Data Protection and Retention in the Cloud: Getting it Right.

March 11, 2013

Much attention is focused on the “Triple A” of Cloud services, namely: Availability all the time (Service Level Agreements and uptime claims); Appropriate access controls (passwords and authentication); and Alteration protection and audit trails, which is especially critical in terms of eDiscovery, and responsibility in ensuring the entity’s ability to effectively backup, recover, and archive its data on a regular basis, and to restore its data on-site or off-site after the fact of a contingency event.

Whether you are thinking of a far-flung transnational operator or a small business, the following are 8 (“eight”) factors to constantly revisit in getting it right when considering or indulging in cloud services.

1.   Backup Cloud: If you have critical functionalities that have moved completely or almost completely to a cloud-based solution (SaaS,[1] PaaS,[2] Iaas,[3] NaaS[4]),[5] then it is highly-advisable to have a backup cloud.  Whether this is done as a failover provision (not always easy to coordinate the two providers), or the running of parallel instances (such as accessing a standalone data archive with staggered replication between those two or more remote access nodes, so permitting them to jointly recover the entire data set should access to the central archive suddenly cease), is ultimately the consumer’s decision.  It is important to remember in the former scenario, however, that if it is not working or suddenly stops working, then it might not be able to failover on its own, without external intervention.  This is especially true if the stoppage is due to a utility outage, climatic event, or human action (terrorism, error, criminality, or hacktivism).

2.   Effective Version Controls: Backup, recovery, and replication processes can be configured in a variety of ways, from the guarantee that a single newer version replaces a single older one, to cases where multiple older versions are retained and disposed-of in sequence as new ones are stored.  Mishaps or mis-alignments in this process can lead to sometimes irretrievable loss of valuable data, which must be avoided.  It may well be true that short of walking hard drives and zip drives, many modern “losses” may still be recoverable.  However, with the increasing complexity and sensitivity of the back-end tools, and the difficulty and active management required to get them to work well together (within promised SLA parameters) for enough of the time, the costs can be prohibitive.  Doing it right the first time, should always be the goal.

3.   Security Consciousness:  There is significant current media and government focus (here in North America and Canada) on the topic of hacking and data exploitation.  One report,[6] indicates that while 54% and 20% respectively of all 2012 breaches were in the accommodation and food services industries, and the retail trade industry,[7] external threats accounted for 95% of all breaches.[8]  With regard to the actors, 83% of breaches against all organizations reporting, were by organized criminal groups,[9] and the descending-order ranking of breach motivation for exploits at large organizations, was: financial or personal gain (71%); disagreement or protest (25%); fun, curiosity, or pride (23%); and grudge or personal offence (2%).[10]  The disgruntled current or former employee with a grudge, is apparently less of a threat than the current employee in deep financial distress, who himself or herself is also apparently less of a threat than the totally unknown but well-financed and staffed criminal organization or state actor that wants access at almost any cost, to the treasure-chest of information on your servers or on the servers of your Cloud Services Provider (CSP).  However, “apparently” is just that, because the reality is joint or co-opted action.  In stating that 65% of internal agent breaches were through a cashier, teller, or waiter, the report also found that “[t]hese individuals, often solicited by external organized gangs, regularly skim customer payment cards on handheld devices designed to capture magnetic stripe data.  The data is then passed up the chain to criminals who use magnetic stripe encoders to fabricate duplicate cards”.[11]  The threat landscape is deep, diverse, and dynamic.  Forewarned with this knowledge, you should have no choice but to be security conscious, spurring you on to craft strategies appropriate to your industry, entity, and V5,[12] to protect your client and other critical data, systems, and processes against compromise, criminality, and a completely unrecoverable disaster.

4.   Traditional (off-Cloud) Backup: Whether the cloud package is offsite, uses in-house accessories, or is a hybrid solution, off-cloud backup may still be an option – whether in addition to or as an alternative for, a backup cloud.  An offline backup sequence that occurs weekly, daily, or several times during the day depending on the interplay (V5)[13] of data Volume (sheer amount), Velocity (speed of its change), Variety (by operating division, product line, client, transaction, trade or other event, analytical element or matrix of elements in the case of big data, and so forth), Value (its criticality to the core functionality, as well as its full replicability on short-order), and Vulnerability (susceptibility to internal, external, and developing threats), with tapes transported, maintained, and regularly tested for their usability, offsite, is a highly-advisable redundancy.  In the event that the primary workspace is compromised and cloud connectivity interrupted, a well-prepared and practiced entity may – far more swiftly and smoothly than the competition – be able to recover from an initial adverse event or sequence of same, and resume operations in an alternate location using the backup tapes, staff able to reach that location if telecommuting remains unavailable, and either pre-positioned or called-in equipment; as available through an expanding group of contingent offsite emergency recovery solution/outcome providers.

5.   Data Retention Policies: Be aware of, and attune your operations to, applicable data retention policies.  Courts in the United States have, to date, proven more eager than Canadian courts to sanction parties for failing to preserve, protect, and produce data that they should have kept by law, and didn’t, or data that they could have had to present at a court or regulatory proceeding, but couldn’t, due to its initial non-retention.  There may be specific rules pertinent to your industry (such as food, or financial services and the PCI-DSS), your activity (such as Intellectual Property filing/prosecution, and healthcare), or your jurisdiction (differing in Canada and the European Union, for example).

6.   Advisable (and accelerating) Best Practices: Having your data resident (whether by bald custody or actual control, in accordance with your Cloud Services Agreement) in the pocket of a third-party, has its obvious risks.  There are also several more subtle ones, which I have canvassed at some length elsewhere in my several blogs on the cloud and outsourcing in general.  It used to be the fact that: (i) the lawmakers would write a law either creating a new regulator or authorizing an existing regulator to act; (ii) proposed regulations would be published for comment; (iii) final regulations would issue; and (iv) tests in court would help to better define and refine them.  Now, everything is in reverse.  An event leads to tests in court, the regulator makes a knee-jerk reaction to try and restore sanity in the interim, there is a public outcry (either here, or earlier in this reversed process), and then a law is passed; which may start the entire sequence again if the law is too broad, not broad enough, or has some adverse effect on a specified/protected group or interest.  “Best Practices in the Cloud” must for now, remain a still-evolving paradigm, so watch your prose (know what you draft and sign), listen to those-in-the- know (pay attention to ongoing doings, debates, and developments), and stay on your toes (be nimble and adaptive, and keep an open mind in this rapidly-changing service space).

7.   Transferring Risks: Insure thyself!  The costs of privacy practices, data breach liability, and similar lines of insurance have come down due to a modicum of standardization, and increased prevalence and awareness of their value from breach announcements occurring in several industries and jurisdictions; despite apparent best efforts.  Business interruption insurance has long been an option, and now, there are contingent event recovery services that can provide pre-packaged, tailored recovery solutions for a fixed monthly price; which is akin to insurance.  Risks can be transferred (insurance), shared (pooling), accounted for (planning), and limited (due diligence and best practices).  However, they can never be fully eliminated.  Be prepared, practice and game a variety of disaster and other contingency scenarios within your organization on a regular basis – whether actually or as tabletop exercises,[14] and expect the unexpected!  Utilities fail; climatic events don’t discriminate; and irrational actors, opportunists, state actors, hacktivists, and criminals all remain predictable in one respect: they will act!

8.   Alert and Notification Protocols: There is really no substitute for a solid system of internal controls. Pre-employment background checks, segregation of duties, authentication and access logging, counterparty due diligence, and strictly enforced policies, are all critically important.  Only 2% of 2012 breaches for misuse were as a result of inappropriate web or internet usage (surfing the wrong type of site, for example), whilst 43% were the result of abusing system access or privileges, and 50% were the result of using unapproved hardware or devices on work systems[15] (whether with BYOD, or as a workaround on strict network controls or prohibitions).  Having, properly configuring, and diligently checking logs is key to risk management.  However, the report also notes the rising challenge to proper data protection and retention from Anti-forensics[16] – especially when someone else is handling functions, now outsourced on a Cloud, that were formerly done in-house.  Cloud Security and Cybersecurity will, for now, remain as moving targets; even with current calls in the United States for laws empowering private actors to jointly take immediate steps (preserving evidence, curtailing breaches, or tracking sources, deeper structures, and sponsors of security events),[17] while regulators and Law Enforcement and National Security (LENS) actors either get up-to-speed, or use their own customized tools for some parallel or complementary actions.[18]

 

CONCLUSION:

We all know the adage that asks why re-invent the wheel?  I think the Payment Cards Industry Standards Council has already done a very good job in establishing the framework for its members to follow in their data protection and retention efforts as they “process, transmit, or store” that data;[19] which with “access” – presupposed by those first three options, also constitute the majority, if not the totality, of functions that can currently be performed in/via the Cloud.

I also think that the 6 categorical elements of that PCI-DSS Standard,[20] are broadly applicable in other industries; especially with cloud-based or cloud-dependent entities and service models.  To allow for proper tailoring, the 12 sub-elements can of course remain customizable within each of the SaaS, PaaS, IaaS, and NaaS sub-spaces.

There are many avenues that CSPs can pursue in efforts to self-regulate before something, perhaps more draconian than they had wanted, comes down firmly from the lawmakers and/or regulators above; whether with or without the precursor hue & cry following an adverse incident.

Perhaps they may find something in the above that is worthy of trying.[21]

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Software as a Service (SaaS), including “tools for processing, analysis, accounting, CRM, and back-office functions”.

[2] Platform as a Service (PaaS), including tools “for email, online backup, or desktops-on-demand”.

[3] Infrastructure as a Service (IaaS), including “tools for collaboration, integration, and visualization”.

[4] Network as a Service (NaaS), including advanced virtualization tools, such as bandwidth-on-demand for multiple Virtual Private Networks (VPN)-on-demand, and for cloud-to-cloud networking on demand.

[5] See generally, Ekundayo George, at (f).  In who’se pocket is your data packet? – International Data Governance.

Published February 6, 2013 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/<

[6] Verizon.  2012 Data Breach Investigations Report (DBIR).  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.  The report also discloses an error rate of +/- 4 percent.

[7] Id. at 11.

[8] Id. at 18.

[9] Id. at 20.

[10] Id. at 19.

[11] Id. at 21-2.

[12] Infra, note 13.

[13] The V5 interplay, is the mix of data volume, velocity, variety, value, and vulnerability that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.

[14] I have proposed a number of permanent executive positions for the C-Suite in modern business, including a Chief Contingency policies, plans, and practices Officer (CCO) with line and staff responsibility for all-hazards contingency affairs.  See e.g. Ekundayo George, at (i).  10/4: the “C–Suite” in 2013 and beyond; who should really be there?  Published November 21, 2012 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2012/11/21/104-the-c-suite-in-2013-and-beyond-who-should-really-be-there/<

[15] Verizon.  2012 Data Breach Investigations Report (DBIR), at 35.  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.

[16] Id. at 55.

[17] American Bar Association (ABA).   National Security Experts Discuss Options for ‘Active’ Cyber Defense.  Published February 11, 2013, by ABA Division for Communications & Media Relations, on abanow.org.  (Link to full podcast is available at bottom of page).  Online:

>http://www.abanow.org/2013/02/national-security-experts-discuss-options-for-active-cyber-defense/<

[18] Supra note 15, at 52.  Fully 59% of breaches at all organizations in 2012 (10% for large organizations), were “only” discovered by the target when it was notified of the breach, by an arm of law enforcement/national security.  Notification by third-party as a result of that third-party’s fraud detection measures came next, at 26% and 8% respectively.

[19] PCI Security Standards Council.  PCI DSS Quick Reference Guide – Understanding the Payment Card Industry.  Data Security Standard version 2.0. For merchants and entities that store, process or transmit cardholder data.  Published 2010 on pcisecuritystandards.org, by PCI security Standards Council LLC.  Online:  >https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf<

[20] Id. at 8.  These six categorical elements of the PCI Data Security Standard (DSS), are: (i) Build and maintain a secure network; (ii) Protect cardholder data; (iii) Maintain a vulnerability management program; (iv) Implement strong access control measures; (v) Regularly monitor and test networks; (vi) Maintain an information security policy.

[21] Supra note 15, at 58.  With regard to PCI DSS in the context of the 2012 Data Breach Investigation Report (DBIR), we read:

“Overall, the standard attempts to set a bar of essential practices for securing cardholder data.  Nearly every case that we have seen thus far has attributes of its breach that could have been prevented if the control requirements had been properly implemented.  Of course, there is no way to be certain that new and different tactics could not have been used by the perpetrators to circumvent a compliant entity’s controls”.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: