, largely based on concerns about information and data: Who can access it? What will happen to it? What rules apply to it? How secure is it? Can we control it? Conversely, we sometimes see clients who do not understand that there are valid concerns about these issues with respect to cloud computing services, and who are therefore potentially opening themselves up to risk.

This paper aims to explore what the real issues, risks and constraints are for New Zealand organisations that are thinking about cloud computing, and how to address them. Firstly, we examine the directives, standards and legislative controls that actually do constrain New Zealand organisations. Secondly, we place cloud computing in the context of traditional modes of delivering and sourcing computing resources and examine those privacy, residency and security risks that are distinctive to cloud computing. Lastly, we look at the various solutions and practices that New Zealand organisations could and should adopt to address these constraints and risks, so that they can take full advantage of the significant benefits that cloud computing can deliver.

New Zealand organisations ignore the privacy, residency and security concerns of the cloud at their peril. There are real and significant risks in using the cloud, and not managing these risks can expose an organisation to loss of reputation, loss of trust, or even loss of business-critical data. Much of the current reluctance to adopt cloud computing, however, is based on fear, uncertainty and doubt rather than on a calculated assessment of real risks. In order to best utilise cloud computing to obtain competitive advantage and operational efficiencies, you need to transform the discussion from one based on rumour and conjecture to one based on evidence.
SPECIAL IMPACTS ON NEW ZEALAND ORGANISATIONS

Few standards or pieces of legislation have the foresight to consider the issues of cloud computing directly. However, the broader principles and advice around traditional security risk management can be applied to cloud computing; in particular, advice that is valid for outsourcing often applies to cloud computing as well. There is a range of legislation and other standards that apply to New Zealand organisations and that have (or are thought to have) an impact on cloud computing. This section discusses their applicability to cloud computing. Figure 1 outlines which of these standards and legislation apply to different organisation types in New Zealand.

[Figure 1: Standards and Legislation versus Organisation Types (figure not reproduced in this transcript)]

The Privacy Act

The Privacy Act 1993 governs all organisations in New Zealand. It has associated codes that provide more specific guidance and controls for particular industries, e.g. telecommunications and health. The Privacy Act applies to personal information, that is, information about identifiable individuals. If you gather personal information in New Zealand then your organisation is bound by the principles of the Act regardless of how or where that information is managed. The principles contained within the Privacy Act concern good practices for managing personal information, such as only using information for the purpose for which it was collected, and giving people the chance to correct any information about them that is incorrect.[1] If you are not going to put information about individuals into the cloud, then the Privacy Act will not affect your use of cloud services.

Our take: In the main the principles of the Act are no harder to meet when your applications are hosted in the cloud than when they are on premise. The exception is Principle 5 (storage and security of personal information), which requires that reasonable security safeguards are taken against loss, misuse, or unauthorised access, use, disclosure or modification, and that if information is disclosed to another party (e.g. a cloud provider or their staff) everything reasonable is done to prevent unauthorised use or disclosure.[2] In the context of cloud computing this means that a customer should satisfy itself that the security processes and procedures of its vendor are adequate before personal information about New Zealand citizens is held in the cloud; the obligation stays with the organisation that collected the information, not with the provider. The matter is complicated if the cloud services are physically located in countries that do not provide the same level of protection for privacy as New Zealand does. The Office of the Privacy Commissioner has issued a poster-level summary (called PADLOCK) of how to meet the requirements of the Privacy Act.[3] We suggest that this is consulted whenever solutions are developed that use or store personal information, whether cloud-based or not.

Tax Administration Act

In December 2010, the Inland Revenue Department (IRD) issued a revenue alert on the use of cloud computing for financial record keeping. In summary, the alert states that it is the IRD's position that the use of off-shore cloud computing services to hold primary financial records is a violation of the Tax Administration Act 1994. Violations of this Act may be punished by conviction and fines.[4]

Our take: The revenue alert is not the IRD's final position on the use of cloud computing. Communications between the IRD and the software developers who create cloud accounting platforms suggest that either an exemption may be granted to individual businesses that apply for one, or that a blanket exemption may be applied to all users of any "approved" financial cloud computing product. Given the popularity of cloud finance applications, there is also a reasonable chance of a change in the legislation. If your organisation is thinking of using such an application, we suggest talking to the IRD about the matter before pursuing it in depth.
Payment Card Industry - Data Security Standard (PCI-DSS)

PCI-DSS is a standard regulating the processing of credit card information and transactions for merchants (those accepting credit card payments), issuers (the organisations that issue credit cards) and acquirers (the organisations that mediate between merchants and issuers). PCI-DSS is enforced by the leading credit card companies (Visa, Mastercard etc.) internationally and is not specific to New Zealand. In New Zealand, banks are the main issuers and acquirers for credit cards. Because credit card systems are regarded as "core" bank systems, and the RBNZ requirements are more stringent with respect to the cloud than PCI-DSS, the following discussion applies only to merchants and small banks.

The PCI-DSS standards apply if you store, process or transmit credit card data in your IT systems. They document the security controls on networks, information, IT systems, people and processes that a company must follow if it stores, uses or processes credit card data. When looking at the use of cloud computing for PCI components the following considerations are relevant:

• The provisions of PCI-DSS about outsourcing apply: if you are assessed for compliance you must show which requirements apply to you and which to the third-party outsourcer. Either the third party must have undergone its own assessment, or it must be assessed as part of your organisation's assessment.
• If you are using a cloud provider that has not been assessed itself, then extensive information about the cloud provider's implementation is required as part of any assessment.

Our take: PCI-DSS is onerous enough when it applies only to a company's internal computing environment. We recommend not storing credit card information in the cloud unless it is with a PCI-DSS compliant provider (e.g. a credit card payment processing vendor). Note that using a compliant provider reduces, but does not remove, your own obligations: the requirements that remain with your organisation, and the evidence of the provider's compliance, still form part of your assessment.
Reserve Bank of New Zealand Act

Within New Zealand, "large banks" (defined as those whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion) are normally subject to a condition of registration relating to outsourcing arrangements. Set by the Reserve Bank of New Zealand (RBNZ), these conditions define the components of bank processing that each bank may outsource to third parties. The RBNZ is primarily interested in the ability of a large bank to continue operating in the event of a failure (either system or business) of any outsourced party that the bank might be using.[5] In general the RBNZ's tolerance for outsourcing diminishes as the function being outsourced becomes more material to the ongoing operation of the bank. Systems which hold account balances or perform inter-bank settlement are less likely to be tolerated as targets for outsourcing by the RBNZ.

Our take: Cloud-provided systems are a form of outsourced function, and as such fall within the remit of the RBNZ outsourcing policy. This means that core systems are generally not considered appropriate for delivery through the cloud, as the failure of the cloud platform could materially impact the bank's ability to meet its obligations. Systems which are widely used by customers may be placed in the cloud, but will attract intense scrutiny of the controls available to the bank in the event of a failure in the cloud platform. For financial institutions that do not fall under the definition of "large banks" the RBNZ conditions do not apply. Smaller banks should, however, be aware of the requirements for large banks and take them into consideration when investigating the use of cloud services, as the Reserve Bank expects all banks to manage the risks of outsourcing properly.

Public Records Act

The Public Records Act (PRA) covers all crown entities (not just government departments) and local government bodies. It applies to all public records, which is all information created, received or maintained by any of those crown entities, and to all local government records which are on the "protected list".

Our take: Like the OIA (below), this Act does not pose any greater constraint on a cloud computing solution than on any other solution. The one key provision to consider is that electronic records may only be destroyed as specified by a Disposal Authority (an approved official document that specifies the timeframes and conditions under which public records may be destroyed). Thus the cloud solution must include the ability to store records for as long as the Disposal Authority requires, as well as the ability to transfer them to longer term storage if that is also required.

Official Information Act and the Local Government Official Information and Meetings Act

The Official Information Act (OIA) applies to all government agencies, including universities, hospitals and SOEs, while the Local Government Official Information and Meetings Act (LGOIMA) applies to local government bodies.

Our take: The OIA and LGOIMA have little impact on the use of cloud computing, except insofar as information handled or stored in the cloud must be retrievable as part of an OIA or LGOIMA request, as is the case for any on-premise information system covered by these Acts.

Security in the Government Sector (SIGS)

Security in the Government Sector (SIGS) is a set of policies and guidelines governing information security, published by the Department of the Prime Minister and Cabinet.
  • 9. THE LONG WHITE CLOUD Following it is mandatory for government agencies (government departments, and agencies such as the police and NZ Defence Force) and suggested for crown entities and State Owned Enterprises. A primary concern of SIGS is the placing of government information into one of several information classifications. Information is either unclassified (available to anyone who wants it) or classified (available only to those who need to know and have the requisite level of security clearance). Classified information is further divided into categories ranging from: “IN CONFIDENCE” (the lowest level) through to “TOP SECRET”. Information should be labelled “IN CONFIDENCE” if its compromise “would be likely to prejudice the maintenance of law and order, impede the effective conduct of government in New Zealand or affect adversely the privacy of its citizens.”6 Levels above IN CONFIDENCE contain information which if compromised could damage the national interests of New Zealand to differing degrees. The policies and guidelines in SIGS fall into two camps: good practices that should be applied to all information and information systems; and, specific policies and guidelines around the handling of different levels of classified information. Each of the classifications has a set of distinct controls that must be applied to information of that kind, becoming more and more secure – and therefore increasingly onerous – as you move up the scale. Our take: Due to the specific and onerous nature of the requirements around information with a classification of “SENSITIVE” or above (e.g. all staff involved in storing or handling the data require NZ Government security clearances) we see it as unsuitable for processing in a public cloud. This still leaves, however, a wide range of government information (i.e. unclassified and IN CONFIDENCE) and functions that may be suitable for cloud computing. 
While SIGS has no specific mention of cloud computing, it does have general information security considerations which are applicable to a cloud computing solution, as well as some mentions of outsourcing which are also relevant. The following issues should be assessed:

• If the cloud provider’s staff can access classified information, a risk assessment must be undertaken to see what controls need to be put in place;
• The contract with the cloud provider should address methods for meeting security requirements;
• The procedures for sanitisation of storage media for classified data should be examined to see if they meet SIGS requirements;
• The formal procedures for access control should be examined to see if they meet SIGS requirements;
• Whether additional controls and processes on communications are required due to information being sent from an agency to another party (especially if they are overseas).

As long as these considerations are properly examined and weighed then SIGS does not preclude the use of cloud computing.

SSC Advice

The State Services Commission (SSC), in its advisory capacity, published a paper for the public sector on the use of offshore ICT providers.[7] The purpose of the paper was to take existing frameworks such as SIGS and existing SSC guidelines and policies and apply them specifically to the cases of cloud computing and off-shoring. While the paper was publicly criticised for its negativity towards off-shoring, it does not actually suggest that off-shoring ICT services should be banned in any way. Its overly cautious tone is rooted in the paper’s sole focus on the risk side, ignoring any benefits.

The core recommendation of the SSC is that government agencies should assess the risk of an offshore initiative prior to any commitment, and it elaborates on the risks that come with off-shore approaches. Agencies should recognise that some of these risks may be show stoppers; these include:

• Integrity and reliability of the legal system in the target jurisdiction;
• Legislation that allows foreign governments to silently access data that is within their borders;
• Some information should never go offshore, e.g. information vital to national security.

New Zealand government agencies should use the risks outlined in this advice to perform their own risk assessment – checking the types of risks mentioned against their likelihood and potential impact for the solution that they are considering. The true offshore risks are all about hosting in a foreign jurisdiction:

• What are the privacy laws in that jurisdiction?
• What is the contract law in that jurisdiction?
• What are the risks of espionage in that jurisdiction?

Agencies are asked to seek advice if any of this is new to them.

The risks relating to the foreign jurisdiction prompt an important insight: for government data especially, we actually do have to care about the country where our data will reside. “The cloud” is not a specific enough address from a legal viewpoint: “hosted in the EU” vs. “hosted in Somalia” actually makes a difference! A logical first step is to get familiar with privacy and security in the likely target jurisdictions – foremost the US, but also the EU and Australia.

Our take: We recommend that any government agencies looking to use cloud computing should follow this advice by performing the following steps:

• Check for show-stopping risks;
• Undertake a risk assessment using the framework of the SSC advice – qualifying the risks by their probability and by the sensitivity and criticality of the task or information;
• Compare the cloud option risk assessment to the risk profile of your current equivalent computing platform and other reasonable alternatives.
DISTINCTIVE PRIVACY, RESIDENCY AND SECURITY RISKS

The risks discussed below should not be seen as reasons not to engage with cloud computing, but should instead be viewed in terms of providing a realistic assessment of:

• Whether they apply to your solution;
• What the likelihood of them occurring is;
• How you can mitigate them;
• How they weigh up against the benefits likely to be realised by using cloud services.

In all cases a realistic assessment of the risks of a cloud computing solution should be compared with the very real privacy and security risks of traditional on-premise solutions, which are often down-played or ignored.

Many of the same security risks as traditional on-premise or outsourced computing resource models apply to cloud computing solutions, but the lack of visibility and control adds a degree of uneasiness on the part of customers. One oft-repeated claim is that cloud computing has significant and special challenges for security as it is not under the control of the organisation. This claim usually inflates the extent to which internal control equals good security practice. The reality in many organisations is that much internally controlled data is not well secured. While this in itself does not justify cloud computing, we should be aware that the equation is not as straightforwardly in favour of internally hosted solutions as many people assume.

In addition, there is a perception that “the cloud” in general is beset with security risks. But the reality is that different vendors and different offerings have quite different security, privacy and risk profiles as well as benefits. There is no one answer: each solution needs to be assessed on its individual merits, and each cloud provider needs to be assessed on their individual merits. There are, however, a number of risk factors that are applicable to all cloud solutions and which will therefore need to be addressed by all solutions.
What risks are specific to – or different in – cloud computing? If we look at the distinctive and typical features of cloud computing we can identify the accompanying risks. Common characteristics of cloud computing platforms are:

• Scalability – automatic deployment of increased or decreased resources as needs change;
• Multi-tenancy – hosting of multiple, different customers on the same underlying infrastructure;
• Virtualisation – logically separate instances of platforms or applications running on the same physical hardware;
• Outsourced – managed and delivered by an external third party;
• Off-shored – the platform resides in a different jurisdiction;
• Internet access – platforms are accessed by users or systems over the public internet;
• Payment mode – computing resources are financed by a pay-as-you-go model.

These distinctive features of cloud computing give rise to the following specific risks inherent in many cloud computing solutions.

• Multi-tenancy and virtualisation cause a risk of unauthorised access. Scalability is often achieved through multi-tenancy and virtualisation, which have spawned some security worries. While it is theoretically possible for another user of a multi-tenancy architecture to access your information if the underlying platform exposes a vulnerability, the real chance of this occurring (and more specifically, happening to you) if you are with a cloud provider who takes measures to ensure that data is segregated effectively is so low compared to other security risks that it is negligible. If this is a concern for your organisation, check the measures that your cloud provider takes and their effectiveness.

• Outsourcing hands control of your data to another organisation. Just like other outsourcing arrangements, cloud computing by definition gives access to your organisation’s information to the people, processes and technologies of another organisation (or multiple organisations if they have outsourcing deals themselves). The difference is that this risk is more clearly understood in the case of traditional outsourcing, whereas it may be less visible and therefore overlooked in the case of cloud computing. The ease with which cloud services can be purchased and implemented elevates risks – compared to traditional outsourcing – which centre on what happens to your information if and when you end your use of a cloud computing platform. You need to be able to retrieve the valuable data that is kept in the cloud, and you will need assurance that any private, confidential or sensitive data is securely removed or disposed of from the cloud provider’s equipment (including from back-ups and redundant systems). For particularly sensitive or critical data, whatever procedure is put in place must work even if the provider suddenly becomes bankrupt. In addition, many Software-as-a-Service providers use Infrastructure-as-a-Service providers themselves, further increasing the complexity of your information security environment.

• Off-shoring adds the complexity of foreign jurisdictions. Most cloud providers will not have their physical facilities in New Zealand; therefore the same risks exist as for traditional off-shoring. Specifically, the different security and privacy laws of the hosting jurisdiction may negatively impact on the privacy and security of your information.
Different privacy laws may mean that your data may be used for other purposes by your cloud provider; for instance, some companies mine their customers’ data for their own benefit. Different security laws or practices may mean that another country’s security or policing agencies may be able to view data that you hold at the provider’s premises. This is explicitly allowed by the U.S. Patriot Act (albeit with a warrant and probable cause; other jurisdictions are not so delicate).

• On-demand access can become uncontrolled access. Platforms that are accessed over the internet and are outside your organisation’s traditional (on-premise) infrastructure are subject to risks around access management. With an on-premise system the mere fact that the user has to physically access a system from within the organisation mitigates some of the risks of poor access controls. With cloud based systems the risk may be greatly increased. Organisations may struggle to effectively synchronise granting and revoking user access, leading to staff being unable to access the services they need, or, even worse, allowing people to access information and functions that should not be available to them (e.g. not revoking access to a CRM when staff leave your organisation).

• Internet traffic is at risk from interception. Another risk inherent in the cloud model of service delivery or access over the internet is the possibility of your data being intercepted as it travels between your organisation and the cloud provider. However, with most cloud providers this can easily be mitigated with secure authentication and encryption of network traffic. As most ‘internal’ VPNs rely on the same authentication and encryption protocols and are actually implemented as tenants on the internet’s network infrastructure, the risk often comes down to perception rather than actual exposure.

• Internet services may suffer disruption. Your organisation’s access to internet-provided services may be at risk of disruption from: denial of service (DoS) attacks on the provider; a loss of internet access by you or your cloud provider; or government intervention as seen recently in Egypt.
• Ease of implementation can lead to data exposure. The ease of installation, implementation and release inherent in a scalable, pay-as-you-go model with platforms living in the cloud (not to mention the lack of financial barriers) can bring with it a little-recognised risk: making it too easy for staff to launch services or applications into the wider world. If business units can purchase and deploy technology services just by using a corporate credit card, they can easily (and probably unintentionally) bypass an organisation’s security risk assessment process. While this era of the ‘empowered user’ has brought many benefits, it may not treat customer and corporate data with the right level of security and sensitivity.

What is often overlooked is that cloud computing has the potential to improve the privacy and security of your data. The financial argument for cloud computing is that it provides efficiency and cost savings through scale – these same factors also apply to security: cloud providers, because of their scale, can have access to large dedicated teams of security specialists with the latest technology. Can any New Zealand organisation compete with the size and technical expertise of Google’s or Amazon’s security teams? Some cloud providers may be able to provide better security than your own organisation, decreasing your security risk. In addition, some cloud offerings by their very nature may improve security, for instance by allowing users to store or transfer information with a secure cloud provider you have assessed, as opposed to storing or transferring it on insecure devices or media.
OTHER CLOUD OPTIONS

There are a range of different flavours of cloud computing solutions which impact differently on privacy, residency and security concerns. Standard public cloud services provide the greatest choice and the greatest functionality at the lowest potential price. As discussed above, however, there may be situations where the risks of using a standard public cloud solution outweigh the benefits. In such cases, before ruling out cloud offerings entirely, other more specialised cloud offerings should be considered to see if they address the risks while still allowing the organisation to realise some of the cloud’s benefits.

Public Cloud with New Zealand Hosting

For information that should not leave New Zealand the next best option is using a public cloud provider that can ensure New Zealand hosting. This option combines the ease of the public cloud with the assurance of being covered by New Zealand laws and controls. Unfortunately most international cloud providers will be unwilling to set up a New Zealand hosting environment unless they see a significant commitment, and those that are willing will be likely to pass on the additional costs to their users. Being restricted to New Zealand hosted cloud services drastically reduces the range of cloud services available and the benefits and cost efficiencies that could be gained, but is an option that should be seriously considered. In particular, a range of New Zealand based Infrastructure-as-a-Service offerings are available.

Community Cloud in New Zealand

A community cloud is a cloud service which is only available to a restricted set of customers, for instance Google’s government cloud, which can only be used by United States Federal government agencies – Google has separate physical servers and separate staff to allow it to meet the requirements of the U.S. Government.
This approach requires a group of cloud customers in NZ (a sector or nationwide) and cloud providers who are willing to support cloud operations in New Zealand for a restricted set of customers. This option would allow the customers to meet almost all privacy, residency and security concerns, but would entail higher cost and commitment from the customer community and the cloud provider while delivering a restricted set of cloud services. In addition there are also likely to be complex governance issues around the management of a community cloud: who ensures that the cloud meets and continues to meet all of the requirements of each member of the community?

Encryption within the Cloud

Encrypting the data held in the cloud is a possibility which can be used in combination with other options such as the public cloud or community cloud. For instance, files could be encrypted before being placed in a cloud storage service, or data could be encrypted within a Platform-as-a-Service database. This may mitigate some security risks, but is not supported by all cloud providers at this point in time or by many Software-as-a-Service provided applications.

Tokens

In this solution, identifying or sensitive data (e.g. names or identifying numbers) is replaced with meaningless tokens as the information is passed to the cloud. Which token replaces which datum is recorded, and when the information is pulled back out of the cloud the meaningless token is replaced with the original piece of data before being displayed or consumed. For example “Account 12345678, balance $20” becomes “Account kzkxdf56, balance $20” on being sent to the cloud. Additional charges are added by the cloud application, and “Account kzkxdf56, balance $40” is returned. The token is replaced with the real account number, and “Account 12345678, balance $40” is displayed to a staff member. The result is that the information in the cloud can no longer be related to individuals and does not contain the sensitive data.

This has the advantage of allowing you to use most cloud offerings, while removing many of the privacy issues (by transforming the information into a state where it is no longer sensitive or identifiable) as well as some of the security and residency issues. Depending on the kind of functionality desired and the type of information used, this type of solution can be very effective. Each piece of information that is “swapped out”, however, reduces the amount of functionality from the cloud provider that can be used. For example, if you swap the customer name for a token, then the cloud service cannot match records based on name. It also introduces an additional layer of complexity to the overall solution by adding more components and interfaces.

Local Agents, Cloud Management

Some cloud services work by providing a cloud based management solution with local software agents or hardware. These solutions work by creating locally deployed software or hardware that are configured, created, and managed by a cloud based solution. These types of solutions have minimal privacy, residency and security issues but are only available for a relatively limited set of services (for instance integration services).
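The token substitution described under Tokens above, as an added example that is not part of the whitepaper: an on-premise vault swaps account numbers for random, same-length tokens before a record leaves, a stub stands in for the cloud application, and the token is swapped back before the result is shown to staff. The record format, the vault and the cloud stub are assumptions constructed for the example.

```python
"""Token substitution for data sent to a cloud application.

Added example, not from the original whitepaper. Identifying values are
swapped for meaningless tokens on the way out, the cloud application works
on the tokenised record, and the tokens are swapped back on-premise before
anyone sees the result. The record format ("Account <8 digits>, balance
$<n>"), the in-memory vault and the cloud application stub are constructed
for this example.
"""
import re
import secrets
import string

# Constructed record format: an 8-digit account number and a dollar balance.
ACCOUNT_RE = re.compile(r"Account (\d{8})\b")
TOKEN_RE = re.compile(r"Account ([a-z][a-z0-9]{7})\b")
BALANCE_RE = re.compile(r"balance \$(\d+)\b")


class TokenVault:
    """On-premise mapping between real values and random tokens.

    A token is random, not derived from the value (a hash of an 8-digit
    account number could be brute-forced back to the number in seconds),
    so a record held by the cloud provider cannot be linked to a customer
    without access to this vault. The same value always gets the same token,
    so the cloud application can still group or match records by account.
    """

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenise(self, value: str) -> str:
        token = self._value_to_token.get(value)
        if token is None:
            token = self._new_token(len(value))
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenise(self, token: str) -> str:
        try:
            return self._token_to_value[token]
        except KeyError:
            # A token we never issued means the cloud side returned data we
            # cannot account for; fail closed rather than display it.
            raise ValueError(f"unknown token: {token}") from None

    def _new_token(self, length: int) -> str:
        # Same length as the value it replaces, so field widths are preserved,
        # and always starting with a letter so a token can never be mistaken
        # for a real (all-digit) account number.
        alphabet = string.ascii_lowercase + string.digits
        while True:
            token = secrets.choice(string.ascii_lowercase) + "".join(
                secrets.choice(alphabet) for _ in range(length - 1)
            )
            if token not in self._token_to_value:
                return token


def to_cloud(record: str, vault: TokenVault) -> str:
    """Replace every account number with its token before the record leaves."""
    return ACCOUNT_RE.sub(lambda m: f"Account {vault.tokenise(m.group(1))}", record)


def from_cloud(record: str, vault: TokenVault) -> str:
    """Replace every token with the real account number on the way back."""
    return TOKEN_RE.sub(lambda m: f"Account {vault.detokenise(m.group(1))}", record)


def cloud_app_add_charge(record: str, amount: int) -> str:
    """Stand-in for the cloud application: it only ever sees the token, yet
    can still do its job (here, adding charges to the balance)."""
    return BALANCE_RE.sub(lambda m: f"balance ${int(m.group(1)) + amount}", record)


def round_trip(record: str, amount: int, vault: TokenVault) -> str:
    """The whitepaper's flow end to end: tokenise, process in the cloud,
    detokenise for display to a staff member."""
    outbound = to_cloud(record, vault)
    returned = cloud_app_add_charge(outbound, amount)
    return from_cloud(returned, vault)


if __name__ == "__main__":
    vault = TokenVault()
    original = "Account 12345678, balance $20"
    print("sent to cloud:  ", to_cloud(original, vault))   # token in place of the number
    print("shown to staff: ", round_trip(original, 20, vault))
```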
MANAGING CLOUD PRIVACY, RESIDENCY AND SECURITY RISKS

The lack of standards for privacy and security in cloud computing means that the onus is on the consumer of cloud services to carry out their own investigations and risk assessment. The cloud customer must also contract their privacy and security requirements at an individual level with each of their cloud providers – assuming the provider is willing to do this. We recommend a two-pronged approach to dealing with this responsibility: use a structured process for evaluating options that is cloud-aware; and adopt a few key practices for implementing cloud solutions.

A Cloud-Aware Evaluation Process

If you are considering addressing a business need with a cloud solution, you need to evaluate all of your options with a process that is aware of the particular challenges of cloud computing and alive to its possibilities. The high level process shown in Figure 2 and described below is a basic solution evaluation process that includes additional elements tailored to evaluating cloud options.

Figure 2: A Cloud Aware Evaluation Process

Preparation

To effectively evaluate cloud options you should carry out a realistic risk assessment that is not biased for or against cloud computing. This requires targeted preparation.
Enhance your risk framework

If your organisation already has a security risk management framework or a set of security requirements, these may need to be updated to enable them to be appropriately and adequately applied to cloud computing platforms and solutions. The risk management frameworks at many organisations have been around for a while and may be biased against cloud computing because of their focus on locally deployed solutions and an out of date attitude to the internet. Work with your risk management or security teams to remove any negative bias while remaining aware of the special challenges of cloud computing. If your organisation is a part of the New Zealand Government, you should incorporate the risk factors described in SIGS and the SSC Advice on Risk Management.

Understand your information

In order to properly carry out a risk assessment you will need to understand your organisation’s information. This involves detailing:

• The different types and kinds of information your organisation is planning to put in or through the cloud;
• The business criticality and sensitivity of that information.

For applications that you are thinking of putting in the cloud, determine what information they process or use. For databases, determine what information they store. If you are looking at cloud storage or Infrastructure-as-a-Service you will need to consider the types of information that could end up residing in the cloud. Some important information types are: personal details about customers or staff, financial records, strategic information, and product information.
This will assist you in determining:

• What legislation or standards apply to that information;
• What information may go into the cloud;
• What questions you need to ask and assurances you need to receive from your cloud provider;
• Whether there are any additional risks you need to manage;
• What controls you need to put in place when putting that information into the cloud.

Investigate the application of standards and legislation

Based on the discussion of relevant standards and legislation above, and taking into account your type of organisation (e.g. public sector, bank etc.) and the types of information that you are considering placing in the cloud, you will need to determine which standards and legislation apply to your solution. From this you can determine:

• Whether there are any showstoppers (e.g. SIGS rules out the cloud for certain kinds of information);
• What legal requirements you are under;
• What additional controls you should have.

Option Identification

Once you have completed these steps you will know at a high level whether the cloud is a viable option – and what types of cloud. You then need to identify which cloud providers could form part of your solution – as well as which non-cloud options are reasonable alternatives.
Option Assessment

Once you have a candidate list of options, each option can then be assessed from the perspective of privacy, residency and security risks. The following sections outline some of the special considerations that need to be taken into account for solutions with cloud components.

Assess privacy, residency and security risks

Undertake a risk assessment process, focusing on those risks that are particularly relevant to cloud computing as outlined above. You will need to investigate the particular cloud solution to see whether it has any specific risks. Asking your vendor the high level questions in Figure 3 should uncover whether there are any issues peculiar to them or their solution.

The key to performing a risk assessment on a cloud solution is knowing where your data is going to be stored. This allows you to understand any privacy or security risks associated with that location. In particular, some jurisdictions have risks due to: a lack of privacy legislation; potentially invasive government surveillance; and a lack of the rule of law.

A particular concern for New Zealand organisations is the scheduled maintenance windows of overseas cloud providers. These are typically organised for the early morning in America or Europe, and so often fall in peak business hours for New Zealand.

Assess cloud provider controls

Once you have a realistic understanding of the business risks associated with placing your information in the cloud you can then assess how your candidate cloud solution(s) will address those risks. To do this you will need to investigate the cloud provider’s ability to meet your privacy, residency and security requirements and what controls they have in place to mitigate specific risks. As one of the rationales of cloud computing is to hide the “how” from view, some of this information may be hard to find – be prepared to ask some hard questions of your vendors.
The high level questions in Figure 3 address the most important controls that a cloud vendor should have in place. A more detailed list of questions – called the Consensus Assessments Initiative (CAI) – has been assembled by the Cloud Security Alliance (CSA).[8] Using the CAI questions is a more intensive and time-consuming exercise, but we recommend using a tool such as this if your organisation is considering a significant investment in cloud services, or is looking at putting high risk or business-critical information or processes into the cloud.
• What will happen to your data at end-of-service?
• Where (which jurisdiction) will your data physically reside?
• What are the vendor’s data protection techniques?
• What documentation do they have for auditors?
• What are their identity and access management controls?
• Who has access to your data, both within the cloud provider and any subcontracted 3rd parties? What controls and hiring policies do they have in place for those people?
• What are their business continuity and disaster recovery plans?
• What are their failover and availability processes, policies and procedures?
• When do they typically carry out maintenance?
• Do they do vulnerability assessments?
• What is their security architecture?
• What is their security staff like in terms of size and skills?

Figure 3: Questions for Cloud Providers

Investigate additional risk mitigation

After assessing your basic level of risk and investigating any controls implemented by your cloud provider there may still be unacceptable levels of risk. If this is the case you should consider whether there are any additional controls that your organisation can put in place that may reduce the risk to acceptable levels. The controls that you will need and will be able to introduce will depend on the kind of cloud solution you are investigating and the specific circumstances of your organisation; however, here are a few general strategies that may be of use:

• Introduce policies around how cloud services are bought, provisioned and used;
• Implement access controls such as single sign-on, or use access management software;
• Connect to the cloud provider over a secured network;
• Add security and continuity requirements to your contract with the provider;
• Keep a backup of your data on-premise or at a different provider;
• Have plans in place for loss of service due to internet outages or Denial of Service attacks.
Assess benefits

Any good risk management process should weigh up the potential risks of an option against its potential benefits, taking into account the organisation’s appetite for risk along with its desire for specific benefits. In many cases, as the benefits of cloud computing are quite different to those of in-house deployments, doing this thoroughly requires an explicit understanding of the benefits of a cloud option, especially those that are peculiar to the cloud.

Option Comparison and Selection

It is important to compare the risk assessment of the cloud solution with a realistic risk assessment of the current state (if there is one) or a proposed on-premise or traditional outsourcing solution so that the relative merits of the cloud option(s) can be understood. Too often a thorough risk assessment of a cloud solution scares people off as it is viewed in isolation rather than being compared with an equivalent assessment of the current on-premise solution or other alternatives.

Practices for Reducing Implementation Risks

Beyond risk assessments there are a number of other practices that can be used to reduce the privacy, residency and security risks of cloud computing. One way that many organisations are getting experience with cloud security is by implementing low risk applications, with low risk and non-sensitive business information. This can help the organisation identify issues with the way that they manage security with cloud providers as well as building confidence and trust for addressing more critical processes.

For significant cloud solutions good vendor management practices should be key parts of addressing any security issues, for example:

• Put in place clear Service Level Agreements (SLAs) that define what security controls the cloud provider must put in place, and what penalties are to be imposed if they are not met;
• Get a clear, binding commitment that you can get your data back and that the data will be securely removed from their equipment at your request;
• Where possible use contracts to address inadequacies in local privacy legislation.

When it comes to personal information a good practice to follow is to minimise what is sent to the cloud.
This reduces the effort required to manage any privacy risk, and merely follows the good privacy principle of only collecting the minimum amount of personal information that is needed to perform the business task.

Finally, you need to remember that the overall solution is not limited to the cloud service alone. The complete solution may well include your organisation’s people and processes as well as elements of its infrastructure, applications and data. Managing the parts under your control can decrease or increase the security risk.
IN CONCLUSION

It is our opinion that New Zealand organisations should routinely assess the cloud as an option when delivering IT solutions. Utilising the cloud is essential in today’s environment of increased competition in the private sector and increasing demand for efficiency and cost-effectiveness in the public sector. Understanding and managing the privacy, residency and security risks – while not exaggerating them – is essential to realising the greatest benefit from cloud computing.

Refusing to use the cloud due to fear, uncertainty and doubt, or leaping into cloud use without examining the risks, are both fraught approaches that could see your organisation losing out. In the first case you are not taking advantage of the efficiencies and cost reductions available. In the second, you are exposed to the possibility of reputation damage or compliance penalties if any of the real but un-addressed risks become reality.

The potential benefits to New Zealand and New Zealand organisations of cloud computing are immense. A small country, at great distance from the commercial centres of the world, we are able to take advantage of the scale and innovation of larger players. Will our fear of the pitfalls of cloud computing hold us back? Or can we take the opportunity to carefully and considerately assess the real risks and benefits inherent in this new trend and use it to drive organisational success?
ENDNOTES

[1] A Guide to the Privacy Act 1993, Office of the Privacy Commissioner, 2009.
[2] Information and Privacy Principles, Office of the Privacy Commissioner, 2009.
[3] PADLOCK: an Easy Checklist to Help Get Privacy Right, Office of the Privacy Commissioner, 2010.
[4] Revenue Alert RA 10/02, Inland Revenue Department, 2010.
[5] Outsourcing Policy, Financial Stability Department, Reserve Bank of New Zealand, 2006.
[6] Security in the Government Sector, Department of the Prime Minister and Cabinet, 2002.
[7] Government Use of Offshore Information and Communication Technologies (ICT) Service Providers: Advice on Risk Management, State Services Commission, 2009.
[8] Consensus Assessments Initiative Questionnaire, Cloud Security Alliance, 2010.