SECURITY AND PRIVACY ISSUES

SECURITY AND PRIVACY ISSUES

Overcoming security and privacy issues in public cloud computing requires a fed-eral agency to gain a better understanding of their risks and the necessary security

EPIC FAIL

Data Security Breaches

On May 7, 2007, the Congressional Research Services (CRS) reported on personal data security breaches to Congress through a report title “Data Security Breaches: Context and Incident Summaries.” The breaches were not only due to illegal activity such as hacking or unauthorized employee accesses, but also due to poor security and privacy practices such as lost laptops and posting of personal data to public websites. Highlights of the report [20]

that covered business, education, financial, government, and healthcare industries included:

Business

• March 2007—Hacker broke into the website of Johnny’s Selected Seeds (Winslow, ME) and stole credit card information in which 20 were used fraudulently.

• February 2007—TJ Maxx computer systems were hacked which resulted in drivers’

license numbers, names, and addresses being compromised.

Education

• April 2007—Ohio State University’s firewall was bypassed by hackers using foreign Internet in which the names, Social Security numbers, employee identification numbers, and birthdates of current and former staff members was stolen.

• April 2007—University of California, San Francisco’s campus server was compromised over a two-year period in which the names, Social Security numbers, and bank accounts for students, faculty, and staff were allegedly affected.

Financial

• December 2006—TD Ameritrade’s computers were hacked by criminals using stolen customer accounts requiring them to cover approximately $4 million in fraudulent transactions.

• December 2005—Scottrade Inc. was hacked through the internet in which the customers’ names, birth dates, driver’s license numbers, phone numbers, bank names, bank routing information, bank account numbers, and Scottrade account numbers were allegedly stolen.

Government

• February 2007—Personal information (names and Social Security numbers) were inadvertently posted to Connecticut State Administrative Services Department’s website.

• November 2006—Bowling Green Ohio Police Department inadvertent published personal data (names, Social Security numbers, and phone numbers) to website.

Healthcare

• March 2007—Westerly Hospital in Westerly, RI, allegedly posted patients’ confidential information (name, Social Security number, and insurance information) posted on public website.

• Ohio Board of Nursing posted the names and Social Security numbers of nurses to their website twice in one month.

100 CHAPTER 4 Security and Privacy in Public Cloud Computing

and privacy requirements that need to exist. Using situational analysis techniques such as SWOT³⁹ (Strengths, Weaknesses, Opportunities, and Threats), a federal agency can analyze the different public cloud service offerings from various CSPs.

The analysis can be used to determine if privacy and security-related issues, identi-fied in Table 4.6, believed to have long-term significance for cloud computing [5]

exist. In addition, any applicable service agreements (or a separate contract)⁴⁰ used can be updated to ensure the CSP satisfies the federal agency’s security and privacy requirements.

39The European Network Information Security Agency (ENISA) Security & Resilience in Govern-ment Clouds provides an example of using SWOT as a tool as an initial analyzes of different cloud models. Available from: http://www.enisa.europa.eu/act/rm/emerging-and-future-risk/deliverables/

security-and-resilience-in-governmental-clouds.

40The Federal CIO Council and Chief Acquisition Officers Council in coordination with the Federal Cloud Complinace Committee to developed Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service, which discusses “Privacy” in con-tracts (pp. 16–23).

Table 4.6 Key Security and Privacy Issues and CSP Actions [5]

Issues CSP Actions

Governance Align federal agency practices pertaining to the policies, procedures, and standards used for application develop-ment and service provisioning in the cloud computing environment.

Compliance Understand the various types of federal laws and regula-tions that may impose security and privacy obligaregula-tions.

Trust Allow the federal agency visibility into the security and privacy controls and processes employed.

Architecture Provide the federal agency with technical details into the technologies used to provision the cloud services.

Identity and Access

Management Review in-place safeguards against the federal agency’s requirements to ensure it provides adequate security for authentication and authorization, and other identity and access management functions.

Software Isolation Understand the federal agency’s requirements and poten-tial risk associated with using the cloud service virtualiza-tion and other logical isolavirtualiza-tion techniques.

Data Protection Understand the federal agency’s data management requirements to include access control and protection at-rest or in-transit, and deposition.

Availability Understand the federal agency’s availability, data backup and recovery, and disaster recovery requirements.

Incident Response Align with the federal agency’s incident response procedures.

101 References

SUMMARY

Public cloud computing presents many opportunities for the federal government to reduce costs and improve operational efficiency. But it requires clear understand-ing of the security and privacy requirements and examinunderstand-ing the risks of the types of information that will be placed in the cloud and requiring an appropriate level of assurance through the application of security service and privacy controls. Although cloud computing is evolving, the application of appropriate frameworks such as the FEA-SPP and tools such as PIAs can assist in predicting the implications and conse-quences of collecting and storing privacy in a public cloud service.

References

[1] Kundra V. Federal cloud computing strategy. Washington, DC: Executive Office of the President, Office of Management and Budget; 2011.

[2] Federal Chief Information Officers Council, Privacy Committee, Web 2.0/Cloud Computing Subcommittee. Privacy recommendations for the use of cloud computing by federal departments and agencies. Washington, DC: Executive Office of the President, Office of Management and Budget; 2010.

[3] Federal Chief Information Officers Council. Federal enterprise architecture security and privacy profile (FEA-SPP), version 3.0. Washington, DC: Executive Office of the President, Office of Management and Budget; 2011.

[4] Mell P, Grance T. NIST Special Publication (SP) 800–145, the NIST definition of cloud computing. Maryland: National Institute of Standards and Technology; 2011.

[5] Jansen W, Grance T. NIST Special Publication (SP) 800–144, guidelines on security and privacy in public cloud computing. Maryland: National Institute of Standards and Technology; 2011.

[6] The Smart Grid Interoperability Panel (SGIP), Cyber Security Working Group.

Interagency Report (IR) 7628, guidelines for smart grid security. Maryland: National Institute of Standards and Technology; 2010.

[7] Records, computers and the rights of citizens [Internet]. Washington: US Department of Health & Human Services [cited September 28 2011]. <http://aspe.hhs.gov/

datacncl/1973privacy/tocprefacemembers.htm>.

[8] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [Internet]. Paris: Organisation for Economic Co-operation and Development;

[cited September 28 2011]. <http://www.oecd.org/internet/interneteconomy/

oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>.

[9] Johnson IIIC. Office of Management and Budget (OMB) memorandum 07–16, Safeguarding against and responding to the breach of personally identifiable information.

Washington, DC: Executive Office of the President, Office of Management and Budget; 2007.

[10] Overview of the Privacy Act of 1974, 2010 Edition [Internet]. Washington: US Department of Justice [cited September 28 2011]. <http://www.justice.gov/opcl/

1974privacyactoverview.htm>.

[11] Privacy Act of 1974 [Internet]. Washington: US Government Printing Office [cited October 10 2011]. <http://www.gpo.gov/fdsys/pkg/USCODE-2011-title5/html/

USCODE-2011-title5-partI-chap5-subchapII-sec552a.htm>.

102 CHAPTER 4 Security and Privacy in Public Cloud Computing

[12] Privacy act issuances [Internet]. Washington: US Government Printing Office [cited October 14 2011]. <http://www.gpoaccess.gov/privacyact/index.html>.

[13] Federal Chief Information Officers Council, Privacy Committee, Web 2.0/Cloud Computing Subcommittee. Privacy recommendations for the use of cloud computing by federal departments and agencies. Washington, DC: Executive Office of the President, Office of Management and Budget; 2010.

[14] McCallister E, Grance T, Scarfone K. NIST Special Publication (SP) 800–122, Guide to protecting the confidentiality of Personally Identifiable Information (PII). Maryland:

National Institute of Standards and Technology; 2010.

[15] Evans D, Bond P, Bement A. Federal Information Processing Standards (FIPS) 199 Standards for security categorization of federal information and information systems.

Maryland: National Institute of Standards and Technology; 2004.

[16] Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800–53 revision 4 (initial public draft), Security and privacy controls for federal information system and organizations. Maryland: National Institute of Standards and Technology; 2012.

[17] Federal Chief Information Officers Council. Federal enterprise architecture security and privacy profile (FEA-SPP), version 3.0. Washington, DC: Office of Management and Budget; 2011.

[18] Federal Privacy Recommendations for the use of cloud computing by federal departments and agencies. Chief Information Officers Council, Privacy Committee, Web 2.0/Cloud Computing Subcommittee. Washington, DC: Executive Office of the President, Office of Management and Budget; 2010.

[19] Wood D. Personal information: data breaches are frequent, but evidence resulting identity theft is limited; however, the full extent is unknown. Washington: US Government Accountability Office; 2007.

[20] Tehan R. Data security breaches: context and incident summaries. Washington, DC:

Congressional Research Service (CRS); 2007.

[21] Federal CIO Council and Chief Acquisition Officers Council. Creating Effective Cloud Computing Contracts for the Federal Government. Washington, DC: Executive Office of the President, Office of Management and Budget; 2012.

Federal Cloud Computing.

© 2013 Elsevier, Inc. All rights reserved.

http://dx.doi.org/10.1016/B978-1-59-749737-4.00005-8 103

INFORMATION IN THIS CHAPTER: